The New York Department of Financial Services (NYDFS) has settled alleged violations of the Department’s strict cybersecurity regulations with National Securities Corp. (NSC) for $3 million, over four separate cybersecurity events suffered by it and its affiliate National Asset Management, Inc. (NAM) between April 3, 2018 and April 30, 2020.

The Consent Order reports that the “First Cyber Event” happened on September 13, 2019 “when a Human Resources representative received a suspicious email from an employee requesting assistance with a change to the employee’s direct deposit.” The H/R representative reached out to the employee by telephone and confirmed that the request was not legitimate. However, the employee’s email account had been compromised through a phishing scheme and affected customers were notified. At the time, NYDFS noted that NSC did not have multi-factor authentication (MFA) implemented, which was required by the cybersecurity regulations.

A second cyber event occurred on April 30, 2020, when a broker of the firm noticed “a potential unauthorized transfer of funds from a client account in the amount of $200,000.” After review, two additional unauthorized transfers from client accounts were discovered. It was also discovered that forwarding rules were set up from the broker’s account. Although the customers were refunded the amounts that were transferred without authorization (presumably to a cyber-criminal), NAM “did suffer a resulting loss of $400,000.”

During the compromise of the broker’s account, NSC contacted affected individuals, changed their account credentials, and provided them with credit monitoring. At the time of the second cyber event, the brokers had not yet implemented MFA, which was not completed until August 14, 2020.

The Consent Order is a roadmap of NYDFS’ cybersecurity regulations and the requirements that must be met. The Consent Order states: “[P]ursuant to Section 500.12(b) of the Cybersecurity Regulation, MFA must be utilized for any individuals accessing a Covered Entity’s internal network from an external network. This requirement applies to third-party applications, including email platforms such as O365, that access a Covered Entity’s internal network. Section 500.12(b) became effective on March 1, 2018.” NYDFS found that as of that date, NSC did not have MFA implemented in compliance with the regulations. According to the Consent Order, “[D]uring the period between the effective date of Section 500.12(b) and the date MFA was fully implemented on National Securities’ email environment, National Securities did not have controls designed to protect the O365 environment,

During the investigation, it was discovered that NSC “was the victim of two additional Cybersecurity Events, which were not reported to the Department as promptly as possible and no later than 72 hours of their occurrence, as is required by 23 NYCRR § 500.17(a).” One included a phishing incident that occurred on April 3, 2018, and another occurred on March 6, 2019, when a document management systems account that was part of NSC’s tax software program was compromised during a phishing scheme. Although NSC notified affected individuals of the incidents, NSC did not report the incident to NYDFS per the cybersecurity regulations. NYDFS stated that although NSC certified that it was in compliance with the regulations when it filed its annual report in 2019, it was not in compliance for the 2018 calendar year, and therefore the certificate of compliance with the regulations during that year “was false.”

The settlement included a $3 million civil monetary payment, which NSC cannot deduct or credit, nor can it obtain reimbursement from its insurance policy, a requirement to “strengthen its controls to protect its cybersecurity systems and the private data of consumers,” and implement a “comprehensive written Cybersecurity Incident Response Plan.”

NYDFS gave NSC special mention for its “commendable cooperation throughout this investigation,” and “credits National Securities’ ongoing efforts to remediate the shortcomings identified in this Consent Order.”

If you are subject to the NYDFS Cybersecurity Regulations, the Consent Order is a worthwhile read for guidance.

It can be accessed here.

Binary Check Ad Blocker Security News

The New York Department of Financial Services (DFS), which regulates certain covered entities and licensed persons in the financial services sector doing business in New York, recently provided guidance to its regulated entities that the annually required Certificate of Compliance with the DFS Cybersecurity Regulations must be submitted no later than April 15, 2021.

To find out whether a company is covered by the DFS Cybersecurity Regulations, DFS has established a portal to search applicable regulated entities. The portal also is used to file the annual certification. According to DFS, “All Covered Entities and licensed persons who are not fully exempt from the Cybersecurity Regulation are required to submit a Certificate of Compliance no later than April 15, 2021, attesting to their compliance for the 2020 calendar year.”

The publication further states that “if a Covered Entity or licensed person has an exemption that is still valid, they do not need to file a new Notice of Exemption in 2021.”

For more information on the DFS Cybersecurity Regulation requirements, click here.

Binary Check Ad Blocker Security News

You probably heard about the recent hack of Twitter accounts that took place on July 15, 2020. The hackers took over several prominent Twitter accounts, which resulted in a scam that netted over $118,000 in bitcoin for the hackers. One of the most startling things about the cyberattack was that it was led by a 17-year-old along with his accomplices. The hackers took over the accounts of well-known individuals including Barack Obama, Kim Kardashian West, Kanye West, Bill Gates, Elon Musk and many others, and tweeted a “double your bitcoin scam” from these Twitter accounts directing people to send bitcoin to fraudulent accounts.

The New York Department of Financial Services (NYDFS) issued a detailed report last week regarding this hack into the social media giant. The report found that “the Twitter Hack happened in three phases: (1) social engineering attacks to gain access to Twitter’s network; (2) taking over accounts with desirable usernames (or “handles”) and selling access to them; and (3) taking over dozens of high-profile Twitter accounts and trying to trick people into sending the Hackers bitcoin. All this happened in roughly 24 hours.”

How did the hackers do it? According to the report, the first phase of the attack started with the hackers stealing credentials of Twitter employees the old-fashioned way by using social engineering. The hackers posed as Twitter IT employees and contacted several Twitter employees claiming there was a problem with Twitter’s Virtual Private Network (VPN). The report stated that the “hackers claimed they were responding to a reported problem the employee was having with Twitter’s Virtual Private Network (VPN). Since switching to remote working, VPN problems were common at Twitter. The Hackers then tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA [multi-factor authentication] notification requesting that the employees authenticate themselves, which some of the employees did.”

The hackers then went surfing within the Twitter system looking for employees with access to internal tools to take over accounts. This led to the second phase of the attack: taking over and selling access to original gangster (OG) Twitter accounts. According to the report, an OG Twitter account refers to accounts  designated by a single word, letter, or number and adopted by Twitter’s early users. The hackers discussed taking over and selling the OG accounts in various online chat messages. On July 15, the hackers “ hijacked multiple OG Twitter accounts and tweeted screenshots of one of the internal tools from some of the accounts to the accounts’ respective followers.

The final phase of the hack involved  taking over various cryptocurrency company accounts and directing users to a link to a scam bitcoin address. According to a tweet sent out by Twitter on July 16, approximately 130 accounts of high-profile verified users (those Twitter accounts that you see with the blue check mark) were taken over by the hackers with tweets asking people to send bitcoin, with the promise that the high-profile user would double the amount to be given to a charity. The bitcoin address was fraudulent, the tweets were not sent by the actual users, and the hackers were able to collect more than $118,000 in bitcoin.

The NYDFS began its investigation because the cryptocurrency companies are regulated entities. According to the report, the department instructed the cryptocurrency companies to block the hackers’ bitcoin addresses if they hadn’t already done so. This move prevented over a million dollars’ worth of fraudulent bitcoin transfers.

We write all the time about the critical importance of cybersecurity practices and protocols such as multifactor authentication, employee training regarding phishing, and using secure passwords. The general consensus appears to be that the Twitter hack was not a sophisticated one, but that the hackers knew what they were after and knew how to accomplish their goal. The NYDFS report stated that “the Twitter Hack is a cautionary tale about the extraordinary damage that can be caused even by unsophisticated cybercriminals. The Hackers’ success was due in large part to weaknesses in Twitter’s internal cybersecurity protocols.”