Cybersecurity Archives - Compliance Chief 360
https://compliancechief360.com/tag/cybersecurity/
The independent knowledge source for Compliance Officers

CFPB Sues Major Banks and Zelle Operator for Alleged Fraud
https://compliancechief360.com/cfpb-sues-major-banks-and-zelle-operator-for-alleged-fraud/
Fri, 20 Dec 2024 21:10:34 +0000
The Consumer Financial Protection Bureau announced that it has sued Bank of America, JPMorgan, Wells Fargo, and the operator of Zelle, Early Warning Services, for failing to protect consumers from widespread fraud.  Zelle is America’s most widely available payment network. According to the lawsuit, customers of the three banks have lost more than $870 million over the network’s seven-year existence due to these failures.

The CFPB’s lawsuit describes how hundreds of thousands of consumers filed fraud complaints and were largely denied help, with some being told to contact the fraudsters directly to recover their money. Bank of America, JPMorgan Chase, and Wells Fargo also allegedly failed to properly investigate complaints or reimburse consumers for fraud and errors as is required by law.

Jane Khodos, a spokesperson for Zelle, said that the CFPB’s arguments are “legally and factually flawed, and the timing of this lawsuit appears to be driven by political factors unrelated to Zelle.”

“Zelle leads the fight against scams and fraud and has industry-leading reimbursement policies that go above and beyond the law,” Khodos said. “The CFPB’s misguided attacks will embolden criminals, cost consumers more in fees, stifle small businesses and make it harder for thousands of community banks and credit unions to compete. Zelle is relied upon by 143 million enrolled American consumers and small businesses, and we are fully prepared to defend this meritless lawsuit to ensure their service does not suffer.”

The Alleged Failures and Neglect

According to a statement made by CFPB Director Rohit Chopra, this lawsuit results from an investigation that launched in 2021. The investigation found that three of the nation’s largest banks allegedly “rushed to launch a payment system without implementing basic protections for their customers.”

The CFPB alleges widespread consumer losses since Zelle’s 2017 launch due to the platform’s and the banks’ failure to implement appropriate fraud prevention and detection safeguards. The CFPB alleges that Bank of America, JPMorgan Chase, Wells Fargo, and Early Warning Services violated federal law through critical failures including:

  • Leaving the door open to scammers: Zelle’s limited identity verification methods have allowed scammers to quickly create accounts and target Zelle users. For example, criminals often exploited Zelle’s design and features to link a victim’s token to the fraudster’s deposit account, which caused payments intended for the consumer’s account to instead flow to the fraudster account.
  • Allowing repeat offenders to hop between banks: Early Warning Services and the banks were too slow to restrict and track criminals as they exploited multiple accounts across the network. The banks did not share information about known fraudulent transactions with other banks on the network. As a result, the fraudsters could carry out repeated fraud schemes across multiple institutions before being detected, if they were detected at all.
  • Ignoring red flags that could prevent fraud: Despite receiving hundreds of thousands of fraud complaints, the banks failed to use this information to prevent further fraud. They also allegedly violated the Zelle Network’s own rules by not reporting fraud incidents consistently or on time.
  • Abandoning consumers after fraud occurred: Despite obligations under the Electronic Fund Transfer Act and Regulation E, the banks failed to properly investigate Zelle customer complaints and take appropriate action for certain types of fraud and errors.

The lawsuit aims to reimburse those who suffered financial losses due to the alleged neglect of fraud. It also seeks to impose penalties on the banks and implement measures to prevent similar violations in the future.


Jacob Horowitz is a contributing editor at Compliance Chief 360°

Managing Compliance in a Remote Work Environment
https://compliancechief360.com/managing-compliance-in-a-remote-work-environment/
Thu, 12 Dec 2024 22:50:13 +0000
We all know about the great migration to “work from home” that occurred during the COVID-19 pandemic, starting in 2020 and lasting into 2021 and 2022. While many organizations have moved employees back to the office for some or all of the work week, remote work has remained a far more prevalent aspect of working life.

According to a 2023 Pew Research Center study, around 22 million employed adults in the U.S. work from home all the time, equal to roughly 14 percent of all employed adults, while 41 percent are at least part-time remote on a hybrid setup. By 2025, that same survey finds 32.6 million Americans will be working remotely.

