Wednesday, April 29, 2015 Testing Your Cybersecurity Infrastructure and Enforcement Related Developments Mark C. Amorosi, Investment Management Partner, K&L Gates LLP Laura L. Grossman, Assistant General Counsel, Investment Adviser Association Jason Harrell, Corporate SIRO Investment Management, BNY Mellon Jeromie Jackson- CISSP, CISM, Director of Security & Analytics, N th Generation Jeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates LLP Andras P. Teleki, Investment Management Partner, K&L Gates LLP Copyright 2015 by K&L Gates LLP. All rights reserved.
Investment Management Cybersecurity Seminar Series Overview Session 1 (February 27, 2015) Untangling the Gordian Knot Where to Begin When Building Your Cybersecurity Program Session 2 (March 23, 2015) Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers Session 3 (Today) Testing Your Cybersecurity Infrastructure and Enforcement Related Developments Session 4 (May 20, 2015) Breach What to Do When Things Go Wrong and Cybersecurity Insurance Coverage Session 5 (June 25, 2015) Building a Better Mousetrap Evolving Trends in Cybersecurity Practices and Public Policy Developments klgates.com 2
Session 3 Topics Cybersecurity Compliance Testing under Rule 206(4)-7 and Rule 38a-1 CCO Responsibilities for Cybersecurity Matters Leveraging the OCIE 2014 Cybersecurity Sweep Examination Letter Vulnerability Assessments and Penetration Testing What are the Differences and What do these Tests Tell You about Your Cybersecurity Defenses Blackbox vs. Glassbox Testing Interpreting and Prioritizing Testing Results What the SEC, FINRA, CFTC, FTC and Other Regulators Have Said about Enforcement Priorities around Cybersecurity Cybersecurity Litigation and Enforcement Round-Up klgates.com 3
The Regulatory Framework
Cybersecurity at the Top of the SEC s Mind Corp Fin Guidance (2011) Commission Roundtable (2014) OCIE Sweep and Risk Alert (2014/15) OCIE Examination Priority (2015) Numerous references in staff remarks IM Guidance Update (New April 28, 2015) 5
Overview of the Legal Framework Regulation S-P (including Safeguards Rule ) Regulation S-ID (Identity Theft Red Flags) IAA Rule 206(4)-7 and ICA Rule 38a-1 (Compliance Rules) IAA Rule 204-2(g) and ICA Rule 31a-2(f) (Electronic Recordkeeping Rules) ICA Rule 30a-3 (Internal Controls) Disclosure Considerations 6
Overview of Legal Framework (cont d) Business continuity plans Suspicious activity reporting CFTC Regulations, Part 160.30 FTC enforcement of Section 5 of FTCA Practically every state has enacted laws relating to cybersecurity, including information security program and data breach notification requirements 7
IM Guidance Update (April 28, 2015) SEC staff identified a number of measures that advisers and funds may wish to consider in addressing cybersecurity risk, including: Conduct a periodic assessment of: (1) the information held and systems used by the firm; (2) threats and vulnerabilities; (3) existing controls; (4) potential impact of an incident; and (5) the cybersecurity governance structure Create a strategy designed to prevent, detect and respond to threats, which may include: (1) access and technical network controls; (2) encryption; (3) restricting use of removable storage media and deploying software that monitors for threats and incidents; (4) data backup and retrieval; and (5) the development of an incident response plan. Routine testing of strategies could also enhance the effectiveness of any strategy Implement the strategy through written policies and procedures and training 8
IM Guidance Update (cont.) Potential implications for compliance programs and regulatory risk exposure: In the staff s view, funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks.[f]unds and advisers may wish to consider reviewing their operations and compliance programs and assess whether they have measures in place that are designed to mitigate their exposure to cybersecurity risk. Staff stated that compliance policies and procedures could address cybersecurity risks relating to identity theft and data protection (Regulations S-P and S-ID), business continuity, and fraud (Codes of Ethics insider threats), as well as other disruptions in service that could affect, for instance, a fund s ability to process shareholder transactions (Section 22(e) and Rule 22c-1). 9
Cybersecurity Compliance Considerations under Rule 206(4)-7 and Rule 38a-1
Compliance Program Requirements IAA Rule 206(4)-7 and ICA Rule 38a-1 together require registered investment advisers and registered funds to (1) designate a chief compliance officer ( CCO ), (2) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, and (3) review annually the adequacy and effectiveness of such policies and procedures Cybersecurity compliance policies and procedures that address requirements under the federal securities laws should be included in compliance programs and evaluated as part of the annual review, which should include risk assessments, policy and procedure reviews, and service provider reviews 11
