Want to Resist Ransomware? Embrace the NIST Cybersecurity Framework

Over the last months I have written several blogs concerning the burgeoning problem of ransomware attacks. Ransomware has been evolving rapidly of late and is liable to explode. According to Kapersky’s predictions for cybercrime in 2021, “cybercrime is set to evolve, with extortion practices becoming more widespread, ransomware gangs consolidating and advanced exploits being used to target victims.” When you add to this such problems as rising business email compromise problems and the difficulties of information security in the age of Covid, you can picture a pretty bleak outlook for data breaches and ransomware attacks next year.

Unfortunately, compromised business email information, weak remote working security practices and advanced vulnerability exploits can all be employed by organized gangs of cybercriminals to perpetrate ransomware; a type of attack that can present businesses with no-win solutions. If you pay the ransom, what is to keep the cybercriminals from revealing your stolen information publicly anyway, or coming back to you again with additional demands for money? If you pay, you can also possibly be in violation of U.S. laws and regulations. If you don’t pay, your private client information could be exposed publicly, possibly exposing you to regulatory sanctions and legal actions.

Of course, the best protection possible is to harden your business and personnel against successful social engineering attacks and cyber exploits. The problem is, no matter how good your information security program, you still may be compromised. To protect your business responsibly in this environment, you need to embrace all aspects of a good information security program: identify, protect, detect, respond and recover. These activities make up the framework core of the NIST Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (nist.gov).

Identify basically refers to knowing your business. It includes asset management (i.e. software and hardware inventories), examining the business environment, identifying risk, coming up with a risk management and governance strategy and examining supply chain and third-party risk. If you don’t know your business deeply and exactly, you have little chance of protecting it properly.

Protect refers to all those programs you put in place to prevent cybercriminals from compromising your systems and information in the first place. These functions include access controls, data security measures (i.e. protection for data at rest and in transit), information protection processes and procedures (i.e. configuration and change management control, security policies and procedures, etc.), protective technologies (i.e. email security systems, SIEM, etc.), security maintenance (i.e. patching and updating), and the ever-important security awareness and training.

This leads into the “detect” part of the framework. As we have pointed out in past blogs, all the security systems in the world won’t keep you safe if you don’t actually monitor them and leverage their output to detect anomalies when they occur. And to perform this function properly, you need to involve humans. The human mind remains the most effective detection tool there is.

The last two parts of the framework core are “respond” and “recover”. These basically refer to your incident response and business continuity/disaster recovery programs. As was stated earlier, no matter how good your program is, there is always the possibility of compromise. That is why responding quickly and effectively is so important. This entails both planning and practice. As does business continuity/disaster recovery. Proper planning and realistic testing programs are essential.

Cybercriminals are looking forward to their best year ever in 2021. Do what you can to thwart their ambitions. A good, well rounded information security program is the best you can do in this respect. We recommend embracing the paradigms included in the NIST Cybersecurity Framework in this effort for their clarity, effectiveness and relative ease of implementation.

Wealth Management Firms and Ransomware Tabletop Simulations

No matter what industry you are in, you need to practice emergency procedures to build proficiency and identify glitches in your planning. For example, we all went though fire drills back in grade school, or if you’ve been on a cruise ship, you have received lifeboat drills. These kinds of exercises have proven their worth time and again over the years. For wealth management firms, one such program that needs practice exercises is the incident response program. And tabletop incident response exercises are an effective way to conduct these practices.

We at MSI have had years of experience in developing and conducting tabletop incident response exercises for organizations in a number of industries. In the financial industry, the most prevalent and dangerous attack type currently is ransomware. Ransomware attacks can lead to data breaches, lawsuits, regulatory involvement, loss of reputation and financial loss. Let MSI assist your firm in tabletop exercises designed to test your response preparations and to make adjustments and improvements in your response.

First, we will work with your firm to design a real-world ransomware attack scenario that is relevant to your particular organization. From there we will construct the scenario and set a time with your firm to conduct the exercise. MSI will provide two personnel for the exercise: the exercise moderator and the exercise observer/recorder. It should be noted here that these exercises can be conducted in either the real or virtual world. During these days of pandemic emergency this can be an important consideration.

Once the tabletop begins, the moderator will unfold the details of the exercise one by one, just as they’d come to notice if a real incident were occurring. Your incident response team will then follow your incident response plan, communicate with each other and relate just how they would address each issue as it unfolds. As the exercise continues, the moderator will continue to introduce complexities built into the ransomware exercise scenario. Once the exercise concludes, MSI will help your team conduct a “lessons learned” discussion that points out what worked well during the exercise and what didn’t seem to work well and needs improvement. Finally, your firm will receive a report from MSI recapping the exercise and including suggestions for improving your response techniques and mechanisms.

