Presentation for FPANJ Spring 2015 Conference
Transcript of Presentation for FPANJ Spring 2015 Conference
CYBER SECURITY
FPANJ Spring Conference 2015
Threat is Real
Who Needs A Gun?
May Cost Sony $100 Million
• Leaked personal information
• Sensitive emails
• What actor wants to do business with Sony?
• Operations severely hampered
• Exposure of trade secrets
Target Cost $148 Million
• 1 to 3 million credit card numbers stolen
• plus millions of customer information records
Hackers Compromised 76 Million Household Accounts (October 15, 2014)
Passwords
A joke about passwords has won a competition for the funniest joke at the Edinburgh Fringe.
What would be a great password that is eight characters long?
Answer
Cyber Security Is No Joke
Reuters - Thu Apr 23, 2015 12:26pm EDT: U.S. House passes second 'threat-sharing' cybersecurity bill
• The U.S. House of Representatives voted overwhelmingly on Thursday to pass a bill that extends liability protection for companies that share information about cyber attacks, if they give the data to the U.S. Department of Homeland Security.
What are the Regulators Doing?
SEC held a Cyber Security Roundtable in March 2014
Former SEC Commissioner Luis Aguilar
• He was particularly concerned about capital markets and regulated entities.
• A cyber-attack on an exchange or a market participant can have broad consequences that impact public companies and investors.
SEC Roundtable
SEC Chairperson Mary Jo White
• Cybersecurity threats are real
– Criminals and hired hackers
– Terrorists
– State-sponsored intruders
– Misguided computer experts
• Resources devoted to cyber-based threats will eclipse resources devoted to terrorism.
• 2011 SEC guidance to public companies
SEC Roundtable
Proposed rule on Regulation Systems Compliance and Integrity was adopted in 2015
• Requires certain entities, SROs and large alternative trading platforms, to test their vulnerabilities, test their business continuity and disaster recovery plans, and notify the SEC of cyber intrusions.
• SEC is now considering whether to adopt a similar rule for other regulated entities.
SEC Cyber Security Activities
April 14, 2014: SEC issued a National Exam Program Risk Alert
Office of Compliance Inspections and Examinations (“OCIE”)
• SEC will inspect 50 broker dealers and registered investment advisors
SEC Cyber Activities
2014: SEC published a sample list of requests for information that OCIE may use in conducting examinations regarding cyber security.
• Identification of risks / cybersecurity governance
• Protection of firm networks and information
• Risks associated with remote customer access and funds transfer requests
SEC Cyber Activities Continued
• Risks associated with vendors and other third parties
• Detection of unauthorized activity
• Experiences with certain cybersecurity threats
– Does the firm have an updated supervisory procedure to reflect the Identity Theft Red Flags Rules?
– Regulation S-ID
SEC Cyber Activities Continued
SEC Examination Priorities Letter of January 9, 2014 did not mention cyber security.
SEC Examination Priorities Letter for 2015 specifically referenced expanding its cyber security examinations.
SEC Cyber Activities Continued
February 3, 2015: SEC issued a National Exam Program Risk Alert
• Cyber Security Examination Sweep Summary
• Summary of observations
– Examined 57 broker dealers
– Examined 49 RIAs
• Vast majority have adopted written information security policies.
– Business continuity plans often address the impact of a cyber attack.
SEC Cyber Activities Continued
– Policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents.
– Many firms are utilizing external standards.
• Vast majority of firms conduct periodic risk assessments.
– Fewer firms apply these requirements to their vendors.
• A vast majority of the firms have been subject to a cyber attack.
SEC Cyber Activities Continued
• Many firms identify best practices through information sharing networks
– Financial Services Information Sharing and Analysis Center
• https://www.fsisac.com/
• Firms inventory, catalogue, and map their technology resources.
• Most brokers incorporate requirements relating to cybersecurity risks in their third-party vendor contracts.
SEC Cyber Activities Continued
• A minority of RIAs incorporate requirements relating to cybersecurity risks in their third-party vendor contracts.
• Almost all the brokers and RIAs use encryption.
• Over 50% of the brokers examined have a Chief Information Security Officer (“CISO”).
• Less than 50% of the RIAs examined have a CISO.
• Use of cybersecurity insurance varied.
FINRA
Issued a Report on Cybersecurity Practices in February 2015
Key points in the Report
• A sound governance framework with strong leadership is essential.
• Risk assessments serve as foundational tools to understand cybersecurity risks.
• Technical controls are highly contingent on the firm’s individual situation.
FINRA Continued
• Firms should develop, implement and test response plans.
– Containment and mitigation, eradication and recovery, investigation, notification and making customers whole.
• Firms should manage cybersecurity risks and exposures when providing vendors with access to sensitive firm or client information.
• Well-trained staff are critical.
• Take advantage of information sharing networks.
SEC Cybersecurity Enforcement Activities
Generally, the SEC in comment letters requires public companies to disclose past cyber incidents.
Public companies are increasingly disclosing and discussing cyber risks.
SEC currently has a number of enforcement investigations involving data breach events.
SEC noted that cybersecurity is high on the Enforcement Division’s radar.
SEC Cybersecurity Enforcement Actions
SEC is examining corporate disclosures made in the wake of recent cyber attacks on public companies and others.
• Was the incident material?
• Were the disclosures appropriate?
SEC is focusing on cyber controls by broker dealers and RIAs.
SEC Cybersecurity Enforcement Actions
• Regulation S-P, 17 C.F.R. Part 248 Subpart A
– Broker dealers and RIAs are required to adopt written supervisory policies and procedures that address the protection of customer records and information.
• A data breach could potentially trigger a Regulation S-P violation.
Thoughts on Development of a Cyber Security Defense Program
Governance and Risk Management
• Define a governance framework.
• Ensure senior management is actively involved.
• Identify standards to address cybersecurity.
• Dedicate resources to achieve an acceptable risk environment.
• Perform a cybersecurity risk assessment.
Thoughts on Development of a Cyber Security Defense Program
Cybersecurity Risk Assessment
• Regular, periodic assessment.
• Identify and maintain an inventory of assets authorized to access the firm’s network.
• Conduct comprehensive assessments that include:
– Assessment of internal and external threats
– Prioritized recommendations to remediate risks.
Technical Controls
• Select controls appropriate to the firm’s technology and threat environment.
Thoughts on Development of a Cyber Security Defense Program
Incident Response Planning
• Prepare for incidents that the firm believes are most likely to happen.
– Loss of customer personal information
– Network intrusion
– Customer account intrusion
– Malware infection
• Eradication and mitigation plans
Thoughts on Development of a Cyber Security Defense Program
• Vendor Management
– Perform due diligence
– Establish contractual terms for sensitive information
– Ongoing due diligence
– Procedures to terminate the vendor’s access to firm systems
• Staff Training
• Cyber Intelligence and Information Sharing
• Cyber Insurance
Conclusion
Thank You
William A. Despo, Esq.
LeClairRyan
One Riverfront Plaza, 1037 Raymond Boulevard, 16th Floor
Newark, New Jersey
(973) 491-3325