OCIE and Cybersecurity: A Key Issue for All

The Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert titled CyberSecurity: Ransomware Alert (July 10, 2020)(here). The OCIE Alert follows one issued on the same topic by Homeland Security (AA19-339A), dated June 30 2020 (here), which is a joint product of Treasury and FinCEN. That alert provides an overview of malware, related activity and a list of previously unreported indicators of compromise reported to FinCEN.

The OCIE Alert draws on its experience and the Homeland Security Alert. There has been an apparent increase in sophisticated ransomware attacks on SEC registrants, including broker-dealers, investment advisers and investment companies, according to OCIE. The perpetrators of those attacks typically demand compensation to maintain the integrity and/or confidentiality of customer data or for the return of control over the systems.

OCIE distilled its observations and comments into six points:

Incident response and resiliency policies: Policies and procedures relied by the organization should center on incident response and resiliency policies and procedures. They typically include: Response plans for various scenarios; procedures for timely transmitting the information up the management ladder in the organization; ensuring compliance with federal and state legal requirements; and procedures for contacting law enforcement.

Operational resiliency: The organization must determine which systems can be restored during the disruption. This includes: Focusing on which applications can continue to operate and which are unavailable. It also includes ensuring the geographic separation of back-up data and writing it to an immutable storage system if the primary data is unavailable.

Awareness and training: Employees should be provided with specific cybersecurity and resiliency training and information regarding cybersecurity and responsibilities.

Vulnerability scanning and patch management: The firm should implement proactive vulnerability and patch management programs by ensuring that all firmware, operating systems and application software have the most current updates. Anti-virus and anti-malware solutions should be set to update automatically.

Access management: Managing access through a series of steps is important. Those include limiting access as appropriate, having a separation of duties, re-certifying access periodically, having strong passwords that periodically change, having an additional verification, and revoking access immediately when an employee is terminated.

Perimeter security: The firm should implement perimeter security capabilities that can control, monitor and inspect all traffic. This should include adopting best practices for remote desktop protocols, ensuring that only approved software can be executed and using a security proxy server to control and monitor access to the internet.

Cybersecurity is a continuing issue as highlighted by the Homeland Security alert cited above. It is also an OCIE exam item.