In our experience, incident response tabletop exercises have never failed to expose flaws in the incident response plan. These exercises also lead to spirited discussion and innovative thinking among the team members. Remember, the key to minimizing the negative effects of any cyber-attack, including ransomware attack, is quick and accurate response.

Should Wealth Management Firms Pay Ransomware or Not?

If your wealth management firm suffers a ransomware attack, should the firm pay the ransom or not? This seems like a straight-forward question, but in reality, is anything but. A number of factors have to be taken into account, including what kind of ransomware attack you have suffered, the possible financial costs associated with the attack and the attack aftermath, the possible reputational damage and attendant loss of clients, and also legal and regulatory consequences that may arise from the attack.

Let’s start by looking at the two main types of ransomware attacks your firm might encounter. In the “traditional” ransomware attack, cyber-criminals break into your network and encrypt your important data so that you cannot access it without the key they used. They then demand a ransom payment for this key. This is an attack on only one of the three pillars of information security: availability. If your firm doesn’t have safely stored backups, you must pay or suffer likely permanent loss of your data. If your firm has safely stored backups, all you have to do is restore your system from these backups. The decision to pay or not in this case seems simple for a wealth management firms: if you pay you get your data back quickly. If you don’t pay, you still get your data back, but not so quickly. It may take days to go through the restoration process. If you think your clients will stand for this downtime, you don’t pay. If you don’t think the business interruption will be tolerated, then maybe it is better to pay and take the financial loss.

The other type of ransomware attacks we’re seeing today are not so simple. If your important data is not properly encrypted, the attackers may not only re-encrypt your data, they may also copy it and threaten to release it publicly if they are not paid. This is a much thornier problem because it also affects another pillar of information security: confidentiality. Financial institutions are heavily regulated and are required to adequately protect the confidentiality of their client’s financial and personal private information. If the firm pays the ransom, they may get the key to unencrypt their data and a promise not to post this data publicly. But what level of trust can you put in the word of criminals?! What is to prevent them from publicly releasing the data anyway, or keeping the data and demanding further payments in the future? This complicates the decision to pay or not considerably. If the firm doesn’t pay the ransom, they are in for public scandal that might cause present clients to go elsewhere and prospective clients to choose a different firm. They may also be subject to regulatory sanction if their information security program is judged to be inadequate. In addition, the firm may be sued by affected clients which can lead to even more scandal and reputational loss.

But wait, there is more! Paying the ransomware is actually illegal is some instances. Under the International Emergency Economic Powers Act or the Trading with the Enemy Act, U.S. persons are generally prohibited from engaging in transactions with individuals or entities that are on OFAC’s Specially Designated Nationals and Blocked Persons List or with persons from embargoed regions and countries (see the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf for more information). And how is the firm to know if the blackmailers they are dealing with are among those on the proscribed list? I would hate to have to be the one to make the decision to pay ransomware or not in these cases. To quote an old cliché, these decision makers are caught between a rock and hard place!

There is no simple, easy or right decision to make if your firm is caught up in this second type of ransomware attack. The real answer is to not be in such a position in the first place. Financial firms should ensure that their information security program is compliant with regulatory and best practices standards at all times. You should ensure that your data is properly encrypted and backed up, patch and update your systems religiously, test and monitor your systems and ensure that your partners and services providers are doing the same. To quote another old cliché: an ounce of prevention is worth a pound of cure!

Credential Stuffing: Protection, Detection and Response are all Needed

Credential stuffing is a truly thorny security problem that exploits weaknesses in both human nature and Internet access controls. A credential stuffing attack is using user name/password combinations stolen from one website to try to gain access to other websites. It exploits the tendency of all of us to use the same passwords for multiple websites. Although this is a human weakness, it is also perfectly understandable; it is tedious and difficult to remember many complex passwords. It is also difficult to reliably protect password lists that are in any way accessible over the Internet. I see many articles about password management tools or cryptographic techniques that have been compromised while preparing the MSI Infosec Précis. Even MFA is not invulnerable. Attackers have come up with a number of different MFA bypass attacks lately, and more are certain to follow. Couple all this with the fact that there already are literally billions of user name/password pairs available for sale out there that have already been compromised, and you can see why credential stuffing is such a danger to the security of our private information. It is used constantly by attackers to gain the network foothold they need to launch further attacks such as Ransomware.

