Tag Archive for: SEC

Concerns emerge over proposed SEC cyber incident disclosure changes


Gary Gensler, chair of the U.S. Securities and Exchange Commission, testifies during a Senate Banking, Housing, and Urban Affairs Committee hearing on Sept. 14, 2021, in Washington. (Photo by Bill Clark-Pool/Getty Images)

Facing increased breaches on its systems and among its members, the Securities and Exchange Commission (SEC) is considering how it will better handle cyber threats.

The SEC proposed new amendments in March to govern how investment firms and public companies under its purview should improve upon their IT security management and incident reporting.

“Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs,” said SEC Chair Gary Gensler in a March release.

“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks,” Gensler said. “A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”

SEC gets tough on identity programs and incident reporting

In July, the SEC slammed JP Morgan Chase & Co, UBS and online stock trader TradeStation for deficient customer identity programs, each having violated the Identity Theft Red Flags Rule, or Regulation S-ID, between January 2017 and October 2019. Regulation S-ID seeks to protect investors from the risk of identity theft. All three financial institutions agreed to cease and desist from future violations, to be censured, and to pay fines of $1.2 million, $925,000, and $425,000, respectively.

Among other commitments, the SEC’s proposed amendments would require that financial institutions offer current reporting about “material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.”

In March, the SEC stated that the “proposed rule defines a cybersecurity incident as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information…


SEC Proposes To Expand Cybersecurity Obligations Of Registered Investment Advisers And Registered Funds – Technology


The SEC recently proposed a series of new rules and amendments (the Proposed Rules) under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 concerning cybersecurity risk management for registered investment advisers (registered advisers) as well as registered investment companies (registered funds). If adopted, these rules would require registered advisers and registered funds to implement extensive written cybersecurity policies and procedures and significantly augment their cybersecurity reporting, disclosure and recordkeeping obligations. Coming on the heels of SEC Chair Gary Gensler’s recent vow to improve the “overall cybersecurity posture and resiliency of the financial sector,” the Proposed Rules are the latest demonstration of the SEC’s heightened focus on bolstering regulations to better prevent and respond to cybersecurity attacks on securities markets. Issuance of the Proposed Rules is also driven by the SEC’s expressly stated concern that, notwithstanding observations the SEC has made in recent risk alerts and enforcement actions, registered advisers and registered funds have not adopted reasonably designed cybersecurity programs to sufficiently address an increasingly sophisticated and volatile cyberthreat landscape. Comments on the Proposed Rules are due on the later of April 11, 2022 or 30 days after their publication in the Federal Register.

Background on Registered Advisers and Registered Funds

The Proposed Rules would impose substantially similar obligations on registered advisers—such as money managers, investment consultants and financial planners—and registered funds—such as mutual funds, exchange-traded funds, registered closed-end funds, business development companies, and unit investment trusts—but there are some distinctions, particularly with respect to reporting and disclosure requirements. While both registered advisers and registered funds would be obligated to disclose significant cybersecurity incidents to clients and investors, only registered advisers would be required to report such incidents to the SEC. Because registered advisers would have to report incidents of their fund…


Lazarus Group phishes for hacking tools. Rockethack’s odd position in the C2C market. CISA’s holiday advice. SEC scam warning.


Attacks, Threats, and Vulnerabilities

North Korean Hackers Caught Snooping on China’s Cyber Squad (The Daily Beast) North Korean hackers are under fierce pressure to raise revenue to fund regime goals. Now they’re trying to spy on Chinese security researchers to get better hacking tools.

Void Balaur explained—a stealthy cyber mercenary group that spies on thousands (CSO Online) Unlike other groups, Void Balaur will target individuals and organizations in Russian-speaking countries and seems to have intimate knowledge of telecom systems.

APT41’s cyber attack methods are a blueprint for hacker groups (TechHQ) APT41’s cyberattack methods are becoming the blueprint for other hacker groups to launch attacks on the supply chain and other industries as well.

Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends (CISA) As Americans prepare to hit the highways and airports this Thanksgiving holiday, CISA and the Federal Bureau of Investigation (FBI) are reminding critical infrastructure partners that malicious cyber actors aren’t making the same holiday plans as you. Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways—big and small—to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure. 

New ‘SharkBot’ Android Banking Malware Hitting U.S., UK and Italy Targets (SecurityWeek) A newly discovered Android banking trojan has been observed targeting international banks and five different cryptocurrency services.

Github cookie leakage – thousands of Firefox cookie files uploaded by mistake (Naked Security) Be aware before you share! That’s a good rule for developers and techies, just as much as it is for social media addicts.

Space cyber wargame exposes satellite industry risks (README) Space industry executives grappled with a simulated crisis Monday as a hacker compromised a satellite and set it on a collision course.

US SEC warns investors of ongoing govt impersonation attacks (BleepingComputer) The Securities and Exchange Commission (SEC) has warned US investors of scammers impersonating SEC…


Do app sec like a boss: The top 25 pros to follow


Attacks on the application layer can be the hardest to defend against. User input scenarios for your apps can be difficult to identify with intrusion detection signatures. On top of that, the layer is the most accessible and exposed to the Internet. It’s a recipe for trouble.

That’s why application security soldiers need to stay on top of what’s happening in their field. Here’s our updated list of 25 top pros whose Twitter feeds can help anyone who is interested in keeping their applications safe and their company more resilient.

Katy Anton

Lead security architect, JPMorgan Chase & Co.

@KatyAnton

Anton works with software architects, software developers, and security teams around the world and advises them about securing their software. She’s also one of the leaders on the OWASP Top Ten Proactive Controls Project and an international speaker on topics related to application security at both developer and security conferences.

Kurt Baumgartner

Principal security researcher, Kaspersky Lab’s Global Research and Analysis Team

@k_sec

Baumgartner monitors malware across the Americas. His specialties include reversing and analyzing known and unknown malware and identifying unique behaviors and static characteristics. In addition to tweeting, he blogs.

Michael Coates

Co-founder and CEO, Altitude Networks

@_mwc

In addition to his day job, Coates is an advisory board member of the Millennium Alliance, a networking and education group made up of industry leaders and visionaries. He is also the former head of security at Mozilla and Twitter, as well as a past chairman of the global board of directors at OWASP.

Josh Corman

Senior adviser and visiting researcher, the Cybersecurity and Infrastructure Security Agency

@joshcorman

Corman co-founded I Am The Cavalry, a global grass-roots organization. It’s focused on the intersection of computer security, public safety, and human life, concentrating on medical devices, automobiles, home electronics, and public infrastructure.

Dan Cornell

CTO, the Denim Group

@danielcornell

Cornell is a globally recognized expert in application security. He leads the team at the Denim Group that helps Fortune…
