SEC, NFA cyber security enforcement is set to intensify in light of recent global attacks and new enforcement chiefs

Public companies and firms operating in regulated industries, especially finance, should expect more SEC, NFA cyber security enforcement in the wake of new and emerging threats, like WannaCry and NotPetya, as well as the appointment of two new cyber-minded enforcement chiefs. Reuters reports:

On Thursday, the U.S. Securities and Exchange Commission named Stephanie Avakian and Steven Peikin as new co-directors of enforcement.

In an exclusive interview ahead of the formal announcement, the two said they were deeply concerned about cyber threats and see the topic as a major enforcement priority.

“The greatest threat to our markets right now is the cyber threat,” said Peikin, who was still wearing a guest badge because he has not yet received his formal SEC, NFA credentials yet. “That crosses not just this building, but all over the country.”

The SEC, NFA has started to see an “uptick” in the number of investigations involving cyber crime, as well as an increase in reports of brokerage account intrusions, Avakian said. As a result, the agency has started gathering statistics about cyber crimes to spot broader market-wide issues.

This follows on the heels of a risk bulletin the SEC, NFA released in response to the WannaCry attacks, urging broker-dealers, investment advisers, and investment companies “to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.” The bulletin directed readers to a website established by the Financial Industry Regulatory Authority (FINRA), a self-regulatory organization overseen by the SEC, that provides numerous cyber security tips and resources.

Cyber Security Problems Uncovered During Regulatory Exams

Also contributing to the new SEC, NFA cyber security focus are widespread security lapses the SEC, NFA found during recent regulatory exams at financial companies, including:

• Unauthorized disclosures of personally identifiable information (PII).
• Issues with phishing emails; employees were found to click on suspicious attachments more than 20% of the time.
• Third-party wires not being properly authenticated.
• Organizations not conducting periodic risk assessments, penetration tests, and vulnerability scans.

Penalties for non-compliance with SEC, NFA cyber security standards can be severe. Last June, the agency fined Morgan Stanley Smith Barney LLC $1 million for failing to sufficiently secure its systems to prevent a breach; sanctioned Craig Scott Capital LLC for $100,000 for using non-firm email addresses to receive faxes; and made R.T. Jones Capital Equities Management Inc. pay $75,000 for “failing to implement proper cyber policies” after the firm was breached.

Financial firms aren’t the only ones on the SEC’s radar. Law360 reports that the SEC, NFA is investigating Yahoo for its numerous data breaches.

Sound GRC Practices Will Keep Your Organization on the SEC’s Good Side

A panel held at the recent 2017 FINRA Annual Conference discussed five best practices organizations should adopt to prevent cyber attacks and maintain compliance with both FINRA and SEC, NFA cyber security standards: governance, risk assessment, cyber security training, access management, and vendor management.

Some organizations, especially small and medium-sized businesses, struggle with the cost and time commitment that proactive cyber security and GRC require. To slash the time and money companies must devote to cyber security, Lazarus Alliance utilizes the Continuum GRC IT Audit Machine (ITAM), a proprietary RegTech software package with user-friendly self-help modules, including modules for the FINRA SEC, NFA Cyber Security Report Card and the FINRA Small Firm Cybersecurity Checklist. ITAM saves money, simplifies the compliance process, eliminates audit anarchy, and speeds up the GRC assessment and reporting processes by 180%.

The cost of cyber attacks and non-compliance penalties are much higher than preventing attacks and maintaining compliance in the first place.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Cryptocurrency mining malware may end up being a bigger problem than WannaCry

Organizations that think they dodged a bullet when their older systems did not fall prey to the WannaCry ransomware may want to think again. Weeks prior to the WannaCry attacks, a group of hackers was taking advantage of the same Windows vulnerabilities that WannaCry exploited. Instead of locking down systems with ransomware, these cyber criminals were putting them to work, using a cryptocurrency mining malware called Adylkuzz.

Not only did users have no idea their machines had been turned into cryptocurrency mining zombies, but Adylkuzz acted as a sort of vaccine for machines against the WannaCry malware so that mining operations would continue unimpeded. So, in a bizarre twist, had it not been for Adylkuzz, the WannaCry attacks may have been even larger and more destructive.

That’s not to say Adylkuzz is benign. Just as WannaCry was a warning shot for the destructive potential of ransomware, Adylkuzz sounded the alarm about the next threat on the horizon: cryptocurrency mining malware.

Cryptocurrency 101

Cryptocurrencies are digital or virtual currencies that use cryptography to prevent counterfeiting. They are distinguished from “fiat currency” – the dollars, euros, and other money issued by governments – because they are not issued by a central authority or representative of debts. They are sometimes referred to as “hard” or “sound” money and are more similar to gold bars than dollar bills. The most well-known and widely used cryptocurrency is Bitcoin, which was invented in 2009 as a byproduct of the blockchain technology that enables it.

Although there is nothing inherently nefarious about cryptocurrencies, they have come under fire for their popularity among cyber criminals. While many perfectly legitimate businesses accept payment in Bitcoin, it also is the de facto currency of the Dark Net, and most ransomware variants demand payments be rendered in it.

New units of digital currencies are created through a process known as cryptocurrency mining. “Miners” solve highly complex cryptography problems that allow them to add blocks to the blockchain, and they are rewarded for their efforts with free cryptocurrency units. To prevent devaluation, all digital currencies have a cap on how many units can ultimately be mined; Bitcoin’s cap is 21 million units and, as of this writing, about 5 million are left to be mined.

