Fri, Jul 17, 2020

OCIE Risk Alert - Cyber Security: Ransomware Alert

On July 10, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published an alert sharing its observations on improving operational resiliency and responding effectively to cyber threats, prompted by an increase in the sophistication of ransomware attacks on SEC registrants, which include broker-dealers, investment advisers and investment companies.

Recent reports indicate that one or more threat actors have orchestrated phishing and other campaigns designed to penetrate financial institution networks to access internal resources and deploy ransomware. The OCIE has also observed ransomware attacks impacting service providers to registrants.

Ransomware is a type of malware designed to provide an unauthorized actor access to institutions’ systems and to deny use of those systems until a ransom is paid. Victims are usually asked to pay ransom in order to maintain the integrity and/or confidentiality of their data or to regain control over their systems. 

In light of these threats, the OCIE recommended that registrants, including third-party service providers to registrants, monitor available information on ransomware attacks, including the June 30, 2020 Dridex Malware alert published by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the FBI’s public service announcement on ransomware.

These alerts highlight tactics and techniques used by certain threat actors, along with related indicators of compromise and key mitigation strategies to reduce overall vulnerability, and provide examples of cyber defense best practices.

In addition, the OCIE reiterated practices registrants can adopt in order to enhance cyber security preparedness to address ransomware attacks, including the following:

  • Incident response and resiliency policies, procedures and plans
  • Operational resiliency
  • Awareness and training programs
  • Vulnerability scanning and patch management
  • Access management
  • Perimeter security

For further information and examples of best practices provided by the SEC, you can find the entire report here.

How Can We Help?

Our Compliance and Regulatory Consulting team combined with cyber security experts from Kroll, a division of Duff & Phelps, can help you ensure that your organization maintains appropriate information security arrangements to meet the SEC’s expectations. Learn more about Kroll's Cyber Risk services here.
