
Lessons for Banks from the Recent CrowdStrike Outage

 


The recent disruption caused by CrowdStrike has been a wake-up call for financial institutions, showing that even the security tooling a bank depends on can itself become the cause of a major outage. That realisation does not lessen the need for rigorous preparation; it widens the set of scenarios a bank has to plan for.

What Happened with CrowdStrike?

CrowdStrike, a well-known cybersecurity company based in Austin, Texas, recently pushed an update to its Falcon Sensor that caused system crashes on a massive scale. The update contained a logic error that made affected Windows hosts crash and display the infamous "Blue Screen of Death" (BSOD); because the sensor loads early at boot, many machines crashed again on every restart and had to be recovered by hand. The company later acknowledged that the pre-deployment validation meant to catch such errors let the faulty update through.

Organisations affected included ICE Mortgage Technology, Fifth Third Bank (which holds $214 billion in assets), TD Bank, and Canandaigua National Bank in New York, which holds $5 billion in assets.

The Need for Better Planning

Dave Martin, founder of the advisory firm BankMechanics, observed that events like this are usually discussed in theoretical terms during worst-case planning, yet they can become real very quickly, which underscores the pressing need to be well prepared.

According to Martin, the event has likely pushed bank leaders around the world to give more attention to their contingency plans and backup strategies. That a single vendor's update could take down so many organisations at once shows just how unpredictable such crises can be.

As cybersecurity threats become more common, financial institutions are paying closer attention to their defences, and the cost of being unprepared is rising. For example, Patelco Credit Union in California, which manages $9.6 billion in assets, now faces multiple lawsuits following a cyberattack in June; the suits allege that the credit union failed to properly secure sensitive data such as Social Security numbers and addresses.

Andrew Retrum, a managing director at Protiviti, a consulting firm specialising in technology risk and resilience, pointed out that while organisations face numerous potential threats, they should focus on creating strong response and recovery strategies for the most likely negative outcomes, like technology failures or site unavailability.

Preparing for Future Cyber Incidents

Experts agree that institutions need detailed action plans for restoring operations quickly after an incident. Kim Phan, a partner at Troutman Pepper who specialises in privacy and data security, advises financial institutions to be ready to switch to alternative systems or service providers, and in some cases to fall back to manual processes, so that operations continue.

Phan also suggests that financial institutions should manage customer expectations, reminding them that the convenience of instant online services is not something that can always be guaranteed.

The CrowdStrike outage, although it was caused by a faulty update rather than an attack, is a stark reminder of how unpredictable disruptions can be and how crucial it is to be prepared. Financial institutions must learn from this incident by regularly reviewing their security measures and contingency plans. Technology is essential for protecting against cyber threats, but a solid, human-driven response plan is just as important for maintaining security and stability when that technology fails.

By looking at past cyber incidents in the banking sector, we can draw valuable lessons that will help strengthen the industry's overall defences against future attacks.


Financial Institutions Now Required to Disclose Breaches Within 30 Days


The 30-Day Deadline

The Securities and Exchange Commission (SEC) now requires covered financial institutions to notify affected individuals within 30 days of becoming aware that their customer information has been accessed or used without authorisation.

Why the Change?

On Wednesday, the SEC adopted amendments to Regulation S-P, which governs how covered firms handle consumers' personal information. The amendments require institutions to notify individuals whose sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorisation "as soon as practicable, but no later than 30 days" after becoming aware of the incident. The new requirements apply to broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.

"Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially. These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for the investor,” said SEC Chair Gary Gensler. 

Challenges and Compliance

Notifications must describe the incident, the information that was compromised, and how affected individuals can protect themselves. The rule carves out an exception: a covered institution need not send notices if, after a reasonable investigation, it determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in "substantial harm or inconvenience".

The amendments also compel covered institutions to "develop, implement, and maintain written policies and procedures" that are "reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information."

