
© 2018 Financial Industry Regulatory Authority, Inc. All rights reserved. 1

Cybersecurity Guidance for Small Firms Thursday, February 22 11:15 a.m. – 12:15 p.m. It is crucial that small financial firms take proper cybersecurity measures to protect their customers and their firm. During this session, panelists provide risk-based, threat-informed effective practices applicable to small firms and supportive of their overall business model to increase their security and ensure the protection of their customers.

Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office

Panelists: Melinda (Mimi) LeGaye, President, Moody Securities, LLC; Lisa Roth, President, Tessera Capital Partners, LLC; Hardeep Walia, Founder and Chief Executive Officer, Motif


Cybersecurity Guidance for Small Firms

Panelist Bios:

Moderator: Dave Kelley is Surveillance Director based out of FINRA’s Kansas City District office, and has been with FINRA for seven years. Mr. Kelley also leads FINRA’s Sales Practice exam program for cybersecurity and the Regulatory Specialist team for Cyber Security, IT Controls and Privacy. Prior to joining FINRA, he worked for more than 19 years at American Century Investments in various positions, including Chief Privacy Officer, Director of IT Audit and Director of Electronic Commerce Controls. He led the development of website controls, including customer application security, ethical hacking programs and application controls. Mr. Kelley is a CPA and Certified Internal Auditor, and previously held the Series 7 and 24 licenses.

Panelists: Melinda (Mimi) G. LeGaye serves as President of both Moody Securities, LLC, and MGL Consulting, LLC. Ms. LeGaye has more than 30 years’ experience representing the interests of small broker-dealers, having held the positions of president, CCO and FINOP for several small broker-dealers over the years. She currently serves as President and CCO of Moody Securities, LLC and as FINOP and a registered representative for Silver Portal Capital, LLC. Ms. LeGaye also serves as a Small Firm Member on FINRA’s District 6 Committee. Prior to forming MGL, Ms. LeGaye served as CCO of Horne Securities Corp., a broker/dealer which was formed to distribute Reg D private placements of real estate limited partnerships. During the early 1980s to late 1980s, she served on the Regulatory Affairs Committee and as president of the local chapter of the Real Estate Securities & Syndication Institute (RESSI), which was an affiliate of the National Association of Realtors. Ms. LeGaye is actively involved with ADISA (formerly Real Estate Investment Securities Association, aka REISA). As a consultant, Ms. LeGaye has worked primarily with small and mid-size broker-dealers, but she has also worked with many larger broker-dealers providing clearing services to introducing broker-dealers. Having served as president, CCO, FINOP, General Securities Principal, and Municipal Securities Principal for various broker/dealers since the mid-1980s, Ms. LeGaye has worked extensively with retail and institutional broker-dealers, as well as boutique broker-dealers which provide investment banking, mergers & acquisitions advisory services, or which conduct business in the wholesale/retail distribution of Reg D Private Placements, non-traded REITs or 1031 Exchange Programs. As a municipal securities principal, she worked for a small minority enterprise broker-dealer, which was involved in municipal bond underwritings, capital raising and financial advisory activities. As President, CCO, FINOP and a small business owner, Ms. LeGaye has first-hand experience and an in-depth understanding of the challenges FINRA small firm members (fewer than 150 RRs) face on a day-to-day basis. Ms. LeGaye holds the Series 7, 24, 27, 53, 63, 79 and 99 registrations. She has previously held the Series 22, 39 and 3 registrations as well. She received her BBA from Sam Houston State University. An advocate for small broker-dealers and sensitive to the compliance, operational and regulatory challenges they face, she has spoken at numerous industry seminars and compliance programs over the years on topics ranging from supervision of independent brokers; surveillance using exception reports; compliance testing for small firms; product due diligence; and most recently at the SMARSH 2016 Connect Conference held in December 2016.

Lisa Roth serves as the President, AML Compliance Officer and Chief Information Security Officer of Tessera Capital Partners. Tessera is a limited purpose broker dealer offering new business development, financial intermediary relations, client services and marketing support to investment managers and financial services firms. Ms. Roth holds FINRA Series 7, 24, 53, 4, 65, 99 Licenses. Previously, Ms. Roth has served in various executive capacities with Keystone Capital Corporation, Royal Alliance Associates, First Affiliated (now Allied) Securities, and other brokerage and advisory firms. Ms. Roth serves on FINRA's Membership Committee, is a member of the Board of the Third Party Marketer's Association, and FINRA's Series 14 Item Writing Committee. Ms. Roth was unanimously selected by her peers to serve as the Chairman of FINRA's Small Firm Advisory Board for one of a total of four years of service on the Board from 2008-2012. Ms. Roth has also served as a member of the PCAOB Standing Advisory Group, and is an active participant in other industry forums, including speaking engagements and trade associations. Ms. Roth is also the president of Monahan & Roth, LLC, a professional consulting firm offering consulting, expert witness and mediation services on financial and investment services topics including regulatory compliance, product due diligence, suitability, supervision, information security and related topics. Previously, Ms. Roth founded ComplianceMAX Financial Corp. (purchased by NRS in 2007), a regulatory compliance company offering technology and consulting services to more than 1000 broker-dealers and investment advisers. Ms. Roth's leadership at CMAX led to the development of revolutionary audit and compliance workflow technologies now in use by some of the US's largest (and smallest) broker-dealers, investment advisors and other financial services companies. Ms. Roth has been engaged as an expert witness on more than 150 occasions, including FINRA, JAMS and AAA arbitrations, and Superior Court and other litigation, providing research, analysis, expert reports, damages calculations and/or testimony at deposition, hearing and trial. As a member of the FINRA Board of arbitrators, Ms. Roth has been named to more than 20 panels as a hearing officer. Ms. Roth resides in CA, but is a native of Pennsylvania, where she attained a Bachelor of Arts degree and was awarded the History Prize from Moravian College in Bethlehem, PA.

Hardeep Walia is founder and CEO of Motif, a next-generation online broker whose mission is to simplify complex investment products and make them universally accessible. The company’s flagship product allows individual investors to act intuitively on their insights by turning them into a “motif” of stocks. Mr. Walia also serves as CEO of Motif Capital, an institutional investment advisor that develops thematic models for clients such as Goldman Sachs, Global Atlantic, and US Bank’s UHNW arm Ascent Private Capital Management. Prior to Motif, Mr. Walia spent more than six years at Microsoft, where he was General Manager of the company's enterprise services business. He also served as Director of Corporate Development and Strategy, helping to oversee Microsoft's investments and acquisitions. He started his career at The Boston Consulting Group. Mr. Walia holds a BS in Economics and Engineering from Yale University and an MBA from the Wharton School of Business. He holds Series 7, 24 and 63 licenses in the securities industry. He serves on FINRA's Technology Advisory Committee and is on the Advisory Boards of Ascent Private Capital and real-estate startup PeerStreet. He is a featured contributor for LinkedIn, and a frequent guest on CNBC.

2018 Cybersecurity Conference, February 22 | New York, NY

Cybersecurity Guidance for Small Firms

FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.

Slide 1: Panelists

Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office

Panelists:
Melinda (Mimi) LeGaye, President, Moody Securities, LLC
Lisa Roth, President, Tessera Capital Partners, LLC
Hardeep Walia, Founder and Chief Executive Officer, Motif

Slide 2: To Access Polling

Under the “Schedule” icon on the home screen,
Select the day,
Choose the Cybersecurity Guidance for Small Firms session,
Click on the polling icon.

Slide 3: Polling Question 1

1. How confident are you in your cybersecurity program for your firm?
a. We have a good plan that addresses our risks.
b. Started our plan but don’t know if we included all risks to our firm.
c. Just started but have a long way to go.
d. We don’t have any cybersecurity risks.

Slide 4: Polling Question 2

2. What part of your cybersecurity plan are you least comfortable with?
a. Branch Controls
b. Home Office Controls
c. Vendor Controls
d. Concerned about a FINRA exam
e. Other

Slide 5

Current Cyber Issues
FINRA Exam Standards
Risk Control Self Assessment Results
Implementation of a Reasonable but Effective Program
Security Basics for the Small Firm Headquarters Office
Security Basics for the Branch Office
Vendor Management and Outsourcing
Practical Advice for Small Firms

Slide 6: Current Issues for Small Firms

Phishing
Malware & Ransomware
3rd Party Wires
Patch Management
Unencrypted Data sent by Email

Slide 7: FINRA Exams and Results

Exam Standards
Risk Assessment and Governance
Cyber Program Leadership (CISO)
Policies, Procedures and Adherence
IT Certifications
Outsourcing of IT and Controls
Exam Findings

Slide 8: Risk Control Self Assessment Results

[Chart: Percentage of firms who manage or store PII. Source: 2016 RCA]
[Chart: Firm likelihood to outsource (partial or full) business functions. Source: 2016 RCA]

Slide 9: Polling Question 3

3. How often do you conduct training for cybersecurity risks?
a. Annually
b. Annually plus other ongoing instances
c. We don’t have formal training for our RRs and staff.
d. Ongoing

Slide 10: Risk Control Self Assessment Results

[Chart: Firm purchase or integration of Cyber Insurance Policies. Source: 2016 RCA]
[Chart: Firm coverage of disruption scenarios in their incident response plans. Source: 2016 RCA]

Slide 11: Cyber Standards for Small Firm Headquarters

Governance
Appointing the CISO, CTO
Framework for risk assessment
Framework for cyber policies
NIST or SANS framework
NASAA guidelines
NY DFS, other state guidelines

Slide 12: Cyber Standards for Small Firm Headquarters

Cyber Policy Components
In-house versus outsourced cyber management
Cloud storage versus on site server storage
Incident response
Vendor Management
Training
Cyber Intelligence
Insurance
Testing

Slide 13: Cyber Basics for Branch/Remote Locations

Device inventory and ongoing monitoring
Centralized communications and data management
Cyber Awareness Training, training, training
Incident reporting
Technical Controls – Patching, Encryption, Virus Protection
Passwords
eMail
Physical Security
Cloud Usage

Slide 14: Vendor Management

Initial Due Diligence
Security and IT Vendors
Other Vendors
Ongoing Monitoring
SOC Reports
Qualifications and Standards
FINRA’s Vendor List
NRF or not?
Contractual obligations
Use of the Cloud

Slide 15: Resources

FINRA Cybersecurity Page: www.finra.org/industry/cybersecurity
2015 Report on Cybersecurity Practices
Small Firm Cybersecurity Checklist
Compliance Vendor Directory
NIST Cybersecurity Framework: www.nist.gov/cyberframework
Financial Services Information Sharing and Analysis Center: www.fsisac.com/
NASAA cybersecurity Checklist for Investment Advisers: http://www.nasaa.org/industry-resources/investment-advisers/nasaa-cybersecurity-report/

Slide 16: Resources

FINRA Exam Findings Report: www.finra.org/industry/2017-report-exam-findings/cybersecurity
National Law Review – Issues Facing Financial Institutions: www.natlawreview.com/article/top-10-issues-facing-financial-institutions-2017-4-cybersecurity

Handouts:
Model cyber procedures
Incident report template
Branch electronic device review template
Electronic device disclosure form

Third-Party Vendor Contracts – Sample Language

Confidential Information. As used in this Agreement, "Confidential Information" means information not generally known to the public, and maintained by [Company Name] as confidential, whether of a technical, business or other nature that relates to the engagement or that, although not related to such engagement, is nevertheless disclosed as a result of the Parties' discussions in that regard, and that should reasonably have been understood by the [Service Provider], because of (i) legends or other markings, (ii) the circumstances of disclosure or (iii) the nature of the information itself, to be proprietary and confidential to [Company Name]. Confidential Information includes “nonpublic personal information” about the “customers” and “consumers” (as those terms are defined in Title V of the Gramm-Leach-Bliley Act and the privacy regulations adopted thereunder) of [Company Name]. Confidential Information may be disclosed in written or other tangible form (including information in computer software or held in electronic storage media) or by oral, visual or other means. For purposes of this Agreement, "[Company Name]" includes employees and controlled affiliates of [Company Name] who disclose Confidential Information to the [Service Provider], and Confidential Information includes information disclosed by such affiliates.

Use of Confidential Information. The [Service Provider], except as expressly provided in this Agreement, shall not disclose [Company Name]'s Confidential Information to anyone without [Company Name]'s prior written consent. The [Service Provider] shall take all steps necessary to safeguard and protect such Confidential Information from unauthorized access, use or disclosure by or to others, including but not limited to, maintaining appropriate security measures and providing access on an as-needed basis only. The Parties will treat Confidential Information using the same degree of care used to protect its own confidential or proprietary information of like importance, but in any case using no less than a reasonable degree of care. The [Service Provider] shall not reverse-engineer, decompile, or disassemble any hardware or software provided or disclosed to it and shall not remove, overprint or deface any notice of copyright, trademark, logo, legend or other notice of ownership from any originals or copies of Confidential Information it obtains from [Company Name]. The [Service Provider] shall not use Confidential Information for any purpose other than with respect to [the Project].

Exceptions. The provisions of the “Use of Confidential Information” Section above shall not apply to any information that (i) is or becomes publicly available without breach of this Agreement; (ii) can be shown by documentation to have been known to the [Service Provider] without confidentiality restrictions at the time of its receipt from [Company Name]; (iii) is rightfully received from a third party who did not acquire or disclose such information by a wrongful or tortious act, or in breach of a confidentiality restriction; (iv) can be shown by documentation to have been independently developed by the [Service Provider] without reference to any Confidential Information; or (v) is identified by [Company Name] as no longer proprietary or confidential.

[Service Provider] Personnel. The [Service Provider] shall restrict the possession, knowledge, development and use of Confidential Information to its employees, agents, subcontractors, consultants, advisors and entities controlled by it (collectively, "Personnel") who have a need to know Confidential Information in connection with the Project. The [Service Provider]'s Personnel shall have access only to the Confidential Information they need for such purposes. The [Service Provider] shall ensure that its Personnel are bound by confidentiality obligations substantially similar to those contained herein and that such Personnel comply with this Agreement.

Disclosures Required by Law, Rule or Regulation. If, in the opinion of its counsel, the [Service Provider] becomes legally obligated to disclose Confidential Information, the [Service Provider] shall give [Company Name] prompt written notice sufficient to allow [Company Name] to seek a protective order or other appropriate remedy, and shall, to the extent practicable, consult with [Company Name] in an attempt to agree on the form, content, and timing of such disclosure. Notwithstanding the preceding sentence, notification to [Company Name] shall not be required if such notification is not permitted by law or would interfere with applicable law enforcement activities. The [Service Provider] shall disclose only such information as is required, in the opinion of its counsel, and shall exercise all reasonable efforts to obtain confidential treatment for any Confidential Information that is so disclosed.

Ownership of Confidential Information. All Confidential Information disclosed under this Agreement (including information in computer software or held in electronic storage media) shall remain the exclusive property of [Company Name], and the [Service Provider] shall have no rights, by license or otherwise, to use the Confidential Information except as expressly provided herein. No patent, copyright, trademark or other proprietary right is licensed, granted or otherwise conveyed by this Agreement with respect to Confidential or other information.

Provisions Applicable to “Nonpublic Personal Information.” Notwithstanding any other provision of this Agreement, with respect to “nonpublic personal information” about the “customers” and “consumers” (as those terms are defined in Title V of the Gramm-Leach-Bliley Act and the privacy regulations adopted thereunder) of Advisor and any Affiliate of Advisor, Service Provider agrees as follows:

(i) Except as may be reasonably necessary in the ordinary course of business to carry out the activities to be performed by Service Provider under this Agreement or as may be required by law or legal process, it will not disclose any such nonpublic personal information to any third party other than affiliates of Service Provider or Advisor;
(ii) That it will not use any such nonpublic personal information other than to carry out the purposes for which it was disclosed by Advisor or Advisor’s Affiliate unless such other use is (a) expressly permitted by a written agreement executed by Advisor or its Affiliate, or (b) required by law or legal process.
(iii) It will take all reasonable measures, including without limitation such measures as it takes to safeguard its own confidential information, to ensure the security and confidentiality of all such nonpublic personal information, to protect against anticipated threats or hazards to the security or integrity of such nonpublic personal information and to protect against unauthorized access to or use of such nonpublic personal information.

TBD Securities Cyber Security Policies

Page 1 of 15 Courtesy of Monahan & Roth, LLC February, 2018

TBD Securities Cyber Security Policies and Procedures

CONTENTS

OVERVIEW 2
AUDIT TRAIL 4
ACCESS MANAGEMENT 5
END-USER: MOBILE DEVICE AND APPLICATION SECURITY 7
COLLABORATION SITES AND END-USER DATA STORAGE 7
SECURITY RISK ASSESSMENT 8
OR (FOR FINANCIAL SERVICES FIRMS REGISTERED IN NY) 9
EMPLOYEE SECURITY AWARENESS TRAINING 10
VENDOR SELECTION AND MANAGEMENT 10
TECHNOLOGY ASSET INVENTORY, CLASSIFICATION AND TRACKING 11
TECHNOLOGY END-OF-LIFE PROCESS 12
EMPLOYEE TERMINATION 12
DISASTER RECOVERY AND BACKUP TESTING 13
CYBER SECURITY INSURANCE 13
CYBER SECURITY BREACH FRAMEWORK 13
REGULATORY REPORTING REQUIREMENT(S) 14


Overview

TBD Securities has implemented this program, designed to promote the protection of customer information as well as its information technology systems, which include any discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems. At a high level, the goal of this program is to:

(1) identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on TBD Securities’ Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed;
(2) use defensive infrastructure and the implementation of policies and procedures to protect TBD Securities’ Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
(3) detect Cyber security incidents;
(4) respond to identified or detected Cyber security incidents to mitigate any negative effects;
(5) recover from Cyber security incidents and restore normal operations and services; and
(6) fulfill all regulatory reporting obligations.

[Name] has been designated as the Chief Information Security Officer (“CISO”) and has primary oversight, maintenance, and execution of this Technology and Information Security Program (the “Program”). The CISO is authorized to delegate physical, technical, and administrative components of this program to qualified third parties as and whenever appropriate. If TBD Securities elects to delegate CISO responsibility to a third-party it must:

• Retain ultimate responsibility for implementation of the program
• Designate a senior member to supervise the [assigned party], and
• Require the [assigned party] to maintain a cyber security program that substantially complies with relevant rules and regulations.

The TBD Securities [TITLE] bears overall responsibility for Business Continuity Plan (“BCP”) / Disaster Recovery (“DR”) planning, information protection, and creating agile security processes and procedures. The CCO has identified the following core functions to guide the Program. These functions will be evaluated and updated by the CISO as indicated below to adjust to technological, business and/or operational changes at the firm that may have a material impact on the Program. The CISO will also be responsible for preparing a report, at least bi-annually, that:

(1) assesses the confidentiality, integrity and availability of TBD Securities’ Information Systems;
(2) details exceptions to TBD Securities’ cyber security policies and procedures;
(3) identifies cyber risks to TBD Securities;
(4) assesses the effectiveness of TBD Securities’ cyber security program;
(5) proposes steps to remediate any inadequacies identified therein; and
(6) includes a summary of all material Cyber security incidents that affected TBD Securities during the time period addressed by the report.

The CISO shall present the report to [Firm Name’s] senior management or board of directors as applicable.

Function                                              Designated Person   Frequency of Document Review / Execution
Access management: password and technology access     CISO                Periodically
Access management: physical access                    CISO                Periodically
End-user: desktop, web, network and server security   CISO
End-user: mobile devices and application security     CISO
Collaboration sites and storage networks              CISO
Security risk assessment                              CISO
Cyber security testing and audit                      CISO
Network vulnerability scan                            CISO                Quarterly
Employee security awareness training                  CISO
Vendor selection and maintenance                      COO
Technology asset inventory                            CISO
Technology end-of-life process                        CISO
Employee termination                                  COO
Disaster recovery and backup testing                  COO
Cyber security insurance                              CISO
Information Security                                  CCO
Vendor and third-party service provider management    CISO                Annually
Cyber incident response                               CCO
Penetration testing                                   CISO                Annually
CISO Report to Senior Management                      CISO                Bi-Annually
Application security                                  CISO                Annually

Audit Trail

The CISO shall be responsible for implementing an audit trail that:

(1) tracks and maintains data that allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable TBD Securities to detect and respond to a Cyber security incident;
(2) tracks and maintains data logging of all privileged Authorized User access to critical systems;
(3) protects the integrity of data stored and maintained as part of any audit trail from alteration or tampering;
(4) protects the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allows for event reconstruction;
(5) logs system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an Authorized User, and all system administrator functions performed on the systems; and
(6) maintains records produced as part of the audit trail for not fewer than six years.
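Items (2), (3) and (6) above ask for a privileged-access log whose stored records cannot be altered unnoticed and are kept for six years. The following is an added example of one way to make an audit trail tamper-evident; it is not code from the handout or from Monahan & Roth. Each stored entry carries the SHA-256 digest of the previous entry together with its own record, so editing, deleting or reordering any earlier record breaks every digest after it and the verifier reports the first bad position. The event records, user names and system names are constructed for the demonstration.

```python
"""Tamper-evident audit trail as a hash chain (added example)."""
import hashlib
import json
from datetime import datetime

GENESIS_HASH = "0" * 64
RETENTION_YEARS = 6  # policy item (6): keep audit records not fewer than six years


def _digest(prev_hash: str, record: dict) -> str:
    """Hash of the previous link plus a canonical JSON form of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(chain: list, ts: str, user: str, action: str, target: str) -> dict:
    """Append one event to the chain and return the stored entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    record = {"seq": len(chain), "ts": ts, "user": user,
              "action": action, "target": target}
    entry = {"record": record, "prev_hash": prev_hash,
             "hash": _digest(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if every link checks out, else (False, first bad index)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev_hash or entry["record"]["seq"] != i:
            return False, i          # a link was removed or re-ordered
        if _digest(prev_hash, entry["record"]) != entry["hash"]:
            return False, i          # the record or its stored hash was altered
        prev_hash = entry["hash"]
    return True, -1


def privileged_access_events(chain: list, privileged_users: set) -> list:
    """Policy item (2): the privileged-user access log, pulled from the chain."""
    return [e["record"] for e in chain if e["record"]["user"] in privileged_users]


def within_retention(ts: str, now_ts: str) -> bool:
    """Policy item (6): an entry may not be purged before six years after its timestamp."""
    created = datetime.fromisoformat(ts)
    try:
        expiry = created.replace(year=created.year + RETENTION_YEARS)
    except ValueError:               # 29 February with no leap day six years on
        expiry = created.replace(year=created.year + RETENTION_YEARS, day=28)
    return datetime.fromisoformat(now_ts) < expiry


def demo() -> tuple:
    """Build a small constructed chain, then show that a back-dated edit is caught."""
    chain = []
    append_event(chain, "2018-02-22T11:15:00", "jdoe", "LOGIN", "trading-db")
    append_event(chain, "2018-02-22T11:16:30", "admin1", "CHANGE_ACL", "audit-server")
    append_event(chain, "2018-02-22T11:20:05", "jdoe", "WIRE_APPROVE", "wire-ref-1")
    intact, _ = verify_chain(chain)
    chain[2]["record"]["user"] = "nobody"   # someone rewrites who approved the wire
    still_intact, bad_index = verify_chain(chain)
    return intact, still_intact, bad_index


if __name__ == "__main__":
    print(demo())   # (True, False, 2)
```

The chain only proves that nothing changed since the last verified link; in practice the newest hash is also copied periodically to a location the logging host cannot write to (a separate system, or the CISO's report), so that a compromised host cannot simply rebuild the whole chain.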


Access Management

TBD Securities has an approach to entitlement management that helps establish controls around access activities. The goal of this program is focused on the following:

• Protect remote, mobile, cloud and social access
• Provide transparency and up-to-date information on entitlements
• Provide centralized administration for permissions
• Ensure that employees have access only relevant to their job functions
• Protect against insider threats and unauthorized escalation of user privileges

Each employee’s profile will be managed in a central directory that will be used to create, delete and modify employee access data. The CCO is the primary owner of the central directory.

Authorization: TBD Securities manages authorization information that defines what functions an employee can perform in the context of a specific application. The CCO maintains a record of the authorizations.

Passwords: For accessing any firm desktop or device, employees are required to use unique passwords, requiring the following characteristics:

• Contains at least 8 characters
• Uses a combination of lower and uppercase letters
• Uses at least one number and one symbol
• Expires every 180 days (the reuse of any previous password is disallowed)
• After 10 failed login attempts within 15 minutes, the user account will be locked until released by the CISO or a [assigned party] administrator.

Each administrator will have a unique login account and password. Any [assigned party]’s employees (employees of a consultant or other party delegated responsibility for [Firm Name’s] program), on an as-needed basis, will each have a unique login and password to access the firm’s password management list.

Physical access: TBD Securities will secure the firm’s physical premises with locks and inventory keys issued to authorized persons on an ongoing basis.
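The password and lockout rules above are stated as policy; the following added example (not code from the handout or from Monahan & Roth) shows how they translate into checks an administrator can run. It encodes the five rules as written (8+ characters, mixed case, a number and a symbol, 180-day expiry, no reuse of any previous password, lock after 10 failures within 15 minutes until an administrator releases the account). The password history is stored as salted PBKDF2 hashes rather than plaintext, which is an implementation choice, not something the policy specifies; the authentication log format and all passwords, user names and timestamps are constructed for the demonstration.

```python
"""Password-policy and lockout checks for the access rules above (added example)."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8
MAX_AGE_DAYS = 180
LOCKOUT_FAILURES = 10
LOCKOUT_WINDOW = timedelta(minutes=15)
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-SHA256, so the history store never holds plaintext passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused(password: str, history: list) -> bool:
    """True if the candidate equals any previous password in the (salt, digest) history."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def policy_violations(password: str, history: list) -> list:
    """Return the policy rules the candidate breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both lower- and uppercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs at least one symbol")
    if reused(password, history):
        problems.append("reuse of a previous password")
    return problems


def password_expired(set_on: str, today: str) -> bool:
    """180-day expiry; both dates as ISO strings (YYYY-MM-DD)."""
    age = datetime.fromisoformat(today) - datetime.fromisoformat(set_on)
    return age > timedelta(days=MAX_AGE_DAYS)


def locked_accounts(log_lines: list) -> set:
    """Replay constructed auth-log lines and return the accounts that must be locked.

    Line format (constructed): '<ISO timestamp> user=<name> result=<OK|FAIL>'.
    Ten failures inside any 15-minute sliding window lock the account. The
    lock persists regardless of later successes, because only the CISO or an
    administrator may release it; the policy does not say whether a successful
    login resets the failure count, and this version does not reset it.
    """
    failures = {}   # user -> timestamps of failures still inside the window
    locked = set()
    for line in log_lines:
        ts_text, user_field, result_field = line.split()
        ts = datetime.fromisoformat(ts_text)
        user = user_field.split("=", 1)[1]
        result = result_field.split("=", 1)[1]
        if user in locked or result != "FAIL":
            continue
        window = [t for t in failures.get(user, []) if ts - t <= LOCKOUT_WINDOW]
        window.append(ts)
        failures[user] = window
        if len(window) >= LOCKOUT_FAILURES:
            locked.add(user)
    return locked


def sample_log() -> list:
    """Constructed log: jdoe fails ten times in ten minutes, asmith fails three times."""
    base = datetime(2018, 2, 22, 11, 0, 0)
    lines = [f"{(base + timedelta(minutes=i)).isoformat()} user=jdoe result=FAIL"
             for i in range(10)]
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} user=asmith result=FAIL"
              for i in (2, 5, 30)]
    lines.append(f"{(base + timedelta(minutes=11)).isoformat()} user=jdoe result=OK")
    return sorted(lines)


if __name__ == "__main__":
    print(policy_violations("Ab1!", []))       # three rules broken
    print(locked_accounts(sample_log()))       # {'jdoe'}
```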

TBD Securities Cyber Security Policies

Page 6 of 15. Courtesy of Monahan & Roth, LLC, February 2018

End-user: desktop, web, network and server security

TBD Securities has developed practices to protect the sensitivity of all information by implementing the following processes:

• Implement the use of password protection for all sensitive data, applications, and collaboration tools
• Reconcile the inventory of hardware, software and devices with [assigned party]
• Educate end-users on appropriate use of desktops and web browsing for business purposes
• Track and log USB portable flash drive uses that access the firm's desktop to detect any unauthorized use
• Maintain a white-list of desktop approved applications and a blacklist policy for websites (e.g. adult content, social media, gambling, etc.)

Working closely with the CISO, [assigned party] will proactively manage the following items:

• Maintain inventory of hardware, software and devices
• Closely monitor application and systems log activity (i.e. control the execution of code with an application white-listing policy)
• Deploy critical operating system security patches within 48 hours of release
• Non-critical patches are delivered monthly
• Implement appropriate protections for electronic systems, including anti-virus software and firewalls
• Anti-virus software is set to auto-update and firewalls are updated at least quarterly by [assigned party]

To combat social engineering, the [assigned party] will do the following:

– Employ up-to-date anti-malware systems (continuously updated by auto-update plus quarterly reviews)
– Employ spam filters and other email gateways (continuously updated by auto-update and periodically reviewed by [assigned party])

(a) Multi-Factor Authentication. Each Covered Entity shall: (1) require Multi-Factor Authentication for any individual accessing TBD Securities' internal systems or data from an external network; (2) require Multi-Factor Authentication for privileged access to database servers that allow access to Nonpublic Information; (3) require Risk-Based Authentication in order to access web applications that capture, display or interface with Nonpublic Information; and (4) support Multi-Factor Authentication for any individual accessing web applications that capture, display or interface with Nonpublic Information.


End-user: mobile device and application security

Firm-owned devices include, but are not limited to, laptops, tablets, cellular phones, and smartphones. Personal devices may utilize mobile access as long as they are password-encrypted and firm-approved. At the time of hiring, and annually thereafter, TBD Securities requests disclosure of all electronic devices, including the % business and personal use, for purposes of maintaining an up-to-date inventory.

Employees are advised to report any lost, stolen, or compromised electronic device to the CISO or CCO immediately. The CISO or CCO will update the firm inventory and shut off inbound and outbound access to the device as necessary. Firm personnel will receive training on the secure use of mobile devices and removable media on an as-needed basis, including during the annual compliance meeting.

Collaboration sites and end-user data storage

The CISO, along with the CCO, will be primarily responsible for vetting any collaboration site and data storage. Each site must have identified "data owners," who manage, control, and review access. Only the firm-approved collaboration sites listed below will be utilized:

[Name ANY RELEVANT CITATIONS]

Protecting firm data includes the proper use of collaboration sites and data storage sites. The following are requirements for collaboration sites and storing data:

Desktop, laptop, remote desktop and tablets

• Ensure storage only in an approved, sandboxed or otherwise encrypted location instead of the desktop
• Save information to be shared to an access-controlled network location such as a network shared drive
• Store data and information with retention requirements in a records management repository
• Only use applications obtained through firm-approved channels

Mobile devices (smart phones and tablets)

• Only store data within firm-approved applications
• TBD Securities intends to have remote-wipe capability for all employee devices

Records retention

• Certain types of data have retention periods
• All records, including digital, should be stored in an approved records repository
• Collaboration sites are not approved repositories
• Employees are responsible for preventing inappropriate use of or access to data by:
  – Only accessing information needed for your job function
  – Preparing, handling, using and releasing data
  – Using correct storage locations
  – Following appropriate use or restrictions of electronic communications, including but not limited to email, instant messaging, text, chat, audio/video conferencing and social media

Security risk assessment

The firm will use an independent [assigned party] to perform a comprehensive enterprise risk assessment. The [assigned party] will assess any potential or existing cyber-security threats to identify potential risks and business impacts. At the discretion of the CISO and CCO, the items under review may include, as relevant, the following:

Category                       Subcategories
Network Security               Network Infrastructure; Firewalls; Network Diagram; Frequency of Documentation; Wireless
Data Security                  Data Classification; Backup and Restoration; Encryption; Mobile Security; Disposal; Protection of Transmission
Access Control                 Active Directory; Authentication; Network Access Control; Account/Password Management; Application Access
System Development             Systems Installation; Software Development; Maintenance and Patching; Decommissioning; Change Control Management
Protection                     Antivirus software; Updates and patches; Web Filter and traffic
Testing and Monitoring         Server Monitoring; Network Monitoring; Penetration Testing; Vulnerability Testing; Alerting
Vendors                        Vendor Assessment; Client Data
Employees                      Termination / Role Transfer
Physical Premise Security      Data Center; Building Security and Staff; Building and Office Access; Server Room
Information Security Program   Info Security Policy
Cyber security Insurance       Coverage Review

OR (for Financial Services Firms registered in NY):

At least annually, each Covered Entity shall conduct a risk assessment of TBD Securities' Information Systems. Such risk assessment shall be carried out in accordance with written policies and procedures and shall be documented in writing. The risk assessment shall minimally include:

(1) criteria for the evaluation and categorization of identified risks;
(2) criteria for the assessment of the confidentiality, integrity and availability of TBD Securities' Information Systems, including the adequacy of existing controls in the context of identified risks; and
(3) requirements for documentation describing how identified risks will be mitigated or accepted based on the risk assessment, justifying such decisions in light of the risk assessment findings, and assigning accountability for the identified risks.


Employee security awareness training

To assist firm employees in understanding their obligations regarding sensitive firm information, the CISO will provide each employee with a copy of this Program upon commencement of employment and whenever changes are made. In addition, the CISO and/or CCO will implement programs to perform training functions on an as-needed basis.

At the discretion of the CCO and CISO, employee security awareness training may include any of the following:

• Instruct employees to take basic steps to maintain the security, confidentiality and integrity of client and investor information, including:
  – Secure all files, notes, and correspondence
  – Change passwords periodically and do not post passwords near computers
  – Avoid the use of speaker phones and discourage discussions in public areas
  – Recognize any fraudulent attempts to obtain client or investor information and report them to appropriate management personnel
  – Access firm, client, or investor information on removable and mobile devices with care and on an as-needed basis using firm protocols (passwords, etc.)
• Instruct employees to close out of files that hold protected client and investor information, investments, investment strategies, and other confidential information when they are not at their desks
• Educate employees about the types of cyber security attacks and appropriate responses

Vendor selection and management

For vendors interacting with TBD Securities systems, network and data, the firm will perform the following activities to protect sensitive information:

• Assess vendors before working with them, including a cyber-security risk assessment
• Review third-party vendor contract language to establish each party's responsibility with respect to cyber-security procedures
• Segregate sensitive firm systems from third-party vendor access and monitor remote maintenance performed by third-party contractors


• the use of Multi-Factor Authentication as set forth herein to limit access to sensitive systems and Nonpublic Information;
• the use of encryption to protect all Nonpublic Information in transit and at rest;
• prompt notice to be provided to TBD Securities in the event of a cyber security incident affecting the third party service provider;
• identity protection services to be provided for any customers materially impacted by a cyber security incident that results from the third party service provider's negligence or willful misconduct;
• representations and warranties from the third party service provider that the service or product provided to TBD Securities is free of viruses, trap doors, time bombs and other mechanisms that would impair the security of TBD Securities' Information Systems or Nonpublic Information; and
• the right of TBD Securities or its agents to perform cyber security audits of the third party service provider.

Technology asset inventory, classification and tracking

TBD Securities has a process in place to identify, classify, and track all technology assets ("assets"):

• To ensure accurate classification and tracking, TBD Securities will procure/vet all assets through [assigned party]
• TBD Securities will maintain an inventory of all assets as well as an identified owner
• TBD Securities will cross-reference the list of internal assets with [assigned party]
• The asset identification and classification process will be scalable to accommodate growth and acquisition
• TBD Securities will track assets and their attributes throughout their lifecycle
• Automated processes will be used periodically to perform discovery of unknown assets
• TBD Securities will create a map of network resources, including data flows, internal connections and external connections

TBD Securities will establish and enforce a process of assessing and classifying assets based on their sensitivity to attack and business value. [assigned party] will auto-alert TBD Securities if a new device is discovered on the network.
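The last two bullets and the auto-alert sentence describe one recurring control: compare what discovery finds on the network with what the inventory says should be there, and raise an alert for anything unrecorded. The Python below is an added example of that reconciliation; it is not part of the TBD Securities policy and not any vendor's discovery tool. The inventory records, the discovery listing (an "ip  mac  hostname" export of the kind an ARP table or DHCP lease file gives), the owners and classifications, and the function names are all constructed for illustration.

```python
"""Asset inventory reconciliation with new-device alerting.

Added example; not part of the TBD Securities policy nor any vendor's
discovery tool. The inventory records, the discovery listing and the
function names are constructed for illustration.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Asset:
    mac: str             # normalised: lower case, colon separated
    hostname: str
    owner: str           # the policy requires an identified owner per asset
    classification: str  # sensitivity/business-value class, e.g. "high"


# Constructed inventory; a real one would be exported from the asset register.
INVENTORY = [
    Asset("00:1a:2b:3c:4d:01", "ws-compliance-01", "CCO", "high"),
    Asset("00:1a:2b:3c:4d:02", "ws-ops-01", "COO", "medium"),
    Asset("00:1a:2b:3c:4d:03", "printer-main", "office manager", "low"),
]

# Constructed discovery output ("ip  mac  hostname" per line). MAC formats
# vary between tools, so the parser normalises them before comparing.
DISCOVERY_OUTPUT = """\
192.168.10.11  00:1A:2B:3C:4D:01  ws-compliance-01
192.168.10.12  00-1a-2b-3c-4d-02  ws-ops-01
192.168.10.40  5c:e9:1e:aa:bb:cc  android-7f3e1
# printer-main was powered off during this scan
"""


def normalize_mac(raw: str) -> str:
    """Canonical form for a MAC written as aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_discovery(text: str) -> dict:
    """Map normalised MAC -> (ip, hostname); blank lines and '#' comments are skipped."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, hostname = line.split()[:3]
        seen[normalize_mac(mac)] = (ip, hostname)
    return seen


def reconcile(inventory, discovered: dict) -> dict:
    """Compare what is on the network with what the inventory says should be.

    'unknown'  : discovered devices with no inventory record (alert the CISO)
    'not_seen' : inventoried assets absent from this scan (lifecycle follow-up)
    """
    known = {asset.mac: asset for asset in inventory}
    unknown = [(mac, ip, host) for mac, (ip, host) in sorted(discovered.items()) if mac not in known]
    not_seen = sorted(asset.hostname for mac, asset in known.items() if mac not in discovered)
    return {"unknown": unknown, "not_seen": not_seen}


def build_alerts(result: dict) -> list:
    """Turn reconciliation findings into the auto-alert lines the policy calls for."""
    alerts = [f"ALERT new device {mac} ({host}) at {ip}: not in asset inventory; notify CISO"
              for mac, ip, host in result["unknown"]]
    alerts += [f"NOTICE inventoried asset {host} not seen in this scan" for host in result["not_seen"]]
    return alerts


def run_reconciliation(text: str = DISCOVERY_OUTPUT, inventory=INVENTORY) -> list:
    """Parse a discovery listing, reconcile it against the inventory and return the alerts."""
    return build_alerts(reconcile(inventory, parse_discovery(text)))


if __name__ == "__main__":
    for line in run_reconciliation():
        print(line)
```

Matching on the normalised MAC rather than the IP or hostname is deliberate: DHCP addresses change and a hostname is self-reported by the device, so either would produce false "new device" alerts. The reverse finding (an inventoried asset that did not answer) is reported separately, because it feeds the lifecycle tracking the section describes rather than the security alert.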


TBD Securities shall encrypt all Nonpublic Information it holds or transmits, both in transit and at rest,

Technology end-of-life process

TBD Securities has developed and will follow processes for securely disposing of assets once they are no longer being used by the firm or have reached the end of their usable life (the "end-of-life process").

Working closely with the CISO, [assigned party] will closely monitor the firm hardware and recommend a refresh every 3-5 years per individual hardware equipment. A certified end-of-life management vendor ("EMV") will properly recycle any old hardware.

Notification: The end-of-life process will notify all necessary and relevant parties to initiate a coordinated execution:

• CISO
• Asset owner
• End user(s)
• Relevant vendor(s)

Hard Drives: Any decommissioned hard drive will be securely stored for a minimum of 6 years from the decommission date. When disposing of the hard drive, the EMV will do the following:

• Erase all data on the drive
• Physically destroy the hard drive
• Produce documentation of proper disposal

Employee termination

The firm is dedicated to protecting the network and proprietary data at risk upon termination of employees. To prevent former employees from leaking information, TBD Securities has adopted an approach to access controls and entitlement management.

Please refer to the [assigned party] checklist for employee on/off-boarding. TBD Securities will maintain this list as new applications, drives, systems, and vendors are incorporated.


The following items will be monitored:

• Network access
• Desktop access
• Mobile device access
• Internal and external applications
• Vendors, such as prime brokers, executing brokers, etc.

Disaster recovery and backup testing

Please see [Firm Name's] Business Continuity Procedures / Disaster Recovery Plan ("BCP") for detailed documentation. Any changes can be represented in that BCP / DR plan. The CCO, in connection with the CISO, will update the firm's BCP on an as-needed basis to ensure that it is consistent with the Program.

Cyber security insurance

On an annual basis the CISO will review the firm's insurance coverage related to cyber security threats and make a determination as to its adequacy in conjunction with the CCO and COO. It is anticipated that cyber security insurance will not be obtained unless or until the firm's risk profile substantially increases, because currently the majority of client sensitive data is retained by competent third party vendors, primarily including its clearing firm.

Cyber security breach/incident response framework

The firm has implemented a framework to identify, prepare for, prevent, detect, respond to, and recover from cyber security incidents (any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System).

In the event of a cyber security incident, the firm's information technology personnel (or anyone detecting the incident) will immediately notify the CISO (or qualified designee), who will work with appropriate personnel to:


• Assess the nature and scope of any such incident and maintain a written record of the systems and information involved
• Take appropriate steps to contain and control the incident to prevent further unauthorized access, disclosure or use, and maintain a written record of steps taken
• Promptly conduct a reasonable investigation, determine the likelihood that personal information has or will be misused, and maintain a written record of such determination
• Discuss the issue with outside counsel (or a qualified resource) and make a determination regarding disclosing the issue to regulatory authorities, law enforcement and/or individuals whose information may have been affected
• Evaluate the need for changes to the firm's policies and procedures in light of the breach
• The firm will work with outside resource(s) and/or counsel as necessary to determine appropriate next steps, including addressing any weaknesses identified in the process
• A record of the response to the incident shall be recorded and retained among the firm's central records.

Regulatory reporting requirement(s)

(For entities registered to do business in NY and not otherwise exempt.) TBD Securities shall submit to the superintendent of the state of New York, Department of Financial Services ("DFS"), a written statement by January 15, in such form as set forth by the DFS, certifying that TBD Securities is in compliance with the requirements specifically identified by DFS. TBD Securities shall maintain for examination by the DFS all records, schedules and data supporting this certificate for a period of five years.

(1) To the extent TBD Securities has identified areas, systems, or processes that require material improvement, updating or redesign, TBD Securities shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by DFS.

(2) To the extent that TBD Securities has identified any material risk of imminent harm relating to its cyber security program, TBD Securities shall notify the superintendent within 72 hours and include such items in its annual report filed pursuant to this section.


TBD Securities
January 15, 20__

Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations

The Board of Directors or a Senior Officer(s) of TBD Securities certifies:

(1) The Board of Directors (or name of Senior Officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary;

(2) To the best of the (Board of Directors) or (name of Senior Officer(s)) knowledge, the Cybersecurity Program of TBD Securities as of [Date] complies with the rules and regulations of the state of New York.

By: ______________________  Printed Name: ______________________  Title: ______________________  Date: ____________

Electronic Devices and Communications Inspection Form

Electronic Device Review:

Device Name        Description        % Business Use        % Personal Use
_____________      _____________      _____________         _____________

☐ Yes ☐ No  Anti-malware software is installed on this device.
☐ Yes ☐ No  Anti-virus software is installed on this device.
☐ Yes ☐ No  Software auto-update is set to "ON" on this device.
☐ Yes ☐ No  Log-in privileges to this device are password protected.
☐ Yes ☐ No  This device 'times out' after 15 minutes or less of non-use.
☐ Yes ☐ No  ONLY approved (company) email is received on this device.
☐ Yes ☐ No  ONLY associated personnel have access to this device.

Please explain any "NO" answer in the space provided below:

Exceptions, Notes:

CYBER SECURITY INCIDENT REPORT

Courtesy of Monahan & Roth, LLC

Incident Reported By: ______________________
Incident Reported To: ______________________
Date Reported: ______________  Time: ________  ☐ am  ☐ pm

Nature of the incident (include the scope, systems and information involved):
______________________________________________________________

CONTAINMENT
Date Contained: ______________  Time: ________  ☐ am  ☐ pm
Record the steps taken to contain and control the incident to prevent further unauthorized access, disclosure or use:
______________________________________________________________

INVESTIGATION
Investigation performed: ______________  Time: ________  ☐ am  ☐ pm
Describe the nature of the investigation, including whether or not sensitive information has or might be compromised:
______________________________________________________________

DISCLOSURE TO THIRD PARTIES (check all that apply)
☐ Counsel   ☐ Other Qualified Resource   ☐ Law Enforcement   ☐ Individuals affected
Describe:
______________________________________________________________

RESOLUTION
Resolution achieved: ______________  Time: ________  ☐ am  ☐ pm
☐ Related Cyber Policies adequate
☐ Related Cyber Policies require amendment
☐ Follow-up required
Describe:
______________________________________________________________

Principal Acknowledgement of Resolution: ______________________  Date: ____________

Notes:
______________________________________________________________

     

Electronic Device Disclosure

Associated persons are required to disclose the use and/or the termination of use of any electronic device used entirely or in part for business purposes by completing the table below.

☐ This is an initial report of electronic device(s)
☐ I have a new device to report
☐ I have a retired device to report
☐ I have a change in usage of a previously reported device to report

Table columns (one row per device):
• Device Description (example: "primary office computer"). Include smartphones, tablets and other devices
• Device Type (example: iMac, or Dell PC desktop)
• % Business Use
• % Personal Use
• Notes (example: shared device with another associated person)

I hereby certify that the above information is correct and accurate to the best of my knowledge and that I adhere to my Broker-Dealer's policies and procedures.

Signature: ______________________  Date: ____________

Cyber Security Checklist for Broker Dealers

Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

Page 1

Identify: Risk Assessment & Management (answer each item YES / NO / N/A)

1. Risk assessments are conducted frequently (e.g. annually, quarterly).
2. Cybersecurity is included in the risk assessment.
3. The risk assessment includes a review of the data collected or created, where the data is stored, and if the data is encrypted.
4. Internal "insider" risk (e.g. disgruntled employees) and external risks are included in the risk assessment.
5. The risk assessment includes relationships with third parties.
6. Adequate policies and procedures demonstrate expectations of employees regarding cybersecurity practices (e.g. frequent password changes, locking of devices, reporting of lost or stolen devices, etc.).
7. Primary and secondary person(s) are assigned as the central point of contact in the event of a cybersecurity incident.
8. Specific roles and responsibilities are tasked to the primary and secondary person(s).
9. The firm has an inventory of electronic devices and software in use in its home office.
10. The firm has an inventory of electronic devices and software in use in its branch offices.

Notes:


Protect: Use of Electronic Mail (YES / NO / N/A)

1. The firm has protective measures in place to govern the distribution of identifiable information of a client transmitted via email.
2. The firm has protective measures in place to govern authentication practices for access to email on all devices (computer and mobile devices).
3. The firm requires that passwords for access to email are changed no less than quarterly.
4. The firm's policies and procedures provide instruction to authenticate client instructions received via email.
5. If applicable, the firm's employees and clients are aware that email communication is not secured.

Protect: Devices (YES / NO / N/A)

1. Device access (physical and digital) is permitted for authorized employees.
2. Device access (physical and digital) is permitted for authorized clients.
3. Device access is routinely audited and updated appropriately.
4. Devices are routinely backed up and underlying data is stored in a separate location (i.e. on an external drive, in the cloud, etc.) subject to FINRA requirements for electronic storage, or other related requirements.
5. Backups have been tested in the most recent 12 months.
6. The firm has written policies and procedures regarding the secure destruction of electronic devices no longer in use (end of life procedures).

Notes:


Protect: Use of Cloud Services (YES / NO / N/A)

1. Due diligence has been conducted on the cloud service provider prior to signing an agreement or contract.
2. As part of the due diligence, the firm has evaluated whether the cloud service provider has safeguards against breaches and a documented process in the event of breaches.
3. The firm has a business relationship with the cloud service provider and has the contact information for that entity.
4. The firm is aware of the assignability terms of the contract.
5. The firm understands how the firm's data is segregated from other entities' data within the cloud service.
6. The firm is familiar with the restoration procedures in the event of a breach or loss of data stored through the cloud service.
7. The firm has written policies and procedures in the event that the cloud service provider is purchased, closed, or otherwise unable to be accessed.
8. The firm solely relies on free cloud storage.
9. The firm maintains a Rule 17a-4 compliant backup of all records off-site.
10. Data containing sensitive or personally identifiable information is stored through a cloud service.
11. The firm's data accessible by the vendor containing sensitive or personally identifiable information, which is stored through a cloud service, is encrypted.
12. The firm has written policies and procedures related to the use of devices by employees or vendors who access data in the cloud.
13. If applicable, the firm's procedures provide controls when the cloud provider (or its staff) may access and/or view the firm's data stored in the cloud.
14. If the firm allows any user remote access to its network (e.g. through use of VPN), such access is subject to controls including user management.
15. The VPN access of employees is monitored.
16. The firm has written policies and procedures related to the termination of VPN access when any authorized user resigns or is terminated.


Protect: Use of Firm Websites (YES / NO / N/A)

1. The firm relies on a parent or affiliated company for the construction and maintenance of the website.
2. The firm relies on internal personnel for the construction and maintenance of the website.
3. The firm relies on a third-party vendor for the construction and maintenance of the website.
4. If the firm relies on a third party for website maintenance, there is an agreement with the third party regarding the services and the confidentiality of information.
5. The firm can directly make changes to the website.
6. The firm can directly access the domain renewal information and the security certificate information.
7. The firm's website is used to access client information.
8. SSL or other encryption is used when accessing client information on the firm's website.
9. The firm's website includes a client portal.
10. SSL or other encryption is used when accessing a client portal.
11. When accessing the client portal, user authentication credentials (i.e., user name and password) are encrypted.
12. Additional authentication credentials (i.e., challenge questions, etc.) are required when accessing the client portal from an unfamiliar network or computer.
13. The firm has written policies and procedures related to a denial of service issue.

Notes:

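Item 12 describes step-up authentication for a client portal: a password alone is accepted only from a familiar device on a familiar network. The policy below is an added example, not code from the checklist or from any portal vendor; the device token, user names and addresses are constructed, and the "same network" grouping (IPv4 /24, IPv6 /64) is an assumption a firm would tune to its own clients.

```python
"""Step-up authentication decision for a client portal.

Added example, not part of the checklist. A correct password is accepted
on its own only from a device/network pair on which the user has already
passed a second-factor challenge; anything unfamiliar is challenged first.
Users, device ids and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    user: str
    device_id: str     # assumed: random token kept in a long-lived, HttpOnly cookie
    source_ip: str
    password_ok: bool  # outcome of the primary credential check


@dataclass
class StepUpPolicy:
    # per user: set of (device_id, network) pairs that have passed a challenge
    trusted: dict = field(default_factory=dict)

    @staticmethod
    def network_of(ip: str) -> str:
        # Treat an IPv4 /24 or IPv6 /64 as "the same network" (assumed granularity)
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def evaluate(self, a: LoginAttempt) -> str:
        """Return 'deny', 'allow' or 'challenge'."""
        if not a.password_ok:
            return "deny"  # checked first so a bad password never reveals device status
        pair = (a.device_id, self.network_of(a.source_ip))
        if pair in self.trusted.get(a.user, set()):
            return "allow"
        return "challenge"  # e.g. one-time code or challenge questions

    def challenge_passed(self, a: LoginAttempt) -> None:
        """Enrol the device/network pair only after the second factor succeeded."""
        pair = (a.device_id, self.network_of(a.source_ip))
        self.trusted.setdefault(a.user, set()).add(pair)
```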

Protect: Custodians & Other Third-Party Vendors   YES   NO   N/A

1. The firm’s due diligence on third parties includes cybersecurity as a component.
2. The firm has requested vendors to complete a cybersecurity questionnaire, with a focus on issues of liability sharing and whether vendors have policies and procedures based on industry standards.
3. The firm understands when/if the vendor has IT staff or outsources some of its functions.
4. The firm has obtained a written attestation from the vendor that it uses software to ensure customer data is protected.
5. If applicable, the firm has obtained evidence of the vendor’s cybersecurity risk assessment or audit on a regular basis.
6. The cybersecurity terms of the agreement with an outside vendor are not voided because of the actions of an employee of the firm.
7. The firm’s contract with third-party vendors includes terms of confidentiality.
8. The firm has been provided enough information to assess the cybersecurity practices of any third-party vendors.
9. [Relevant to custodians only] The firm has discussed with the custodian matters regarding impersonation of clients and authentication of client orders.
10. The firm’s contract with the vendor includes terms for notification in the event of a cyber breach.

Protect: Encryption   YES   NO   N/A

1. The firm routinely consults with an IT professional knowledgeable in cybersecurity.
2. The firm has written policies and procedures in place to categorize data as either confidential or non-confidential.
3. The firm has written policies and procedures in place to address data security and/or encryption requirements.
4. The firm has written policies and procedures in place to address the physical security of confidential data and systems containing confidential data (e.g., servers, laptops, tablets, removable media).
5. The firm utilizes encryption on all data systems that contain (or access) confidential information.
6. The identities and credentials for authorized users are recorded and periodically updated.


Notes:


Detect: Anti-Virus Protection and Firewalls   YES   NO   N/A

1. The firm mandates the installation and auto-update of anti-virus, anti-spam and anti-malware software on all electronic devices accessing the firm’s network or otherwise retaining personally identifiable information or firm records.
2. The firm mandates that all settings are deployed to ensure that software is subject to auto-update.
3. Employees are trained and educated on the basic function of anti-virus programs and how to report potential malicious events.
4. If the alerts are set up by an outside vendor, there is an ongoing relationship between the vendor and the firm to ensure continuity and updates.
5. A firewall is employed and configured appropriately for the firm’s needs.
6. The firm has policies and procedures to address flagged network events.

Notes:


Respond: Responding to a Cyber Event   YES   NO   N/A

1. The firm has a plan and procedure for immediately notifying authorities in the case of a disaster or a security incident of significant magnitude.
2. The plans and procedures identify which authorities should be contacted based on the type of incident and who should be responsible for initiating those contacts.
3. The firm has a communications plan, which identifies who will speak to the public/press in the case of an incident and how internal communications will be managed.
4. The communications plan identifies the process for notifying clients and, if applicable, for addressing damages.

Notes:


Recover: Cyber-insurance   YES   NO   N/A

1. The firm has considered whether cyber-insurance is necessary or appropriate for the firm.
2. The firm has evaluated the coverage in a cybersecurity insurance policy to determine whether it covers breaches, including: breaches by foreign cyber intruders; insider breaches (e.g., an employee who steals sensitive data); and breaches as a result of third-party relationships.
3. The cybersecurity insurance policy covers notification (clients and regulators) costs.
4. The firm has evaluated whether the policy includes first-party coverage (e.g., damages associated with theft, data loss, hacking and denial of service attacks) or third-party coverage (e.g., legal expenses, notification expenses, third-party remediation expenses).
5. The exclusions of the cybersecurity insurance policy are appropriate for the firm’s business model.
6. The firm has put into place all safeguards necessary to ensure that the cybersecurity policy is not voided through firm employee actions, such as negligent computer security where software patches and updates are not installed in a timely manner.

Recover: Disaster Recovery   YES   NO   N/A

1. The firm has a business continuity plan to implement in the event of a cybersecurity event.
2. The firm has a process for retrieving backed-up data and archival copies of information.
3. The firm has written policies and procedures for employees regarding the storage and archival of information.
4. The firm provides training on policies and procedures related to document retention, safekeeping and updates.

Notes:
