
SEC notices spark alarm for cyber executives

Welcome to The Cybersecurity 202! We’re taking a brief break here and returning on Wednesday. In the meantime, keep enjoying the temporary lifting of The Post’s paywall. You can even read stuff I wrote there, including early exclusive details about the Biden administration’s national cybersecurity strategy that I provided alongside Ellen Nakashima and a story with Karen DeYoung about some of the documents in the Discord leaks regarding spying on the United Nations’ secretary general.

Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: Kazakh authorities detain a Russian cyber expert, and a university health system claims its cyber insurance policy was not honored. First:

SEC action sends ripples over CISO accountability for data breaches

SolarWinds recently disclosed that the Securities and Exchange Commission notified top executives of pending legal action over the company’s landmark data breach — a step that some have described as unprecedented.

That’s because the company’s chief information security officer is among those who received a notice, “likely the first time a CISO has ever received one of these,” Jamil Farshchi, CISO at Equifax, said on LinkedIn.

By sending the so-called Wells notices, which notify recipients of the commission’s possible intent to bring charges against them, the SEC has stirred up some anxiety in the cybersecurity field.

  • SolarWinds itself has said that “any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure.”
  • “Though it doesn’t mean that the CISO has been charged, it is a new milestone,” Agnidipta Sarkar, a former CISO of pharmaceuticals company Biocon, told Apurva Venkat at CSO Online. “From today onwards, CISOs will increasingly be made accountable for the decisions they take or did not take.”

The breach and the notices

SolarWinds said in an SEC filing last week that its CISO, Tim Brown, and its chief financial officer, Barton Kalsu, received the notices, which the company said were sent to “current and former executive officers and employees.”

The notices, which come about two-and-a-half years after the breach was discovered, are the latest regulatory action stemming from the hack.

The SolarWinds breach, which was discovered in late 2020 but which the company has said might have begun as early as January 2019, affected at least nine federal agencies and more than 100 companies, according to the White House. 

“The cybersecurity breach of SolarWinds’ software is one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector,” as the Government Accountability Office described it.

The hackers inserted a backdoor into a build of the company’s Orion IT management platform, which was then distributed to customers as a legitimate software update and gave the intruders remote access to the systems that installed it. The U.S. government has identified Russia’s SVR intelligence agency as the responsible party.

SolarWinds said in an October SEC filing that the commission had sent a Wells notice to the company. Then, last week, Sean Lyngaas of CNN wrote about an internal email CEO Sudhakar Ramakrishna sent in which he said that “if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves.” Cybersecurity journalist Kim Zetter published the email on her Zero Day Substack.

A spokesperson for the SEC said the agency “does not comment on the existence or nonexistence of a possible investigation,” David Jones wrote for Cybersecurity Dive.

The SolarWinds disclosures follow closely behind last month’s sentencing of Uber’s former chief security officer, Joseph Sullivan, for covering up a 2016 cyberattack on the company. That conviction, too, was unprecedented and caused alarm in the cybersecurity world.

The Wells notices have prompted a lot of speculation about what’s behind the move.

  • The notices are usually sent to executives over Ponzi schemes, accounting fraud and market manipulation, Equifax’s Farshchi wrote.
  • A violation that might fit in this case is a “[f]ailure to disclose material information,” he said. “Things like failing to disclose the gravity of an incident … or failing to do so in a timely manner, could conceivably fall into this category,” Farshchi wrote.
  • “But *if* this is about disclosure, it shows the SEC isn’t sitting around waiting for cyber regs to be issued,” he wrote (emphasis his). “They’re taking action today.” (The SEC has been expanding cybersecurity regulations within the financial services sector.)

It does look like an emerging trend, said Shawn Tuma, co-chair of the data privacy and cybersecurity practice at Spencer Fane.

“The law evolves in incremental steps and, in my opinion, what this shows is a very early in developing — yet consistent — trend toward trying to name and hold individuals responsible for cybersecurity failures in companies, and it seems the CISO will be at the top of the list,” Tuma said in a story by Cam Sivesind at Secureworld.

SolarWinds has already suffered in the pocketbook as a result of the attack, estimating that the fallout would cost it nearly $20 million. It also is paying $26 million in a settlement from a shareholder lawsuit.

Mark Rasch, a former Justice Department prosecutor who is now an attorney with Kohrman Jackson and Krantz, said the SEC moves reflect an understanding that massive breaches can affect a company’s value or stock price.

“The SolarWinds breach, like the Colonial Pipeline attack, are systemic and endemic attacks that don’t just impact those companies,” Rasch told Zetter. “They impact entire sectors. When you are a company where a breach can impact that much of the population, you have to do a better job.”

Kazakh authorities detain Russian cybersecurity expert wanted in U.S., Moscow

Kazakhstan has detained a Russian cybersecurity expert who is wanted in both the United States and Russia, Reuters reports, citing the detainee’s employer.

