Alston & Bird Privacy Blog
SEC’s OCIE Issues Ransomware Risk Alert

July 13, 2020 By Kate Hanniford

On July 10, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert noting the increasing sophistication of ransomware attacks on SEC registrants and on service providers to SEC registrants. The Risk Alert is notable for two reasons: it encourages financial services market participants broadly, not just SEC registrants, to monitor CISA alerts, and it describes with unusual specificity the cybersecurity measures it recognizes as defenses against current ransomware threats.

The Risk Alert notes the general usefulness of CISA alerts, points specifically to the June 30, 2020 recap of technical details of the most active threats and the December 2019 CISA and Treasury Report on Dridex malware, and specifically encourages registrants to share this information with their third-party service providers.

Although this latest Risk Alert reiterates OCIE’s January 2020 observations in its treatment of incident response, access management, and training and awareness as key cybersecurity measures to combat ransomware, it also provides additional, more detailed observations. This enhanced specificity in response to the particular threat of ransomware may assist financial services market participants in confirming that their information security programs and anti-malware defenses are attuned to industry standards, as observed by OCIE, for defending against the troubling spate of recent ransomware attacks.

Operational Resiliency. The Risk Alert includes two new observations related to operational resiliency. First, registrants are determining which systems and processes are capable of being restored during a disruption so that business services can continue. Second, registrants are focusing on the capability to continue operations in the event a primary system is unavailable, which underscores the importance of “geographic separation of back-up data, and writing back-up data to an immutable storage system in the event primary data sources are unavailable.”

Vulnerability Scanning & Patch Management.  In addition to reinforcing the importance of vulnerability scanning and patch management, the Risk Alert explicitly notes the use of proactive vulnerability and patch management programs that (i) consider current risks; (ii) are conducted frequently; and (iii) are applied consistently across the environment. This includes the consideration of upgrades to anti-malware capabilities that include “advanced endpoint detection and response capabilities.”

Perimeter Security.  The Risk Alert significantly expands on the observations outlined in January 2020 by recognizing the existence of best practices for the use of Remote Desktop Protocol (RDP).  These practices include: (i) the capability to audit networks for systems using RDP; (ii) closing unused RDP ports; (iii) monitoring RDP login attempts; and (iv) requiring an encrypted Virtual Private Network (VPN) connection where RDP is used.  The Risk Alert also acknowledges (i) the use of application control capability, so that only approved software can be executed; and (ii) the use of a security proxy server to control and monitor access to the internet, to address potential security vulnerabilities of internet connections.
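One of the RDP practices the Risk Alert recognizes is monitoring RDP login attempts. The following is an added example, not part of the Risk Alert or of this post, showing what that monitoring can look like in practice: it scans constructed Windows Security event records for bursts of failed RDP logons (Event ID 4625 with Logon Type 10, RemoteInteractive) from a single source, the pattern a password-guessing campaign against an exposed RDP endpoint leaves behind. The event tuple layout, thresholds and IP addresses are assumptions chosen for the example.

```python
"""Flag bursts of failed RDP logons in Windows Security events (constructed data).
Event ID 4625 = failed logon; Logon Type 10 (RemoteInteractive) = came in over RDP."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account)
SAMPLE_EVENTS = [
    ("2020-07-10T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-07-10T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2020-07-10T02:00:04", 4625, 10, "203.0.113.7", "backup"),
    ("2020-07-10T02:00:06", 4625, 10, "203.0.113.7", "sqlsvc"),
    ("2020-07-10T02:00:08", 4625, 10, "203.0.113.7", "jsmith"),
    ("2020-07-10T02:05:00", 4625, 10, "198.51.100.2", "jsmith"),  # single typo, benign
    ("2020-07-10T02:05:30", 4625, 3, "198.51.100.9", "svc"),      # network logon, not RDP
    ("2020-07-10T02:06:00", 4625, 10, "192.0.2.5", "a"),
    ("2020-07-10T03:06:00", 4625, 10, "192.0.2.5", "b"),         # an hour apart, no burst
]

def rdp_failures_by_source(events):
    """Group failed RDP logons (4625 with logon type 10) by source IP, time-ordered."""
    grouped = defaultdict(list)
    for ts, event_id, logon_type, src, account in events:
        if event_id == 4625 and logon_type == 10:
            grouped[src].append((datetime.fromisoformat(ts), account))
    return {src: sorted(attempts) for src, attempts in grouped.items()}

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failures, accounts)} for each source that produced at
    least `threshold` failed RDP logons within any span of length `window`."""
    alerts = {}
    for src, attempts in rdp_failures_by_source(events).items():
        times = [t for t, _ in attempts]
        start = 0
        for end in range(len(times)):
            # advance the window start until the span fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                accounts = sorted({acct for _, acct in attempts[start:end + 1]})
                alerts[src] = (end - start + 1, accounts)
                break  # one alert per source is enough for triage
    return alerts

if __name__ == "__main__":
    for src, (count, accounts) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {count} failed RDP logons in one minute; accounts tried: {accounts}")
```

In a real deployment the same logic would run over events exported from the Security log or a SIEM, and a burst followed by a successful Event ID 4624 from the same source is the case that warrants an incident ticket.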

The Risk Alert closes by noting the SEC’s longstanding focus on cybersecurity and OCIE’s view of cybersecurity both as a key examination priority and as a key risk area on which registrants should focus.

Filed Under: Advisories, Cyber Risk, Data Security

About Kate Hanniford

Kate Hanniford is a member of the Technology & Privacy Group and Cybersecurity Preparedness & Response Team. She focuses her practice on cybersecurity counseling, as well as federal securities law compliance, enforcement, and litigation.


Copyright © 2021 · Alston & Bird · All Rights Reserved.