Cyber Security

Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP

Speakers:
- Keith Overly, Executive Director, Ohio Deferred Compensation Program
- Raj Patel, Partner, Plante & Moran, PLLC
- Bill Stewart, Senior Vice President, Booz Allen Hamilton
- Chris Jarmush, Area Vice President, Defined Contribution Practice Leader, Arthur J. Gallagher & Co.
Ohio Deferred Compensation

Ohio Deferred Compensation is a plan sponsor and recordkeeper.

Current practices:
- Information Security Policy
- Independent security audit

Ohio Deferred Compensation: Information Security Policy
- Physical and electronic security
- Staff training
- Data storage and destruction
- Offsite use of computers
- Data use by vendors

Ohio Deferred Compensation: Independent Security Audit
- Compliance review of actual procedures/practices
- Penetration testing
- Social engineering testing

Ohio Deferred Compensation: Future Considerations
- Move to cloud-based computing
- Federal Risk and Authorization Management Program (FedRAMP)
  - Standardized approach to security for cloud products
  - Third party assessment
- Cyber insurance
97% of Breaches Were Avoidable

"Most victims aren't overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them." (Verizon Data Breach Investigations Report)

Weak Infrastructure
- Weak design (firewalls, wireless routers)
- Weak user authentication (users, passwords)
- Lack of encryption (VPN, secure portals)
- Outdated patch management / anti-virus
- Lack of periodic testing

User Ignorance
- Weak user passwords
- Poor judgment
- Phishing attacks
- Not staying current on security trends

Technology Advances
- Mobile devices
- Cloud computing / public portals
- Data collaboration
- Social media

Third Party Vendors
- Weak due diligence
- No breach notification
- No annual breach confirmation
House of Security

Different organizations view information security differently. Some of the differences are related to varied risk and threat profiles impacting an organization based on factors such as industry, location, products/services, etc. Other differences are related to management's view of security based on its experience with prior security incidents.
World of Security
Secure Network Infrastructure
1. Layer your network: Public, Sensitive, Confidential, Private
2. Perimeter security: firewalls, IDS/IPS
3. Wireless security: SSID, encryption, default password
4. Authentication: users & passwords
5. Encryption: connectivity & storage
6. Anti-virus
7. Patch management
8. Remote access
9. Network monitoring
10. Annual testing: external penetration test & internal security assessment
Last Thoughts
- Strong password practices
- Device security
- Accessing from public places
- Loss of hardware
- Disposal of devices
- Use of mobile technology
- Incident response plan & team (1-800 DATA BREACH)

"I'm flattered, really I am. But you probably shouldn't use my name as your password."
Financial Services institutions have an expansive and changing attack surface

Institution:
- Third Party Vendors
- Vendors
- Employees
- Test or Virtual Environments
- Marketing
- Social Media
- Recruiting
- Corporate Platforms
- Data Storage (Cloud)
- Data Storage (Portable)
- Knowledge Management Systems
- Clients

Employee:
- Client's Third Party Vendors
- Employees
- Business Contacts
- Social Media
- Family
- Website
- Corporate Fleet
- Cell Phone
- Laptop
- Friends
- Tablet
Attackers vary in purpose and sophistication

Increasing Level of Sophistication:
- Nation States
- Terror Organizations
- Organized Crime
- Hacktivists
- Employees

Adopting an active defense is imperative
- Protect: prepare for an attack today with the goal of preventing an attack tomorrow
- Remediate: know what to do when the inevitable occurs
- Detect: monitor your systems and emerging threats
Multiple controls must be put in place

Protect:
- Application Security
- Data Centric Protection
- Insider Threat Management
- Identity and Access Management
- Personnel Screening
- Physical and Environment Security

Detect:
- Cyber Analytics
- Security Intelligence Monitoring
- Security Monitoring
- Vulnerability Assessment
- Third Party Risk Management

Remediate:
- Threat Management
- Incident Response
The importance of third party risk management cannot be overstated

Lifecycle phases: Planning, Due Diligence, Contract Negotiation, Ongoing Monitoring

Risk progression through the engagement: Service Desired, Preliminary Risk, Inherent Risk, Residual Risk, Residual Risk Post Remediation, Re-Assessment

Other elements of the process:
- External Controls
- Internal Controls
- News Feeds
- Engagement Risk Profile
- Business Impact Assessment
- Control Effectiveness Assessment
- Final Selection & Remediation Plans
Top Trends in Cybersecurity for Financial Services
1. Third Party Risk
2. Cyber Fusion Center (CFC) Implementations
3. Data Element Protection
4. Alternative Payment System Exposure
5. Cyber Crime Analysis
6. Hacktivism spreads to Middle East
7. Western Cyber problems coming to developing nations
8. Wargaming
9. Privacy Knowledge
10. Cyber Insurance Usage Growth
Assessing Cyber-risk across the DC Landscape

Are Defined Contribution Plans at risk of cyber-attacks? Yes, but the DC complex is not (yet) a primary target of cyber fraud.

Fiduciary Responsibilities

Who are the primary gatekeepers of participant assets and data? Fiduciary protocols were clearly written with an aim of safeguarding participant assets; what about identity?

Each entity represents a potential point of entry for a cyber-attack:
- Plan Sponsor
- TPA
- Participants
- Recordkeeper
- Advisor
Vulnerability of Financial Services Firms

Cybersecurity Examination Initiative 2014, OCIE [1]
- 90% of broker-dealers and 75% of registered investment advisors have been the subject of a cyber-related incident
- 54% of broker-dealers and 43% of RIAs received fraudulent e-mails seeking to transfer client funds
- The vast majority of firms conduct periodic risk assessments to identify cybersecurity threats
- Only 30% of broker-dealers and 13% of managers have provisions to determine their responsibility for cyberattacks

Cyberattack Incidents Reported by Federal Agencies (in 000s), GAO / US-CERT data:

Year   Incidents (000s)
2006    5.5
2007   11.9
2008   16.8
2009   30
2010   41.8
2011   42.9
2012   48.6

[1] National Exam Risk Alert by the Office of Compliance Inspections and Examinations, February 3, 2015
Taking a Proactive Approach

What steps can plan sponsors take to help safeguard participants?
- Internal Controls: ensure proper security maintenance programs are in place with sufficient resources dedicated to their execution
- SOC 1 (SSAE 16) Certification: seek service providers who have demonstrated sufficient control procedures
- Service Standards: establish written service standards and protocols for what constitutes a reportable event
- Information Sharing Networks: identify industry groups sharing information on cybersecurity best practices