InfoBytes Blog

Financial Services Law Insights and Observations


  • SEC Sues 32 Defendants Involved in Insider Trading Operation; DOJ Files Criminal Charges Against Leaders

    Privacy, Cyber Risk & Data Security

    On August 10, the SEC filed a complaint against 32 defendants in the District of New Jersey for their alleged involvement in an international scheme to profit from stolen, confidential information regarding corporate earnings announcements. According to the SEC, the defendants hacked at least two newswire services’ computer servers to retrieve unpublished corporate press releases, subsequently using them to make trades generating over $100 million in profits. The SEC further asserted that the two leaders of the scheme designed a “secret web-based location to transmit the stolen data to traders in Russia, the Ukraine, Malta, Cyprus, France, and three U.S. states, Georgia, New York, and Pennsylvania.” The SEC contends that, for five years, the two leaders of the scheme (i) disguised their identity by posing as newswire service employees, using proxy servers, and/or using backdoor access-modules; and (ii) recruited traders by making a video that displayed their ability to steal earnings information prior to public release. In return for information, the traders paid the hackers either a percentage of the profits obtained from trading the stolen information, or a flat fee. The SEC Director called the scheme “one of the most intricate and sophisticated trading rings [the agency has] ever seen.” The U.S. Attorneys’ offices for New Jersey and the Eastern District of New York also announced criminal charges against nine of the same defendants, including the two leaders of the scheme.

    SEC DOJ Financial Crimes Privacy/Cyber Risk & Data Security

  • OCC Comptroller Talks Future of Financial Services, Eyes FinTech Industry

    Privacy, Cyber Risk & Data Security

    On August 7, OCC Comptroller Thomas Curry delivered remarks at the Federal Home Loan Bank of Chicago, which was hosting a conference highlighting the future of financial services. Specifically, Curry discussed innovation in the emerging financial technology industry, or “fintech,” noting the risks and benefits associated with mobile payments, virtual currency, and peer-to-peer lending products within the U.S. banking system. With respect to virtual currency, Curry stressed how important it is for financial institutions to implement adequate procedures to deter money laundering and terrorist financing. Curry also recognized that the OCC is “still early in the process” of evaluating a regulatory framework to examine some new and innovative products and services. Rounding out his remarks, Curry expressed his growing concerns with so-called “neobanks,” which operate primarily online but provide similar services to brick and mortar retail branch banks, including the heightened privacy risks that neobanks present in light of recent cybersecurity attacks.

    Nonbank Supervision OCC Mobile Payment Systems Consumer Lending Virtual Currency Fintech Privacy/Cyber Risk & Data Security

  • Comptroller Talks Interest Rate, Compliance, and Cybersecurity Risks Facing Financial Institutions

    Privacy, Cyber Risk & Data Security

    On July 24, OCC Comptroller Curry delivered remarks before the New England Council in Boston, MA regarding the risks that financial institutions face today. Rising interest rates and regulatory compliance were two of the three risks discussed. Curry emphasized that the inevitable rise in interest rates could greatly affect loan quality, particularly loans that were not carefully underwritten to begin with, and that “[l]oans that are typically refinanced, such as leveraged loans,” would be particularly severely affected. Recognizing the impact that Dodd-Frank continues to have on banks, Curry said that financial institutions face two categories of risk from new regulations: (i) “banks run afoul of the new regulations, possibly damaging their reputations and subjecting themselves to regulatory penalties”; and (ii) banks devote their time and money to regulatory compliance, rather than putting those resources toward serving their customers and communities. The final and “perhaps the foremost risk facing banks today,” according to Curry, is cyber threats. Curry outlined the agency’s efforts to curtail cyber intrusion in the banking industry, highlighting the June 30 release of its Semiannual Risk Assessment and the creation of a Cybersecurity and Critical Infrastructure Working Group, which was designed to (i) increase cybersecurity awareness; (ii) promote best practices; and (iii) strengthen regulatory oversight of cybersecurity readiness.
Curry noted, however, that information-sharing is just as important as self-assessment and supervisory oversight: “We strongly recommend … that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center, a non-profit information-sharing forum established by financial services industry participants to facilitate the sharing of physical and cyber threat and vulnerability information.” Collaboration among banks of all sizes and non-bank providers, Curry stated, can be a “game-changer” in more ways than one: “By promoting the discovery of common interests and common responses to the risks that you face in your businesses and we all face together, you provide an invaluable service to New England and to the United States.”

