On July 10, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert sharing its observations on improving operational resiliency and responding effectively to cyber threats. The alert was prompted by an increase in the sophistication of ransomware attacks on SEC registrants, which include broker-dealers, investment advisers and investment companies.
Recent reports indicate that one or more threat actors have orchestrated phishing and other campaigns designed to penetrate financial institution networks to access internal resources and deploy ransomware. The OCIE has also observed ransomware attacks impacting service providers to registrants.
Ransomware is a type of malware that an unauthorized actor deploys once inside an institution’s systems to deny use of those systems or their data, typically by encrypting it, until a ransom is paid. Victims are usually asked to pay the ransom to regain control over their systems, or, where the attacker has also exfiltrated data, to prevent its alteration or public disclosure; in that second case the attack threatens the integrity and confidentiality of the data as well as its availability.
In light of these threats, the OCIE recommended that registrants, including third-party service providers to registrants, monitor information available related to ransomware attacks including the June 30, 2020 Dridex Malware alert published by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the FBI’s public service announcement on ransomware.
These alerts describe the tactics and techniques used by the threat actors in question, the associated indicators of compromise and key mitigation strategies for reducing overall exposure, and give examples of cyber defense best practices.
In addition, the OCIE reiterated the practices registrants can adopt to improve their cyber security preparedness for ransomware attacks, in the following areas:
- Incident response and resiliency policies, procedures and plans
- Operational resiliency
- Awareness and training programs
- Vulnerability scanning and patch management
- Access management
- Perimeter security
For further information and the examples of best practices provided by the SEC, refer to the full OCIE Risk Alert.
How Can We Help?
Our Compliance and Regulatory Consulting team, together with cyber security experts from Kroll, a division of Duff & Phelps, can help you ensure that your organization maintains information security arrangements that meet the SEC’s expectations. Further details are available from Kroll's Cyber Risk services.