December 22, 2024

SEC Examines Response From Financial Advisory, Brokerage Firms to Cyber Threats

Posted on February 5, 2015 by in Security

An overwhelming majority of brokerage and investment advisory firms examined by the U.S. Securities and Exchange Commission (SEC) have been the subject of a cyber-attack.

In its recent ‘Cybersecurity Examination Sweep Summary’ report, the SEC took a look at 57 registered broker-dealers and 49 registered investment advisers. Eighty-eight percent of the broker-dealers and 74 percent of the advisers stated that they have experienced cyber-attacks either directly or through one or more of their vendors.

The majority of the cyber-related incidents are related to malware and fraudulent email. In fact, more than half of the broker-dealers (54 percent) and 43 percent of the advisers reported receiving fraudulent emails seeking to transfer client funds. More than a quarter of those broker-dealers reported losses in excess of $5,000 related to these emails, with no single loss being greater than $75,000. Twenty-five percent of the broker-dealers confessing losses related to the emails said the damage was the result of employees not following their firm’s identity authentication procedures.

“Brokers and advisors, especially those who handle very wealthy clients, are used to dealing with substantial sums of money, but they’re also human beings who can be duped by a well-crafted phishing scam,” said Tim Erlin, director of IT security and risk strategy at Tripwire. “Not all of these brokerages are as big as Wells Fargo and Morgan Stanley. Small and medium financial firms are gaining visibility because criminals are walking away with meaningful sums of money. The criminals are becoming more savvy about which kinds of transactions remain under the radar, and the more success they have with these targets, the more of these businesses they go after.”

The good news is the vast majority of examined broker-dealers (93 percent) and advisers (83 percent) have adopted written information security policies, and 89 percent of the broker-dealers and 57 percent of the advisers conduct periodic audits to determine compliance with these policies. For the majority of both broker-dealers (82 percent) and the advisers (51 percent), these written policies discuss mitigating the effects of a cyber-security incident and/or outline the plan to recover from such an incident. These policies, however, generally did not address how firms determine whether they are responsible for client losses associated with cyber incidents.

While firms identified misconduct by employees and other authorized users of their networks as a significant concern, only a small proportion of the broker-dealers (11 percent) and the advisers (four percent) reported incidents in which insiders engaged in misconduct resulting in the misappropriation of funds, securities, sensitive client or firm information, or damage to the firms’ networks. 

The vast majority of examined firms conduct firm-wide risk assessments on a periodic basis to identify cybersecurity threats, vulnerabilities and any potential impact to business. While most of the broker-dealers (93 percent) and advisers (79 percent) reported considering such risk assessments in establishing their cybersecurity policies and procedures, fewer firms applied these requirements to their vendors. While 84 percent of the brokerage firms require cyber-security risk assessments of vendors with access to their firm’s networks, only 32 percent of the advisers do so.

“Cybersecurity threats know no boundaries,” said SEC Chair Mary Jo White, in a statement. “That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC. Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”


Brian Prince is a Contributing Writer for SecurityWeek.



SecurityWeek RSS Feed

Notepad++ Site Hacked in Response to “Je suis Charlie” Edition

Posted on January 15, 2015 by in Security

The official website of the popular source code editor Notepad++ was hacked and defaced on Monday by hacktivists protesting against the recently released “Je suis Charlie” edition of the application.

Hackers of the Fallaga Team, a Tunisian group, breached and defaced a large number of French websites following the Charlie Hebdo incident in which 12 people were killed by two masked gunmen.

The website of Notepad++ (notepad-plus-plus.org) became a target after the release of version 6.7.4, “Je suis Charlie” edition.

The attackers defaced the website with a message in which they accused Notepad++ developers of saying that “Islam is terrorist.”

In a statement published on Thursday, Don Ho, the France-based developer of Notepad++, clarified that the hackers have not compromised the binaries of the “Je suis Charlie” edition because they are stored on a different server.

“The message of the defacement accused Notepad++ of inciting hatred towards Islam and accusing Islam of supporting terrorism. The statements of Notepad++ ‘Je suis Charlie’ edition support nothing but the freedom of expression and only that. The fact of Notepad++ supporting the ‘Je suis Charlie’ movement has nothing to do with any accusation towards a specific community,” Ho explained.

“In fact the ‘Je suis Charlie’ movement in France, as far as I can tell, deserves no label of racism or of Islamophobia. I have many Muslim friends who are for ‘Je suis Charlie’. And sincerely, I don’t think that two extremist fools can stand for all Muslims or Islam itself,” he added.

The developer highlighted that those who don’t like the “Je suis Charlie” edition can simply use version 6.7.3, which contains the same features and bug fixes.

Hundreds of French websites have been defaced over the past days. Islamist hackers started launching attacks after some members of the Anonymous hacktivist movement initiated an anti-jihadist campaign in response to the Charlie Hebdo shooting.

