The U.S. Securities and Exchange Commission (“SEC”) has begun to focus in earnest on cybersecurity-related issues at the SEC’s regulated investment adviser and broker-dealer firms. In April 2014, the SEC Office of Compliance Inspections and Examinations (“OCIE”) announced its Cybersecurity Initiative in a National Exam Program (“NEP”) Risk Alert. In response, this presentation will cover compliance and technological aspects of a cybersecurity risk assessment and steps firms are taking to enhance cybersecurity protections.

1. 1

2. The webinar will begin shortly…
You can join either by VoIP or dial in
by telephone
Follow call in details if you select
to use Telephone audio

3. Cybersecurity and the Regulator,
What You Need to Know
July 24, 2014
Presented By:
Patrick Shea
Partner, Cordium
James Hogbin
Director, IP Sentinel

4. Agenda
o Regulatory Focus on Cybersecurity
o Key Concerns Related to Financial Services
o Basic Practices
o Steps to be Taking
o Risk Assessment
o Controls related to 3rd
Party Providers
o Dealing with an “Incident”
o Insurance
o Training, Testing and Monitoring
o Why Security
o Threat Surface
o Protecting What
o From Who
o Security Posture
o Forensic Readiness
o Security Operations
o What do bad actors do & how to catch them
o Checklist
4

5. Questions
5
You can submit your questions
using the Questions area in the
GoToWebinar console
You can submit your questions
using the Questions area in the
GoToWebinar console
© Copyright

6. Part One
Patrick Shea
Partner, Cordium
patrick.shea@cordium.com
6

7. Agenda – Part One
o Regulatory Focus on Cybersecurity
o Key Concerns Related to Financial Services
o Basic Practices
o Steps to be Taking
o Risk Assessment
o Controls related to 3rd
Party Providers
o Dealing with an “Incident”
o Insurance
o Training, Testing and Monitoring
7

8. Regulatory Focus on Cybersecurity
o Governments
o EU : Cyber Security Strategy
o US : The Comprehensive National Cybersecurity Initiative
o UK : Office of Cyber Security and Information Assurance
o Regulators
o CFTC : Staff Advisory No. 14-21 Gramm-Leach-Bliley Act Security
Safeguards
o SEC : OCIE Cybersecurity Initiative
o FCA : FCA Risk Outlook 2014
8

9. Regulatory Focus on Cybersecurity
o SEC/OCIE Examination Priorities for 2014 include focus on
technology, including cybersecurity preparedness.
o January 2014, FINRA announces targeted exam assessing its
regulated firms’ approaches to managing cybersecurity threats.
o Gather a better understanding and share findings with regulated firms.
o March 2014 - SEC Sponsors Cybersecurity Roundtable
o Cyber threats are "first on the Division of Intelligence’s list of global threats,
even surpassing terrorism.”
SEC Chair Mary Jo White (Roundtable opening remarks).
9

10. Regulatory Focus on Cybersecurity
o April 2014 Risk Alert from the SEC outlines OCIE’s cybersecurity
initiative:
o Examinations of more than 50 BDs and RIAs focused on:
o Entity’s cybersecurity governance;
o Identification and assessment of cybersecurity risks;
o Protection of networks and information;
o Risks associated with remote customer access and funds transfer requests;
o Risks associated with vendors and other third parties;
o Detection of unauthorized activity; and
o Experiences with certain cybersecurity threats.
o Risk Alert included a sample document request, to be used during exams.
Provided to raise awareness and empower compliance professionals.
10

11. Key concerns
o Financial services sector is vulnerable
o Perception that cybersecurity is lacking and need to raise awareness
o Client data at risk – Consumer Protection
o Well-established reliance on service providers
o Sensitive data being transferred & 3rd
party security protocols critical
o Hackers with the upper-hand
o “Insider” Risk
o Employees do things (intentionally or unintentionally)
that compromise the firm’s security.
11

12. Basic Practices
o Holistic approach needed.
o Threat to cybersecurity is NOT just an IT issue;
o Business issue & should be part of your firm’s risk
management function.
o Top-down approach to cybersecurity!
o Create & perpetuate a culture of involvement and
awareness.
o Everyone at the firm should be involved, educated and regularly
trained.
o Policies and procedures to be reviewed, upgraded & tailored to
your firm.
o Past intrusions/breaches? Learn from them.
12

13. Steps to be Taking: Risk Assessment
o Identify your cybersecurity & physical threats, vulnerabilities and
potential consequences to your business.
o Determine what you have in place today with respect to
cybersecurity.
o What needs to be protected?
o How are you presently managing/monitoring security?
o What technology?
o Who is responsible?
o How are you managing employee access to the systems/data?
o What data is leaving the firm? Where it is going?
o Answers to these questions help drive your Written Information
Security Policy (“WISP”).
13

14. Steps to be Taking: Controls related to 3rd
Party
Providers
o Need to understand cybersecurity policies and procedures of your
vendors & key service providers
o Focus on vendors with access to your network, customer data and/or other
sensitive information
o Gather their WISP and related documentation
o Best practice – Questionnaire to be sent to vendors
o Perform due diligence on, and monitor, their practices
o Review your contracts with those vendors
o Try and negotiate for prompt notice of any
material incidents
14

