Seven Iranian nationals were criminally charged by the US Department of Justice with engaging in cyber-attacks on 46 major US-based corporations, principally in the financial sector, from late 2011 through mid-2013. The attacks, which allegedly occurred on more than 176 days, involved so-called “DDoS” or distributed denial of service attacks. Through these attacks, the defendants sought to flood the targeted companies’ computer servers with bogus messages, preventing customers of the companies from conducting ordinary business. Among companies purportedly impacted detrimentally by the attacks were Bank of America, NA, NASDAQ, New York Stock Exchange, Capital One Bank, ING Bank, U.S. Bank, NA, Fidelity National Information Services, and PNC Bank. None of the attacks on any company resulted in the theft of customer account data, however, said the DOJ. The criminal indictment against the defendants also charged that they attacked the computer systems of a dam in Rye, NY (Bowman Dam). The DOJ seeks the defendants’ imprisonment if convicted, and their forfeiture of any personal property used to facilitate the alleged wrongdoing. The indictment against the defendants claims they all had ties to the Islamic Revolutionary Guard in Iran. The DOJ in a press release said the DDoS attacks “cost the banks tens of millions of dollars in remediation costs … to neutralize and mitigate the attacks on their servers.”

Compliance Weeds: As I have written before, there are only two types of firms that use computer systems today for their businesses: those that have had experienced cyber-attacks and know about them, and those that have experienced cyber-attacks and don’t know about them. All firms should be mindful of their risk of cyber-attacks and should have implemented by now and maintain an appropriate cybersecurity program. As of March 1 this year, all members of the National Futures Association are required to have implemented and enforce an information systems security program commensurate with their size, customer base and product access. (Click here for details of NFA’s requirements in the article, “NFA Proposes Cybersecurity Guidance” in the September 13, 2015 edition of Bridging the Week.) NFA’s general requirements are not unique and are typical of requirements increasingly being mandated in form or substance for financial services companies globally either expressly, as recommended practices or otherwise.