June 13, 2017

NEW YORK (Thomson Reuters Regulatory Intelligence) - In the wake of the recent WannaCry ransomware attack, the Securities and Exchange Commission's exam team is warning investment advisers that many are failing to perform steps critical to fighting cyber security attacks.

Specifically, a relatively high percentage of the advisers examined are not conducting continuous cyber-risk assessments and are not performing penetration or vulnerability tests. The shortcomings were far more common among investment advisers than among broker-dealers, and the concerns raised by the WannaCry attack were particularly relevant to smaller firms.

The weaknesses were discovered during the second round of cyber security exams under a 2014 exam initiative. The SEC conducted 75 examinations of SEC-regulated entities, aimed at assessing cyber security preparedness, including the firm's ability to protect client information.

A cyber security program without these components can expose a firm and its clients to increased risk of an attack like WannaCry. In early May, the attack infected networks of various organizations in more than 100 countries, targeting computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in bitcoin.

SEC ALERT

The SEC alert included data from broker-dealer and investment adviser examinations. The investment adviser category, which also included investment companies, appeared to be the least prepared for a cyber incident.

The exams found that advisers are not adequately addressing cyber-risk assessments and penetration tests, which are particularly relevant to smaller registrants in light of the WannaCry ransomware incident, according to the SEC.

However, the SEC found that nearly all investment advisers examined did have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. Just four percent of firms had a significant number of missing critical and high-risk security patches or updates.

CYBER-RISK ASSESSMENTS

The SEC found that 26 percent of advisers and funds examined failed to conduct periodic risk assessments of critical systems to identify cyber security threats, vulnerabilities, and the potential business consequences.

In a 2015 risk alert announcing the second round of cyber security examinations, the SEC highlighted the importance of governance and risk assessment processes that are tailored to the adviser's business when attempting to manage cyber risk. The SEC also included a sample of documents that may be requested during examinations on the topic.

Guidance from the SEC's Division of Investment Management earlier in 2015 remains the clearest statement of the SEC's specific expectations for periodic assessments. Potential assessment topics include:

• The nature, sensitivity and location of information that the adviser collects, processes or stores, and the technology systems employed to do so;

• Internal and external cyber security threats and vulnerabilities to the firm’s information and technology systems;

• The security controls and processes that the adviser currently has in place;

• The likelihood and impact to the adviser and its clients if any information or technology systems are compromised; and

• The overall effectiveness of the fund’s or adviser’s ability to manage cyber security risk, including whether risks are identified and appropriately addressed.

The guidance does not address initial assessments; the continuing efforts discussed presumably represent an extension of the initial cyber security assessment. In an initial assessment, taking an inventory of devices, connections, software and most importantly, sign-on capabilities that are at risk of cyber attacks is a good start. Having a complete picture of these elements will enable a firm to fully understand its cyber infrastructure and, in turn, help ongoing assessments of the program.

PENETRATION AND VULNERABILITY TESTS

The SEC examination discovered that 57 percent of the investment management firms examined failed to conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.

Generally speaking, a cyber security penetration or vulnerability test is an authorized, simulated attack on a network that looks for security weaknesses; a penetration test goes further than a vulnerability scan by attempting to gain access to the system's features and data through the weaknesses it finds.

The SEC has not outlined any specific parameters for penetration or vulnerability tests; it assumed many firms would probably outsource the task to a third party. However, the SEC will look for policies and records of such tests during an examination. In the 2015 risk alert, the SEC stated it will request during exams:

• Information regarding the firm’s policies related to penetration testing, whether conducted by or on behalf of the firm, and any related findings and responsive remediation efforts taken; and

• Information regarding the firm’s vulnerability scans and any related findings and responsive remediation efforts taken.

Lastly, the SEC also encourages broker-dealers and investment advisory firms to review the alert published by the United States Department of Homeland Security's Computer Emergency Readiness Team and evaluate whether the applicable Microsoft patches for the Windows XP, Windows 8 and Windows Server 2003 operating systems are properly installed.

-- SEC 2014 exam initiative: link

-- SEC 2015 risk alert: link

-- SEC 2015 cybersecurity guidance: link

(Jason Wallace is a senior editor for Thomson Reuters Regulatory Intelligence. Jason began his career at TD Waterhouse Securities Inc., now TD Ameritrade Inc., where he held key positions in the Trading, Risk Management and Compliance departments for both retail and institutional sides of the firm. Jason joins Thomson Reuters after serving as an associate director for National Regulatory Services, in San Diego, California. Follow Jason on Twitter @Wallace_iabrief. Email Jason at jason.wallace@thomsonreuters.com)