OCIE risk alert suggests beefing up cyber P&Ps

The Office of Compliance Inspections and Examinations issued a warning about increasing cyber risks to registrants with the Securities and Exchange Commission, and outlined six areas they should review.

Cyber-baddies targeting financial professionals have stepped up their game, so now’s a good time for investment advisors and broker-dealers to step up, too, the Office of Compliance Inspections and Examinations said in a recent risk alert.

“OCIE has observed an apparent increase in sophistication of ransomware attacks on SEC registrants,” the July 10 risk alert states. “In addition, OCIE has observed ransomware attacks impacting service providers to registrants.”

The OCIE alert, promised earlier this year, comes eight months after the Trump Administration issued an alert about the so-called Dridex malware, backed by international gangsters, that targets financial services companies and their customers (as reported by sister title Regulatory Compliance Watch in March). One Moscow-based outfit, which actually called itself “Evil Corp,” made off with more than $100 million across 40 countries, the Department of Treasury said.

Six pillars

OCIE urged investment advisors to take a new look at six broad cybersecurity-related areas:

  • Incident response and resiliency: firms should review their P&Ps around phishing schemes. They should probably also game-plan for cyber-attacks, with an eye toward keeping hackers out but also minimizing the damage they do if they do breach your firm’s security.
  • Operational resiliency: ask yourself what systems your firm needs to keep up and running and create back-ups for those systems. Also, consider keeping back-up systems far apart and sending back-up data to “an immutable storage system” just in case the primary system is hacked.
  • Awareness and security: make sure you’re offering “specific” training and also consider “undertaking phishing exercises” to help keep your staff on their toes.
  • Vulnerability scanning and patch management: does your firm “proactively” update its systems (including anti-virus and anti-malware technology)? Are they updated automatically, and scanned regularly? Can you upgrade your current anti-malware “to include advanced endpoint detection and response capabilities?”
  • Access management: does your firm limit employee access during staff probationary periods, transfers or terminations? Are you keeping user access approval separate from other duties? Do you regularly re-certify users’ access? Does your firm require “strong, and periodically changed, passwords?” Are you using multi-factor authentication? Are you able to revoke access quickly for former employees and contractors?
  • Perimeter security: does your firm use firewalls, intrusion detection systems, e-mail security capabilities and web proxy systems with content filters? Given how many employees are working outside the office, does your firm follow Remote Desktop Protocol best practices, “including auditing networks for systems using RDP, closing unused RDP ports, and monitoring RDP login attempts” (RCW, May 15, 2020)? Additionally, are you using encrypted virtual private network connections to make sure those remote employees aren’t letting the vampires in? What about application controls, to make sure only company-approved software will run on those remote company computers? Or a proxy server to “control and monitor access to the Internet?”
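As a concrete picture of what “monitoring RDP login attempts” can mean in practice, here is an added example (not code from OCIE, the SEC or RCW) that scans Windows Security logon events for two patterns a compliance team would want surfaced: a burst of failed RDP logons from one source, and a successful RDP logon from outside the address ranges the firm expects its VPN and office users to come from. The event records are constructed for the example, and the allowed address prefixes are an assumption a firm would replace with its own.

```python
# Added example (not from the OCIE alert or RCW): flag RDP logon patterns in
# Windows Security events. Event records are constructed; field names follow
# event IDs 4624/4625, where LogonType 10 is RemoteInteractive (RDP).
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10             # RemoteInteractive, i.e. an RDP session
FAILED_LOGON, SUCCESS_LOGON = 4625, 4624

def ev(t, event_id, logon_type, ip, user):  # build one constructed event record
    return {"time": t, "event_id": event_id, "logon_type": logon_type, "ip": ip, "user": user}

SAMPLE_EVENTS = [  # constructed: 203.0.113.9 fails five times in three minutes, then gets in
    ev("2020-07-10T08:00:05", 4625, 10, "203.0.113.9", "admin"),
    ev("2020-07-10T08:00:40", 4625, 10, "203.0.113.9", "administrator"),
    ev("2020-07-10T08:01:12", 4625, 10, "203.0.113.9", "jsmith"),
    ev("2020-07-10T08:02:03", 4625, 10, "203.0.113.9", "jsmith"),
    ev("2020-07-10T08:02:55", 4625, 10, "203.0.113.9", "jsmith"),
    ev("2020-07-10T08:03:30", 4624, 10, "203.0.113.9", "jsmith"),
    ev("2020-07-10T08:05:00", 4625, 10, "198.51.100.4", "bob"),
    ev("2020-07-10T08:06:00", 4624, 10, "10.0.0.5", "alice"),
    ev("2020-07-10T08:07:00", 4625, 2, "10.0.0.7", "carol"),   # console logon, not RDP
]

def failed_rdp_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak_count} for sources with >= threshold failed RDP logons in any window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            by_ip[e["ip"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0  # sliding window over this source's failure timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def rdp_logons_from_unexpected_sources(events, allowed_prefixes=("10.", "192.168.")):
    """Return (ip, user) for successful RDP logons from outside the expected LAN/VPN ranges (assumed prefixes)."""
    return [
        (e["ip"], e["user"]) for e in events
        if e["event_id"] == SUCCESS_LOGON and e["logon_type"] == RDP_LOGON_TYPE
        and not e["ip"].startswith(allowed_prefixes)
    ]
```

Run against the sample, the burst check reports 203.0.113.9 with five failures and the source check reports the later successful logon from that same address, which is exactly the sequence a lockout policy, MFA on RDP, or keeping RDP behind the VPN is meant to prevent.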

This article first appeared on sister title Regulatory Compliance Watch.