InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Software company to pay $3 million to SEC for misleading disclosures about ransomware attack
On March 9, the SEC charged a South Carolina-based donor data management software company with allegedly making materially misleading disclosures about a 2020 ransomware attack. According to the SEC’s cease-and-desist order, the company issued statements that the ransomware attack did not affect donor bank account information or social security numbers. It was later revealed that the attacker had accessed and exfiltrated the unencrypted sensitive information. However, the SEC maintained that due to the company’s alleged failure to maintain disclosure controls and procedures, employees did not inform senior management responsible for public disclosures. As a result, the company’s quarterly report filed with the SEC allegedly omitted material information about the scope of the attack and “misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical,” the SEC said. The company did not admit or deny the SEC’s findings, but agreed to pay a $3 million civil penalty and said it would cease and desist from committing violations of the Securities Act of 1933 and the Securities Exchange Act of 1934.
FINRA alerts firms about rising ransomware risks
On December 14, FINRA issued Regulatory Notice 22-29, alerting member firms about the increasing number and sophistication of ransomware incidents. FINRA explained that the proliferation in ransomware attacks can be attributed in part to the increased use of technology and continued adoption of cryptocurrencies that bad actors use to conceal their identities when collecting ransom payments. Moreover, bad actors who purchase attack services on the dark web “have helped execute attacks on a much larger scale and make attacks available to less technologically savvy bad actors,” FINRA said. Under Rule 30 of the SEC’s Regulation S-P, firms are required to maintain written policies and procedures designed to reasonably safeguard customer records and information, FINRA stated, adding that FINRA Rule 4370 (related to business continuity plans and emergency contact information) also applies to ransomware attacks that include service denials and other interruptions to firms’ operations. The notice provides questions for firms to consider when evaluating their cybersecurity programs and outlines common attack types and considerations for firms’ ransomware threat defenses, as well as additional ransomware controls and relevant resources.
G7 Cyber Expert Group releases reports on ransomware and third-party risk
On December 8, the G7 Cyber Expert Group (CEG) – co-chaired by the Bank of England and the U.S. Treasury Department’s Office of Cybersecurity and Critical Infrastructure – released two reports addressing ransomware and third-party risk in the financial sector. According to the announcement, the reports “are intended to help financial sector entities better understand cybersecurity topics as agreed upon by a multilateral consensus.”
The Fundamental Elements of Ransomware Resilience for the Financial Sector provides financial entities with high-level building blocks for addressing ransomware threats. The “non-prescriptive and non-binding” report is meant to guide public and private financial institutions for their own internal ransomware mitigation activities and “provide[s] an overview of the current policy approaches, industry guidance, and best practices in place throughout the G7.”
The Fundamental Elements of Third-Party Risk Management for the Financial Sector updates a previous version published in 2018. According to the announcement, the updated report was necessary due to the increase in use of service providers by financial institutions in their central operational functions and subsequent vulnerabilities as a result of such reliance. The update includes explicit recommendations for monitoring risks along the supply chain and identifying systemically important third-party providers and concentration risks.
FinCEN reports significant increase in ransomware-related BSA filings in 2021
On November 1, FinCEN reported that ransomware continues to pose a significant threat to U.S. infrastructure, businesses, and the public, with ransomware-related Bank Secrecy Act (BSA) filings in 2021 accounting for nearly $1.2 billion. Issued pursuant to the Anti-Money Laundering Act of 2020, FinCEN’s Financial Trend Analysis examines ransomware activities for calendar year 2021, with a particular focus on ransomware trends in BSA data from July-December 2021. According to FinCEN, reported ransomware-related incidents have substantially increased from 2020, with roughly 75 percent of these incidents reported during the second half of 2021 emanating from or connected to actors in Russia. Highlights from the report include: (i) the number and total U.S. dollar value for ransomware-related incidents during 2021 far exceeds data for any previous year, with FinCEN reporting a 188 percent increase from 2020 to 2021 (possibly reflecting either an increase of ransomware-related incidents or improved reporting and detection); (ii) an average of 132 and a median of 136 ransomware-related incidents per month were reported during the review period (Treasury’s October 2021 measures to combat ransomware — covered by InfoBytes here — and potentially associated reporting obligations may have contributed to the overall rise in 2021 filings, FinCEN noted); and (iii) of the 793 ransomware-related incidents reported during the second half of 2021, 594 (roughly 75 percent) pertained to Russia-related variants.