While the flexibility creates favorable conditions for the acquisition and retention of top talent, it also contributes to some new challenges. Managing a compliance team in a remote work environment can be difficult. This is especially true for highly regulated sectors, such as finance, health care, defense, and others, but it could impact a business operating in any field.

Identifying the challenges of remote work and coming up with a solid compliance plan will allow employers and workers to fully utilize remote or hybrid work models without worries about security risks, audits, or subsequent fines. Whether or not you utilize a third-party risk monitoring solution, it’s critical to understand the risks associated with remote work.

Compliance Challenges of a Remote Work Environment

The EY 2023 Mobility Re-imagined Survey suggests that while 92 percent of participants believe workplace mobility is important, 71 percent lack confidence in their organization’s ability to handle compliance and other risks stemming from a remote work environment.

Some of the most common compliance challenges work from home creates for organizations include:

  • Determining which labor laws and regulations apply to employees on the basis of their home office location
  • Employee monitoring and oversight
  • Ensuring workplace safety
  • Data security and privacy
  • Safety of communication carried out in a remote work environment
  • Employment verification processes

Having a solid compliance plan in place and adapting to the hybrid work model realities are both essential to mitigate those risks.

Onboarding and Ongoing Training

The first rule of onboarding compliance is understanding applicable rules regarding employment, data privacy, and security. Onboarding processes have to address all those concerns and adhere to regulatory frameworks within the respective jurisdiction.

If your company hires international employees who work from their own location, you’ll have to go through a few important considerations when doing onboarding. Find out if:

  • The respective person has the right to work
  • Whether they’re entitled to receive home office equipment
  • You will have to provide any kind of training during the onboarding process

The agreements and contracts you sign as a part of onboarding should also account for national or regional regulatory specifics. A well-crafted employment contract should have stipulations on job responsibilities, performance expectations, communication protocols, confidentiality clauses, data protection, dispute resolution, and performance reviews.

The next step would be to train remote workers on anything that may lead to compliance issues. Data privacy and security training is non-negotiable. Authentication and access control training can also reduce the risk of violations or security threats stemming from the remote work environment.

The Importance of a Foolproof Remote Work Policy

A remote work policy is a document that outlines expectations and guidelines for all employees to follow. It’s a comprehensive how-to guide that focuses on procedures, safety protocols, workplace specifics, and technologies employed to do one’s job while following a regulatory framework.

As hybrid work is becoming the norm, standard workplace policies have to account for the new reality and the way it’s changing professional interactions.

Well-crafted remote work policies should contain:

  • Rules on eligibility for remote work
  • Guidelines on mandatory work hours, equipment, and tools made available to each employee
  • Provisions on designing and equipping a remote workplace
  • Cybersecurity stipulations and protocols
  • Guidelines on communication between coworkers
  • Guidelines on employee well-being

Good workflow management is also dependent on effective performance tracking, building trust and transparency through daily communication, having clearly defined roles within teams, and offering the right incentives (like career growth opportunities).

Maximizing Cybersecurity in Remote Environments

Cybersecurity is crucial for all organizations, especially those operating in highly regulated sectors.

Remote work has created numerous challenges that concern executives and make IT security managers sweat. In 2023, 72 percent of respondents in a survey responded they are very concerned or at least somewhat concerned about the online risks related to employees working from home. The number of respondents not at all concerned was only 6 percent.

Without concrete policies and being a part of a shared on-site work environment, common cyber threats like ransomware are more likely to evade defense mechanisms, group head of cyber governance at FWD Insurance in Singapore Pritish Purohit told Forbes.

Overcoming these new challenges depends on:

  • Educating employees on recognizing cybersecurity threats
  • Strengthening the corporate network through good password policies, multi-factor authentication, the selection of the right antivirus applications, frequent updates, and backups
  • Securing remote connections by leveraging VPNs and setting device usage boundaries
  • Implementing company-wide cybersecurity policies that apply to both in-office and remote workers
  • Carrying out regular security assessments and vulnerability audits
  • Adhering to data protection laws like GDPR and HIPAA
  • Using an extra layer of protection to safeguard the most sensitive information (for example, only having certain individuals accessing such files and maintaining detailed access logs)

A Focus on Employee Well-being Is Crucial

Finally, don’t forget to maintain the focus on employee well-being, regardless of the workplace model your organization has embraced.

To improve the mental and physical well-being of employees, consider the following:

  • Maintain regular communication, preferably using video conferencing tools to make everyone feel connected
  • If possible, schedule in-person meetings at least a few times per month
  • Discourage overwork and promote better work-life balance (by selecting the right compensation models that will keep workers from spending too much time as the lines between personal and professional get blurred)
  • Offer personalized health benefits (89 percent of remote workers value having some kind of health benefit as a part of their employment package)
  • Make sure everyone is aware of the available paid time off within the organization
  • Provide mental health and well-being resources
  • Allow work-hour flexibility

Working from home creates legal considerations that some organizations aren’t prepared to face, while others have been attempting to address those ineffectively.

To reduce the risk of compliance issues, come up with a robust remote work policy. Ensure employees are properly trained and stick to those rules to reduce risks. All other challenges can be addressed via regular performance reviews and audits. Identifying challenges and threats quickly is essential to determine viable remedies and implement them before the issue turns into a major compliance problem.


Giovanni Gallo is the Co-CEO of Ethico, where his team strives to make the world a better workplace with ethics hotline services, sanction screening and license monitoring, and workforce eLearning software and services.

Are You Ready for Compliance with EU’s DORA?
https://compliancechief360.com/are-you-ready-for-compliance-with-eus-dora/
Fri, 15 Nov 2024 21:22:12 +0000
It has been said that if a butterfly flaps its wings in the Serengeti, it can change the climate half a world away. Similarly, if an EU regulator enacts regulation in the EU Commission, it can have a major impact as far away as the United States.

We saw this through the ubiquity of website cookie notices and recent state-level laws like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), which, if nothing else, took some inspiration from the EU’s General Data Protection Regulation (GDPR).

Get ready for another EU regulation that, while not directly applicable in the United States, will nonetheless have a major impact on compliance at U.S. organizations. The Digital Operational Resilience Act (DORA) will be similarly impactful once it comes into force on January 17, 2025—especially for those in the financial services industry.

Nominally, DORA is a cyber-resilience regulation aimed at protecting the operational stability of the European financial services industry. It is the first ever EU regulation of its kind that targets resilience at a sectoral level and, practically speaking, is an extensive suite of requirements for financial institutions and the businesses that provide services to them, covering how information and communication technology (ICT) contracts should be written, risks assessed, incidents reported, and security systems tested, among other things.

Like any good EU regulation, DORA will come with large potential fines (one percent of global turnover) for violators.

DORA Is Not Just an EU Regulation

The key thing auditors need to understand about DORA, especially as they are being asked to take on more risk-based responsibilities, is that DORA is very broad. It creates significant regulatory risk for potentially tens of thousands of entities in and outside the EU.

According to a recent McKinsey survey, most EU financial entities have started their journey towards DORA compliance, but only a third expect they will be ready on time for January 17. Globally, the state of DORA readiness is likely far lower.

This is important because, like the GDPR, DORA does not just apply to the 22,000 or so financial entities based in the EU. Instead, it is enforced based on where an organization’s customers are based. This means that if a financial institution in the United States, the United Kingdom, or any other location outside the EU deals with EU customers, there is a strong chance that DORA applies to them.

The best starting point for a compliance officer or internal auditor to see whether their organization falls under DORA is to look at the list of financial entities that are not in DORA’s scope.

Organizations excluded from DORA include non-financial entities, (some) alternative investment fund managers, very small insurance and reinsurance firms, financial entities outside the EU that do not serve the EU financial sector, and some others like post office GIRO institutions and small occupational pension funds.

As a rule, if a financial institution trades actively and is large enough to have EU-based customers, it will need to comply with DORA’s rule sets. Fintechs, crypto brokers, hedge funds, asset managers, and more traditional banks and financial institutions will all be impacted.

What Types of Companies Does DORA Cover?

