Anna Delaney: Prosecutors accused FTX's founder of crypto-based deception, and how can security leaders guard against their own liability? These stories and more on this week's ISMG Security Report.
(Theme music)
Delaney: Hi, I'm Anna Delaney. One month ago, cryptocurrency exchange giant FTX unexpectedly collapsed, leaving many individuals seriously out of pocket. ISMG executive editor Mathew Schwartz has been part of our team covering the collapse of FTX. Matt, on the investigatory front, things seemed to come to a head this week, didn't they?
Mathew Schwartz: Definitely, Anna. As you say, FTX collapsed suddenly last month - hard to miss. It created billions of dollars of losses for the platform's customers, lenders and investors. U.S. federal prosecutors, together with the FBI and financial regulators, say they sprang into action immediately to try and determine what had happened. Well, on Tuesday, prosecutors unsealed a federal grand jury indictment charging California native Sam Bankman-Fried - the founder of FTX - with misappropriating billions of dollars of customer funds deposited with FTX beginning in May 2019. The 30-year-old has also been charged with inappropriately using that money to fund Alameda Research - a cryptocurrency hedge fund he founded. Based on these charges, Bankman-Fried was arrested Monday by police in the Bahamas, where FTX has been headquartered since 2021.
Delaney: Is it likely that more suspects just like Bankman-Fried might be charged?
Schwartz: Definitely. Investigators say these are only the first steps in their fast-moving probe into what U.S. Attorney Damian Williams on Tuesday characterized as one of the biggest financial frauds in American history.
Damian Williams: This morning, we unsealed an eight-count indictment charging Samuel Bankman-Fried, FTX's founder, with a series of interrelated fraud schemes that contributed to FTX's collapse.
Schwartz: The charges unveiled against Bankman-Fried are wide ranging. They include alleged wire fraud, commodities fraud, securities fraud, and money laundering and campaign finance violations, among others. That is just the federal grand jury indictment. Bankman-Fried also faces civil lawsuits from the Securities and Exchange Commission and the Commodity Futures Trading Commission. SEC chair Gary Gensler accused Bankman-Fried of having built a house of cards on a foundation of deception while telling investors that it was one of the safest buildings in crypto.
Delaney: To what extent did this being a cryptocurrency platform facilitate Bankman-Fried's alleged crimes?
Schwartz: Cryptocurrency is hot, and if you're allegedly going to run a scam and want to amass billions of dollars of other people's money, maybe that makes crypto an obvious play. But despite the crypto veneer, prosecutors are alleging that this was straight-up fraud. That's being echoed too by attorney John Ray. He's an Enron bankruptcy veteran who was hired by FTX's board of directors when Bankman-Fried was forced to step down on November 11, and the company immediately began Chapter 11 bankruptcy proceedings. Subsequently, Bankman-Fried began conducting numerous interviews, acknowledging that he'd screwed up, but claiming that this amounted to what were innocent errors and denying any and all suggestion that it might have involved fraud. Ray, however, has suggested otherwise. Last month, the FTX CEO wrote in a court filing that never in his career had he seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred at FTX. Strong words! Ray is now overseeing FTX's liquidation. And he testified Tuesday in front of the U.S. House Financial Services Committee, detailing what he learned from studying FTX's financial records and reviewing its security controls, which he said were grossly inaccurate and inadequate.
John Ray: This is really old-fashioned embezzlement. This is just taking money from customers and using it for your own purpose. Not sophisticated at all. Sophisticated perhaps in the way that they were able to sort of hide it from people, frankly, right in front of their eyes, but this isn't sophisticated whatsoever. This is just plain old embezzlement.
Delaney: What happens next with the case against Bankman-Fried?
Schwartz: He was arraigned on Tuesday and sought to remain free on bail, telling the judge in the Bahamas that he needed to remain free so he could continue to keep a vegan diet and have guaranteed access to allergy medicine and prescriptions. The judge reportedly wasn't swayed by these entreaties. He denied the request. Bankman-Fried remains incarcerated, and he's due back in court in February for what is likely going to be an extradition hearing. The Bahamian attorney general this week promised that when an extradition request gets received, which it expects to happen, the Bahamas intends to process it promptly. But Bahamian Prime Minister Phillip Davis has also said his country will continue its own regulatory and criminal probe of FTX.
Delaney: Thanks, Matt, for the latest details on the unfolding FTX crypto calamity.
