
Do You WannaCry About Cybersecurity Protocols?

In the wake of the "WannaCry" ransomware attack last month, the Securities and Exchange Commission found a wide range of information security practices, procedures and controls among broker-dealers, investment companies and advisors.

The study, conducted by the National Examination Program staff of OCIE (the SEC’s Office of Compliance Inspections and Examinations), involved a review of 75 SEC-registered broker-dealers, investment advisers and investment companies to assess industry practices and the legal, regulatory and compliance issues associated with cybersecurity preparedness.

As noted above, they found a wide range of information security practices, procedures and controls, though they said those may be tailored to the firms’ operations, lines of business, risk profile and size.

The SEC highlighted several firm practices observed during this Initiative that the staff believes may be particularly relevant to smaller registrants in relation to the WannaCry ransomware incident, including:

  • Cyber-risk assessment: The review found that 5% of broker-dealers and more than a quarter (26%) of advisers and investment management firms examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities and the potential business consequences.

  • Penetration tests: Five percent of broker-dealers and 57% of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.

  • System maintenance: All broker-dealers and 96% of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, 10% of the broker-dealers and 4% of investment management firms examined were missing a significant number of critical and high-risk security patches.

The SEC’s Division of Investment Management and OCIE have provided guidance and information that firms may wish to consider when addressing cybersecurity risks and response capabilities.