ELTENI’S CYBER SCOOP
In this newsletter, we cover an SEC Director’s op-ed on disclosure rules and a major international cybersecurity crackdown by law enforcement.
SEC Director of Corporation Finance weighs in on Cybersecurity Disclosures Rules
The Director of the SEC’s Division of Corporation Finance provided his thoughts and opinions on the incident disclosure requirements for publicly traded companies. Comments received from the public in 2022 were used to draft the final rules on disclosure of an incident by a publicly traded entity. Disclosure improvements were needed due to the increasing reliance on electronic systems, remote work options, the monetization of cybersecurity incidents, digital payments, and the use of third-party IT Managed Service Providers (MSPs). In addition, the cost associated with an incident is increasing for organizations within the financial industry. The Director goes on to provide additional details regarding the disclosure rule and what needs to be disclosed, the delay of reporting in support of national security and public safety, the annual disclosure of firm risk management, strategy, and governance practices, and the availability of SEC staff to discuss the new disclosure provisions as firms work to adopt these requirements in 2024.
The discourse on the disclosure and reporting of cybersecurity incidents and governance has gained paramount significance in the ongoing battle to prevent such incidents. Beyond merely ensuring transparency for investors to safeguard their assets, the exchange of information serves as a crucial tool in offering insights and assistance to those facing similar risks. The implementation of disclosure rules may also compel companies to enhance their diligence in managing their cybersecurity programs. Specifically, bolstering their incident response plans and documentation will be vital to ensure effective and efficient compliance with disclosure and reporting requirements. The relative effectiveness of this rule on public companies will certainly impact how this topic may be approached with non-public entities when the proposed rules are finalized.
International Police Operation Arrests 3,500 Cyber Criminals Targeting the Financial Industry
For six months, from July to December, a multi-country operation codenamed “HAECHI-IV” investigated cyber criminals targeting the financial industry, with a focus on voice phishing, romance scams, online sextortion, investment fraud, money laundering, and similar crimes. The investigation resulted in the arrest of 3,500 individuals from 34 countries and the seizure of more than $300 million in assets.
First and foremost, it is commendable to witness authorities actively pursuing perpetrators as part of our collective efforts to safeguard against cybersecurity events. This proactive approach is crucial in preventing potential future threats. The comprehensive, vast, and complex nature of this enforcement initiative emphasizes the challenges associated with combating cybersecurity threats and recovering lost assets. The repercussions extend beyond virtual assets to encompass tangible hard currency, underscoring the urgency for a robust and meticulous cyber program. A well-rounded program should incorporate a blend of technical, logical, and administrative controls. These controls need to be clearly articulated in policies that not only guide processes but also ensure the dissemination of sufficient education and advisories across the entire business.
In response to President Biden’s Executive Order on developing safe, secure, and trustworthy uses of AI, the Department of Commerce’s National Institute of Standards and Technology (NIST) has issued a Request for Information (RFI) asking the public to assist in developing guidelines and standards for the use of AI. The RFI focuses on AI red-teaming, generative AI risk management, reducing the risks posed by synthetic content, and instituting standards for the development of AI. Responses are being accepted until February 2, 2024.
A decryption tool was released on Monday, December 25th by the Justice Department to assist victims of the Alphv Group in removing the malicious software that locked up their networks and demanded payment to unlock their systems. The Alphv Group is most recently known for its cyberattack on MGM Resorts in September 2023. MGM reported a loss of $100 million due to the attack, which required a shutdown of its computer systems and resulted in the closure of casino floors, email outages, and non-functioning keycards. The Justice Department does not believe this will have a lasting impact on the Alphv Group, as its members are believed to be based in Russia, where U.S. law enforcement has no authority. However, with this decryption tool victims can begin to secure their systems again by removing the malicious software.
Ransomware groups are targeting unmanaged devices to encrypt data via remote encryption. Malicious activity on unmanaged devices cannot be detected, and a firm’s remediation processes will be ineffective during the investigation. Microsoft revealed in Q4 of 2023 that more than 80% of incidents originated from unmanaged devices. As attacks evolve to target systems beyond Windows, sell stolen data on the dark web, and use unusual programming languages, it is increasingly important to manage all devices with access to the network and/or client data so that detection and incident response processes remain effective.
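With remote encryption, the only vantage point a defender has is the file server itself, since the device doing the encrypting runs no agent. The following is an added illustration (not from the newsletter or any product) of that server-side view: it parses a constructed, hypothetical file-server audit log, compares each client host against a constructed managed-device inventory, and flags hosts that are either absent from the inventory or that write and rename files in a burst typical of bulk encryption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-server audit events (hypothetical format); "src" is the client host.
AUDIT_LOG = """\
2023-12-20T09:00:01 src=WKS-ACCT-02 op=READ path=/finance/q3.xlsx
2023-12-20T09:00:05 src=WKS-ACCT-02 op=WRITE path=/finance/q3.xlsx
2023-12-20T09:01:00 src=UNKNOWN-PC op=WRITE path=/finance/q3.xlsx
2023-12-20T09:01:00 src=UNKNOWN-PC op=RENAME path=/finance/q3.xlsx.locked
2023-12-20T09:01:01 src=UNKNOWN-PC op=WRITE path=/finance/budget.docx
2023-12-20T09:01:01 src=UNKNOWN-PC op=RENAME path=/finance/budget.docx.locked
2023-12-20T09:01:02 src=UNKNOWN-PC op=WRITE path=/hr/payroll.csv
2023-12-20T09:01:02 src=UNKNOWN-PC op=RENAME path=/hr/payroll.csv.locked
2023-12-20T09:30:00 src=LAPTOP-17 op=WRITE path=/sales/notes.txt
"""

MANAGED_HOSTS = {"WKS-ACCT-02", "LAPTOP-17"}   # constructed device inventory
WINDOW = timedelta(seconds=60)                  # sliding burst window
THRESHOLD = 5                                   # modifying ops per window that trigger a flag

def parse_event(line):
    """Parse one audit line into (timestamp, host, op, path)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["op"], fields["path"]

def find_suspects(log, managed, window=WINDOW, threshold=THRESHOLD):
    """Return {host: {"unmanaged": bool, "max_burst": int, "files": int}} for hosts that
    modify files while missing from the inventory, or whose WRITE/RENAME burst hits the threshold."""
    by_host = defaultdict(list)
    for line in log.strip().splitlines():
        ts, host, op, path = parse_event(line)
        if op in ("WRITE", "RENAME"):          # only modifying operations matter here
            by_host[host].append((ts, path))
    suspects = {}
    for host, events in by_host.items():
        events.sort()
        start, max_burst = 0, 0
        for i, (ts, _) in enumerate(events):   # sliding window over sorted timestamps
            while ts - events[start][0] > window:
                start += 1
            max_burst = max(max_burst, i - start + 1)
        unmanaged = host not in managed
        if unmanaged or max_burst >= threshold:
            suspects[host] = {"unmanaged": unmanaged, "max_burst": max_burst,
                              "files": len({p for _, p in events})}
    return suspects

if __name__ == "__main__":
    for host, info in find_suspects(AUDIT_LOG, MANAGED_HOSTS).items():
        print(host, info)
```

On the constructed log only UNKNOWN-PC is flagged: it is not in the inventory and performs six modifying operations on six paths within two seconds, while the managed hosts’ single writes stay below the threshold.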
DECODE THE TERMS
WISP – In the context of cybersecurity, refers to a Written Information Security Policy. This policy is a document that outlines an organization’s approach to securing its information assets. It serves as a comprehensive guide that defines the security controls, processes, and practices used to protect sensitive information from unauthorized access, disclosure, alteration, and destruction.
IRP – In the context of cybersecurity, IRP commonly stands for “Incident Response Plan.” An Incident Response Plan is a set of documented procedures and guidelines that an organization follows when responding to and managing security incidents. The primary goal of an IRP is to minimize damage and reduce recovery time and costs. An effective Incident Response Plan is crucial for organizations to effectively manage security incidents, ranging from cyberattacks to data breaches. It helps ensure a coordinated and efficient response, minimizes the impact of incidents, and facilitates a quicker return to normal operations. Additionally, having a well-documented plan is often a requirement for regulatory compliance in various industries.
TTX/TTE – Commonly referred to as a Tabletop Exercise, this is a type of simulated training activity that allows individuals or teams within an organization to practice and evaluate their response to a hypothetical scenario, typically related to an incident or crisis. The term “tabletop” refers to the fact that the exercise usually takes place in a conference room or similar setting, where participants gather around a table to discuss and simulate their response to a given scenario. Often this is a test of your Incident Response Plan. Tabletop Exercises are valuable tools for enhancing an organization’s preparedness for real-world incidents. They help teams develop a shared understanding of roles and responsibilities, improve communication and coordination, and identify gaps in policies and procedures. Conducting regular Tabletop Exercises is a proactive approach to refining and testing an organization’s incident response capabilities.