Simulation Scenario

Simulation Scenario

Fontaine Financial Corp Data Breach Facts

(Fictional Factual Scenario for Classroom Simulation)

  1. The Firm. Fontaine Financial Corp is a financial holding company headquartered in Durham, North Carolina. It holds banking, investment advisory and broker-dealer subsidiary firms. It has offices all over the U.S.A. and in London, Paris, Brussels and Hong Kong, with its headquarters in Durham, North Carolina. The firm trades publicly on the NYSE and has about 20,000 employees and earns annual revenue of $250 million in and enjoys about a $1 billion market capitalization. The firm was started by David Fontaine’s father in 1970 as a merchant bank in Durham, and has grown into an exciting and thriving part of the Research Triangle. Luca Investment Advisors is a Fontaine Financial subsidiary that provides investment advisory services, and is comprised of about 500 employees, half of whom work from home via a third party cloud platform, Beckage Cloud Services.

  1. The Cyber-Attacks. There are two cyber-attacks. First, Chris Ullman, the chief financial officer of Fontaine Financial received an email from the CEO, Cynthia Fontaine, to transfer $500,000 to a bank in Atlanta, Georgia. The email is an actual email from the CEO and it appears that someone has stolen her identity. The money is now gone and the IT department says that the fraud is not going to happen again. There is no evidence of these emails in Cynthia or Bruce’s Office 365 account, the email system, which Fontaine Financial uses. Second, all of the employees of Luca Investment Advisors who work from home cannot access any of their data or systems, even their mobile phones -- the data is all now encrypted somehow. Chris Ullman received a demand via email that Fontaine Financial pay 100 Bitcoin in order to allow Luca Investment Advisors to regain access to their data and systems. Much of this data resides on Beckage's Cloud Services Platform.

  1. CISO. The new CISO, who reports to the firm’s chief administrative officer, recently replaced the old CISO, who was terminated for handing out IT contracts to friends and family, and perhaps even taking kickbacks. He was also selling Fontaine Financial stock at inappropriate times.

  1. Credit Cards. The broker-dealer subsidiary of Fontaine Financial runs one of the more famous charities in the Research Triangle area, a 5-K run on the Spring, which kicks off a weekend of celebration, dubbed Fontaine Weekend, all to benefit Cancer research. The contributions are collected and managed by Fontaine Financial and include taking credit cards for contributions – this is all done through a collaborative IT platform shared with a local Durham marketing firm, called Dook Marketing.

  1. Cyber Insurance. Fontaine Financial has a cyber insurance policy, but it is a few years old and the GC who negotiated the cyber insurance policy no longer works at Fontaine Financial.

  1. Duke Hospital. Fontaine Financial provides certain financial consulting services for Duke University Hospital, and as part of their philanthropic efforts, manages a Ronald McDonald House attached to Duke Hospital.

  1. Fontaine Financial “Franchises.” Fontaine Financial is an operation that is commonly referred to as an “independent agent model,” somewhat akin to the model used by companies like LPL Financial and the Commonwealth Financial Network. This means that Fontaine Financial engages SEC registered representatives and SEC registered investment advisers like outside contractors who set up their own investment advisory shops across the country. Fontaine Financial provides the compliance system; trading platform; clearance services; and other corporate infrastructure and marketing for each of its outside independent operators. The independent operators all function through the umbrella of Fontaine Financial, which receives a management fee from each independent operator and remotely supervises the office of each Fontaine Financial independent operator. In addition to the independent operators, Fontaine Financial also has some of their own Fontaine Financial branch offices across the country, who are not independent operators but are rather full-fledged Fontaine Financial employees.

  1. Vendors. Fontaine Financial out-sources to quite a few vendors a litany of administrative functions including: payroll services; 40l (K) administration; and a range of aspects of HR. Fontaine Financial also uses Microsoft for all data management, including applications, application development and cloud storage. Fontaine Financial also connects online with all of its fund sponsors such as mutual funds and other investment vehicles. Its most active vendor in the mutual fund space is Tridelity, who have a number of mutual funds that Fontaine Financial peddles to their customers. The contracts with Beckage and with Tridelity each require notification of any "data security incident" at any Fontaine-related entity within a reasonable amount of time. Beckage Cloud Services also owns Tridelity.

  1. Data Security Policy. Fontaine Financial maintains a data security policy which all of its independent operators are expected to comply with – however, Fontaine Financial does not audit their independent operators concerning this policy. Moreover, many operators use their own computer networks, printers, etc., social network platforms -- and are even on Mac IOS systems, rather than Windows operating systems.

  1. Incident Response Plan. Fontaine Financial has an incident response plan but has never before had any sort of incident. Carton admits that the incident response plan is boiler plate – and was never really seriously developed.

  1. Prior Transactions and Legacy. Fontaine Financial has recently, over the past several years made a number of acquisitions, and experienced some significant integration issues merging systems from HR to marketing to payroll to financial – in fact, technological integration has been a huge challenge for the company.

  1. Current Transactions. Fontaine Financial has entered into discussions with one of its competitors for a potential merger and is also currently refinancing several loan facilities with its lenders.

  1. SEC Filings. Fontaine Financial has a 10-Q (quarterly reporting form) due for filing in the next couple of weeks.

About John Reed Stark

John Reed Stark's Profile Image John Reed Stark President of John Reed Consulting LLC. Served for 15 years as an SEC enforcement attorney leading cyber-related projects, investigations and enforcement actions; For 11 years as Founder/Chief of SEC Office of Internet Enforcement; For 15 years as Adjunct Professor at Georgetown University Law School teaching cyber law; For 10 years as a Guest Instructor at the FBI Academy; For 5+ years as Managing Director (three as head of the Washington, D.C. office) of Stroz, Friedberg, a global digital risk management firm, leading cybersecurity, incident response and digital compliance engagements for corporations. Appointed since 2017 as Senior Lecturing Fellow at Duke University Law School teaching law of cybersecurity and data breach response. Author of The Cybersecurity Due Diligence Handbook.