Tag Archives: SEC

Security News for the Week Ending September 10, 2021

Signal Provides Customer IP Address to Swiss Police

While police all over the world complain about the universe going dark on them, that is only true to an extent. Proton maintains no logs, but they can capture data in real time. In this case they received an order from the Swiss Federal Department of Justice, which they complied with. I don’t have a lot of heartburn over this. If people break the law they should assume that cloud providers will not ignore that fact and pretend everything is okay. Note that they cannot provide any content in this case, so really it is a person’s IP address that was exposed. Smart crooks might access their mail via changing VPNs or Tor, but apparently, in this case, they were not smart enough to do that. One positive thing is that the suspects were required to be notified of the data being turned over, unlike in most countries. Credit: Proton Reddit

McDonalds in El Salvador (and Everyone Else) Now Accept Bitcoin

El Salvador’s Bitcoin law went into effect this week, requiring all businesses and government agencies to accept Bitcoin. Of course everyone needs to figure out how to do that. For large companies that can afford to spend millions, that can be done, even if it is clunky. For small businesses, that is a different story. That doesn’t protect any company from the huge swings in Bitcoin price. In one direction, the company is okay; in the other, not so much. We shall see if this is a trend, but I doubt it. Tesla was accepting Bitcoin for cars, but stopped after realizing that they might sell a car for $30,000 but only recover $20,000 when they cashed in the Bitcoin. Credit: Vice

Corporate Execs Fear That SEC Investigation Will Uncover Other Breaches They “Forgot” to Report

As the SEC investigates the reach of the SolarWinds attack, it is asking companies to turn over “any other” data breach or ransomware attack information since the start of the SolarWinds attack in 2019. This will likely turn over rocks that companies would prefer remain right side up. Companies could lie and say they don’t have anything, but if a whistleblower informs the SEC of the truth, or the SEC figures out the truth by itself, now companies have really big problems. A consultant working with some of these companies says that “most” companies have had unreported breaches and they don’t know how the SEC might deal with that. The SEC said that companies would not be penalized if they shared data about the SolarWinds attack voluntarily, but they didn’t say they would give companies amnesty for other breaches that they should have reported. Credit: Reuters

WhatsApp Promises End to End Encrypted Backups on iCloud

Apple’s backups on iCloud are readable by Apple, and that fact has allowed Apple to turn over data to police and was the core of the Apple spying service that they recently postponed. Facebook (WhatsApp) says that they are about to roll out end to end encrypted WhatsApp backups to iCloud for iPhone users and Google Drive for Android users. Assuming they are correct, this is the first time that someone has offered fully encrypted backups for two billion users. Credit: The Register

The SEC is Coming, The SEC is Coming!

For Financial Service firms, the message is clear.  Both FINRA and the SEC are looking over your shoulder to make sure that you are taking cyber security seriously.

And the fines are not small.  From hundreds of thousands to millions of dollars, firms big and small are getting whacked with fines.

In 2014, the SEC Office of Compliance Inspections and Examinations released a risk alert describing their new initiative designed to assess cybersecurity preparedness.  Among the requirements outlined in the program are:

  • An inventory of physical devices and systems is maintained
  • An inventory of platforms and applications is maintained
  • A map of network resources, connections and data flows is maintained
  • The map above includes the locations where customer data is housed
  • External connections are cataloged
  • Resources are prioritized for protection based on their sensitivity and business value
  • Logging capabilities and practices are assessed
  • A written information security policy is available
  • Periodic risk assessments are conducted and findings mitigated
  • Periodic physical security risk assessments are conducted
  • Cyber security roles in the company are explicitly assigned and communicated
  • A written cyber business continuity plan has been implemented
  • The firm has a CISO or equivalent

This is only part of the list.  The list goes on for 8 pages.

Check out the end of this post for a list of references to FINRA and SEC documents describing these programs.

John Reed Stark of Reed Consulting has come up with some recommendations.  While the paper is 12 pages long, here is the gist of the recommendations.  A link to the paper appears below.

  1. Review overall cyber security policies for adequacy
  2. Eliminate red flags (DUH!)
  3. Create the team (Now, not after a breach)
  4. Protect against identity theft
  5. Get private (protect private data)
  6. Choose the right monitoring technology
  7. Watch out for insiders (Chase learned the hard way)
  8. Consider cyber insurance (Don’t consider it, buy it)
  9. At the first sign of trouble, investigate

There is a ton of information in the articles listed below.

