Amid Pandemic, Threats To Banks Extend Well Beyond Cyber-Realm
Amidst the profound growth of potent web-based technologies and solutions made available to consumers and businesses at ever-increasing rates, the growing reliance on web-based processes has contributed significantly to the sharp rise in cyber-fraud seen over the last two decades alone. Cases of cybercrime have risen significantly in 2020, with factors such as mass unemployment, the spread of misinformation, and online dependency due to stay-at-home orders all culminating in unprecedented success levels for criminals exploiting social and economic uncertainty for personal gain. Across the global financial sector, the extraordinary number of business professionals staying in during the pandemic has given rise to an abundance of new threats with regard to security – both financial and physical. With the workplace of many Americans shifting from highly secure corporate office buildings and facilities to homes and cafes (the latter offering free WiFi to the masses), criminals have sought to capitalize on the fact that tens of thousands of people have been forced to adjust even the most basic of their daily workflow processes during the ongoing COVID saga, often operating on relatively unsecure networks. As such, the confidential information of financial institutions and their customers is at increased risk of exploitation, with cybercriminals attacking unwary citizens from a variety of angles. And with criminals often looking to capitalize on the easiest of targets (or those that pose the least likely threat of detection from the proper authorities), the staff of institutions small and large have become almost equally susceptible to hacking exploits and breaches when failing to implement necessary safeguards for deterring cybercrime – specifically when working outside of the office.
The complexities of the ploys employed by today’s cybercriminals have grown exponentially as compared to those of just a short matter of years ago. When factoring in the variety of particular security weaknesses that can be targeted when working from home, this makes for a potentially lethal combination for financial institutions that have failed to ensure that their employees have all of their tracks covered with regard to taking data protection seriously when working in their home or the community. Arguably the most common mistake made by today’s on-the-go business professionals is connecting to unsecure, public web networks to access internal company databases, placing company data at direct risk of falling into the hands of tech-savvy bad actors. While it is difficult to rein in general employee negligence in this regard, many banks have provided their external employees with access to virtual private networks (VPNs) and external authentication services to create an additional layer of security protection for their core system(s), but even many of these service providers cannot (and should not) be trusted with valuable client information. Today’s hackers are able to penetrate even the most secure of networks should users fall for COVID-themed phishing schemes or make the mistake of downloading disruptive malware from inconspicuous links or attachments to emails from familiar senders. With business communication platforms such as Microsoft Teams, Zoom, and Google Meet almost instantaneously becoming essential tools for remote workforce management, business professionals have fallen victim to phishing attacks in the form of email and/or text links claiming that they’re late for an impromptu meeting with other company officials or that their account has been suspended and must be reactivated to participate in future video conferences.
Once the link is followed, most often malware is downloaded to their device or users are taken to a faux-login screen where they must enter their credentials, subsequently giving fraudsters access to their account and potentially others using similar username/password combinations across other websites. To put it simply, when professionals work from home there are far more extraneous variables that bad actors can capitalize on to make a profit.
A recent article released by the Wall Street Journal analyzed another dimension of security with regard to banking during the pandemic. In his article, writer Jack Hagel discusses that while the significant uptick in phishing and ransomware strikes seen since the onset of the pandemic is undeniable, not all attacks affecting the well-being of companies and employees are of the online variety. Aside from COVID-19, 2020 will go down as one of the most unique periods of civil and social unrest in American history. If this year has demonstrated nothing else, it is that the publicized political positions of, and campaign donations made by, top executives of America’s largest firms, financial or other, will undoubtedly draw the ire of large groups of people – potentially crippling reputational sentiments about a company and leading to major backlash in the process. Given increasing political tensions as well as protests over police injustice and other notable social issues, there has been increased demand from financial firms seeking physical-security assessments and threat-management consultations in response to a sharp rise in physical threat activity against companies and executives this year.[1]
The article cites a recent survey from the Ontic Center for Protective Intelligence that polled 300 executives of major firms operating in the security, legal and compliance spaces. Hagel notes that some of these executives’ largest current concerns include “keeping employees safe as they work remotely, identifying potential threats to reduce liability, and managing the volume of threat data, such as social media posts, reports from law enforcement and information on individuals who have threatened the company or its personnel in the past.”[1] With the rise in unemployment figures reaching all-time highs this year, other physical threats being monitored are those arising from disgruntled former employees looking for vengeance against those that impacted their livelihood. Yet while it is well within the power of firms to beef up their on-site security, this does little to protect employees working remotely. As a result, corporate security teams are altering their “normal” operations to include making revisions to emergency action plans to encompass the respective workspaces of remote employees, updating location data on employees outside of their branches, hiring private security to protect upper-level management as needed, and upping their monitoring efforts of potential red flags with respect to threats arising from open sources.[1]
Treasury, DOJ to Adopt Whistleblower Reward Program
As part of a proposed annual defense-spending bill, whistleblowers who report potential violations of current anti-money laundering legislation to the U.S. Department of the Treasury and/or Department of Justice (DOJ) could be granted a hefty reward. Under the expanded National Defense Authorization Act (NDAA), one or more individuals are eligible to receive up to 30% of the monetary penalties collected by the Treasury or the attorney general in exchange for information leading to successful enforcement actions of over $1 million – this based on the significance of the information provided and the amount of assistance the whistleblower provides, among other factors.[3] Should this measure come to pass (Congress will reportedly vote on the bill coined the NDAA within the next several weeks), it would represent a major expansion to the reporting incentives that are currently offered. The Wall Street Journal writes that “existing regulations permit the Treasury, at its discretion, to pay a reward of either $150,000 or 25% of the fine or penalty, whichever is less”[3], which has provided little incentive for individuals holding pertinent information to face the many risks of coming forward.
