After ‘WannaCry,’ Everything Is Coming Up Cyber

By now, we’ve all probably heard about ‘WannaCry,’ which, true to its name, is the latest installment of ransomware that makes you just want to cry. Organizations large and small were affected by this far-reaching malware. It puts a spotlight on one of the most important topics for financial services firms today: cybersecurity. Firms are talking about it, and regulators are talking about it.

What Exactly Is WannaCry?

WannaCry is a wide-reaching ransomware attack that invaded networks and held the user’s information hostage, demanding Bitcoin payment for its safe return. The initial infection of WannaCry – detailed here in Wired – got through either via an email or a network vulnerability. It was particularly disastrous because it exploited a vulnerability that allowed it to travel laterally from computer to computer within a network. So, once it was in, it was everywhere.

What Can Organizations Do to Prevent Ransomware?

Image credit: Christoph Scholz

  • Conduct a cyber risk assessment to understand your current-state environment and the risks you face. In the SEC’s May 17 cybersecurity update, they state that out of 75 firms they examined, 5% of broker-dealers (BDs) and 26% of advisers and funds did not conduct periodic risk assessments (1).
  • Ensure that proper patching policies are in place and being followed. Critical updates should be installed ASAP and anti-virus software should be updated daily. Do not keep hitting the snooze button on your suggested computer updates, and make sure that’s clearly articulated in policies and procedures.
  • Train your employees! They are the first line of defense. The importance of email vigilance should be conveyed on a periodic basis. You can conduct training and testing to make sure this is working. You’d be surprised how many smart people unwittingly open links or emails from people they don’t know.
  • Maintain data backups. If disaster strikes, have data backups that can be used to restore encrypted machines.
  • Conduct periodic vulnerability scanning of networks. According to the recent SEC update, 57% of the 75 investment management firms they visited did not conduct penetration tests and vulnerability scans (2).
  • Limit or restrict personal email access for your employees. This is a big one and not always cut and dried, so see our Spotlight on this topic below.

Not dealing with these action steps now could mean significant downtime and increased expense in the long run.

What Does This Mean?

Cybersecurity truly is a nationwide challenge that all industries are facing, even the federal government (if not especially so!). President Trump signed an Executive Order on May 11, 2017 that emphasizes how critical it is to get this right. The Order states that “Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of IT and data” (3). It also requires all government agencies to align to something called the “Framework for Improving Critical Infrastructure Cybersecurity” and to produce reports that outline the risk mitigation and acceptance choices made by each government agency.

This is similar to how we at Ascendant think about cybersecurity risks. Clients need to make informed, thoughtful decisions about the risk at hand and weigh the impact of a “worst-case scenario” on their employees and clients.

Every firm should ask themselves two questions:

  1. What are my policies and are they sufficient?
  2. What are my controls and are they sufficient?

Asking these questions, and identifying and resolving the gaps you find, will be a critical part of avoiding a breach. It’s worth noting, however, that regulators are not only interested in the steps you take to prevent a breach, but also in how prepared you are to respond if it does happen.

  • Do you know how you would handle a breach?
  • How would you determine its scope and impact?
  • Would you know whom you would need to inform?

Don’t lock the barn after the horse is gone: brainstorm with your compliance and IT staff now on these questions to come up with your game plan.

Spotlight: Personal Emails and Devices at Work

There’s no question there is risk associated with allowing employees to freely use personal email and devices on corporate networks:

  • Attachments and malicious links can get in without being scanned or scrubbed by the controls that might be in place for corporate email
  • Employees with malicious intent could have unsupervised conversations with clients from their desktop computers and even send firm data or attachments to third parties

So, what to do about it? Different firms are approaching this challenge in different ways:

  • Some firms use policy and training to set the standard for employee behavior:
    • Clearly indicating in policies whether employees can access personal email or connect to the corporate network with personal devices. Note that sometimes, firms want to allow their employees to use their personal e-mail as part of a push for an “entrepreneurial and open culture,” usually to the chagrin of the Chief Compliance Officer!
    • Disallowing corporate communication of any kind on a personal device
    • Conducting training on the importance of cybersecurity and email vigilance
  • Some firms use the policies above, but supplemented by technical controls:
    • Blocking commonly used webmail hosts such as Gmail, Yahoo Mail, etc. (this can be a challenge if your firm uses Gmail for its company email, as some do)
    • Blocking the ability to access or upload attachments on corporate networks with access to critical data
  • Some firms even use physical controls:
    • Requiring phones to be locked up before entering an area with client data and trading information
    • Designating one machine in a common area from which personal email can be accessed, which is not on the corporate network

There’s no one-size-fits-all solution, and much will depend on risk tolerance, the strength of the cybersecurity program and the individual company’s culture.
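The technical controls listed above (blocking consumer webmail hosts and restricting attachment uploads) can be partly measured and enforced from web-proxy logs. The script below is an added example written for this article; it is not a tool from Ascendant or from the page. It assumes a simplified, constructed proxy-log format (timestamp, client IP, method, URL, status, bytes sent by the client), an illustrative list of webmail domains, and an arbitrary byte threshold for what counts as a likely attachment upload; it also emits a Squid-style ACL that would deny the same hosts.

```python
"""Spot personal-webmail use and likely attachment uploads in web-proxy logs,
and generate a Squid ACL that blocks the same hosts.

Added illustration for this article, not Ascendant's tooling. The domain list,
log format and upload threshold are assumptions a firm would tune.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Consumer webmail hosts to watch for (assumption: keep this in configuration,
# not code, in a real deployment).
PERSONAL_WEBMAIL = (
    "mail.google.com",
    "mail.yahoo.com",
    "outlook.live.com",
    "mail.aol.com",
)

# Constructed, simplified proxy-log format:
#   <timestamp> <client-ip> <METHOD> <url> <status> <bytes-sent-by-client>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

# A POST/PUT to a webmail host at or above this size is flagged as a possible
# attachment upload. Assumption: a tuning knob, not a standard.
UPLOAD_BYTES = 100_000


@dataclass
class Finding:
    timestamp: str
    client: str
    host: str
    kind: str  # "access" or "possible-upload"


def is_personal_webmail(host: str) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in PERSONAL_WEBMAIL)


def parse_line(line: str):
    """Return the log fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return a Finding for every request to a personal-webmail host."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the report
        host = urlparse(rec["url"]).hostname or ""
        if not is_personal_webmail(host):
            continue
        kind = "access"
        if rec["method"] in ("POST", "PUT") and int(rec["bytes"]) >= UPLOAD_BYTES:
            kind = "possible-upload"
        findings.append(Finding(rec["ts"], rec["client"], host, kind))
    return findings


def summarize(findings):
    """Count findings per (client, kind) for a compliance-style summary."""
    return Counter((f.client, f.kind) for f in findings)


def squid_acl(acl_name: str = "personal_webmail") -> str:
    """Squid config lines denying the watched hosts (leading dot = subdomains)."""
    domains = " ".join("." + d for d in PERSONAL_WEBMAIL)
    return f"acl {acl_name} dstdomain {domains}\nhttp_access deny {acl_name}\n"


# Constructed sample log lines: one webmail read, one large upload to webmail,
# one unrelated site, one small webmail POST, and one malformed line.
SAMPLE_LOG = [
    "2017-05-15T09:12:03 10.1.2.3 GET https://mail.google.com/mail/u/0/ 200 812",
    "2017-05-15T09:12:41 10.1.2.3 POST https://mail.google.com/mail/u/0/?ui=2&attid=0 200 2418233",
    "2017-05-15T09:13:05 10.1.2.9 GET https://www.sec.gov/ 200 421",
    "2017-05-15T09:14:19 10.1.2.7 POST https://mail.yahoo.com/d/compose 200 3417",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.client} {f.host} {f.kind}")
    print(summarize(results))
    print(squid_acl())
```

Run as-is, the script reports two plain accesses and one possible upload, then prints the Squid ACL. One caveat the article raises deserves a note: if the firm itself runs on Gmail, a plain domain block also denies corporate mail; Google documents a proxy-inserted header (X-GoogApps-Allowed-Domains) that lets a firm allow its own Google Workspace domain while blocking consumer accounts, which is the usual way around that conflict.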

Ascendant Services Can Help

Cybersecurity Services

  • Conduct remote web-based training on social engineering and ransomware
  • Social engineering testing services
  • Cybersecurity assessments to evaluate your firm’s risk
  • Conduct vulnerability scanning

ACM

  • Update firm policies and procedures in the tool to reflect latest guidelines on cybersecurity (and the audit trail will be automatically captured when it comes time for your Annual Review)
  • Firms can create a custom communication for employees on the importance of cybersecurity and email vigilance and use the Attestations module to evidence their understanding and agreement
  • Firms can use our Risk Matrix to track the cybersecurity risk and maintain a list of up-to-date controls

(1) OCIE, “Cybersecurity: Ransomware Alert,” (May 17, 2017), Volume VI, Issue 4, available via link

(2) OCIE, “Cybersecurity: Ransomware Alert,” (May 17, 2017), Volume VI, Issue 4, available via link

(3) Executive Order No. 13800, 82 FR 22391 (2017), available via link