How are you supposed to protect yourself and your business from password stuffing attacks? The best solution is for everyone to use strong, unique passwords for each different online account they have. Good luck with that! Even the best of us get lazy or stupid once in a while. Or you can (and probably should) employ strong password managers and MFA. These are good techniques that are largely successful. But as I stated above, even these techniques are not sacrosanct. So, if you can’t stop credential stuffing attacks, you had better be able to detect them quickly and react appropriately.

One way to detect these attacks is through monitoring and analysis. As Scott Matteson, the man who coined the term “credential stuffing,” recommended in a 2019 interview: “Monitor your business metrics for signs that you may already be experiencing credential stuffing or other automation attacks, including poor or declining login success rates, high password reset rates, or low traffic-to-success conversion rates.” Plus: “Analyze the hourly pattern of traffic to your login and other attackable URLs for traffic spikes or volume outside of normal human operating hours for your markets: Real users sleep, automated attacks do not.”

In addition, there are tools and services available that can help you detect password stuffing attacks. As the MSI CEO, Brent Huston, discussed in his blog posted on November 11, MicroSolved’s data leakage detection engine ClawBack™ is one such tool that is useful in detecting stolen credentials that show up on pastebin sites or that have been leaked inadvertently through a variety of ways.

However, detection is not enough. You also need to be able to react quickly and surely when a leak has been detected. This means incorporating credential stuffing into your incident response (IR) plan. The incident response team as a whole should discuss response methods, incorporate them in the written IR plan and include them in their periodic IR training sessions. The combination of awareness of the credential stuffing problem, implementation of rational protection and detection mechanisms and documented response measures are a combination that can help your organization protect itself to best effect.

Utilities Need to Harden Their Systems Against the Exploding IoT Threat

As the complexity of a computer system increases so does the difficulty of securing it against cyber-attack. In fact, difficulty of protection rises at a more than one-to-one ratio with complexity. This is one of the reasons we at MSI so highly tout extensively segmenting complex networks into “enclaves” with individual firewalls and access controls, as well as strict trust rules on how each enclave can communicate with each other and the outside world. Although this process is complex to develop and implement, once in place it greatly simplifies the protection of critical assets such as industrial controls systems and administration networks.

One reason why it behooves utilities to consider cyber-protections at this level is the exponential rise in the availability and use of Internet of Things (IoT) devices. It seems like every kind of device there is now has a computer in it and can be accessed and administered over a network of some kind. And usually this network is the Internet or is routable to the Internet.

Systems at threat include industrial control systems and the enterprise networks that administer them; they employ more remote access devices every day. IoT devices that are connected to enterprise networks can be just about anything. Smart light bulbs, cameras, heat sensors, voice controllers, televisions, robots… the list is daunting and grows constantly.

Exacerbating this problem for most of the last year has been the pandemic emergency. The need for social distancing and remote working has exploded because of it. And as we all know, in an emergency functionality trumps security every time. Concerns have set up remote conferencing and remote administration systems at a record pace. And even if they have performed some form of risk analysis before, during or after implementation, chances are that they may not have been holistic in their threat and risk analysis.

This brings me back to the enclave computing scheme I mentioned above. To set up proper network segmentation, the first things you need to know are what data/devices are on the network, how data flows between these entities and what trust relationships are implemented in their setup. Until you have a grasp on all of these factors, there is no way you can gauge the full range of negative security effects hooking IoT devices to your enterprise network can have.

So, my advice to Utilities and other users of industrial controls systems is this: do a thorough business impact analysis (BIA) of your enterprise network and all of its connections. The BIA will reveal the factors I mentioned above. It reveals what devices and data are there and their relative criticality. It shows you how data moves and what trusts what. This information is the necessary precursor to accurate risk and threat assessment, and can be the beginning of a new level of information security at your enterprise.

Wealth Management Firms Need Quick Communications and Responses During Data Breach

Data breaches are happening every day, and presently, they are often accompanied by ransom demands. It used to be that most ransomware simply encrypted a firm’s data and wanted to get paid for the key to decrypt it again. The answer to this kind of attack is pretty simple: make and securely store backups of your data so that you can reload your systems without paying ransom. This works, but some concerns still pay the ransom to avoid downtime while backups are accessed and systems restored. Unfortunately, the bad guys have a worse trick up their sleeves: threatening to publish your data on the Internet if you don’t pay the ransom.

This is a very thorny problem. If you don’t pay, you are going to have private personal and financial data of your clients exposed, which is going to lead to regulatory scrutiny and loss of business. If you do pay, you are out the expense and you have no guarantee that the cybercriminals won’t publish your data anyway.

Besides ensuring that your data doesn’t get compromised in the first place, the only thing that wealth management firms can do to thwart this problem is ensure that their incident response plan is complete and ready to invoke at a moments notice. This takes good communications, especially internally. This is the responsibility of the CISO in most firms.

The first thing the CISO should do once the incident is validated is to notify the incident response team and get them working on containing the incident and researching how it was perpetrated. From there, the CISO should handle communications. All incident-related communications should go through the CISO. The team should communicate their findings with the CISO, and the CISO in turn should communicate pertinent information with the Board of Directors. They are primarily responsible for the information security program at the firm, and decisions on further communications with regulators, law enforcement and clients should come from them. It is also their responsibility to decide how ransomware demands are to be addressed.

To perform all these functions quickly and efficiently, communications methods and responses to incidents should all be pre-planned and included in the incident response plan. It is also important to practice responses to various likely incident scenarios (table-top exercises are generally used for this). These practice sessions help to speed up actual incident responses and expose holes in the plan that could cripple the response if not corrected.

Take Advantage of National Cybersecurity Awareness Month

As I’m sure most of you know, October is National Cybersecurity Awareness Month. The point of this yearly event is to stimulate awareness of the importance of cybersecurity in the workplace and at home. Every year, it seems, cybersecurity becomes more important in the lives of all of us. Identity theft, ransomware, denial of service attacks and a plethora of other cyber-dangers are running rampant and becoming more sophisticated every day. Awareness of these problems and following a few simple security rules can go a surprisingly long way in keeping your networks safe. So why not take advantage of National Cybersecurity Awareness Month to bring awareness to your own personnel and families?

The number one tip I wish to emphasize is this: be wary, think and make sure before you click on a link or answer questions posed by unknown telephone callers. We are all human which means we get in a hurry, we get bored, we lose focus, we get preoccupied and a dozen other frailties. Cybercriminals rely on these human weaknesses to make their cash, and very successful they are at it. As an addendum to this advice, I want to emphasize caution when clicking on links or accessing websites having to do with the Covid-19 emergency or the impending national election. These two subjects are the subjects of more than half of all current phishing attacks.

Next tip: ensure that all of your devices, software applications, operating systems and firmware applications are included in your security maintenance program. Relying solely on WSUS and patching Windows vulnerabilities just doesn’t do the job. All your non-Windows network entities should be updated and patched as well. Also, updating and patching should be applied as soon as possible. You can bet that cybercriminals will not be slow in attacking vulnerable systems.

Tip number three: be very wary of social media use. The amount of private information that we blithely upload to social media sites is astounding! Having been in the intelligence field myself, I know how much information analysts can glean and infer from seemingly harmless business or family facts. You should remember that the information you provide your friends or colleagues on social media is only as private as their own security settings and habits. A good rule of thumb is to not post anything you wouldn’t want a stranger to see. Once again, think before you post!

The last tip I’ll provide here is to use very strong access controls and encrypt every connection and bit of private information you can. With so many of us working from home now, web conferencing is at an all time high. Make sure you use a service that will allow you to encrypt communications. If at all possible, employ multi-factor authentication for web conferences and other sensitive communications as well. If MFA is impossible, use a nice long passphrase instead of some weird nonsensical eight-digit password you can’t remember anyway. Entropy is where it’s at!

Automobile Dealerships Need Strong Wireless and Physical Network Security

Automobile dealerships have problems when it comes to information security. One of these problems is that, being relatively small organizations, they have limited resources to expend on information security. Exacerbating this problem is the fact that dealerships are difficult to secure and are juicy targets for cyber-criminals and identity thieves.

What do I mean by “juicy targets?” Dealerships of necessity must collect a great deal of personal private information about their customers in order to do business. This not only includes names, addresses, phone numbers and email addresses, but also potentially includes information such as Social Security Numbers, credit ratings and other financial information. Criminals can exploit this level of information to cause all sorts of mischief and make lots of money.

What do I mean by difficult to secure? Dealerships typically have various sales departments (i.e. new, used, fleet), service departments, finance departments and body shops. All of these departments employ computers and most of these departments are also accessible to customers. In addition, dealership personnel are often called upon to leave customers and computers unattended while they perform various tasks away from their areas. This means that there are lots of “attack surfaces,” both physical and cyber, for cyber-criminals to try to exploit.

