On 10th July 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued an alert noting a sophisticated cybersecurity ransomware attack campaign targeting investment advisers and other financial firms. In this alert, OCIE described “recent reports” indicating malicious actors had “orchestrated phishing and other campaigns designed to penetrate financial institution networks” to “access internal resources and deploy ransomware.” OCIE also reported having observed that ransomware attacks on SEC registrants appeared to have become more sophisticated and that such attacks have impacted various industry participants, including broker-dealers, investment advisers, investment companies and service providers to registrants.
RFA has discussed in prior blogs and webinars the evolution in the technology and strategy driving ransomware, especially during the Covid-19 pandemic. Modern attacks have become far more targeted: the threat actor gains access to the victim's data and uses that access, together with the stated intent to withhold or expose it, to hold the victim hostage.
RFA recommends reviewing and implementing these core recommendations from the Risk Alert:
- Review and implement incident response and resiliency policies, procedures, and plans. The OCIE Alert highlights the importance of assessing, testing, and updating incident response and resiliency policies and procedures, inclusive of testing scenarios such as a successful ransomware attack.
- Ensure operational resiliency. The OCIE Alert reiterates the importance of taking steps to ensure your critical applications continue to operate during an incident and having a plan in place to identify and restore systems to minimize any downtime.
- Review and implement awareness and training programs. The OCIE Alert highlighted the role of specific cybersecurity and resiliency training, including phishing exercises that help firms and their employees identify phishing emails.
- Vulnerability scanning and patch management. Vulnerability and patch management programs should be administered regularly and account for changes to technology, tactics, and strategies employed by threat actors. At a minimum, firms should make certain that firmware, operating systems, application software, anti-virus and other security tools are all properly updated.
- Access management. Because many malicious actors infiltrate by hijacking legitimate accounts through phishing emails and similar tactics, configuring your firm's network access controls so that users operate with only those privileges necessary to accomplish their tasks is a key part of any cyber-defense strategy. Other components of access management strategies highlighted by the OCIE Alert include:
  - Re-certifying users' access rights periodically
  - Using multi-factor authentication
  - Leveraging an application or key fob to generate an additional verification code
  - Removing system access immediately for individuals no longer employed by the firm
- Perimeter security. Perimeter security capabilities must be able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or potentially harmful traffic. Firewalls, intrusion monitoring and detection systems, and web proxy systems with content filtering are key components of this effort.
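The access management items above (least privilege, periodic re-certification, multi-factor authentication, and prompt removal of departed employees' access) are the kind of controls a firm can check mechanically rather than by hand. The script below is an added illustration, not code from RFA or from the OCIE Alert: it runs a simple access review over a constructed identity export and HR roster and flags each account that violates one of those four points. The account fields, role names, the review date and the 90-day re-certification window are all assumptions chosen for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not real firm data): what an identity-provider export
# and an HR roster might look like when pulled for a periodic access review.
ACCOUNTS = [
    {"user": "alice", "roles": ["trader"], "mfa": True, "last_recertified": "2020-05-01"},
    {"user": "bob", "roles": ["ops", "domain-admin"], "mfa": True, "last_recertified": "2019-12-15"},
    {"user": "carol", "roles": ["analyst"], "mfa": False, "last_recertified": "2020-06-20"},
    {"user": "dave", "roles": ["analyst"], "mfa": True, "last_recertified": "2020-06-01"},
]

# Current employees and their job function; "dave" is absent because he has left the firm.
HR_ROSTER = {"alice": "trader", "bob": "ops", "carol": "analyst"}

# Roles each job function is entitled to hold (assumed least-privilege baseline).
ROLE_ENTITLEMENTS = {"trader": {"trader"}, "ops": {"ops"}, "analyst": {"analyst"}}

# Assumed date on which the review is run (matches the date of the OCIE Alert).
REVIEW_DATE = date(2020, 7, 10)


def review_access(accounts, roster, entitlements, today, recert_days=90):
    """Return (user, finding) pairs for every account that fails a control.

    Checks, in order: departed employees who still have access, accounts without
    MFA, roles beyond the user's job-function entitlement, and stale re-certification.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]

        # Departed employee still present in the identity system: disable first,
        # the remaining checks are moot for an account that should not exist.
        if user not in roster:
            findings.append((user, "terminated-user-has-access"))
            continue

        if not acct["mfa"]:
            findings.append((user, "mfa-not-enforced"))

        # Least privilege: any role outside the job function's entitlement is excess.
        excess = set(acct["roles"]) - entitlements[roster[user]]
        if excess:
            findings.append((user, "excess-privilege:" + ",".join(sorted(excess))))

        # Periodic re-certification: flag when the last sign-off is older than the window.
        last = date.fromisoformat(acct["last_recertified"])
        if today - last > timedelta(days=recert_days):
            findings.append((user, "recertification-overdue"))
    return findings


def run_review(recert_days=90):
    """Run the review over the constructed sample data with the assumed review date."""
    return review_access(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, REVIEW_DATE, recert_days)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```

Each finding maps directly to one of the alert's access management points, so the output can be handed to the person who owns the re-certification process as a work list. In a real deployment the two input lists would come from the identity provider and the HR system of record, and the entitlement table would be the firm's own role-to-permission mapping.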
If you have questions or would like more information on how we can assist you, please contact us here or reach out to your RFA Account Manager.