August 2023 Newsletter
New SEC Cyber Security Disclosure Rules Will Impact Every Business
The United States Securities and Exchange Commission (SEC) issued new cyber crime disclosure rules on July 23, 2023, that will go into effect on September 5. Affected businesses must be prepared to comply and may need to update their internal protocols.
Every publicly traded company in the United States is subject to this new disclosure requirement, but the impact on businesses is not limited to those companies. If you are a franchisee, subsidiary of a publicly traded company, or if you are a vendor who provides services, these rules will impact you.
The new rules require publicly traded companies to report cyber security incidents that would have a "material impact" on their stock or valuation within 4 days of incident detection or awareness. In some cases, the SEC may allow the United States Attorney General to delay reporting for 30 days if there is a risk to national security or public safety, or 60 days only in cases with a national security risk. The term "material impact" is not explicitly defined, but a reasonable interpretation would be any cyber attack or data breach that results in a meaningful loss of customer data, financial loss from fraud, or operating loss due to system compromises.
For example, a ransomware attack that shuts down business systems for several days would likely meet the criteria of "material impact," while a low-level employee who discovers fraudulent charges on a personal credit card would not. The loss of inventory or cash due to a pretexting attack or business email compromise (BEC) would need to be reported, but the theft of employee credit cards from an office would not.
The timeline for filing a disclosure begins as soon as a business becomes aware of a cyber attack, either when it is detected or when it is reported by a third party. This requirement puts anyone who works with a publicly traded company under SEC scrutiny, though the consequences will fall to the client.
Consider this: A real estate appraiser suffers a data breach that compromises hundreds of records that were supplied by a major real estate firm. Cyber criminals use those stolen records to run up hundreds of thousands of dollars in fraudulent charges. When the government investigates, investigators discover that the records originated with the real estate firm. The SEC will demand to know how and when the breach occurred, and it will not accept a vendor's failure to report as an excuse. The SEC cannot punish the vendor directly, but it can fine the real estate firm.
Publicly traded companies do not want a visit from the SEC. As a result, they will require all vendors, franchisees and subsidiaries to maintain strong cyber security, including regular disclosures of readiness, employee training and protocols to report and mitigate any significant data breach. If you are a small-business owner who works with publicly traded companies, I encourage you to check our latest blog post, How the New SEC Cyber Security Disclosure Rule Will Impact Every Business.
BREAKING: Real estate trade publication Inman reports...
The Multiple Listing Service (MLS) used by some real estate agents to list properties, prices, open houses and transactions, has been offline since August 9, when a cyber attack against MLS parent company Rapattoni made it impossible to update or add data in the system.
Inman reports that Federal investigators have joined Rapattoni in investigating the attack, while Rapattoni’s insurance company is negotiating with hackers to restore access. This would suggest a ransomware attack, where hackers lock all users out of a system and demand payment for an access key. In some cases, ransomware gangs will also encrypt all data held in an online database, erase the data if the target fails to pay ransom, or release the data on the Dark Web for other cyber criminals to harvest.
Some real estate agents have worked around the MLS outage by relying more heavily on Zillow.com, and at least one Reddit user told a client to list a property as For Sale By Owner until MLS can be restored.
Real estate agents should note that the portal used to log in to the MLS systems served by Rapattoni has also been knocked offline, which could mean that hackers have access to login credentials. Although no personal information has been reported stolen in the Rapattoni attack, any chance of a criminal obtaining passwords should prompt you to immediately change every password that you reuse across accounts. Those who employ two-factor authentication (2FA) or use a password manager are less likely to experience credential theft but should still update any password that could have been exposed to the MLS hackers.
Get Free Guidance to Help with Compliance
Protect Now has created two valuable, free white papers that offer step-by-step, easy-to-follow guidance for small businesses that need help understanding cyber security reporting and recovery protocols. If your clients are demanding written documents on your cyber response, these white papers will help you get started.
Preparing Your Systems to Stop and Recover from Cyber Attacks outlines the practices you should have in place before an attack occurs so you can respond.
Decision-Making Framework is designed to help businesses of all sizes understand who needs to take action, and what actions to take, in the event of a cyber attack.
Stat of the Month
The number of individual attacks against government and public services organizations stopped by BlackBerry from March 1, 2023, to May 31, 2023. The figure represents an increase of 40% in public-sector attacks over the prior 3-month period, according to the latest BlackBerry Global Threat Intelligence Report. The greatest number of attacks that BlackBerry stopped were directed at organizations in North America, including Canada, and the Asia-Pacific region.
Keep an Eye on Your Surroundings, and Your Router Traffic
A significant amount of fraud and hacking activity is discovered by accident. A client calls to report a missing shipment, or someone in IT discovers unusual data movements. Most small businesses rely on automated alerts to let them know if something suspicious occurs, but this will not deter or catch every hacker.
One step that can thwart an attack is router monitoring. To do this, you first need to know the range of your wireless router. Many business owners may be surprised to learn that their signals extend well into parking lots or public places. If possible, you should move the router so that it reaches the edges of your office but limits access outside.
Pay attention to anyone who spends a lot of time in or near your business using a laptop or smartphone. If you see the same person in the parking lot at the same time every day, or on a regular schedule, it could be a sign that they are accessing your router. You can confirm these suspicions by using the built-in traffic monitor on your router, typically accessible from any web browser on the network, to see who is using your system and what they are doing. If you see large amounts of data moving and you cannot explain why, it is time to take a closer look at what may be happening, especially if that data movement happens when suspicious individuals are nearby.
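The three signals described above (a device you do not recognize, a device that shows up on a regular schedule, and an unexplained volume of data) can be checked against a router's client log without staring at the admin page every day. The script below is an added example written for this newsletter and is not Protect Now code or any router vendor's tool; it assumes a generic CSV export with the columns shown, a small device inventory that you would maintain yourself, and alert thresholds (500 MiB per session, three days within a 15-minute window) that are placeholders to tune against your own baseline. The log lines and MAC addresses are constructed.

```python
"""Flag unfamiliar devices, recurring visitors and unexplained data volumes in a
router client log. Added example; the CSV layout below is a constructed, generic
format, not any particular router's export."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed device inventory (MAC -> label). A real inventory would be kept
# by the business owner and updated when devices are added or retired.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "front-desk-pc",
    "aa:bb:cc:00:00:02": "owner-laptop",
    "aa:bb:cc:00:00:03": "office-printer",
}

# Constructed sample export: one row per client session.
SAMPLE_LOG = """\
timestamp,mac,hostname,bytes_up,bytes_down
2023-08-14T09:02:00,aa:bb:cc:00:00:01,front-desk-pc,120000,850000
2023-08-14T12:31:00,de:ad:be:ef:00:99,android-7f3a,2400000000,30000
2023-08-14T12:55:00,aa:bb:cc:00:00:02,owner-laptop,90000,400000
2023-08-15T12:29:00,de:ad:be:ef:00:99,android-7f3a,3100000000,25000
2023-08-16T12:33:00,de:ad:be:ef:00:99,android-7f3a,2900000000,28000
2023-08-16T15:10:00,aa:bb:cc:00:00:03,office-printer,5000,60000
"""

# Assumed thresholds; tune them to what is normal for your office.
HIGH_VOLUME_BYTES = 500 * 1024 * 1024   # 500 MiB in one session
RECURRING_WINDOW_MINUTES = 15            # same time of day, give or take
RECURRING_MIN_DAYS = 3                   # seen on at least this many days


def parse_log(text):
    """Turn the CSV export into records with typed timestamp and byte counts."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "timestamp": datetime.fromisoformat(row["timestamp"]),
            "mac": row["mac"].lower(),
            "hostname": row["hostname"],
            "bytes_up": int(row["bytes_up"]),
            "bytes_down": int(row["bytes_down"]),
        })
    return records


def find_unknown_devices(records, known=KNOWN_DEVICES):
    """MAC addresses present in the log but absent from the inventory."""
    return {r["mac"] for r in records if r["mac"] not in known}


def find_high_volume(records, threshold=HIGH_VOLUME_BYTES):
    """Sessions whose total transfer, in either direction, exceeds the threshold."""
    return [r for r in records if r["bytes_up"] + r["bytes_down"] > threshold]


def find_recurring(records, window_minutes=RECURRING_WINDOW_MINUTES,
                   min_days=RECURRING_MIN_DAYS):
    """Devices seen on at least `min_days` distinct days inside one time-of-day
    window, i.e. the 'same time every day' pattern. (Sessions that straddle
    midnight are not grouped by this simple spread check.)"""
    stamps_by_mac = defaultdict(list)
    for r in records:
        stamps_by_mac[r["mac"]].append(r["timestamp"])
    recurring = set()
    for mac, stamps in stamps_by_mac.items():
        days = {t.date() for t in stamps}
        minutes = [t.hour * 60 + t.minute for t in stamps]
        if len(days) >= min_days and max(minutes) - min(minutes) <= window_minutes:
            recurring.add(mac)
    return recurring


def build_alerts(records):
    """Combine the three checks into human-readable alert lines."""
    alerts = []
    recurring = find_recurring(records)
    for mac in sorted(find_unknown_devices(records)):
        note = " on a recurring schedule" if mac in recurring else ""
        alerts.append(f"unknown device {mac}{note}")
    for r in find_high_volume(records):
        label = KNOWN_DEVICES.get(r["mac"], "UNKNOWN")
        total_mib = (r["bytes_up"] + r["bytes_down"]) / (1024 * 1024)
        alerts.append(f"high volume: {r['mac']} ({label}) moved "
                      f"{total_mib:.0f} MiB at {r['timestamp']:%Y-%m-%d %H:%M}")
    return alerts


if __name__ == "__main__":
    for line in build_alerts(parse_log(SAMPLE_LOG)):
        print(line)
```

Two caveats when you adapt this to a real export: most routers name and order the columns differently, so `parse_log` is the part you will rewrite; and modern phones randomize their Wi-Fi MAC address per network, so a device you do own can appear as "unknown" after a reset. Treat an alert as a reason to look at the router page and the parking lot, not as proof on its own.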
Affordable Small-Business Cyber Security Awareness Training
As government regulations increase, one theme remains constant: Employee training is a must. For small businesses and sole proprietors, online training is the most cost-effective solution, but only if the training is worthwhile.
Our CSI Protection Certification eLearning Program delivers the same advanced cyber, social and identity protection training we provide in our live seminars. With video-based, self-directed modules, you can complete the training at your own pace, and you will always have access to these videos if you need a refresher. Try a free demo today to learn valuable ways to protect your email communications and to experience these powerful training tools for yourself.
The SEC has adopted its new rule for two reasons. First, the Federal Government believes that cyber crime is underreported. Second, they believe current reporting standards do not provide enough information for investors to make informed decisions about cyber risks.
This new rule may roll downhill to encompass nearly every U.S. business by design. Enforcement against publicly traded companies forces those companies to apply stronger standards to their vendors, which raises overall compliance. It is the most sweeping and significant mandate for cyber security the U.S. government has ever introduced.
Do not expect a noisy public-relations campaign to alert you to your responsibility. If past behavior is any example, the SEC will respond to a few small violations with warnings, then seek to make an example of someone. Once that happens, the stampede to services begins. You do not want to be caught up in that stampede, as providers will be overwhelmed and more likely to delay or turn down requests for help.
Take action now to secure systems, train employees and develop the protocols and reports your clients will soon demand. If you are unsure of where to begin, please contact me through Protect Now. I can help you understand your responsibilities and refer you to exceptional providers who will help you manage compliance.
Stay safe out there,
Robert & the Protect Now Team