One  inexpensive and effective way for dealerships to fight these problems is to ensure that access to your computer networks is well secured. There are basically two ways for attackers to access your computer networks: through a physical connection or a wireless connection. If your dealership still uses wired connections for workstations (many don’t), you should ensure that these connections are secure from tampering. You don’t want unattended customers to be able to successfully plug their devices into an open port and get access to your network. Access via these ports should be limited to approved MAC addresses, or should employ some other access controls to prevent casual network access.

Even more important than this, though, is ensuring that your dealership wireless networks are properly configured and secured. On top of having the same vulnerabilities as wired networks, wireless networks have the added weakness of working via electromagnetic signals that can be accessed by anybody in range. To secure your wireless networks, you should follow best practices advice including:

  • Use strong access controls to limit access to wireless networks to only authorized users. Multi-part authentication is strongly recommended for this.
  • Ensure that your wireless network employs strong protocols like WPA2 and is fully encrypted.
  • Ensure that wireless access points and other networking equipment are fully secured. It is preferable to have this equipment secured in locked rooms or cabinets. It’s even better if access to this equipment is logged to individuals.
  • Ensure that your wireless systems are securely configured. Change all vendor default passwords, and ensure other device settings conform to best practices recommendations.
  • Ensure that your wireless devices and software applications receive proper security maintenance, and are well updated and patched.
  • Separate your wireless networks into segments and ensure that only those with a business need to know can access each segment.
  • Ensure that guest networks are available and properly secured. Each user of the guest network should have separate access control to prevent other guest network users from illicitly spying and compromising others on the network.
  • If you are allowing your employees to use their own devices to access the production wireless networks, ensure that these devices are secured according to best practices recommendations. Also ensure that users are fully educated in their responsibilities for maintaining wireless security.
  • Monitor your wireless networks with an eye for anomalies and misconfigurations.

Following these and other good network security recommendations can greatly increase information security at your dealership without having to expend inordinate amounts of money and employee time.


Credit Unions – Protect Private Member Info from Ransomware Attacks

Ransomware has been a sad fact of business life for some time now. It has proven to be an effective money maker for cyber-attackers, and so is constantly being developed and improved by the bad guys. We think of the typical ransomware attack as someone compromising your network, encrypting your data and demanding ransom payment for the key to decrypt it again. But credit unions are one of those businesses that are regulated; they must protect private Member information according to FFIEC and NCUA 748 recommendations and requirements. That makes them especially sensitive to another, enhanced type of ransomware attack in which the attackers also threaten to release private information to the public unless paid off. This type of coercion bypasses incident response and business continuity measures. It doesn’t matter if you can restore your systems from backup if you already have a public data breach.

Even if a compromised credit union has kept an average information security program in place and therefore is not heavily trod upon by the regulators, the business will still be damned by the court of public opinion if data breach occurs. This loss of reputation could seriously affect the credit union and could also lead to large expenditures in credit monitoring and spin doctoring efforts. So, for credit unions, the best answer is to protect your network and private information from being compromised in the first place.

First, strong encryption and key management are a must with this type of regulated information. Private member information should be well encrypted not only when being transmitted, but also when at rest on all systems. Over years of security testing, we have noticed many businesses that do a pretty good job of encryption, but then miss something crucial like databases or backups. This is like building a safe with a screen door in it! Another encryption problem we have noticed is poor key management practices. We have seen keys stored on production systems and not properly protected in other ways. An encryption system is only as good as its key management system. If you do the encryption and key management part correctly, the attackers won’t be able to read Member data even if they manage to get their hands on it.

Next is network security mechanisms and monitoring practices. It’s not good enough to simply build a series of walls to keep the bad guys out; you need to post guards to keep an eye on things as well. It’s the same with network security; you not only need to have effective security mechanisms in place, you need to have humans in the loop to add that detection ability that no machine can truly equal. That is why we recommend that credit unions don’t spend all of their infosec dollars on extravagant machines or software, and ensures adequate resources are set aside to properly staff the information security department. A decent, well configured firewall, full logging and log aggregation, an adequate AV package and egress filtering and monitoring can go a long way when properly employed and monitored by competent staff.

