Readers of this blog know that sales practice issues represent my sweet spot. Today, in what is probably a welcome departure from my rants, my partner (and co-chair of Ulmer’s Financial Services & Securities Litigation Group) Fran Goins, who knows all things about data privacy and cybersecurity, offers some helpful advice on dealing with the WannaCry virus, as it relates to the financial services world. – Alan

We are now one week into the worldwide cyberattack known as the WannaCry virus, which targets computers running Microsoft Windows operating systems, encrypts their data, and demands ransom payments in Bitcoin currency.  Many of the attacks were perpetrated through phishing emails and malicious websites.  In response, the SEC Office of Compliance Inspections and Examinations issued an alert on May 15 to broker-dealers and investment management firms, admonishing them to update their security protocols and assessments, and to conduct regular penetration testing and system maintenance.

The alert notes that the SEC’s recent examinations of 75 registered BDs and investment firms revealed a number of issues. More than a quarter of advisers and funds failed to conduct periodic risk assessments; over half of such firms did not conduct penetration testing or vulnerability scans; and some firms failed to implement critical security patches on a regular basis. BDs scored significantly better. The SEC staff noted that correcting such failures would be particularly relevant to smaller registrants in connection with the recent attacks, as would enhanced employee training on spotting phishing emails and malicious websites. The alert also referred registrants to FINRA’s webpage, created before these attacks, with links to cybersecurity resources, including a checklist for smaller firms.

Many of the entities affected by the attacks had not implemented a Microsoft security update issued two months ago on March 14, 2017. In response to the WannaCry virus, Microsoft took the unusual step of releasing patches for other operating systems on May 13, including some it no longer supports. Reportedly, ransom payments have been largely ineffective to restore the encrypted data, although a 22-year-old web security researcher discovered an effective kill switch for the virus shortly after the attacks began. Today, a group of French researchers reported that they had found a way to save at least some encrypted Windows files, and published a blog post with technical details of the fix, titled “wanakiwi.”

Globally, the WannaCry virus is believed to have infected more than 300,000 computers in 150 nations, with the vast majority in China and Russia. Reportedly, only 7% of the infections occurred within the United States. Nonetheless, the attacks disrupted major businesses, including FedEx and Hitachi, as well as UK hospitals. Although the disruptions associated with this particular virus appear to have passed, the attacks should be a wake-up call for US financial firms and businesses to make cybersecurity a critical component of their enterprise risk management.

 

Fran Goins


Fran is skilled in resolving complex business disputes for public and private companies, including matters involving securities, corporate governance, cybersecurity, consumer, and contract law. Her practice also includes counseling businesses on compliance and training for data privacy and cybersecurity, ethics, anti-bribery, and governance best practices. She regularly defends clients in SEC and other regulatory enforcement actions, and has conducted many internal corporate and special litigation investigations. Fran has litigated numerous takeover and proxy contests involving public companies. She is an accomplished appellate lawyer, having successfully argued several groundbreaking issues. She also serves as an arbitrator on the American Arbitration Association Commercial and Consumer Panels, and has represented numerous clients in arbitration proceedings.

Fran was tapped by the Department of Homeland Security to speak on “Cybersecurity in the C-Suite and Boardroom” in its C-Cubed webinar series. In independent surveys of in-house counsel and peer attorneys, Fran is ranked as one of Chambers USA’s “Leaders in Their Field” in Ohio for General Commercial Litigation, and a “State Litigation Star” in Ohio by Benchmark Litigation. She has appeared in Benchmark’s “Top 250 Women in Litigation” in the U.S. since 2014. Fran is nationally recognized by The Best Lawyers in America® in Corporate Compliance Law, Corporate Governance Law, Securities Litigation, and Banking & Finance Litigation, and was named Best Lawyers’ 2017 “Lawyer of the Year” for Securities Litigation and 2018 “Lawyer of the Year” for Banking and Finance Litigation (Cleveland).