SEC Highlights Lack of Pen Testing in Latest Cyber Alert

May 19, 2017


The following article originally appeared in HFM Technology and was written by Carly Minsky.

More than half (57%) of the investment management firms examined by the SEC do not conduct penetration tests and vulnerability scans on critical systems, according to research from the regulator.

In a risk alert released by the Office of Compliance Inspections and Examinations (OCIE) in response to the recent WannaCry ransomware attack, OCIE staff highlighted areas of concern, particularly for smaller firms.

Although 96% of firms do have a process in place for ensuring regular system maintenance and software patches, 4% nonetheless had a significant number of critical and high-risk vulnerabilities due to missing patch updates.

“The staff recognises that it is not possible for firms to anticipate and prevent every cyber attack,” the OCIE wrote in the risk alert. “The staff also notes that appropriate planning to address cybersecurity issues, including developing a rapid response capability, is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.”

According to Vinod Paul, chief operating officer at IT managed services consultancy Align, the hedge fund community has made “moderate progress” on cybersecurity in response to regulatory attention and investor expectations, but simply reacting to this pressure is “entirely insufficient”.

“It is a sign of the times,” he said. “Hedge funds are certainly vulnerable to every type of cyber security attack, including ransomware.

“Responsible fund managers are absolutely taking steps to transform their boilerplate written policy into a meaningful, defensible cybersecurity programme that will satisfy regulators and please investors.”

Nonetheless, Paul warned that a “stubborn false sense of security” remains a persistent risk factor.

The founder and chief security strategist at a cybersecurity consultancy said he knew that a number of firms had been “scrambling to install patches” over the weekend, although none had been infected by WannaCry ransomware.

He predicted that the recent wave of attacks would force a change in practice around system updates and patches on servers, which are commonly seen as cumbersome or disruptive to operations.

Craig Rogers, partner in Eversheds’ IT and Outsourcing practice, added: “I think it’s fair to say that everyone will be scrambling to make sure that their systems are protected, and particularly those running Windows XP; and/or seeking to isolate affected systems / disable SMBs.”

Rogers also acknowledged that a new variant of WannaCry without a kill switch could cripple firms that had previously assumed they were not vulnerable.

As of 18 May, a new version of the EternalBlue exploit had appeared online that had been forward-ported to Windows 2012 R2 and Windows 8.1. There are also rumours that a new variant of the virus can run on WINE and encrypt Linux or Linux-like files.

“The WannaCry malware is indiscriminate as to the organisations it targets, so hedge funds which are wholly or partially based on Windows infrastructure are just as vulnerable as other organisations,” said Andrew Moir, head of the global cyber security practice at Herbert Smith Freehills.

“This is compounded by the malware’s ability to replicate itself within an organisation as soon as any one device becomes infected. For hedge funds, this could include live trading servers or other critical infrastructure, to the extent they are susceptible to the EternalBlue vulnerability that the malware uses to replicate.”

Moir advises hedge funds to follow the latest NCSC guidance on ransomware. In its risk alert, the OCIE recommended the Financial Industry Regulatory Authority’s resources for small firms.

Some IT professionals at hedge funds have also been pointing to the positives of the recent attacks in terms of staff education.

One senior technologist told HFM Technology: “I was talking to a CTO of a London hedge fund on Monday who said this is actually really helpful to argue for an increase in the cybersecurity budget. It is good for general awareness.”
