Broker-dealer firms continue to face cybersecurity threats on multiple fronts, including phishing and ransomware attacks from outside their organizations as well as disgruntled ex-workers and weak security controls within, according to compliance experts from the Financial Industry Regulatory Authority, Securities and Exchange Commission and National Futures Association who spoke at the FINRA Cybersecurity Conference in New York on Tuesday.
“We’ve seen the gamut of compromises,” including phishing and other types of attacks, Salvatore Montemarano, an examiner in the SEC’s Office of Compliance Inspections and Examinations, told attendees during the event’s final panel session, “Cybersecurity — the Current Regulatory Environment: Insight from Regulators and Industry Experts.”
Multi-factor authentication — a security enhancement in which a user must present two or more independent proofs of identity, such as a password plus a one-time code sent to a registered phone, before being able to access a website or other system — does “provide an additional layer of security for authentication environments,” he said, noting it is a better system to use than single-factor authentication.
But Montemarano was quick to add: “We have seen compromises of multi-factor authentication as well.” He pointed to an incident he was aware of in which a phishing attack against a firm’s registered representative led the rep to inadvertently give the “bad actor” involved access to the rep’s own workstation.
The hacker was then able to “leverage that access to gain access to the firm’s client portal,” he noted. Because the hacker was using the rep’s credentials from the rep’s own workstation, the client portal treated the session as coming from an already trusted device and did not prompt for a second factor, he explained.
The hacker then successfully transferred data, but a second attempt to transfer data was stopped by the security controls the firm had in place, Montemarano added.
During the review of the incident, it was discovered that the hacker had changed the account’s authentication settings so that the firm’s system recognized the bad actor’s phone number, rather than the rep’s, as the second factor, he said.
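The following Python is an added example and is not code from the article, the panel, or any firm’s portal. It models the control gap Montemarano described: a client portal that treats a remembered workstation as fully trusted never asks for a second factor, so a phished session on that workstation can both export data and re-point the account’s MFA phone number. The hardened policy beside it requires a fresh one-time code for sensitive actions regardless of device trust, proves any phone-number change with the currently enrolled phone, alerts on the change and revokes remembered devices. A small log-correlation check at the end is the kind of post-incident review the panel referred to. All account names, device ids, phone numbers, action names and log lines are constructed for illustration; the order of the replayed steps is an assumption, since the article does not state it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Actions that must always be backed by a fresh second factor (assumed set).
SENSITIVE_ACTIONS = {"transfer_data", "change_mfa_phone"}


@dataclass
class Account:
    user: str
    mfa_phone: str                                  # phone currently enrolled for OTP
    trusted_devices: Set[str] = field(default_factory=set)


@dataclass
class Request:
    user: str
    device_id: str
    action: str
    otp_phone: Optional[str] = None   # phone that received the OTP typed for this request
    new_phone: Optional[str] = None   # only used by change_mfa_phone


def _commit(acct: Account, req: Request) -> str:
    if req.action == "change_mfa_phone":
        acct.mfa_phone = req.new_phone
    return "allow"


def weak_policy(acct: Account, req: Request) -> str:
    """The gap in the article: a remembered device skips the second factor for every action."""
    if req.device_id in acct.trusted_devices:
        return _commit(acct, req)
    if req.otp_phone == acct.mfa_phone:
        acct.trusted_devices.add(req.device_id)      # remember this device from now on
        return _commit(acct, req)
    return "deny"


def hardened_policy(acct: Account, req: Request, alerts: List[str]) -> str:
    """Remembered devices skip the factor only for non-sensitive actions. Sensitive
    actions need an OTP to the *currently enrolled* phone; a phone change is alerted
    and revokes every remembered device so the next action re-proves possession."""
    needs_factor = req.action in SENSITIVE_ACTIONS or req.device_id not in acct.trusted_devices
    if needs_factor and req.otp_phone != acct.mfa_phone:
        return "deny"
    if req.action == "change_mfa_phone":
        alerts.append(f"{req.user}: MFA phone changed {acct.mfa_phone} -> {req.new_phone}")
        acct.trusted_devices.clear()
    else:
        acct.trusted_devices.add(req.device_id)
    return _commit(acct, req)


def run_incident(policy_name: str) -> Tuple[List[str], str, List[str]]:
    """Replay the described sequence from the rep's already-remembered workstation
    (constructed data). Returns (decisions, enrolled phone afterwards, alerts)."""
    acct = Account("rep01", "+1-555-0100", trusted_devices={"ws-rep01"})
    alerts: List[str] = []
    steps = [
        Request("rep01", "ws-rep01", "transfer_data"),                                   # no OTP entered
        Request("rep01", "ws-rep01", "change_mfa_phone", new_phone="+1-555-0199"),       # attacker's phone
        Request("rep01", "ws-rep01", "transfer_data"),
    ]
    decisions = []
    for req in steps:
        if policy_name == "weak":
            decisions.append(weak_policy(acct, req))
        else:
            decisions.append(hardened_policy(acct, req, alerts))
    return decisions, acct.mfa_phone, alerts


# Constructed portal audit log: "<iso timestamp> <user> <event ...>".
LOGS = [
    "2024-03-05T09:12:00 rep01 login device=ws-rep01 mfa=skipped_trusted_device",
    "2024-03-05T09:20:00 rep01 transfer_data size=12MB",
    "2024-03-05T09:41:00 rep01 mfa_phone_changed old=+1-555-0100 new=+1-555-0199",
    "2024-03-05T10:05:00 rep01 transfer_data size=40MB",
    "2024-03-05T11:00:00 rep02 mfa_phone_changed old=+1-555-0200 new=+1-555-0201",
    "2024-03-07T15:00:00 rep02 transfer_data size=1MB",
]


def flag_factor_change_then_export(lines: List[str], window: timedelta = timedelta(hours=24)) -> List[Tuple[str, str]]:
    """Review-time correlation: flag users whose MFA phone change is followed by a
    data transfer within `window`. Returns (user, transfer timestamp) pairs."""
    last_change = {}
    flagged = []
    for line in lines:
        ts_s, user, event = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_s)
        if event.startswith("mfa_phone_changed"):
            last_change[user] = ts
        elif event.startswith("transfer_data") and user in last_change:
            if ts - last_change[user] <= window:
                flagged.append((user, ts_s))
    return flagged


if __name__ == "__main__":
    print("weak:", run_incident("weak"))
    print("hardened:", run_incident("hardened"))
    print("flagged:", flag_factor_change_then_export(LOGS))
```

Under the weak policy every step is allowed and the enrolled phone ends up as the attacker’s; under the hardened policy all three are denied and a legitimate rep still gets through by entering a code sent to the enrolled phone. The correlation flags rep01’s second transfer because it follows the phone change within the window, while rep02’s transfer two days later does not.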
The SEC, meanwhile, is seeing many firms “leveraging cloud services,” and as a result they are often relying on third parties for cybersecurity, email and other software solutions, Montemarano explained. Concerns that arise include the need to know what kind of data a firm is placing in that cloud environment and where that environment is physically located, he pointed out.
It is also important to establish what the cloud service provider is and is not responsible for, he said. Many cloud service providers sell their services on a “modular” basis, so a firm needs to know exactly which services it is buying, he cautioned. It is all too easy for a firm to be under the false impression that it is paying for multiple control solutions when, in fact, it is only paying for spam blocking, he said.