By now, we’ve all probably heard about ‘WannaCry,’ which, true to its name, is the latest installment of ransomware that makes you want to cry. Organizations large and small were affected by this far-reaching malware, and it underscores one of the most important topics for financial services firms today: cybersecurity. Firms are talking about it, and regulators are talking about it.
What Exactly is WannaCry?
WannaCry is a wide-reaching ransomware attack that invaded networks and encrypted users’ files, demanding Bitcoin payment for the key to unlock them. The initial infection of WannaCry – detailed here in Wired – was attributed either to an email or to a network vulnerability. It was particularly disastrous because it exploited a Windows SMBv1 vulnerability that Microsoft had already patched in March 2017 (MS17-010) to travel laterally from computer to computer within a network, with no user action required. So, once it was in, it was everywhere.
What Can Organizations Do to Prevent Ransomware?
- Conduct a cyber risk assessment to understand your current environment and the risks you face. In the SEC’s May 17 cybersecurity update, OCIE reported that, of the 75 firms examined, 5% of broker-dealers and 26% of advisers and funds did not conduct periodic risk assessments. (1)
- Ensure that proper patching policies are in place and being followed. Critical updates should be installed as soon as they are released, and anti-virus signatures should be updated daily. WannaCry spread through a flaw for which a patch had been available for two months, so do not keep hitting the snooze button on suggested computer updates, and make sure that expectation is clearly articulated in policies and procedures.
- Train your employees! They are the first line of defense. Convey the importance of email vigilance on a periodic basis, and conduct training and phishing tests to confirm it is working. You’d be surprised how many smart people unwittingly open links or attachments from senders they don’t know.
- Maintain data backups. If disaster strikes, have backups that can be used to restore encrypted machines. Keep at least one copy offline or otherwise unreachable from the network, since ransomware will encrypt any mapped drive or share it can write to, and test restores periodically so you know the backups actually work.
- Conduct periodic vulnerability scanning of networks. According to the same SEC update, 57% of the investment management firms and funds among the 75 examined did not conduct penetration tests and vulnerability scans on systems they considered critical. (2)
- Limit or restrict personal email access for your employees. This is a big one and not always cut and dried, so see our Spotlight on this topic below.
Not dealing with these action steps now could mean significant downtime and increased expense in the long run.
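As a concrete check for the patching point above, here is a PowerShell snippet an administrator can run on a Windows host to see whether the two controls that stopped WannaCry’s lateral spread are in place: SMBv1 disabled and the March 2017 MS17-010 security update installed. This is an added example, not code from the original post or from Ascendant. The KB list is an assumption for illustration and should be confirmed against Microsoft’s MS17-010 bulletin for each OS build; Get-SmbServerConfiguration requires Windows 8 / Server 2012 or later; and Get-HotFix only reports updates installed through Windows Update or WUSA, so on Windows 10 an absent KB may simply mean a later cumulative update superseded it.

```powershell
# Added example, not from the original post: read-only check of the two
# controls that would have stopped WannaCry's lateral spread on this host.
# The KB IDs are an assumption for illustration; confirm them against the
# MS17-010 bulletin for each OS build before relying on this list.
$Ms17010Kbs = @(
    'KB4012598',              # Vista / Server 2008
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012214', 'KB4012217', # Server 2012
    'KB4012213', 'KB4012216'  # Windows 8.1 / Server 2012 R2
)

# Is the SMBv1 server protocol still enabled? (Windows 8 / Server 2012 or later)
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# Which of the MS17-010 updates, if any, does the host report as installed?
$matched = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }

$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    SMB1Enabled      = $smb1Enabled          # $true means SMBv1 is still on
    MS17010Installed = [bool]$matched
    MatchedKBs       = ($matched.HotFixID -join ', ')
}
$report | Format-List

# Remediation (run as Administrator) if SMBv1 is still on:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# and install the missing security update from Windows Update / WSUS.
```

Run it per host, or wrap it in Invoke-Command to fan out across an OU and collect one object per machine; the remediation line is left commented so the script stays read-only until you decide to act on the results.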
What Does This Mean?
Cybersecurity truly is a nationwide challenge that all industries are facing, including the federal government (if not especially so!). President Trump signed an Executive Order on May 11, 2017 that emphasizes how critical it is to get this right. The Order states that “Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of IT and data” (3). It also requires all government agencies to use NIST’s “Framework for Improving Critical Infrastructure Cybersecurity” (the NIST Cybersecurity Framework) and to produce reports that outline the risk mitigation and acceptance choices made by each agency.
This is similar to how we at Ascendant think about cybersecurity risk: clients need to make informed, thoughtful decisions about the risks at hand and weigh the impact of the worst-case scenario on their employees and clients.
Every firm should ask themselves two questions:
- What are my policies and are they sufficient?
- What are my controls and are they sufficient?
Asking these questions, and identifying and resolving the gaps you find, will be a critical part of avoiding a breach. It’s worth noting, however, that regulators are interested not only in the steps you take to prevent a breach, but also in how prepared you are to respond if one does happen.
- Do you know how you would handle a breach?
- How would you determine its scope and impact?
- Would you know who you needed to inform?
Don’t lock the barn door after the horse has bolted: brainstorm with your compliance and IT staff now on these questions to come up with your game plan.
Spotlight: Personal Emails and Devices at Work
There’s no question there is risk associated with allowing employees to freely use personal email and devices on corporate networks:
So, what to do about it? Different firms are approaching this challenge in different ways:
There’s no one-size-fits-all solution; much will depend on risk tolerance, the strength of the cybersecurity program and each company’s culture.
Ascendant Services Can Help
- Remote web-based training on social engineering and ransomware
- Social engineering testing services
- Cybersecurity assessments to evaluate your firm’s risk
- Vulnerability scanning
- Updates to firm policies and procedures in the tool to reflect the latest guidance on cybersecurity (the audit trail is captured automatically for your Annual Review)
- Custom communications to employees on the importance of cybersecurity and email vigilance, with the Attestations module used to evidence their understanding and agreement
- Our Risk Matrix to track cybersecurity risks and maintain an up-to-date list of controls
(1) OCIE, “Cybersecurity: Ransomware Alert,” (May 17, 2017), Volume VI, Issue 4, available via link
(2) OCIE, “Cybersecurity: Ransomware Alert,” (May 17, 2017), Volume VI, Issue 4, available via link
(3) Executive Order No. 13800, 82 FR 22391 (2017), available via link