Breach Assessment
We scope out three main breach methods, with continuous values throughout which can be expanded to edge cases. The first presumes only retroactive action possible by team members. The last implies team members act in intense situations for the benefit of investor protection, which is expected of information carriers bonded under 17 C.F.R. § 240.17f-2.
Theft of Media While Not Present
If one or both of the storage devices are stolen while nobody is present at the TA-1 facility, the team will consider the factors surrounding ongoing traceable activity. First, the team will assess whether one or both of the drives were taken. The physical separation of the media should make it difficult for an intruder to timely confiscate both devices.
In the event one medium remains, it will be timely migrated to replace the acting server. That is, if the computer is stolen, the backup card will be migrated onto a new air-gapped system deployed at the TA-1 location. If the duplicate drive also is stolen, then a new one shall be made with encryption from the remaining primary electronic records.
Notwithstanding the amount of items stolen, the team shall report the incident to local police. The team shall follow the investigation as closely as possible for at least seven days as authorities search for the perpetrator. If the storage media are timely recovered, the team shall assess their usage during the theft by means of electronic access analysis, to determine if the encryption key was broken.
If the media is not timely recovered, the team shall monitor online markets including the dark web for traces of investor information, sourced either from memory or any remaining backup media. Public keys in particular will remain associated with all issued assets, and they are the first piece of information team members should scan for, searching for associated nonpublic identified information associated with addresses. If any data found reasonably matches a leak of PII records, then the team should assume that all information on the device was compromised, and the team shall notify all affected investors.
In order to affirm an attacker's possession of such information, the team is authorized to transmit up to $1,000 in exchange for a proof of missing information, at the sole judgment of fingerprinted members so bonded. Negotiations for the deletion of such data will be handled on a case-by-case basis by such team issuing a supermajority vote for ransom payments, which are denied by default. In the event of a locked vote due to the number of eligible team members voting yes equally in exactly the supermajority but not more, the company may disburse up to 8% of net cash reserves presuming ironclad deletion promises from attackers.
Should no evidence arise as to the semi-public accessibility of investor data made available for sale or otherwise exploited, the team shall monitor for not less than 24 months online accounts of investees on the encrypted drive. If users publicly report increased phishing attacks or requests specifically for their Account Certificate, the team will debate in the incident issue as to if that may be due to the attack. A plain majority vote of eligible members will be taken to later notify investors during the monitoring period if the initial findings lead to dismissals.
Attack With Decryption and Access in View of Team
Should an attacker breach the physical storage location and force the team to reveal the encryption phrase, the team will take reasonable and safe measures to assess what investor information is viewed or otherwise exported. The team may ask the thief what data they are taking or copying. If the intruder refuses to disclose such information and the team cannot visibly see the actions they are performing on a viewing device such as a computer monitor, the team shall assume all investor information is breached.
Extraction and Evasion with Decryption Key
Should the intruder steal an access drive and force declaration of the encryption key, the team may assume that they use that key to access all investor information. The team may, at their discretion, attempt to provide a false key which could leave the attackers in the state of Breach Assessment while team not present.1 However, should this mitigation step be unavailable (for example, due to the thieves checking the provided key and/or data), the team may divulge the access credentials for their own safety.