Some organizations will have more stringent DORA requirements than others. A large multinational bank, for example, with complicated ICT systems and a lot of interdependent relationships will have relatively tough requirements.

To comply with DORA, an entity like this will likely have to conduct threat-led penetration testing (a form of offensive cybersecurity exercise in which you test IT systems against realistic cyber-attack scenarios and threats) at least every three years and other security testing on an annual basis.

They will also need to be able to report ICT incidents, such as data breaches, within 24 hours for significant events and conduct detailed third-party risk assessments for all critical ICT service providers. Ideally, the entity in question will already be ahead of this task, and the compliance officer or internal auditor’s job will not change to a great degree due to DORA.

A smaller organization, like an investment firm with a more basic ICT infrastructure that is less critical to the overall financial services industry, will have different requirements. They will have longer windows for incident reporting (72 hours) and simpler third-party risk requirements. Testing will still be required but on a less stringent basis.

Although many smaller organizations may have slightly less to do to become DORA compliant, they may find that many of DORA’s requirements, like threat-led penetration testing, are completely new to them.

Microenterprises, “very small entities,” defined as having a revenue of less than €2 million per year ($2.11 million) and less than 10 employees, and simple IT environments will have much lighter compliance requirements.

Critical Third Parties Covered by DORA

Another quirk of DORA is that it’s not just applicable to financial institutions but will also impact businesses that serve them, such as companies that provide services that are essential to the EU financial services industry, but are not financial institutions themselves. Some of these businesses will be designated as Critical ICT Third-Party Service Providers (CTPP) and have especially strict requirements.

An essential requirement for ICT third-party service providers to be considered critical by DORA is that they must provide ICT services that support critical or important functions to at least 10 percent of the financial entities for any given category, as defined in DORA. “Critical or important functions” refer to functions whose discontinued, defective, or failed performance would materially impair the financial entity.

In a broad sense, a CTPP is a service that, if it fails, would cause serious damage to a significant portion of the EU financial services industry. A company is designated as such, either by voluntarily declaring itself to be a CTPP or by being appointed as such by a European Supervisory Authority, such as the European Banking Authority. Major cloud service providers like Google Cloud, for example, will likely become CTPPs and have been taking steps to comply with DORA for quite some time.

Compliance Matters

Sectoral, global, and brought into force by the European Commission in less than six months, DORA will become a mainstay of boardroom conversation in 2025.

Hopefully, this article will help compliance officers and internal auditors better understand who is and isn’t covered by DORA. In practice, DORA compliance is a significant top-down effort. The average major financial services industry organization will dedicate significant resources to DORA compliance.


Nikos Vassakis is the Head of Consulting Services at SECFORCE, an IT security and cybersecurity firm based in London, U.K.

SEC Charges Four Companies With Misleading Cyber Disclosures
https://compliancechief360.com/sec-charges-four-companies-with-misleading-cyber-disclosures/
Wed, 23 Oct 2024 18:36:12 +0000
The Securities and Exchange Commission has charged four public companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. The charges against the four companies—Unisys, Avaya, Check Point Software, and Mimecast—result from an investigation involving public companies impacted by the compromise of SolarWinds’ Orion software.

The SEC also charged Unisys with disclosure controls and procedures violations. The companies agreed to pay the following civil penalties to settle the SEC’s charges:

  • Unisys will pay a $4 million civil penalty;
  • Avaya will pay a $1 million civil penalty;
  • Check Point will pay a $995,000 civil penalty; and
  • Mimecast will pay a $990,000 civil penalty.

“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement. “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.

The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls.

The SEC’s order against Avaya finds that it stated that the threat actor had accessed a “limited number of [the] Company’s email messages,” when Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment.

The SEC’s order against Check Point finds that it knew of the intrusion but described cyber intrusions and risks from them in generic terms. The order charging Mimecast finds that the company minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.

Don’t Downplay the Seriousness of a Breach

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge Tenreiro, acting chief of the Crypto Assets and Cyber Unit. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”

The SEC’s orders find that each company violated certain applicable provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules. Without admitting or denying the SEC’s findings, each company agreed to cease and desist from future violations of the charged provisions and to pay the penalties described above. Each company cooperated during the investigation, including by voluntarily providing analyses or presentations that helped expedite the staff’s investigation and by voluntarily taking steps to enhance its cybersecurity controls.

