On May 17, 2017, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert in response to the widespread ransomware attack known as WannaCry, WCry, or Wanna Decryptor, which began on May 12. The attack infected computers and servers at organizations in more than 100 countries. The Risk Alert encourages broker-dealers and investment management firms (collectively, “Firms”) to review the May 12 alert published by the US Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) and to evaluate whether the applicable patches for their operating systems have been properly and promptly installed.
The Risk Alert also references OCIE's recently completed examination of 75 SEC-registered Firms, which assessed industry practices and the legal, regulatory and compliance issues related to cybersecurity. The examination found that 26 percent of investment advisers did not conduct periodic risk assessments of critical systems, and that 57 percent of investment management firms did not conduct penetration tests and vulnerability scans on critical systems. In addition, a smaller number of Firms were missing a significant number of critical and high-risk security patches. The Risk Alert indicates that, in addressing cybersecurity risk and preparedness, Firms should consider (1) implementing periodic cybersecurity risk assessments and a process for ensuring the regular installation of software patches, and (2) conducting penetration tests and vulnerability scans.
The US Department of Homeland Security’s alert is available here.
The SEC Risk Alert is available here.