In response to the May 12 global ransomware attack principally known as WannaCry, the US Department of Homeland Security, the Securities and Exchange Commission and the UK Financial Conduct Authority issued guidance advising persons how to prevent, detect and potentially remediate the specific malware, as well as how to defend against ransomware generally. To guard against future attacks, Homeland Security encouraged all persons to follow specific precautionary measures:
- make sure anti-virus software is the current version;
- ensure copies of sensitive or proprietary data are routinely prepared and stored on a separate and secure location. Backup copies of sensitive information should not be readily accessible from local networks;
- review with caution links contained in emails, and do not open attachments included in emails that are unsolicited or unrecognized;
- download software—especially free software—only from known and trusted sites; and
- enable automated patches for operating systems and Web browsers.
The SEC’s Office of Compliance Inspections and Examinations noted that, during recent examinations of 75 registered broker-dealers, investment advisers and investment companies, it observed that 5 percent of BDs and 26 percent of IAs and funds did not conduct periodic cyber-risk assessments. Moreover, 5 percent of BDs and 57 percent of IAs and funds did not conduct penetration tests and vulnerability scans on firm critical systems. OCIE encouraged registrants to review the cybersecurity resources it has publicized (click here to access a sample) as well as those made available by the Financial Industry Regulatory Authority (click here to access). (Click here for further background on prior SEC and FINRA assessment of cybersecurity threats to regulated firms in the article “Industry Watchdogs Warn Brokers and Advisory Firms on Cybersecurity Threats” in the February 8, 2015 edition of Bridging the Week.)
FCA also provided links to helpful guidance to deal with the specific WannaCry ransomware (click here to access).
Helpful to Getting the Business Done: Last fall, Katten Muchin Rosenman attorneys published a very helpful guide to avoiding and dealing with ransomware attacks. (Click here to access the September 27, 2016 article “Is Your Business Prepared for the Ransomware Epidemic.”) The guide recommended that, among other precautions, firms should implement ongoing risk analysis, incident response and business continuity planning, regular backups, workforce training, technical safeguards, access controls, and third-party vendor management. Obtaining cyber insurance should also be explored.
However, no matter how excellent the precautions taken by firms are, all employees must still exercise common sense. As recommended by Homeland Security, employees must be trained not to open links in unsolicited or unrecognized emails.
The crooks are getting cleverer and cleverer too. Just last week I received a personal email that appeared to be from my best friend from high school (who now lives abroad), suggesting that I would enjoy opening a particular link. When I reviewed my “friend’s” email address, I noticed his name was there, as expected. However, when I looked behind his name, I saw an email address I did not recognize. After I wrote to my friend at a different email address, he confirmed to me that the earlier email was not from him. I knew then it was malware. I promptly deleted it. If this had been a firm computer, I would have first alerted our IT team.
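The check described above, a familiar display name sitting in front of an unfamiliar address, written out as an added example (this is not code from the article or from Katten): parse the From header with Python's standard library and compare the display name against the address actually behind it, using a constructed address book of known contacts.

```python
import email.utils

# Constructed sample address book (an assumption for this example): lowercase
# display name -> the address(es) that contact is actually known to use.
KNOWN_CONTACTS = {
    "alex rivera": {"alex.rivera@example.org"},
    "it helpdesk": {"helpdesk@example.com"},
}


def check_sender(from_header, contacts=KNOWN_CONTACTS):
    """Classify a From header the way the manual check above does.

    Returns a dict whose 'status' is one of:
      known         - display name and address both match the address book
      spoofed_name  - display name of a known contact, but an address that is
                      not on record for them (the pattern in the anecdote)
      name_is_addr  - the display name itself looks like an address that
                      differs from the real one behind it
      unknown       - display name not in the address book at all
      unparseable   - no usable address in the header
    """
    name, addr = email.utils.parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    result = {"name": name, "address": addr}
    if "@" not in addr:
        result["status"] = "unparseable"
    elif "@" in name and name != addr:
        result["status"] = "name_is_addr"
    elif name not in contacts:
        result["status"] = "unknown"
    elif addr in contacts[name]:
        result["status"] = "known"
    else:
        result["status"] = "spoofed_name"
        result["expected"] = sorted(contacts[name])
    return result


if __name__ == "__main__":
    # Constructed headers: one genuine, one with a familiar name over a strange address.
    for hdr in ('"Alex Rivera" <alex.rivera@example.org>',
                "Alex Rivera <mail7781@free-webmail.example>"):
        print(hdr, "->", check_sender(hdr)["status"])
```

A "spoofed_name" result is a prompt to verify out of band, as the author did by writing to the friend at a known address, rather than proof of malice on its own.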
These days, what looks like a duck, waddles like a duck, and sounds like a duck, may still not be a duck. We all must be vigilant!