Cybersecurity: Ransomware Alert

Regulatory Briefs
Written By Jon Hurd

The U.S Securities and Exchange Commission (“SEC”) has focused on cybersecurity issues for many years, but with increased observation of cyber threats, the Office of Compliance Inspections and Examinations (“OCIE”) is committed to responding to such threats while also monitoring cybersecurity developments and improving operational resiliency. The OCIE works strictly to monitor cybersecurity developments and improve operational resiliency. Many recent reports indicate there have been threat actors that have deployed phishing and other campaigns to access internal resources and eventually deploy ransomware. There has also been an increase of observed ransomware attacks on SEC registrants. These target include broker-dealers, investment advisors, and investment companies.

Ransomware is a type of malicious malware that allows an unauthorized user to access the system, giving the institution itself denied access until ransom is paid. The criminals behind the ransomware will demand payment to maintain the integrity and/or confidentiality of customer data or for the return of control over registrant systems. This type of attack often begins with someone clicking on what seems to look like an innocent message or attachment, but, once opened, an automatic download could potentially encrypt a whole network.

The alerts published by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (“CISA”) are encouraged to be monitored by the OCIE, SEC registrants and other financial services market participants. Registrants should also share these alerts with their third-party service providers.

The most recent alert was published on June 30th, 2020 :

CISA Alert – Dridex Malware available at https://www.us-cert.gov/ncas/alerts/aa19-339a

There are a number of different ways to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks. Along with reviewing the CISA Alerts, the OCIE recommends registrants utilize the following measures:

Incident Response and Resiliency Policies, Procedures and Plans. Contingency and disaster recovery plans should be consistently updated which may include the following:

  • response plans for various scenarios including other denial of service attacks

  • procedures for the timely response if an event occurs

  • procedures to contact law enforcement, new and existing clients, or whomever is appropriate to contact

  • procedures for addressing compliance with federal and state reporting requirements for cyber incidents

Operational Resiliency. The process of determining which systems and processes can be restored during a disruption. This includes focusing directly on how to continue if the primary system is unavailable. This also includes backing up data to a storage system in case the primary data sources become unavailable.

Awareness and Training Programs. Programs that provide the appropriate cybersecurity training and encourage phishing exercises to help employees gain knowledge and heighten awareness of cyber threats.

Vulnerability Scanning and Patch Management. Programs implemented consistently and frequently to take into consideration the current risks to the environment. All scans and updates should be set to take place automatically and all operating systems, application software and firmware should have the most current updates.

Access Management.  Managing user access through policies and technologies to ensure that:

  • the proper people have appropriate access. This includes all stages like on-boarding, transfers and terminations.

  • Implement separation of duties for user access approvals

  • Re-certify user access rights periodically

  • Change passwords periodically

  • Utilize multi-factor authentication

  • Revoke system access immediately for those terminated, including former contractors

Perimeter Security. Security should be implemented to control, monitor and inspect all incoming and outgoing network traffic to prevent any unauthorized or harmful traffic. This includes firewalls, intrusion detection systems, email security capabilities and web proxy systems with content filtering. Employing best practices for use of Remote Desktop Protocol (“RDP”), which provides a user with a graphical interface to connect to another computer over a network connection. RDP should be supported only through an encrypted Virtual Private Network (“VPN”) connection.

In addition to the OCIE alerts and CISA alerts, the SEC maintains a Cybersecurity Spotlight webpage which can be accessed by clicking this link.

Key Topics: Broker dealer compliance, Investment banking compliance, FINRA compliance consultants, Broker dealer compliance consultants, Outsourced compliance officer, Broker dealer compliance consulting firms, , Investment banking regulatory compliance, Broker dealer compliance requirements, Broker dealer compliance checklist, FINRA compliance training, Broker dealer compliance services, Continuing Education, Firm Element, Regulatory Element, Termination of Registrations, Training and Education Requirements, Securities Industry Professionals

Jon Hurd
Previous

SEC Charges App Developers for Unregistered Security-Based Swap Transactions
Next

ThinkAdvisor Article: “CCO Hit by FINRA for Business Email Infractions”