
Cybersecurity and the SEC- What Investment Advisers and Broker-Dealers Need to Know in 2016


Page 1: Cybersecurity and the SEC- What Investment Advisers and Broker-Dealers Need to Know in 2016

Speaker Firms and Organization:

James R. Burns, Partner, Willkie Farr & Gallagher LLP

Thank you for logging into today’s event. Please note we are in standby mode. All microphones will be muted until the event starts. We will be back with speaker instructions at 11:55am. Any questions? Please email: [email protected]

Group Registration Policy

Please note ALL participants must be registered or they will not be able to access the event. If you have more than one person from your company attending, you must fill out the group registration form. We reserve the right to disconnect any unauthorized users from this event and to deny violators admission to future events.

To obtain a group registration please send a note to [email protected] or call 646.202.9344.

Presented By:

January 14, 2016

Partner Firms:

Denver Edwards, Partner, Bryant Rabbino LLP

Christopher S. Petito, Of Counsel, Willkie Farr & Gallagher LLP

Page 2:

Please note the FAQ.HELP tab located to the right of the main presentation. On this page you will find answers to the top questions asked by attendees during the webcast, such as how to fix audio issues, where to download the slides and what to do if you miss a secret word. To access this tab, click the FAQ.HELP tab to the right of the main presentation; when you’re done, click the tab of the main presentation to get back.

Follow us on Twitter, that’s @Know_Group to receive updates for this event as well as other news and pertinent info.

If you experience any technical difficulties during today’s WebEx session, please contact our Technical Support at 866-779-3239. We will post the dial-in information in the chat window to the right shortly; it is also available in the FAQ.Help tab on the right.

You may ask a question at any time throughout the presentation today via the chat window on the lower right-hand side of your screen. Questions will be aggregated and addressed during the Q&A segment.

Please note, this call is being recorded for playback purposes.

If anyone was unable to log in to the online webcast and needs to download a copy of the PowerPoint presentation for today’s event, please send an email to: [email protected]. If you’re already logged in to the online webcast, we will post a link to download the files shortly; it is also available in the FAQ.Help tab.

Page 3:

If you are listening on a laptop, you may need to use headphones, as some laptop speakers are not sufficiently amplified to hear the presentations. If you do not have headphones and cannot hear the webcast, send an email to [email protected] and we will send you the dial-in phone number.

About an hour or so after the event, you'll be sent a survey via email asking you for your feedback on your experience with this event today. It's designed to take less than two minutes to complete, and it helps us to understand how to wisely invest your time in future events. Your feedback is greatly appreciated. If you are applying for continuing education credit, completion of the surveys is mandatory as per your state boards and bars. 6 secret words (3 for each credit hour) will be given throughout the presentation. We will ask you to fill these words into the survey as proof of your attendance. Please stay tuned for the secret word. If you miss a secret word, please refer to the FAQ.Help tab to the right.

Speakers, I will be giving out the secret words at randomly selected times. I may have to break into your presentation briefly to read the secret word. Pardon the interruption.

Page 4:

Welcome to the Knowledge Group Unlimited Subscription Programs. We have two options available for you:

FREE UNLIMITED: This program is free of charge with no further costs or obligations. It includes:

• Unlimited access to over 15,000 pages of course material from all Knowledge Group Webcasts. Subscribers to this program can download any slides, white papers, or supplemental material covered during all live webcasts.
• 50% discount for purchase of all live webcasts and downloaded recordings.

PAID UNLIMITED: Our most comprehensive and cost-effective plan, for a one-time fee:

• Access to all LIVE webcasts (normally $199 to $349 for each event without a subscription), including Bring-a-Friend: invite a client or associate outside your firm to attend for FREE. Sign up for as many webcasts as you wish.
• Access to all recorded/archived events and course material, including 1,500+ hours of audio material (normally $299 for each event without a subscription).
• Free Certificate of Attendance processing (normally $49 per course without a subscription).
• Access to over 15,000 pages of course material from Knowledge Group Webcasts.
• Ability to invite a guest of your choice to attend any live webcast free of charge (exclusive benefit only available for PAID UNLIMITED subscribers).
• 6-month subscription is $499 with no additional fees. Other options are available.

Special Offer: Sign up today and add 2 of your colleagues to your plan for free. Check the “Triple Play” box on the sign-up sheet contained in the link below.

https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964

Page 5:

Knowledge Group UNLIMITED PAID Subscription Programs Pricing

Individual Subscription Fees (2 options):
• Semi-Annual: $499 one-time fee for a 6-month subscription with unlimited access to all webcasts, recordings, and materials.
• Annual: $799 one-time fee for a 12-month unlimited subscription with unlimited access to all webcasts, recordings, and materials.

Group plans are available. See the registration form for details.

Best ways to sign up:
1. Fill out the sign-up form attached to the post-conference survey email.
2. Sign up online by clicking the link contained in the post-conference survey email.
3. Click the link below or the one we just posted in the chat window to the right.
https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964

Questions: Send an email to: [email protected] with “Unlimited” in the subject.

Page 6:

Partner Firms:

Willkie Farr & Gallagher LLP is a leading international law firm that provides comprehensive legal services.  Founded in 1888, the firm has approximately 650 lawyers located in nine offices in six countries.

Bryant Rabbino LLP is a boutique law firm that represents sophisticated clients in complex matters. We practice in the areas of asset management, creditors’ rights, capital markets and finance, employee benefits and executive compensation, mergers & acquisitions, real estate, and litigation, including defending government investigations initiated by law enforcement and financial services regulators.

Page 7:

Brief Speaker Bios:

Christopher S. Petito

Christopher S. Petito is of counsel in the Washington, DC office of Willkie Farr & Gallagher LLP. He specializes in the regulation of investment companies, investment advisers, broker-dealers and insurance companies under U.S. and state securities laws, including advising on all aspects of the design, organization and registration of investment companies and related insurance products, as well as providing regulatory and compliance counseling. Mr. Petito also represents firms in mergers and acquisitions and restructurings in the life insurance, investment management and related industries. Before reentering private practice in 1994, Mr. Petito served for six and one-half years as an enforcement lawyer in the SEC’s New York Regional Office, where he last served as the Assistant Regional Administrator in charge of that office’s Investment Management Enforcement group.


James R. Burns

James R. Burns is a partner in Willkie’s Asset Management Group, focusing on counseling investment managers, broker-dealers, self-regulatory organizations, and other registered entities on regulatory, compliance and enforcement matters. Prior to joining Willkie, Jim served most recently as Deputy Director of the SEC’s Division of Trading and Markets and previously as Deputy Chief of Staff and Counsel to Chairman Mary Schapiro. He was an adviser to Commissioner Kathy Casey and worked for many years on enforcement and regulatory matters in the securities practice at a leading law firm. He brings an acute knowledge and understanding of the equity, fixed income, and derivatives markets, having played an integral role in the development of current SEC positions and regulatory initiatives affecting those areas.

► For more information about the speakers, you can visit: https://theknowledgegroup.org/event-homepage/?event_id=1209

Denver Edwards

Denver Edwards is a litigator who defends corporations and individuals in investigations brought by financial services regulators, including the SEC, FINRA, and state attorneys general. Denver has handled a range of regulatory enforcement matters including insider trading, fraudulent offerings, accounting fraud, and sales practice violations. Denver also advises broker-dealers on market regulation and internal controls. Denver has counseled clients in connection with responding to government inquiries concerning trading activities by the client and its counterparties. Denver was formerly Senior Counsel at the SEC and at the U.S. Office of the Comptroller of the Currency, two national law firms and one international investment bank.

Page 8:

Cyber attacks are happening with more frequency and are affecting prominent businesses with substantial cybersecurity infrastructure, including some of our nation’s largest financial institutions.

Over the past two years, cybersecurity has emerged as a key area of focus for the SEC and FINRA. The Securities and Exchange Commission (SEC) has formal jurisdiction over cybersecurity issues in the market, regarding customer data protection, and in disclosure of material information. Regulation S-P requires broker-dealers and investment advisers to, among other things, adopt policies and procedures to provide safeguards for the protection of customer records and information. In 2013, the SEC adopted Regulation S-ID, requiring some regulated financial institutions and creditors to have identity theft programs, and in 2015 it may require public companies to disclose information on data breaches and other cybersecurity threats. Legislation recently passed by Congress would provide for the voluntary sharing in real time of “cyber threat indicators” among private organizations and the federal government.

In light of this, broker-dealers and investment advisers must be aware of the increasing trend towards greater regulation of the market with respect to cybersecurity, increased demand for data and information regarding cybersecurity program compliance and any threats, and programs for protection from identity theft and other crimes.


Page 10:

Featured Speakers:

Christopher S. Petito, Of Counsel, Willkie Farr & Gallagher LLP

Denver Edwards, Partner, Bryant Rabbino LLP

James R. Burns, Partner, Willkie Farr & Gallagher LLP

Page 11:

Introduction

Christopher S. Petito is of counsel in the Washington, DC office of Willkie Farr & Gallagher LLP. He specializes in the regulation of investment companies, investment advisers, broker-dealers and insurance companies under U.S. and state securities laws, including advising on all aspects of the design, organization and registration of investment companies and related insurance products, as well as providing regulatory and compliance counseling. Mr. Petito also represents firms in mergers and acquisitions and restructurings in the life insurance, investment management and related industries. Before reentering private practice in 1994, Mr. Petito served for six and one-half years as an enforcement lawyer in the SEC’s New York Regional Office, where he last served as the Assistant Regional Administrator in charge of that office’s Investment Management Enforcement group.

Christopher S. Petito, Of Counsel, Willkie Farr & Gallagher LLP

Page 12:

Introduction

James R. Burns is a partner in Willkie’s Asset Management Group, focusing on counseling investment managers, broker-dealers, self-regulatory organizations, and other registered entities on regulatory, compliance and enforcement matters. Prior to joining Willkie, Jim served most recently as Deputy Director of the SEC’s Division of Trading and Markets and previously as Deputy Chief of Staff and Counsel to Chairman Mary Schapiro. He was an adviser to Commissioner Kathy Casey and worked for many years on enforcement and regulatory matters in the securities practice at a leading law firm. He brings an acute knowledge and understanding of the equity, fixed income, and derivatives markets, having played an integral role in the development of current SEC positions and regulatory initiatives affecting those areas. Through his experience, he is able to provide clients, including asset managers, broker-dealers, and other registrants, with insights into current issues in SEC examination and enforcement contexts, as well as strategic advice on the effects of SEC initiatives on their business operations and compliance programs.

James R. Burns, Partner, Willkie Farr & Gallagher LLP

Page 13:

Introduction

Denver Edwards is a litigator who defends corporations and individuals in investigations brought by financial services regulators, including the SEC, FINRA, and state attorneys general. Denver has handled a range of regulatory enforcement matters including insider trading, fraudulent offerings, accounting fraud, and sales practice violations. Denver also advises broker-dealers on market regulation and internal controls. Denver has counseled clients in connection with responding to government inquiries concerning trading activities by the client and its counterparties. Denver was formerly Senior Counsel at the SEC and at the U.S. Office of the Comptroller of the Currency, two national law firms and one international investment bank.

Denver Edwards, Partner, Bryant Rabbino LLP

Page 14:

Recent Notable Cyber-Attacks

Cyber-attacks are happening with more frequency and are affecting government and prominent businesses.

• OPM: Disclosed July 2015. Attacks compromised security clearance files for 21.5 million people and personnel files of 4.2 million people.
• Anthem: Disclosed February 2015. Attacks compromised personal information of 78.8 million healthcare customers.
• Target: November – December 2014. Attacks compromising data tied to 40 million credit cards.

James R. Burns, Partner, Willkie Farr & Gallagher LLP
Christopher S. Petito, Of Counsel, Willkie Farr & Gallagher LLP

Page 15:

Recent Notable Cyber-Attacks (cont.)

• JPMorgan: August 2014. Attacks compromised accounts of 76 million households and 7 million small businesses.
• Charles Schwab: April 2013. Attack prevented all of Schwab’s customers from making online trades for approximately 2 hours.
• Hacking Team: July 2015. Compromised executive emails, client lists and source code for hacking and spyware tools.

Page 16:

Genesis and History of SEC Cybersecurity Program

Page 17:

Regulation S-P

Regulation S-P is designed to protect individual identifying information of “natural persons.”

Requires broker-dealers to adopt policies and procedures that: (i) “address administrative, technical, and physical safeguards for the protection of customer records and information;” and (ii) are reasonably designed to:
• insure the security and confidentiality of customer records and information;
• protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
• protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Regulation S-P also requires advisers to deliver an initial privacy notice and annual privacy notices to all natural person investors.

Page 18:

Regulation S-ID

Regulation S-ID was adopted in April 2013 and is commonly referred to as the Identity Theft Red Flag Rule.

Broker-dealers and investment advisers that maintain “covered accounts” are required to develop, implement, and administer a written identity theft prevention program.

The program must be designed to detect, prevent, and mitigate identity theft in connection with the opening of investor accounts and the administration of current accounts.

Programs implemented to comply with Regulation S-ID must, among other requirements:
• address training of employees to identify red flags;
• ensure third-party service providers to covered accounts have their own reasonable red flags programs in place; and
• provide for an annual review of the program.

Page 19:

Regulation SCI

Requires:
• Policies and procedures to ensure the entity’s systems can maintain its operational capabilities and promote fair and orderly markets, including, for example:
  • Business continuity and disaster recovery plans providing for next-business-day resumption of trading and two-hour resumption of certain “critical SCI systems” following a wide-scale disruption
  • Response plan to an “SCI Event”
• Annual SCI compliance review
• Quarterly notices to the SEC of systems changes

Applies to national securities exchanges, higher-volume equity ATSs, FINRA, securities information processors, each registered and one exempt clearing agency, and the Municipal Securities Rulemaking Board.

Does not apply to ATSs trading only fixed-income securities or broker-dealers operating high-volume proprietary trading platforms.

Page 20:

Regulation SCI (cont.)

May require market participants (such as broker-dealers and large investment advisers) to participate in market-wide testing in the future. Section 1004 of Regulation SCI requires each SCI entity to “[d]esignate members or participants . . . and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such [business continuity and disaster recovery plans] . . . .”

Adopting release indicated that in the future the SEC would evaluate whether to extend Regulation SCI to other categories of broker-dealers or other market participants such as investment advisers:

“This [step-by-step] approach will enable the Commission to monitor and evaluate the implementation of Regulation SCI, the risks posed by the systems of other market participants, and the continued evolution of the securities markets, such that it may consider, in the future, extending the types of requirements in Regulation SCI to additional categories of market participants, such as non-ATS broker-dealers, security-based swap dealers, investment advisers, investment companies, transfer agents, and other key market participants.”

Page 21:

Recent Focus

Over the last two years, cybersecurity has evolved into a key area of focus for the SEC and FINRA.

January 2014: FINRA announces targeted exams on cybersecurity approaches http://www.finra.org/industry/cybersecurity-targeted-exam-letter

March 2014: SEC hosts a Cybersecurity Roundtable “to discuss cybersecurity and the issues and challenges it raises for market participants and public companies” <https://www.sec.gov/spotlight/cybersecurity-roundtable.shtml>

April 2014: SEC announces an exam sweep of investment advisers and registered funds <https://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf>

January 2015: Cybersecurity identified as a 2015 Examination Priority <http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf>

February 2015: SEC examination staff announces results of the 2014 examination sweep <https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf>

February 2015: FINRA issues report on cybersecurity practices <https://www.finra.org/file/report-cybersecurity-practices>

April 2015: SEC Investment Management Staff publishes cybersecurity “guidance update” <http://www.sec.gov/investment/im-guidance-2015-02.pdf>

Page 22:

Recent Focus (cont.)

September 2015: SEC OCIE publishes “risk alert” providing information on the areas of focus for OCIE’s second round of cybersecurity examinations <http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf>

September 2015: SEC brings settled enforcement action against R.T. Jones Capital Equities Management, based on failure to adopt proper cyber security compliance policies and procedures

December 2015: SEC Enforcement official says more cases to come

Page 23:

SEC and FINRA Cybersecurity Examination Initiative

Page 24:

2014: SEC Initial Examination Sweep

SEC announced the 2014 cybersecurity examination sweep through a risk alert published on April 15, 2014, which included a sample examination request. Purpose was to assess the state of the industry and establish a knowledge base for further SEC action.

Page 25:

2015: SEC Summary of Findings

In February 2015, the SEC published a summary of observations from its initial cybersecurity examinations. While characterized as observations and not as best practices, SEC “observations” should be considered by firms in establishing cybersecurity compliance procedures, which will be evaluated by the SEC under a reasonableness standard.

• “Vast majority” of examined broker-dealers and investment advisers possessed written information security policies
• “Vast majority” of examined firms conducted periodic risk assessments on a firm-wide basis to identify cybersecurity threats, vulnerabilities and potential business consequences
• Most examined firms had been subject to a cybersecurity incident
• Many examined firms identified best practices through information sharing networks
• “Vast majority” of examined firms conducted firm-wide inventorying of technology resources

Page 26:

2015: SEC Summary of Findings (cont.)

• Many broker-dealers incorporated provisions addressing cybersecurity risk in their vendor contracts and/or had policies for providing cybersecurity training for vendors. Investment advisers did so to a much lesser extent.
• Almost all examined firms used encryption in some form.
• Many examined firms provided suggestions to their customers for protecting sensitive information.
• About two-thirds of examined broker-dealers had a CISO. About a third of the examined investment advisers did.
• Over half of the examined broker-dealers maintained cybersecurity insurance. About one-fifth of the examined investment advisers also did so.

Page 27:

2015: FINRA Report of Cybersecurity Practices

In February 2015, FINRA issued a report, based on its 2014 examination sweep of member broker-dealers, intended to assist member firms in responding to cybersecurity threats. Key findings:

• A sound governance structure is essential
• Risk assessments are basic tools for all firms to understand their cybersecurity risks
• The types of technical controls used by a firm should be tailored to its situation. A defense-in-depth strategy can be effective
• Firms should adopt incident response plans addressing containment and mitigation, eradication and recovery, investigation, notification and customer remediation
• Firms should manage cybersecurity risks presented by vendors
• Staff training is important
• Intelligence sharing opportunities should be utilized

Page 28:

2015: Second Round of SEC Examinations

In January 2015, OCIE announced a focus on cybersecurity compliance and controls as part of its Examination Priorities. In September 2015, OCIE published a Risk Alert to provide additional information on areas of focus for its second round of cybersecurity examinations. General focus is on firms’ ability to protect broker-dealer customer and investment adviser client information and on weaknesses in basic cybersecurity-related controls. OCIE specifically identified the following areas of focus:

• Governance and risk assessment processes
  • Periodic evaluations
  • Communications to and involvement of senior management and directors
  • Chief Information Security Officer
• Access rights and controls
  • Basic controls to prevent unauthorized access to systems or information

Page 29:

2015: Second Round of SEC Examinations (cont.)

Areas of focus (cont.):
• Data loss prevention
  • Controls in areas of patch management and system configuration
  • Transfers of content outside the firm
  • Monitoring procedures
• Vendor management
  • Due diligence as to vendor selection
  • Monitoring and oversight of vendors
  • Contract terms
• Training
  • Employees and vendors
• Incident response
  • Plans to mitigate the effects of a cybersecurity incident
  • Information about actual cybersecurity incidents, including the extent of customer losses and remedial efforts

Risk Alert also included a sample information request.

Page 30:

Regulatory Cybersecurity Enforcement

Denver Edwards, Partner, Bryant Rabbino LLP

Page 31:

Regulation by Enforcement Action: Summary of Lessons Learned

SEC and FINRA have disciplined firms for:
• Failing to have robust cybersecurity procedures, failing to follow existing cybersecurity procedures, and failing to establish appropriate controls to enforce existing cybersecurity procedures
• Failing to perform sufficient periodic assessments of cybersecurity procedures and failing to respond to deficiencies detected through such assessments prior to a breach
• Failing to protect networks containing non-public customer information with appropriate technology (encryption, antivirus software and firewalls) and reasonable procedures (user access restrictions)
• Failing to respond appropriately to cybersecurity breaches, including how firms enhance their systems and procedures with a view toward preventing the recurrence of similar data breaches

Page 32:

Regulation by Enforcement
• LPL Financial Corp., Release No. 34-58515 (Sept. 11, 2008)
• Facts. Between July 2007 and February 2008, an unauthorized person gained access to the firm’s trading platform, accessed the accounts of thirteen registered representatives located in multiple states, and attempted to place over $700,000 in trades in securities of nineteen companies. The perpetrators may have accessed PII for at least 10,000 customers. LPL detected the breach and blocked the trades. LPL reversed customer positions and compensated customers approximately $98,000 for their losses.

• Inadequate Policies and Procedures. LPL failed to have a customer information policy for its employees and RRs that described an overall program reasonably designed to protect customer records and information. LPL distributed to its branch offices limited and insufficient written materials (and, in some instances, only suggestions or recommendations, as opposed to mandates) regarding safeguarding customer information. LPL audited other corporate systems, but had failed to audit security related to its trading platform.

• Inadequate Response to Known Deficiencies and Anticipated Security Threats. From July to September 2006, internal auditors identified weaknesses such as: passwords that did not meet industry standards for “strong passwords” (including alphanumeric/special character combinations); passwords that were not set to expire after a set time; users who could not change their passwords; no lockout feature after unsuccessful login attempts; over 300 IT employees with access to a list of trading platform passwords; and an automatic session timeout set to eight hours, which exceeded industry standards. Internal audit presented the weaknesses in a report to the CIO, and later to the Executive Risk Committee, noting that an intruder could hack into the trading platform, cause financial loss to customers, and abscond with PII. Executives were alerted that the access control issues could lead to a finding or opinion by an independent auditor that LPL had ineffective controls. The audit committee gave management a written report that contained recommendations and remediation costs of approximately $500,000. Management failed to take immediate remedial action.

• Sanctions. Cease and desist order, censure, and a penalty in the amount of $275,000.
• Lesson. Ensure that a firm’s proprietary trading platform is secure. Conduct periodic cyber security audits. Respond to cyber deficiencies in a timely manner.

Page 33

Regulation by Enforcement
• Centaurus Financial Inc., FINRA Letter of Acceptance, Waiver and Consent No. 2007009780901 (Apr. 28, 2009)
• Facts. Centaurus set up a computer fax server using a third-party service provider so that its brokers could send computer-related account documents that included Social Security numbers, addresses and account numbers to the trading and operations department of the home office. Upon being warned by an anonymous third party that the security of its computer fax server was compromised, that it hosted a phishing site, and that it exposed confidential information to the public, Centaurus did not act on the warning until two customers, who had also been notified by the anonymous third party, contacted Centaurus about the breach. Subsequently, Centaurus mailed inaccurate data breach notification letters to its customers and RRs.

• Inadequate Supervisory System and Procedures. Centaurus improperly configured its firewall and used poor password practices, including a user name of “Administrator” and a password of “password,” which allowed unauthorized individuals on the Internet to connect to the computer fax server and access the images stored on it.

• Inadequate Response to Security Breach. Although Centaurus was warned by an anonymous third party that the computer fax server had been compromised and was hosting a phishing site, Centaurus did not take any action until two customers, who had also been warned by the anonymous third party that their confidential information was accessible, had their RR complain to Centaurus about the breach.

• Inadequate Investigation. Centaurus limited its review of the computer fax server logs to the month of the breach rather than reviewing for unauthorized access going back to when the computer fax server was installed.

• Sanctions. Censure and a fine in the amount of $175,000.
• Lesson. Strong password practices are essential; in particular, default vendor credentials must be changed before a device is reachable from the Internet. Have a procedure in place so that employees know what actions to take in the event of a computer security breach. Even anonymous tips regarding computer security breaches should be given serious consideration.

Page 34

Regulation by Enforcement
• In the Matter of Commonwealth Equity Services LLP, Release No. 34-60733 (Sept. 29, 2009)
• Facts. An unauthorized individual obtained the login credentials of one of Commonwealth’s RRs through a malware/keystroke-logger virus. The virus was placed on a computer that did not have anti-virus software. Using the RR’s login credentials, the intruder entered Commonwealth’s intranet site, learned how to execute trades, and then ran a search query for customer accounts that generated a list of 368 accounts and provided personally identifiable information, including account name, account number, cash balance and the last four digits of each customer’s Social Security number. The intruder placed eighteen unauthorized purchase orders in eight accounts totaling over $523,000. Commonwealth detected the activity, and the intruder was blocked from further trading. Commonwealth immediately canceled the unauthorized purchases and transferred them into its error account, which ultimately cost Commonwealth $8,000. Commonwealth reported the incident to the Commission and notified its clients.

• Inadequate Policies and Procedures. Commonwealth’s policies recommended (as a best practice) that its registered representatives use anti-virus software on branch office computers, but did not mandate such use.

• Failure to Follow Up on Computer Security Issues. Prior to the intrusion, Commonwealth’s IT help desk received several calls from the same registered representative whose computer had been compromised by a software virus. The IT help desk recommended the purchase of anti-virus software, but did not follow up to confirm whether anti-virus software was purchased. In addition, Commonwealth had no written procedures that addressed follow-up on computer security issues reported to the IT help desk or uncovered in branch audits.

• Sanctions. Cease and desist order, censure and a penalty in the amount of $100,000.
• Lesson. Compliance policies and procedures work best when employees are required to follow them, as opposed to recommendations that they can choose to ignore. Knowledge of a problem is insufficient; a process must be in place to ensure that the problem is remediated.

Page 35

Regulation by Enforcement
• D.A. Davidson & Co., FINRA Letter of Acceptance, Waiver and Consent No. 200815299801 (Apr. 9, 2010)
• Facts. A computer that housed a Web server with a persistent Internet connection also housed a database containing confidential customer information such as account names, account numbers, dates of birth and Social Security numbers. The database was not secured by a password and was not encrypted. Using SQL (structured query language) injection, an unauthorized intruder exfiltrated the confidential information of 192,000 customers from the database. The SQL injection attacks were visible in the Web server logs, but the logs were not monitored. The firm learned of the breach only when the perpetrator demanded money in an extortion attempt.

• Inadequate Policies and Procedures. The firm lacked (1) written procedures for review of Web server logs and (2) a policy for responding to intrusions.

• Failure to Adopt a Recommendation by an Independent Auditor and Outside Security Consultant that the Firm Implement an Intrusion Detection System. Although the firm employed an outside security consultant to audit network security and make recommendations, the recommendation to deploy an intrusion detection system had not been implemented by the time the intrusion occurred.

• Poor Computer Security Practices. The firm failed to encrypt a database containing nonpublic customer information, even though it was exposed to the Internet. The firm also failed to require a password to access that database.

• Sanctions. Censure and a fine in the amount of $375,000.
• Lesson. Apply defense in depth to confidential information: encryption, password protection and segregation from Internet-facing resources (a customer database should not share a host with a public Web server), to name a few. Monitor the network and its logs for unauthorized users, connections, devices and software.
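The D.A. Davidson finding that the injection attempts were visible in the Web server logs but never reviewed is the kind of gap a small log-review job closes. The Python below is an added example written for this page, not code from the presentation or from any of the firms discussed: it parses combined-format access log lines (constructed here; the client addresses are from the RFC 5737 TEST-NET documentation ranges), flags request paths carrying common SQL injection shapes after URL-decoding them, and names sources that trip the rule more than once. The signature set is deliberately short and is a starting point for a detection rule, not a replacement for a WAF or IDS.

```python
"""Added example (not part of the presentation): flag SQL injection attempts in
web server access logs. Log lines are constructed for this example."""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import unquote_plus

# Constructed combined-format access log (not from any real server)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2016:08:15:02 -0500] "GET /account?id=1042 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:08:15:09 -0500] "GET /account?id=1042'+OR+'1'='1 HTTP/1.1" 200 98211 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2016:08:16:31 -0500] "GET /search?q=bond+fund HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2016:08:17:45 -0500] "GET /account?id=1042%20UNION%20SELECT%20ssn,dob%20FROM%20customers-- HTTP/1.1" 200 301337 "-" "sqlmap/1.0"
203.0.113.7 - - [10/Jan/2016:08:18:02 -0500] "GET /account?id=1042;%20WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 500 0 "-" "sqlmap/1.0"
"""

# Apache/nginx "combined" format: client, ident, user, [time], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# Matched against the URL-decoded, lower-cased request path and query string.
# Deliberately short: a starting point for a log-review rule, not a full signature set.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*\bor\b\s*'?\w+'?\s*=\s*'?\w+"),
    "union_select": re.compile(r"\bunion\b.+\bselect\b"),
    "comment_terminator": re.compile(r"(--|/\*)\s*$"),
    "stacked_or_time_based": re.compile(r";\s*(waitfor|sleep|benchmark|drop|insert|update|delete)\b"),
}
SCANNER_AGENTS = ("sqlmap", "havij", "nikto")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path: str) -> List[str]:
    """Names of the injection patterns present in a raw request path (decoded first)."""
    decoded = unquote_plus(path).lower()
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]


def scan_log(text: str) -> List[Dict[str, object]]:
    """One finding per suspicious request: who, when, what tripped, and the response size
    (a 2xx with an unusually large body on an injected query is the exfiltration signal)."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        indicators = classify_request(rec["path"])
        if any(tool in rec["ua"].lower() for tool in SCANNER_AGENTS):
            indicators.append("scanner_user_agent")
        if indicators:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "bytes": rec["bytes"], "path": rec["path"], "indicators": indicators})
    return findings


def sources_to_alert(findings, threshold: int = 2) -> Set[str]:
    """Client addresses with at least `threshold` suspicious requests: what a rule would page on."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["ip"], f["status"], f["bytes"], ",".join(f["indicators"]), f["path"])
    print("alert on:", sorted(sources_to_alert(hits)))
```

Run against the constructed sample, the benign `/search` request from 198.51.100.23 produces nothing, while the three requests from 203.0.113.7 are flagged and that address crosses the two-hit alert threshold. The response size carried in each finding matters as much as the pattern: the 301,337-byte 200 response to a UNION SELECT is the line that says data actually left.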

Page 36

Regulation by Enforcement
• In the Matter of Marc A. Ellis, Release No. 34-64220 (Apr. 7, 2011)
• Facts. Laptop computers belonging to three RRs of GunnAllen Financial Inc. were stolen, and the password credentials of a fourth RR were misappropriated. One of the stolen laptops contained the names, dates of birth and Social Security numbers of 1,120 of GunnAllen’s customers. For the theft of the laptop containing customer information, GunnAllen filed a report with the local police but took no other steps, and the laptop was never recovered. A letter notifying customers of the potential data breach was drafted but never mailed to the affected clients. In addition, an RR who had been terminated a year earlier had misappropriated another employee’s passwords and was monitoring that employee’s email. Other than changing the registered representative’s password, compliance took no other follow-up action. Marc Ellis, GunnAllen’s chief compliance officer, was responsible for maintaining GunnAllen’s customer information protection procedures.

• Inadequate Policies and Procedures. The policies addressing the protection of customer information in GunnAllen’s written supervisory procedures manual were “less than a page long” and “general and vague”; they “simply recited the Safeguards Rule” and “provided examples of safeguards that may be adopted, but did not specify policies actually adopted.” In addition, no procedures existed that addressed what RRs should do in the event of a possible data breach such as a stolen laptop.

• Failure to Implement Written Policies and Procedures. While GunnAllen’s procedures provided for a designated principal responsible for monitoring and testing computer safeguards, no one was ever appointed and there was no evidence that such tests occurred.

• Sanctions. Cease and desist order, censure and a penalty in the amount of $15,000.
• Lesson. Financial firms need information security policies and procedures that include details and do not merely regurgitate the requirements of published regulations. Firms must designate suitable staff to monitor cyber issues. The SEC will hold CCOs individually liable for their role in violations of Regulation S-P.

Page 37

Regulation by Enforcement
• Wells Investment Securities Inc., Letter of Acceptance, Waiver and Consent No. 2009019893801 (Nov. 21, 2011)
• Facts. Among other compliance issues, a laptop computer containing the names, account numbers, Social Security numbers, addresses, telephone numbers and other investment data of over 37,000 customers was stolen from an employee’s car. The employee who lost the laptop continued to have access to customer information after he was terminated by the firm but employed by an affiliate.

• Inadequate Policies and Procedures Regarding Encryption. Written procedures regarding Regulation S-P were generic, requiring only that employees secure all non-public financial information. The firm’s encryption policy required encryption only for non-public financial information communicated to third parties. The firm did not require encryption for data stored on a firm laptop or for confidential customer information shared with an affiliate. Regular computer system audits did not include laptop security.

• Weak Password Practices. The use of strong passwords was not enforced through periodic password changes or forced password expiration.

• Sanctions. Censure and a fine in the amount of $300,000.
• Lesson. Encrypt confidential information on mobile devices or, at a minimum, have the ability to wipe the device remotely. Remove access to customer information when an employee leaves. A company must verify that its policies and procedures are being followed by its employees.

Page 38

Regulation by Enforcement
• Sterne, Agee & Leach, Letter of Acceptance, Waiver and Consent No. 2014041619501 (May 22, 2015)
• Facts. From March 2009 to June 2014, Sterne’s written supervisory procedures were not reasonably designed to protect confidential customer information, and eventually, on May 29, 2014, 352,551 customers were placed at risk when an IT employee lost an unencrypted laptop containing PII for all accounts opened or closed by Sterne from 1992 to June 2013. When the laptop was lost, Sterne’s policies and procedures covered data management, access controls, confidentiality and integrity, infrastructure, threat and vulnerability management, and education and awareness, but they did not require encryption of laptop hard drives. The firm had initially rated the encryption issue a “moderate risk,” and even after it adopted its Information Security Policy and Standards it did not require encryption of laptops. The firm eventually purchased encryption software, but was slow to hire the additional personnel needed to deploy it. IT requested funding to outsource intrusion detection and data-loss prevention services, which included laptop encryption. Management did not approve the intrusion detection funding until June 2014, a month after the laptop was lost.

• Written Supervisory Procedures. Sterne’s failure to adopt WSPs reasonably designed to ensure the security of customer information placed sensitive customer information at risk. The firm did not implement sufficient supervisory systems and written supervisory policies requiring encryption of laptops until July 2014, even though the risk was known as early as 2009.

• Sanction. Censure, a fine in the amount of $225,000, and a certification within sixty days that it had reviewed and updated its procedures to comply with Regulation S-P.

• Lesson. Firms must develop policies and procedures to protect customers’ PII, and when data is stored on a mobile device, the data should be encrypted. Firms must promptly remediate deficiencies in their cybersecurity program once they are discovered to minimize risk to customers.

Page 39

Regulation by Enforcement
• R.T. Jones Capital Management, Inc., Release No. 4204 (Sept. 22, 2015)
• Facts. R.T. Jones (“Jones”) stored PII, without modification or encryption, on its third-party-hosted server from September 2009 to July 2013. Jones discovered a cybersecurity breach of the server in July 2013. Jones promptly retained a cybersecurity consulting firm, which determined that the intrusion originated from China and that the intruder had gained full access and copy rights to PII for approximately 100,000 individuals, including thousands of Jones’ clients, rendering those individuals vulnerable to theft. The full nature of the breach could not be determined because the intruder destroyed the log files covering the period of the intruder’s activity. Jones provided notice to all of the impacted parties and offered free identity theft monitoring through a third-party provider.

• Inadequate Policies and Procedures. The firm failed to adopt any written policies and procedures reasonably designed to safeguard clients’ information. Jones’ policies and procedures did not include: (1) conducting periodic risk assessments; (2) employing a firewall to protect the Web server containing PII; (3) encrypting PII stored on its Web server; or (4) establishing incident response procedures. The Commission determined that Jones’ policies and procedures under the Safeguards Rule were not reasonable.

• Prompt Remedial Action. Jones undertook remedial actions, including: (1) appointing an information security manager to oversee and protect PII; (2) adopting a written information security policy; (3) no longer storing PII on a Web server; (4) encrypting PII stored on its internal network; (5) implementing a new firewall and logging system to prevent and detect malware; and (6) retaining a cybersecurity firm to report and advise on the firm’s IT security.

• Sanctions. Cease and desist order, censure, and a penalty in the amount of $75,000.
• Lessons. Firms must adopt, implement, and monitor policies and procedures to safeguard customers’ PII. Firms must layer independent controls, such as encryption and firewalls, around technology systems, consistent with the firm’s risk profile. The destroyed log files show why logs should be forwarded off the host they describe: an intruder with full access to a server can erase the only record of what was taken. The SEC may bring an enforcement action without evidence of economic loss to clients; prompt remediation may influence the amount of the penalty.

Page 40

Regulation by Enforcement Action: Future Activity
• Future Cybersecurity Enforcement Activity

Focus on the adequacy of policies, procedures and controls; compliance with existing policies; the adequacy of periodic assessments of procedures and controls; the response to cybersecurity deficiencies detected and the remedial actions taken; protection of PII through technology and user access controls; and incident response

Actions may be based on actual data breaches rather than on vulnerabilities that could have resulted in breaches

Discipline may occur even if no customer is harmed and no PII is misused

Prompt and appropriate incident response may not save a firm from regulatory enforcement action

Actions may be brought against individuals (e.g., CCOs and privacy officers) tasked with supervisory responsibilities over cybersecurity

Enforcement actions may result in significant fines

Page 41

Cybersecurity Governance

Page 42

• “Boards that choose to ignore or minimize the existence of cybersecurity oversight responsibility do so at their own peril.” (Commissioner Aguilar, Speech at “Cyber Risk and the Board Room” Conference, NYSE, June 10, 2014)

• A survey of more than 1,000 information technology leaders found that nearly 80% had not briefed their Board of Directors on cybersecurity in the last 12 months (Ponemon Institute’s 2015 Global Megatrends in Cybersecurity)

• Attacks focus on large companies, but small companies are also vulnerable: 31% of attacks were committed against companies with between 1 and 250 employees (2013 Internet Security Threat Report by Symantec)

• The SEC’s 2015 cybersecurity survey of 57 registered broker-dealers and 49 investment advisers found that 88% of broker-dealers and 74% of advisers have experienced cyber attacks, either directly or through a vendor

How should a director approach cybersecurity?

Page 43

Cybersecurity: Board’s Fiduciary Duties
• Role of the Board

The Board has oversight responsibility to ensure management serves the interests of shareholders or beneficial owners of the entity

Management is responsible for risk management and day-to-day operations

• Director’s Fiduciary Duties Concerning Oversight and Risk Management

Duties are determined by state law (and industry standards)

Duty of Care

Make informed business decisions

Act in good faith

Act in the best interest of the company

The Business Judgment Rule (BJR) protects directors from liability unless their actions are in bad faith or irrational

Companies have adopted charter provisions to insulate directors from personal liability resulting from a breach of their duty of care

No liability if the company took reasonable steps to develop and implement a cybersecurity plan but still experienced a breach

Page 44

Cybersecurity: Board’s Fiduciary Duties
Duty of Loyalty

Place the company’s interest first

Act in good faith

No protection from the BJR or exculpatory charter provisions

Duty of Oversight

Duty to monitor systems and keep informed

Directors may be found liable for a “sustained or systemic failure … to exercise oversight” if the Board (1) failed to ensure a reasonable information and reporting system was implemented, or (2) failed to monitor an existing system

In re Caremark Int’l Derivative Litigation (Del. Ch. 1996)

Courts will focus on “red flags” to see if directors should have anticipated the threat of a data breach

The frequency, sophistication, and impact of cyber incidents are widespread and qualify as “red flags” under fiduciary duty standards, and therefore directors have an affirmative duty to oversee cybersecurity efforts

Page 45

Cybersecurity: Board’s Fiduciary Duties
Private Advisers and Funds / State Law Liability

Investment advisers and their senior management are subject to fiduciary duties of care and loyalty to take reasonable steps to prevent harm to clients

Fiduciary responsibilities generally extend to cybersecurity matters

Some types of liability may be limited by fund organizational documents or by contract

Page 46

Cybersecurity Governance
• Is cybersecurity risk part of the firm’s Risk Management Framework?
• Within the company, which department or group is responsible for cybersecurity?

Create a cybersecurity program

Appoint a Chief Information Security Officer responsible for identifying risks and managing the cybersecurity effort

Consider whether a risk committee is appropriate for the firm. The aim would be to evaluate cyber risks in conjunction with other enterprise-wide risks and emerging threats

The committee should include executives with functions relevant to risk management but not directly involved with information technology (e.g., CLO, CFO, CCO) to bring a broad, enterprise-wide perspective to addressing cybersecurity risks

Committee responsibilities should be clearly defined

Ensure that the risk committee is adequately funded and that IT budgets are periodically reviewed, so that the resources allocated to the committee and to IT are commensurate with the risks to the firm

Page 47

Cybersecurity Governance
• What standard or framework does the firm use to measure preparedness?
• How do the company’s practices measure against the standards in the NIST Framework?

Cybersecurity standards by independent organizations, such as NIST, the SANS Institute Critical Security Controls, Control Objectives for Information and Related Technologies (COBIT) and the International Organization for Standardization (ISO), may add to SEC-regulated entities’ fiduciary duty obligations by setting new standards that become part of an entity’s regulatory mandates

Adopt a standard or framework and calibrate it to the firm’s risk profile

OCIE incorporated questions from the NIST Framework for Improving Critical Infrastructure Cybersecurity into the questionnaires that it sent to investment advisers in April 2015

NIST may become the de facto standard for cybersecurity and privacy regulation and may impact legal definitions and enforcement guidelines for cybersecurity

Courts could identify the Framework as a “baseline” for “reasonable” cybersecurity standards, and organizations which have not adopted the Framework (or a similar standard) to a sufficient degree may be held liable for fines and damages

Page 48

Cybersecurity Governance
• What is the firm’s cyber hygiene?
• How does the firm know what data is leaving the company, and what associated security monitoring activities are in place?
• How do industry participants protect assets, and can the firm be better than its competitors?
• Where is the company’s data stored, and which jurisdiction has regulatory and legal authority over that data’s protection?

Inventory information assets and analyze risks

Determine the “crown jewels” that would create the most harm if stolen, lost, compromised or destroyed

Prioritize assets based on sensitivity and business value

Evaluate logging capabilities and practices, data retention, and security maintenance

Identify physical devices and systems

Map the network, resources, connections, and data flows

Learn what and who is connected to the firm’s network, particularly vendors

Page 49

Cybersecurity Governance
• How does the Board remain informed about cybersecurity risks and threats?
• How are cybersecurity breaches identified or reported within the company and, if necessary, to the Board or its committees?
• What is the firm’s involvement with information sharing organizations?

Obtain regular communication from the risk committee about emerging threats

Share information about cybersecurity threats with employees, vendors, and stakeholders with access to the company’s sensitive data

Ensure that the cybersecurity plan is continually reassessed in light of on-going testing and monitoring of threats

Periodically retain independent consultants to assess the company’s data-protection systems, suggest areas of improvement, educate directors about emerging cybersecurity threats, and share experiences, including industry-specific regulatory or jurisdictional cybersecurity risks that are particularly relevant to the company

Ensure that meeting minutes reflect the Board’s discussion of cybersecurity; this rebuts any later claim that the board did not monitor the cybersecurity plan

Page 50

Cybersecurity Governance
• What is the firm’s cybersecurity incident response playbook?
• What is the company’s plan to address privacy risks (particularly litigation and regulatory)?
• Given recent cyber breaches, what is the company’s exposure to similar threats, and how would the company manage recovery from these threats?

Ensure the firm has a written cybersecurity incident response plan

Appoint a person with sufficient authority to lead the response

Investigate thoroughly any allegation of a cybersecurity breach, meet with incident response professionals or senior executives, document efforts to address the breach, and track remediation steps

Require testing of both the defenses and the plan (penetration testing of systems; tabletop exercises and simulations of the response), and conduct a debrief for lessons learned. Exercises help the firm learn when to bring in technical experts and legal support, and when and how to share information with law enforcement, regulatory agencies, and shareholders

Documented testing shows third parties that the company implemented and monitors its cybersecurity plan

Page 51

Cybersecurity Governance
• Does the firm have cybersecurity insurance? If so, what is covered? If not, why not?

Insurance plans cover network liability, electronic media liability, technical errors and omissions, business income loss, data and network restoration, forensic investigation expenses, crisis management and extortion threats

Insurance should be commensurate with the company’s risk profile and should cover internal costs (business interruption, legal expenses, response costs) and external costs

Quantify the possible costs of a cyber breach and evaluate the value of cybersecurity insurance relative to those costs

Expected loss = Potential Costs x Probability of Cyber Incident(s); compare this expected loss (net of the policy’s deductible and exclusions) with the premium to judge the return on the policy

Page 52

Cybersecurity Governance - Takeaways
• Cybersecurity assessment and monitoring fall within a board director’s fiduciary duties. Directors must oversee management to ensure that adequate systems and procedures are in place to limit cybersecurity intrusions

• Directors must understand the risks, the potential benefits (and costs) of prevention, and ensure a plan is in place to respond if preventative efforts fail

• Demonstrate diligence by raising cybersecurity at board meetings. Retain independent consultants to evaluate the firm’s risk profile, provide specific recommendations, and learn what the firm is doing in the area of cybersecurity

• Understand your regulator and the standards that the agency expects to be met

Page 53

Developing A Cyber Security Compliance Program

James R. Burns, Partner, Willkie Farr & Gallagher LLP

Christopher S. Petito, Of Counsel, Willkie Farr & Gallagher LLP

Page 54

What do FINRA and the SEC expect?
FINRA: A strong framework for a broker-dealer’s cyber security program will include:

Regular risk assessments

Technical controls

Incident response planning

Vendor management

Training

Intelligence gathering and information sharing

Cyber insurance

Page 55

What do FINRA and the SEC expect? (cont.)
The SEC expects broker-dealers and investment advisers to consider cyber security programs that incorporate three key elements:

Conduct a periodic cyber security assessment

Create a strategy designed to prevent, detect, and respond to threats

Incorporate cyber security into policies and procedures

January 14, 201655

James R. BurnsPartnerWillkie Farr & Gallagher LLP

Christopher S. PetitoOf CounselWillkie Farr & Gallagher LLP

Page 56: Periodic Cyber Security Assessment

The SEC believes advisers should consider conducting a periodic assessment of:

• the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses

• internal and external cyber security threats to, and vulnerabilities of, the firm’s information and technology systems

• security controls and processes currently in place

• potential impact on firm business activities if information and/or technology systems are compromised

• the effectiveness of the firm’s governance structure for the management of cyber security risk


Page 57: Cyber Security Strategy

The SEC also believes advisers should consider creating a strategy that is designed to prevent, detect and respond to cyber security threats.

This includes:

• controlling access to systems and data via user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system “hardening” (i.e., removing all non-essential software programs and services, unnecessary usernames and logins and ensuring that software is updated continuously)

• data encryption

• protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media

• deploying software that monitors systems for unauthorized intrusions, loss or exfiltration of data, or other unusual events

• data backup and retrieval

• the development of an incident response plan


Page 58: Policies and Procedures

The SEC believes advisers can mitigate exposure to the compliance risks associated with cyber threats through policies and procedures.

In particular, an adviser’s compliance program should address cybersecurity risk relating to:

• identity theft and data protection

• fraud

• business continuity, and other disruptions in service that could affect, for instance, the firm’s ability to process investor redemptions and other transactions

• adequacy of cyber security measures instituted by service providers

Policies and procedures should be tailored based on the nature and scope of the adviser’s business.


Page 59: Practical tips

• Active engagement by senior management

  • Strategic decision-making

  • Directing/enforcing implementation of governance and procedural changes across business units

  • Support Chief Intelligence Security Officer

• Practice what you preach

  • Follow written cyber security procedures


Page 60: Practical tips

• Identify and restrict all potential access points

  • Access management

  • Encryption of data

  • Employees’ remote access devices (BYOD)

  • Social networks and the cloud

  • Former employees

  • Wireless access

• Evaluate and address vendor cyber security risks

  • Due diligence

  • Contractual provisions

  • Ongoing review


Page 61: Practical tips

Utilize external resources:

• Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology (Feb. 12, 2014)

• SIFMA, Small Firms Cybersecurity Guidance (July 2014)

• National Cybersecurity & Communications Integration Center (provides continuous updates on cyber incidents, cybersecurity information and recovery efforts)

• Financial Services Information Sharing and Analysis Center

  • Collects and disseminates cyber security information

  • Membership organization providing a resource for the global financial services industry (e.g., banks, broker-dealers and investment advisory firms)

• United States Computer Emergency Readiness Team

• FBI

• National Cyber Forensics and Training Alliance

• DHS

• Peer network


Page 62: Practical tips

First steps:

• Password protect all computers and personal devices used for firm business; require frequent changes

• Restrict use of USB ports

• Set computers to lock after a specified time of inactivity

• Limit access to sensitive information to a need-to-know basis

• Forbid use of firm systems for personal email

• Limit size of email attachments

• Disable auto-fill features

• Train employees not to open email from unknown sources

• Bar access to suspect sites

• Regular backups

• Monitor outgoing data

• File logging

• Keep software current


Page 63: Current Developments: Cybersecurity Information Sharing Act of 2015 (CISA)

• Intended to establish, among other things, a federal mechanism for sharing cyber threat indications and defensive measures between and among the federal government, the states and private entities

• As of this writing (December 17, 2015), not yet enacted into law:

  • Description in these slides reflects the conference bill pending before both houses of Congress, which may be subject to further amendment

• Would require the Director of National Intelligence, the Attorney General and the Secretaries of Defense and Homeland Security to promulgate, subject to Congressional approval, procedures for the timely sharing of cyber threat indicators and other cyber threat information, and sharing of best practices


Page 64: Current Developments: CISA (cont.)

• Would require the Department of Homeland Security and the Attorney General to develop procedures, subject to Congressional approval, for federal receipt of cyber threat indicators

• Department of Homeland Security would be responsible for the receipt of real time cyber threat indicators and defensive mechanisms from non-Federal entities

• Would permit states, local governments and private entities to share cyber threat indicators and defensive measures with each other and the federal government

  • For cyber security purposes

  • Consistent with protection of classified information

  • Notwithstanding any other provision of law

  • With known personal information not related to a cyber threat removed, or the provider must implement and use technical means to remove such information


Page 65: Current Developments: CISA (cont.)

• Would include limits on use of information and protections against unauthorized access

  • Shared information would be FOIA exempt under Federal and state law

  • Federal entities sharing cyber threat indicators or defensive measures would be required to maintain controls against unauthorized access

  • Information shared by private entities could not be used for regulatory or enforcement purposes, other than development of regulations addressed to cyber threats, except as specifically provided in the CISA

    • Exception would permit federal entities to use information for cybersecurity purposes, prevention of death or serious bodily or economic harm, or the prevention or prosecution of certain criminal violations

  • Non-federal entities monitoring an information system, operating a defensive measure, or sharing or providing cyber threat indicators or defensive measures would be required to implement security controls to protect such cyber threat indicators or defensive measures against unauthorized access


Page 66: Current Developments: CISA (cont.)

• Limitations on use of information (cont.)

  • Attorney General and Department of Homeland Security would be required to promulgate guidelines on privacy and civil liberties to govern Federal handling of cyber threat indicators obtained under the Act

  • Some have questioned the adequacy of these limitations and protections

• Would include protections against civil liabilities

  • No cause of action against private entities for monitoring of information systems or information sharing in accordance with CISA or implementing procedures, [except in the case of gross negligence or willful misconduct]

  • Expressly does not limit the availability of defenses otherwise available to claims of improper disclosure

  • Provides exemption from antitrust laws

• Would prohibit federal entities from requiring non-federal entities to share information or making sharing a condition of awarding grants or contracts

• Sunsets September 30, 2025


Page 67: Contact Info

Christopher S. Petito, Of Counsel, Willkie Farr & Gallagher LLP
E: [email protected] T: 202 303 1117

Denver Edwards, Partner, Bryant Rabbino LLP
E: [email protected] T: 212 967 1800

James R. Burns, Partner, Willkie Farr & Gallagher LLP
E: [email protected] T: 202 303 1241

Page 68: Q&A

► You may ask a question at any time throughout the presentation today. Simply click on the question mark icon located on the floating tool bar on the bottom right side of your screen. Type your question in the box that appears and click send.

► Questions will be answered in the order they are received.

Page 69: Knowledge Group Unlimited Subscription Programs

Welcome to the Knowledge Group Unlimited Subscription Programs. We have two options available for you:

FREE UNLIMITED: This program is free of charge with no further costs or obligations. It includes:

• Unlimited access to over 15,000 pages of course material from all Knowledge Group Webcasts. Subscribers to this program can download any slides, white papers, or supplemental material covered during all live webcasts.

• 50% discount for purchase of all Live webcasts and downloaded recordings.

PAID UNLIMITED: Our most comprehensive and cost-effective plan, for a one-time fee:

• Access to all LIVE Webcasts (Normally $199 to $349 for each event without a subscription). Including: Bring-a-Friend – Invite a client or associate outside your firm to attend for FREE. Sign up for as many webcasts as you wish.

• Access to all Recorded/Archived Events & Course Material, including 1,500+ hours of audio material (Normally $299 for each event without a subscription).

• Free Certificate of Attendance Processing (Normally $49 Per Course without a subscription).

• Access to over 15,000 pages of course material from Knowledge Group Webcasts.

• Ability to invite a guest of your choice to attend any live webcast free of charge (Exclusive benefit only available for PAID UNLIMITED subscribers).

• 6 Month Subscription is $499 with No Additional Fees. Other options are available.

Special Offer: Sign up today and add 2 of your colleagues to your plan for free. Check the “Triple Play” box on the sign-up sheet contained in the link below.

https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964

Page 70: Knowledge Group UNLIMITED PAID Subscription Programs

Pricing: Individual Subscription Fees (2 Options)

• Semi-Annual: $499 one-time fee for a 6 month subscription with unlimited access to all webcasts, recordings, and materials.

• Annual: $799 one-time fee for a 12 month unlimited subscription with unlimited access to all webcasts, recordings, and materials.

Group plans are available. See the registration form for details.

Best ways to sign up:

1. Fill out the sign up form attached to the post conference survey email.

2. Sign up online by clicking the link contained in the post conference survey email.

3. Click the link below or the one we just posted in the chat window to the right.

https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964

Questions: Send an email to: [email protected] with “Unlimited” in the subject.

Page 71: ABOUT THE KNOWLEDGE GROUP

The Knowledge Group is an organization that produces live webcasts which examine regulatory changes and their impacts across a variety of industries. “We bring together the world's leading authorities and industry participants through informative two-hour webcasts to study the impact of changing regulations.”

If you would like to be informed of other upcoming events, please click here.

Disclaimer:

The Knowledge Group is producing this event for information purposes only. We do not intend to provide or offer business advice. The contents of this event are based upon the opinions of our speakers. The Knowledge Group does not warrant their accuracy and completeness. The statements made by them are based on their independent opinions and do not necessarily reflect the views of The Knowledge Group. In no event shall The Knowledge Group be liable to any person or business entity for any special, direct, indirect, punitive, incidental or consequential damages as a result of any information gathered from this webcast.

Certain images and/or photos on this page are the copyrighted property of 123RF Limited, their Contributors or Licensed Partners and are being used with permission under license. These images and/or photos may not be copied or downloaded without permission from 123RF Limited.