Following the recent cyberattack that affected computer systems worldwide, the Securities and Exchange Commission (SEC) issued a cybersecurity alert to financial professionals and organizations emphasizing the importance of conducting regular cyberrisk assessments, penetration tests and system maintenance to minimize vulnerability to such attacks.
The alert, which came from the SEC Office of Compliance Inspections and Examinations (OCIE), highlighted results from an examination of 75 SEC-registered broker-dealers, investment advisers and investment companies.
According to the alert, “The staff observed a wide range of information security practices, procedures and controls across registrants that may be tailored to the firms’ operations, lines of business, risk profile and size.” It also describes “firm practices during this Initiative that the staff believes may be particularly relevant to smaller registrants in relation to the WannaCry ransomware incident.”
Key findings from the examination, as reported in the alert, are as follows:
- Cyberrisk assessment: “5 percent of broker-dealers and 26 percent of advisers and funds (collectively, ‘investment management firms’) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.”
- Penetration tests: “5 percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.”
- System maintenance: “All broker-dealers and 96 percent of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, 10 percent of the broker-dealers and 4 percent of investment management firms examined had a significant number of critical and high-risk security patches that were missing important updates.”
The SEC also noted that the Financial Industry Regulatory Authority (FINRA) has created a webpage with links to resources related to cybersecurity. It includes a cybersecurity checklist for small firms and a report on cybersecurity practices, which highlights effective practices for strengthening cybersecurity programs.
It is estimated that the ransomware attack affected more than 200,000 computers in about 150 countries, beginning May 12. The malicious software, known as “WannaCry,” “WCry” and “Wanna Decryptor,” encrypts files and demands payment from victims to regain access to their data.
“Initial reports indicate that the hacker or hacking group behind the attack is gaining access to enterprise servers either through Microsoft Remote Desktop Protocol (RDP) compromise or the exploitation of a critical Windows Server Message Block version 1 vulnerability,” the alert states. “Some networks have also been affected through phishing emails and malicious websites.
“To protect against the WannaCry ransomware, broker-dealers and investment management firms are encouraged to (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team and (2) evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed.”
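As an added example (not part of the SEC alert or of this article), the following Python script checks from the network whether a host will still negotiate SMBv1, the protocol version the alert says WannaCry exploited. It sends an SMB1 Negotiate request offering only the “NT LM 0.12” dialect on TCP port 445 and classifies the reply: a dialect selection means SMBv1 is enabled, while a closed connection, an error status or a 0xFFFF dialect index means the server refused SMBv1. It is a pre-authentication probe and performs no exploitation. The sample server response is constructed inline for offline testing; the host argument, port default and result labels are this example’s own choices.

```python
"""Probe whether a host will negotiate SMBv1 (added example, not from the SEC alert)."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_DIALECT = b"NT LM 0.12"  # the only dialect we offer, so any acceptance means SMBv1


def _smb1_header(flags: int) -> bytes:
    # 32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    # signature (8), reserved (2), TID, PID, UID, MID
    return SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, flags, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0
    )


def build_negotiate_request() -> bytes:
    """SMB1 Negotiate Protocol Request wrapped in a NetBIOS session message."""
    dialects = b"\x02" + SMB1_DIALECT + b"\x00"          # one Dialect entry: 0x02 + string + NUL
    body = bytes([0]) + struct.pack("<H", len(dialects)) + dialects  # WordCount=0, ByteCount
    smb = _smb1_header(0x18) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb    # NetBIOS: type 0x00 + 24-bit length


def parse_negotiate_response(data: bytes) -> dict:
    """Interpret the server's answer to an SMB1-only Negotiate."""
    if not data:
        return {"smb1": "connection-closed"}  # typical when the SMB1 server is disabled
    if data[0] == 0x00 and len(data) >= 4:     # strip NetBIOS session wrapper if present
        data = data[4:4 + int.from_bytes(data[1:4], "big")]
    if data[:4] == SMB2_MAGIC:
        return {"smb1": "smb2-answer"}         # server replied SMB2 although none was offered
    if data[:4] != SMB1_MAGIC or len(data) < 35 or data[4] != SMB_COM_NEGOTIATE:
        return {"smb1": "unknown"}
    status = struct.unpack_from("<I", data, 5)[0]
    word_count = data[32]
    dialect_index = struct.unpack_from("<H", data, 33)[0]
    if status != 0 or word_count == 0 or dialect_index == 0xFFFF:
        return {"smb1": "rejected", "status": status}  # no offered dialect accepted
    security_mode = data[35] if len(data) > 35 else 0   # bit 2: signing enabled, bit 3: required
    return {
        "smb1": "accepted",
        "dialect_index": dialect_index,
        "signing_enabled": bool(security_mode & 0x04),
        "signing_required": bool(security_mode & 0x08),
    }


def constructed_negotiate_response(dialect_index: int = 0, security_mode: int = 0x07) -> bytes:
    """Constructed sample of an NT LM 0.12 Negotiate response (for offline testing)."""
    # 17 words: DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs, MaxBufferSize,
    # MaxRawSize, SessionKey, Capabilities, SystemTime, ServerTimeZone, ChallengeLength
    words = struct.pack("<HBHHIIIIqhB", dialect_index, security_mode, 50, 1, 16644,
                        65536, 0, 0x8000E3FD, 0, 0, 0)
    body = bytes([17]) + words + struct.pack("<H", 16) + b"\x00" * 16  # ByteCount=16: server GUID
    smb = _smb1_header(0x98) + body                      # 0x80 = reply flag
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Connect to host:port, send the SMB1-only Negotiate and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            data = s.recv(4096)
    except socket.timeout:
        return {"smb1": "no-response"}
    except OSError as exc:                                # RST, refused, unreachable
        return {"smb1": "connection-closed", "error": str(exc)}
    return parse_negotiate_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe_smb1(target))
```

A host that reports `accepted` still has SMBv1 reachable and belongs on the list for the alert’s patch evaluation (and for disabling SMBv1 where nothing depends on it); the probe does not tell you whether the host is patched, so it complements rather than replaces a patch inventory. `signing_required` is reported because SMB signing not being enforced is a separate, commonly flagged weakness.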