The staff (“Staff”) of the SEC’s Office of Compliance Inspections and Examinations released a Risk Alert that provides observations to assist SEC registrants (“registrants”) in their consideration of how to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks.1 The Staff stated that recent reports indicate that one or more threat actors have orchestrated phishing and other campaigns designed to penetrate financial institution networks in order to, among other objectives, access internal resources and deploy ransomware.2
The Staff encouraged registrants to monitor the cybersecurity alerts published by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (“CISA”), including the CISA alert published on June 30, 2020 relating to recent ransomware attacks.3
Recognizing that there is no “one-size-fits-all” approach, the Staff provided the following observations of measures to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks:
- Incident response and resiliency policies, procedures and plans, including assessing, testing, and periodically updating incident response and resiliency policies and procedures, such as contingency and disaster recovery plans. These policies and procedures may include (i) response plans for various scenarios, procedures for the timely notification and response if an event occurs, a process to escalate incidents to appropriate levels of management (including legal and compliance functions), and communication with the registrant’s key stakeholders, (ii) procedures for addressing compliance with federal and state reporting requirements for cyber incidents or events, and (iii) procedures to contact law enforcement, inform regulators and promptly notify new and existing customers and clients, as appropriate.
- Operational resiliency, including determining which systems and processes are capable of being restored during a disruption so that business services can continue to be delivered. For example, the Staff observed registrants that focused on the capability to continue operating critical applications if the primary system is unavailable, and on ensuring geographic separation of back-up data in an immutable storage system in the event primary data sources are unavailable.
- Awareness and training programs, including providing specific cybersecurity and resiliency training, and undertaking phishing exercises to help employees identify phishing emails.
- Vulnerability scanning and patch management, including implementing proactive vulnerability and patch management programs that take into consideration current risks to the technology environment, and that are conducted frequently and consistently across the technology environment. The Staff observed measures to (i) ensure that all firmware, operating systems, application software, and anti-virus and other host-based security tools have the most current updates, (ii) ensure that anti-virus and anti-malware solutions are set to update automatically, and that regular scans are conducted, and (iii) consider upgrading anti-malware capability to include advanced endpoint detection and response capabilities.
- Access management, including managing user access through systems and procedures that (i) limit access as appropriate, including during onboarding, transfers, and terminations, (ii) implement separation of duties for user access approvals, (iii) re-certify users’ access rights on a periodic basis (paying particular attention to accounts with elevated privileges including users, administrators, and service accounts), (iv) require the use of strong, and periodically changed, passwords, (v) utilize multi-factor authentication leveraging an application or key fob to generate an additional verification code, and (vi) revoke system access immediately for individuals no longer employed by the organization, including former contractors. The Staff also observed measures to configure access controls so that users operate with only those privileges necessary to accomplish their tasks (i.e., least privilege access).
- Perimeter security, including implementing perimeter security capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic. The Staff observed capabilities that include firewalls, intrusion detection systems, email security capabilities, and web proxy systems with content filtering. For example, the Staff observed registrants employing best practices for use of Remote Desktop Protocol (RDP), using an application control capability that ensures only approved software can be executed, and using a security proxy server to control and monitor access to the internet to address potential security vulnerabilities of internet connections.
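The access management observations above (periodic re-certification of access rights with attention to privileged and service accounts, multi-factor authentication, and immediate revocation for departed employees and contractors) lend themselves to a routine check against an HR roster. The script below is an added example written for this summary; it is not from the Risk Alert or from Seward & Kissel, and the roster format, the account fields, the sample data and the 90-day/30-day re-certification windows are all assumptions chosen for illustration.

```python
"""Access re-certification check (added example, not from the Risk Alert).

Compares an identity-system account export against an HR roster and flags
the conditions the Risk Alert's access-management observations call out:
active accounts whose owner is no longer active in HR (including former
contractors), privileged accounts without MFA, and accounts whose access
has not been re-certified within the review window.  Privileged and
service accounts get a shorter window, reflecting the Alert's emphasis on
elevated privileges.  All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    username: str
    owner: str             # HR identifier of the responsible person (assumed field)
    privileged: bool       # administrator or service-account privileges
    mfa_enrolled: bool
    last_certified: date   # date an approver last re-certified this access
    enabled: bool = True


# Constructed HR roster: employee/contractor id -> employment status.
HR_ROSTER = {
    "e100": "active",
    "e101": "terminated",
    "e102": "active",
    "c200": "terminated",   # former contractor, still has an enabled account below
}

# Constructed account export.
ACCOUNTS = [
    Account("jdoe", "e100", privileged=False, mfa_enrolled=True, last_certified=date(2020, 5, 1)),
    Account("asmith-adm", "e101", privileged=True, mfa_enrolled=True, last_certified=date(2020, 4, 1)),
    Account("svc-backup", "e102", privileged=True, mfa_enrolled=False, last_certified=date(2019, 9, 15)),
    Account("contractor1", "c200", privileged=False, mfa_enrolled=False, last_certified=date(2020, 6, 1)),
    Account("old-admin", "e102", privileged=True, mfa_enrolled=True, last_certified=date(2019, 1, 1), enabled=False),
]


def review_access(accounts, roster, today, recert_days=90, privileged_recert_days=30):
    """Return a list of (username, finding) tuples for enabled accounts.

    Findings:
      owner_not_active        - owner is terminated or missing from the roster
      privileged_without_mfa  - elevated account not enrolled in MFA
      recertification_overdue - last approval older than the applicable window
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already revoked; nothing to report
        if roster.get(acct.owner) != "active":
            findings.append((acct.username, "owner_not_active"))
        if acct.privileged and not acct.mfa_enrolled:
            findings.append((acct.username, "privileged_without_mfa"))
        window = privileged_recert_days if acct.privileged else recert_days
        if today - acct.last_certified > timedelta(days=window):
            findings.append((acct.username, "recertification_overdue"))
    return findings


def run_sample_review():
    """Run the review over the constructed data as of a fixed date."""
    return review_access(ACCOUNTS, HR_ROSTER, today=date(2020, 7, 15))


if __name__ == "__main__":
    for username, finding in run_sample_review():
        print(f"{username:12s} {finding}")
```

Against the constructed data, the disabled `old-admin` account produces nothing (access was already revoked), `contractor1` is flagged only because its owner has left, and the two privileged accounts each produce two findings. In practice the roster and export would come from the HR system and the directory or identity provider, and the findings would feed the periodic re-certification the Staff describes rather than be acted on automatically.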
S&K Observations
The Staff concluded the Risk Alert by noting the SEC’s continued focus on cybersecurity issues, and reminding registrants that cybersecurity and information security have been a key examination priority of the Staff for many years.
Seward & Kissel LLP, and our compliance consulting service SKRC (Seward & Kissel Regulatory Compliance), are available to assist advisers in the design and implementation of written policies and procedures to address the considerations identified in the Risk Alert.