Rimon

Increase in Sophistication of Ransomware Attacks on SEC Registrants

IM Report · Debbie A. Klis · July 12, 2020

On July 10, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a cybersecurity risk alert in which it discussed the flood of bad actors orchestrating phishing campaigns designed to penetrate financial networks to access internal resources and deploy ransomware. OCIE’s alert indicated that ransomware attacks on SEC registrants appeared to have become more widespread and sophisticated, affecting broker-dealers, investment advisers, investment companies and service providers to registrants.

OCIE’s alert is intended to urge SEC registrants to monitor Department of Homeland Security Cybersecurity and Infrastructure Agency (CISA) alerts, including CISA’s alert about the Dridex Malware (the “CISA Alert”). The CISA Alert is the result of recent collaboration between the Department of the Treasury Financial Sector Cyber Information Group and the Department of the Treasury’s Financial Crimes Enforcement Network to identify and share information with the financial services sector. OCIE’s alert is also intended to reveal the safeguards implemented by SEC registrants to prepare for potential ransomware attacks.

According to the CISA Alert, Dridex malware is typically sent via phishing email spam campaigns that contain legitimate business names and domains, professional terminology and language implying urgency. The CISA Alert contains examples of fraudulent emails, sample links and file names that may be used, and a list of email and IP addresses associated with the malware. It also sets forth certain steps that organizations should take to mitigate the risks associated with the malware, which include incorporating the email and IP addresses associated with the threats and always reporting all suspicious activity to law enforcement. The CISA Alert recommends actions that are consistent with the OCIE Alert.

The recommendations are extensive, both technical and practical in nature, and include reminders that when a recipient receives an email that may be fraudulent, the recipient should call the sender to confirm the message before engaging with it.

Being aware of the risk indicators, recommendations and mitigation steps set forth in the CISA Alert could help industry participants be better prepared to defend themselves from malware attacks. CISA reports that actors who use this malware typically target the financial services sector, including “customer data and [the] availability of data and systems for business processes.” Notably, in its Alert, OCIE makes clear that it is not only recommending that registrants review the alerts issued by CISA, but OCIE also specifically encourages registrants to share CISA alerts with their service providers, given that service providers often maintain the “client assets and records” that such ransomware attacks target.

Recognizing that there is no such thing as a “one-size fits all” approach, the OCIE alert provides detailed observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks, as seen in detail here: https://account.activedirectory.windowsazure.com/r.  See also the CISA Alert here: https://us-cert.cisa.gov/ncas/alerts/aa19-339a