Cybercrime and Regulatory Priorities for Cybersecurity

Transcription

1 NRS Technology and Communication Compliance Forum Cybercrime and Regulatory Priorities for Cybersecurity Copyright 2014 by K&L Gates LLP. All rights reserved. Sean P. Mahoney K&L Gates LLP State Street Financial Center One Lincoln Street Boston, MA (617)

2 WHAT WE WILL COVER TODAY Drivers of cybercrime on your firm Activities that increase risk Exploring real life examples SEC pilot exams and NEP Sweep Alert Current relevant regulation Current efforts of FINRA and SEC Managing implications of increased accountability

3 DRIVERS OF CYBERCRIME ON YOUR FIRM Verizon 2014 Data Breach Investigations Report identifies the following threats POS Intrusions Miscellaneous Errors Cyber-espionage Card Skimmers Web App Attacks Physical Theft/Loss Insider Misuse DoS Attacks Crimeware Other

4 DRIVERS OF CYBERCRIME ON YOUR FIRM Web App attacks and POS intrusions appear to be on the rise Web App attack and DoS attacks are most prevalent cyber-attacks in financial services According to American Bankers Association, two-thirds of the instances of unauthorized access are the results of phishing attacks Success rate of phishing s is approximately 18% according to Verizon

5 DRIVERS OF CYBERCRIME ON YOUR FIRM Motivation for attacks generally falls within three broad categories Financial gain Ideologically motivated attacks (social, political or sport/narcissism) State sponsored

6 ACTIVITIES THAT INCREASE RISK Connectivity Devices Networks/clouds Products Use of vendors Use of humans

7 EXPLORING REAL LIFE EXAMPLES Data management makes responses manageable Need to know what data was access or could be comprised In some cases need to be able to identify data subjects in order to reduce reporting obligations Watch for behaviors indicative of employees who may be ready to leave the company

8 EXPLORING REAL LIFE EXAMPLES Control access Employees Vendors Monitor application vulnerabilities and log installation of patches and security updates Test process for user access when passwords or credentials are lost Test user susceptibility to phishing attempts

9 SEC PILOT EXAMS AND SWEEP ALERT SEC approach historically has appeared sporadic Sparse regulations (S-P, S-ID, compliance program rules, Rule 15c3-5 for broker-dealers) Enforcement actions under Regulation S-P following hacking events Proposed information security program/data security breach reporting regulations This year: SEC Roundtable OCIE alert

10 SEC PILOT EXAMS AND SWEEP ALERT Takeaways from SEC Roundtable Identify most significant risks and focus resources on addressing them A static set of policies is not sufficient Aim for a well-conceived, flexible, and forwardthinking program to address ever-changing risks The industry is collaborating Financial Services Information Sharing and Analysis Center Have an incident response plan

11 SEC PILOT EXAMS AND SWEEP ALERT April 15, SEC OCIE published a National Exam Program Risk Alert setting forth OCIE expectations for RIAs and BDs with respect to cybersecurity 50 RIA s and BD s will be examined Alert includes a sample document request Main takeaway is that SEC expects RIAs and BDs to use the National Institute of Standards and Technology (NIST) Framework

12 SEC PILOT EXAMS AND SWEEP ALERT Specific documents requested (or expected) Written information security policy (Regulation S-P, Regulation S-ID, Massachusetts) Documentation of responsibilities of employees and managers for cybersecurity Written guidance and periodic training for employees and vendors

13 SEC PILOT EXAMS AND SWEEP ALERT Specific documents requested (or expected) Data destruction policy (Regulation S-P; Massachusetts; FACT Act) Records management program is essential for cybersecurity and for a number of other reasons Written cybersecurity incident response policy (i.e., playbook ) Written policy and training addressing removable and mobile media

14 SEC PILOT EXAMS AND SWEEP ALERT Specific documents requested (or expected) Vendor management information security questionnaires cybersecurity contractual requirements Written incident alert thresholds

15 SEC PILOT EXAMS AND SWEEP ALERT Other requests (or expectations) Written inventories and assessments Chief Information Security Officer Identification of standards (such as NIST) used by firm Expectation that firm has process to keep up with emerging best practices (e.g., FS-ISAC) Protection against DDoS attacks Cybersecurity insurance

16 CURRENT RELEVANT REGULATION Laws that protect information SEC rules Title V of Gramm-Leach-Bliley State laws Fair Credit Reporting Act/Regulation S-ID Regulatory data security standards FFIEC NIST Framework Regulatory business continuity standards

17 CURRENT RELEVANT REGULATION Rule 15c3-5 (Exchange Act) requires broker-dealers with market access to maintain policies and procedures to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction Seems to be viewed as imposing a general requirement to address cybersecurity

