
Page 1: Monday, March 23, 2015 Board and Senior Management

© Copyright 2015 by K&L Gates LLP. All rights reserved.

Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers

Mark C. Amorosi, Investment Management Partner, K&L Gates LLP

Jeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates LLP

Laura L. Grossman, Assistant General Counsel, Investment Adviser Association

Andras P. Teleki, Investment Management Partner, K&L Gates LLP

Monday, March 23, 2015

Page 2

Investment Management Cybersecurity Seminar Series Overview

Session 1 (February 27, 2015): Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program

Session 2 (Today): Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers

Session 3 (April 29, 2015): Testing Your Cybersecurity Infrastructure and Enforcement Related Developments

Session 4 (May 20, 2015): Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage

Session 5 (June 25, 2015): Building a Better Mousetrap – Evolving Trends in Cybersecurity Practices and Public Policy Developments

Page 3

Session 2 Topics

Oversight responsibilities of board and senior management of investment advisers

Cybersecurity oversight responsibilities of mutual fund boards

Chief Compliance Officer oversight of cybersecurity

Cybersecurity and Rule 38a-1 and Rule 206(4)-7 reviews

Cybersecurity considerations with respect to service providers (e.g., transfer agent, administrator and custodians) and vendors (e.g., IT, due diligence providers, rating agencies)

Contractual considerations with respect to cybersecurity matters

Page 4

Responsibilities of Directors and Management for Cybersecurity

Page 5

Cybersecurity: Who Is Responsible (and Liable)?

Directors and officers of registered funds and public companies

Officers and managers of registered advisers

Chief compliance officers

Everyone else

How Do We Determine Responsibility?

Page 6

Context: The Spectrum of Cyber Attacks

Advanced Persistent Threats (“APT”)

Cybercriminals, exploits and malware

Denial of service attacks

Domain name hijacking

Corporate impersonation and phishing

Mobile and disgruntled employees

Lost or stolen laptops and mobile devices

Third-party vendor weaknesses

Page 7

Context: Potential Effects

Loss of customer funds or assets

Compromise of customer information

Loss of web presence and online business

Interception of email and data communications

Brand tarnishment and reputational harm

Legal and regulatory complications

Loss of “crown jewels” IP and trade secrets

Page 8

No Generally Applicable Privacy and Data Law and No Standard Compliance Program

Securities industry subject to rules that set certain standards and responsibilities

Standards of care develop in civil litigation

Regulatory enforcement may set standards and define responsibilities

Compliance/risk management best practices provide guidance

Page 9

Responsibilities Defined Through Liabilities

Civil litigation against company

Director/officer liability

State corporation law

Federal securities laws

Federal regulatory enforcement

Securities and Exchange Commission

Federal Trade Commission

State regulatory enforcement

Page 10

Responsibility Defined By Civil Liability

Page 11

Civil Liability Of The Entity

State law claims

Breach of contract

Misrepresentation

Negligence

State consumer laws

State privacy laws

Page 12

Civil Liability Of The Entity (cont’d)

Individual injury/damage issues may limit recovery

Plaintiff generally must prove economic loss

Loss of personal information may not be injury

Business to business claims more complex

Breach of contract

Business disruption

Page 13

Director and Officer Liability

“[B]oards that choose to ignore or minimize the importance of cybersecurity liability do so at their own peril” – SEC Commissioner Luis A. Aguilar, Speech at “Cyber Risk and the Board Room” Conference, NYSE, June 10, 2014

How should a director approach cybersecurity?

How should management approach cybersecurity and work with the board?

Page 14

Respective Roles of the Board and Management

Traditional view

Board not involved in day to day operations

Board has an oversight role

Management is responsible for risk management

Trend toward greater board involvement

Case law developments

SEC statements and enforcement actions

Best practice pronouncements

Page 15

Directors’ Duties Concerning Oversight and Risk Management

Principally a function of state law

Duty of care

Acting on an informed basis

Acting in good faith

Acting in the best interest of the company

Duty of loyalty

Placing the company’s interests first

Acting in good faith

Page 16

Duty of Oversight

Directors have a duty to insure that adequate information systems exist to detect violations of law

Directors have a duty to monitor systems to keep informed

Directors face liability when they consciously fail to act to implement systems or consciously fail to monitor systems

Tantamount to not acting in good faith – no protection of the “business judgment” rule

No protection under exculpatory charter provisions

In re Caremark Int’l Derivative Litigation (Del. Ch. 1996); Stone v. Ritter (Del. 2006)

Page 17

Cases Against Directors

Target Corporation: Collier v. Steinhafel et al.

