According to compliance and cybersecurity experts, financial industry regulators are embarking on a new cybersecurity sweep, with a focus on registrants' data loss prevention, oversight of third-party service providers and incident response planning.
And with good reason. Cyber assailants continue to perpetrate increasingly sophisticated attacks on U.S financial institutions, including exploiting weaknesses to steal valuable data and breaching third-party information service provider systems. Yet many firms remain woefully ill-prepared to fend off the latest threats and lack actionable incident response plans to recover from a breach.
In the wake of minor malware attacks just five years ago, a newer breed of cyberthreats is a growing national concern. The latest of these include opportunistic phishing attacks, which are broad efforts to infect as many computers as possible. In contrast, more targeted "spear-fishing" attacks focus on specified individuals to perpetrate higher-value crime that is much harder to trace. An example of the latter includes organized crime rings that search social media sites to identify financial industry executives such as hedge fund managers, to compromise their accounts.
Equally as clever, criminals often create fake email accounts that are very similar to those of their targets, changing just one letter in the email address, an activity referred to as "typo-squatting."
Michael Brice, co-founder of BW Cyber Services, has seen multiple cases of fraudulent capital calls in which investors were duped into sending wire transfers to illicit accounts. And these activities are not insignificant, with wire transfers ranging anywhere from hundreds of thousands to millions of dollars irretrievably lost.
For cryptocurrency funds, the cyber stakes may be even higher. Not only are individual criminals involved, but organizations and countries like Korea are being traced to crypto-cyber malfeasance.
The skill and sophistication of attackers are often outpacing registrants in their ability to protect themselves. "Some simple security practices and operational precautions related to the collection and storage of personally identifiable information — a top regulatory priority — will go a long way to mitigating regulatory and even litigatory issues should a breach occur," Mr. Brice said.
Another regulatory focus area involves third-party service providers. When companies engage information technology service providers, they should review their cybersecurity policies and procedures, and not assume a provider is up to the task of protecting their data.
"Firms should require that their vendor either has deep technical expertise or enhanced security protection for systems and data as there is a strong possibility they are not doing it or not doing it very well," Mr. Brice explained.
Thus, even firms that are making their best effort to minimize cyberrisk may be operating with a false sense of security because executives often make incorrect assumptions regarding the risks they are dealing with. For instance, cyber insurance policies rarely cover wire transfers, Mr. Brice added. Yet this is one of the primary reasons organizations get cybersecurity policies in the first place.
As outlined in their respective 2018 examination priorities notifications, the Securities and Exchange Commission and the Financial Industry Regulatory Authority Inc. are focusing their resources on examining the quality of registrants' written cybersecurity policies and procedures.
In February, the SEC issued guidance to encourage companies to assess the sufficiency of cybersecurity policies and procedures in part to satisfy federal securities law disclosure obligations. One goal of the guidance is to prevent directors and other insiders from making selective disclosures about cybersecurity risks or incidents and then trading on that information.
An important part of a firm's cybersecurity plan, vulnerability assessments and supporting penetration testing, or pen tests, aim to reveal security weaknesses before attackers do. The SEC allows leeway as to how firms conduct cyber pen testing but expect registrants to engage third-party experts to assist in this process. Doing so ensures both the quality and independence of testing results.
The cybersecurity plan must be customized to each firm and encompass a holistic approach to periodically assess, remediate and test the organization. Many firms engage cyber experts and compliance professionals to develop a cybersecurity plan as part of the compliance program.
Experienced professionals can ensure that a registrant's compliance program and cybersecurity plan address regulators' top focus areas — data loss prevention, third-party service providers, and response planning — and that the technical testing matches the registrant's risk profile.
The costs of retaining experts entails cost upfront, but those costs could be far outweighed by the reputational and financial impact of a breach. Moreover, it will help firms maintain an audit-ready posture.
Guy F. Talarico is CEO of Alaric Compliance Services.