On May 17, 2017, the SEC’s Office of Compliance Inspections and Enforcement (OCIE) issued a cybersecurity alert to the securities firms it regulates. OCIE advised broker-dealers and investment companies to take certain actions in connection with the recent WannaCry and Wanna Decryptor ransomware attacks that affected numerous organizations in over one hundred countries. Specifically, OCIE encouraged firms as follows:
To protect against the WannaCry ransomware, broker-dealers and investment management firms are encouraged to (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team — US-CERT Alert TA17-132A — and (2) evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed.
The alert also noted that OCIE had recently examined 75 SEC-registered firms to assess industry practices and the legal, regulatory, and compliance issues associated with cybersecurity preparedness. OCIE indicated that this cybersecurity initiative yielded the following observations:
- Cyber-risk Assessment: Five percent of broker-dealers and 26 percent of advisers and funds (collectively, “investment management firms”) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
- Penetration Tests: Five percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
- System Maintenance: All broker-dealers and 96 percent of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, ten percent of the broker-dealers and four percent of investment management firms examined were missing a significant number of critical and high-risk security patches.
Registered firms would be well advised to review both the SEC’s cybersecurity guidance and FINRA’s. That guidance can be found at the following links:
- Division of Investment Management, IM Guidance Update: Cybersecurity Guidance (April 2015): https://www.sec.gov/investment/im-guidance-2015-02.pdf
- OCIE, National Exam Program Risk Alert, OCIE’s 2014 Cybersecurity Initiative (April 15, 2014): https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf
- National Exam Program Risk Alert, Cybersecurity Examination Sweep Summary (Feb. 3, 2015): https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf
- National Exam Program Risk Alert, OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015): https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
- FINRA, Topic Page: Cybersecurity: http://www.finra.org/industry/cybersecurity
To the extent that regulated entities can demonstrate their deliberate focus on and implementation of SEC cybersecurity guidance, they will be better positioned to avoid and mitigate cyber-risks, and they will be in a better regulatory posture in the event they experience incidents.