A Threefold Cord—Working Together to Meet the Pervasive Challenge of Cyber-Crime

Luis A. Aguilar is a Commissioner at the U.S. Securities and Exchange Commission. This post is based on Commissioner Aguilar’s recent address at SINET Innovation Summit 2015; the full text, including footnotes, is available here. The views expressed in the post are those of Commissioner Aguilar and do not necessarily reflect those of the Securities and Exchange Commission, the other Commissioners, or the Staff.

Cybersecurity is an issue of profound importance in today’s technology-driven world. What was once a problem only for IT professionals is now a fact of life for all of us. I say “us” because, as you may know, hackers breached a government database a few weeks ago and stole the personal information of roughly four million government employees, which may well include me.

There’s hardly a day that goes by that we don’t hear of some new cyberattack. These incidents are clear illustrations of how the internet has become an integral part of our professional and personal lives. And while the benefits have been enormous, so, too, have the risks.

In fact, there is almost no aspect of our lives that cybersecurity does not touch. Each day, cyber-criminals try to invade our privacy, steal our savings, pilfer our business secrets, and jeopardize our national security. Cyber-criminals can even cost us our livelihood. One study has estimated that cybercrime and cyber-espionage may lead to the loss of as many as 508,000 jobs in America each year. And, in a more ominous turn, cyber-criminals may have an increasing ability to threaten our physical safety. Recent reports have highlighted how the Internet of Things is creating new opportunities for cyber-criminals to attack the devices we rely on every day, including medical equipment, cars, and home security systems.

In light of all this, it is not an overstatement to say that cybersecurity is one of the defining issues of our time. This is the very reason I have worked so hard in recent years to bring greater attention to this topic. Last year, I persuaded the Commission to convene a roundtable to discuss the risks that cyber-attacks pose to the companies we regulate, such as broker-dealers and investment advisers, as well as to public companies and the integrity of our markets. Also last year, I called upon the boards of directors of our nation’s public companies to play a far greater role in their companies’ cybersecurity efforts. I have also urged the Commission to sharpen its own focus on the cybersecurity threat, including by forming an internal working group to bring the agency’s combined expertise to bear on this critical area.

These efforts were important first steps toward a more agile and robust response to cyber-crime. But, much more needs to be done. Cyber-attacks are becoming more pervasive, dynamic, and clandestine with each passing year. We must remain focused on cybersecurity if we are to keep pace with this constantly evolving threat. In addition, all stakeholders must work together. No single organization has the resources or the expertise to combat the advanced and persistent cyberattacks that are being launched today. A vibrant partnership between the public and private sectors is therefore essential to an effective defense.

Today, I would like to talk about the various ways in which the SEC has been addressing this threat, and some areas where additional work—and additional collaboration—would be beneficial.

Anni Horribiles—Past and Present

Last year, like in recent years, we witnessed a number of massive data breaches at public companies and financial institutions. One of the largest known breaches, which was experienced by eBay, affected 145 million customers, while breaches at JP Morgan and Home Depot affected 82 million and 56 million customers, respectively. And it will come as no surprise to those in this room that this year is predicted to be just as bad, if not worse. Many of these attacks were focused on stealing personal information. The reason for this is all too obvious: the market for stolen credit cards and other personal data, such as medical information, is massive. In fact, the market for stolen credit cards, which is estimated to be $114 billion, exceeds the estimated global market for cocaine by roughly $29 billion. Cyber-criminals thus have a compelling incentive to continue their efforts in the future.

A review of the cybersecurity landscape over the past few years reveals some very interesting—and troubling—trends. For example:

  • Cyber-attackers are exploiting vulnerabilities more quickly, but our defenses are increasingly sluggish. One report observed that, on average, it took 55% longer in 2014 to issue patches for so-called zero-day vulnerabilities, like the Heartbleed defect, than in 2013. As a result, attackers last year were able to exploit the top five zero-day vulnerabilities for a combined 295 days before patches became available, a more than 1,400% increase over the prior year. Furthermore, nearly 90% of last year’s successful cyber-attacks exploited known vulnerabilities that are more than a decade old. It would seem that organizations are not installing the patches that are available as promptly as they should.
  • Another disconcerting trend is that cyber-criminals are now collaborating to a far greater degree, and are reinvesting their proceeds into their illicit operations. The result has been a marked increase in the quality, quantity, and complexity of attacks. Last year, for example, cyber-criminals devised a new form of distributed denial of service attack that is capable of generating traffic at a staggering 400 gigabytes per second. This means that distributed denial of service attacks are now 50 times as large as they were just a decade ago. And, more than 317 million new pieces of malware were created last year alone, meaning that nearly one million new threats were released each day.
  • In addition, cyber-attackers are now leapfrogging defenses in ways that many companies lack the foresight to anticipate. The result is that network security is now estimated to be effective only 24% of the time. There appear to be several reasons for this, but studies have noted that savvy cyber-attackers are using new and innovative techniques to evade detection, including hiding malicious code inside software vendors’ updates, designing malware that relies on tools users trust, and even hijacking companies’ own servers to build attack software.
  • Finally, the advent of the so-called “dark web” has allowed amateur cyber-criminals to anonymously purchase do-it-yourself malware kits. Earlier this year, a new website was launched that was specifically aimed at selling malware designed to exploit zero-day vulnerabilities. According to the head of Europol’s cybercrime division, wannabe hackers purchasing malware off the internet are becoming one of the biggest threats to businesses.

