Current Developments Concerning Cybersecurity. ICI General Membership Meeting Legal Forum Jillian Bosmann and Nancy O Hara Thursday, May 19, 2016

Transcription

1 Current Developments Concerning Cybersecurity ICI General Membership Meeting Legal Forum Jillian Bosmann and Nancy O Hara Thursday, May 19, 2016

2 AGENDA Why is Cybersecurity Important? Top Cybersecurity Threats for Funds Legal Landscape SEC Cybersecurity Guidance and OCIE Cybersecurity Initiative SEC Enforcement Actions Cyber Preparedness and Resiliency Fund Board Reporting and Oversight Current Developments Concerning Cybersecurity May 19,

3 Why is Cybersecurity Important? Direct impact on business Direct impact on clients Cost of notice and remediation Regulatory actions Potential lawsuits Reputational damage Disruption to business Current Developments Concerning Cybersecurity May 19,

4 Top Cybersecurity Threats for Funds Ability to strike net asset value (NAV) each trading day Protecting trading data and portfolio holdings before being made public Protecting personally identifiable, confidential shareholder information Current Developments Concerning Cybersecurity May 19,

5 Legal Landscape State Breach Notification Acts (SBNAs) Patchwork of federal statutes, including Gramm Leach Bliley; Electronic Communications Privacy Act; Stored Communications Act; Video Privacy Protection Act; Driver s Privacy Protection Act; Family Educational Rights and Privacy Act Regulations, including Regulation S-P, Regulation S-AM, FTC s Red Flag rules and CFPB s Regulation P Industry guidance Current Developments Concerning Cybersecurity May 19,

6 SEC Cybersecurity Guidance SEC Division of Investment Management issued guidance in April 2015 OCIE Cybersecurity Initiative Target Areas: - Governance and Risk Assessment - Access Rights and Controls - Data Loss Prevention - Vendor Management - Training - Incident Response Current Developments Concerning Cybersecurity May 19,

7 SEC Enforcement Actions R.T. Jones Capital Equities Management (Sept. 2015) - Failure to have the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals - Substantial subsequent remedial efforts and no indication that any client had suffered financial harm as a result of the breach - Paid a $75,000 penalty Andrew Ceresney, head of the SEC s Division of Enforcement, stated during a panel discussion at the ICI s Mutual Funds and Investment Management Conference in March that the SEC has other cybersecurity enforcement actions in the pipeline Current Developments Concerning Cybersecurity May 19,

8 Cyber Preparedness and Resiliency Developing a Data Security Policy - Perform overall risk assessment of your organization - Know the most common methods of penetration - Consider including certain key steps - Include a response plan - Educate employees, including partners and C-level executives - Ensure adequate resources are devoted to cybersecurity - Be prepared to update and revise Current Developments Concerning Cybersecurity May 19,

9 Cyber Preparedness Risk Assessment Perform overall risk assessment for your organization - What policies are currently in place? Do they need to be augmented or changed? - Focus on the top 3 cybersecurity threats to funds. Are additional policies or procedures needed to protect this information? - Review SEC guidance. Are policies in place for each area suggested by the SEC? - Review the OCIE sample request list for examinations regarding cybersecurity matters. Would you be able to respond positively to each request? Current Developments Concerning Cybersecurity May 19,

10 Cyber Preparedness Risk Assessment (cont.) Don t Forget Third Parties - Rank your vendors both on the sensitivity of the data they have and how pervasive they are within your organization - Make sure the inventory of information and vendors is accurate - Ask for SOC-2s from your vendors - Perform risk assessments of vendors cybersecurity programs - Ask vendor to do self-assessment of cybersecurity program - Monitor service to identify vendor breaches - Consider limiting access to unnecessary information - Consider revising contracts to mitigate risk Current Developments Concerning Cybersecurity May 19,

11 Cyber Preparedness Common Methods of Penetration Know the most common methods of penetration. - Sending phishing s to employees - Phony free Wi-Fi sites - Loss of laptop, mobile device or USB flash-drives - Password hacking Current Developments Concerning Cybersecurity May 19,

12 Cyber Preparedness Key Steps Require strong passwords Utilize two-factor identification Limit access to systems and data to only those absolutely necessary Monitor employees who are on their way out Have controls over physical entry/exit from sensitive areas Use encryption Data back-up/business continuity plan Current Developments Concerning Cybersecurity May 19,

13 Cybersecurity Preparedness Response Plan Who are the members of the team? Who is the incident manager/coordinator? How will further loss be prevented? How will communication flow inside the firm? What additional resources will be necessary? How will communication flow outside the firm? Who needs to be notified? Current Developments Concerning Cybersecurity May 19,

14 Cyber Preparedness Education and Resources People are often the weakest link, but can be the strongest ally if educated to recognize common schemes Encourage partners and C-level executives to comply with policies Cybersecurity preparedness requires the involvement of the entire firm in risk assessment and implementation Need adequate budget and staffing Current Developments Concerning Cybersecurity May 19,

15 Cyber Preparedness Always Evolving Hacking techniques evolve Risk assessment needs to be repeated periodically Incident response plan should be tested periodically Current Developments Concerning Cybersecurity May 19,

16 Fund Board Reporting and Oversight Education on risks and risk management Key vendors/service providers should report at least once a year Board reporting should include: - Number of attacks detected during period - Number of attacks repelled during period - The nature of each attack, e.g. length of time of penetration and information at risk - Steps taken in response to attack - Any changes to data security policy Consider obtaining additional insurance Current Developments Concerning Cybersecurity May 19,

17 ICI Information Security Resources Standards and Guidelines Information Sharing Resources Information Security Threat Mitigation & Program Development What to Ask When Assessing Information Security Programs ICI Viewpoints Series Current Developments Concerning Cybersecurity May 19,

18 Jillian L. Bosmann Counsel Nancy P. O Hara Counsel Nancy.OHara@dbr.com 2016 Drinker Biddle & Reath LLP All rights reserved. A Delaware limited liability partnership Current Developments Concerning Cybersecurity May 19,