Presentation for FPANJ Spring 2015 Conference
Slide 1. Cyber Security
FPANJ Spring Conference 2015

Slide 2. Threat is Real

Slide 3. Who Needs A Gun?
- May cost Sony $100 million
- Leaked personal information
  • Sensitive emails
  • What actor wants to do business with Sony?
- Operations severely hampered
- Exposure of trade secrets
- Target cost $148 million
  • 1 to 3 million credit card numbers stolen
  • plus millions of customers' information

Slide 4. Hackers Compromised 76 Million Household Accounts
October 15, 2014

Slide 5. Passwords
- A joke about passwords has won a competition for the funniest joke at the Edinburgh Fringe.
- What would be a great password that is eight characters long?

Slide 6. Answer

Slide 7. Cyber Security Is No Joke
- Reuters - Thu Apr 23, 2015 12:26pm EDT
- U.S. House passes second 'threat-sharing' cybersecurity bill
  • The U.S. House of Representatives voted overwhelmingly on Thursday to pass a bill that extends liability protection for companies that share information about cyber attacks, if they give the data to the U.S. Department of Homeland Security.

Slide 8. What are the Regulators Doing?
- SEC held a Cyber Security Roundtable in March 2014
- Former SEC Commissioner Luis Aguilar
  • He was particularly concerned about capital markets and regulated entities.
  • A cyber-attack on an exchange or a market participant can have broad consequences that impact public companies and investors.

Slide 9. SEC Roundtable
- SEC Chairperson Mary Jo White
  • Cybersecurity threats are real
    – Criminals and hired hackers
    – Terrorists
    – State-sponsored intruders
    – Misguided computer experts
  • Resources devoted to cyber-based threats will eclipse resources devoted to terrorism.
  • 2011 SEC Guidance to Public Companies

Slide 10. SEC Roundtable
- Proposed rule on Regulation Systems, Compliance and Integrity was adopted in 2015
  • Requires certain entities, SROs and large alternative trading platforms, to test their vulnerabilities, test their business continuity and disaster recovery plans, and notify the SEC of cyber intrusions.
  • SEC is now considering whether to adopt a similar rule for other regulated entities.

Slide 11. SEC Cyber Security Activities
- April 14, 2014: SEC issued a National Exam Program Risk Alert
- Office of Compliance Inspections and Examinations ("OCIE")
  • SEC will inspect 50 broker dealers and registered investment advisors

Slide 12. SEC Cyber Activities
- 2014: SEC published a sample list of requests for information that OCIE may use in conducting examinations regarding cyber security.
  • Identification of Risks/Cybersecurity Governance
  • Protection of Firm Networks and Information
  • Risks Associated with Remote Customer Access and Funds Transfer Requests

Slide 13. SEC Cyber Activities Continued
  • Risks Associated with Vendors and Other Third Parties
  • Detection of Unauthorized Activity
  • Experiences with certain cybersecurity threats
    – Does the firm have an updated supervisory procedure to reflect the Identity Theft Red Flags Rules?
    – Regulation S-ID

Slide 14. SEC Cyber Activities Continued
- SEC Examination Priorities Letter of January 9, 2014 did not mention cyber security.
- SEC Examination Priorities Letter for 2015 specifically referenced expanding its cyber security examinations.

Slide 15. SEC Cyber Activities Continued
- February 3, 2015: SEC issues a National Exam Program Risk Alert
  • Cyber Security Examination Sweep Summary
  • Summary of observations
    – Examined 57 broker dealers
    – Examined 49 RIAs
  • Vast majority have adopted written information security policies.
    – Business continuity plans often address the impact of a cyber attack.

Slide 16. SEC Cyber Activities Continued
    – Policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents.
    – Many firms are utilizing external standards.
  • Vast majority of firms conduct periodic risk assessments.
    – Fewer firms apply these requirements to their vendors.
  • A vast majority of the firms have been subject to a cyber attack.

