Updates on Regulation, Trading, and Market Reforms for the Alternative Investment Community

Increase in Sophistication of Ransomware Attacks on SEC Registrants

On July 10, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a cybersecurity risk alert in which it discussed the flood of bad actors orchestrating phishing campaigns designed to penetrate financial networks to access internal resources and deploy ransomware.  OCIE’s alert indicated that ransomware attacks on SEC registrants appeared to become more widespread and sophisticated, including affecting broker-dealers, investment advisers, investment companies and service providers to registrants.

OCIE’s alert is intended to urge SEC registrants to monitor Department of Homeland Security Cybersecurity and Infrastructure Agency (CISA) alerts, including CISA’s alert about the Dridex Malware (the “CISA Alert”).  The CISA Alert is the result of recent collaboration between the Department of the Treasury Financial Sector Cyber Information Group and the Department of the Treasury’s Financial Crimes Enforcement Network to identify and share information with the financial services sector.  OCIE’s alert is also intended to reveal the safeguards implemented by SEC registrants to prepare for potential ransomware attacks.

According to the CISA Alert, Dridex malware is typically sent via phishing email spam campaigns that contain legitimate business names and domains, professional terminology and language implying urgency.  The CISA Alert contains examples of fraudulent emails, sample links and file names that may be used and a list of email and IP addresses associated with the malware.  It also sets forth certain steps that organizations should take to mitigate the risks associated with the malware, which include incorporating the email and IP addresses associated with the threats and always reporting all suspicious activity to law enforcement. The CISA Alert recommends actions that are consistent with the OCIE Alert.

The recommendations are extensive, both technical and practical in nature, and include reminders that a recipient of an email that may be fraudulent should call the sender and confirm the message before engaging with it.

Being aware of the risk indicators, recommendations and mitigation steps set forth in the CISA Alert could help industry participants be better prepared to defend themselves from malware attacks. CISA reports that actors who use this malware typically target the financial services sector, including “customer data and [the] availability of data and systems for business processes.” Notably, in its Alert, OCIE makes clear that it is not only recommending that registrants review the alerts issued by CISA, but OCIE also specifically encourages registrants to share CISA alerts with their service providers, given that service providers often maintain the “client assets and records” that such ransomware attacks target.

Recognizing that there is no such thing as a “one-size fits all” approach, the OCIE alert provides detailed observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks, as seen in detail here: https://account.activedirectory.windowsazure.com/r.  See also the CISA Alert here: https://us-cert.cisa.gov/ncas/alerts/aa19-339a

About the author

Debbie represents private investment funds and investment advisers in connection with fund structuring, advertising, private placement procedures, compliance policies and procedures, side letters, placement contracts, related agreements and issues. Debbie’s experience includes private equity funds, venture capital funds, complex partnership reorganizations, domestic and offshore hedge funds, Opportunity Zone Funds, real estate investment funds and trusts, EB-5 funds, and large master-feeder structures.  Debbie has extensive experience with private securities offerings and financial products, including through crowdfunding, domestic and international joint ventures, and global equity offerings, where she represents placement agents, issuers, broker-dealers, public and private companies, investment banks, financial institutions, private funds, and investment advisers.

Debbie also represents family offices, private funds, investment advisers and other clients in connection with impact investing including establishing Environmental, Social, and Governance (ESG) investment policies and practices and with policies regarding anti-money laundering (AML), Foreign Corrupt Practices Act (FCPA), derivatives and FINRA and SEC-compliant investment regimes and operations.
