The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity risk alert on July 10, 2020 regarding ransomware (Alert).¹ In the Alert, OCIE described “recent reports” that indicated that bad actors had “orchestrated phishing and other campaigns designed to penetrate financial institution networks” in order to “access internal resources and deploy ransomware.” OCIE also reported having observed that ransomware attacks on SEC registrants appeared to have become more sophisticated, and that such attacks have impacted a variety of industry participants, including broker-dealers, investment advisers, investment companies and service providers to registrants. As a result of the recent reports, OCIE published the Alert in order to: (i) specifically urge registrants to monitor Department of Homeland Security Cybersecurity and Infrastructure Agency (CISA) alerts, including the June 30, 2020 CISA alert regarding Dridex Malware (CISA Alert)² and share those alerts with their third-party service providers; and (ii) summarize the measures some industry participants have implemented in an effort to enhance their preparedness with respect to ransomware attacks. This OnPoint provides a brief overview of the June 2020 CISA Alert and sets forth some of OCIE’s observations regarding how registrants address ransomware-related risks.

June 2020 CISA Alert

While the CISA Alert is fairly technical in nature, it provides important information regarding tactics used by bad actors in relation to the Dridex malware, which is also relevant to legal and compliance professionals. For example, the CISA Alert makes clear that the Dridex malware is most often distributed through “phishing email spam campaigns” that combine “legitimate business names and domains, professional terminology and language implying urgency.” The CISA Alert also provides an overview of the text that may be used in such fraudulent emails, sample links and file names that may be used and a list of email and IP addresses associated with the malware. In addition, the CISA Alert sets forth certain steps that organizations should take to mitigate the risks associated with the malware, which include incorporating the “indicators of compromise” (e.g., the email and IP addresses associated with the threats) into intrusion detection and security alert systems and, more generally, reporting such suspicious activity, including by contacting law enforcement. Further, the CISA Alert recommends actions that all organizations should take in response to the malware, many of which are consistent with the observations summarized in the OCIE Alert. The list of more than 20 recommendations includes some that are technical in nature, but also practical recommendations (such as “maintaining situational awareness of latest threats”) and a reminder that when a recipient receives an email that may be fraudulent, the recipient should call and confirm the message with the sender before engaging with the message.

Being aware of the risk indicators, recommendations and mitigation steps set forth in the CISA Alert could help industry participants be better prepared to defend themselves from malware attacks. CISA reports that actors who use this malware typically target the financial services sector, including “customer data and [the] availability of data and systems for business processes.” Notably, in its Alert, OCIE makes clear that it is not only recommending that registrants review the alerts issued by CISA, but OCIE also specifically encourages registrants to share CISA alerts with their service providers, given that service providers often maintain the “client assets and records” that such ransomware attacks target.

OCIE Observations

OCIE divides its observations regarding practices used by registrants to address ransomware attacks into six different categories, which are discussed below. It is worth noting that some of the categories (including those regarding incident response, training and access management) have been prior OCIE areas of focus in its cybersecurity examinations as well as other OCIE risk alerts related to cybersecurity.

OCIE noted that it has observed registrants using the following measures to enhance their preparedness for ransomware attacks:

• Incident response and resiliency policies, procedures and plans. Registrants have assessed, tested and updated their incident response and resiliency policies and procedures, which may include “response plans for various scenarios,” including ransomware. OCIE also observed registrants having procedures regarding: the notification and escalation of incidents; compliance with reporting requirements at the state and federal level; and communication with law enforcement, regulators, customer and clients.
• Operational resiliency. Registrants have worked to determine which “systems and processes” could be restored in the event of a ransomware attack, with a focus on the continued operation of “critical applications.”
• Awareness and training programs. Registrants have incorporated cybersecurity into their training programs, including through the use of phishing exercises so that personnel are able to appropriately identify phishing and other fraudulent emails. While not specifically identified by OCIE, registrants also may consider implementing readily-accessible mechanisms to report suspected phishing emails, or adding “external email” headers to relevant incoming messages.
• Vulnerability scanning and patch management. Registrants have implemented “proactive vulnerability and patch management programs" that account for current risks and are deployed “across the technology environment.” Registrants also have taken steps to ensure that firmware, software and applications have implemented the most recent system updates and that anti-virus and anti-malware solutions update automatically.
• Access management. Registrants have managed user access through a variety of methods, including: access limitation; separation of duties; re-certification of existing access; the use of multi-factor authentication; and the immediate revocation of system access for individuals who are no longer with the firm.
• Perimeter security. OCIE observed registrants that are “able to control, monitor and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic” through various methodologies, such as firewalls, email security and intrusion detection systems. This includes using best practices for Remote Desktop Protocol (RDP) and controlling applications to make sure that only software that is approved by the firm is permitted.

Conclusion

As noted in the Alert, many of the above measures also were detailed in OCIE’s January 27, 2020 report on Cybersecurity and Resiliency Observations,³ and the SEC continues to focus on cybersecurity, as it has for many years. As a result, many of the observations are not new. However, the Alert does provide more detailed guidance regarding considerations industry participants should account for when designing and implementing their cybersecurity risk management programs, particularly in response to the current phishing and ransomware-related risks registrants face. Furthermore, by specifically urging registrants to review CISA alerts and pass these along to their third-party service providers, OCIE has encouraged industry participants to not only stay up-to-date regarding current risks, but also to take proactive steps to address those risks and protect customer information, whether it resides on the registrants’ systems or those of a third-party provider whom they have engaged. OCIE recognizes in the Alert that a “one-size-fits-all” approach to ransomware preparedness is not possible, and OCIE does not intend the Alert to “create new or additional obligations.” Nonetheless, registrants should heed OCIE’s recommendations to: monitor the cybersecurity alerts published by CISA; and review their policies, procedures and protocols in light of such alerts. Registrants also should consider the ransomware preparedness practices highlighted by OCIE in the Alert and consider whether enhancements should be made to their cybersecurity policies and practices.