The Charlie Hebdo incident has given hacktivists a reason to deface websites, but it has also given cybercriminals the opportunity to lure unsuspecting users to their shady websites. Researchers at OpenDNS discovered a fake BBC News website earlier this week. The site was shut down before experts could determine its purpose, but it could have been used to serve malicious content, redirect users to other websites, or for click fraud purposes.


Previous Columns by Eduard Kovacs:



Obama to Unveil NSA Reforms, Response to Snowden

Posted on January 17, 2014 by in Security

WASHINGTON – President Barack Obama will Friday announce plans to stop the National Security Agency hoarding hundreds of millions of telephone call records, among reforms to US surveillance programs exposed by Edward Snowden.

A senior US official, speaking ahead of Obama’s speech on NSA programs, said that Obama believed trawling for telephone “metadata” was vital to fighting terrorism, but needed to be reformed to preserve civil liberties.

“In his speech, the president will say that he is ordering a transition that will end the Section 215 telephone metadata program as it currently exists,” the senior official told AFP.

The president foresees a move to a program “that preserves the capabilities we need without the government holding this bulk metadata.”

“The president believes that the 215 program addresses important capabilities that allow us to counter terrorism, but that we can and should be able to preserve those capabilities while addressing the privacy and civil liberties concerns that are raised by the government holding this metadata.”

It was not immediately clear how Obama would accomplish the reform or whether he would leave it up to Congress to decide which entity should hold the call data.

Telecommunications companies have balked at suggestions that data on the destination and duration of calls should be held within their servers and be accessed by US spies armed with court permission.

Some activists have suggested a third party company could be charged with holding the data.

Obama will also order Friday another immediate change to the system of telephone data dragnets, requiring a judicial finding before the NSA can query the database, the official said.

Obama has also asked Attorney General Eric Holder and the intelligence community to report to him by March 28 on how the program can be preserved without the government holding the metadata.

Snowden, a fugitive US contractor now exiled in Russia, has fueled months of revelations by media organizations over data mining and spying on foreign leaders by the NSA in one of the biggest security breaches in US history.

The disclosures have infuriated US allies, embarrassed Obama administration diplomats and shocked privacy campaigners and lawmakers.

The White House has assured Americans that data on phone calls and Internet use is only collected to build patterns of contacts between terror suspects — and that US spies are not listening in.

But Obama has said that one of his goals in Friday’s speech at the US Justice Department is to restore public confidence in the clandestine community.

His appearance follows a prolonged period of soul-searching and policy reviews by the White House.

On the eve of the speech, Britain’s Guardian newspaper and Channel 4 News splashed the latest revelations from Snowden.

Their reports said the NSA had collected almost 200 million mobile phone text messages a day from around the world, and used them to extract data on the location, contact networks and credit card details of mobile users.

Civil liberties activists are bracing themselves for disappointment.

Michelle Richardson, legislative counsel for the American Civil Liberties Union, said Thursday that Obama would likely neither outlaw nor significantly reform bulk collection of telephone and Internet metadata.

“We are looking to the president tomorrow to make a very bold statement about reclaiming privacy. We are looking to him to take leadership about reining in these programs,” she said.

“Will our government continue to spy on everyday Americans?”

Kevin Bankston, policy director of the Open Technology Institute at the New America Foundation, warned that if Obama did not announce specific reforms, the battle would shift to Congress.

“President Obama’s trajectory on these issues from reformer to supporter of these programs has been very dispiriting,” Bankston said.

“If he does fail to take a stand and exercise the bold leadership that is necessary, it will become Congress’s responsibility to step into the breach and we look forward to working with them to do so.”

Intelligence chiefs say the programs are perfectly legal, but their opponents say they are unconstitutional.

Obama is also expected to back extra privacy protections for foreigners swept up by the programs and limits to spying on friendly world leaders.

His challenge will be to prove that data mining programs, made possible by swift advances in technology, can enhance national security while restoring public confidence that individual freedoms are safe.

During his deliberations, Obama has had to reconcile his duties as a commander-in-chief sworn to keep Americans safe and his oath to uphold the US Constitution.

Not to mention guard his political flank — Obama knows his Republican enemies would pounce if a future terror attack could be pinned on restrictions he placed on spy agency capabilities.

The president’s speech will also be closely watched for any changes to the PRISM program, which mainly sweeps up Internet data on foreigners, based on records acquired from Internet companies like Google, Yahoo and Apple.

© AFP 2013



Cloud incident reaction planning: Understand cloud provider tasks

Posted on November 1, 2013 by in Security

A specialist at the 2013 CSA Congress says companies should plan for a cloud incident, because cloud providers usually are not able to detail their tasks.

SearchSecurity: Security Wire Daily News