Some statistics will help to further underscore the scope and urgency of the cybersecurity threat. One study found that the number of known cybersecurity incidents rose by 48% last year, and while many incidents were the result of employee negligence, it is believed that attackers were responsible for the majority of these incidents. Equally troubling is that the average total cost of a data breach has risen by 23% over the last two years. Last year also saw a 20% rise in the number of websites with critical vulnerabilities, a record high number of zero-day vulnerabilities, and a 4,000% increase in crypto-ransomware attacks. Notably, even law enforcement agencies have fallen victim to crypto-ransomware. And, in a development that highlights the increasingly vulnerable nature of mobile devices, one study last year found that 17% of all apps for Android devices were nothing more than malware in disguise.

The Commission’s Response

These statistics emphasize that cybercrime is a serious and persistent threat. This is especially true for the financial industry, which has traditionally been the primary target for cyber-criminals. In fact, in testimony provided during a June 16 Congressional hearing, it was revealed that one major U.S. bank was recently subjected to 30,000 cyberattacks in a single week, which amounts to a new attack every 34 seconds.

So what has the SEC been doing to help protect investors and our markets? To address the growing cybersecurity threat, the Commission is using a multi-faceted approach that brings to bear all the tools at its disposal. This includes implementing new rules, inspecting and examining regulated entities, bringing enforcement actions, and working to educate both the industry and the public by issuing guidance on cybersecurity matters.

Let me add some specifics by highlighting some of the SEC’s efforts in each of these areas.

Regulation Systems Compliance and Integrity

I’ll start with our rulemaking efforts. In fact, the Commission has had rules addressing cybersecurity for many years. Maintaining the integrity of the technology systems that drive our capital markets has been a concern for the SEC for some time. But to ensure that the Commission’s regulatory framework keeps pace with the sweeping technological changes that securities markets have witnessed in recent years, the SEC finalized a new rule last November, called Regulation Systems Compliance and Integrity, or Reg SCI. Firms will need to begin complying with this rule in November of this year. Reg SCI will require certain key market participants, such as stock exchanges, to implement a robust set of cybersecurity protocols to ensure that their systems are secure from cyberattacks, and are also sufficiently resilient to recover should an attack succeed. In addition, Reg SCI will require that these entities monitor their systems for possible cyberattacks, respond promptly to any significant intrusions, and report such intrusions to the SEC within 24 hours, among other things.

I would like to point out a few of the more noteworthy aspects of Reg SCI, because I believe they can serve as a model for how regulators may want to approach cybersecurity issues. First, this rule employs a risk-based approach, so that the most critical systems are held to a higher standard. This ensures that organizations focus their limited resources where they will do the most good. Second, the rule avoids an overly prescriptive approach. Instead, entities must develop procedures that are tailored to their unique risks. This is essential, as it avoids a check-the-box approach to cybersecurity, in which entities do only what is necessary to meet the minimum regulatory requirements, but still leave themselves vulnerable to attack. Finally, the rule mandates that an entity’s senior management and board of directors be actively engaged in cybersecurity issues. This is consistent with my earlier calls for greater board involvement in cybersecurity issues. It also recognizes the simple truth that board involvement ensures greater accountability, and, as one study has shown, makes breaches less likely, and can even reduce the cost of breaches when they occur.

Unfortunately, Reg SCI doesn’t apply to many important segments of the capital markets. For example, it doesn’t apply to over-the-counter market-makers, stockbrokers, or transfer agents. Obviously, more work is needed to ensure that the Commission’s cybersecurity rules address all key areas of the market we regulate.

Cybersecurity Inspections and Examinations

Turning to the topic of inspections and examinations, the SEC has recently conducted examinations of several of the entities we oversee to assess their cybersecurity methods. For example, last year, the SEC’s Office of Compliance Inspections and Examinations, or OCIE, examined 57 broker-dealers and 49 investment advisers to better understand their cybersecurity protocols. The SEC published the results of this sweep earlier this year, and it is noteworthy that the sweep found that most firms had been the targets of a cyberattack, either directly or through a vendor.

