Monday, March 23, 2015 Board and Senior Management ...
Transcript of Monday, March 23, 2015 Board and Senior Management ...
© Copyright 2015 by K&L Gates LLP. All rights reserved.
Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers
Mark C. Amorosi, Investment Management Partner, K&L Gates LLPJeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates LLPLaura L. Grossman, Assistant General Counsel, Investment Adviser AssociationAndras P. Teleki, Investment Management Partner, K&L Gates LLP
Monday, March 23, 2015
klgates.com
Investment Management Cybersecurity Seminar Series Overview Session 1 (February 27, 2015) Untangling the Gordian Knot – Where to Begin When Building Your
Cybersecurity Program Session 2 (Today) Board and Senior Management Oversight of Cybersecurity at the
Adviser, the Registered Fund and Their Service Providers Session 3 (April 29, 2015) Testing Your Cybersecurity Infrastructure and Enforcement Related
Developments Session 4 (May 20, 2015) Breach – What to Do When Things Go Wrong and Cybersecurity
Insurance Coverage Session 5 (June 25, 2015) Building a Better Mousetrap – Evolving Trends in Cybersecurity
Practices and Public Policy Developments
2
klgates.com
Session 2 Topics Oversight responsibilities of board and senior management of
investment advisers
Cybersecurity oversight responsibilities of mutual fund boards
Chief Compliance Officer oversight of cybersecurity
Cybersecurity and Rule 38a-1 and Rule 206(4)-7 reviews
Cybersecurity considerations with respect to service providers (e.g., transfer agent, administrator and custodians) and vendors (e.g., IT, due diligence providers, rating agencies)
Contractual considerations with respect to cybersecurity matters
3
Responsibilities of Directors and Management for Cybersecurity
Cybersecurity: Who Is Responsible (and Liable)?
Directors and officers of registered funds and public companies
Officers and managers of registered advisers
Chief compliance officers
Everyone else
How Do We Determine Responsibility?
klgates.com 5
Context: The Spectrum of Cyber Attacks Advanced Persistent Threats (“APT”) Cybercriminals, exploits and malware Denial of service attacks Domain name hijacking Corporate impersonation and phishing Mobile and disgruntled employees Lost or stolen laptops and mobile devices Third-party vendors weaknesses
6
Context: Potential Effects Loss of customer funds or assets Compromise of customer information Loss of web presence and online business Interception of email and data communications Brand tarnishment and reputational harm Legal and regulatory complications Loss of “crown jewels” IP and trade secrets
7
No Generally Applicable Privacy and Data Law and No Standard Compliance Program
Securities industry subject to rules that set certain standards and responsibilities
Standards of care develop in civil litigation Regulatory enforcement may set standards and
define responsibilities Compliance/risk management best practices
provide guidance
8
Responsibilities Defined Through Liabilities
Civil litigation against company
Director/officer liability
State corporation law
Federal securities laws
Federal regulatory enforcement Securities and Exchange Commission Federal Trade Commission
State regulatory enforcement
klgates.com 9
Responsibility Defined By Civil Liability
Civil Liability Of The Entity State law claims Breach of contract Misrepresentation Negligence State consumer laws State privacy laws
11
Civil Liability Of The Entity (cont’d)
Individual injury/damage issues may limit recovery Plaintiff generally must prove economic loss Loss of personal information may not be injury
Business to business claims more complex Breach of contract Business disruption
12
Director and Officer Liability
“[B]oards that choose to ignore or minimize the importance of cybersecurity liability do so at their own peril”−SEC Commissioner Luis A. Aguilar, Speech at “Cyber Risk and the Board Room” Conference, NYSE, June 10, 2014
How should a director approach cybersecurity?
