In the wake of the pervasive "WannaCry" ransomware cyberattack over the past few days, the Securities and Exchange Commission issued a cybersecurity alert on Wednesday to broker-dealers, advisers and investment funds with a number of recommendations.
The alert from the Office of Compliance Inspections and Examinations emphasized the importance of firms conducting vulnerability scans and penetration tests on their networks, and also stressed the necessity of keeping their systems patched and upgraded in a timely, consistent manner.
OCIE's National Examination Program staff recently examined 75 SEC-registered broker-dealers, investment advisers, and investment funds to assess industry practices and the legal, regulatory, and compliance issues associated with cybersecurity preparedness. They observed a wide range of information security practices, procedures, and controls. Some of their findings include:
- Cyber-risk Assessment: 5% of broker-dealers and 26% of advisers and funds examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
- Penetration Tests: 5% of broker-dealers and 57% of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
- System Maintenance: All broker-dealers and 96% of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, 10% of the broker-dealers and 4% of investment management firms examined were still missing a significant number of critical and high-risk security patches.
Note: As far as System Maintenance goes, if you're an FPA Managed Service client and you're fully on our "FPA Stack", then you're well protected.
What you should do...
- document your approach (one of the best ways for this is through FPA's Technology Security Assessment)
- define and implement the appropriate security policies
- implement an ongoing user training program!
- ensure all endpoints are secure
- control what programs are allowed to run on your firm's computers
- consider implementing dual-factor authentication
- implement a solid backup and disaster recovery solution
For more details, check out some of our recent blog posts:
- The Cliff Notes of ESET's Small Business Cybersecurity Survival Guide and Datto's Ransomware Report
- 8 Ways to Protect Your Network Against Ransomware
- The Cliff Notes of Verizon's 2017 Data Breach Report
What do you think? Has this info been helpful? Let us know in the Comment box below or shoot me an email if you’d like to chat about this in more detail.