Insights

Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)

July 31, 2019

On July 25, 2019, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and the Identity Theft Prevention and Mitigation Services Act were signed into law in the State of New York. Both Acts strengthen cybersecurity and consumer privacy protections for New York state residents.

The SHIELD Act

The SHIELD Act amends New York’s breach notification law by:

(more…)

SEC OCIE RISK ALERT

May 23, 2019

On May 23, 2019, the Securities and Exchange Commission’s (the “SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released a new risk alert identifying security risks associated with the storage of electronic customer records and information in various network storage solutions, including cloud-based storage. Some of the concerns brought to light from recent examinations were misconfigured network storage solutions, inadequate oversight of vendor-provided network storage solutions, and insufficient data classification policies and procedures.

The Risk Alert can be viewed in its entirety here.

CYBERSECURITY RISK ALERT: WhatsApp Vulnerability

May 14, 2019

Yesterday, various governmental agencies and news outlets were made aware of a security vulnerability affecting the WhatsApp messaging platform. The vulnerability may have enabled malicious actor(s) to inject spyware onto users’ mobile devices, potentially exposing user information stored on them. WhatsApp has encouraged users to update the application immediately to avoid potential exposure and compromise of data.

To update WhatsApp on various platforms:

(more…)

Hedge Funds Besieged by Hackers on Daily Basis

May 1, 2019

By David Beach — May 1, 2019

Hackers are exploiting inherent weaknesses in mature hedge funds on a daily basis, say a security vendor and the chief technology officer of an established fund, leading to huge boosts in cybersecurity spending.

“Hedge funds are being targeted simply because of cash movements where frequent large transfers are normal at a small business that doesn’t necessarily have all the controls in place,” says Jason Elmer, managing partner at Drawbridge, the cybersecurity consultancy.

For smaller funds, cyber threats have become an ever more daunting prospect as hackers become more efficient and the reputational effects of a breach become more severe, believes Elmer.

“We’ve seen it both sides, investors being targeted via a fund that was spoofed – we saw a capital call of $7m that didn’t go out the door – and we’ve also seen the other side where a wire to an investor has gone out with fraudulent transfer requests,” says Elmer.

(more…)

CYBERSECURITY RISK ALERT: Broadcom Wi-Fi

April 18, 2019

On April 17, 2019, the CERT Coordination Center (“CERT/CC”) published information, relevant to individuals using Broadcom Wi-Fi, identifying various vulnerabilities in the Broadcom ‘wl’ driver and the open source ‘brcmfmac’ driver for Broadcom Wi-Fi chipsets. These vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on a vulnerable system, though the most frequent result is a denial of service (DoS).

(more…)

CYBERSECURITY RISK ALERT: SEC Regulation S-P Risk Alert

April 16, 2019

Today, April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a risk alert regarding compliance issues related to Regulation S-P. The focal points identified by the OCIE were the failure to provide customers with privacy and opt-out notices, as well as the failure to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

(more…)

How Private Equity Firms Can Mitigate Portfolio Company Cybersecurity Risk

March 27, 2019

Driven by investors’ demands and regulatory expectations, private equity firms have made significant progress in protecting their data. However, many of their portfolio companies don’t have those same incentives and have not put the same level of cybersecurity protections in place.

In a guest article, Jason Elmer, the managing partner at Drawbridge Partners, explains how firms should approach due diligence on portfolio companies, engage in ongoing oversight and work proactively to assist the portfolio companies with strengthening their cybersecurity programs.

See also “Cyber Due Diligence Strategies During Acquisitions” (Oct. 25, 2017).

CYBERSECURITY RISK ALERT: GOOGLE CHROME VULNERABILITY

March 8, 2019

Recently, Google identified a zero-day vulnerability affecting Chrome internet browsers. The vulnerability is a memory management error which could allow a remote attacker to read the contents of files stored on a user’s computer. Google addressed the vulnerability in Chrome version 72.0.3626.121.

To check whether your Chrome browser is up to date:

(more…)

CYBERSECURITY RISK ALERT: CISCO WEBEX VULNERABILITY

March 1, 2019

Cisco has identified a vulnerability in its Webex Meetings Desktop App and Webex Productivity Tools. By invoking the update service command with a crafted argument, an authenticated, local attacker could run arbitrary commands with SYSTEM-level user privileges. The vulnerability may also be exploited remotely in Active Directory deployments by leveraging operating system remote management tools.

Cisco has released the following software updates to remediate the vulnerability:

(more…)

CYBERSECURITY RISK ALERT: Cisco Webex Alert

February 28, 2019

Cisco Webex Cybersecurity Alert: Cisco has identified a vulnerability in its Webex Meetings Desktop App and Webex Productivity Tools. By invoking the update service command with a crafted argument, an authenticated, local attacker could run arbitrary commands with SYSTEM-level user privileges. The vulnerability may also be exploited remotely in Active Directory deployments by leveraging operating system remote management tools.

Cisco has released the following software updates to remediate the vulnerability:

(more…)