Contacting Law Enforcement Post Cyber-Attack

If your home or office were burglarized, your first step would be to call the police, but what happens if your hedge fund or private equity firm is the victim of a data breach, a spear phishing scheme, or another cybercrime? Do you dial 911? Call the local police department’s non-emergency number? Contact the FBI?

Juniper Research estimates that the global cost of cybercrime will surpass $2 trillion by 2019, nearly four times as much as in 2015.  For financial services firms, the story is even worse; the financial industry is victimized 300 times more frequently than other industries, and their data breaches tend to be much more expensive to clean up, averaging $336 per record against $225 per record for the standard U.S. business.

Yet as cybercrimes rapidly escalate in frequency, sophistication, intensity and cost, confusion reigns regarding if and when to call law enforcement to investigate – and even which agency to contact and how to contact them. As a result, massive data breaches and cyber-attacks launched against major financial organizations grab headlines and prompt extensive police investigations, while cybercrimes committed against hedge funds, private equity firms, and other small businesses often go unnoticed and unreported. The FBI Internet Crime Complaint Center (IC3) estimates only 10% to 12% of cybercrimes committed in the U.S. are reported each year.

Underreported & Under-Investigated

The gross underreporting of cybercrimes only emboldens hackers, so the U.S. Department of Justice recommends that all cybercrimes, regardless of size and scope, be reported to local, state, federal or international law enforcement agencies.

However, many state and local law enforcement agencies face significant challenges in dealing with the new world of cybercrime. Online crimes are borderless; a company located in Delaware may be attacked by a hacker in Eastern Europe, or a group of hackers scattered in different locations around the world, creating jurisdiction issues. Local agencies may also lack technical equipment and expertise, human resources or funding. As a result, reporting a cybercrime to a local law enforcement agency is a bit of a long shot; some agencies are staffed with trained cybercrime investigators and digital forensics specialists, but many don’t even know where to start when it comes to cybercrime complaints, ultimately leading to referrals to federal law enforcement.

But the Feds can’t be expected to do it all. Even though most cybercrimes aren’t reported, federal resources are severely strained by the onslaught of incidents that are reported, and only the largest incidents will warrant an active federal investigation. James A. Lewis, Senior Vice President of the Center for Strategic & International Studies, reported being told by an FBI field office the agency has a “million-dollar threshold.” So for the Fed to really step in, it’s about threshold, number of victims affected, and the following:

• National security or public safety or health
• Critical infrastructure
• Securities fraud or investment-related spam email
• Violations of state, local, or federal law

So what’s being done to empower local law enforcement to one day better handle cybercrimes? The Secret Service has partnered with the Department of Homeland Security, the State of Alabama, and the Alabama District Attorney’s Association to establish the National Computer Forensics Institute. Located in Hoover, Alabama, the institute trains state and local law enforcement, judges, and prosecutors on digital forensics techniques and cybercrime investigation. The FBI also offers numerous resources and training opportunities for local law enforcement agencies, including fellowships at the National Cyber Investigative Joint Task Force.

Hedge Funds & Private Equity: Who you going to call?

The FBI

The FBI is the lead federal law enforcement agency in charge of investigating cybercrimes in the U.S. and has significant infrastructure in place to aid local law enforcement as well as other federal agencies. This includes a dedicated Cyber Division at its headquarters in Washington, D.C., specialized cyber squads located at all 56 FBI field offices, nationwide Computer Crimes Task Forces, and new Cyber Action Teams that can be deployed internationally.

All cybercrimes, regardless of size or scope, should be reported to the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov. An IC3 analyst will review the report and forward it to appropriate federal, state, local or international law enforcement or regulatory agencies.

It’s important to note the IC3 does not investigate or prosecute crimes; it simply forwards complaints and maintains records. Hedge funds and private equity firms impacted by larger, more serious and time-sensitive incidents requiring immediate law enforcement intervention should contact their local FBI field office. You can locate yours at https://www.fbi.gov/contact-us/field-offices.