“Nikita Kislitsin, an employee of Russian cybersecurity firm F.A.C.C.T., was detained on June 22 and Kazakh authorities are considering Washington’s extradition request,” Reuters wrote, citing a statement from F.A.C.C.T. “It said the accusations against Kislitsin, which it did not spell out, stemmed from his time as a journalist and independent researcher. It gave no further details.”

  • Kislitsin is a former editor in chief of Russian magazine “Hacker.”
  • F.A.C.C.T. is a spinoff of cybersecurity firm Group-IB, which finalized its exit from Russia in an effort to focus on non-Russian markets, according to a company announcement in April.

“Separately, Russia’s Vedomosti newspaper said Moscow court arrested Kislitsin in absentia on charges of unauthorised access to digital information, and that Russia would seek his extradition,” the report adds.

University of California sues insurance syndicates that allegedly refused to honor policy after cyber incident

The University of California sued various companies operating through the Lloyd’s of London insurance marketplace, alleging they refused to pay out under its cyber insurance policies after a data breach of its health system nearly 10 years ago, James Rundle reports for the Wall Street Journal.

  • “The university’s board of directors, known as the regents, filed suit in the Superior Court for the State of California … claiming the school should have been covered by policies purchased before the incident,” Rundle writes.
  • “The regents allege the syndicates have refused to engage in dispute resolution by asserting that the statute of limitations applying to the claims had expired,” the report adds.
  • Lloyd’s didn’t respond to the Wall Street Journal’s request for comment. The University of California declined to comment to the outlet.

Data on 4.5 million patients was exposed in the UCLA Health system breach, which was first detected in 2014 and later disclosed in 2015. Multiple lawsuits ensued; they were settled by UCLA Health in 2019 for $7.5 million.

The university filed insurance claims to recoup expenses related to providing identity protection for victims, but the “insurers, which the regents said they couldn’t name in the complaint, have refused every claim, saying that UCLA Health failed to satisfy cybersecurity requirements under the contract terms,” Rundle writes.

It’s been a busy few months in cyber insurance news. A New Jersey appellate court in May rejected several insurance groups’ argument that pharma giant Merck suffered a cyberattack under warlike conditions, allowing the company to receive insurance payouts in connection with the 2017 NotPetya malware attack.

2,700 swindled into cybercrime syndicates rescued in Philippines

Police and commandos in the Philippines launched a massive raid this week to rescue some 2,700 workers who were allegedly duped into providing labor for fraudulent video game sites and related cybercrime groups, the Associated Press reports.

  • “Brig. Gen. Sydney Hernia, who heads the national Philippine police’s anti-cybercrime unit, said police … rescued 1,534 Filipinos and 1,190 foreigners from at least 17 countries, including 604 Chinese, 183 Vietnamese, 137 Indonesians, 134 Malaysians and 81 Thais. There were also a few people from Myanmar, Pakistan, Yemen, Somalia, Sudan, Nigeria and Taiwan,” the report says, describing what is the largest rescue raid so far this year.

Cybercrime scam operations have become commonplace in strife-torn nations in Asia as workers are forced into carrying out scams across the internet.

“Some of the workers told investigators that when they tried to quit they were forced to pay a hefty amount for unclear reasons or they feared they would be sold to other syndicates, police said, adding that workers were also forced to pay fines for perceived infractions at work,” the report says.

  • The Association of Southeast Asian Nations in May agreed to shore up efforts against cross-border crime syndicates.

U.S. Health Department ensnared by MOVEit hacking campaign (Bloomberg News)

Cyber Command to expand ‘canary in the coal mine’ unit working with private sector (The Record)

U.S. Patent and Trademark Office notifies filers of years-long data leak (TechCrunch)

Top manager at U.S. firm privately sold high tech in Russia (Reuters)

Chinese balloon used American tech to spy on Americans (Wall Street Journal)

Andariel’s mistakes uncover new malware in Lazarus Group campaign (Infosecurity Magazine)

UAE, Israel launch global initiative to fight cyberattacks (Al-Monitor)

Olsztyn, Poland: When a cyberattack derails the smart city (LeMagIT)

Indigo lost $50M last year, in large part due to February cyberattack (CBC News)

Casualties keep growing in this month’s mass exploitation of MOVEit zero-day (Ars Technica)

Hackers say Texas city website targeted over state law on gender-affirming care (The Hill)

You can now manage 1Password family accounts via its apps (The Verge)

Fears grow of deepfake ID scams following Progress hack (Ars Technica)

Barred from grocery stores by facial recognition (New York Times)

  • Former congressman John Katko (R-N.Y.) has registered to lobby for information security company SecurityScorecard, Legistorm’s Keturah Hetrick reports. Katko, the former chairman of the House Homeland Security Committee, works at lobbying firm HillEast Group.
  • Former undersecretary of defense for intelligence Michael Vickers speaks at the Intelligence and National Security Alliance at 9 a.m.
  • Air Force CTO Jason Bonci speaks at a MeriTalk event on cloud security at 1 p.m.

Thanks for reading. See you next week.

