Reminder from the SEC: An Update a Day Keeps Ransomware Away 
 

Published  on  5/23/2017  by  Gul, Saad
 
By Saad Gul and Michael E. Slipsky
 
In cybersecurity, as in other areas, new and exciting threats carry a visceral appeal that older and more mundane ones do not. Zero day exploits? Stolen from the National Security Agency? Crippling computers around the globe? What chance does the regular business have? The answer may surprise you. The vast majority of cyber incidents can be attributed to years-old vulnerabilities that could have been easily prevented by the digital equivalent of keeping your shots up to date.
 
This is evident in the Risk Alert the Securities and Exchange Commission issued in response to the WannaCry ransomware attack that crippled hundreds of thousands of computers in dozens of countries two weeks ago.
 
The SEC referred regulated brokers and investment advisers to the United States Computer Emergency Readiness Team’s checklist of “Indicators Associated with WannaCry Ransomware.” The checklist noted that the WannaCry campaign was exploiting a known Windows SMB vulnerability which Microsoft had addressed in a patch released on March 14, 2017 (Security Bulletin MS17-010). In May, Microsoft also released patches for the unsupported Windows XP, Windows 8, and Windows Server 2003.
 
The SEC recommended that firms confirm those patches are installed, and that a process is in place to apply operating system security updates on a regular, consistent, and timely basis.
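Confirming that the patch is actually on a host, rather than assuming it is, is the check a practitioner wants here. The following script is an added example and is not code from the SEC alert or the US-CERT checklist. It assumes Windows PowerShell 3 or later on the host being checked (so Windows 7 / Server 2008 R2 and newer; XP and Server 2003 hosts that cannot run it are exactly the ones to prioritise by hand), and it assumes the KB numbers listed match those published in Microsoft Security Bulletin MS17-010, which should be verified against the bulletin before the list is relied on.

```powershell
# Added example: local check for the MS17-010 SMB patch and SMBv1 exposure on one
# Windows host. Not code from the SEC alert or the US-CERT checklist.
# The KB numbers below are assumed to match Microsoft Security Bulletin MS17-010;
# confirm them against the bulletin before relying on this list. Later cumulative
# updates and monthly rollups supersede these KBs, so "NOT FOUND" means
# "investigate", not "vulnerable".

$Ms17010Kbs = @(
    'KB4012598',                            # Vista / Server 2008, and the May 2017 release for XP, Windows 8, Server 2003
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    # Installed updates as reported by Win32_QuickFixEngineering (what Get-HotFix wraps).
    $hotfixes = Get-HotFix -ErrorAction SilentlyContinue
    $matched  = $hotfixes | Where-Object { $Ms17010Kbs -contains $_.HotFixID }

    # SMBv1 server status. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
    # and later; older systems are checked through the LanmanServer registry value,
    # where a missing 'SMB1' value means SMBv1 is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value  = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).SMB1
        $smb1   = ($null -eq $value) -or ($value -ne 0)
    }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OSVersion      = $os.Version
        LastBoot       = $os.LastBootUpTime
        Ms17010KBs     = if ($matched) { $matched.HotFixID -join ', ' } else { 'NOT FOUND' }
        PatchInstalled = if ($matched) { $matched.InstalledOn | Sort-Object | Select-Object -Last 1 } else { $null }
        SMB1Enabled    = $smb1
        # Date of the most recent update of any kind: the "regular and timely" question.
        LastUpdateSeen = $hotfixes.InstalledOn | Sort-Object | Select-Object -Last 1
    }
}

Get-Ms17010Status | Format-List
```

Run it through whatever fleet tooling already reaches every endpoint (a scheduled task, a configuration-management agent, or PowerShell remoting) and collect the objects centrally; a host showing `NOT FOUND` with `SMB1Enabled` true and a `LastUpdateSeen` months in the past is the combination WannaCry needed. Because later updates supersede the March 2017 KBs, treat a missing KB on a recently updated Windows 10 host as a prompt to check the installed cumulative update, not as proof of exposure.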
         
The SEC Alert referred to a recent assessment of 75 regulated entities. It noted the following shortcomings occurred with distressing frequency:
 
· Failure to conduct regular risk assessments;
· Failure to identify cybersecurity threats and vulnerabilities;
· Failure to conduct penetration testing;
· Failure to implement critical security updates (including the patch that would have prevented WannaCry).
 
Finally, the SEC repeated its previous guidance that brokers and investment advisers undertake basic cybersecurity measures corresponding to their vulnerabilities and risk profile, including:
 
· Regular data inventory;
· Periodic assessment of the organization’s IT systems;
· Security protocols and procedures incorporated into regular business;
· Threat monitoring;
· Data encryption;
· Employee training and drills;
· Written incident response plans.
 
The SEC’s suggestions may be common sense. But they are also variants of regulatory mandates being imposed by a variety of bodies, from the European Union to the New York State Department of Financial Services. The alert serves as a timely reminder that while “zero day exploits” may grip our imaginations, old familiar vulnerabilities are far more likely to affect our cybersecurity. Likewise, the cure may be a lot more mundane than initial reports would have you believe. Get your vaccine shots, wash your hands, stay hydrated, get plenty of sleep, and don’t delay your operating system updates.
 
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
 
 