The sweep also revealed areas that needed improvement. For instance, the sweep determined that, while the vast majority of the firms had adopted written policies regarding information security and cyberattacks, these policies generally failed to specify how firms would determine responsibility for client losses stemming from a cyberattack. Similarly, while the sweep found that most firms conduct periodic risk assessments of their own systems, fewer firms conducted similar assessments of their vendors’ systems. This leaves these firms exposed to a commonly exploited vulnerability. Finally, the sweep noted that only two-thirds of broker-dealers and only one-third of advisers have elected to designate a chief information security officer, and that cybersecurity insurance is carried by just over half of broker-dealers, and by less than a quarter of advisers. Designating an information security officer and carrying cyber-insurance are both commonsense precautions that have been shown to decrease the costs associated with data breaches, and it’s disappointing so many firms fall short in these important areas.

Enforcement Actions

Let’s turn now to the topic of enforcement. It should not be a surprise that cybersecurity has become a focal point for the SEC’s enforcement efforts in recent years, and it has been reported that the SEC’s Division of Enforcement is currently investigating multiple data breaches. Moreover, the SEC has been proactively examining how it can bring more cybersecurity enforcement actions using its existing authority, and how that authority might need to be broadened to meet emerging cybersecurity threats.

The Commission’s cybersecurity enforcement efforts have included situations where stock brokers and investment advisers failed to protect their customers’ confidential information. For example, the SEC brought a lawsuit in 2011 against the senior officers of one brokerage firm that failed to take remedial steps after the firm suffered several serious breaches. The successful prosecution of these incidents sends a strong message that the SEC takes cybersecurity issues very seriously—and that the industry must do so, as well.

The constantly shifting cybersecurity landscape is a particular challenge for the SEC’s Division of Enforcement, because it is often the tip of the spear in dealing with new and emerging threats. New types of attack are constantly popping up. For example, one novel scheme that was recently brought to the Commission’s attention involves a group of cybercriminals that attempts to steal confidential business information that could be used for illegal insider trading. These cybercriminals, dubbed the “FIN 4” group, have attacked over 100 companies using spear-phishing campaigns designed to obtain confidential information about merger negotiations and other market-moving events, such as pending approvals by the Food and Drug Administration.

FIN 4 sends tainted emails to corporate executives, researchers, and attorneys, who are likely to possess sensitive business information. FIN 4’s exploits serve as a reminder of the ingenuity of cybercriminals, and of the importance of continuously monitoring the cybersecurity landscape.

Staff Guidance on Cybersecurity Issues

Let me now turn to the Commission’s efforts to educate market participants about cybersecurity issues. As many of you likely know, from time to time, the SEC furnishes guidance as to cybersecurity obligations under federal securities laws. For example, just two months ago, the Division of Investment Management issued cybersecurity guidance for investment advisers and investment companies, such as mutual funds, that collectively manage over $66 trillion in assets. This guidance highlights their responsibility to protect sensitive client information.

The guidance also identifies a number of measures that advisers and funds should consider, including periodic testing of their IT systems, developing and testing a cybersecurity strategy, and providing employee training.

In addition, in 2011, the SEC’s Division of Corporate Finance provided guidance on the obligation of public companies to disclose their cybersecurity risks. This guidance noted that public companies are required to disclose any risks or events that reasonable investors would find important when deciding whether to invest or how to vote their shares. The guidance made clear that this broad disclosure obligation extends to any significant cybersecurity incidents that a company may experience, as well as any substantial cybersecurity risks that could make investments in a company speculative. However, mindful of the risks associated with such disclosures, the guidance emphasized that companies do not need to disclose information that might provide cyber-attackers a roadmap to infiltrate the company.

Finally, the SEC’s Office of Investor Education and Advocacy issued an Investor Bulletin earlier this year that seeks to help investors avoid being victimized by cybercriminals. This advice includes practical and commonsense measures for the use of online investment accounts, such as using different passwords for each account, requiring two-step verification when possible, and exercising caution when using public networks and wireless connections.

The Challenges Ahead

Although the SEC has not shied away from cybersecurity issues—whether by promulgating rules, inspecting regulated entities, or bringing enforcement cases—much work remains to be done. Cybersecurity is not a problem to be solved, but a continuous threat that demands constant attention. It’s an old joke that only the paranoid survive. In the cybersecurity context, it might just be true.

To that end, I would now like to discuss a few things that could help better protect us from the risk of cyberattacks.

