sec - X-Industry - Red Sky Alliance2024-03-28T19:06:52Zhttps://redskyalliance.org/xindustry/feed/tag/secSEC’s Final Cyber Ruleshttps://redskyalliance.org/xindustry/sec-s-final-cyber-rules2024-01-16T13:00:00.000Z2024-01-16T13:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12360309462,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12360309462,RESIZE_400x{{/staticFileLink}}" width="250" alt="12360309462?profile=RESIZE_400x" /></a>For over a decade, the Securities and Exchange Commission (SEC) has been working with corporations and their many stakeholders to seek ways to appropriately influence corporate governance around cybersecurity. On 26 July 2023, the SEC voted to adopt new cybersecurity disclosure rules for all publicly traded companies.<a href="#_ftn1">[1]</a> <a href="#_ftn2">[2]</a> </p>
<p>In 2011, the SEC issued guidance to help companies understand that they should take responsibility for reducing cyber risk. This was guidance rather than formal regulation, but it raised awareness and underscored for corporations that they had a responsibility to shareholders to mitigate cyber risk. In 2018, the SEC issued new guidance that expanded on and strengthened the 2011 guidance. Still, there is a difference between guidance and regulation. Many companies either did not notice or felt that their existing protections mitigated risk well enough, and the guidance had limited impact.<a href="#_ftn3">[3]</a></p>
<p>In March 2022 the SEC published a draft set of proposed new rules that would make aspects of cybersecurity reporting and governance mandatory. After extensive industry feedback, the SEC held an open meeting on 26 July 2023 and voted on and approved the final rules.</p>
<p>The new rules are far stronger than previous interpretive guidance. The stated objective of these rules is to strengthen investors' ability to evaluate public company cybersecurity practices and incident reporting. The rules will ensure corporations provide consistent, comparable, and useful information to shareholders in two major categories:</p>
<ul>
<li>Information on incidents that may have a material impact on shareholder opinions and</li>
<li>Information on governance processes designed to mitigate cyber risks.</li>
</ul>
<p>In the first category, companies must disclose any cybersecurity incident they determine to be material. The disclosure is made on a Form 8-K and is due within four business days after the company determines that the incident is material (materiality is used in the same way as in previous SEC guidance: information is material if a reasonable investor would consider it important in making an investment decision). The final rules make it clear that the materiality determination must be made without unreasonable delay after the incident is discovered.</p>
<p>In the second category, companies must disclose information on their cybersecurity risk management, strategy, and governance. The SEC is looking for far more disclosure on these topics than in the past, including how the company assesses, identifies, and manages material risks from cybersecurity threats and whether such threats have materially affected, or are reasonably likely to materially affect, the company. The board’s oversight of risks from cybersecurity threats, and management’s role and expertise in assessing and managing those risks, must also be disclosed. These rules take effect quickly: the governance disclosures begin with Form 10-K and Form 20-F annual reports for fiscal years ending on or after 15 December 2023, while smaller reporting companies were given an additional 180 days before the Form 8-K incident disclosure requirement applies to them.</p>
<p>The rules give the corporate board new responsibilities in cyber risk oversight. However, the final rules differ from the draft in that companies do not have to disclose whether there is cybersecurity expertise on their board. Boards should be talking with management now to ensure clarity on the new reporting requirements for incidents and for cyber risk governance, and a gap assessment should be conducted.</p>
<p>All directors should seek to understand and mitigate cyber risk by leveraging expert advice from experienced risk management professionals. External advisors can rapidly evaluate whether the board’s expertise matches the oversight role the SEC rules describe and can recommend additional training for the full board or for a board-designated cyber expert.</p>
<p>Although not required by SEC guidance, many boards have already decided to form cybersecurity committees so a few designated board members can work on issues outside of board meetings. External advice can help the board evaluate whether this is the right approach for the mission and function of the board.</p>
<p>See: <a href="https://www.redskyalliance.com/redxray">https://www.redskyalliance.com/redxray</a></p>
<p>What can boards do better? Be a part of the solution by assigning a board member access to Red Sky Alliance’s RedXray service that will allow a user to monitor their own company’s cyber health daily. It is easy to use, and only targeted cyber threat intelligence will be delivered. Since the SEC wants boards to be informed and active in preventing cyberattacks, why not use RedXray as a C-suite information service to overlay the company’s current cyber threat department and services?</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.oodaloop.com/wp-content/uploads/2023/07/sec-final-rules-cybersecurity-33-11216.pdf">https://www.oodaloop.com/wp-content/uploads/2023/07/sec-final-rules-cybersecurity-33-11216.pdf</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.oodaloop.com/wp-content/uploads/2023/07/public-company-cyber-disclosures-33-11216-fact-sheet.pdf">https://www.oodaloop.com/wp-content/uploads/2023/07/public-company-cyber-disclosures-33-11216-fact-sheet.pdf</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://www.oodaloop.com/archive/2023/07/26/the-sec-announces-final-cybersecurity-rules-what-the-c-suite-needs-to-know-and-do/">https://www.oodaloop.com/archive/2023/07/26/the-sec-announces-final-cybersecurity-rules-what-the-c-suite-needs-to-know-and-do/</a></p></div>AI and Cyber Risks to SMBshttps://redskyalliance.org/xindustry/ai-and-cyber-risks-to-smbs2024-01-09T17:05:00.000Z2024-01-09T17:05:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12346594062,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12346594062,RESIZE_400x{{/staticFileLink}}" width="250" alt="12346594062?profile=RESIZE_400x" /></a>Recently, executives from SentinelOne, Protect AI and IBM Consulting provided lawmakers on the cybersecurity and infrastructure protection subcommittee with a laundry list of recommendations to better combat AI threats. Attacks by malicious hackers using artificial intelligence could swamp smaller companies that are already overwhelmed by cybercrime, experts warned lawmakers during a congressional hearing on 26 December 2023.<a href="#_ftn1">[1]</a></p>
<p>Testifying before the House Homeland Security Committee’s subcommittee on cybersecurity and infrastructure protection, experts from the private sector discussed AI-related threats, including making it faster for malicious hackers to develop malware, spread disinformation, and increase the scale of attacks at a time when smaller businesses are constantly being hit by intrusions.</p>
<p>Bringing up the well-known and complex Stuxnet worm, which sabotaged centrifuges at Iran’s Natanz uranium enrichment facility, Alex Stamos, chief trust officer at SentinelOne, said that developing the worm required a substantial amount of resources. With AI, Stamos warned, such operations could become less costly for attackers. “My real fear is that we’re going to have AI-generated malware that won’t need that,” Stamos said. “That if you drop it inside of an air gap network in a critical infrastructure network, it will be able to intelligently figure out, ‘Oh, this bug here, this bug here and take down the power grid even if you have an air gap.'” Stamos also noted that in recent years, criminal cybercrime groups have become “professionalized,” with the technical sophistication one would expect from nation-backed hackers. “The truth is, we’re not doing so hot,” Stamos said. “We’re kinda losing.”</p>
<p>Small and medium businesses, Stamos said, are “not ready to play at that level.” He advocated moving those smaller players to the cloud so there is less responsibility on individual organizations and more “collective defense.” Stamos said that one key thing the Cybersecurity and Infrastructure Security Agency (CISA) can do is get an incident reporting regime up and running. Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), the agency is set to require critical infrastructure owners and operators to notify it of major cyber incidents.</p>
<p>The reporting is intended to fuel a better understanding of the current threat landscape, as there are few requirements currently for companies to report breaches to the federal government. Stamos did note that the Securities and Exchange Commission’s own incident reporting requirements are likely to have a negative impact on cybersecurity efforts due to the “over-legalization” that the ruling will have.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/fbi-guidance-on-delaying-sec-required-data-breach-disclosure">https://redskyalliance.org/xindustry/fbi-guidance-on-delaying-sec-required-data-breach-disclosure</a></p>
<p>Stamos also said that CISA should help break information silos apart, saying that one of the issues in cybersecurity is that firms “don’t talk to each other enough.”</p>
<p>Ian Swanson, the CEO and founder of Protect AI, said in his opening statement that in order to secure AI, there should be a “comprehensive inventory” that lists out the “ingredients” of AI. “Only then do we have visibility and auditability of these systems, and then you can add security,” Swanson said.</p>
<p>Swanson recommended that the US Department of Homeland Security (DHS) create a machine learning bill of materials and invest in and protect the open source software ecosystem that AI relies on. He noted that the Biden administration should be talking to all players in the AI space, from startups to Big Tech companies like OpenAI.</p>
<p>Debbie Taylor Moore, senior partner and vice president of global cybersecurity at IBM Consulting, noted in her opening statement that CISA should focus on AI education and workforce development, particularly within the critical infrastructure sectors, and share information like vulnerabilities and best practices. “Addressing the risks posed by adversaries is not a new phenomenon,” Moore said. “Using AI to improve security operations is also not new. But both will require focus and what we need today is urgency, accountability and precision in our execution.”</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://cyberscoop.com/ai-cyber-risks-small-companies-house-hearing/">https://cyberscoop.com/ai-cyber-risks-small-companies-house-hearing/</a></p></div>Cybersecurity and Corporate Boards of Directorshttps://redskyalliance.org/xindustry/cybersecurity-and-corporate-boards-of-directors2023-12-21T13:00:00.000Z2023-12-21T13:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12331833873,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12331833873,RESIZE_400x{{/staticFileLink}}" width="250" alt="12331833873?profile=RESIZE_400x" /></a>In the face of unrelenting pressure from significant cyber incidents and regulatory action to mitigate them, enterprises are assessing whether they are doing enough about cybersecurity. Public companies are evaluating their responses to the new SEC rules calling for disclosures on cybersecurity strategy, risk management, and governance practices. The SEC’s action against SolarWinds and its CISO is setting off alarm bells throughout the cybersecurity community, causing CISOs to worry about personal liability and companies to reassess their D&O policies and the rising cost of cyber insurance.</p>
<p>See: <a href="https://www.cisecurity.org/solarwinds">https://www.cisecurity.org/solarwinds</a> </p>
<p>Cybersecurity incidents are unavoidable. However, in many recent high-profile cases, these incidents have exposed governance/management weaknesses and disconnects between glowing boilerplate cybersecurity disclosure language and the actual substance of cybersecurity processes. Companies go to great lengths to revamp their cybersecurity only after these incidents. Where is the preparation, notification, and responsible party?<a href="#_ftn1">[1]</a></p>
<p>There is no doubt that SEC registrants will tighten up and expand their disclosure language, particularly since the Form 8-K incident disclosure requirement took effect on 18 December 2023, but there are more fundamental problems. Company boards and C-suites perceive their governance, management, and implementation of cybersecurity processes and procedures to be adequate. If so, they must be surprised when incidents reveal facts that demonstrate otherwise.</p>
<p>Boards can be overwhelmed by the complexity of cybersecurity and the vast array of detailed management presentations on compliance, heat maps, penetration testing, and the like, without understanding their context. At the same time, they may be comforted by management’s actions on cybersecurity and not feel the need to do more. If so, are board members pushing cybersecurity governance out to the management team? Governance cannot be delegated to management, and evidence from well-publicized breaches suggests either a lack of governance or exactly that delegation. Guidance on cybersecurity governance is available from NIST <a href="https://www.nist.gov">https://www.nist.gov</a>, which is in the process of adding a “GOVERN” function to its Cybersecurity Framework, described as follows:</p>
<ul>
<li>“GOVERN directs an understanding of organizational context; the establishment of strategy and cybersecurity supply chain risk management; roles, responsibilities and authorities; policies, processes, and procedures; and the oversight of cybersecurity strategy.”</li>
</ul>
<p>Board adherence to some form of the GOVERN function is necessary to meet its fiduciary responsibility. Experienced board members are well-equipped to ask insightful questions, assess risk, and make governance decisions for most business risks and challenges. However, in the past, the complex nature of cyber risk has caused many board members to shy away from cybersecurity and not devote the time and energy required to understand and deal with the issue fully. This is unsustainable as incidents and regulatory pressures mount. Adding cybersecurity expertise to the board can be a partial fix for this problem, so long as these additions are not viewed as a “check-the-box” solution that relieves the rest of the board of its fiduciary duty.</p>
<p>Here are sample questions board members are asking to make this happen:</p>
<ul>
<li>Is our board adhering to its fiduciary governance responsibility or delegating it to management?</li>
<li>Does the board understand the enterprise’s business functions and interactions to contextualize cyber risk?</li>
<li>Are the board and management adequately structured and organized to deal with cyber risk?</li>
<li>Has the enterprise adopted a robust cybersecurity framework it adheres to rigorously?</li>
<li>How does the framework fit into overall enterprise risk management?</li>
<li>What criteria are used to make changes to cybersecurity spending?</li>
<li>Does the board understand risk tolerance, and does it interact with management to develop a risk appetite?</li>
<li>Does the board understand cybersecurity presentations by management, or are they presented using tech jargon?</li>
<li>Do cybersecurity policies and procedures include customer, third-party, operational, and software interfaces?</li>
<li>How do cybersecurity compliance audits relate to governance?</li>
<li>What procedures are in place to respond to and report cyber breaches?</li>
<li>Does the board participate in tabletop exercises to train for responses to cyber incidents?</li>
</ul>
<p>Boards want to avoid closing the cybersecurity barn door only after an incident. To do so, they must turn their perception of cybersecurity governance into reality.</p>
<p>Effective cybersecurity requires organizational changes necessary to govern and manage complex digital systems, educational changes to develop a common contextual “systems” understanding amongst the board and risk experts, and cultural changes to imprint upon the enterprise the importance of shared responsibility for cybersecurity.</p>
<p>The time for an enterprise-wide understanding of systemic cyber risk is today. One way for boards to stay involved is to receive daily targeted cyber threat intelligence reporting delivered to their phones every morning through the RedXray service of Red Sky Alliance Corp (<a href="https://www.redskyalliance.com/redxray">https://www.redskyalliance.com/redxray</a>). The notifications can also be sent to team members and cyber threat responders, who can use the intelligence to act appropriately. According to IBM’s 2022 Cost of a Data Breach report, the global average cost of a data breach was $4.35 million. Against that figure, is a couple of thousand dollars a month too much to pay to learn of threats to the company before they become breaches?</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.oodaloop.com/archive/2023/12/13/cybersecurity-perception-is-reality-until-facts-intervene/">https://www.oodaloop.com/archive/2023/12/13/cybersecurity-perception-is-reality-until-facts-intervene/</a></p></div>FBI Guidance on Delaying SEC-Required Data Breach Disclosurehttps://redskyalliance.org/xindustry/fbi-guidance-on-delaying-sec-required-data-breach-disclosure2023-12-16T12:00:00.000Z2023-12-16T12:00:00.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}12324148088,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12324148088,RESIZE_400x{{/staticFileLink}}" width="250" alt="12324148088?profile=RESIZE_400x" /></a>In the US, the Federal Bureau of Investigation (FBI) has issued guidance regarding the data breach reporting requirements of the US Securities and Exchange Commission (SEC), providing useful information on how disclosures can be delayed. The SEC announced in late July that it had adopted new cybersecurity incident disclosure rules for public companies, requiring them to disclose, through a Form 8-K filing, any material breach within four business days. The rules are set to go into effect on 18 December 2023.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/8-k-a-need-for-cyber-threat-intel">https://redskyalliance.org/xindustry/8-k-a-need-for-cyber-threat-intel</a></p>
<p>When it announced the new rules, the SEC noted that disclosure may be delayed if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. The FBI has now clarified how this works: the Justice Department can grant an initial delay of up to 30 days. The delay can be extended by another 30 days, and by a further 60 days in extraordinary circumstances involving national security, but the delays cannot exceed a total of 120 days without an exemptive order from the SEC.<a href="#_ftn1">[1]</a></p>
<p>The FBI is accepting delay requests on behalf of the Justice Department, and organizations seeking to delay disclosure must follow certain procedures. “If the FBI does not receive the delay request from the victim directly or through the US Secret Service (USSS), the Cybersecurity and Infrastructure Security Agency (CISA), or another sector risk management agency (SRMA) concurrently with the materiality determination, the FBI won’t process the request,” the agency explained. It added, “In other words, failure to report the cyber incident immediately upon determination of materiality will cause a delay-referral request to be denied. The FBI also encourages victims to engage with the FBI directly or through USSS, CISA, or SRMAs prior to making a materiality determination.”</p>
<p>While some applauded the SEC for its initiative when it announced the new rules, others raised concerns about the impact on investors and some warned that the disclosure rules could actually help cybercriminals.</p>
<p>See: <a href="https://www.sec.gov/files/33-11038-fact-sheet.pdf">https://www.sec.gov/files/33-11038-fact-sheet.pdf</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/fbi-issues-guidance-for-delaying-sec-required-data-breach-disclosure/">https://www.securityweek.com/fbi-issues-guidance-for-delaying-sec-required-data-breach-disclosure/</a></p></div>Ransomware Group Files SEC Complaintshttps://redskyalliance.org/xindustry/ransomware-group-files-sec-complaints2023-11-21T14:26:30.000Z2023-11-21T14:26:30.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12296541079,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12296541079,RESIZE_400x{{/staticFileLink}}" alt="12296541079?profile=RESIZE_400x" width="250" /></a>A well-known ransomware group has recently filed a complaint with the US Securities and Exchange Commission (SEC) over the failure of a victim to disclose an alleged data breach resulting from an attack conducted by the cybercrime gang itself. </p>
<p>The ransomware group known as ALPHV/BlackCat claims to have breached the systems of MeridianLink (<a href="https://www.meridianlink.com">https://www.meridianlink.com</a>), a California-based company that provides digital lending solutions for financial institutions and consumer data verification solutions.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/blackcat-tools-impacket-remcom-1">https://redskyalliance.org/xindustry/blackcat-tools-impacket-remcom-1</a></p>
<p>The cybercriminals claim to have stolen a significant amount of customer data and operational information belonging to MeridianLink, and they are threatening to leak it unless a ransom is paid. To increase its chances of getting paid, the malicious hackers claim to have filed a complaint with the SEC against MeridianLink, accusing the company of failing to disclose the breach within four business days, as required by rules announced by the agency in July 2023.</p>
<p>The new rules introduce mandatory cyber incident reporting requirements for all US-listed companies. Domestic issuers must disclose material cybersecurity incidents in Form 8-K filings, and foreign private issuers must disclose them on Form 6-K.</p>
<p>Issuers must disclose cybersecurity incidents that the company determines to be material, using the same materiality standard that applies to other disclosures under US securities laws. The disclosure must describe the material aspects of the nature, scope, and timing of the incident and its material impact, or reasonably likely material impact, on the company’s financial condition and results of operations. It must be filed within four business days after the company determines that the incident is material, which is not necessarily the day the incident was discovered.</p>
<p>BlackCat published screenshots on its leak website on 15 November 2023 to show that the SEC filed and received the complaint. This appears to be the first time a ransomware group has filed an SEC complaint against one of its victims.</p>
<p>The hackers reported that the attack against MeridianLink, which allegedly did not involve file-encrypting ransomware, only data theft, was conducted on 07 November 2023 and was discovered the same day. A spokesman from MeridianLink stated that the intrusion occurred on 10 November 2023. “Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the company said, adding that it cannot share further details due to its ongoing investigation.</p>
<p>It is worth mentioning that the new SEC data breach disclosure rules will only go into effect in mid-December 2023. In addition, companies will be required to notify the SEC within four business days of determining that a cybersecurity incident is material to investors, which, based on MeridianLink’s statement, has yet to happen.</p>
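<p>The four-business-day clock discussed in this post, and in the SEC rules post above, starts at the materiality determination, not at discovery, and that distinction is easy to get wrong in an incident-response playbook. The following Python example is an added illustration, not code from Red Sky Alliance, MeridianLink, or the SEC. It assumes that a business day is a weekday that is not a US federal holiday, uses a constructed and deliberately incomplete holiday list, and uses constructed dates rather than MeridianLink’s actual timeline.</p>

```python
from datetime import date, timedelta

# Constructed, deliberately incomplete holiday list used only to make the example
# self-contained (assumption): a real incident-response playbook would load the
# official US federal holiday calendar for the relevant year.
SAMPLE_FEDERAL_HOLIDAYS = frozenset({
    date(2023, 11, 23),  # Thanksgiving Day 2023
    date(2023, 12, 25),  # Christmas Day 2023
})


def is_business_day(day, holidays=SAMPLE_FEDERAL_HOLIDAYS):
    """A business day is a weekday that is not a federal holiday (assumed definition)."""
    return day.weekday() < 5 and day not in holidays


def add_business_days(start, count, holidays=SAMPLE_FEDERAL_HOLIDAYS):
    """Walk forward from `start` until `count` business days have elapsed.

    The start date itself is day zero, so a determination made on a Friday
    has a four-business-day deadline on the following Thursday.
    """
    day = start
    remaining = count
    while remaining > 0:
        day += timedelta(days=1)
        if is_business_day(day, holidays):
            remaining -= 1
    return day


def form_8k_deadline(materiality_determined, holidays=SAMPLE_FEDERAL_HOLIDAYS):
    """Form 8-K Item 1.05 is due within four business days after the
    materiality determination, not after the intrusion or its discovery."""
    return add_business_days(materiality_determined, 4, holidays)


def disclosure_timeline(discovered, materiality_determined,
                        holidays=SAMPLE_FEDERAL_HOLIDAYS):
    """Summarise the dates an incident-response lead needs to track.

    `delay_request_due` reflects the FBI guidance that a national-security or
    public-safety delay request must reach the FBI concurrently with the
    materiality determination; a later request is not processed.
    """
    if materiality_determined < discovered:
        raise ValueError("materiality cannot be determined before discovery")
    return {
        "discovered": discovered,
        "materiality_determined": materiality_determined,
        "days_to_determination": (materiality_determined - discovered).days,
        "filing_deadline": form_8k_deadline(materiality_determined, holidays),
        "delay_request_due": materiality_determined,
    }


if __name__ == "__main__":
    # Constructed dates, not MeridianLink's actual timeline: discovery on a
    # Friday, determination twelve days later, with Thanksgiving in the window.
    timeline = disclosure_timeline(date(2023, 11, 10), date(2023, 11, 22))
    for label, value in timeline.items():
        print(f"{label:>24}: {value}")
```

<p>The point the example makes is that a twelve-day investigation before the materiality call moves the filing deadline by twelve days, and that a holiday inside the four-day window pushes it further; what does not move is the date by which a DOJ delay request must be lodged, which is the determination date itself.</p>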
<p>BlackCat has been one of the most active ransomware operations. It is not uncommon for the group to try new methods for convincing targets to pay up, including by setting up dedicated leak websites for individual victims.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/ransomware-group-files-sec-complaint-over-victims-failure-to-disclose-data-breach/">https://www.securityweek.com/ransomware-group-files-sec-complaint-over-victims-failure-to-disclose-data-breach/</a></p>
<p> </p></div>The House doesn't always Winhttps://redskyalliance.org/xindustry/the-house-doesn-t-always-win2023-10-17T16:05:00.000Z2023-10-17T16:05:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12258182092,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12258182092,RESIZE_400x{{/staticFileLink}}" width="250" alt="12258182092?profile=RESIZE_400x" /></a>In a US Securities and Exchange Commission 8-K disclosure filing on 05 October 2023, MGM Resorts reported losing around $100 million after the 11 September 2023 breach incident.</p>
<p>In an open letter published recently, MGM CEO Bill Hornbuckle said that "the vast majority of our systems have been restored," adding, "We also believe that this attack is contained. As part of our remediation efforts, we have rebuilt, restored, and further strengthened portions of our IT environment.<a href="#_ftn1">[1]</a> We will offer free identity protection and credit monitoring services to individuals who receive an email from us indicating that their information was impacted."</p>
<p>The breach resulted in the following:</p>
<ul>
<li>MGM responded swiftly and shut down its systems to mitigate risk to customer information.</li>
<li>$100M impact to EBITDAR (non-GAAP metrics are getting interesting)</li>
<li>$10M in one-time fees, including technology consulting (too late?), legal, and advisory fees</li>
</ul>
<p>Customer data compromised included name, contact information, gender, date of birth, and driver’s license number. For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors. MGM does not believe that customer passwords, bank account numbers, or payment card information were obtained. MGM currently believes that its cybersecurity insurance will be sufficient to cover the financial impact of the operational disruptions, the one-time expenses, and future expenses, though the full scope of the costs and related impacts has not been determined.</p>
<p>Here are some additional details about the breach:</p>
<ul>
<li>The breach affected systems at MGM properties in Las Vegas, Mississippi, and Maryland.</li>
<li>The company said that it was not aware of any unauthorized access to guest financial information.</li>
<li>MGM is offering free credit monitoring and identity protection services to affected guests.</li>
<li>The FBI is investigating the breach.</li>
</ul>
<p>The Caesar's Palace cybersecurity breach could have several negative ramifications for the company, including:</p>
<ul>
<li>Financial losses: Caesar's Palace may be liable for damages to customers whose data was stolen in the breach. The company may also have to spend money on additional cybersecurity measures to prevent future breaches.</li>
<li>Reputational damage: The Caesar's Palace cybersecurity breach could damage the company's reputation and make it more difficult to attract and retain customers.</li>
<li>Regulatory scrutiny: The Caesar's Palace cybersecurity breach is likely to attract the attention of regulators, who could investigate the company's cybersecurity practices and impose fines or other penalties.</li>
</ul>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.secureworld.io/industry-news/breach-mgm-resorts-hotel-access">https://www.secureworld.io/industry-news/breach-mgm-resorts-hotel-access</a></p></div>
8-K a Need for Cyber Threat Intel
https://redskyalliance.org/xindustry/8-k-a-need-for-cyber-threat-intel
2023-08-19T11:20:00.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><p>According to IBM’s Cost of a Data Breach Report 2022, the global average total cost of a data breach increased by USD 0.11 million to USD 4.35 million in 2022, the highest it's been in the history of this report. The increase from USD 4.24 million in the 2021 report to USD 4.35 million in the 2022 report represents a 2.6% increase.</p>
<p>See: <a href="https://www.ibm.com/reports/data-breach">https://www.ibm.com/reports/data-breach</a></p>
<p>In addition to the financial costs, the US Government has additional timed reporting planned for all publicly held companies. The US Securities and Exchange Commission (SEC) announced on 26 July 2023 that it has adopted new cybersecurity incident disclosure rules for public companies, but there is some concern that the new rules might actually be helping hackers. The goal of the new rules is “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents”.</p>
<p>Publicly traded companies will be required to disclose, through a Form 8-K filing, any material cybersecurity breach within four business days, unless otherwise instructed by the US attorney general due to substantial risk to national security or public safety.</p>
<p>Would it not make more sense to prevent a cyber breach from happening in the first place? There is a service named RedXray that can notify any organization in the world of cyber threats that have not yet breached the entity’s network. US publicly held companies could save time and embarrassment by not having to report on cyber breaches that could have been prevented.</p>
<p>The SEC filing must describe the incident’s nature, timing, scope and material impact (or likely material impact). It’s worth noting that the timer for the four (4) days starts the moment the victim determines that an incident is material. Companies will also have to regularly provide information on their processes for identifying, assessing and managing risks associated with cyber threats, as well as on material impact from threats and previous incidents.</p>
<p>Information on the board of directors’ oversight of cybersecurity risks and management’s expertise and role in managing cybersecurity-related material risks will also need to be provided.</p>
<p>The Form 8-K disclosures will be required starting 90 days after the publication of the rules in the Federal Register or 18 December 2023. Smaller companies have been given an additional 180 days. “Whether a company loses a factory in a fire or millions of files in a cybersecurity incident it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”</p>
<p>While some have applauded the SEC’s efforts to ramp up expectations for companies, others are not happy with the new rules. The rules passed by a 3-2 vote and one of those who voted against it is SEC commissioner Hester Peirce, who raised concerns that the requirements will harm investors due to the additional costs associated with the disclosure process. In addition, Peirce pointed out that the disclosure requirements could actually help cybercriminals. “The strategy and governance disclosures risk handing them a roadmap on which companies to target and how to attack them. The 8-K disclosures, which are unprecedented in nature, could then tell successful attackers when the company finds out about the attack, what the company knows about it, and what the financial fallout is likely to be (i.e., how much ransom the attacker can get),” Peirce said.</p>
<p>“The requirement to file an amended 8-K when new information comes in will provide the attacker regular updates on the company’s progress. The 8-K disclosures also will signal to other would-be attackers an opportune time to attack. The careful drafting necessary to avert some of these problems will be difficult in the four-day filing timeframe,” Peirce added.</p>
<p><em>Source: </em><a href="https://www.securityweek.com/companies-required-by-sec-to-disclose-cybersecurity-incidents-in-4-days/">https://www.securityweek.com/companies-required-by-sec-to-disclose-cybersecurity-incidents-in-4-days/</a></p>
</div>
A Cyber Bleach Hit
https://redskyalliance.org/xindustry/a-cyber-bleach-hit
2023-08-17T16:10:00.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><p>Clorox announced a cybersecurity incident this week that forced it to take several systems offline. The company, which reported more than $7 billion in earnings in 2022 through its namesake cleaning product and several others like Pine Sol, Burt’s Bees and more, reported the incident in regulatory filings with the US Securities and Exchange Commission (SEC) on 14 August. “The Clorox Company has identified unauthorized activity on some of its Information Technology (IT) systems. After becoming aware of the activity, the Company began taking steps to stop and remediate the activity, including taking certain systems offline,” the company said in an 8-K filing.<a href="#_ftn1">[1]</a></p>
<p>“The Company is working diligently to respond to and address this issue, and is also coordinating with law enforcement. To the extent possible, and in line with its business continuity plans, Clorox has implemented workarounds for certain offline operations in order to continue servicing its customers.”</p>
<p>The company warned that the cyber incident is causing “disruption to parts of the Company’s business operations” and has forced them to hire a cybersecurity firm to help with the recovery. Their investigation into the incident is “ongoing and is in its early stages.” Clorox did not immediately respond to requests for comment.<a href="#_ftn2">[2]</a></p>
<p>In its annual 10-K report filed with the SEC last week, the company warned that its increasing reliance on an array of technology left it exposed to potential disruptions caused by cyberattacks.</p>
<p>Both its informational and operational technology systems may be “vulnerable to …ransomware, unauthorized access attempts, business email compromise, cyber extortion, denial of service attacks, phishing, social engineering, hacking and other cyberattacks attempting to exploit vulnerabilities,” it said.</p>
<p>The company noted it has seen “an increase in the number of such attacks” since shifting to a remote work model. </p>
<p>Manufacturing companies continue to face an endless barrage of attacks, with dozens of high-profile corporations announcing incidents in recent weeks including mattress giant Tempur Sealy.</p>
<p>Researchers at Akamai said last week they saw a 42% increase in total manufacturing industry victims between Q4 2021 and Q4 2022, outpacing all other industries. Comparitech said based on their data, the 478 ransomware attacks on manufacturing companies from 2018 to July 2023 caused an estimated $46.2 billion in losses from downtime.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/clorox-takes-servers-offline-after-cyber-incident">https://therecord.media/clorox-takes-servers-offline-after-cyber-incident</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.usnews.com/news/technology/articles/2023-08-14/clorox-says-certain-business-operations-disrupted-in-cyber-attack">https://www.usnews.com/news/technology/articles/2023-08-14/clorox-says-certain-business-operations-disrupted-in-cyber-attack</a></p></div>
4 Days Cyber Reporting
https://redskyalliance.org/xindustry/4-days-cyber-reporting
2023-07-28T11:30:00.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><p>The US Securities and Exchange Commission (SEC) this past week approved new rules that require publicly traded companies to publicize details of a cyber-attack within four days of identifying that it has a "material" impact on their finances, marking a major shift in how computer breaches are disclosed. "Whether a company loses a factory in a fire, or millions of files in a cybersecurity incident, it may be material to investors," the SEC chair said. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way."<a href="#_ftn1">[1]</a></p>
<p>To that end, the new obligations mandate that companies reveal the incident's nature, scope, and timing, as well as its impact. This disclosure, however, may be delayed by an additional period of up to 60 days should it be determined that giving out such specifics "would pose a substantial risk to national security or public safety."</p>
<p>They also require registrants to describe on an annual basis the methods and strategies used for assessing, identifying, and managing material risks from cybersecurity threats, detail the material effects or risks arising as a result of those events, and share information about ongoing or completed remediation efforts. "The key word here is 'material' and being able to determine what that actually means," Safe Security said. "Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels." That said, the rules do not extend to "specific, technical information about the registrant's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."</p>
<p>The policy, first proposed in March 2022, is seen as an effort to bring more transparency into the threats faced by US companies from cybercrime and nation-state actors, close the gaps in cybersecurity defense and disclosure practices, and harden the systems against data theft and intrusions.</p>
<p>In recent months, more than 500 companies have become victims of a cyber-attack spree orchestrated by a ransomware gang called Cl0p, propelled by the exploitation of critical flaws in software widely used in enterprise environments, with the threat actors leveraging new exfiltration methods to steal data, according to Kroll.</p>
<p>Tenable said the new rules on cyber risk management and incident disclosure are "right on the money" and that they are a "dramatic step toward greater transparency and accountability. When cyber breaches have real-life consequences and reputational costs, investors should have the right to know about an organization's cyber risk management activities," Tenable added.</p>
<p>That said, concerns have been raised that the time frame is too tight, leading to possibly inaccurate disclosures, given that it may take companies weeks or even months to fully investigate a breach. To complicate the matter further, premature breach notifications could tip off other attackers to a susceptible target and exacerbate security risks. "The new requirement set forth by the SEC requiring organizations to report cyber-attacks or incidents within four days seems aggressive but sits in a more lax time frame than other countries," the security awareness advocate at KnowBe4, said. "Within the EU, the UK, Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it's 24 hours. India has to report the breach within six hours. Either way, organizations should have repeatable and well-documented incident response plans with communication plans, procedures, and requirements on who is brought into the incident and when," KnowBe4 added.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html">https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html</a></p></div>
Lending and AI
https://redskyalliance.org/xindustry/lending-and-ai
2023-07-22T12:50:00.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><p>Buying a house these days is almost insurmountable. Who can afford to pay cash for a decent house, or even the minimum downpayment? That’s where lenders come in. Banks and finance companies have been doing this for years. But now there is an elephant in the room, called AI. The top US bank regulator is warning that lenders need to ensure that artificial intelligence tools don't perpetuate biases and discrimination in credit decisions.<a href="#_ftn1">[1]</a></p>
<p>Federal Reserve Vice Chair for Supervision Michael Barr said that the central bank is working on its supervisory efforts around AI. He added that if used safely, the technology could have a positive impact on access to loans. AI could leverage data "at scale and at low cost to expand credit to people who otherwise can't access it,” Barr said earlier this week in prepared remarks for the National Fair Housing Alliance conference in Washington. "While these technologies have enormous potential, they also carry risks of violating fair lending laws and perpetuating the very disparities that they have the potential to address.”</p>
<p>Barr said machine learning and other artificial intelligence could amplify bias or errors in data or might make incorrect predictions. "There are also risks that the data points used could be correlated with a protected class and lack a sufficient nexus to creditworthiness,” he said.</p>
<p>Gary Gensler, head of the Securities and Exchange Commission, also sounded warnings about the use of AI in finance. He said that companies need to be aware of how their use of AI may not be in line with securities rules. The proliferation of AI means governments will probably have to overhaul regulations to maintain global financial stability, Gensler said.</p>
<p>Artificial intelligence is already widespread across banking, payments and insurance. Whether we know it or not, algorithms make decisions about our finances every day. At present, the technology is most commonly used to market products and to enhance customer service, where AI chatbots have become the first port of call for a growing number of customers.<a href="#_ftn2">[2]</a></p>
<p>As these chatbots help to answer common queries about payment balances, order statuses and returns, human customer service teams are freed up to address more complex issues. Theoretically, this improves the customer experience and lowers costs. And, as the new wave of generative AI, based on large language models such as ChatGPT, is applied to more banking and payment services, it will become capable of taking on these more complex queries, too.</p>
<p>Applications of AI in banking and payments - Accenture’s generative AI lead for banking in the UK, says: “We can expect even greater and more precise personalization specific to each customer’s unique circumstance. This will be down to how letters and emails are written to give the customer information only they need, at a time when they need it.” </p>
<p>Still, new benefits come with new risks. UK consumer group Which? warns that, if automated decisions are based on biased or inaccurate data, it could lead to some consumers being excluded from certain products or suffering financial losses. </p>
<p>Which? director of policy and advocacy, says: “Ultimately, if consumers are going to benefit from AI, then they need to know that the [regulators] will adopt a robust approach to supervision, with tough enforcement for firms not delivering for their customers.” No wonder most firms are treading carefully. The chief data officer at brokerage Hargreaves Lansdown, says: “Like the vast majority of businesses, we are still understanding how we can best use the technology.”</p>
<p>That may be in ways that have not yet been identified. Simon Lyons, lecturer at The London Institute of Banking &amp; Finance, says: “When we think of AI, we assume that its usage is to take over tasks that humans do and do them better. However, the true value in AI is the identifying of trends and making judgments from them.”</p>
<p>AI is helping with number crunching, processing, and the heavy lifting of data analysis. Investment fund Augmentum Fintech, says: “The vast majority of AI deployments today involve predictive AI, where machine-learning models are trained on historic data and then used to support rules-based decision making in use cases such as underwriting, fraud detection and trading strategies.”</p>
<p>Checking payments and transactions for evidence of financial crime, by spotting suspicious behavior patterns, is a top use case. Banks are using AI and the data they collect when processing transactions and authorizations to predict fraud. In fact, Accenture says: “Many of the frauds and scams discovered in recent years would not have been found without the advanced algorithms which look for signal in the noise.”</p>
<p>Applications of AI in insurance - Similarly, AI’s ability to process data, spot patterns and make decisions is finding practical applications in insurance. It is already being used to better assess claims liability, to optimize pricing, and to personalize cover.</p>
<p>Debbie Kennedy, chief executive of insurance broker LifeSearch, says insurers are “leveraging the ability to use advanced analytics to consume and learn from vast data sources.” </p>
<p>Risks from the use of AI - But there are downsides to the pursuit of delivering the perfect price for each risk. Consumer group Fairer Finance is calling for boundaries around what insurers can price on and transparency around what data is being input to pricing algorithms. Fairer Finance, warns: “The more we move away from the pooling of risk to individualized pricing, the more we exclude people at the margins. We also end up penalizing people for things they have no control over, or by using statistical correlations to place consumers in the wrong bucket. You may well be able to show that people from profession A are prone to have more car accidents than people from profession B, but there’s unlikely to be any causality in that link.”</p>
<p>29% - Percentage of savers comfortable with an adviser using AI.</p>
<p>However, in future, it is likely that AI could prove beneficial in supporting consumers with financial decisions. Financial education website Boring Money found 29% of savers and investors are comfortable with their financial adviser using AI technology to provide a cheaper and better service. And 28% are comfortable taking investment recommendations given as a result of using AI technology. Even so, there will be natural limits on how transformative the technology can be, says Boring Money. For example, one of the biggest barriers to taking financial advice remains trust and “AI is not going to solve this problem,” it notes.</p>
<p>The director of OneStep Financial Planning at Charles Stanley, agrees. “Money is emotional and personal,” she says. “AI can be many things, but it can’t be human, and it can’t understand you as an individual.”</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://menafn.com/1106623689/Feds-Barr-Says-Ai-Risks-Amplifying-Bias-And-Errors-In-Lending">https://menafn.com/1106623689/Feds-Barr-Says-Ai-Risks-Amplifying-Bias-And-Errors-In-Lending</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.ft.com/content/15ae2b65-7722-4870-8741-b0ddcd54a534">https://www.ft.com/content/15ae2b65-7722-4870-8741-b0ddcd54a534</a></p></div>
Nothing but FUD
https://redskyalliance.org/xindustry/nothing-but-fud
2023-07-14T12:10:00.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><p>Changpeng Zhao, co-founder and CEO of Binance, the world's largest centralized cryptocurrency exchange by trading volume, cleared the FUD (fear, uncertainty, doubt) making rounds online that the crypto empire is dumping Bitcoin to artificially bolster and stabilize the price of its native token Binance Coin (BNB).</p>
<p>Even before the US Securities and Exchange Commission filed 13 charges against Binance.US, Zhao, and other associated businesses, the crypto empire had been the subject of many speculations on various social media outlets and even in mainstream media.<a href="#_ftn1">[1]</a></p>
<p>This further intensified last week following the SEC lawsuit and after the financial regulator filed a motion asking the court to freeze the assets of Binance.US and sought its approval to use "alternative means" to summon CZ.</p>
<p>With the crypto market struggling to get out of the red puddle caused by the cloud of regulatory uncertainty hovering over the industry, another allegation has been thrown toward Binance. This time, it involves some sort of market manipulation to make it appear that its token BNB is surviving the ongoing crypto crackdown and regulatory enforcement.</p>
<p>Zhao, more popularly known as CZ in the crypto space, immediately cleared these claims and dispelled them by saying that these are nothing but FUD. "4. Binance have not sold BTC or BNB. We even still have a bag of FTT," the CEO said in a tweet, sharing his disbelief on how "amazing they can know exactly who sold based on just a price chart involving millions of traders. FUD."</p>
<p>In June of 2023, several crypto traders, including users of Twitter handles @52kskew and @JW100x shared the short-term price correlations between a sell-off in Bitcoin and a purchase in BNB. The tweets immediately went viral and amassed over 3 million views based on Twitter data. "USDT reserves have been pumped into BNB aggressively since 27th May," a Twitter user who uses the handle @52kskew said, adding that "BNB is being sold off for BUSD to suppress volatility in BTC." The user further said that "BUSD is pumped into BTC to suppress downside volatility so BTC can be swapped out for USDT."</p>
<p>Meanwhile, the Twitter user with the handle @JW100x claimed that "as spot Bitcoin is sold off, BNB is purchased, which defends the $220 liquidation but also caps the upside potential of Bitcoin. It is a total house of cards."</p>
<p>Despite the ongoing chaos Binance and its affiliated businesses are currently facing, its token is slowly climbing up. BNB saw a 4.11% gain. It was trading in the green zone at $247.47 over the past 24 hours (14 June) with its 4-hour trading volume up by 30.99% at $965 million as of 4:56 a.m. ET in June, according to data from CoinMarketCap. </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.ibtimes.com/cz-clears-fud-denies-claims-that-binance-dumping-bitcoin-artificially-boost-bnb-price-3699807">https://www.ibtimes.com/cz-clears-fud-denies-claims-that-binance-dumping-bitcoin-artificially-boost-bnb-price-3699807</a></p></div>
SEC - Accountability on Corporate Board Members for Cyber Breaches
https://redskyalliance.org/xindustry/sec-accountability-on-corporate-board-members-for-cyber-breaches
2023-01-31T15:34:07.000Z
Jim McKee
https://redskyalliance.org/members/JimMcKee
<div><p>The US Securities and Exchange Commission (SEC) in 2023 requires corporate boards to improve their cybersecurity act and increase transparency by disclosing cybersecurity incidents with full details to the SEC and investors within four (4) business days.</p>
<p>In addition to reporting there was an incident, publicly traded corporations must identify who on their board or which subcommittee is responsible for cybersecurity and their relevant expertise. Adding to the growing importance of the CISO role, required disclosures will also include how often and by which processes board members are informed of and discuss cyber risk.</p>
<p>The new notice of proposed rulemaking was published by the Office of Management and Budget's Office of Information and Regulatory Affairs as part of the SEC's rulemaking agenda. It will include finalizing two sets of cybersecurity rules proposed in 2022 that increase requirements for SEC-regulated public companies, broker-dealers, funds, investment advisors, self-regulatory organizations (SROs), and others.</p>
<p>When finalized, the rules will go a bit deeper than simply identifying who on the board is responsible and who was informed of corporate cybersecurity procedures. For instance, registered investment advisors (RIAs) and funds must adopt cybersecurity policies and procedures, conduct documented risk assessments, implement access controls, monitor and remediate vulnerabilities, and detect, respond to, and report cybersecurity incidents. Covered RIAs and funds will be required to report cybersecurity incidents within 36 hours.</p>
<p>According to the Co-Chair of the Data Privacy and Cybersecurity Practice at Spencer Fane, LLP (<a href="https://www.spencerfane.com">https://www.spencerfane.com</a>): "While this is an oversimplification of all of the requirements and nuances of the forthcoming SEC rules, the SEC's objectives are to require companies to provide meaningful and actionable information to shareholders to understand better companies' cyber risks and how companies are managing and responding to them. From a very high level, this can be broken down into two categories of what companies want to see companies disclose information about: proactive cyber risk governance and risk management, and reactive incident response and reporting."</p>
<p>The new rules show the increasing importance of the CISO's role, particularly regarding communication with the board.</p>
<p>According to a leading Cyber Attorney and Global Leader of the Privacy Practice Group at Octillo Law (<a href="https://octillolaw.com">https://octillolaw.com</a>): "The proposed SEC rules are just another in a long trend of regulators increasingly focusing on cybersecurity across industries and businesses. With these new rules, the SEC is taking a step to elevate cyber to the board level, requiring boards to disclose any cybersecurity expertise on the board and the company's cybersecurity risk management and governance practices. Finally, the period to disclose 'material' breaches will last four days. All of this combines to add heightened visibility, and oversight, into companies and their compliance practices. How this will impact publicly traded companies, and how the SEC will enforce these rules, will be key for all businesses to watch to influence their approach to cyber within their operations."</p>
<p>Spencer Fane agrees: "On the proactive side, companies need to disclose their policies and procedures to identify and manage cyber risks, management's role in implementing such policies and procedures, and the Board of Directors' cybersecurity expertise and its oversight over cyber risk. This latter sentence can mean either who on the Board has cyber expertise or how great a role the CISO has directly with the Board; that is, does the CISO finally have a seat at the parents' table?" The differentiator of the new rule is that it is not based upon a privacy breach but on a "material cybersecurity incident" that might affect the business and its investors. "On the reactive side, companies are required to disclose to their shareholders when there is a 'material cybersecurity incident,' which may or may not constitute an otherwise reportable event under the various privacy-based breach notification laws," he said. "The point of this requirement is to let the investing public know about cyber events that will impact the company so that they can be informed and consider them."</p>
<p>The SEC's latest rulemaking agenda, released by the Office of Management and Budget's Office of Information and Regulatory Affairs, shows a few items specifically targeting cybersecurity-related issues. Since the SEC wants to name responsible parties publicly after cyber breaches, it is up to the board members of all organizations to take steps and adopt procedures to protect themselves from cyberattacks. </p>
<p>The following is what Red Sky Alliance recommends:</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data backup and off-site storage policies should be adopted and followed.</li>
<li>Implement two-factor authentication company-wide.</li>
<li>For USA readers, join and become active in your local InfraGard chapter (infragard.org); there is no charge for membership.</li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. The RedXray service is $500-1,500 a month and provides threat intelligence on ten (10) cyber threat categories, including keyloggers, without having to connect to your network.</li>
<li>The responsible BoD member can also receive these daily cyber threat notifications to ensure that he/she is informed daily of cyber threats against their organization.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p></div>Stablecoins and future US Federal Regulationshttps://redskyalliance.org/xindustry/stablecoins-and-future-us-federal-regulations2021-12-30T14:11:00.000Z2021-12-30T14:11:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}9969017887,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9969017887,RESIZE_400x{{/staticFileLink}}" width="250" alt="9969017887?profile=RESIZE_400x" /></a>A US republican senator will soon introduce a bill that, for the first time, attempts to regulate the cryptocurrency space. The bill would reportedly add investor protections, rein in Stablecoins,<a href="#_ftn1">[1]</a> which are pegged to a stated currency, and create a self-regulatory body under the jurisdiction of the US Securities and Exchange Commission and its sister agency, the Commodity Futures Trading Commission.</p>
<p>The proposal stems from a Wyoming senator who is a longtime crypto-evangelist and one of two US senators to have reportedly invested in virtual currency. Her crypto-assets reportedly total a quarter of a million dollars. In legislation she plans to introduce in early 2022, the senator intends to provide regulatory clarity on stablecoins, long the subject of congressional debate over concerns around risks and liquidity, and to define the different asset classes, while introducing additional protections to insulate investors against substantial losses, scams and potentially lax cybersecurity. She also reportedly plans to create an organization under the joint jurisdiction of the SEC and CFTC to oversee the market. This is a legislative move that, if successful, would help resolve the ongoing debate over which US regulators have authority over digital assets.</p>
<p>The same senator recently asked for bipartisan co-sponsors for the bill and encouraged constituents to contact their elected officials to back the proposal. An aide reported that the proposal "is highly detailed and fully integrates digital assets into the US financial system." The aide also confirmed that, through eight separate titles or sections, the bill will address definitions, tax requirements, consumer protection and interagency coordination as a starting point. The aide said that the bill "gives clear guidance to regulators, protects consumers through strong standards and provides mechanisms for policing bad actors. These and other policies in the legislation will guarantee that America's burgeoning digital asset industry has the room it needs to grow, while making sure consumers are protected and scammers are prosecuted."</p>
<p>As a member of the Senate Banking, Housing and Urban Affairs Committee, this senator has worked with Democratic colleagues, including senators from Virginia and Arizona, to address what several lawmakers have called deficiencies in the crypto provisions of the recently passed $1.2 trillion Infrastructure Investment and Jobs Act. The law carries a broad definition of a cryptocurrency "broker," imposing tax reporting requirements on crypto professionals, which many believe cannot be met.</p>
<p>In response, the six senators sent a letter to the US Treasury Secretary this month to address investor concerns around the reporting requirements. The lawmakers said the provision will stifle innovation at a time when clear guidance is necessary in the space. The new law, they said, captures individuals who are "solely involved with validating distributed ledger transactions through mining, staking, or other methods, and entities solely providing software or hardware solutions enabling users to maintain custody of their own digital asset wallets."</p>
<p>This legislative proposal comes as a top US Treasury Department official also said this month that financial regulators hope the US Congress will move quickly on key legislation to regulate stablecoins and their infrastructure. The comments came from the undersecretary for domestic finance at the Treasury Department, who formerly served as a top financial stability official at the Federal Reserve. She told media that legislation is needed to reduce systemic risks ranging from fraud to illicit finance.</p>
<p>In December 2021, the Senate Banking Committee held a hearing on risks related to Stablecoins. The Committee Chairman suggested that the volatility of the cryptocurrency market poses a clear risk to investors, saying market dips or crashes help make these tokens "untethered from reality." A senator from Massachusetts, who is an outspoken critic of crypto volatility, said during the hearing that decentralized finance, known as DeFi, which does not rely on traditional intermediaries and instead is built off peer-to-peer smart contracts, is "the most dangerous part of the crypto world," and one that relies on Stablecoins. Cybersecurity experts have long warned against lax security controls in DeFi protocols, which often run open-source software. The space currently houses some $103.7 billion in assets across DeFi apps, or DApps, according to DeFi Pulse.<a href="#_ftn2">[2]</a></p>
<p>In other crypto news, Visa announced it will partner with 60 cryptocurrency trading platforms and allow consumers to make purchases with digital currency at more than 80 million global merchant locations. Earlier in the month, Visa also launched a crypto advisory service, offering customers the ability to acquire advice about digital assets. Visa's head of Crypto, Cuy Sheffield, told NDTV that this move will make it easier for consumers to spend virtual currency and will "support the crypto ecosystem."</p>
<p>A principal at the firm Netenrich says the move, which comes amid wider adoption of crypto, could still pose governance, risk management and compliance challenges, as regulators continue to assess digital assets and their interaction with traditional financial institutions. "[Cryptocurrency] started as a way to get out of the banking system. … In the end, the banking system will be the ones that operate and profit [off crypto]," he noted.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers pro-active solutions to protect your networks. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.coinbase.com/learn/crypto-basics/plp-what-is-a-stablecoin/">https://www.coinbase.com/learn/crypto-basics/plp-what-is-a-stablecoin/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.bankinfosecurity.com/gop-senator-to-introduce-comprehensive-crypto-regs-bill-a-18211">https://www.bankinfosecurity.com/gop-senator-to-introduce-comprehensive-crypto-regs-bill-a-18211</a></p></div>Have I got a Deal for Youhttps://redskyalliance.org/xindustry/have-i-got-a-deal-for-you2021-09-22T19:13:37.000Z2021-09-22T19:13:37.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}9597232090,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9597232090,RESIZE_400x{{/staticFileLink}}" width="249" alt="9597232090?profile=RESIZE_400x" /></a>The US Securities and Exchange Commission has issued a new warning that fresh criminal schemes are continuing to target digital assets. Security experts say with social engineering attempts on the rise, individuals and organizations must remain vigilant against crypto-related scams or other "get rich quick" schemes.</p>
<p>In its recent bulletin, the SEC's Office of Investor Education and Advocacy and Division of Enforcement's Retail Strategy Task Force says, "Fraudsters continue to exploit the rising popularity of digital assets to lure investors into scams, often leading to devastating losses." The regulator warns users to beware of potential phishing or impersonation scams that appear to offer "something new" or "cutting edge." The SEC adds, "If you are considering a digital asset-related investment, take the time to understand how the investment works and to evaluate its risks. Look for warning signs that it may be a scam."</p>
<p>The vice president of solutions architecture at the security firm Cerberus Sentinel, warns, "Individuals and organizations both must stay on guard for any unsolicited inbound communications promising financial windfalls and requiring urgent action." Especially important, he adds, "is to identify 'trusted paths' for any legitimate funds or investment opportunities and to properly research their validity."</p>
<p>The SEC's bulletin comes after the regulator leveled charges against the now-defunct cryptocurrency platform BitConnect over alleged fraud totaling $2 billion. The SEC called the scam "one of the largest Bitcoin-related Ponzi-like schemes," alleging that defendants took approximately $2 billion worth of investors' funds through a platform featuring a "technology bot" it claimed would generate exorbitant returns. The crypto platform allegedly marketed itself through "testimonial"-style YouTube videos and other social media in multiple countries.<a href="#_ftn1">[1]</a></p>
<p>The SEC alleges that BitConnect conducted a pyramid scheme-like referral program and paid investor withdrawals out of incoming investor funds, and "did not trade investors' Bitcoin consistent with its representations."</p>
<p>In early September 2021, the US Department of Justice said BitConnect's top US promoter, Glenn Arcaro, pleaded guilty to related criminal charges. He faces up to 20 years in prison and must repay investors $24 million gained from the offense, officials say.</p>
<p>The SEC says suspicious digital asset operations often:</p>
<p>The education director for the Florida Cyber Alliance and security awareness advocate for the firm KnowBe4, says, "Cybercriminals will always find emotional lures to exploit users through social engineering. Asking yourself the question, 'Is this too good to be true?' is the first step to determine if the organization is worthwhile."</p>
<p>The director of cryptocurrency intelligence at the firm CipherTrace, warns against ongoing scams in which victims are lured by a convincing fraudster sending them direct messages on social media or through a friend's hacked account, promoting massive gains.</p>
<p>A cybersecurity evangelist for the firm Egnyte says: "Significant change [in the space] will only occur when cryptocurrency platforms become subject to the same standardized IT requirements as traditional investment platforms, and when cryptocurrency exchanges no longer represent a safe haven for payments to ransomware attackers."</p>
<p>The co-founder and chief scientist at the blockchain analytics firm Elliptic notes, "As the SEC points out, the fraudsters have started to make cryptocurrencies the focus of these [Ponzi] schemes because the value of many legitimate crypto assets has risen dramatically, and because the technology behind them can be difficult to understand - a potent combination that helps them to lure victims." He says, "there is no need for new crypto-specific regulation to address [these incidents]; regulators are already using existing laws to prosecute these fraudsters." He says over $2.5 billion in penalties have been imposed by US regulators, primarily for fraud and unregistered securities offerings.</p>
<p>But officials including Sen. Elizabeth Warren, D-Mass., continue to push for comprehensive regulation of the cryptocurrency space. In a recent interview with The New York Times, Warren likened many cryptocurrency operations to "shadow banks" that lack traditional investor protections.</p>
<p>Last week, the SEC Chairman echoed previous statements on imminent cryptocurrency regulation, telling The Financial Times that to both secure and ensure the longevity of digital assets, they must fall within a public policy framework. He has previously requested additional congressional authority to reduce investor risks in virtual currencies. Additionally, in speaking with the European Parliament's Committee on Economic and Monetary Affairs last week, he said cryptocurrencies "have no borders or boundaries. [And] absent clear investor protection obligations on these platforms, the investing public is left vulnerable," he added. "Unfortunately, this asset class has been rife with fraud, scams, and abuse in certain applications."</p>
<p>Caveat emptor: "Let the buyer beware."</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.govinfosecurity.com/sec-warns-fraudulent-cryptocurrency-schemes-a-17479?&web_view=true">https://www.govinfosecurity.com/sec-warns-fraudulent-cryptocurrency-schemes-a-17479?&web_view=true</a></p></div>Don’t Pay Fines for ‘Deficient Cybersecurity Procedures'https://redskyalliance.org/xindustry/don-t-pay-fines-for-deficient-cybersecurity-procedures2021-09-03T20:56:51.000Z2021-09-03T20:56:51.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}9531793500,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9531793500,RESIZE_400x{{/staticFileLink}}" alt="9531793500?profile=RESIZE_400x" width="250" /></a>The US Securities and Exchange Commission (SEC) sanctioned eight financial firms for alleged failures related to cybersecurity policies and procedures, each stemming from email account takeovers and related incident response, the regulator announced on 01 September 2021.<a href="#_ftn1">[1]</a></p>
<p>The sanctioned firms did not admit or deny the commission's findings, but "agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty," according to the SEC. Cumulative fines total $750,000.</p>
<p>The SEC says related email account takeovers did not appear to result in unauthorized trades or fund transfers. The commission-registered firms include five entities of the El Segundo, California-based shared services organization Cetera; two entities of the Fairfield, Iowa-based financial advisory firm Cambridge; and Seattle-based investment advisory firm KMS. Specific entities include:</p>
<ul>
<li>Cetera Advisor Networks LLC;</li>
<li>Cetera Investment Services LLC;</li>
<li>Cetera Financial Specialists LLC;</li>
<li>Cetera Advisors LLC;</li>
<li>Cetera Investment Advisers LLC;</li>
<li>Cambridge Investment Research Inc.;</li>
<li>Cambridge Investment Research Advisors Inc.;</li>
<li>KMS Financial Services Inc.</li>
</ul>
<p>According to the SEC, the Cetera entities will pay a $300,000 penalty; Cetera posted $1.92 billion in revenue in 2019, Financial Planning says. The SEC says Cambridge will pay a $250,000 penalty; in 2019, Cambridge’s revenue reached $1 billion, according to Financial Planning.</p>
<p>KMS will pay a $200,000 penalty, the SEC says. KMS revenue in 2019 came in at $119.2 million, according to InvestmentNews. A spokesperson for the SEC did not comment further on its findings. A representative for Cambridge says the firm does not comment on regulatory matters. The other financial firms could not immediately be reached for comment.</p>
<p>Order Against Cetera - The SEC says between November 2017 and June 2020, cloud-based email accounts of over 60 Cetera personnel were compromised by unauthorized third parties, resulting in the exposure of personally identifiable information of at least 4,388 customers and clients. Its order says that similar to the other sanctioned entities, accounts were taken over "via phishing, credential stuffing or other modes of attack." And "none of the compromised [Cetera] email accounts had multifactor authentication turned on," it states, despite being required "where possible" since 2018.</p>
<p>The SEC says the compromised accounts "were [not] protected in a manner consistent with the Cetera Entities' policies." The regulator says two entities sent breach notification letters to clients with "misleading language" around initial incident detection - including "template language" that inaccurately labeled the incident as "recent." In its order, the SEC alleges that the Cetera entities' policies and procedures "were not reasonably designed" to protect clients. "Cetera Entities had a significant number of security tools at their disposal that allowed them to implement controls that would mitigate these higher risks," the order alleges. "However, [it] failed to use these tools in the manner tailored to their business, exposing their customers' PII to unreasonable risk."</p>
<p>Cambridge Order - The SEC's Cambridge order alleges that between January 2018 and July 2021, cloud-based email accounts of more than 121 Cambridge representatives were "taken over by unauthorized third parties," with PII exposure of at least 2,177 customers and clients. "Although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021," the SEC states. This included the adoption of multifactor authentication, which became a requirement for cloud-based email accounts in 2021. A Cambridge spokesperson tells ISMG that "Cambridge has and does maintain a robust information security group and procedures to ensure clients' accounts are fully protected."</p>
<p>KMS Order - In its findings on KMS, the SEC says between September 2018 and December 2019, email accounts of 15 of the firm's financial advisers or their assistants were compromised by unauthorized third parties, exposing the PII of approximately 4,900 customers and clients. "KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020 and did not fully implement those additional security measures … until August 2020," the SEC states.</p>
<p>The KMS order notes, "[The firm's] incident response policy was not reasonably designed to ensure that the email account compromises were remediated in a timely manner to ensure the protection of customer PII."</p>
<p>'Must Fulfill Obligations' - Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit, says, "Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are partially implemented, especially in the face of known attacks."</p>
<p> Additionally, security experts say the SEC's actions preview future regulatory enforcement around cybersecurity.</p>
<p>John Berry, former associate regional director for the SEC’s Los Angeles office and currently a partner with the firm Munger, Tolles & Olson, adds, "These recent cases show that the SEC continues to be willing and interested in going after companies or firms that [it] believes do not have strong enough controls in place to stop cyberattacks, even if they are victims of the attacks themselves."</p>
<p>Alec Alvarado, an intelligence officer with the US Army Reserve and the threat intelligence team lead at the security firm Digital Shadows, says, "Account takeover continues to emerge as a significant problem for organizations as the exposed credential database grows. Threat actors can use brute-force tools with known exposed passwords to conduct account compromises." He adds, "[The SEC's actions] reaffirm the expectation that organizations should be following through with their claims of data protection. Following basic security practices is a good start in avoiding data loss incidents, which continue to be prevalent."</p>
<p>Similarly, Sounil Yu, a visiting fellow for the National Security Institute at George Mason University and CISO at the security firm JupiterOne, says, "The SEC actions show that they are accelerating the use of their enforcement powers to penalize those who are being lackadaisical in their cybersecurity posture. The SEC penalties signal that their patience and tolerance for inadequate cybersecurity controls is wearing thin. Companies should expect greater regulatory scrutiny from the SEC … and should be proactive in developing a robust risk management program."</p>
<p>That scrutiny also extends to the cryptocurrency space, particularly decentralized finance, which does not rely on intermediaries to conduct financial services. This week, the SEC announced it has contracted with the blockchain analytics firm AnChain.AI to monitor illicit activity involving smart contracts. Legal experts say the move previews imminent cryptocurrency regulation.</p>
<p>The cost-effective solution is available to organizations of all sizes from Red Sky Alliance. For even the largest firms, RedXray at US$500 a month or RedXray-Plus at US$1,500 a month is much less than the US$200,000-300,000 fines some of these firms are now required to pay. <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a> can help your company too. Your cyber team members can enroll online today in less than 5 minutes.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/sec-sanctions-8-firms-for-deficient-cybersecurity-procedures-a-17423">https://www.bankinfosecurity.com/sec-sanctions-8-firms-for-deficient-cybersecurity-procedures-a-17423</a></p></div>Solid Cyber Protection & Insurance, a ‘New’ Necessity?https://redskyalliance.org/xindustry/solid-cyber-protection-insurance-a-new-necessity2021-02-22T18:37:04.000Z2021-02-22T18:37:04.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}8586196658,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8586196658,RESIZE_400x{{/staticFileLink}}" width="250" alt="8586196658?profile=RESIZE_400x" /></a>With cyber-attacks ramping up since the start of the international pandemic, the need for proper cyber protection and cyber insurance coverage is taking on new meaning, alongside many other business risk factors.<a href="#_ftn1">[1]</a> With business concerns shaped by the changing priorities of the current US administration, corporate risks and vulnerabilities are closely coupled with cyber security matters. As an example, fossil fuel-energy companies and drug developers are among the most common issuers updating their risk disclosures to warn investors of potential policy changes that could harm their businesses under the current US administration, US securities filings show. At least 97 companies had updated the "risk factors" sections of their Securities and Exchange Commission filings as of last week to reflect the current US administration's arrival in office, based on a review conducted by Law360 with assistance from analytics provider Intelligize, which is owned by Law360 parent company LexisNexis. Cyber security risks are definitely among them.</p>
<p>Companies are responsible for refreshing their disclosures as business circumstances change. The arrival of a new administration or other geopolitical events often serve as a catalyst for reassessing risk factors, which are a standard part of periodic filings and initial registrations. The former US president’s election also generated a wave of new disclosures in 2017.</p>
<p>Risk disclosures satisfy an SEC mandate to educate investors, and they may provide a company a defense in the event its stock drops and shareholders sue alleging they were not adequately warned about potential hazards. The latest disclosures stem from recent annual and quarterly filings with the SEC, as well as new prospectuses.<a href="#_ftn2">[2]</a></p>
<p>Most disclosures in the current wave come from two industries: fossil fuel companies and businesses involved in health-related endeavors, mainly drug developers, medical device companies and technology firms with health insurance platforms. More than 60 energy or health-related companies combined have specifically mentioned the arrival of the new US president in their risk factors, and other industries have cautioned that a rise in corporate income taxes could affect their businesses. Some companies in distinct fields, ranging from banking and real estate to technology and cannabis, have disclosed risks particular to them.</p>
<p>Energy companies that have filed fresh risk disclosures span oil and gas producers to service providers. Their concerns regard a shift in national energy policy toward renewable power, referencing policies like the US's commitment to rejoining the Paris climate accord and related goals of reducing greenhouse gas emissions to fight climate change. Dallas-based energy services and pipeline company Enlink Midstream LLC in its annual report last week also noted Biden's support for federal limits on hydraulic fracturing and banning new leases for minerals production on federal properties. These potential developments could increase operating costs or decrease demand for natural gas, Enlink said, and are common concerns among traditional energy companies. Drilling equipment supplier Now Inc. noted that, by comparison, it benefited from Trump-era deregulation.</p>
<p>Drug-related companies are constantly concerned about health care regulations, including potential changes to Affordable Care Act coverage or stricter regulations on drug pricing. Both have been hot-button topics in Democratic and Republican administrations. Alnylam Pharmaceuticals Inc., which makes medicines to treat rare genetic diseases and central nervous system disorders, noted that the previous White House guidelines pushed for reforms that would cap certain Medicare out-of-pocket pharmacy expenses and limit pharmaceutical price increases. To the extent the current administration’s policies more resemble the Obama administration than the last administration in terms of health care and energy. </p>
<p>A new concern across many industries is the potential for higher corporate taxes. Clothing company Hanesbrands Inc. is among many companies worried about efforts to roll back parts of the Tax Cuts and Jobs Act, a 2017 bill that reduced the corporate income tax to 21%. </p>
<p>Numerous negative factors from the coronavirus pandemic have also been a recurring "risk factor." Some banks are now warning investors about policies aimed at relieving borrowers, which may have a direct effect on their bottom lines. Wisconsin-based holding company Associated Banc-Corp noted a recent US executive order (E.O.) to extend a federal eviction moratorium through 31 March 2021, as well as the president's proposal that such relief be extended until 30 September, as part of the proposed COVID-19 package. Associated Banc-Corp separately indicated that the recent E.O. has requested that federal agencies extend a moratorium on foreclosures on federally guaranteed mortgages, until at least 31 March. Banks expect to see more coronavirus-related disclosures in 2021. Companies that have many employees who transitioned to remote work may need to disclose <strong>cyber security risks</strong>. Ah, yes, work to home (WTH) cyber security RISKS, which are REAL and of grave concern. Red Sky Alliance has written and reported on this negative phenomenon for a year now. Aside from the pandemic, Associated Banc-Corp and other companies have noted that the Consumer Financial Protection Bureau, a consumer protection agency established under the Dodd-Frank Act, is expected to adopt more aggressive enforcement policies under the current US administration. </p>
<p>Home financier The Federal National Mortgage Association, or Fannie Mae, also noted in its annual report that the current administration's attempts to address climate change could lead to a transition away from carbon-intensive industries, potentially disrupting certain US regional economies and affecting the ability of borrowers in those regions to repay their mortgages.</p>
<p>Other industries have disclosed uncertainties particular to their business. Cannabis cultivator Acreage Holdings Inc. said in a recent registration statement that it is unclear whether the current US Department of Justice (DOJ), which has nominated a very liberal DC Circuit judge to serve as the new US Attorney General, will adopt an aggressive marijuana enforcement policy. Red Sky Alliance analysts have already reported on the cyber-attack on Aurora, a cannabis company and distributor. In contrast, New York-based Acreage noted the DOJ may reinstitute the Cole Memorandum, the 2013 US policy memo limiting the criminal charges that could be brought against state-legal marijuana businesses, which was in effect over four years ago. </p>
<p>Technology companies are also disclosing new risks. Cloud communications platform Twilio pointed out that during the last presidential campaign, liberals supported reimposing "net neutrality" rules governing Internet providers, which Twilio said could lessen demand for its services. California-based Twilio also noted that the current administration and liberal members of Congress want to review Section 230 of the Communications Decency Act, which protects internet companies from being held liable for what their users say online. Section 230 was also targeted by the last president, who supported its repeal.</p>
<p>More companies are expected to file their annual 10-K reports in the coming weeks. Additionally, companies filing for initial public offerings or follow-on offerings will submit registration statements. As companies reevaluate their risks, analysts predict, they should also be aware of recent changes to "risk factor" rules the SEC enacted last August, purportedly to improve usefulness and readability for investors. Those changes require companies to compile a summary of two pages or less explaining their risks if the full "risk factors" section of their SEC filing exceeds 15 pages. Companies are also being urged by the SEC to focus on "material" risks and avoid generalities applicable to any business.</p>
<p>All of the above risks and vulnerabilities are directly associated with possible cyber-attacks. Why? Because cyber criminals and state-sponsored actors read SEC filings, many of which are public documents. They are not dumb criminals or spies. They are very ingenious and resourceful. Our cool collection and analysis tool RedXray and support tool RedPane can help support standing network defenses and MSSPs, in a proactive manner, by identifying underground threats and vulnerabilities. This is often where bad cyber actors communicate. This service is an excellent complement to a network defense against any foreign or domestic cyber threat. In addition to offering cyber protection, we offer cyber insurance through Cysurance. Call for a quote. </p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings: <a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.wapacklabs.com/cyber-insurance">https://www.wapacklabs.com/cyber-insurance</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.law360.com/cybersecurity-privacy/articles/1356764/companies-beef-up-risk-disclosures-as-biden-era-begins/">https://www.law360.com/cybersecurity-privacy/articles/1356764/companies-beef-up-risk-disclosures-as-biden-era-begins/</a></p></div>