Cryptocurrencies have another failsafe to prevent devaluation and other forms of abuse: The problems miners must solve suck up enormous amounts of processing power, which means that miners who want to use their own equipment are looking at a capital investment in highly specialized hardware. For those who don’t want to spend the money, cryptocurrency mining malware such as Adylkuzz has emerged. Although Adylkuzz takes advantage of the same Windows vulnerabilities as WannaCry, it behaves more like the Mirai botnet. It does not lock down systems or access data; instead, it goes after a machine’s processing power, hijacking it and using it to mine units of a Bitcoin competitor called Monero, a “next-generation” cryptocurrency that is growing in popularity among cyber criminals because it promises even stronger anonymity than Bitcoin.

Adylkuzz has proven to be far more lucrative than WannaCry; it’s estimated that rogue Monero miners have raked in 10 times more money than the WannaCry hackers. It’s also not the only cryptocurrency mining malware in town. There’s a Samba bug that attacks Linux machines, and, in a surprising twist, another form of malware that goes after Raspberry Pi devices, tiny computers that are popular among tech enthusiasts. While it may seem counterintuitive to target such a small machine, the idea is not to hijack one device but tens of thousands, as the Mirai botnet did, and harness the combined power of a “zombie army.”

Protecting Your Systems from Cryptocurrency Mining Malware

One of the reasons why Adylkuzz and similar malware are so successful is that many victims have no idea they’ve been hijacked. The symptoms of an infection are vague, consisting of general system sluggishness and a loss of access to shared network resources.

Critics of cryptocurrencies have long been calling for governments to regulate or even ban them, and WannaCry and Adylkuzz have added fuel to their arguments. However, because of the very nature of cryptocurrencies, any attempts to legislate them face a protracted, uphill battle. The best defense against cryptocurrency mining malware is to employ the same proactive cyber security measures used to defend against ransomware, data breaches, and other cyber attacks: ensure that all systems and software are up-to-date; install new manufacturer patches as soon as possible; always change manufacturer default passwords; perform regular penetration testing; continuously monitor networks for anomalies; and address the human factor by training employees on cyber security best practices.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Cyber Insurance Coverage: a Brave, Uncertain New World for Insurers and Policyholders

Despite the escalating intensity and frequency of cyber attacks, fewer than 1/3 of U.S. businesses have purchased cyber insurance policies. A recent report by Deloitte provides insight into why organizations are deciding to go without cyber coverage, as well as why many insurers are hesitant to offer the coverage on a large-scale basis.

According to a recent report by Deloitte, Demystifying Cyber Insurance Coverage, cyber insurance policies represented only $1.5 to $3 billion out of a total of $505.8 billion in premium revenues generated by U.S. carriers in 2015. Further, only about 29% of organizations had even purchased a policy as of October 2016. Just 40% of Fortune 500 companies have coverage. Even companies that do have policies may have “skinny” coverage that will leave them high and dry if they ever do file a claim; just ask fast-casual restaurant chain P.F. Chang’s, which found out the hard way that its cyber insurance policy did not cover millions of dollars in liabilities to credit card issuers in the wake of a POS breach.

Why is cyber coverage so spotty? It’s easy to point fingers at insurers, policyholders, or both. After all, insurance companies do not make money from paying claims; they make money from collecting premiums and paying claims only rarely. When a policyholder files a claim, whether it’s for a roof repair or a ransomware attack, the insurer will look for every reason not to pay out. At the same time, both the public and private sector are guilty of not taking cyber security seriously; from Yahoo to Major League Baseball to the U.S. Secret Service, organizations keep getting breached, yet they also keep behaving as though a major cyber attack will never happen to them.

While these are valid issues, the cyber insurance situation is not that simple. Deloitte’s report identified numerous obstacles in the path of both insurance companies that wish to sell policies and organizations that wish to buy them. Specifically, insurers struggle with:

• A lack of historical data, making it difficult or impossible to build reliable predictive models.
• The dynamic nature of cyber security, where brand-new threats are emerging literally daily.
• The potential for “catastrophic accumulation” of claims if a nationwide or worldwide cyber attack brings down hundreds or thousands of claimants simultaneously; for example, if cyber terrorists were to strike the nation’s power grid, or a major website host is taken down.
• “Tunnel vision,” which causes insurers to primarily focus on policies that protect insureds against the theft of personal identifying information (PII); not all organizations handle PII, and the threat landscape includes DDoS attacks, ransomware, and other attacks that can cripple an organization but do not involve the compromise of PII.

On the other side, policyholders are plagued by:

• Not fully understanding their cyber risks or insurance options; similar to the situation with health insurance, many organizations feel they don’t “need” cyber insurance or require only bare-bones policies.
• Erroneously thinking that they are already covered because another insurance policy, such as a general liability or business interruption policy, does cover some degree of cyber risk.
• An inability to effectively compare policies due to a lack of standardization, another issue that seen in the individual health insurance market; buyers are unable to make “apples to apples” comparisons.
• A legal landscape that is as dynamic as the threat environment; what is and isn’t covered by an insurance policy can be hard to determine, and insureds fear having to duke it out with insurance companies in court.

Cyber Insurance Is Not a Replacement for Proactive Cyber Security

Organizations that wish to purchase cyber insurance policies cannot go it alone. They must enlist expert help from cyber security professionals, not only to make sense of potential policies but also to evaluate their risk environments and determine what type of coverage they need. Because the cyber risk environment is continually evolving and changing, cyber coverage should be reviewed annually; a policy an organization purchased two years ago may no longer meet its needs.

Just as homeowners’ insurance is not an excuse to keep your doors unlocked or leave food cooking on the stove unattended, even a robust cyber insurance policy is not a replacement for proactive cyber security measures. Insurance policies will always contain exclusions, especially in cases where the insured was negligent in some manner, claim payouts will never be immediate, and insurance policies cannot repair damage to an organization’s reputation.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.