The U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) has issued a Risk Alert in the wake of the widespread WannaCry ransomware attack that has infected hundreds of thousands of computers since last week.
The OCIE stated that the Risk Alert was intended to highlight "the importance of conducting penetration tests and vulnerability scans on critical systems and implementing system upgrades on a timely basis." Specifically, the Risk Alert recommends that broker-dealers and investment management firms review the U.S. Computer Emergency Readiness Team's Alert TA17-132A, "Indicators Associated With WannaCry Ransomware," and evaluate whether the applicable Microsoft patches are properly and timely installed, including the emergency patches Microsoft issued in May 2017 for the out-of-support Windows XP, Windows 8, and Windows Server 2003 operating systems (supported Windows versions received the fix in March 2017 as security bulletin MS17-010).
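One way to perform the per-host patch check the Risk Alert calls for, as an added example that is not part of the OCIE alert or this article. It assumes an elevated PowerShell session (2.0 or later) on the Windows host being assessed; the KB identifiers are the MS17-010 package numbers Microsoft published in March and May 2017, and the registry path is the standard LanmanServer location for the SMBv1 switch.

```powershell
# Added example; not from the OCIE Risk Alert or the original article.
# Run in an elevated PowerShell (2.0 or later) on the host being checked.

# MS17-010 packages: March 2017 releases for supported versions and the
# May 2017 out-of-band release (KB4012598) for XP, Windows 8 and Server 2003.
# Later cumulative updates supersede these IDs, so "none found" means
# "verify through Windows Update history", not "definitely unpatched".
$ms17010Kbs = @(
    'KB4012598',                          # XP, 8, Server 2003, Vista, Server 2008
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',             # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

$os    = Get-WmiObject Win32_OperatingSystem
$found = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }

# SMBv1 server state. The registry value exists on every affected version;
# Get-SmbServerConfiguration is only available on Windows 8 / Server 2012 and later,
# so prefer it when present and fall back to the registry otherwise.
$lanman    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1Value = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$smb1Enabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)   # absent value = enabled
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
}

# TCP 445 listening is what the WannaCry worm component needs to reach;
# record it as context rather than treating it as a finding on its own.
$smbListening = netstat -an | Select-String ':445\s+.*LISTENING'

"{0} ({1})" -f $os.Caption, $os.Version
"MS17-010 package present: {0}" -f $(if ($found) { $found.HotFixID -join ', ' } else { 'none of the listed KBs' })
"SMBv1 server enabled:     {0}" -f $smb1Enabled
"TCP 445 listening:        {0}" -f [bool]$smbListening

if (-not $found -and $smb1Enabled) {
    Write-Warning 'No MS17-010 package listed and SMBv1 is enabled: confirm the patch level from Windows Update history and disable SMBv1 where it is not required.'
}
```

Run the script on a sample of workstations and servers and keep the output with the other examination records; a host that reports no listed KB but a build date after May 2017 should be rechecked against its cumulative-update history before being recorded as unpatched.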
The Risk Alert also discussed a recent survey of 75 SEC-registered broker-dealers, investment advisers, and investment companies conducted by OCIE's National Examination Program staff. The survey assessed the entities' cybersecurity preparedness, finding "a wide range of information security practices, procedures, and controls across registrants that may be tailored to the firms' operations, lines of business, risk profile and size." Specifically, the survey found:
OCIE also reiterated its April 2015 Cybersecurity Guidance in which it recommended that investment companies and advisers take the following actions:
- Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect, and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.
The OCIE's Risk Alert once again highlights the importance of cybersecurity preparedness for securities-industry registrants. The Risk Alert comes only weeks after the Colorado Division of Securities published proposed rules directed at establishing cybersecurity requirements for broker-dealers and investment advisers. The Colorado Division of Securities conducted a public hearing on the proposed rules on May 2, 2017, and received comments through May 9, 2017. The final rules are expected to be published in June 2017.
For a summary of the WannaCry attack and the steps companies can take to avoid future cybersecurity incidents, read Ballard Spahr’s Alert "Is Your Organization Ready for a Systemwide Ransomware Attack?"