Alerts

SEC Cybersecurity Risk Alert Urges Firms to Protect Against Ransomware

Alerts / May 19, 2017

On May 17, 2017, the Office of Compliance Inspections and Examinations (OCIE) of the United States Securities and Exchange Commission (SEC) issued a risk alert highlighting the importance of registered broker-dealers, investment advisers and investment companies taking appropriate steps to protect themselves against ransomware in light of this past week’s WannaCry attack.[1]

Following its recent cybersecurity sweep exam of 75 firms, OCIE observed that firms of all sizes should implement the following measures:

  • Conduct Risk Assessments. According to the risk alert, 5% of the broker-dealers and 26% of investment advisers and investment companies examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities and the potential business consequences.
  • Perform Penetration Tests. The risk alert also indicated that the sweep found 5% of broker-dealers and 57% of investment advisers and investment companies did not conduct penetration tests and vulnerability scans on critical information systems.
  • Maintain Information Systems. The risk alert further noted that 10% of the broker-dealers and 4% of investment advisers and investment companies had failed to update a number of critical and high-risk patches to maintain the integrity and security of their information systems.

Risk alerts like this are rare and typically focus on regulatory issues that the SEC seeks to emphasize to its registrants – in this case, the compliance measures entities must implement to protect against ransomware and other cyber threats. These findings show that the SEC views risk assessments, penetration tests and patching as key elements of any firm’s cybersecurity program. They also show that investment advisers and investment companies appear to be behind the curve on implementing these measures despite previous guidance by the SEC’s Division of Investment Management and OCIE.[2] Given these repeated warnings, firms that fail to incorporate these measures into their cybersecurity programs risk not only a cyber incident, but also an enforcement action by the SEC for not reasonably safeguarding customer information and planning for business continuity.

As demonstrated by our 2017 Data Security Incident Response Report, which analyzes the more than 450 cyber incidents our Privacy and Data Protection team handled in 2016, BakerHostetler has unparalleled experience when it comes to responding to attacks and managing cybersecurity risks. We regularly work with clients in the financial services sector to conduct risk assessments and develop legally-compliant cybersecurity programs to help identify, prevent and respond to data security incidents.

If you have any questions about this alert, please contact Marc D. Powers at mpowers@bakerlaw.com or +1.212.589.4216, Theodore J. Kobus III at tkobus@bakerlaw.com or +1.212.271.1504, Melinda L. McLellan at mmclellan@bakerlaw.com or +1.212.589.4679, Jonathan A. Forman at jforman@bakerlaw.com or +1.212.847.2855 or any member of BakerHostetler’s Hedge Fund Industry, Securities Litigation and Regulatory Enforcement or Privacy and Data Protection team.

Authorship credit: Melinda L. McLellan and Jonathan A. Forman


[1] SEC National Exam Program Risk Alert, Cybersecurity: Ransomware Alert (May 17, 2017), https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf.
[2] See, e.g., SEC National Exam Program Risk Alert, OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015), https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf; SEC Division of Investment Management, Cybersecurity Guidance (Apr. 2015), https://www.sec.gov/investment/im-guidance-2015-02.pdf.

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.

Blog

In The Blogs

Previous Next
Data Counsel
California's AB 587: What You Need to Know About Social Media Content Moderation
By Jiwon (Jamie) Kim, Jeewon K. Serrato
November 21, 2022
On Sept. 13, California Gov. Gavin Newsom signed into law AB 587, which requires social media companies to publicly post their content moderation policies and semiannually report data on their enforcement of the policies to the attorney...
Read More ->
Data Counsel
New York Department of Financial Services Publishes Proposed Second Amendment to Its Cybersecurity Regulation
By Elise R. Elam, Patrick H. Haggerty, Vaughn Stupart
November 17, 2022
On Nov. 9, 2022, the New York State Department of Financial Services (NYDFS) published a proposed second amendment to its cybersecurity regulation. This follows its pre-proposed amendment that was published on July 29. Our prior analysis...
Read More ->
Data Counsel
OCR releases YouTube Addressing "Recognized Security Practices" in HIPAA Enforcement Context
By Adam I. Cohen, Kimberly C. Gordy, Craig A. Robinson
November 14, 2022
As a Halloween treat for HIPAA-covered entities and business associates, on October 31, the Department of Health and Human Services Office for Civil Rights (OCR) released a new video on its YouTube channel, in which senior OCR...
Read More ->
Data Counsel
Could Careless Coders Face False Claims Liability?
By Brian Craig, Stephen E. Ruscus
October 28, 2022
New Software Development Security Attestation and Related False Claims Act Liability for Commercial and Noncommercial Software Developers and Suppliers Key takeaway Software producers at all levels in the federal supply chain should...
Read More ->
Data Counsel
Top NFT-Related Cybersecurity, Phishing, Hacking and Other Risks in 2022
By Robert A. Musiala Jr., Veronica Reynolds
October 26, 2022
The continued growth of the market for nonfungible tokens (NFTs) in 2022 has helped shape the zeitgeist of what has been referenced colloquially by some as the “fourth industrial revolution,”[1] defined largely by network effect (e.g...
Read More ->