SEC Issues Risk Alert on Cybersecurity in Light of “WannaCry” Ransomware Attack

On May 17, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a Risk Alert discussing the recent ransomware cyberattack and providing two important protection steps firms should take.  In addition, the Risk Alert noted that OCIE had observed certain “security practices, procedures, and controls” during the cybersecurity-focused exams it performed on broker-dealers, investment advisers, and registered investment companies in 2015 that it believes are relevant to smaller firms.  The following are three important practices it outlined:

  • Cyber-risk Assessments
  • Penetration Tests
  • System Maintenance

Further, the Risk Alert noted that both OCIE and the SEC’s Division of Investment Management, along with the Financial Industry Regulatory Authority (“FINRA”), have issued guidance and additional resources for firms to consider in developing and maintaining their cybersecurity programs.  These include IM Guidance from the Division of Investment Management, which provides steps for addressing cybersecurity risks; an OCIE Risk Alert summarizing its cybersecurity sweep exam findings; and a website created by FINRA that provides, among other things, a cybersecurity checklist and reports that highlight effective practices.

Cyberattacks are occurring with increasing frequency, and to date the SEC has issued five Risk Alerts, performed two focused sweep exams, released written guidance, named cybersecurity as an exam priority for the last three years, and even instituted an enforcement action against an investment adviser for not having appropriate cybersecurity policies and procedures.  Senior managers are responsible for ensuring that adequate resources have been dedicated to their firm’s cybersecurity program.

If you don’t yet have a formal program in place, Compliance Compliance can help.  We perform cybersecurity risk assessments, provide employee training, and can assist CCOs with drafting and implementing cybersecurity policies and procedures.  If you have questions or would like to learn more, please contact us at (619) 278-0020 to schedule a consultation.
