After ‘WannaCry,’ Everything Is Coming Up Cyber

By now, we’ve all probably heard about ‘WannaCry,’ which, true to its name, is the latest installment of ransomware that makes you just want to cry. Organizations large and small were affected by this far-reaching malware. Cybersecurity is one of the most important topics for financial services firms today. Firms are talking about it, and regulators are talking about it.

What Exactly is WannaCry?

WannaCry is a wide-reaching ransomware attack that invaded networks and held the user’s information hostage, demanding Bitcoin payment for its safe return. The initial infection of WannaCry – detailed here in Wired – got through either via an email or a network vulnerability. It was particularly disastrous because it exploited a vulnerability that allowed it to travel laterally from computer to computer within a network. So, once it was in, it was everywhere.

What Can Organizations Do to Prevent Ransomware?
  • Conduct a cyber risk assessment to understand your current-state environment and the risks you face. In the SEC’s May 17 cybersecurity update, the SEC states that of the 75 firms it examined, 5% of broker-dealers and 26% of advisers and funds did not conduct periodic risk assessments (1).
  • Ensure that proper patching policies are in place and being followed. Critical updates should be installed ASAP and anti-virus software should be updated daily. Do not keep hitting the snooze button on your suggested computer updates, and make sure that’s clearly articulated in policies and procedures.
  • Train your employees! They are the first line of defense. The importance of email vigilance should be conveyed on a periodic basis. You can conduct training and testing to make sure this is working. You’d be surprised how many smart people unwittingly open links or emails from people they don’t know.
  • Maintain data backups. If disaster strikes, have data backups that can be used to restore encrypted machines.
  • Conduct periodic vulnerability scanning of networks. According to the recent SEC update, 57% of the 75 investment management firms it visited did not conduct penetration tests and vulnerability scans (2).
  • Limit or restrict personal email access for your employees. This is a big one and not always cut and dried, so see our Spotlight on this topic below.

Not dealing with these action steps now could mean significant downtime and increased expense in the long run.

What Does This Mean?

Cybersecurity truly is a nationwide challenge that all industries are facing, even the federal government (if not especially so!). President Trump signed an Executive Order on May 11, 2017 that emphasizes how critical it is to get this right. The Order states that “Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of IT and data” (3). It also requires all government agencies to align to the “Framework for Improving Critical Infrastructure Cybersecurity” and to produce reports that outline the risk mitigation and acceptance choices made by each agency.

This is similar to how we at Ascendant think about cybersecurity risks. Clients need to make informed, thoughtful decisions about the risk at hand and weigh the impact of a “worst-case scenario” on their employees and clients.

Every firm should ask itself two questions:

  1. What are my policies and are they sufficient?
  2. What are my controls and are they sufficient?

Asking these questions, and identifying and resolving the gaps you find, will be a critical part of avoiding a breach. It’s worth noting, however, that regulators are not only interested in the steps you take to prevent a breach, but also in how prepared you are to respond if one does happen.

  • Do you know how you would handle a breach?
  • How would you determine its scope and impact?
  • Would you know who you needed to inform?

Don’t lock the barn after the horse is gone: brainstorm with your compliance and IT staff now on these questions to come up with your game plan.

Spotlight: Personal Emails and Devices at Work

There’s no question there is risk associated with allowing employees to freely use personal email and devices on corporate networks:

  • Attachments and malicious links can get in without being scanned or scrubbed by the controls that may be in place for corporate e-mail.
  • Employees with malicious intent could have unsupervised conversations with clients from their desktop computers and even send firm data or attachments to third parties.

So, what to do about it? Different firms are approaching this challenge in different ways:

  • Some firms use policy and training to set the standard for employee behavior:
    • Clearly indicating in policies whether employees can access personal email or connect to the corporate network with personal devices. Note that sometimes, firms want to allow their employees to use their personal e-mail as part of a push for an “entrepreneurial and open culture,” usually to the chagrin of the Chief Compliance Officer!
    • Disallowing corporate communication of any kind on a personal device
    • Conducting training on the importance of cybersecurity and email vigilance
  • Some firms use the policies above, but supplemented by technical controls:
    • Blocking commonly used webmail hosts such as Gmail, Yahoo Mail, etc. (this can be a challenge if your firm uses Gmail for its company email, as some do)
    • Blocking the ability to access or upload attachments on corporate networks with access to critical data
  • Some firms even use physical controls:
    • Requiring phones to be locked up before entering an area with client data and trading information
    • Designating one machine in a common area from which personal email can be accessed, which is not on the corporate network

There’s no one-size-fits-all solution, and much will depend on risk tolerance, the strength of the cybersecurity program and the individual company’s culture.

Ascendant Services Can Help

Cybersecurity Services

  • Conduct remote web-based training on social engineering and ransomware
  • Social engineering testing services
  • Cybersecurity assessments to evaluate your firm’s risk
  • Conduct vulnerability scanning

ACM

  • Update firm policies and procedures in the tool to reflect the latest guidelines on cybersecurity (the audit trail will be captured automatically for your Annual Review)
  • Firms can create a custom communication for employees on the importance of cybersecurity and email vigilance and use the Attestations module to evidence their understanding and agreement
  • Firms can use our Risk Matrix to track the cybersecurity risk and maintain a list of up-to-date controls

(1) OCIE, “Cybersecurity: Ransomware Alert,” (May 17, 2017), Volume VI, Issue 4, available via link

(2) OCIE, “Cybersecurity: Ransomware Alert,” (May 17, 2017), Volume VI, Issue 4, available via link

(3) Executive Order No. 13800, 82 FR 22391 (2017), available via link
