SEC Alerts Advisers on WannaCry Ransomware Cyberattacks

Author: Craig Pollack Date: May 17, 2017 Topics: Cybersecurity

SEC Alerts Advisers on WannaCry Ransomware Cyberattacks

In the wake of the pervasive "WannaCry" ransomware cyberattack over the past few days, the Securities and Exchange Commission issued a cybersecurity alert on Wednesday to broker-dealers, advisers and investment funds with a number of recommendations.

The alert from the Office of Compliance Inspections and Examinations emphasized the importance of firms conducting vulnerability scans and penetration tests on their networks and also stressed the necessity of keeping their systems upgraded timely and consistently.

OCIE’s National Examination Program staff recently examined 75 SEC registered broker-dealers, investment advisers, and investment funds to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness. They observed a wide range of information security practices, procedures, and controls. Some of their findings include:

  • Cyber-risk Assessment: 5% of broker-dealers and 26% of advisers and funds examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
  • Penetration Tests: 5% of broker-dealers and 57% of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
  • System Maintenance: All broker-dealers and 96% of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, 10% of the broker-dealers and 4% of investment management firms examined had a significant number of critical and high-risk security patches that were missing important updates. 

Note: As far as System Maintenance goes, if you're an FPA Managed Service client and you're fully on our "FPA Stack", then you're well protected. 

What you should do...

  • document your approach (one of the best ways for this is through FPA's Technology Security Assessment)
  • define and implement the appropriate security policies
  • implement an ongoing user training program!
  • ensure all endpoints are secure
  • control what programs are allowed to run on your firm's computers
  • consider implementing dual-factor authentication
  • implement a solid backup and disaster recovery solution

For more details, check out some of our recent blog posts:

What do you think? Has this info been helpful? Let us know in the Comment box below or shoot me an email if you’d like to chat about this in more detail.

New Call-to-action


Craig Pollack

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 25 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best secure and leverage their technology to achieve their business objectives.