SEC Cybersecurity Sweep Examinations 2014: OCIE Risk Alert and Sweep Exams 2015: OCIE Sweep Exam Summary and IM Guidance Update Future Initiatives: OCIE Exam Priority for 2015 Other Regulators? SEC Sweep Exam Findings on CCO Involvement in Cybersecurity Significant majority of advisory firms assign information security responsibilities to Chief Technology Officers or to other senior officers, including Chief Compliance Officers, to liaise with third-party consultants who are responsible for cybersecurity Less than a third of the examined advisers (30%) have a Chief Information Security Officer 12
CCO Potential Liabilities I need to be clear that we have brought and will continue to bring actions against legal and compliance officers when appropriate SEC Enforcement Director Andrew Ceresney, Keynote Address at Compliance Week 2014 (May 20, 2014) Numerous enforcement actions against CCOs for a variety of alleged failures, including (1) failure to implement appropriate procedures to address risks and (2) failure to adequately assess effectiveness of those procedures 13
CCO Planning Items 1. Conduct cybersecurity risk assessment 2. Incorporate cybersecurity compliance risks into the firm s risk matrix 3. Review adequacy of policies and procedures, including those relating to cybersecurity requirements 4. Assess the effectiveness of implementation of the firm s cybersecurity policies and procedures, including testing 5. Due diligence on third party vendors 6. Incorporate cybersecurity into annual review of compliance program 7. Incident response planning 14
Testing Considerations Testing - Important aspect of assessing compliance programs Firms routinely conduct testing as part of annual assessment OCIE routinely asks for information about testing results in connection with inspections Common types of compliance testing: Transactional Tests Transaction-by-transaction tests conducted contemporaneously with the transaction Periodic Tests Transaction-by-transaction tests performed on a look back basis at relevant intervals, such a spot checks or random or regular detailed reviews Forensic Tests Tests that analyze data over a period of time looking for trends and patterns Traditional tests can be used in cybersecurity area (e.g., testing privilege management, document destruction, authentication procedures, red flag identification/response, physical safeguards) 15
Testing Considerations Specialized tests in the cybersecurity area Vulnerability Scans Automated process of proactively identifying security vulnerabilities of computing systems in a network to determine if and where a system can be exploited and/or threatened Penetration Testing An attack on a firm s information technology system conducted by an information security specialist retained by the firm with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data Advantages and disadvantages of each type of test 16
Cybersecurity Testing Challenges Relative lack of information security technical expertise in many compliance departments Compliance departments generally do not have experience with the specialized tests that can be used in this area Many compliance departments lack expertise to interpret the testing results Testing limitations Resource constraints 17
Potential Testing and Assessment Techniques Leverage OCIE cybersecurity sweep exam letter to identify and prioritize areas of focus Leverage information security resources in other parts of the organization to test compliance Add information security technical expertise in the compliance department to enhance testing capabilities Engage third parties to conduct vulnerability and penetration testing Rely on third party testing conducted for service providers Interview key personnel with cybersecurity responsibilities Observe implementation of cybersecurity policies in actual operating environment Utilize certifications and questionnaires Review management and third party reports relating to cybersecurity matters Evaluate trends in, and frequency of, exceptions or violations of cybersecurity requirements 18
Leveraging the 2014 SEC Cybersecurity Sweep Exam Questions to Assess Your Cybersecurity Practices
