From left: Dave Kelley, Dale Spoljaric, Salvatore Montemarano, Gregory Markovich. (Photo: Jeff Berman)

Broker-dealer firms continue to face cybsersecurity threats on multiple fronts, including phishing and ransomware attacks from outside their organizations and from disgruntled ex-workers and weak security controls within, according to compliance experts from the Financial Industry Regulatory Authority, Securities and Exchange Commission and National Futures Association who spoke at the FINRA Cybersecurity Conference in New York on Tuesday.

“We’ve seen the gamut of compromises,” including phishing and other types of attacks, Salvatore Montemarano, an examiner in the SEC’s Office of Compliance Inspections and Examinations, told attendees during the event’s final panel session, “Cybersecurity — the Current Regulatory Environment: Insight from Regulators and Industry Experts.”

Multi-factor authentication — a security enhancement in which people must enter two pieces of information before being able to access a website or other system — does “provide an additional layer of security for authentication environments,” he said, noting it’s a better system to use than single-factor authentication.

But Montemarano was quick to add: “We have seen compromises of multi-factor authentication as well.” He pointed to an incident he was aware of in which there was a phishing attack against a firm’s registered representative, who inadvertently gave the “bad actor” involved access to the rep’s own workstation.

The hacker was then able to “leverage that access to gain access to the firm’s client portal,” he noted. After all, the hacker was using the rep’s credentials and the rep’s workstation was then seen as a trusted user by the client portal, so it didn’t require a second factor for the hacker to access it also, he explained.

The hacker in that case then transferred data successfully, but a second attempt to transfer data was stopped thanks to the security system that was in place at the firm, Montemarano added.

During a review of the incident, it was discovered that the hacker had changed the authentication credentials so it was that bad actor’s phone number that was recognized by the firm’s system rather than the rep’s, he said.

The SEC, meanwhile, is seeing that many firms are “leveraging cloud services” now and, as a result, they are often leveraging cybersecurity, email and other software solutions from third parties, Montemarano explained. Concerns that have popped up as a result include the need to know what kind of data a firm is putting in that cloud environment and the need to know where that environment is physically located, he pointed out.

Also important is to establish what the cloud service provider is and is not responsible for, he said. It’s also important to note that many cloud service providers provide services on a “modular” basis, so it’s important to be aware of which services a firm is buying, he cautioned. It’s all too easy for a firm to be under the false impression that it is paying for multiple control solutions when, in fact, they are only paying for spam blocking, he said.

It’s possible that at least some hackers are people who have worked within the industry. “Fraudsters have really good knowledge of financial services processes and practices,” Gregory Markovich, FINRA principal IT risk and controls examiner, warned attendees.

“It’s almost as if many of the fraudsters have worked in financial services in the past and know how call centers operate, they know how back office processes operate and they leverage that,” he said. Therefore, he cautioned firms to “expect the fraudster to understand your operating procedures” and consider auditing their security procedures to find any flaws in their processes.

Another type of cybersecurity threat Markovich said he’s seen is the “imposter website” in which somebody will duplicate the look of a firm’s website, create a fake version of the site with a URL that’s very similar to the firm’s URL, and then use that fake site to commit fraud.

That was a topic that FINRA heard a lot of firms were discussing, so it issued an information notice to all member firms to warn them, moderator David Kelley, the regulator’s surveillance director, pointed out.

In fact, if people experience a security issue, they should inform their coordinators about it, so they can then let FINRA know and spread the word about it across all members and provide them with tips on how to handle those issues, he told attendees. “There’s no rule” that members have to inform FINRA, but it’s recommended that everybody does so, he said.

All too many employees also wind up taking some data with them when they leave a firm, Kelley said, estimating about 60% do so.

It’s important, therefore, that a firm “monitor the access” of an employee who is being terminated or who has submitted their resignation and is planning to leave, Montemarano said.

Firms should consider whether their offboarding procedures are effective, according to Dale Spoljaric, managing director of the National Futures Association, who noted it “could pose problems for you” if it’s taking weeks for a “disgruntled” employee to have their access to important data taken away.

When it comes to passwords, meanwhile, it’s important for firms to not only make sure they have good policies in place, but also make sure those rules are being followed and enforced, Spoljaric told attendees.