Financial Services Cybersecurity Weekly Briefing 9-22-2017

Weekly FS Cybersecurity Blast

Weekly FS Cybersecurity Blast

Asset Managers Must Beef Up Cyber Security Defenses
“Bluntly, asset managers are not prepared for the increased threat landscape,” says Walter Price, fund manager at the Allianz Technology Trust. “This was highlighted by the 35 per cent drop in Equifax’s valuation and their benign comments that they were vigilant with regard to cyber security when, in retrospect, they were not.”

Equifax Hackers Stole 200k Credit Card Accounts in One Fell Swoop
Visa has updated their advisory about these 200,000+ credit cards stolen in the Equifax breach. Visa now says it believes the records also included the cardholder’s Social Security number and address, suggesting that (ironically enough) the accounts were stolen from people who were signing up for credit monitoring services through Equifax. Equifax also clarified the breach timeline to note that it patched the Apache Struts flaw in its Web applications only after taking the hacked system(s) offline on July 30, 2017. Which means Equifax left its systems unpatched for more than four months after a patch (and exploit code to attack the flaw) was publicly available.

New York State’s New Financial Services Cybersecurity Policy Relies On Encryption
The regulatory framework has multiple requirements, including the writing of a cyber security policy, the hiring of a CISO, and the running of vulnerability assessments. Critical to compliance is an encryption strategy, which companies must have in place by September 2018. How should financial services companies approach an encryption strategy? The foundation begins with implementing protected security intelligence logs that identify irregular access patterns and breaches in progress.

US Launches Criminal Probe Into Equifax Breach
The DoJ investigation, led by the US Attorney’s office in Atlanta where Equifax is headquartered, centres on the actions of three top executives. The Securities and Exchange Commission is also likely to be investigating their trades, according to an attorney involved in the case. Kevin Callahan, an SEC spokesman, said the commission declined to comment.

Equifax’s IT Leaders ‘Retire’ as Company Says It Knew About the Bug That Brought It Down
Equifax’s chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software. The retirements and more details about the company’s mega-breach are revealed in a new entry to in which the company describes what it knew, when it knew it, and how it responded.

SEC Discloses Cybersecurity Breach
“We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” he said. “Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.” The disclosure came as part of a broader statement by Clayton about cybersecurity.

Breakingviews – SEC Failure Puts U.S. Cyber Security On Back Foot
But it, too, is providing a textbook case of what not to do in the event of a cyber attack. Not only did the SEC take a long time to make the breach public. It buried the news in a more wide-ranging statement on such issues by Chairman Jay Clayton, who said he wanted to highlight “importance of cybersecurity to the agency and market participants.” In addition, the watchdog has so far provided scant details.

Here’s What Really Terrifies Wall Street About the SEC Hack
EDGAR is where Corporate America goes to file statements on their businesses. Brad Bondi, an attorney with Cahill Gordon and Reindel and former council at the SEC, called it “the Fort Knox” of the SEC. It’s where the important stuff is stored: quarterly earnings reports, market-moving news, IPOs, mergers and acquisitions, it all goes into the EDGAR system, and is often filed before the news is made public.

U.S. Consumer Finance Agency Expected to Punish Equifax: Lawyers
But because Equifax is not strictly a financial company, questions arose whether the Consumer Financial Protection Bureau, the agency created after the 2008 financial crisis, has the power to penalize the firm for the breach. Legal experts said the CFPB is likely to weigh in using powers it wields under the 2010 Dodd-Frank Act. “Its Dodd-Frank mandate gives the CFPB authority to investigate Equifax even without cyber security rules,” said Quyen Truong, former deputy general counsel for the agency.

Equifax Breach is a Reminder of Society’s Larger Cybersecurity Problems 
Several major problems need to be addressed before people can live in a truly secure society: For example, companies must find and hire the right people to actually solve the overall problems and think innovatively rather than just fixing the day-to-day issues. Companies must be made to get serious about cybersecurity – at a time when many firms have financial incentives not to, also. Until then, major breaches will keep happening and may get even worse.


Stay up to date on the Financial Services Information Security news that you need to know by signing up for our Financial Cybersecurity Briefing Here.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.