Unraveling the Web: Exploring Cybersecurity Risks in Securities Fraud


A dataset with cybercrime and fraud data from several countries includes the cost of cyber attacks, broken down by NAICS code and the size of the enterprise.

A new dataset with a timeline of significant cyberattacks covers several variables, including time frame, attack type, and victim.

Web 1 / The Unraveling

The Internet’s first phase, Web 1, is often viewed through the Strauss-Howe Generational Theory, which depicts how different times and cultures evolve similarly. Seen this way, the period embodies the Unraveling of that theory, which is marked by a weakening of institutions and an emphasis on individualism.

During the Unraveling, many individuals seized control of their online identities and formed their own communities on the web. This created the romantic vision of a more democratic and free society. While this was not achieved to the extent that some hoped, it created an ethos that helped to foster technological innovation and inspired cultural movements that are still being actualized in today’s blockchains and decentralized infrastructure.

This unfettered individualism also led to an overreliance on content distribution as the primary function of the Internet. This set the stage for a new wave of companies like Google and Facebook to grow into powerful intermediaries that controlled most of the information available on the Internet in monopolistic fashion.

These market entities have complex and interconnected information systems that present a unique cybersecurity risk to the U.S. securities markets. Threat actors can use these systems to exploit vulnerabilities, steal data and cause financial harm through cyber heists that can destabilize markets. Additionally, public companies that disclose a cybersecurity incident may face derivative actions and securities fraud class action claims by shareholders.

Web 2 / The Crisis

The financial services industry is not immune to cyber threats. You might even ask: what is securities fraud? Whether it takes the form of money laundering through stock manipulation, securities fraud, or phishing attacks, cybercrime is rampant across the market. Investors also face risks from cyber heists that expose confidential information, including investor accounts and other data. The largest financial institutions have much to lose from these incidents.

The SEC is working to help investors and market participants protect themselves from cyber threats. The Commission’s National Exam Program takes a comprehensive approach to cybersecurity, and the Commission’s staff is actively monitoring the risk to investors and market participants from cyber threats, such as phishing attacks, malware-based heists, false account openings, and firm impersonation scams, among other potential issues.

In addition, FINRA has released valuable guidance to help broker-dealers, investment advisers, investment companies, and exchanges protect their customers from these types of threats. These include a risk alert highlighting the risks of cyber threats related to fraudulent account openings and a series of investor bulletins focused on the risks associated with various types of cyber scams.

In light of the increased national focus on cybersecurity, the SEC’s new proposal on materiality for cybersecurity breaches could significantly impact public companies’ disclosure obligations. Companies must determine whether an incident is material by assessing the nature, severity, and potential magnitude of the harm caused. This difficult exercise requires open lines of communication between legal and IT departments.

Web 3 / The Revolution

Amid growing concern about cyber attacks, fraud, and financial crime, banks face increasingly interconnected threats and burdens. As a result, many are transforming their operating models to gain a more comprehensive view of their threats and how to mitigate them.

One example is Web 3.0, or dapps (decentralized apps), designed to give users more control over their data. Proponents claim Web 3.0 will enable a new generation of decentralized, user-driven applications. The technology could eventually allow a more open internet that is free of the domination of a few significant players, similar to what blockchain protocols are doing for Bitcoin.

Another is a design alternative to blockchain that Berners-Lee is working on with his startup Inrupt. He has envisioned a fast, cheap, and private alternative to blockchain. It could store information such as bank accounts, stock certificates, and personal records.

While these technologies may not completely protect against a cyberattack, they can help minimize damage and improve cybersecurity controls at public companies. In turn, they can help ensure compliance with the SEC’s new rules regarding disclosing cyberattacks and other risks. Moreover, they can also help reduce the risk of securities fraud by preventing hackers from obtaining nonpublic information to use in fraudulent trades. This is a key objective of the SEC’s Cyber Unit, which has already brought numerous enforcement actions related to cryptocurrencies and initial coin offerings, brokerage account takeovers, and trading based on hacked nonpublic information.

Web 4 / The Rebirth

In 2022, cyber threats escalated in frequency, impact, and sophistication. They have become a daily reality for businesses and their people, threatening to undermine business continuity by disrupting critical services or stealing data that exposes financial and operational secrets.

At the same time, technological innovation is accelerating as enterprises layer new systems on top of their existing infrastructure to support remote working and customer engagement and to generate value. These innovations can be a source of vulnerability if not adequately protected.

The profitability of cybercrime is also attracting criminals from around the world, including entire nation-states. This proliferation of attacks is creating new levels of risk for everyone, from individuals and large companies to the public and private sectors.

Meanwhile, security professionals are experiencing burnout, driven by the fear of letting the organization down if they miss one threat among thousands every day, exhausting work schedules, the constant juggling of technologies, the emotional toll of knowing that their efforts can’t make a difference in the lives of criminals, and the fact that attacks aren’t slowing down. This creates a unique opportunity for providers and investors to create more impact with customers by offering outcome-based pricing, geographic coverage, targeted customer groups, integration, and off-the-shelf analytics.