On July 10, 2020, the Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert highlighting the dangers of ransomware to SEC-registered entities, including investment advisers. The Risk Alert is a response to a marked uptick in both the prevalence and sophistication of ransomware attacks in recent months. Ransomware is a type of malware used by criminals to gain control of your or your firm’s confidential information and customer data. In order to regain control and/or maintain confidentiality, victims are generally required to pay some form of ransom to the perpetrators. For obvious reasons, it is important for all firms to take proper security measures to protect against such attacks.
Each firm is different, and so are its security measures; however, OCIE has identified several areas of concern that all firms need to be aware of:
Incident response and resiliency policies, procedures and plans. Firms should be continually assessing, testing, and periodically updating their incident response and resiliency policies, procedures and plans, such as contingency and disaster recovery plans. Possible areas to review include procedures for timely notification, escalation policies, and state and federal notification requirements.
Operational resiliency. It is important to identify which systems and processes can be brought back online during a disruption so that business operations can continue.
Awareness and training programs. Firms should provide up-to-date, targeted cybersecurity training, such as education and exercises on phishing, to help employees recognize such threats. This training should be administered firm-wide, as every employee is a potential entry point for hackers.
Vulnerability scanning and patch management. It is vital that firms work with their software providers to keep the firm's cybersecurity software up to date and to install all security patches.
Access management. Maintaining secure access to information, both online and in the physical world, should be a priority for all firms. Examples include granting employees only as much access as necessary to perform their jobs, using multi-factor authentication wherever possible, and requiring at least annual recertification of users' access rights.
Perimeter security. Firms should use system-wide perimeter security, such as firewalls and email security features, to monitor all incoming and outgoing traffic and protect against dangerous or unwanted traffic.
Finally, OCIE points to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as an additional resource for firms. CISA publishes cybersecurity alerts that firms should be aware of, and encourages firms to share them with their third-party service providers.
CISA Alert – https://www.us-cert.gov/ncas/alerts/aa19-339a
OCIE Risk Alert – https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf