Simulation Scenario

Fontaine Financial Corp Data Security Incident

(Fictional Factual Scenario for Classroom Simulation)

The Firm. Fontaine Financial Corp is a financial holding company headquartered in Durham, North Carolina. It holds banking, investment advisory and broker-dealer subsidiary firms. It has offices all over the U.S.A. and in London, Paris, Brussels and Hong Kong. The firm trades publicly on the New York Stock Exchange, has about 20,000 employees, earns annual revenue of $250 million and enjoys about a $1 billion market capitalization. The firm was started by David Fontaine’s father in 1970 as a merchant bank in Durham, and has grown into an exciting and thriving part of the Research Triangle. Luca Investment Advisors is a Fontaine Financial subsidiary that provides investment advisory services, and is comprised of about 500 employees, half of whom work from home via a third-party cloud platform, Beckage Cloud Services. Fontaine Financial has experienced two cyber-attacks.

Cyberattack #1. Heather Sussman, the General Counsel of Fontaine Financial, received an email from the CEO, Cynthia Fontaine, instructing her to transfer $500,000 to a bank in Atlanta, Georgia. The email is an actual email from the CEO’s account, and it appears that someone has stolen her identity. The money is now gone, and the IT department says that the fraud is not going to happen again. There is no evidence of these emails in Cynthia’s or Bruce’s Office 365 account, the email system which Fontaine Financial uses.

Cyberattack #2. All of the employees of Luca Investment Advisors who work from home cannot access any of their data or systems, not even their mobile phones -- the data is all now encrypted somehow. Sussman received a demand via email that Fontaine Financial pay 100 Bitcoin in order to allow Luca Investment Advisors to regain access to their data and systems. Much of this data resides on Beckage’s Cloud Services Platform. The attackers, known as the “Bug Bounty Crew,” are also asking for the 100 Bitcoin in accordance with the terms of the Fontaine CyberShield Program, asserting that they detected a vulnerability and have encrypted the relevant data to illustrate how serious the vulnerability is.

The Fontaine CyberShield Program. The CISO, Rick Lando, who reports to Sussman, only recently replaced the old CISO. For his first project with Fontaine Financial, Lando created the CyberShield Program to serve as a vulnerability disclosure program and to make the company’s systems more robust and more secure. CyberShield offers payments of up to $1.5 million to anyone who lawfully identifies a data security vulnerability in Fontaine Financial systems.

Rick Lando. Rick Lando is rumored to have once worked with the “Bug Bounty Crew,” and also recently sold Fontaine Financial stock.

Credit Cards. The broker-dealer subsidiary of Fontaine Financial runs one of the more famous charities in the Research Triangle area, a 5-K run in the spring, which kicks off a weekend of celebration, dubbed Fontaine Weekend, all to benefit cancer research. The contributions are collected and managed by Fontaine Financial and include taking credit cards for contributions – this is all done through a collaborative IT platform shared with a local Durham marketing firm, called Dook Marketing.

Cyber Insurance. Fontaine Financial has a cyber insurance policy, but it is a few years old and the GC who negotiated the cyber insurance policy no longer works at Fontaine Financial.

Duke Hospital. Fontaine Financial provides certain financial consulting services for Duke University Hospital, and as part of their philanthropic efforts, manages a Ronald McDonald House attached to Duke Hospital.

Vendors. Fontaine Financial outsources a litany of administrative functions to quite a few vendors, including payroll services, 401(k) administration and a range of HR functions. Fontaine Financial also uses Microsoft for all data management, including applications, application development and cloud storage. Fontaine Financial also connects online with all of its fund sponsors, such as mutual funds and other investment vehicles. Its most active vendor in the mutual fund space is Tridelity, which has a number of mutual funds that Fontaine Financial peddles to its customers. The contracts with Beckage and with Tridelity each require notification of any "data security incident" at any Fontaine-related entity within a reasonable amount of time. Beckage Cloud Services also owns Tridelity.

Data Security Policy. Fontaine Financial maintains a data security policy which every office is supposed to follow – however, Fontaine Financial does not audit its company offices or home offices for compliance with this policy. Moreover, many home offices use their own computer networks, printers, social network platforms, etc. -- and some are even on macOS systems, rather than Windows operating systems.

Incident Response Plan. Fontaine Financial has an incident response plan but has never before had any sort of incident. Sussman admits that the incident response plan is boilerplate – and was never really seriously developed.

Prior Transactions and Legacy. Over the past several years, Fontaine Financial has made a number of acquisitions and experienced some significant integration issues merging systems from HR to marketing to payroll to financial – in fact, technological integration has been a huge challenge for the company.

Current Transactions. Fontaine Financial has entered into discussions with one of its competitors for a potential merger and is also currently refinancing several loan facilities with its lenders.

SEC Filings. Fontaine Financial has a 10-Q (quarterly reporting form) due for filing in the next couple of weeks.

About John Reed Stark

John Reed Stark, President of John Reed Consulting LLC. Served for 15 years as an SEC enforcement attorney leading cyber-related projects, investigations and enforcement actions; for 11 years as Founder/Chief of the SEC Office of Internet Enforcement; for 15 years as Adjunct Professor at Georgetown University Law School teaching cyber law; for 10 years as a Guest Instructor at the FBI Academy; and for 5+ years as Managing Director (three as head of the Washington, D.C. office) of Stroz Friedberg, a global digital risk management firm, leading cybersecurity, incident response and digital compliance engagements for corporations. Appointed since 2017 as Senior Lecturing Fellow at Duke University Law School teaching the law of cybersecurity and data breach response. Author of The Cybersecurity Due Diligence Handbook.