The SEC issued a risk alert on May 17, 2017 in response to the widespread ransomware attack, known as WannaCry. This widespread cyberattack affected numerous companies across over 100 countries. Initial reports indicate that the hacker or hacking group behind the attack gained access to enterprise servers either through Microsoft Remote Desktop Protocol compromise or the exploitation of a critical Windows Server Message Block version 1 vulnerability.
The SEC is encouraging broker-dealers and investment advisers to review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team and to evaluate whether the Microsoft patches for the Windows XP, Windows 8, and Windows Server 2003 operating systems have been properly installed in a timely manner.
Microsoft has provided updated guidance over the course of the past week as it learns more about how its operating systems were affected. In fact, Microsoft has taken the rare step of issuing a fix for previously “retired” versions of its Windows operating systems in an attempt to halt the global spread of the malware.
The SEC recently examined 75 broker-dealers (“BD’s”), Investment Advisers (“IA”), and Investment Companies (“IC”) to assess industry practices and the legal, regulatory, and compliance issues associated with cybersecurity preparedness. The SEC staff observed a wide range of information security practices, procedures, and controls across registrants, which may be tailored to each firm’s operations, lines of business, risk profile, and size. To assist firms, the SEC made certain observations that may be particularly helpful to smaller BD’s and IA’s.
Noteworthy Testing Points and Observations
Cyber-risk Assessment: 5% of the BD’s and 26% of IA/IC’s examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
Penetration Tests: 5% of BD’s and 57% of IA/IC’s examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
System Maintenance: All BD’s and 96% of IA/IC’s examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, 10% of BD’s and 4% of IA/IC’s examined were still missing a significant number of critical and high-risk security patches.
Cybersecurity preparedness is essential to all regulated entities. At a minimum, all firms must conduct a risk assessment and develop written policies, procedures, and internal controls. It is critical that all firms conduct a penetration test and review their system maintenance protocols. We are seeing a much higher proportion of regulatory exams include a cybersecurity component. There are vulnerabilities that need to be addressed. Each firm needs a health check, and now is as good a time as any.
If you have any questions, please do not hesitate to contact us.