“This action arises out of the Individual Defendants’ responsibility for, release of false and misleading statements concerning, and the bungling of the aftermath of the worst data breach in retail history.” (emphasis in original complaint)

“All of the Individual Defendants violated and breached their fiduciary duties of loyalty, good faith, due care, oversight, fair dealing, and candor.”

Institutional Shareholders Services recommends voting against seven incumbent Target directors

Page 18

Public Company Disclosure Obligations

Cybersecurity risks and their impacts should be disclosed

Division of Corporation Finance Disclosure Guidance No. 2 (October 13, 2011)

Areas where disclosure may be needed

Risk Factors

Management Discussion and Analysis

Description of Business

Legal Proceedings

Financial Statements

Expenses for compliance

Expenses to mitigate

Loss contingencies

Disclosure and Internal Controls

Page 19

SEC Disclosure Obligations (cont’d)

Directors and certain officers may be personally liable for misstatements in and omissions from SEC filings

Sections 11 and 12(a)(2) of the Securities Act

Section 10(b) of the Securities Exchange Act and Rule 10b-5

In re Heartland Payment Systems, Inc. Securities Litigation

SEC may consider enforcement action

Page 20

Private Advisers and Funds/State Law Liability

Investment advisers, and their senior management, also are subject to fiduciary duties of care and loyalty to take reasonable steps to prevent harm to clients

Fiduciary responsibilities generally extend to cybersecurity-related matters

Some types of liability may be limited by fund organizational documents or by contract

Page 21

The Regulatory Framework

Page 22

Cybersecurity at the Top of the SEC’s Mind

Corp Fin Guidance (2011)

Commission Roundtable (2014)

OCIE Sweep and Risk Alert (2014/15)

OCIE Examination Priority (2015)

Numerous references in staff remarks (passim)

Page 23

Overview of the Legal Framework

Regulation S-P (including “Safeguards Rule”)

Regulation S-ID (Identity Theft Red Flags)

IAA Rule 206(4)-7 and ICA Rule 38a-1

IAA Rule 204-2(g) and ICA Rule 31a-2(f)

ICA Rule 30a-3 (Internal Controls)

Disclosure Requirements

Page 24

Overview of Legal Framework (cont’d)

Business continuity plans

Suspicious activity reporting

CFTC Regulations, Part 160.30

FTC enforcement of Section 5 of FTCA

Practically every state has enacted laws relating to cybersecurity, including information security program and data breach notification requirements

Page 25

Regulation by Enforcement

Standards may be set through settlements of enforcement actions

FCPA paradigm

“Our actions against entities have had a tremendous impact in the last 10 years…[C]ompanies have increased their compliance spending exponentially” – Andrew Ceresney, Director, SEC Division of Enforcement, Remarks at 31st International Conference on FCPA (Nov. 19, 2014)

FTC cases provide “guidance” for cybersecurity

Page 26

Director/Management/Supervisory Responsibility

Rules sometimes assign responsibility

ICA Rule 38a-1: compliance program approved by the board

ICA Rule 30a-3: internal controls designed by fund’s principal executive and financial officers and “effected” by directors, management and others

Risk management best practices place responsibility on senior management

Liability under “Controlling Person,” “Aiding and Abetting,” and/or “Causing” Theories

Page 27

“Causing a Violation”

“If the Commission finds, after notice and opportunity for hearing, that any person is violating, has violated, or is about to violate any provision of this title, or any rule or regulation thereunder, the Commission may publish its findings and enter an order requiring such person, and any other person that is, was, or would be a cause of the violation, due to an act or omission, the person knew or should have known would contribute to such violation, to cease and desist from committing or causing such violation and any future violation of the same provision, rule, or regulation.”

