July 16, 2020
Authored by: Vicki Westerhaus, Kelly Sullivan and Jeff Ziesman
The SEC’s Office of Compliance and Examinations (OCIE) issued a risk alert on July 10 about its observation of an apparent increase in the sophistication of ransomware attacks on SEC registrants, including broker-dealers, investment advisers and investment companies, as well as attacks impacting service providers to public financial institutions.
Recognizing the SEC’s alert and other recent cyber incidents, we encourage all public companies, financial institutions and their service providers to consider their cybersecurity preparedness and operational resiliency to address hacking and, in particular, ransomware attacks, consistent with the advice of the OCIE and the Department of Homeland Security. This is particularly important given that OCIE once again advised financial institutions, in its 2020 Examination Priorities release, that Information Security was one of its top priorities.
In its risk alert, OCIE cited recent reports of one or more threat actors orchestrating phishing and other campaigns designed to penetrate financial institution networks, primarily to access internal resources and deploy ransomware, a type of malware designed to provide unauthorized access to institutions’ systems and deny the institution use of its system until a ransom is paid. OCIE also noted ransomware attacks impacting service providers to public companies.
OCIE encouraged public companies and their service providers to monitor cybersecurity alerts published by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), including the alert published on June 30, 2020, relating to a particular malware focused on financial institutions and their customers.
The OCIE alert noted that information security is a key risk area on