2024 FINRA CYBERSECURITY CONFERENCE TAKEAWAYS
Several members of the Asgard team had the opportunity to attend FINRA's cybersecurity conference on February 6th. The team found the panelists engaging and found that they offered unique insight into the ever-evolving cyber landscape. For at least a year, our team has stressed the importance of cyber policies and cyber controls to help mitigate the continuous stream of cyber threats. It is important to note that cybersecurity should be treated as a firm-wide business priority, not just an IT problem.
Please see below our key takeaways from each session.
Welcome Remarks and Fireside Chat: Latest Trends in Cybersecurity
The former FBI agent who participated in this panel discussed current cyber trends as well as several practices that firms can implement to mitigate cyber threats:
- Cyber Threats: Business Email Compromise ("BEC"), account takeovers, vendor issues, brand impersonation and ransomware
- Best Practices:
  - Training: Users are the first and second line of defense
  - Reporting Mechanism: Determine how staff will escalate a cyber issue
  - Senior Management Enforcement: All levels of the business must understand and abide by the cyber controls in place
  - Vendor awareness and management
  - Implementation of multi-factor authentication ("MFA")
  - Testing: Throughout the conference, several panelists noted the importance of testing the Incident Response Plan ("IRP") and conducting tabletop exercises to understand how the firm can appropriately respond to an incident.
- If a ransomware attack occurs, determine whether data was exfiltrated.
- File a complaint with the FBI's Internet Crime Complaint Center ("IC3") if there is a cyber event or ransomware attempt.
- File a Suspicious Activity Report ("SAR") and an IC3 complaint if the firm is the victim of a cyber event.
Cyber-Enabled Fraud in the Digital Age
The Asgard team agreed that this session was the most eye-opening. Artificial Intelligence ("AI") has become more prevalent with the increased use of, and buzz surrounding, ChatGPT. But the concern goes far beyond AI as a helpful writing assistant: it is important to think of AI as a hacker's writing assistant as well. Just as we can use ChatGPT to help with a writing prompt or translate a sentence, a hacker can use AI to translate a phishing message into perfect English, removing the spelling and grammar errors that employees have been trained to look for.
Be on the lookout for:
- Voice Phishing ("Vishing"): Vishing is social engineering conducted over the phone. AI voice generators can use a small excerpt of recorded speech to mimic an employee's voice.
- Deepfake: A deepfake is an artificial image or video. AI generators can use a real image or video to create realistic fake images and videos.
How to combat vishing or a deepfake:
- Training
- Multi-factor authentication
- Verify vendor requests face to face
- Secure code
Cyber Tabletop Exercise
A common theme throughout the conference was testing. During the tabletop session, panelists walked attendees through a simulated incident to test response controls. During the exercise, several best practices were discussed, including:
- Ensure a command structure is in place
- Review access controls on an ongoing basis
- Test the IRP
- Monitor logs on an ongoing basis
Establishing and Strengthening Your Cybersecurity Posture
During this session, Asgard found that the panelists gave helpful, realistic guidance on how to strengthen cyber hygiene. Specifically, one of the panelists, the Chief Compliance Officer ("CCO") of a small firm, gave several suggestions to assist firms that do not have the budget to onboard multiple cybersecurity platforms. Suggestions included:
- Understand your systems and note which systems house personally identifiable information ("PII")
- Outline your vendors, understand which vendors have access to PII, and log the access controls in place for each vendor
- Inventory assets
- Ensure patch management occurs
- Consider that new employees are easy targets for cyber attacks
- Deploy regular phishing tests
- Ensure the firm has a customized IRP
- Maintain open communication between the firm and its vendors
- Maintain open communication between employees and senior management
The Asgard team is here to help with your cybersecurity needs.