18 CURRENT RELEVANT REGULATION Rule 206(4)-7 (Advisers Act); Rule 38a-1 ( 40 Act) Require compliance policies and procedures SEC noted in preamble to Rule 38a-1 that business continuity obligations fall under advisers fiduciary duties FINRA Rules 3012/3020 risk management 4370 business continuity

19 CURRENT RELEVANT REGULATION Title V of the Gramm-Leach-Bliley Act Title V of the GLBA protects nonpublic personal information, which is defined as any personally identifiable financial information provided by a consumer to a financial institution resulting from a transaction by a consumer with a financial institution otherwise obtained from a financial institution NPI includes customer lists

20 CURRENT RELEVANT REGULATION GLBA Safeguards Rule All financial institutions must develop a written information security plan that must: be appropriate to the financial institution's risk profile designate the employee or employees to coordinate identify and assess the risks evaluate the effectiveness of current safeguards for mitigating risks select appropriate service providers and require them to implement the safeguards evaluate the program

21 CURRENT RELEVANT REGULATION State data security and breach reporting laws State laws enacted in response to data security breaches and growing concern of identity theft Most statutes impose data security breach notification requirements Some states, most notably Massachusetts, impose an obligation to adopt policies and procedures to protect information Compliance with Interagency Standards is often sufficient Information protected generally consists of a name plus another identifier that would enable a person to obtain credit or access an account

22 CURRENT RELEVANT REGULATION Interagency Guidance on Authentication (applicable only to banks) Requires risk assessments taking into account new and evolving threats Sets expectation of layered security Fraud detection and monitoring Dual authorization through different access devices Use of out-of-band verification for transactions IP reputation-based tools

23 CURRENT RELEVANT REGULATION FFIEC Information Security Handbook Serves as bank examination manual for compliance with GLBA safeguards rule Establishes information security risk management process Information security risk assessment Information security strategy Security controls implementation Security monitoring Security process monitoring and updating

24 CURRENT RELEVANT REGULATION FFIEC Business Continuity Handbook Business continuity planning process includes Policy by which firm manages identified risks Allocation of resources and knowledgeable personnel Independent review Training and awareness Regular, enterprise-wide testing Continuous updating to adapt to changing environment

25 CURRENT RELEVANT REGULATION FFIEC Business Continuity Handbook Policy should address Continuity planning process Prioritization of business objectives and critical operations essential for recovery Integration with financial markets Integration with vendors and outsourced services Regular updates in response to changes in business processes, audit recommendations and testing

26 CURRENT RELEVANT REGULATION FFIEC Business Continuity Handbook Principal tools in continuity planning Data synchronization tools Pre-established crisis management team Incident response procedures Remote access Employee training Clear notification standards Insurance

27 CURRENT RELEVANT REGULATION NIST Framework Risk management/process management approach Scalable Core set of cybersecurity activities Identify Protect Detect Respond Recover

28 CURRENT EFFORTS OF FINRA AND SEC FINRA and the SEC are clearly moving to a riskbased framework for cybersecurity Using newly discovered authority as systemic or prudential regulators of securities industry SEC roundtable provided informal guidance SEC OCIE NEP Alert provides clearest outline of regulatory expectations to date FFIEC guidance is also worth tracking

29 CURRENT EFFORTS OF FINRA AND SEC Expectation that all financial institutions maintain current awareness of cybersecurity threats FFIEC encourages all financial institutions to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) Other sources to monitor: FBI Infragard ( U.S. Computer Emergency Readiness Team ( U.S. Secret Service Electronic Crimes Task Force (

30 CURRENT EFFORTS OF FINRA AND SEC After assessing cybersecurity at 500 community banks, FFIEC commented on the following: Cybersecurity Inherent Risk Connection types Products and services Technologies used Cybersecurity Preparedness Risk management Threat intelligence and collaboration Cybersecurity controls External dependency management Cyber incident management and resilience

31 CURRENT EFFORTS OF FINRA AND SEC SIFMA White Paper Industry is asking for regulatory guidance on cybersecurity Outlines 10 risk-based principles Avoid prescriptive rules Industry needs guidelines to demonstrate compliance and proper risk-management Current inspection and post-breach enforcement action model does not work May be the beginning of the conversation

32 INCREASED ACCOUNTABILITY An integrated approach to data security is key Involve human resources -- humans are often the weak link in cybersecurity Business managers need to be involved in technical solutions -- secure environment has to be usable or people will work around it Compliance Information systems Physical security

33 INCREASED ACCOUNTABILITY Understand tools and technology available IT professionals need to train others on current capabilities and possible expansion Where monitoring is conducted, follow-through is critical Data needs to be managed Records retention/destruction schedules Many legal implications (spoliation, statutory and regulatory retention requirements)

34 INCREASED ACCOUNTABILITY Vendors need to be managed Document everything regulated institutions must prove that they manage risks Have incident response teams in place Playbook in place Have public relations firm ready Include outside counsel and attorney/client privilege

35