SEC Issues Risk Alert Following Massive Global Ransomware Attacks
The Securities and Exchange Commission (SEC) released a risk alert encouraging broker-dealers, investment advisers and investment funds to conduct periodic cyber risk assessments and implement systems upgrades on a timely basis in order to reduce the risk of ransomware attacks.
The Office of Compliance Inspections and Examinations (OCIE), the arm of the SEC charged with monitoring risks and improving compliance among market participants through the agency's National Exam Program, released a cybersecurity risk alert on May 17, 2017, in the wake of the widespread "WannaCry" ransomware attacks that had affected organizations in over 100 countries in the preceding days.[10] The alert highlights certain deficiencies in cybersecurity practices across financial firms (as identified in recent examinations) and identifies risk management considerations in order to encourage market participants to strengthen cybersecurity preparedness across the industry.
In a recent examination of 75 SEC-registered broker-dealers, investment advisers and investment funds, OCIE found shortcomings in certain industry cybersecurity practices. Despite nearly all firms having a process in place for regular system maintenance, OCIE's examination found that:
-- 26 percent of investment advisers and funds and 5 percent of broker-dealers did not conduct periodic cyber risk assessments of critical systems;
-- 57 percent of investment management firms and 5 percent of broker-dealers did not conduct penetration tests or vulnerability scans of critical systems; and
-- 4 percent of investment management firms and 10 percent of broker-dealers had a significant number of high-risk security patches outstanding, meaning important updates had not been installed on critical systems.
The OCIE alert uses these results to underscore the importance of testing critical systems for vulnerabilities and implementing system upgrades on a timely basis. It notes that WannaCry spread largely because organizations had been slow to apply security patches that Microsoft had already made available for the Windows vulnerability the ransomware exploited; in other words, the attack succeeded against systems for which a fix existed but had not been installed.
In light of the WannaCry attacks in particular, the alert encourages broker-dealers and investment management firms to evaluate whether they have properly installed the applicable patches for affected Windows operating systems in a timely manner, and to review an alert issued by the U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-CERT)[11] that provides technical analysis of the WannaCry ransomware and recommends prevention, protection and remediation measures. More broadly, OCIE encourages firms to review periodic guidance and other resources provided by OCIE, the SEC's Division