How should management approach cybersecurity and work with the board?
klgates.com 13
Respective Roles of the Board and Management
Traditional view Board not involved in day to day operations Board has an oversight role Management is responsible for risk management
Trend toward greater board involvement Case law developments SEC statements and enforcement actions Best practice pronouncements
klgates.com 14
Directors Duties Concerning Oversight and Risk Management Principally a function of state law
Duty of care Acting on informed basis Acting in good faith Acting in best interest of company
Duty of loyalty Placing the company interests first Acting in good faith
klgates.com 15
Duty of Oversight
Directors have a duty to insure that adequate information systems exist to detect violations of law
Directors have a duty to monitor systems to keep informed
Directors face liability when they consciously fail to act to implement systems or consciously fail to monitor systems
Tantamount to not acting in good faith – no protection of the “business judgment” rule
No protection under exculpatory charter provisions
In re Caremark Int’l Derivative Litigation (Del. Ch. 1996);Stone v. Ritter (Del. 2006)
klgates.com 16
Cases Against Directors
Target Corporation: Collier v. Steinhafel et al.
“This action arises out of the Individual Defendants’ responsibility for, release of false and misleading statements concerning, and the bungling of the aftermath of the worst data breach in retail history.” (emphasis in original complaint)
“All of the Individual Defendants violated and breached their fiduciary duties of loyalty, good faith, due care, oversight, fair dealing, and candor.”
Institutional Shareholders Services recommends voting against seven incumbent Target directors
klgates.com 17
Public Company Disclosure Obligations
Cybersecurity risks and their impacts should be disclosed Division of Corporation Finance Disclosure Guidance No. 2
(October 13, 2011) Areas where disclosure may be needed
Risk Factors Management Discussion and Analysis Description of Business Legal Proceedings Financial Statements
Expenses for compliance Expenses to mitigate Loss contingencies
Disclosure and Internal Controls
klgates.com 18
SEC Disclosure Obligations (cont’d)
Directors and Certain officers may be personally liable for misstatements in and omissions from SEC filings. Sections 11 and 12(a)(2) of Securities Act Sections 10(b) of the Securities Exchange Act and Rule 10b-5
In re Heartland Payment Systems, Inc. Securities Litigation
SEC may consider enforcement action
klgates.com 19
Private Advisers and Funds/State Law Liability Investment advisers, and their senior management
also are subject to fiduciary duties of care and loyalty to take reasonable steps to prevent harm to clients
Fiduciary responsibilities generally extend to cybersecurity-related matters
Some types of liability may be limited by fund organizational documents or by contract
20
The Regulatory Framework
Cybersecurity at the Top of the SEC’s Mind Corp Fin Guidance (2011) Commission Roundtable (2014) OCIE Sweep and Risk Alert (2014/15) OCIE Examination Priority (2015) Numerous references in staff remarks (passim)
22
Overview of the Legal Framework Regulation S-P (including “Safeguards Rule”) Regulation S-ID (Identity Theft Red Flags) IAA Rule 206(4)-7 and ICA Rule 38a-1 IAA Rule 204-2(g) and ICA Rule 31a-2(f) ICA Rule 30a-3 (Internal Controls) Disclosure Requirements
23
Overview of Legal Framework (cont’d)
Business continuity plans Suspicious activity reporting CFTC Regulations, Part 160.30 FTC enforcement of Section 5 of FTCA Practically every state has enacted laws relating to
cybersecurity, including information security program and data breach notification requirements
24
Regulation by Enforcement
Standards may be set through settlements of enforcement actions
FCPA paradigm “Our actions against entities have had a tremendous impact in
the last 10 years…[C]ompanies have increased their compliance spending exponentially” Andrew Ceresney, Director, SEC Division of Enforcement, Remarks at 31st International Conference on FCPA (Nov. 19, 2014)
FTC cases provide “guidance” for cybersecurity
klgates.com 25
Director/Management/Supervisory Responsibility
Rules sometimes assign responsibility ICA Rule 38a-1: compliance program approved by
the board ICA Rule 30a-3: internal controls designed by fund’s
principal executive and financial officers and “effected” by directors, management and others
Risk management best practices place responsibility on senior management
Liability under “Controlling Person,” “Aiding and Abetting,” and/or “Causing” Theories
26
“Causing a Violation”“If the Commission finds, after notice and opportunity for hearing, that any person is violating, has violated, or is about to violate any provision of this title, or any rule or regulation thereunder, the Commission may publish its findings and enter an order requiring such person, and any other person that is, was, or would be a cause of the violation, due to an act or omission, the person knew or should have known would contribute to such violation, to cease and desist from committing or causing such violation and any future violation of the same provision, rule, or regulation.” IAA § 203(k)(1) ICA § 9(f)(1)
27
Internal ControlsThe term internal control over financial reporting . . . includes those policies and procedures that:(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the investment company;(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the investment company are being made only in accordance with authorizations of management and directors of the investment company; and(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the investment company's assets that could have a material effect on the financial statements. ICA Rule 30a-3(d)
28
Requirements For Electronic Storage MediaIn the case of records on electronic storage media, the investment adviser must establish and maintain procedures:(i) To maintain and preserve the records, so as to reasonably
safeguard them from loss, alteration, or destruction;(ii) To limit access to the records to properly authorized
personnel and the Commission (including its examiners and other representatives).