The measure will also significantly expand whistleblower protections for those who come forward with allegations of money laundering or other notable financial crimes, all part of a greater effort to improve the AML/CFT movement at the national level. A similar program enacted by the Securities and Exchange Commission (SEC) under the Dodd-Frank Wall Street Reform and Consumer Protection Act has seen profound returns to date. Since being signed into effect in July of 2010, the SEC’s whistleblower program has awarded over $730 million to 123 individuals who have come forward with information leading to prosecutions and/or settlements for financial wrongdoing.
SEC Fines UK Firm After Alleged Misleading of Investors
BlueCrest Capital Management, a prominent British-American hedge fund, has agreed to pay $170 million as part of a Securities and Exchange Commission (SEC) settlement over violations of U.S. securities laws related to several anti-fraud regulations. Compliance Week writes that between 2011 and 2015, the firm “failed to disclose to investors the existence of a $1.5 billion hedge fund owned by executives, called BSMA Limited”, adding that the BSMA fund “poached top traders from BlueCrest’s main investment fund, then replaced them with a computer algorithm that underperformed compared to live traders.”[2] In making the swap to the use of algorithms over human investors, the company was able to retain a significantly larger percentage of performance fees. Aside from creating countless conflicts of interest, the company also did a disservice to its investors in keeping them out of the loop with regard to the controversial personnel moves made while contributing to increased volatility in the management of investor funds.
As part of the settlement, BlueCrest neither admitted nor denied the charges brought forth by the securities regulator. BlueCrest agreed to a cease-and-desist order, with the breakdown of the financial penalty as follows: $133 million in disgorgement and pre-judgment interest, and a penalty of $37 million.
EU Tightens Sanctions Squeeze on Turkey
The European Union (EU) recently announced its plans to continue imposing sanctions on Turkish citizens and organizations involved in illicit offshore drilling in the Mediterranean. If pushed through, the move would act as an extension to 2019 sanctions issued against Turkish nationals who explored drilling for hydrocarbons in contested waters. The potential decision has been contentious to say the least, with several NATO countries (including notable names such as Germany, Spain and Italy) contending that imposing additional sanctions against Turkey would create an awkward, if not hostile, environment across the EU. Others, such as Greece and Cyprus, have argued that the sanctions are not punishment enough for these repeated offenses. Turkish President Tayyip Erdogan has shrugged off the sanctions to date, instead turning the blame on the EU for failing to act impartially towards his country. Erdogan has also gone on record stating that “any sanctions decision that can be taken against Turkey do not concern us much.”[4] Global RADAR will provide an update on any follow-up moves in the weeks to come.
1. Hagel, Jack. “Surge in Physical Threats During Pandemic Complicates Employee Security Efforts.” The Wall Street Journal, Dow Jones & Company, 8 Dec. 2020.
2. Nicodemus, Aaron. “U.K. Firm BlueCrest Fined $170M for Violating U.S. Securities Laws.” Compliance Week, 8 Dec. 2020.
3. Sun, Mengqi. “Defense Bill Proposes Anti-Money-Laundering Whistleblower Program.” The Wall Street Journal, Dow Jones & Company, 7 Dec. 2020.
4. “Turkey’s Erdogan Shrugs off EU Sanctions Threat.” Reuters, Thomson Reuters, 9 Dec. 2020.