In cybersecurity, as in other areas, new and exciting threats carry a visceral appeal that older and more mundane ones do not. Zero-day exploits? Stolen from the National Security Agency? Crippling computers around the globe? What chance does an ordinary business have? The answer may surprise you. The vast majority of cyber incidents can be attributed to years-old vulnerabilities that could have been easily prevented by the digital equivalent of keeping your shots up to date.

This is evident in the Risk Alert the Securities and Exchange Commission issued in response to the WannaCry ransomware attack that crippled hundreds of thousands of computers in dozens of countries two weeks ago.

The SEC referred regulated brokers and investment advisers to the United States Computer Emergency Readiness Team's (US-CERT) checklist of "Indicators Associated with WannaCry Ransomware." The checklist noted that the WannaCry campaign was exploiting a known vulnerability in the Windows SMBv1 file-sharing protocol which had already been addressed in a patch (Microsoft security bulletin MS17-010) released on March 14, 2017. In May, Microsoft also released out-of-band patches for Windows XP, Windows 8, and Windows Server 2003, versions it no longer supports, because so many unpatched machines running them were being hit.

The SEC recommended that firms ensure that the patches have been installed, and that a process is in place to apply operating system security updates on a regular, consistent, and timely basis.
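The Alert tells firms to confirm the patch is present but not how. The following PowerShell check is an added example written for this page; it is not part of the SEC Alert or the US-CERT checklist. It assumes an elevated session on Windows 7 / Server 2008 R2 or later. The KB numbers are the original March and May 2017 MS17-010 release set; later cumulative updates supersede them, so a missing KB alone does not prove a host is exposed, which is why the script also records the srv.sys driver version and whether SMBv1 is still enabled.

```powershell
# Added example, not code from the SEC Alert or US-CERT checklist.
# Checks one host for the MS17-010 fix that WannaCry exploited and for SMBv1 status.
# Assumptions: run elevated on Windows 7 / Server 2008 R2 or later. The KB list is the
# original 2017 MS17-010 set; later cumulative updates supersede these KBs, so treat
# SMBv1 status and srv.sys version as the decisive signals, not the KB list alone.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',                # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                # Windows Server 2012
    'KB4012598',                             # XP, Vista, 8, Server 2003/2008 (May 2017 out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010 {
    # Which of the known MS17-010 KBs are installed on this host
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })

    # srv.sys is the SMB server driver MS17-010 replaced; its version can be compared
    # with the per-OS fixed versions listed in Microsoft's MS17-010 bulletin.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $srvVersion = if ($srv) { $srv.VersionInfo.ProductVersion } else { 'not present' }

    # SMBv1 status. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # older hosts expose it only as the LanmanServer\Parameters\SMB1 registry value,
    # where an absent value means SMBv1 is enabled (the default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = if ($null -eq $reg) { $true } else { [bool]$reg.SMB1 }
    }

    $verdict = if ($smb1) { 'ACTION: disable SMBv1 and confirm patch level' }
               elseif ($found.Count -gt 0) { 'OK: MS17-010 KB present, SMBv1 disabled' }
               else { 'REVIEW: SMBv1 disabled, but patch not confirmed by KB; compare srv.sys version' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Ms17010KbFound = if ($found.Count -gt 0) { $found -join ',' } else { 'none' }
        SrvSysVersion  = $srvVersion
        SMB1Enabled    = $smb1
        Verdict        = $verdict
    }
}

Test-Ms17010 | Format-List
```

Run it through your existing remote-execution tooling (for example `Invoke-Command -ComputerName ... -ScriptBlock ${function:Test-Ms17010}`) to produce the fleet-wide evidence the Alert expects a firm to be able to show. Where SMBv1 is still on, `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force` turns it off on Windows 8 / Server 2012 and later; on Windows 7 / Server 2008 R2 set the `SMB1` registry value above to `0` and reboot. Disabling SMBv1 removes the attack surface regardless of patch level, but is not a substitute for the patch itself.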


The SEC Alert referred to a recent assessment of 75 regulated entities. It noted the following shortcomings occurred with distressing frequency:

  • Failure to conduct regular risk assessments;
  • Failure to identify cybersecurity threats and vulnerabilities;
  • Failure to conduct penetration testing;
  • Failure to implement critical security updates (including the patch that would have prevented WannaCry).

Finally, the SEC repeated its previous guidance that brokers and investment advisers undertake basic cybersecurity measures corresponding to their vulnerabilities and risk profile, including:

  • Regular data inventory;
  • Periodic assessment of the organization's IT systems;
  • Security protocols and procedures incorporated into regular business;
  • Threat monitoring;
  • Data encryption;
  • Employee training and drills;
  • Written incident response plans.

The SEC's suggestions may be common sense. But they are also variants on regulatory mandates being imposed by a variety of bodies from the European Union to the New York State Department of Financial Services. The Alert serves as a timely reminder that while "zero-day exploits" may grip our imaginations, old, familiar vulnerabilities are far more likely to affect our cybersecurity. Likewise, the cure may be a lot more mundane than initial reports would have you believe. Get your vaccine shots, wash your hands, stay hydrated, get plenty of sleep, and don't delay your operating system updates.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.