Readers of this blog know that sales practice issues represent my sweet-spot.  Today, in what is probably a welcome departure from my rants, my partner (and co-chair of Ulmer’s Financial Services & Securities Litigation Group) Fran Goins, who knows all things about data privacy and cybersecurity, offers some helpful advice on dealing with the WannaCry virus, as it relates to the financial services world. – Alan

We are now one week into the worldwide cyberattack known as the WannaCry virus, which targets computers running Microsoft Windows operating systems, encrypts their data, and demands ransom payments in Bitcoin currency.  Many of the attacks were perpetrated through phishing emails and malicious websites.  In response, the SEC Office of Compliance Inspections and Examinations issued an alert on May 15 to broker-dealers and investment management firms, admonishing them to update their security protocols and assessments, and to conduct regular penetration testing and system maintenance.

The alert notes that the SEC’s recent examinations of 75 registered BDs and investment firms revealed a number of issues.  More than a quarter of advisers and funds fail to conduct periodic risk assessments; over half of such firms do not conduct penetration testing or vulnerability scans; and some firms failed to implement critical security patches on a regular basis.  BDs scored significantly better.  The SEC staff noted that correcting such failures would be particularly relevant to smaller registrants in connection with the recent attacks, as would enhanced employee training on spotting phishing emails and malicious websites.  The alert also referred registrants to FINRA’s webpage created before these attacks, with links to cybersecurity resources including a checklist for smaller firms

Many of the entities affected by the attacks had not implemented a Microsoft security update issued two months ago on March 14, 2017.  In response to WannaCry virus, Microsoft took the unusual step of releasing patches for other operating systems on May 13, including some they no longer support.  Reportedly, ransom payments have been largely ineffective to restore the encrypted data, although a 22-year old web security researcher discovered an effective kill switch for the virus shortly after the attacks began.  Today, a group of French researchers reported that they had found a way to save at least some encrypted Windows files, and published a blog with technical details of the fix titled “wanakiwi.”

Globally, the WannaCry virus is believed to have infected more than 300,000 computers in 150 nations, with the vast majority in China and Russia.  Reportedly, only 7% of the infections occurred within the United States.  Nonetheless, the attacks disrupted major businesses, including FedEx and Hitachi, as well as UK hospitals.  Although the disruptions associated with this particular virus appear to have passed,  the attacks should be a wake-up call for US financial firms and businesses to make cybersecurity a critical component of their enterprise risk management.