Securities Regulation Daily OCIE issues alert warning SEC registrants of ransomware attacks
News
Tuesday, July 14, 2020

OCIE issues alert warning SEC registrants of ransomware attacks

By Amanda Maine, J.D.

The Risk Alert was prompted by an increase in the sophistication of ransomware attacks and lists a number of measures registrants have taken into consideration to protect themselves against cyber intrusions.

Citing an apparent increase in sophistication of ransomware attacks on SEC registrants, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has issued a Risk Alert outlining several observations designed to assist market participants in enhancing their cybersecurity preparedness and operational resiliency to address the ransomware attacks.

Ransomware. The alert states that ransomware is a type of malware designed to provide an unauthorized author access to institutions’ systems and to deny the institutions the use of those systems until a ransom is paid. SEC registrants, including broker-dealers, investment advisers, and investment companies, have been subject to more sophisticated ransomware attacks recently, as have third-party service providers to registrants, OCIE advised.

Recognizing that a one-size-fits-all approach towards confronting ransomware attacks would be impractical, the Risk Alert instead outlines a number of observations that market participants can take into account when considering their cybersecurity strategies, including protecting against ransomware attacks.

Incident response. OCIE has observed registrants that have assessed, tested, and updated their incident response and resiliency policies and procedures, including their disaster and recovery plans. These plans have included response plans for various scenarios including ransomware attacks; notification procedures for escalating incidents to appropriate levels of management and key stakeholders; addressing compliance with federal and state reporting requirements for cyber events; and contacting law enforcement, regulators, and, if appropriate, new and existing customers and clients.

Operational resiliency. Operational resiliency involves determining which systems and processes are capable of being restored during a disruption. Practices cited by OCIE in the alert include continuing capability on secondary systems when the primary system is unavailable and ensuring geographic separation of back-up data and writing back-up data to an immutable storage system.

Training, vulnerability scanning, and access management. OCIE observed that registrants have provided cybersecurity training and have undertaken phishing exercises to help employees identify phishing emails. Registrants have implemented proactive vulnerability and patch management programs, such as ensuring that antivirus and other security tools are updated automatically and conducting regular scans. Systems and processes that manage user access, such as recertifying user access on a periodic basis and requiring the use of strong, periodically changed passwords, are also tools used by registrants.

Perimeter security. Registrants have implemented perimeter security to control, monitor, and inspect incoming and outgoing network traffic to prevent unauthorized or harmful traffic. These include managing the risks of using Remote Desktop Protocol (RDP) by supporting RDP only through a Virtual Private Network (VPN) connection; using application control capability to ensure only approved software can be executed; and using a security proxy server to control and monitor access to the Internet.

CISA alert. The OCIE Risk Alert also drew attention to a recent alert issued by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) relating to recent ransomware attacks. The CISA alert describes the threats posed by Dridex malware, which first appeared in 2012, and by 2015 had become one of the most prevalent financial Trojans. Dridex malware is typically distributed through phishing e-mail spam campaigns, the CISA alert explains. The alert also outlines a number of best practices intended to combat the exploitation techniques used by malicious cyber actors.

MainStory: TopStory BrokerDealers CyberPrivacyFeed DataBreach FinancialIntermediaries InvestmentAdvisers InvestmentCompanies RiskManagement SECNewsSpeeches

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More

Securities Regulation Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on securities regulation legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.