The same day, Deputy Secretary of the Treasury Wally Adeyemo hosted participants from 36 countries during the second International Counter Ransomware Initiative Summit where attendees examined the challenges presented by ransomware and discussed the U.S.’s whole-of-government approach for responding to serious threats posed by bad actors.
Biden outlines aggressive approach for strengthening U.S. cybersecurity
On October 11, President Biden outlined actions for strengthening and safeguarding the nation’s cybersecurity. In addition to stressing the importance of improving cybersecurity and resilience measures for critical infrastructure owners and operators, the Biden administration outlined additional priorities that focus on (i) strengthening the federal government’s cybersecurity requirements; (ii) countering ransomware attacks, including by making it more difficult for criminals to move illicit money; (iii) collaborating with allies and partners to build collective cybersecurity, develop coordinated responses, and develop cyber deterrence; (iv) imposing costs on and sanctioning malicious cyber actors; (v) implementing internationally-accepted cyber “rules of the road”; (vi) strengthening cyber-education efforts; (vii) developing quantum-resistant encryption algorithms to protect privacy in digital systems such as online banking; and (viii) establishing research centers and workforce development programs under the National Quantum Initiative to protect investments, companies, and intellectual property and prevent harm as technology in this space continues to develop.
CISA urges companies to take action to combat malicious cyber activity
On September 14, the Cybersecurity and Infrastructure Security Agency, along with several other federal agencies and international partners, released a joint cybersecurity advisory (CSA) highlighting continued malicious cyber activity taken by advanced persistent threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). The CSA recommended that companies continually test their security programs to protect against longstanding online threats that may arise from IRGC-affiliated actors known for exploiting vulnerabilities for ransom operations. “Our unified purpose is to drive timely and prioritized adoption of mitigations and controls that are most effective to reducing risk to all cyber threats,” CISA said in its announcement. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson added that the U.S. Treasury Department “is dedicated to collaborating with other U.S. government agencies, allies, and partners to combat and deter malicious cyber-enabled actors and their activities, especially ransomware and cybercrime that targets economic infrastructure.” He noted that the CSA provides information on specific tactics, techniques, and procedures used by IRGC-affiliated actors, and advised both the public and private sector to use the information to strengthen cybersecurity resilience and reduce the risk of ransomware incidents. Organizations are encouraged to review a 2021 Treasury advisory, which highlights the sanctions risks associated with ransomware payments and provides steps for companies to take to mitigate the risk of being a victim of ransomware (covered by InfoBytes here).
CISA issues RFI on new cyber incident reporting requirements
On September 9, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) from critical infrastructure owners and operators on how to develop new data breach reporting regulations related to ransomware and other malicious attacks. The RFI will inform CISA’s promulgation of proposed regulations as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Specifically, the agency is requesting feedback on definitions and terminology for the proposed rules, the form and content of reports, incident reporting requirements, enforcement procedures, and information protection policies. Once the final regulation is published, CISA will use information obtained from cyber-incident reports submitted by covered entities to “deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends and understand how malicious cyber actors are perpetrating their attacks, and quickly share that information with network defenders to warn other potential victims,” the RFI explained. CISA will also host a series of public listening sessions across the country to receive additional input as it develops the proposed regulations. Comments on the RFI are due November 14.
District Court dismisses ransomware suit alleging negligence
On August 30, the U.S. District Court for the Northern District of Indiana granted a software company defendant’s motion to dismiss, ruling that a healthcare system nonprofit (the “nonprofit”) and its insurer (collectively, “plaintiffs”) had not plausibly alleged that the defendant’s 2020 ransomware attack caused it to incur expenses that were compensable injuries. According to the opinion, the nonprofit, which possesses personally identifiable information (PII) records, executed two contracts with the defendant “to help consolidate its existing databases into one system of records and protect this sensitive data.” According to the first agreement, the defendant agreed to maintain servers holding the health nonprofit’s donor and patient data, including PII. In the second agreement, the defendant agreed to, among other things, comply with its obligations as a “business associate” under HIPAA, HITECH, and any implementing regulations.
