SEC OCIE Warns of Increased Ransomware Risks

July 13, 2020 by ACA Aponix


On July 10, the U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) issued an alert warning of an increase in the sophistication of ransomware attacks against SEC registrants. In these attacks, threat actors have used advanced phishing and other social engineering tactics to penetrate financial institution networks and install malware that limits company access to data until a ransom is paid. Recent updates to these malware strains, e.g., the development of Dridex malware into BitPaymer/Friedex ransomware, have increased the severity and potency of the threat.

The increase in frequency and sophistication of these ransomware attacks has been noted among SEC registrants including investment advisers, investment companies, and broker-dealers. The impact has been felt among service providers to these registrants as well.

OCIE Recommendations

The OCIE recommends that registrants take active steps to address this concern. Recommendations include suggestions in the following areas:

  1. Operational resiliency
    • Ensure that the adviser is capable of performing critical business functions during a disruption.
    • Focus on critical applications that can be restored in the event of the unavailability of primary systems.
    • Back up data in a geographically separate location, such that data availability will be maintained in the event of a local disruption. Write backup data to an immutable system, such that it cannot be changed once recorded.
  2. Incident response and resiliency policies, procedures, and plans
    • Assess, test, and update incident response plans (IRPs), business continuity plans (BCPs), and disaster recovery plans (DRPs).
    • Include planning for ransomware attack response, as well as for denial of service and related attacks.
    • Ensure that a communication plan is in place, to escalate incident response to appropriate teams and to notify executives, staff, and financial stakeholders as needed.
    • Confirm that proper mechanisms are in place to comply with state and federal reporting requirements.Fphi
  3. Awareness and training programs
    • Ensure that staff is aware of appropriate response in the event of a cybersecurity incident or other business disruptions.
    • Train employees to identify and prevent phishing attacks, and thereby reduce exposure to ransomware and other risks.
  4. Vulnerability scanning and patch management
    • Frequently and consistency scan firewalls, networks, hardware, and application software for vulnerabilities, and take remedial steps as needed.
    • Mandate a patch management program, in which operating system updates, firmware updates, and software updates occur automatically.
    • Include anti-virus and anti-malware updates in patch management programming.
    • Upgrade anti-malware tools to include advanced endpoint detection and response capabilities.
  5. Access management
    • Ensure that access to data is managed in a manner that enhances security of information and limits unwarranted reach by those without rights to do so.
    • Limit access as needed during all staff onboarding, transfers, and terminations.
    • Separate access per user rights. Recertify access rights periodically as needed. Use the principle of least privilege access to ensure that staff operate with only the access level needed for their tasks.
    • Implement strong password policies, including the need to change passwords at a specified interval.
    • Use multi-factor authentication, in which additional credential verification is required.
  6. Perimeter security
    • Inspect, monitor, and control all incoming and outgoing network traffic to prevent harmful or unauthorized elements.
    • Include the use of firewalls, intrusion detection systems, email security systems, and web proxy systems with content filtering.
    • Ensure that security is enhanced when using remote desktop protocol (RDP), including auditing RDP use, closing unused RDP ports, and monitoring RDP login attempts.
    • Control and monitor access to the internet via a security proxy server.
    • Implement an application control policy, such that only approved software can be used across the organization.

The alert further reminds registrants that cybersecurity remains an area of continuing OCIE focus. It will continue to be a key examination priority in the future.

ACA Guidance

ACA  recommends that SEC registrants take heed of the OCIE alert, both as an indicator of future examination priority, and as a strong set of guidelines toward preventing ransomware and other cyber-attacks in general. ACA has observed in recent examination questions that the SEC has been inquiring about BCPs, third-party risk, cyber risks, and attacks.

Firms should:

  • Maintain a strong focus on operational resiliency and prepare for any potential business disruptions with plans in place to continue to provide services.
  • Enhance and test their IRPs, BCPs, and DRPs, and likewise increase internal readiness via awareness training, phishing prevention programs, and related efforts.
  • Ensure access rights are managed appropriately, that patch management and vulnerability scanning are in place, and that perimeter security are in place.
  • Recognize the continuing threat of ransomware and other forms of cyber-attack, and continually take efforts to enhance security and reduce risk.
  • Be prepared for upcoming SEC exams to address BCP plans, third-party risk, and cyber threats

How We Help

Identify threats with our 8 Ways to Identify a Phishing Attack  guide and ensure business continuity with our BCP Checklist.

Schedule a call with an ACA Aponix rep to discuss your concerns and how we can help you.  

Contact Us