IAA Rule 204-2(g)(3)
29
Possible Theories Cyber attacker gains access to client personal
information, assets or funds are stolen Records are corrupted or manipulated
Adviser failed to protect or limit access to electronic records in violation of IAA Rule 204-2(g)
Fund failed to maintain internal controls, in violation of ICA Rule 30a-3
Compliance procedures are defective Directors, officers, managers “caused” a violation
by failure to implement controls or procedures
30
Key Cybersecurity Governance and Organizational Matters
Board Responsibilities and Process Full board should be involved and informed
Education on risks and risk management
Use of external resources
Addition of directors with expertise Cf. “financial expert,” Sarbanes Oxley Act (“SOX”) § 407
“Risk management” committee(s)
Increased audit committee resources Audit committee retained experts, SOX § 301
32
Management Responsibilities Law and risk management best practices place
responsibility for developing and implementing cybersecurity programs principally on management
Cybersecurity frameworks call for involvement of entire enterprise in risk assessment and program design
Continual reevaluation of programs is necessary as threats change rapidly
Regular reports to senior management and board or appropriate committee to educate and satisfy oversight responsibilities
33
klgates.com
Management Responsibilities (cont’d) Cybersecurity typically requires involvement by
representatives from different parts of the organization with relevant roles and job functions, including information technology, legal, compliance and risk
Cybersecurity should involve coordination among: Senior management Chief Information Officer (or similar function) Chief Legal Officer Chief Compliance Officer Chief Risk Officer (if any)
Responsibilities should be clearly defined Frameworks generally require a single individual with
ultimate responsibility
34
Reliance on Cybersecurity Frameworks Numerous organizations have published cybersecurity frameworks
intended to provide guidance on protecting companies and other organizations against cybersecurity risks
There is no legal requirement that investment management firms follow a specific cybersecurity framework; the SEC has cited cybersecurity frameworks but has not endorsed one in particular
There is no one size fits all approach
Companies and other organizations have unique risks and how they implement cybersecurity strategies and allocate resources will vary based on each firm’s critical activities
SEC has criticized “off the shelf” compliance programs that are not tailored to a firm’s operations
35
Sample Frameworks and Standards National Institute of Standards and Technology (“NIST”)
Framework for Improving Critical Infrastructure Cybersecurity
International Organization for Standardization and International Electrotechnical Commission Information Technology 27001 and 27002 Framework
ISACA (fka International Systems Audit and Control Association) Control Objectives for Information and Related Technology (“COBIT”) 5
SANS Institute Critical Security Controls
GCHQ CESG Ten Steps to Cybersecurity
36
Chief Compliance Officer Oversight Responsibilities for Cybersecurity
Compliance Policies and Testing
IAA Rule 206(4)-7 and ICA Rule 38a-1 together require registered investment advisers and registered funds to (1) designate a chief compliance officer (“CCO”), (2) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, and (3) review annually the adequacy and effectiveness of such policies and procedures
Cybersecurity compliance policies and procedures that address requirements under the federal securities laws should be included in compliance programs and evaluated as part of the annual review, which should include risk assessments, policy and procedure reviews, and service provider reviews
38
SEC Sweep Exam Findings on Role of CCOs
Results of the SEC staff cybersecurity sweep exam indicated that a significant majority of advisory firms assign information security responsibilities to Chief Technology Officers or to other senior officers, including Chief Compliance Officers, to liaise with third-party consultants who are responsible for cybersecurity
