Alaric Compliance Alert: U.S. Regulators See Cyber Crime as the Single Greatest Market Threat
According to cyber security experts, the May 2017 WannaCry ransomware attack was “brilliantly written” but poorly executed. And as Commander Ramius said after a failed torpedo attack in The Hunt for Red October, the perpetrators “won’t make the same mistake twice.”
Far from being deterred, attackers are sharpening their blades.
“Every financial business with employees and clients – which is to say every financial services firm – needs to be aware that WannaCry is just a symptom of a much bigger scourge. We expect to see far more attacks that will be far worse,” says Michael Brice, founder of cyber security consultancy BW Cyber Services.
To make a bad situation worse, there are “infinite flavors” of cyber attack that keep finding new system vulnerabilities, making it almost impossible to fully protect business operations and data. Most experts now say it is not a matter of if an attacker will get in, but when.
“Unlike the early days of cyber attacks – a mere five years ago – when firms focused on technical protections that prevented unwanted and mostly inconvenient software viruses, today’s attacks set off a series of damaging operational repercussions, including extortion, fraudulent wire transfers and the theft or sale of personally identifiable information,” says Guy Talarico, CEO and founder, Alaric Compliance Services.
Talarico and Brice agree that these impacts are real and existential threats that can close a business overnight. Industry watchdogs also see cyber crime as the single greatest market threat.
Stephanie Avakian, named in June as Co-Director of the Division of Enforcement at the Securities and Exchange Commission (SEC)1, recently said the SEC is seeing an increase in the number of cyber crime investigations and reported intrusions, and expects cyber threats will continue to emerge.2
Both the SEC and the Financial Industry Regulatory Authority (FINRA) have made cybersecurity a top enforcement priority this year.3 4 Following the lead set by these agencies, the National Futures Association (NFA) issued an Interpretive Notice last year outlining the components of a cybersecurity Information Systems Security Program.5 Consequently, regulatory examiners from these organizations have conducted targeted sweeps to review registrants’ compliance with current cybersecurity rules and regulations, focusing on the following:6
- SEC Regulation S-P (17 CFR §248.30) requires firms to adopt written policies and procedures to protect customer information against cyber attacks and other forms of unauthorized access
- SEC Regulation S-ID (17 CFR §248.201-202) outlines a firm’s duties regarding the detection, prevention, and mitigation of identity theft
- SEC Rule 17a-4(f) under the Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)) requires broker-dealers that keep records electronically to preserve them in a non-rewriteable, non-erasable format
When there is a breach, the effects are multi-dimensional and tend to cascade across regulatory, operational, legal and financial lines. For instance, the SEC charged an investment adviser in 2015 with failing to establish cybersecurity policies and procedures in advance of a breach that compromised the PII of approximately 100,000 individuals, including thousands of the firm’s clients.7 In addition to the obvious reputational damage, equally significant financial costs for legal, cyber forensic and remedial work tend to consume an organization once a breach becomes public.
Last year, a widely publicized phishing attack against one of the world’s largest fund administrators resulted in a series of fraudulent wire transfers to China that cost a commodity pool operator (CPO) nearly $6 million in assets. This in turn forced a suspension of business from which the CPO could not recover. The CPO and the fund administrator are now in protracted litigation, with the CPO faulting its fund administrator for a lack of cyber controls.8 Both parties are still arguing the case and appeared before the New York Supreme Court in May.9
Beyond simple business disruption and fraudulent wire transfers, attackers are now targeting firms’ “Crown Jewel” software and information, i.e., the algorithms and supporting data that are critical to registrants. In December, for instance, the SEC filed a complaint against three Chinese nationals accused of hacking the networks of two New York-based law firms to access confidential information in advance of several mergers and acquisitions. According to court documents, the trio reaped millions of dollars by trading on the inside information ahead of the transactions.10 In another such case, a quantitative analyst was charged with stealing confidential computer data from the hedge fund for which he worked, purportedly to give to competitors or to start his own firm in China.11
Under the U.S. Bank Secrecy Act12, financial institutions are required to submit a Suspicious Activity Report (SAR) should they encounter a suspicious transaction or attempted cyber breach involving $5,000 or more in funds or other assets. The Financial Crimes Enforcement Network (FinCEN) uses the reports to conduct investigations, identify criminals and disrupt criminal networks.13
Requirements to report a breach vary from state to state, but as a rule of thumb firms are also required to report a cyber attack if PII or other regulated information (such as information protected under the Health Insurance Portability and Accountability Act) is exposed.14
And yet, while cybersecurity represents a real and present danger, the vast majority of breaches are handled without being publicized. Thus there’s an industry-wide awareness problem. And those breaches that come to light may not accurately represent the pervasive threat.