The U.S. Secret Service

Alongside its well-known presidential protective details, the agency has a mandate to fight cybercrimes that impact payment systems and the financial industry. In addition to notifying the FBI, financial organizations victimized by cyber criminals should contact their local U.S. Secret Service Electronic Crimes Task Force office.

The Securities & Exchange Commission (SEC)

Securities fraud and investment-related spam emails should be reported to the SEC using their online complaint form.

The Financial Services Information Sharing and Analysis Center (FS-ISAC)

FS-ISAC is a non-profit organization created in response to the 1998 Presidential Decision Directive-63 (PDD-63), which directed critical infrastructure sectors to establish sector-specific organizations for sharing information about cyber threats and vulnerabilities. Among many other services, FS-ISAC gathers, analyzes, and disseminates physical and cyber threat and vulnerability information to financial organizations worldwide. Members of FS-ISAC can submit reports of cyber incidents both with attribution or anonymously.

Relevant State & Local Agencies

Depending on where your firm is located, you may be required by state law to report data breaches and other cyber incidents to specific state agencies. For example, financial firms that fall under the regulation of the State of New York’s cybersecurity regulation must report all cybersecurity incidents to the state Department of Financial Services using the agency’s online portal.

What Information Do You Need to Report?

Be prepared to share the following basic information with law enforcement:

• Your organization’s basic contact information: legal name, street address, telephone, and website.
• The appropriate point of contact for the incident and that person’s email address and phone number. For many firms, this person is their legal counsel.
• A summary of the impacts on your business and its mission and operations, including whether critical infrastructure was involved.

Furthermore, your security team needs to collect as much detail about the incident as possible, including:

• The initial entry vector or vulnerability exploited; how and when it was initially detected or discovered; and what specific assets appear to be impacted (systems, networks, data).
• Logs, including destination IP and port and destination URL.
• The operating system running on the affected system(s).
• The source ports involved in the attack.
• Any indications (current or historical) of sophisticated tactics, techniques, and procedures (TTPs).
• Any indications (current or historical) that the attack specifically targeted your organization.
• Status change data and time stamps (including time zone).

Build Law Enforcement Relationships Now

Cyber-attacks do not happen in a vacuum. Effectively preventing and combating cybercrime requires everyone to cooperate and share information – federal , state, and local law enforcement; public and private-sector organizations; and even individuals who are victimized.

Hedge funds, private equity firms and other businesses should form partnerships with their state and local law enforcement, as well as their local FBI and Secret Service field offices, before a cyber incident occurs. If local authorities are familiar with your business, and you are familiar with them, critical time will be saved during incidents where law enforcement must be called in to investigate. Additionally, these law enforcement contacts can keep your business updated on potential or emerging cyber threats so you can take proactive measures to avoid being victimized.

Your firm should also consider joining FS-ISAC so you can share and receive threat information specific to the financial industry. Your cybersecurity team will greatly benefit from the organization’s other resources like threat conference calls, webinars, and meeting summits and trainings.

Governance and Incident Response: What do your plans look like?

While this blog is about law enforcement agencies and how they play into the process of responding to a breach, law enforcement cannot secure your firm’s systems or help your company repair the damage after a breach or a hack. Hedge funds and private equity firms must set up their own cyber defenses and ensure they are compliant with SEC guidelines. A proactive governance plan including security testing, policy development, employee cyber-awareness training, and SEC compliance measures is the backbone of your firm’s cybersecurity.

While solid governance can prevent many breaches and hacks, there is still no foolproof defense against cyber criminals. That’s why the second and third components of a robust cybersecurity posture focus on a comprehensive incident response program to mitigate the damage of an incident, and rapid detection and response to quickly contain an attack. Since we know cybersecurity is a lifecycle, your governance program should then be used to regularly test your incident detection and response protocols to ensure they hold up even during chaotic and stressful situations.  And round and round the lifecycle goes.

Learn More About Our Serivces