Cyber Threats Grow as Advisers, Companies and Governments Seek Defenses
The threat to advisers, broker-dealers and other financial institutions from cyber assaults is likely to get worse as hackers become more sophisticated and their goals expand. Companies are adopting new best practices while federal and state governments play catch-up, but if what experts say is true, things may get worse before they get better – if they get better at all.
"The world has changed in the past 12 months for cybersecurity in terms of both the threats and the regulatory environment," said Eversheds Sutherland partner and former House Intelligence Committee minority staff director and general counsel Michael Bahar. "The hackers are no longer just looking to steal data. It’s now about data manipulation, extortion, disruption and even destruction."
One question for advisers is whether these new types of hacking are likely to be aimed at them, as opposed to larger companies. Major companies, among them Facebook, Orbitz, Under Armour and Panera Bread, have recently been hacked, although these breaches appear to have been attempts aimed at collecting data, rather than the new types of hacking described by Bahar.
According to Bahar, advisers and broker-dealers have reason to be concerned. Hackers, especially those connected to nation states, tend to test their techniques and capabilities on smaller companies and they allow room for escalation, he said. It is not unreasonable to expect that they would test some of these new hacking programs against small advisers and then move up to larger firms and banks. In addition, "a little bit can go a long way in cyber, especially if your goal as an attacker is to undermine public confidence. Cyber attacks can have an outsized psychological effect, even when they occur at small companies. Word gets out, people get nervous, money gets withdrawn and the integrity of systems can get compromised."
Some of the newer threats are indeed targeting advisory firms, said ACA Aponix partner Raj Bakhru – among them efforts to capture material nonpublic information and fraudulent capital calls to private equity firms (see below for more on these threats).
The good news, said Mayer Brown partner Jeffrey Taft, is that "people are getting more forward on cyber, taking additional steps to comply, and setting up policies and procedures." In addition, he said, most states have now adopted some form of law involving cybersecurity, whether it is merely a data breach notification law, as Alabama and South Dakota have recently done, or more affirmatively adopting regulations that require certain cybersecurity practices, as Colorado did in July 2017 and Vermont did in May 2017.
"Each side is building up its arsenal," said Bakhru.
That said, the SEC’s Office of the Inspector General on April 3 issued its annual report measuring the SEC’s progress in fiscal year 2017 in complying with cybersecurity requirements required under the Federal Information Security Management Act (FISMA). It found that while the agency had made progress in addressing issues found in fiscal year 2016’s report, the SEC was not at the level of information security needed in seven key areas (see related story in this issue for more). Many will also remember that the agency’s EDGAR system was the target of a 2016 breach, the SEC disclosed last September, in which some personally identifiable information was accessed.
"There are going to be evolving standards of care," said Bahar. "Cyber is not a one-and-done. You need to manage the problem, you can’t expect to wholly solve it."
However, noted Taft, "as long as you employ humans, there are going to be mistakes."
Let’s look at some of the new and evolving cyber threats. They range from changes in hackers’ goals to growing sophistication in their methods.
Data manipulation. The danger here is that these attacks, when successful, negatively affect the credibility of the firm or system attacked. "It is not necessarily about theft for monetary gain, but about corrupting the system and even bringing it down," Bahar said. "People lose confidence in a system" when financial statements have altered data and customers don’t know if the numbers are correct. "Suddenly everybody starts taking their money out, causing a run." A reasonable question is what the hacker has to gain from such efforts, since no money is taken. The answer is tied to who these hackers are. "They tend to be nation states, like Russia or North Korea," he said, adding that the attempts to manipulate the 2016 elections can be seen as a starting point. While these attempts have yet to reach advisers and broker-dealers, hacks of a country’s infrastructure – including its electrical grid or its financial system – "are coming," and, as mentioned above, hackers may start with smaller financial firms, including advisers and/or broker-dealers.
Attacks on companies with MNPI. Hackers "used to go after the easy stuff, like names and passwords," said Bakhru. "Now they are targeting private information like MNPI." Attempts to gain access to non-public information have included the hacking of the SEC’s EDGAR system that was disclosed last year, an attack on a press release firm to obtain upcoming earnings announcements that the hacker planned to use for front-running purposes, and an attempted penetration of a major mergers and acquisition firm in an attempt to secure deal data, he said.
Fraudulent capital calls appearing to come from private equity firms. These attacks, which are often not publicly reported, are basically efforts to steal money from funds, said Bakhru.
More sophisticated phishing attempts. Phishing is typically about sending an email with a fraudulent link that the hacker wants the recipient to click, thereby providing the hacker with access to a firm’s information. Since company employees are on to these efforts, hackers are increasingly able to "provide enough information in their email to fool people into believing the mail is genuine and therefore opening the link," Taft said.
Extortion. The May 2017 "WannaCry" worldwide ransomware attack (ACA Insight, 5/22/17) was an example of this, said Bahar. The attack affected organizations in more than 100 countries, including Federal Express in the United States, the National Health Service in Great Britain, universities in China, and the Russian Interior Ministry. Infected computer owners were told that they would have to pay a $300 ransom if they wanted to regain control of their computers. Expect such attacks to occur again, he said.
Firms and governments are taking steps to stop hackers, but with advances in technology and the growing sophistication of attacks, defense is a moving target. Here are some items already done, as well as best practices for advisory firms, broker-dealers and others.
Government action. In addition to passage of state laws and regulations mentioned earlier, there are a number of federal and European actions designed to keep companies safe. The SEC’s Office of Compliance Inspections and Examinations in 2017 issued two cybersecurity risk alerts. The most recent, in August of that year, contained observations from OCIE’s cybersecurity examinations. The upshot was that while examiners found increased cybersecurity preparedness, they also found areas where further improvement was needed – and also provided examples of where it felt effective steps were taken, presumably so firms could consider the same steps themselves. The other risk alert was issued a few months before, in May of 2017. It was a "Cybersecurity: Ransomware Alert," issued in the wake of the WannaCry ransomware attack discussed above. It called on advisers and broker-dealers to consider cyber risk assessments, penetration tests and system maintenance to protect themselves. The SEC’s Division of Investment Management, as far back as April 2015, issued cybersecurity guidance that called on advisers and funds to perform periodic assessments of their data and cybersecurity threats, and create and implement a strategy to prevent and respond to such threats. Aside from these steps from the Commission, the European Union’s General Data Protection Regulation (GDPR) takes effect in May. Among other things, it requires businesses to notify the EU of a breach within 72 hours, places direct obligations on vendors to implement an appropriate security level, and more. "If U.S. companies have a presence in Europe or advertise in Europe, they will likely have to follow the GDPR," Bahar said.
External company identification. Under this practice, which Taft said some firms have adopted, emails that arrive from outside an organization will be marked, either in the subject line or body copy, that they originated outside the company. The idea is to cause recipients to open those emails and any links or attachments they contain a bit more cautiously, he said.
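The external-mail marking Taft describes, as an added example (this is not code from the article or from any firm it quotes): a small gateway routine that parses the From: header, decides whether the sender's domain is the company's own, and prefixes the Subject with a tag. The internal domain "example-adviser.com", the "[EXTERNAL]" tag and the sample messages are all assumptions constructed for the example. Two edge cases are handled deliberately: a display name that looks like an internal address in front of an external mailbox, and a lookalike domain that merely embeds the real company name.

```python
"""Tag inbound mail that originates outside the organization.

Added example; not code from the article or from any firm it quotes.
Assumes a hypothetical internal domain 'example-adviser.com' and a
policy of prefixing the Subject with '[EXTERNAL]'.
"""
import email
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-adviser.com"}  # hypothetical company domain
TAG = "[EXTERNAL]"


def sender_domain(msg):
    """Domain of the From: mailbox, lower-cased, or None if unparsable.

    parseaddr() is used so that a display name is never mistaken for
    the address: '"alice@example-adviser.com" <x@evil.test>' yields
    'evil.test', not the lookalike the reader sees in their client.
    """
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_internal(domain):
    """True only for the company domain itself or a subdomain of it.

    'example-adviser.com.evil.test' does not end with '.example-adviser.com',
    so a lookalike that merely embeds the real name is still external.
    """
    if domain is None:
        return False
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def tag_external(msg):
    """Prefix the Subject when the sender is external. Returns True if tagged."""
    if is_internal(sender_domain(msg)):
        return False
    subject = msg.get("Subject", "")
    if subject.startswith(TAG):
        return False  # already tagged (e.g. a forwarded message); keep idempotent
    del msg["Subject"]  # Message.__setitem__ appends, so drop the old header first
    msg["Subject"] = f"{TAG} {subject}".strip()
    return True


def process_inbound(raw):
    """Parse one raw RFC 5322 message; return (tagged, resulting Subject)."""
    msg = email.message_from_string(raw)
    tagged = tag_external(msg)
    return tagged, msg["Subject"]


# Constructed sample messages (not real mail)
INTERNAL_MAIL = (
    "From: Alice <alice@example-adviser.com>\n"
    "To: bob@example-adviser.com\n"
    "Subject: Q2 numbers\n\nSee attached.\n"
)
SPOOFED_DISPLAY_NAME = (
    'From: "alice@example-adviser.com" <alice@mail.evil.test>\n'
    "To: bob@example-adviser.com\n"
    "Subject: Urgent wire request\n\nPlease process today.\n"
)
LOOKALIKE_DOMAIN = (
    "From: it@example-adviser.com.evil.test\n"
    "To: bob@example-adviser.com\n"
    "Subject: Reset your password\n\nClick here.\n"
)

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, SPOOFED_DISPLAY_NAME, LOOKALIKE_DOMAIN):
        print(process_inbound(raw))
```

The tag is a prompt for caution, not authentication: the From: header is attacker-controlled, so a gateway should still verify SPF, DKIM and DMARC results before treating an untagged message as genuinely internal.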
Document identification. Employees would be required to classify each of their documents at one of several levels (such as public information, confidential information or top secret information). "So if a person was to send a document already classified as ‘top secret,’ the software would not let that document be sent," Taft said. Not many firms have adopted these programs, said Bahar, as "people are reluctant to adopt measures that add friction, one more step before they get to press ‘send.’ But companies are eventually going to do it as threats evolve."
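The "software would not let that document be sent" rule, as an added example (not the article's or any vendor's code): an outbound check that reads a classification label from each attachment and refuses the send when a top secret document is attached, or when a confidential one is addressed outside the firm. The labelling convention (a first line reading "Classification: <level>"), the internal domain "example-adviser.com" and the sample documents are assumptions constructed for the example. The check fails closed: a document with no label, or an unrecognised one, is handled as confidential, so forgetting the label never makes a document easier to send.

```python
"""Outbound gate that enforces document classification labels before send.

Added example; not code from the article or from any firm it quotes.
Assumes a hypothetical labelling convention (the first non-blank line of a
document reads 'Classification: <level>') and a hypothetical internal domain.
"""
import re
from enum import IntEnum

INTERNAL_DOMAINS = {"example-adviser.com"}  # hypothetical company domain


class Level(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    TOP_SECRET = 2


# Accepts 'Classification: Top Secret', 'top-secret', 'TOPSECRET', and so on.
LABEL_RE = re.compile(r"^\s*classification:\s*([a-z][a-z _-]*?)\s*$", re.I)
LABEL_NAMES = {
    "public": Level.PUBLIC,
    "confidential": Level.CONFIDENTIAL,
    "topsecret": Level.TOP_SECRET,
}


def classify(text):
    """Read the label on the first non-blank line of a document.

    Unlabelled or unrecognised documents are treated as CONFIDENTIAL
    (fail closed) rather than PUBLIC.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LABEL_RE.match(line)
        if m:
            key = re.sub(r"[\s_-]", "", m.group(1)).lower()
            return LABEL_NAMES.get(key, Level.CONFIDENTIAL)
        break  # first non-blank line is not a label
    return Level.CONFIDENTIAL


def is_external(address):
    """True unless the recipient is at the company domain or a subdomain of it."""
    if "@" not in address:
        return True
    domain = address.rsplit("@", 1)[1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def check_send(recipients, attachments):
    """Decide whether a message may leave the firm.

    attachments: {filename: document text}. Returns (allowed, reasons).
    TOP_SECRET never goes by email; CONFIDENTIAL may not go to external addresses.
    """
    reasons = []
    external = sorted(r for r in recipients if is_external(r))
    for name, text in attachments.items():
        level = classify(text)
        if level == Level.TOP_SECRET:
            reasons.append(f"{name}: TOP_SECRET documents may not be emailed")
        elif level == Level.CONFIDENTIAL and external:
            reasons.append(
                f"{name}: CONFIDENTIAL document addressed to external "
                f"recipients {', '.join(external)}"
            )
    return not reasons, reasons


# Constructed sample documents (not real client material)
PUBLIC_DOC = "Classification: Public\n\nMarketing brochure summary.\n"
CONFIDENTIAL_DOC = "Classification: Confidential\n\nFund XYZ Q2 position report.\n"
TOP_SECRET_DOC = "Classification: Top-Secret\n\nPending acquisition term sheet.\n"
UNLABELLED_DOC = "Quarterly capital call notice - draft.\n"

if __name__ == "__main__":
    print(check_send(["client@investor.test"], {"brochure.txt": PUBLIC_DOC}))
    print(check_send(["client@investor.test"], {"report.txt": CONFIDENTIAL_DOC}))
    print(check_send(["bob@example-adviser.com"], {"terms.txt": TOP_SECRET_DOC}))
    print(check_send(["client@investor.test"], {"draft.txt": UNLABELLED_DOC}))
```

In a real deployment the label would come from document metadata applied by the classification tool rather than from the first line of text, and the decision would be logged so that blocked sends can be reviewed; the policy logic itself is what this example shows.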
Assess third-party ecosystems. This is simply a way of staying on top of vendors and their cyber security programs, said Bakhru. "Vendors house data and critical operations. Advisers need to assess whether their protections are consistent with the advisers’ own."
Acquisition cybersecurity due diligence. Much like with vendors, companies acquired may have very different, or a less effective, cybersecurity program than that of the companies acquiring them. "You don’t want to buy a huge liability, or some party that’s already been breached," said Bakhru. "Find out prior to the purchase."
More educational programs. Training may sound boring, but conducting it on a regular basis is absolutely essential, particularly to keep up to date on phishing messages, said Taft. Many advisers and broker-dealers are already doing so, in some cases having third parties prepare email phishing messages in attempts to fool them. "It raises the consciousness every time you get an email, and results in effective training, coupled with public shaming for those that fail to comply, which might involve getting reported to a supervisor or having to attend additional training."