On July 10, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert noting the increasing sophistication of ransomware attacks on SEC registrants and on service providers to SEC registrants. The Risk Alert is notable for encouraging financial services market participants more broadly, not just SEC registrants, to monitor CISA alerts, and for the specificity of the cybersecurity measures it lists as recognized defenses against current ransomware threats.
The Risk Alert notes the general usefulness of CISA alerts, pointing in particular to the June 30, 2020 recap of technical details of the most active threats and the December 2019 CISA and Treasury report on Dridex malware, and it specifically encourages registrants to share this information with their third-party service providers.
Although this latest Risk Alert reiterates OCIE’s January 2020 observations in its treatment of incident response, access management, and training and awareness as key cybersecurity measures to combat ransomware, it also provides additional, more detailed observations. This enhanced specificity in response to the particular threat of ransomware may assist financial services market participants in confirming that their information security program and anti-malware defenses are attuned to industry standards, as observed by OCIE, for defending against the troubling spate of recent ransomware attacks.
Operational Resiliency. The Risk Alert includes two new observations related to operational resiliency: first, that registrants are determining which systems and processes are capable of being restored during a disruption so that business services can continue; and second, that registrants are focusing on the capability to continue operations in the event a primary system is unavailable, which underscores the importance of “geographic separation of back-up data, and writing back-up data to an immutable storage system in the event primary data sources are unavailable.”
Vulnerability Scanning & Patch Management. In addition to reinforcing the importance of vulnerability scanning and patch management, the Risk Alert explicitly notes the use of proactive vulnerability and patch management programs that (i) consider current risks; (ii) are conducted frequently; and (iii) are applied consistently across the environment. This includes the consideration of upgrades to anti-malware capabilities that include “advanced endpoint detection and response capabilities.”
Perimeter Security. The Risk Alert significantly expands on the observations outlined in January 2020 by recognizing the existence of best practices for the use of Remote Desktop Protocol (RDP). These practices include: (i) the capability to audit networks for systems using RDP; (ii) closing unused RDP ports; (iii) monitoring RDP login attempts; and (iv) requiring an encrypted Virtual Private Network (VPN) connection where RDP is used. The Risk Alert also acknowledges (i) the use of application control capability, so that only approved software can be executed; and (ii) the use of a security proxy server to control and monitor access to the internet, to address potential security vulnerabilities of internet connections.
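Two of the RDP practices above, auditing which systems actually accept RDP sessions and monitoring RDP login attempts, reduce to a simple review of Windows Security events. The following is an added example, not part of the Risk Alert or the OCIE observations: it runs over constructed event records shaped like Event ID 4625 (failed logon) and 4624 (successful logon), treats LogonType 10 (RemoteInteractive) as an RDP session, and compares observed hosts against an assumed inventory of approved RDP hosts; host names, addresses and the failure threshold are invented.

```python
"""Flag suspicious RDP logon activity from Windows Security events.

Added example. The sample records are constructed to mimic the fields of
Event ID 4625 (failed logon) and 4624 (successful logon); LogonType 10 is
RemoteInteractive, i.e. an RDP session. Hosts, accounts and IPs are invented.
"""
from collections import Counter, defaultdict

RDP_LOGON_TYPE = 10
FAILED, SUCCESS = 4625, 4624

# Assumed inventory: hosts where RDP is sanctioned (reached over the VPN).
APPROVED_RDP_HOSTS = {"jump01", "jump02"}

# Constructed sample events: (event_id, host, account, source_ip, logon_type)
SAMPLE_EVENTS = [
    (FAILED, "jump01", "svc_backup", "198.51.100.7", 10),
    (FAILED, "jump01", "administrator", "198.51.100.7", 10),
    (FAILED, "jump01", "admin", "198.51.100.7", 10),
    (FAILED, "jump01", "root", "198.51.100.7", 10),
    (FAILED, "jump01", "guest", "198.51.100.7", 10),
    (SUCCESS, "jump01", "jdoe", "10.20.0.5", 10),
    (SUCCESS, "fileserver03", "jdoe", "10.20.0.9", 10),  # RDP on a host not in the inventory
    (FAILED, "jump02", "jdoe", "10.20.0.5", 3),          # network logon, not RDP
]


def analyze_rdp_events(events, approved_hosts=APPROVED_RDP_HOSTS, fail_threshold=5):
    """Return (brute_force_sources, unapproved_rdp_hosts).

    brute_force_sources: source IPs with at least fail_threshold failed RDP
    logons, mapped to the number of distinct accounts tried (many accounts
    from one source is a password-spraying indicator).
    unapproved_rdp_hosts: hosts with a successful RDP logon that are not on
    the approved list, i.e. RDP is enabled where the inventory says it is not.
    """
    fails = Counter()
    accounts = defaultdict(set)
    unapproved = set()
    for event_id, host, account, src, logon_type in events:
        if logon_type != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive (RDP) sessions are of interest here
        if event_id == FAILED:
            fails[src] += 1
            accounts[src].add(account)
        elif event_id == SUCCESS and host not in approved_hosts:
            unapproved.add(host)
    brute = {src: len(accounts[src]) for src, n in fails.items() if n >= fail_threshold}
    return brute, unapproved


if __name__ == "__main__":
    brute, unapproved = analyze_rdp_events(SAMPLE_EVENTS)
    print("possible RDP brute force (source -> distinct accounts):", brute)
    print("RDP in use on unapproved hosts:", sorted(unapproved))
```

In practice the event tuples would come from the Security log (e.g. exported via the Windows Event Forwarding pipeline or a SIEM), and the approved-host set from the asset inventory the first RDP practice calls for.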
The Risk Alert closes by noting the SEC’s longstanding focus on cybersecurity and OCIE’s view of cybersecurity as both a key examination priority and a key risk area on which registrants should focus.