
Cybersecurity and Cyber-Enabled Fraud

Regulatory Obligations

Cybersecurity incidents, such as account takeovers, ransomware or network intrusions, and any related exposure of customer information or fraudulent financial activity can expose firms to loss of customer information, financial losses, reputational risks and operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370 and 3110 (Supervision), as well as Securities Exchange Act (SEA) Rules 17a-3 and 17a-4, Regulation S-P and Regulation S-ID.

Such incidents could also implicate FINRA Rule 4530(b) (Reporting Requirements), which requires firms to promptly report to FINRA when they have concluded (or reasonably should have concluded) that they or their associated persons have violated any securities-, insurance-, commodities-, financial- or investment-related laws, rules, regulations or standards of conduct of any domestic or foreign regulatory body or self-regulatory organization, where such violative conduct meets the standards in FINRA Rules 4530.01 (Reporting of Firms' Conclusions of Violations) and 3310 (Anti-Money Laundering Compliance Program).

Observations and Effective Practices

Observations

FINRA has observed an increase in the variety, frequency and sophistication of certain cybersecurity attacks and incidents that represent threats to the financial industry, including:

  • Ransomware—cyberattacks where threat actors gain unauthorized access to firm systems, encrypting or otherwise accessing sensitive firm data or customer information, and then holding that hijacked data or customer information for ransom;
  • New Account Fraud—threat actors using falsified customer information or stolen identity information purchased from criminal sites on the dark web to open accounts at financial institutions using a mobile app or internet browser;
  • Insider Threats—incidents where firm employees, advertently or inadvertently, use their access to firms’ systems and data to cause harm to firms, their customers or both;
  • Account Takeovers—threat actors using compromised investor information (e.g., login credentials, such as usernames and passwords) to gain unauthorized access to online accounts;
  • Data Breaches—attacks in which threat actors obtain access to confidential information (e.g., firm data, clients’ personally identifiable information (PII)) through an attack, and then expose, or threaten to expose, this information across the clear and dark nets;
  • Imposter Sites—attacks in which threat actors leverage imposter sites, domains and social media profiles for cyber-enabled fraud (including those that impersonate financial firms, registered representatives and FINRA staff); and
  • Quishing—compromise attacks that use QR codes to redirect victims to phishing URLs.

Third-party vendors can pose additional cyber threats to firms by introducing vulnerabilities that can lead to data breaches and supply chain attacks. For additional guidance, please see the Third-Party Risk Landscape topic.

FINRA has also observed these emerging threats that may impact firms:

  • Quasi-Advanced Persistent Threats (Quasi-APTs)—well-resourced threat actors that engage in sophisticated, malicious cyber activity targeted and aimed at prolonged network or system intrusion (i.e., APTs), but are not necessarily sponsored by nation states or large organizations.
  • Generative AI (Gen AI)-Enabled Fraud[1]—threat actors exploiting generative AI’s ease of use and wide range of applications to enhance their cyber-enabled crimes, for example, by:
    • generating fake content (e.g., imposter sites, false identification documents, deep fake audio and video);
    • creating polymorphic malware—a type of malicious software that constantly morphs, evolves or changes appearance to avoid detection by security products; and
    • leveraging generative AI models to develop malicious tools, allowing those without technical ability to become sophisticated cybercriminals.
  • Cybercrime-as-a-Service—criminals with technical expertise selling tools and services to less technical threat actors, allowing them to commit cybercrimes they would not have otherwise been able to conduct (particularly ransomware, under the Ransomware-as-a-Service model).

For additional guidance concerning threat actors’ manipulation of generative AI to commit cyber-enabled fraud, please see the Emerging Risk: Adversarial Use of Generative Artificial Intelligence “callout” box in the Anti-Money Laundering, Fraud and Sanctions topic.

Effective Practices

  • Account Intrusion: Reviewing potentially violative activity when identified to determine whether further action (e.g., trading and fund restrictions on the accounts) is appropriate.
  • Imposter Domains: Monitoring the internet for any new imposter domains that pretend to represent the firm or a registered representative; and maintaining written procedures for responding to reports of imposter domains that include reporting the domains and notifying impacted customers or business partners.
  • Outbound Email Monitoring: Implementing systems that scan outbound email and attachments to identify and potentially block sensitive customer information or confidential firm data.
  • Potential Intrusion Report Card: Leveraging the FINRA Cross Market Options Supervision: Potential Intrusion Report Card, which provides lists of trades related to potentially fraudulent options transactions facilitated by account takeover schemes.
  • Training and Security Awareness: Periodically training staff to identify and thwart tactics, techniques and procedures (TTPs) associated with people-centric attack vectors (e.g., phishing attacks, social engineering).
  • Identity Verification: For firms that allow new accounts to be opened online, developing a comprehensive process for validating the identity of new clients; and using third parties that can verify identities and provide a score related to the level of risk associated with a new account (to help firms determine if additional verification is required).
  • Tabletop Exercise (TTX): Regularly conducting a TTX to bring key internal and external stakeholders together and ensure current and emerging cyber and technology threats and risks are appropriately identified, mitigated and managed.
  • Lateral Movement: Subdividing networks into separate sections (i.e., network segmentation) to restrict the ability of threat actors to move across networks to find valuable data.
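As an added illustration of the imposter-domain monitoring practice above (example code written for this page, not FINRA's or any firm's tooling), the check below scores newly observed domains against a firm's own domain, folding common look-alike substitutions before comparing. The firm domain and the observed-domain feed are constructed sample values.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample input (not from the page): the firm's real domain and a feed
# of newly observed domains, as a registrar or certificate-transparency monitor might supply.
FIRM_DOMAINS = ["examplebroker.com"]
OBSERVED = [
    "examplebroker.com",        # the firm's own domain, must not be flagged
    "exarnplebroker.com",       # 'm' spelled as 'rn'
    "examplebroker-login.com",  # brand name with a credential-themed suffix
    "examp1ebroker.net",        # digit for letter, different TLD
    "examplebr\u043eker.com",   # Cyrillic 'o' (U+043E) in place of Latin 'o'
    "weatherreport.org",        # unrelated domain
]

# Common look-alike substitutions folded to the letter they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "@": "a"}

def normalize(label):
    """Lower-case, drop non-ASCII (a typical mixed-script trick), fold look-alikes."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s

def sld(domain):
    """Second-level label, e.g. 'examplebroker' from 'examplebroker.com' (single-label TLD assumed)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain, firm_domains=FIRM_DOMAINS, threshold=0.85):
    """Return a reason if `domain` resembles one of the firm's domains, else None."""
    if domain.lower() in [d.lower() for d in firm_domains]:
        return None
    cand = normalize(sld(domain))
    for firm in firm_domains:
        brand = normalize(sld(firm))
        if cand == brand:
            return "brand label reproduced via look-alike characters or a different TLD"
        if brand in cand:
            return "brand label embedded in a longer label"
        if SequenceMatcher(None, cand, brand).ratio() >= threshold:
            return "near-match to brand label (similarity >= %.2f)" % threshold
    return None

def flag_imposters(observed, firm_domains=FIRM_DOMAINS):
    """Map each suspicious domain in `observed` to the reason it was flagged."""
    flagged = {}
    for domain in observed:
        reason = classify(domain, firm_domains)
        if reason:
            flagged[domain] = reason
    return flagged
```

Flagged domains would feed the written response procedure the practice describes (reporting the domain and notifying affected customers), with the similarity threshold tuned to the firm's brand length to limit false positives.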

Additional Resources

Quantum Computing Risks

Quantum computing is an emerging technology that relies on quantum mechanics to perform calculations not possible for the most powerful classical supercomputers:

  • Several financial institutions, including broker-dealers, have started exploring how leveraging quantum for exponential improvements in computing performance could enhance business operations (e.g., optimization systems for trade execution and settlement; simulations of market-related activity).
  • However, as with all technology, quantum computing could be exploited by threat actors to aggravate the risk of cybersecurity-related crimes. In particular, quantum computers may eventually have the ability to quickly break current encryption standards firms and others in the financial services industry currently use.
  • Firms considering whether to incorporate quantum computers into their internal systems and processes, as well as firms contemplating the potential threats the use of quantum computing may raise, may consider putting particular focus on regulatory issues such as cybersecurity, third-party vendor management, data governance and supervision.

For additional guidance, please see:


[1] Generative artificial intelligence is a type of artificial intelligence that, based on a user’s prompt, can create content such as text, computer code, audio and video.