SEC Cybersecurity Sweep Exam Initiative The SEC s Office of Compliance, Inspections and Examinations examined 49 registered investment advisers and 57 registered broker-dealers in 2014 as part of its Cybersecurity Exam Initiative and issued a Risk Alert summarizing its observations in January 2015. Primary observations included: Most advisers (74%) reported that they have been the subject of a cyber-related incident The vast majority of examined advisers (83%) have adopted written information security policies, and over half of them (57%) audit compliance with these policies A high percentage of examined advisers report conducting firm-wide inventorying, cataloging or mapping of their technology resources The vast majority of the examined advisers conduct periodic risk assessments Almost all of the examined advisers (91%) made use of encryption in some form Approximately half of the examined advisers (53%) are using external standards and other resources to model their information security architecture and processes Approximately a third (32%) of the examined advisers require risk assessments of vendors with access to their networks Approximately a quarter of examined advisers (24%) include cybersecurity requirements in contracts with vendors Approximately a third of the examined advisers (30%) have an individual assigned as the firm s Chief Information Security Officer Written business continuity plans often address the impact of cyberattacks or intrusions, but only about half (51%) of adviser policies discuss mitigating cybersecurity incidents Approximately a quarter of examined advisers (21%) maintain insurance that covers losses and expenses from cybersecurity incidents 20
The 2014 SEC Cybersecurity Sweep Exam Topics The 2014 Sweep focused on the following six topics: Identification of Risks/Cybersecurity Governance; Protection of Firm Networks and Information; Risks Associated with Remote Customer Access and Funds Transfer Requests; Risks Associated with Vendors and Other 3 rd Parties; Detection of Unauthorized Activity; and Experience with Cybersecurity Attacks (network breach, malware, fraudulent transfer requests, etc.). 21
The 2014 SEC Cybersecurity Sweep Exam Question Highlights Baseline Inventory Questions from the Sweep (i.e., what your IT infrastructure consists of) Inventories of physical devices, systems, software platforms and applications; Maps of network resources, connections and data flows; and Logging capabilities and practices. 22
The 2014 SEC Cybersecurity Sweep Exam Question Highlights Protection of Firm Networks and Information Questions from the Sweep (i.e., what controls does your organization maintain) Controls to prevent unauthorized escalation of user privileges; Environment for testing and developing software separate from the production environment; Controls to prevent unauthorized changes to baseline configurations; System patching and maintenance; Protection against DDoS attacks; and Use of encryption. 23
The 2014 SEC Cybersecurity Sweep Exam Question Highlights Risks Associated with Remote Customer Access and Funds Transfer Requests Who provides and manages the service; How are customers authenticated for on-line account access; Security measures to protect customer pins/passwords; and Software/practices for detecting fraudulent account access. 24
The 2014 SEC Cybersecurity Sweep Exam Question Highlights Detection of Unauthorized Activity Maintaining baseline information about expected events on the firm s network; Monitoring the firm s network environment/physical environment; Using software to detect malicious code on firm networks and mobile devices; Monitoring for the presence of unauthorized users, devices, connections and software on the firm s networks; and Using the analysis of events to improve the firm s defensive measures and policies. 25
Testing Approaches
Testing Approaches Black Box- Assessor not given any details Grey Box- Assessor given limited knowledge White/Crystal Box- Knowledge is openly shared with assessor 27
Scoping Internal and/or External # of devices within the network # of locations to visit Sampling of all systems? Including workstations? 28
Vulnerability Assessments
Internal and/or External Determine in-scope environment Include external critical assets Include disaster recovery sites 30
Discovery Identification of Network Address Space Operating System Fingerprinting Open Ports Assess all TCP/UDP ports 1-65535 31
Vulnerability Identification Top Vulnerability Categories Unpatched applications Default credentials Excessive privilege and/or services Vulnerable web application forms 32
Extra Tests on Internal Assessments Wireless Security Assessment Review Policies & Procedures Third Party Connectivity Vendor Management Program Disaster Recovery/Business Continuity Plan Security Countermeasure Configuration 33
Penetration Testing
Penetration Testing Combining vulnerability assessments with penetration testing 35
Vulnerability & Exploit Correlation Exploits coming on quickly after vulnerability release Buffer Overflows Memory Leaks Race Conditions SQL Injections 36
Exploitation 37
Credential Manipulation Brute Forcing Passwords Passing the Hash Default Passwords Cookie Harvesting 38
Rogue Wireless Access Point User accesses a rogue device All traffic now intercepted User still able to access systems thus believes everything is fine 39
Social Engineering Any act that influences a person to take an action that may or may not be in their best interest. 40
Remote Social Engineering Review of Online Content LinkedIn Facebook GlassDoor Twitter Creation of Custom Ruse Execution Phishing Phone Scams Fake Customer/Vendor Engagements 41
