Top 8 Cybersecurity Concerns For Local Businesses

As businesses add more layers of cybersecurity to their arsenals, cybercriminals are finding new ways to attack systems, networks and devices. There is a constant stream of emerging threats that can mean trouble for companies of any size.

Why Is Data Security a Major Challenge Going Forward?

Businesses today are realizing the vast opportunities that come from leveraging, monetizing and collaborating on their collected data. That means companies need to protect their data not only from privacy breaches but also from data misuse, data manipulation and loss of intellectual property.

Data validity, for example, is one emerging area of cyberattack. Data need not be stolen to hurt a business's reputation. Instead, hackers could alter data so that it becomes invalid or inaccurate in ways that delegitimize business outcomes and partnerships.

Industries need to identify and deploy new technologies that protect data while it’s at rest and in transit. Privacy risks related to data in use are hindering the full realization of data collaboration, limiting the opportunities available to companies.

Here are 8 other cybersecurity challenges that businesses need to combat now or in the near future.

1. Chatbots at Risk

Artificially intelligent chatbots have become commonplace, helping to answer questions and guide web visitors to required information and action. Hijacked chatbots, however, could mimic existing tools to drive victims to click on links, download malicious files or share private information.

Web application flaws could also be exploited to insert malicious chatbots into sites that don’t have one.

While these intrusions will likely be text-based bots for now, speech-enabled bots could soon lead to further victimization over the phone or other voice-enabled technologies.

2. Artificial Intelligence Means Powerful Malware

The rise of AI, the Internet of Things and machine learning means more opportunities for business transformation. They also invite more smart attacks using intelligent malware. Cybersecurity providers need to develop new means of detecting these threats and training personnel to recognize and prevent them. Many of these preventative measures need to be automated to provide continuous detection and prevention.

Part of the challenge is the sophisticated tools hackers are using. Updated exploit kits, artificial intelligence and natural-language algorithms have allowed hackers to automate convincing emails. Simple processes allow for the generation of emails to millions of stolen addresses with compelling phishing attempts.

3. Data Exposure

AI-enabled applications rely on data pools to power advanced functionality, both for smaller companies and giants like Amazon and Facebook. The increasing use of data pools means more potential for developers to expose information, often customer data. This data isn't necessarily the target of a hack; instead, it is exposed and accessible to anyone who can find the vulnerabilities.

4. Cyberwarfare

Bad actors are no longer content with ransomware and phishing attempts. Technology advancements provide new opportunities for targeted and individualized attacks.

These attacks may leverage artificial intelligence to target individuals or corporations. Data integrity attacks, for example, could force organizations to completely replace computer hardware. Physical assaults could use drones and other tools.

5. Infrastructure at Risk

Nation-states will continue to wage cyber attacks on enemies with state-sponsored attacks on infrastructure. Attacks on national security, emergency communications, public health and financial systems could cripple governments and create spiraling consequences for the private sector.

Smaller conflicts could also be used as testing grounds for nation-states to assess new tactics, procedures and technologies that could be used in more significant geopolitical conflicts.

6. Data and Privacy Regulation

In 2018, the launch of GDPR, covering privacy issues for European Union citizens, forced companies to reevaluate their privacy and disclosure procedures. Similar privacy laws were approved in Canada and California. These new regulatory mandates are likely the first wave of protections that will force companies to spend more on cybersecurity, data transparency and reporting. As control of data begins to shift from institutions to individuals, companies are going to need better ways to monitor and report on compliance from multiple jurisdictions.

7. Connected Devices in the Crosshairs

With connected refrigerators, stoves, thermostats, doorbells and washing machines becoming the mainstay in many homes, the possibility of exploits is grave. Hackers will begin to identify and exploit vulnerabilities in these smart devices. Manufacturers will need to build in additional safeguards and architecture to meet growing consumer demand while keeping bad actors away.

8. Industrial Control System Risks

While there are more automated systems to allow for greater control of buildings, utilities and factories, there are inherent risks of exposure. Many of the players providing the technology in this space are new, making high-value targets all the more enticing to hackers.

Each year brings with it new technical innovations sure to drive better business outcomes. At the same time, hackers will find more sophisticated means to create more effective intrusions.

San Diego School District Data Breach Strikes Over 500,000 Students

This Happened In San Diego!

In October of 2018, the San Diego Unified School District in California — the state’s second-largest school district — became aware of a severe data breach. As of now, the hackers are unknown, but officials are aware that through criminal means, the hackers were able to obtain the full names, addresses, and Social Security numbers of hundreds of thousands of students and staff at the San Diego Unified School District.

What Caused the Data Breach?

Officials investigating the San Diego school district data breach know that the breach was caused by a phishing scam. They are unaware of exactly when or how the phishing scam occurred, but in some way, hackers were able to obtain access to internal programs and systems in the school district (using a legitimate student or teacher’s login), and from there, they accessed and downloaded the personal information of over 500,000 students and staff members.

What Is a Phishing Attack?

A phishing attack or phishing scam is an illegally engineered attack that aims to obtain personal user data by fooling the target. A hacker will usually find out about an account that a target or user group has.

For example, Hacker A might know that their target (an innocent civilian) has an account with Happy Bank in Smithsville. Hacker A will then create an email that looks almost exactly like a real email that would be sent out from Happy Bank. The email will be directed to the name of the target and say something like, “Hi, you need to update your account with Happy Bank. Please login using the following link.”

If the target decides to follow through with the email, they will likely click on the link provided, which will take them to a site that looks almost like the real site of Happy Bank. They will log in using their personal user data (email address or username and password), and probably after that, they will encounter some sort of error message.

By this time, the hackers will already have the user data or personal login information they need from the target. This user data is generally not the endgame for hackers, however.

This user data will merely be used by the hackers to access portals of a larger institution. Although some hackers may use personal login information for a bank, for example, only to steal funds from that person’s bank accounts, other hackers will take things to the next level and attempt to gain broader access and more personal and financial information. Sometimes, these tactics help hackers steal money directly; other times, hackers hold information ransom, extort cash with it, or blackmail individuals or companies by leveraging things they know about them.

And remember that the Happy Bank example is just one example of a phishing email scam. Phishing emails and scams can come in many forms, and there are also phishing phone calls that can trip up many people and cause them to divulge personal and financial information willingly.

When Did the Security Breach Happen?

Unfortunately, as of now, the school district does not know exactly when the breach happened. Spokespeople for the school district say that the hack could have occurred anywhere between January 2001 and November 2018 (although the school district did not become fully aware of the breach until October 2018).

This is often the case with phishing attacks. Hackers first need to obtain access to a sensitive information system. To do this, they need login emails and passwords, and phishing emails are the ideal way to obtain this information.

What Information Were the Hackers Able to Obtain?

The San Diego Unified School District is the second largest school district in the state of California and currently serves over 121,000 students.

In this data breach, hackers were able to obtain a large amount of personal information from hundreds of thousands of students in the San Diego Unified School District. Select staff members were affected by the security breach as well, and of those affected, some were even students and staff going back to the 2008-2009 school year. Approximately 50 district employees had their login information taken or compromised.

According to officials, here is some of the additional information that was taken by hackers:

  • Staff and full student names, Social Security numbers, addresses, email addresses, personal information, and ID numbers
  • Emergency contact information from students and faculty, including full names, addresses, phone numbers, and email addresses, and employment information
  • Benefits information for staff members
  • Compensation and payroll information for staff members, including deduction and tax information, financial institution information (account numbers and routing numbers), and salary and paycheck information
  • Enrollment information about students, including their schedules, any legal notices, and transfer data on file, records of attendance, and health data
  • State ID numbers from staff and students

All of the staff members, district employees, and students who were affected by this data breach were notified. Accounts were reset, and cybersecurity measures are being taken to prevent any additional breaches of data at the San Diego Unified School District.

How Can You Protect Your Business From Phishing Scams?

Phishing scams are the most notable (and unfortunately, the most effective) modern-day swindle in existence. Whether you own a business, manage or run an organization, or simply want to protect yourself and your family members from hackers, it is essential to learn about phishing emails and how to prevent them.

According to the VP of product management and strategy at Tripwire, Tim Erlin, “The best way to counter this technique … is to have complete and comprehensive logs from all systems.”

It is also vital that everyone in your business knows about phishing emails and how to spot them. Never click on emails or links that look suspicious or slightly “off.” If you are asked to go directly to a website to login via a link in an email, avoid doing so, and instead go directly to the website on your own to log in. Check your messages there for whatever was referenced in the email, or give the institution a call directly to inquire about the email.
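The kind of review that complete logs make possible, sketched as an added example (it is not from the original article or from Tripwire): it flags an account that logs in from an address never seen for it before and then reads an unusually large number of records. The log format, account names, addresses and thresholds are constructed assumptions.

```python
"""Flag accounts whose login from a never-before-seen address is followed
by bulk record reads. Log format and all sample values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, account, source IP, event, records read.
SAMPLE_LOG = """\
2018-10-01T08:02:11 teacher01 10.20.1.15 LOGIN 0
2018-10-01T08:05:40 teacher01 10.20.1.15 READ 32
2018-10-02T08:01:09 teacher01 10.20.1.15 LOGIN 0
2018-10-02T08:10:27 teacher01 10.20.1.15 READ 28
2018-10-02T09:15:00 clerk07 10.20.3.44 LOGIN 0
2018-10-02T09:20:00 clerk07 10.20.3.44 READ 45
2018-10-03T02:14:55 teacher01 203.0.113.77 LOGIN 0
2018-10-03T02:16:03 teacher01 203.0.113.77 READ 5000
2018-10-03T02:31:47 teacher01 203.0.113.77 READ 7500
2018-10-03T09:00:12 clerk07 10.20.3.44 LOGIN 0
2018-10-03T09:04:30 clerk07 10.20.3.44 READ 51
malformed line that a real log will eventually contain
"""


def parse(text):
    """Yield (time, user, ip, event, count) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            count = int(parts[4])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3], count


def find_suspicious_sessions(text, read_threshold=1000,
                             window=timedelta(hours=1)):
    """Return sessions that start from a new source IP and read at least
    `read_threshold` records within `window` of that login."""
    known_ips = defaultdict(set)  # account -> source IPs seen at earlier logins
    sessions = {}                 # (account, ip) -> session started from a new IP

    for ts, user, ip, event, count in sorted(parse(text)):
        if event == "LOGIN":
            # The first login ever seen for an account only sets the baseline.
            if known_ips[user] and ip not in known_ips[user]:
                sessions[(user, ip)] = {
                    "user": user, "ip": ip, "login": ts, "records": 0,
                }
            known_ips[user].add(ip)
        elif event == "READ":
            session = sessions.get((user, ip))
            if session and ts - session["login"] <= window:
                session["records"] += count

    return [s for s in sessions.values() if s["records"] >= read_threshold]


if __name__ == "__main__":
    for alert in find_suspicious_sessions(SAMPLE_LOG):
        print(f"{alert['user']} logged in from new address {alert['ip']} at "
              f"{alert['login']} and read {alert['records']} records")
```

The check only works if login and data-access events from every system land in one place with consistent account names, which is the practical meaning of complete and comprehensive logs.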

Finally, if you own a business or run an organization, always employ the professional services of a high-end IT services provider who specializes in cybersecurity. They will put into place some strong security measures that will help you prevent any sort of security breach, including phishing scam breaches.

2019 Accountant’s Guide to Preventing Technology Headaches

Downtime, compromised data, security breaches, and slow-running technology cause big headaches for today’s accountants. After all, you need your technology, and when it’s not working, every hour that goes by costs your firm money.

You can’t afford to sit idle—when your technology doesn’t work, neither do you. If your competitors use more efficient IT solutions, they’ll blow right past you and take your clients away. Or worse, your reputation will suffer.

Technology helps you carry out essential tasks, exercise professional judgment, engage with clients, provide advice, and settle tax issues. If you view technology as an opportunity rather than a threat, your firm will prosper and reap the rewards of your efforts. If you don’t, you’ll fall behind the competition.

You use technology now more than ever—at least, you should. Today’s technology is invaluable, and with time it will become even more so. In the past, the accounting profession lagged behind others in the adoption of new technology. They relied on paper-based filing and printed accounting forms that were time-consuming to process.

Accounting firms like yours have now embraced new technology. Just like other businesses, you need to streamline your services to save time and process accounting information. With modern technology like cloud-hosted accounting software, you and your clients can access data directly and simultaneously. The days of shuffling papers back and forth are over.

However, along with technology-provided benefits come some challenges.

Failed backups, slow-running email, application problems, and operating-system crashes create headaches that set up barriers to your success.

Downtime is a threat—it results in a significant loss of productivity. You can’t afford to be faced with server failures, poor systems performance, accidental file deletions, or software application crashes. Without access to your data, you and your employees can’t do your jobs. Money goes out the window, and you can’t meet your filing deadlines.

Data security is another issue that can cause significant headaches. Client confidentiality is your most important duty. But with hackers and intruders who want to infiltrate your technology for their own financial gain, your technology landscape is like a minefield unless it’s adequately protected.

As a Chartered Accountant, you are governed by Rules of Professional Conduct that always have and will continue to guarantee the privacy and confidentiality of your clients’ personal information. If their financial data is stolen, you’ll face penalties, fines, and possibly civil prosecution. You can’t take that chance.

THE ANSWER IS TO CONTRACT WITH THE RIGHT IT SERVICES PROVIDER.

To prevent IT headaches, you need service and support from an IT provider who understands the Line of Business (LOB) applications you use including your financial preparation and planning software and billing systems that keep your operations efficient.

The right provider can ensure these seamlessly incorporate with other applications you use like Microsoft Office or Office 365. When you have access to expertise from an IT Service Provider who truly understands your needs, you can effectively leverage these powerful tools.

Look for an IT Service Provider who has been serving the needs of accounting firms and corporate accounting departments for years. The best choice is one who can cover a broad range of technology requirements through both professional services and Managed IT Services and who can grasp the complexities your accounting firm faces.

They should be able to help you avoid IT headaches when automating routine accounting processes, sharing financial files, deploying mobility solutions, and capitalizing on tools like electronic filing.

Your accounting practice requires a complete technology management solution including data protection and proactive monitoring of all critical functions on your network, servers, and workstations. Plus, you should insist upon a fixed-cost solution with predictable budgeting. Just as your accountants are committed to your clients’ success, your IT Service Provider must be dedicated to making you successful and view themselves as an extension of your practice.

Your IT Service Provider should be adept with:

  • Cloud Technologies that improve your productivity, efficiency, and security
    With cloud solutions, you can eliminate the cost of paper and the hassle of sifting through files, store massive amounts of information (Big Data), share important files in real time and secure your clients’ information offsite in high-security data centres.
  • Accounting Practice Management Software that helps you run day-to-day operations including the centralization of client data, tracking due dates, staffing, workflow management, automated billing, and time tracking
  • Tax Preparation and Filing Software designed explicitly for accounting firms, so you can analyze different income tax scenarios and have access to the reporting tools you need for fast, easy reconciliation

THE WORST HEADACHES RESULT FROM IT SECURITY BREACHES.

Data breaches are increasing exponentially. Cyber mafias have set up in towns like yours, operating from legitimate-looking offices. Hackers are no longer kids in their parents’ basements working on a few computers. Cybercrime is an international and sophisticated business with cartels operating around the globe.

Your data is valuable, and your accounting firm is a target. You need the expertise of an IT Service Provider who stays up to date on the latest threats. It’s imperative that you protect client information. But IT security best practices change so rapidly that accounting firms often find themselves falling behind the curve. If you do, your firm is at risk of viruses, network vulnerabilities, and data breaches. This results in more than a headache; now, you’re looking at a migraine.

Criminals have many ways of stealing your data.

Internet Exploits

Your employees use connected devices to interact with, track, monitor, and simplify just about every area of their work and personal lives. However, these technologies also provide access to sensitive, confidential information and present a wide variety of new security issues for attackers to exploit.

Third-Party Attacks

Cybercriminals have learned that contractors and other third-party providers aren’t as secure as large vendors, and lower security provides a pathway into otherwise-secure networks. Examine who can connect to your network and access confidential information, even if you believe appropriate security measures are in place.

Social Media Attacks

Social media presents two main security headaches:

  1. A website you visit or service you use can be infected with malware that spreads until your network is ripe for a data breach. Malicious social media content is expected to grow 400 percent as attackers continue to distribute their malware and steal client data.
  2. A determined hacker or team can scrape social media sites to assemble a surprising amount of personal data very quickly. This data can be used to engineer an attack.

Social Engineering Attacks

Human nature is easily the weakest link in any security chain. Was that really a utility-company employee you held the door for this morning? Are your office painters propping open a secure entrance to make their task more manageable? Did your receptionist just give all your passwords and hers to someone who called claiming to be from tech support on another floor? Will your colleague’s curiosity cause him or her to insert the USB key “found” in the parking lot into a computer connected to your systems?

Mobile Malware Threats

Security experts have been warning us about mobile malware threats for a long time, and users have grown immune to these warnings. Mobile-device use is increasing, as is the sophistication of attacks. At the risk of being the boy who cried, “Wolf,” every year a major mobile malware attack is more likely to occur. Attackers typically go after the largest number of potential victims. So, they will target mobile devices, specifically Android and jailbroken iOS devices.

Sophisticated DDoS Attacks

Distributed Denial-of-Service attacks don’t directly steal your information. Instead, they overwhelm your site or service with so much traffic that it prevents legitimate users from connecting. These attacks have evolved beyond simple flooding of traffic. They probe and then morph, based on the defences in place on your network. Such advanced and sophisticated attacks can seriously impair your accounting firm’s operations.

TO PREVENT THESE SECURITY HEADACHES, YOU NEED A SECURITY PLATFORM WITH REMOTE-ACCESS MONITORING AND RELIABLE BACKUP AND DISASTER-RECOVERY SOLUTIONS.

Be sure your IT Service Provider implements innovative, up-to-date security measures to protect your accounting firm against intruders, malware threats, and disasters. And ensure they can do the following things:

Ensure:

  • You comply with accounting and confidentiality requirements when using technology.
  • You use appropriate technical means to minimize the risks of disclosure, discovery, or interception of communications.
  • Data and email are encrypted to protect your sensitive information.
  • You adopt management practices that offer protection against disclosure or discovery of electronically transmitted messages.

Prevent:

  • Unauthorized access to your electronic data
  • Computer viruses from damaging your data
  • Natural or manmade disasters from affecting your IT operations

Confirm:

  • Your files are reliably backed up and recoverable.
  • Both offsite and onsite data backups are maintained.
  • Data is restorable by performing ongoing testing.

Provide:

  • Systems Analysis
  • Mobile Device Management
  • Up-to-Date Security Solutions
  • User Support and Training

Your IT Service Provider should implement a security platform with multiple layers of protection, with 24/7 remote monitoring to detect infections and intrusions, and block them before they get in and steal or hold your data hostage. Many accounting firms are unaware that this goes on. Your IT provider will keep you informed and train your staff to recognize threats, so you know what to do if one comes across your computer screen.

Your most basic security solution should include barriers with virus and malware detection at the firewall level and DNS (Domain Name System) controls to ensure your users don’t visit hijacked websites. Your employees should also use two-factor authentication to prevent criminals from getting into your network.

Nothing is more important than protecting the information on your network and the peace of mind that comes from knowing you can fully recover if a disaster hits your firm. Your IT provider must ensure your business continuity and disaster recovery solutions will meet your objectives and must implement a robust backup and secure off-site replication solution.

While computer systems can easily be replaced, the intellectual property and sensitive information stored on those systems cannot. Computer hard drives can fail, laptops can be stolen or lost, and data can be erased due to human error or viruses. It’s important for your accounting firm to have a backup system to keep data safe and avoid data loss.

Ask your IT Service Provider if they employ system virtualization and a private cloud with a fully redundant system that can be replicated across multiple data centres. If your data is compromised or damaged, a new clone of your system and data can be spun up with a new, fresh image in a matter of seconds.

Be sure your IT provider uses an Intrusion Detection System. This will catch anything that may have bypassed your firewall. It can be used either to find a break-in attempt in progress or to detect one after the fact. In the latter case, it’s too late to prevent any damage, but at least you’ll be aware of the problem.

If an intruder gets into your system, the first thing they typically do is install a “rootkit.” A rootkit is a script or set of scripts that can make changes to your IT system and hide in common system utilities. They function in the background without your knowing they are there. Criminals can easily obtain these on the Internet. This is one reason you must have reliable backups of your entire IT system. If rootkits are discovered, you’ll need to re-install your system and data and start over from scratch.

Your mobile devices also require monitoring and management. If a phone or laptop is stolen, you must be able to remotely wipe your confidential data. Mobile Device Management also prevents disgruntled employees from leaving with your confidential or proprietary data.

Your IT Service Provider should also employ encryption to protect your confidential data. They should encrypt both your emails and data files to ensure the security of information. Encryption can protect your data at rest, such as on laptops or portable servers, as well as data in motion, such as over wireless networks or the Internet.

One of the most overlooked security aspects in accounting firms is the creation and retention of policies regarding email and data. You are accountable for instituting and employing a strategy that details how long your client data and emails will be stored before they are deleted. Ensure your IT provider can implement automated solutions to handle this.

IN CONCLUSION

You understand the unique challenges and technology demands your accounting firm faces. Whether your IT headaches come from the security risks of handling and storing confidential information or the difficulties of keeping up with new, innovative Line of Business Solutions, you need an IT Service Provider who can ease your struggles and your IT headaches.

SCAM ALERT: Google Play Gift Cards

Google Play Gift Cards

If there’s a will, there’s a way when it comes to scammers, especially with gift cards. Everyone loves gift cards. Consumers love how easy it is to purchase gift cards, use gift cards and even give gift cards. It’s as simple as buying a card at a brick-and-mortar store or clicking a few buttons and almost instantly having the funds needed to play. Scammers love gift cards too. Gift cards can be activated and spent immediately by these scammers, even before the owner of the card knows what happened.

Google Play gift cards are targets right now. Scammers love how easy they are to steal, so consumers need to stay one step ahead of these online crooks. Here’s one of the latest Google Play gift card scams making the rounds on the internet.

Scam Alert: Currently there is an email scam in which thieves, posing as someone the recipient knows, are phishing for personal, financial, and other private information. This includes requests for Google Play Gift Cards. For example, the message will read, “I need you to pick up a couple of gift cards. Can you make this happen? The type of gift card I need is Google Play gift cards. I need 4 cards in $500 denominations…scratch the back of the card to reveal the card codes and email me the gift card codes.”

Take away: Never provide any personal information, including gift card codes like Google Play, in an email. Even when it seems the information is going to a trusted source, it could be a scam.

New Distracted Driving Laws In Ontario – You Better Read This!

Ontario's New Distracted Driving Laws

You are driving along and you glance down at your smartwatch. Imagine the horror of it when you hear the sirens wail directly afterward — but you think that can’t be for you: you were not driving over the speed limit. But it can be for you. The police saw you glance at your smartphone, and now you are facing potential license suspension.

It’s here: stricter distracted driving rules in Ontario have the potential to be quite devastating. Here’s what you should know about the new law that took effect on January 1, 2019.

What is the new distracted driving law in Ontario?

The new distracted driving law in Ontario is not necessarily new in the sense of what is considered distracted driving, but new in terms of beefed up penalties. If an officer suspects that you are driving while distracted, then you can be pulled over and cited. The police, however, cannot seize your driver’s license on the roadside. Your case will go before a judge, and upon conviction, you will have your license suspended as well as be subject to fines and demerit points.

What actions are considered distractions according to the new law in Ontario?

When we think of distractions associated with a distracted driving law, we most often think of our smartphones, but there are many other distractions that can result in a conviction. In fact, anything that causes a driver to be less focused on the road is a distraction to driving. The list of distractions according to Ontario’s Ministry of Transportation includes the following activities:

  • Holding an electronic device — like a smartphone, iPad, tablet, iPod, or another device;
  • Using an electronic device to text, talk, send posts on social media outlets, type in addresses into the GPS or look at maps or control playlists;
  • Eating; and/or
  • Reading books or documents.

Further, if you think you can be safe using your electronics at a traffic light or any other time while in stopped traffic, you are wrong. It is not permitted according to this law to use your electronic devices while stopped. You can, however, use the following:

  • A hands-free electronic device that utilizes technology like Bluetooth and requires you to only turn it on or off; or
  • A mounted electronic device — whether it’s a phone or GPS system — so long as it is secure and does not move while you are driving.

The only exception to the new law is if you need to contact emergency personnel, like the police, fire department, or medical professionals.

What are the new penalties for distracted driving in Ontario?

Distracted driving has already been an offense in Ontario, but the new law strengthens the penalties to make it more of a deterrent than what it had been. Penalties vary according to the conviction: whether or not you have any prior distracted driving offenses. Plus, aside from the penalties, you can expect your auto insurance rates to increase dramatically. The stakes, therefore, have just multiplied with this new law.

First Distracted Driving Conviction Penalties

For a first distracted driving offense, you can expect the following penalties:

  • A fine of up to $1,000
  • Three (3) demerit points
  • A three (3) day driver’s license suspension, unless you have a graduated license, like a G1- or G2, then the license suspension is for 30 days.

Second Distracted Driving Conviction Penalties

For a second distracted driving offense within five years, you can expect the penalties to double:

  • A fine of up to $2,000
  • Six (6) demerit points
  • A seven (7) day license suspension, unless you are a G1- or G2-license holder, then the license suspension is for 90 days.

Third Distracted Driving Conviction Penalties

For a third distracted driving offense within five years, the penalties increase progressively, and include:

  • A fine of up to $3,000
  • Six (6) demerit points
  • A thirty (30) day driver’s license suspension, unless you are a G1- or G2-license holder, then your license could be canceled — and it can be difficult to get the license back.

Subsequent Distracted Driving Conviction Penalties

For each new conviction, fines and driver’s license suspensions increase. If you become a repeat offender, you could potentially be looking at a driver’s license suspension of up to two (2) years and fines of up to $50,000.

What to Do When Driving on the Roads in Ontario

There is a reason behind the new law and that is safety. The following are some statistics provided by CAA that you should keep in mind:

  • “Drivers engaged in visual-manual interactions with cell phones (e.g., texting) are up to eight times as likely to be involved in a crash.” (AAA, 2017)
  • Twenty-seven percent “of fatal crashes in BC was due to distraction. Police across Canada say that distracted driving has caused more collisions than impaired drivers.” (ICBC, 2016)
  • Thirty-three percent “of Canadians admit they have texted while stopped at a red light, despite believing it is unacceptable.” (CAA, 2016)

These are serious statistics. The obvious way to prevent the above from happening and from you obtaining a distracted driving citation and subsequent conviction in Ontario is simple: don’t use your electronic devices while driving, but also, don’t eat, read, or write, or even groom yourself by putting on makeup or brushing your hair. Refraining from these activities can help bring down the above statistics and can help make our roads safer.

What Are The Top Cybersecurity Predictions For 2019?

Cybersecurity 2019

There was something of a cultural shift in the technology sector during 2018 that will undoubtedly impact 2019. Up until last year, cybersecurity issues seemed to predominately plague significant corporations and organizations. The Democratic National Committee hack fallout and Russian bots on Facebook were coupled with big-time breaches at Equifax and others that garnered headlines. Even the recent reports coming out of U.S. intelligence agencies point to enemy states such as China and Iran stealing American intellectual property.

Cyber threats ramped up in 2018 and the World Economic Forum ranked technology breaches as a top risk to economies worldwide.

“Attacks are increasing, both in prevalence and disruptive potential. Cyber breaches recorded by businesses have almost doubled in five years, from 68 per business in 2012 to 130 per business in 2017,” the Forum reported.

Consider for a moment that climate change and severe weather events such as hurricanes and tsunamis were also listed. That should put the danger in context for any business leader. And that’s why the mainstream perception about breaches has shifted significantly.

These days, small and mid-sized companies recognize that their personal information and critical data are targeted at a much higher rate than Fortune 500 outfits and national-level organizations. Ransomware has emerged as an almost routine method to extort money, and now fraud from crypto-mining is trending high. Business owners and decision-makers are prioritizing cybersecurity because the stakes are just too high. Cyber threats are likely to escalate during 2019, and these are some dire predictions.

1: Strict Data Breach Fines

Last year, regulations such as the California Consumer Privacy Act implemented harsh penalties for companies that fail to protect personal employee data. The conventional wisdom is that businesses and non-profit organizations alike have a responsibility to safeguard the information they ask of team members.

Cyber attacks that penetrated Uber, for example, reportedly resulted in the transportation organization settling out of court to the tune of $148 million as a result of a 2016 breach. Leading online companies such as Facebook and Equifax have been under fire and they both reportedly were fined a maximum penalty of £500,000 in the UK.

Currently, Google, British Airways and Facebook once again are under government scrutiny for cybersecurity failures and hefty fines could be coming. While this may not seem like a direct and discernible danger to small and mid-level outfits, think again. Although household-name organizations make headlines, everyday companies can expect to get hit with penalties for lack of cybersecurity as well. The moment a company asks employees to provide personal information, that organization becomes responsible for protecting it.

2: Rise of the Machines

The days of a rogue hacker halfway around the world infiltrating a system are expected to evolve into artificial intelligence (AI) cyber attacks. If this sounds a lot like the sci-fi “Terminator” movie franchise, that’s not far from the truth.

Hackers are expected to deploy machines under their control to more rapidly and covertly penetrate business systems and cull valuable information. But beyond mining, these human-controlled devices will increasingly have the ability to impact the lives of everyday people.

Consider that the IoT continues to create an accessible matrix that can be manipulated. Autonomous vehicles, smart-home technology, and even friendly Alexa are being woven into the fabric of human lives. This opens the door for hacker-driven AI to penetrate lives outside of the workplace. The necessity of cybersecurity in our personal lives is expected to grow exponentially going forward.

3: Governments Expected to Ramp Up Cyber Weapons

The mainstream media has been brushing up against the subject of enemy states attacking infrastructure such as power grids. It goes without saying that governments across the world are not sitting idly by as others hone their hacking talents.

From voting booths to water supplies, governments around the world are expected to meddle more and more in each other’s affairs. When someone loses, expect malware, ransomware and debilitating viruses to be unleashed.

While your small or mid-sized company may not be the target of a rogue state attack, it could end up being collateral damage. Don’t be taken by surprise: secure your company and personal data before the first wave hits.

4: Email Expected to Remain Top Data Breach Vehicle

Criminal hackers view email as the gift that keeps on giving. New hires tend to need time to understand the protection protocols around email usage. And, too many outfits lack adequate policies or fail to update usernames and passwords effectively. Employee email has ranked among the most vulnerable backdoors into an organization’s sensitive data and the best way to deploy ransomware.

Even though cybersecurity and IT teams warn decision-makers about the dangers of sub-par email protections, email is expected to remain a primary threat in 2019. Everyday companies cannot take email security seriously enough in 2019.

5: Tougher Laws and Regulations Expected

The 2018 U.S. congressional hearings that involved Facebook, Google and others demonstrated that lawmakers recognize that cyber threats are prevalent and current regulations appear inadequate. Intellectual property and critical data are now outpacing oil in value.

In the U.S., states are creating more stringent laws to deal with hacking. The federal government and countries abroad are also wrestling with policies to manage cyber threats. It’s essential for small and mid-sized outfits to follow the trend and communicate with lawmakers at the local, state and federal level. The laws that come out of cybersecurity hearings are likely to impact the business community in a significant fashion.

Should Your Business Upgrade Its Website To WordPress 5.0.2

Should You Upgrade Your WordPress Site To 5.0.2

Only a few short weeks ago, we wrote about the introduction of WordPress 5.0 in early December and discussed whether or not your company should upgrade now, never or at a later date. Our recommendation was to wait until some of the bugs had been worked out of the system and until your business has a slow time of year to ramp up to the new way of posting with this new update. It seems that we were on the right track since WordPress has just made WordPress 5.0.2 available to the public, a maintenance release that addresses 73 known bugs associated with WordPress 5.0.

What is WordPress 5.0.2?

WordPress 5.0.2 seeks to address some of the problems that users have been having with the new WordPress 5.0 release. Most of these issues are associated with the block editor feature. Unlike previous WordPress releases, 5.0 is a WYSIWYG editor and requires no HTML or coding knowledge. According to WordPress, the new maintenance release increases the posting speed by 330 percent (for a post with 200 blocks). It also includes 45 block editor improvements, fixes 17 known block editor bugs and addresses some internationalization issues. You can view a complete list of the problems discussed with 5.0.2 on the WordPress website.

Should we upgrade to WordPress 5.0.2?

Our original opinion on whether to upgrade to WordPress 5.0 now or wait still stands. We still feel it’s prudent to wait, since many businesses are otherwise occupied with end-of-the-year tasks in December and January and a radical revamping like 5.0 is likely to have a few growing pains. Also, 5.0 uses Gutenberg, which is not compatible with many WordPress plug-ins. As with any upgrade, we also recommend backing up all of your WordPress files before you download WordPress 5.0.

However, if you have already upgraded to WordPress 5.0, it is a good idea to go ahead and download the 5.0.2 maintenance release. This is likely to make your WordPress experience less troublesome and less time-consuming. To upgrade to WordPress 5.0.2, download WordPress 5.0.2 or go to your WordPress dashboard, go to Updates and click Update Now. In fact, you may already have the new maintenance release. Websites that support automatic background updates have already started to update automatically.

To learn more about using WordPress, deciding whether WordPress 5.0.2 is the right choice for you and your company, and to learn ways to make your website more efficient for both you and your readers, contact Ulistic.com or call us at (enter contact info). We can also help you with backing up your data before your upgrade.

South Carolina Insurers Must Protect Client Data

South Carolina Insurance

In April of 2018, South Carolina became the first state in the nation to require insurance companies to establish data security standards to protect consumers from the consequences of cyber attacks. The legislation, named the Insurance Data Security Act, also put requirements in place for how insurance companies must investigate cybersecurity attacks. South Carolina insurance carriers have until July of 2019 to fully implement the Insurance Data Security Act. The law officially went into effect on January 1, 2019.

State legislators drafted and passed this new law in response to a series of recent attacks in the insurance industry that exposed the private demographic and financial data of millions of Americans. The 2015 attack on the insurance giant Anthem appears to be the most significant catalyst for initiating and enforcing the new regulations.

What the Insurance Data Security Act Means for South Carolina Insurers

Under the provisions of the new security act, insurance companies, agents, and all other licensed entities that conduct business in South Carolina must establish a comprehensive security program and put it in writing by July 1, 2019. As quoted from state legislation, the new security program must be “commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including the use of third-party service providers, and the sensitivity of the nonpublic information” within the control, possession, or use of the licensee.

Additionally, South Carolina insurers must base the company’s cybersecurity program on an individual assessment of risk. Based on these results, the licensee must design an information security program that reduces these risks as much as possible, with the stated goal of completely eliminating them. It is the responsibility of each insurance licensee to determine appropriate measures related to the following:

  • Access controls
  • Cybersecurity event audit trails
  • Data
  • Device
  • Encryption of nonpublic information at rest on removable data and mobile devices
  • Encryption of nonpublic information in transit
  • Multi-factor authentication
  • Personnel inventories and mapping
  • Physical access restrictions
  • Routine system testing and monitoring
  • Secure application development practices
  • Secure disposal of all nonpublic information
  • Systems upgrades

This is a significant undertaking for insurance companies and agents in South Carolina to achieve in the next six months. Many will find that they need to reach out to information technology specialists to help them come into compliance in the time required under state law.

Requirements for Insurance Company Director Boards

The Insurance Data Security Act not only imposes what insurers must do to implement a plan to safeguard consumer privacy, but it also dictates required actions for people with specific roles within the company. For example, the board of directors of each insurance company in South Carolina is personally responsible for supervising the development and implementation of the new cybersecurity program. Supervising duties of the board also include issuing a directive to senior management to produce an annual written report that contains the following information:

  • A high-level overview of the cybersecurity program status and whether each agent or licensee appears to be in full compliance with the new program.
  • All material matters to include individual cybersecurity events and the response to each, risk assessments, risk management decisions and controls, service provider arrangements with third parties, and results of all testing. Most importantly, senior management must recommend specific changes to the program in response to any ongoing issues they have observed that have posed a challenge to compliance.

It is crucial to the success of the new cybersecurity program that board members and senior officials with South Carolina insurance companies take their role seriously. This is the only way to ensure successful implementation of the program as well as address any early compliance concerns.

Specific Licensee Requirements under the Insurance Data Security Act

The act also spells out highly specific responsibilities for insurance licensees. For example, every licensee in the state should have produced a written document outlining a plan on how to respond to and recover from a cyber attack. This covers attacks that threaten the security of any nonpublic information that the licensee retains on his or her person or within the company’s computer information systems. These plans were due by January 1, 2019, and must contain all of the following information:

  • The process of internal response to a cyber attack
  • Specific goals for the prevention and response plan
  • An outline of the specific responsibilities and roles of each person who has the authority to make cybersecurity decisions
  • Internal and external communication and sharing of information
  • Requirements for remediation
  • Detailed documentation of any recent cyber attacks, including each step of the response
  • Any revisions made to the plan since its original creation date or any anticipated future changes

The new law gives licensees until July 1, 2020, to create and implement a cybersecurity program with a third-party service provider. The expectation is for licensees to choose the provider using due diligence. It is the responsibility of licensees to ensure that the new service provider possesses the ability to offer administrative, physical, and technical support as required under the provisions of the cybersecurity act. This is necessary to ensure that third-party service providers protect computer systems as well as all nonpublic customer information.

Finally, the licensee must regularly monitor the work of the service provider to ensure compliance. Upon discovery of any issues, the licensee must initiate adjustments to the agreement between the two companies. The new law makes it incumbent upon every insurer in South Carolina to provide an annual compliance certification as well.

Protocol for the Investigation, Response, and Disclosure of Cybersecurity Attacks

Insurance companies, along with agents and licensees, now have only three business days after a discovery to investigate and report the events surrounding a cyber attack or event. The definition of a cyber event includes any action that resulted in an unauthorized person gaining access to nonpublic information. The purpose of the cyber attack is to disrupt computer systems to make it possible to obtain and misuse the information stored inside of them. The definition does not include any data that a cybercriminal destroyed or returned.

The Insurance Data Security Act includes a somewhat vague definition for what qualifies as nonpublic information. For example, protected data includes anything that usually receives protection under existing laws for data breach notification. However, it does not define the specific types of data.

Other information protected under this new act includes any business data that demonstrates proof of unlawful tampering by an insurance licensee. This consists of any unauthorized disclosure of information, use, or access that demonstrates the licensee attempted to manipulate data for the benefit of the insurance business.

Once a licensee has determined that a legitimate cyber event occurred, it is up to him or her to initiate an immediate investigation. The investigation must include each of the following elements:

  • Determining whether the incident meets the legal definition of cyber event
  • Researching the facts regarding the event
  • Determining whether a cybercriminal obtained any nonpublic data and identifying the customers impacted
  • Promptly restoring any vulnerabilities that caused the breach of data

Both insurance licensees and third-party service providers must retain a record of all cyber events for a minimum of five years. They must also produce the record promptly when any authorized party requests to see it.

Regarding disclosure of cyber events, a licensee must notify the Director of the Department of Insurance within 72 hours of resolving the issue. This requirement covers all insurance businesses licensed in South Carolina. Additionally, the act requires licensees to notify other government agencies or insurance supervisory boards if the data breach involved more than 250 state residents or a reasonable likelihood of widespread harm exists. The notification to the government agency or insurance supervisory board should include the following information at a minimum:

  • The date and specific details of the cyber event
  • The methods used to discover the issue
  • The types of nonpublic data compromised
  • Whether the licensee notified law enforcement, and if so, the date this occurred
  • The intended steps of remediation
  • A valid copy of the most recent privacy policy of the licensee
  • The specific plan for investigation and notification of consumers

Other States Expect to Follow Suit

South Carolina has taken a significant step toward consumer protection by implementing this law as of January 1, 2019. Several other state legislatures are currently considering the same or a similar act, so it should come as no surprise to consumers and those in the insurance industry to see widespread adoption in the future. Even industries outside of insurance may look to the act to determine its usefulness when adapted to that specific industry.

Canadian Data Breaches: Changes to the Laws Occurred on November 1st, 2018

Canadian Data Breach

Many business owners don’t realize that new laws are in place surrounding data breaches. On November 1st, 2018, these new laws went into effect for all Canadian business owners. These laws will affect thousands of businesses now, so it’s essential for all business owners to be aware of the changes and be prepared to comply. If these laws are not followed, businesses could be fined up to $100,000.

Breaches Must Be Reported to the Government

If you collect customer data such as banking information, legal or health information, or identifiers such as SINs, and your database is breached, you must report this to the government. The new law describes reportable breaches as those that create “a real risk of significant harm to individuals.”

How Will These Changes Impact My Company?

You must report a breach like this to the Office of the Privacy Commissioner of Canada and also notify the individuals who were affected. All those whose private legal, health or financial information was lost must be informed. They need to know precisely what information was lost, how many records were impacted and what caused the breach.

Companies must also show that they have taken the appropriate measures to prevent future breaches. If the prescribed steps are not followed correctly, the company can be heavily fined. In many cases, data breaches also damage the company’s reputation and affect consumer trust.

What Are The Specific Laws Changing?

This new law governing data breaches is not a stand-alone law. It’s an amendment to PIPEDA, the Canadian Personal Information Protection and Electronic Documents Act. For a summary of Canada’s privacy laws, please visit here. The specific laws related to digital information can be found here. It’s important to understand and comply with both.

Many experts have pointed out that the wording in PIPEDA does leave room for interpretation. It covers situations where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” This wording is somewhat vague and may be interpreted in various ways by the Canadian courts.

Steps to Follow If There’s A Breach

Below is a brief outline of the steps to follow if you experience a breach:

  • The nature of the breach and what specific data was stolen
  • What your organization has done to reduce risk and harm
  • How those affected can protect themselves and reduce their risk
  • Information about the organization’s contact information
  • The procedure for filing complaints

How Did the Breach Occur?

Once the source of the breach has been identified, the vulnerabilities must be repaired. Some breaches occur due to employee carelessness. Perhaps an employee clicked on a link in a phishing email. With so many workers now using their own devices, this opens the door to breaches if a device is lost or stolen. The way to handle this issue is with a Remote Management and Monitoring (RMM) program. This can be set up and managed by {company}. This offers multiple benefits including:

  • Compliance with regulations
  • Remote wipe if a device is lost or stolen
  • Find my device technology
  • Application management such as updates and patches

{company} can monitor and manage all your technology on a 24/7 basis.  With Managed IT Services you can prevent downtime and keep your technology running smoothly. We can notify you of areas where we believe your database might be at risk and suggest ways to repair this vulnerability.

Other Ways to Mitigate Vulnerabilities

Having data stored and managed in the cloud is a good method of decreasing your company’s liabilities. The cloud offers many benefits including better security, scalability, plus it’s flexible and allows your workforce to be mobile.

How To Protect Your Data From Intrusion

With hackers around the world now scaling up their attacks, businesses must be thoroughly prepared. Simple firewalls and antivirus software are no longer enough. Most security experts recommend a layered approach to security. Follow these guidelines to protect your data from future data breaches:

  • Policies: Create and enforce security policies for your company.
  • People: Make sure your employees know what a phishing email looks like. Most workers need regular training in this area, so they don’t get careless.
  • Technology: Make sure you have the right technologies in place to prevent a cyber-attack from occurring in the first place.

In Conclusion

Canadians want to know how their personal information is being used. And they have a right to know what information is being collected and how it’s being used. In the future, these laws will most likely get even more strict for several reasons. Data breaches cost companies around the world billions of dollars each year. Cyber thieves are becoming more and more clever. They have fine-tuned their approach and figured out how to get people to open phishing emails. They can mimic the look of major companies like Spotify, PayPal, Apple and Microsoft. Ransomware scams have been highly successful, and hackers are often able to earn thousands of dollars per day by taking over a company’s database and then threatening to destroy all the information unless a ransom is paid.

What Can You Do?

There are numerous ways to protect your data from a breach. {company} can help you assess your current security protocols and create stronger measures. We can also advise you on how to proceed if a data breach has already occurred. It’s essential to determine exactly what happened and notify those affected along with Canadian authorities as quickly as possible. By waiting, you risk hefty fines and your company’s reputation could be ruined.

Things like Proactive Monitoring can help. We will continually scan and track the stability and security of your IT system for maximum uptime identifying any security issues.

The 2019 Cyber Security Guide For Financial Professionals

The securities industry has been as vulnerable to cyber attacks in 2018 as any other industry. According to the SEC Enforcement Division’s newly created Cyber Unit (formed in 2017 to enhance the ability of the Commission to identify and investigate all cyber-related threats to firms), 20 actionable cases were brought forward in fiscal year (FY) 2018. Members of the Cyber Unit were also conducting 225 open investigations at the close of FY 2018.

Firms have an affirmative duty to establish policies and procedures designed to detect and deter cyber-threats. The applicable rules include both the Safeguards Rule and the Identity Theft Red Flags Rule. Failure to put in place necessary protections designed to safeguard customer information and prevent fraud may result in enforcement action by the SEC.

SEC Cyber Security Enforcement Actions

This was the case with an enforcement action taken against a Des Moines, IA-based firm fined $1 million for its failure to put in place proper cybersecurity policies and procedures. The action came as a result of a cyber intrusion that fraudulently reset customer passwords. This allowed the cyber thieves access to more than 5,600 of the firm’s accounts, which allowed new profiles to be created and specific access to private documents of three customer accounts. The failure to have in place proper procedures in keeping with regulatory requirements made what was preventable inevitable.

As the old year ends and a new one begins, what are some of the cyber threats facing investment professionals? In keeping with mandated requirements from the SEC, FINRA, and state securities commissions, what should be done to keep ahead of the growing potential of a cyber attack or unwanted intrusion that threatens customer safety, privacy, and the integrity of U.S. financial markets?

The State of Cyber Security in 2018

A recently discovered data breach of Marriott International’s Starwood Hotel guest reservation database compromised the information of nearly 500 million customers. A Federal Trade Commission (FTC) consumer advisory released on December 4, 2018, announced that the breach, which began in 2014, impacts all hotel registrations made up to September 10, 2018.

Information that hackers were able to access includes customer names, addresses, phone numbers, email addresses, passport numbers, dates of birth, and the gender of the reservationist. Additionally, any Starwood loyalty program account information and reservation information entered was taken and for some customers, payment information (and possible expiration dates).

The compromise of Starwood customer information by hackers is just the tip of a very tall iceberg of incidents that took place in the U.S. and across the globe. Cybersecurity issues touched nearly every industry sector and business size, from Texas-based Jason’s Deli to social media giant Facebook. State-sponsored attacks have also been exposed in 2018, validating concerns about the integrity of the U.S. election process and the continuing influence of bad-faith actors such as Iran, Russia, and North Korea.

Those issues affecting business worldwide are those that affect financial professionals and the securities industry. Efforts must be taken to tighten up required controls that detect and deter cyber attacks. Paying lip service to these issues will result in the loss of customer confidence as further attacks expose vulnerabilities.

Cyber Security Issues for 2019 Affecting Financial Professionals

There are at least four specific cybersecurity issues that financial professionals should be aware of heading into 2019:

  • Testing a firm’s cybersecurity policies and procedures to ensure
  • Leveraging technology to police technology
  • The impact of artificial intelligence by hackers to access client accounts and information
  • The growing influence of the “Dark Web” and the exposure of personal and private information

These issues may be of particular concern for financial professionals looking to maintain strong customer relationships. Awareness of the potential for attack must be met with definitive action to strengthen systems and hold back minor and major intrusions that could have a long-term effect on business and the confidence the investing public has in the U.S. financial system.

Establishing and Testing an Investment Firm’s Cyber Security Policies and Procedures

In its 2018 enforcement actions against firms that failed to protect client data, the SEC noted that the failure stemmed from the lack of sufficient cybersecurity policies and procedures. Such policies and procedures are only one part of the solution to building robust IT systems capable of withstanding dedicated cyber attacks.

In addition to well-documented policies and procedures specifically tailored to the financial systems, firms and financial professionals must also work with their IT teams to test their ability to detect, address, and defeat cyber attacks. The loss of customer information to a data breach through a system vulnerability that could have been prevented hurts not only the entity breached but the industry as a whole.

As firms increasingly rely on technology to conduct business, greater reliance must be placed on constant vigilance. The mentality cannot be that since an attack has not occurred, there is no problem; it must be that an attack may happen at any time.

Using Technology to Defeat Technology

Cybersecurity issues cannot be regulated away. The establishment of policies and procedures, as discussed, is one of the ways to identify the severity of these attacks and their potential impact on business. Using technology to defend against technology-driven cyber attacks and other unwanted intrusions is the next level for financial professionals.

It stands to reason that these attacks are the result of machines finding ways to invade other devices. This may be to spread viruses that cripple or disable a recipient system for a period of time, or to disrupt business operations by denying access to customers, or to set in motion ransomware or other types of malware for the purpose of extortion. Policies and procedures establish recognition of the potential for harm but technology sets in place the necessary firewalls and disaster recovery processes for business to continue operating (with little to no disruption).

Artificial Intelligence

Machines, currently through the aid of those with ill intent, lead the attack on financial systems, threatening the privacy of customer data. Artificial intelligence (AI), or the ability of machines to develop routines and learning processes that make devices less dependent on human input, is also growing as a potential threat.

Facebook confronted this issue in the summer of 2018 when its Facebook AI Research Lab (FAIR) was forced to shut down a project involving the use of AI known as chatbots. Chatbots are a type of AI where programs that are automated to complete a specific task can communicate with each other to make the routine more efficient. The FAIR project attempted to add a negotiation element between the chatbots, which, to the horror of researchers, resulted in the AI developing its own language at a rate that was faster than what humans could anticipate and control.

The growing presence of AI in technology and the use of robots, specifically chatbots, to complete basic tasks may very well be the way of the future. Its existence, however, should raise legitimate concerns and warrant additional protections and regulatory action to ensure that the results of an accidental experience (like the outcome of the FAIR project) do not set in motion a sponsored attack that could have the potential of taking down the U.S. financial system in 2019 (and beyond).

Dark Web

The dark web refers to encrypted information that is unavailable through traditional internet search engines. A part of the deep web, it is a facility for transactions in private data (most of which is financial in nature) that has been stolen and may be purchased with cryptocurrency such as bitcoins. eCommerce on the dark web has grown exponentially – the Economist reported that between 2012 and 2016 the sale of illegal drugs through the darknet increased from $12 – $17 million to $120 – $180 million in four short years.

Data breaches that have occurred with all too regular frequency in 2018 have produced information that has found its way to the dark web. The marketplace for compromised identity information (i.e., social security number, date of birth, payment information, etc.) is growing at a rate comparable to what the Economist reported for illicit drug sales. Financial professionals, particularly in the age of anti-money laundering (AML) programs required to prevent terrorist financing and other illegal financial activities, will be challenged to verify the legitimacy of customer information and protect against the introduction of dark web data used to illegally open accounts or engage in financial transactions.

These are only a few of the cybersecurity issues facing financial professionals entering 2019. Greater awareness and vigilance are required of everyone within the industry to get in front of the growing influence of technology on our lives. Protecting the integrity of financial systems is more than good business. It may very well be what prevents a global financial disaster from happening, the scale of which would be unprecedented.