SEC’s Ransomware Alert

SEC’s Ransomware Alert

04 August 2020

On July 10th the SEC issued a risk alert focusing on ransomware and the importance of generating awareness within advisory firms of current threats.  The SEC is encouraging registrants to monitor alerts provided by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and share the information gathered with third party service providers that maintain client assets and records of your firm.

Dridex Malware

One alert from CISA highlighted by the SEC is the Dridex Malware. The alert describes how the malware infiltrates systems, typically through Phishing Campaigns, and encourages the user to open an attachment.  The alert provides useful examples of links and filenames used by the Dridex Malware.  The CISA also provides recommendations for best practices to mitigate risks of vulnerability to the Malware.

SEC’s Observations

The SEC understands there is not a one size fits all solution to addressing cybersecurity. However, they do provide a list of measures they found adopted by registered firms. Since the SEC rarely offers policy and process advice, we suggest you review these and seriously consider if you need to adopt or adjust your policies.

  1. Adopt an incident response plan that incorporates the business continuity plan and ensure regular testing.
  2. Provide training to staff to heighten their awareness of the risks and habits they need to adopt.
  3. Establish a system to ensure software, firewalls, operation systems, anti-virus and anti-malware solutions are up to date.
  4. Enact policies and procedures to ensure user rights are being approved, reviewed, properly assigned and removed when employees are no longer with the firm.
  5. Adopt a strong password policy.
  6. Utilize multi-factor authentication.
  7. Implement perimeter security to control and monitor all incoming and outgoing network traffic.

Lessons Learned

  1. Educate yourself and your staff. Knowledge is a powerful tool! Take time and schedule to read the alerts provided by CISA and then educate your employees of current threats and what to look for. This doesn’t have to be the CCO, it can be IT (external or internal). We like regular Compliance Education Emails to remind employees of important tech-safety tips.
  2. Conduct Phishing Simulation Tests. The more frequently you employ phishing tests, the more prepared your employees are with the right tools and habits they need to prevent attacks.
  3. Hire an expert! We will be the first to admit we are not IT experts. As the CCO, it’s your job to know what you don’t know and hire the right people or firm to help you.

Conclusion

This is a good reminder that cybersecurity is a risk all firms face and to review your environment on a regular basis. Ensure the best possible controls have been established to mitigate the possibility of a threat. Cybersecurity has been a focus of the SEC for many years and will be for years to come.