After ‘WannaCry,’ Everything Is Coming Up Cyber

By now, we’ve all probably heard about ‘WannaCry,’ which, true to its name, is the latest installment of ransomware that makes you just want to cry. Organizations large and small were affected by this far-reaching malware. Cybersecurity is one of the most important topics for financial services firms today: firms are talking about it, and regulators are talking about it.

What Exactly is WannaCry?

WannaCry is a wide-reaching ransomware attack that invaded networks and held users’ information hostage, demanding Bitcoin payment for its safe return. The initial infection of WannaCry – detailed here in Wired – got in either via an email or via a network vulnerability. It was particularly disastrous because it exploited a vulnerability that allowed it to travel laterally from computer to computer within a network, with no user action required. So, once it was in, it was everywhere.

What Can Organizations Do to Prevent Ransomware?

Image credit: Christoph Scholz

  • Conduct a cyber risk assessment to understand your current state environment and the risks you face. In the SEC’s May 17 cybersecurity update, they state that out of 75 firms they examined, 5% of broker-dealers (BDs) and 26% of advisers and funds did not conduct periodic risk assessments (1).
  • Ensure that proper patching policies are in place and being followed. Critical updates should be installed ASAP and anti-virus software should be updated daily. Do not keep hitting the snooze button on your suggested computer updates, and make sure that’s clearly articulated in policies and procedures.
  • Train your employees! They are the first line of defense. The importance of email vigilance should be conveyed on a periodic basis. You can conduct training and testing to make sure this is working. You’d be surprised how many smart people unwittingly open links or emails from people they don’t know.
  • Maintain data backups. If disaster strikes, have data backups that can be used to restore encrypted machines.
  • Conduct periodic vulnerability scanning of networks. According to the recent SEC update, 57% of the 75 investment management firms they visited did not conduct penetration tests and vulnerability scans (2).
  • Limit or restrict personal email access for your employees. This is a big one and not always cut and dried, so see our Spotlight on this topic below.

Not dealing with these action steps now could mean significant downtime and increased expense in the long run.

What Does This Mean?

Cybersecurity truly is a nationwide challenge that all industries are facing, even the federal government (if not especially so!). President Trump signed an Executive Order on May 11, 2017 that emphasizes how critical it is to get this right. The Order states that “Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of IT and data” (3). It also requires all government agencies to align to the “Framework for Improving Critical Infrastructure Cybersecurity” and to produce reports that outline the risk mitigation and acceptance choices made by each agency.

This is similar to how we at Ascendant think about cybersecurity risks. Clients need to make informed, thoughtful decisions about the risk at hand and weigh the impact of a “worst-case scenario” on their employees and clients.

Every firm should ask themselves two questions:

  1. What are my policies and are they sufficient?
  2. What are my controls and are they sufficient?

Asking these questions, and identifying and resolving the gaps you find, will be a critical part of avoiding a breach. It’s worth noting, however, that regulators are not only interested in the steps you take to prevent a breach, but also in how prepared you are to respond if one does happen.

  • Do you know how you would handle a breach?
  • How would you determine its scope and impact?
  • Would you know who you needed to inform?

Don’t lock the barn after the horse is gone: brainstorm with your compliance and IT staff now on these questions to come up with your game plan.

Spotlight: Personal Emails and Devices at Work

There’s no question there is risk associated with allowing employees to freely use personal email and devices on corporate networks:

  • Attachments and malicious links can get in without being scanned or scrubbed by controls that might be in place for corporate e-mail
  • Employees with malicious intent could have unsupervised conversations with clients from their desktop computers and even send firm data or attachments to third parties

So, what to do about it? Different firms are approaching this challenge in different ways:

  • Some firms use policy and training to set the standard for employee behavior:
    • Clearly indicating in policies whether employees can access personal email or connect to the corporate network with personal devices. Note that sometimes, firms want to allow their employees to use their personal e-mail as part of a push for an “entrepreneurial and open culture,” usually to the chagrin of the Chief Compliance Officer!
    • Disallowing corporate communication of any kind on a personal device
    • Conducting training on the importance of cybersecurity and email vigilance
  • Some firms use the policies above, but supplemented by technical controls:
    • Blocking commonly used e-mail hosts such as Gmail, Yahoo Mail, etc. (this can be a challenge if your firm uses Gmail for its company email, as some do)
    • Blocking the ability to access or upload attachments on corporate networks with access to critical data
  • Some firms even use physical controls:
    • Requiring phones to be locked up before entering an area with client data and trading information
    • Designating one machine in a common area from which personal email can be accessed, which is not on the corporate network

There’s no one-size-fits-all solution, and much will depend on risk tolerance, the strength of the cybersecurity program and the individual company’s culture.

Ascendant Services Can Help

Cybersecurity Services

  • Conduct remote web-based training on social engineering and ransomware
  • Social engineering testing services
  • Cybersecurity assessments to evaluate your firm’s risk
  • Conduct vulnerability scanning

ACM

  • Update firm policies and procedures in the tool to reflect latest guidelines on cybersecurity (and the audit trail will be automatically captured when it comes time for your Annual Review)
  • Firms can create a custom communication for employees on the importance of cybersecurity and email vigilance and use the Attestations module to evidence their understanding and agreement
  • Firms can use our Risk Matrix to track the cybersecurity risk and maintain a list of up-to-date controls


(1) OCIE, “Cybersecurity: Ransomware Alert,” (May 17, 2017), Volume VI, Issue 4, available via link

(2) OCIE, “Cybersecurity: Ransomware Alert,” (May 17, 2017), Volume VI, Issue 4, available via link

(3) Executive Order No. 13800, 82 FR 22391 (2017), available via link

ComplianceCast: Advertising & Marketing Compliance

Have questions on Advertising and Marketing Compliance?

