RIA Compliance and Practice Management Blog

SEC RIA Cybersecurity Risk Alert Flags Ransomware Attacks

Posted by RIA in a Box

Jul 16, 2020 8:24:24 AM

On July 10, 2020, the Securities and Exchange Commission ("SEC") Office of Compliance Inspections and Examinations ("OCIE") released a new risk alert with information indicating "that one or more threat actors have orchestrated phishing and other campaigns designed to penetrate financial institution networks to, among other objectives, access internal resources and deploy ransomware." In addition, the risk alert identifies an "increase in sophistication of ransomware attacks on SEC registrants, which include broker-dealers, investment advisers, and investment companies."


Ransomware is a specific type of malware that, once installed on a computer or server, allows a bad actor to prevent an advisory firm from accessing its network data, most often by encrypting it. In other ransomware attacks, a staff member's entire computer is locked or is prevented from booting. Ransomware is often circulated via phishing emails and is most commonly installed when a staff member downloads a malicious file via an email attachment or web link, or clicks on a link within a phishing email. Once the malware has run, the user typically receives a message on the computer screen with instructions on how to pay the ransom to unlock the data. The Federal Bureau of Investigation generally encourages businesses not to pay such ransoms, and even if the ransom is paid, there is no guarantee that the data will be released.

In light of the recent ransomware threats, OCIE highly encourages registered investment adviser ("RIA") firms to monitor cybersecurity alerts issued by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency ("CISA"), more specifically their recent alert issued on June 30, 2020 on ransomware which covers "tactics and techniques used by certain threat actors, along with related indicators of compromise ("IOCs") and key mitigation strategies to reduce overall vulnerability."

The SEC staff provides some additional guidance to RIA firms on how to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks:

  • Incident response and resiliency policies, procedures and plans: Assessing, testing, and periodically updating incident response and resiliency policies and procedures, such as contingency and disaster recovery plans.
  • Operational resiliency: Determining which systems and processes are capable of being restored during a disruption so that business services can continue to be delivered.
  • Awareness and training programs: Providing specific cybersecurity and resiliency training, and considering undertaking phishing exercises to help employees identify phishing emails. Training provides employees with information concerning cyber risks and responsibilities and heightens awareness of cyber threats such as ransomware.
  • Vulnerability scanning and patch management: Implementing proactive vulnerability and patch management programs that take into consideration current risks to the technology environment, and that are conducted frequently and consistently across the technology environment.
  • Access management: Managing user access through systems and procedures that: (i) limit access as appropriate, including during onboarding, transfers, and terminations; (ii) implement separation of duties for user access approvals; (iii) re-certify users' access rights on a periodic basis (paying particular attention to accounts with elevated privileges including users, administrators, and service accounts); (iv) require the use of strong, and periodically changed, passwords; (v) utilize multi-factor authentication leveraging an application or key fob to generate an additional verification code; and (vi) revoke system access immediately for individuals no longer employed by the organization, including former contractors. Configuring access controls so users operate with only those privileges necessary to accomplish their tasks (i.e., least privilege access).
  • Perimeter security: Implementing perimeter security capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic. These capabilities include firewalls, intrusion detection systems, email security capabilities, and web proxy systems with content filtering.
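As an added illustration (not from the SEC alert or from RIA in a Box), the following script runs a periodic access review over a constructed account inventory and flags the conditions named in items (iii) through (vi) of the access-management guidance above. The 90-day and 365-day recertification windows and the 180-day password age are assumed policy values, not figures from the alert.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy values: privileged accounts (admins, service accounts) are
# re-certified quarterly, everyone else annually; passwords rotate within 180 days.
RECERT_DAYS = {True: 90, False: 365}
PASSWORD_MAX_AGE_DAYS = 180

@dataclass
class Account:
    user: str
    employed: bool            # False for departed employees and contractors
    privileged: bool          # administrators and service accounts
    mfa_enrolled: bool
    last_recertified: date
    last_password_change: date

def review_access(accounts, today):
    """Return {user: [findings]} for every account that needs action.

    Each finding names the OCIE access-management item it relates to so the
    CCO can trace the review back to the guidance.
    """
    findings = {}
    for a in accounts:
        issues = []
        if not a.employed:
            issues.append("revoke: no longer employed (vi)")
        if (today - a.last_recertified).days > RECERT_DAYS[a.privileged]:
            issues.append("recertify: review overdue (iii)")
        if not a.mfa_enrolled:
            issues.append("mfa: not enrolled (v)")
        if (today - a.last_password_change).days > PASSWORD_MAX_AGE_DAYS:
            issues.append("password: rotation overdue (iv)")
        if issues:
            findings[a.user] = issues
    return findings

# Constructed sample inventory; names and dates are made up for the example.
SAMPLE_ACCOUNTS = [
    Account("alice", True, False, True, date(2020, 1, 15), date(2020, 5, 1)),
    Account("bob_admin", True, True, True, date(2020, 3, 1), date(2020, 6, 1)),
    Account("svc_backup", True, True, False, date(2020, 7, 1), date(2019, 12, 1)),
    Account("carol_contractor", False, False, True, date(2020, 6, 1), date(2020, 6, 1)),
]

if __name__ == "__main__":
    for user, issues in review_access(SAMPLE_ACCOUNTS, date(2020, 7, 16)).items():
        print(user, "->", "; ".join(issues))
```

Run against a real directory export, the same function gives a reviewable list of accounts to revoke, re-certify, or enrol in MFA before the next examination.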

This latest risk alert highlights the SEC's continued focus on cybersecurity-related compliance issues for investment advisers. As such, we highly recommend that the Chief Compliance Officer ("CCO") and all advisory firm principals carefully review this latest SEC RIA compliance risk alert. Failure to address ransomware risks and to establish and implement policies and procedures could lead not only to regulatory compliance issues, but to even broader business issues.

Be sure to check back soon as we continue to provide updates on relevant RIA regulatory compliance focus areas.


RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.
