Cybersecurity Q&A Series with Michael Marrano, Part 2

Part 2: Cybersecurity Regulators and How They Help You Avoid Cyberattacks

March 2, 2021

Welcome to the second installment of a three-part series on cybersecurity. Protecting sensitive data from theft or unintentional leaks continues to be a top risk for companies and governments alike. Beyond being good cybersecurity hygiene, many cybersecurity best practices are also regulatory requirements, and security gaps can have dire consequences.

To explore this topic further, we sat down with Michael Marrano, the founder of Riskigy, a Certified Information Systems Security Professional (CISSP) and a member of 4THBIN's advisory board, to talk about cybersecurity regulators, their priorities, and the latest in cyber fraud attacks.


Q: So, how can the regulators help you avoid cyberattacks?

A:  It has been over five years since the SEC found registered investment advisor RT Jones violated Rule 30(a) of Regulation S-P and issued a $75,000 penalty. RT Jones failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. RT Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, and maintain a response plan for cybersecurity incidents. It was the first of many disciplinary actions related to cybersecurity in the years to come.

But the regulators do more than discipline member firms. More recently, during the start of the COVID-19 pandemic, FINRA warned member firms of a widespread, spear-phishing campaign that involved fraudulent emails claiming to be FINRA officers. These emails had a source domain name, "," and requested immediate attention to an attachment relating to the firm. 

Regulators provide valuable alerts and guidance, such as the FINRA published Regulatory Notice 20-13, reminding firms to "beware of fraud" during the pandemic. FINRA warned of the increase in these four scams: 

  1. Fraudulent account openings and money transfers
  2. Firm imposter scams
  3. IT Help Desk scams
  4. Business email compromise (BEC) schemes


Q: What are some examples of the latest cyberattacks?

A:  The NY Department of Financial Services (NYDFS) recently issued an industry letter detailing "a systemic and aggressive campaign to exploit cybersecurity flaws in public-facing websites to steal Nonpublic Information (NPI)" and steps that can be taken to secure your data. The campaign is focused on stealing NPI from public-facing websites that display or transmit consumer NPI, including websites that provide an instant quote. The NYDFS was made aware of auto insurers whose websites offering instant online automobile insurance premium quotes were being targeted to steal unredacted driver's license numbers. NYDFS has confirmed that, at least in some cases, this stolen information has been used to submit fraudulent claims for pandemic and unemployment benefits.

Examples of methods used to steal NPI from Auto Quote Websites included: 

  • Taking unredacted NPI from the Auto Quote Websites' Hypertext Markup Language ("HTML") that was not displayed in the rendered webpage but was visible in the HTML.
  • Using developer debug tools to intercept and decode unredacted NPI. In some cases, developer tools were used on the public-facing website to access the HTML code and reshape website frames to view hidden NPI.
  • Manipulating the technology used to redact portions of NPI by using web browser developer tools to access the parts of the websites that redacted data, therefore fully revealing the NPI on the public-facing website.
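All three methods above work for the same reason: the quote page sends the full driver's license number to the browser and relies on client-side masking (a hidden field, CSS, or a script) to hide it, so anything that reads the raw HTML or the DOM in developer tools gets the unredacted value. The following Node.js script is an added example, not code from the interview, from NYDFS, or from any insurer's site. It models a quote page two ways, one with browser-side masking and one with server-side redaction, and runs a simple harvester of the kind an attacker would use over the raw HTML of each. The record, the license-number format, and the HTML layout are constructed for illustration.

```javascript
// Added example: client-side-only redaction versus server-side redaction.
// Constructed sample record; the license number is fictitious.
const quoteRecord = {
  name: "Jane Example",
  driversLicense: "D12345678", // constructed, not a real number
  premium: 842.5,
};

// Keep the last `visible` characters, mask the rest.
function redact(value, visible = 4) {
  const keep = value.slice(-visible);
  return "*".repeat(Math.max(0, value.length - visible)) + keep;
}

// VULNERABLE: the server emits the full value and relies on the browser to
// show only the masked span. The hidden input carries the unredacted number,
// so it is visible in "view source", in the DevTools Elements panel, and to
// any scraper that never renders the page at all.
function renderQuoteVulnerable(rec) {
  return `
<div class="quote">
  <span id="dl-masked">${redact(rec.driversLicense)}</span>
  <input type="hidden" id="dl-full" value="${rec.driversLicense}">
  <span class="premium">$${rec.premium.toFixed(2)}</span>
</div>`;
}

// HARDENED: redaction happens on the server before the response is built.
// The full value never reaches the browser, so no amount of DOM inspection
// or frame manipulation can recover it.
function renderQuoteHardened(rec) {
  const view = { ...rec, driversLicense: redact(rec.driversLicense) };
  return `
<div class="quote">
  <span id="dl-masked">${view.driversLicense}</span>
  <span class="premium">$${view.premium.toFixed(2)}</span>
</div>`;
}

// Attacker's-eye view: pull every attribute value and text node out of the
// raw HTML, ignore rendering, and keep anything shaped like a license number.
// The one-letter-plus-eight-digits format is an assumption for the example.
function harvest(html) {
  const DL_PATTERN = /\b[A-Z]\d{8}\b/g;
  const values = [];
  for (const m of html.matchAll(/(?:value="([^"]*)"|>([^<]+)<)/g)) {
    const v = (m[1] ?? m[2] ?? "").trim();
    if (v) values.push(v);
  }
  return values.flatMap((v) => v.match(DL_PATTERN) ?? []);
}

// Stand-alone demo (Node.js): prints what each page leaks.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable page leaks:", harvest(renderQuoteVulnerable(quoteRecord)));
  console.log("hardened page leaks:  ", harvest(renderQuoteHardened(quoteRecord)));
}
```

The check to run against your own quote pages is the same as `harvest`: fetch the response with a plain HTTP client rather than a browser and grep it for the sensitive fields. If the full value appears anywhere in the bytes the server sent, the masking is cosmetic and the fix belongs on the server.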


Q: How do the regulators determine their priorities? 

A: Regulators' top priority is protecting clients and customers. Current events are a source of priorities, and there is never a shortage of cybersecurity incidents and attacks in the news headlines. There is no rest for the wicked, and the fraudsters are taking no time off during COVID-19. Instead, they are increasing cyber-attacks on organizations across many industries; the most noted are financial services (banks, credit unions, broker-dealers, investment advisors), education (schools, universities, edu-tech), and healthcare services (hospitals, pharmaceutical companies, and the vaccine supply chain).

For the first time ever, employees are being told they must stay home and telecommute. To avoid exposure to the Coronavirus, almost every organization is telling employees to avoid the office and work from home. It may not seem complicated, but for many employees, it's going to be the first time they have ever worked from home. 

What do you think happens when organizations scramble to configure employees to work from home quickly? Mistakes happen when we rush, don't plan, and do not have enough resources (we never have enough tech and cybersecurity resources). Imagine this highly likely scenario: an employee working in Human Resources receives an email from the "CFO" requesting the Social Security Numbers (SSNs) of all employees so they can hurry to update and distribute W-2s. Maybe throw in a couple of lines of urgency and a complaint about the system being down because of the "IT issues." This is a common social engineering tactic during tax season (right now!). Under normal circumstances, such a phishy request might seem irregular and be diverted.


Q:  What about working from home?

A:  While most companies allowed some workers to work from home from time to time, few organizations were prepared to have a large portion, if not all, of their workforce doing it at one time. In addition to ensuring your company had the hardware and software to support this massive change, establishing and enforcing compliance with security guidelines for remote work is just as critical. Believe it or not, some firms still do not have a work-from-home or telecommuting policy, or train employees to work remotely for business continuity.

Working from home (WFH) poses many challenges for cybersecurity, including the use of personal devices, sharing Wi-Fi with your kids, or the temptation to use unauthorized apps or freeware. In May 2020, FINRA published a special alert to help businesses transition to a remote workforce by sharing practices implemented by firms during COVID-19.

FINRA's guidelines included: 

  • How to transition to a remote environment
  • Maintaining supervision in a remote work environment
  • Preserving compliance for the archiving of all customer communications


Q: What can organizations do to prepare for Regulatory requirements?

A:  A company practices good data protection hygiene by developing and implementing data governance. A company data governance program focuses on the confidentiality, integrity, and availability of the company's data and information. The data governance program encompasses the physical, technical, and administrative (operational) control areas of data protection. Developing strong physical, technical, and administrative controls shows that a company has taken reasonable due care for the activities that take place within the company and has taken the necessary steps to protect the company, its customers, and its employees from possible threats.

The increased security risk of remote work reinforces the need to have a plan in place if something goes wrong, and things will go wrong over the coming weeks and months of telecommuting.

Your plan should include:

  • Review of data breach and incident response plans (IRP) to ensure that your organization is prepared to respond to a data breach or security incident. 
  • Business Continuity Plan review and maintenance should coincide with IRP updates. 
  • Update the plans if necessary, review contact information for the incident response team and outside advisors. 
  • Define the roles and responsibilities of team members. 
  • Maintain the location and health status of team members. 
  • Cross-train the team to avoid key-person risk and single points of failure.

To help companies, FINRA recently released its “2021 Report on FINRA’s Examination and Risk Monitoring Program.” The report highlights effective asset management practices such as: "Asset Inventory – Creating and keeping current an inventory of critical information technology assets—including hardware, software, and data—as well as corresponding cybersecurity controls."

These new recommendations are similar to those in FINRA’s 2018 Cybersecurity Report: "Creating processes and selecting firm-approved vendors for the secure disposal of hard copy records and firm computer hardware (e.g., hardware listed in the firm's inventory) that may contain sensitive information."


Final Words

Companies now know that security incidents involving unauthorized access to their customer, employee, and business data are inevitable. A lack of due diligence and due care in data protection can result in significant financial and reputational damage to a company. 

There are resources and companies available to help companies navigate the changing landscape of cybersecurity. A proactive "breach ready" security program combined with a positive security-focused company culture will help build and maintain a strong reputation and clients' trust. Remember, it is not IF, it is WHEN an incident is going to occur. Hope for the best but plan for the worst!


About Michael Marrano:

Michael Marrano is the founder of Riskigy and a cybersecurity professional focused on providing Virtual CISO and cybersecurity services for clients. With his boutique cybersecurity consulting and advisory firm, he provides high-quality services to organizations of all sizes. Michael has been honing his skills as a real-world technology and information security practitioner over the last three decades. Michael is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Information Systems Auditor (CISA) with extensive experience in consulting, audit, and business leadership roles. Michael is the author of “The Human Firewall Builder – Weakest Link to Human Firewall in Seven Days”, a Cyber and Homeland Security master’s scholar at Fairleigh Dickinson University (NJ), and has previously held roles including Senior Principal Cybersecurity Consultant, Managing Director, Chief Technology Officer (CTO), and Chief Information Security Officer (CISO). Connect with Michael today on LinkedIn.
