Thursday, October 31, 2019

Experts address cybersecurity trends, best practices at fintech webinar

By Jay Fishman, J.D.

The North American Securities Administrators Association, Inc. (NASAA) included a panel discussion on cybersecurity data breaches and the best ways to prevent them as part of its October 29, 2019 Fintech and Cybersecurity Symposium held in Washington D.C. and online. Jake van der Laan, the director and chief information officer of the Information Technology and Regulatory Informatics Division at the Financial and Consumer Services Commission in New Brunswick, Canada moderated the panel. The panelists included David Kelley, the surveillance director at FINRA’s Kansas City District Office; Assunta Vivolo, the assistant director of the Cyber Unit at the SEC’s Philadelphia Regional Office; and Charles de Simone, the vice president of Technology and Operations for the Securities Industry and Financial Markets Association (SIFMA).

Van der Laan underscored the topic’s importance by first citing the significant Equifax, Yahoo, Marriott, and Capital One data breaches of the past three years, and then adding two statistics: that by 2020 there will be six billion Internet users who could become cyberattack victims, and that 250 pieces of malicious software are released daily to perpetrate those attacks.

Van der Laan asked the panelists the following questions:
  1. What types of data breaches are you seeing now and predict for the future?
  2. How should firms manage their risk now and in the future?
  3. What help is there for a firm’s clients and U.S. citizens to prevent cyberattacks to their own data?

What types of data breaches are you seeing now and predict for the future? Kelley said that FINRA’s staff, when going on broker-dealer firm examinations, have asked members about the types of cyberattacks they have been subjected to. The firms replied: (1) phishing emails; (2) account compromise; (3) imposter websites; (4) ransomware; and (5) malware. Kelley and Vivolo both remarked on the rise of two types of imposter websites, one type where the firm already has a legitimate website but a copycat website suddenly appears containing the same accurate information about the firm and perfect photos of its executives.

The criminals try to lure unsuspecting clients to add their personal, confidential information onto the fake website before the firm or regulatory authorities discover the scam. The other type occurs when a firm does not have a website and then suddenly has one. The sudden website is, of course, fake.

All three panelists additionally mentioned a rise in client accounts being compromised inadvertently through third parties. De Simone said that this type of data breach begins innocently when a firm entrusts a third-party vendor to provide the technology for protecting the firm’s clients’ account data. The third party itself might be trustworthy but may rely on a fourth-party vendor to supply the nuts and bolts of that technology, and that fourth party could cause the data breach. Essentially, the firm does not become aware of the client data breach until it is too late, because the firm contracted directly only with the third party and so was not even aware of the fourth party’s existence.

The panelists also proclaimed a rise in cyberattacks caused by company insiders, whether malicious or unintentional. The panelists mentioned the 2017 Verizon data breach caused by a "malicious insider" out for revenge against the company, and cited the statistic that 25 percent of all data breaches are caused by insiders. The "unintentional insider" they described as a "weak link in the company" who may be a fine person but believes he or she is doing a good deed in relaying confidential data to someone outside the company, who then carries out the attack.

How should firms manage their risk now and in the future? Regarding data breaches that occur through account compromise, Vivolo said that firms should create and require a two-tiered authentication process for accessing client account information. Concerning insiders, de Simone stated that SIFMA encourages its members to create an insider threat program to train employees on the steps to take to mitigate cyberattacks. All the panelists agreed that it is much easier to proactively create and test cyberattack programs before an attack occurs than to wait until an attack happens.

But Kelley and Vivolo emphasized that there is no "one size fits all" approach for all firms. Kelley said that small, medium, and large firms each face different risks, and that the appropriate method also depends on a company’s type of business, which often dictates the type and amount of data it maintains. Kelley said that FINRA tries to assess a member firm’s risks by raising the issue when staff performs a field examination, and then hints that the firm should implement a data breach prevention program. He stressed the importance of having these talks with firms, especially in light of FINRA’s discovery that many firms do not even know where their data is stored. Vivolo added that assessing the risks of data stored in the cloud is increasingly a concern because many firms now rely on the cloud to store their data. She also stressed the importance of firms knowing whether their critical data is being stored by a fourth party, because in the event of a breach, the firm itself will be liable.

Vivolo also mentioned that SEC Regulations SCI, S-ID, and S-P were promulgated to help issuers and firms assess their cybersecurity risks. And de Simone urged firms to hire enough people to work on cybersecurity matters behind the scenes in their offices so that the firm’s consulting cybersecurity technology experts can proactively address the problem in the field.

Concerning the future, the panelists remarked upon the increase in insurance companies selling firms cybersecurity insurance. The panelists agreed that having this insurance is a good idea in the event of a cybersecurity attack, which they declared will inevitably happen to every firm. The panelists further noted that the process of applying for the insurance is itself beneficial if, in order to calculate the amount of coverage a firm needs, it forces the firm to assess its cybersecurity assets, its data, where the data is stored, and the risk of that data being subject to cyberattack.

What help is there for a firm’s clients and U.S. citizens to prevent cyberattacks to their own data? All the panelists emphasized that firms alone cannot prevent cyberattacks. They said that it is up to everyone in the chain, including the firms’ clients and U.S. citizens, to bear some of the responsibility at the community level. The panelists said, for example, that individuals can take steps to mitigate data breaches by protecting their router, using a two-tiered authentication process to access data, updating their devices’ virus protection, and installing patches.

When van der Laan asked the panelists what they are doing to help citizens protect themselves from data breaches, Kelley remarked that FINRA’s website now has a web page providing cyber information as hot topics develop. Vivolo mentioned the SEC’s investor.gov website, together with the Commission’s Office of Investor Advocacy and Education. And de Simone said that SIFMA members routinely inform their clients about cybersecurity issues to protect them from attack.