On July 10, 2020, the Securities and Exchange Commission, through its Office of Compliance Inspections and Examinations (OCIE), issued a warning to advisors and broker-dealers to “immediately” review their cybersecurity controls to prevent and respond to an increase in phishing campaigns and ransomware attacks.
The Risk Alert advises that the OCIE has “observed an apparent increase in sophistication of ransomware attacks on SEC registrants, which include broker-dealers, investment advisors, and investment companies….OCIE has observed ransomware attacks impacting service providers to registrants” and referred SEC registrants and other financial services providers to the Department of Homeland Security Infrastructure Security Agency’s (CISA) guidance published on June 30, 2020 warning of recent ransomware attacks.
OCIE encouraged SEC registrants and providers to share the CISA guidance with their vendors that have access to, collect and maintain client assets and records for SEC registrants.
The OCIE Alert provides “observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks. We have observed registrants utilizing the following measures:”
- Incident response and resiliency policies, procedures and plans
- Operational resiliency
- Awareness and training programs
- Vulnerability scanning and patch management
- Access management
- Perimeter security
All of these observations are basic cyber hygiene and are a timely reminder in the wake of a continued rise in ransomware attacks.