The Securities and Exchange Commission (“SEC”) recently published its sixth risk alert on cybersecurity since 2014. In this alert, the SEC focused on how its regulated firms protect themselves against ransomware risk. I previously wrote about the SEC’s last risk alert on ransomware here.
Ransomware is malware that stops a user from accessing part or all of the data within their network or other systems until a ransom is paid. For ransomware to be effective, it must first gain access to network data, usually through user error, such as a user clicking a link, downloading a file, or taking some other action that affirmatively gives the ransomware access to data. From there, the attacker typically encrypts the data and demands payment to decrypt it.
Studies vary, but up to 90% of financial services firms, including investment advisers, broker-dealers and investment companies, report that they have been targeted by ransomware. The SEC also reports that these targeted attacks have grown more sophisticated over the last few years, which requires firms to allocate greater resources to protecting themselves.