
OXFORD BIOCHRONOMETRICS SA

Page 1 of 4

Position Paper:
Ramifications of the Securities and Exchange Commission's OCIE Cybersecurity Initiative on the Financial Services
Industry, the current problem and the proposed Oxford BioChronometrics solution.

Background: The Office of Compliance Inspections and Examinations (OCIE) protects investors through
administering the SEC's nationwide examination and inspection program. Examiners in Washington DC and in the
Commission's 11 regional offices conduct examinations of the nation's registered entities, including broker-
dealers, transfer agents, investment advisers, investment companies, the national securities exchanges, clearing
agencies, SROs such as the Financial Industry Regulatory Authority (FINRA) and the Municipal Securities
Rulemaking Board, as well as the Public Company Accounting Oversight Board (PCAOB) (source:
http://www.sec.gov/ocie#.VDq2fY10yM8 ).

Earlier this year the OCIE announced that its 2014 examination priorities would include a focus on technology,
including cybersecurity preparedness, which was largely the result of actual security breaches/fraud and
subsequent governmental and regulatory initiatives; particularly the NIST Framework for Improving Critical
Infrastructure Cybersecurity (source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf ).

However, on April 15th, 2014 the OCIE added a new dimension to traditional compliance examinations commonly
performed on financial institutions by issuing a risk alert to all registered entities that contained a sample
questionnaire/checklist* of firm cybersecurity policies, procedures and requirements *(source:
http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf )

Ramifications: While the cyber-dangers facing Financial Institutions are not limited to regulatory exposure, and real
financial consequences and crises in consumer confidence have already occurred on numerous occasions, it is the
broad swath of entities (including Exchanges and Self-Regulatory Organizations themselves) examined by the OCIE,
together with its heightened focus on cybersecurity, that is causing Financial Institutions to radically reassess their
preparedness and significantly escalate cybersecurity as a priority.

The Problem: The OCIE risk alert outlines specific cybersecurity areas to be audited* and, in the majority of
regulated entities, the audit already has or will involve a variety of different systems, which has caused
regulated entities to scramble for technology (hardware & software) solutions. However, even when these
multiple, usually overlapping, solutions are deployed, the suggested or required outcomes usually remain
unattained. The complexity of the problem for the regulated entity is only magnified when considering that the
OCIE, like its parent the SEC, is only issuing guidance and, when issuing the sample audit document, was very
clear in stipulating:

This document should not be considered all inclusive of the information that OCIE may request.
Accordingly, OCIE will alter its requests for information as it considers the specific circumstances
presented by each firm's particular systems or information technology environment (source:
http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf)


Because the OCIE must audit radically different reporting entities, and individual circumstances can vary widely,
guidance is all it is capable of issuing. For the member-firm, this does create the problem of a certain amount of
subjectivity involved with each audit, and it is extremely difficult to anticipate all OCIE requests and required
standards prior to the audit.

However, no matter how complex or in-depth the actual audit may be for a firm, nearly all cybersecurity
requirements pertaining to human beings accessing secure systems are constructed to address an extremely
straightforward problem: how to determine that a person (client or employee) accessing a secure system is who
they say they are, and remains so for the entire period during which they are conducting their permissioned activity.

As the cybersecurity problem itself has evolved, regulators and industry stakeholders have recognized that simple
passwords are no longer sufficient to establish identity. As a result, there has been a mass migration to a
methodology known as Multi-Factor Authentication (MFA). Through software, hardware, or a combination of
both, MFA seeks to establish a user's identity by cross-validating:
Something only the user knows (e.g., password, PIN, pattern);
Something only the user has (e.g., ATM card, smart card, mobile phone); and
Something only the user is (e.g., biometric characteristic, such as a fingerprint).
While vastly superior to passwords, even MFA has limitations that could potentially prevent it from satisfying
regulatory or market-driven cybersecurity needs. Many MFA approaches remain vulnerable to phishing, man-in-the-browser
and man-in-the-middle attacks.
In addition to direct attacks, three aspects must be considered for each of the factors in order to fully realize the
potential increase in confidence of authentication:
The inherent strength of the mechanism, i.e. the entropy of a secret, the resistance of a token to
cloning, or the uniqueness and reliability of a biometric.
Quality of provision and management. This has many aspects, such as the confidence one can have
that a token or password has been securely delivered to the correct user and not an imposter, or that
the correct individual has been biometrically enrolled, as well as secure storage and transmission of
shared secrets, procedures for password reset, disabling a lost token, re-enrollment of a biometric,
and prompt withdrawal of credentials when access is no longer required.
Proactive fraud detection, e.g. monitoring of failed authentication attempts or unusual patterns of
behavior which may indicate that an attack is under way, and suitable follow-up action.
Note: Much of the information pertaining to MFA is taken directly from http://en.wikipedia.org/wiki/Multi-factor_authentication
Aside from security concerns, MFA poses real client-facing issues for registered entities in that it can require
clients to carry a physical piece of hardware (usually a dongle or USB token-generator), go through onerous
additional steps (additional identity validation questions), or, in many cases, both.
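The third aspect listed above, proactive fraud detection, is the one a firm can exercise without any new hardware: it is a matter of watching the authentication log. The following is an added illustration, not code from the original paper or from Oxford BioChronometrics, of two of the patterns the list names: a burst of failed attempts for one account within a short window (and a success immediately after such a burst), and a successful login whose source changes implausibly fast. The log format, the thresholds and the sample lines are all constructed for the example.

```python
"""Failed-login and unusual-pattern detector over constructed auth log lines.

Added example: the log format, thresholds and sample data are assumptions,
not a real system's format or the paper's own technology.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real system).
SAMPLE_LOG = """\
2014-04-15T09:00:01Z user=alice src=10.1.1.5 result=FAIL
2014-04-15T09:00:03Z user=alice src=10.1.1.5 result=FAIL
2014-04-15T09:00:04Z user=alice src=10.1.1.5 result=FAIL
2014-04-15T09:00:06Z user=alice src=10.1.1.5 result=FAIL
2014-04-15T09:00:07Z user=alice src=10.1.1.5 result=FAIL
2014-04-15T09:00:09Z user=alice src=10.1.1.5 result=OK
2014-04-15T09:30:00Z user=bob src=10.1.1.9 result=FAIL
2014-04-15T09:45:00Z user=bob src=10.1.1.9 result=OK
2014-04-15T10:00:00Z user=carol src=203.0.113.7 result=OK
2014-04-15T10:00:30Z user=carol src=198.51.100.2 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_anomalies(lines, max_failures=4, window=timedelta(minutes=5),
                     min_source_gap=timedelta(minutes=5)):
    """Return a list of alert strings for the patterns described in the text.

    BURST:               >= max_failures failed attempts for one user inside `window`.
    SUCCESS_AFTER_BURST: a successful login for a user who is currently in a burst.
    SOURCE_CHANGE:       two successes from different sources closer together than
                         `min_source_gap` (an assumed 'unusual pattern' heuristic).
    """
    alerts = []
    recent_fail = defaultdict(deque)   # user -> timestamps of failures inside the window
    last_ok = {}                       # user -> (timestamp, source) of the last success
    in_burst = set()                   # users already alerted on, to avoid repeat alerts
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        if ev["result"] == "FAIL":
            q = recent_fail[user]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures that fell out of the window
                q.popleft()
            if len(q) >= max_failures and user not in in_burst:
                alerts.append(f"BURST user={user} src={src} failures={len(q)} within {window}")
                in_burst.add(user)
        else:
            if user in in_burst:                 # the follow-up case worth a human look
                alerts.append(f"SUCCESS_AFTER_BURST user={user} src={src}")
                in_burst.discard(user)
                recent_fail[user].clear()
            prev = last_ok.get(user)
            if prev and prev[1] != src and ts - prev[0] < min_source_gap:
                alerts.append(f"SOURCE_CHANGE user={user} from={prev[1]} to={src} "
                              f"within {ts - prev[0]}")
            last_ok[user] = (ts, src)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample the detector raises three alerts: a burst for alice on her fourth failure, the success that follows it, and carol's second login from a different source thirty seconds after the first. The "suitable follow-up action" the list mentions is deliberately left to the caller; in practice that is a step-up re-authentication or a review queue, not an automatic lockout, because a burst of failures is also what a legitimate user with a forgotten password looks like.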

The Oxford BioChronometrics Position: We believe the most credible solution for protecting a regulated entity
from real cybersecurity threats/fraud as well as potentially subjective regulatory examinations is to satisfy and
exceed all true MFA requirements, passively, by deploying Human Recognition Technology (HRT).
HRT is a combination of algorithms that continually analyze user interactions with any device in real-time. After
a certain threshold of data pertaining to user/device interaction is exceeded, an e-DNA (electronically-Defined
Natural Attributes) identifier is assigned to the user. Once a firm e-DNA is established, HRT continually monitors
user/device interaction for a deviation from the known e-DNA. Should a deviation be detected (signaling that a
different person is now using the logged-in device), the session can be immediately terminated.
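The paper describes the shape of continuous behavioral authentication (collect interaction data until a threshold is reached, fix a baseline, then watch live interaction for a deviation and end the session) but, understandably, not the algorithms behind HRT. The following is an added illustration of that loop and is not Oxford BioChronometrics' code or method: it assumes a minimal feature set (keystroke dwell and flight times), an enrollment threshold of thirty samples, a running mean/variance baseline, and a z-score distance as the deviation rule. The owner and intruder samples are synthetic.

```python
"""Simplified continuous-authentication loop (added illustration, not HRT/e-DNA).

Assumptions: two keystroke-timing features per sample, ENROLL_SAMPLES observations
before the baseline is fixed, and a mean absolute z-score as the deviation measure.
"""
import math
import random
from dataclasses import dataclass, field

ENROLL_SAMPLES = 30   # assumed 'threshold of data' before a baseline is established
MAX_DISTANCE = 3.0    # assumed mean |z| above which the session is terminated


@dataclass
class Profile:
    """Per-user baseline: running mean and variance per feature (Welford's method)."""
    n: int = 0
    mean: list = field(default_factory=list)
    m2: list = field(default_factory=list)   # running sum of squared deviations

    def update(self, sample):
        if not self.mean:
            self.mean = [0.0] * len(sample)
            self.m2 = [0.0] * len(sample)
        self.n += 1
        for i, x in enumerate(sample):
            delta = x - self.mean[i]
            self.mean[i] += delta / self.n
            self.m2[i] += delta * (x - self.mean[i])

    @property
    def established(self):
        return self.n >= ENROLL_SAMPLES

    def distance(self, sample):
        """Mean absolute z-score of one sample against the baseline (n must be >= 2)."""
        total = 0.0
        for i, x in enumerate(sample):
            var = self.m2[i] / (self.n - 1)
            sd = math.sqrt(var) if var > 0 else 1e-9
            total += abs(x - self.mean[i]) / sd
        return total / len(sample)


class Session:
    """A logged-in session that is monitored, and ended, on behavioral deviation."""

    def __init__(self, profile):
        self.profile = profile
        self.active = True

    def observe(self, sample):
        """Feed one interaction sample; return 'enrolling', 'ok' or 'terminated'."""
        if not self.active:
            return "terminated"
        if not self.profile.established:
            self.profile.update(sample)          # still collecting the baseline
            return "enrolling"
        if self.profile.distance(sample) > MAX_DISTANCE:
            self.active = False                  # a different person: end the session
            return "terminated"
        self.profile.update(sample)              # legitimate use: let the baseline drift slowly
        return "ok"


def make_samples(rng, n, dwell, flight, jitter=0.01):
    """Constructed synthetic (dwell_s, flight_s) keystroke samples around given means."""
    return [(rng.gauss(dwell, jitter), rng.gauss(flight, jitter)) for _ in range(n)]


def simulate(seed=1):
    """Owner types 40 samples, then someone with clearly different timing takes over."""
    rng = random.Random(seed)
    session = Session(Profile())
    owner = make_samples(rng, 40, dwell=0.10, flight=0.20)
    intruder = make_samples(rng, 10, dwell=0.25, flight=0.45)
    return [session.observe(s) for s in owner + intruder]


if __name__ == "__main__":
    outcomes = simulate()
    print(outcomes.count("enrolling"), "enrolling,", outcomes.count("ok"), "ok,",
          outcomes.count("terminated"), "terminated")
```

The simulation yields thirty enrolling samples, ten accepted owner samples, and termination on the first sample from the second typist. Two design points carry over to any real deployment of this pattern: the baseline is only updated with samples that have already passed the check, so an attacker cannot retrain it from a hijacked session, and the deviation threshold trades false rejections of the legitimate user against detection delay, so the "terminate" action is better expressed as a forced re-authentication than a silent disconnect.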
An e-DNA meets all known Multi-Factor Authentication benchmarks:
Something only the user knows (e.g., password, PIN, pattern): the user begins the session normally.
Something only the user has (e.g., ATM card, smart card, mobile phone): strong device recognition
has already been achieved through HRT during the user's previous device registration/session(s).
Something only the user is (e.g., biometric characteristic, such as a fingerprint): an
established e-DNA is entirely unique to a particular individual, cannot be replicated or stolen, and
requires no additional hardware or software (fingerprint scanner, token generator software, etc.), thus
making it platform neutral.
HRT/e-DNA exceeds all known MFA methodologies because the technology addresses existing MFA limitations.
Unlike many MFA approaches that can be vulnerable to phishing, man-in-the-browser and man-in-the-middle
attacks, HRT immediately recognizes and blocks all non-human (automated) attempts to gain access or attempts
to change user-entered information, and can detect human e-DNA deviations, consequently preventing human
fraud attempts.
HRT/e-DNA further addresses the weaknesses of true MFA:
The inherent strength of the mechanism, i.e. the entropy of a secret, the resistance of a token to
cloning, or the uniqueness and reliability of a biometric.
An individual's e-DNA is roughly the equivalent of a 16,000,000 character token that changes
depending on the weighting of different factors including location and time of day.
Quality of provision and management. This has many aspects, such as the confidence one can have
that a token or password has been securely delivered to the correct user and not an imposter, or
that the correct individual has been biometrically enrolled, as well as secure storage and
transmission of shared secrets, procedures for password reset, disabling a lost token, re-enrollment
of a biometric, and prompt withdrawal of credentials when access is no longer required.

Because e-DNA is derived from how an individual interacts with a device, there is no known quality of
provision and management issue that is not addressed in a superior manner (Examples: If an individual
wishes to change passwords, HRT is monitoring how the individual is interacting with the device while
attempting to do so in order to confirm the e-DNA matches. The unique physical interaction with the
device is the secret unique information, so there is nothing that can be compromised or stolen. The
token changes based on algorithmic weighting of different factors and there is no known way to
replicate it. The delivery of the token to the correct location/device is confirmed by the user
interaction, etc.)
Proactive fraud detection, e.g. monitoring of failed authentication attempts or unusual patterns of
behavior which may indicate that an attack is under way, and suitable follow-up action.
HRT is always-on security that continuously monitors user behavior. There is no known superior
methodology/technology for the proactive detection and prevention of fraud.
Finally, because an established e-DNA is passive and does not require the user to carry additional physical
hardware or go through onerous additional steps, it also creates a much more seamless client-facing experience.
This also assists the regulated entity in the deployment of the cybersecurity solution, because it makes no
difference which device the client/employee uses (platform neutral).
Conclusion: It is our position that BioChronometrics (HRT/e-DNA) meets and exceeds all known regulatory and
real-world standards for cybersecurity and is believed to represent the next industry benchmark for on-line
security.

For additional information, please visit the company's website at: www.oxford-biochron.com
Or contact us directly:
David Scheckel, President

Telephone: +352 621 887 744
Email: david.scheckel@oxford-biochron.com

Address for Correspondence:

Oxford BioChronometrics SA
58 Boulevard de la Pétrusse
Luxembourg L-2320
