The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently published a Risk Alert pertaining to “WannaCry,” the ransomware worm that infected hundreds of thousands of computers in over 150 nations earlier in May, 2017. WannaCry infects computers with malicious software that encrypts users’ files and demands payment to regain access to the data. The alert provides cybersecurity best practices, including a new initiative towards “rapid response” methods that firms should use to respond to cybersecurity challenges. It also describes factors that firms may consider to (1) assess their supervisory, compliance and/or other risk management systems related to cybersecurity risks, and (2) make any changes, as may be appropriate, to address or strengthen such systems.
The SEC encourages broker-dealers and investment advisors to review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness and evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed. OCIE emphasized the importance of firms conducting penetration tests and vulnerability scans on critical systems and stressed the necessity of upgrading systems on a timely basis.
Based on a 2015 survey of 75 SEC registered broker-dealers, investment advisers and investment firms, the SEC National Exam Program staff recognized certain firm practices that registrants may find relevant when dealing with threats such as the WannaCry ransomware attack:
Cyber Risk Assessment
According to the SEC, 5% of broker-dealers and 26% of advisors and funds examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities and the potential business consequences.
The SEC also found that 5% of broker-dealers and 57% of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
All broker-dealers and 96% of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, 10% of the broker-dealers and 4% of investment management firms examined had a significant number of critical and high-risk security patches that were missing important updates.
OCIE staff acknowledges “it is not possible for firms to anticipate and prevent every cyber-attack,” but suggests firms of all sizes should actively be taking appropriate steps to prepare for and respond to cyber-attack. OCIE has provided guidance and information that firms may wish to consider when addressing cybersecurity risks and response capabilities. Similarly, for its member firms, the Financial Industry Regulatory Authority (FINRA) has created a webpage with links to cybersecurity-related resources, including a cybersecurity checklist for small firms and a report on cybersecurity practices that highlights effective practices for strengthening cybersecurity programs.