The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on May 17, 2017 for the widespread ransomware attack, known as WannaCry, which began on May 12, 2017 (read our overview of the attack). In order to protect against the WannaCry ransomware, the risk alert encouraged broker-dealers and investment managers to review an alert on indicators of the WannaCry attack published by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team and evaluate whether Microsoft patches to Windows operating systems were properly and timely installed.
The staff of OCIE’s National Examination Program (the Staff) has recently examined 75 broker-dealers, investment advisers and investment companies to assess industry practices and legal, regulatory and compliance issues surrounding cybersecurity preparedness. In particular, the Staff observed several practices they believe are especially relevant to smaller registrants in relation to the WannaCry ransomware attack, including conducting cybersecurity risk assessments, penetration testing and system maintenance. The Staff’s observations are outlined in the chart below.
The ransomware alert notes that the SEC’s Division of Investment Management and OCIE have provided guidance for firms to consider in assessing the effectiveness of cybersecurity programs.[1] The Staff also referenced as a resource the Financial Industry Regulatory Authority’s (FINRA) cybersecurity webpage, which includes links to a cybersecurity checklist for small registrants and links to cybersecurity resources.
The SEC has stated in previous risk alerts that funds and advisers should develop effective cybersecurity policies and procedures to mitigate exposure to compliance risks associated with cyber threats. Accordingly, mutual fund boards of directors may consider asking fund service providers for information regarding the most recent cyber risk alert and any impact on funds or fund service providers arising from the WannaCry ransomware attack.
More generally, boards of directors may want to consider, to the extent they have not already done so, the following practices with respect to the cybersecurity programs of funds and fund service providers:
- Request that service providers implement a cybersecurity plan that includes the development of cybersecurity policies and procedures and the regular updating thereof;
- Ensure there is oversight and enforcement of cybersecurity policies and procedures, including incentives for compliance and accountability for non-compliance;
- Regularly monitor the effectiveness of internal and external cybersecurity controls; and
- Review whether adequate resources have been allocated for applicable cybersecurity risks that have been identified and the plan for remediation.
Smaller advisory firms and their chief compliance officers may consider their existing resources and, if appropriate, engage outside cyber experts in the development and updating of their cybersecurity policies, procedures and controls.
[1] This guidance includes: National Exam Program Risk Alert – OCIE Cybersecurity Initiative (April 2014); National Exam Program Risk Alert – OCIE Cybersecurity Sweep Summary (February 2015); IM Cybersecurity Guidance Update (April 2015); and National Exam Program Risk Alert – OCIE’s 2015 Cybersecurity Examination Initiative.