Cyber assailants targeted in important new security sweep

The skill and sophistication of attackers are often outpacing firms' ability to protect themselves

Jun 7, 2018 @ 10:41 am

By Guy F. Talarico

According to compliance and cybersecurity experts, financial industry regulators are embarking on a new cybersecurity sweep, with a focus on registrants' data loss prevention, oversight of third-party service providers and incident response planning.

And with good reason. Cyber assailants continue to perpetrate increasingly sophisticated attacks on U.S. financial institutions, including exploiting weaknesses to steal valuable data and breaching third-party information service provider systems. Yet many firms remain woefully ill-prepared to fend off the latest threats and lack actionable incident response plans to recover from a breach.

In the wake of the relatively minor malware attacks of just five years ago, a newer breed of cyberthreats is a growing national concern. The latest of these include opportunistic phishing attacks, which are broad efforts to infect as many computers as possible. In contrast, more targeted "spear-phishing" attacks focus on specified individuals to perpetrate higher-value crime that is much harder to trace. One example of the latter is organized crime rings that search social media sites to identify financial industry executives, such as hedge fund managers, whose accounts they then attempt to compromise.

Equally clever, criminals often create fake email accounts that are very similar to those of their targets, changing just one letter in the email address, an activity referred to as "typo-squatting."
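The one-letter-off addresses described above are cheap for a defender to catch if the firm keeps an allowlist of the domains it legitimately corresponds with (investors, custodians, counsel). The following Python is an added example, not code from the article or from any of the firms it quotes: it extracts the sender domain from an address, folds a few visually confusable substrings ("rn" for "m", "1" for "l"), and flags any domain within one edit (insertion, deletion, substitution or adjacent transposition) of an allowlisted one. All domain names in it are constructed for the illustration.

```python
# Added example: flag sender domains that are one edit away from a firm's
# known counterparty domains, the "typo-squatting" pattern the article
# describes. Every domain below is constructed, not a real counterparty.

import re

# Constructed allowlist of domains the firm legitimately receives mail from.
KNOWN_DOMAINS = {"examplefund.com", "custodianbank.example", "lawfirm-llp.example"}

# Visually confusable substrings; folding them makes "exarnplefund.com"
# compare as "examplefund.com". This list is an assumption, extend as needed.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def normalize(domain: str) -> str:
    """Lower-case a domain and fold confusable character sequences."""
    d = domain.lower().strip()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (Damerau-Levenshtein) distance: counts
    insertions, deletions, substitutions and adjacent transpositions."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def sender_domain(address: str) -> str:
    """Return the domain of an address, accepting the 'Name <user@host>' form."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, known=KNOWN_DOMAINS):
    """Return (verdict, matched_domain).

    'trusted'   exact allowlisted domain
    'lookalike' within one edit of an allowlisted domain after folding
                confusables; route to manual verification before acting
    'unknown'   no relation to the allowlist
    """
    domain = sender_domain(address)
    if domain in known:
        return "trusted", domain
    nd = normalize(domain)
    for k in known:
        nk = normalize(k)
        if nd == nk or edit_distance(nd, nk) <= 1:
            return "lookalike", k
    return "unknown", None


def triage(addresses):
    """Classify a batch of sender addresses, e.g. the From: headers of a
    day's inbound wire or capital-call instructions."""
    return [(a,) + classify_sender(a) for a in addresses]


if __name__ == "__main__":
    # Constructed sample headers.
    for row in triage([
        "Jane Doe <jane@examplefund.com>",
        "jane@exarnplefund.com",
        "jane@examplefund.co",
        "jane@exampelfund.com",
        "ops@totally-different.example",
    ]):
        print(row)
```

A "lookalike" verdict is a reason to confirm wire instructions out of band (a known phone number, not one in the e-mail) rather than a reason to block outright, since legitimate senders do occasionally mistype their own domain.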

Michael Brice, co-founder of BW Cyber Services, has seen multiple cases of fraudulent capital calls in which investors were duped into sending wire transfers to illicit accounts. And these activities are not insignificant, with wire transfers ranging anywhere from hundreds of thousands to millions of dollars irretrievably lost.

For cryptocurrency funds, the cyber stakes may be even higher. Not only are individual criminals involved, but organizations and countries like Korea are being traced to crypto-cyber malfeasance.

The skill and sophistication of attackers are often outpacing registrants in their ability to protect themselves. "Some simple security practices and operational precautions related to the collection and storage of personally identifiable information — a top regulatory priority — will go a long way to mitigating regulatory and even litigatory issues should a breach occur," Mr. Brice said.

Another regulatory focus area involves third-party service providers. When companies engage information technology service providers, they should review their cybersecurity policies and procedures, and not assume a provider is up to the task of protecting their data.

"Firms should require that their vendor either has deep technical expertise or enhanced security protection for systems and data as there is a strong possibility they are not doing it or not doing it very well," Mr. Brice explained.

Thus, even firms that are making their best effort to minimize cyberrisk may be operating with a false sense of security because executives often make incorrect assumptions regarding the risks they are dealing with. For instance, cyber insurance policies rarely cover wire transfers, Mr. Brice added. Yet this is one of the primary reasons organizations get cybersecurity policies in the first place.

As outlined in their respective 2018 examination priorities notifications, the Securities and Exchange Commission and the Financial Industry Regulatory Authority Inc. are focusing their resources on examining the quality of registrants' written cybersecurity policies and procedures.

In February, the SEC issued guidance to encourage companies to assess the sufficiency of cybersecurity policies and procedures in part to satisfy federal securities law disclosure obligations. One goal of the guidance is to prevent directors and other insiders from making selective disclosures about cybersecurity risks or incidents and then trading on that information.

Vulnerability assessments and the penetration tests, or pen tests, that support them are an important part of a firm's cybersecurity plan; they aim to reveal security weaknesses before attackers do. The SEC allows leeway as to how firms conduct cyber pen testing but expects registrants to engage third-party experts to assist in this process. Doing so ensures both the quality and independence of testing results.

The cybersecurity plan must be customized to each firm and encompass a holistic approach to periodically assess, remediate and test the organization. Many firms engage cyber experts and compliance professionals to develop a cybersecurity plan as part of the compliance program.

Experienced professionals can ensure that a registrant's compliance program and cybersecurity plan address regulators' top focus areas — data loss prevention, third-party service providers, and response planning — and that the technical testing matches the registrant's risk profile.

Retaining experts entails upfront cost, but that cost could be far outweighed by the reputational and financial impact of a breach. Moreover, it will help firms maintain an audit-ready posture.


Guy F. Talarico is CEO of Alaric Compliance Services.
