On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the third in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first and second posts on cybersecurity practice impacts.

This post focuses on threats posed by insiders of the firm, which may be created by either deliberate, malicious conduct or by inadvertent mistakes. Both types of data breaches create significant risk to the firm and its customers. In the Report, FINRA notes that, while most higher revenue firms (95-99%) address insider threats as part of the program, only 66% of mid-level revenue firms address such risks. Its assessment comes from their review of firm responses to relevant inquiry areas in the 2017 and 2018 their Risk Control Assessment (RCA). Continue Reading FINRA’s 2018 Report on Cybersecurity Practices – Insider Threats If Your Program Only Focuses on External Threats, You are Only Halfway There

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the second in a series of summaries sharing essential, timely insight on how these practices impact your business. Please click here for the first post on cybersecurity practice impacts.

FINRA names “phishing” attacks as one of the most common cybersecurity threats raised by firms with the self-regulator.[1] The goal of a phishing email is to manipulate the recipient into taking action. FINRA focuses on two types of phishing attacks in the report. The first is “spear phishing,” where the sender researches and targets the recipient(s) with a customized approach designed to get confidential information from the individual(s). The second is “whaling,” wherein the hacker sends targeted emails impersonating senior executives at the firm in order to set action in motion, typically wiring funds to specifically identified accounts.    Continue Reading FINRA’s 2018 Report on Cybersecurity Practices – Preventing “Spear Phishing” and “Whaling” Attacks

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. This post is the first of a series of summaries sharing essential, timely insight on how these practices impact your business. The Report follows close on the heels of FINRA’s annual Report on Examination Findings issued Dec. 14, 2018. Now we know why Cybersecurity, a top regulatory and examination priority for FINRA in 2018, was not included in their examination findings report. Not surprising, albeit somewhat unusual, the importance of the topic and FINRA’s insights warranted a separate communication. Continue Reading FINRA Issues 2018 Report on Selected Cybersecurity Practices

As previously discussed, software as a service (SaaS) solutions offer the allure of being able to outsource IT for data storage.  Being able to rely on someone else to protect you sounds great, but is it really?  Losing control over your sensitive data requires serious diligence of the third party vendor.  Caveat emptor: SaaS solutions can expose companies to unknown risks. Tips to avoid those risks are discussed below.

Continue Reading Three More Risks to Consider with SaaS Solutions

On November, 2, 2018, Ohio’s recently passed Data Protection Act (Act) officially became law. The Act provides a possible affirmative defense to businesses in lawsuits where the plaintiff alleges a tort based on a business’ failure to implement a cybersecurity framework.

Importantly, the new law does not create a minimum cybersecurity standard in Ohio or new cybersecurity regulations that businesses must follow. Rather, the law operates by incentivizing businesses to develop and maintain a cybersecurity program that “reasonably conforms” to an already existing, industry recognized cybersecurity framework. If the company can prove that it had a compliant cybersecurity program in place at the time of a breach, the company can use the program’s existence as an affirmative defense to certain tort claims. Continue Reading New Cybersecurity Law Offers Safe Harbor Against Tort Claims

As a part of National Cybersecurity Month, last week the Federal Trade Commission (FTC) launched a campaign to help educate and assist small businesses with cybersecurity.  In conjunction with the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Small Business Administration (SBA), the FTC has published a collection of materials for small businesses about cybersecurity. These materials include information about the following:

  • Cybersecurity Basics;
  • Understanding the NIST Cybersecurity Framework;
  • Physical Security;
  • Ransomware;
  • Phishing;
  • Business Email Imposters;
  • Tech Support Scams;
  • Vendor Security;
  • Cyber Insurance;
  • Email Authentication;
  • Hiring a Web Host; and
  • Secure Remote Access.

Additional information about the cybersecurity campaign and access to the materials can be found here.

2018 Best Legal Blog Contest - Click to Vote

On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report on the results of investigations made by the SEC’s Division of Enforcement into nine public companies that were victims of cyber-related frauds.  In each case, the SEC investigation focused on whether the target companies had complied with the applicable requirements of the Securities Exchange Act of 1934, as amended (Act). The Act requires public companies to devise and maintain a system of internal control over financial reporting designed to provide reasonable assurance that, among other things, transactions are executed in accordance with company management’s authorization, that transactions are properly recorded and that access to assets is permitted only with management’s authorization.

Ultimately, the SEC did not pursue enforcement actions against any of these companies, but released the report to advise public companies that cyber-fraud incidents must be taken into account when designing and maintaining internal control procedures. Continue Reading SEC Report Reiterates Cybersecurity Implications for Internal Control Requirement

CTIA, a trade association representing the wireless communications industry, recently announced a new cybersecurity certification program for IoT cellular-connected devices. The announcement comes shortly after NIST hosted a workshop in July regarding Considerations for Managing IoT Cybersecurity and Privacy Risks.

CTIA states, “[t]he program will protect consumers and wireless infrastructure, while creating a more secure foundation for smart cities, connected cars, mHealth and other IoT applications.” Tom Sawanobori, SVP and Chief Technology Officer at CTIA states that, “[t]he IoT Cybersecurity Certification Program harnesses CTIA’s network of authorized labs and reflects our commitment to securing networks and devices in an increasingly connected wireless world.”

According to CTIA, the Cybersecurity Certification Program is built upon NTIA and NIST IoT security recommendations. The Program will begin accepting devices for certification testing in October 2018.

More information about the Cybersecurity Certification Program can be found here.

On August 14, 2018, President Trump signed into law S. 770, the “NIST Small Business Cybersecurity Act.”  This Act requires the National Institute of Standards and Technology (NIST) to develop and disseminate resources for small businesses to help reduce their cybersecurity risks. The Act states that the resources should be:

  • “Generally applicable and usable by a wide range of small business concerns;
  • Vary with the nature and size of the implementing small business concern, and the nature and sensitivity of the data collected or stored on the information systems or devices of the implementing small business concern;
  • Include elements, that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships, to assist small business concerns in mitigating common cybersecurity risks;
  • Include case studies of practical application;
  • Technology-neutral and can be implemented using technologies that are commercial and off-the-shelf; and
  • Based on international standards to the extent possible, and are consistent with the Stevenson-Wydler Technology Innovation Act of 1980.”

The eighteen month transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expires on September 4, 2018. These requirements apply to entities, “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”  In less than a month, these Covered Entities subject to Part 500 are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.

These requirements include:

  • Implement and maintain audit trail requirements (500.06);
  • Adopt written application security requirements (500.08);
  • Adopt written data retention requirements (500.13);
  • Implement monitoring/unauthorized access requirements (Section 500.14(a)); and
  • Implement encryption requirements (500.15).

The final compliance deadline is March 1, 2019.  In addition to those aforementioned Covered Entities, credit reporting agencies with significant operations in New York were recently required to comply with the cybersecurity regulations.  More information about the Cybersecurity Requirements can be found here.