ThreatWire

An Overview of the SEC’s New Cybersecurity Regulation

In March, the Securities and Exchange Commission (SEC) proposed new cybersecurity risk management rules for organizations including registered investment advisers, registered investment companies, and business development companies (registered funds).

The SEC is also proposing numerous modifications to existing rules governing investment adviser and registered fund disclosures.

This 200+ page rule is dedicated to strengthening existing standards and encouraging firms to upgrade their cybersecurity risk management procedures. Cybersecurity has been at the forefront of the SEC’s examinations, and we can expect that focus to increase now that the new regulation (known as 206(4)-9) will move us from a period of cybersecurity “guidance” to a period of cybersecurity “regulation”.

I have covered this topic in a past webinar. If you prefer a recorded version of this information, I highly encourage you to check out the YouTube link below.

Here is the YouTube link.

How does this affect your firm?

According to the accompanying Cybersecurity Risk Management Fact Sheet released by the SEC (Link Here), the planned regulation would have a significant impact on registrants’ cybersecurity measures in a number of key areas.

The new SEC cybersecurity regulations will require the following:

  • Written cybersecurity policies and procedures that are designed to address cybersecurity risks, including the risks of using interconnected systems and networks directly and through IT vendors, cloud providers, and MSPs;
  • Vulnerability scans and penetration tests;
  • Records related to cybersecurity programs and their outcomes, data breaches, and system logs;
  • Disclosure of cybersecurity risks and incidents to the adviser’s clients and prospective clients (see our webinar on why this is a disastrous and dangerous requirement); and
  • Reporting of significant cybersecurity incidents to the SEC by registered advisers, on Form ADV-C.

The new cybersecurity risk management and recordkeeping rules would be put in place under the Investment Advisers Act of 1940 (“Advisers Act”) and the Investment Company Act of 1940 (“Investment Company Act”), which already require registered advisers and funds to evaluate certain cybersecurity risks while developing policies and procedures.

To summarize, organizations will be forced to take additional proactive steps that will undoubtedly increase the burden and cost of their compliance workflows: registrants will be required to examine the design and efficacy of their cybersecurity measures annually and to produce a written report of those audits.

I will go through some of the most important aspects of the SEC’s new proposed rule below.

Cybersecurity Risk Management Rules

All registered advisers and funds must “adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks” under rules 206(4)-9 of the Advisers Act and 38a-2 of the Investment Company Act, according to the SEC.

Given the ever-changing nature of threats, the SEC feels that the proposed cybersecurity regulation would be adaptable, allowing companies to tailor their security efforts based on their particular operations and complexity, as well as changing cybersecurity risks.

The proposed rule addresses several crucial aspects of a cybersecurity strategy:

  • Risk and threat assessments: registered advisers and funds must conduct periodic risk assessments of the network’s vulnerabilities, as well as of service providers that have been granted access to the network.
  • User security and access: firms must produce evidence of minimizing user-related risks and preventing unauthorized access to the network, by mandating policies that follow existing cybersecurity standards.
  • Information protection: firms would be required to assess the sensitivity of data on their network and actively monitor IT systems to identify suspicious activity.
  • Threat and vulnerability management: the new risk management rule would require registered advisers and funds to monitor their systems and industry or government cyber threat information in order to detect, mitigate, and remediate cybersecurity hazards and vulnerabilities.
  • Cybersecurity incident response: firms will need procedures in place to identify, react to, and recover from a cyber-related disruption.

Interested in seeing the technical/nerdy aspects of how you or your IT firm will have to deal with these requirements?

I cover that topic in this YouTube video.

Reporting of Significant Cybersecurity Incidents to the SEC

The SEC is proposing a new regulation that would require advisers to provide confidential information on Form ADV-C “promptly but not more than 48 hours” after establishing a reasonable basis to believe that a significant adviser cybersecurity problem or a significant fund cyber incident has occurred or is occurring. This is EXTREMELY problematic for reasons that we have covered extensively in videos and other write-ups.

Additionally, the proposed rule would also require registered advisers to amend any previously filed Form ADV-C promptly, “but in no event more than 48 hours, after information reported on the form becomes materially inaccurate; if new material information about a previously reported incident is discovered; and after resolving a previously reported incident or closing an internal investigation about a previously disclosed incident.”

This timeline for breach reporting to the SEC under the proposed rule would be one of the strictest in the industry when compared with other reporting regimes. I can tell you from years of doing this kind of work that the timeline is completely unrealistic.

Annual Review

On an annual basis, firms would have to reevaluate their cybersecurity policies and procedures. They would then need to generate a written report documenting security assessments, recording security incidents, and discussing any material policy changes since the last report.

New Record Keeping Requirements

The new rule will introduce further record-keeping obligations in the form of maintaining five years of cybersecurity policies, annual written cybersecurity audits, risk assessments, breach notification notices, and records documenting “any cybersecurity incidents”. This is going to be extremely expensive and a barrier to entry for many firms.

Disclosure of Cybersecurity Risks and Incidents

The proposed changes would add a new Item 20, “Cybersecurity Risks and Incidents,” to the Form ADV Part 2A, which is made available to the public!

Scary. I know.

Does your firm need help to understand the new regulations?

MTradecraft can help.

Hacker Tales: How Did BiFi get BuFu’d out of $2.25MM?

Let’s discuss BiFi.

A few weeks ago, an attack was launched against BIFROST’s BiFi service. The hacker was able to steal 1,852 ETH ($2.25 million) from the project by exploiting a security hole in the service’s address management system.

If you are going to dabble in ponzi schemes, you better know what the hell you are doing because there is always a better scammer. Here is how one such better scammer took advantage of the flaw:

BIFROST is a cross-blockchain bridge that requires a mechanism for monitoring deposits on one blockchain to allow withdrawals on another.

When a user deposits Bitcoin into the service, the address issuing server generates and digitally signs an address for that person. The address is then accepted and functional on the BiFi platform after this digital signature is verified. The user may then deposit money to that address and transfer assets across the cross-chain bridge.

This method relies on the address issuing server’s private key, which is used to generate these digital signatures. The attacker was able to gain access to this key, allowing them to produce a genuine digital signature for a deposit address of their choosing.

When the hacker sent bitcoin to their deposit address, the BiFi service interpreted it as a deposit into the service. This gave the attacker a fake balance in BiFi that allowed them to drain the coffers with bogus withdrawals. Because the deposit address was under the control of the attacker, they were able to keep the phony BTC deposit as well.
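The failure above is worth seeing in code: a signature from the issuing server only proves the server approved an address, not that the bridge controls it. The following is an added illustration (not BiFi or BIFROST code) using a constructed HMAC key as a stand-in for the server’s signing key and a constructed wallet seed for address derivation; it contrasts a signature-only credit check with one that also requires the address to be one the bridge itself generated and recorded.

```python
import hashlib
import hmac

# Constructed stand-ins, not real BiFi/BIFROST material:
#  - the issuing server's private signing key (an HMAC key here; a real
#    bridge would use an asymmetric signature, but the lesson is the same)
#  - the bridge's own wallet seed, from which it derives deposit addresses
SIGNING_KEY = b"constructed-issuing-server-key"
WALLET_SEED = b"constructed-bridge-wallet-seed"


def derive_bridge_address(user_id: str, index: int) -> str:
    """Deposit address derived from the bridge's OWN wallet seed, so the
    bridge (not the depositor) holds the key that can spend from it."""
    material = WALLET_SEED + f"{user_id}/{index}".encode()
    return "bc1" + hashlib.sha256(material).hexdigest()[:38]


def sign_address(key: bytes, user_id: str, address: str) -> str:
    """Issuing server's signature over (user, address)."""
    return hmac.new(key, f"{user_id}:{address}".encode(), hashlib.sha256).hexdigest()


def verify_signature(key: bytes, user_id: str, address: str, sig: str) -> bool:
    return hmac.compare_digest(sign_address(key, user_id, address), sig)


class IssuingServer:
    """Issues signed deposit addresses and remembers which ones it created."""

    def __init__(self) -> None:
        self.issued: dict[str, str] = {}   # address -> user_id
        self.next_index = 0

    def issue(self, user_id: str) -> tuple[str, str]:
        address = derive_bridge_address(user_id, self.next_index)
        self.next_index += 1
        self.issued[address] = user_id
        return address, sign_address(SIGNING_KEY, user_id, address)


def credit_deposit_weak(server: IssuingServer, user_id: str, address: str, sig: str) -> bool:
    """Signature-only check: any address the signing key vouches for is credited.
    If the signing key leaks, an address the bridge never generated gets credited."""
    return verify_signature(SIGNING_KEY, user_id, address, sig)


def credit_deposit_hardened(server: IssuingServer, user_id: str, address: str, sig: str) -> bool:
    """Signature check PLUS proof the bridge itself generated and recorded the
    address for this user. A valid signature over a foreign address is refused,
    so a leaked signing key alone no longer yields a phantom balance."""
    if not verify_signature(SIGNING_KEY, user_id, address, sig):
        return False
    return server.issued.get(address) == user_id


def demo() -> dict[str, bool]:
    server = IssuingServer()
    # Honest flow: the bridge issues Alice an address it controls.
    alice_addr, alice_sig = server.issue("alice")
    # Key-leak scenario from the write-up: a stolen signing key is used to
    # sign an address the bridge never generated and does not control.
    rogue_addr = "bc1" + "0" * 38
    rogue_sig = sign_address(SIGNING_KEY, "mallory", rogue_addr)
    return {
        "honest_weak": credit_deposit_weak(server, "alice", alice_addr, alice_sig),
        "honest_hardened": credit_deposit_hardened(server, "alice", alice_addr, alice_sig),
        "rogue_weak": credit_deposit_weak(server, "mallory", rogue_addr, rogue_sig),
        "rogue_hardened": credit_deposit_hardened(server, "mallory", rogue_addr, rogue_sig),
    }
```

The hardened check still fails if the signing key and the wallet seed leak together, which is why an issuing key belongs in an HSM or similarly isolated signer rather than on the same host as the address registry.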

Meet Sharon – Sharon works for a large RIA and accidentally lost $798MM in client assets to a hacker.

I was recently engaged to do a penetration test on an RIA. The primary goal was to detect and identify sensitive or leaked information from the company, as well as see whether an external attacker could gain access to portfolio management software (PMS). I also wanted to perform a human risk assessment before we enrolled them in our training program.

With access to the PMS, I could alter transactions and cashiering to reroute client funds into accounts that I control.

When conducting OSINT research on this firm, I discovered and gathered several usernames and passwords that its employees used to log into their custodian. Due to a misconfigured Office 365 setting and a careless CCO who did not verify the “sharing” permissions on this document or user, the username and password I collected had accidentally been made public and searchable by anyone who knows how to Google Dork (yes, Google Dorking is a real thing; Google it).

This isn’t remarkable; improperly configured sensitive papers are one of the first things I check for in these sorts of assaults.

I chose “Sharon” as my target because she had identified herself on LinkedIn as the firm’s “portfolio assistant,” and she was very active on several social media sites. Aside from that, she was a completely random choice of a target.

From my research, I discovered that the firm’s PMS required two-factor authentication (2FA) for all users, so I knew her credentials were also linked to a rolling 2FA code that I needed in order to access the PMS.

By phishing Sharon, it took less than a day for me to get access to the firm’s PMS. Here is how Sharon was taken down in a nutshell. To protect the guilty, the company and employees’ names have been altered or blacked out in this narrative.

Phone Call # 1:

I dialed Sharon as “Dave” who is interested in opening a new account.

(Shortened for Readability)

Dave: Hi Sharon – I am interested in opening an account with you folks. If I do, where do you keep my money?

Sharon: We use [REDACTED CUSTODIAN NAME] as the custodian for our accounts.

Dave: Ah! [REDACTED CUSTODIAN NAME]! I already have an account with them, so great. My current advisor uses them, so will it be an easy transition if I move my accounts? Since the accounts are already there, how do I switch them over to be managed by your firm?

Sharon: It is pretty easy. I will send you some paperwork to fill out and then I will fax those up to [REDACTED CUSTODIAN NAME].

Dave: Excellent! And in the meantime I can email you my PDF statement so that you can get the ball rolling with onboarding?

Note: In the example above, I’m setting Sharon up to receive a PDF containing key-logging malware. At this stage, I’m still unsure how I’ll get access into the system, so I’m planting this seed.

Sharon: Sounds great. My email address is [***@***.com].

Dave: Great. I will send that over soon.

And, to be honest, I’m not entirely sure what I’m going to do in the long run. So I get on the phone with another advisor who is not connected to the firm but who does use the same custodian.

Call #2 –

I called a different RIA that uses the same custodian.

A young woman named Allison picked up the phone. According to her LinkedIn profile, Allison was a recent graduate working as a trade desk assistant, and she was 28 years old. She had dropped out of film school and frequently posted her opinions about movies on several social media sites.

Dave: Hi Allison, you might not be the right person and I am sorry for the distraction, but I am hoping you can help me out for 5 minutes. I found you on LinkedIn and saw you went to film school, which is why I am reaching out. I am a movie director and I am working on a film and I am needing someone to interview for some background. The film involves an investment firm that experiences a cyber attack and loses the client’s money. I need someone’s expertise to make sure my movie fits the real-life scenario since I know little about cybersecurity. I know you are very busy, but would you perhaps have a few minutes to answer some simple questions for my project?

Allison: Sure, I would love to help. What kinds of questions do you have?

I start in with my BS questioning….

Dave: Well, I know what it means to balance a portfolio. That means sometimes you have to sell some holdings and buy others to make the portfolio balance. I get that. But what I don’t understand is HOW you make the trades in those portfolios.

Allison: Well…it’s really not that complicated….

(Allison goes on for 15 minutes telling me everything I need to know about how she uses [REDACTED CUSTODIAN]’s PMS)

Allison was awesome. She conveyed every detail of how they access their portfolios, how they access the systems, how they make new accounts, how they get reports printed, and how they protect the information with 2FA encryption methods, in depth.

Call #3 –

I called Sharon once more. This time as Chris Johnson, a customer service rep from [REDACTED CUSTODIAN]. I asked Sharon if she had a few minutes for a customer satisfaction survey in exchange for a gift certificate to her favorite restaurant, Chick-Fil-A (according to Facebook).

Chris: Hi Sharon – This is Chris Johnson with [REDACTED]. I am conducting a customer satisfaction survey and wanted to see if you had 4 minutes to answer some questions about your satisfaction with our service. We are sending all respondents a coupon for a free lunch at Chick-fil-A. Would it be OK if I ask you a few questions?

Sharon: Sure thing.

[Sharon was enthusiastic to help…and sounded excited for the break in her routine]

Chris: First off, are you authorized to use the [REDACTED] PMS system?

Sharon: Yes.

Chris: Great!

- Okay, what hours are you guys in the office?
- How many employees dial into Fidelity?
- How often do you call us?
- Is there anyone in particular you like to talk to?
- Did we ever fail to meet your expectations?
- How is our response time to your issues?
- Do you have any suggestions on how we can improve?

[Sharon answers them all and is very pleasant and happy throughout]

Chris: Thanks, Sharon. I really appreciate your help and your time. Let me save your answers in my survey and get that gift certificate over to you in an email. One second, please…

Chris: (Pausing….) Hmm…that is interesting. Are you sure you are an authorized employee on the PMS system? I don’t see your name here.

(I asked this in a puzzled or questioning tone since victims are always eager to clarify or demonstrate their rightness when called into question. They become blind when you ask them to validate themselves.)

Sharon: Yes, I am authorized on all accounts.

Chris: OK, that is strange because I don’t see your name listed on the account.

Sharon: (acting somewhat insulted and annoyed) Well, there is something wrong there because I have been here for 7 years and call the [REDACTED CUSTODIAN] team every day; usually for several hours each day.

Chris: There is no doubt from me, Sharon. This is a frequent problem and one of the side-reasons for my call, actually. I want to make sure we have the most accurate records, so let me research and get that updated for you. Give me one second to get you added here. I am going to go and pull the actual physical paperwork from our archive and then get you added back in. I am so sorry for the inconvenience here.

Sharon: {laughs and sighs}

[I allow 45 seconds of no talking with lots of typing in the background. I have an extra loud mechanical keyboard (hat-tip Shinobi Keyboards) that I use for this work to make sure the victim can hear. The overall goal here is to have Sharon swing from an agreeable state of mind, to a confrontational mindset, and back to a passive mindset. Essentially, I want to wear her out mentally so that her guard goes down on this call.]

Dave: OK, I see your authorization paperwork right here. Sharon Smith. I found it. No problem. Let me get you added to the official record again. I’m not sure how it was removed because I see where you were authorized previously. Honestly, it may have been a mistake I made when I pulled your record up, so I am sorry for that. They call me “Fat finger” around here with the way I accidentally delete records, so thanks for your patience on this.

[20 second pause]

Dave: OK, all set. Let me get your 2FA code set back up and authenticated. Can you please read me the current 6 digits from your 2FA device so that I can get that added back in and synced with the system?

Sharon reads the 2FA code.

Chris: Sharon?

Sharon: Yes?

Dave: This is Brian @ MTradecraft. We met a few weeks ago in your office.

After a lengthy pause, there was another lengthy exhalation of despair and concern, and she understood how serious the problem was.

With that, the pentest was finished, and I had full control of the company’s $789 million portfolio in less than a day. Having the 2FA code enabled me to access the PMS system and take a screenshot as proof of my presence. Sharon was furious. Had this been the real world, she would have just destroyed her career and her employer.

Without proper cybersecurity threat training, this type of mistake happens frequently.

Background and Lessons here:

MTradecraft was hired to perform this penetration test. We agreed upon a month for the test, but not on any specific dates. Sharon was the first person who reached out to MTradecraft to schedule an introductory call for this penetration test. Sharon had also listened in during the initial meeting and knew that MTradecraft would be performing phishing tests.

Despite Sharon’s meticulous preparation and understanding, it was still quite simple to obtain those 2FA codes and steal the client’s money. She says she overlooked the possibility that this sort of attack would continue, and she never imagined it coming over the phone.

Two things ultimately led to this epic and devastating compromise:

  1. The CCO had previously made a blunder by inadvertently publicizing critical information via the Share tools available in Office 365. This led to Sharon’s login and password being discovered after employing a variety of intelligence gathering techniques known as “Google Dorks”.
  2. Sharon neglected to follow basic cybersecurity precautions that should be covered in the company’s cybersecurity education course. Sharon shared her 2FA code with someone who asked for it, even though the policy clearly states that this must never be done. This principle cannot be broken.

Cybersecurity Insurance and the SEC

In this video, we will put on our CCO hats and discuss why your firm absolutely needs a cybersecurity insurance policy and why you wouldn't want to go through an examination without one.

Then, we will switch gears and put on our ethical hacker hats and explain why a cybersecurity insurance policy is a complete waste of money.

To be clear, we do not sell or have relationships with any firm that sells cybersecurity insurance. The goal of this webinar is to give you an unbiased opinion on the cybersecurity insurance industry and how claims play out in the real world so that you can make the best decision for your firm.

SEC Cybersecurity Trends for 2022

Towards the end of 2021 and now starting into 2022, we started seeing an increase in the number of SEC examinations that are focusing on cybersecurity compliance.

In this video, I summarize and share some of the specific requests that we have seen in the latest wave of SEC audits and I will show you how I organize the related data and structure our compliance folders so that our clients can easily respond to these requests.

Compliance Template: The Employee Technology Usage Agreement

This is a template that can be used as a Technology Usage Agreement between an SEC or FINRA registered firm and their employees.

We recommend that you have your employee sign this document during onboarding and also attest to it annually.

This document should accompany a firm-level cybersecurity policies and procedures manual.

This policy sets forth a basic set of standards for the use and protection of {FIRM NAME} computer assets.


Cybersecurity Tips for RIAs and Hedge Funds

When it comes to privacy, as a Hedge Fund or Registered Investment Advisor (RIA), the protection of your client's data is critical. A data breach might not only jeopardize your reputation but also result in hefty fines and penalties. Last year, the SEC fined an RIA for failing to have adequate cybersecurity measures in place before a breach occurred.

SEC Cybersecurity

The SEC recently announced Regulation 206(4)-9, which will outline cybersecurity expectations for all registered firms. These regulations will start to move the SEC cybersecurity rules into a more solid form.

Here are all 244 pages of the SEC’s proposed cybersecurity rule:

https://www.sec.gov/rules/proposed/2022/33-11028.pdf

It comes as no surprise that the SEC cybersecurity guidance places heavy emphasis on making sure safeguards exist to protect client information.

Here are some simple steps to follow if you are worried about your RIA’s cybersecurity compliance workflows.


A Technical Guide to the SEC’s 206(4)-9 Proposed Cybersecurity Rules

On Feb. 9, 2022, the SEC voted to propose new cybersecurity requirements for investment advisers, investment companies and business development companies, known as 206(4)-9.

In this technical discussion, we will focus on the new cybersecurity books and records rules found in 206(4)-9 and then demonstrate several compliance operations that all CCOs should consider when tackling this new regulation for your firm.  

We will focus on tools and techniques that will simplify your cybersecurity compliance operations.

This is an educational webinar and not a pitch. The webinar will be followed by a live Q&A session.

For deeper reading, here are all 243 pages of the new cybersecurity requirements headed your way:

https://www.sec.gov/rules/proposed/2022/33-11028.pdf