If your head is swimming after reading the articles, contact outside experts (yes, that is self-serving; we do that for financial service companies, but it is very hard to do it yourself).  I liken fixing cyber security in a running business to paving a road while you are driving on it.  Not easy.

Each year the SEC and FINRA visit more businesses and each year their examiners get more knowledgeable about cyber, so don’t think you are going to fool them.

If you start early and have an active program, you are much more likely to get a friendly reception when the examiners come to visit.

It will take quite a while to put together an entire program, so we really do recommend starting early.  It is much easier to put together a program over a year or two rather than trying to get it done in a couple of months after you get that examination report.  If you wait, not only do you have to pay someone like us, but you also have to pay the fines.

LINKS to useful articles:

Cybersecurity and Financial Firms: Bracing for the Regulatory Onslaught by John Reed Stark

SEC National Exam Program risk alert.

SEC examination sweep results summary.

FINRA Report on cyber security practices.

FINRA cyber security report with small business checklist.

SEC Fines Investment Advisor $75,000 For Breach

The SEC and Investment Adviser R.T. Jones (RTJ) came to an agreement last week regarding a breach that RTJ had.

R.T. Jones, an investment advisor in St. Louis with about 8,000 clients, has agreements with retirement plan administrators to offer investment advice to participants in those plans via the web.

To log in to the site the participant enters their name, date of birth and social security number, since that is all secret information (Hint: NOT!).  In order to do that, the information for a hundred thousand POSSIBLE users was stored on the web server, unencrypted.

The web server, hosted at a third party, had administrative rights limited to two employees (that is a good move).  Unfortunately, the server was hacked.

RTJ hired a forensics company to assess the damage.  The investigators concluded that the hack came from multiple IP addresses in mainland China, but that the logs had been destroyed and therefore, there was no way to tell what the hackers took, if anything.

This wasn’t a great outcome, so RTJ hired another firm to see if they could provide a better assessment, but they could not.  In the end, RTJ notified all 100,000 people that their information had been breached.

In hindsight it seems obvious that using your birth date and social as a login is not a great thing to do.

In addition, storing that data unencrypted was not wise, but since the administrative credentials got compromised, the outcome would have been the same whether it was encrypted or not.

The fact that they had information for all possible customers instead of only the few that chose to avail themselves of RTJ’s advice is also a problem.

As the SEC investigated, it turned out that RTJ did not have written security policies, did not conduct periodic risk assessments, did not use a firewall to protect the web server with the client data on it, and lacked other measures that would reasonably be expected.

In the end, the SEC sanctioned them, fined them $75,000 and issued a cease and desist order regarding ever again violating Rule 30(a) of Regulation S-P (safeguarding customer information).

While marketing people say that there is no such thing as bad publicity, this is probably an exception to that saying.

The bad news here is that 92,000 of the people whose information was compromised were not even customers of RTJ.  The plan administrators had provided that information to RTJ as a service to the participants.

Some attorneys are saying that this action, along with the risk alert issued last week, marks a new age for the SEC and that they plan to more aggressively go after brokers and advisers that do not protect customer information.

Information for this post came from the SEC web site.

SEC Issues Risk Alert To Advisors and Brokers

Last week the SEC released what they call a Risk Alert to Investment Advisors and Broker-Dealers saying that they were concerned about the protection of client information because of recent attacks and attempted attacks against the financial community.

In the alert, they laid out the very particular concerns they have in 6 specific areas and said that they are going to start a Cybersecurity Examination Initiative to create better compliance.

They are not saying who is going to get one of these special surprises, how many will, or when.

That being said, the focus of these examinations is applicable to almost every company.

The 6 areas are:

  1. Governance – how are you managing the cyber risk process?  Are the board and C-Suite actively involved?  How often are you doing risk assessments?  Things like that.
  2. Access rights and controls – are you controlling who has access to what systems and what data, and how are you managing that process?
  3. Data loss prevention – monitoring information that goes out of the organization electronically to make sure that it is not going to places that it should not – like China or an employee’s personal storage.
  4. Vendor management – making sure that you are not the next Target or Home Depot – both of whom were done in by vendors who did not manage cyber security appropriately.
  5. Training – while training will not stop all attacks, poorly trained employees may make inappropriate security decisions because they do not understand the risks of their actions.
  6. Incident response –  we have seen that in some breach situations (Sony and OPM come to mind), the companies were not prepared to deal with a breach.  This can turn into a PR disaster and usually increases the cost of recovering from the breach.

So, whether you are a firm that is regulated by the SEC or not, these 6 areas are definitely a good place to start with your cyber risk assessment.  After these areas are handled you can move on to other areas.