The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) issued a National Exam Program Risk Alert (Risk Alert) on May 17, 2017 in response to “WannaCry,” the ongoing global ransomware attack that began Friday, May 12.
In the Risk Alert, the OCIE staff (staff) encourages broker-dealers and investment management firms (Firms) to review the alert published by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (DHS Alert). The DHS Alert offers a concise overview and description of the WannaCry ransomware, technical details about how an attack occurs, a summary of ransomware’s potential impact and, most importantly, recommended steps for prevention and remediation.
The Risk Alert also encourages Firms to evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed. The staff explained that “[i]nitial reports indicate that the hacker or hacking group behind the [WannaCry] attack is gaining access to enterprise servers either through Microsoft Remote Desktop Protocol (RDP) or through the exploitation of a critical Windows Server Message Block version 1 vulnerability.” Patching such known vulnerabilities may limit a Firm’s risk of a WannaCry attack.
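As an added illustration (not part of the Risk Alert or the DHS Alert), the following PowerShell snippet shows one way a Firm’s IT staff could check the two conditions the staff singles out on a Windows host: whether the SMBv1 server protocol is still enabled, whether a specific Microsoft security update is present, and whether Remote Desktop is accepting connections without Network Level Authentication. The KB identifier is a placeholder, since the Risk Alert does not name the patch; the cmdlets used (Get-SmbServerConfiguration, Get-HotFix, Get-ItemProperty) require Windows 8/Windows Server 2012 or later and PowerShell 3+, so the Windows XP and Windows Server 2003 systems the alert mentions would need to be checked by other means.

```powershell
# Added example: host-level check for the WannaCry-related conditions named in the Risk Alert.
# Assumptions: run elevated on Windows 8 / Server 2012 or newer with PowerShell 3+.
# $PatchKb is a PLACEHOLDER; substitute the KB number from Microsoft's advisory for your OS.
$PatchKb = 'KB0000000'

# 1. Is the SMBv1 server protocol still enabled? (EnableSMB1Protocol is a real property of Get-SmbServerConfiguration)
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# 2. Is the relevant security update installed? Get-HotFix queries Win32_QuickFixEngineering.
$patchInstalled = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

# 3. Is RDP enabled, and if so, is Network Level Authentication required?
#    fDenyTSConnections = 0 means RDP connections are allowed; UserAuthentication = 1 means NLA is required.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$rdpEnabled = ((Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0)
$nlaRequired = ((Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1)

# Summarise as a single object so results from many hosts can be collected and reviewed.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    SMB1Enabled    = $smb1Enabled          # should be $false
    PatchInstalled = $patchInstalled       # should be $true
    RDPEnabled     = $rdpEnabled           # review whether RDP is needed at all
    NLARequired    = $nlaRequired          # should be $true wherever RDP stays enabled
    NeedsAttention = ($smb1Enabled -or -not $patchInstalled -or ($rdpEnabled -and -not $nlaRequired))
}
```

Running this through Invoke-Command across a Firm’s Windows estate, and keeping the resulting objects, gives a dated record of the patch and configuration review that the Risk Alert encourages; it does not replace the DHS Alert’s fuller remediation guidance.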
In the Risk Alert, the staff also provided Firms (in particular, smaller registrants) with practical tips for how they might mitigate the risk and impact of future cyber-attacks. First, the staff drew Firms’ attention to the information security practices OCIE observed in connection with its 2014 cybersecurity examination sweep, which revealed that, of those registrants the OCIE staff examined: (i) 5% of broker-dealers and 26% of advisers and funds did not conduct periodic risk assessments of critical systems to identify cyber-threats and vulnerabilities; (ii) 5% of broker-dealers and 57% of advisers did not conduct penetration tests and vulnerability scans on critical systems; and (iii) 10% of broker-dealers and 4% of investment management firms had a significant number of critical and high-risk security patches that were missing important updates. The Risk Alert notes that these findings may be particularly relevant for smaller registrants in relation to the WannaCry ransomware incident. Second, the staff reminded Firms to consider past guidance issued by the Division of Investment Management, OCIE and the Financial Industry Regulatory Authority (FINRA) when addressing their cyber-risk and response capabilities. And third, the staff emphasized that Firms should consider cybersecurity issues in advance, noting that developing a “rapid response capability” may mitigate the impact of future cyber-attacks.
Implications for Registrants
OCIE’s publication of this Risk Alert makes clear the following:
- Firms should be considering whether they are vulnerable to a WannaCry attack in particular and whether their current practices leave them unnecessarily vulnerable to future ransomware and other cyber-attacks.
- Notwithstanding the staff’s recognition that “it is not possible for firms to anticipate and prevent every cyber-attack,” firms of all sizes should actively be taking appropriate steps to prepare for and respond to cyber-attacks.
- Smaller registrants should recognize that the Risk Alert not only provides them with practical tips for cyber-readiness, but also effectively puts such registrants on notice that OCIE expects that they, too, are “conducting penetration tests and vulnerability scans and implementing system upgrades on a timely basis.”