Ascendant’s Samantha Addonizio and Peter Guarino take a look at The Rules, Hot Topics & Reviewing Tips for compliance professionals.

This complimentary ComplianceCast covers the following topics:

  • Investment Adviser Advertising Rules and No-Action Guidance
  • Performance Advertising – General Requirements, Model Performance & Hypothetical Back-tested Performance
  • Use of Third-Party Performance in Advertising – Disclosures & Caveats
  • Considerations for Different Types of Media
  • Anatomy of Reviewing Advertising Materials – Illustration of the Review Process & Key Considerations

For a free download, click here and fill out the download request form.

Jay Clayton Sworn in as SEC Chairman

Jay Clayton has taken over the reins of the SEC after being sworn in as the 32nd Chair of the Commission in a May 4 ceremony.

Jay Clayton/SEC

He had been nominated on Jan. 20 and confirmed by the U.S. Senate on May 2.

Prior to his confirmation, he worked for 20 years as a partner at Sullivan & Cromwell LLP, advising public and private companies on securities offerings, mergers and acquisitions, corporate governance, and regulatory and enforcement proceedings. He had also served as an adjunct professor at the University of Pennsylvania Law School from 2009 to 2017.

“The work of the SEC is fundamental to growing the economy, creating jobs, and providing investors and entrepreneurs with a share of the American Dream,” he said in a statement. “I would like to thank Acting Chairman Piwowar for his leadership, and I look forward to working with my fellow Commissioners and the talented SEC staff to ensure that our markets remain the safest and most vibrant markets in the world.”

Prior to joining Sullivan & Cromwell, Mr. Clayton served as a law clerk in the U.S. District Court for the Eastern District of Pennsylvania. He earned a B.S. in Engineering from the University of Pennsylvania, a B.A. and M.A. in Economics from the University of Cambridge, and a J.D. from the University of Pennsylvania Law School.

Clayton succeeds Mary Jo White, who held the post from April 2013 to January 2017. He joins current commissioners Michael Piwowar and Kara Stein, leaving the current presidential administration two more slots to fill.

Past Ascendant Keynote Speaker Jeff Glasbrenner Featured as SI Cover Story

Ascendant Conferences + Education works to offer keynote speakers with original points of view, exceptional stories and unparalleled knowledge. During our San Diego 2016 conference, we featured Jeff Glasbrenner, a below-the-knee amputee who was fresh off becoming the first American amputee ever to scale Mount Everest. He spoke about turning challenges into triumphs, and about succeeding in the face of adversity.

Former keynote speaker and Everest conqueror Jeff Glasbrenner. (Photo credit: Endemol Shine Beyond USA/Sports Illustrated)

This week, we’re thrilled to see Jeff on the cover of Sports Illustrated! His remarkable story, compellingly told by writer Austin Murphy, highlights the incredible achievements due only to perseverance and belief.

We view Glasbrenner as a disruptor. After losing part of his leg, his doctors offered him a long list of activities to stay away from. They thought he’d be limited, but he saw a different path. And then, he conquered the world’s highest peak.

Disruptors are the theme of our upcoming conference in Napa, California from Oct. 9-11 at The Meritage Resort and Spa.

Disruption is synonymous with innovation. Disruptors are the heroes of our time. In October, in the shadow of Silicon Valley—the place that first gave rise to the term—we’ll explore the intersection of disruption and compliance, offering helpful takeaways that can shorten the learning curve and add efficiencies to your organization. And you never know, you might meet a future star along the way.

Overview Of Regulatory Priorities – 2017

In early 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) and FINRA released their annual examination priority letters, highlighting areas of examination focus for the year. Given that there are many common concerns, this article summarizes both letters, highlighting topics common to both investment advisers and broker-dealers, followed by topics specific to investment advisers and, finally, those specific to broker-dealers.

Implementing 2017 SEC Custody Guidance: A Panel Discussion

In February, the SEC offered long-awaited clarity on the issue of custody through a no-action letter to the Investment Adviser Association, updated FAQ guidance, and an interpretive Guidance Update.

Collectively, the information helped offer a clearer view of a topic that is often murky. On March 24, Ascendant rounded up an all-star lineup to analyze the new guidance and offer advisers key takeaways. Panelists include Christopher Gilkerson, SVP & General Counsel, Charles Schwab & Co.; Laura L. Grossman, Assistant General Counsel, Investment Adviser Association; Robert E. Plaze, Partner, Proskauer Rose LLP, and Jacqueline Hallihan, Partner, Ascendant Compliance Management.

The ComplianceCast webinar, “Implementing Recent SEC Custody Guidance: Analysis, Practical Implications, Next Steps,” is now available.

To request a download, click here.

This ComplianceCast will address the complex custody topic, with new coverage of the following:

  • SLOAs (authority to transfer client money to a third party)
  • First-Person Transfers (authority to transfer money to the same client)
  • Custodial Agreement Provisions with Advisory Clients (which impute advisers with custody)
  • Avoid Inadvertent Custody with Written Consent

Analyzing Recent SEC Guidance:

  • Investment Adviser Association No-Action Letter, February 21, 2017
  • IM Guidance Update February 2017, “Inadvertent Custody: Advisory Contract versus Custodial Contract Authority.”
  • FAQs, prior no-action letters

Next steps: Good-faith effort and timing; adapting policies and procedures, written consent and IMAs.
Bonus coverage of more industry questions.