Cybersecurity…..Is your PE Firm Ready? · 10/30/2014  · • Appoint someone within your firm to...


Cybersecurity…..Is your PE Firm Ready?

October 30, 2014

Page 2: The Panel

Melinda Scott, Founding Partner, Scott Goldring

Eric Feldman, Chief Information Officer, The Riverside Company

Joe Campbell, CTO, PEF Services

Mark Heil, EVP, PEF Services (moderator)

Page 3: SEC’s Office of Compliance Inspections and Examinations Cybersecurity Initiative

Melinda Scott, Scott Goldring Associates

Page 4: Background

SEC sponsored Cybersecurity Roundtable conclusions (March 2014):

• Integrity of our market system and customer data needs protection

• Stronger partnerships between the government and private sector required to address cyber threats

• Commissioner Aguilar emphasized:
  • The importance for the Commission to gather information
  • Consider what additional steps the Commission should take to address cyber-threats

Page 5: Examinations

• Pilot examinations study of 50 registered investment advisors (April 2014)

• The OCIE’s cybersecurity initiative is designed to:
  • Assess cybersecurity preparedness among RIAs
  • Obtain information about the industry's recent experiences with certain types of cyber threats
  • Promote compliance
  • Share with the industry where it sees risk

• To comply:
  • Assess your supervisory, compliance and other risk management systems related to cybersecurity
  • Make changes to address weaknesses and strengthen the systems

Page 6: Examination Focus Areas

• Cybersecurity Governance

• Identification and Assessment of Risk

• Protection of Networks and Information

• Risks Associated with remote customer access

• Fund transfer requests

• Risks associated with vendors and third parties

• Detection of unauthorized activity

• Experiences with cybersecurity threats

Page 7: Cybersecurity Governance

• Two-fold goal:
  • Protect sensitive client data
  • Protect funds and accommodate distributions

• Identify responsible person for cybersecurity compliance

• Create a written security policy

• Procedures to protect the information

• Perform periodic risk assessments and document results

• Develop plan in event of a breach

Page 8: Identification and Assessment of Risk

• Inventory of your firm’s physical devices and systems, software platforms and applications

• Prioritize hardware, data and software for protection based on their sensitivity and business value

• Map of network resources, connections and data flows

• Update inventory and map annually

• Assess your logging capabilities for adequacy, retention and secure maintenance.

Page 9: Governance Policies and Procedures

• Roles and Responsibilities/Business Continuity

• Create a diagram of cybersecurity roles and responsibilities:
  • Explicitly state who has been assigned the role to inventory the devices,
  • Who has been assigned the role to assess threats, and
  • Who they report to when they find a problem.

• Does your firm have an adequate business continuity plan?

Page 10: Protection of the Firm’s Networks and Information

• The SEC suggests that you use or model your processes after those published by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO)

• Provide written guidance and periodic training to employees concerning security risks.

• Keep dated copies of your training materials and an attendance sheet, signed and dated.

• Maintain protection against Distributed Denial of Service (DDoS) attacks for critical internet-facing IP addresses.

• Test the functionality of your backup system

• Incident Response Policy

Page 11: Risks Associated with Remote Customer Access and Funds Transfer Requests

• If you provide your clients with any type of on-line access, you must keep the following information:
  • The name of any third party that manages the service
  • A description of the functionality of the platform and what information is available: balances, address, contact information, withdrawal requests
  • How your customers are authenticated
  • Any software or other practice employed for detecting anomalous transaction requests that may be the result of compromised customer account access
  • A description of any security measures used to protect customer PINs

• Make sure you have a statement to circulate to your clients about reducing cybersecurity risks in conducting transactions with the firm

Page 12: Risks Associated with Vendors and Third Parties

• Do you conduct a cybersecurity risk assessment with your vendors before you hire them and give them access to your firm’s network?

• Appoint someone within your firm to regularly assess and monitor the actions of your vendors.

• Have the Vendor sit in on your cybersecurity training so they are aware of your policies, or provide them with a written copy of your policies and request a statement that their practices will be compliant with your policies.

Page 13: Detection of Unauthorized Activity

• You should have an unauthorized activity policy that includes the title, department and job function of the person who is responsible for carrying out the procedures.

• Maintain baseline information about expected events on the Firm’s network so you can recognize unexpected events.

• Monitor your network to detect potential cybersecurity events

• Monitor your physical environment to detect potential cybersecurity events
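The two detection points the panel raises, keeping a baseline of expected events so unexpected ones stand out (this slide) and flagging anomalous transaction requests that may come from a compromised customer account (the remote-access slide), as one worked example. This is added here and is not code from the panel or any of the firms named; the log line format (user=, src=, action=, amount=, payee= fields), the sample records, and the thresholds (grouping sources by /24, flagging amounts above the user's mean plus three standard deviations) are all assumptions made for illustration.

```python
"""Baseline-and-deviation detection over constructed login/transfer records."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample records (not from the original page). One event per line:
#   <ISO timestamp> user=<id> src=<ip> action=login|transfer [amount=<usd> payee=<name>]
BASELINE_LOG = """\
2014-09-02T09:12:03 user=acarter src=203.0.113.10 action=login
2014-09-02T09:40:11 user=acarter src=203.0.113.10 action=transfer amount=25000 payee=FundII-Custodian
2014-09-09T10:05:44 user=acarter src=203.0.113.12 action=login
2014-09-09T10:30:02 user=acarter src=203.0.113.12 action=transfer amount=30000 payee=FundII-Custodian
2014-09-16T09:55:27 user=acarter src=203.0.113.10 action=login
2014-09-16T10:02:50 user=acarter src=203.0.113.10 action=transfer amount=27500 payee=FundII-Custodian
2014-09-23T11:15:09 user=acarter src=203.0.113.11 action=login
2014-09-23T11:20:41 user=acarter src=203.0.113.11 action=transfer amount=26000 payee=FundII-Custodian
2014-09-30T09:30:18 user=acarter src=203.0.113.10 action=transfer amount=28000 payee=FundII-Custodian
"""

# Constructed new events to evaluate: one routine transfer, then an off-hours
# login from an unfamiliar network followed by a large transfer to a new payee.
NEW_EVENTS = """\
2014-10-07T10:01:00 user=acarter src=203.0.113.12 action=transfer amount=29000 payee=FundII-Custodian
2014-10-08T02:47:13 user=acarter src=198.51.100.77 action=login
2014-10-08T02:49:30 user=acarter src=198.51.100.77 action=transfer amount=480000 payee=Overseas-Holdings
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+action=(?P<action>\S+)"
    r"(?:\s+amount=(?P<amount>\d+)\s+payee=(?P<payee>\S+))?$"
)


def parse(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["amount"] = int(d["amount"]) if d["amount"] else None
        # Baseline on the /24 (assumption) rather than the exact address, so an
        # office DHCP change does not look like a new location.
        d["net"] = str(ip_network(d["src"] + "/24", strict=False))
        events.append(d)
    return events


def build_baseline(events):
    """Per user: source networks, hours of day, payees and transfer amounts seen."""
    base = defaultdict(lambda: {"nets": set(), "hours": set(), "payees": set(), "amounts": []})
    for e in events:
        b = base[e["user"]]
        b["nets"].add(e["net"])
        b["hours"].add(e["ts"].hour)
        if e["action"] == "transfer":
            b["payees"].add(e["payee"])
            b["amounts"].append(e["amount"])
    return base


def amount_limit(amounts, k=3.0):
    """Amount threshold: mean + k population standard deviations of the user's history."""
    if len(amounts) < 2:
        return None
    return statistics.mean(amounts) + k * statistics.pstdev(amounts)


def detect(baseline, events):
    """Return (event, [reasons]) for every event that deviates from the user's baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if e["net"] not in b["nets"]:
                reasons.append(f"new source network {e['net']}")
            if e["ts"].hour not in b["hours"]:
                reasons.append(f"outside usual hours ({e['ts'].hour:02d}:00)")
            if e["action"] == "transfer":
                if e["payee"] not in b["payees"]:
                    reasons.append(f"new payee {e['payee']}")
                limit = amount_limit(b["amounts"])
                if limit is not None and e["amount"] > limit:
                    reasons.append(f"amount {e['amount']} exceeds limit {limit:.0f}")
        if reasons:
            findings.append((e, reasons))
    return findings


def run():
    """Build the baseline from history and evaluate the new events against it."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(baseline, parse(NEW_EVENTS))


if __name__ == "__main__":
    for event, reasons in run():
        print(event["ts"], event["user"], event["action"], "->", "; ".join(reasons))
```

On the constructed input the routine transfer produces no finding, the 02:47 login is flagged for a new network and an unusual hour, and the transfer that follows it collects four reasons, which is the pattern a reviewer would want escalated before funds move. The baseline and thresholds here are deliberately simple; a real deployment would persist the baseline, age it, and tune the limit per account.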

Page 14: Danger! Danger! Will Robinson

• The SEC wants you to tell them about any cybersecurity breaches that occurred since January 1, 2013.

• Before you discuss any of these issues with an outside vendor, discuss it with your General Counsel or attorney

Page 15: Information Security Landscape, Riverside Company

Page 16: Background on Cyber Attacks

Why Attack Small and Mid-sized Enterprises (SME)?

Because they are easy targets

Page 17: Why SMEs?

• Lack of funding for information security

• Lack of employee training

• Stepping stone attacks

• Lack of process for contractor access to systems

Page 18: What’s at Risk?

• Financial account data

• Company reputation

• Intellectual property and proprietary information

• Legal or regulatory enforcement actions

• LP commitments

Page 19: What Riverside is doing…

Page 20: Management Company

Information Security Pyramid

Page 21: Portfolio Companies

• Introducing information security assessments into our due diligence processes

• Current state assessments for existing portfolio companies and tracking remediations

• Assisting with the development of incident response plans

Page 22: Immediate Next Steps…

• Start with the basics: understand where your data sits and who has access to it

• Engage a 3rd party to perform a current state assessment to include risk and overall security posture

• Get C-level sponsorship – it’s critical

• Research cyber-liability insurance policy options

Page 23: What to expect in 2015…

• LPs asking more targeted questions

• Portfolio companies being asked to respond to 3rd party risk assessment questionnaires

• Follow-up to the OCIE’s Risk Alert early 2015

Page 24: PEF Services’ Approach to Cybersecurity

Page 25: Improving Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology (NIST), Feb 2014

• voluntary AND risk-based - driven by business

• collaboration between government and private sector

• focuses on business drivers to guide cybersecurity activities

Page 26: The Framework

• Different risks for different firms . . . threats, vulnerabilities, risk tolerances

• NOT 1 size fits all

• Improve existing Risk Program, or New Risk Program

• mitigate / transfer / avoid / accept

Page 27: The Framework

Each part reinforces the connection between business drivers and cybersecurity activities.

• Core: consists of 5 concurrent, continuous Functions: Identify, Protect, Detect, Respond, Recover. Matches them with References: NIST, COBIT, ISO, SOC.

• Implementation Tiers: increases in sophistication from informal-reactive responses to agile, risk-informed approaches (T1: no formal approach to risk; T3: formally approved policies). Provide context for the firm to view its current risk approach.

• Profiles: Current Profile and Target Profile. The GAP between them is used to develop a roadmap and help align business requirements AND risk tolerance.

Page 28: Framework Core

Function / Category / Subcategory

Page 29: Use the Framework

• use as a systematic process for identifying, assessing, and managing risk

• The Framework is NOT to replace existing processes

• use current process and overlay it onto the Framework to determine gaps in its current CS risk approach

• use to develop a roadmap to improvement

• use to determine activities that are most important to critical service delivery

• use to prioritize expenditures to maximize the impact of the investment

• designed to complement existing cybersecurity operations -OR- use as the foundation for a new cybersecurity program, or for improving an existing program

• use to provide a means of expressing CS requirements to business partners and clients

Page 30: Case Study: Dammed Creek (DC)

• Middle Market Buyout Fund ($500 MM AUM)

• Fund I: 50 investors, 1 institutional

• Fund II: 60 investors, 5 institutional

• Portfolio companies do business with government and military

Page 31: DC Advisory Board Meeting

• LPs raise cybersecurity issues

• Dammed Creek recently hired a CTO

• Previously used reputable consultants

• Portfolio companies do business with government and military

Page 32: The Breach

• Co-founder downloaded infected software onto personal computer

• Using VPN, transferred virus to firm’s network

Page 33: The Breach Part II

• Hacker denied access to personnel files

• BUT, was able to download key documents related to a portfolio company whose primary customer is the US government

Page 34: The SEC Exam

• Shortly after the breach, the SEC notifies firm that it wants to do a cybersecurity exam

• Requests a list of documents

Page 35: Thank You

PEF Services LLC, Joe Campbell, 212-203-4685 x 106, [email protected], www.pefundservices.com

PEF Services LLC, Mark Heil, 212-203-4679, [email protected], www.pefundservices.com

The Riverside Company, Eric Feldman, 212 484 2178, [email protected], www.riversidecompany.com

Scott Goldring Associates, Melinda Scott, 646-652-8567, [email protected], www.scottgoldringassociates.com