SEC’s Office of Compliance Inspections and Examinations Publishes Cybersecurity Alert Following Ransomware Attack

On May 17, 2017, the Securities and Exchange Commission’s (“SEC’s”) Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert pertaining to cybersecurity.  According to the Risk Alert, an extensive ransomware attack called WannaCry, WCry, or Wanna Decryptor “rapidly affected numerous organizations across over one hundred countries.”  In light of the WannaCry attack, OCIE is urging registered investment advisers, broker-dealers, and investment companies to address cybersecurity vulnerabilities.

According to the Risk Alert and an alert published by the Department of Homeland Security, US-CERT Alert TA17-132A, the hacker or hacking group who instigated the WannaCry attack obtained access to enterprise servers by exploiting a Windows Server Message Block vulnerability. WannaCry infects computers with software that encrypts data on a server, marking the files with a .WCRY file-name extension, which prevents the rightful owner from accessing the data. Once a system is infected, the ransomware demands payment from the business in return for access to the business’s data. Microsoft released a patch for this vulnerability in March of 2017, but many users of Microsoft operating systems do not diligently update their software.

Because of the rapidly increasing threat malware poses to the financial services industry, OCIE considers the adoption and implementation of a cybersecurity policy by registered investment advisers and broker-dealers a priority.  Investment advisers who have not completely adopted and implemented a cybersecurity policy are advised to obtain compliance and technological assistance.  The SEC has issued prior regulatory guidance relating to cybersecurity, and Parker MacIntyre discussed this regulatory guidance in 2014, 2015, and 2016.

OCIE realizes it is impossible for investment advisers and broker-dealers to foresee every cyber-attack and stop each one before it happens.  However, OCIE also acknowledged and emphasized that adequate preparation to deal with cybersecurity issues, such as establishing a rapid response capability, may help firms to minimize the effect of cyber-attacks and any secondary effects on investors and clients.  In particular, OCIE urged broker-dealers and investment advisers to determine whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems have been properly applied.


Parker MacIntyre provides legal and compliance services to investment advisers, broker dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Please visit our website for more information.