Cybersecurity News: SEC & CFTC Update

Cybersecurity News Alert


2020 SEC EXAMINATION PRIORITIES

On Tuesday, January 7th, 2020, the U.S. Securities and Exchange Commission (the “SEC”) released the examination priorities for 2020. The SEC has shifted its examination priorities from years past in an effort to adapt to emerging risks, but cybersecurity remains a top priority for the SEC. The SEC will be focusing on the following key areas with respect to cybersecurity:

  • Proper configuration of network storage devices
  • Information security governance
  • Retail trading information security
  • Governance and risk management
  • Access controls
  • Data loss prevention
  • Vendor management (this includes cloud-based service providers)
  • Training
  • Incident response and resiliency
  • Proper disposal of retired hardware
  • Controls surrounding online access and mobile application access to customer brokerage account information

There will be a renewed focus on S-ID (Identity Theft Red Flags Rules) and S-P (Privacy Rules), which require SEC-regulated entities to implement policies and procedures designed to do the following:

  • S-ID
      • Identify identity theft red flags
      • Detect the existence of those red flags
      • Respond appropriately to the detected red flags
      • Periodically assess and update the identity theft program
  • S-P
      • Adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information

For additional information, please visit: https://www.sec.gov/news/press-release/2020-4


CFTC WARNS REGISTRANTS OF THREATS AND REQUESTS INFORMATION

On December 30th, 2019, The Wall Street Journal published an article outlining a sustained cyber attack against cloud service providers by a Chinese hacker group known as APT10. By design, cloud service providers operate by sharing infrastructure and resources between many clients. This type of design makes them a valuable target, as a provider with inadequate cybersecurity controls may open itself and its clients up to attack from malicious actors.

CFTC Cyber Threat Alerts

  • On January 3, 2020, the Commodity Futures Trading Commission (CFTC) issued two cyber threat alerts centered around the hacking of the cloud service providers described in the WSJ article.
  • Swap Dealers (SDs) and Futures Commission Merchants (FCMs) should respond to the alert they received from the Division of Swap Dealer and Intermediary Oversight (DSIO) by January 10, 2020 on whether or not any of their cloud service providers were affected by the attack.
  • Commodity Pool Operators (CPOs), Commodity Trading Advisors (CTAs), Introducing Brokers (IBs) and Retail Foreign Exchange Dealers (RFEDs) should respond to the alert they received from the National Futures Association (NFA) by January 10, 2020 only if any of their cloud service providers were affected by the attack. These registrants DO NOT need to respond if they were not affected.
  • Any registrant whose cloud service providers have been affected by the attack should include a summary of the information it has gathered, and its plan to protect its systems and data.
  • All CFTC registrants should respond by January 20, 2020 on whether or not they have received communications from any third parties regarding the attack or a related potential cyber event. DSIO is requesting responses from all of its registrants.

What is Cloud Hopper?

  • Operation Cloud Hopper represents a series of continuous attacks against cloud service providers and their clients by Chinese hacker group APT10.
  • The goal of these attacks was to gain access to sensitive intellectual and customer data. Once the attackers gained access to a cloud service provider, they used the shared cloud infrastructure to “hop” from one target to another, gaining access to sensitive data.

How did this attack occur, and who is affected?

  • Attackers used phishing emails to compromise employee accounts, while also using network infiltration tools to circumvent various security controls.
  • Compromised credentials were leveraged to bypass security borders, successfully using cloud service providers as an attack vector to gain access to corporate data of multiple organizations.
  • Reporting is still coming in regarding the major companies that were affected, but we do know cloud providers such as Hewlett Packard Enterprise, IBM, and CGI Group in Canada were all victims.
  • The scope of the attack and amount of compromised data is still unknown, and the attack appears to be ongoing.

How do I protect myself?

  • Understand where your sensitive data is stored. This will help you configure targeted security solutions for your most critical data.
  • Conduct vendor due diligence on a yearly basis. Your vendors are an access point to your data, and they should be continuously maintaining and improving their security posture as threats evolve.
  • Document and consistently enforce policies and controls. Human error is the most common target of cyberattacks. Security policies require users to act in a security-focused manner, and technical controls act as a safety net when human error occurs.
  • Implement strict account management practices. Accounts should be monitored and reviewed on a regular basis to ensure correct privileges and usage. Accounts are less likely to be compromised if they are tracked and maintained.
  • Institute robust monitoring controls. Monitoring your network, accounts, and data allows you to detect and remediate a cyberattack quickly and efficiently. Many cloud providers make monitoring and alerting tools available to their clients, and we recommend that you have a discussion with your vendors around these controls.
  • Review your contracts with vendors for breach notification language.
  • Formalize change controls. Changes to permissions, accounts, or network controls should be reviewed, authorized, and documented. Awareness of the changes occurring in your network or within your cloud tenant will reduce the risk of compromise due to unnoticed modifications.
  • Encrypt data at rest. Most cloud providers offer encryption at rest; however, you should verify that this is the case with any cloud provider storing your data.

For additional information, please visit: https://www.wsj.com/articles/ghosts-in-the-clouds-inside-chinas-major-corporate-hack-11577729061