The U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) has issued a Risk Alert in the wake of the widespread WannaCry ransomware attack, which has affected hundreds of thousands of users since last week.
The OCIE stated that the Risk Alert was intended to highlight "the importance of conducting penetration tests and vulnerability scans on critical systems and implementing system upgrades on a timely basis." Specifically, the Risk Alert recommends that broker-dealers and investment management firms review the U.S. Computer Emergency Readiness Team's Alert TA17-132A, "Indicators Associated With WannaCry Ransomware," and evaluate whether the applicable Microsoft patches for the Windows XP, Windows 8, and Windows Server 2003 operating systems have been installed properly and promptly.
The Risk Alert also discussed a recent survey of 75 SEC-registered broker-dealers, investment advisers, and investment companies conducted by OCIE's National Examination Program staff. The survey assessed the entities' cybersecurity preparedness, finding "a wide range of information security practices, procedures, and controls across registrants that may be tailored to the firms' operations, lines of business, risk profile and size." Specifically, the survey found:
OCIE also reiterated its April 2015 Cybersecurity Guidance in which it recommended that investment companies and advisers take the following actions:
- Implement the strategy (the cybersecurity strategy that the same guidance recommends firms create) through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect, and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.
The OCIE's Risk Alert once again highlights the importance of cybersecurity preparedness for the securities industry. The Risk Alert comes only weeks after the Colorado Division of Securities published proposed rules directed at establishing cybersecurity requirements for broker-dealers and investment advisers. The Colorado Division of Securities conducted a public hearing on the proposed rules on May 2, 2017, and received comments through May 9, 2017. The final rules are expected to be published in June 2017.
For a summary of the WannaCry attack and the steps companies can take to avoid future cybersecurity incidents, read Ballard Spahr’s Alert "Is Your Organization Ready for a Systemwide Ransomware Attack?"
Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation risk. We regularly advise clients on the development and review of risk-based information security programs, including risk assessments and incident response planning.
Our Investment Management Group attorneys represent investment companies, investment advisers, fund independent directors, trust fund managers, mutual fund service providers, broker-dealers, business development companies, hedge funds, and private equity funds. We advise on all matters of compliance and assist with issues related to ERISA, insurance, and taxation.
Attorneys in our Securities Enforcement and Corporate Governance Litigation Group represent clients in investigations, regulatory proceedings, and litigation involving the SEC, state attorneys general, and state securities regulators.
Copyright © 2017 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.