Tag: cybersecurity

Tech Company Fined $5.1 Billion for Failing to Disclose Customer Data Violations

The SEC fined a large technology company $100 Million for misleading shareholders in public filings about breaches of its policies protecting user information.  The firm was also fined $5 Billion by the FTC.   According to the SEC, the firm knew in 2015 that a researcher had violated its policies by obtaining and transferring confidential user data to a third party research firm.  Regardless, the defendant’s public filings for the next two years presented the risk of misappropriated data as hypothetical even though the researcher had already transferred the data and admitted the scheme to the defendant.  The SEC charged the company with violating the securities laws by issuing several misleading public filings.

Last February the SEC issued cybersecurity guidance to public companies about their obligations to fully disclose cybersecurity risks and incidents.  If public companies didn’t take the SEC seriously then, we expect that the combined $5.1 Billion in fines will garner attention.  For asset managers and broker-dealers, in addition to implementing required customer data protections, they must also consider their disclosures in Form ADV and Form BD as well as any relevant offering documents. 

SEC Alerts RIAs/BDs to Cloud Provider Monitoring Obligations

The SEC’s Office of Compliance Inspections and Examinations (OCIE) has issued a Risk Alert warning firms to monitor and supervise third-party cloud providers that house their regulatory data. OCIE has observed many firms failing to properly configure security settings and thereby neglecting to utilize available security services such as encryption and password protection. OCIE has also seen weak oversight of third-party cloud providers, including failures to assess information security and to utilize available security features. OCIE would like to see significant policies and procedures addressing the installation, maintenance and review of network storage solutions, as well as robust vendor management policies that require the regular implementation of software patches and hardware updates.

Firms can (and probably should) outsource their network and data storage to qualified vendors, but they cannot abdicate their responsibilities to ensure the data is protected from unauthorized intrusion. The compli-pros must work with the IT folks to assess the cloud provider’s ongoing compliance.

FINRA Report Recommends Cybersecurity Best Practices

FINRA has issued a report on cybersecurity best practices to assist firms in the development of their cybersecurity programs.  FINRA notes that it continues to see “problematic cybersecurity practices” during examinations and that firms identify cybersecurity as a “primary operational risk.”  The report focuses on strengthening cybersecurity controls in branch offices, ways to limit phishing attacks, how to mitigate insider threats, the elements of an effective penetration testing program, and adequate controls for mobile devices.  The report also includes an appendix that lists core cybersecurity controls for small firms including patch maintenance, access management, vulnerability scanning, and email protection. 

The 19-page report does a good job describing every cybersecurity nightmare scenario, which may be instructive for those C-suite executives still in denial.  The best part of the report is the small firm appendix that focuses on key issues. 

SEC Warns Firms to Take Action Against Cyber-Frauds

The SEC has issued an investigative report that advises public companies to enhance internal accounting controls to prevent losses from cyber-related frauds.  The SEC report describes frauds at 9 issuers that involved spoofed emails and false vendor invoices, which resulted in significant losses when internal employees transferred funds to the wrongdoers.  One of the companies made 14 wire payments, resulting in a loss of over $45 Million.  Another paid 8 invoices totaling $1.5 Million.  Although the SEC did not bring enforcement actions against these registrants, the SEC alleges that the companies violated their obligations to implement internal accounting controls sufficient to ensure transactions are only permitted with management’s authorization.  In particular, the SEC advises companies to review and enhance their payment authorization and verification procedures and employee training.  SEC Chairman Jay Clayton warned: “Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies.”

OUR TAKE: You’ve been warned.  The SEC gave these 9 companies a pass, but we don’t expect the same treatment for future violators who should now take action to prevent spoofing and email cyber-frauds. 

Hackers Impersonated Reps to Gain Access to Client Info

A large BD/IA agreed to pay a $1 Million fine and retain an independent compliance consultant as a result of a third-party intrusion into its customer system.  Outside hackers impersonated independent contractor registered representatives and tricked internal IT personnel into changing passwords over the phone.  Although there was no unauthorized transfer of funds, the impersonators were able to access the personally identifiable information of over 5000 customers.  The SEC charged the firm with violating the Safeguards Rule and with failing to implement an effective Identity Theft Prevention Program.  The SEC faulted the firm for allowing outside contractors to use their own equipment, which often had security and encryption problems, and for failing to follow remote session termination procedures.

OUR TAKE:  This is the nightmare scenario for retail BD/IAs.  The desire to make life easier for the producing reps creates IT vulnerabilities exploited by bad actors.  Our recommendation is to retain an outside firm that can conduct an honest vulnerability assessment.

