The Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert on May 17, 2017 related to the widespread ransomware attack known as WannaCry. Firms are encouraged to (1) review the alert published by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT Alert TA17-13A) and (2) evaluate whether the applicable Microsoft patches for the Windows XP, Windows 8, and Windows Server 2003 operating systems have been properly and timely installed.
In a recent examination of broker-dealers, investment advisers and investment companies to assess industry practices and legal, regulatory and compliance issues associated with cybersecurity preparedness, the staff observed the following:
- Cyber-risk Assessment: 5% of broker-dealers and 26% of advisers and investment companies examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
- Penetration Tests: 5% of broker-dealers and 57% of advisers and investment companies examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
- System Maintenance: All broker-dealers and 96% of advisers and investment companies examined have a process in place for ensuring regular system maintenance, including installation of software patches to address security vulnerabilities. However, 10% of the broker-dealers and 4% of the advisers and investment companies examined had a significant number of critical and high-risk security patches that had not been installed.
OCIE has provided guidance and information for firms to consider when addressing cybersecurity risks and response capabilities:
- IM Guidance Update: Cybersecurity Guidance;
- National Exam Program Risk Alert, OCIE’s 2014 Cybersecurity Initiative;
- National Exam Program Risk Alert, Cybersecurity Examination Sweep Summary; and
- National Exam Program Risk Alert, OCIE’s 2015 Cybersecurity Examination Initiative.
Appropriate planning to address cybersecurity issues, including developing a rapid response capability, is important and may assist in mitigating the impact of such attacks and any related effects on investors and clients.