In response to the WannaCry ransomware attack that rapidly spread through numerous organizations across more than 100 countries, the Securities and Exchange Commission is cautioning broker-dealers and investment advisers to protect themselves against the same threat.
On Wednesday the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a ransomware alert.
This risk alert highlights the importance of conducting “penetration tests and vulnerability scans on critical systems and implementing system upgrades on a timely basis.”
The SEC encourages broker-dealers and investment management firms to review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) and evaluate whether the applicable Microsoft patches for the Windows XP, Windows 8 and Windows Server 2003 operating systems have been properly and promptly installed.
“Initial reports indicate that the hacker or hacking group behind the attack is gaining access to enterprise servers either through Microsoft Remote Desktop Protocol (RDP) compromise or the exploitation of a critical Windows Server Message Block version 1 vulnerability,” the alert states. “Some networks have also been affected through phishing emails and malicious websites.”
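Because the alert names two concrete host-level exposures (the SMBv1 vulnerability and RDP) and the SEC asks firms to confirm that patches are applied promptly, a compliance reviewer usually wants a repeatable check rather than a manual inspection. The following PowerShell script is an added example written for this page, not code from the SEC, US-CERT or ThinkAdvisor. It reports whether SMBv1 is enabled, whether RDP is accepting connections and requiring Network Level Authentication, and how many days have passed since the last hotfix was installed. The 30-day threshold for "timely" patching is an assumed value, not a figure from the alert, and the cmdlets require Windows 8 / Windows Server 2012 or later; Windows XP and Server 2003 hosts have no such cmdlets and should be patched manually, isolated or retired.

```powershell
# Added example (not part of the SEC alert or the article).
# Run in an elevated PowerShell session on Windows 8 / Server 2012 or later.
# Assumed threshold: a host whose newest hotfix is older than this is flagged as overdue.
$PatchWindowDays = 30

# 1. Is the SMBv1 server protocol still enabled? (The WannaCry vector named in the alert.)
$smb = Get-SmbServerConfiguration
$smb1Enabled = [bool]$smb.EnableSMB1Protocol

# 2. Is the SMBv1 optional feature installed at all? Absent is the cleanest state.
#    The feature name is the one used on client editions; on Server editions the
#    equivalent is the FS-SMB1 role feature, so the lookup is allowed to fail quietly.
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$smb1Installed = ($null -ne $smb1Feature -and $smb1Feature.State -eq 'Enabled')

# 3. Is RDP accepting connections, and is Network Level Authentication required?
#    fDenyTSConnections = 0 means RDP is on; UserAuthentication = 1 means NLA is enforced.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
$nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
$nlaRequired = ($nla.UserAuthentication -eq 1)

# 4. When was the most recent hotfix installed? InstalledOn can be empty for some entries,
#    so those are skipped before sorting.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$daysSincePatch = if ($lastPatch) {
    (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
} else { $null }

# One record per host; pipe to Export-Csv when collecting across a fleet for the exam file.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    SMB1Enabled    = $smb1Enabled
    SMB1Installed  = $smb1Installed
    RDPEnabled     = $rdpEnabled
    RDPRequiresNLA = $nlaRequired
    LastHotFix     = if ($lastPatch) { $lastPatch.HotFixID } else { 'none found' }
    DaysSincePatch = $daysSincePatch
    PatchOverdue   = ($null -eq $daysSincePatch -or $daysSincePatch -gt $PatchWindowDays)
}

# Remediation for an SMB1Enabled = True finding. Uncomment only after confirming that no
# legacy device (old scanners, NAS appliances, XP/2003 hosts) still depends on SMBv1.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

The hotfix age is a coarse proxy: it tells you a host is not receiving updates at all, but it does not confirm that the specific SMBv1 fix is present. Pair it with the vendor's bulletin for the exact knowledge-base article that applies to each operating system build, and treat any host where SMB1Enabled is true and RDP is reachable from outside the firm's network as the first priority.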
OCIE’s National Examination Program staff also identified several areas where broker-dealers and advisers could be vulnerable to attack, based on a recent examination of 75 SEC-registered broker-dealers, investment advisers and investment companies to assess industry practices and compliance issues associated with cybersecurity preparedness.
The staff observed firm practices during these examinations that it believes may be particularly relevant to smaller registrants in relation to the WannaCry ransomware incident.
Cyber Risk Assessment
According to the SEC, 5% of broker-dealers and 26% of advisers and funds examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities and the potential business consequences.
The SEC also found that 5% of broker-dealers and 57% of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
All broker-dealers and 96% of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, 10% of the broker-dealers and 4% of investment management firms examined were missing a significant number of critical and high-risk security patches.