They also broaden the scope of the nonpublic personal information that must be protected: it is no longer limited to information the firm collects itself and now includes customer information received from another financial institution.

SEC Commissioner Hester M. Peirce expressed concern that the new regulations could go too far.

Reservations and Broader Context

"Today’s Regulation S-P modernization will help covered institutions appropriately prioritize safeguarding customer information," she said. "Customers will be notified promptly when their information has been compromised so they can take steps to protect themselves, like changing passwords or keeping a closer eye on credit scores. My reservations stem from the rule's breadth and the likelihood that it will spawn more consumer notices than are helpful."

Regulation S-P has not been substantially modified since its adoption in 2000.

Last year, the SEC adopted separate rules requiring publicly traded companies to disclose cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, their business strategy, results of operations, or financial condition.

The FTC’s new Amendment Requires Financial Institutions to Report Security Breaches Within 30 Days


The Federal Trade Commission has adopted an amendment to its Safeguards Rule that requires non-bank financial institutions to notify the FTC of certain data breaches and other security incidents.

The underlying Safeguards Rule already requires these businesses, which include payday lenders, auto dealers, and mortgage brokers, to develop, implement, and maintain a comprehensive information security program to protect consumer data; the amendment adds a breach notification duty on top of it.

Before this amendment the Safeguards Rule did not require breach reporting at all. Under the amended rule, organisations must notify the Federal Trade Commission (FTC) "as soon as possible", and no later than 30 days after discovery, of any security event involving the information of 500 or more consumers.

The notification duty is triggered when an unauthorised party acquires unencrypted customer information. Encrypted data is treated as unencrypted for this purpose if the attacker also obtained the encryption key, so encryption only removes the reporting obligation when the keys were kept out of the attacker's reach.

The amendment takes effect 180 days after its publication in the Federal Register, which put the effective date in May 2024.

After discovering a security event, non-bank financial institutions must use the FTC's online portal to submit the relevant details to the commission. A complete report includes the name and contact details of the reporting institution, the number of consumers affected, a description of the data involved, the date or date range of the event, and whether a law enforcement official has requested a delay in public disclosure.

The FTC makes these notifications public, but the amendment lets a law enforcement official request that publication be delayed for up to 30 days where public disclosure would impede a criminal investigation or threaten national security. The official may ask for an additional delay of up to 60 days.

Samuel Levine, director of the FTC's Bureau of Consumer Protection, stressed that businesses entrusted with private financial data must be open and honest "if that information has been compromised." He said the new disclosure obligation should give these businesses "additional incentive" to actually protect their customers' data.

In October 2021, the FTC finalised revised Safeguards Rule requirements to improve data security and at the same time invited public comment on a proposed supplemental amendment covering breach reporting. That supplemental amendment has now been adopted by a unanimous 3-0 vote.

Investigating Chainalysis Data Reliability in Cryptocurrency Cases

 

Chainalysis has become a key player in cryptocurrency investigations in recent years, supplying financial institutions and law enforcement agencies with vital information and insights. But as its influence grows, concerns about the accuracy and reliability of the information it provides have surfaced.

The scrutiny over Chainalysis data was thrust into the spotlight by the recent 'Bitcoin Fog' case, which raised concerns about the reliance on Chainalysis in criminal investigations. Critics argue that the reliance on a single source for such critical information may lead to potential biases or inaccuracies. Bloomberg's report on the case highlights the complexities surrounding the use of Chainalysis in legal proceedings, emphasizing the need for a nuanced understanding of the data it provides.

One of the primary concerns regarding Chainalysis data is its potential impact on privacy and civil liberties. As blockchain analysis becomes more prevalent, there are fears that innocent individuals may be caught in the crossfire of investigations. The delicate balance between effective law enforcement and protecting individual rights remains a key challenge.

Chainalysis, however, defends its practices and emphasizes its commitment to transparency and accuracy. In a recent blog post, the company provided insights into its methodology and highlighted its efforts to continuously improve the quality of the data it delivers. Michael Gronager, CEO of Chainalysis, affirmed, "We understand the weight of responsibility that comes with providing data for legal proceedings, and we take every measure to ensure its reliability."

