Presentation for FPANJ Spring 2015 Conference

Transcript of Presentation for FPANJ Spring 2015 Conference

Page 1

CYBER SECURITY
FPANJ Spring Conference 2015

Page 2

Threat is Real

Page 3

Who Needs A Gun?

Sony: may cost $100 Million; leaked personal information
• Sensitive emails
• What actor wants to do business with Sony?
• Operations severely hampered
• Exposure of trade secrets

Target: cost $148 Million
• 1 to 3 million credit card numbers stolen
• plus personal information for millions of customers

Page 4

Hackers Compromised 76 Million Household Accounts (October 15, 2014)

Page 5

Passwords

A joke about passwords has won a competition for the funniest joke at the Edinburgh Fringe.

What would be a great password that is eight characters long?

Page 6

Answer

Page 7

Cyber Security Is No Joke

Reuters, Thu Apr 23, 2015, 12:26pm EDT: U.S. House passes second 'threat-sharing' cybersecurity bill
• The U.S. House of Representatives voted overwhelmingly on Thursday to pass a bill that extends liability protection for companies that share information about cyber attacks, if they give the data to the U.S. Department of Homeland Security.

Page 8

What are the Regulators Doing?

SEC held a Cyber Security Roundtable in March 2014

Former SEC Commissioner Luis Aguilar
• He was particularly concerned about capital markets and regulated entities
• A cyber-attack on an exchange or a market participant can have broad consequences that impact public companies and investors.

Page 9

SEC Roundtable

SEC Chairperson Mary Jo White
• Cybersecurity threats are real
– Criminals and hired hackers
– Terrorists
– State-sponsored intruders
– Misguided computer experts
• Resources devoted to cyber-based threats will eclipse resources devoted to terrorism.
• 2011 SEC Guidance to Public Companies

Page 10

SEC Roundtable

Proposed rule on Regulation Systems Compliance and Integrity was adopted in 2015
• Requires certain entities, SROs and large alternative trading platforms, to test their vulnerabilities, test their business continuity and disaster recovery plans, and notify the SEC of cyber intrusions.
• SEC is now considering whether to adopt a similar rule for other regulated entities.

Page 11

SEC Cyber Security Activities

April 14, 2014: SEC issued a National Exam Program Risk Alert
Office of Compliance Inspections and Examinations (“OCIE”)
• SEC will inspect 50 broker dealers and registered investment advisors

Page 12

SEC Cyber Activities

In 2014 the SEC published a sample list of requests for information that OCIE may use in conducting examinations regarding cyber security.
• Identification of Risks/Cybersecurity Governance
• Protection of Firm Networks and Information
• Risks Associated with Remote Customer Access and Funds Transfer Requests

Page 13

SEC Cyber Activities Continued

• Risks Associated with Vendors and Other Third Parties
• Detection of Unauthorized Activity
• Experiences with certain cybersecurity threats
– Does the firm have an updated supervisory procedure to reflect the Identity Theft Red Flags Rules?
– Regulation S-ID

Page 14

SEC Cyber Activities Continued

The SEC Examination Priorities Letter of January 9, 2014 did not mention cyber security.

The SEC Examination Priorities Letter for 2015 specifically referenced expanding its cyber security examinations.

Page 15

SEC Cyber Activities Continued

February 3, 2015: SEC issued a National Exam Program Risk Alert
• Cyber Security Examination Sweep Summary
• Summary of Observations
– Examined 57 broker dealers
– Examined 49 RIAs
• Vast majority have adopted written information security policies.
– Business continuity plans often address the impact of a cyber attack.

Page 16

SEC Cyber Activities Continued

– Policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents.
– Many firms are utilizing external standards.
• Vast majority of firms conduct periodic risk assessments.
– Fewer firms apply these requirements to their vendors.
• A vast majority of the firms have been subject to a cyber attack.

Page 17

SEC Cyber Activities Continued

• Many firms identify best practices through information sharing networks
– Financial Services Information Sharing and Analysis Center: https://www.fsisac.com/
• Firms inventory, catalogue, and map their technology resources.
• Most brokers incorporate requirements relating to cybersecurity risks in their 3rd party vendor contracts.

Page 18

SEC Cyber Activities Continued

• A minority of RIAs incorporate requirements relating to cybersecurity risks in their 3rd party vendor contracts.
• Almost all the brokers and RIAs use encryption.
• Over 50% of the brokers examined have a Chief Information Security Officer (“CISO”).
• Less than 50% of the RIAs examined have a CISO.
• Use of cybersecurity insurance varied.

Page 19

FINRA

Issued a Report on Cybersecurity Practices in February 2015

Key points in the Report
• A sound governance framework with strong leadership is essential.
• Risk assessments serve as foundational tools to understand cybersecurity risks.
• Technical controls are highly contingent on the firm’s individual situation.

Page 20

FINRA Continued

• Firms should develop, implement and test response plans.
– Containment and mitigation, eradication and recovery, investigation, notification and making customers whole.
• Firms should manage cybersecurity risks and exposures when providing vendors with access to sensitive firm or client information.
• Well-trained staff are critical
• Take advantage of information sharing networks

Page 21

SEC Cybersecurity Enforcement Activities

Generally, the SEC in comment letters requires public companies to disclose past cyber incidents.

Public companies are increasingly disclosing and discussing cyber risks.

SEC currently has a number of enforcement investigations involving data breach events.

SEC noted that cybersecurity is high on the Enforcement Division’s radar.

Page 22

SEC Cybersecurity Enforcement Actions

SEC examining corporate disclosures made in the wake of recent cyber attacks on public companies and others.
• Was the incident material?
• Were the disclosures appropriate?

SEC focusing on cyber controls by broker dealers and RIAs.

Page 23

SEC Cybersecurity Enforcement Actions

• Regulation S-P, 17 C.F.R. Part 248 Subpart A
– Broker dealers and RIAs are required to adopt written supervisory policies and procedures that address the protection of customer records and information.
• A data breach could potentially trigger a Regulation S-P violation.

Page 24

Thoughts on Development of a Cyber Security Defense Program

Governance and Risk Management
• Define a governance framework.
• Ensure senior management is actively involved.
• Identify standards to address cybersecurity.
• Dedicate resources to achieve an acceptable risk environment.
• Perform cybersecurity risk assessment.

Page 25

Thoughts on Development of a Cyber Security Defense Program

Cybersecurity Risk Assessment
• Regular, periodic assessment.
• Identify and maintain an inventory of assets authorized to access the firm’s network.
• Conduct comprehensive assessments that include:
– Assessment of internal and external threats
– Prioritized recommendations to remediate risks.

Technical Controls
• Select controls appropriate to the firm’s technology and threat environment.

Page 26

Thoughts on Development of a Cyber Security Defense Program

Incident Response Planning
• Prepare for incidents that the firm believes are most likely to happen.
– Loss of customer personal information
– Network intrusion
– Customer account intrusion
– Malware infection
• Eradication and Mitigation Plans

Page 27

Thoughts on Development of a Cyber Security Defense Program

• Vendor Management
– Perform due diligence
– Establish contractual terms for sensitive information
– Ongoing due diligence
– Procedures to terminate vendor’s access to firm systems.
• Staff Training
• Cyber Intelligence and Information Sharing
• Cyber Insurance

Page 28

Conclusion

Thank You

William A. Despo, Esq.
LeClairRyan
One Riverfront Plaza, 1037 Raymond Boulevard, 16th Floor
Newark, New Jersey
(973) 491-3325
[email protected]