More than a quarter of the investment advisers and investment companies examined recently by the US Securities and Exchange Commission failed to conduct periodic risk assessments of critical systems to identify possible cybersecurity threats, the SEC said.
The exams also found that more than half had not run an automated vulnerability scan to look for exposures in critical systems, or conducted a penetration test, in which assessors attempt to exploit vulnerabilities by simulating an attack.
The findings, taken from exams of 75 investment management firms and broker-dealers, were contained in an SEC alert sent out just after the WannaCry ransomware attack compromised more than 200,000 computers world-wide.
Broker-dealer deficiencies were not nearly as extensive as those among investment management firms, according to exams begun in late 2015.
The SEC indicated that the shortcomings were concentrated among smaller investment management firms. "The staff observed firm practices during this initiative that the staff believes may be particularly relevant to smaller registrants in relation to the WannaCry ransomware incident," the advisory said in introducing the exam findings.
It added that the exams found "a wide range of information security practices, procedures and controls across registrants that may be tailored to the firms' operations, lines of business, risk profile and size."
With regard to cyber-risk assessments, 26 percent of investment management firms had not conducted them, compared with five percent of broker-dealers.
As for vulnerability scans and penetration tests, 57 percent of investment management firms had not conducted them, compared with five percent of broker-dealers.