Firms may not even know they have regulated information that has been hacked, sold on the dark web and released until it’s too late. Adds Brice: “The dirty little secret is that one in four asset managers have been the victim of some form of cyber-attack. Because those breaches are kept tightly under wraps, the vast majority of firms are unaware of the scope and severity of the problem.”
For firms aiming to protect their business, infrastructure assessments as well as technical and operational controls are crucial, says Doug Preveza, Director, Alaric Compliance Services, which recently joined forces with BW Cyber Services to strengthen their clients’ compliance programs. “We find too many companies failing to properly review and implement these basic cyber controls.”
At a minimum, registered financial firms must implement a formal cybersecurity policy, signed by a principal or senior executive of the firm, and reviewed on an annual basis. Among other things, this policy should include the following activities: Technical Security Control Assessment, Cyber Risk Assessment, Critical Third Party Assessment, Incident Response Plan, and Training Plan. These activities must be performed proactively on an ongoing basis, instead of after an attack.
When regulators review a registered entity in response to a deficiency, as part of a targeted sweep or in the course of a routine examination, they evaluate more than the basic components of a cybersecurity program. They focus on the quality and full scope of a firm’s compliance and cybersecurity risk management program, including its approach to handling a cyber attack and whether or not the firm has applicable insurance coverage to manage the potentially costly impact after the fact.
Regulatory Focus Areas15
- Written cybersecurity policies and procedures
- Cybersecurity risk analysis and assessment practices
- Business continuity and response plans in case of a cyber attack
- Registrant’s understanding of concerns and threats faced by the industry
- Deployment of protective measures against the identified threats and vulnerabilities
- Assessment of the impact of cyber attacks on the firm over the past 12 months
- Processes for sharing and obtaining information about cybersecurity threats
- Employee cybersecurity education and training programs
- Approaches to handling distributed denial of service (DDoS) and other attacks
- Contractual arrangements with third-party service providers
- Insurance coverage for cybersecurity-related events
Experts who specialize in cybersecurity work with clients to evaluate their compliance with regulators’ cybersecurity focus areas. This includes reviewing a firm’s policies and procedures regarding its use of technology, systems backup procedures, testing, vendor management, and employee training and certifications. They also help clients think through the best steps to take after an attack, such as escalation and remediation procedures.
Prior to joining Alaric, Director Doug Preveza worked with a retail broker-dealer and investment adviser that encountered a breach similar to WannaCry. Someone at the firm clicked an email link that delivered ransomware, which encrypted the firm’s server. Even with fewer than 50 employees, the firm did have controls in place, including nightly backups, and as a result lost only a day’s worth of work. The lesson generalizes: backups limit ransomware damage only if they are kept where the malware cannot reach and encrypt them, and only if restoring from them has actually been tested.
In the absence of a cybersecurity program and strong commitment from management to adhere to it, breaches can happen more easily. When they do, senior management must try to identify the source of the problem. “A firm must have the right corporate culture prior to a breach, because like any other operational issue, a cyber breach can quickly become a blame game,” Preveza observed.
If an SEC-registered firm falls victim to a cyber attack, the firm is at risk on numerous potentially costly fronts: 1) the registrant can lose firm and client data and assets; 2) the firm can be charged and fined by regulators for non-compliance with relevant cybersecurity rules, such as Reg S-P and Reg S-ID; 3) the firm can be sued by investors for loss of their data and 4) the firm’s brand and bottom line can be irreparably damaged.
Firms with a solid cybersecurity plan can limit their exposure to attackers from both an operational standpoint (e.g., how much data is stolen and how quickly the attack is identified) and a regulatory and reputational perspective. “Even if attackers succeed in their attempts, having a comprehensive plan in place will allow firms to provide tangible evidence that they were doing everything possible to try and reduce risk for their firm and clients,” Preveza concludes.
ABOUT ALARIC COMPLIANCE SERVICES
Established in 2004, Alaric Compliance Services LLC provides regulatory compliance support, including independent Chief Compliance Officer (CCO) outsourcing, to investment managers registered with the SEC, CFTC, NFA and FINRA. The Alaric client base includes many well-known and respected registered investment advisers (RIAs) and registered investment companies, commodity trading advisors and pool operators, business development companies (BDCs), hedge funds, funds of hedge funds, mutual funds, ETFs, broker-dealers, structured asset-backed securities, alternative funds, real estate funds and private equity firms.
Alaric offers several solutions powered by BW Cyber Services to help your firm comply with cybersecurity regulatory requirements and to mitigate the threat of real-world security breaches. To learn more about these services please contact us at firstname.lastname@example.org or call us at 1-888-243-2448.