3. Who Needs A Gun?
May Cost Sony $100 Million
Leaked Personal Information
• Sensitive Emails
• What actor wants to do business with Sony?
Operations severely hampered
Exposure of Trade Secrets
Target cost $148 Million
• 1 to 3 million credit card numbers stolen
• plus millions of customers' personal information
5. Passwords
A joke about passwords has won a
competition for the funniest joke at the
Edinburgh Fringe.
What would be a great password that is eight
characters long?
7. Cyber Security Is No Joke
Reuters - Thu Apr 23, 2015 12:26pm EDT
U.S. House passes second 'threat-sharing'
cybersecurity bill
• The U.S. House of Representatives voted
overwhelmingly on Thursday to pass a bill that
extends liability protection for companies that
share information about cyber attacks, if they
give the data to the U.S. Department of
Homeland Security.
8. What are the Regulators Doing?
SEC held a Cyber Security Roundtable in
March 2014
Former SEC Commissioner Luis Aguilar
• He was particularly concerned about capital
markets and regulated entities
• A cyber-attack on an exchange or a market
participant can have broad consequences that
impact public companies and investors.
9. SEC Roundtable
SEC Chairperson Mary Jo White
• Cybersecurity threats are real
– Criminals and Hired Hackers
– Terrorists
– State-Sponsored intruders
– Misguided computer experts
• Resources devoted to cyber-based threats will
eclipse resources devoted to terrorism.
• 2011 SEC Guidance to Public Companies
10. SEC Roundtable
Proposed rule on Regulation Systems
Compliance and Integrity was adopted in
2015
• Requires certain entities (SROs and large
alternative trading platforms) to test their
vulnerabilities, test their business continuity
and disaster recovery plans, and notify
the SEC of cyber intrusions.
• SEC is now considering whether to adopt a
similar rule for other regulated entities.
11. SEC Cyber Security Activities
April 14, 2014: SEC issued a National Exam
Program Risk Alert
Office of Compliance Inspections and
Examinations (“OCIE”)
• SEC will inspect 50 broker dealers and
registered investment advisors
12. SEC Cyber Activities
In 2014 the SEC published a sample list of
requests for information that OCIE may use
in conducting examinations regarding cyber
security.
• Identification of Risks/Cybersecurity
Governance
• Protection of Firm Networks and Information
• Risks Associated with Remote Customer
Access and Funds Transfer Requests
13. SEC Cyber Activities Continued
• Risks Associated with Vendors and Other Third
Parties
• Detection of Unauthorized Activity
• Experiences with certain cybersecurity threats
– Does the firm have an updated supervisory
procedure that reflects the Identity Theft Red Flags Rules?
– Regulation S-ID
14. SEC Cyber Activities Continued
SEC Examination Priorities Letter of January
9, 2014 did not mention cyber security.
SEC Examination Priorities Letter for 2015
specifically referenced expanding its cyber
security examinations.
15. SEC Cyber Activities Continued
February 3, 2015: SEC issued a National
Exam Program Risk Alert
• Cyber Security Examination Sweep Summary
• Summary of Observations
– Examined 57 broker dealers
– Examined 49 RIAs
• The vast majority have adopted written information
security policies.
– Business Continuity Plans often address impact of a
cyber attack.
16. SEC Cyber Activities Continued
– Policies and procedures generally do not address
how firms determine whether they are responsible for
client losses associated with cyber incidents.
– Many firms are utilizing external standards.
• Vast majority of firms conduct periodic risk
assessments.
– Fewer firms apply these requirements to their
vendors.
• A vast majority of the firms have been subject to
a cyber attack.
17. SEC Cyber Activities Continued
• Many firms identify best practices through
information sharing networks
– Financial Services Information Sharing and Analysis
Center.
• https://www.fsisac.com/
• Firms inventory, catalogue, and map their
technology resources.
• Most brokers incorporate requirements relating
to cybersecurity risks in their 3rd party vendor
contracts.
18. SEC Cyber Activities Continued
• A minority of RIAs incorporate requirements
relating to cybersecurity risks in their 3rd party
vendor contracts.
• Almost all the brokers and RIAs use encryption.
• Over 50% of the brokers examined have a
Chief Information Security Officer (“CISO”).
• Less than 50% of the RIAs examined have a
CISO.
• Use of cybersecurity insurance varied.
19. FINRA
Issued a Report on Cybersecurity Practices
in February 2015
Key points in the Report
• A sound governance framework with strong
leadership is essential.
• Risk assessments serve as foundational tools
to understand cybersecurity risks.
• Technical controls are highly contingent on the
firm’s individual situation.
20. FINRA Continued
• Firms should develop, implement and test
response plans.
– Containment and mitigation, eradication and
recovery, investigation, notification and making
customers whole.
• Firms should manage cybersecurity risks and
exposures when providing vendors with access
to sensitive firm or client information.
• Well-trained staff are critical.
• Take advantage of information sharing
networks.
21. SEC Cybersecurity Enforcement
Activities
Generally, the SEC in comment letters requires
public companies to disclose past cyber
incidents.
Public companies are increasingly disclosing
and discussing cyber risks.
SEC currently has a number of enforcement
investigations involving data breach events.
SEC noted that cybersecurity is high on the
Enforcement Division’s radar.
22. SEC Cybersecurity Enforcement Actions
SEC is examining corporate disclosures made
in the wake of recent cyber attacks on
public companies and others.
• Was the incident material?
• Were the disclosures appropriate?
SEC is focusing on cyber controls by broker
dealers and RIAs.
23. SEC Cybersecurity Enforcement Actions
• Regulation SP 17 C.F.R. Part 248 Subpart A
– Broker dealers and RIAs are required to adopt written
supervisory policies and procedures that address the
protection of customer records and information.
• A Data breach could potentially trigger a
Regulation SP violation.
24. Thoughts on Development of a Cyber
Security Defense Program
Governance and Risk Management
• Define a governance framework.
• Ensure senior management is actively involved.
• Identify standards to address cybersecurity.
• Dedicate resources to achieve an acceptable risk
environment.
• Perform cybersecurity risk assessment.
25. Thoughts on Development of a Cyber
Security Defense Program
Cybersecurity Risk Assessment
• Regular, periodic assessment.
• Identify and maintain an inventory of assets
authorized to access the firm’s network.
• Conduct comprehensive assessments that include:
– Assessment of internal and external threats
– Prioritized recommendations to remediate risks.
Technical Controls
• Select controls appropriate to the firm’s technology
and threat environment.
26. Thoughts on Development of a Cyber
Security Defense Program
Incident Response Planning
• Prepare for incidents that the firm believes are
most likely to happen.
– Loss of customer personal information
– Network intrusion
– Customer account intrusion
– Malware infection
• Eradication and Mitigation Plans
27. Thoughts on Development of a Cyber
Security Defense Program
• Vendor Management
– Perform due diligence
– Establish contractual terms for sensitive information
– Ongoing due diligence
– Procedures to terminate vendor’s access to firm
systems.
• Staff Training
• Cyber Intelligence and Information Sharing.
• Cyber Insurance
28. Conclusion
Thank You
William A. Despo, Esq.
LeClairRyan
One Riverfront Plaza
1037 Raymond Boulevard, 16th Floor
Newark, New Jersey
(973) 491-3325
william.despo@leclairryan.com