The Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Risk Alert reported increased ransomware attacks to SEC registrants (broker-dealers, investment advisers, and investment companies) and potentially service providers – especially if they maintain client assets or registrant records. Companies should be aware of the potential risks they face.

IN SUMMARY

What is happening:

  • Phishing campaigns are launched targeting SEC registrants and partners to deploy ransomware. Ransomware infiltrates a company’s network to access sensitive data and take it hostage until a ransom is paid, then the data would be returned.

SEC Registrants, Financial Institutions, and Service Providers should:

  • Continually monitor cybersecurity alerts from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) such as the recent update on Dridex Malware.
  • Communicate to their network of the possible attacks and review their cyber safeguards.

As the malware attacks are getting more sophisticated, the alert recommends organizations to enhance their cybersecurity posture through:

  • Incident response and resiliency policies, procedures and plans. Assessing, testing, and periodically updating incident response and resiliency policies and procedures, such as contingency and disaster recovery plans.
  • Operational resiliency. Determining which systems and processes are capable of being restored during a disruption so that business services can continue to be delivered.
  • Awareness and training programs. Providing specific cybersecurity and resiliency training and considering undertaking phishing exercises to help employees identify phishing emails. Training provides employees with information concerning cyber risks and responsibilities and heightens awareness of cyber threats such as ransomware.
  • Vulnerability scanning and patch management. Implementing proactive vulnerability and patch management programs that take into consideration current risks to the technology environment, and that are conducted frequently and consistently across the technology environment.
  • Access management. Managing user access through systems and procedures ensuring authorized users have appropriate access to data and systems.
  • Perimeter security. Implementing perimeter security capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic. These capabilities include firewalls, intrusion detection systems, email security capabilities, and web proxy systems with content filtering.

Organizations can start the process by using an Incident Response Plan checklist to document their security objectives, needs, and resources. Should you need help in assessing your security and compliance requirements, we can help you navigate compliance requirements and develop a reasonable and appropriate security strategy for your business.

Additional OCIE Risk Alerts that address cybersecurity and other examination issues are available at www.sec.gov/ocie.