On July 10, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published an alert to share its observations for improving operational resiliency and effectively responding to cyber threats in connection with an increase in sophistication of ransomware attacks on SEC registrants, which include broker-dealers, investment advisers and investment companies.
Recent reports indicate that one or more threat actors have orchestrated phishing and other campaigns designed to penetrate financial institution networks to access internal resources and deploy ransomware. The OCIE has also observed ransomware attacks impacting service providers to registrants.
Ransomware is a type of malware designed to provide an unauthorized actor access to institutions’ systems and to deny use of those systems until a ransom is paid. Victims are usually asked to pay ransom in order to maintain the integrity and/or confidentiality of their data or to regain control over their systems.
In light of these threats, the OCIE recommended that registrants, including third-party service providers to registrants, monitor available information on ransomware attacks, including the June 30, 2020 Dridex Malware alert published by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the FBI’s public service announcement on ransomware.
These alerts highlight the tactics and techniques used by certain threat actors, along with related indicators of compromise and key mitigation strategies to reduce overall vulnerability, and provide examples of cyber defense best practices.
In addition, the OCIE reiterated practices registrants can adopt in order to enhance cyber security preparedness to address ransomware attacks, including the following:
- Incident response and resiliency policies, procedures and plans
- Operational resiliency
- Awareness and training programs
- Vulnerability scanning and patch management
- Access management
- Perimeter security
For further information and examples of best practices provided by the SEC, you can find the entire report here.
How Can We Help?
Our Compliance and Regulatory Consulting team combined with cyber security experts from Kroll, a division of Duff & Phelps, can help you ensure that your organization maintains appropriate information security arrangements to meet the SEC’s expectations. Learn more about Kroll's Cyber Risk services here.
Stay Ahead with Kroll
Financial Services Compliance and Regulation
In the ever-evolving financial services landscape, Kroll's award-winning team offers comprehensive regulatory and compliance services, guiding clients through registration, licensing, and compliance support to minimize risks and enhance efficiency globally.
Retained Compliance Support and Managed Services
Kroll provides comprehensive retained and ad hoc regulatory compliance consulting services, ensuring firms maintain a competitive edge amid evolving regulatory landscapes across the UK, Europe, North America, Hong Kong and Singapore.
Cyber and Data Resilience
Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident response, regulatory compliance, financial crime and due diligence engagements to make our clients more cyber resilient.