    Dodd-Frank OCC Bank Compliance Privacy/Cyber Risk & Data Security

  • DOJ Announces Charges Against Two Florida Men for Operating Underground Bitcoin Exchange

    Privacy, Cyber Risk & Data Security

    On July 21, U.S. Attorney for the Southern District of New York Preet Bharara, along with the Assistant Director-in-Charge of the New York Field Office of the FBI and the Special Agent-in-Charge of the New York Field Office of the United States Secret Service, announced the unsealing of criminal complaints filed against Anthony R. Murgio and Yuri Lebedev. According to the complaints, since at least late 2013, the two men and their co-conspirators illegally ran a money transfer operation called Coin.mx, which allowed customers to exchange cash for bitcoins for a fee. Murgio's and Lebedev’s allegedly illegal money transfer operation involved exchanging cash for people whom they believed may be engaging in criminal activity, as well as allowing victims of “ransomware” attacks to trade cash for bitcoins. During these “ransomware” attacks, cybercriminals would “electronically block access to a victim’s computer system until a sum of ‘ransom’ money, typically in bitcoins, [was] paid to them.” In an attempt to evade detection, Murgio, Lebedev, and their co-conspirators operated through “Collectables Club,” a fake front-company. Also in an attempt to avoid detection, Murgio obtained beneficial control of a New Jersey-based federal credit union, then placed Lebedev and others on the Board of Directors so that Coin.mx’s operations could be transferred to the credit union. The individuals used the credit union as a “captive bank for their unlawful business,” until at least early 2015, at which point, the NCUA discovered the illegal activity and forced the credit union to “cease engaging in such activity,” but Murgio “thereafter found new, overseas payment processing channels for his unlawful business.” Murgio and Lebedev are each being charged with one count of conspiracy to operate an unlicensed money transmitting business, and one count of operating an unlicensed money transmitting business. Each of these charges carries a maximum prison sentence of five years. 
Murgio also was charged with one count of money laundering and one count of willful failure to file a suspicious activity report. These additional charges carry maximum prison sentences of 20 years and 5 years, respectively.

    Anti-Money Laundering DOJ Virtual Currency Privacy/Cyber Risk & Data Security

  • U.S. Senators Introduce Automobile-Focused Cybersecurity Legislation

    Privacy, Cyber Risk & Data Security

    On July 21, Senators Blumenthal (D-CT) and Markey (D-MA) introduced legislation, the Security and Privacy in Your Car Act (“SPY Car” Act), that would protect drivers’ privacy while allowing them to remain connected to the growing technological advances in the automobile industry. In addition to directing the National Highway Traffic Safety Administration (NHTSA) and the FTC to develop federal cybersecurity and privacy standards that would secure motor vehicles manufactured for sale in the United States and protect drivers, the SPY Car Act seeks to establish a rating system, or “cyber dashboard,” that “informs consumers about how well the vehicle protects drivers’ security and privacy” beyond the minimum standards potentially set by the NHTSA and the FTC. The requirements that motor vehicles: (i) be equipped with reasonable measures to protect against hacking attacks; (ii) maintain the ability to reasonably secure data collected within electronic systems; and (iii) be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle, are among the cybersecurity standards outlined in the SPY Car Act. With regard to privacy standards, the legislation proposes the following: (i) transparency, such that owners or lessees are explicitly aware of the collection, transmission, retention, and use of driving data; (ii) consumer choice, allowing owners or lessees to opt out of data collection and retention without losing access to other features, such as key navigation; and (iii) marketing prohibition, which would ban companies from using personal driving information for advertising purposes without obtaining the affirmative express consent of the owner or lessee.
The introduction of the SPY Car Act follows Senator Markey’s 2015 Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk report, which showed gaps in the auto industry’s ability to prevent hackers from accessing internet-connected features in vehicles.

    Auto Finance U.S. Senate Privacy/Cyber Risk & Data Security

  • Treasury Deputy Secretary Raskin Delivers Remarks on Cybersecurity in the Financial Sector

    Privacy, Cyber Risk & Data Security

    On July 14, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the American Bankers Association Summer Leadership meeting in Baltimore. Speaking on cybersecurity and cyber-resiliency in banking and the financial sector generally, Raskin’s remarks continued her December 2014 remarks in Austin at the Executive Leadership Cybersecurity Conference regarding three main areas, including (i) baseline protections, (ii) information sharing, and (iii) response recovery. According to Raskin, since December the growing number of cyberattacks – including against health insurers and the federal government’s Office of Personnel Management – has made the government and public more mindful of the serious threat posed by cyberattacks. Accordingly, cybersecurity has seen a “profoundly positive cultural change,” moving beyond just the purview of IT specialists. Deputy Secretary Raskin’s most recent remarks added 10 follow-up questions for banks and financial entities to consider, including whether cybersecurity is incorporated into the bank’s governance systems, security controls are tailored to specific cyber risks presented (as opposed to a “one-size fits all” approach), enhanced controls are implemented and adequate training provided, and basic “cyber hygiene” practices (including multi-factor authentication) are followed.  Raskin also emphasized the need to appropriately tailor cyber risk insurance.

