On July 10, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a ransomware risk alert. As background, ransomware is a type of malware designed to give an unauthorized party access to an institution’s systems and to deny the institution access to its own data and systems until a ransom is paid. OCIE stated that it has seen an increase in the sophistication of ransomware attacks on broker-dealers, investment advisers and investment companies. It has also observed attacks on service providers. The risk alert reinforces the SEC’s focus on cybersecurity-related matters. It is also not the first time that a ransomware risk alert has been issued. In May 2017, OCIE issued a risk alert pertaining to ransomware, although it was specific to a certain type of ransomware and provided fewer areas of focus for registrants.
CISA Alert – Dridex Malware
OCIE issued another ransomware risk alert following the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency’s (CISA) revised Dridex Malware Alert on June 30. The Dridex malware, and its various iterations, has the capability to impact confidentiality of customer data and availability of data and systems for business processes. According to industry reporting, Dridex first appeared in 2012, and by 2015 had become one of the most prevalent financial Trojans. CISA expects actors using Dridex malware and its derivatives to continue targeting the financial services sector, including both financial institutions and customers.
OCIE Observations
The risk alert highlights key areas where registrants have implemented policies and procedures to mitigate these risks or to improve their response when ransomware attacks occur. These include the following areas:
- Incident response resiliency policies, procedures and plans: Policies and procedures should be designed to address various scenarios, including ransomware, as well as other malware and denial of service attacks. Procedures should institute timely notification, response and escalation based on the type of attack. There should be procedures for notifications to key personnel at the firm, in addition to investors, clients and prospects, where appropriate. Lastly, certain instances may necessitate disclosure to regulators, particularly at the state level, where there may be unique reporting requirements.
- Operational resiliency: This involves determining which systems can operate or be restored during a disruption so that business services can continue. Firms should identify which critical applications could operate should the primary system be unavailable. Likewise, firms should ensure that primary data and back-up data are properly separated so that an attack on one would not impair the other. Geographical separation is also an important consideration.
- Awareness and training programs: Regular and specific training on cybersecurity and resiliency should be implemented. Phishing exercises were particularly called out as a key way to reduce the chances of employees falling victim to such attacks.
- Vulnerability scanning and patch management: Firms should ensure that all systems and software have the most current updates. Additionally, anti-virus and malware solutions should be updated automatically and include advanced endpoint detection and response capabilities.
- Access management: Access management is a key area of any cybersecurity program. OCIE specifically identified limiting access where appropriate, periodically re-certifying user access, implementing separation of duties for user access approvals, requiring strong passwords that are periodically changed, instituting multi-factor authentication that utilizes an application or fob for a verification code and revoking system access for former employees or service providers.
- Perimeter security: These are measures that allow a firm to control, monitor and inspect all incoming and outgoing network traffic utilizing firewalls, intrusion detection systems and email security. Remote Desktop Protocol (“RDP”) best practices should also be implemented, covering auditing of the network, closing unused RDP ports and monitoring login attempts. Encrypted Virtual Private Networks, known as VPNs, would significantly improve security when using RDP. Additionally, ensuring that only approved software can be executed and using a security proxy server to control and monitor internet access would address other key vulnerabilities.
What the Risk Alert Means and What to Do
This risk alert is the third time this year that OCIE has released material related to cybersecurity. The first was OCIE’s 2020 Examination Priorities and the second was the Cybersecurity and Resiliency Observations release in January. Cybersecurity policies and procedures should be regularly reviewed to determine that all of the concerns and areas identified by OCIE are addressed, in order to ensure that firms are adequately protected from malware and other types of breaches. Likewise, reviewing cybersecurity due diligence questionnaires for service providers is key. While a firm may take sufficient measures to ensure that its own cybersecurity infrastructure is secure, if a service provider is deficient in some of these key areas, there is a clear potential for a breach. Therefore, firms need to conduct cyber diligence, especially with critical service providers, on an ongoing basis.
In terms of this risk alert specifically, it mainly pertains to items that have been industry best practices for some time. Things like vulnerability scans, phishing tests, training and multi-factor authentication are industry standard best practices. That said, the COVID-19 pandemic and the ongoing work-from-home environment can compromise cybersecurity. Firms may have set up adequate controls from their office, but when employees are using their own networks or using firm devices for personal use, issues can arise. Having VPNs, sufficient monitoring of internet traffic and disciplined patching will help protect a firm’s systems. Finally, incident response was a key element of this risk alert. While many firms conduct incident response tests and tabletop exercises while in the office, these may have ceased since work from home started. Therefore, it may be worth conducting these tests soon to see if the incident response plan is adequate for the current environment.
The full risk alert can be found here.