DON'T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS?




HEALTH WEALTH CAREER
DON'T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS?
FREEMAN WOOD, HEAD OF MERCER SENTINEL NORTH AMERICA
GREGG SOMMER, HEAD OF OPERATIONAL RISK ASSESSMENTS
MERCER 2015

"THERE ARE ONLY TWO TYPES OF COMPANIES: THOSE THAT HAVE BEEN HACKED, AND THOSE THAT WILL BE."
ROBERT MUELLER, FBI DIRECTOR, 2012

CYBERSECURITY BREACHES
TARGET, JPMORGAN, CODE SPACES, SONY, PENTAGON
SEC reported that 74% of advisors and 88% of broker-dealers have had unauthorized access to their network [1]
[1] SEC cyber-security examination sweep summary, Feb 3, 2015, OCIE Volume IV, Issue 4

HOW BIG IS THE PROBLEM?
270% increase in identified victims and exposed losses [1]
Cyber crime costs the global economy over $400 billion annually [1]
122 successful attacks per week [3]
90% of large organizations reported a breach [2]
Over the last four years cyber attacks on businesses have increased by 144% and the average time to resolve has increased by 221% [4]
[1] Merrill Lynch CIO Reports
[2] Security Breaches Survey, PWC 2015
[3] Ponemon Institute
[4] CYREN Cyber Threat Report, 2015

WHY THE GLOBAL TREND WILL CONTINUE
ROLE OF TECHNOLOGY CONTINUES TO EXPAND
MOTIVATION: Financial gain; Malicious intent; Promote beliefs; Challenge; Risk / Reward analysis

CYBERCRIME INCIDENTS: INVESTMENTS, BANKING AND FINANCE
[Bar chart]
FINANCIAL FRAUD: 36%
DENIAL OF SERVICE ATTACKS: 29%
FINANCIAL LOSSES: 23%
COMPROMISED RECORDS: 23%
IDENTITY THEFTS: 20%
NO INCIDENTS: 20%
SOURCE: PWC CYBERCRIME REPORT

MULTIPLE POINTS OF ENTRY
[Diagram labels: ORGANIZATION; EMPLOYEES; CLIENTS; BUSINESS CONTACTS; FAMILY-FRIENDS; 3RD PARTY VENDORS; MOBILE DEVICES; SOCIAL MEDIA; WEBSITE & MARKETING; DATA STORAGE (CLOUD); NETWORK HARDWARE]

INDUSTRY AND REGULATORY GUIDANCE
NIST CYBERSECURITY FRAMEWORK [1]: Identify; Protect; Detect; Respond; Recover
SEC RISK ALERT [2]: Cybersecurity governance (policies, procedures, and oversight); Risk associated with remote customer access and fund transfer requests; Risks associated with vendors and any third parties; Detection of unauthorized activity; Experiences with cyber threats
BEST PRACTICES: Governance and policies; Employee training; Technology; Third party assessment
[1] National Institute of Standards and Technology (NIST) website.
[2] Morgan Lewis summary of the SEC risk alert, Feb 2015

BEST PRACTICES: GOVERNANCE AND POLICIES
CULTURE: Senior management engagement; Accountable oversight; Proactive approach
PROCESSES: Documented information Security policy; Cybersecurity and risk assessment test; Cyber insurance risk transfer; Monitor cash activity daily; Third party / Vendor due diligence policy

BEST PRACTICES: EMPLOYEE TRAINING
AWARENESS: Passwords; Public Wi-Fi; Local drives; Email communication; Scam preparation; Phishing

BEST PRACTICES: TECHNOLOGY
SECURITY: Network, physical, data, logical
SYSTEMS: Malware / Anti-virus; Patching and updates; Intrusion prevention system and testing; Cloud technology; Backup process and testing

BEST PRACTICES: THIRD PARTY ASSESSMENT
TOOLS: Classify vendors; Define assessment process; SLAs and contract management; Monitor business relationships; Plan for vendors that fail to meet requirements; Independent assessments (SSAE16, SOC testing)

