
CYBER RESILIENCE AND CRISIS MANAGEMENT

IN THE SECURITIES INDUSTRY

FEBRUARY 6, 2014


Karl Schimmeck

• Karl Schimmeck is Managing Director of Financial Services Operations at SIFMA. He brings over 15 years of experience in operations, technology, finance and risk management. He is responsible, as staff advisor, for supporting SIFMA’s work on technology, business resiliency, operational risk and cybersecurity issues.

• Prior to joining SIFMA, Mr. Schimmeck held finance and operational risk positions at Goldman Sachs specifically in the areas of Derivative Operations and Shared Services. Additionally, he worked for PTC, a firm focused on providing product development and data management solutions, from 2000 to 2006, holding program management and strategy positions within their global services advisory practice. Prior to that he served in the United States Marine Corps during which time he achieved the rank of Captain.

• He holds an MBA from the NYU Stern School of Business and a BS in Industrial Engineering from Cornell University.


Timothy J. Nagle

• Member of the Data Privacy, Security and Management team and the Global Regulatory Enforcement group.

• Previously in house counsel with a global financial services firm where he supported security, privacy and technology executives including the Chief Information Security Officer and the privacy breach response team.

• Served as counsel to the Deputy Director for Information Systems Security at NSA; directly supported the network penetration testing team.

• Broad background in technology, security, investigations and privacy in both government and industry.

• Supports financial institution clients as well as clients in the energy, government contracting, retail and health care sectors on data security and privacy matters.

• Certified Information Privacy Professional; maintains active federal government security clearance.

[email protected]

(202) 414 9225

Washington, D.C.


Agenda


• Background and current threat environment

• Results of Quantum Dawn 2

• Components of an Effective Cyber Incident Response Plan

• Outlook for 2014

• Five Takeaways for Your Organization


Cybersecurity as a Risk Consideration

• Loss of data confidentiality, integrity or availability impacts proprietary data, client information, and system functionality

• FINRA Regulatory and Examination priorities for 2014 include cybersecurity.

• OCC lists security and reliability as systemic operational risks (e.g., its DDoS guidance)

• SEC CF Disclosure Guidance on Cybersecurity

o “a computer system failure or security breach could disrupt the company’s business and damage its reputation”


Intelligence Community Threat Assessment


Intelligence Threat Assessment (cont.)


FINRA Regulatory and Exam Priorities (2014)

Cybersecurity

Cybersecurity remains a priority for FINRA in 2014 given the ongoing cybersecurity issues reported across the financial services industry. In recent years, many of the nation’s largest financial institutions were targeted for disruptions through a range of different types of attacks. The frequency and sophistication of these attacks appears to be increasing. In light of this ongoing threat, FINRA continues to be concerned about the integrity of firms’ infrastructure and the safety and security of sensitive customer data. Our primary focus is the integrity of firms’ policies, procedures and controls to protect sensitive customer data. FINRA’s evaluation of such controls may take the form of examinations and targeted investigations.


OCC Semiannual Risk Perspective – Fall 2013

Increasingly sophisticated cyber-threats, expanding reliance on technology, and changing regulatory requirements heighten operational risk. • Cyber-threats continue to increase in sophistication and frequency and require heightened awareness and appropriate resources to identify, mitigate, and respond to the associated risks. Known impacts include reduced availability or diminished response times of online banking Web sites, identity theft, fraud, and theft of intellectual property. The costs and resources needed to manage the risks continue to increase; at the same time, the tools and knowledge to conduct the attacks are more readily available. Additionally, institutions’ early adoption of new technology and their growing reliance on third-party providers may expand the overall system’s vulnerabilities to these attacks. According to industry threat reports, attackers may increasingly target smaller institutions that they perceive to lack the resources necessary to identify and prevent successful attacks. Sometimes attackers execute denial-of-service attacks to divert attention away from other systems, such as wire transfers. Moreover, the interconnectedness of systems across the banking industry creates growing concern that cyber-attacks may increasingly affect multiple organizations at once.
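The OCC passage above notes that a denial-of-service attack is sometimes run as a diversion while the real target is another system such as wire transfers. The following is an added example (not from the OCC bulletin or from the presenters) of the correlation a detection team can build for that case: it reads DDoS start/end events from an edge device and outbound wire events from a payments system, then flags wires sent during (or shortly after) a DDoS window that go to a beneficiary the account has never paid or exceed an amount threshold. The log format, field names, sample lines and the known-beneficiary table are all constructed for the example; a real deployment would substitute the firm's own event sources and baselines.

```python
"""Correlate DDoS alert windows with outbound wire activity.

Added illustrative code, not part of the original deck. Assumes a hypothetical
pipe-delimited log format: '<ISO timestamp>|<EVENT>|k=v|k=v...'.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample edge-device log (not real data).
EDGE_LOG = """\
2014-02-06T09:00:00|DDOS_START|src=edge-fw-1|pps=2400000
2014-02-06T09:47:00|DDOS_END|src=edge-fw-1
"""

# Constructed sample payments log (not real data).
WIRE_LOG = """\
2014-02-06T08:15:00|WIRE|id=W1001|acct=OPS-01|beneficiary=ACME-SUPPLY|amount=12000
2014-02-06T09:05:00|WIRE|id=W1002|acct=OPS-01|beneficiary=ACME-SUPPLY|amount=11500
2014-02-06T09:12:00|WIRE|id=W1003|acct=OPS-01|beneficiary=NEWCO-LTD|amount=250000
2014-02-06T09:30:00|WIRE|id=W1004|acct=TREAS-02|beneficiary=KNOWN-BANK|amount=9000
2014-02-06T10:10:00|WIRE|id=W1005|acct=OPS-01|beneficiary=OTHER-NEW|amount=300000
"""

# Beneficiaries each account has paid before (assumed; would come from history).
KNOWN_BENEFICIARIES: Dict[str, Set[str]] = {
    "OPS-01": {"ACME-SUPPLY"},
    "TREAS-02": {"KNOWN-BANK"},
}


@dataclass
class Wire:
    ts: datetime
    wire_id: str
    account: str
    beneficiary: str
    amount: int


def parse_line(line: str) -> Tuple[datetime, str, Dict[str, str]]:
    """Split 'ts|EVENT|k=v|...' into (timestamp, event name, field dict)."""
    ts, event, *rest = line.split("|")
    fields = dict(item.split("=", 1) for item in rest)
    return datetime.fromisoformat(ts), event, fields


def ddos_windows(edge_log: str) -> List[Tuple[datetime, Optional[datetime]]]:
    """Pair DDOS_START/DDOS_END events into windows.

    A DDOS_START with no matching DDOS_END is treated as still open (end=None),
    so an attack in progress is not silently ignored.
    """
    windows: List[Tuple[datetime, Optional[datetime]]] = []
    start: Optional[datetime] = None
    for line in edge_log.splitlines():
        if not line.strip():
            continue
        ts, event, _ = parse_line(line)
        if event == "DDOS_START" and start is None:
            start = ts
        elif event == "DDOS_END" and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def parse_wires(wire_log: str) -> List[Wire]:
    wires = []
    for line in wire_log.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        if event == "WIRE":
            wires.append(Wire(ts, f["id"], f["acct"], f["beneficiary"], int(f["amount"])))
    return wires


def in_window(ts: datetime, windows, grace: timedelta) -> bool:
    """True if ts falls inside any DDoS window, extended by a grace period after DDOS_END."""
    for start, end in windows:
        if ts >= start and (end is None or ts <= end + grace):
            return True
    return False


def suspicious_wires(edge_log: str, wire_log: str, known: Dict[str, Set[str]],
                     amount_threshold: int = 100_000,
                     grace: timedelta = timedelta(minutes=15)) -> List[Tuple[str, List[str]]]:
    """Return (wire_id, reasons) for wires sent during a DDoS window that look anomalous."""
    windows = ddos_windows(edge_log)
    alerts = []
    for w in parse_wires(wire_log):
        if not in_window(w.ts, windows, grace):
            continue
        reasons = []
        if w.beneficiary not in known.get(w.account, set()):
            reasons.append("new beneficiary")
        if w.amount >= amount_threshold:
            reasons.append(f"amount {w.amount} >= {amount_threshold}")
        if reasons:
            alerts.append((w.wire_id, reasons))
    return alerts


if __name__ == "__main__":
    for wire_id, reasons in suspicious_wires(EDGE_LOG, WIRE_LOG, KNOWN_BENEFICIARIES):
        print(wire_id, "; ".join(reasons))
```

On the sample data only W1003 is flagged: it is sent during the DDoS window, to a beneficiary OPS-01 has never paid, for an amount above the threshold. W1002 and W1004 also fall inside the window but match established patterns, and W1005 is outside the window plus grace period. The grace period exists because the diversion may end before the fraudulent transfer is released; tune it and the amount threshold to the firm's own wire volumes.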


Positive Results of Quantum Dawn 2


Brought together key members of business, operations, technology, security, and crisis management teams, allowing them to escalate and respond to cyber-attack scenarios effectively.

The ongoing public-private partnership between the sector and various government and regulatory agencies that play a critical role in protecting the markets and investor confidence was furthered.

Highlighted the value of information sharing via the Financial Services Information Sharing and Analysis Center (FS-ISAC), SIFMA, established peer-to-peer relationships and other trade organizations as an enabler to a more effective response.

Participants executed on the core components of the incident command structure as defined in the sector playbook and other relevant protocols.


Lessons Learned from Quantum Dawn 2


Improve coordination between business and technology leaders during cyber incident analysis and response.

Firms need to be more fully aware of the impacts.

Enhance protocols to promote increased communication and information sharing among market participants.

The speed of sharing needs to increase.

Invest in next-generation capabilities to support systemic risk analytics, information sharing, and crisis management.

The speed of analysis needs to increase.

Formalize public awareness and communications strategies with a view to promote trust and confidence in the markets.

Communicating to entities impacted is not optional.


Scope

• Internal Systems

• Employees or System Users (Insider Threat)

o Internal versus external actor may change response actions

• Vendors

o Supporting critical functions

o Providing response and recovery capabilities

• Counterparties, exchanges, trading platforms

o Your systems may not be impacted, but you must have options for continued operations


Components of an Effective

Cyber Incident Response Plan


“There are two kinds of companies. Those that have been hacked, and those that have been hacked but don’t know it yet.”

House Intelligence Committee Chairman Mike Rogers (R-MI)


Components of an Effective

Cyber Incident Response Plan


1. Assign an executive to be responsible for the development, maintenance and implementation of the plan, integrating incident-response efforts across business units and geographies and communicating internally.

2. Identify risks, threats/vulnerabilities, and potential failure modes. Review them continually to reflect changes in the threat and operating environment.

3. Develop easily accessible quick-response guides for likely scenarios.

4. Identify a core team and establish processes and authority for significant decisions such as when to isolate compromised areas of the network.

5. Maintain relationships with key external entities such as law enforcement, industry groups (FS-ISAC), outside counsel and security firms.


Components of an Effective

Cyber Incident Response Plan


6. Maintain a repository of agreements with critical service providers and event response firms to identify expected service levels and recovery objectives.

7. Ensure that business continuity and response plans are readily accessible to all business units and are routinely updated.

8. Plan for how you would interact with law enforcement, either because their involvement is necessary or because they informed you of the activity.

9. Identify the individuals on the core team or business units who are critical to incident response and ensure redundancy.

10. Routinely test scenarios and responses to evaluate plans and identify changes in operational or personnel requirements (include critical service providers).


Considerations for Event Response

• Initial Response

o Consider Legal Department direction of the “Investigation” to preserve the option of asserting Attorney-Client Privilege

o Create agreed protocol to limit confusion, prevent redundant or inconsistent internal or external communications and maintain regularity of process

o Breach response by security and investigations groups must also include corporate communications, line of business, regulatory relations, Compliance, and Legal

• Use of External Resources

o Vendor security and investigations staff if they have a role

o Law enforcement or industry group support

• Notifications to Clients, Customers, Counterparties, Regulators or State Entities

o Consider both state and federal requirements

o May be based on contract or operating rules

o Interested regulators may include FRB, FDIC, SEC/FINRA, CFPB and FTC


Post Event Considerations

• If you have Cybersecurity event insurance, what notifications or documentation are required?

• Prepare for the possibility of claims or litigation by counterparties or shareholders.

• Is external reporting required or prudent?

• Document remediation and lessons learned.


Outlook for 2014


• NIST Cybersecurity Framework

o Expected publication on February 13, 2014

o Voluntary, but may establish a de facto cross-sector model

• Critical Infrastructure, Cybersecurity or Information Sharing Legislation

• Third Party and Vendor Risk Management

• Regulatory action (?)

o Revised Regulation S-P


Incident Response within the NIST

Cybersecurity Framework


Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event. The Respond function includes the following categories of outcomes:

1. Response Planning
2. Communications
3. Analysis
4. Mitigation
5. Improvements

The Respond function is performed consistent with the business context and risk strategy defined in the Identify function. The activities in the Respond function support the ability to contain the impact of a potential cybersecurity event.


Incident Response within the NIST

Cybersecurity Framework


Incident Response within the NIST

Cybersecurity Framework


Note: The Informative References presented in the Framework Core are not exhaustive but are example sets, and organizations are free to implement other standards, guidelines, and practices. Other possible references include:

• NIST SP 800-61 Rev. 2 – Computer Security Incident Handling Guide

• ISO/IEC 27035 – Information Security Incident Management

• FFIEC Information Technology Examination Handbook


Legislative and Executive Branch Developments in Cybersecurity

• Personal Data Privacy and Security Act of 2014 (S. 1897)

o Introduced in the Judiciary Committee by Senator Leahy

o Enhances punishment for ID theft and other violations

o Expands Data Privacy and Security Program requirement to new industries

o National breach notification standard

• National Cybersecurity and Critical Infrastructure Protection Act of 2013

o Introduced by Rep. McCaul to the Committee on Homeland Security

o Codifies the Department of Homeland Security’s role through the NCCIC

o Public-private information sharing, response and collaboration

• Final NIST Framework

o Expected publication on February 13th

o Implementation through Treasury and FSSCC

• Senate Intelligence and Judiciary Committee Hearings

o Intelligence Threat Report and DoJ investigation of the Target breach

o Sen. Rockefeller (Commerce Committee Chairman) letter to SEC Chairman (April 2013)


OCC Bulletin on Third Party Relationships

• Applies to all such relationships including joint ventures, processors, and vendors

• Emphasis on risk management process and effective contract terms

• Adds board of directors supervision for “critical activities”

• Expands requirements to smaller institutions

• Failure to manage risk may be “unsound”


Five Takeaways for Your Organization


1. Implement or update an enterprise Information Security Program and related policies (e.g. access management, incident response, acceptable use).

2. Assess outsourcing agreements with vendors that are critical to the firm against standard terms for data security and business continuity/disaster response depending on identified and acceptable risk tiering.

3. Maintain and exercise a comprehensive Cyber Incident Response Plan which includes all stakeholders (internal and external).

4. Develop and conduct regular (at least annual) mandatory training on data security and, as appropriate to the position, business continuity practices for employees and vendor personnel.

5. Develop and maintain relationships with external parties such as industry groups, law enforcement agencies, law firms, and security/forensics


Presenter Contact Information


Timothy J. Nagle
(202) 414-9225 (Direct)
(410) 991-5376 (Mobile)
[email protected]
Reed Smith LLP
1301 K Street, N.W., Suite 1100, East Tower
Washington, DC 20005-3317
(202) 414-9200
Fax (202) 414-9299

Karl Schimmeck
(212) 313-1183 (Office)
(646) 430-1014 (Cell)
(212) 313-1272 (Fax)
[email protected]
SIFMA
Managing Director, Financial Services Operations
120 Broadway, 35th Floor
New York, NY 10271
www.sifma.com