NEW YORK (Thomson Reuters Regulatory Intelligence) - The cyber attack last month known as the WannaCry ransomware incident did little damage to U.S. financial firms but it sent a warning shot for the securities industry and its regulators. The self-replicating worm infected over 200,000 computers in 150 countries, showing the potential harm fast-moving attacks can inflict and fueling new calls from regulators for firms to manage cyber risk.
The WannaCry attack set off predictable alarms from technology firms and cyber security experts. But it was more than hype and the incident was seen as one of the largest in recent history. Risk professionals at financial firms should not dismiss the chance it offers to assess the state of the art in cyber space’s dark side.
With a month’s hindsight, it’s clear that the WannaCry attack was not a particularly innovative network exploit, known as a “worm,” and it did not approach the kind of damage past cyber attacks have wreaked on computer networks. Still it generated new insights on how regulatory changes, social media and digital currencies used in ransomware — which lets hackers take over a computer until they are paid — are posing new threats that risk professionals need to understand.
The malicious software behind the attack was a permutation of the decades-old “worms,” standalone software that can replicate itself and spread through computer networks.
“This was very much a blast from the past,” said Nicholas Weaver, who heads network security research at University of California’s International Computer Science Institute in Berkeley. “It was the first widespread worm in a while, and it had a motive behind it — ransomware. It was fully self-propagating and moved quickly without any human intervention from system to system.”
The global reach and the speed of the malware attack alone make it worth a full assessment and showed the need for rapid responses to attacks. In its aftermath, regulators are looking at firms’ network security plans to see if they are designed to act quickly in containing and reporting similar incidents.
Most financial firms were well prepared, in part because they are the most regulated of businesses linked to the Internet, say computer security experts. In rankings of sectors that have been most harmed by cyber criminals, financial firms have been in the middle of the pack, or about average. Most U.S. financial firms had updated versions of Microsoft Windows that are frequently patched and had already been immunized against WannaCry.
But computer security consultants see risk rising for financial firms as hackers change techniques and look for new victims and exploits for which patches have not yet been installed — and the finance industry is seen as the juiciest target for a new wave of cyber criminals.
In the past, hacking has often been done for sport, and the prize has been disabling networks and winning respect among notoriety-seeking “black hat” hackers whose aim was to expose vulnerabilities, not to generate profit. The shift in recent years has been toward economic crime made possible by anonymous digital currencies that can hide the identities of hackers in ransom schemes.
The “black hat” malicious hackers can buy or swap malware on the so-called dark web, made up of secretive peer-to-peer sites that are not searchable by Google and other engines and are layered behind passwords and sometimes require special software to navigate.
“Ransomware overall is only going to get worse,” said Weaver. “Ransomware is the biggest threat people face going forward. It’s a big concern for me.”
The first big lesson from last month’s incident is that WannaCry was avoidable. Firms that applied up-to-date virus patches were protected, and quick action by firms in reporting and dismantling the malicious code helped halt its spread so it lost momentum in just a day.
The second is to back up data in case the malicious code defies the existing patches. “You have to apply the patches and you also have to back up data,” said Weaver. With no firewall or anti-virus software entirely fool-proof, every important piece of data should be backed up and stored securely somewhere away from the network, he added.
The third lesson is that the participation of firms was critical in halting the spread of WannaCry, a point not lost on regulators. Regulators want to make certain firms are taking all of those steps, and reporting incidents is becoming increasingly important so that malware can be identified and disabled.
Since the WannaCry outbreak, regulators stepped up their reviews of firms’ response programs and issued warnings that they will begin penalizing laggards. The New York Department of Financial Services, which issued one of the nation’s first comprehensive rule books on cyber protection, requires firms to report attacks “as soon as possible but in no event later than 72 hours.” NYDFS said its new cyber protection regulation rules were “designed to help prevent and mitigate the issues triggered by WannaCry.”
The NYDFS rules, which became effective in March(here), mandate bi-annual vulnerability assessments and "systematic scans" to review their systems' ability to withstand threats. Firms regulated by NYDFS, which oversees a wide swath of the financial services industry, are required to identify and document material deficiencies and institute remediation where needed to meet annual certifications of regulatory compliance.
The new rules include requirements for computer virus stress tests and verification from cyber security experts on the soundness of the cyber programs.
U.S. legislators within days of the WannaCry attack, proposed a new law, The Patch Act, or Protecting our Ability to Counter Hacking Act of 2017(here), introduced by Senator Brian Schatz, Democrat of Hawaii. The law would create a permanent review board of government agencies and private firms to use a federal clearing house that tracks malicious code. The plan has generated bipartisan support and the tech industry has been largely supportive, since it has addressed privacy concerns for firms that share data on network intrusions.
The Securities and Exchange Commission has also stepped up its cyber program since the WannaCry attack. The new co-chief enforcement, Steven Peikin, last week launched an initiative to crack down on cyber crime, starting with a review of cyber protection in the securities industry. He said in an interview with Reuters that “the greatest threat to our markets right now is the cyber threat.”
Compliance teams whose systems were unscathed by WannaCry should take note of the response by regulators, who clearly took the worm attack as a call to action. While U.S. risk professionals may be winning plaudits for shielding their firms, U.S. regulators show no signs of complacency.
