The SEC continues to pursue Cybersecurity as a top examination priority, and its Cybersecurity Sweeps are ongoing. Underscoring that focus, the SEC issued yet another Risk Alert addressing a specific strain of Cybersecurity threat: ransomware attacks. Compliance expectations surrounding Cybersecurity are clearly increasing, and the SEC will be looking for a customized, periodically assessed and regularly tested Cybersecurity Program that includes elements of technology, governance and training.
1. Clearly, the SEC’s technical and technological acumen in this regard has increased.
The SEC provided a brief technical explanation of how the WannaCry attacks work, noting that the attackers gain access to enterprise servers either by compromising Microsoft Remote Desktop Protocol (RDP) connections or by exploiting a critical vulnerability in Windows Server Message Block (SMB), and that some networks have also been affected through phishing and social engineering tactics. This demonstrates the SEC’s capability to understand the technical aspects of how Investment Firms design and configure their IT architecture, as well as how they operate and monitor their networks.
2. Surprisingly, smaller Investment Firms are not immune and remain in the crosshairs of the SEC Cybersecurity Sweeps.
The SEC made specific recommendations to smaller Investment Firms for responding to the WannaCry ransomware attacks, which included:
(i) the need for periodic Cybersecurity Risk Assessments;
(ii) conducting Penetration Testing; and
(iii) being vigilant about System Maintenance, including promptly applying system and security updates.
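The following PowerShell script is an added example, not code from the SEC Risk Alert or from Cipperman; it is a read-only posture check that a firm’s IT staff could run on a Windows host to confirm the three entry points the alert names are closed. It assumes a Windows 8.1 / Server 2012 R2 or later host (older systems lack the Get-SmbServerConfiguration cmdlet), an elevated session, and a 30-day patch-age threshold chosen here for illustration.

```powershell
# Added example (not from the SEC alert or the Cipperman post): a read-only
# posture check for the WannaCry entry points named in the alert. Assumes an
# elevated session on Windows 8.1 / Server 2012 R2 or later.

$findings = @()

# 1. SMB: WannaCry's worm component spread over SMBv1. The protocol should be
#    disabled server-side regardless of patch level.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 is enabled (fix: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force)"
}

# 2. RDP: the alert cites RDP compromise as the other server entry point. If RDP
#    is enabled, Network Level Authentication should be required. Whether port
#    3389 is reachable from the internet cannot be judged from the host alone;
#    that belongs in the firm's penetration test scope.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdpTcp.UserAuthentication -ne 1) {
        $findings += "RDP is enabled without Network Level Authentication"
    }
}

# 3. Patch currency: the alert's "system and security updates". Hotfix KB
#    numbers differ per Windows build, so rather than hard-coding one, flag a
#    host whose most recent update is older than the assumed 30-day threshold.
$lastPatch = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "No update installed in the last 30 days (most recent: $($lastPatch.InstalledOn))"
}

if ($findings.Count -eq 0) {
    "No findings on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { "FINDING on $($env:COMPUTERNAME): $_" }
}
```

The script reports rather than remediates, so it can be run across a fleet as evidence for the periodic Risk Assessment without changing any host; the remediation commands are noted in the findings text for the administrator to apply deliberately.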
3. Finally, the SEC also reiterated two key points regarding its expectations:
1. It does not expect Investment Firms to anticipate and prevent every cyber-attack; and
2. It does, however, expect effective response capabilities that have been thoughtfully designed, implemented and tested.
The Cipperman Team
Cipperman Compliance Services LLC
Wayne, PA 19087