On July 10,2020, the Securities and Exchange Commission ("SEC") Office of Compliance Inspections and Examinations ("OCIE") released a new risk alert with information indicating "that one or more threat actors have orchestrated phishing and other campaigns designed to penetrate financial institution networks to, among other objectives, access internal resources and deploy ransomware." In addition, the risk alert identifies an "increase in sophistication of ransomware attacks on SEC registrants, which include broker-dealers, investment advisers, and investment companies."
Ransomware is a specific type of malware that when installed on a computer or server, allows a bad actor to prevent an advisory firm from accessing network data often through the use of encryption. In other ransomware attacks, access to a staff member's entire computer is locked or their computer is prevented from being able to load. Ransomware malware is often circulated via phishing emails and most commonly installed when a staff member downloads a malicious file via an email attachment, web link, or by clicking on a link within a phishing email. Once exploited, the user often receives a message on the computer screen with instructions on how to pay the ransom to unlock the data. The Federal Bureau of Investigation generally encourages businesses to not pay such ransoms. And even if the ransom is paid, there is no guarantee that the data will be released.
In light of the recent ransomware threats, OCIE highly encourages registered investment adviser ("RIA") firms to monitor cybersecurity alerts issued by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency ("CISA"), more specifically their recent alert issued on June 30, 2020 on ransomware which covers "tactics and techniques used by certain threat actors, along with related indicators of compromise ("IOCs") and key mitigation strategies to reduce overall vulnerability."
The SEC staff provides some additional guidance to RIA firms on how to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks:
- Incident response and resiliency policies, procedures and plans: Assessing, testing, and periodically updating incident response and resiliency policies and procedures, such as contingency and disaster recovery plans.
- Operational resiliency: Determining which systems and processes are capable of being restored during a disruption so that business services can continue to be delivered.
- Awareness and training programs: Providing specific cybersecurity and resiliency training, and considering undertaking phishing exercises to help employees identify phishing emails. Training provides employees with information concerning cyber risks and responsibilities and heightens awareness of cyber threats such as ransomware.
- Vulnerability scanning and patch management: Implementing proactive vulnerability and patch management programs that take into consideration current risks to the technology environment, and that are conducted frequently and consistently across the technology environment.
- Access management. Managing user access through systems and procedures that: (i) limit access as appropriate, including during onboarding, transfers, and terminations; (ii) implement separation of duties for user access approvals; (iii) re-certify users’ access rights on a periodic basis (paying particular attention to accounts with elevated privileges including users, administrators, and service accounts); (iv) require the use of strong, and periodically changed, passwords; (v) utilize multi-factor authentication leveraging an application or key fob to generate an additional verification code; and (vi) revoke system access immediately for individuals no longer employed by the organization, including former contractors. Configuring access controls so users operate with only those privileges necessary to accomplish their tasks (i.e., least privilege access).
- Perimeter security. Implementing perimeter security capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic. These capabilities include firewalls, intrusion detection systems, email security capabilities, and web proxy systems with content filtering.
This latest risk alert continues to highlight the SEC's continued focus on cybersecurity-related compliance issues for investment advisers. As such, we highly recommend that the Chief Compliance Officer ("CCO") and all advisory firm principals carefully review this latest SEC RIA compliance risk alert. Failure to address ransomware risks and to establish and implement policies and procedures could lead to not only regulatory compliance issues, but even broader business issues.
Be sure to check back soon as we continue to provide updates on relevant RIA regulatory compliance focus areas.