Facebook data breach lets hackers control 50 million accounts

Facebook announced this week that hackers had exploited a weakness in the code behind its “View As” feature to take control of up to 50 million accounts. The attackers obtained access tokens, which let them stay logged in to accounts without re-entering a password.

Some 50 million users had their access tokens stolen. Facebook reset those tokens, so affected users now have to re-enter their passwords when they try to access the service.

Facebook said the hack happened because of a “complex interaction of multiple issues in our code”.

The complexities of cybersecurity were discussed in a special workshop on AI at our most recent female executive roundtable for Women in Compliance, and also in our roundtables in Paris and London with CISOs from large financial services and fashion brands.

To be part of the technical committees or to learn more about CSI, give us a call.

Posted in Uncategorized

GAM CCO steps down two months after joining the firm from the FSA

Natalie Baylis, who joined Swiss alternative asset manager GAM two months ago from the UK’s Financial Conduct Authority as Group Head of Compliance and member of GAM Holding AG’s Group Management Board to help with the aftermath of Tim Haywood’s suspension, abruptly announced her departure this week.

Bond PM Haywood had managed over $7 billion for GAM, but was suspended for breaching policies on record-keeping, risk management, and gifts and entertainment (triggered by an internal whistleblower).

Baylis cited “personal reasons” for leaving. David Kemp, Schroders’ GC for wealth and asset management, will now take over on an interim basis, working in partnership with another newcomer, Rachel Wheeler, who joined GAM from Aviva as GC two months ago.

CEO Alex Friedman and Head of Investments Matthew Beesley have been working with key accounts to retain assets and regain trust, and, given the board director issues around Haywood, GAM implemented a new policy that bars PMs from being on boards of any investment-advisory entities.

At its most recent “Women in Compliance” executive roundtable in NY, the Compliance Strategy Institute discussed how female leaders can work with their counterparts in risk, investments, tech, data and legal to improve communication and processes, and to establish regulatory and compliance partnerships with the business side.


Compliance 101 – Uber has to pay $148 million for its 2016 data breach/coverup

Hackers in 2016 stole personal data for tens of millions of Uber users (and also drivers). Uber didn’t report the breach and instead decided to pay two hackers (one of them a 20-year-old Floridian) $100K through HackerOne to stay quiet and delete the data.

HackerOne, by the way, describes itself as “the most trusted hacker-powered security platform” and offers three products:

HackerOne Response (a compliant process for receiving and acting on vulnerabilities discovered by third parties)

HackerOne Challenge (improving pen-test results with a project-based vulnerability assessment program)

HackerOne Bounty (a private, fully managed bug bounty program for continuous coverage)

HackerOne requires an IRS W-9 or W-8BEN form before payments can be made, and Reuters reported on Uber making payments to the Florida hacker through the platform.

All 50 states and D.C. filed a lawsuit, and yesterday the California attorney general announced a $148 million settlement with the company. Uber also agreed to strengthen its cybersecurity infrastructure and to provide updates to the states on a quarterly basis.

Tony West, Uber’s CLO, who joined after the prior chief security officer was fired, handled the cleanup process. The company said that the hackers had targeted third-party cloud-based services. Uber still has to deal with private-party lawsuits and those of some specific cities.

There are a lot of important lessons here on cybersecurity, on compliance setups for financial services providers, and on the growing importance of Artificial Intelligence.

We discussed AI and cybersecurity/cryptocurrency issues in our most recent CSI roundtable in NY.


WomenInCompliance.com – meet speaker Neshie Tiwari, CCO of Ellevest

Neshie Tiwari is the chief compliance officer for Ellevest, the investment management company for women by women, co-founded by Sallie Krawcheck in partnership with Charlie Kroll.

Ellevest was founded in 2016 as a digital financial advisory platform for women.

According to Neshie, “everyone is responsible for compliance…. and ethics.”

In the most recent “What the Elle?” newsletter from August 21, 2018, she also described situations with potential conflicts of interest and how Ellevest published details on the possible conflicts and their mitigation in Ellevest’s Form ADV.

Other focal points for CCOs, in Neshie’s opinion, are “the benefits of diversity to build a strong business”, to “talk. A lot.” and “rules are good. A ‘true north’ is better.”

She will share her thoughts in panels and workshops at WomenInCompliance.com. While space is limited, we still have a few spots left for C-level female (and male) compliance, risk, data, tech and legal officers.

See you on September 18th.


SEC hands out $90 million to whistleblowers in April 2018 alone

Since issuing its first award in 2012, the SEC has awarded more than $266 million to 55 individuals under the whistleblower program. In that time, almost $1.5 billion in monetary sanctions have been ordered against wrongdoers based on actionable information received from whistleblowers, including more than $740 million in disgorgement of ill-gotten gains and interest, the majority of which has been or is scheduled to be returned to harmed investors.

For more details on the program, please visit the SEC’s Whistleblower Program.


SEC Standard of Conduct for Inv Pros

Dalia Blass, who last September was named the SEC’s head of investment management (David Blass, her husband, spoke at CSI NY last year about some of the industry developments), addressed the Standards of Conduct for Investment Professionals in NY this month.

The commission on April 18th published “regulation best interest” – proposing enhancements to the standards of conduct for B/Ds, and clarified views on fiduciary duties of financial advisors.

SEC Chair Clayton last week also testified, as part of his $1.7b budget request, that the best interest proposals are a priority for FY2019. Both said the commission’s efforts are the result of over two decades of thinking and experience. A modest increase is earmarked to fill 100 vacancies after the hiring freeze.

Blass divided the three areas of the proposals as follows:

1. Clarity for retail investors about investment professionals (what kind of person is advising them, e.g. RIA, registered B/D, et al., and the use of “adviser” and “advisor”), including a “relationship summary”.

2. Enhanced Standards of Conduct for B/Ds.

3. Clarity around Standards of Conduct for I/As.

The public comment period will remain open for 90 days following publication of the documents in the Federal Register.

For access to research, news, data and one of the largest global compliance, data, technology and information networks, please visit the Compliance Strategy Institute.


SEC fines Yahoo (aka Altaba) $35 million for failing to disclose massive cybersecurity breach

Russian hackers in late 2014 stole Yahoo’s “crown jewels”: hundreds of millions of usernames, emails, phone numbers, birthdays, passwords, and security questions. Last week, the company agreed to pay $35 million in SEC fines for failing to disclose the breach for over two years; during that time it filed quarterly and annual reports with the commission without mentioning the data breaches.

Verizon acquired Yahoo in June 2017, and the firm has since been renamed Altaba Inc.

For more information, including SEC statements and comments on the case, click here.

For access to research, data and one of the largest global compliance, risk, technology and data networks, visit the Compliance Strategy Institute.
