Cyber Readiness in the Securities and Brokerage Industries Featuring Armstrong Teasdale Attorneys:...
TRANSCRIPT
© 2014 Armstrong Teasdale
LLP
Cyber-Readiness in the Securities and Brokerage Industry
Scott K.G. Kozak & Jeffrey Schultz
September 24, 2014
Current Events
2013
• Target
− 40 million+ customers affected
2014
• Home Depot
− Breach in April 2014, discovered in August 2014
− 50 million+ affected; class action filed 9/10/14 in Eastern District of Missouri
− Offered customers and employees free credit monitoring, fraud protection and identity protection services for 1 year
• Benjamin F. Edwards & Co
− Discovered 3 days after breach took place
− Firm offered customers and employees free credit monitoring, fraud protection and identity protection services for 1 year
• BAE Systems reported hedge fund customer lost millions due to “lag time” malware installed through “spear-phishing” email
Privacy and Information Security
Privacy:
• The right to be left alone
• The right of an individual to be protected against intrusion into her personal life or affairs
Information/Data Security:
• Defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction
Internet vs. Privacy: “a helpful Venn diagram”
[Figure: Venn diagram of “The Internet” and “Privacy” (no overlap shown); by David Hoffman, available at http://bit.ly/bqU5vU]
Who is the Top Information Security Threat?
Hackers? Spies? Cyber terrorists?
INFORMATION SECURITY ENEMY #1
Evolving Expectations of Privacy?
Zuckerberg’s Law
“I would expect that next year, people will share twice as much information as they share this year, and the next year, they will be sharing twice as much as they did the year before.”
Social Engineering: an Increasingly Common Threat
A significant majority of external intrusions contain a social engineering element.
Phishing attacks are becoming increasingly sophisticated:
• Use of email/web-based attacks
• Personalized emails: information gleaned from Facebook or LinkedIn
• Fake internal company emails
Common Problems
Lack of Employee Training
• Employees unaware of potential problems
No Security Culture
• Employees aren’t thinking about security implications
Ineffective Internal Controls
• Too much access to information
Overview of Privacy Law
Fundamentally different legal/regulatory schemes in different jurisdictions:
United States
• No comprehensive “law”
• Patchwork of sector-specific (e.g. HIPAA) and jurisdiction-specific regulations
Europe
• Comprehensive data protection scheme
• Strict privacy protection
• “Privacy as a human right”
Some Important Privacy and Data Security Laws in the U.S.
Fair Credit Reporting Act (FCRA)
Health Insurance Portability and Accountability Act (HIPAA)
Computer Fraud and Abuse Act (CFAA)
Stored Communications Act
Gramm-Leach-Bliley Act (GLBA)
Children’s Online Privacy Protection Act (COPPA)
Section 5 of the Federal Trade Commission Act
State Data Theft, Breach Notification, and Other Privacy Laws
Cybersecurity Focus in Securities Industry
“Cybersecurity [has] become a top concern … mounting evidence that the constant threat of cyber-attack is real, lasting and cannot be ignored” – Commissioner Aguilar
2012 Survey: 89% identify cyber-crime as potential systemic risk, with 53% reporting a cyber-attack in previous year
SEC Regulatory Approach
October 2011 – Division of Corporate Finance
• Guidance on disclosure obligations
• Requires disclosure of material information regarding cybersecurity risks and cyber incidents
Proposed Rule – Regulation Systems, Compliance and Integrity
• Aims to require covered entities to test automated systems, continuity and disaster recovery plans and notify SEC of intrusions
• SEC professed goal as of March 2014 is to make significant progress in 2014
SEC Regulatory Approach
Regulation S-ID (http://www.sec.gov/rules/final/2013/34-69359.pdf)
• Requires certain regulated financial institutions to adopt and implement identity theft programs
• SEC expects institutions to know “Identity Theft Red Flags” and incorporate into policies
− http://www.sec.gov/info/smallbus/secg/identity-theft-red-flag-secg.htm
Regulation S-P (http://www.sec.gov/rules/final/34-42974.htm)
• Privacy of consumer financial information
• Notice to customers of privacy policy and practices
− Consumer knowledge and “opt-out” option
SEC Actions
March 2014 – SEC Roundtable
• Integrity of Market Systems
• Customer Data Protection
• Disclosure of Material Information
April 2014 – OCIE Cybersecurity Initiative
• Designed to assess cybersecurity preparedness
• Method to collect information of industry experience
• Examinations to be conducted of more than 50 broker-dealers and registered investment advisors
OCIE Cybersecurity Governance Focus Areas
• Identification of Risks
• Policies and Procedures
• Documentation
• Third-Party Exposure
• Detection
Identification of Risks
System Access
• What can account holders do?
− Fund Transfers, Beneficiary Changes, Emailed action requests
• What can employees do?
− Remote access, Client account management
Third Party Management
• Hardware and Software
• Storage and Backup
Policies and Procedures
Network & Information Security
Risk management process standard?
What is the source or model of this standard?
What practices and controls are utilized by the firm?
Policies and Procedures
Access
• Employees
− Training
− Security protocols (passwords, 2-step verification) and User privileges (escalation control)
• Customers
− Remote access security (2-step verification, key fob)
− Verification of email requests
− Limitations (Transfers, Beneficiary changes, Account holder)
• Third Parties
− Financial management applications (Mint, Personal Capital, etc.)
− Periodic access restriction requiring verification
Policies and Procedures
IT Assets
Software
• Loss prevention software
• Internet protection software (DoS)
• Malware / Virus protection and detection
Encryption
• Types of data encrypted
• Methods of encryption
• Devices (iPhone, iPad, laptops, open internet portals)
Policies and Procedures
IT Assets Architecture
• Environment
− Segregation of application and testing
• “Locked” basic configuration
− Baseline access and data organization
• Maintenance (patching, upgrades)
• Backup System
Quality Control
• Periodic testing and compliance assessments
• Penetration and Vulnerability scans
− Who and How Often (Internal IT, Third Party Vendors)
Documentation
Security/Hacking guarantees and policy
• What security is offered to customers
• What information is provided to customers in the event of a breach
Written data destruction policy
• Lawful destruction limits potential for large-scale data breach
Incoming/Departing employee policy
• Employees are a security threat – not just outsiders
Cybersecurity incident response policy
• Update schedule
• Response guidelines
Training for vendors and authorized partners
• Clear identification of expectations and requirements
Documentation
Reporting
Customer
Law Enforcement
Treasury Financial Crimes Enforcement Network (FinCEN)
• Suspicious Activity Report
− http://www.fincen.gov/news_room/rp/sar_guidance.html
SEC/FINRA
State Securities Commissioner
Public Interest Group
Documentation
Records, Records, Records
Number of experienced events
• SEC Focus: After January 1, 2013
Significance of event(s)
• Repeated incidents or sources (10+)
• Amount of losses ($5K+)
• What was accessed
• How was Firm service compromised
Third Party Exposure
Risk Assessment
• Who conducts
• Assessment standards
− Questionnaire
− Minimum security requirements
− Independent audits and security verification
• Contractual provisions and requirements
• Segregation of network resources
− Universal access or firewalled
• Remote maintenance policy
Detection
Who is responsible for oversight
• Specific responsibility assignments
• Organizational chain for detection + reporting
Baseline development
• Standard expectations
− Access timing (market-based, geographical base)
− Outside access (remote vs. office)
− Weekday/Weekend/After Hours
Detection
Establish thresholds
• “Incident Alert” threshold
− Internal / Satellite
− Identification of anomalies
Monitoring
• Software
− Unauthorized access
− Unauthorized software
• Hardware
− Unauthorized connections or devices
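The baseline items the two Detection slides list (access timing against market hours, remote vs. office, weekday/weekend/after hours, geographic base) and an “incident alert” threshold, worked into a small Python check over constructed access-log lines. This is an added example, not material from the presentation; the office address prefix, the Eastern-time market window, the US geographic base and the threshold of three anomalies per account are all assumptions.

```python
# Added example: baseline deviations per access event, with a per-account
# "incident alert" threshold. All baseline values below are assumptions.
from datetime import datetime, time
from collections import Counter

OFFICE_NETS = ("10.20.",)          # assumed office address prefixes (constructed)
BASE_COUNTRY = "US"                 # assumed geographic base for all accounts
MARKET_OPEN, MARKET_CLOSE = time(9, 30), time(16, 0)   # assumed market window (ET)
ALERT_THRESHOLD = 3                 # anomalies per account before an incident alert

# Constructed sample log lines: timestamp,account,source_ip,country,action
SAMPLE_LOG = """\
2014-09-24T10:05:00,acct-1001,10.20.5.7,US,view_balance
2014-09-24T18:30:00,acct-1001,10.20.5.7,US,view_balance
2014-09-27T02:15:00,acct-2002,203.0.113.9,RU,change_beneficiary
2014-09-27T02:17:00,acct-2002,203.0.113.9,RU,wire_transfer
2014-09-24T15:59:00,acct-3003,198.51.100.4,US,view_balance
"""

def anomalies_for(ts, ip, country):
    """Return the baseline deviations (as tags) for one access event."""
    found = []
    if ts.weekday() >= 5:                       # Saturday/Sunday
        found.append("weekend")
    elif not MARKET_OPEN <= ts.time() <= MARKET_CLOSE:
        found.append("after_hours")             # weekday but outside market hours
    if not ip.startswith(OFFICE_NETS):
        found.append("remote")                  # outside the office network
    if country != BASE_COUNTRY:
        found.append("foreign_geo")             # outside the geographic base
    return found

def scan(log_text):
    """Score every line; return per-account anomaly counts and alerted accounts."""
    counts = Counter()
    for line in log_text.splitlines():
        ts_s, account, ip, country, _action = line.split(",")
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%S")
        counts[account] += len(anomalies_for(ts, ip, country))
    # Accounts at or above the threshold become "incident alert" candidates
    alerts = sorted(a for a, n in counts.items() if n >= ALERT_THRESHOLD)
    return counts, alerts

if __name__ == "__main__":
    counts, alerts = scan(SAMPLE_LOG)
    print(dict(counts), "alerts:", alerts)
```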
Industry Snapshot
Identification of Risks
85% used multiple electronic devices to access client information
42% did not use any authentication procedures for client instructions received via email or electronic messaging
• Only 41.1% required dual-factor authentication
Only 41.5% had a policy on accessing client information or communications from a non-business device
Only 38% had policy for detecting unauthorized activity on networks or devices
Industry Overview
Vendors and Third Parties
37% did not conduct risk assessments
40% of those that conducted risk assessments did so only on an annual basis
23% had no confidentiality agreements with third-party providers and servicers
• BUT – 76% use on-line or remote backup of electronic files
Industry Overview
Policies and Procedures
Only 44.6% had cybersecurity policies, procedures or training programs
23.1% had no policies whatsoever
Industry Overview
Policies and Procedures
Only 47.4% had data storage device destruction policies
Only 39.2% had loss of electronic device policies (e.g., laptop, smartphone)
OCIE Examination Process
Factors favoring examination
• Statutory directive
• Entity risk profile
• Tip, complaint or referral
• Review of specific risk area
Examination
• Announced or unannounced
• Initial interview – “critical … determine[s] tone and focus of examination”
• Tour – analysis of workflow and control environment
• Cooperation, including provision of persons with knowledge, is key
• Follow-up may include telephone interviews
http://www.sec.gov/about/offices/ocie/ocie_exambrochure.pdf
OCIE Examination Process
Third Party Providers
• OCIE will request relevant information from examinee or from agents/custodians
Clients & Customers
• OCIE will “routinely contact” to gather and/or verify information
Exit Interview
• Last day of site visit
• Entity afforded opportunity to discuss issues raised by exam staff
− Includes actions entity has taken or plans to take to address issues
http://www.sec.gov/about/offices/ocie/ocie_exambrochure.pdf
OCIE Examination Process
Examination Conclusion
• SEC Section 4E – completion due on later of two dates
− 180 days after completion of on-site portion of exam; or
− 180 days after all records requested are examined or inspected
• 180-day extension available for “complex examinations”
Exam Results
• Deficiency Letter
− Entity to respond timely, addressing all identified issues
• Referral to Division of Enforcement
− Direct referral without exit exam may be made in “exigent circumstances”
• Referral to SRO, State regulatory agency or law enforcement
http://www.sec.gov/about/offices/ocie/ocie_exambrochure.pdf
Challenge: Decision Makers’ Lack of Familiarity with the Technology
“If I'm applying the First Amendment, I have to apply it to a world where there's an Internet, and there's Facebook, and there are movies like ... The Social Network, which I couldn't even understand.”
—Justice Stephen Breyer
Justice Roberts: “I thought, you know, you push a button; it goes right to the other thing.”
Justice Scalia: “You mean it doesn't go right to the other thing?”
—Justice John Roberts to Justice Antonin Scalia regarding how a text-messaging service works
To Do List
Identify/Organize Persons with Knowledge
• Cybersecurity Committee and/or Response Team
Audit Cybersecurity Status
• Review internal and external Policies
• Review access, verification and recovery
Third Party Vendors
• Review contracts and policies
Quality Control and Assessment
• Update records … or get started
Insurance
• Mind the gap
Be Proactive
How Can We Help?
Securities Regulatory & Litigation Group
• Former MO Securities Commissioner
• Former federal prosecutor
• Experienced securities litigators
Data Security and Privacy Group
• CIPP|US and Ethical Hacker Certified
• International and Domestic experience
Questions?
Scott K.G. Kozak
Partner, Litigation
314.259.4714
Jeffrey Schultz
Partner, Litigation
314.259.4732
CLE Webinar Confirmation Code: KS0912