Experts in the field also weigh in on the matter. Dr. Sarah Hopkins, a leading blockchain analyst, commented, "While Chainalysis has undoubtedly been a game-changer in tracking illicit activities, it's essential to remember that it's just one piece of the puzzle. It should be used in conjunction with other investigative techniques to ensure a comprehensive understanding of the situation."

The controversy over the reliability of Chainalysis data is a reminder of how cryptocurrency investigation is changing. Although the tool has frequently proved useful, its conclusions should be treated as evidence to be corroborated rather than as ground truth. Investigative techniques and tools must keep pace as the technology and the market evolve, and a multifaceted approach that balances privacy concerns with the needs of effective law enforcement remains essential in this fast-moving field.

Critical Financial Institutions Under Siege: Argentina's Securities Commission Hit by Medusa Ransomware

 


 
The Health Sector Cybersecurity Coordination Center (HC3) has warned healthcare providers in a new analyst note about MedusaLocker ransomware, a variant recently used to encrypt healthcare systems.

The separate Medusa ransomware operation, which launched in June 2021 and should not be confused with the older MedusaLocker family, showed relatively little activity at first, with few victims. In 2023 the gang stepped up its operations and launched a leak site, the Medusa Blog, where it publishes data stolen from victims who refuse to pay the ransom.

MedusaLocker belongs alongside better-known ransomware families such as Royal and Clop, which have also recently been used against healthcare systems. Left on a network unattended for long, it is capable of causing significant damage.

MedusaLocker was first observed in September 2019, and healthcare has since become one of its primary targets; the group notably exploited the confusion of the COVID-19 pandemic to break into systems. It operates as ransomware as a service (RaaS), with affiliates carrying out the intrusions using the operators' malware.

Last Wednesday, Argentina's National Securities Commission (CNV) suffered a major ransomware attack, reportedly resulting in a $100,000 loss. Medusa gained access to computers on the agency's network, which hosted thousands of documents and databases that the group exfiltrated. In a statement released Sunday afternoon, authorities said the breach had been contained.

The attackers said that unless they received US$500,000 within a week, they would publish 1.5 terabytes of confidential financial information. In its press release the CNV said the attack had been "isolated and contained" and that it had stopped the malware from reaching any other computers in the organisation.

According to the CNV's press release, Medusa compromised several government computers, and various government websites were taken down. The release added that "the acting protocol helped isolate the computers from anyone outside of the organization."

Medusa drew media attention this week after claiming responsibility for an attack on Minneapolis Public Schools (MPS) and sharing a video of data stolen from the district.

The CNV said in its press release that it will file a criminal complaint so that the justice system can investigate the cause of the attack and identify those responsible.

In a ransomware attack, malware running on the victim's machine encrypts its files, and the attacker demands a ransom in exchange for the key needed to decrypt them. Groups like Medusa also steal data before encrypting it and threaten to publish it, so that even victims with good backups face pressure to pay.

Medusa first surfaced in June 2021 and has quickly expanded to target corporations, with ransom demands typically ranging from $10,000 to $1,000,000. The group runs a blog where it publishes the data of victims who refuse to pay, using the threat of exposure as leverage. It threatened to publish the stolen CNV data on that blog unless the agency paid US$500,000 within a week of the theft.

Despite the damage caused by the ransomware attack on Argentina's Securities Commission, authorities managed to contain the breach and stop the malware from spreading further. The Medusa operators have demanded $500,000 and threatened to release 1.5 terabytes of financial information publicly if they are not paid.

The commission has taken immediate steps to isolate and protect its systems and is laying the groundwork for legal action to identify and prosecute the perpetrators. Critical financial institutions need to strengthen their cyber security measures to counter the growing threat of ransomware and to prevent further data breaches.