SEC regulated firms currently unprotected

Cyber Challenges in an SEC-regulated Environment

What does it take to secure an $18bn fund from cyber attack? On the 1st of December, we hosted Dan Bennett, CTO of Castlelake for a webinar to find out. We were joined by Rois Ni Thauma, Head of Cyber Governance here at Red Sift. Beyond this individual challenge, we were interested in how the security of one firm in a tight-knit industry can give charge to a network effect that contributes to protecting all firms and investors from dangerous and costly email impersonation attacks. 

Castlelake is a global private investment firm that specializes in asset-based opportunities. As CTO, Dan is responsible for both the firm’s overall cyber security as well as their use of software to optimize returns and increase the effectiveness of their assets’ operations. 

I started my career in finance, so this is a bit of a return to the nest for me. Before joining Red Sift, I spent about seven years in investment banking and private equity working with firms that on the surface look just like Castlelake. None however leveraged software quite as elegantly and effectively as Dan and his team. 

Teams that bring to bear software as a way of doing things faster and more reliably are more likely to win. I like to believe that it is this approach that led Dan to choose Red Sift’s OnDMARC as the firm’s outbound email authentication and DMARC solution.

On a recent call with Dan we got talking about the number of counterparties trading with weak outbound authentication. I volunteered to dig further and use our technology to scan the entire SEC-regulated universe for email authentication policies, or lack thereof.

What we have here is a failure to authenticate

We started by grabbing a list of all 18,281 firms registered with the Security and Exchange Commission. Then, for the 15,254 firms for which a web domain could be found, we analyzed their DNS to find their DMARC policy and SPF records. For an industry that depends so heavily on trust, the results are quite grim. 

Only 5% of all firms have adopted DMARC in protection mode, a policy whereby unauthenticated emails sent on their behalf are rejected or quarantined by the receiver.

Barely 12% are gathering DMARC reports at all, creating a large blindspot for attackers to exploit. 

It’s worth noting the huge diversity among the body of firms that are regulated by the SEC. They range from large bulge-bracket banks to ‘mom-and-pop’ brokerage firms with retail investor clients as well as fast-moving fintechs with a license to disrupt. This puts a huge array of counterparties at risk of becoming victims of impersonation, all with varying degrees of sophistication in cyber defense. 

During our conversation, we hypothesized that it is perhaps this diversity that has led to slow adoption. Although large banks were some of the first adopters of DMARC, it has failed to ‘trickle-down’ to the vast majority of smaller firms, as our data shows. In other industries, such as construction, large contractors hold huge sway over entire value-chains, leading to rapid adoption of standards like onsite safety. Such effects are weaker in finance where supply chains are more diffuse or even circular in nature. If pressure does not come from the regulator then it is left to firms to secure themselves and influence their immediate network.

Dan noted that “email is by far the predominant way that finance is communicating with its ecosystem of counterparties, vendors, and suppliers. Probably at a volume and level of dependence that surpasses other industries because of the nature of relationships”.

The security network effect

When it comes to email, it really does take two to tango. It is as much the responsibility of a receiver to verify the provenance of a message as it is of the sender to make that provenance verifiable in the first place. That is precisely the role of DMARC and the two protocols, SPF and DKIM, on which the standard is built.

CISOs and CTOs like Dan at Castlelake are increasingly taking this principle a step further by insisting that counterparties get their outbound authentication in order. They are doing so by increasing their alertness on the inbound and placing harsher scrutiny on emails that do not meet basic authentication standards. “People in glass houses can’t be throwing stones. I can’t be turning up the controls on my gateway to restrict an email coming based on inherence to these protocols unless my house is in order”.

Getting your house in order

Outbound email authentication is often a harder sell: Because it is outbound, it seems by definition to be someone else’s problem. But in finance, what seems like someone else’s problem can quickly become a systemic risk. It is therefore a foundational part of today’s security stack and a necessary component of “getting your house in order”.

“We have an obligation to secure every email we send out as well as those we receive. You need to be careful who you let in through your front door, but equally as cautious if you’re sending nasty people out of your house.”

Dan Bennett, CTO at Castlelake

When business returns depend on frequent and seamless transactions with a growing set of trusted partners and counterparties, blocking malicious actors from impersonating Castlelake externally is just as important as defending against outside threats looking in.

Luckily, implementing outbound email authentication is a lot easier than it used to be. Thanks to DMARC reporting and software solutions like OnDMARC, the job can be mostly automated. The biggest fear of most businesses implementing DMARC protection for the first time is accidentally blocking legitimate email either during implementation or afterwards when adding new sending services. Our software is built with dynamic email environments in mind and makes configuration clear, observable and reliable so that team’s like Dan’s can focus on the next threat while making the financial services safer for everyone involved: “It’s now part of the architecture of our firm. It’s something that is running and we simply monitor.”


Nadim Lahoud

11 Dec. 2020



Recent Posts


Preventing certificate related violations in cybersecurity frameworks:  A guide to certificate monitoring…

Rebecca Warren

TLS is one of the most widely adopted security protocols in the world allowing for unprecedented levels of commerce across the internet.  At the core of the TLS protocol is TLS certificates. Organizations must deploy TLS certificates and corresponding private keys to their systems to provide them with unique identities that can be reliably…

Read more

Red Sift ASM & Red Sift Certificates: the missing link in your…

Billy McDiarmid

According to Gartner, Attack Surface Management (ASM) refers to the “processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures which include misconfigured public cloud services and servers.” This broad category of tooling is used within Continuous Threat Exposure Management (CTEM) programs, with many vendors within it having…

Read more

The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more