SEC Warns of Ransomware Attacks
The U.S. Securities and Exchange Commission is asking broker-dealers, investment advisers and funds to redouble their cybersecurity efforts in wake of the global cyber-attack of the WannaCry virus that has spread to more than 150 countries, disrupting critical sectors of the world economy – from transportations systems to healthcare.
In a “Ransomware Alert” issued yesterday, the Office of Compliance Inspections and Examinations urged firms to undertake “appropriate planning to address cybersecurity issues, including developing a rapid response capability … in mitigating the impact of any such attacks and any related effects on investors and clients,” including vulnerability scans and timely software and system upgrades.
The Alert noted that, in a recent examination of 75 SEC registered firms, the OCIE “observed a wide range of information security practices, procedures and controls” including:
Five percent of broker-dealers and 26% of advisers and funds “did not conduct periodical risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences;
Five percent of broker-dealers and 57$ of advisers and funds did not conduct penetration testing and vulnerability scans on critical systems; and
While all broker-dealers and 96% of advisers and funds had a process for regular system maintenance, 10% of broker-dealers and 4% of investment management firms “had a significant number of critical and high-risk security patches that were missing important updates.”
Firms were urged to review a recent Alert from the U.S. Computer Emergency Readiness Team and ensure that Microsoft patches had been properly and timely installed.