The afternoon panel of the SEC-FINRA compliance program, held in Chicago, featured a robust discussion on the evolving cybersecurity threat matrix impacting broker-dealers and some of the best practices developed in response. One major brokerage firm is seeing at least 1000 malicious cyber-intrusion attempts a day, noted Thomas Nelli, a FINRA senior vice president and regional director, and the moderator of the day’s final panel at the 2019 National Compliance Outreach Program for Broker-Dealers held at the Federal Reserve Bank of Chicago.
The event, hosted jointly by the SEC and FINRA, was billed as an open forum for regulators and industry professionals to share strong compliance practices and promote the exchange of ideas to develop an effective compliance structure.
Evolving cyber-threats. At the outset, Nelli looked to Raymond James Financial’s Andy Zolper, the firm’s Chief Information Security Officer and Head of Technology Infrastructure, for a rundown on the latest cyber-threats facing the broker-dealer community. Zolper noted that financial services firms are increasingly becoming the top target for cyber-criminals, adding, “that’s where the money is,” a reference to the famous quote attributed to legendary American bank robber Willie Sutton about why he robbed banks.
Zolper also shared some valuable observations on what he sees developing on the cyber-threat horizon. He noted that cyber-intruders are becoming increasingly patient and persistent. They might remain in a system for a long time after gaining access, observing before striking in a malicious manner. This is behavior that has typically been associated with nation-state actors. He also noted that bad actors will often learn a network from the inside out and then strike with a ransomware attack.
According to Zolper, the cyber-attackers who recently struck the City of Baltimore in a mega-hack that paralyzed the municipality were on the city’s network for months. They figured out where the high-value assets were and then struck mercilessly. Only 70 percent of the city’s computer operations have been restored.
Cyber-criminals are rational actors. Panelist Shamoil Shipchandler, a partner with Jones Day, noted that cyber-intruders cannot price the ransom demands in connection with a ransomware attack too high, and they must be able to deliver the solution for a victim to get back up and running. He noted, with some irony, “cyber-criminals must be reputable.” Zolper also noted that these hackers are rational economic actors in pricing their extortion attempts. If their demands are priced too high, a cyber victim will not deal with them and will explore their alternatives.
What to do now? Both Zolper and Shipchandler offered practical advice in terms of what firms can do now to address these cybersecurity risks. These include:
- Shipchandler posed the intriguing question: Do you know what your firm will do if an FBI agent advises you today that the company has been hacked? He urged firms to consider these important cybersecurity issues now, rather than when they are confronted with a cyber-intrusion in real time. He advised firms to retain a forensic service provider and to review their policies and procedures now rather than at a time when they are under the gun.
- Zolper urged personnel involved in cyber defense at firms to be in communication with their colleagues at other firms, to share information regarding emerging threats facing their organizations, and to share best practices in countering cyber-threats. Zolper pointed to the valuable work done by the Financial Services Information Sharing and Analysis Center (FS-ISAC) in this area.
- Zolper also pointed to the importance of implementing a system for installing security patches and updates. He noted it’s fairly straightforward, but it takes a great deal of discipline and process management to do this really well.
- Shipchandler noted that each firm must dig deep and examine its own unique environment and circumstances. He also observed that firms are often overwhelmed because every regulatory agency has its own checklist in the cybersecurity realm. He stressed that this is not a check-the-box exercise.