IAA § 203(k)(1); ICA § 9(f)(1)

Page 28

Internal Controls

The term internal control over financial reporting . . . includes those policies and procedures that:

(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the investment company;

(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the investment company are being made only in accordance with authorizations of management and directors of the investment company; and

(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the investment company's assets that could have a material effect on the financial statements.

ICA Rule 30a-3(d)

Page 29

Requirements For Electronic Storage Media

In the case of records on electronic storage media, the investment adviser must establish and maintain procedures:

(i) To maintain and preserve the records, so as to reasonably safeguard them from loss, alteration, or destruction;

(ii) To limit access to the records to properly authorized personnel and the Commission (including its examiners and other representatives).

IAA Rule 204-2(g)(3)

Page 30

Possible Theories

Cyber attacker gains access to client personal information, assets or funds are stolen

Records are corrupted or manipulated

Adviser failed to protect or limit access to electronic records in violation of IAA Rule 204-2(g)

Fund failed to maintain internal controls, in violation of ICA Rule 30a-3

Compliance procedures are defective

Directors, officers, managers “caused” a violation by failure to implement controls or procedures

Page 31

Key Cybersecurity Governance and Organizational Matters

Page 32

Board Responsibilities and Process

Full board should be involved and informed

Education on risks and risk management

Use of external resources

Addition of directors with expertise

Cf. “financial expert,” Sarbanes Oxley Act (“SOX”) § 407

“Risk management” committee(s)

Increased audit committee resources

Audit committee retained experts, SOX § 301

Page 33

Management Responsibilities

Law and risk management best practices place responsibility for developing and implementing cybersecurity programs principally on management

Cybersecurity frameworks call for involvement of entire enterprise in risk assessment and program design

Continual reevaluation of programs is necessary as threats change rapidly

Regular reports to senior management and board or appropriate committee to educate and satisfy oversight responsibilities

Page 34

Management Responsibilities (cont’d)

Cybersecurity typically requires involvement by representatives from different parts of the organization with relevant roles and job functions, including information technology, legal, compliance and risk

Cybersecurity should involve coordination among:

Senior management

Chief Information Officer (or similar function)

Chief Legal Officer

Chief Compliance Officer

Chief Risk Officer (if any)

Responsibilities should be clearly defined

Frameworks generally require a single individual with ultimate responsibility

Page 35

Reliance on Cybersecurity Frameworks

Numerous organizations have published cybersecurity frameworks intended to provide guidance on protecting companies and other organizations against cybersecurity risks

There is no legal requirement that investment management firms follow a specific cybersecurity framework; the SEC has cited cybersecurity frameworks but has not endorsed one in particular

There is no one size fits all approach

Companies and other organizations have unique risks and how they implement cybersecurity strategies and allocate resources will vary based on each firm’s critical activities

SEC has criticized “off the shelf” compliance programs that are not tailored to a firm’s operations

Page 36

Sample Frameworks and Standards

National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity

International Organization for Standardization and International Electrotechnical Commission Information Technology 27001 and 27002 Framework

ISACA (fka International Systems Audit and Control Association) Control Objectives for Information and Related Technology (“COBIT”) 5

SANS Institute Critical Security Controls

GCHQ CESG Ten Steps to Cybersecurity

Page 37

Chief Compliance Officer Oversight Responsibilities for Cybersecurity

Page 38

Compliance Policies and Testing

IAA Rule 206(4)-7 and ICA Rule 38a-1 together require registered investment advisers and registered funds to (1) designate a chief compliance officer (“CCO”), (2) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, and (3) review annually the adequacy and effectiveness of such policies and procedures

Cybersecurity compliance policies and procedures that address requirements under the federal securities laws should be included in compliance programs and evaluated as part of the annual review, which should include risk assessments, policy and procedure reviews, and service provider reviews

Page 39

SEC Sweep Exam Findings on Role of CCOs

Results of the SEC staff cybersecurity sweep exam indicated that a significant majority of advisory firms assign information security responsibilities to Chief Technology Officers or to other senior officers, including Chief Compliance Officers, to liaise with third-party consultants who are responsible for cybersecurity

Less than a third of the examined advisers (30%) have a Chief Information Security Officer