DoD Finalizes Cybersecurity Certification Program for Contractors
https://compliancechief360.com/dod-finalizes-cybersecurity-certification-program-for-contractors/
Fri, 18 Oct 2024 02:03:41 +0000
The U.S. Department of Defense issued final rules for its Cybersecurity Maturity Model Certification (CMMC) Program, which is intended to ensure that defense contractors meet standards for safeguarding sensitive information.

The CMMC Program aligns with the DoD’s existing information security requirements for private sector defense contractors. It is designed to enforce the protection of sensitive unclassified information shared by the department with its contractors and subcontractors. The program was developed to provide the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for non-federal systems processing controlled unclassified information.

“CMMC provides the tools to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches,” the DoD said in a statement. “The CMMC Program implements an annual affirmation requirement that is a key element for monitoring and enforcing accountability of a company’s cybersecurity status.”

Central features of the CMMC Program:

  • Tiered Model: CMMC requires companies entrusted with sensitive unclassified DoD information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also outlines the process for requiring protection of information flowed down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the DoD to verify implementation of existing cybersecurity standards by contractors and subcontractors.
  • Implementation through Contracts: DoD contractors and subcontractors handling sensitive unclassified DoD information must achieve a specific CMMC level as a condition of contract award.

Businesses in the defense industrial base should take action to gauge their compliance with existing security requirements and their preparedness for CMMC assessments. Members of the defense industrial base may use cloud service offerings to meet the cybersecurity requirements that must be assessed as part of the CMMC requirement.

Equiniti Trust Penalized by SEC for Failing to Protect Client Assets from Cyber Theft
https://compliancechief360.com/equiniti-trust-penalized-by-sec-for-failing-to-protect-client-assets-from-cyber-theft/
Thu, 22 Aug 2024 22:27:31 +0000
The Securities and Exchange Commission announced that it settled charges against New York-based registered transfer agent Equiniti Trust Company LLC for failing to assure that client securities and funds were protected against theft or misuse. Those failures led to the loss of more than $6.6 million of client funds as a result of two separate cyber intrusions in 2022 and 2023. The company was able to recover approximately $2.6 million of the losses and fully reimbursed the clients for their losses. To settle the SEC’s charges, Equiniti, formerly known as American Stock Transfer & Trust Co., agreed to pay a fine of $850,000.

According to the SEC’s order, in September 2022, an unknown third party hijacked a pre-existing email chain between what was then American Stock Transfer and a U.S.-based public-issuer client. The hacker, pretending to be an employee at the issuer, then instructed American Stock Transfer to issue millions of new shares of the issuer, liquidate those shares, and send the proceeds to an overseas bank. American Stock Transfer followed these instructions and transferred approximately $4.78 million to bank accounts located in Hong Kong, of which it was able to recover approximately $1 million.

In addition, the SEC found, around April 2023, in an unrelated incident, someone used stolen Social Security numbers of certain American Stock Transfer accountholders to create fake accounts that were automatically linked by American Stock Transfer to real client accounts based solely on the matching Social Security numbers, even though the names and other personal information associated with the fraudulent accounts did not match those of the legitimate accounts. This allowed the thief to liquidate securities held in the legitimate accounts and transfer a total of approximately $1.9 million in proceeds to external bank accounts, of which American Stock Transfer was able to recover approximately $1.6 million.

“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique Winkler, Director of the SEC’s San Francisco Regional Office. “As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”

In finding that Equiniti failed to assure that (i) all securities in its custody or possession related to its transfer agent activities were held in safekeeping and were handled in a manner reasonably free from risk of theft, loss or destruction and (ii) all funds in its possession were protected against misuse, the SEC concluded that the transfer agent violated Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12. In addition to the civil penalty referenced above, Equiniti agreed to a cease-and-desist order and censure.

AT&T Sued for Failing to Protect Customer Data in Cybersecurity Breach
https://compliancechief360.com/att-sued-for-failing-to-protect-customer-data-in-cybersecurity-breach/
Thu, 18 Jul 2024 20:07:40 +0000

After having nearly all of its customers’ records breached, AT&T is facing a class action lawsuit alleging that the cellular company failed to implement adequate cybersecurity procedures and protocols. The class action is taking place in Texas, Montana and New Jersey federal courts.

