
© 2017 Financial Industry Regulatory Authority, Inc. All rights reserved. 1

Cybersecurity Threats and Loss Prevention (Medium and Large Firm Focus) Tuesday, May 16 3:00 p.m. – 4:00 p.m.

Every firm needs a cybersecurity program. Is your current plan as comprehensive or robust as it could be? Are you effectively protecting your firm and your clients from threats? This session provides guidance on useful practices for protecting customer information, what to do in the event of a data breach, and tackling other cybersecurity situations. Whether you're just starting out or updating a well-documented approach, this session provides strong, actionable practices, and highlights in-depth tools to help you strengthen your cybersecurity program.

Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office

Panelists:
• Richard Hannibal, Assistant Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission (SEC)
• Stephanie Mumford, Chief Compliance Officer and Senior Legal Counsel, T. Rowe Price Investment Services, Inc.
• Andy Zolper, Senior Vice President and Chief Information Security Officer, Raymond James Financial, Inc.


Cybersecurity Threats and Loss Prevention (Medium and Large Firm Focus)

Panelist Bios:

Moderator: Dave Kelley is the Surveillance Director based out of FINRA’s Kansas City District office, and has been with FINRA for six years. Mr. Kelley also leads FINRA’s Sales Practice exam program for cybersecurity and the Regulatory Specialist team for Cyber Security, IT Controls and Privacy. Prior to joining FINRA, he worked for more than 19 years at American Century Investments in various positions, including Chief Privacy Officer, Director of IT Audit and Director of Electronic Commerce Controls. He led the development of website controls, including customer application security, ethical hacking programs and application controls. Mr. Kelley is a CPA and Certified Internal Auditor, and previously held the Series 7 and 24 licenses.

Panelists: Richard Hannibal has been an Assistant Director in the SEC’s Office of Compliance Inspections and Examinations for 18 years and has been with the Commission for 22 years. After serving 17 years in the Broker-Dealer Examination Program, he recently moved over to OCIE’s Technology Controls Program. Previously, he was a branch chief conducting inspections of the Self-Regulatory Organizations. Prior to coming to the Commission, Mr. Hannibal spent five years at the Legal Services Corporation (government funded legal aid) in a senior regulatory position and seven years as a litigator with a small DC law firm. Mr. Hannibal is a graduate of Wheaton College (Illinois) and Georgetown University Law Center (JD).

Stephanie Mumford is the Chief Compliance Officer and Senior Legal Counsel of T. Rowe Price Investment Services, Inc., within the Legal Division of T. Rowe Price. In this role, Ms. Mumford provides legal counsel and guidance related to T. Rowe Price Investment Services, Inc., and distribution-related initiatives and business activities in the U.S. Intermediaries and the Individual & Retirement Plan Services divisions. Prior to joining T. Rowe Price in 2013, Ms. Mumford served as special counsel for the Securities and Exchange Commission (SEC) in the Division of Trading and Markets. She previously held the position of senior counsel in SEC’s Office of Compliance Inspections and Examinations. Before her experience at the SEC, Ms. Mumford worked at the Financial Industry Regulatory Authority (FINRA) as counsel in FINRA’s Market Regulation Department. In addition, she previously held compliance positions at Linsco/Private Ledger and The Vanguard Group. Ms. Mumford received her B.A. from Washington and Jefferson College, her M.B.A. from Clemson University and her J.D. from the University of San Diego School of Law. She is a Series 4, 7, 24, and 53 registered representative and is a member of the New York State Bar Association.

Andy Zolper is Chief Information Security Officer for Raymond James Financial, Inc., a diversified financial services provider with subsidiaries engaged in investment and financial planning, investment banking and asset management. Through its three broker-dealer subsidiaries, Raymond James Financial has more than 6,300 financial advisers, serving more than 2.5 million accounts in more than 2,500 locations throughout the United States, Canada and overseas. As CISO, Mr. Zolper provides strategic direction to identify appropriate security measures, sponsors implementation of security solutions, manages daily security operations and provides governance to manage technology risk—all in order to help Raymond James achieve its business objectives. Mr. Zolper was previously at UBS as CISO of its Wealth Management Americas division, and later as global head of IT Risk Management. Prior to joining UBS, he led teams in IT risk management, global program management and business process reengineering at JPMorgan Chase. Before working at JPMC, Mr. Zolper was responsible for application development at Sterling Resources Inc., and developed the company's process reengineering, e-learning and knowledge management software products. Before joining Sterling Resources, he served in various management roles at Verizon, ranging from staff director of competitive intelligence analysis to field management of "fiber to the curb" deployment. Mr. Zolper graduated from the Virginia Military Institute. He is a U.S. Marine Corps veteran, having served as a communications and signals intelligence officer. He is a graduate of SIFMA's Securities Industry Institute at The Wharton School, a Registered Operations Professional (Series 99), a certified Six Sigma Black Belt and a Certified Information Security Manager (CISM). He represents Raymond James on the Advisory Council of BITS, the technology policy division of The Financial Services Roundtable, and is a member of SIFMA’s Cyber Security Working Group.


FINRA Annual Conference, May 16-18, 2017 • Washington, DC

Cybersecurity Threats and Loss Prevention (Medium and Large Firm Focus)


FINRA Annual Conference © 2017 FINRA. All rights reserved.

Panelists

Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office

Panelists:
• Richard Hannibal, Assistant Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission (SEC)
• Stephanie Mumford, Chief Compliance Officer and Senior Legal Counsel, T. Rowe Price Investment Services, Inc.
• Andy Zolper, Senior Vice President and Chief Information Security Officer, Raymond James Financial, Inc.


To Access Polling

1. Under the “Schedule” icon on the home screen, select the day,
2. Choose the Cybersecurity Threats and Loss Prevention (Medium and Large Firm Focus) session,
3. Click on the polling icon.


Polling Question 1

1. How would you rate your firm’s Cybersecurity Program (“Program”) today?

a. Program is robust and up to date
b. Program exists, but needs enhancements
c. Currently working on establishing a Program
d. Do not have a Program


Polling Question 2

2. What is your firm’s biggest challenge in building a robust Program?

a. Inadequate resources or expertise
b. Engagement of senior management support
c. Achieving employee awareness
d. Need for better IT tools/systems
e. Insufficient sharing of information among BD peers and/or regulators


Cybersecurity Issues

• Phishing / Spear Phishing
• Third Party Wires
• Stolen Credentials – Customers, Employees and Reps.
• Ransomware
• DDOS (Distributed Denial-of-Service) Attacks
• Internal Fraud


Polling Question 3

3. Has your firm experienced a cyber related incident in the past year?

a. Yes – Phishing
b. Yes – 3rd Party Wire
c. Yes – Internal Fraud
d. Yes – DDOS
e. Yes – Other Incident
f. Multiple Incidents
g. No


FINRA Cybersecurity Exam Program

Examinations are being conducted by FINRA examiners and may address the following areas:

• Governance
• Risk Management
• Internal Risk Assessment (IA)
• Vendor Management
• Asset Management
• Secure Configuration
• Access Control and Physical Security
• Training and Security Awareness
• Infrastructure Controls (Tech Controls)
• Vulnerability Management
• Website Controls
• Data Protection
• External Risk Assessments
• Incident Response
• Cloud
• Branch Controls


The Basics

• Encryption
• Passwords / Remote Access
• Virus / Malware Protection / Spam Filters
• Operating System Patching
• Hand Held Devices
• Incident Response Management
• Insurance
• Internal Audit’s Role


Governance

Firms should establish Information Security frameworks that support informed decision-making and escalation at appropriate levels within the organization. This would include:

• Active senior management and, as appropriate, board level oversight of cyber security
• Articulated risk appetite that guides firm decision-making with respect to the acceptance, mitigation, avoidance or transfer of risks
• Defined accountabilities, structures, policies and procedures to support decision-making based on risk appetite and industry effective practices
• Use of appropriate metrics and thresholds


Risk Assessment

Firms should conduct regular risk assessments to identify vulnerabilities and prioritize risk remediation activities.

As defined by the International Organization for Standardization (ISO), risk assessment is a systematic approach to estimating the magnitude of risks (risk analysis) and comparing risk to risk criteria (risk evaluation). It is an ongoing process, not a single point-in-time review.

The scope of a risk assessment would include:

• Critical asset inventory and vulnerability assessment of these assets
• Threat & risk evaluation (external & internal) and prioritization
• Vendors and their affiliates


Cybersecurity Training

Firms should provide cybersecurity training to their staff and provide additional training based on staff’s role. Appropriate types of training are driven by:

• Experience with cyber security incidents
• Risk assessment
• Awareness and intelligence about threats the firm may face
• Phishing training
• Password tips
• Annual compliance meeting and periodic email alerts


Access Management

Access to information, physical assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

• Access is granted based on role within the organization, incorporating the principles of least privilege and separation of duties
• Employee, contractor, third party, and customer entitlement management
• Physical access to assets is managed and protected
• Both access to information and physical assets is reviewed and approved on a regular basis.
• Multi-Factor Authentication
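The slide lists the properties an access-management control should have (role-based grants, least privilege, separation of duties, periodic review) but not how a reviewer would check them. The script below is an added example, not FINRA material or any firm's tooling: it runs a periodic entitlement review over a constructed role model and a handful of constructed accounts, and flags direct grants that bypass the role model, separation-of-duties conflicts between entitlements, inactive accounts that still hold access, and accounts whose review is overdue. The role names, entitlements, conflict pairs and the 90-day review interval are all assumptions chosen for illustration.

```python
"""Periodic entitlement review: least privilege, separation of duties, staleness.

Added example; the role model, conflict rules and accounts are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed role model: every role grants a fixed set of entitlements.
ROLE_ENTITLEMENTS = {
    "trade_entry":    {"enter_trade"},
    "trade_approval": {"approve_trade"},
    "wire_entry":     {"enter_wire"},
    "wire_release":   {"release_wire"},
    "read_only":      {"view_account"},
}

# Constructed separation-of-duties rules: one person must not hold both.
SOD_CONFLICTS = [
    ({"enter_trade", "approve_trade"}, "trade entry vs. approval"),
    ({"enter_wire", "release_wire"},   "wire entry vs. release"),
]

REVIEW_INTERVAL_DAYS = 90          # assumed review cadence
SAMPLE_REVIEW_DATE = date(2017, 5, 16)


@dataclass
class Account:
    user: str
    roles: set             # roles assigned through the role model
    direct_grants: set     # entitlements granted outside any role
    last_reviewed: date
    active: bool = True


def effective_entitlements(acct):
    """Union of role-derived entitlements and direct grants."""
    ents = set(acct.direct_grants)
    for role in acct.roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def review(accounts, today, review_interval_days=REVIEW_INTERVAL_DAYS):
    """Return (user, finding) pairs for every control exception found."""
    findings = []
    for a in accounts:
        ents = effective_entitlements(a)
        if not a.active and ents:
            findings.append((a.user, "inactive account still holds entitlements"))
        for r in sorted(a.roles):
            if r not in ROLE_ENTITLEMENTS:
                findings.append((a.user, f"unknown role {r!r}"))
        for g in sorted(a.direct_grants):
            # Direct grants sidestep role-based least privilege; each needs a ticket.
            findings.append((a.user, f"direct grant {g!r} bypasses role model"))
        for pair, label in SOD_CONFLICTS:
            if pair <= ents:
                findings.append((a.user, f"separation-of-duties conflict: {label}"))
        if today - a.last_reviewed > timedelta(days=review_interval_days):
            findings.append((a.user, "access review overdue"))
    return findings


# Constructed accounts covering each exception type plus one clean account.
SAMPLE_ACCOUNTS = [
    Account("alice", {"trade_entry", "trade_approval"}, set(), date(2017, 4, 1)),
    Account("bob",   {"wire_entry"}, {"release_wire"},     date(2017, 3, 1)),
    Account("carol", {"read_only"}, set(),                 date(2017, 1, 1)),
    Account("dave",  {"read_only"}, set(),                 date(2017, 5, 1), active=False),
    Account("erin",  {"read_only"}, set(),                 date(2017, 5, 1)),
]


def run_sample():
    return review(SAMPLE_ACCOUNTS, SAMPLE_REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:8} {finding}")
```

Each finding is something a control owner has to approve or remediate before the certification is signed; the clean account (erin) produces nothing, which is the expected steady state for most users.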


Branch Controls

Firms should have policies and procedures dealing with cybersecurity issues at branch locations. Topics include:

Processes in place to verify controls have been implemented and are functioning as intended.

• Physical Security
• Encryption
• Virus and Malware Protection
• Reporting of lost/stolen assets
• Patching
• The Use of Passwords
• Training and Awareness
• Business Continuity Planning/Testing
• Vendor / Cloud Usage
• Representative Certifications


Vendor Management

Vendor management covers the lifecycle of the relationship, from initiation through termination, and should be risk-based, i.e., there is greater due diligence and oversight on vendors who have access to sensitive data or processes.

• Onboarding: establish controls and associated contractual terms/conditions
• Operational Oversight: annual audit and testing along with contingency planning
• Termination: access and disposal of sensitive / confidential data


Use of the Cloud

Use of cloud computing, if done right, can provide many benefits to a firm including delivery of strong security controls…(converse also true). Types of cloud usage include:

• Document storage, for instance Drop Box or Google Drive
• Software as a Service (SaaS) such as Salesforce, Red Tail or Smarsh
• Infrastructure as a Service (IaaS), Amazon AWS or Azure

Controls and processes for monitoring mirror vendor management.


Supplemental Guidance

• FINRA Report on Cybersecurity: www.finra.org/file/report-cybersecurity-practices
• FINRA Small Firm Cybersecurity Checklist: www.finra.org/industry/cybersecurity
• NIST: www.nist.gov/cyberframework/index.cfm
• SIFMA Cybersecurity Resource Center: www.sifma.org/issues/operations-and-technology/cybersecurity/overview/
• SANS 20 Critical Security Controls: www.sans.org/critical-security-controls


Supplemental Guidance

• SEC, National Examination Program (NEP) Risk Alert, Cybersecurity Examination Sweep Summary (February 3, 2015): www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf
• SEC, Division of Investment Management, Guidance Update – Cybersecurity Guidance (April 2015): www.sec.gov/investment/im-guidance-2015-02.pdf
• Department of Justice, Cybersecurity Unit, Computer Crime & Intellectual Property Section, Criminal Division, Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015): www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/04/30/04272015reporting-cyber-incidents-final.pdf


Cybersecurity Threats and Loss Prevention (Medium and Large Firm Focus) Tuesday, May 16 3:00 p.m. – 4:00 p.m.

Resources

FINRA Resources

• 2015 Report on Cybersecurity Practices (February 2015)

www.finra.org/file/report-cybersecurity-practices

• FINRA Small Firm Cybersecurity Checklist

www.finra.org/industry/cybersecurity

SEC Resources

• SEC, National Examination Program (NEP) Risk Alert, Cybersecurity Examination Sweep Summary (February 2015)

www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf

• SEC, Division of Investment Management, Guidance Update – Cybersecurity Guidance (April 2015)

www.sec.gov/investment/im-guidance-2015-02.pdf

Other Resources

• National Institute of Standards and Technology (NIST): Framework for Improving Critical Infrastructure Cybersecurity (February 2014)

www.nist.gov/cyberframework/index.cfm

• SIFMA Cybersecurity Resource Center:

www.sifma.org/issues/operations-and-technology/cybersecurity/overview/

• SANS 20 Critical Security Controls

www.sans.org/critical-security-controls


• Department of Justice, Cybersecurity Unit, Computer Crime & Intellectual Property Section, Criminal Division, Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015)

www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/04/30/04272015reporting-cyber-incidents-final.pdf


Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information

© 2017 Association of Corporate Counsel 1

The Association of Corporate Counsel (ACC) and a group of its members have developed this Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information (“Model Controls”) to help in-house counsel as they set expectations with their outside vendors, including outside counsel, regarding the types of data security controls these vendors should employ to protect their company’s confidential information. The Model Controls provide a list of baseline security measures and controls some legal departments may consider requiring from outside vendors. It is ACC’s hope that the Model Controls offer in-house counsel a streamlined and consistent approach to setting expectations with respect to the data security practices of their outside vendors.

This document does not constitute legal advice or legal opinion on specific facts, and it is not intended to be a definitive statement on the subject but rather serves as a resource providing practical information to in-house counsel. This document is not a substitute for corporate counsel’s own legal analysis and good judgment; company’s internal requirements and policies; or regulatory provisions. Further, this document is not intended to establish any industry standards for any purpose for either the company client or the outside vendor, including, but not limited to, contract, professional malpractice, or negligence.


MODEL INFORMATION PROTECTION AND SECURITY CONTROLS FOR OUTSIDE COUNSEL POSSESSING COMPANY CONFIDENTIAL INFORMATION

Definition of “Company Confidential Information”:

“Company Confidential Information” is defined as any information that is proprietary to Company and is not publicly available including, without limitation, information that is:

• Attorney-client privileged;
• Confidential information, which, if disclosed, could cause damage to the interests of Company;
• Material non-public information concerning publicly traded corporations;
• Personally Identifiable Information (“PII*”) for any Company employee, contractor, customer, or supplier. For the purpose of this document, PII is defined as information that can be used to identify, contact, or locate a natural person, including, without limitation, a Company customer or website user, natural person’s name, IP address, email address, postal address, telephone number, account numbers, date of birth, driver’s license or other government-issued identification card numbers and social security numbers, or any other information that is linked or linkable to an individual.
• Protected Health Information (“PHI”) shall have the same meaning as the term “protected health information” at 45 C.F.R. § 160.103;
• Information relating to the physical security of Company operations;
• Information relating to the Company’s cyber security;
• Information from any source that may tend to incriminate the Company, subject the company to fines or penalties, form the basis for litigation against the company, or which may tend to damage the Company’s reputation or the reputation of its officers, directors, employees, or agents;
• Information that is legally required to be protected under the laws applicable to the company data.

1. Policies and Procedures

Outside Counsel shall have in place appropriate organizational and technical measures to protect Company Confidential Information or other information of a similar nature against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and nature of the information to be protected. Outside Counsel shall have in place internal security and privacy policies designed to protect the security, confidentiality, and integrity of Company Confidential Information or other information of a similar nature that include: security policy; organization of information security; asset management; human resources security; physical and environment security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management; business continuity management; personnel training; and compliance.

Outside Counsel shall have incident and problem management procedures that allow for the reasonable investigation, response, mitigation, and notification of events that implicate the confidentiality, integrity, and availability of Outside Counsel’s technology and information assets, or events that cause the unauthorized or unintentional disclosure of Company Confidential Information. Outside Counsel will review at least annually its incident response and problem management procedures to ensure they are fit for purpose.

Outside Counsel shall have adequate resources and management oversight to ensure the proper development and maintenance of information security and technology policies, procedures, and standards throughout the course of their relationship with Company.

Outside Counsel shall provide and maintain information security training for all employees and provide a summary of such training to Company upon request.

2. Retention and Return/Destruction

2.1 Retention

Outside Counsel shall retain Company Confidential Information only for as long as specified by Company for the matter(s) on which Outside Counsel is working or as otherwise necessary to satisfy the purposes for which it was provided to Outside Counsel, except to the extent that longer retention is required by applicable law, regulations, or professional ethical rules.


2.2 Return/Destruction

At the conclusion of the engagement and as instructed by Company, Outside Counsel shall (at its sole cost) return, delete, or destroy Company Confidential Information then in its possession or under its control including, without limitation, originals and copies of such Company Confidential Information. The following types of information are excluded from this requirement: (i) day-to-day exchanges of emails, except for those containing attachments that contain Company Confidential Information; (ii) Outside Counsel work product; (iii) Company Confidential Information that becomes a part of the public domain, including through court filings; and (iv) Company Confidential Information that Outside Counsel is required to maintain, by law, regulations, or professional ethical rules but for only the time period required. With respect to (i) herein, excluded emails should be handled consistently with Outside Counsel’s professional duty of confidentiality. For the avoidance of doubt, anything that is stored on routine back-up media solely for the purpose of disaster recovery will be subject to destruction in due course rather than immediate return or destruction pursuant to this paragraph, provided that employees are precluded from accessing such information in the ordinary course of business prior to destruction. Notwithstanding the foregoing, latent data such as deleted files, and other non-logical data types, such as memory dumps, swap files, temporary files, printer spool files, and metadata that can only be retrieved by computer forensics experts and is generally considered inaccessible without the use of specialized tools and techniques will not be within the requirement for return or destruction of Company Confidential Information as set forth by this provision.

2.3 Certification

Outside Counsel agrees to certify that Company Confidential Information has been returned, deleted, or destroyed from its systems, servers, off-site storage facilities, office locations, and any other location where Outside Counsel maintains Company Confidential Information within 30 days of receiving Company’s request that the information be returned, deleted, or destroyed.

3. Data Handling

3.1 Encryption


3.1.1 Encryption in Transit

When transferring Company Confidential Information, and in communications between Company and Outside Counsel, Outside Counsel will use encryption based on guidance provided by Company, if any.

The Company reserves the right to request implementation of Transport Layer Security to automatically encrypt emails between Company and Outside Counsel.

Note: Section 3.1.2 below is highly recommended. Minimally, law firms should have mechanisms in place that provide for technologically equivalent mitigations in the absence of encryption at rest.

3.1.2 Encryption at Rest

Outside Counsel will encrypt all Company Confidential Information that resides on Outside Counsel’s systems, servers, backup tapes, etc., including Company Confidential Information that resides on the systems and servers of any third party with which Outside Counsel has subcontracted to store electronic data. Outside Counsel shall encrypt at rest using solutions that are certified against U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard, and verify that the encryption keys and any keying material are not stored with any associated data.

3.1.3 Encryption of Data Stored on Portable Devices or Transmitted Over Non-Secure

Communication Channels

Outside Counsel will encrypt all Company Confidential Information when stored on

portable devices and media or when transmitted over non-secure communication channels

(e.g., internet email, or wireless transmission) including remote connectivity using

solutions that are certified against the U.S. Federal Information Processing Standard 140-

2, Level 2, or equivalent industry standard, and verify that the encryption keys and any

keying material are not stored with any associated data.

3.1.4 Encryption of Company Confidential Information Transferrable to Removable Media and Mobile Devices

In the event that Company Confidential Information could be transferred to removable media, a mobile device, tablet, or laptop, Outside Counsel will implement, monitor, and maintain encryption and information leakage prevention tools using solutions that are certified against the U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard, and verify that the encryption keys and keying material are not stored with any associated data. Moreover, two-factor authentication should be employed for remote connectivity using a mobile device, tablet, or laptop.

3.2 Data Security Breach Reporting

Upon discovering any suspected or actual unauthorized disclosure, loss, or theft of Company Confidential Information (a “Data Security Breach”), Outside Counsel will promptly (within 24 hours of discovering an actual or suspected event) send an e-mail to (insert email address of company contact). Outside Counsel shall fully cooperate with Company to provide all information in a timely manner and shall fully cooperate with Company, as directed by Company, to make any notifications required by applicable law. Outside Counsel will fully cooperate with Company to identify a root cause and remediate any Data Security Breach at its sole cost. Outside Counsel shall designate an individual who will serve as Company’s ongoing single point of contact for purposes of addressing issues with respect to the use and security of Company Confidential Information during the term and following the termination or expiration of these standards. Such individual shall be accessible to Company on a 24x7 basis. Outside Counsel shall certify that this individual can obtain relevant information specific to any incidents within 48 hours. This individual is to also have access to or direct knowledge of Outside Counsel’s network architecture and information technology system.

3.3 Compliance with Laws

Outside Counsel will comply with all laws, regulations, statutes, and ordinances (“Laws”) applicable to its business or the performance of its obligations pursuant to Company’s engagement of Outside Counsel, as such Laws may be revised from time to time.

4. Physical Security

4.1 General

Company Confidential Information must be physically secured against unauthorized access.


Note: The Physical Security Protections in Section 4.2 are recommended for law firms that host Company Confidential Information on their systems and servers.

4.2 Physical Security Protections

Outside Counsel will implement at least the following:

1. Picture identification badges issued through Outside Counsel’s formal approval processes.

2. Processes to remove leaver (i.e., departing staff member) personnel from facility access within 24 hours of notification or within one hour in emergency/priority situations.

3. 24x7 security guards monitoring entrance(s) to the facility where Company Confidential Information is accessed, or comparable controls where Company Confidential Information is stored, processed, or destroyed.

4. Identity verification using government-issued IDs prior to entry to a facility where Company Confidential Information is accessed, stored, processed, or destroyed for all visitors, and visitors are supervised by a formal escort while on-site.

5. Electronic access control to any facility where Company Confidential Information is accessed, stored, processed, or destroyed using badge/access cards.

6. Enhanced access control for access to computer rooms within a facility that houses information systems hardware (“computer room”) (e.g., biometric safeguards such as palm readers, iris recognition, or fingerprint readers).

7. Camera surveillance (CCTV) with active monitoring or integration into a detection system.

8. A perimeter intruder alarm system (e.g., open door alarms).

9. No exterior access points (e.g., windows, exterior doors) are present within a computer room.

10. Backups are physically secured against unauthorized access.

11. Procedures are in place to verify that receiving/delivery of/removal of hardware and other equipment are authorized.

12. Physical access to facilities where Company Confidential Information is accessed, stored, processed, or destroyed must be logged. Logs must be retained for at least ninety days.


5. Logical Access Controls

Outside Counsel must have logical access controls designed to manage access to Company Confidential Information and system functionality on a least privilege and need-to-know basis, including through the use of defined authority levels and job functions, unique IDs and passwords, and two-factor or stronger authentication for its employee remote access systems (and elsewhere where appropriate). These controls shall enable Outside Counsel to promptly revoke or change access in response to terminations or changes in job functions as applicable. Outside Counsel will encrypt all passwords, passphrases, and PINs using solutions that are certified against U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard, and verify that the encryption keys and keying material are not stored with any associated data. Outside Counsel will implement any Company request to revoke or modify user access within twenty-four hours of receipt of Company’s request. Outside Counsel will disable user accounts after at most 10 consecutive invalid authentication attempts.

6. Monitoring

Unless prohibited by applicable law, Company expects Outside Counsel to continuously monitor its networks and employees, subcontractors, and contingent workers for malicious activity and other activity that may cause damage or vulnerability to Company Confidential Information.

7. Vulnerability Controls and Risk Assessments

At least annually, Outside Counsel will perform vulnerability tests and assessments of all systems that contain Company Confidential Information. Outside Counsel must have application security software development controls designed to eliminate and minimize the introduction of security vulnerabilities. For any of Outside Counsel’s applications that process Company Confidential Information, such testing must also include manual ethical hacking/penetration tests using intercept proxies to identify security vulnerabilities that cannot be discovered using automated tools, and code review or other manual verifications, to occur at least annually or upon any major software change, including customizations for Company.


8. System Administration and Network Security

Outside Counsel must have operational procedures and controls designed to ensure that technology and information systems are configured and maintained according to prescribed internal standards and consistent with applicable Industry Standard Safeguards. Examples of Industry Standard Safeguards are ISO/IEC 27002:2005, NIST 800-44, Microsoft Security Hardening Guidelines, OWASP Guide to Building Secure Web Applications and the various Center for Internet Security Standards. Moreover, Outside Counsel must have application security and software development controls designed to eliminate and minimize the introduction of security vulnerabilities.

Antivirus protection shall be installed and configured to automatically search for and download updates (daily, at a minimum) and perform continuous virus scans. Malware and threat detection is to be updated continuously, and software patches provided by vendors shall be downloaded and implemented in a timely manner. If Outside Counsel is unable to implement these controls in a timely manner, Outside Counsel shall notify the Company in writing.

Outside Counsel shall have vulnerability management and regular application, operating system and other infrastructure patching procedures and technologies reasonably designed to identify, assess, mitigate, and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code.

Outside Counsel shall have, shall implement, and shall maintain network security controls, including the use of firewalls, layered DMZs and updated intrusion detection and prevention systems, reasonably designed to protect systems from intrusion or limit the scope or success of any attack or attempt at unauthorized access to Company Confidential Information.

9. Security Review Rights

Company and its agents, auditors (internal and external), regulators, and other representatives as Company may designate, may inspect, examine, and review the facilities, books, systems, records, data, practices, and procedures of Outside Counsel (and any subcontractors that Outside Counsel may use) that are used in rendering services to Company to verify the integrity of Company Confidential Information and to monitor compliance with the confidentiality and security requirements for Company Confidential Information.

Note: Section 10 below is recommended but optional. ISO Certifications reduce the time and effort required by in-house IT security departments to perform security assessments on third parties in possession of Company Confidential Information.

10. Industry Certification/Additional Security Requirements

If Outside Counsel has not achieved ISO27001 certification, Company may request that Outside Counsel undertake the certification process and provide Company with evidence of certification when attained. Outside Counsel agrees to implement additional security requirements reasonably requested by Company, and provide Company with relevant additional information that Company may request such as SOC audits or other evidence that Outside Counsel has in place appropriate policies and procedures regarding information protection and security.

11. Background Screening of Outside Counsel Employees, Subcontractors, and Contingent Workers

Unless precluded by law or regulation, Outside Counsel agrees to conduct background screening for all of its employees, subcontractors, and contingent workers who work with or come into contact with Company Confidential Information. Outside Counsel will certify annually to Company that all of Outside Counsel’s employees, subcontractors, and contingent workers that work with or come into contact with Company’s Confidential Information have successfully passed Company’s background screening requirements unless such background screening is precluded by law or regulation in a specific jurisdiction.

12. Cyber Liability Insurance

Without limiting its responsibilities set out herein, in countries where cyber liability insurance coverage is available, Outside Counsel will obtain and maintain in force at all times cyber liability insurance with an insurance company having a minimum credit rating of A- from Standard & Poor’s or other equivalent rating agency, with a minimum coverage level of $10,000,000. All responsibility for payment of sums under any deductible or self-insured retention provisions of the policy or policies remains with Outside Counsel. It is expressly understood and agreed that Company does not in any way represent that the above specified minimum coverage limit is sufficient or adequate to protect Outside Counsel’s interests or liabilities. Outside Counsel shall name Company as an additional insured and provide a copy of its cyber-insurance certificate to Company upon written request.

13. Subcontractors

Outside Counsel shall be responsible for all subcontractors used by Outside Counsel that have access to Company Confidential Information. Where Outside Counsel subcontracts its obligations to Company to a third party, it shall do so only by way of written agreement imposing Company’s Model Information Protection and Security Controls for Law Firms Possessing Company Confidential Information, which pertains to all of Outside Counsel’s subcontractors that possess or access Company Confidential Information. For the avoidance of doubt, this section pertains to, without limitation, reprographics vendors, off-site storage vendors, and cloud server hosting facilities.