Configuration and privileged access control are also key. In most ransomware attacks, cyber-criminals employ phishing techniques or exploit network vulnerabilities to gain a foothold on businesses’ internal networks. But to mount a successful ransomware attack, they must also be able to maneuver around the network and to elevate their network privileges. On most networks, unfortunately, this is not a daunting task. Attackers can crack password hashes on user machines looking for admin passwords that they can then use to access other hosts and repeat the exercise. They can do this because most networks use common admin passwords on multiple machines. They also have generally “flat” networks that are not properly segmented according to the principles of least privilege and need to know. These practices can allow attackers to gain domain admin-level access to the system, and that is game over. In addition, many businesses are lax when it comes to privileged access control. Many sys-admins use the same password for simple network access as well as for admin access to the system. Plus, when a new admin user is added to the system, or privileges have been highly elevated for a normal user, no alerts are made and nobody is monitoring the access control list. All of these practices should be curtailed if you want to get serious about network protection.

The final control I’ll mention in this blog is user education and buy-in to the information security program at your credit union. Employees and partners can be your worst security enemy or your greatest security asset. To be truly effective, personnel not only should receive infosec training and awareness reminders regularly, they should also be actively enlisted by the credit union as troops in the fight against network compromise. Their worth to the company in this effort should be extolled, and good performance should get praise and recognition. Even little perks like a good parking spot or small bonus can really motivate personnel.

Implementing these kinds of effective controls can seriously increase your resistance to all type of network attacks including ransomware. However, I don’t mean to say that these controls can replace the need for decent incident response and business continuity programs; you need those too. This is because, as we all should know by now, no information security program is or can be perfect!

OCIE Cites Current Risks Facing Wealth Management Firms

As I discussed in my last blog concerning wealth management firms, the Securities and Exchange Commission (SEC) and their Office of Compliance Inspections and Examinations (OCIE) has placed a strong emphasis on information security and privacy practices. As 2020 began, the focus of OCIE examinations seemed to be concentrating on cyber governance, cyber resilience, privacy and data security, and outsourcing risks. Although these considerations still exist, the advent of the COVID-19 crisis has prompted the SEC to augment their thinking on current risks for brokers/dealers and investment advisors. Pursuant to this effort, they released a Risk Alert entitled Select COVID-19 Compliance Risks and Considerations for Brokers-Dealers and Investment Advisers (https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf). The OCIE’s observations and recommendations have been grouped into a number of categories. These are discussed below:

Protection of Investor Assets: The OCIE is encouraging firms to review their operating practices surrounding collecting and processing investor checks and transfer requests to ensure social distancing practices and remote working are not impacting the security of these practices. As well as updating policies to reflect these changes, the OCIE is recommending implementing additional steps to validate the identity of investors and the authenticity of their disbursement instructions.

Supervision of Personnel: The OCIE is recommending that firms should review and adjust their personnel supervision policies and procedures to ensure that the current situation does not seriously impact brokers/dealers’ ability to provide sound advice in a volatile market, and to communicate with their customers effectively.

Fees, Expenses and Financial Transactions: Recent market volatility has put pressure on both investors and wealth management firms. It is thought that this increased pressure may have increased the potential for misconduct among brokers/dealers. Because of this, OCIE recommends that firms should review and adjust their policies and procedures surrounding fees and expenses.

Investment Fraud: Volatile times and business situations can increase the risk of investment fraud through fraudulent offerings. The OCIE recommends that firms should be aware of these risks and take them into consideration when conducting due diligence reviews on investments to ensure that said investments are actually in the best interest of the investors. They solicit firms and investors that suspect fraud to contact the SEC.

Business Continuity: The OCIE is recommending that firms should consider their ability to operate critical business functions during the emergency situation and review their business continuity plans. They cite the fact that working from remote sites could raise compliance issues. They specifically state that compliance policies and procedures used under normal operating conditions may need to be modified to address risks and conflicts of interest present in remote operations. They also state that security and support for facilities and remote sites may need to be modified or enhanced.

Protection of Sensitive Information: The current emergency has forced firms to employ video conferencing and other electronic means to communicate while working remotely. Often personnel are using personal devices and web-based applications as a part of this process. The OCIE points out that employing these means increases the risk that investor PII or private company information may be compromised. These practices also increase email/phone phishing risks. To help fight this, the OCIE recommends that firms enhance their identity protection practices, provide additional training for users and investors, conduct heightened reviews of access rights and privileges, use encrypted communications, ensure patching and updating is well undertaken, consider enhancements such as multi-factor authentication, and address risk issues related to partners and third parties.

MSI points out that the best way to ensure that all your information security practices are effective and compliant with guidance such as that listed above is to conduct regular security reviews and testing. These include risk assessments, application security assessments, network vulnerability and penetration testing and other security testing such as Wi-Fi security testing and social engineering exercises.