After Russian Hack, It’s Time to Vet Your SEC Filing Vendor
A complaint accusing five Russian nationals in an $80 million insider trading scheme is shining a new spotlight on cybersecurity.
In December, the Securities and Exchange Commission filed a fraud complaint accusing a Russian hacker of gaining access to hundreds of earnings announcements before they were public. He then allegedly passed this non-public information to his conspirators, who traded on it and gained an unfair advantage over the rest of the market. This was not some cyber "smash and grab." It ran from 2018 until at least August 2020, according to the complaint. What's more, the hacker wasn't accused of breaking into the companies that drafted the earnings announcements, but into the service providers (the filing agents) that submit those announcements to the SEC on the companies' behalf, according to the complaint.
I sympathize with the SEC filing agents who were notified that hackers had found a way into their systems. Every chief information security officer dreads that type of call. It's why software makers like Workiva take the measures we do to build not just SEC filing software but an entire reporting platform with multiple layers of security controls. We invest a substantial portion of revenue each year into further development of the platform.
Let's be clear: no company is completely immune to attack, and anyone who promises otherwise is lying. But there are measures SEC reporting software providers, and the companies that choose them, can take to reduce risk.
Vet your vendors
Your SEC filing vendor can make (or break) your reputation. You may want to look for a native cloud service provider that builds its own software and full platform, not a traditional service provider with digital services bolted on. At the very least, check that your vendor meets or exceeds standards for cloud service providers (CSPs) and that it completes the rigorous SOC 1 Type II and SOC 2 Type II audits. Don't stop at the badge: ask for the reports themselves (usually available under NDA) and read the audit period, the systems in scope, and any exceptions the auditor noted. A report that covers only part of a vendor's platform says little about the part that handles your filings.
In addition, check for some level of alignment and certification with industry-leading security frameworks, such as FedRAMP (which is built on NIST SP 800-53) and ISO 27001. FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud services used by federal agencies. Though developed for the federal government, a FedRAMP authorization indicates a vendor has demonstrated an ongoing commitment to securing customer data while it is processed, stored, and transmitted. ISO 27001, from the International Organization for Standardization (ISO), specifies the requirements for an information security management system, covering how an organization manages the security of its information assets, financial information included.
When another cybersecurity incident made headlines a couple of years ago, we created a checklist of what to look for when reviewing a vendor’s cybersecurity and customer service. It’s available on our website in case it’s helpful.
Layer up
Just as a single wool sweater may not be enough to insulate against single-digit temps, one layer of security controls may not be enough to defend systems from sophisticated attackers. The SEC's complaint notes the accused hackers used a variety of methods to get in, including malware and the login credentials of the filing agents' employees, used without authorization.
One common layer is multifactor authentication (MFA), which requires users to present more than one credential (a password plus a one-time code from an authenticator app, for example, or a code sent by text message or email) to prove their identity before they can log in. Not all second factors are equal: codes sent by SMS or email can be intercepted or phished more easily than app-generated codes or hardware security keys, so prefer the stronger options where the vendor supports them. SAML-based single sign-on (SSO) complements MFA by routing every login through one identity provider, so employees only need to remember a single truly strong password, MFA is enforced in one place, and a departing employee's access can be revoked everywhere at once.
Having a capable information security team, armed with monitoring and anomaly-detection tooling (increasingly including artificial intelligence and machine-learning tools) to flag suspicious activity such as logins from unfamiliar locations or unusual volumes of document access, can act as another shield.
By separating duties, as we do here at Workiva, no one employee has access to all customer data. Again, separation of duties (SoD) alone doesn’t guarantee a hacker can’t do harm, but it can limit the damage if an incident should happen. As a Workiva user, you can use native permission controls embedded in documents, presentations, and spreadsheets to limit which co-workers can view your projects, which can also limit the damage if someone’s login information is somehow compromised.
The SEC complaint states that the Russian hacker used an intermediary internet service that routed his queries to the hacked system through dozens of IP addresses to hide his location. We've seen customers configure allowlists of the IP addresses that are permitted to reach their systems. An allowlist won't stop an attacker who has stolen credentials and is already inside an allowed network, but it does shut out logins from the rotating addresses this kind of proxying produces, provided the check is made on the address the connection actually arrives from rather than on a header the client can set.
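As an added example (not Workiva's code, and not part of the original post), here is how an allowlist check can be written so that it still holds up behind a load balancer. The allowed ranges are RFC 5737 documentation addresses chosen for illustration, and the "trusted proxy" range is an assumption standing in for whatever your own reverse proxies use. The point to look for in a vendor's implementation: the decision is made on the address the connection arrives from, and the X-Forwarded-For header is consulted only when the connecting peer is one of your own proxies, because otherwise a client can put any address it likes in that header and walk straight through the allowlist.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample policy using RFC 5737 documentation ranges, not a real customer's.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Assumed addresses of the load balancers / reverse proxies we operate ourselves.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def in_any(addr, networks: Iterable) -> bool:
    """True if addr falls inside any of the given networks (IPv4/IPv6 mismatch is False)."""
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip: str, forwarded_for: Optional[str],
                        trusted_proxies=TRUSTED_PROXIES):
    """Decide which address represents the client.

    The TCP peer address is authoritative. X-Forwarded-For is consulted only
    when the peer is one of our own proxies, and even then the list is walked
    from the right, taking the first hop we did not append ourselves: anything
    further left was supplied by the client and may be forged."""
    peer = ipaddress.ip_address(peer_ip)
    if not forwarded_for or not in_any(peer, trusted_proxies):
        return peer
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer, do not guess
        if not in_any(addr, trusted_proxies):
            return addr
    return peer  # every hop was one of our proxies; nothing better to use


def is_allowed(peer_ip: str, forwarded_for: Optional[str] = None,
               allowlist=ALLOWLIST, trusted_proxies=TRUSTED_PROXIES) -> bool:
    """Allowlist decision for one request."""
    client = effective_client_ip(peer_ip, forwarded_for, trusted_proxies)
    return in_any(client, allowlist)


if __name__ == "__main__":
    # Direct connection from an allowed office range.
    print(is_allowed("203.0.113.10"))                                   # True
    # Attacker connecting directly but forging the header: header ignored.
    print(is_allowed("192.0.2.5", "203.0.113.10"))                      # False
    # Legitimate request that came through our own proxy.
    print(is_allowed("10.1.2.3", "203.0.113.10, 10.1.2.3"))             # True
    # Attacker behind our proxy who prepended an allowed address.
    print(is_allowed("10.1.2.3", "203.0.113.10, 192.0.2.5, 10.1.2.3"))  # False
```

Pair a check like this with MFA rather than relying on it alone: a stolen credential used from inside an allowed range passes the allowlist, and an allowlist also does nothing for vendor staff logging in from their own networks, which is exactly where the complaint says the credentials came from.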
In short, multiple layers of security are better than one.
A culture of security
It takes vigilance by every single employee, not just an SEC reporting team or IT team, to keep an organization's confidential information safe. At Workiva, every employee completes annual data security training. We test them with unannounced drills to get them in the habit of staying vigilant. My team also creates short videos to brief every employee on Log4j and other widely reported vulnerabilities. As every cloud service provider knows, we're all targets, and it's important for every employee at every level to be informed and stay on their toes.
As you vet vendors, check whether their security culture matches your expectations. It's worth pulling the chief information security officer (CISO) aside to ask how closely they're in touch with their chief operating officer and CEO. (Mine both take security threats VERY seriously.) Is the CISO also in regular touch with the leaders of their customer success and corporate communications teams? I like knowing I can always reach out to them, so that if the worst should happen, we can communicate with customers quickly.
The Workiva team understands that meeting SEC deadlines with accurate, reliable, and secure data is vital to your business. Together we can work to protect that data—so it’s only in the right hands at the right time.
Stay safe out there.