Compliance Solutions Strategies (CSS) is now part of Confluence

After ‘WannaCry,’ Everything Is Coming Up Cyber

May 18, 2017

After ‘WannaCry,’ Everything Is Coming Up Cyber

By now, we’ve all probably heard about ‘WannaCry,’ which, true to name, is the latest installment of ransomware that makes you just want to cry. Organizations large and small were affected by this far-reaching malware. This is one of the most important topics for financial services firms today – cybersecurity. Firms are talking about it, and regulators are talking about it.

What Exactly is WannaCry?

WannaCry is a wide-reaching ransomware attack that invaded networks and held the user’s information hostage, demanding Bitcoin payment for its safe return. The initial infection of WannaCry – detailed here in Wired – got through either via an email or a network vulnerability. It was particularly disastrous because it exploited a vulnerability that allowed it to travel laterally from computer to computer within a network. So, once it was in, it was everywhere.

What Can Organizations Do to Prevent Ransomware?

Image credit: Christoph Scholz

  • Conduct a cyber risk assessment to understand your current state environment and the risks you face. In the SEC’s May 17 cybersecurity update, they state that out of 75 firms they examined, 5% of BDs and 26% of advisers and funds did not conduct periodic risk assessments (1)
  • Ensure that proper patching policies are in place and being followed. Critical updates should be installed ASAP and anti-virus software should be updated daily. Do not keep hitting the snooze button on your suggested computer updates, and make sure that’s clearly articulated in policies and procedures.
  • Train your employees! They are the first line of defense. The importance of email vigilance should be conveyed on a periodic basis. You can conduct training and testing to make sure this is working. You’d be surprised how many smart people unwittingly open links or emails from people they don’t know.
  • Maintain data backups. If disaster strikes, have data backups that can be used to restore encrypted machines.
  • Conduct periodic vulnerability scanning of networks. According to the recent SEC update, 57% of the 75 investment management firms they visited did not conduct penetration tests and vulnerability scans (2)
  • Limit or restrict personal email access for your employees. This is a big one and not always cut and dry, so see our Spotlight on this topic below.

Not dealing with these action steps now could mean significant downtime and increased expense in the long run.

What Does This Mean?

Cybersecurity truly is a nation-wide challenge that all industries are facing, even the federal government (if not especially so!). President Trump signed an Executive Order on May 11, 2017 that emphasizes how critical it is to get this right. The Order states that “Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of IT and data” (3). It also requires all government agencies to align to something called the “Framework for Improving Critical Infrastructure Cybersecurity” to produce reports that outline the risk mitigation and acceptance choices made by each government agency.

This is similar to how we at Ascendant think about cybersecurity risks. Clients need to make informed, thoughtful decisions about the risk at hand and weigh the impact of “worst-case scenario” to their employees and clients.

Every firm should ask themselves two questions:

  1. What are my policies and are they sufficient?
  2. What are my controls and are they sufficient?

Asking these questions, and identifying and resolving the gaps you find will be a critical part of avoiding a breach. It’s worth noting however that regulators are not only interested in the steps you take to prevent a breach, but also how prepared you are to respond if it does happen.

  • Do you know how you would handle a breach?
  • How would you determine its scope and impact?
  • Would you know who you needed to inform?

Don’t lock the barn after the horse is gone: brainstorm with your compliance and IT staff now on these questions to come up with your game plan.

Spotlight: Personal Emails and Devices at Work
There’s no question there is risk associated with allowing employees to freely use personal email and devices on corporate networks:

  • Attachments and malicious links can get in without being scanned or scrubbed by controls that might be in place for corporate e-mail
  • Employees with malicious intent could have unsupervised conversations with clients from their desktop computers and even send firm data or attachments to third parties

So, what to do about it? Different firms are approaching this challenge in different ways:

  • Some firms use policy and training to set the standard for employee behavior:
    • Clearly indicating in policies whether employees can access personal email or connect to the corporate network with personal devices. Note that sometimes, firms want to allow their employees to use their personal e-mail as part of a push for an “entrepreneurial and open culture,” usually to the chagrin of the Chief Compliance Officer!
    • Disallowing corporate communication of any kind on a personal device
    • Conducting training on the importance of cybersecurity and email vigilance
  • Some firms use the policies above, but supplemented by technical controls:
    • Blocking commonly used e-mail hosts such as Gmail, Yahoo mail, etc (can be a challenge if your firm uses Gmail for its company email server, as some do)
    • Blocking the ability to access or upload attachments on corporate networks with access to critical data
  • Some firms even use physical controls:
    • Requiring phones to be locked up before entering an area with client data and trading information
    • Designating one machine in a common area from which personal email can be accessed, which is not on the corporate network

There’s no one-size-fits-all solution and much will depend on risk tolerance, strength of cybersecurity program and individual company’s culture.
Ascendant Services Can Help

Cybersecurity Services

  • Conduct remote web-based training on social engineering and ransomware
  • Social engineering testing services
  • Cybersecurity assessments to evaluate your firm’s risk
  • Conduct vulnerability scanning

ACM

  • Update firm policies and procedures in the tool to reflect latest guidelines on cybersecurity (and the audit trail will be automatically captured when it comes time for your Annual Review)
  • Firms can create a custom communication for employees on the importance of cybersecurity and email vigilance and use Attestations module to evidence their understanding and agreement
  • Firms can use our Risk Matrix to track the cybersecurity risk and maintain a list of up-to-date controls

 

(1) OCIE, “Cybersecurity: Ransomware Alert,” (May 17, 2017), Volume VI, Issue 4, available via link

(2) OCIE, “Cybersecurity: Ransomware Alert,” (May 17, 2017), Volume VI, Issue 4, available via link

(3) Executive Order No. 13800, 82 FR 22391 (2017), available via link