INVESTMENT PROGRAM RISK MANAGEMENT
EXTENSIVE AND OVERLAPPING AREAS OF RISK
MARKET RISKS: Interest rates; Commodity; Credit spread; Correlations; Equity; FX; Liquidity; Risk mgmt. failure; Leverage; 3rd party internal risk taking / positions
ENTERPRISE INVESTMENT RISK MANAGEMENT & GOVERNANCE
COUNTERPARTY AND TRANSACTION RISKS: Credit default; Excess transaction costs; Excess fees / costs; Poor capabilities; Morale Hazard; 3rd party errors; Transaction errors; Fraud; Reputation; Compliance; Technology
OPERATIONAL, FINANCIAL AND COMPLIANCE RISKS: Trading errors; Excess operations costs; Regulatory and Legal risk; Financial controls breakdowns

WHERE DOES CYBER RISK ASSESSMENT FIT IN?
FRAMEWORK
GOVERNANCE: ORGANIZATIONAL STRUCTURE; OPERATING MODEL; OVERSIGHT; COMPLIANCE & AUDIT; RISK MANAGEMENT
FUNCTIONS: VALUATION AND ADMINISTRATION; TRANSACTION EXECUTION; 3RD PARTY SERVICE PROVIDERS; FINANCE / ACCOUNTING
SUPPORTING RESOURCES: TECHNOLOGY; HR; LEGAL; BC & DR
December 18, 2015

CONCLUSIONS
OPERATIONAL RISK CAN BE MATERIAL AND VERY COMPLEX
CYBER RISK WILL CONTINUE TO RISE
ASSESSMENT AGAINST INDUSTRY BEST PRACTICES IS IMPORTANT
REGULAR MONITORING OF INVESTMENT ORGANIZATIONS AND THIRD PARTIES SHOULD OCCUR
PARTNERING WITH EXPERT PROVIDERS MAY BE BENEFICIAL


Important notices

References to Mercer shall be construed to include Mercer LLC and/or its associated companies. © 2015 Mercer LLC. All rights reserved.

This contains confidential and proprietary information of Mercer and is intended for the exclusive use of the parties to whom it was provided by Mercer. Its content may not be modified, sold or otherwise provided, in whole or in part, to any other person or entity, without Mercer's prior written permission.

The findings, ratings and/or opinions expressed herein are the intellectual property of Mercer and are subject to change without notice. They are not intended to convey any guarantees as to the future performance of the investment products, asset classes or capital markets discussed. Past performance does not guarantee future results. Mercer's ratings do not constitute individualized investment advice.

Information contained herein has been obtained from a range of third party sources. While the information is believed to be reliable, Mercer has not sought to verify it independently. As such, Mercer makes no representations or warranties as to the accuracy of the information presented and takes no responsibility or liability (including for indirect, consequential or incidental damages), for any error, omission or inaccuracy in the data supplied by any third party.

This does not constitute an offer or a solicitation of an offer to buy or sell securities, commodities and/or any other financial instruments or products or constitute a solicitation on behalf of any of the investment managers, their affiliates, products or strategies that Mercer may evaluate or recommend.

For the most recent approved ratings of an investment strategy, and a fuller explanation of their meanings, contact your Mercer representative. For Mercer's conflict of interest disclosures, contact your Mercer representative or see www.mercer.com/conflictsofinterest.

Mercer universes: Mercer's universes are intended to provide collective samples of strategies that best allow for robust peer group comparisons over a chosen timeframe. Mercer does not assert that the peer groups are wholly representative of and applicable to all strategies available to investors.

The value of your investments can go down as well as up, and you may not get back the amount you have invested. Investments denominated in a foreign currency will fluctuate with the value of the currency. Certain investments carry additional risks that should be considered before choosing an investment manager or making an investment decision.