Page 40

SEC Guidance on Role of CCO

No specific SEC guidance on the role of the CCO in the context of cybersecurity programs

The 2004 Adopting Release for Rule 206(4)-7 and Rule 38a-1 and other formal and informal statements by the SEC and its staff provide guidance that can be applied in the context of compliance with cybersecurity requirements under the federal securities laws

Adviser CCOs: “An adviser's chief compliance officer should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop and enforce appropriate policies and procedures”

Responsible for administering policies and procedures adopted to comply with the Advisers Act and the rules thereunder, which include cybersecurity requirements

Page 41

SEC Guidance on Role of CCO

SEC has provided more specific guidance on the responsibilities of mutual fund CCOs, which extends to cybersecurity compliance obligations under the federal securities laws

Oversight: “The chief compliance officer, in exercising her responsibilities under the rule, will oversee the fund's service providers, which will have their own compliance officials”

Oversight responsibilities extend to each investment adviser, principal underwriter, administrator and transfer agent

Oversight extends to compliance with the “Federal Securities Laws” (e.g., Regulation S-P, but not state data breach laws)

Page 42

SEC Guidance on Role of CCO

Administration: “A [CCO] should diligently administer this oversight responsibility by taking steps to assure herself that each service provider has implemented effective compliance policies and procedures administered by competent personnel”

Familiarity with Service Providers: “The [CCO] should be familiar with each service provider's operations and understand those aspects of their operations that expose the fund to compliance risks” and “maintain an active working relationship with each service provider's compliance personnel”

Page 43

SEC Guidance on Role of CCO

Monitoring: “Arrangements with the service provider should provide the fund's [CCO] with direct access to these personnel, and should provide the [CCO] with periodic reports and special reports in the event of compliance problems”

“[T]he fund's contracts with its service providers might also require service providers to certify periodically that they are in compliance with applicable federal securities laws, or could provide for third-party audits arranged by the fund to evaluate the effectiveness of the service provider's compliance controls”

Testing: “The [CCO] could conduct (or hire third parties to conduct) statistical analyses of a service provider's performance of its duties to detect potential compliance failures”

Page 44

CCO Potential Liabilities

“I need to be clear that we have brought – and will continue to bring – actions against legal and compliance officers when appropriate” – SEC Enforcement Director Andrew Ceresney, Keynote Address at Compliance Week 2014 (May 20, 2014)

Numerous enforcement actions against CCOs for a variety of alleged failures, including (1) failure to implement appropriate procedures to address risks and (2) failure to adequately assess effectiveness of those procedures

Page 45

Annual Review Considerations

Risk-based approach, including with respect to cybersecurity matters

Review should focus on (1) the adequacy of policies and procedures, including those relating to cybersecurity requirements, and (2) the effectiveness of their implementation

Page 46

Annual Review – Risk-Based Approach

Conduct/review cybersecurity risk assessment: “[E]ach adviser should identify its unique set of risks, both as the starting point for developing its compliance policies and procedures and as part of its periodic assessment of the continued effectiveness of these policies and procedures”

Incorporate cybersecurity compliance risks in the firm’s risk matrix: “Provide a current inventory of the Adviser’s compliance risks. If changes were made to this inventory of risks during the Examination Period, please indicate what these changes were and the corresponding date of the change.”

Page 47

Annual Review – Risk-Based Approach

Identify key risks based on:

Interviews with persons responsible for cybersecurity matters

Review of inventory of firm assets, systems and data types: types of sensitive information; physical devices and systems; software platforms and applications; network resources, connections and data flows; network connections from external sources; and logging capabilities

Review and assessment of internal and external threats

Review past cybersecurity incidents at the firm and in the industry

Obtain threat intelligence through security organizations (e.g., Financial Services Information Sharing and Analysis Center)

Use third party vendors to identify risks

Structure and size of the firm

Other relevant factors

Page 48

Annual Review – Policies and Procedures

Review adequacy of policies and procedures, including those relating to cybersecurity requirements:

Confirm that the firm is following its cybersecurity compliance procedures

Account for all action items required in procedures

Perform a gap analysis of the firm’s compliance procedures around cybersecurity to determine whether any additions are necessary or appropriate (e.g., benchmark procedures against peers and identify any business changes that require procedure changes)