Slide 17. SEC Cyber Activities Continued
  • Many firms identify best practices through information sharing networks
    – Financial Services Information Sharing and Analysis Center: https://www.fsisac.com/
  • Firms inventory, catalogue, and map their technology resources.
  • Most brokers incorporate requirements relating to cybersecurity risks in their 3rd party vendor contracts.

Slide 18. SEC Cyber Activities Continued
  • A minority of RIAs incorporate requirements relating to cybersecurity risks in their 3rd party vendor contracts.
  • Almost all the brokers and RIAs use encryption.
  • Over 50% of the brokers examined have a Chief Information Security Officer ("CISO").
  • Less than 50% of the RIAs examined have a CISO.
  • Use of cybersecurity insurance varied.

Slide 19. FINRA
- Issued a Report on Cybersecurity Practices in February 2015
- Key points in the Report
  • A sound governance framework with strong leadership is essential.
  • Risk assessments serve as foundational tools to understand cybersecurity risks.
  • Technical controls are highly contingent on the firm's individual situation.

Slide 20. FINRA Continued
  • Firms should develop, implement and test response plans.
    – Containment and mitigation, eradication and recovery, investigation, notification and making customers whole.
  • Firms should manage cybersecurity risks and exposures when providing vendors with access to sensitive firm or client information.
  • Well-trained staff are critical.
  • Take advantage of information sharing networks.

Slide 21. SEC Cybersecurity Enforcement Activities
- Generally, SEC in comment letters requires public companies to disclose past cyber incidents.
- Public companies are increasingly disclosing and discussing cyber risks.
- SEC currently has a number of enforcement investigations involving data breach events.
- SEC noted that cybersecurity is high on the Enforcement Division's radar.

Slide 22. SEC Cybersecurity Enforcement Actions
- SEC is examining corporate disclosures made in the wake of recent cyber attacks on public companies and others.
  • Was the incident material?
  • Were the disclosures appropriate?
- SEC is focusing on cyber controls by broker dealers and RIAs.

Slide 23. SEC Cybersecurity Enforcement Actions
  • Regulation SP, 17 C.F.R. Part 248 Subpart A
    – Broker dealers and RIAs are required to adopt written supervisory policies and procedures that address the protection of customer records and information.
  • A data breach could potentially trigger a Regulation SP violation.

Slide 24. Thoughts on Development of a Cyber Security Defense Program
- Governance and Risk Management
  • Define a governance framework.
  • Ensure senior management is actively involved.
  • Identify standards to address cybersecurity.
  • Dedicate resources to achieve an acceptable risk environment.
  • Perform a cybersecurity risk assessment.

Slide 25. Thoughts on Development of a Cyber Security Defense Program
- Cybersecurity Risk Assessment
  • Regular, periodic assessment.
  • Identify and maintain an inventory of assets authorized to access the firm's network.
  • Conduct comprehensive assessments that include:
    – Assessment of internal and external threats
    – Prioritized recommendations to remediate risks
- Technical Controls
  • Select controls appropriate to the firm's technology and threat environment.

Slide 26. Thoughts on Development of a Cyber Security Defense Program
- Incident Response Planning
  • Prepare for the incidents that the firm believes are most likely to happen:
    – Loss of customer personal information
    – Network intrusion
    – Customer account intrusion
    – Malware infection
  • Eradication and mitigation plans

Slide 27. Thoughts on Development of a Cyber Security Defense Program
  • Vendor Management
    – Perform due diligence
    – Establish contractual terms for sensitive information
    – Ongoing due diligence
    – Procedures to terminate a vendor's access to firm systems
  • Staff Training
  • Cyber Intelligence and Information Sharing
  • Cyber Insurance

Slide 28. Conclusion
Thank You
William A. Despo, Esq.
LeClairRyan
One Riverfront Plaza
1037 Raymond Boulevard, 16th Floor
Newark, New Jersey
(973) 491-3325
william.despo@leclairryan.com