Less than a third of the examined advisers (30%) have a Chief Information Security Officer
39
SEC Guidance on Role of CCO No specific SEC guidance on the role of the CCO in the context of
cybersecurity programs
The 2004 Adopting Release for Rule 206(4)-7 and Rule 38a-1 and other formal and informal statements by the SEC and its staff provide guidance that can be applied in the context of compliance with cybersecurity requirements under the federal securities laws
Adviser CCOs: “An adviser's chief compliance officer should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop and enforce appropriate policies and procedures”
Responsible for administering policies and procedures adopted to comply with the Advisers Act and the rules thereunder, which include cybersecurity requirements
40
SEC Guidance on Role of CCO SEC has provided more specific guidance on the responsibilities of
mutual fund CCOs, which extends to cybersecurity compliance obligations under the federal securities laws
Oversight: “The chief compliance officer, in exercising her responsibilities under the rule, will oversee the fund's service providers, which will have their own compliance officials”
Oversight responsibilities extend to each investment adviser, principal underwriter, administrator and transfer agent
Oversight extends to compliance with the “Federal Securities Laws” (e.g., Regulation S-P, but not state data breach laws)
41
SEC Guidance on Role of CCO Administration: “A [CCO] should diligently administer this
oversight responsibility by taking steps to assure herself that each service provider has implemented effective compliance policies and procedures administered by competent personnel”
Familiarity with Service Providers: “The [CCO] should be familiar with each service provider's operations and understand those aspects of their operations that expose the fund to compliance risks” and “maintain an active working relationship with each service provider's compliance personnel”
42
SEC Guidance on Role of CCO Monitoring: “Arrangements with the service provider should
provide the fund's [CCO] with direct access to these personnel, and should provide the [CCO] with periodic reports and special reports in the event of compliance problems”
“[T]he fund's contracts with its service providers might also require service providers to certify periodically that they are in compliance with applicable federal securities laws, or could provide for third-party audits arranged by the fund to evaluate the effectiveness of the service provider's compliance controls”
Testing: “The [CCO] could conduct (or hire third parties to conduct) statistical analyses of a service provider's performance of its duties to detect potential compliance failures”
43
CCO Potential Liabilities ‘‘I need to be clear that we have brought – and will
continue to bring – actions against legal and compliance officers when appropriate’’ – SEC Enforcement Director Andrew Ceresney, Keynote Address at Compliance Week 2014 (May 20, 2014)
Numerous enforcement actions against CCOs for a variety of alleged failures, including (1) failure to implement appropriate procedures to address risks and (2) failure to adequately assess effectiveness of those procedures
44
Annual Review Considerations
Risk-based approach, including with respect to cybersecurity matters
Review should focus on (1) the adequacy of policies and procedures, including those relating to cybersecurity requirements, and (2) the effectiveness of their implementation
45
Annual Review – Risk-Based Approach Conduct/review cybersecurity risk assessment: “[E]ach adviser should identify its unique set of risks, both as
the starting point for developing its compliance policies and procedures and as part of its periodic assessment of the continued effectiveness of these policies and procedures”
Incorporate cybersecurity compliance risks in the firm’s risk matrix: “Provide a current inventory of the Adviser’s compliance risks.
If changes were made to this inventory of risks during the Examination Period, please indicate what these changes were and the corresponding date of the change.”
46
Annual Review – Risk-Based Approach Identify key risks based on:
Interviews with persons responsible for cybersecurity matters
Review of inventory of firm assets, systems and data types Types of sensitive information; physical devices and systems; software
platforms and applications; network resources, connections and data flows; network connections from external sources; and logging capabilities
Review and assessment of internal and external threats Review past cybersecurity incidents at the firm and in the industry Obtain threat intelligence through security organizations (e.g., Financial
Services Information Sharing and Analysis Center) Use third party vendors to identify risks
Structure and size of the firm
Other relevant factors
47
Annual Review – Policies and Procedures
Review adequacy of policies and procedures, including those relating to cybersecurity requirements: Confirm that the firm is following its cybersecurity compliance
procedures
Account for all action items required in procedures
Perform a gap analysis of the firm’s compliance procedures around cybersecurity to determine whether any additions are necessary or appropriate (e.g., benchmark procedures against peers and identify any business changes that require procedure changes)
Address any new regulatory requirements that might arise
48
Annual Review – Effectiveness
Assess the effectiveness of implementation of the firm’s cybersecurity policies and procedures: Interview personnel with cybersecurity responsibilities to
determine their understanding and assessment of existing procedures
Observe implementation of cybersecurity policies and procedures in actual operating environment
Test compliance with cybersecurity procedures Review reports produced by business units/areas and third
parties relating to cybersecurity matters Evaluate trends in, and frequency of, exceptions or violations
of cybersecurity requirements
49
Annual Review – Testing
Compliance rules do not require testing, but OCIE routinely asks for information about testing results in connection with compliance reviews Transactional Tests – Transaction-by-transaction tests
conducted contemporaneously with the transaction Periodic Tests – Transaction-by-transaction tests performed on
a “look back” basis at relevant intervals, such a spot checks or random or regular detailed reviews
Forensic Tests – Tests that analyze data over a period of time looking for trends and patterns that are difficult to identify when viewing smaller numbers of transactions or short periods of time
50
Annual Review – Testing Vulnerability Scans – Automated process of proactively identifying
security vulnerabilities of computing systems in a network to determine if and where a system can be exploited and/or threatened
Penetration Testing – An attack on a firm’s information technology system conducted by an information security specialist retained by the firm with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data
Session 3 of the Cybersecurity Seminar Series on April 29 will address risk assessments and testing in more detail
51
Annual Review – Documenting Results Results of annual review, including cybersecurity
compliance, should be documented by advisers in a written report (required for funds) or other documentation
Findings and results should be documented carefully
Any weaknesses or other compliance issues identified should have corresponding follow up action items responding to the weakness or other issue
52
Annual Review – Potential Areas for Review
OCIE Cybersecurity Initiative – Sample Document Request: “The sample document request…is intended to empower
compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness….”
Resource for compliance assessments and preparing for OCIE exam covering cybersecurity
Very broad and not necessarily indicative of SEC staff views on scope of annual compliance review
53
Annual Review – Potential Areas for Review
Sample Document Request identified five areas for potential review and consideration1. Identification of Risks/Cybersecurity Governance
2. Protection of Firm Networks and Information
3. Risks Associated with Remote Access and Funds Transfer Requests
4. Detection of Unauthorized Activity
5. Risks Associated with Vendors and Other Third Parties
54
Oversight of Third Party Service Providers
Why You Should Worry About Your Third Party Service Provider
Chief Information Officers and hackers are discovering that the quickest path to a firm’s data is often through a third party, such as a vendor.
The risk is that your data gets hacked, not necessarily because of something you’ve done, but because of something your vendor did not do.
56
Examples of Third Party Relationships That Have a Data-Security/Cybersecurity ElementsFor Mutual Funds:
Transfer Agent Administrator Fund Accounting Custody Distributor
For Investment Advisers: Custody/Prime-Broker Trading Systems Trade Confirmation/Settlement Pricing IT/Website Hosting Data Centers/Cloud Storage
57
Critical Points for Vendor Cybersecurity Risk Oversight
Risk Based Selection of Vendor/Service ProviderDue Diligence
Monitoring (i.e., Ongoing Due Diligence)The Service Provider/Vendor Contract
Policies and Procedures – Establish a methodology for standardized reviews and evaluations.
58
The Team Compliance Legal IT Risk Business Line(s)
59
The ApproachRisk Based – For Example:
Low Risk – Contract Review & Third Party Reports
Medium – Documentary Due Diligence & Questionnaires
High Risk – On-Site Visit
Don’t forget to include vendor relationships in ongoing firm risk assessments and to establish protocols to terminate vendor access to firm systems upon contract termination.
Vendor Due DiligenceExamples of Cybersecurity Due Diligence Topics:
Physical Security Network Security Systems Security Staff Security Overall Security Policy Results of Third Party Cybersecurity Reviews Membership in Cybersecurity Groups (e.g., FS-ISAC) / Threat
Resources Business Continuity Plan Breach Response Plan Background Checks for Employees Cyber-insurance Use of Encryption Application Development Security Practices Heightened Security procedures around remote maintenance
60
Examples of Vendor Cybersecurity Controls
Limits on data access by vendor employees Virus protection Encryption of data while at rest or in transit Controls in place concerning subcontractors System patch management Testing, including penetration testing Change Management Process Business Continuity Controls Training
61
Contracts to the Rescue? Commercial contracts as a risk mitigation
tool Step beyond confidentiality obligations
(e.g., Reg. S-P compliance) Address data security and data breaches Prescribe preventive measures Address post-breach actions Assign liability
klgates.com 62
Common Contract Challenges
Unequal Bargaining Power
Contract of Adhesion
Click Through Agreements
Legacy Contracts
klgates.com 63
Cybersecurity Provisions in Vendor/Service-Provider Agreements
Preventative Measures and Compliance with Applicable Law
Data Ownership Downtime/Loss-of-Service Breach Notification Right to Audit / 3rd Party Audits & Attestations
(e.g., SSAE 16/SOC 2 Audits) Liability, Indemnification and Remedies Use of 3rd Party Vendors Insurance Coverage Termination Provisions
klgates.com 64
Prescribe Preventative Measures
Require administrative, technical, and physical safeguards, and appropriate technical and organizational measures to protect company/customer data
Require compliance with applicable/industry specific privacy and data security laws (e.g., Reg. S-P, Massachusetts Information Security Regulations)
Require subcontractor flow-down provisions Require consent to security audits / provision of 3rd
party reviews
klgates.com 65
Address Post-Breach Actions
Immediate notice Suspected or confirmed?
Full cooperation between you and the vendor Prompt remedial action Notifications to individuals (your clients/shareholders) Who prepares notices Who pays
Credit Monitoring Termination Rights
klgates.com 66
Vendor as Dumb Insurer “Vendor Bears All Risk” position:
Vendor is charging for its services Vendor should bear all risk of data breach
Vendor position: Vendor’s profit margin on services is less than your profit margin on your
business enterprise Vendor is not an insurer of your entire business risk No insurer will take unlimited risks Services could not be offered at prices less than your cost to provide
services if vendor carries all business risk
The challenge is to find common ground between the two positions.
klgates.com 67
Where Market is Heading
Separate, higher caps on direct damages for data breaches
Specified exceptions from exclusions from indirect/consequential damages (e.g., cost of notification)
Indemnification up to capped amount Risk exposure linked to vendor’s cyber insurance
coverage
klgates.com 68
Key Takeaways and Next Steps
Practical Next Steps for Advisers and Funds1. Engage senior management and, if appropriate, the board of the
adviser and any funds in the complex2. Conduct a cybersecurity governance and risk assessment3. Review and test the adequacy of existing compliance policies,
business continuity plans, technical controls and other relevant procedures
4. Develop an incident response plan5. Enhance employee training6. Review vendor relationships7. Review insurance coverage8. Assess need for, and adequacy of, any public disclosures9. Attend upcoming K&L Gates and Investment Adviser Association
Cybersecurity Seminar Series programs
70
klgates.com
Cybersecurity Seminar Series Overview Session 1 (February 27, 2015) Untangling the Gordian Knot – Were to Begin When Building Your
Cybersecurity Program Session 2 (Today) Board and Senior Management Oversight of Cybersecurity at the
Adviser, the Registered Fund and Their Service Providers Session 3 (April 29, 2015) Testing Your Cybersecurity Infrastructure and Enforcement Related
Developments Session 4 (May 20, 2015) Breach – What to Do When Things Go Wrong and Cybersecurity
Insurance Coverage Session 5 (June 25, 2015) Building a Better Mousetrap – Evolving Trends in Cybersecurity
Practices and Public Policy Developments71
Speaker Contact InformationMark C. Amorosi, Investment Management Partner, K&L Gates [email protected]
Laura L. Grossman, Assistant General Counsel, Investment Adviser Association(202) [email protected]
Jeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates LLP(609) [email protected]
Andras P. Teleki, Investment Management Partner, K&L Gates [email protected]
72
Additional Cybersecurity ResourcesTo access our firm’s additional cybersecurity related recorded webinars, presentations, articles and checklists please visit www.klgateshub.com.
73
THANK YOU