ELTENI’S CYBER SCOOP
In this newsletter, we uncover additional regulatory rules being approved for Clearing Agencies. Also, the numbers are in, and enforcement actions are up, including SEC settled charges against a broker-dealer and a software company for allegedly providing misleading information regarding cyber incidents. Lastly, the proposed cybersecurity rules for RIAs will now be voted on in April ’24.
SEC Announces Rules to Improve Governance of Clearing Agencies and Prevent Conflict of Interest
The rules establish registrant governance requirements regarding board composition, independent directors, nominating committees, and risk management committees. In addition, the new rules require developing and adopting new policies and procedures around conflict of interest, third-party risk management of core service providers, and the board to consider stakeholder viewpoints.
The release of these rules shows further crackdown from the SEC regarding conflicts of interest with its registrants. An area that leaves companies exposed to potential conflicts of interest is within the vendor management space where a conflict of interest could arise from a person or entity having a vested interest that raises questions of whether their actions, judgement, and/or decision was unbiased when recommending the usage of said vendor to the Board and firm. This further bolsters the argument that firms need a mature and developed Third-Party Risk Management Program
SEC Releases Enforcement Results for Fiscal Year 2023
“The Securities and Exchange Commission today announced that it filed 784 total enforcement actions in fiscal year 2023, a 3 percent increase over fiscal year 2022. In fiscal year 2023 the SEC charged broker-dealer Virtu for allegedly making materially false and misleading statements and omissions regarding information barriers to prevent the misuse of sensitive customer information. The litigation is pending, and the SEC settled charges against software company Blackbaud Inc. for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers. Blackbaud agreed to pay a $3 million civil penalty to settle the charges.”
The mounting frequency of cyber incidents has spurred increased regulatory scrutiny, notably exemplified by the increase in enforcement and the imminent introduction of cybersecurity rules proposed by the SEC. This regulatory momentum underscores a concerted effort to fortify investor protection. While addressing cybersecurity involves various aspects, such as policy development and enforcement, this discourse emphasizes the critical importance of transparency and reporting designed to inform investors of a firm’s capacity to safeguard sensitive information and assets.
Firms must clearly comprehend what necessitates disclosure and reporting, coupled with a well-defined plan for executing these processes. This proactive approach is essential to avoid any adverse repercussions associated with non-compliance. In addition to the potential for enforcement penalties, substantial reputational risk exists for organizations that lack diligence or fail to implement adequate controls and policies for risk management. Firms that institute a robust and well-thought-out cybersecurity program position themselves for readiness not only reducing exposure and risk to cyber incidents but also mitigating the reputational risk tied to the necessity of reporting such issues. A comprehensive and strategic approach to cybersecurity is not merely a regulatory requirement but a proactive stance that fortifies an organization against multifaceted risks in the digital landscape.
Ransomware group reports victim it breached to SEC regulators | Ars Technica
A ransomware crime syndicate, AlphV, filed a complaint with the SEC after breaching digital lending company MeridianLink’s network, informing the SEC that MeridianLink did not disclose the incident, which affected customer data and operational information. Although the new incident disclosure rule hasn’t gone into effect yet, the move shows a new threatening tactic by ransomware groups targeting the financial industry.
In October 2023, Okta disclosed a security incident involving an unidentified threat actor who gained access to their environment and leveraged that access to steal credentials to their support case management system. Okta recently confirmed that all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers were impacted except those in their FedRamp High and DoD IL4 environments. In addition, Okta has now learned that the actor potentially accessed reports containing contact information of all Okta certified users, some Okta Customer Identity Cloud (CIC) customers, and unspecified Okta employee information. Lastly, Okta has confirmed that the data disclosed did not contain credentials or other sensitive personal data.
Several key cybercriminals associated with allegedly targeting over 1,800 cyber victims were arrested in Ukraine on November 21st. Europol states, “The investigation determined that the perpetrators encrypted over 250 servicers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros”.
