On May 17, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert urging broker-dealers, investment advisers and investment companies to safeguard themselves against ransomware in light of the recent global “WannaCry” ransomware attack, which impacted entities in over one hundred countries, including Britain’s National Health Service and major companies such as FedEx and Telefónica.
The OCIE examined 75 SEC-registered firms to assess “industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.” The OCIE focused on these firms’ cyber-risk assessments, penetration testing, and system maintenance, and found that:
- 5% of the broker-dealers and 26% of investment advisers and funds did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and potential business consequences;
- 5% of broker-dealers and 57% of investment advisers and funds did not conduct penetration tests and vulnerability scans on critical information systems;
- 10% of the broker-dealers and 4% of investment advisers and funds had not updated a number of critical and high-risk patches to maintain the integrity and security of their information systems even though these firms had a process in place for regular system maintenance.
Given that the WannaCry ransomware attack might have been carried out through a breach via Microsoft Remote Desktop Protocol or Windows Server Message Block version 1 (the worm’s confirmed propagation vector was the SMBv1 vulnerability addressed by Microsoft’s MS17-010 bulletin in March 2017, with out-of-band patches for otherwise unsupported systems released during the attack), the alert encouraged firms to evaluate whether the applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems have been properly and timely installed. The OCIE alert also directed firms to review the alert published by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team, US-CERT Alert TA17-132A, which describes actions firms might consider in response to the ransomware incident.
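For firms that want to turn the alert’s “evaluate whether patches are installed” instruction into an actual check, the following PowerShell script is an added illustration; it is not part of the Nossaman post, the OCIE alert, or any Microsoft tooling. It reports, for the machine it runs on, whether an MS17-010 hotfix is installed, whether SMBv1 is still enabled, whether Remote Desktop is enabled, and whether anything is listening on port 445. The KB numbers are the ones Microsoft published for MS17-010 and the May 2017 out-of-band releases, but treat the list as an assumption to verify against the bulletin for each operating system build before relying on it. Several of the cmdlets used do not exist on Windows XP or Server 2003, so on those hosts only the registry and Get-HotFix checks will run.

```powershell
# Added example, not code from the original post or from the OCIE alert.
# Assumption: these KB IDs are the MS17-010 / out-of-band SMBv1 fixes; verify per OS build.
$Ms17010Kbs = @('KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates; any match means the SMBv1 fix is present.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($installed | Where-Object { $Ms17010Kbs -contains $_ })
}

function Test-Smb1Enabled {
    # The LanmanServer SMB1 registry value is honoured on all versions; the
    # Get-SmbServerConfiguration cmdlet only exists on Windows 8 / Server 2012 and later.
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    if ($null -ne $params.SMB1) { return ($params.SMB1 -ne 0) }
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # No explicit setting found: SMBv1 is on by default on the affected releases.
    return $true
}

function Test-RdpEnabled {
    # fDenyTSConnections = 0 means inbound Remote Desktop is allowed.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    return ($ts.fDenyTSConnections -eq 0)
}

function Test-Smb445Listening {
    # Get-NetTCPConnection is Windows 8 / Server 2012 and later; report $null elsewhere.
    if (-not (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue)) { return $null }
    return [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
}

function Get-WannaCryExposure {
    # One row per host; collect these across the fleet to evidence the review the alert asks for.
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        OSVersion      = [System.Environment]::OSVersion.VersionString
        MS17010Patched = Test-Ms17010Installed
        SMB1Enabled    = Test-Smb1Enabled
        RDPEnabled     = Test-RdpEnabled
        Listening445   = Test-Smb445Listening
    }
}

Get-WannaCryExposure | Format-List
```

Run it in an elevated PowerShell session on each Windows host (or push it through your endpoint management tool) and keep the output: a host showing MS17010Patched as False with SMB1Enabled True is exactly the condition the alert asks firms to find and fix, and the retained results are the kind of evidence an OCIE examiner would expect to see for the “system maintenance” area.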
The OCIE’s risk alert and its examination of 75 SEC-registered firms underscore the fact that the SEC is making cybersecurity and the cybersecurity practices (and thus the cybersecurity disclosures) undertaken by public companies one of its primary focuses. As Nossaman reported in its May 11, 2017 blog post, “because cybersecurity issues remain relatively new and regulators are eager to catch up with emerging technologies, this area could be low hanging fruit” for the SEC.