Enhanced Cooperation Among All Stakeholders

First, cybercrime is a common threat that requires a coordinated response. It is widely acknowledged that one of the best defenses against cyberattacks is the prompt sharing of actionable information about threats and possible defenses. As the National Institute of Standards and Technology recently observed, we can bolster our cyber defenses tremendously by harnessing our collective knowledge of the threat landscape, and by coordinating our responses. To be sure, the sharing of cyber threat information is not a cure-all, but it can certainly improve cyber defense.

Unfortunately, we appear to be doing a poor job of sharing cyber threat information. A 2014 study found that intelligence sharing remains largely ad hoc and informal. In fact, most threat information is currently shared among peers by phone, email, or in-person meetings, or is provided by IT security vendors. This word-of-mouth approach is parochial, unreliable, and inexcusably slow. Threat intelligence can grow stale within minutes, if not seconds. And almost half of all cyberattacks spread to their second victim within less than an hour. Yet, according to one study, as often as not, firms receive threat intelligence days, weeks, or months after the initial attack, rendering much of it useless. Cybersecurity is far too critical an issue to be relegated to a game of telephone.

This state of affairs results mainly from inadequacies in the current infrastructure for sharing threat information. Although certain industries have formed cyberattack intelligence sharing mechanisms, known as Information Sharing and Analysis Centers, or ISACs, the president of the Financial Services ISAC recently admitted that most firms rely on their peers as their primary source of cyber threat information, rather than an ISAC. Some experts have noted that one reason for this is that ISACs often do not distribute threat information quickly enough. Another problem is that the information ISACs distribute is not prioritized, and lacks sufficient context to be immediately actionable.

Many experts recognize that our cybersecurity efforts will never be truly effective until we automate the sharing of threat intelligence. Prior efforts to develop real-time, computer-to-computer information sharing platforms have faltered, but there is cause for optimism. Certain ISACs, including those for the financial services and healthcare industries, have adopted new software packages that should enable them to more quickly distribute cyber threat intelligence, and will also standardize the format in which intelligence is presented. This is certainly a cause for optimism, yet other problems remain. For instance, many believe that the ISACs’ industry-focused approach inhibits the broader sharing of cyber threat intelligence that could be informative to other industries and other companies.

One way to break down these industry-based silos would be to form additional organizations that could link together the existing ISACs and broaden their reach. An executive order signed by President Obama earlier this year may help to do just that. This order directs the Department of Homeland Security to develop new information sharing and analysis organizations, and to develop common standards for the sharing of cyber threat intelligence. These new information sharing organizations could, if properly designed, foster a much more inclusive approach to the distribution of cyber threat intelligence.

Legislation to Foster Information Sharing

Another barrier to a more robust approach to cybersecurity lies in the legal risks associated with sharing threat intelligence. Many firms claim that such liability is one of the principal hurdles they face when they seek to share information. This is a legitimate concern, and there is but one solution. Obviously, legislation is needed to allow firms to share information with each other and with the government without fear of liability. Several bills have been proposed in Congress that would address this problem, yet nothing has materialized to date. I do not doubt that there are difficult issues that need to be resolved, including how to ensure that our privacy and civil liberties are protected. For the good of this nation and our economy, however, Congress must bridge its differences and work quickly to forge a path forward on this issue. Without such legislation, we are all at risk.

What the SEC Can Do

Congress is not the only one that has work to do. The SEC can also find ways to better address the ever-present danger of cyberattacks. Some simple measures the SEC should consider include the following.

First, as I mentioned earlier, the Commission needs to expand the scope of Reg SCI to reach other crucial market participants. This should be a top priority.

Second, the SEC needs to ensure that public companies provide better and more timely information about the particular cyberattack risks they face, and that they are more consistent in disclosing cybersecurity incidents. One 2014 study noted that the Commission’s 2011 guidance on cyber risk disclosures “has resulted in a series of disclosures that rarely provide differentiated or actionable information for investors.” This view was shared by some participants at the SEC’s cybersecurity roundtable, as well. Public companies need to tailor their risk disclosures to provide more useful information about the precise nature of the risks their specific business models present. In this regard, SEC staff may wish to consider updating its 2011 guidance regarding public companies’ cyber risk disclosures.

Third, the SEC should provide more guidance to market intermediaries about how to respond to more limited cybersecurity incidents. For example, one participant at the cybersecurity roundtable noted that stock exchanges need more guidance as to how to respond if a broker-dealer’s account were hacked and unauthorized trading occurred, while another sought guidance on how to unwind “data corruption” events limited to one market sector, but which affect other sectors. The SEC should study such eventualities and develop guidance, as appropriate.

Conclusion

I will conclude my remarks by again thanking SINET for inviting me to speak today. I believe that a vibrant partnership between the public and the private sectors is the linchpin to an effective cybersecurity framework. I believe that only by working together can we make meaningful progress.
