Lawyers say Apple CEO Tim Cook may have flouted the Securities and Exchange Commission’s fair-disclosure regulation when he sent a CNBC correspondent an email containing company performance information. In other GRC news from the past few weeks: Charles Schwab was fined $2 million for capital deficiencies; a court ruling reinforced the FTC’s cybersecurity authority; and new malware targeting jailbroken iOS phones stole more than 225,000 Apple users’ credentials.
Apple’s Tim Cook may have infringed SEC disclosure rule
A private email Apple CEO Tim Cook sent to CNBC reporter Jim Cramer last week may have violated federal fair-disclosure rules, reported MarketWatch.
The email, which was read on air and later tweeted by CNBC, contained a mid-quarter update on Apple’s performance that reported an increase in iPhone activations in recent weeks and predicted strong business growth in the Chinese market. Cook also said that in the past two weeks, the Apple App Store saw its best performance of the year in China.
Lawyers told MarketWatch that the email could have violated the Securities and Exchange Commission’s Regulation Fair Disclosure (Regulation FD), which stipulates how public companies can disclose company information to certain individuals or entities. The media is typically exempt from Regulation FD, but CNBC’s Cramer is also co-manager of a portfolio that has a long position in Apple. The SEC has declined to comment, but lawyers predicted that the SEC will, at the very least, investigate the context of the private exchange.
FINRA fines Charles Schwab $2 million
Charles Schwab & Co. was fined $2 million for capital deficiencies and related supervisory failures, the Financial Industry Regulatory Authority (FINRA) announced last week.
FINRA found Charles Schwab net-capital deficient by up to $775 million on three occasions between May 15, 2014, and July 1, 2014. The deficiency stemmed from cash inflows that surpassed the amounts the financial firm could invest with its existing facilities. According to FINRA, Charles Schwab consequently transferred $1 billion to its parent company for overnight investment that was approved as an unsecured loan by the company’s Treasury group.
FINRA representatives said that Charles Schwab did not have any established procedures that required its Treasury group to consult its regulatory reporting group or to prevent the former from approving unsecured transfers that could lead to net-capital deficiencies.
A Charles Schwab representative told The Wall Street Journal that the company self-identified the issue, immediately reported it, and implemented revised procedures and processes.
U.S. appeals court asserts FTC’s corporate cybersecurity powers
The Third U.S. Court of Appeals ruled that the FTC could proceed with a lawsuit against Wyndham Worldwide Corp. that alleges the hotel chain is partly responsible for three payment card data breaches that occurred between 2008 and 2010. The FTC claims that the breaches have led to more than $10 million in fraud losses, and that Wyndham failed to implement reasonable protections against data theft, such as firewalls and updated security software. Wyndham challenged the FTC’s claims, arguing that the agency’s allegations are government overreach. All three judges on the court panel disagreed, and the decision reinforces the FTC’s authority to regulate business cybersecurity in the absence of comprehensive data security legislation. The FTC has exercised this authority by pursuing enforcement actions in more than 50 data security cases, according to the WSJ.
Malware steals 225,000 Apple users’ credentials
New malware called KeyRaider has stolen the credentials of more than 225,000 Apple users. Representatives of security company Palo Alto Networks dubbed the theft the “largest known Apple account theft caused by malware,” affecting users in 18 countries.
The malware targets jailbroken iOS devices. The attacker added KeyRaider to two jailbreak tweaks, which he or she claimed would let users download non-free apps from the Apple App Store without purchase.
According to Palo Alto Networks, these tweaks hijacked users’ app purchase requests and downloaded stolen accounts or purchase receipts. Palo Alto said the tweaks have been downloaded by more than 20,000 users. KeyRaider was also integrated into ransomware to disable unlocking operations, even if the user entered the correct password or passcode.
Palo Alto researchers followed a trail of distributed malware samples that led them to the command-and-control server where the stolen data is stored. They found that the server itself contains vulnerabilities that expose user data, including a SQL vulnerability that the researchers were able to exploit.