The SEC’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert on ransomware on July 10, 2020. In the publication, Cybersecurity: Ransomware Alert, OCIE alerts companies to an increase in sophisticated campaigns orchestrated to invade financial institution networks in order to obtain confidential information and plant ransomware. The attacks generally involve perpetrators using “phishing and other campaigns designed to penetrate financial institution networks … to access internal resources and deploy ransomware.” Once the ransomware is deployed, institutions typically lose the ability to use their systems and data, and to maintain their integrity, until they pay a ransom to the attackers.
Ransomware attacks have not been restricted to SEC registrants; service providers to registrants have also been impacted, particularly those that maintain customer assets and records for registrants. As a result of the increase in ransomware threats, OCIE urged registrants and other market participants to monitor cybersecurity and work closely with third-party vendors who maintain client data. OCIE also drew attention to the cybersecurity alerts released by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), including CISA’s alert on Dridex Malware, published on June 30, 2020. This alert highlighted Dridex-related phishing tactics, which often include the distribution of ransomware, and mitigation strategies organizations may take to prevent and/or respond to such attacks.
To assist registrants with their security efforts, OCIE reiterated a series of measures that it has observed registrants using to increase cybersecurity preparedness. Many of these measures will be familiar from the examination observations OCIE issued in January 2020:
- Incident response and resiliency policies, procedures and plans: Periodic assessment, testing and updating of the registrant’s incident response and resiliency policies, such as its contingency or disaster recovery plan.
- Operational resiliency: Identify which critical systems and operational processes can be restored during a disruption so that business services continue uninterrupted.
- Awareness and training programs: Provide specific cybersecurity and resiliency training to help employees gain awareness of cyber threats such as ransomware, for example training on identifying phishing e-mails.
- Vulnerability scanning and patch management: Frequently and consistently implement proactive vulnerability and patch management programs across the registrant’s systems to ensure that the registrant’s anti-virus and anti-malware solutions are up to date and regularly scan the registrant’s systems.
- Access management: Implement systems and procedures to manage user access to the registrant’s systems to ensure the following: (i) user access is limited to what is appropriate and necessary, (ii) user access is regularly recertified by administrators, (iii) users use strong and periodically changed passwords, (iv) the registrant uses multifactor authentication and (v) the registrant revokes access immediately when it is no longer necessary (e.g., on termination of employment).
- Perimeter security: Implement perimeter security capabilities that enable registrants to control, monitor and inspect all incoming and outgoing network traffic in order to prevent unauthorized or harmful traffic.
As with the examination observations, OCIE noted that there is no “one size fits all” approach. While several of these measures may be impractical for smaller firms, OCIE does not provide guidance to help organizations assess which measures may be a good fit for enhancing the security of their systems and information. This lack of additional guidance about how smaller organizations can implement the measures may create a challenge for entities forced to make those difficult decisions and defend those choices in the future. Surely, though, some of the most cost-effective mechanisms are to employ e-mail security filtering, so that phishing e-mails never reach end users, and training, so that users can recognize and avoid the phishing e-mails that do get through.