SEC Releases Alert on Ransomware Attacks

The Securities and Exchange Commission’s (SEC) exam division is warning advisors and broker-dealers to immediately review their cybersecurity controls, as phishing and ransomware attacks are on the rise.

In a just-released risk alert, the agency’s Office of Compliance Inspections and Examinations (OCIE) announced that it has observed an apparent increase in the sophistication of ransomware attacks on SEC registrants, which include broker-dealers, investment advisers, and investment companies. The perpetrators behind these attacks typically demand compensation to maintain the integrity and/or confidentiality of customer data or for the return of control over registrant systems.

In light of these attacks, the OCIE is urging SEC registrants, as well as other financial services market participants to monitor the cybersecurity alerts published by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), including the updated alert published on June 30, 2020 relating to recent ransomware attacks. The OCIE is also encouraging registrants to share this information with their third-party service providers, particularly those that maintain client assets and records.

While there is no “one-size-fits-all” approach to protect against phishing and ransomware attacks, organizations can use tactics and techniques across a variety of areas to guard against these attacks, including:

Incident response and resiliency policies, procedures and plans. Assessing, testing, and periodically updating incident response and resiliency policies and procedures, such as contingency and disaster recovery plans.

Operational resiliency. Determining which systems and processes are capable of being restored during a disruption so that business services can continue to be delivered.

Awareness and training programs. Providing specific cybersecurity and resiliency training and considering undertaking phishing exercises to help employees identify phishing emails. Training provides employees with information concerning cyber risks and responsibilities and heightens awareness of cyber threats such as ransomware.

Vulnerability scanning and patch management. Implementing proactive vulnerability and patch management programs that take into consideration current risks to the technology environment, and that are conducted frequently and consistently across the technology environment.

Access management. Managing user access through systems and procedures that: (i) limit access as appropriate, including during onboarding, transfers, and terminations; (ii) implement separation of duties for user access approvals; (iii) re-certify users’ access rights on a periodic basis (paying particular attention to accounts with elevated privileges including users, administrators, and service accounts); (iv) require the use of strong, and periodically changed, passwords; (v) utilize multi-factor authentication leveraging an application or key fob to generate an additional verification code; and (vi) revoke system access immediately for individuals no longer employed by the organization, including former contractors. Configuring access controls so users operate with only those privileges necessary to accomplish their tasks (i.e., least privilege access).

Perimeter security. Implementing perimeter security capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic. These capabilities include firewalls, intrusion detection systems, email security capabilities, and web proxy systems with content filtering.

To read the full alert, click here.