On-Site Social Engineering Casing of the building and learning daily office workflows Google physical mappings Building plans/blueprints/owner details Ruse development Exploitation Tailgating Planting USB/CDRom/etc. Posing as vendor/customer 42
Web Application Assessments Identify roles, forms and system details Run scanning tools to identify potential weaknesses Attempt exploitation to gain system or data access Cross-Site Scripting SQL Injection Role Escalation API Abuse 43
Physical Security Red Team or Physical Security Walkthrough Assess Locks Doors Windows Physical Security Badging Hinges Cameras Motion Sensors Other 44
Enforcement and Litigation Outlook
Cybersecurity Enforcement SEC Activity Has Been Limited Principally Violations of Reg S-P Safeguards Rule Focus on Failure to Address Known Deficiencies Actions Predate Current Regulatory Focus FTC Remains Most Aggressive Agency 46
Safeguards Rule: 17 CFR 248.30(a) Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to: (1) Insure the security and confidentiality of customer records and information; (2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. 47
Who is Covered Customers are consumers individuals with a continuing relationship under which you provide financial products or services that are used primarily for personal, family, or household purposes. (i) An individual is your consumer if he or she provides non-public personal information to you in connection with obtaining or seeking investment advice. (ii) An individual is not your consumer if you are an investment company and individual purchases through a broker dealer or investment adviser who is the record owner. 48
SEC Actions Against Advisers LPL Financial Corporation, Adm. Proc. File No. 3013181, IA Rel. No. 2775, (Sept. 11, 2008) Deficiencies identified by internal audit Failure to use strong passwords. Passwords widely disseminated. Excessive session inactivity parameters. Unauthorized persons gain access and place unauthorized trades Settled order imposes $27,000 fine and independent consultant for two years 49
SEC Actions Against Advisers (cont.) Commonwealth Equity Services Adm. Proc. 3-13631, IA Release No. 2929, (September 29, 2009) Dual registrant failed to mandate antivirus software use by registered representatives IT staff failed to follow up aggressively to registered representative s report of virus and requests for assistance Intruder gained access through virus and placed 18 orders for a single stock in customer accounts Clearing broker detected trades and further activity blocked Firm fined $100,000 50
FINRA Enforcement FINRA actions involve Safeguards Rule and NASD Rules 3010 and 3012 on supervisory responsibility Actions focus on deficiencies in programs, even in the absence of customer harm: Only general vague summary policies that do not contain specific procedures on safeguarding of information Policies provide guidance, recommendations, and suggestions as opposed to mandates Lack of encryption, antivirus protection Lack of training, lack of response planning Failure to monitor or review or respond to deficiencies 51
SEC Actions Against Hackers SEC has pursued hackers without sanctioning firms Overseas hackers amass large penny stock position in legitimate online accounts Take control of online brokerage accounts to buy large quantities of these securities to inflate price Sell holdings from legitimate accounts SEC v. Marimuthu, C.A. No. 8:07CV94 (D. Neb. March 12, 2007)(innocent account holders lost $845,000); SEC v. Grand Logistic, Inc., C.A. No. 06-cv-15274 (S.D.N.Y. Dec. 16, 2006) 52
CFTC Enforcement In the Matter of Interbank FX, LLC, CFTC Docket No. 09-11 (June 29, 2009) CFTC Regulation 160.30 requires that FCMs, CTAs, CPOs and introducing brokers adopt policies and procedures that address the administrative, technical, and physical safeguards for the protection of customer records Firm had no policy or procedures concerning the protection of consumer personal identifying information (PII) While working on a systems upgrade, a software engineer is provided access and downloads PII for 13,000 customers to personal website 53
FTC Enforcement Section 5 of FTCA outlaws unfair or deceptive acts or practices affecting commerce FTC is the most aggressive enforcer Fifty cases since 2000 Defective data security practices Deceptive statements about use Far reaching remedies Authority challenged in FTC v. Wyndham Resorts (3d Cir.) and In the Matter of Lab MD, Inc. (FTC) Section 5 unfairness does not reach data security defects No fair notice of what data security practices Section 5 forbids 54
Predictions SEC enforcement staff has been largely silent on cybersecurity investigations SEC will continue focus on protecting individual information and assets SEC will examine firms critical infrastructure that may or may not relate directly to customer accounts or identities SEC will use compliance rules to bring cases based on failures to adopt reasonably designed procedures addressing topics covered in guidance 55
