SEC Issues Cybersecurity Alert on Ransomware Attacks

The U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspection and Examination (“OCIE”) issued an alert urging broker-dealers, investment advisers, and investment companies to take steps to protect themselves against ransomware and other cyber threats in the wake of this past month’s WannaCry ransomware attack.  The WannaCry ransomware attack infected computers with a malicious software that encrypted computer files and demanded payments of ransom for restored access to the locked files.  The hacking attack affected more than 200,000 computers in 150 countries.

Based on a 2015 survey of 75 SEC registered firms, the OCIE observed certain risks and issues firms should consider when assessing their cybersecurity preparedness, particularly in light of the WannaCry ransomware attack:

• 5% of broker-dealers and 26% of advisors and funds did not conduct periodic risk assessments of crucial systems to identify cybersecurity threats, vulnerabilities, and potential business consequences.
• 5% of broker-dealers and 57% of investment management firms examined did not conduct penetration tests and vulnerability scans on critical systems.
• 10% of broker-dealers and 4% of investment management firms had not updated a number of critical and high-risk security patches, despite the fact that these firms had a process in place for ensuring regular system maintenance.

The OCIE alert also encouraged firms to review an alert from the U.S. Department of Homeland Security’s Computer Emergency Readiness Team about preventative cybersecurity actions and to ensure that patches for certain Microsoft operating systems have been properly installed.

The full OCIE alert is available here: https://www.pbwt.com/content/uploads/2017/05/SEC-Risk-alert-cybersecurity-ransomware-alert.pdf.