Cybersecurity..Is your PE Firm Ready? October 30, 2014

Transcription

1 Cybersecurity..Is your PE Firm Ready? October 30, 2014

2 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services Mark Heil, EVP, PEF Services (moderator)

3 SEC s Office of Compliance Inspections and Examinations Cybersecurity Initiative Melinda Scott Scott Goldring Associates

4 Background SEC sponsored Cybersecurity Roundtable conclusions (March 2014): Integrity of our market system and customer data needs protection Stronger partnerships between the government and private sector required to address cyber threats Commissioner Aguilar emphasized: The importance for the Commission to gather information Consider what additional steps the Commission should take to address cyber-threats.

5 Examinations Pilot examinations study of 50 registered investment advisors (April 2014) The OCIE s cybersecurity initiative is designed to: Assess cybersecurity preparedness among RIAs Obtain information about the industry's recent experiences with certain types of cyber threats Promote compliance Share with the industry where it sees risk To comply: Assess your supervisory, compliance and other risk management systems related to cybersecurity Make changes to address weakness and strengthen the systems

6 Examination Focus Areas Cybersecurity Governance Identification and Assessment of Risk Protection of Networks and Information Risks Associated with remote customer access Fund transfer requests Risks associated with vendors and third parties Detection of unauthorized activity Experiences with cybersecurity threats

7 Cybersecurity Governance Two-fold goal: Protect sensitive client data Protect funds and accommodate distributions Identify responsible person for cybersecurity compliance Create a written security policy Procedures to protect the information Perform periodic risk assessments and document results Develop plan in event of a breach

8 Identification and Assessment of Risk Inventory of your firm s Physical devices and systems, software platforms and applications Prioritize hardware, data and software for protection based on their sensitivity and business value Map of network resources, connections and data flows Update inventory and map annually Assess for adequacy, retention and secure maintenance your logging capabilities.

9 Governance Policies and Procedures Roles and Responsibilities/Business Continuity Create a diagram of cybersecurity roles and responsibilities: Explicitly state who has been the assigned the role to inventory the devices, Who has been assigned the role to assess threats, and Who do they report to when they find a problem. Does your firm have an adequate business continuity plan?

10 Protection of the Firm s Networks and Information The SEC suggests that you use or model your processes after those published by: the National Institute of Standards and Technology (NIST) or; the International Organization for Standardization (ISO) Provide written guidance and periodic training to employees concerning security risks. Keep dated copies of your training materials and an attendance sheet, signed and dated. Maintain protection against Distributed Denial of Service (DDoS) attacks for critical internet-facing IP addresses? Test the functionally of your backup system Incident Response Policy

11 Risks Associated with Remote Customer Access and Funds Transfer Requests If you provide your clients with any type of on-line access, you must keep the following information: The name of any third party that manages the service A description of the functionality of the platform, what information is available, balances, address, contact information, withdrawal requests How your customers are authenticated List any software or other practice employed for detecting anomalous transaction requests that may be the result of compromised customer account access Include a description of any security measures used to protect customer PINs Make sure you have a statement to circulate to your clients about reducing cybersecurity risks in conducting transaction with the firm

12 Risks Associated with Vendors and Third Parties Do you conduct a cybersecurity risk assessment with your vendors before you hire them and give them access to your firm s network? Appoint someone within your firm to regularly assess and monitor the actions of your vendors. Have the Vendor sit in on your cybersecurity training so they are aware of your policies, or provide them with a written copy of your policies and request a statement that their practices will be compliant with your policies.

13 Detection of Unauthorized Activity You should have an unauthorized activity policy that includes the title, department and job function of the person who is responsible for carrying out the procedures. Maintain baseline information about expected events on the Firm s network so you can recognized unexpected events. Monitor your network to detect potential cybersecurity events Monitor your physical environment to detect potential cybersecurity events

14 Danger! Danger! Will Robinson The SEC wants you to tell them about any cybersecurity breaches that occurred since January 1, Before you discuss any of these issues with an outside vendor, discuss it with your General Counsel or attorney

15 Information Security Landscape Riverside Company

16 Background on Cyber Attacks Why Attack Small and Mid-sized Enterprises (SME)? Because they are easy targets

17 Why SMEs? Lack of funding for information security Lack of employee training Stepping stone attacks Lack of process for contractor access to systems

18 What s at Risk? Financial account data Company reputation Intellectual property and proprietary information Legal or regulatory enforcement actions LP commitments

19 What Riverside is doing

20 Management Company Information Security Pyramid

21 Portfolio Companies Introducing information security assessments into our due diligence processes Current state assessments for existing portfolio companies and tracking remediations Assisting with the development of incident response plans

22 Immediate Next Steps Start with the basics: understand where your data sits and who has access to it Engage a 3rd party to perform a current state assessment to include risk and overall security posture Get C-level sponsorship it s critical Research cyber-liability insurance policy options

23 What to expect in 2015 LPs asking more targeted questions Portfolio companies being asked to respond to 3 rd party risk assessment questionnaires Follow-up to the OCIE s Risk Alert early 2015

24 PEF Services Approach to Cybersecurity

25 Improving Cybersecurity Feb 2014 National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity voluntary AND risk-based - driven by business collaboration between government and private sector focuses on business drivers to guide cybersecurity activities

26 The Framework New Risk Program Improve existing Risk Program Different risks for different firms... threats vulnerabilities risk tolerances mitigate avoid transfer accept NOT 1 size fits all

27 Core consists of 5 concurrent, continuous Functions: Identify, Protect, Detect, Respond, Recover Matches them with References NIST COBIT ISO SOC The Framework Each part reinforces the connection between business drivers and cybersecurity activities. Implementation Tiers increases in sophistication in... from informal-reactive responses to agile, risk-informed approaches T1: no formal approach to risk T3: formally approved policies provide context for firm to view its current risk approach Profiles Current Profile GAP Target profile develop a roadmap help align business requirements AND risk tolerance

28 Framework Core Function Category Subcategory

29 Use the Framework use as a systematic process for identifying, assessing, and managing risk The Framework is NOT to replace existing processes use current process and overlay it onto the Framework to determine gaps in its current CS risk approach use to develop a roadmap to improvement use to determine activities that are most important to critical service delivery use to prioritize expenditures to maximize the impact of the investment designed to complement existing cybersecurity operations -OR- use as the foundation for a new cybersecurity program for improving existing program use to provide a means of expressing CS requirements to business partners and clients

30 Case Study: Dammed Creek (DC) Middle Market Buyout Fund ($500 MM AUM) Fund I: 50 investors, 1 institutional Fund II: 60 investors, 5 institutional Portfolio companies do business with government and military

31 DC Advisory Board Meeting LPs raise cybersecurity issues Dammed Creek recently hired a CTO Previously used reputable consultants Portfolio companies do business with government and military

32 The Breach Co-founder downloaded infected software onto personal computer Using VPN transferred virus to firm s network

33 The Breach Part II Hacker denied access to personnel files BUT, was able to download key documents related to a portfolio company whose primary customer is the US government

34 The SEC Exam Shortly after the breach, the SEC notifies firm that it wants to do a cybersecurity exam Requests a list of documents

35 Thank You PEF Services LLC Joe Campbell x 106 joe@pefundservices.com PEF Services LLC Mark Heil mark@pefundservices.com The Riverside Company Eric Feldman efeldman@riversidecompany.com www. riversidecompany.com Scott Goldring Associates Melinda Scott mscott@scottgoldringassociates.com