On July 10, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) released a risk alert highlighting a recent increase in ransomware attacks against financial industry participants.
The risk alert highlights the importance for financial industry participants (“Firms”) to remain vigilant due to the increase in threat activity and notes that attacks are becoming increasingly sophisticated.
The risk alert also implores market participants to review the strengths of their current cybersecurity controls and to make changes as necessary to address these threats.
OCIE’s Risk Alert notes that the Securities and Exchange Commission (“SEC”), in concert with other federal and state regulatory agencies, has assessed the threat landscape and has documented a significant increase in the number and sophistication of ransomware attacks against market participants.
Ransomware attacks involve malware that allows the perpetrator to receive unauthorized access to their victim’s networks and effectively lock them up in order to demand payment for restoration of access.
The malicious actors that perpetrate these types of attacks have been known to use a multitude of methods to gain access including phishing emails, social engineering, and hacking.
OCIE is encouraging Firms to review new releases from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) regarding cybersecurity alerts, including a recent alert published at the end of June regarding ransomware attacks.
Read CISA’s recent alert on Dridex Malware here.
OCIE Recommendations for Shoring Up Cybersecurity Programs
OCIE acknowledges that each cybersecurity program must be customized to each Firm and that there is no cookie-cutter approach that can be employed by all Firms.
Bearing that in mind, the risk alert highlights areas that OCIE feels are important to focus on including incident response, operational resiliency, training and awareness, vulnerability scanning and patch management, access management, and perimeter security.
OCIE has highlighted that Firms should assess, test, and update their incident response policies and procedures at regular intervals to ensure that they remain effective in thwarting cybersecurity threats and attacks, including ransomware.
In their view, effective incident response plans have steps to address various threats and attacks; notification policies and procedures; procedures for compliance with state and federal notification requirements; and steps for notifying clients and law enforcement when a breach occurs.
Firms should ensure that they have policies and procedures to address cybersecurity and business continuity designed to ensure rapid restoration of a firm’s networks, unchangeable storage options, and geographic distribution of resources to ensure continuity of operations in the face of a cyberattack.
Training and Awareness
OCIE recognizes the importance of employees as the front-line of defense against cyber threats and attacks and highlights the importance of consistent and frequent training of Firm staff to ensure that they maintain threat awareness and understand and acknowledge the policies and procedures for an incident response when they are confronted with a cyberattack.
Vulnerability Scanning and Patch Management,
Vulnerability scanning and patch management are crucial tools and the risk alert highlights that Firms need to ensure that vulnerabilities can be addressed in a timely manner and that all systems, software, and hardware are kept up-to-date with the latest patches and updates.
The risk alert also highlights the need to review user access and ensure that a Firm’s cybersecurity policies and procedures define levels of access on the basis of roles and functions, as well as the sensitivity of the information, and that controls are in place to ensure that inadvertent access is not granted to an unauthorized user, including the regular review of access rights, password management, multi-factor authentication, and procedures for immediate revocation of user credentials in case of a violation or termination.
Lastly, OCIE recommends that firms evaluate their controls for traffic coming in and out of their networks including the use of firewalls, intrusion detection systems, and proxy servers.
To read OCIE’s Cybersecurity Ransomware Risk Alert, click here.
What Should I Consider for My Firm’s Cybersecurity?
Firms should start by reviewing OCIE’s risk alert and sharing it with their employees to raise awareness about the ransomware threats and the expectations of regulators.
Next, Firms should consider performing a risk assessment in order to evaluate the risks inherent to the firm’s networks and client PII and evaluate the strength of their existing controls relative to the areas highlighted by OCIE in the risk alert.
Firms should then assess whether their policies and procedures need to be enhanced and work with their IT vendor to ensure that their access management, vulnerability and patch management, and perimeter security controls are up-to-date and/or enhance their controls if necessary.
Lastly, Firms should conduct training with their employees to ensure that they are familiar with steps to prevent cyberattacks and to ensure that they understand the steps to take when one occurs.
Should you or your firm have questions regarding OCIE’s risk alert or require assistance with performing a risk assessment, enhancing your cybersecurity policies and procedures, and/or providing cybersecurity training to your employees, please contact us at (619) 278-0020 to schedule a consultation. Our legal and compliance experts are standing by to help.