Civil Litigation Class actions by customers Derivative actions against directors and officers Securities actions Lawsuits between targets and banks 56
Civil Litigation Target Consumer Settlement Over 100 million individuals affected Settlement fund of $10 million Claims up to $10,000 on showing of actual loss Target/Mastercard Settlement Small institutions object to settlement Small institutions have higher per card losses Settlement would release further claims by small issuers 57
Key Takeaways and Next Steps
Session 3 Key Takeaways VULNERABILITY / PATCH MANAGEMENT - The identification and remediation of known software weakness Scan all internal and external systems to identify missing software patches Identify software and hardware that is no longer supported by the vendor. Unsupported software does not have patches developed by the vendor Have a documented process for how patches are implemented on your system from patch identification to implementation Request reporting PENETRATION TESTING - The identification and remediation of application functionality flaws (e.g., default configurations, application processing errors) that may lead to application compromises Consider using a reputable 3 rd party to conduct these reviews Start with external, internet facing applications that allow for the movement of funds and/or access personal information (FFIEC) then focus on critical internal applications Make certain that you are clear on what the results mean (i.e., business impact of risk exposure) Develop remediation of identified gaps 59
Session 3 Key Takeaways (cont.) WIRELESS ACCESS TESTING The identification and remediation of gaps related to the use of wireless devices Determine / identify the company stance on the use of wireless networks Does your company permit wireless access points on its network for internal employees? Does your company provide wireless access points on its network for guests or visitors? Is the wireless network for guests / visitors segmented off the internal network? Identify a reputable 3 rd party vendor to test your network against the policy / company posture and identify gaps Develop a project plan to remediate these gaps SOCIAL ENGINEERING Any attempt to trick or deceive an individual to provide information (e.g., account information) or conduct an action (e.g., clicking a malicious link) that may lead to personal or corporate harm Identify how these attacks may happen within your company. (e.g., email, phone, client authentication) Determine what your company and its clients can do to protect themselves Develop training to educate the company on how to protect themselves (ongoing) Develop training to educate your clients on how to protect themselves (ongoing) Develop testing to determine training effectiveness 60
Next Steps for Advisers and Funds 1. Engage senior management and, if appropriate, the board of the adviser and any funds in the complex 2. Conduct a cybersecurity governance and risk assessment 3. Review and test the adequacy of existing compliance policies, business continuity plans, technical controls and other relevant procedures 4. Develop an incident response plan 5. Enhance employee training 6. Review vendor relationships 7. Review insurance coverage 8. Assess need for, and adequacy of, any public disclosures 9. Attend upcoming K&L Gates and Investment Adviser Association Cybersecurity Seminar Series programs 61
Cybersecurity Seminar Series Overview Session 1 (February 27, 2015) Untangling the Gordian Knot Were to Begin When Building Your Cybersecurity Program Session 2 (March 23, 2015) Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers Session 3 (Today) Testing Your Cybersecurity Infrastructure and Enforcement Related Developments Session 4 (May 20, 2015) Breach What to Do When Things Go Wrong and Cybersecurity Insurance Coverage Session 5 (June 25, 2015) Building a Better Mousetrap Evolving Trends in Cybersecurity Practices and Public Policy Developments klgates.com 62
Speaker Contact Information Mark C. Amorosi, Investment Management Partner, K&L Gates LLP 202-778-9351 mark.amorosi@klgates.com Laura L. Grossman, Assistant General Counsel, Investment Adviser Association 202-507-7201 laura.grossman@investmentadviser.org Jason Harrell, Corporate SIRO Investment Management, BNY Mellon 212-635-8316 jason.harrell@bnymellon.com Jeromie Jackson- CISSP, CISM, Director of Security & Analytics, N th Generation 858-451-2383 x135 jeromie.jackson@nth.com Jeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates LLP 202-778-9062 jeffrey.maletta@klgates.com Andras P. Teleki, Investment Management Partner, K&L Gates LLP 202-778-9477 andras.teleki@klgates.com 63
Additional Cybersecurity Resources To access our firm s additional cybersecurity related recorded webinars, presentations, articles and checklists please visit www.klgateshub.com. 64
THANK YOU