May 17, 2017: The SEC just issued a Risk Alert (Cybersecurity: Ransomware Alert) to investment advisers and broker dealers informing them of the targeting of companies by hackers propagating a new and aggressive ransomware. On May 12, 2017, this attack, referred to as WannaCry, WCry, or Wanna Decryptor, rapidly affected numerous organizations across over one hundred countries. The WannaCry ransomware infects computers with a malicious software that encrypts computer users’ files and demands payment of ransom to restore access to the locked files.
Initial reports indicate that the hackers that perpetrated the attack are gaining access to enterprise servers either through Microsoft Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows Server Message Block version 1 vulnerability. Most significantly, some networks have been affected through phishing emails and malicious websites.
To protect against the WannaCry threat, investment advisers are urged to (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team and (2) evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed. The Microsoft patches to prevent the infection have been available since March for supported operating systems. In addition, within 24 hours of the attack, Microsoft had provided the necessary security patch for non-supported Windows XP. This highlights the need to keep current operating systems and have a disciplined and managed patching strategy.
This latest Risk Alert highlights the importance of conducting penetration tests and vulnerability scans on critical systems and implementing system upgrades on a timely basis. SEC staff also notes that appropriate planning to address cybersecurity issues, including developing a rapid response capability, is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.
On the broader topic of cybersecurity, OCIE’s National Examination Program staff recently examined 75 SEC registered broker-dealers, investment advisers, and investment companies to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness. The SEC observed a wide range of information security practices, procedures, and controls across the industry, varying greatly based on registrant operations, lines of business, risk profiles, and enterprise size.
The following observations gleaned from this sweep certainly informed this week’s SEC guidance relative to mitigating the cyber security risk posed by WannaCry ransomware, especially with respect to small and mid-sized registrants:
- Cyber-risk Assessment: Five percent of broker-dealers and 26 percent of advisers and funds (collectively, “investment management firms”) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
- Penetration Tests: Five percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
- System Maintenance: All broker-dealers and 96 percent of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, ten percent of the broker-dealers and four percent of investment management firms examined had a significant number of critical and high-risk security patches that were missing important updates.
The Commission has provided guidance and information that firms must consider when addressing cybersecurity risks and response – https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf . While not a functional regulator for advisers, FINRA has also provided guidance which is especially useful for smaller enterprises with commensurately smaller cyber risk profiles – http://www.finra.org/industry/cybersecurity.
For the past two years, Horrigan Resources has partnered with an IT specialist to offer cybersecurity risk assessments to our clients. Although each firm presents unique risks and challenges, the overarching themes relative to risk mitigation have been rapid response to red flags, and swift handling of ‘low hanging fruit’. Risk mitigation may entail material capital expenditure over time however the key is to know and triage risk, recognize that cyber risk management is ongoing and continuous, and be proactive.
Not unlike compliance, attaining a secure IT environment is a journey without a destination. Continuous and prudent attention to business risk, awareness of the threat environment, and ongoing employee training and awareness are great starting points to reduce cyber risk. Follow this link for the Risk Alert: https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf.
May 19, 2017
prepared by Horrigan Resources, Ltd.
Not customized advice. Not legal advice.
 See, U.S. Department of Homeland Security/ U.S. Computer Emergency Readiness Team (US-CERT), Alert (TA17-132A), Indicators Associated with WannaCry Ransomware (May 12, 2017, last revised May 15, 2017) (“U.S. Cert Alert TA-132A”).