As previously written, cybercrime today is no longer a threat. It is an enormous reality that is growing at enormous rates. The latest warning comes in the form of a risk alert report, recently released by the Security and Exchange Commission (SEC), that was entitled “Cybersecurity Examination Sweep Summary”. The report “examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity.” The report is an alarming mix of good and bad news.
The results are a sobering testament that the criminal element in our society has gone high tech. Fraud risk comes in many forms these days, and to prevent it requires vigilant due diligence on the part of consumers and their online business partners. The real risk detailed in this report concerns the ability of crooks to gain valuable login information to your private forex trading account, and then, at some appropriate time in the future, to direct a withdrawal request or transfer without your expressed knowledge or approval. Does this scenario sound farfetched? Unfortunately, it happens everyday.
If you do not believe that last statement, then ponder this one bulleted item from the report: “Over half of the broker-dealers (54%) and just under half of the advisers (43%) reported receiving fraudulent emails seeking to transfer client funds. Over a quarter of those broker-dealers (26%) reported losses related to fraudulent emails of more than $5,000; however, no single loss exceeded $75,000. One adviser reported a loss in excess of $75,000 related to a fraudulent email, for which the client was made whole.” We can only suspect that the shear embarrassment of this event caused this last adviser to become overly generous in his customer remuneration policies.
In less than 11% of the cases, an internal employee or authorized user of information was found to be the culprit behind the theft. If this internal compromise could have been substantiated, then the broker/adviser could recover the loss with a claim under its theft insurance policy, but if the defalcation occurred due to the ineffectiveness of their internal controls to prevent an external attack, then “nada”. Perhaps, the adviser’s indemnity cover kicked in for the loss in excess of $75,000, another reason to be generous when compensating one of your high net-worth clients.
What must happen for this type of cyber-attack to take place?
Brokers and advisers have gone out their way over the past few years to gain our trust by marketing three key aspects of their security and privacy procedures:
1) Being in compliance with strict regulatory regulations;
2) Segregating client deposits in Tier-1 banks on or off shore, separate from the operating capital of the fund; and
3) Informing us that all trading session activity and personal account data are encrypted, using only the latest in 128-bit SSL technology.
One can almost repeat these three conditions in their sleep, as this verbiage has become so commonplace in the forex industry and in all other online investment venues, as well. But Bernie Madoff made off with his billions in the most heavily regulated region on the planet, and, while segregation and encryption techniques may help us sleep at night, they do not block attacks where the login and password information has already been compromised.
According to Tim Thompson, CEO of British payment services and risk management technology company NOIRE, “FOREX brokerage accounts are usually accessible online needing only a username and password in order to gain access to sensitive data and exposure to fraudulent withdrawals. It can start in a number of ways; Fraudsters phishing customers details, through emails pretending to be from the broker and telephone calls, Trojan malware programs often downloaded for trading platforms which look legitimate but could be obtaining customers’ login details and passwords. Fraudsters do this on an industrial scale and gain access to many customer accounts across many businesses.”
What were the other specifics of the SEC report findings?
The examination focused on several key areas within more than 100 broker/dealers across the United States. It did not review foreign entities, where, unfortunately, there seems to be a higher propensity for fraudulent activities due to lax regulatory oversight. The director of the examination initiative, Andrew Bowden, stated that, “Our examinations assessed a cross-section of the industry as a way to inform the Commission on the current state of cybersecurity preparedness. We hope that investors and industry participants will also benefit from what we have learned.”
The examination collected responses from each participant on how it:
- Identified cybersecurity risks
- Established cybersecurity policies, procedures, and oversight processes
- Protected their networks and information
- Identified and addressed risks associated with remote access to client information, funds transfer requests, and third-party vendors
- Detected unauthorized activity.
Although the vast majority of examined firms had written security policies and ongoing audit procedures to ensure compliance, the prevalence of experiences of cybersecurity attacks was off the charts. “A majority of the broker-dealers (88%) and the advisers (74%) stated that they have experienced cyber-attacks directly or through one or more of their vendors. The majority of the cyber-related incidents are related to malware and fraudulent emails.”
These results occurred even though 95% of the broker/advisers stated that they used encryption and roughly 50% of the group shared best practices with other firms in industry-wide information-sharing groups. Would insurance help? Companies can purchase insurance for cyber-related attacks. 58% of brokers and 21% of advisers did so, according to the survey, but no information was given pertaining to premiums, deductibles, limits to coverage, or required operating procedures. Suffice it to say that only one firm from each group reported that they had actually filed a claim.
The sad reality of this threatening situation is that these firms performed on a high scale as far as assessing the risks involved with technology, implementing appropriate policies and audit regimens to address those risks, and going the extra yards in preparedness to ensure readiness when the actual cyber attack occurs. The same problem haunts them, however, in that their third-party vendors may be the source of their vulnerability. It is now known that one the largest recorded data breaches in history, the attack on Target in 2013, was made possible when hackers accessed credentials from its HVAC vendor.
What can law enforcement do to help fight the war against cybercrime?
Unfortunately, most state and federal agencies are strapped for funds. On many occasions the CFTC has publicly stated that it does not have the necessary budget to pursue every complaint that it receives. There is hope, however, if only in the United States. Both the FBI and Secret Service have invested heavily in technology and are aggressive in ferreting out criminal cyber activity. Part of the reason is that they must protect the nation’s currency from counterfeiters, and, in their efforts to uncover the crooks with their hands in the cookie jar, they have gone stealth on many occasions.
When counterfeiters attacked credit cards in the eighties, card associations and law enforcement officials moved quickly to include these crimes under the statutes that forbid counterfeiting actual currency. Hundreds of millions in card fraud losses required more resources, and most of those resources went into the technology of the nineties. As a result, law enforcement agents have often hacked the PCs of hackers, installing their own malware that inventories files and reports back IP addresses, compromised account data, and other incriminating activity evidence.
While much of this data would not be admissible in court without a search warrant, the process can provide early warnings for potential targets of a cyber assault. Security departments can be warned ahead of time. Traps can be set, and arrests can be made. There is little in the press about these activities, but it can be a very intimidating situation when you get a call at 3:00 in the morning from the FBI or Secret Service advising you that your customer account information has been detected on rogue devices. It is both good and bad news, but it is also actionable information, to say the least.
While the Internet has changed our lives greatly and increased convenience and access to information in remarkable ways, it has also opened up new avenues of attack for the unscrupulous ones among us, bent on relieving you of every last dollar in your forex and other accounts. Cybersecurity and its related criminal threats are with us to stay. They are ubiquitous and have invaded every aspect of the Electronic Age, both foreign and domestic. If we are all in this fight together, then education, cooperation, and constant attention and awareness to change are the only ways out.
SEC Chair Mary Jo White, perhaps, summarizes at best the issue we all face together in the future: “Cybersecurity threats know no boundaries. That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC. Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”