Financial Services Cybersecurity Weekly Briefing 8-11-2017

Weekly FS Cybersecurity Blast

Uptick in Malware Targets the Banking Community

Over the past few weeks, there has been a noticeable glut of high-profile malicious activity aimed at financial institutions. Both traditional banking and cryptocurrency trading platforms have been successfully targeted in these campaigns. Attackers continue to use a variety of tactics both old and new. […] Generally speaking, I would expect attacks on financial institutions to continue to grow as users become more interconnected, online banking continues to expand, and cryptocurrencies gain increased adoption and use from companies and customers alike.

…threats/uptick-in-malware-targets-the-banking-community/a/d-id/1329541


SEC to Advisors: Improve Cybersecurity Preparedness

Advisory firms should more closely adhere to their stated cybersecurity policies, keep current on security patches and correct all vulnerabilities detected, the SEC noted. These observations stem from examinations of 75 firms, including broker-dealers, investment advisers and funds conducted from September 2015 through June 2016. Firms also need to improve how they maintain response plans for addressing data breaches and letting clients know about material events. Less than two-thirds of advisors have implemented these plans, Investment News reports, citing the alert.


WannaCry Hero Marcus Hutchins ‘Admitted Creating Code to Harvest Bank Details’ – Court Told

After the hearing, Hutchins’ lawyer Adrian Lobo denied he is the author and said he would be pleading not guilty to all of the charges, which date between July 2014 and July 2015. She said: “He fights the charges and we intend to fight the case. […] The indictment claims Hutchins created the malware that can side-step anti-virus software to steal banking usernames and passwords before conspiring with the co-defendant to sell it on internet forums. Prosecutors claim the co-defendant successfully sold the software for 2,000 dollars (£1,522) in digital currency in June 2015.


United States: SEC Increases Focus on Cyber Incident Response

By increasing regular examination of regulated entities, such as broker dealers and investment advisers, these entities will likely have more direct oversight and scrutiny of their information security programs. In addition, direct regulatory oversight of financial institutions subject to the SEC’s jurisdiction, and broader scrutiny of public companies and their security breach-related disclosures, seems probable. “In the wake of a breach, we are going to ask questions and look at disclosures before and after an incident,” said Avakian.


Cyber Risk, Market Failures, and Financial Stability

This paper considers the properties of cyber risk, discusses why the private market can fail to provide the socially optimal level of cybersecurity, and explores how systemic cyber risk interacts with other financial stability risks. Furthermore, this study examines the current regulatory frameworks and supervisory approaches, and identifies information asymmetries and other inefficiencies that hamper the detection and management of systemic cyber risk. The paper concludes by discussing policy measures that can increase the resilience of the financial system to systemic cyber risk.


The First Rule of FinTech Security

Do security people understand the business? If no, start immediately. How can you secure that which you do not understand? Like all other areas of the business, competency must be shown first before security engineering can begin. […] How many tools do you really need? If you have more than seven toolsets that are large portions of IT spend, you may have a problem with a runaway security program.


Stay up to date on the Financial Services Information Security news that you need to know by signing up for our Financial Cybersecurity Briefing at:


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.