April 2022 Cyber Recap
The ever-changing cybersecurity landscape can be hard to keep up with. The introduction of new technologies such as cryptocurrency and the ever-changing nature of threats from hackers require constant attention. Below are some “quick hits” from April, including some noteworthy updates and developments that might be helpful to you and your organization as you try to protect against these kinds of threats.
Here’s what you need to know:
1. Chair of U.S. Securities and Exchange Commission proposes that organizations adopt a “Team Cyber” to help protect those in the financial industry from the growing threat of cyberattacks.
On April 14, 2022, Gary Gensler, Chair of the U.S. Securities and Exchange Commission, gave remarks during a joint meeting of the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC). Gensler emphasized how disastrous the growing number of threats from hackers can be, not only for individual businesses but for our financial system and economy as a whole. Gensler proposed that all organizations within the financial industry develop a Team Cyber that is solely focused on dedicating time and resources to protecting against cyberattacks.
2. North Korean state-sponsored malicious cyber activity targets organizations in blockchain technology and cryptocurrency industry.
On April 18, 2022, CISA, the Federal Bureau of Investigation (FBI) and the U.S. Treasury Department released a joint Cybersecurity Advisory (CSA) detailing cyber threats associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) since at least 2020. The cybersecurity industry usually refers to this group as Lazarus Group. This group typically targets organizations in the blockchain technology and cryptocurrency industries.
Cyber actors use social engineering across a variety of communication platforms and encourage individuals to download trojanized cryptocurrency applications on Windows and macOS operating systems. This gives cyber actors the ability to use the applications to gain access to the victim’s computer, spread malware across the network environment, and steal private keys or exploit other security gaps. These initial activities are only the beginning and can lead to additional activities that initiate fraudulent blockchain transactions.
3. Cybersecurity authorities from the U.S., Australia, Canada, New Zealand and the U.K. coauthored a Cybersecurity Advisory (CSA), released on April 27, that details the top 15 Common Vulnerabilities and Exposures (CVEs) continually exploited by malicious cyber actors in 2021.
In 2021, cyber actors targeted internet-facing systems, email servers and virtual private network (VPN) servers via exploits of newly disclosed vulnerabilities. They also continued to exploit older, publicly known software vulnerabilities, serving as a strong reminder to patch software in a timely manner and to discontinue the use of software that is no longer supported by a vendor.
The top 15 vulnerabilities, as well as recommendations for protecting your organization from these risks, can be found here: https://www.cisa.gov/uscert/ncas/alerts/aa22-117a
4. The National Society of Compliance Professionals (“NSCP”) held an online seminar on April 28 to discuss new developments in cybersecurity.
Current SEC exam focus areas are governance / risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. Under the Proposed Advisers Act Rule 206(4)-9 and IC Act Rule 38a-2, focus areas will shift and firms will be required to:
- Develop written policies for cyber risk
- Implement cyber risk controls (e.g., encryption, network segmentation, access controls, monitoring, escalation, network testing, and vulnerability remediation)
- Conduct vendor oversight (due diligence and vendor contracts)
- Enhance advisor and fund cyber risk and incident disclosures on Form ADV and Forms N-1A, N-2, etc.
- Report significant cybersecurity incidents on Form ADV-C
- Adopt additional recordkeeping
- Conduct periodic cyber risk assessments and implement an annual cyber program review
Common areas observed during NFA Cyber Exams included:
- Protecting PII (i.e., encrypting email, portals, removable media, DLP controls, and hardware and software inventory)
- Strengthening Identity Access Management (IAM) Processes (i.e., password complexity, changes, history, and multifactor authentication)
- Third Party Risk Management (i.e., vendor DDQs, site visits, contract, and SOC audits)
- Testing and monitoring for threats and vulnerabilities
- Training
Common areas observed during SEC Cyber Exams included:
- Risk Alerts surrounding credential compromise / dark web, ransomware, Reg. S-P: Privacy Notice and Safeguard Policies, and electronic messaging
- Translating SEC guidance into actionable cyber controls
- Importance of training
Need help?
Fairview Cyber specializes in the creation, testing, and maintenance of meaningful cybersecurity programs for financial industry businesses, in compliance with SEC regulations. If your firm requires assistance interpreting and implementing these proposed cybersecurity laws, amendments, recommendations, SEC exam focus areas, or is seeking further guidance on cybersecurity issues, Fairview Cyber can help. Contact us today for more information about our services.