The lawsuit arises out of an incident that took place in May 2022 in which hackers downloaded phone call and text message records belonging to “nearly all” of AT&T’s wireless customers. AT&T admitted to the hack and said that the breached data included a record of every AT&T customer’s phone and text logs; however, it did not include the content of calls or text messages, nor personal information such as Social Security numbers, dates of birth or customer names.

The lawsuit claims that AT&T was negligent and alleges that the company was not sufficiently transparent about the “nature and extent of data security lapses impacting its customers,” including how the attacks put them in danger of identity fraud. “Plaintiff and other data breach victims provided their [personally identifiable information] to AT&T with the reasonable expectations and mutual understanding that AT&T would comply with its obligations to keep such information confidential and secure from unauthorized access,” the complaint said.

Dina Winger, the plaintiff in the Texas lawsuit, emphasized that AT&T should have known the risks within the cellular industry and should have implemented protocols to mitigate such risks. “Because the data breach was an intentional hack by cybercriminals seeking information of value that they could exploit, victims are at imminent risk of severe identity theft and exploitation,” Winger said, adding that AT&T knew or should have known that its systems were targets for cybersecurity attacks.

In the Montana federal court, AT&T was accused of “failing to properly secure and safeguard their personal information, including phone call and text message records for ‘nearly all’ of the company’s 110 million cellular customers.” That lawsuit seeks monetary compensation from AT&T, an injunction requiring the company to modify its data security processes and grant the victims credit monitoring and identity theft insurance, as well as attorney fees and litigation costs.

The New Jersey case mainly repeats the Montana and Texas accusations and emphasizes that AT&T disregarded its customers’ rights by failing to implement adequate measures to protect their sensitive information. All the plaintiffs aim to represent nationwide classes of data breach victims, potentially bringing the class to millions of individuals.

AT&T Explains How the Breach Occurred

According to AT&T, its investigation revealed that a hacker accessed an AT&T workspace on a third-party cloud platform. The hacker then extracted files containing records of customer call and text interactions from approximately May 1 to October 31, 2022. The cellular service company said that it immediately activated its incident response process and hired external cybersecurity experts to help with the issue.

Since then, AT&T has assured its customers that none of their sensitive information has been leaked and that it has now secured its systems to stop the breach.

PHOTO BY: BROWNINGS, USED UNDER CC BY-SA 3.0


Jacob Horowitz is a contributing editor at Compliance Chief 360° 

SEC’s Cyber-Rule Enforcement a Prime Worry for Compliance
https://compliancechief360.com/secs-cyber-rule-enforcement-a-prime-worry-for-compliance/
Thu, 28 Mar 2024 21:22:25 +0000

According to a 2024 Cybersecurity Benchmarking Survey, 45 percent of surveyed compliance personnel from asset management, investment adviser and private market firms have expressed concerns about how the Securities and Exchange Commission (SEC) will enforce its newly developed cybersecurity rules.

The ACA Group and National Society of Compliance Professionals released the results of the survey, which showed the uncertainty surrounding the enforcement of the SEC’s cybersecurity rules. The results indicated that 44 percent of respondents said they are uncertain about how the SEC will enforce the rules, while 36 percent of compliance professionals cited concerns with complying with cyber incident reporting requirements and timeframes.

Mike Pappacena, a partner at ACA Group, said in a statement that “it’s clear that regulatory compliance remains a top concern,” because nearly half of respondents expressed uncertainty about SEC enforcement. Pappacena said the survey results underline the importance of staying ahead of evolving cybersecurity threats.

The online survey consisted of around 310 investment adviser firms. All firm sizes were represented and responding firms belonged to varied business types, with most responses coming from asset managers, broker-dealers, and alternative investment advisors.

According to the survey, around 80 percent of the participants are confident in their firms’ ability to combat a cyber breach, and the top cyber threats raising concern are payment fraud and business email compromise.

As a result of the SEC’s adopted rule, public companies are now required to disclose cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The SEC rules now require companies to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.

