Today the OCIE issued a Ransomware Alert, highlighting an uptick in sophisticated social engineering and other cyber campaigns, designed to infiltrate the networks of financial institutions to access sensitive information and/or to deploy ransomware.
As a reminder, ransomware actors typically demand monetary payment for the return of data.
We can spend time regurgitating what was said in this document; however, we are not going to do so. If you’d like to read the publication, you can access it here.
What we will spend our time doing is telling you why you should not ignore this! A recent filing with the SEC showed that two days ago TCW Funds, Inc (“TCW”) reported that they were a victim of a cyber breach. TCW, a firm that probably has a cybersecurity budget numerous times more than the average private fund was still breached. How? We do not quite know, but we are eager to find out.
So why is the OCIE alert important? Because they are indirectly telling you that what happened to TCW can happen to any firm, and that if you are not doing much now, you should reconsider before something bad happens.
The SEC continuously reminds both public and private companies to make sure their cybersecurity program is in order, for these exact reasons, but what are firms actually doing? In our experience we found that firms are in one of three camps:
- There are firms hoping that the SEC will visit them years later so they can do as little as possible now.
- There are firms that do certain things to check a box to satisfy investor and some (yes, we said some) regulatory requirements.
- The other firms take it very seriously because they know a breach can harm both their business and investors either reputationally or monetarily.
The questions are, which camp are you in, and have you done enough?
In the alert the OCIE highlights all of the areas that you should consider implementing to enhance your own cybersecurity program:
- Having appropriate incident and business continuity policies, procedures, and plans.
- Having appropriate disaster recovery systems in place, so you can recover your systems.
- Making your employees your first line of cyber defenders by arming them with knowledge they need to detect cyber-attacks.
- Knowing what network vulnerabilities exist internally and externally, so you can appropriately address anything that could put your firm at risk.
- Securing your network perimeter (we have an issue with this one).
Are you doing any of the above? Do you know how effectively it is being done, if being done at all? How are you testing these things? These are our questions for you.
- Having policies, procedures, and plans are great, but how many people in your firm actually know what is in them? If you do not know the answer to this, you should probably revisit this area.
- Lots of firms say they test disaster recovery and business continuity plans, but testing with a small set of people, or testing in an isolated environment, or thinking since everyone can work from home, we’re good. This just provides a false sense of preparedness, it just does not cut it. If you have not entirely failed over a data center, or turned off your OMS on purpose to test whether you can manage a portfolio and still trade, or purposely not use Bloomberg, to determine how you will get that desperately needed market data, you should probably be revisiting this area.
- Are your employees still failing phishing tests? Do they know all of the ways they or your firm can be socially engineered or hacked? How do you know they know? Have you tested their knowledge? Training is a continuous thing. It must be done frequently and in an effective manner. If your training program doesnt seem to be working as well as you thought it would, you should be revisiting this area.
- When people think about internal and external vulnerabilities, they are mostly focused on internet and network devices, but what about all of the information available on you and your firm that is available to bad actors in the deep and dark web, or what about the unhappy employee that can wreak havoc in your environment? Insiders and hackers are not attacking the network as often anymore; they are attacking people and stealing data. You need to extend the vulnerability analysis to people as well. If you have not considered this, you should be revisiting this area.
- When we said we have an issue with securing the network perimeter, what we meant by that is, there is no longer a traditional network perimeter. The work from home situation that everyone is dealing with currently is a perfect example of this. It is not how you protect the perimeter anymore, it is how should you protect a distributed network that you have no control over? If you have not considered this, you should be revisiting this area as well.
Again, these alerts published by the SEC are done so for a reason. They want to remind you that you need to build a strong cyber program. Many feel lots of money is needed to make this happen. We can tell you this is not the case, and there are many ways to build an effective cyber program with even the smallest of budgets.
What are you waiting for? Assess and understand your risk posture before its too late. The most important element of a cybersecurity program is knowing!
Do not hesitate to reach out and say: “Hello, we want to pick your brain!”