Business and Legal Insights

On Friday, May 12, 2017, governments, businesses and individuals were shocked when a ransomware attack known as WannaCry rapidly spread through cyberspace like a global pandemic.  Businesses and individuals in more than 100 countries experienced compromised systems, with ransom demands ranging $300 to $600. The WannaCry malware infection has a unique method of propagation, targeting the Server Message Block protocol and exploiting known vulnerabilities in Microsoft Windows, which allowed it to rapidly spread like a worm.

Ransomware – a form of malware that encrypts critical data and systems with a ransom demand for virtual currency in exchange for encryption release – often is deployed through a weaponized phishing e-mail.

The WannaCry attack demonstrates the critical importance of cyber awareness training and system maintenance, including ensuring that anti-virus software is up-to-date, implementing a data back-up and recovery plan, scrutinizing links contained in emails, not opening attachments included in unsolicited emails, downloading software only from sites you know and trust, and enabling automatic patches for your operating system and web browser.

Just five days after the WannaCry outbreak, on May 17, 2017, the U.S. Securities and Exchange Commission (SEC) issued a Cybersecurity Ransomware Alert. The SEC emphasized the importance for broker-dealers, investment advisers, and investment companies to review U.S. Department of Homeland Security Guidance. Transparently, the SEC revealed that it recently completed 75 cybersecurity examinations and found deficiencies with cyber-risk assessments, penetration tests, and system maintenance.  The SEC emphasized these deficiencies by disclosing that: (1) 5% of broker-dealers and 26% of investment advisers and investment companies did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences; (2) 5% of broker-dealers and 57% of investment advisers and investment companies did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical; and (3) 10% of broker-dealers and 4% of investment advisers and investment companies had a significant number of critical and high-risk security patches that were missing important updates.

Looking back, more than two years has lapsed since FINRA issued its Report on Cybersecurity Practices in February 2015. Since then, we have witnessed a geometric expansion in cybercrime through global deployment of malware variants, including ransomware. Now more than ever, it is mission critical for organizations to take all necessary steps to mitigate the risks of falling victim to a future cyber-attack. Inclusion of experienced cybersecurity legal counsel is critical to effective organizational cybersecurity planning, readiness, response, and remediation, when the next cyber-attack hits you.