SEC’s OCIE Releases Risk Alert in Response to Ransomware Attacks

by: Align on May 18, 2017

Demonstrative of its continuing focus on cybersecurity risk management, the Securities and Exchange Commission (SEC) issued yet another Risk Alert addressing a specific strain of cybersecurity threat: ransomware attacks. Following the WannaCry outbreak that began on May 12th, widely reported as the largest ransomware attack to date, the SEC swiftly stepped in, providing guidance to investment advisers, investment companies and broker-dealers (collectively, “Investment Firms”) on how to address this specific threat.

Photo Credit: © panandrii - stock.adobe.com

Some of the salient points from this latest Risk Alert and our observations:

  • The SEC provided a brief technical explanation of how the WannaCry attacks work, noting that the attackers are gaining access to enterprise servers either by compromising Microsoft Remote Desktop Protocol (RDP) access, by exploiting a Windows Server Message Block (SMB) vulnerability, or through phishing and social engineering tactics. The level of detail shows that the SEC understands how Investment Firms design and configure their IT architecture and how they operate and monitor their networks. Clearly, the SEC’s technical and technological acumen in this regard has increased.
  • The SEC also shared some observations from its most recent Cybersecurity Sweep (referred to as the “Initiative”) of 75 Investment Firms:
    • First, this shows us that the Cybersecurity Sweeps are continuing and Investment Firms should be prepared for these examination exercises.
    • Second, the SEC observed that although many Investment Firms have adopted cybersecurity policies, procedures and practices, many are not regularly assessing and testing these controls.
    • Third, these Cybersecurity Sweeps revealed that generally, broker-dealers are designing and implementing customized Cybersecurity Programs at a higher rate than investment advisers and investment companies.
  • The SEC reiterated that Investment Firms should consider a wide range of information security practices, procedures and controls and, drawing from these options, should customize an appropriate Cybersecurity Program that is tailored to such Investment Firm’s operations, lines of business, unique risk profile and size.
  • The SEC made specific recommendations to smaller Investment Firms in responding to the WannaCry ransomware attacks, which included: (i) the need for periodic Cybersecurity Risk Assessments; (ii) conducting Penetration Testing; and (iii) staying current on System Maintenance, including promptly applying system and security updates.
  • The SEC also referred Investment Firms to its prior principles-based guidance materials regarding designing and developing a meaningful Cybersecurity Program. These materials, in the aggregate, provide a framework of the necessary elements of such a program.
  • Finally, the SEC also reiterated two key points regarding its expectations, to wit, that it (i) does not expect Investment Firms to anticipate and prevent every cyber-attack; but (ii) does expect effective response capabilities that have been thoughtfully designed, implemented and tested.
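Two of the alert’s points translate directly into something an IT team can check on each Windows host: the RDP and SMB entry vectors, and the “system maintenance” recommendation (the SMB flaw WannaCry exploited had a vendor patch available before the outbreak, so patch currency is the practical measure). The PowerShell script below is an added example written for this post; it is not part of the SEC Risk Alert and not Align’s own tooling. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (where the SmbShare and NetTCPIP modules exist), and the 30-day patch-age threshold is a hypothetical value, not a regulatory figure.

```powershell
# Added example (not from the SEC Risk Alert or from Align): a read-only host
# check for the network-facing conditions behind the two WannaCry entry points
# the alert names (SMB and RDP), plus a patch-currency indicator for the
# "system maintenance" recommendation. Assumes an elevated session on
# Windows 8.1 / Server 2012 R2 or later.

function Get-WannaCryExposure {
    [CmdletBinding()]
    param(
        # Hypothetical threshold: flag hosts with no update installed in this many days.
        [int]$MaxPatchAgeDays = 30
    )

    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$Check, $Value, [bool]$Pass, [string]$Advice) {
        $findings.Add([pscustomobject]@{
            Check  = $Check
            Value  = $Value
            Status = if ($Pass) { 'OK' } else { "FAIL - $Advice" }
        })
    }

    # 1. SMBv1 server: the protocol family whose flaw WannaCry exploited to spread.
    $smb = Get-SmbServerConfiguration
    Add-Finding -Check 'SMBv1 server protocol disabled' -Value $smb.EnableSMB1Protocol `
        -Pass (-not $smb.EnableSMB1Protocol) `
        -Advice 'run Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'

    # 2. Is RDP switched on at all? fDenyTSConnections = 1 means Remote Desktop is denied.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections
    $rdpOn = ($ts.fDenyTSConnections -eq 0)
    Add-Finding -Check 'RDP disabled unless required' -Value $rdpOn -Pass (-not $rdpOn) `
        -Advice 'disable RDP, or restrict it to a VPN/jump host and known source addresses'

    # 3. If RDP is on, Network Level Authentication forces a credential check before
    #    a session is created, which blunts password guessing against the service.
    if ($rdpOn) {
        $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                                -Name UserAuthentication
        Add-Finding -Check 'RDP requires Network Level Authentication' -Value $nla.UserAuthentication `
            -Pass ($nla.UserAuthentication -eq 1) `
            -Advice 'set UserAuthentication to 1 (System Properties > Remote > require NLA)'
    }

    # 4. Is anything listening on the default RDP port on a non-loopback address?
    #    0.0.0.0 or :: means every interface, including any exposed to the internet.
    $listeners = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
                   Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') })
    Add-Finding -Check 'No non-loopback listener on TCP 3389' -Value $listeners.Count `
        -Pass ($listeners.Count -eq 0) `
        -Advice 'confirm the listener is firewalled from untrusted networks'

    # 5. Patch currency as a proxy for "system maintenance": age of the newest hotfix.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $ageDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days }
               else { [int]::MaxValue }
    Add-Finding -Check "Update installed within $MaxPatchAgeDays days" -Value $ageDays `
        -Pass ($ageDays -le $MaxPatchAgeDays) `
        -Advice 'run Windows Update and verify the latest security updates are installed'

    return $findings
}

Get-WannaCryExposure | Format-Table -AutoSize
```

The script reports and does not change anything; each FAIL row carries the remediation in its Status column so the output can be attached to a risk-assessment record. It is a single-host spot check and does not replace the periodic Cybersecurity Risk Assessments and Penetration Testing the alert calls for, which look at the network and its controls as a whole.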

We believe the takeaway here is that the SEC continues to aggressively pursue cybersecurity as a top priority and that its Cybersecurity Sweeps are continuing. Compliance expectations surrounding cybersecurity are increasing, and the SEC will be looking for evidence of a customized, periodically assessed and regularly tested Cybersecurity Program that includes elements of technology, governance and training. Moreover, smaller Investment Firms are not immune and remain in the crosshairs of the SEC Cybersecurity Sweeps.

Align Cybersecurity™ – Your Trusted Advisor
Clearly, cybersecurity risk management (or, as the SEC refers to it, “cybersecurity preparedness”) is a significant part of the current regulatory regime applicable to Investment Firms. Align Cybersecurity has assembled an elite team of legal, IT, compliance, security and technology specialists, providing Cybersecurity Advisory Services catered to Investment Firms. The practice leaders of Align Cybersecurity include a practicing investment management attorney and a well-known IT expert and technologist, who between them have been working with fund managers for over 30 years.

Align Cybersecurity works in conjunction with esteemed partners to provide a full spectrum of Cybersecurity Advisory Services to its clients, encompassing hands-on guidance, advice and counsel in assessing their cybersecurity posture and in designing and implementing an appropriate and cost-effective Cybersecurity Program for firms and managers of all sizes and levels of sophistication, whether start-up funds, emerging managers, or larger and more sophisticated advisers and funds. The overall objective is to design a cost-effective and defensible Cybersecurity Program that will meet regulatory requirements, educate and train employees, and satisfy investor expectations. For more information, visit: www.aligncybersecurity.com

Tags: Cybersecurity