TRANSCRIPT
© Copyright 2015 by K&L Gates LLP. All rights reserved.
Investment Management Cybersecurity Series: Untangling the Gordian Knot – Where to Begin Building Your Cybersecurity Program
Mark C. Amorosi, Investment Management Partner, K&L Gates LLP
Jeffrey Bedser, CEO, iThreat Cyber Group
Laura L. Grossman, Assistant General Counsel, Investment Adviser Association
Andras P. Teleki, Investment Management Partner, K&L Gates LLP
E.J. Yerzak, Vice President of Technology, Ascendant Compliance Management
Friday, February 27, 2015
klgates.com
Investment Management Cybersecurity Seminar Series Overview
Session 1 (Today): Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program
Session 2 (March 23, 2015): Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers
Session 3 (April 29, 2015): Testing Your Cybersecurity Infrastructure and Enforcement Related Developments
Session 4 (May 20, 2015): Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage
Session 5 (June 25, 2015): Building a Better Mousetrap – Evolving Trends in Cybersecurity Practices and Public Policy Developments
Session 1 Topics
Understanding the business and legal environment relating to cybersecurity
Establishing a cybersecurity governance and risk management framework, including how to leverage existing policies and procedures such as Regulation S-P, Regulation S-ID, Massachusetts Information Security Regulations and business continuity plans
Establishing and maintaining a cybersecurity risk assessment program, including how to conduct an inventory of the adviser’s information technology systems, software, websites and interconnectivity
Implementing strategies to protect information technology systems, including technical controls around access management and encryption as well as regular penetration testing
Introduction to developing an incident response plan to manage a cybersecurity event
Oversight of third party vendors, staff training on cybersecurity risks and procedures, introduction to cyber insurance and involvement in cybersecurity information sharing networks
Why Cybersecurity is Top of Mind for Investment Management Firms, Investors, Regulators and the General Public
Source: Ponemon Institute LLC, Cost of Data Breach Study: Global Analysis (May 2014)
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Source: Ponemon Institute LLC, Global Report on the Cost of Cyber Crime (October 2014)
Risks of a Cybersecurity Event
Clients or employees may suffer identity theft, fraud, and financial impacts (e.g., loss of funds, account information and personally identifiable information)
Firm may suffer fraud and financial impacts (e.g., loss of web presence and business, reimbursements and costs of correction)
Firm reputation and brand may suffer
Firm may incur regulatory fines and/or litigation expenses
Strategic business plans or intellectual property may be compromised
Key Cybersecurity Facts for the Investment Management Industry
Financial services sector is among the most targeted sectors by cyber criminals
Financial services firms are experiencing year-over-year increases in the number of cybersecurity incidents
Regulators are increasing their focus on cybersecurity matters, including in the enforcement context
Private litigants (and the plaintiffs’ bar) continue to target firms that have experienced cybersecurity incidents
Firms are increasing the amount of resources dedicated to cybersecurity preparedness
The Regulatory Framework
Overview of the Federal Framework
Regulation S-P (including “Safeguards Rule”)
Regulation S-ID (Identity Theft Red Flags)
IAA Rule 206(4)-7 and ICA Rule 38a-1
IAA Rule 204-2(g) and ICA Rule 31a-2(f)
Business Continuity Plans
Suspicious Activity Reporting
CFTC Regulations, Part 160.30
Regulation S-P – Key Component
“Safeguards Rule” -- Rule 30 of Regulation S-P
Applies to every investment adviser, investment company, broker and dealer registered with the SEC that has natural person clients
Requires firms to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information, reasonably designed to:
Ensure the security and confidentiality of customer records and information;
Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Regulation S-P – Proposed Amendments
SEC proposed to amend Regulation S-P in 2008 to:
Impose new security breach response requirements
Expand the application of the “Safeguards Rule” to transfer agents registered with the SEC
Expand the scope of the current disposal of consumer report information and records requirements under Regulation S-P
The proposed amendments were never adopted or withdrawn but provide guidance regarding what the SEC was thinking about cybersecurity at the time and the potential direction of future SEC regulatory action in this area
Regulation S-P – Proposed Amendments
Proposed amendments to Regulation S-P would have required:
Designating, in writing, which employee(s) are responsible for coordinating the program
Identifying, in writing, reasonably foreseeable internal and external risks to data and systems that could result in the compromise of such information or systems
Designing and implementing safeguards to control the risks identified and maintaining a written record of such safeguards
Testing the program on a regular basis and adjusting the program based on the testing, changes in technology and material changes to business operations or arrangements
Training staff to implement the program
Overseeing service providers and taking certain steps to ensure that service providers are properly safeguarding customer information
Regulation S-ID – Key Components
Regulation S-ID focuses on protecting individuals from identity theft by requiring financial institutions to monitor for “red flags” that are indicative of identity theft or attempts at identity theft, which is a common cybercrime tactic
Regulation S-ID generally applies to investment advisers, investment companies, brokers and dealers registered with the SEC that maintain accounts for individuals in which the accountholder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others
Regulation S-ID – Key Components
Regulation S-ID requires financial institutions to:
Implement an identity theft prevention program
Identify relevant “red flags” for covered accounts and incorporate those red flags into the program
Detect red flags that have been incorporated into the program
Respond appropriately to any red flags that are detected to prevent and mitigate identity theft
Ensure that the program (including the red flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the entity from identity theft
IAA Rule 206(4)-7 and ICA Rule 38a-1
Rule 206(4)-7 requires each registered investment adviser to (1) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, and (2) review annually the adequacy of such policies and procedures and the effectiveness of their implementation
Rule 38a-1 requires every registered investment company to (1) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws by the fund, including policies and procedures that provide for the oversight of compliance by each investment adviser, principal underwriter, administrator, and transfer agent of the fund, and (2) review annually the adequacy of the policies and procedures of the fund and each investment adviser, principal underwriter, administrator and transfer agent and the effectiveness of their implementation
Cybersecurity compliance policies and procedures that address requirements under the federal securities laws should be included in compliance programs and evaluated as part of the annual review
IAA Rule 204-2(g) and ICA Rule 31a-2(f)
Permit advisers, registered funds and third party service providers to such entities to maintain required books and records in electronic format
Require the recordkeeper to establish and maintain procedures to, among other things:
Maintain and preserve the records, so as to reasonably safeguard them from loss, alteration, or destruction
Limit access to the records to properly authorized personnel and the SEC and its staff
Business Continuity Plans
The SEC has taken the position that compliance programs adopted pursuant to IAA Rule 206(4)-7 must include a reasonable process for responding to emergencies, contingencies, and disasters
The contingency planning process should be appropriately scaled, and reasonable in light of the facts and circumstances surrounding the adviser’s business operations and the commitments it has made to its clients
Business continuity plans should address relevant cybersecurity considerations
Suspicious Activity Reporting
Suspicious Activity Reporting applies to financial institutions with AML programs
A transaction requires a SAR if it is conducted or attempted by, at, or through a financial institution, it involves funds or other assets with a value of $5,000 or more, and the financial institution knows, suspects, or has reason to suspect that the transaction (or a pattern of transactions):
(i) Involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity (including, without limitation, the ownership, nature, source, location, or control of such funds or assets) as part of a plan to violate or evade any Federal law or regulation or to avoid any transaction reporting requirement under Federal law or regulation;
(ii) Is designed, whether through structuring or other means, to evade any requirements of this chapter or any other regulations promulgated under the Bank Secrecy Act;
(iii) Has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the financial institution knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction; or
(iv) Involves use of the financial institution to facilitate criminal activity.
A SAR filing may be required where there is a financial loss resulting from a cyber-attack, and SARs are sometimes filed even if there is no discernible dollar value at the time of the loss
CFTC Regulations – Part 160.30
CFTC Regulation, Part 160.30 is comparable to the SEC Safeguards Rule
Applies to every commodity pool operator, commodity trading advisor, futures commission merchant, retail foreign exchange dealer, introducing broker, major swap participant, and swap dealer subject to CFTC jurisdiction
Requires firms to adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information, reasonably designed to:
Ensure the security and confidentiality of customer records and information;
Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
CFTC Regulations – Part 160.30
CFTC Staff Advisory No. 14-21 (Feb. 26, 2014) lists best practices:
Designate a specific employee with privacy and security responsibilities who is part of or reports directly to senior management or the board
Identify, in writing, all reasonably foreseeable internal and external risks to data and systems
Design and implement safeguards to control the identified risks, and maintain a written record of such designs
Train staff to implement the program
Regularly test and monitor the safeguards
At least once every two years, arrange for an independent party to test and monitor the safeguards
Oversee service providers by: (1) taking reasonable steps to retain firms able to maintain appropriate safeguards; and (2) contractually requiring firms to implement and maintain appropriate safeguards
Regularly evaluate and adjust the program in light of assessments and circumstances that may materially impact the program
Design and implement policies and procedures for responding to a security incident (including notification to the CFTC and affected individuals in certain cases)
Provide the board of directors an annual assessment of and report on the program
CFTC and NFA staff have identified cybersecurity as a focus area for 2015, including in potential examinations
Overview of State Law Framework
Practically every state has enacted laws relating to cybersecurity
State requirements follow two general approaches:
Some states require information security programs; Massachusetts’ approach is to require specific elements (e.g., firewalls, security patches, malware protection, secure authentication)
Some states (e.g., California) impose notice requirements in connection with data breaches
Regulatory Trends
State notification requirements in the event of a data breach or loss of customer-related information
Notification thresholds and requirements vary state by state; any loss of data must be reviewed on a state-by-state basis
Interest in development of a federal standard for breach notification across industries
Fiduciary Considerations
Investment advisers, board members and senior management are subject to fiduciary duties of care and loyalty to monitor corporate affairs with an eye toward preventing harm to the company and to clients to whom duties are owed
Fiduciary responsibilities generally extend to cybersecurity-related matters
Session 2 of the K&L Gates and Investment Adviser Association Cybersecurity Seminar Series on March 23 will address this topic in more detail
What Others are Doing: Insights from the SEC Cybersecurity Sweep Exams
SEC Cybersecurity Sweep Exam Initiative
The SEC’s Office of Compliance Inspections and Examinations examined 49 registered investment advisers and 57 registered broker-dealers in 2014 as part of its Cybersecurity Exam Initiative and issued a Risk Alert summarizing its observations in January 2015. Primary observations included:
Most advisers (74%) reported that they have been the subject of a cyber-related incident
The vast majority of examined advisers (83%) have adopted written information security policies, and over half of them (57%) audit compliance with these policies
A high percentage of examined advisers report conducting firm-wide inventorying, cataloging or mapping of their technology resources
The vast majority of the examined advisers conduct periodic risk assessments
Almost all of the examined advisers (91%) made use of encryption in some form
Approximately half of the examined advisers (53%) are using external standards and other resources to model their information security architecture and processes
Approximately a third (32%) of the examined advisers require risk assessments of vendors with access to their networks
Approximately a quarter of examined advisers (24%) include cybersecurity requirements in contracts with vendors
Approximately a third of the examined advisers (30%) have an individual assigned as the firm’s Chief Information Security Officer
Written business continuity plans often address the impact of cyberattacks or intrusions, but only about half (51%) of adviser policies discuss mitigating cybersecurity incidents
Approximately a fifth of examined advisers (21%) maintain insurance that covers losses and expenses from cybersecurity incidents
Cybersecurity Threats
Sources of External Threats
Most common external cyber threats to financial services firms are hackers and organized criminals
Other external threats include:
Competitors
Activists/Hacktivists
Terrorists
Foreign Organizations
Foreign Nation States
Sources of Internal Threats
Most common internal cyber threats to financial services firms are current and former employees
Other internal threats include:
Current Service Providers/Contractors
Former Service Providers/Contractors
Suppliers/Business Partners
Social Media
Common Types of Attacks
Web App Attacks – Incidents in which a Web application was the point of the attack, typically through vulnerabilities in the source code
Insider and Privilege Abuse – Any unapproved or malicious use of organizational resources by insiders or service providers
Physical Theft and Loss – Any incident in which an information asset was lost, intentionally or not
Miscellaneous Errors – Accidental compromise of information security
Crimeware – Installation of malware on a computer or network with the goal to take control of systems or accounts
Cyber Espionage – Unauthorized access to a firm’s systems by nation states
Denial of Service Attacks – Attacks intended to limit the availability of a firm’s systems and networks
Spectrum of Cyber Attacks
Advanced Persistent Threats (“APT”)
Cybercriminals, exploits and malware
Denial of service attacks (“DDoS”)
Domain name hijacking
Corporate impersonation and phishing
Employee mobility and disgruntled employees
Lost or stolen laptops and mobile devices
Inadequate security and systems: third-party vendors
Advanced Persistent Threats
Targeted, persistent, evasive and advanced
Nation state sponsored
P.L.A. Unit 61398 “Comment Crew”
Advanced Persistent Threats
Gen. Keith B. Alexander, commander of United States Cyber Command and director of the National Security Agency, has said the attacks have resulted in the “greatest transfer of wealth in history.”
Source: New York Times, June 1, 2013.
Advanced Persistent Threats
Penetration: 67% of organizations admit that their current security activities are insufficient to stop a targeted attack.*
Duration: average = 356 days**
Discovery: external alerts; 55 percent are not even aware of intrusions*
*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html
**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”
Advanced Persistent Threats: Intrusion
Spear Phishing
Watering Hole Attack – relies on the insecurity of frequently visited websites
Infected Thumb Drive
Cybercriminals, Exploits and Malware
60,000 known software vulnerabilities
23 new zero-day exploits in 2014
Cybercriminals, Exploits and Malware: Ransomware
CryptoLocker
Law Enforcement Spoofing
Inadequate Security and Systems: Third-Party Vendors
Vendors with firm or client data
Vendors with password access
Vendors with direct system integration
New and Emerging Risks
Cloud Computing Risks
Exporting security function and control
Geographical uncertainty creates exposure to differences and ambiguities in civil and criminal legal standards in different jurisdictions
Risk of collateral damage - for example, the seizure by authorities of data center servers hosting information for a target firm, but also other firms not subject to the investigation
Mobile Device Risks
52% of mobile users store sensitive files online
24% of mobile users store work and personal info in same account
21% of mobile users share logins with families
Mobile malware
Insufficient mobile platform security
Social Media Risks
Consumer harm and reputational damage
Practical Steps to Enhance Cybersecurity Preparedness
Practical Next Steps for Advisers and Funds
1. Engage senior management and, if appropriate, the board of the adviser and any funds in the complex
2. Conduct a cybersecurity governance and risk assessment
3. Review and test the adequacy of existing compliance policies, business continuity plans, technical controls and other relevant procedures
4. Develop an incident response plan
5. Enhance employee training
6. Review vendor relationships
7. Review insurance coverage
8. Assess need for, and adequacy of, any public disclosures
9. Attend upcoming K&L Gates and Investment Adviser Association Cybersecurity Seminar Series programs
Cybersecurity Frameworks
Background on Cybersecurity Frameworks
Numerous organizations have published cybersecurity frameworks intended to provide guidance on protecting companies and other organizations against cybersecurity risks
There is no legal requirement that investment management firms follow a specific cybersecurity framework, but the SEC has cited cybersecurity frameworks with apparent approval
There is no one-size-fits-all approach
Companies and other organizations have unique risks and how they implement cybersecurity strategies and allocate resources will vary based on each firm’s critical activities
Sample Frameworks and Standards
National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity
International Organization for Standardization and International Electrotechnical Commission (“ISO/IEC”) 27001 and 27002
ISACA (formerly Information Systems Audit and Control Association) Control Objectives for Information and Related Technology (“COBIT”) 5
SANS Institute Critical Security Controls
GCHQ CESG Ten Steps to Cyber Security
NIST Framework
Voluntary, risk-based approach for evaluating cybersecurity preparedness and setting cybersecurity risk management priorities based on organizational goals, legal requirements, and industry practices
Frames cybersecurity issues in risk management terms that may be more understandable for decision-makers (i.e., whether a firm should mitigate, transfer, accept or avoid a risk)
NIST Framework has three major components: Framework Core, Framework Implementation Tiers and Framework Profiles
NIST Framework Core
The Framework Core divides cybersecurity activities into five major functions or areas of activity that firms should address:
Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities
Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
Key Cybersecurity Governance and Organizational Matters
Potential Governance Considerations
Define a governance framework appropriate for the firm’s size and risk exposure, including an information security policy
Ensure active senior management and board-level engagement on cybersecurity
Evaluate frameworks and technical standards
Explore the use of metrics and thresholds to inform governance processes
Ensure appropriate allocation of resources to manage cybersecurity risks
Perform regular cybersecurity risk assessments
Inclusive Organizational Approach
Cybersecurity typically requires involvement by representatives from different parts of the organization with relevant roles and job functions, including information technology, legal, compliance and risk
Cybersecurity should involve coordination among: senior management, the Chief Information Officer (or similar function), the Chief Legal Officer, the Chief Compliance Officer and the Chief Risk Officer (if any)
All information security responsibilities should be clearly defined
Information Security and Compliance Policies
Firms should establish an information security policy
Policy should outline the firm’s approach to managing information security, including the structure of risk assessment and risk management and an explanation of the security policies, principles, standards, and compliance requirements (including compliance with SEC and other relevant legal requirements)
The information security policy should be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness
Performance Measurement and Monitoring
Many firms use performance metrics and dashboards to monitor and assess cybersecurity risk, such as:
Incident Management (e.g., number and type)
Vulnerability Management (e.g., known vulnerabilities)
Patch Management (e.g., time to patch)
Application Security (e.g., number of applications)
Configuration Management (e.g., time to complete changes)
Financial Metrics (e.g., budget)
Cybersecurity Risk Assessments
Risk Assessment Practices
Identify and maintain an inventory of assets, systems and data types: physical devices and systems; software platforms and applications; network resources, connections and data flows; network connections from external sources; and logging capabilities
Assess internal and external threats
Review past cybersecurity incidents at the firm and in the industry
Obtain threat intelligence through security organizations (e.g., Financial Services Information Sharing and Analysis Center)
Use third party vendors to identify risks
Firms should conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors
Session 3 of the Cybersecurity Seminar Series on April 29 will address risk assessment and testing in additional detail
Example of a Risk Map
Inventorying Your Data
Risks to Data and Systems
Risks to data and systems can be classified into four general categories:
Risk of Disclosure
Risk of Modification
Risk of Unavailability
Risk of Destruction
Risk events may be triggered either intentionally (malicious) or unintentionally (accidental)
Risk events may come from internal or external sources
Example of a Threat Tree
Columns: Asset → Path → Actor → Trigger → Outcome
Asset: Information; Network
Internal / External branches (the Path and Actor columns)
Trigger: Intentional; Accidental (each branch splits into both)
Outcome: Disclosure; Modification; Unavailability; Destruction (each trigger branch leads to all four)
Each leaf of the tree is one risk scenario to assess.
Types of Sensitive Information
Client and Employee Information
Personal Identifying Information (PII): Name, Address, Social Security Number, Birth Date, Usernames, Passwords
Personal Financial Information (PFI): Account Numbers, Account Balances and Investments, Bank Routing and Account Numbers, Credit Card Numbers
Types of Sensitive Information
Company Information
Portfolio Strategy Information: Investment Process, Trading Strategies and Programs, Quantitative Models and Proprietary Research
Company Financial Information: Bank and Other Accounts, Revenues and Earnings, and Other Material Non-Public Information
Confidential Business Information: Strategic Plans, Intellectual Property, Board Documents, Legal Matters, Personnel Information
Company Systems Information: Systems Architecture, Trade Execution, Information Storage
Common Vulnerabilities
Examples of Exploitable Vulnerabilities
Connectivity: Websites, Twitter Feeds and Social Media, VPN and Other Remote Access
Software: Unpatched Software, Software with Known Vulnerabilities
Vendors and Service Providers: 3rd Parties with Your Data, IT Providers
People: Current and Past Employees
Control Points
Examples of areas in which a firm may add or make changes to its controls to reduce cyber threat exposure:
Data storage at vendors
Employee training
Data encryption
Employee access control
Patch and software updates
Privilege management
WiFi protection
E-mail content filtering
Customer access control
Hand-held device protection
Vendor access control
Web/URL filtering
Technical Controls: Access Control, Encryption and Penetration Testing
Technical Controls
Technical controls are used to protect firm software and hardware that stores and processes data, as well as the data itself
Examples of controls include:
Identity and access management
Data encryption
Penetration testing
Identity and Access Management
Establish appropriate controls to limit users’ access to the firm’s systems and data. Challenges can arise by employees:
Being granted inappropriate access upon hiring
Being allowed to carry over or accumulate privileges as they move from job to job within a company
Being allowed to expand their access without a compelling business need for that access
Having their credentials stolen and misused
Maintaining access after they leave the firm
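The periodic access review that catches the failure modes listed above, as an added example that is not part of the seminar materials: each account's provisioned entitlements are compared with a least-privilege baseline for the user's current role and with HR status, so that privilege carried over from a previous job, a terminated user who still holds access, and a segregation-of-duties conflict are flagged, and a revocation list is produced. The role names, baselines, toxic combination and user records are constructed assumptions; a real run would take the role and status from the HR system of record and the entitlements from the identity provider's export.

```python
"""Access-review check for privilege creep, orphaned accounts and
segregation-of-duties conflicts. Added example; all data is constructed."""
from dataclasses import dataclass, field

# Hypothetical least-privilege baseline: what each role actually needs.
ROLE_BASELINE = {
    "trader": {"oms-trade", "market-data"},
    "operations": {"oms-settle", "custodian-portal"},
    "compliance": {"surveillance-ro", "oms-readonly"},
}

# Hypothetical segregation-of-duties rule: nobody should be able to both
# enter a trade and settle it.
TOXIC_COMBINATIONS = [frozenset({"oms-trade", "oms-settle"})]


@dataclass
class User:
    uid: str
    role: str                                        # current role per HR
    active: bool                                     # False once HR records a departure
    entitlements: set = field(default_factory=set)   # as provisioned in the IdP


def review_access(users, baseline=ROLE_BASELINE, toxic=TOXIC_COMBINATIONS):
    """Compare provisioned entitlements with the role baseline and HR status.

    Returns a sorted list of (uid, finding, sorted entitlements) tuples:
      orphaned-account  -> departed user still holds entitlements
      excess-privilege  -> entitlements beyond the current role's baseline
      toxic-combination -> entitlements that together violate SoD
    """
    findings = []
    for u in users:
        if not u.active:
            if u.entitlements:
                findings.append((u.uid, "orphaned-account", sorted(u.entitlements)))
            continue
        excess = u.entitlements - baseline.get(u.role, set())
        if excess:
            findings.append((u.uid, "excess-privilege", sorted(excess)))
        for combo in toxic:
            if combo <= u.entitlements:
                findings.append((u.uid, "toxic-combination", sorted(combo)))
    return sorted(findings)


def revocation_plan(users, baseline=ROLE_BASELINE):
    """Map uid -> entitlements to remove so each account matches its baseline
    (everything, for departed users). Feed this to the IdP's deprovisioning."""
    plan = {}
    for u in users:
        remove = u.entitlements if not u.active else u.entitlements - baseline.get(u.role, set())
        if remove:
            plan[u.uid] = sorted(remove)
    return plan


# Constructed sample: alice moved from operations to trading and kept her old
# settlement access; bob left the firm but was never deprovisioned; carol is clean.
SAMPLE_USERS = [
    User("alice", "trader", True, {"oms-trade", "market-data", "oms-settle"}),
    User("bob", "operations", False, {"oms-settle", "custodian-portal"}),
    User("carol", "compliance", True, {"surveillance-ro", "oms-readonly"}),
]

if __name__ == "__main__":
    for uid, finding, detail in review_access(SAMPLE_USERS):
        print(f"{uid}: {finding} {detail}")
    print(revocation_plan(SAMPLE_USERS))
```

Run on the sample, the review reports alice for excess privilege and a toxic trade/settle combination and bob as an orphaned account; carol produces no finding. The baseline is deliberately role-based rather than per-user so that a job change automatically changes what counts as excess.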
Encryption
Encryption protects the confidentiality of data by ensuring that only approved users (users who hold the decryption key) can view the data. It does not, by itself, protect integrity: most encryption modes are malleable, so an attacker who cannot read the data may still be able to alter the ciphertext so that it decrypts to something different. Detecting such alteration requires an authentication tag, i.e., an authenticated encryption mode (such as AES-GCM) or a separate message authentication code that is checked before the data is used. The protection also depends on key management; a key stored alongside the data, or shared across the firm, gives little assurance.
Data-at-Rest vs. Data-in-Transit Encryption
Encryption of Portable Media (Laptops, USB Drives, Backup Tapes)
Encryption is a critically important and effective practice in a firm’s cybersecurity control arsenal.
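The malleability point above, as an added example that is not code from the seminar materials: a confidentiality-only stream cipher lets an attacker who knows the message layout, but not the key, rewrite a payment amount inside the ciphertext, while the same tampering is rejected once an HMAC over the ciphertext (encrypt-then-MAC) is checked first. The keystream construction (HMAC-SHA256 in counter mode, a stand-in so the file runs with only the standard library), the key and nonce sizes, the payment message and the `tamper` helper are assumptions made for the demonstration; a production system would use an AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
"""Encryption without an authentication tag is malleable. Added example;
the cipher is a toy and the message is constructed."""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream; stands in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: ciphertext = plaintext XOR keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


decrypt_unauthenticated = encrypt_unauthenticated  # XOR is its own inverse


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's bit-flip: XORing (old ^ new) into the ciphertext at a known
    offset changes the decrypted bytes from `old` to `new`. No key needed."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant-time compare) before producing any plaintext."""
    if len(blob) < TAG_LEN:
        raise ValueError("authentication failed: truncated")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return decrypt_unauthenticated(enc_key, nonce, ct)


def demo():
    """Return (plaintext recovered from the tampered unauthenticated ciphertext,
    whether the authenticated variant rejected the same tampering)."""
    enc_key, mac_key, nonce = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(16)
    msg = b"PAY 0100.00 USD TO ACCT 12345"  # constructed sample payment instruction
    off = msg.index(b"0100")                 # attacker knows the layout, not the key

    forged = tamper(encrypt_unauthenticated(enc_key, nonce, msg), off, b"0100", b"9100")
    malleable_result = decrypt_unauthenticated(enc_key, nonce, forged)

    forged_blob = tamper(encrypt_authenticated(enc_key, mac_key, nonce, msg), off, b"0100", b"9100")
    try:
        decrypt_authenticated(enc_key, mac_key, nonce, forged_blob)
        rejected = False
    except ValueError:
        rejected = True
    return malleable_result, rejected


if __name__ == "__main__":
    result, rejected = demo()
    print(result)    # the amount has silently changed
    print(rejected)  # True: the tag check caught the modification
```

The first half decrypts to a payment of 9100.00 even though the attacker never saw the key; the second half raises on the same ciphertext. Note that the tag is verified before decryption and with `hmac.compare_digest`, so neither the plaintext nor a timing side channel leaks on a bad tag.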
Penetration Testing
Penetration testing is a practice that simulates a real-world attack against a firm’s computer systems. It can be used to:
Assess susceptibility to certain types of attacks
Assess the magnitude of potential business and operational impacts of successful attacks
Test the ability of network defenders to successfully detect and respond to the attack
Provide evidence to support increased investments in security personnel and technology
Penetration testing considerations:
Broad vs. targeted
Find vs. exploit
External vs. internal
“Blackbox” vs. “Glassbox”
Secret vs. Open
Attorney-client privilege considerations for “pen testing”
Introduction to Incident Response Planning
Incident Response Planning
Firms should establish policies and procedures, as well as roles and responsibilities, for escalating and responding to cybersecurity incidents
Session 4 of the K&L Gates and Investment Adviser Association Cybersecurity Seminar Series on May 20 will address this topic in detail
Potential considerations in developing an incident response plan include:
Preparing for those types of incidents to which the firm is most likely to be subject (e.g., loss of customer PII, data corruption, DDoS attack, network intrusion, customer account intrusion or malware infection)
Responsiveness to the current threat assessment and vulnerabilities
Incident Response Planning
Containment and mitigation strategies for multiple incident types
Eradication and recovery plans for systems and data
Investigation and damage assessment
Preparation of communication and notification plans (e.g., customers, regulators, law enforcement, intelligence agencies, industry information sharing bodies)
Involvement in industry and firm-specific simulation exercises as appropriate to the role and scale of a firm’s business
Implementation of measures to maintain client confidence, including provision of credit monitoring for individuals whose personal information has been compromised; and reimbursement to customers for financial losses incurred
Assemble a response team of internal and external resources in advance
Introduction to Cybersecurity Insurance
Cybersecurity Insurance Coverage
Firms should evaluate cyber insurance as a means of transferring risk as part of their risk management processes
Firms that have cybersecurity coverage should conduct a periodic analysis of the adequacy of the coverage
Firms that do not have cyber insurance should evaluate the cyber insurance market to determine if coverage is available that would enhance the firm’s ability to manage the financial impact of cybersecurity events
79
Cybersecurity Insurance Coverage
Existing policies may include coverage for cybersecurity incidents, but it is likely that existing coverage will be very limited
Market for specialized policies providing broader protections for privacy and network security, crisis management, regulatory liability, network interruption, information asset coverage and extortion
Engage insurance coverage counsel
Session 4 of the K&L Gates and Investment Adviser Association Cybersecurity Seminar Series on May 20 will address this topic in detail
80
Compliance Policies, Disclosure and Training
Compliance Policies and Testing
IAA Rule 206(4)-7 and ICA Rule 38a-1 together require registered investment advisers and registered funds to (1) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, and (2) review annually the adequacy of such policies and procedures and the effectiveness of their implementation
Cybersecurity compliance policies and procedures that address requirements under the federal securities laws should be included in compliance programs and evaluated as part of the annual review. Such reviews may include:
Risk assessments, policy and procedure reviews, and service provider reviews
82
Disclosure
The SEC’s Division of Corporation Finance released guidance on cybersecurity disclosure for public companies in October 2011 (CF Disclosure Guidance: Topic No. 2)
There is no existing disclosure requirement that explicitly refers to cybersecurity risks and cyber incidents
Risk and other disclosure requirements, and general materiality standards, may impose an obligation on registrants to disclose cybersecurity risks and incidents
Advisers and funds should evaluate these standards in considering the appropriateness of cybersecurity risk disclosure in Form ADV and fund registration statements
83
Business Continuity Plans
Regulators are asking about how the business continuity plans for investment advisers, registered investment companies and broker-dealers address cyber related events
Backup if the network goes down because of a cyber-attack, hardware or software failure or a problem at a vendor
Integration of the cybersecurity incident response plan and the business continuity plan
Communications between IT and the business units
Post incident review and adjustments to the business continuity plan
84
Training
Employee training is very important because many types of cyberattacks rely on careless employees to gain access to sensitive systems
The following are examples of topics covered in employee training:
• Password security
• E-mail security
• Laptop and mobile device security
• Use of USB keys
85
Key Takeaways and Next Steps
Key Takeaways for Cybersecurity Programs
Reasonable measures
Appropriate to threat environment
Informed by experience
Calibrated to sensitivity of information protected
Continuous review and adjustment as necessary
87
Next Steps
1. Engage senior management and, if appropriate, the board of the adviser and any funds in the complex
2. Conduct a cybersecurity governance and risk assessment
3. Review and test the adequacy of existing compliance policies, business continuity plans, technical controls and other relevant procedures
4. Develop an incident response plan
5. Enhance employee training
6. Review vendor relationships
7. Review insurance coverage
8. Assess need for, and adequacy of, any public disclosures
9. Attend upcoming K&L Gates and Investment Adviser Association Cybersecurity Seminar Series programs
88
Speaker Contact Information
Mark C. Amorosi, Investment Management Partner, K&L Gates LLP
Jeffrey Bedser, CEO, iThreat Cyber Group, (609)
Laura L. Grossman, Assistant General Counsel, Investment Adviser Association, (202)
Andras P. Teleki, Investment Management Partner, K&L Gates LLP
E.J. Yerzak, Vice President of Technology, Ascendant Compliance Management, (203)
90
Additional Cybersecurity Resources
To access our firm’s additional cybersecurity-related recorded webinars, presentations, articles and checklists, please visit www.klgateshub.com.
91
THANK YOU