HalcyonFT Quarterly Newsletter - Q2 2024 - Updates and Recommendations
As warmer weather approaches, we know many of our clients are looking forward to their summer vacations. Whether you’re spending time with family, taking a well-deserved trip, or just enjoying a backyard barbecue, we hope you all have a great summer! Rest assured that the HalcyonFT team remains hard at work, keeping abreast of the latest industry developments and how they affect your business. Read on for the most recent items of interest.
In this issue:
SEC Rule Changes Require Incident Response Plans
Protect Yourself from Deepfake Scams
HalcyonFT Earns ISO 27001 Certification
What You Need to Know About Microsoft Recall
SEC Rule Changes Require Incident Response Plans
Under the latest amendments to Regulation S-P, SEC-registered investment advisors must have an incident response plan to notify customers of data breaches.
New SEC amendments to Regulation S-P require registered investment advisors (RIAs) to have an incident response plan in place to notify customers of data breaches. The plan must include procedures for assessing the nature and scope of the incident, containing and controlling the incident, and notifying affected individuals whose sensitive customer information was compromised as soon as practicable, but generally not later than 30 days after the financial institution becomes aware that there has been an unauthorized breach of customer information.
These new regulations, which will become effective in December 2025, aim to protect customer information from unauthorized access and ensure that RIAs can respond quickly and effectively in the event of a breach.
The final rule does not require a financial institution to enter into a contract with its third-party service providers to deliver data breach notices. However, it is the responsibility of the financial institution to ensure that such notices are sent either by the institution or by its service providers in the event of a breach. We recommend that this be included in your annual third-party critical vendor reviews.
To comply with these new regulations, RIAs must review and update their existing policies and procedures to ensure they are fully compliant. This may require changes to your existing incident response plans and procedures. Please reach out to your HalcyonFT point of contact if you would like our assistance.
For more information, please see www.sec.gov/news/statement/uyeda-statement-reg-s-p-051624 and https://www.sec.gov/files/rules/final/2024/34-100155.pdf
Protect Yourself from Deepfake Scams
As artificial intelligence becomes increasingly adept at imitating human writing styles, cloning voices, and creating faces with nearly perfect accuracy, deepfake scams pose a growing threat to individuals and businesses of all sizes.
Deepfake scams are a form of cybercrime in which artificial intelligence (AI) is used to create convincing fake videos, images, or audio recordings. These scams often involve manipulating a person’s likeness or voice to create realistic-looking or -sounding media that can be used to deceive individuals or the public. Also known as deepfake phishing, these techniques are being used to manipulate victims, exploit their trust, and bypass traditional security measures.
The Federal Trade Commission (FTC) reports that such “impersonation scams have cost consumers billions of dollars in recent years.” Indeed, Forbes reports that “instances of deepfake phishing and fraud have surged by an astounding 3,000% in 2023,” and the threat continues to grow.
Here’s what HalcyonFT is doing to protect you:
Mimecast: HalcyonFT leverages Mimecast to safeguard clients against phishing and spoofing attacks. Mimecast provides advanced email security, threat intelligence, and URL filtering to detect and block malicious emails. By analyzing email content and sender behavior, Mimecast helps to prevent fraudulent emails from reaching clients’ inboxes.
Client Branding: HalcyonFT works to ensure consistent client branding across all available services. By customizing login pages and other communication channels, clients can easily recognize legitimate communications. This branding reinforces trust and helps clients differentiate between authentic messages and potential threats.
Future-Proofing Strategies: HalcyonFT maintains a proactive stance by researching and implementing state-of-the-art technologies to prevent these attacks. As deepfakes continue to evolve, we will keep you up to date on the most effective methods of combatting these attacks.
And here’s what you can do to protect yourself:
Be Skeptical: Always question the authenticity of unexpected or unusual media, especially if it involves financial transactions or personal information. To spot a fake video, watch for unnatural facial expressions, mismatched lighting, shadows, blurriness, or artifacts that suggest editing. Also, listen for audio that doesn’t sync with the visuals and keep an eye out for any oddities in the background that could indicate manipulation.
Verify Sources: Double-check the source of the media. Contact the purported individual or organization directly through verified channels to confirm the legitimacy of the content.
Limit Personal Data Online: Reduce the amount of personal information you share on social media and other platforms. Scammers can use this data to create more convincing deepfakes.
Consider a Security Word or Phrase: A security word or passphrase serves as an additional layer of protection against impersonation attacks. By requiring users to provide this unique piece of information during authentication, organizations can verify their identity more effectively.
If you encounter content that you suspect to be a deepfake, please report it to help@halcyonft.com.
HalcyonFT Earns ISO 27001 Certification
HalcyonFT continues to earn recognition for its high security standards.
Earlier this month, HalcyonFT earned ISO 27001 certification, further demonstrating the firm’s ongoing commitment to the industry's highest security standards. As the internationally recognized standard for Information Security Management Systems (ISMS), ISO 27001 ensures that organizations implement rigorous security controls to protect sensitive data.
“Achieving the ISO 27001 certification underscores HalcyonFT’s unwavering commitment to safeguarding information entrusted to the company by its clients and emphasizes our team’s dedication to quality, efficiency, and continuous improvement,” said Joe James, Partner and Director of Projects.
For more information, please read the full press release.
What You Need to Know About Microsoft Recall
A new feature promises to enhance your productivity and memory, but it also raises some concerns.
What is Microsoft Recall?
Microsoft Recall is a new feature on the upcoming Microsoft Copilot+ PCs. Designed as a visual timeline, it captures “snapshots” of your screen every five seconds and analyzes them with on-device AI.
It promises to instantly find anything you've seen on your PC, whether in apps, websites, images, or documents. Think of it as a virtual and private photographic memory for your digital activities.
To enable Recall, you will need a Copilot+ PC enrolled in Windows Hello, a biometric authentication system that uses your face, fingerprint, or PIN. Microsoft says that snapshots will be decrypted only when you authenticate, ensuring that only you can access your visual history.
What are the Pros and Cons of Microsoft Recall?
Microsoft Recall has potential benefits and drawbacks. For example, Recall can boost your productivity and memory by allowing you to quickly revisit previous tasks, projects, or research. However, it poses challenges for data privacy and security.
Recall captures a lot of data from your screen, which may include sensitive or personal information, such as passwords, emails, chats, or financial records. Recall can also create legal and regulatory compliance issues for data retention and governance.
Microsoft recently announced that Recall will not be active by default. Instead, your users may opt in and customize the settings. Microsoft claims your users will have total control of its functionality, with the ability to pause or disable snapshots, filter applications, and delete snapshots at any time. Our recommendation at this time is to disable Recall snapshots by policy. As your technology partner, we can and will systematically disable Recall snapshots.
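As an added illustration of disabling Recall snapshots by policy (this script is not HalcyonFT's or Microsoft's own code), the PowerShell below audits, and with -Enforce sets, the Windows "Turn off saving snapshots for Windows" policy. The registry location and the DisableAIDataAnalysis value name are not given in this newsletter and are assumed here from Microsoft's Windows AI policy; the function names are hypothetical.

```powershell
# Added example: audit (and optionally enforce) the policy that turns off
# Recall snapshot saving. Run elevated when using -Enforce (HKLM is written).
param([switch]$Enforce)

# Assumption: policy key and value name as used by the Windows AI policy
# "Turn off saving snapshots for Windows"; neither appears in the newsletter.
$PolicySubKey = 'SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
$ValueName    = 'DisableAIDataAnalysis'

function Get-RecallSnapshotPolicy {
    # Hypothetical helper: reads the policy value from one hive.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path = "${Hive}:\$PolicySubKey"
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive     = $Hive
        Value    = if ($item) { $item.$ValueName } else { $null }
        Disabled = [bool]($item -and $item.$ValueName -eq 1)
    }
}

function Set-RecallSnapshotPolicy {
    # Hypothetical helper: writes DisableAIDataAnalysis = 1 (DWORD) in one hive.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path = "${Hive}:\$PolicySubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $ValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Check the machine-wide and per-user policy hives; a missing value counts
# as "not disabled", so an unconfigured machine is reported, not assumed safe.
$results = foreach ($hive in 'HKLM', 'HKCU') {
    if ($Enforce) { Set-RecallSnapshotPolicy -Hive $hive }
    Get-RecallSnapshotPolicy -Hive $hive
}
$results | Format-Table -AutoSize

# Conservative verdict: compliant only when both hives carry the value 1.
$missing = @($results | Where-Object { -not $_.Disabled })
if ($missing.Count -gt 0) {
    Write-Warning ("Recall snapshot policy not set in: " + ($missing.Hive -join ', '))
    exit 1
}
Write-Output 'Recall snapshots are disabled by policy in both hives.'
```

A non-zero exit code lets a management or monitoring agent flag machines where the policy is missing; in a managed environment the same setting would normally be delivered through Group Policy or MDM rather than a per-machine script.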
Should You Try Microsoft Recall?
Before deciding to use Recall, carefully weigh the pros and cons, and be aware of the potential legal and ethical implications. You should also review the privacy and security settings of Recall, and make sure that you understand how your data is collected, stored, and protected.
We’re here to help.
Please contact your HalcyonFT team if you would like any additional information on any of these items.
— Your HalcyonFT Team