I am happy to share this post from my colleague, Greg Stein, about ransomware.  While ransomware is not something unique to the financial services industry, because, as criminal Willie Sutton famously answered when asked why he robbed banks, our industry is “where the money is,” BDs, IAs and banks do seem to attract more than their fair share of ransonware attention.  I do not profess to be an expert in this area, but, happily, Greg is just a phone call away.  – Alan

Ransomware is hot.  And unlike some trends, it is unlikely to be a short-term trend.  Criminals have been able to easily deploy ransomware attacks, which encrypt a users’ data and hold it hostage until the victim pays a ransom, and unlike stealing personal information, there is direct payment to the criminals and no need to sell anything on the dark web.  Those characteristics have made ransomware increasingly attractive to criminals.  It is unsurprising, then, that ransomware attacks were up 50% in the first half of 2017, according to a July 2017 breach insight report prepared by insurer Beazely.  The Beazely Report merely confirms what has become obvious to all businesses: ransomware is one of the most significant cyberthreats to every business and it is critical to develop plans to prevent ransomware attacks and to respond if an organization gets hit with a ransomware attack.

Unfortunately, 2017 has been the year of the ransomware threat, with the WannaCry and Petya outbreaks, widespread ransomware attacks that infected computers throughout the world.  Recognizing the threat that WannaCry posed to broker-dealers, investment advisers, and investment companies, the SEC issued a Cybersecurity: Ransomware Alert on May 17, 2017 describing the threat and steps Firms should be taking to prevent the attack.

The SEC Alert explained that the WannaCry hack was exploiting vulnerabilities through Microsoft’s Remote Desktop Protocol and a critical Windows Server Message Block version 1 vulnerability.  To prevent the threat, it recommended that Firms (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team; and (2) determine whether they had properly and timely installed Microsoft patches for Window XP, Windows 8, and Windows Server 2003.

Further, the SEC Alert identified important practices that would help protect against ransomware threats generally:

  • Cyber-risk assessments – Performing periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
  • Penetration Tests – Performing penetration tests and vulnerability scans of critical systems.
  • System Maintenance – Implementing a program to timely apply software patches as part of system maintenance.

Like WannaCry, Petya is a strain of ransomware that impacted systems throughout the world. One notable victim was TNT Express B.V., a transportation company acquired by FedEx Corp. in May 2016.  In FedEx’s 10-K, it explained that TNT was a victim of the Petya attack, that it cannot yet determine the financial impact of the crime other than it will likely be “material,” and  FedEx did not have cyber or other insurance that would mitigate the costs of the attack.

Ransomware poses a significant threats to broker-dealers and their customers and implicate many different legal issues.  FINRA reviews firms’ ability to protect the confidentiality, integrity, and availability of sensitive customer information. The legal authority for that review includes Regulation S-P, Regulation S-ID, and the Securities Exchange Act of 1934.  In other words, ransomware is not an information technology issue.  It is a critical business issue with significant legal implications.

Best practices for firms include performing cyber-risk assessments, penetration testing, and system maintenance and having the work performed by a party engaged by an attorney. By having an attorney hire the party perform these tasks, there is an argument that the results of such assessments and testing are protected under attorney-client privilege.  Without an attorney’s involvement in such projects, the results undoubtedly will be discoverable in civil litigation and regulatory investigations.

Further, as illustrated by FedEx, it is important to review whether an entity has cyberliability insurance in place that protects against ransomware attacks.  Not all cyberliability policies are the same, so it is important to closely analyze whether your policy will cover restoring impacted systems and lost revenue in the event operations are disrupted by a ransomware attack.

The threat from ransomware is rising, a trend that appears to continue into the future.  Planning to prevent and, if necessary, recover from a ransomware attack should be a legal issue that is treated as a priority for broker-dealers.