U.S. Securities Firms Appear to Have Escaped Global Cyberattack
The “ransomware” attacks that infected companies, governments and nonprofits worldwide on May 12 did not hit U.S. securities firms but should set off cybersecurity alarms, according to regulators.
“We have not seen any impact on the financial services sector from this latest attack,” Bill Wollman, head of member firm risk oversight and operation regulation at the Financial Industry Regulatory Authority, said at a panel discussion at the self-regulator’s annual meeting on Thursday.
At the same time that government intelligence communities were holding emergency meetings over the Mother’s Day weekend to assess the threat posed by the Friday WannaCry virus cyberattack, regulators from Finra reached out to several large and small firms and then compared notes with the Securities and Exchange Commission, Wollman said.
The cyberattack, described as “startling” in its scale, affected hundreds of thousands of computer systems worldwide, including Britain’s public health system and corporations in Asia, Europe and the U.S. It has set off alarms at the top levels of the U.S. government because hackers are believed to have attacked Microsoft Windows programs using software stolen from the National Security Agency.
Effects of the ransomware attack, in which hackers demand to be paid in order to help remove harmful programs or open access to infected files, are still unwinding, but Finra officials at the annual meeting’s closing session said all brokerage firms should be reacting.
Technology must be up to date, software patches must be installed and checked for operational soundness, and attack-response guidelines should be in place. Both regulators and firms need better predefined playbooks spelling out what roles officials will play during and in the aftermath of an attack and how to coordinate with each other, Wollman said.
The Federal Reserve Board of Governors and other banking regulators have said they are creating rules on Enhanced Cyber Risk Management Standards as required by Congress and telling banks and firms to adopt risk-based approaches to cybersecurity.
Finra is helping firms large and small discover how to do a better job from operations and business perspectives, the officials said. It has issued notices on how to respond to attacks and plans to tape a webinar regarding cybersecurity examination findings at the end of this month, according to Susan Axelrod, executive vice president of regulatory operations.
Finra also is taking a close look at how firms deal with vendors, whose own computer systems and access to member-firm data could compromise systems, said Michael Rufino, head of member regulation sales practices.