EU countries and lawmakers have agreed to enact the Cyber Resilience Act, which sets out requirements for the design, development, production and sale of hardware and software products. The rule targets all smart devices connected to the internet in hopes of making a basic cybersecurity threshold for connected devices.
Dozens of government cyber agencies and AI vendors have recently released their Guidelines for Secure AI System Development. The guidelines contain four key areas: secure design, secure development, secure deployment, and secure operation and maintenance. These guidelines are intended to help make AI systems more secure and include recommendations from the CISA Roadmap for Artificial Intelligence.
HOLIDAY SCAM ALERTS
“‘Tis the Season to be Wary: Tips for Cyber Navigating the Holiday”
- E-Greeting Card Scams – More greeting cards are being sent electronically and bad actors may send electronic greeting cards containing malware that can lead to an infection of the network or data loss.
- Prevention: Avoid opening any suspicious email from unknown senders and always confirm the senders domain. Report any suspicious activity to your IT department for further investigation.
- Package Delivery Scams – Many people are shipping and receiving packages during this time of year, bad actors may send fake delivery issue notifications in an attempt to capture data, personal information or payment.
- Prevention: Always verify such notifications directly with the delivery service using their official contact information on their website.
- Fake Charities – In this time of giving, bad actors may create fake charity websites or send unsolicited emails requesting donations for supposed special causes.
- Prevention: Confirm the legitimacy of the charity in question through alternative channels before donating.
- Travel – Many people travel to visit friends and family this time of year so bad actors may take advantage and may post fake travel deals or issues with airlines to trick users into providing their personal information or making payments.
- Prevention: Only rely on travel deals and flight information from legitimate airlines travel agencies or platforms (e.g., AAA, Orbitz, Kayak, etc.).
- Google Searches / Lookalike Websites – bad actors may create fraudulent websites to entice individuals with deals on the most popular items of the holiday season to capture personal information or steal login details or account information to the real website.
- Prevention: Only use legitimate, reputable retailers online.
- Ads on Social Media Platforms – bad actors may use social media platforms to post fake holiday contests, quizzes, or giveaways to collect personal information.
- Prevention: Avoid clicking on advertisements, participating in contests, quizzes, or giveaways via social media platforms during the holiday unless the source can be verified.
- Gift Card Scams – bad actors will impersonate friends, family, and/or management to request gift card codes for an emergency or last-minute holiday gift.
- Prevention: Always verify the request being made directly with the individual via a callback or other alternative communication channels. If the request comes from your employer, colleague, or through a work-approved communication channel, report the suspicious request(s) to your IT department for further investigation.
- Malicious Mobile Apps – bad actors may create fake holiday-themed apps that contain malware which could infect the device and potentially steal the user’s sensitive information.
- Prevention: Avoid downloading questionable applications from unknown sources, especially gaming applications, during the holiday season. If a user downloads a suspicious mobile application, ensure it is deleted promptly and the mobile device evaluated by your IT team.
DECODE THE TERMS
Pretexting in cybersecurity refers to the practice of using deceptive tactics to obtain sensitive information or access to secure systems. It involves creating a fabricated pretext or scenario to manipulate individuals into disclosing confidential data, such as login credentials or personal information. This social engineering technique often relies on psychological manipulation and false identity creation to trick unsuspecting targets. Pre-texting can be a precursor to more advanced cyber-attacks, making awareness and vigilance crucial in preventing unauthorized access and information breaches.
A “Trojan Horse” in cybersecurity refers to malicious software disguised as legitimate or benign programs. Named after the ancient Greek story, this type of malware deceives users by appearing harmless but, once executed, secretly enables unauthorized access or activities on the victim’s system. Unlike viruses or worms, Trojans do not replicate themselves but can cause significant damage, such as stealing sensitive information, providing backdoor access for attackers, or delivering additional malware. Vigilance in avoiding suspicious downloads and regularly updating security software are essential to defend against Trojan Horse threats.