
Page 1: Cyber Readiness in the Securities and Brokerage Industries, featuring Armstrong Teasdale attorneys Jeff Schultz and Scott Kozak

© 2014 Armstrong Teasdale LLP

Cyber-Readiness in the Securities and Brokerage Industry

Scott K.G. Kozak & Jeffrey Schultz

September 24, 2014

Page 2: Current Events

2013

• Target

− 40 million+ customers affected

2014

• Home Depot

− Breach in April 2014, discovered in August 2014

− 50 million+ affected; class action filed 9/10/14 in Eastern District of Missouri

− Offered customers and employees free credit monitoring, fraud protection and identity protection services for 1 year

• Benjamin F. Edwards & Co

− Discovered 3 days after breach took place

− Firm offered customers and employees free credit monitoring, fraud protection and identity protection services for 1 year

• BAE Systems reported a hedge fund customer lost millions due to “lag time” malware installed through a “spear-phishing” email

Page 3: Privacy and Information Security

Privacy:

• The right to be left alone

• The right of an individual to be protected against intrusion into her personal life or affairs

Information/Data Security:

• Defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction

Page 4: Internet vs. Privacy

“a helpful Venn diagram” by David Hoffman, available at http://bit.ly/bqU5vU

[Venn diagram: “The Internet” vs. “Privacy”]

Page 5: Who is the Top Information Security Threat?

Hackers? Spies? Cyber terrorists?

Page 6: INFORMATION SECURITY ENEMY #1

Page 8: Social Engineering: an Increasingly Common Threat

• A significant majority of external intrusions contain a social engineering element

• Phishing attacks are becoming increasingly sophisticated

− Use of email/web-based attacks

− Personalized emails: information gleaned from Facebook or LinkedIn

− Fake internal company emails

Page 9: Common Problems

Lack of Employee Training

• Employees unaware of potential problems

No Security Culture

• Employees aren’t thinking about security implications

Ineffective Internal Controls

• Too much access to information

Page 10: Overview of Privacy Law

Fundamentally different legal/regulatory schemes in different jurisdictions:

United States

• No comprehensive “law”

• Patchwork of sector-specific (e.g. HIPAA) and jurisdiction-specific regulations

Europe

• Comprehensive data protection scheme

• Strict privacy protection

• “Privacy as a human right”

Page 11: Some Important Privacy and Data Security Laws in the U.S.

Fair Credit Reporting Act (FCRA)

Health Insurance Portability and Accountability Act (HIPAA)

Computer Fraud and Abuse Act (CFAA)

Stored Communications Act

Gramm-Leach-Bliley Act (GLBA)

Children’s Online Privacy Protection Act (COPPA)

Section 5 of the Federal Trade Commission Act

State Data Theft, Breach Notification, and Other Privacy Laws

Page 12: Cybersecurity Focus in Securities Industry

“Cybersecurity [has] become a top concern … mounting evidence that the constant threat of cyber-attack is real, lasting and cannot be ignored” – Commissioner Aguilar

2012 Survey: 89% identify cyber-crime as a potential systemic risk, with 53% reporting a cyber-attack in the previous year

Page 13: SEC Regulatory Approach

October 2011 – Division of Corporate Finance

• Guidance on disclosure obligations

• Requires disclosure of material information regarding cybersecurity risks and cyber incidents

Proposed Rule – Regulation Systems, Compliance and Integrity

• Aims to require covered entities to test automated systems, continuity and disaster recovery plans, and notify SEC of intrusions

• SEC professed goal as of March 2014 is to make significant progress in 2014

Page 14: SEC Regulatory Approach

Regulation S-ID (http://www.sec.gov/rules/final/2013/34-69359.pdf)

• Requires certain regulated financial institutions to adopt and implement identity theft programs

• SEC expects institutions to know “Identity Theft Red Flags” and incorporate into policies

− http://www.sec.gov/info/smallbus/secg/identity-theft-red-flag-secg.htm

Regulation S-P (http://www.sec.gov/rules/final/34-42974.htm)

• Privacy of consumer financial information

• Notice to customers of privacy policy and practices

− Consumer knowledge and “opt-out” option

Page 15: SEC Actions

March 2014 – SEC Roundtable

• Integrity of Market Systems

• Customer Data Protection

• Disclosure of Material Information

April 2014 – OCIE Cybersecurity Initiative

• Designed to assess cybersecurity preparedness

• Method to collect information of industry experience

• Examinations to be conducted of more than 50 broker-dealers and registered investment advisors

Page 16: OCIE Cybersecurity Governance Focus Areas

• Identification of Risks

• Policies and Procedures

• Documentation

• Third-Party Exposure

• Detection

Page 17: Identification of Risks

System Access

• What can account holders do?

− Fund transfers, beneficiary changes, emailed action requests

• What can employees do?

− Remote access, Client account management

Third Party Management

• Hardware and Software

• Storage and Backup

Page 18: Policies and Procedures

Network & Information Security

Risk management process standard?

What is the source or model of this standard?

What practices and controls are utilized by the firm?

Page 19: Policies and Procedures

Access

• Employees

− Training

− Security protocols (passwords, 2-step verification) and User privileges (escalation control)

• Customers

− Remote access security (2-step verification, key fob)

− Verification of email requests

− Limitations (Transfers, Beneficiary changes, Account holder)

• Third Parties

− Financial management applications (Mint, Personal Capital, etc.)

− Periodic access restriction requiring verification

Page 20: Policies and Procedures

IT Assets

Software

• Loss prevention software

• Internet protection software (DoS)

• Malware / Virus protection and detection

Encryption

• Types of data encrypted

• Methods of encryption

• Devices (iPhone, iPad, laptops, open internet portals)

Page 21: Policies and Procedures

IT Assets Architecture

• Environment

− Segregation of application and testing

• “Locked” basic configuration

− Baseline access and data organization

• Maintenance (patching, upgrades)

• Backup System

Quality Control

• Periodic testing and compliance assessments

• Penetration and Vulnerability scans

− Who and How Often (Internal IT, Third Party Vendors)

Page 22: Documentation

Security/Hacking guarantees and policy

• What security is offered to customers

• What information is provided to customers in the event of a breach

Written data destruction policy

• Lawful destruction limits potential for large-scale data breach

Incoming/Departing employee policy

• Employees are a security threat – not just outsiders

Cybersecurity incident response policy

• Update schedule

• Response guidelines

Training for vendors and authorized partners

• Clear identification of expectations and requirements

Page 23: Documentation

Reporting

Customer

Law Enforcement

Treasury Financial Crimes Enforcement Network (FinCEN)

• Suspicious Activity Report

− http://www.fincen.gov/news_room/rp/sar_guidance.html

SEC/FINRA

State Securities Commissioner

Public Interest Group

Page 24: Documentation

Records, Records, Records

Number of experienced events

• SEC Focus: After January 1, 2013

Significance of event(s)

• Repeated incidents or sources (10+)

• Amount of losses ($5K+)

• What was accessed

• How was Firm service compromised

Page 25: Third Party Exposure

Risk Assessment

• Who conducts

• Assessment standards

− Questionnaire

− Minimum security requirements

− Independent audits and security verification

• Contractual provisions and requirements

• Segregation of network resources

− Universal access or firewalled

• Remote maintenance policy

Page 26: Detection

Who is responsible for oversight

• Specific responsibility assignments

• Organizational chain for detection + reporting

Baseline development

• Standard expectations

− Access timing (market-based, geographical base)

− Outside access (remote vs. office)

− Weekday/Weekend/After Hours

Page 27: Detection

Establish thresholds

• “Incident Alert” threshold

− Internal / Satellite

− Identification of anomalies

Monitoring

• Software

− Unauthorized access

− Unauthorized software

• Hardware

− Unauthorized connections or devices
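The baseline-and-threshold idea on the two Detection slides, as an added example that is not from the presentation: each constructed login record is scored against a per-user expected access window (market hours, weekday, office vs. remote, home region), and a user whose anomaly count reaches the alert threshold is raised as an "Incident Alert". The record fields, the baseline fields and the threshold value are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from collections import Counter
@dataclass
class Baseline:           # "standard expectations" for one user (assumed fields)
    start_hour: int       # earliest expected login hour, local market time
    end_hour: int         # latest expected login hour
    office_only: bool     # True if remote access is not expected for this user
    home_region: str = "US"

@dataclass
class LoginEvent:         # one constructed access record
    user: str
    when: datetime
    remote: bool
    region: str

ALERT_THRESHOLD = 3       # assumption: anomaly points per user before an Incident Alert

def anomalies(event, baseline):
    # Return the names of every baseline expectation this event violates.
    found = []
    if not (baseline.start_hour <= event.when.hour < baseline.end_hour):
        found.append("after-hours")
    if event.when.weekday() >= 5:           # Saturday/Sunday
        found.append("weekend")
    if baseline.office_only and event.remote:
        found.append("unexpected-remote")
    if event.region != baseline.home_region:
        found.append("geography")
    return found

def evaluate(events, baselines):
    # Score each event; return (flagged events, users at or over the alert threshold).
    counts, flagged = Counter(), []
    for ev in events:
        base = baselines.get(ev.user)
        found = anomalies(ev, base) if base is not None else ["no-baseline"]  # unknown identity is itself an anomaly
        if found:
            flagged.append((ev.user, ev.when.isoformat(), found))
            counts[ev.user] += len(found)
    alerts = sorted(u for u, n in counts.items() if n >= ALERT_THRESHOLD)
    return flagged, alerts

# Constructed sample data: two baselines and four access records
BASELINES = {
    "trader1": Baseline(start_hour=7, end_hour=19, office_only=False),
    "ops1": Baseline(start_hour=8, end_hour=18, office_only=True),
}
SAMPLE_EVENTS = [
    LoginEvent("trader1", datetime(2014, 9, 22, 9, 5), remote=False, region="US"),   # Monday, in window
    LoginEvent("trader1", datetime(2014, 9, 23, 22, 40), remote=True, region="US"),  # Tuesday, after hours
    LoginEvent("ops1", datetime(2014, 9, 27, 3, 15), remote=True, region="RO"),      # Saturday, remote, abroad
    LoginEvent("unknown", datetime(2014, 9, 24, 10, 0), remote=False, region="US"),  # no baseline on file
]
```

Calling `evaluate(SAMPLE_EVENTS, BASELINES)` flags three of the four records and alerts only on `ops1`, whose single Saturday login breaks four expectations at once.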

Page 28: Industry Snapshot

Identification of Risks

85% used multiple electronic devices to access client information

42% did not use any authentication procedures for client instructions received via email or electronic messaging

• Only 41.1% required dual-factor authentication

Only 41.5% had a policy on accessing client information or communications from a non-business device

Only 38% had a policy for detecting unauthorized activity on networks or devices

Page 29: Industry Overview

Vendors and Third Parties

37% did not conduct risk assessments

40% of those that conducted risk assessments did so only on an annual basis

23% had no confidentiality agreements with third-party providers and servicers

• BUT -- 76% use on-line or remote backup of electronic files

Page 30: Industry Overview

Policies and Procedures

Only 44.6% had cybersecurity policies, procedures or training programs

23.1% had no policies whatsoever

Page 31: Industry Overview

Policies and Procedures

Only 47.4% had data storage device destruction policies

Only 39.2% had loss of electronic device policies (e.g., laptop, smartphone)

Page 32: OCIE Examination Process

Factors favoring examination

• Statutory directive

• Entity risk profile

• Tip, complaint or referral

• Review of specific risk area

Examination

• Announced or unannounced

• Initial interview – “critical … determine[s] tone and focus of examination”

• Tour – analysis of workflow and control environment

• Cooperation, including provision of persons with knowledge, is key

• Follow-up may include telephone interviews

http://www.sec.gov/about/offices/ocie/ocie_exambrochure.pdf

Page 33: OCIE Examination Process

Third Party Providers

• OCIE will request relevant information from examinee or from agents/custodians

Clients & Customers

• OCIE will “routinely contact” to gather and/or verify information

Exit Interview

• Last day of site visit

• Entity afforded opportunity to discuss issues raised by exam staff

− Includes actions entity has taken or plans to take to address issues

http://www.sec.gov/about/offices/ocie/ocie_exambrochure.pdf

Page 34: OCIE Examination Process

Examination Conclusion

• SEC Section 4E – completion due on later of two dates

− 180 days after completion of on-site portion of exam; or

− 180 days after all records requested are examined or inspected

• 180-day extension available for “complex examinations”

Exam Results

• Deficiency Letter

− Entity to respond timely, addressing all identified issues

• Referral to Division of Enforcement

− Direct referral without exit exam may be made in “exigent circumstances”

• Referral to SRO, State regulatory agency or law enforcement

http://www.sec.gov/about/offices/ocie/ocie_exambrochure.pdf

Page 35: Challenge: Decision Makers’ Lack of Familiarity with the Technology

“If I'm applying the First Amendment, I have to apply it to a world where there's an Internet, and there's Facebook, and there are movies like ... The Social Network, which I couldn't even understand.”

—Justice Stephen Breyer

Justice Roberts: “I thought, you know, you push a button; it goes right to the other thing.”

Justice Scalia: “You mean it doesn't go right to the other thing?”

—Justice John Roberts to Justice Antonin Scalia regarding how a text-messaging service works

Page 36: To Do List

Identify/Organize Persons with Knowledge

• Cybersecurity Committee and/or Response Team

Audit Cybersecurity Status

• Review internal and external Policies

• Review access, verification and recovery

Third Party Vendors

• Review contracts and policies

Quality Control and Assessment

• Update records … or get started

Insurance

• Mind the gap

Page 37: Be Proactive

Page 38: How Can We Help?

Securities Regulatory & Litigation Group

• Former MO Securities Commissioner

• Former federal prosecutor

• Experienced securities litigators

Data Security and Privacy Group

• CIPP|US and Ethical Hacker Certified

• International and Domestic experience

Page 39: Questions?

Scott K.G. Kozak

Partner, Litigation

314.259.4714

[email protected]

Jeffrey Schultz

Partner, Litigation

314.259.4732

[email protected]

CLE Webinar Confirmation Code: KS0912