The Office of Compliance Inspections and Examinations ("OCIE") alerted market participants to reports of sophisticated ransomware attacks targeting SEC registrants and their service providers.

In a Risk Alert, OCIE defined ransomware as a "type of malware designed to provide an unauthorized actor access to institutions' systems and to deny the institutions use of those systems until a ransom is paid." Ransomware perpetrators typically demand ransom to "maintain the integrity and/or confidentiality of customer data or for the return of control over registrant systems," OCIE said.

OCIE recommended that registrants and other market participants monitor the cybersecurity alerts released by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency. OCIE also outlined the following measures that registrants may take to reduce ransomware risks:

  • periodically assess and test policies for responding to ransomware attacks;
  • evaluate the firm's ability to maintain operations and restore systems after an attack;
  • provide employee training, including on how to identify phishing emails;
  • implement programs that scan for and patch vulnerabilities;
  • manage user access to systems; and
  • establish "perimeter security" capabilities that can surveil network traffic to detect unauthorized activity.

OCIE also reminded registrants that it manages a "Cybersecurity Spotlight" webpage, which contains related guidance and resources.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.