According to the plaintiffs’ complaint, a third party allegedly hacked into the defendant’s systems and deployed ransomware in February 2020, which gained access to the PII that the health nonprofit stored with the defendant; however, the cybercriminals were unable to block the defendant from accessing its own systems. The defendant was said to have learned about the cyber-attack May 2020 and waited until July 2020 to notify the nonprofit. The plaintiffs alleged that the data breach occurred because of the defendant’s failure to reasonably safeguard their database of PII. The plaintiffs also claimed that “’had [the defendant] maintained a sufficient security program, including properly monitoring its network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether.’” Following the breach, the plaintiffs alleged that they incurred remediation damages that included “various expenses, which included credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services.” The plaintiffs filed suit, alleging breach of contract, negligence, gross negligence, negligent misrepresentation, fraudulent misrepresentation, and breach of fiduciary duty. The defendant argued that the plaintiffs do not adequately explain how the breach caused their remediation damages, warranting dismissal.
The district court found that the plaintiffs failed to adequately plead causation for each of their claims, noting that “without any allegations explaining why they had to spend these amounts, the court is left to speculate how [the defendant’s] breaches caused [the health nonprofit’s] remediation damages.” The district court additionally determined that the plaintiffs’ negligence and contract claims must also fail because “harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft did not constitute a compensable injury under either a negligence claim or a contract claim brought pursuant to Indiana law.” The district court also found that the plaintiffs’ negligence claims are barred under Indiana’s economic loss rule because it did not point to an independent duty outside of contract. The plaintiffs were, however, given leave to amend their complaint and attempt to remedy its deficiencies.
FAFT restricts Russia’s membership privileges, takes action against corruption and virtual asset misuse
On June 17, the U.S. Treasury Department announced that the Financial Action Task Force (FATF) concluded another plenary meeting, in which it, among other things, took steps to restrict Russia’s FATF membership privileges. During the meeting, FATF again criticized Russia’s war against Ukraine and issued a statement, stressing that “Russian actions run counter to the FATF core principles aiming to promote security, safety, and the integrity of the global financial system. They also represent a gross violation of the commitment to international cooperation and mutual respect upon which FATF Members have agreed to implement and support the FATF standards.” Treasury Secretary Janet Yellen also stated that she “welcome[s] the serious steps the FATF took to restrict Russia’s presence in its community.” FATF members agreed that Russia can no longer hold any leadership or advisory roles, nor take part in decision making on any standard-setting, peer-review processes, governance, or membership matters. Russia is also prohibited from providing assessors, reviewers, or other experts for FATF peer-review processes. FATF stated it “will monitor the situation and consider at each of its Plenary meetings whether grounds exist for modifying these restrictions.”
FATF also produced policy recommendations for combatting corruption and countering corrupt actors or illicit funds. FATF stated it will continue to fight the abuse of shell companies, trusts, or other legal arrangements employed by bad actors, and intends to seek input on guidance to implement recommendations related to the collection and verification of beneficial ownership information for companies or other legal entities. FATF members will release a white paper for public consultation on important issues concerning “the misuse of trusts and other legal arrangements to facilitate illicit finance,” and will published guidance on ways governments and firms can mitigate money laundering risks within the real estate sector.
Additionally, FATF adopted a report on virtual assets during the meeting, calling “for accelerated compliance by the public and private sectors with the FATF standards, particularly the ‘travel rule,’ for virtual assets and virtual asset service providers.” The travel rule requires virtual asset service providers to collect or send information on the identities of the originator and beneficiary of virtual asset transfers. However, FATF noted that, despite some progress, not all countries have introduced the travel rule, creating significant vulnerabilities for criminal misuse and underscoring the need for universal implementation and enforcement of the travel rule. FATF also approved a new project related to ransomware finance and related money laundering, with an objective of raising global awareness and understanding of how payments for ransomware are made and how these proceeds are often laundered.
U.S. and EU collaborate to combat ransomware attacks
On June 16, the DOJ announced that representatives from the U.S. and EU met at a recent workshop in the Hague to share best practices and to plan enhanced collaboration efforts to confront ransomware attacks. According to the DOJ, attorneys from the DOJ’s Computer Crime and Intellectual Property Section, along with representatives from the FBI, the U.S. Secret Service, the U.S. Homeland Security Investigations, European Judicial Cybercrime Network, Eurojust’s Cybercrime Team, and Europol’s European Cybercrime Centre shared “experiences, best practices, and lessons learned in directing an investigation to a successful outcome including collaborating with the tech and private sector.” Participants also discussed “relevant changes in the law, including issues related to electronic evidence, charging options, and cross-border considerations."