Address any new regulatory requirements that might arise

Page 49

Annual Review – Effectiveness

Assess the effectiveness of implementation of the firm’s cybersecurity policies and procedures:

Interview personnel with cybersecurity responsibilities to determine their understanding and assessment of existing procedures

Observe implementation of cybersecurity policies and procedures in actual operating environment

Test compliance with cybersecurity procedures

Review reports produced by business units/areas and third parties relating to cybersecurity matters

Evaluate trends in, and frequency of, exceptions or violations of cybersecurity requirements

Page 50

Annual Review – Testing

Compliance rules do not require testing, but OCIE routinely asks for information about testing results in connection with compliance reviews

Transactional Tests – Transaction-by-transaction tests conducted contemporaneously with the transaction

Periodic Tests – Transaction-by-transaction tests performed on a “look back” basis at relevant intervals, such as spot checks or random or regular detailed reviews

Forensic Tests – Tests that analyze data over a period of time looking for trends and patterns that are difficult to identify when viewing smaller numbers of transactions or short periods of time

Page 51

Annual Review – Testing

Vulnerability Scans – Automated process of proactively identifying security vulnerabilities of computing systems in a network to determine if and where a system can be exploited and/or threatened

Penetration Testing – An attack on a firm’s information technology system conducted by an information security specialist retained by the firm with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data

Session 3 of the Cybersecurity Seminar Series on April 29 will address risk assessments and testing in more detail

Page 52

Annual Review – Documenting Results

Results of annual review, including cybersecurity compliance, should be documented by advisers in a written report (required for funds) or other documentation

Findings and results should be documented carefully

Any weaknesses or other compliance issues identified should have corresponding follow up action items responding to the weakness or other issue

Page 53

Annual Review – Potential Areas for Review

OCIE Cybersecurity Initiative – Sample Document Request: “The sample document request…is intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness….”

Resource for compliance assessments and preparing for OCIE exam covering cybersecurity

Very broad and not necessarily indicative of SEC staff views on scope of annual compliance review

Page 54

Annual Review – Potential Areas for Review

Sample Document Request identified five areas for potential review and consideration

1. Identification of Risks/Cybersecurity Governance

2. Protection of Firm Networks and Information

3. Risks Associated with Remote Access and Funds Transfer Requests

4. Detection of Unauthorized Activity

5. Risks Associated with Vendors and Other Third Parties

Page 55

Oversight of Third Party Service Providers

Page 56

Why You Should Worry About Your Third Party Service Provider

Chief Information Officers and hackers are discovering that the quickest path to a firm’s data is often through a third party, such as a vendor.

The risk is that your data gets hacked, not necessarily because of something you’ve done, but because of something your vendor did not do.

Page 57

Examples of Third Party Relationships That Have a Data-Security/Cybersecurity Element

For Mutual Funds:

Transfer Agent

Administrator

Fund Accounting

Custody

Distributor

For Investment Advisers:

Custody/Prime-Broker

Trading Systems

Trade Confirmation/Settlement

Pricing

IT/Website Hosting

Data Centers/Cloud Storage

Page 58

Critical Points for Vendor Cybersecurity Risk Oversight

Risk Based Selection of Vendor/Service Provider

Due Diligence

Monitoring (i.e., Ongoing Due Diligence)

The Service Provider/Vendor Contract

Policies and Procedures – Establish a methodology for standardized reviews and evaluations.

Page 59

The Team

Compliance

Legal

IT

Risk

Business Line(s)

The Approach

Risk Based – For Example:

Low Risk – Contract Review & Third Party Reports

Medium – Documentary Due Diligence & Questionnaires

High Risk – On-Site Visit

Don’t forget to include vendor relationships in ongoing firm risk assessments and to establish protocols to terminate vendor access to firm systems upon contract termination.