The SEC additionally requires companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Companies are given a four-day window to disclose a cybersecurity incident, counted from the moment they determine the incident is material.

The SEC’s Consideration of Additional Cybersecurity Proposals

Cybersecurity has been a top priority for the SEC. The Commission is currently considering other cybersecurity-related proposals, including one that would require brokers, dealers, investment advisers and companies to implement written policies and procedures concerning unauthorized access to or use of customer information. This would include procedures for notifying customers of such an incident.

The SEC is also proposing to broaden the scope of information covered by making changes to the requirements for safeguarding customer records and information, and for properly disposing of consumer report information.

Although these proposed measures signal a determined effort to enhance protection for investors, many remain worried about exactly how the SEC will enforce these newly adopted rules and proposals.


Jacob Horowitz is a contributing editor at Compliance Chief 360°    

HHS Reaches First Settlement with Health Care Firm Involved in Ransomware Attack
https://compliancechief360.com/hhs-reaches-first-settlement-with-health-care-firm-involved-in-ransomware-attack/
Tue, 31 Oct 2023 20:22:32 +0000

The U.S. Department of Health and Human Services announced a $100,000 settlement with Doctors’ Management Services for failures to determine the potential risks and vulnerabilities to electronic protected health information after a cyberattack exposed the information of more than 200,000 patients.

It is notable in that it is the first settlement the HHS’s Office for Civil Rights (OCR) has reached with an organization affected by ransomware, under its HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.

Doctors’ Management Services (DMS), a Massachusetts medical management company that provides medical billing and payor credentialing, was attacked by the now-defunct GandCrab ransomware gang in April 2017, but the intrusion was not detected until late December the following year, after the group encrypted its files. The $100,000 settlement resolves a large breach reporting failure regarding a ransomware attack that affected the electronic protected health information of 206,695 individuals.

OCR’s investigation found evidence of potential failures by DMS to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.

Increased Threat of Ransomware

Ransomware and hacking are the primary cyber-threats in health care. In the past four years, there has been a 239 percent increase in large breaches reported to OCR involving hacking and a 278 percent increase in ransomware, according to HHS. This trend continues in 2023, where hacking accounts for 77 percent of the large breaches reported to OCR. Additionally, the large breaches reported this year have affected over 88 million individuals, a 60 percent increase from last year.

“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”

The initial unauthorized access to the network occurred on April 1, 2017; however, Doctors’ Management Services did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt their files. In April 2019, OCR began its investigation.

Mandated Reforms to Comply with HIPAA

Under the terms of the settlement agreement, OCR will monitor Doctors’ Management Services for three years to ensure compliance with HIPAA. In addition, Doctors’ Management Services has agreed to pay $100,000 to OCR and to implement a corrective action plan, which identifies steps that Doctors’ Management Services will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of electronic protected health information, including:

  • Review and update its Risk Analysis to identify the potential risks and vulnerabilities to Doctors’ Management Services data to protect the confidentiality, integrity, and availability of electronic protected health information.
  • Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
  • Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
  • Provide workforce training on HIPAA policies and procedures.

OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following best practices to mitigate or prevent cyber-threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes; conduct them regularly and when new technologies and business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and job responsibilities, and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

HHS’s OCR says it “is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information.” Guidance about the Privacy Rule, Security Rule, and Breach Notification Rules can also be found on OCR’s website.

SEC Charges SolarWinds and Its CISO with Fraud, Control Failures
https://compliancechief360.com/sec-charges-solarwinds-and-its-ciso-with-fraud-control-failures/
Mon, 30 Oct 2023 19:41:51 +0000

The Securities and Exchange Commission announced charges against Austin, Texas-based software company SolarWinds and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.

The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.

As the complaint alleges, SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

In addition, the SEC’s complaint alleges that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks. For example, according to the SEC’s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient;” and a September 2020 internal document shared with Brown and others stated, “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”

The SEC’s complaint alleges that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company. As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.

SolarWinds made an incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing, following which its stock price dropped approximately 25 percent over the next two days and approximately 35 percent by the end of the month.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; that SolarWinds violated reporting and internal controls provisions of the Exchange Act; and that Brown aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.
