In the wake of the global impact from the spread of the WannaCry ransomware, the Securities and Exchange Commission (the SEC) has alerted public companies and the financial sector regarding heightened cybersecurity risks. The SEC's alert reminds regulated firms of the importance of updating their information systems and their associated security measures, and of the need to test and mitigate vulnerabilities of those systems.

Cybersecurity is not a new concern for the SEC. That authority, specifically the Office of Compliance Inspections and Examinations (the OCIE), has been reviewing cybersecurity measures at regulated firms for several years now, including within its annual Examination Priorities. In 2015, the OCIE launched a specific cybersecurity examination initiative, which reviewed the relevant technical, legal and compliance measures at 75 registered broker-dealers, investment advisers, and investment funds. More generally, the SEC has signalled on several fronts that it increasingly regards material information security risks at regulated entities as triggering disclosure obligations to investors.

The SEC's latest Risk Alert notes that the OCIE's 2015 examination found, amongst other things, that:

  • 26 percent of investment management firms did not periodically assess the risks to their critical information systems;
  • 57 percent of investment management firms did not conduct penetration tests of their critical systems; and
  • 10 percent of broker-dealers had significant issues regarding security patches and updates.

In light of the broad impact of the WannaCry incident, and the recent introduction of sector-specific regulations by the New York State Department of Financial Services, financial services firms should review their cybersecurity policies, procedures, and incident response plans. Firms should also be aware of regulatory interest elsewhere. In the United Kingdom, for example, the Financial Conduct Authority also published updated cyber resilience guidance for firms after the WannaCry incident, emphasizing the need to create a 'security culture' from the board level down to each member of staff. Overall, firms will need to consider whether and how their existing risk management, including senior executive responsibility, addresses information security risks that most experts agree will continue to grow.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.