Cybercriminals are nothing if not creative. While ransomware and phishing are still two of the most common tactics for gaining unauthorized access to systems (the average ransom payment demanded is now $8 million), bad actors are constantly refining their techniques.
At DFIN’s second annual Activate Executive Summit, Patrick Hynes, Principal and Cyber Leader at EY, discussed the latest tactics criminals use in their cyber-attacks on organizations and offered insights into the U.S. Securities and Exchange Commission’s (SEC) regulations governing incident reporting.
Patrick referenced findings from EY’s audit investigations and penetration testing program, highlighting key vulnerabilities:
- Phishing remains highly effective: 38% of EY's phishing simulations breached organizational defenses.
- Weak or misconfigured multi-factor authentication (MFA): In 70% of cybersecurity exercises, attackers exploited MFA weaknesses, intercepting codes or disabling the system entirely. Stronger authentication protocols are essential.
- Insecure settings and configurations: Many organizations leave security gaps that attackers use to escalate privileges.
Over the past three decades, cybercriminals have advanced from “basement” hackers to highly organized and sophisticated attackers who target organizations for financial gain, corporate espionage, market manipulation, and political motives, Patrick noted. While all companies in all industries are potential targets, there has been an increase in overall cyber-attacks in banking and capital markets compared to last year.
He cited six creative cyber-attack methods to watch out for:
- Help Desk Social Engineering: Outsourced Vulnerabilities. As help desk functions are frequently outsourced, cybercriminals have identified a vulnerability: human error in help desk procedures. Attackers often exploit this by calling the help desk, impersonating legitimate users, requesting password resets, or bypassing multifactor authentication. The weak point? Help desk teams fail to follow proper vetting procedures.
- SIM Swapping: Hijacking Executive Identities. SIM swapping is a highly disruptive attack in which hackers gain control of a victim's phone number by tricking the mobile carrier. Once they control the phone number, they can intercept MFA codes, access sensitive accounts, and even pose as executives. This attack is particularly hazardous for company leaders, whose accounts can be a gateway into larger networks.
- Cloud Nesting: Building Unauthorized Digital Hideouts. Attackers gain credentials of IT team members who possess elevated privileges, spin up unauthorized cloud instances, and use them to gather data, deploy malware, or maintain persistent access without detection.
- Security Tool Hijacking: Using the Defender’s Tools Against Them. In this attack, cybercriminals gain access to the credentials of infosec team members or service accounts responsible for managing security tools such as Endpoint Detection and Response systems. After hijacking, they can then use legitimate software to maintain remote access and avoid detection.
- Virtual Machine Destruction: Shutting Down Systems at Scale. One of the most devastating cyber-attacks involves accessing virtual machine (VM) consoles, allowing hackers to destroy VMs at scale. Once they have administrative privileges, attackers can shut down and delete virtual machines, leading to significant disruption across production environments.
- Session Hijacking: Piggybacking on Active Sessions. In a session hijacking attack, hackers intercept and steal valid session tokens, allowing them to masquerade as legitimate users and gain unauthorized access to systems or sensitive data without logging in.
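Because a stolen session token is used without a fresh login, the detection signal is a valid token suddenly appearing from a client that does not match the one that logged in. The following is an added example (not code from DFIN or EY) that binds each session to the IP and user agent seen at login and flags later use from a different client; the log format and log lines are constructed for the example.

```python
import shlex
from collections import namedtuple

Alert = namedtuple("Alert", "session user expected observed severity")

# Constructed sample log lines (invented for this example, not from the page).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z sid=s-1001 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0)" action=login
2024-05-01T10:02:11Z sid=s-1001 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0)" action=view_report
2024-05-01T10:15:42Z sid=s-1001 user=alice ip=198.51.100.7 ua="python-requests/2.31" action=download_export
2024-05-01T11:00:00Z sid=s-1002 user=bob ip=192.0.2.40 ua="Mozilla/5.0 (Macintosh)" action=login
2024-05-01T11:20:05Z sid=s-1002 user=bob ip=192.0.2.41 ua="Mozilla/5.0 (Macintosh)" action=view_report
""".splitlines()

def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (quoted values allowed)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in shlex.split(rest))
    fields["ts"] = ts
    return fields

def detect_session_hijack(lines):
    """Bind each session id to the client fingerprint (ip, user agent) recorded
    at login and flag any later request carrying the same token from a different
    client. A user-agent change is rated high (a browser does not change its UA
    mid-session); an IP-only change is rated medium, because mobile and VPN
    users roam legitimately and would otherwise cause false positives."""
    bound = {}   # session id -> (ip, ua) seen at login
    alerts = []
    for rec in map(parse_line, lines):
        fp = (rec["ip"], rec["ua"])
        sid = rec["sid"]
        if rec["action"] == "login" or sid not in bound:
            bound[sid] = fp          # first sighting establishes the fingerprint
            continue
        expected = bound[sid]
        if fp == expected:
            continue
        severity = "high" if fp[1] != expected[1] else "medium"
        alerts.append(Alert(sid, rec["user"], expected, fp, severity))
    return alerts

if __name__ == "__main__":
    for alert in detect_session_hijack(SAMPLE_LOG):
        print(alert)
```

On the sample log, alice's token reappearing from a scripted client on a new IP is rated high, while bob's IP-only change is rated medium; a real deployment would also invalidate the session server-side on a high-severity match rather than only alert.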
Preparedness: How to Stay Ahead
These latest hacks highlight the creativity and resourcefulness of cybercriminals and their ability to exploit vulnerabilities, according to Dannie Combs, DFIN’s SVP and Chief Information Security Officer. That’s why organizations need to stay vigilant, including having a comprehensive, tech-enabled cybersecurity strategy in place to better protect against modern cybercrime.
This involves implementing continuous risk assessments, a multi-layered security approach (firewalls, DDoS protection, endpoint detection, data encryption, and timely updates), and a zero-trust architecture to validate identities and devices continuously.
Prioritizing identity management with least privilege access, modern authentication schemes, and adherence to global regulatory obligations further strengthens defenses. Additionally, well-prepared incident response plans, regularly tested through tabletop exercises, ensure swift, confident action to minimize damage when security incidents arise.
A recognized leader in cybersecurity, Dannie is responsible for the safety of DFIN’s data as well as the sensitive data of our clients. Visit Top Cybersecurity Questions Answered: The Latest on Ransomware, AI, and Supply Chain Threats to read Dannie’s thoughts on addressing cyber threats, mitigation strategies, the risks of AI, and top cybersecurity concerns for the C-suite in the coming year.
Disclosing Cybersecurity Incidents to the SEC and Company Stakeholders
Dannie stressed the importance of complying with global regulatory requirements to protect data and avoid penalties. This includes adhering to regulations like the SEC's cybersecurity rules, which recently extended to smaller reporting companies. Integrating compliance into overall cybersecurity strategies ensures a stronger security posture.
In the U.S., if a cyber incident is material, public companies must report it to the SEC within four days. The SEC defines material cybersecurity incidents as those that reasonable investors would consider important when making investment decisions, such as incidents impacting financial conditions, operational performance, reputation, and market position.
The disclosure to the SEC must include information on the incident's nature, scope, timing, and impact. The rule aims to help companies build stakeholder trust and preserve investor confidence. And the SEC is serious about reporting. It recently made updates to its disclosure rules, with compliance dates determined by a company’s size. This year, smaller reporting companies, those with a public float of less than $250 million annually, were required to be fully compliant.
Dannie noted that publicly traded companies often use DFIN’s ActiveDisclosure financial reporting software to report timely and accurate disclosures, including cybersecurity incidents, to the SEC and company stakeholders.
ActiveDisclosure is an important tool for organizations that must stay up to date with the latest regulatory disclosure requirements and compliance obligations. It automatically updates with the most recent SEC regulations and streamlines the entire reporting process, ensuring companies are compliant and company stakeholders are informed.