
Page 1: New Friday, February 27, 2015 Investment Management … · 2019. 6. 20. · Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program Session 2 (March

© Copyright 2015 by K&L Gates LLP. All rights reserved.

Investment Management Cybersecurity Series: Untangling the Gordian Knot – Where to Begin Building Your Cybersecurity Program

Mark C. Amorosi, Investment Management Partner, K&L Gates LLP
Jeffrey Bedser, CEO, iThreat Cyber Group
Laura L. Grossman, Assistant General Counsel, Investment Adviser Association
Andras P. Teleki, Investment Management Partner, K&L Gates LLP
E.J. Yerzak, Vice President of Technology, Ascendant Compliance Management

Friday, February 27, 2015

Page 2

Investment Management Cybersecurity Seminar Series Overview

Session 1 (Today): Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program

Session 2 (March 23, 2015): Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers

Session 3 (April 29, 2015): Testing Your Cybersecurity Infrastructure and Enforcement Related Developments

Session 4 (May 20, 2015): Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage

Session 5 (June 25, 2015): Building a Better Mousetrap – Evolving Trends in Cybersecurity Practices and Public Policy Developments

Page 3

Session 1 Topics

Understanding the business and legal environment relating to cybersecurity

Establishing a cybersecurity governance and risk management framework, including how to leverage existing policies and procedures such as Regulation S-P, Regulation S-ID, Massachusetts Information Security Regulations and business continuity plans

Establishing and maintaining a cybersecurity risk assessment program, including how to conduct an inventory of the adviser’s information technology systems, software, websites and interconnectivity

Implementing strategies to protect information technology systems, including technical controls around access management and encryption as well as regular penetration testing

Introduction to developing an incident response plan to manage a cybersecurity event

Oversight of third party vendors, staff training on cybersecurity risks and procedures, introduction to cyber insurance and involvement in cybersecurity information sharing networks

Page 4

Why Cybersecurity is Top of Mind for Investment Management Firms, Investors, Regulators and the General Public

Page 5

Page 6

Page 7

Source: Ponemon Institute LLC, Cost of Data Breach Study: Global Analysis (May 2014)

Page 8

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


Source: Ponemon Institute LLC, Global Report on the Cost of Cyber Crime (October 2014)

Page 9

Risks of a Cybersecurity Event

Clients or employees may suffer identity theft, fraud, and financial impacts (e.g., loss of funds, account information and personally identifiable information)

Firm may suffer fraud and financial impacts (e.g., loss of web presence and business, reimbursements and costs of correction)

Firm reputation and brand may suffer

Firm may incur regulatory fines and/or litigation expenses

Strategic business plans or intellectual property may be compromised

Page 10

Key Cybersecurity Facts for the Investment Management Industry

Financial services sector is among the most targeted sectors by cyber criminals

Financial services firms are experiencing year-over-year increases in the number of cybersecurity incidents

Regulators are increasing their focus on cybersecurity matters, including in the enforcement context

Private litigants (and the plaintiffs’ bar) continue to target firms that have experienced cybersecurity incidents

Firms are increasing the amount of resources dedicated to cybersecurity preparedness

Page 11

The Regulatory Framework

Page 12

Overview of the Federal Framework

Regulation S-P (including “Safeguards Rule”)

Regulation S-ID (Identity Theft Red Flags)

IAA Rule 206(4)-7 and ICA Rule 38a-1

IAA Rule 204-2(g) and ICA Rule 31a-2(f)

Business Continuity Plans

Suspicious Activity Reporting

CFTC Regulations, Part 160.30

Page 13

Regulation S-P – Key Component

“Safeguards Rule” -- Rule 30 of Regulation S-P

Applies to every investment adviser, investment company, broker and dealer registered with the SEC that has natural person clients

Requires firms to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information, reasonably designed to:

Ensure the security and confidentiality of customer records and information;

Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Page 14

Regulation S-P – Proposed Amendments

SEC proposed to amend Regulation S-P in 2008 to:

Impose new security breach response requirements

Expand the application of the “Safeguards Rule” to transfer agents registered with the SEC

Expand the scope of the current disposal of consumer report information and records requirements under Regulation S-P

The proposed amendments were never adopted or withdrawn but provide guidance regarding what the SEC was thinking about cybersecurity at the time and the potential direction of future SEC regulatory action in this area

Page 15

Regulation S-P – Proposed Amendments

Proposed amendments to Regulation S-P would have required:

Designating, in writing, which employee(s) are responsible for coordinating the program

Identifying, in writing, reasonably foreseeable internal and external risks to data and systems that could result in the compromise of such information or systems

Designing and implementing safeguards to control the risks identified and maintaining a written record of such safeguards

Testing the program on a regular basis and adjusting the program based on the testing, changes in technology and material changes to business operations or arrangements

Training staff to implement the program

Overseeing service providers and taking certain steps to ensure that service providers are properly safeguarding customer information

Page 16

Regulation S-ID – Key Components

Regulation S-ID focuses on protecting individuals from identity theft by requiring financial institutions to monitor for “red flags” that are indicative of identity theft or attempts at identity theft, which is a common cybercrime tactic

Regulation S-ID generally applies to investment advisers, investment companies, brokers and dealers registered with the SEC that maintain accounts for individuals in which the accountholder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others

Page 17

Regulation S-ID – Key Components

Regulation S-ID requires financial institutions to:

Implement an identity theft prevention program

Identify relevant “red flags” for covered accounts and incorporate those red flags into the program

Detect red flags that have been incorporated into the program

Respond appropriately to any red flags that are detected to prevent and mitigate identity theft

Ensure that the program (including the red flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the entity from identity theft

Page 18

IAA Rule 206(4)-7 and ICA Rule 38a-1

Rule 206(4)-7 requires each registered investment adviser to (1) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, and (2) review annually the adequacy of such policies and procedures and the effectiveness of their implementation

Rule 38a-1 requires every registered investment company to (1) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws by the fund, including policies and procedures that provide for the oversight of compliance by each investment adviser, principal underwriter, administrator, and transfer agent of the fund, and (2) review annually the adequacy of the policies and procedures of the fund and each investment adviser, principal underwriter, administrator and transfer agent and the effectiveness of their implementation

Cybersecurity compliance policies and procedures that address requirements under the federal securities laws should be included in compliance programs and evaluated as part of the annual review

Page 19

IAA Rule 204-2(g) and ICA Rule 31a-2(f)

Permit advisers, registered funds and third party service providers to such entities to maintain required books and records in electronic format

Require the recordkeeper to establish and maintain procedures to, among other things:

Maintain and preserve the records, so as to reasonably safeguard them from loss, alteration, or destruction

Limit access to the records to properly authorized personnel and the SEC and its staff

Page 20

Business Continuity Plans

The SEC has taken the position that compliance programs adopted pursuant to IAA Rule 206(4)-7 must include a reasonable process for responding to emergencies, contingencies, and disasters

The contingency planning process should be appropriately scaled, and reasonable in light of the facts and circumstances surrounding the adviser’s business operations and the commitments it has made to its clients

Business continuity plans should address relevant cybersecurity considerations

Page 21

Suspicious Activity Reporting

Suspicious Activity Reporting applies to financial institutions with AML programs

A transaction requires a SAR if it is conducted or attempted by, at, or through a financial institution, it involves funds or other assets with a value of $5,000 or more, and the financial institution knows, suspects, or has reason to suspect that the transaction (or a pattern of transactions):

(i) Involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity (including, without limitation, the ownership, nature, source, location, or control of such funds or assets) as part of a plan to violate or evade any Federal law or regulation or to avoid any transaction reporting requirement under Federal law or regulation;

Page 22

Suspicious Activity Reporting

(ii) Is designed, whether through structuring or other means, to evade any requirements of this chapter or any other regulations promulgated under the Bank Secrecy Act;

(iii) Has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the financial institution knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction; or

(iv) Involves use of the financial institution to facilitate criminal activity.

A SAR filing may be required where there is a financial loss resulting from a cyber-attack; SARs are sometimes filed even if there is no discernible dollar value at the time of the loss

Page 23

CFTC Regulations – Part 160.30

CFTC Regulation, Part 160.30 is comparable to the SEC Safeguards Rule

Applies to every commodity pool operator, commodity trading advisor, futures commission merchant, retail foreign exchange dealer, introducing broker, major swap participant, and swap dealer subject to CFTC jurisdiction

Requires firms to adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information, reasonably designed to:

Ensure the security and confidentiality of customer records and information;

Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Page 24

CFTC Regulations – Part 160.30

CFTC Staff Advisory No. 14-21 (Feb. 26, 2014) lists best practices:

Designate a specific employee with privacy and security responsibilities who is part of or reports directly to senior management or the board

Identify, in writing, all reasonably foreseeable internal and external risks to data and systems

Design and implement safeguards to control the identified risks, and maintain a written record of such designs

Train staff to implement the program

Regularly test and monitor the safeguards

At least once every two years, arrange for an independent party to test and monitor the safeguards

Oversee service providers by: (1) taking reasonable steps to retain firms able to maintain appropriate safeguards; and (2) contractually requiring firms to implement and maintain appropriate safeguards

Regularly evaluate and adjust the program in light of assessments and circumstances that may materially impact the program

Design and implement policies and procedures for responding to a security incident (including notification to the CFTC and affected individuals in certain cases)

Provide the board of directors an annual assessment of and report on the program

CFTC and NFA staff have identified cybersecurity as a focus area for 2015, including in potential examinations

Page 25

Overview of State Law Framework

Practically every state has enacted laws relating to cybersecurity

State requirements follow two general approaches:

Some states require information security programs; Massachusetts’ approach requires specific elements (e.g., firewalls, security patches, malware protection, secure authentication)

Some states (e.g., California) impose notice requirements in connection with data breaches

Page 26

Regulatory Trends

State notification requirements in the event of a data breach or loss of customer-related information

Notification thresholds and requirements vary state by state; any loss of data must be reviewed on a state-by-state basis

Interest in development of a federal standard for breach notification across industries

Page 27

Fiduciary Considerations

Investment advisers, board members and senior management are subject to fiduciary duties of care and loyalty to monitor corporate affairs with an eye toward preventing harm to the company and to clients to whom duties are owed

Fiduciary responsibilities generally extend to cybersecurity-related matters

Session 2 of the K&L Gates and Investment Adviser Association Cybersecurity Seminar Series on March 23 will address this topic in more detail

Page 28

What Others are Doing: Insights from the SEC Cybersecurity Sweep Exams

Page 29

SEC Cybersecurity Sweep Exam Initiative

The SEC’s Office of Compliance Inspections and Examinations examined 49 registered investment advisers and 57 registered broker-dealers in 2014 as part of its Cybersecurity Exam Initiative and issued a Risk Alert summarizing its observations in February 2015. Primary observations included:

Most advisers (74%) reported that they have been the subject of a cyber-related incident

The vast majority of examined advisers (83%) have adopted written information security policies, and over half of them (57%) audit compliance with these policies

A high percentage of examined advisers report conducting firm-wide inventorying, cataloging or mapping of their technology resources

The vast majority of the examined advisers conduct periodic risk assessments

Almost all of the examined advisers (91%) made use of encryption in some form

Approximately half of the examined advisers (53%) are using external standards and other resources to model their information security architecture and processes

Approximately a third (32%) of the examined advisers require risk assessments of vendors with access to their networks

Approximately a quarter of examined advisers (24%) include cybersecurity requirements in contracts with vendors

Approximately a third of the examined advisers (30%) have an individual assigned as the firm’s Chief Information Security Officer

Written business continuity plans often address the impact of cyberattacks or intrusions, but only about half (51%) of adviser policies discuss mitigating cybersecurity incidents

Approximately a fifth of examined advisers (21%) maintain insurance that covers losses and expenses from cybersecurity incidents

Page 30

Cybersecurity Threats

Page 31

Sources of External Threats

Most common external cyber threats to financial services firms are hackers and organized criminals

Other external threats include:

Competitors

Activists/Hacktivists

Terrorists

Foreign Organizations

Foreign Nation States

Page 32

Sources of Internal Threats

Most common internal cyber threats to financial services firms are current and former employees

Other internal threats include:

Current Service Providers/Contractors

Former Service Providers/Contractors

Suppliers/Business Partners

Social Media

Page 33

Common Types of Attacks

Web App Attacks – Incidents in which a Web application was the point of the attack, typically through vulnerabilities in the source code

Insider and Privilege Abuse – Any unapproved or malicious use of organizational resources by insiders or service providers

Physical Theft and Loss – Any incident in which an information asset was lost, intentionally or not

Miscellaneous Errors – Accidental compromise of information security

Crimeware – Installation of malware on a computer or network with the goal to take control of systems or accounts

Cyber Espionage – Unauthorized access to a firm’s systems by nation states

Denial of Service Attacks – Attacks intended to limit the availability of a firm’s systems and networks

Page 34

Spectrum of Cyber Attacks

Advanced Persistent Threats (“APT”)

Cybercriminals, exploits and malware

Distributed denial of service attacks (“DDoS”)

Domain name hijacking

Corporate impersonation and phishing

Employee mobility and disgruntled employees

Lost or stolen laptops and mobile devices

Inadequate security and systems: third-party vendors

Page 35

Advanced Persistent Threats

Targeted, persistent, evasive and advanced

Nation state sponsored

P.L.A. Unit 61398 (“Comment Crew”)

Page 36

Advanced Persistent Threats

Gen. Keith B. Alexander, commander of United States Cyber Command and director of the National Security Agency, has said the attacks have resulted in the “greatest transfer of wealth in history.”

Source: New York Times, June 1, 2013.

Page 37

Advanced Persistent Threats

Penetration: 67% of organizations admit that their current security activities are insufficient to stop a targeted attack.*

Duration: average = 356 days**

Discovery: external alerts; 55 percent are not even aware of intrusions*

*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html

**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”

Page 38

Advanced Persistent Threats: Intrusion

Spear Phishing

Watering Hole Attack – relies on the insecurity of frequently visited websites

Infected Thumb Drive

*Source: Trend Micro, USA. http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html

**Source: Mandiant, “APT1, Exposing One of China’s Cyber Espionage Units”

Page 39

Cybercriminals, Exploits and Malware

Page 40

Cybercriminals, Exploits and Malware

60,000 known software vulnerabilities

23 new zero-day exploits in 2014

Page 41

Cybercriminals, Exploits and Malware – Ransomware

CryptoLocker

Law Enforcement Spoofing

Page 42

Inadequate Security and Systems: Third-Party Vendors

Vendors with firm or client data

Vendors with password access

Vendors with direct system integration

Page 43

New and Emerging Risks

Page 44

Cloud Computing Risks

Exporting security function and control

Geographical uncertainty creates exposure to differences and ambiguities in civil and criminal legal standards in different jurisdictions

Risk of collateral damage - for example, the seizure by authorities of data center servers hosting information for a target firm, but also other firms not subject to the investigation

Page 45

Mobile Device Risks

52% of mobile users store sensitive files online

24% of mobile users store work and personal info in same account

21% of mobile users share logins with families

Mobile malware

Insufficient mobile platform security

Page 46

Social Media Risks

Consumer harm and reputational damage

Page 47

Practical Steps to Enhance Cybersecurity Preparedness

Page 48

Practical Next Steps for Advisers and Funds

1. Engage senior management and, if appropriate, the board of the adviser and any funds in the complex

2. Conduct a cybersecurity governance and risk assessment

3. Review and test the adequacy of existing compliance policies, business continuity plans, technical controls and other relevant procedures

4. Develop an incident response plan

5. Enhance employee training

6. Review vendor relationships

7. Review insurance coverage

8. Assess need for, and adequacy of, any public disclosures

9. Attend upcoming K&L Gates and Investment Adviser Association Cybersecurity Seminar Series programs

Page 49

Cybersecurity Frameworks

Page 50

Background on Cybersecurity Frameworks

Numerous organizations have published cybersecurity frameworks intended to provide guidance on protecting companies and other organizations against cybersecurity risks

There is no legal requirement that investment management firms follow a specific cybersecurity framework, but the SEC has cited cybersecurity frameworks with apparent approval

There is no one size fits all approach

Companies and other organizations have unique risks and how they implement cybersecurity strategies and allocate resources will vary based on each firm’s critical activities

Page 51

Sample Frameworks and Standards National Institute of Standards and Technology (“NIST”)

Framework for Improving Critical Infrastructure Cybersecurity

International Organization for Standardization and International Electrotechnical Commission Information Technology 27001 and 27002 Framework

ISACA (fka International Systems Audit and Control Association) Control Objectives for Information and Related Technology (“COBIT”) 5

SANS Institute Critical Security Controls

GCHQ CESG Ten Steps to Cybersecurity

51

NIST Framework

• Voluntary, risk-based approach for evaluating cybersecurity preparedness and setting cybersecurity risk management priorities based on organizational goals, legal requirements, and industry practices
• Frames cybersecurity issues in risk management terms that may be more understandable for decision-makers (i.e., whether a firm should mitigate, transfer, accept or avoid a risk)
• The NIST Framework has three major components: the Framework Core, the Framework Implementation Tiers and the Framework Profiles

NIST Framework Core

The Framework Core divides cybersecurity activities into five major functions, or areas of activity, that firms should address:

• Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities
• Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
• Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
• Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
• Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event


Key Cybersecurity Governance and Organizational Matters

Potential Governance Considerations

• Define a governance framework appropriate for the firm's size and risk exposure, including an information security policy
• Ensure active senior management and board-level engagement on cybersecurity
• Evaluate frameworks and technical standards
• Explore the use of metrics and thresholds to inform governance processes
• Ensure appropriate allocation of resources to manage cybersecurity risks
• Perform regular cybersecurity risk assessments

Inclusive Organizational Approach

• Cybersecurity typically requires involvement by representatives from different parts of the organization with relevant roles and job functions, including information technology, legal, compliance and risk
• Cybersecurity should involve coordination among: senior management; the Chief Information Officer (or similar function); the Chief Legal Officer; the Chief Compliance Officer; and the Chief Risk Officer (if any)
• All information security responsibilities should be clearly defined

Information Security and Compliance Policies

• Firms should establish an information security policy
• The policy should outline the firm's approach to managing information security, including the structure of risk assessment and risk management and an explanation of the security policies, principles, standards, and compliance requirements (including compliance with SEC and other relevant legal requirements)
• The information security policy should be reviewed at planned intervals, or when significant changes occur, to ensure its continuing suitability, adequacy, and effectiveness

Performance Measurement and Monitoring

Many firms use performance metrics and dashboards to monitor and assess cybersecurity risk, such as:

• Incident Management (e.g., number and type of incidents)
• Vulnerability Management (e.g., number and age of known, unremediated vulnerabilities)
• Patch Management (e.g., time to patch)
• Application Security (e.g., number of applications in scope and assessed)
• Configuration Management (e.g., time to complete changes)
• Financial Metrics (e.g., budget)


Cybersecurity Risk Assessments

Risk Assessment Practices

• Identify and maintain an inventory of assets, systems and data types: physical devices and systems; software platforms and applications; network resources, connections and data flows; network connections from external sources; and logging capabilities
• Assess internal and external threats:
  - Review past cybersecurity incidents at the firm and in the industry
  - Obtain threat intelligence through security organizations (e.g., the Financial Services Information Sharing and Analysis Center, FS-ISAC)
  - Use third-party vendors to identify risks
• Firms should conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors
• Session 3 of the Cybersecurity Seminar Series on April 29 will address risk assessment and testing in additional detail

Example of a Risk Map (figure not reproduced in this extract)


Inventorying Your Data

Risks to Data and Systems

Risks to data and systems can be classified into four general categories:

• Risk of Disclosure
• Risk of Modification
• Risk of Unavailability
• Risk of Destruction

Risk events may be triggered either intentionally (malicious) or unintentionally (accidental), and may come from internal or external sources

Example of a Threat Tree (figure, rendered here as text)

Columns: Asset -> Path -> Actor -> Trigger -> Outcome

Information (asset)
  Network (path)
    Internal actor
      Intentional -> Disclosure, Modification, Unavailability, Destruction
      Accidental  -> Disclosure, Modification, Unavailability, Destruction
    External actor
      Intentional -> Disclosure, Modification, Unavailability, Destruction
      Accidental  -> Disclosure, Modification, Unavailability, Destruction

Types of Sensitive Information

Client and Employee Information

• Personal Identifying Information (PII): name, address, Social Security number, birth date, usernames, passwords
• Personal Financial Information (PFI): account numbers, account balances and investments, bank routing and account numbers, credit card numbers

Types of Sensitive Information

Company Information

• Portfolio Strategy Information: investment process, trading strategies and programs, quantitative models and proprietary research
• Company Financial Information: bank and other accounts, revenues and earnings, and other material non-public information
• Confidential Business Information: strategic plans, intellectual property, board documents, legal matters, personnel information
• Company Systems Information: systems architecture, trade execution, information storage


Common Vulnerabilities

Examples of Exploitable Vulnerabilities

• Connectivity: websites, Twitter feeds and social media, VPN and other remote access
• Software: unpatched software, software with known vulnerabilities
• Vendors and Service Providers: third parties holding your data, IT providers
• People: current and past employees

Control Points

Examples of areas in which a firm may add or make changes to its controls to reduce cyber threat exposure:

• Data storage at vendors
• Employee training
• Data encryption
• Employee access control
• Patch and software updates
• Privilege management
• WiFi protection
• E-mail content filtering
• Customer access control
• Hand-held device protection
• Vendor access control
• Web/URL filtering


Technical Controls: Access Control, Encryption and Penetration Testing

Technical Controls

• Technical controls are used to protect the firm's software and hardware that store and process data, as well as the data itself
• Examples of controls include: identity and access management; data encryption; penetration testing

Identity and Access Management

Establish appropriate controls to limit users' access to the firm's systems and data. Challenges can arise from employees:

• Being granted inappropriate access upon hiring
• Being allowed to carry over or accumulate privileges as they move from job to job within a company
• Being allowed to expand their access without a compelling business need for that access
• Having their credentials stolen and misused
• Maintaining access after they leave the firm
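The access failures listed above (inappropriate grants, privilege carried over between jobs, accounts that outlive their owner's employment) are what a periodic entitlement reconciliation against HR is meant to catch. The following is an added example, not code from the presentation or from any of the speakers' firms: the role baseline, the HR roster and the entitlement export are constructed for illustration, and a real review would pull them from the firm's HR system and its directory or IAM tooling.

```python
from dataclasses import dataclass

# Constructed least-privilege baseline: the entitlements each role legitimately
# needs. A real firm derives this from its own role model (assumption).
ROLE_BASELINE = {
    "trader":   {"oms_trade", "market_data"},
    "ops":      {"oms_view", "custodian_portal"},
    "it_admin": {"ad_domain_admin", "vpn"},
}


@dataclass(frozen=True)
class Worker:
    """One HR record: current role, employment status, and roles held before."""
    user: str
    role: str
    status: str                 # "active" or "terminated"
    prior_roles: tuple = ()


@dataclass(frozen=True)
class Entitlement:
    """One row of an IAM/directory export: who holds what."""
    user: str
    name: str


def review_access(workers, entitlements):
    """Reconcile entitlements against HR. Returns (user, entitlement, finding) triples.

    Findings map to the failure modes on the slide:
      - "active entitlement after termination": a leaver still has access
      - "carried over from prior role": privilege accumulated across job changes
      - "outside role baseline": a grant no current or prior role justifies
      - "orphan: no HR record": an account with no owner in HR at all
    """
    by_user = {w.user: w for w in workers}
    findings = []
    for e in sorted(entitlements, key=lambda e: (e.user, e.name)):
        w = by_user.get(e.user)
        if w is None:
            findings.append((e.user, e.name, "orphan: no HR record"))
        elif w.status == "terminated":
            findings.append((e.user, e.name, "active entitlement after termination"))
        elif e.name in ROLE_BASELINE.get(w.role, set()):
            continue                                  # justified by current role
        elif any(e.name in ROLE_BASELINE.get(r, set()) for r in w.prior_roles):
            findings.append((e.user, e.name, "carried over from prior role"))
        else:
            findings.append((e.user, e.name, "outside role baseline"))
    return findings


# Constructed sample data (not real accounts): an HR roster and an entitlement export.
WORKERS = [
    Worker("alice", "trader", "active", prior_roles=("ops",)),
    Worker("bob", "ops", "terminated"),
    Worker("carol", "it_admin", "active"),
]
ENTITLEMENTS = [
    Entitlement("alice", "oms_trade"),
    Entitlement("alice", "market_data"),
    Entitlement("alice", "custodian_portal"),   # left over from her ops role
    Entitlement("alice", "ad_domain_admin"),    # no role of hers needs this
    Entitlement("bob", "oms_view"),             # bob has left the firm
    Entitlement("carol", "ad_domain_admin"),
    Entitlement("carol", "vpn"),
    Entitlement("dave", "vpn"),                 # nobody in HR owns this account
]


def sample_findings():
    """Run the review over the constructed data."""
    return review_access(WORKERS, ENTITLEMENTS)


if __name__ == "__main__":
    for user, ent, finding in sample_findings():
        print(f"{user:6} {ent:18} {finding}")
```

The review deliberately distinguishes carry-over from unexplained grants, because the remediation differs: carry-over is fixed by revoking at the moment of role change (a mover process), while a grant that no role ever justified points at the approval workflow itself. Orphan accounts and leaver access are the findings to act on first, since nobody is accountable for them.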

Encryption

• Encryption protects the confidentiality of data by ensuring that only approved users (those who hold the decryption key) can read it
• Encryption alone does not protect integrity: with common stream and counter modes, an attacker who cannot read the ciphertext can still flip bits so that it decrypts to a different, predictable message. Integrity requires an authenticated encryption mode (e.g., AES-GCM) or a separate message authentication code, with the tag verified before the decrypted data is used
• Data-at-rest vs. data-in-transit encryption
• Encryption of portable media (laptops, USB drives, backup tapes)
• Key management matters as much as the algorithm: encrypted data is only as protected as its keys, so keys should be stored apart from the data they protect and access to them restricted
• Encryption is a critically important and effective practice in a firm's cybersecurity control arsenal
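The encryption slide above presents unreadable ciphertext as also being unalterable. That holds only when an authentication tag is checked. Here is an added example, not part of the presentation and not code from any of the speakers' organisations, showing a bit-flip on an unauthenticated ciphertext and the encrypt-then-MAC construction that rejects it. To run on the Python standard library alone it uses a constructed HMAC-SHA256 keystream as a stand-in for a real counter-mode cipher such as AES-CTR; the keys, nonce and wire message are fixed, constructed values. Production code should use a vetted authenticated mode (AES-GCM or ChaCha20-Poly1305) from a maintained library rather than this construction.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived with HMAC-SHA256.

    Assumption: this stands in for a real stream/CTR cipher so the example runs
    on the standard library. The malleability shown below is a property of
    every XOR-based mode, not of this stand-in.
    """
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: ciphertext = plaintext XOR keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker edit with no key: knowing the plaintext bytes `old` sit at
    `offset`, XOR in (old ^ new) so the victim decrypts `new` instead."""
    end = offset + len(old)
    patched = xor(xor(ciphertext[offset:end], old), new)
    return ciphertext[:offset] + patched + ciphertext[end:]


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: authenticate nonce + ciphertext under a separate key."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag in constant time before touching the ciphertext.
    Returns the plaintext, or None if the blob was modified in any way."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(enc_key, nonce, ct)


# Constructed, fixed keys and nonce so the run is deterministic. Real systems
# use random keys and never reuse a nonce under the same key.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = b"\x00" * 16
MESSAGE = b"WIRE;ACCT=123456;AMOUNT=0001000.00"   # constructed wire instruction


def demo():
    off = MESSAGE.index(b"0001000")
    # 1. Encryption alone: the attacker cannot read the ciphertext...
    ct = encrypt(ENC_KEY, NONCE, MESSAGE)
    # ...but can still turn a 1,000 wire into a 9,000 one without the key.
    forged = decrypt(ENC_KEY, NONCE, flip_field(ct, off, b"0001000", b"0009000"))
    # 2. Encrypt-then-MAC: the same edit is detected and the message rejected.
    blob = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    tampered = blob[:16] + flip_field(blob[16:-32], off, b"0001000", b"0009000") + blob[-32:]
    return {
        "forged_plaintext": forged,
        "authentic_roundtrip": open_sealed(ENC_KEY, MAC_KEY, blob),
        "tampered_rejected": open_sealed(ENC_KEY, MAC_KEY, tampered) is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Two design points carry over to real deployments: the MAC key is separate from the encryption key, and the tag is checked with a constant-time comparison before any decryption happens, so a tampered blob is rejected without leaking timing or partial plaintext.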

Penetration Testing

Penetration testing is a practice that simulates a real-world attack against a firm's computer systems. It can be used to:

• Assess susceptibility to certain types of attacks
• Assess the magnitude of potential business and operational impacts of successful attacks
• Test the ability of network defenders to detect and respond to the attack
• Provide evidence to support increased investments in security personnel and technology

Penetration testing considerations:

• Broad vs. targeted scope
• Find (identify and report) vs. exploit (demonstrate impact)
• External vs. internal starting point
• "Blackbox" (testers given no prior knowledge) vs. "glassbox" (testers given full knowledge of the environment)
• Secret (defenders not told) vs. open
• Attorney-client privilege considerations for "pen testing"


Introduction to Incident Response Planning

Incident Response Planning

• Firms should establish policies and procedures, as well as roles and responsibilities, for escalating and responding to cybersecurity incidents
• Session 4 of the K&L Gates and Investment Adviser Association Cybersecurity Seminar Series on May 20 will address this topic in detail
• Potential considerations in developing an incident response plan include:
  - Preparing for those types of incidents to which the firm is most likely to be subject (e.g., loss of customer PII, data corruption, DDoS attack, network intrusion, customer account intrusion or malware infection)
  - Keeping the plan responsive to the current threat assessment and known vulnerabilities

Incident Response Planning (continued)

  - Containment and mitigation strategies for multiple incident types
  - Eradication and recovery plans for systems and data
  - Investigation and damage assessment
  - Preparation of communication and notification plans (e.g., customers, regulators, law enforcement, intelligence agencies, industry information sharing bodies)
  - Involvement in industry and firm-specific simulation exercises as appropriate to the role and scale of a firm's business
  - Implementation of measures to maintain client confidence, including provision of credit monitoring for individuals whose personal information has been compromised, and reimbursement to customers for financial losses incurred
• Assemble a response team of internal and external resources in advance


Introduction to Cybersecurity Insurance

Cybersecurity Insurance Coverage

• Firms should evaluate cyber insurance as a means of transferring risk as part of their risk management processes
• Firms that have cybersecurity coverage should conduct a periodic analysis of the adequacy of the coverage
• Firms that do not have cyber insurance should evaluate the cyber insurance market to determine if coverage is available that would enhance the firm's ability to manage the financial impact of cybersecurity events

Cybersecurity Insurance Coverage (continued)

• Existing policies may include coverage for cybersecurity incidents, but it is likely that existing coverage will be very limited
• A market exists for specialized policies providing broader protections for privacy and network security, crisis management, regulatory liability, network interruption, information asset coverage and extortion
• Engage insurance coverage counsel
• Session 4 of the K&L Gates and Investment Adviser Association Cybersecurity Seminar Series on May 20 will address this topic in detail


Compliance Policies, Disclosure and Training

Compliance Policies and Testing

• Advisers Act Rule 206(4)-7 and Investment Company Act Rule 38a-1 together require registered investment advisers and registered funds to (1) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, and (2) review annually the adequacy of such policies and procedures and the effectiveness of their implementation
• Cybersecurity compliance policies and procedures that address requirements under the federal securities laws should be included in compliance programs and evaluated as part of the annual review. Such reviews may include risk assessments, policy and procedure reviews, and service provider reviews

Disclosure

• The SEC's Division of Corporation Finance released guidance on cybersecurity disclosure for public companies in October 2011 (CF Disclosure Guidance: Topic No. 2)
• There is no existing disclosure requirement that explicitly refers to cybersecurity risks and cyber incidents
• Risk and other disclosure requirements, and general materiality standards, may nonetheless impose an obligation on registrants to disclose cybersecurity risks and incidents
• Advisers and funds should evaluate these standards in considering the appropriateness of cybersecurity risk disclosure in Form ADV and fund registration statements

Business Continuity Plans

• Regulators are asking how the business continuity plans of investment advisers, registered investment companies and broker-dealers address cyber-related events
• Backup if the network goes down because of a cyber-attack, hardware or software failure, or a problem at a vendor
• Integration of the cybersecurity incident response plan and the business continuity plan
• Communications between IT and the business units
• Post-incident review and adjustments to the business continuity plan

Training

Employee training is very important because many types of cyberattacks rely on careless employees to gain access to sensitive systems.

The following are examples of topics covered in employee training:

• Password security
• E-mail security
• Laptop and mobile device security
• Use of USB keys


Key Takeaways and Next Steps

Key Takeaways for Cybersecurity Programs

• Reasonable measures
• Appropriate to the threat environment
• Informed by experience
• Calibrated to the sensitivity of the information protected
• Continuous review and adjustment as necessary

Next Steps

1. Engage senior management and, if appropriate, the board of the adviser and any funds in the complex
2. Conduct a cybersecurity governance and risk assessment
3. Review and test the adequacy of existing compliance policies, business continuity plans, technical controls and other relevant procedures
4. Develop an incident response plan
5. Enhance employee training
6. Review vendor relationships
7. Review insurance coverage
8. Assess the need for, and adequacy of, any public disclosures
9. Attend upcoming K&L Gates and Investment Adviser Association Cybersecurity Seminar Series programs

Cybersecurity Seminar Series Overview

• Session 1 (Today): Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program
• Session 2 (March 23, 2015): Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers
• Session 3 (April 29, 2015): Testing Your Cybersecurity Infrastructure and Enforcement Related Developments
• Session 4 (May 20, 2015): Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage
• Session 5 (June 25, 2015): Building a Better Mousetrap – Evolving Trends in Cybersecurity Practices and Public Policy Developments

Speaker Contact Information

Mark C. Amorosi, Investment Management Partner, K&L Gates LLP
[email protected]

Jeffrey Bedser, CEO, iThreat Cyber Group
(609) [email protected]

Laura L. Grossman, Assistant General Counsel, Investment Adviser Association
(202) [email protected]

Andras P. Teleki, Investment Management Partner, K&L Gates LLP
[email protected]

E.J. Yerzak, Vice President of Technology, Ascendant Compliance Management
(203) [email protected]

Additional Cybersecurity Resources

To access our firm's additional cybersecurity-related recorded webinars, presentations, articles and checklists, please visit www.klgateshub.com.


THANK YOU
