Phishing, spear phishing (a targeted phishing email crafted to appear to come from a familiar client or business partner) and social engineering continue to be issues for financial services firms trying to protect themselves from cyberattacks, according to David Kelley, surveillance director in the Financial Industry Regulatory Authority’s Kansas City office. Kelley participated in a cybersecurity panel at the Rocky Mountain Securities Conference on Friday, outlining the most common issues firms are dealing with.
In addition to the familiar cyberattacks above, ransomware and account takeover are increasingly common.
Establishing processes to recognize and remedy vulnerabilities on an ongoing basis is critical to firms’ cybersecurity efforts. The panelists at the conference shared ways to address the various risks, internal and external, that firms face.
Even at big firms, account takeover is “a big deal,” Kelley said. “That may be the thing we hear about most from a lot of firms,” he said. A client’s account credentials are stolen and the hacker tries to move the account to another institution.
Firms should take stock of what controls they have in place to prevent unauthorized changes to a client’s account.
“The losses from these kinds of schemes can be enormous,” David Glockner, regional director of the SEC’s Chicago office and moderator of the panel, said, referring to Ubiquiti Networks, which reported a $39 million loss last year from “what was essentially a business email compromise.”
Kelley said that in June, FINRA started seeing an increase in reports of distributed denial of service (DDoS) attacks, especially among small and medium-size firms, in which hackers would knock a firm’s website offline and demand bitcoin to stop.
“Cybercriminals have determined how easy it is to make money,” panelist Kevin Witt, chief technology officer of Kestra Financial, said. “The old notion that cybersecurity was all about protecting your customers’ privacy and nothing else” is no longer accurate. “It’s also about protecting the availability of your systems and information, and the integrity of those systems.”
Stealing information is a difficult crime to monetize, he added. It may be easy to steal information, but it’s harder to find someone to sell it to. “It doesn’t take any sophistication at all to hold someone’s information for ransom. It’s a very scalable business model.”
Hackers don’t even have to understand the information they’re stealing, “but they can encrypt it and hold it hostage for $10,000,” Witt pointed out. Furthermore, bitcoin makes it easy to collect ransoms anonymously, he said.
Joseph Sansone, co-chief of the Securities and Exchange Commission Division of Enforcement’s market abuse unit, identified three types of cyberattacks. First is when hackers steal material nonpublic information to sell or to trade on.
He referred to a case the SEC brought in August against a Ukraine-based hacker ring that stole earnings information from newswires.
“There was a crucial window of opportunity the hackers and traders had to use this information, and they did on numerous instances and made over $100 million in illicit profits,” Sansone said.
A second type is when employees steal information to conduct insider trading, Sansone said.
Cybercriminals may also attempt to manipulate markets by spreading misinformation to profit on the market reaction, he said.
The internet makes that very easy to do, he said, referring to a case in November 2015. James Allen Craig created fake Twitter accounts that resembled those of recognized research firms. He tweeted fake information “about different issuers, which was adjusted by the market and ended up causing rather large downward spikes in the price” of those issuers’ securities.
“The point here is we need to be very careful with analyzing what’s on the internet,” Sansone said. Telltale signs to look for include incorrect names for executives in filings, misspellings and other typos.
The good news is that the SEC has become “incredibly sophisticated in its ability to spot these patterns.” The bad news is it doesn’t matter. “The bad guys are not easily deterred,” Sansone said.
In fact, he warned that cybercriminals will work their way through a series of networks and “circle back to prior victims in subsequent years.”
“You can’t assume that once you’ve shut down the intrusion, it’s going to go away and you’re safe. You really have to stay on top of” cybersecurity efforts, he said.
Witt added that once firms are aware of a breach, “it’s extremely dangerous to come back online at that point.” Unless the firm has significant IT forensic tools, it “won’t know all that the bad actor did while they were inside.”
However, he did say that even without a “giant IT budget,” firms can “[compartmentalize] their enterprise” to limit different systems’ exposure to cyberattacks.
One technique that’s common in other industries, Witt said, is to set up “honeypots,” intentionally weak systems that attract hackers to allow firms to observe them. However, he said those types of defenses were uncommon in the financial services space.
Digital watermarks are another way to test whether a system is secure, Witt said. He described a firm he consulted with that suspected its network had been breached. It embedded a fake address with a P.O. box in its database; when mail appeared in the mailbox, it was clear the database had been breached.
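The fake-address trick Witt describes is what practitioners usually call a canary record or honeytoken. The Python below is an added example, not code from the article or from any panelist, and it generalises the idea slightly: one distinct fake P.O. box per copy of the data (a vendor extract, a backup, a partner feed), so that mail arriving at a given box also tells you which copy leaked. The client table schema, the seeding secret and the "mail received" log lines are all constructed for illustration.

```python
import hashlib
import hmac
import re
import sqlite3

# Secret known only to the firm; constructed for this example, never reuse it.
SEED_SECRET = b"example-seeding-secret-do-not-reuse"

# Matches "PO Box 12345", "P.O. Box 12345", "po box12345" in free text.
BOX_RE = re.compile(r"P\.?O\.?\s*Box\s*(\d{5})", re.IGNORECASE)


def canary_box(copy_id: str, secret: bytes = SEED_SECRET) -> str:
    """Derive a 5-digit P.O. box number for one data copy.

    HMAC keeps the number deterministic for the firm (so the registry can be
    rebuilt from the secret) but unguessable for anyone holding the data.
    """
    digest = hmac.new(secret, copy_id.encode(), hashlib.sha256).digest()
    return str(10000 + int.from_bytes(digest[:4], "big") % 90000)


def seed_canaries(conn: sqlite3.Connection, copies: list[str]) -> dict[str, str]:
    """Insert one plausible-looking fake client per data copy.

    Returns a registry {box_number: copy_id} that the detector consults.
    The 'clients' table is an assumed schema for the example.
    """
    registry = {}
    for copy_id in copies:
        box = canary_box(copy_id)
        conn.execute(
            "INSERT INTO clients(name, street, city, state, zip) VALUES (?, ?, ?, ?, ?)",
            (f"J. Holder {copy_id[-1].upper()}", f"PO Box {box}", "Denver", "CO", "80202"),
        )
        registry[box] = copy_id
    return registry


def detect_leaks(observed_lines: list[str], registry: dict[str, str]) -> list[tuple[str, str]]:
    """Scan inbound-mail or log lines for canary boxes; return (copy_id, line) hits.

    Real boxes that happen to appear in the lines are ignored because they are
    not in the registry, so a hit means the fake record was actually exfiltrated.
    """
    hits = []
    for line in observed_lines:
        for match in BOX_RE.finditer(line):
            box = match.group(1)
            if box in registry:
                hits.append((registry[box], line))
    return hits


def demo() -> list[tuple[str, str]]:
    """End-to-end run on an in-memory database and constructed mail log lines."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients(name TEXT, street TEXT, city TEXT, state TEXT, zip TEXT)"
    )
    # One real-looking record plus one canary per copy handed out.
    conn.execute(
        "INSERT INTO clients VALUES ('A. Real Client', '100 Main St', 'Denver', 'CO', '80202')"
    )
    registry = seed_canaries(conn, ["backup-2016-q1", "vendor-a", "vendor-b"])

    # Constructed mailroom log: the third line simulates junk mail arriving at
    # the box that was seeded only into the copy given to vendor B.
    mailroom_log = [
        "2016-05-12 inbound: A. Real Client, 100 Main St, Denver CO 80202",
        "2016-05-12 inbound: Someone Else, P.O. Box 00042, Denver CO 80202",
        f"2016-05-13 inbound: J. Holder B, PO Box {canary_box('vendor-b')}, Denver CO 80202",
    ]
    return detect_leaks(mailroom_log, registry)


if __name__ == "__main__":
    for copy_id, line in demo():
        print(f"LEAK from copy '{copy_id}': {line}")
```

The registry (or the secret that regenerates it) must live somewhere the stolen data does not, and each copy needs its own canary; a single shared fake address only tells you that something leaked, not which vendor, backup or export it came from.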