SEC warns cybersecurity is biggest threat to financial system

Comes as regulator introduces new crowdfunding rules


The chair of the US Securities and Exchange Commission (SEC), Mary Jo White, has warned that the biggest risk the financial system faces is cybersecurity.

Speaking at the Financial Regulation Summit in Washington DC, White warned the industry that its policies and procedures were not up to scratch, and that without them firms faced the same fate as the Bangladeshi central bank that recently lost $81m through a cyber attack on its payment systems.

"What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks," she told the conference, according to Reuters. "As we go out there now, we are pointing that out."

The SEC is "very pro-active" in assessing how open those acting in the financial sector are to a cyberattack, she said, adding: "we can't do enough in this sector."

White also warned that the SEC was looking at companies that use non-standard accounting methods to report their earnings. She noted that companies are increasingly reporting figures that do not follow Generally Accepted Accounting Principles (GAAP) – an approach that lets them exclude what can be very large expenses from the headline numbers they present to investors.

Companies are supposed to meet certain criteria if they choose to publish non-GAAP figures, and the SEC is starting to dig into whether they are being followed. Non-GAAP "is not supposed to supplant GAAP and obviously not obscure GAAP," she said.

The speech, together with recent SEC actions against people caught short-selling ahead of an initial public offering (IPO), is just the latest in a series of warnings that White has issued about the tech sector.

Unicorns or cons?

Last month she visited Silicon Valley and was openly critical of the billion-dollar valuations of many startup companies.

The sheer number of so-called "unicorns" was "a topic of concern," she noted, adding: "Beyond the hype and the headlines, our collective challenge is to look past the eye-popping valuations and carefully examine the implications of this trend for investors, including employees of these companies, who are typically paid, in part, in stock and options."

She also warned that the SEC was closely watching "fintech" – startups targeting the financial markets – name-checking in particular blockchain, automated investment advice and marketplace lending.

Just one month later, the CEO of the largest marketplace lending company in the country, Lending Club, was ousted after an internal investigation revealed poor business practices and dubious policies, including the fact that the company had sold $22m in loans to an investor even though none of them met the criteria that investor had set.

Crowdfunding

White's warning also comes as the SEC put in place new federal crowdfunding rules which will make it easier for small businesses to raise capital. On Monday – the first day that the rules came into effect – the SEC received 17 applications for "Form C offerings" and the next day another 10.

Previously, small companies could not use crowdfunding to offer investors a stake in the business or a share in its profits, so they offered products or more intangible rewards like meet-ups or mementos instead. In the eyes of the law, backers were simply "contributing," not investing.

The new rules allow for securities-based crowdfunding, giving companies a number of new options to raise money. But they will require companies to go through SEC-registered intermediaries and will come with limits – $1m per year and $10,000 per investor.

The rules have been eagerly anticipated by startups and small companies for several years. The irony, of course, is that the driver was in many cases the booming tech sector, and that market has slowed down dramatically in the new year with many expecting an end to the boom and maybe even a bust.

It's not known whether the new crowdfunding rules will help revive the many startups across the country – but particularly in and around Silicon Valley – who are struggling to find funding through VC routes, or whether the rules will just sit on the books awaiting the next tech boom. ®