Page 60

Vendor Due Diligence

Examples of Cybersecurity Due Diligence Topics:

Physical Security

Network Security

Systems Security

Staff Security

Overall Security Policy

Results of Third Party Cybersecurity Reviews

Membership in Cybersecurity Groups (e.g., FS-ISAC) / Threat Resources

Business Continuity Plan

Breach Response Plan

Background Checks for Employees

Cyber-insurance

Use of Encryption

Application Development Security Practices

Heightened Security Procedures Around Remote Maintenance

Page 61

Examples of Vendor Cybersecurity Controls

Limits on data access by vendor employees

Virus protection

Encryption of data while at rest or in transit

Controls in place concerning subcontractors

System patch management

Testing, including penetration testing

Change Management Process

Business Continuity Controls

Training

Page 62

Contracts to the Rescue?

Commercial contracts as a risk mitigation tool

Step beyond confidentiality obligations (e.g., Reg. S-P compliance)

Address data security and data breaches

Prescribe preventive measures

Address post-breach actions

Assign liability

Page 63

Common Contract Challenges

Unequal Bargaining Power

Contract of Adhesion

Click Through Agreements

Legacy Contracts

Page 64

Cybersecurity Provisions in Vendor/Service-Provider Agreements

Preventative Measures and Compliance with Applicable Law

Data Ownership

Downtime/Loss-of-Service

Breach Notification

Right to Audit / 3rd Party Audits & Attestations (e.g., SSAE 16/SOC 2 Audits)

Liability, Indemnification and Remedies

Use of 3rd Party Vendors

Insurance Coverage

Termination Provisions

Page 65

Prescribe Preventative Measures

Require administrative, technical, and physical safeguards, and appropriate technical and organizational measures to protect company/customer data

Require compliance with applicable/industry specific privacy and data security laws (e.g., Reg. S-P, Massachusetts Information Security Regulations)

Require subcontractor flow-down provisions

Require consent to security audits / provision of 3rd party reviews

Page 66

Address Post-Breach Actions

Immediate notice

Suspected or confirmed?

Full cooperation between you and the vendor

Prompt remedial action

Notifications to individuals (your clients/shareholders)

Who prepares notices

Who pays

Credit Monitoring

Termination Rights

Page 67

Vendor as Dumb Insurer

“Vendor Bears All Risk” position:

Vendor is charging for its services

Vendor should bear all risk of data breach

Vendor position:

Vendor’s profit margin on services is less than your profit margin on your business enterprise

Vendor is not an insurer of your entire business risk

No insurer will take unlimited risks

Services could not be offered at prices less than your cost to provide services if vendor carries all business risk

The challenge is to find common ground between the two positions.

Page 68

Where Market is Heading

Separate, higher caps on direct damages for data breaches

Specified exceptions from exclusions from indirect/consequential damages (e.g., cost of notification)

Indemnification up to capped amount

Risk exposure linked to vendor’s cyber insurance coverage

Page 69

Key Takeaways and Next Steps

Page 70

Practical Next Steps for Advisers and Funds

1. Engage senior management and, if appropriate, the board of the adviser and any funds in the complex

2. Conduct a cybersecurity governance and risk assessment

3. Review and test the adequacy of existing compliance policies, business continuity plans, technical controls and other relevant procedures

4. Develop an incident response plan

5. Enhance employee training

6. Review vendor relationships

7. Review insurance coverage

8. Assess need for, and adequacy of, any public disclosures

9. Attend upcoming K&L Gates and Investment Adviser Association Cybersecurity Seminar Series programs

Page 71

Cybersecurity Seminar Series Overview

Session 1 (February 27, 2015): Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program

Session 2 (Today): Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers

Session 3 (April 29, 2015): Testing Your Cybersecurity Infrastructure and Enforcement Related Developments

Session 4 (May 20, 2015): Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage

Session 5 (June 25, 2015): Building a Better Mousetrap – Evolving Trends in Cybersecurity Practices and Public Policy Developments

Page 72

Speaker Contact Information

Mark C. Amorosi, Investment Management Partner, K&L Gates [email protected]

Laura L. Grossman, Assistant General Counsel, Investment Adviser Association(202) [email protected]

Jeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates LLP(609) [email protected]

Andras P. Teleki, Investment Management Partner, K&L Gates [email protected]

Page 73

Additional Cybersecurity Resources

To access our firm’s additional cybersecurity related recorded webinars, presentations, articles and checklists please visit www.klgateshub.com.

Page 74

THANK YOU
