Part 2: Cybersecurity Regulators and How They Help You Avoid Cyberattacks
Welcome to the second installment of a three-part series on Cybersecurity. Protecting your sensitive data from theft or unintentional leaks continues to be a top risk to companies and governments alike. Aside from good cybersecurity hygiene, many cybersecurity best practices are also regulatory requirements, and security gaps can have dire consequences.
To explore this topic further, we sat down with Michael Marrano, the founder of Riskigy, a Certified Information Systems Security Professional (CISSP) and a member of 4THBIN's advisory board, to talk about cybersecurity regulators, their priorities, and the latest in cyber fraud attacks.
Q: So, how can the regulators help you avoid cyberattacks?
A: It has been over five years since the SEC found registered investment advisor RT Jones violated Rule 30(a) of Regulation SP and issued a $75,000 penalty. RT Jones failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. RT Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, and maintain a response plan for cybersecurity incidents. It was the first of many disciplinary actions related to cybersecurity in the years to come.
But the regulators do more than discipline member firms. More recently, during the start of the COVID-19 pandemic, FINRA warned member firms of a widespread spear-phishing campaign that involved fraudulent emails claiming to be from FINRA officers. These emails had the source domain name "@broker-finra.org" and requested immediate attention to an attachment relating to the firm.
Regulators provide valuable alerts and guidance, such as FINRA's Regulatory Notice 20-13, reminding firms to "beware of fraud" during the pandemic. FINRA warned of the increase in these four scams:
- Fraudulent account openings and money transfers
- Firm imposter scams
- IT Help Desk scams
- Business email compromise (BEC) schemes
Q: What are some examples of the latest cyberattacks?
A: The NY Department of Financial Services (NYDFS) recently issued an industry letter detailing "a systemic and aggressive campaign to exploit cybersecurity flaws in public-facing websites to steal Nonpublic Information (NPI)" and steps that can be taken to secure your data. The campaign is focused on stealing NPI from public-facing websites that display or transmit consumer NPI, including websites that provide an instant quote. The NYDFS was made aware of auto insurers whose websites offering instant online automobile insurance premium quotes were being targeted to steal unredacted driver's license numbers. NYDFS has confirmed that, at least in some cases, this stolen information has been used to submit fraudulent claims for pandemic and unemployment benefits.
Examples of methods used to steal NPI from Auto Quote Websites included:
- Taking unredacted NPI from the Auto Quote Websites' Hypertext Markup Language ("HTML") that was not displayed in the rendered webpage but visible in the HTML.
- Using developer debug tools to intercept and decode unredacted NPI. In some cases, developer tools were used on the public-facing website to access the HTML code and reshape website frames to view hidden NPI.
- Manipulating the technology used to redact portions of NPI by using web browser developer tools to access the parts of the websites that redacted data, therefore fully revealing the NPI on the public-facing website.
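As an added illustration (not part of the interview or of the NYDFS letter), the following Python check is one a site owner could run against the HTML their own quote page actually serves, to catch the failure mode described above: NPI that is masked on screen but still present in the page source. The sample page, the licence-number format and the element names are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (hypothetical, not from any real insurer): the licence
# number is masked on screen, but the full value still reaches the browser in a
# hidden element, a hidden form field and a data-* attribute.
SAMPLE_HTML = """
<div class="quote">
  <span id="dl-visible">Licence: ***-***-1234</span>
  <span id="dl-raw" style="display: none">Licence: 123-456-1234</span>
  <input type="hidden" name="dl_full" value="123-456-1234">
  <div data-license="123-456-1234"></div>
</div>
"""
# Constructed token format; substitute the real field format being protected.
ID_PATTERN = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
VOID = {"input", "br", "img", "meta", "link", "hr"}  # elements with no closing tag

class NPIAuditor(HTMLParser):
    """Records every unmasked ID-like token and whether a user would actually see it."""
    def __init__(self):
        super().__init__()
        self.hidden_stack = []  # one flag per open element: True if it hides its content
        self.findings = []      # (location, token, visible_on_screen)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, val in attrs.items():
            for tok in ID_PATTERN.findall(val or ""):
                # Attribute values (hidden inputs, data-*) are never rendered as text.
                self.findings.append((f"<{tag} {name}>", tok, False))
        if tag not in VOID:
            style = (attrs.get("style") or "").replace(" ", "").lower()
            hides = "display:none" in style or "visibility:hidden" in style or "hidden" in attrs
            self.hidden_stack.append(hides)

    def handle_endtag(self, tag):
        if self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        visible = not any(self.hidden_stack)
        for tok in ID_PATTERN.findall(data):
            self.findings.append(("text", tok, visible))

def audit_redaction(html):
    """Return (location, token, visible) for every full ID-like value in the served HTML."""
    parser = NPIAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings  # any entry is a failure: masking must happen server-side
```

Run `audit_redaction(SAMPLE_HTML)` and every entry it returns is a value the browser received in full; for the sample page all three are hidden from the rendered view, which is exactly the exposure the letter describes.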
Q: How do the regulators determine their priorities?
A: Regulators' top priorities are protecting clients and customers. Current events are a source of priorities, and there is never a shortage of cybersecurity incidents and attacks in the news headlines. There is no rest for the wicked, and the fraudsters are taking no time off during COVID-19. Instead, they are increasing cyberattacks on organizations across many industries, but most noted are financial services such as banks, credit unions, broker-dealers, and investment advisors; schools, universities, and edu-tech; and healthcare services such as hospitals, pharmaceutical companies, and the vaccine supply chain.
For the first time ever, employees are being told they must stay home and telecommute. To avoid exposure to the Coronavirus, almost every organization is telling employees to avoid the office and work from home. It may not seem complicated, but for many employees, it's going to be the first time they have ever worked from home.
What do you think happens when organizations scramble to configure employees to work from home quickly? Mistakes happen when we rush, don't plan, and do not have enough resources (we never have enough Tech and Cybersecurity resources). Imagine this highly likely scenario: an employee working in Human Resources receives an email from the "CFO" requesting the Social Security Numbers (SSN) of all employees so they can hurry to update and distribute W2s. Maybe throw in a couple of lines of urgency and a complaint about the system being down because of the "IT Issues." This is a common social engineering tactic during tax season (right now!). Under normal circumstances, a phishy request might seem irregular and be diverted.
Q: What about working from home?
A: While most companies allowed some workers to work from home from time to time, few organizations were prepared to have a large portion, if not all, of their workforce doing it at one time. In addition to ensuring your company had the hardware and software to support this massive change, establishing and enforcing compliance with security guidelines for remote work is just as critical. Believe it or not, some firms still do not have a work-from-home or telecommuting policy or train employees to work remotely for Business Continuity.
Working from home (WFH) poses many challenges for cybersecurity, including the use of personal devices, sharing Wi-Fi with your kids, or the temptation to use unauthorized apps or freeware. In May 2020, FINRA published a special alert to help businesses transition to a remote workforce by sharing practices implemented by firms during COVID-19.
FINRA's guidelines included:
- How to transition to a remote environment
- Maintaining supervision in a work environment
- Preserving compliance for the archiving of all customer communications
Q: What can organizations do to prepare for Regulatory requirements?
A: A company practices good data protection hygiene by developing and implementing data governance. A company data governance program focuses on the confidentiality, integrity, and availability of the company data and information. The data governance program encompasses the physical, technical, and administrative (operational) control areas of data protection. Developing strong physical, technical, and administrative controls shows that a company has taken reasonable due care for the activities that take place within the company and has taken the necessary steps to protect the company, its customers, and employees from possible threats.
The increased security risk of remote work reinforces the need to have a plan in place if something goes wrong, and things will go wrong over the coming weeks and months of telecommuting.
Your plan should include:
- Review of data breach and incident response plans (IRP) to ensure that your organization is prepared to respond to a data breach or security incident.
- Business Continuity Plan review and maintenance should coincide with IRP updates.
- Update the plans if necessary, and review contact information for the incident response team and outside advisors.
- Define the roles and responsibilities of team members.
- Maintain the location and health status of team members.
- Cross-train the team to avoid key-person risk and single points of failure.
To help companies, FINRA recently released their “2021 Report on FINRA’s Examination and Risk Monitoring Program.” The report highlights effective asset management such as: "Asset Inventory – Creating and keeping current an inventory of critical information technology assets—including hardware, software, and data—as well as corresponding cybersecurity controls."
These new recommendations are similar to FINRA’s 2018 Cybersecurity Report: "Creating processes and selecting firm-approved vendors for the secure disposal of hard copy records and firm computer hardware (e.g., hardware listed in the firm's inventory) that may contain sensitive information."
Companies now know that security incidents involving unauthorized access to their customer, employee, and business data are inevitable. A lack of due diligence and due care in data protection can result in significant financial and reputational damage to a company.
There are resources and companies available to help companies navigate the changing landscape of cybersecurity. A proactive "breach ready" security program combined with a positive security-focused company culture will help build and maintain a strong reputation and clients' trust. Remember, it is not IF, it is WHEN an incident is going to occur. Hope for the best but plan for the worst!
About Michael Marrano:
Michael Marrano is the founder of Riskigy and a cybersecurity professional focused on providing Virtual CISO and Cybersecurity services for clients. With his boutique cybersecurity consulting and advisory firm, he provides high-quality services to organizations of all sizes. Michael has been honing his skills as a real-world technology and information security practitioner over the last three decades. Michael is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA) with extensive experience in consulting, audit, and business leadership roles. Michael is the author of “The Human Firewall Builder – Weakest Link to Human Firewall in Seven Days”, a Cyber and Homeland Security master’s scholar at Fairleigh Dickinson University (NJ), and has previously held roles such as Senior Principal Cybersecurity Consultant, Managing Director, Chief Technology Officer (CTO), and Chief Information Security Officer (CISO). Connect with Michael today on LinkedIn.