    Privacy/Cyber Risk & Data Security Department of Treasury Cyber Insurance

  • FCC Announces $3.5 Million Settlement with Carriers to Resolve Consumer Privacy Investigation

    Privacy, Cyber Risk & Data Security

    On July 9, the FCC announced a $3.5 million settlement with carriers TerraCom, Inc. and YourTel America, Inc. to resolve an investigation into the exposure of personal information of over 300,000 of their customers online via unprotected servers used by their vendors to store customer information.  The exposed information included names, addresses, Social Security numbers, driver’s licenses, and other pieces of sensitive information that were viewable by anyone with access to a search engine.  Section 222(a) of the Communications Act imposes on carriers a duty to protect the confidentiality of “proprietary information of… customers” and the FCC Enforcement Bureau viewed this incident as a violation of that duty, as well as its duty under Section 201(b) to employ “just and reasonable” data security practices to protect the confidentiality of consumers’ proprietary information. Under the settlement, TerraCom and YourTel are required to (i) designate a senior corporate manager with certified privacy expertise, (ii) conduct a privacy risk assessment, (iii) put in place a written information security program and data breach response plan, (iv) maintain “reasonable oversight” of third-party vendors, and (v) offer privacy and security training.  FCC-regulated entities should review their privacy and data security practices to ensure that they are taking appropriate steps to protect their customers’ proprietary information.

     

    FCC Enforcement Privacy/Cyber Risk & Data Security

  • White House Provides Update on 2015 Cybersecurity Initiatives

    Privacy, Cyber Risk & Data Security

    On July 9, the White House released a fact sheet regarding the Administration’s 2015 cybersecurity efforts “both domestic and international, to improve our cyber defenses, enhance our response capabilities, and upgrade our incident management tools.” More specifically, these include (i) supporting the private sector; (ii) enhancing federal cybersecurity; (iii) developing new policies and capabilities to identify, defend against, and counter malicious cyber actors; and (iv) engaging internationally. Among the private sector achievements are new legislative proposals; the Department of Defense and Department of Homeland Security (DHS) opening offices in Silicon Valley; and the increase in information sharing between the private sector and government, including DHS’s initiative to develop an automated system for sharing cyber threat indicators. The federal achievements include continual cross-agency efforts to improve how the government conducts background investigations. The new policy achievements include imposing financial sanctions on those participating in malicious cyber-enabled activities threatening national security, strengthening national defense, and creating new cybersecurity laws. Finally, the international accomplishments include the President’s efforts to bolster international commitments and law enforcement, and to strengthen the country’s global leadership role in cybersecurity.

    Privacy/Cyber Risk & Data Security Obama

  • DOJ Deputy Assistant AG Delivers Testimony at Senate Subcommittee Hearing Regarding Cyber Crime

    Privacy, Cyber Risk & Data Security

    On July 8, the DOJ’s Deputy Assistant AG, David Bitkower, delivered his testimony before the Senate Judiciary Subcommittee on Crime and Terrorism’s hearing entitled, “Cyber Crime: Modernizing Our Legal Framework for the Information Age.” Bitkower’s testimony focused on two of President Obama’s earlier 2015 legislative proposals regarding the security of online privacy for American citizens and businesses. The first proposal, with an emphasis on the “insider threat,” seeks to amend a provision of the Computer Fraud and Abuse Act (CFAA) – the primary statute the DOJ uses to charge computer crime cases – to ensure that corrupt employees using their authority to access sensitive data for personal gain are not immune from federal punishment. Bitkower noted that recent judicial decisions have impeded the government’s ability to prosecute cases where “serious violations and invasions of privacy” were prevalent. The second legislative proposal would enhance the DOJ’s ability to combat botnets, the networks of computers that are infected with malware and used by criminals to steal personal information, evade detection, and hold computers and computer systems for ransom. The proposed legislation would broaden the categories of crimes committed with botnets that can be enjoined by courts, which, under the current law, are mostly limited to financial crimes.

    DOJ U.S. Senate Privacy/Cyber Risk & Data Security

  • NAAG Urging Congress to Refrain From Passing Federal Data Breach Legislation Preempting State Authority

    Privacy, Cyber Risk & Data Security

    On July 7, as Congress considers proposed legislation on data breach notification and security, the National Association of Attorneys General (NAAG) sent a letter to leaders of both houses of Congress urging them to refrain from passing federal data breach and identity theft laws that would preempt states’ authority to enforce their own legislation, or pass legislation that exceeds federal standards. The 47 state attorneys general argued that “preempting state law would make consumers less protected than they are right now” because (i) states are closer to affected consumers and can better respond to their concerns; (ii) states are “better equipped to quickly adjust to the challenges presented by a data-driven economy”; (iii) although helpful for a national data breach, a single federal agency would be unable to “respond effectively” to the large number of smaller data breaches that “have a large impact in a particular state or region”; and (iv) “with the increasing speed rate of technological developments,” states need the ability to surpass minimal and continually obsolete federal requirements. Accordingly, the state attorneys general asserted it was “crucial” that they “maintain their enforcement authority under their states’ laws, and that any legislation be tailored to ensure complementary enforcement authority.”

    State Attorney General U.S. Senate U.S. House Privacy/Cyber Risk & Data Security
