Ransomware is Out There: Are Your Compliance Policies and Procedures Ready?

By Robert D. Conca, Partner of Shustak Reynolds & Partners, P.C. posted on Thursday, June 3, 2021.

Robert D. Conca, Of Counsel, San Diego, California

Ransomware Attacks Are Becoming More Frequent

Recent news reports are rife with stories about hacker groups launching cyberattacks against all types of companies in industries ranging from major fuel producers to food supply firms.

Ransomware [1] has emerged as the hack-du-jour and seems to be happening with more and more frequency.  On June 7, 2021, the Department of Justice announced the recovery of $2.3 Million in cryptocurrency that was paid in connection with a May 8, 2021 ransomware attack. [2]

Investment Advisers Have Increased Cyber Responsibilities

Any company that experiences a cyber incident will have some difficult decisions to make about what to do and how to respond.  Recovery is not always speedy or even possible.

Registered investment advisers (“RIAs”) face additional challenges when a ransomware attack (or any other cyber incident) occurs. The SEC expects RIAs, which are fiduciaries to their clients, to be more prepared to defend against such attacks and to have policies and procedures - including a tactical “Incident Response Plan” - in place before an electronic attack occurs. [3]

RIAs Need a Well-Designed Cybersecurity Policy

In a 2020 Risk Alert dedicated to the topic of Ransomware, the SEC provided guidance to RIAs about the types of procedures to consider when creating cybersecurity policies and procedures.  While the SEC did acknowledge that no one policy will be appropriate for all RIAs, the SEC suggested that cyber procedures include:

  • Response plans for various scenarios, including, among others, ransomware and other denial of service attacks.
  • Procedures for the timely notification of necessary parties and response if an event occurs, a process to escalate incidents to appropriate levels of management (including legal and compliance functions), and communication with the registrant’s key stakeholders.
  • Procedures for addressing compliance with federal and state reporting requirements for cyber incidents or events, such as financial institution suspicious activity report filing requirements or reporting of material events under federal securities laws.
  • Procedures to contact law enforcement, inform regulators and promptly notify new and existing customers and clients, as appropriate.

We encourage firms to review their Cybersecurity Policies periodically, but no less than annually, and to make regulatory compliance a priority.  We can help. 


Shustak Reynolds & Partners, P.C. focuses its practice on securities and financial services law and complex business disputes.
We represent many broker-dealers, registered representatives, investment advisors, investors and businesses.
Attorney Robert D. Conca can be reached in the firm’s San Diego office at (619) 696-9500.


[1] This form of cyberattack occurs when malware infects a firm’s electronic environment and encrypts the victim’s data until money (or digital currency) is paid to release it. 

[3] See discussion in a 2018 SEC Risk Alert relating to Observations from Cybersecurity Examinations, available here: