Which Describes Your Cybersecurity Program – Eager Beaver or Deer in Headlights? October 29, 2015

Page 1

Which Describes Your Cybersecurity Program –Eager Beaver or Deer in Headlights?

October 29, 2015

Page 2

Jamie Barnett, Partner Venable LLP

Michael Abboud Founder & CEO, TetherView

Eric Feldman, CIO The Riverside Company

Mark Heil, EVP PEF Services LLC

Our Presenters

Page 3

Welcome to the Cybersecurity Webinar

Program is scheduled to last for 1.5 hours.
– If you ask questions, we will try to address them during the program.
– If time does not permit us to answer a question posed during the webcast, it will be answered offline after the event.
– Program will be recorded and posted to our webpage within a week. The presentation and additional materials will be available tomorrow.

Requirements for CPE Credits:
– Remain logged on for at least 1 hour, 15 minutes
– Respond to at least 6 of the 8 polling questions that will be presented

Please complete the evaluation survey following the event.
– A link to the survey will be emailed shortly following the program.
– Feedback used to make future presentations better.

Page 4

Learning Objectives

How to apply the results from The Office of Compliance Inspections and Examinations ("OCIE") 2015 Cybersecurity Examination Initiative to augment your firm’s cybersecurity preparedness

Preparing for OCIE Cybersecurity exams “that will involve more testing to assess implementation of firm procedures and controls.”

Developing the types of policies, documents and reports that need to be created to manage your cybersecurity program effectively and to respond to an OCIE Exam

Assessing the risk associated with using a vendor as part of your cybersecurity due diligence

Establishing an incident response program that effectively detects breaches, generates alerts, defines the scope of the incident and provides procedures for communicating the incident to appropriate parties

Page 5

Self Assessment:

Are you an

“Eager Beaver”

or a

“Deer in Headlights?”

Page 6

Self Assessment: Eager Beaver or Deer-in-Headlights?

If Yes to all of these questions = Eager Beaver
If Yes to 3 or fewer = A Deer in Headlights

1. Has your firm adopted written information cybersecurity policies and procedures?

8. Has your firm conducted firm-wide inventorying or mapping of its technology resources?

9. Has your firm incorporated language into its contracts with vendors regarding cybersecurity risk?

13. Have you obtained Cybersecurity Insurance?

14. Does your firm make use of encryption?

15. Does your firm have a designated Chief Information Security Officer separate from CTO and CCO?

16. Does your firm use a secure portal and file exchange when transferring confidential or personal identification information with clients or vendors?

Page 7

OCIE Enforcement Action

Fined R.T. Jones, a registered investment adviser, $75,000:
– Attacked in July 2013 by a hacker who gained access to, and copied, the personally identifiable information (PII) of more than 100,000 individuals
– Failed to adopt written policies and procedures to safeguard customer information: e.g., failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
– Promptly retained several cybersecurity consulting firms to confirm the attack and determine the scope.
– Provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring
– No indications of a client suffering financial harm as a result of the cyber attack.

Page 8

Summary of OCIE Risk Alert

OCIE will continue its cybersecurity examinations of registered investment advisers
– OCIE’s examinations will involve more testing to assess implementation of firm procedures and controls.

Key topics include
– Governance and risk assessment
– Access rights and controls
– Data loss prevention
– Vendor management
– Training
– Incident response

Page 9

Governance and Risk Assessment

Page 10

FINRA's Cybersecurity Governance Framework

Purpose:
– To support informed decision making and escalation within the organization to identify and manage cybersecurity risks.

Effective practices include:
– defining a governance framework to support decision making based on risk appetite;
– ensuring active senior management, and as appropriate to the firm, board-level engagement with cybersecurity issues;
– identifying frameworks and standards to address cybersecurity;
– using metrics and thresholds to inform governance processes;
– dedicating resources to achieve the desired risk posture; and
– performing cybersecurity risk assessments.

Page 11

The Types of Documents OCIE May Request for Cyber Exam

Governance
– Firm policies re: protection of “customer” information
– Patch management practices
– Board materials regarding cyber-matters
– Information regarding the firm’s Chief Information Security Officer (“CISO”)
– Information regarding the firm’s organizational structure

Access and Controls
– Policies regarding access to network and information documenting access controls
– Policies to verify the authenticity of customer requests to transfer funds
– Customer complaints related to customer access
– Reviews of access rights
– Internal audit

Data Loss Prevention
– Policies and procedures re: enterprise data loss prevention, including data mapping (especially PII)
– Policies related to data classification and risk levels
– Policies related to monitoring unauthorized distribution of sensitive information

Vendor Management
– Policies related to third party vendors including due diligence, contracts, agreements, approval processes, supervision, and risk assessments
– Written contingency plans concerning conflicts of interest, bankruptcy, etc.

Training
– Training provided to employees re: information security and risks, training method, dates, topics, etc.
– Training provided to third party vendors or business partners

Incident Response
– Business continuity plans that mitigate effects of a cybersecurity incident
– Process for testing the incident response plan
– System generated reports related to data loss
– Incidents of unauthorized access or distribution of PII

Page 12

Access Controls/Data Loss Prevention

Complicate
– Make it difficult for intruders through user authentication, encryption, firewalls and access rights & controls

Detect
– Intrusion detection
– Open source monitoring

Respond
– Minimize continuing damage
– Collect and preserve data related to the incident.
• “Image” the network
• Keep all logs, notes, and other records
• Keep records of ongoing attacks
– DO NOT: Use compromised systems to communicate, Hack Back, or Intrude upon another network

Page 13

Common Vendor Management Issues

• Lack of a formal due diligence and risk assessment process in planning and selection of vendors

• Understand the data inventory and mapping risks (Security) – Where is your data??

• Policies and procedures when onboarding and monitoring vendors (i.e., controls) – Contract Terms, Onsite Audits, etc…

• Compliance with the regulations and understanding the “4th Party” risks

• COST BENEFIT ANALYSIS – ensure you have considered compliance and risk mitigation

Page 14

Cybersecurity and Vendor Contracts

Identify and Mark all Attributional/Proprietary Information
Consider Employee Nondisclosure Agreements Requirement
Require Safeguarding of Confidential and PII Information
Compel Specific Actions for Cyber Incidents:
– Require a specific incident reporting period (e.g., 72 hours)
– Insert a duty to investigate cyber incidents and provide a report
– Require customer approval of remediation plan
– Conduct forensic investigation to determine cause and affected data and systems
– Provide regular updates of its investigation to customer and permit reasonable access to the investigation to the customer
– Cooperate with customer’s investigation
– Customer, not supplier, makes final decision on notification of affected individuals

Page 15

Riverside’s Online Cybersecurity Training

Page 16

Employee Training – Who, What & When

Who:
– New hire training
– Existing employees
– IT
– Senior Management

What:
– Responsibility for Company Data
– Internal Policies, Document Management and Notification Procedures
– Passwords
– Unauthorized Software
– Internet Use, Social Media Policy
– Social Engineering
– Email, Social Engineering and Phishing
– Mobile Devices
– Protecting Computer Resources

When:
– Onboarding
– Regular Training Sessions
– Testing
– Constant Education

Page 17

Key Elements of An Incident Response Plan According to National Institute of Standards and Technology (NIST)

Incident Handling and Reporting Procedures

Communication Guidelines with Outside Parties

Team Structure and Staffing Model

Establish Relationships and Lines of Communication, internally and externally

Incident Response Team Scope of Services

Incident Response Team Staffing and Training

Page 18

NIST Incident Response Team Communications Model

Page 19

Potential Pitfalls of Incident Response Plans

Outdated
– Not integrated into the current practices of the firm
– Changes at vendors or agencies in policies, procedures or contacts

Lack of training of those involved
– Practice? Who needs practice?
– Evidence lost or destroyed

Single point of failure
– Plan depends on one or two key people who may not be available at time of crisis

Page 20

Summarizing Today’s Program

Identify the Real Risks / Protect what Matters Most
• Develop a security strategy focused on business drivers and protecting high-value data
• Define the organization’s overall risk appetite
• Identify the most important information and applications, where they reside and who has/needs access
• Assess the threat landscape and your security program maturity – model your real exposures
• Assume breaches will occur – improve processes that complicate, detect and respond
• Balance the fundamentals with emerging threat and vulnerability management
• Establish and rationalize access control models for applications and information
• Protect key identities and roles because they have access to the crown jewels

Sustain your Security Program / Enable Security in the Business
• Get governance right – security is a board-level priority
• Allow good security to drive compliance – not vice versa
• Measure leading indicators to catch problems while they are still small
• Accept manageable risks that improve performance
• Know your weaknesses – and address them!
• Make security everyone's responsibility – it's a business problem, not just an IT problem
• Align all aspects of security (information, privacy, physical and business continuity) with the business
• Spend wisely in controls and technology – invest more in people and process
• Selectively consider outsourcing or co-sourcing operational security program areas

Page 21

Thank you for joining us!

Michael Abboud, TetherView – 707-927-0490 – www.tetherview.com

Eric Feldman, The Riverside Company – 212-484-2178 – www.riversidecompany.com

Jamie Barnett, Venable LLP – 202-344-4695 – www.venable.com

Mark Heil, PEF Services LLC – (212) 203-4679 – www.pefundservices.com