Avoid being taken for ransom

In the wake of escalating and more frequent cyberattacks on financial services and government entities, global regulators are stepping up supervision of cybersecurity protocols. By Rebecca Akrofie

Global cyberattacks have consistently made headlines this year. May’s WannaCry ransomware attack took firms by surprise, as government entities, including the UK’s NHS, and large corporations, including Spain’s Telefonica, were hit by the malware assault.

A month later, NotPetya, a global malware attack targeting Windows systems, struck, hitting law firm DLA Piper and fund administration firm TMF.

In response, regulators mobilized, issuing sharp warnings to registrants. The Securities and Exchange Commission advised fund managers to ensure any security updates were correctly installed. It also used the opportunity to publish the results of its cyber-risk assessment on registrants. It noted that 26 percent of investment management firms conducted no periodic cyber-risk assessments, 57 percent of firms failed to conduct vulnerability tests on their systems, and four percent of firms were missing important security updates.

More recently, the SEC laid out a more detailed approach to enforcement in cyber-related cases. In an October speech, Stephanie Avakian, co-director of the Division of Enforcement, identified failures by SEC registrants to safeguard information or ensure system integrity as a top enforcement priority and clarified the regulator’s approach.

“We consult with the Office of Compliance Inspections and Examinations at the outset to consider the approach that makes the most sense based on the specific facts,” said Avakian. “Depending on the issue, OCIE may be better positioned to take the lead, and areas where improvement is needed may be addressed efficiently and effectively through the deficiency letter process. Other times, an enforcement inquiry is the best approach,” she explained.

The UK’s Financial Conduct Authority has not identified cybersecurity as an enforcement issue, but published a response in the wake of WannaCry, urging every FCA registrant to develop a “security culture, from the board down to every employee.”

Given the risk of serious material damage in the event of an attack, as well as the prospect of being reprimanded by regulators for failing to implement cybersecurity measures, knowing how to prevent a threat is increasingly necessary.

There are four areas to consider regarding prevention. Firstly, firms should invest in their cybersecurity systems, ensuring updates are installed regularly. In the case of the WannaCry attack on computers running Microsoft Windows, Microsoft released an emergency update, or ‘patch’, but some firms didn’t apply it.

Secondly, firms should understand what their current security offering is capable of. Not all anti-virus software provides the same level of coverage, so making sure it can meet the ever-changing threat level is key.

Thirdly, if a firm has, or is considering, cyberattack insurance, the terms and conditions need to cover a reasonable number of eventualities. “Cybersecurity insurance is not beneficial in the case of a ransomware attack because many policies won’t pay out until costs to a firm reach $500,000. This is much more than the average ransom demanded from both small and large businesses that are victims of an attack,” said Israel Barak, CISO at Cybereason, a cybersecurity company.

Lastly, firms should test that their cybersecurity plans meet their needs, and also train staff on how the plan operates. Firms can conduct ‘penetration’ tests to assess their vulnerability and find out whether their plan of action is effective in the event of an attack.