The securities industry has been as vulnerable to cyber attacks in 2018 as any other industry. According to the SEC’s Enforcement Division newly created Cyber Unit (formed in 2017 to enhance the ability of the Commission to identify and investigate all cyber-related threats to firms), 20 actionable cases were brought forward in fiscal year (FY) 2018. 225 open investigations are also being conducted by members of the Cyber Unit at the close of FY 2018.
Firms have an affirmative duty to establish policies and procedures designed to detect and deter cyber-threats. These include both the Safeguards Rule and the Identity Theft Red Flags Rule. Failure to put in place necessary protections designed to safeguard customer information and prevent fraud may result in enforcement action by the SEC.
SEC Cyber Security Enforcement Actions
This was the case with an enforcement action taken against a Des Moines, IA-based firm fined $1 million for its failure to put in place proper cybersecurity policies and procedures. The action came as a result of a cyber intrusion that fraudulently reset customer passwords. This allowed the cyber thieves access to more than 5,600 of the firm’s accounts, which allowed new profiles to be created and specific access to private documents of three customer accounts. The failure to have in place proper procedures in keeping with regulatory requirements made what was preventable inevitable.
As the old year ends and a new one begins, what are some of the cyber threats facing investment professionals? In keeping with mandated requirements from the SEC, FINRA, and state securities commissions, what should be done to keep ahead of the growing potential of a cyber attack or unwanted intrusion that threatens customer safety, privacy, and the integrity of U.S. financial markets?
The State of Cyber Security in 2018
A recently discovered data breach of Marriott International’s Starwood Hotel guest reservation database comprised the information of nearly 500 million customers. A Federal Trade Commission (FTC) consumer advisory released on December 4, 2018, announced that the breach, which began in 2014, impacts all hotel registrations made up to September 10, 2018.
Information that hackers were able to access includes customer names, addresses, phone numbers, email addresses, passport numbers, dates of birth, and the gender of the reservationist. Additionally, any Starwood loyalty program account information and reservation information entered was taken and for some customers, payment information (and possible expiration dates).
The compromise of Starwood customer information by hackers is just the tip of a very tall iceberg of incidents that took place in the U.S. and across the globe. Cybersecurity issues touched nearly every industry sector and business size, from Texas-based Jason’s Deli to social media giant Facebook. State-sponsored attacks have also been exposed in 2018, validating concerns about the integrity of the U.S. election process and the continuing influence of bad-faith actors such as Iran, Russian, and North Korea.
Those issues affecting business worldwide are those that affect financial professionals and the securities industry. Efforts must be taken to tighten up required controls that detect and deter cyber attacks. Paying lip service to these issues will result in the loss of customer confidence as further attacks expose vulnerabilities.
Cyber Security Issues for 2019 Affecting Financial Professionals
There are at least four specific cybersecurity issues that financial professionals should be aware of heading into 2019:
- Testing a firm’s cybersecurity policies and procedures to ensure
- Leveraging technology to police technology
- The impact of artificial intelligence by hackers to access client accounts and information
- The growing influence of the “Dark Web” and the exposure of personal and private information
These issues may be of particular concern for financial professionals looking to maintain strong customer relationships. Awareness of the potential for attack must be met with definitive action to strengthen systems and hold back minor and major intrusions that could have a long-term effect on business and the confidence the investing public has in the U.S. financial system.
Establishing and Testing an Investment Firm’s Cyber Security Policies and Procedures
The SEC noted in its enforcement actions taken against firms in 2018 that failed to protect client data that the failure stemmed from the lack of sufficient cybersecurity policies and procedures. Such policies and procedures are only one part of the solution to building robust IT systems capable of withstanding dedicated cyber attacks.
In addition to well-documented policies and procedures specifically tailored to the financial systems, firms and financial professionals must also work with their IT teams to test their ability to detect, address, and defeat cyber attacks. The loss of customer information to a data breach through a system vulnerability that could have been prevented hurts not only the entity breached but the industry as a whole.
As firms increasingly rely on technology to conduct business, greater reliance must be placed on constant vigilance. The mentality cannot be that since an attack has not occurred, there is no problem; it must be that an attack may happen at any time.
Using Technology to Defeat Technology
Cybersecurity issues cannot be regulated away. The establishment of policies and procedures, as discussed, is one of the ways to identify the severity of these attacks and their potential impact on business. Working on using technology to prevent technology from causing cyber attacks and other unwanted intrusions is the next level for financial professions.
It stands to reason that these attacks are the result of machines finding ways to invade other devices. This may be to spread viruses that cripple or disable a recipient system for a period of time, or to disrupt business operations by denying access to customers, or to set in motion ransomware or other types of malware for the purpose of extortion. Policies and procedures establish recognition of the potential for harm but technology sets in place the necessary firewalls and disaster recovery processes for business to continue operating (with little to no disruption).
Machines, currently through the aid of those with ill-intent, lead the attack on financial systems, threatening the privacy of customer data. Artificial intelligence (AI) or the ability of machines to develop routines and learning processes that make devices less dependent on human input is also growing as a potential threat.
Facebook confronted this issue in the summer of 2018 when its Facebook AI Research Lab (FAIR) was forced to shut down a project involving the use of AI known as chatbots. Chatbots are a type of AI where programs that are automated to complete a specific task can communicate with each other to make the routine more efficient. The FAIR project attempted to add a negotiation element between the chatbots, which to the horror of researchers, resulted in the AI developing its own language at a rate that was faster than what humans could anticipate and control.
The growing presence of AI in technology and the use of robots, specifically chatbots, to complete basic tasks may very well be the way of the future. Its existence, however, should raise legitimate concerns and warrant additional protections and regulatory action to ensure that the results of an accidental experience (like the outcome of the FAIR project) does not set in motion a sponsored attack that could have the potential of taking down the U.S. financial system in 2019 (and beyond).
The dark web, which refers to encrypted information that is unavailable through traditional internet search engines. A part of the deep web, it is a facility for transactions in private data (most of which is financial in nature) that has been stolen and may be purchased with cryptocurrency such as bitcoins. eCommerce on the dark web has grown exponentially – the Economist reported that between 2012 and 2016 the sale of illegal drugs through the darknet increased from $12 – $17 million to $120 – $180 million in four short years.
Data breaches that have occurred with all too regular frequency in 2018 have produced information that has found its way to the dark web. The marketplace for compromised identity information (i.e., social security number, date of birth, payment information, etc.) is growing at a rate comparable to what the Economist reported for illicit drug sales. Financial professionals, particularly in the age of anti-money laundering (AML) programs required to prevent terrorist financing and other illegal financial activities, will be challenged to verify the legitimacy of customer information and protect against the introduction of dark web data used to illegally open accounts or engage in financial transactions.
These are only a few of the cybersecurity issues facing financial professionals entering 2019. Greater awareness and vigilance is required of everyone within the industry to get in front of the growing influence of technology on our lives. Protecting the integrity of financial systems is more than good business. It may very well be what prevents a global financial disaster from happening, the scale for which would be unprecedented.