Schwartz: It's my pleasure. Thanks, Anna.
Delaney: Former Uber CSO Joe Sullivan's conviction in the U.S. back in October sparked panic amongst chief information security officers. If they fail to report a breach, might they go to jail? I spoke with Jonathan Armstrong, a partner at Cordery Compliance, this week. He shared some practical steps that security leaders can and should take to guard against their own liability.
Jonathan Armstrong: In some respects, it's almost a conflict of interest for a lot of CISOs. They're trying to do their best for the corporation. It's right and proper that they do that, and that will be things like putting the best technical and organizational measures in place, rehearsing a data breach, making sure that you're taking account of the transparency obligation. They'll also be doing the "cover my own backside" type stuff as well. I've seen quite a lot of people say, "Oh, that's all about creating written memos." I don't think that is necessarily the case, because those memos probably wouldn't be privileged. You need privilege in a data breach situation if you're going to defend civil actions. So I don't think it's necessarily about creating endless streams of memos. First of all, when you're starting a position, when you've got some bargaining power, make sure that your contract is robust and that you've got the protections you need there. I think it might involve looking at reporting lines: who reports to whom, who is going to report a data breach. Again, rehearsals are important so that individuals know their own roles and responsibilities in the team. You're clear about what you will do and what you won't do. I think it's about due diligence. When you move to an organization, is there a data breach there that hasn't been reported? And how are you going to manage that if you're the new girl coming into the team and sorting all this out? I think it's about director and officer liability insurance - D&O insurance - so making sure that your name is on the policy and making sure that the organization will support you financially if there is an incident, because defenses like Sullivan's cost an awful lot of money - litigation in Europe and in the U.S. costs cash. I think finally, the thing that's a bit off the wall, is looking at your remuneration package.
I have a theory that prosecutors are more likely to act when they think that an individual has gained as a result of covering up a data breach. For example, quite often, a data breach will alter the share price or the stock price in an organization; that might be 5% or 6% or 7%. If you personally are going to gain by that - for example, the world doesn't know about the data breach, you dispose of stock, whether actively or just automatically, because that's the way your options work or whatever, and you gain financially - you're much more likely to be prosecuted. The conventional wisdom, I think, is to tie your remuneration to stock price, because that's your way of making big bucks if it's bonanza time in the corporation, but that might expose you to greater risk of criminal prosecution if your package is structured in that way. Be thoughtful about how you're getting remunerated for your work.
Delaney: Finally, as we head into 2023, how is the privacy and security landscape different than it was a year ago? This was a question posed by our business editor Michael Novinson to legal and privacy expert Lisa Sotto of law firm Hunton Andrews Kurth. Here's her take on the most significant changes of this year.
Lisa Sotto: On the security side, we see ransomware still taking first prize. We had arrests back in March in London of members of the Lapsus$ group. That was the high point for the year. Conti brought the Costa Rican government to a halt, as well as the French Ministry of Finance. China has also been very active, hitting telecom companies and media companies. From the federal perspective, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act. That requires reporting for certain critical infrastructure companies within 72 hours of detecting certain events and within 24 hours of paying a ransom. The regulations are not out yet. We'll see how that plays out. But that law has been passed. The SEC has raised the stakes with its proposed rules that would require disclosure of a material cyber event within four business days of an attack. I'll just note also, on the privacy side of the house, we saw the first BIPA case go to trial. That's the biometric privacy law in Illinois. And that resulted in a jury verdict of $228 million in damages. This was a result of scanning truck drivers' fingerprints for identity verification purposes. This also will give us a sense of how damages might be calculated under BIPA going forward. A couple of other things to mention: the White House recently unveiled its blueprint for an AI Bill of Rights; that's going to be very important in thinking about AI systems going forward. In a very significant development, President Biden signed an executive order that provides a new framework for data transfers between the EU and the U.S. to replace the Privacy Shield framework. The legal basis for data transfers has been uncertain since the European Court of Justice in 2020 declared the Privacy Shield to be invalid. This executive order is intended to speak to the issues that were criticized by the Court of Justice.
For example, there's a new redress mechanism in the United States for complaints by Europeans, and there's a new court that would be stood up - an independent court, the Data Protection Review Court - and that's a very significant move. There's just so much happening. It's hard to pinpoint just a few items to highlight.
Delaney: That's it from the ISMG Security Report. I am Anna Delaney. Until next time!