SEC Issues Risk Alert in Response to WannaCry Ransomware Attack
On May 17, 2017, in response to a recent widespread global ransomware attack, the SEC's Office of Compliance Inspections and Examinations issued a risk alert entitled Cybersecurity: Ransomware Alert (the "SEC Alert"). The full text of the SEC Alert is available at: https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf. The SEC Alert indicated that the SEC recently examined 75 SEC-registered broker-dealers, investment advisers and investment funds to assess industry practices and legal, regulatory and compliance issues in connection with cybersecurity. The SEC Alert further indicated that, based on the foregoing examinations, certain practices may be particularly relevant to smaller registrants with respect to the WannaCry ransomware incident, including the following:
- Cyber-Risk Assessment: Five percent (5%) of broker-dealers and twenty-six percent (26%) of advisers and funds (collectively, "investment management firms") examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
- Penetration Tests: Five percent (5%) of broker-dealers and fifty-seven percent (57%) of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
- System Maintenance: All broker-dealers and ninety-six percent (96%) of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, ten percent (10%) of the broker-dealers and four percent (4%) of investment management firms examined were missing a significant number of critical and high-risk security patches.
According to the SEC Alert, broker-dealers and investment managers should: (1) review the alert published by the United States Department of Homeland Security's Computer Emergency Readiness Team (available at: https://www.us-cert.gov/ncas/alerts/TA17-132A), and (2) evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed.
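Step (2) above asks a firm to confirm that the applicable Microsoft patches are actually installed on its hosts. The following PowerShell script is an added illustration of that check and is not part of the SEC Alert or this alert's text; it compares the hotfixes a Windows host reports as installed against a list of required KB identifiers. The KB numbers and the `Get-MissingHotFix` function name are assumptions for the example, and the KB list in particular is a placeholder to be replaced with the identifiers named in the vendor bulletin for each operating system in scope.

```powershell
# Added example, not from the SEC Alert: compare installed Windows hotfixes
# against a list of required KB identifiers and report which ones are absent.
# The KB identifiers below are PLACEHOLDERS (assumption); substitute the ones
# listed in the applicable Microsoft security bulletin for each OS in scope.
$RequiredKBs = @('KB0000001', 'KB0000002')

function Get-MissingHotFix {
    param(
        [Parameter(Mandatory)] [string[]] $RequiredKB,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Record which operating system the host is running, since the required
    # patch set differs per OS (the SEC Alert singles out XP, 8 and Server 2003).
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName).Caption

    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID holds the 'KBnnnnnn' string.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                 Select-Object -ExpandProperty HotFixID

    foreach ($kb in $RequiredKB) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            OperatingSystem = $os
            KB = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

# One row per required KB; rows showing Installed = False are the gaps to remediate.
Get-MissingHotFix -RequiredKB $RequiredKBs | Format-Table -AutoSize
```

Two caveats for anyone using a check like this as evidence of compliance: `Get-HotFix` lists only the quick-fix entries the host recorded, so a fix delivered inside a later cumulative update may not appear under the original KB number and the vendor's supersedence information should be consulted before treating a `False` row as a confirmed gap; and running the function against a fleet (by passing each host name to `-ComputerName`) produces the per-host record that a periodic risk assessment or examination would expect to see, rather than a one-off spot check.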
Finally, while the SEC recognized that it is not possible for firms to anticipate and prevent every cyberattack, the SEC Alert indicated that appropriate planning to address cybersecurity issues is important and may assist firms in mitigating the impact of any such attack and any related effects on investors and clients.