
INSIGHT: Cybercrime Is Rising—How to Protect Your Financial Firm

June 4, 2020, 8:00 AM

In what has been referred to as an “unprecedented anomaly,” cybercriminals are increasingly targeting the financial services sector during the Covid-19 coronavirus pandemic, with attacks on banks and other financial institutions spiking by 38% between February and March, according to VMware’s Carbon Black Cloud threat researchers.

This sudden spike has left the financial services sector facing unprecedented challenges in maintaining the required cybersecurity controls and meeting regulatory expectations, while also potentially leaving these firms more exposed to external attacks and breaches.

Carbon Black researchers noted that, of the 52% of attacks targeting the financial services sector in March, 70.9% involved Kryptik, a backdoor Trojan that reaches victims through malicious installers and then attempts to acquire administrative rights in order to modify the registry, all without the user’s knowledge. Without appropriate endpoint visibility tools, this threat can be very hard to spot because it tends to delete its own executable file after running.
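The self-deletion behaviour described above is hard to catch with file scanning alone, because by the time a scan runs the installer is gone; it is far easier to catch from process-level telemetry that records what each process did. The following added example (not from the article, and not Carbon Black’s own detection logic) correlates constructed endpoint events by process: a process that deletes the very image it was launched from, especially after gaining elevation and writing to a persistence-related registry key, is flagged for review. The event schema, field names and log lines are all assumptions constructed for this illustration.

```python
"""Flag installer-style processes that delete their own executable.

Added example, not from the column and not any vendor's detection logic.
The JSON event schema below is an assumption made for this illustration.
"""
import json
from collections import defaultdict

# Constructed telemetry: one JSON event per line, emitted in time order.
# Process 4012 shows the full pattern (elevation, registry write, self-delete);
# 5100 is a benign process deleting a temp file; 6200 self-deletes only.
SAMPLE_EVENTS = r"""
{"ts": 1, "type": "process_start", "pid": 4012, "image": "C:\\Users\\a\\Downloads\\setup_update.exe", "elevated": false}
{"ts": 2, "type": "privilege_change", "pid": 4012, "elevated": true}
{"ts": 3, "type": "registry_set", "pid": 4012, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"}
{"ts": 4, "type": "file_delete", "pid": 4012, "path": "c:\\users\\a\\downloads\\SETUP_UPDATE.EXE"}
{"ts": 5, "type": "process_start", "pid": 5100, "image": "C:\\Program Files\\Vendor\\app.exe", "elevated": false}
{"ts": 6, "type": "file_delete", "pid": 5100, "path": "C:\\Users\\a\\AppData\\Local\\Temp\\cache.tmp"}
{"ts": 7, "type": "process_start", "pid": 6200, "image": "C:\\Users\\a\\Downloads\\tool.exe", "elevated": false}
{"ts": 8, "type": "file_delete", "pid": 6200, "path": "C:\\Users\\a\\Downloads\\tool.exe"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda ev: ev["ts"])


def _norm(path):
    """Normalise a Windows path for comparison (case and separators)."""
    return path.replace("/", "\\").lower()


def score_processes(events):
    """Aggregate per-process indicators from the event stream."""
    procs = defaultdict(lambda: {
        "image": None, "elevated": False, "registry_writes": 0, "self_delete": False,
    })
    for ev in events:
        p = procs[ev["pid"]]
        kind = ev["type"]
        if kind == "process_start":
            p["image"] = ev["image"]
            p["elevated"] = p["elevated"] or bool(ev.get("elevated"))
        elif kind == "privilege_change":
            p["elevated"] = p["elevated"] or bool(ev.get("elevated"))
        elif kind == "registry_set":
            p["registry_writes"] += 1
        elif kind == "file_delete":
            # The key indicator: the deleted file is the process's own image.
            if p["image"] is not None and _norm(ev["path"]) == _norm(p["image"]):
                p["self_delete"] = True
    return procs


def find_suspicious(events):
    """Return {pid: finding} for every process that deleted its own image.

    Severity is 'high' when self-deletion is combined with both elevation
    and a registry write (the installer pattern described in the text),
    otherwise 'medium' so an analyst still sees it.
    """
    findings = {}
    for pid, p in score_processes(events).items():
        if not p["self_delete"]:
            continue
        indicators = ["self_delete"]
        if p["elevated"]:
            indicators.append("elevated")
        if p["registry_writes"]:
            indicators.append("registry_write")
        severity = "high" if len(indicators) == 3 else "medium"
        findings[pid] = {"image": p["image"], "indicators": indicators, "severity": severity}
    return findings


if __name__ == "__main__":
    for pid, f in find_suspicious(parse_events(SAMPLE_EVENTS)).items():
        print(pid, f["severity"], f["image"], ", ".join(f["indicators"]))
```

Because the rule keys on the relationship between a process and its own image rather than on a file hash or name, it still fires when the executable is renamed or repacked; the trade-off is that legitimate self-updating installers also delete themselves, which is why the result is a triage finding rather than an automatic block.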

Vigilance Is More Important Than Ever

Increased vigilance and visibility into enterprise-wide endpoint activity are more important than ever, as the Covid-19 global pandemic has created a virtual environment ripe for cyber fraud, and cybercriminals are focusing their efforts specifically on private fund managers and financial organizations.

This increase is further evidenced by the joint advisory issued April 8 by the U.K.’s National Cyber Security Centre (NCSC) and the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). The advisory discusses the escalating attempts by cybercriminals and advanced persistent threat groups to exploit the Covid-19 pandemic with a range of ransomware, malware, and other malicious attacks.

The sensitive and financial data held by certain entities, such as investment firms, banks, and financial institutions, makes them attractive targets for cybercriminals. The Financial Crimes Enforcement Network (FinCEN) recently reminded financial institutions to “remain alert about malicious and fraudulent transactions similar to those that occur in the wake of natural disasters.”

Many malicious cyber actors are using the current challenge to attempt to swindle individuals and institutions out of money through Business Email Compromise, ransomware attacks, phishing scams, and telework software vulnerabilities.

Regulator Interest Increasing

As interest in financial organizations has increased among cybercriminals, so too has interest in protecting data privacy among regulators. Regulation S-P, the SEC’s primary rule on privacy notices and safeguard policies, follows much broader laws and regulations adopted by various states requiring an array of privacy and security programs, safeguarding of records, and notification requirements in the event of an information security breach.

As every investment adviser, broker-dealer, and fund manager knows, noncompliance with Regulation S-P and its state law analogs can lead to time-consuming and costly examinations, investigations, and, occasionally, enforcement actions. What noncompliance looks like, however, has not always been clear.

On Jan. 7, even before the Covid-19 crisis had fully developed, the staff of the SEC’s Office of Compliance Inspections and Examinations (OCIE) listed “Information Security” as one of its top examination priorities for 2020. The staff noted that the “impact of a breach in information security, including a successful cyber-attack, may have consequences that extend beyond the firm compromised to other market participants and retail investors, who may not be well informed of these risks and potential consequences.” OCIE followed up with a report on Jan. 27, “Cybersecurity and Resiliency Observations.”

Common privacy and opt-out notice deficiencies, previously observed by OCIE in its Risk Alerts, have included the failure to provide timely and accurate privacy notices to customers, including those that failed to inform customers that they could opt out of sharing their personally identifiable information. OCIE also observed failures to implement comprehensive policies and procedures designed to safeguard customer records and information.

Review Your Practices

In light of the convergence of Covid-19-related cybercrime and the increased regulatory scrutiny of cybersecurity, investment advisers of all kinds should review their practices in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness, specifically by:

  • Designing and implementing policies and procedures to safeguard customer information on personal laptops and to prevent employees from sending any personally identifiable information through unencrypted email or to unsecured outside networks.
  • Communicating with and training employees on cybersecurity precautions used to protect and monitor customer information, particularly while working remotely.
  • Reviewing and managing third-party handling of customer information and ensuring adequate protection.
  • Monitoring access to personally identifiable information of customers by taking inventory and limiting access as appropriate.
  • Designing and implementing an effective incident response plan.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Nick Morgan is a partner in the Investigations and White Collar Defense practice at Paul Hastings. He focuses his practice on complex securities litigation in state and federal courts and representations involving government investigations and white-collar crime allegations levied against individuals and businesses. Before private practice, Morgan served as senior trial counsel in the SEC’s Enforcement Division.

Robert Silvers is a partner at Paul Hastings LLP, where he serves as vice-chair of the firm’s Privacy and Cybersecurity practice, co-chair of the Artificial Intelligence (AI) practice, and a member of the Investigations and White Collar Defense practice. Silvers formerly served in senior roles at the DHS during the Obama administration, most recently as assistant secretary for cyber policy.

Nicole Lueddeke is an associate in the Litigation practice of Paul Hastings and is based in the firm’s Los Angeles office. Lueddeke focuses her practice on complex commercial litigation, securities litigation, anti-corruption and Foreign Corrupt Practices Act matters, and white collar defense.