The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently published an alert on ransomware, informing financial institutions of a recent rise in phishing attempts targeting SEC registrants and their service providers.  The alert is the latest example of the SEC’s focus on cybersecurity issues at public companies and regulated entities.

The Alert appears to have two goals.  First, it suggests that firms should stay updated on current threats by monitoring the cybersecurity alerts published by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA).  In particular, it recommends CISA’s recent guidance on Dridex malware and its derivatives, which have been used against many financial institutions and their customers in recent years.  CISA expects this trend to continue.

Second, the alert offers a reminder of OCIE’s views regarding the different elements of a strong cybersecurity program.  OCIE recommends that financial institutions focus on the follow areas:

  • Incident Response.  Assess, test, and update their incident response and resiliency policies and procedures, which should include response plans for different data breach scenarios (such as ransomware or other denial of services attacks).  These plans should consider appropriate escalation to management, communication with and mandated reporting to law enforcement and regulators, and notification to affected customers.
  • Resiliency.  Consider their plans for operational resiliency, should a disruption occur.
  • Training.  Evaluate their employee cybersecurity awareness and training programs, including considering using phishing exercises to train employees to better identify phishing emails.
  • Patches.  Implement consistent vulnerability and patch management systems.
  • Access.  Manage employee access to data, including creating systems and procedures that limit access to information as appropriate based on job function, require re-certification for access on a periodic basis, require strong, periodically changed passwords and multi-factor authentication, and other controls to limit access to information.
  • Perimeter security.  Implement perimeter security capabilities that can control, monitor, and inspect all incoming and outgoing network traffic.  This should include evaluating Remote Desktop Protocol (RDP) exposure, using an application control capability to restrict unapproved software, and addressing security vulnerabilities of internet connections.

The alert does not cover new ground, but is a reminder of what OCIE looks for when conducting cybersecurity examinations.  A more detailed discussion is in OCIE’s recently published Cybersecurity and Resiliency Observations, which we summarized in a client memorandum earlier this year.

Elsewhere on the Cyber Blog, we have written about cyber-risk controls to consider during a pandemic, which provides timely advice for securing your systems.  And should you ever face the unfortunate situation, we have addressed the best ways to navigate a ransom demand.