Cyber Security - P&I Events

Posted on 25-Jul-2020

Page 1

Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP

Speakers:
Keith Overly, Executive Director, Ohio Deferred Compensation Program
Raj Patel, Partner, Plante & Moran, PLLC
Bill Stewart, Senior Vice President, Booz Allen Hamilton
Chris Jarmush, Area Vice President, Defined Contribution Practice Leader, Arthur J. Gallagher & Co.

Cyber Security

Page 2

Ohio Deferred Compensation

• Ohio Deferred Compensation is a plan sponsor and recordkeeper

• Current Practices
  – Information Security Policy
  – Independent security audit

Page 3

Ohio Deferred Compensation

• Information Security Policy
  – Physical and electronic security
  – Staff training
  – Data storage and destruction
  – Offsite use of computers
  – Data use by vendors

Page 4

Ohio Deferred Compensation

• Independent Security Audit
  – Compliance review of actual procedures/practices
  – Penetration testing
  – Social engineering testing

Page 5

Ohio Deferred Compensation

• Future Considerations
  – Move to cloud-based computing
  – Federal Risk and Authorization Management Program (FedRAMP)
    – Standardized approach to security for cloud products
    – Third party assessment
  – Cyber insurance

Page 6

Weak Infrastructure
– Weak design (firewalls, wireless routers)
– Weak user authentication (users, passwords)
– Lack of encryption (VPN, secure portals)
– Out-dated patch management / anti-virus
– Lack of periodic testing

User Ignorance
– Weak user passwords
– Poor judgment
– Phishing attacks
– Not staying current on security trends

"97% of Breaches Were Avoidable. Most victims aren't overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them." – Verizon Data Breach Investigations Report

Technology Advances
– Mobile devices
– Cloud computing / public portals
– Data collaboration
– Social media

Third Party Vendors
– Weak due diligence
– No breach notification
– No annual breach confirmation

Page 7

House of Security

Different organizations view information security differently. Some of the differences are related to varied risk and threat profiles impacting an organization — based on factors such as industry, location, products/services, etc. Other differences are related to management's view of security based on its experience with prior security incidents.

Page 8

World of Security

Page 9

Secure Network Infrastructure

1. Layer your network – Public, Sensitive, Confidential, Private
2. Perimeter Security – Firewalls, IDS/IPS
3. Wireless Security – SSID, Encryption, Default Password
4. Authentication – Users & Passwords
5. Encryption – Connectivity & Storage
6. Anti-virus
7. Patch Management
8. Remote Access
9. Network Monitoring
10. Annual Testing – External Penetration & Internal Security Assessment

Page 10

Page 12

Financial Services institutions have an expansive and changing attack surface

[Diagram: attack-surface map. People: Employees, Clients, Client's Third Party Vendors, Third Party Vendors' Vendors, Friends, Family, Business Contacts. Devices: Cell Phone, Tablet, Laptop. Public channels: Social Media, Marketing, Website, Recruiting. Corporate assets: Data Storage (Cloud), Data Storage (Portable), Corporate Fleet, Corporate Platforms, Knowledge Management Systems, Test or Virtual Environments.]

Page 13

Attackers vary in purpose and sophistication

[Diagram: actor groups ordered by increasing level of sophistication]
– Employees
– Hacktivists
– Organized Crime
– Terror Organizations
– Nation States

Page 14

Adopting an active defense is imperative

Protect – Prepare for an attack today with the goal of preventing an attack tomorrow

Detect – Monitor your systems and emerging threats

Remediate – Know what to do when the inevitable occurs

Page 15

Multiple controls must be put in place

[Diagram: controls arranged around the Protect / Detect / Remediate cycle]

Protect
– Application Security
– Data Centric Protection
– Insider Threat Management
– Identity and Access Management
– Personnel Screening
– Physical and Environment Security

Detect / Remediate
– Cyber Analytics
– Security Intelligence Monitoring
– Security Monitoring
– Vulnerability Assessment
– Third Party Risk Management
– Threat Management
– Incident Response

Page 16

The importance of third party risk management cannot be overstated

[Diagram: third party risk lifecycle. Phases: Planning, Due Diligence, Control Effectiveness Assessment, Business Impact Assessment, Final Selection & Remediation Plans, Contract Negotiation, Ongoing Monitoring, Re-Assessment, News Feeds. Risk states: Service Desired, Engagement Risk Profile, Inherent Risk, Preliminary Risk, Residual Risk, Residual Risk Post Remediation. Control inputs: Internal Controls, External Controls.]

Page 17

Top Trends in Cybersecurity for Financial Services

1. Third Party Risk

2. Cyber Fusion Center (CFC) Implementations

3. Data Element Protection

4. Alternative Payment System Exposure

5. Cyber Crime Analysis

6. Hacktivism spreads to Middle East

7. “Western” Cyber problems coming to developing nations

8. Wargaming

9. Privacy Knowledge

10. Cyber Insurance Usage Growth

Page 18

Are Defined Contribution Plans at Risk of Cyber-Attacks?

Assessing Cyber-risk across the DC Landscape

Yes – but the DC complex is not (yet) a primary target of cyber fraud

Page 19

Who are the primary gatekeepers of Participant assets and data?

Fiduciary Responsibilities

Participants

Plan Sponsor

Record-keeper

Advisor

TPA

• Fiduciary protocols were clearly written with an aim of safeguarding participant assets – what about identity?

• Each entity represents a potential point-of-entry for a cyber-attack

Page 20

Cybersecurity Examination Initiative 2014 – OCIE [1]

Vulnerability of Financial Services Firms

• 90% of broker-dealers and 75% of registered investment advisors have been the subject of a cyber-related incident

• 54% of broker-dealers and 43% of RIAs received fraudulent e-mails seeking to transfer client funds

• Vast majority of firms conduct periodic risk assessments to identify cybersecurity threats

• Only 30% of broker-dealers and 13% of managers have provisions to determine their responsibility for cyberattacks

[Chart] Cyberattack Incidents Reported by Federal Agencies (in 000s), GAO / US-CERT data:
2006: 5.5 | 2007: 11.9 | 2008: 16.8 | 2009: 30 | 2010: 41.8 | 2011: 42.9 | 2012: 48.6

[1] National Exam Risk Alert by the Office of Compliance Inspections and Examinations, February 3, 2015

Page 21

What steps can Plan Sponsors take to help safeguard participants?

Taking a Proactive Approach

• Internal Controls – Ensure proper security maintenance programs are in place with sufficient resources dedicated to their execution

• SOC 1 (SSAE 16) Certification – Seek service providers who have demonstrated sufficient control procedures

• Service Standards - Establish written service standards and protocols for what constitutes a “reportable event”

• Information Sharing Networks – Identify industry groups sharing information on cybersecurity best practices