The attack was mild compared with some previous incidents, but luck played a part in halting a larger outbreak in the U.S. time zone. WannaCry appeared first in Asia on May 12. Authorities suspect North Korea as the source of the malware, which spread quickly to Europe and the United States.
Like many other recent attacks, the WannaCry attackers, whose identity remains unknown, were believed to have acquired malware on one of the markets that traffic in the malicious code used by hackers. The attacks were launched in multiple locations and timed to launch simultaneously.
The so-called “code execution bug” was designed to disable computers by a preset time unless a ransom of $300 to $500 was paid. The hackers left messages that they would initiate the code remotely, demanded payment in bitcoin.
Those who kept up to date on their Windows virus patches were protected. Still, there were millions of unprotected computers on networks around the world. But U.S. systems managed to avoid the serious problems seen elsewhere.
The virus caused major disruptions in the UK starting May 12, but computer security experts were credited with quickly discovering the “kill switch” that disabled the virus in many locations before it could spread in the United States. That kind of luck can’t be counted on, said computer security experts. Since each viral outbreak has its own unique code, there is no guarantee the next attack will be decoded quite so quickly.
The only fail-safe is to back data up in case of an attack that hits networked data. “You need to build your own infrastructure so your computer can catch on fire and you still have all your data,” said Weaver. “You have to be in a position where if your computer and the attached disks catch fire you should be able to recover your data,” said Weaver.
For years, hackers presented a widespread nuisance factor for computer users. Digital vandalism sometimes led to inconvenient computer outages and lost files. In a typical “denial of service attack” computers sent millions of messages at favored targets such as government agencies or tech firms. The result was mostly embarrassment for the victims.
The more serious attacks in the past have involved hackers working in isolation to steal personally identifiable information such as credit card numbers. Those attacks were more than mere mischief, and involved losses of money or identity theft. But such intrusions were relatively contained to clients and usually could be remediated by reaching out to customers in relatively low-cost settlements.
The rise of bitcoin has transformed the once-annoying hacker attacks to a new level that has led to potential losses that are harder to assess, although industry estimates already place it in the billions of dollars annually. Criminal networks are often loosely connected over networks like now-defunct Silk Road or the still active Shadow Brokers, and scores of dark Web sites have become gathering points for spreading malicious code.
For compliance and risk teams, the solution to an intrusion is no longer as simple as extracting the virus and going ahead with business as usual. Regulators require incident reports as soon as the event happens. The non-compliant firm risks enforcement actions and civil lawsuits if they fail to participate in quelling the attack. There are no innocent bystanders.
“When computers are compromised and used to make an attack on another victim, the liability could be with your system,” said John Carlin, former U.S. assistant attorney general for national security, who chairs Morrison & Foerster’s global risk and crisis management team. “It might not seem like a big problem. But sometimes it turns out to be worse than first thought and if you don’t report it to regulators from their perspective you kept it secret.”
Unlike break-ins aimed at stealing specific data sets, malware attacks are open ended, as the WannaCry attack demonstrated. Cyber insurers have been wary of the potentially vast liability posed by a widespread malware attack launched from an insured clients’ computers. It has made lining up insurance difficult, and expensive.
The rising number of attacks has led to a sharp rise in cyber security insurance, said Aviram Jenik, chief executive officer and founder of Beyond Security. The cyber threat is, “not hopeless, but an urgent situation,” he added. Regulators are nudging firms to insure their risk, he said, and insurers are starting to offer rates more closely calibrated to risk than in the past.
“The industry is maturing from the previous state of ‘OMG hackers will come and destroy us all’ panic to a more level-headed view that cyber security is a business problem,” said Jenik. “And just like any other business problems, it has to be dealt with appropriately.”
With more tools to assess “cyber security readiness,” insurers can more easily know “where an organization stands, in terms of their security readiness and level, thus allowing insurers to offer a more tailored policy, and with better pricing.” Since cyber crime is now decades old, more is known about the workings of cyber crime networks.
But there are vastly more cyber hacker rings carrying out illegal operations, and there is now an anonymous payment system, with bitcoin. For insurers, risk modeling is beginning to resemble other industries where the economics of the market are becoming paramount, as opposed to unknown technology exploits.
While the technology itself has not seen breakthroughs, compliance teams are facing the challenge of training and monitoring the people on cyber awareness, especially in the use of social media. The danger of social media exploits was shown this week as chiefs of numerous banking firms were hit by one or more email pranksters who fooled bosses at Goldman Sachs, Citigroup, Barclays and the Bank of England.
Those breaches did not lead to revelations of sensitive information, but they did raise questions about potential vulnerabilities in email and engaging with clients, employees and counter-parties via social media.
“It is, in many ways, an ongoing game. Software developers continually produce new and improved operating systems and do their best to minimize the risks of security exposures - but it is very difficult, if not impossible, to produce fully bulletproof software,” said John Verver, strategic advisor to ACL “So hackers continually look for weaknesses they can exploit, while security specialists continually test and check to see if they can find any weaknesses the developers missed or never thought about.”
“The moral of the story is really to be ever-vigilant. Many organizations - particularly in sectors such as banking and finance - are doing a good job in their anti-hacking efforts. But inevitably some organizations are not as careful and not as stringent.” Those firms may be the most likely to be hit by hackers, unless regulators get there first.
(Richard Satran is a financial journalist covering daily and emerging issues for Thomson Reuters Regulatory Intelligence.)
This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on June 15. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters