Investigations and White Collar Defense

U.K. Court Finds No Privilege Protection for Internal Investigation

By John F. Libby, Partner | Jacqueline C. Wolff, Partner | Kenneth B. Julian, Partner

Why it matters: On May 8, 2017, a London High Court made a landmark ruling in favor of the Serious Fraud Office—England’s equivalent of the Fraud Section of the U.S. Department of Justice (DOJ)—in its quest to obtain documents prepared in an internal investigation that were claimed to be protected by the U.K.’s legal professional privilege. The SFO was seeking the documents in connection with its own criminal corruption investigation into the activities of London-based mining conglomerate Eurasian National Resources Corp. in Kazakhstan and Africa. The court found that the vast majority of the documents sought by the SFO, which had been prepared by the company’s then-outside counsel and forensic accountants during an internal investigation, were not protected by the legal professional privilege and must be turned over to the SFO. The broad ruling, which was seen as one of the first tests of the SFO’s enforcement reach into documents prepared in connection with such internal investigations, understandably caused consternation among the U.K. white collar bar and has raised concerns across the pond among the U.S. white collar bar as well.

Detailed discussion: In what is being hailed as a landmark ruling in England, on May 8, 2017, a London High Court found in favor of the SFO—England’s equivalent of the DOJ’s Fraud Section—in its quest to obtain documents from an internal investigation that were claimed to be privileged. The SFO was seeking the documents in connection with an investigation under the U.K. Bribery Act commenced in 2013 into the activities of London-based mining conglomerate Eurasian National Resources Corp. in Kazakhstan and Africa.

The civil ruling concerned documents (Disputed Documents) the SEC was seeking that had been prepared by ENRC’s then-outside counsel and forensic accountants during an internal investigation conducted between 2011 and 2013. ENRC claimed the Disputed Documents were protected by the legal professional privilege (LPP), specifically the “litigation privilege” and the “legal advice privilege” that fall under the LPP umbrella. The U.S. analogues of the LPP are the “attorney-client” and “work product” privileges, although, as is apparent from the court’s ruling, the contours of the doctrines may differ.

As the court put it, “[t]he issue that the Court has been asked to determine is whether ENRC is entitled to resist production of the Disputed Documents (or any of them) to the SFO on grounds of LPP.” The court said that the issue was one of first impression as “this is the first case in which the Court has had to consider a claim for litigation privilege against a background in which the adversarial litigation said to have been reasonably in contemplation by the party claiming privilege was criminal, rather than civil, in nature.”

The court said that the Disputed Documents fell into four broad categories:

  • Category 1: 184 documents created between August 2011 and March 2013 comprising “notes taken by [attorneys at the outside law firm] of the evidence given to them by [85] individuals (including employees and former employees or officers of ENRC and of its subsidiary companies…; their suppliers; and other third parties with whom they had dealings) when asked about the events being investigated.” The court noted that “[n]one of these individuals has been identified by name or even by job description.” ENRC claimed that these documents were covered by the litigation privilege because the “dominant purpose” of the interviews was for the outside law firm “to obtain relevant information and instructions, and to provide ENRC with advice in connection with anticipated adversarial (criminal) litigation.” ENRC also claimed the “legal advice privilege” because the documents could “be characterised as lawyers’ work product” that would reveal “the trend of the legal advice [the outside lawyers] were providing to ENRC.”
  • Category 2: Materials generated by the forensic accountants between May 2011 and January 2013 as part of “books and records” reviews they carried out in London, Zurich, Kazakhstan and Africa, with a focus on identifying controls and systems weaknesses and potential improvements. ENRC maintained that these documents were protected by the litigation privilege because their “dominant purpose” was to “identify issues which could likely give rise to intervention and prosecution by law enforcement agencies (specifically the SFO), with a particular focus on books and records offences, and to enable ENRC to obtain advice and assistance in connection with such anticipated litigation.”
  • Category 3: Documents (including PowerPoint slides) presented by the outside counsel’s lead partner to the ENRC Corporate Governance Committee and Board of Directors in March 2013 relating to the results of the internal investigation. ENRC primarily claimed the legal advice privilege with respect to these documents, but also claimed the litigation privilege in the alternative.
  • Category 4: 17 documents referred to in a 2014 letter to the SFO sent by ENRC’s successor outside counsel, which included (i) forensic accountants’ reports, cover letters and correspondence, as to which ENRC claimed litigation privilege on the same basis as the Category 2 documents and (ii) email correspondence from 2010 between a senior ENRC officer and ENRC’s head of mergers and acquisitions (who had formerly served as general counsel and would do so again in 2011), as to which ENRC claimed the legal advice privilege because the emails “record requests for, and the giving of, legal advice by a qualified lawyer acting in the role of a lawyer.”

After reviewing in detail the various components of the LPP and the historical and legal precedent leading to its current iteration under U.K. law, as well as the underlying facts supporting ENRC’s claims of LPP in each instance, the court found:

  1. NO legal advice privilege for the Category 1 and Category 3 documents to the extent they related to the witness interviews because “the protection afforded to lawyers’ working papers is justified if, and only if, they would betray the tenor of the legal advice. A verbatim note of what the solicitor was told by a prospective witness is not, without more, a privileged document just because the solicitor has interviewed the witness with a view to using the information that the witness provides as a basis for advising his client. In other words, the client cannot obtain the protection of legal advice privilege over interview notes that would not be privileged if he interviewed the witness himself, or got a third party to do so, simply because he procured his lawyer to interview the witness instead.” Moreover, the court found that “there is no evidence that any of the persons interviewed (whoever they were) were authorised to seek and receive legal advice on behalf of ENRC.” The court concluded that “[t]he evidence gathered by [the outside counsel] during its investigations was intended by ENRC to be used to compile presentations to the SFO as part of what it viewed as its engagement in the self-reporting process. If and to the extent that it was also intended by ENRC to take legal advice on the fruits of [the outside counsel’s] investigations, and that was one purpose of making the interview notes, the documents formed part of the preparatory work of compiling information for the purpose of enabling the corporate client to seek and receive legal advice, and are not privileged.”
  2. NO litigation privilege for any of the Category 1 or Category 3 documents to the extent they related to the witness interviews because, “[w]hilst I accept that ENRC anticipated that an SFO investigation was imminent, and that such an investigation was reasonably in contemplation by no later than 11 August 2011 when the SFO’s letter arrived, that is not enough to make out a claim for litigation privilege. Such an investigation is not adversarial litigation. The policy that justifies litigation privilege does not extend to enabling a party to protect itself from having to disclose documents to an investigator. Documents that are generated at a time when there is no more than a general apprehension of future litigation cannot be protected by litigation privilege just because an investigation is, or is believed to be imminent.” Moreover, the court said that “[t]he reasonable contemplation of a criminal investigation does not necessarily equate to the reasonable contemplation of a prosecution.” In support of this, the court drew a distinction between criminal and civil proceedings, and noted that in criminal proceedings (as opposed to civil proceedings), the prosecution must find sufficient evidence before a prosecution can be commenced. The court thus found that “[k]nowledge that someone has accused someone within a company’s or its subsidiary’s organisation of corrupt practices, or of turning a blind eye to corrupt practices, may raise a legitimate fear of prosecution if the allegations turn out to have any substance in them; but prosecution only becomes a real prospect once it is discovered that there is some truth in the accusations, or at the very least that there is some material to support the allegations of corrupt practices. In this case, there is no evidence that there was anything beyond the unverified allegations themselves.”
  3. NO litigation privilege for the Category 2 documents or the Category 4 documents to the extent they related to the forensic accountants’ reports because “the dominant purpose of the documents generated by [the forensic accountants] was plainly to meet compliance requirements or to obtain accountancy advice on remedial steps as part and parcel of the comprehensive books and records review…[and] had little or nothing to do with the preparation of a defence to, or obtaining legal advice in respect of, prospective criminal litigation.”
  4. NO legal advice privilege with respect to the Category 4 emails between the ENRC senior officer and ENRC head of mergers and acquisitions (and former and future general counsel) because when the emails were sent in 2010, the court found that the head of mergers and acquisitions was operating in his capacity as “a man of business” and not in any legal capacity for ENRC.

The only documents that the court found to be protected by the LPP were the Category 3 slides prepared by the outside counsel and presented to the ENRC Corporate Governance Committee and Board of Directors in 2013. The court found these slides to have been created for “the specific purpose of giving legal advice to ENRC” and to be “plainly privileged, even if reference is made in them to factual information, or findings from the African investigation that would not otherwise be privileged; they are part and parcel of the confidential solicitor-client communication, and also fall within the ambit of the protection of solicitors’ work product.” The court cautioned, however, that “[t]he results of [the outside counsel’s] investigations, any reports, any fact-findings made by them, and the underlying data upon which they are based, would not be subject to LPP outside this specific context…[and] the privilege extends only to what he said to his client at the meeting(s) in March 2013 at which that slide presentation was made and any record of what he said on that occasion.”


Wherefore Art Thou, Due Process? Please Hold Edition

By John F. Libby, Partner | Jacqueline C. Wolff, Partner | Kenneth B. Julian, Partner

Why it matters: This month, we check in on the ongoing constitutional challenges to the Securities and Exchange Commission’s in-house administrative proceedings. The circuits are split on the issue, making it ripe for Supreme Court consideration. The latest? On May 3, 2017, the U.S. Court of Appeals, Tenth Circuit, denied rehearing en banc of its December 2016 decision in Bandimere v. SEC, in which it had found, under the Appointments Clause of the U.S. Constitution, that the SEC’s administrative law judges (ALJs) are “inferior officers” who had not been “constitutionally appointed” as that clause requires, and that their decisions were therefore moot. The rehearing denial caused the SEC to take the unusual step on May 22, 2017, of suspending all SEC administrative proceedings arising in the Tenth Circuit until the issue is resolved, presumably by the Supreme Court. In addition, on Feb. 16, 2017, the U.S. Court of Appeals, D.C. Circuit, vacated and granted rehearing en banc of its August 2016 decision in Lucia v. SEC, in which it had found that the SEC’s administrative law judges were employees rather than officers (inferior or otherwise), such that the constitutional appointment issue need not be reached. The en banc panel heard oral argument in Lucia on May 24, 2017, and a decision is pending. Read on for an update.

Detailed discussion: This month, we check in on the ongoing constitutional challenges to the SEC’s in-house administrative proceedings. The circuits are split on the issue—with the majority of those that have considered it siding with the SEC on exhaustion of remedies, rather than constitutional, grounds—making the issue ripe for Supreme Court consideration. We have discussed the constitutional challenges to the SEC’s administrative proceedings in prior newsletters, most recently in our October 2015 newsletter under “‘Wherefore Art Thou, Due Process?’ Part III” and in various updates since. Here is the latest from the Tenth and D.C. Circuits.

Tenth Circuit—Bandimere v. SEC: On May 3, 2017, the Tenth Circuit denied rehearing en banc of its divided December 2016 decision in Bandimere in which it had considered the constitutionality of the SEC’s administrative proceedings and found that under Article II of the U.S. Constitution (Appointments Clause), SEC ALJs are “inferior officers” who must be “constitutionally appointed” in the manner prescribed in the Appointments Clause. Because the SEC ALJ who ruled against defendant David Bandimere was not so constitutionally appointed, the Bandimere panel had vacated the liability ruling against him. The two judges who dissented in the denial of rehearing said that they would have granted the SEC’s petition because it presented “numerous questions of constitutional importance” and the Tenth Circuit’s original panel decision and denial of rehearing “will have an overwhelming impact on the fundamental structure of administrative agencies [like the SEC] and the administrative process” that deserved the full Tenth Circuit’s review.

Case in point: In an unusual move resulting from the rehearing denial in Bandimere, on May 22, 2017, the SEC issued the following order placing on hold all SEC ALJ proceedings arising from the Tenth Circuit until the matter is resolved:

“In light of the U.S. Court of Appeals for the Tenth Circuit’s recent decision denying rehearing en banc in Bandimere v. SEC, we find it prudent to stay all administrative proceedings assigned to an administrative law judge in which a respondent has the option to seek review in the Tenth Circuit of a final order of the Commission [under applicable provisions of the federal securities laws]. The stay is effective immediately and shall remain in effect pending the expiration of time in which the government may file a petition for a writ of certiorari in Bandimere, the resolution of any such petition and any decision issued by the Supreme Court in that case, or further order of the Commission. ... We also elect to stay all administrative proceedings pending before the Commission on review from an initial decision by an administrative law judge in which a respondent has the option to seek review in the Tenth Circuit of a final order of the Commission under the aforementioned provisions of the federal securities laws.”

It is anticipated that the SEC will now file a petition for a writ of certiorari with the Supreme Court in an attempt to get a clear mandate on the issue.

D.C. Circuit—Lucia v. SEC: On May 24, 2017, the en banc D.C. Circuit heard oral argument in Lucia as it reconsidered its August 2016 panel decision, in which it had found, under the Appointments Clause, that the SEC’s ALJs are employees with no final decision-making authority rather than officers (inferior or otherwise), so that the question whether the ALJs had been constitutionally appointed need not be reached. On that basis, the D.C. Circuit had affirmed the SEC ALJ’s liability ruling against defendant Lucia.

Lucia filed a petition for rehearing en banc, which the D.C. Circuit granted on Feb. 17, 2017, and vacated the panel’s August 2016 decision. In its order granting rehearing, the D.C. Circuit limited briefs and argument to the following question presented relevant to this discussion: “Is the SEC administrative law judge who handled this case an inferior officer rather than an employee for the purposes of the Appointments Clause of Article II of the Constitution?” How the en banc panel answers this question could result in the D.C. Circuit overturning its 2000 decision in Landry v. FDIC, which came to the same conclusion (employees over officers) in the context of the Federal Deposit Insurance Corp.’s use of ALJs and on which the court relied in reaching its decision in Lucia (in its order granting rehearing, the en banc panel also invited briefing and argument as to whether Landry should be overturned). Following the May 24, 2017, oral argument, the en banc panel’s decision in Lucia is pending.

We will keep an eye out for developments in both of these cases—as well as any rollbacks by Congress of the administrative proceedings provisions in Dodd-Frank—and report back.


Spotlight on the False Claims Act

By John F. Libby, Partner | Jacqueline C. Wolff, Partner | Kenneth B. Julian, Partner

Why it matters: On May 30, 2017, the Department of Justice announced that Medicare Advantage Organization (MAO) Freedom Health Inc. and nine of its related entities, as well as its former chief operating officer, agreed to pay approximately $32.5 million to resolve False Claims Act allegations that they engaged in “illegal schemes to maximize their payment” from Medicare in connection with their Medicare Advantage plans. In addition, Freedom Health and one of its related entities entered into what was called an “innovative” corporate integrity agreement with the Department of Health and Human Services Office of the Inspector General that focused on “compliance issues unique to Medicare Advantage plans.”

Detailed discussion: On May 30, 2017, the DOJ announced that Florida-based MAO Freedom Health Inc. and its many related entities enumerated in the press release (collectively, Freedom Health) agreed to pay approximately $31.7 million to resolve allegations that Freedom Health violated the False Claims Act by “engaging in illegal schemes to maximize their payment from the government in connection with their Medicare Advantage plans.” In addition, the DOJ reported that Freedom Health’s former chief operating officer agreed to separately pay $750,000 for “his alleged role in one of the fraudulent schemes.”

According to the government’s allegations, which were neither admitted nor denied by Freedom Health, from 2008 through 2013 Freedom Health submitted unsupported diagnosis codes to the Centers for Medicare & Medicaid Services, which resulted in inflated reimbursements in connection with two of its Medicare Advantage plans operating in Florida. The DOJ further alleged that, in 2008, Freedom Health made “material misrepresentations to CMS regarding the scope and content of its network of providers (physicians, specialists and hospitals)” in its application to expand in 2009 into new counties in Florida and other states. The DOJ said that its settlement with the former chief operating officer “resolves his alleged role in this latter scheme.”

In addition to the payment obligations discussed above, Freedom Health Inc. and one of its related entities, Optimum Healthcare Inc., entered into a five-year corporate integrity agreement with the Department of Health and Human Services Office of the Inspector General, pursuant to which the companies agreed to enhanced compliance and reporting obligations, including (i) the appointment of a compliance officer who would report directly to the chief executive officer of Freedom Health Inc. and be responsible for putting in place and overseeing a rigorous compliance and reporting program; (ii) the appointment of a compliance committee to be headed by the compliance officer and comprising the chief executive officer and senior management from all “relevant departments” including billing, audit, human resources and operations; and (iii) the adoption of stringent compliance obligations for Freedom Health Inc.’s board of directors. Gregory Demske, chief counsel to the Inspector General of HHS-OIG, said in the press release that “the innovative CIA reduces the risks to patients and taxpayers by focusing on compliance issues unique to Medicare Advantage plans.”

The underlying case against Freedom Health was brought under the qui tam provisions of the federal and Florida False Claims acts. As of the date of the press release, the amount of the whistleblower award had not yet been determined.

The Freedom Health settlement follows on the heels of the DOJ’s recent decision to intervene in two related False Claims Act cases in the Central District of California involving allegations that another large MAO, UnitedHealth Group Inc., similarly defrauded Medicare (see our May 2017 newsletter under “Spotlight on the False Claims Act”). As HHS-OIG Chief Counsel Demske said in connection with the Freedom Health settlement, “Medicare Advantage insurers must play by the rules and provide Medicare with accurate information about their provider networks and their patients’ health,” emphasizing that it is a priority for the government to “investigate and hold managed care organizations accountable for fraud.” Added Acting U.S. Attorney Stephen Muldrow, “Medicare Advantage plans play an increasingly important role in our nation’s health care market. This settlement underscores our Office’s commitment to civil health care fraud enforcement.”


Going Rogue—Financial Crimes by Government Employees

By John F. Libby, Partner | Jacqueline C. Wolff, Partner | Kenneth B. Julian, Partner

Why it matters: May 2017 saw two announcements of financial crimes committed by government employees. On May 24, an employee of the Centers for Medicare & Medicaid Services (part of the U.S. Department of Health and Human Services) was charged in an extensive insider trading scheme with passing on nonpublic information relating to government plans to cut Medicare reimbursement rates. Earlier, on May 9, a former Securities and Exchange Commission Division of Corporation Finance branch chief pled guilty to making false statements in his annual Office of Government Ethics Confidential Financial Disclosure Reports and internal SEC certifications of holdings in order to conceal his trading in prohibited securities and options. As one government official said of the insider trading case, in words that apply equally to the prohibited trading case, “We continue to hold federal government employees accountable and to the highest standards of conduct and integrity.”

Detailed discussion: May 2017 saw two announcements of financial crimes committed by government employees, summarized below.

Insider trading by Centers for Medicare & Medicaid Services employee: On May 24, 2017, the SEC announced charges against four individuals in an alleged insider trading scheme in which Christopher Worrall, a health insurance specialist at the Centers for Medicare & Medicaid Services (part of the U.S. Department of Health and Human Services), gave key confidential details about upcoming CMS decisions to David Blaszczak, a close friend and former CMS employee who had left the agency to become a “political intelligence consultant.”

The SEC said that the key confidential details related by Worrall to Blaszczak involved “tips of nonpublic information about government plans to cut Medicare reimbursement rates, which affected the stock prices of certain publicly traded medical providers or suppliers” and included information about “at least three pending CMS decisions that affected the amount of money that companies receive from Medicare to provide services or products related to cancer treatments or kidney dialysis.” In turn, Blaszczak allegedly passed on the tips to two analysts, Theodore Huber and Jordan Fogel, at the healthcare-focused hedge fund advisory firm that paid Blaszczak as a consultant. Huber and Fogel then allegedly used the tips to “recommend that the firm trade in the stocks of four health care companies whose stock prices would likely be affected by the decisions once CMS announced them publicly,” resulting in more than $3.5 million in illicit profits.

In a parallel action, the U.S. Attorney’s Office for the Southern District of New York simultaneously announced the arrest and filing of criminal charges against Worrall, Blaszczak, Huber and a fourth analyst at the hedge fund, Robert Olan. The Department of Justice said that Fogel had pled guilty and was cooperating with government investigators.

According to both the SEC’s and DOJ’s press releases, Worrall began working at CMS in 1999 and was in the Director’s Office for the Centers for Medicare, which gave him “broad access to CMS’s confidential deliberations about upcoming reimbursement decisions.” In addition, Worrall was a project manager on the confidential CMS database, which “contained CMS’s most up-to-date claims data that CMS used to inform its decision-making.” As an “employee of the executive branch of the United States Government,” the DOJ said that, in addition to being prohibited from sharing CMS’s confidential information with people outside of CMS, “WORRALL was subject to Section 21A(h) of the Securities Exchange Act…, which provides, in relevant part, that ‘each executive branch employee…owes a duty arising from a relationship of trust and confidence to the United States Government and the citizens of the United States with respect to material, nonpublic information derived from such person’s position.’”

In their respective press releases, SEC and DOJ officials emphasized the fact that the insider trading scheme involved tips from a federal government employee. Stephanie Avakian, acting director of the SEC Enforcement Division, said that “a federal employee breached his duty to protect confidential information by tipping a political consultant who then passed along those illegal tips…There’s no place on Wall Street or in our government for such blatant misuse of highly confidential information.” Acting U.S. Attorney for the Southern District of New York Joon H. Kim said that “[j]ust like trading on material nonpublic corporate information can be a federal crime, so can trading based on secret government information, as alleged to have happened here. We remain as committed and vigilant as ever in protecting the integrity of the securities markets and our government institutions.” Added FBI Assistant Director-in-Charge William F. Sweeney Jr., “Employees, especially government employees, who have access to this [confidential] information should honor this code of ethics at all times; not just because it’s the right thing to do, but because it’s the lawful thing to do.”

Prohibited trading by former SEC employee: On May 9, 2017, the DOJ announced that former SEC employee David Humphrey had pled guilty in U.S. District Court, District of Columbia to “making false statements in government filings [i.e., annual Office of Government Ethics Confidential Financial Disclosure Reports (Form 450s) and internal SEC certifications of holdings] in order to conceal his prohibited trading of options and other securities.”

According to the facts in the plea agreement, Humphrey worked for 16 years for the SEC in Washington, D.C., serving as the branch chief in the Division of Corporation Finance from 2004 through 2014. The DOJ said that during that time, SEC employee ethics regulations were in place that prohibited Humphrey from purchasing, holding or trading options in securities of companies that the SEC directly regulates, such as financial institutions. Under the regulations, Humphrey was required to “pre-clear securities transactions, make certifications that his holdings were in compliance with these regulations, and annually file Form 450s to disclose assets held for investments with a value greater than $1,000 or that produced more than $200 in income at the end of the reporting period.”

The DOJ said that, despite being fully aware of these regulations and disclosure requirements, Humphrey admitted to “devising and executing” an “options trading strategy” under which he “traded options over 100 times from his SEC computer at various times between 2001 and 2014.” Humphrey further admitted that, during this time, he “signed and submitted multiple Form 450s that failed to disclose reportable assets, including prohibited options.” Finally, Humphrey admitted that, in 2013 and 2014, he “falsely certified that he was in compliance with all applicable SEC regulations relating to prohibited holdings, when in fact Humphrey had traded options in violation of those regulations.”

Humphrey is scheduled to be sentenced on August 8, 2017.


SEC Issues “WannaCry” Ransomware Alert

By John F. Libby, Partner | Jacqueline C. Wolff, Partner | Kenneth B. Julian, Partner

Why it matters: On May 12, 2017, computers in over 100 countries were infected by “WannaCry,” a form of “ransomware,” so called because files encrypted or locked by the malicious software could presumably be unlocked or restored only by paying the ransom demanded by the hackers who spread it. On May 17, 2017, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued an alert to broker-dealers and investment management firms providing guidance on what they should do to protect against the WannaCry ransomware in the immediate instance, as well as what practices they should adopt to protect against cybersecurity attacks in general.

Detailed discussion: On May 17, 2017, the SEC’s Office of Compliance Inspections and Examinations issued an alert (Ransomware Alert) with respect to the widespread ransomware attack known as “WannaCry” (aka “WCry” and “Wanna Decryptor”), which “infects computers with a malicious software that encrypts computer users’ files and demands payment of ransom to restore access to the locked files.” The OCIE said the attack that was the subject of the Ransomware Alert started on May 12, 2017, and quickly infected computers in more than 100 countries. The OCIE further noted that initial reports indicated the WannaCry hackers gained access to computer servers and networks through certain Microsoft Windows applications or via “phishing” emails and/or malicious websites.

To protect against the WannaCry ransomware in the immediate instance, the OCIE encouraged broker-dealers and investment management firms to “(1) review the alert published [on May 12, 2017, revised on May 15, 2017] by the United States Department of Homeland Security’s Computer Emergency Readiness Team—U.S. Cert Alert TA17-132A—and (2) evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed.”

The OCIE also referenced its 2015 Cybersecurity Examination Initiative during which the OCIE staff examined 75 SEC-registered broker-dealers, investment advisers and investment companies “to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.” The OCIE said that during its review, the staff had observed certain firm practices, or lack thereof, that “may be particularly relevant to smaller registrants in relation to the WannaCry ransomware incident” and thus bore repeating in the Ransomware Alert to highlight their importance to minimizing damage from cybersecurity attacks such as WannaCry, including:

  • Cyber-risk Assessment: Five percent of broker-dealers and 26 percent of advisers and funds (collectively, “investment management firms”) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
  • Penetration Tests: Five percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
  • System Maintenance: All broker-dealers and 96 percent of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, 10 percent of the broker-dealers and four percent of investment management firms examined had a significant number of critical and high-risk security patches that were missing important updates.

After referencing other cybersecurity-related sources and links that firms could consider when assessing cybersecurity risks and response capabilities, the OCIE concluded the Ransomware Alert by stating that “[t]he staff recognizes that it is not possible for firms to anticipate and prevent every cyber-attack. The staff also notes that appropriate planning to address cybersecurity issues, including developing a rapid response capability is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.”



ATTORNEY ADVERTISING pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP. All rights reserved.