Internet Company Pays $35 Million for Failing to Timely Disclose Hack of Customer Info

A large publicly traded internet media company agreed to pay a $35 Million fine and cooperate with investigators for failing to timely disclose a hacker breach of more than 500 million client accounts.  The SEC charges that the respondent waited nearly 2 years before disclosing the breach, during which time it filed misleading annual reports, Form 10-Ks, and Form 10-Qs.  Additionally, the SEC accuses the company of filing a stock purchase agreement (as part of a Form 8-K) that included misrepresentations about security breaches, thereby leading to a $350 Million reduction in the purchase price.  A senior SEC official advised: “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”

OUR TAKE: When it comes to cybersecurity incidents, time is not on your side.  Because of the potential harm to clients and investors, it is better to provide immediate disclosure that will be followed up with additional information rather than waiting and thereby compounding the potential harm.  Hacked firms must move quickly to investigate, assess, and remediate the harm to minimize damages.

NYS Attorney General Reports 1500 Data Breaches in 2017

The New York State Attorney General has issued a report indicating that a record 1583 data breaches affecting 9.2 Million New Yorkers were reported to the NYAG in 2017.   The information exposed included social security numbers (40%) and financial account information (33%).  Hacking was the leading cause of the data security breaches.  NYAG Eric Schneiderman warned “My office will continue to hold companies accountable for protecting the personal information they manage.”  The NYAG has urged the New York State legislature to pass the SHIELD Act, which would require companies to adopt reasonable safeguards to protect sensitive data, including relevant policies and procedures.

OUR TAKE: The state regulators have taken a primary role in enforcing data protection safeguards.  Make sure your compliance procedures have the necessary policies and procedures that include governance, incident response, vulnerability assessment, and vendor management.

SEC Issues Cybersecurity Compliance and Disclosure Guidance

The SEC has issued cybersecurity guidance that directs public companies to adopt effective disclosure controls and procedures and overhaul their disclosure about incidents and threats.  The SEC believes that public companies should adopt and implement cybersecurity risk management policies and procedures that ensure timely disclosure, internal reporting, processing of risks and incidents, and prevention of insider trading.  The SEC also admonishes public companies to review all public disclosures including the materiality of incidents and security, risk factors, MD&A disclosure, business description, legal proceedings, financial statements, and board risk oversight.  Firms should also consider disclosing past incidents “in order to place discussions of these risks in the appropriate context.”  The SEC believes that “the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”  The SEC said that it will be reviewing cybersecurity disclosures.

OUR TAKE: We expect institutional investors will add similar cybersecurity inquiries into their Operational Due Diligence processes before choosing an investment firm.  So, even if you do not work for a public company, you should consider implementing the SEC’s recommendations.

Large Insurance Company Settles for $5.5 Million over Data Breach

A large insurance company agreed to pay a total of $5.5 Million to settle charges brought by 32 states resulting from the loss of critical consumer information attributable to a criminal data breach.  According to the Settlement Agreement, the respondent lost the data of 1.27 million customers across the country when hackers exploited a security hole created when the respondent failed to implement a security patch. As part of the settlement, the insurance company agreed to appoint a security patch supervisor, implement security patch policies and procedures, and perform internal assessments.  The New York State Attorney General criticized the respondent for its “true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.”   He warned, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”

OUR TAKE: The NYS Attorney General implies that companies can be held liable for data breaches that result from simple negligence rather than recklessness or intent.  A solid compliance program that includes a robust cybersecurity assessment can help defend charges that a firm acted negligently.

SEC Sweep Yields Cybersecurity Best Practices

The SEC Office of Compliance Inspections and Examinations (OCIE) released the results of its Cybersecurity 2 sweep initiative.  OCIE reviewed policies and procedures and assessed cybersecurity preparedness of 75 firms with respect to governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.  OCIE found that most firms have adopted policies and procedures, conducted penetration tests and vulnerability scans, used a system to prevent data loss, installed software patches, adopted response plans, and conducted vendor risk assessments. OCIE recommended that registrants better tailor policies and procedures, conduct enhanced employee training, replace outdated systems, and ensure remediation of identified vulnerabilities.    OCIE warned that cybersecurity “remains one of the top compliance risks for financial firms” and that it “will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms.”

OUR TAKE: Advisers, broker-dealers, and funds that fail these compliance best practices risk falling behind their competitors and incurring the wrath of the OCIE examiners.  Compliance officers must become conversant in the required elements of an adequate cybersecurity program and implement the required policies and procedures, testing, and remediation.