15. Steps to be Taking: Dealing with an “Incident”
o Simulations are an opportunity to test your plan “in action”
o Detecting & reporting unauthorized activity
o Monitoring system (Who? What? How?)
o Develop clear escalation procedures and robust cyber-incidence
response plans.
o Information sharing = Transparency
o FINRA notification requirements
o OCIE wants to hear about significant issues and data breaches
o Information-sharing arrangements with law enforcement such as the FBI?
o Possible reporting at State-level
o Disclosure to investors/clients needed?
15

16. Steps to be Taking: Insurance
o Cyber liability insurance protection -- important step
o Review your current policies
o SEC Risk Alert
o Do you maintain insurance that specifically covers losses and expenses
attributable to cybersecurity threats?
o Know what is covered & what is excluded
o If/when you file claims, document the issues and the resolution
16

17. Steps to be Taking: Training, Testing &
Monitoring
o Educate all employees on risks & responses
o Front line defense
o Help employees stay vigilent & teach them what to do if the spot an issue
o Bring your plan to life through routine testing
o Part of your risk-assessment plan
o Focus on key risks as relating to your business
o Develop a monitoring program so risks and/or breaches
can be promptly identified, reviewed and resolved.
o Don’t stop there – document & consider whether you
need to report to authorities and/or clients.
17

18. Part Two
James Hogbin
Director, IP Sentinel
james@ip-sentinel.com
18

19. Agenda – Part Two
o Why Security
o Threat Surface
o Protecting What
o From Who
o Security Posture
o Forensic Readiness
o Security Operations
o What do bad actors do & how to catch them
o Checklist
19

20. The Facts
o If a skilled hacker/state actor wants to get in to your
systems they will.
o The biggest threat is your existing staff.
o It is a case of when, not if.
o It is still important to try to prevent breaches,
when they happen it is essential to
detect them, know their scope and
be able to remediate the damage.
20

21. Why Security?
o Government & Regulatory Focus (discussed above)
o Market Participants
“Cyber-crime, Securities Markets and Systemic Risk”
CPSS-IOSCO & World Federation of Exchanges (WFE)
53 % of 46 exchanges surveyed had been subject to a cyber-attack over the preceding
12 months.
“Beyond the Horizon: A White Paper to the Industry on Systemic risk”
Depository Trust & Clearing Corporation (DTCC)
Identified cyber-crime as the biggest threat to market stability, putting it ahead of
counterparty risk and concentration risk at central counterparty clearing houses
(CCPs).
“70% of managers do not feel ‘well prepared’ to deal with a cyber-security threat.”
cooconnect.com 2014
21

22. Threat Surface
22

23. Protecting What?
o Company Information
o Trading Models
o CRM Data – Clients & Prospects
o Investment Agreements
o Trading Arrangements
o Personnel Information
o Company Brand
o Company Systems
o Bank Accounts/Payroll
o Trading Infrastructure
o Payment Processing
23

24. From Who?
Information Leakage
oEmployees - 37% of the time
o Mistake
o Deliberate
oSystem Glitch – 29% of the time
oExternal Bad Actors – 34% of the time
o Malware
o Ransomware
o Remote Access/Control
o Fraud
o Theft
o Processing Cycles – Bitcoin mining
o Data Storage - Hosting Illegal content
o Network Capacity - DDoS
24

25. Security Posture
Traditional “Citadel” approach
o Hard outer shell
o Soft core
Once you’re in you’re in!
Current Thinking
o Layered security
o Digital Sand Traps
o SIEM = Log Aggregation & Monitoring
o TRAINING
It will happen so be prepared
25

26. Security Operations
o How does a good hacker behave
o As a normal employee NOT L33t Hax0r
o Nothing obviously out of the ordinary
o Will attempt to
o Enter, Elevate Privileges, Retain Access
o Look for Odd usage patterns.
o e.g. Dev user looking at Sales.xls
o Logins @ odd times
o Sequential access to systems
o Unusual Traffic to or from devices
o Network or Protocol (SNMP, HTTP)
o Unusual services on devices
o Web server, ssh, rdp etc
26

27. Security Operations
o How to frustrate L33t Hax0rs
o Staff Training
o Segmented Networks with Air Gaps
o Regular Internal Device Asset scans
o Multi layer security
o Keep everything patched
o Remove server banner information
o Outbound as well as inbound firewall
27

28. Security Operations
o How to find them
o Staff Training
o Treat the entire thing as insider threat
o Because it is.
o Centralise Log Management & use it
o http://fingerprint.ip-sentinel.com
user=demo, password=demo
o Detect rate based metrics across environment
o Honey trap servers
o Seed CRM data
o Network traffic/protocol analysis & monitoring
o Regular Device service scanning
o Firewall/web proxy configuration
28

29. Hackers need only be
lucky once, you have to
be good all the time.
29

30. Questions?
30

31. Questions
31
You can submit your questions
using the Questions area in the
GoToWebinar console
You can submit your questions
using the Questions area in the
GoToWebinar console
© Copyright