Beginning on May 12, 2017, unidentified hackers launched a massive cyberattack using ransomware known as "WannaCry" that compromised over 200,000 computers across the world. The attack also disrupted critical business operations, particularly in the UK's National Health Service. The ransomware exploited a vulnerability affecting computers running Microsoft Windows that was first identified by the NSA.

In response to the attack, the SEC Office of Compliance and Examinations ("OCIE") warned registrants to be vigilant in mitigating risk, and noted a recent OCIE study that determined a substantial number of registrants did not (i) conduct periodic risk assessments, penetration tests or vulnerability scans, or (ii) ensure that critical security patches were installed properly. The OCIE directed registrants to its webpage with links to various resources that provide guidance on cybersecurity risk management. In addition, the FBI issued a Bulletin that provides guidance on additional protection measures in the aftermath of the attack.

In a recent memorandum, Cadwalader attorneys Joseph Facciponti and Joseph Moreno explained that the ransomware attack demonstrates the necessity of implementing crucial data protection measures, especially for "public companies and financial institutions [that] are already subject to a host of regulations governing how they safeguard customer data." The memorandum detailed several important cybersecurity steps, including the following:

  • Creating backups of critical data that are maintained separately from the organization's internal computer network and regularly testing the backups to ensure they work correctly;
  • Promptly installing software updates that are intended to address security vulnerabilities; and
  • Screening incoming email traffic for potential phishing attacks and ensuring that employees are trained to detect and report them.

Commentary / Joseph Facciponti

In addition to adopting reasonable security measures to protect their systems and data, companies should consider consulting with legal counsel regarding the adequacy of their cybersecurity programs or, if they have been the victims of a cyber-attack, to mitigate their potential liability to regulators and civil litigants.
