The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on May 17, 2017 for the widespread ransomware attack, known as WannaCry, which began on May 12, 2017 (read our overview of the attack). In order to protect against the WannaCry ransomware, the risk alert encouraged broker-dealers and investment managers to review an alert on indicators of the WannaCry attack published by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team and evaluate whether Microsoft patches to Windows operating systems were properly and timely installed.
The staff of OCIE’s National Examination Program (the Staff) has recently examined 75 broker-dealers, investment advisers and investment companies to assess industry practices and legal, regulatory and compliance issues surrounding cybersecurity preparedness. In particular, the Staff observed several practices they believe are especially relevant to smaller registrants in relation to the WannaCry ransomware attack, including conducting cybersecurity risk assessments, penetration testing and system maintenance. The Staff’s observations are outlined in the chart below.
Practices Relevant to Smaller Registrants
Cyber-risk Assessment: Five percent of broker-dealers and 26 percent of advisers and funds (collectively, investment management firms) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities and the potential business consequences.
Penetration Tests: Five percent of broker-dealers and 57 percent of the investment management firms did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
System Maintenance: All broker-dealers and 96 percent of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, 10 percent of the broker-dealers examined and four percent of the investment management firms examined had a significant number of critical and high-risk security patches that were missing important updates.
The ransomware alert notes that the SEC’s Division of Investment Management and OCIE have provided guidance for firms to consider in assessing the effectiveness of cybersecurity programs.1 The Staff also referenced as a resource the Financial Industry Regulatory Authority’s (FINRA) cybersecurity webpage, which includes links to a cybersecurity checklist for small registrants and links to cybersecurity resources.
The SEC has stated in previous risk alerts that funds and advisers should develop effective cybersecurity policies and procedures to mitigate exposure to compliance risks associated with cyber threats. Accordingly, mutual fund boards of directors may consider asking fund service providers for information regarding the most recent cyber risk alert and any impact on funds or fund service providers arising from the WannaCry ransomware attack.
More generally, boards of directors may want to consider, to the extent they have not already done so, the following practices with respect to the cybersecurity programs of funds and fund service providers:
Request that service providers implement a cybersecurity plan that includes the development of cybersecurity policies and procedures and the regular updating thereof;
Ensure there is oversight and enforcement of cybersecurity policies and procedures, including incentives for compliance and accountability for non-compliance;
Regularly monitor the effectiveness of internal and external cybersecurity controls; and
Review whether adequate resources have been allocated for applicable cybersecurity risks that have been identified and the plan for remediation.
Smaller advisory firms and their chief compliance officers may consider their existing resources and, if appropriate, engage outside cyber experts in the development and updating of their cybersecurity policies, procedures and controls.
1 This guidance includes: National Exam Program Risk Alert – OCIE Cybersecurity Initiative (April 2014); National Exam Program Risk Alert – OCIE Cybersecurity Sweep Summary (February 2015); IM Cybersecurity Guidance Update (April 2015); and National Exam Program Risk Alert – OCIE’s 2015 Cybersecurity Examination Initiative.