I just completed my PCI Compliance (Payment Card Industry Data Security Standards) report, which requires specific security measures and the use of qualified vendors who accept credit card payments on our behalf. So data security has been on my plate and on my mind. I was particularly concerned after hearing about the recent ransomware attack that affected businesses', governments', hospitals' and other entities' computers in 75 countries, including the US. Scary stuff.
So it seems important to pass on the new SEC information on cyber-security.
“The staff observed a wide range of information security practices, procedures and controls across registrants that may be tailored to the firms’ operations, lines of business, risk profile and size,” as well as “firm practices during this Initiative that the staff believes may be particularly relevant to smaller registrants in relation to the recent WannaCry ransomware incident.”
Key findings from the examination, as reported in the alert, are as follows:
- Cyberrisk assessment: “5 percent of broker-dealers and 26 percent of advisers and funds (collectively, ‘investment management firms’) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.”
- Penetration tests: “5 percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.”
- System maintenance: “All broker-dealers and 96 percent of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, 10 percent of the broker-dealers and 4 percent of investment management firms examined had a significant number of critical and high-risk security patches that were missing important updates.”
The SEC also noted that the Financial Industry Regulatory Authority (FINRA) has created a webpage with links to resources related to cybersecurity. It includes a cybersecurity checklist for small firms and a report on cybersecurity practices, which highlights effective practices for strengthening cybersecurity programs.
It is estimated that the ransomware attack affected more than 200,000 computers in about 150 countries, beginning May 12. The malicious software, known as “WannaCry,” “WCry” and “Wanna Decryptor,” works by encrypting files and demanding payment from users to regain access to their data.
“Initial reports indicate that the hacker or hacking group behind the attack is gaining access to enterprise servers either through Microsoft Remote Desktop Protocol (RDP) compromise or the exploitation of a critical Windows Server Message Block version 1 vulnerability,” the alert states. “Some networks have also been affected through phishing emails and malicious websites.
“To protect against the WannaCry ransomware, broker-dealers and investment management firms are encouraged to:
(1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team and
(2) evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed.”
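As an added illustration of step (2), and not something from the SEC alert or this post, here is a read-only PowerShell check that reports, for one Windows host, the three conditions the alert calls out: whether the SMBv1 server protocol is enabled, whether the relevant Microsoft patch is installed, and whether Remote Desktop is enabled. The patch identifier is a placeholder to be filled in from the Microsoft bulletin referenced by the DHS alert; the cmdlets assume Windows 8 / Server 2012 or later, with a registry fallback for older systems.

```powershell
# Added example, not part of the SEC alert: read-only host check for the
# conditions the alert names. Run in an elevated PowerShell session.
$PatchIds = @('KB_PLACEHOLDER')   # placeholder: fill from the Microsoft bulletin the DHS alert cites

$report = [ordered]@{}

# 1. Is the SMBv1 server protocol enabled?
#    Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later; on
#    older systems (XP, Server 2003) fall back to the LanmanServer registry value,
#    where an absent SMB1 value means the legacy default, i.e. enabled.
try {
    $smb = Get-SmbServerConfiguration -ErrorAction Stop
    $report['SMB1Enabled'] = [bool]$smb.EnableSMB1Protocol
} catch {
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $report['SMB1Enabled'] = ($null -eq $reg) -or ($null -eq $reg.SMB1) -or ($reg.SMB1 -ne 0)
}

# 2. Which of the expected patches are missing? (Get-HotFix lists installed updates by KB id.)
$installed = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)
$report['MissingPatches'] = @($PatchIds | Where-Object { $installed -notcontains $_ })

# 3. Is Remote Desktop enabled? fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
$report['RDPEnabled'] = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

# Overall: flag the host if SMBv1 is on, or any expected patch is absent.
$report['NeedsAttention'] = $report['SMB1Enabled'] -or ($report['MissingPatches'].Count -gt 0)

[pscustomobject]$report
```

A host that reports SMB1Enabled as True or a non-empty MissingPatches list is one the alert would have a firm remediate first; RDPEnabled is informational, since the alert names RDP compromise as an entry path but does not say to disable it.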