SEC Issues New Cyber Risk Alert to Financial Firms

Financial firms have a bigger target on their backs at the moment, according to a new risk alert issued July 10, 2020 by the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE).  This new risk alert on ransomware cautions investment advisers, broker-dealers, and investment companies that OCIE has recently observed a marked increase in cyberattacks targeting SEC registrants and the service providers to such registrants. The ransomware usually infiltrates firm networks through phishing, and OCIE highlights that through its coordination with federal, state, and local authorities investigating incidents, the level of sophistication of these recent cyberattacks has increased. The current risk alert follows on the heels of another ransomware risk alert issued by OCIE in 2017 when the WannaCry ransomware was causing widespread disruption to financial firms.

In particular, OCIE warns registrants about new variants of the Dridex ransomware currently being used by hackers, which was previously noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) at the end of June. This malware is dangerous because it has the ability to detect when users visit financial websites and install keyloggers and capture screenshots (which may include account numbers), in addition to the usual ransomware functionality of locking files to hold for ransom and deleting files.

One large registrant disclosed last week that it suffered a cybersecurity attack, a sign that these attacks aren’t just theoretical.

The good news for financial firms is that OCIE notes several practices to strengthen operational resiliency, including ways to enhance incident response plans and business continuity procedures, security awareness training programs such as conducting phishing testing for staff, and the importance of regular vulnerability scanning and network perimeter testing.

CSS is pleased to be at the forefront of helping clients manage their cybersecurity risks through services including phishing testing, security awareness training, vulnerability scanning, penetration testing, dark web monitoring for compromised credentials and drafting of incident response plans and BCPs. Please contact us at cybersecurity@cssregtech.com to inquire about how we can help make your firm stronger in protecting your data and that of your clients.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Latest Content

Service Provider Due Diligence – Building Effective Partnerships

In 2009, the SEC stated at its CCOutreach Program that “when a service provider is utilized, the adviser still retains its fiduciary responsibilities for the delegated services.” This philosophy is as true today as it was 10-plus years ago. Therefore, the question becomes how do you establish a due diligence oversight program for your firm’s … Continued

SEC Adopts Changes to Reporting Forms

Regulation of Derivatives Use by RICs and BDCs Recognizing the proliferation of new derivate products in our markets, the SEC voted to adopt a new regulatory framework for the use of derivatives by mutual funds, ETFs, closed-end funds, and business development companies. The SEC’s press release stated that, “The new rule and rule amendments will … Continued

Time to Use the Bat Phone: Who to Call When a Compliance Officer Needs Help?

It seems that the burden of work continues to increase for compliance professionals in the investment management industry. While also ensuring that their compliance program is effective, compliance officers must also be aware of cybersecurity threats, business continuity plans, new regulations, changes in business strategy, and more – all while doing this under a work … Continued