Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
© Copyright 2015 by K&L Gates LLP. All rights reserved.
Testing Your Cybersecurity Infrastructure and Enforcement Related Developments
Mark C. Amorosi, Investment Management Partner, K&L Gates LLPLaura L. Grossman, Assistant General Counsel, Investment Adviser AssociationJason Harrell, Corporate SIRO – Investment Management, BNY MellonJeromie Jackson- CISSP, CISM, Director of Security & Analytics, Nth GenerationJeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates LLPAndras P. Teleki, Investment Management Partner, K&L Gates LLP
Wednesday, April 29, 2015
klgates.com
Investment Management Cybersecurity Seminar Series Overview Session 1 (February 27, 2015) Untangling the Gordian Knot – Where to Begin When Building Your
Cybersecurity Program Session 2 (March 23, 2015) Board and Senior Management Oversight of Cybersecurity at the
Adviser, the Registered Fund and Their Service Providers Session 3 (Today) Testing Your Cybersecurity Infrastructure and Enforcement Related
Developments Session 4 (May 20, 2015) Breach – What to Do When Things Go Wrong and Cybersecurity
Insurance Coverage Session 5 (June 25, 2015) Building a Better Mousetrap – Evolving Trends in Cybersecurity
Practices and Public Policy Developments
2
klgates.com
Session 3 Topics Cybersecurity Compliance Testing under Rule 206(4)-7 and Rule 38a-1 –
CCO Responsibilities for Cybersecurity Matters
Leveraging the OCIE 2014 Cybersecurity Sweep Examination Letter
Vulnerability Assessments and Penetration Testing – What are the Differences and What do these Tests Tell You about Your Cybersecurity Defenses
“Blackbox” vs. “Glassbox” Testing
Interpreting and Prioritizing Testing Results
What the SEC, FINRA, CFTC, FTC and Other Regulators Have Said about Enforcement Priorities around Cybersecurity
Cybersecurity Litigation and Enforcement Round-Up
3
The Regulatory Framework
Cybersecurity at the Top of the SEC’s Mind Corp Fin Guidance (2011) Commission Roundtable (2014) OCIE Sweep and Risk Alert (2014/15) OCIE Examination Priority (2015) Numerous references in staff remarks IM Guidance Update (New – April 28, 2015)
5
Overview of the Legal Framework Regulation S-P (including “Safeguards Rule”) Regulation S-ID (Identity Theft Red Flags) IAA Rule 206(4)-7 and ICA Rule 38a-1
(Compliance Rules) IAA Rule 204-2(g) and ICA Rule 31a-2(f)
(Electronic Recordkeeping Rules) ICA Rule 30a-3 (Internal Controls) Disclosure Considerations
6
Overview of Legal Framework (cont’d)
Business continuity plans Suspicious activity reporting CFTC Regulations, Part 160.30 FTC enforcement of Section 5 of FTCA Practically every state has enacted laws relating to
cybersecurity, including information security program and data breach notification requirements
7
IM Guidance Update (April 28, 2015) SEC staff identified a number of measures that advisers and funds
may wish to consider in addressing cybersecurity risk, including:
Conduct a periodic assessment of: (1) the information held and systems used by the firm; (2) threats and vulnerabilities; (3) existing controls; (4) potential impact of an incident; and (5) the cybersecurity governance structure
Create a strategy designed to prevent, detect and respond to threats, which may include: (1) access and technical network controls; (2) encryption; (3) restricting use of removable storage media and deploying software that monitors for threats and incidents; (4) data backup and retrieval; and (5) the development of an incident response plan. Routine testing of strategies could also enhance the effectiveness of any strategy
Implement the strategy through written policies and procedures and training
8
IM Guidance Update (cont.) Potential implications for compliance programs and regulatory risk
exposure:
“In the staff’s view, funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks….[F]unds and advisers may wish to consider reviewing their operations and compliance programs and assess whether they have measures in place that are designed to mitigate their exposure to cybersecurity risk.”
Staff stated that compliance policies and procedures could address cybersecurity risks relating to identity theft and data protection (Regulations S-P and S-ID), business continuity, and fraud (Codes of Ethics – insider threats), “as well as other disruptions in service that could affect, for instance, a fund’s ability to process shareholder transactions” (Section 22(e) and Rule 22c-1).
9
Cybersecurity Compliance Considerations under Rule 206(4)-7 and Rule 38a-1
Compliance Program Requirements
IAA Rule 206(4)-7 and ICA Rule 38a-1 together require registered investment advisers and registered funds to (1) designate a chief compliance officer (“CCO”), (2) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, and (3) review annually the adequacy and effectiveness of such policies and procedures
11
Cybersecurity compliance policies and procedures that address requirements under the federal securities laws should be included in compliance programs and evaluated as part of the annual review, which should include risk assessments, policy and procedure reviews, and service provider reviews
SEC Cybersecurity Sweep Examinations
SEC Sweep Exam Findings on CCO Involvement in Cybersecurity
Significant majority of advisory firms assign information security responsibilities to Chief Technology Officers or to other senior officers, including Chief Compliance Officers, to liaise with third-party consultants who are responsible for cybersecurity
Less than a third of the examined advisers (30%) have a Chief Information Security Officer
12
2014:OCIE Risk Alert and
Sweep Exams
2015:OCIE Sweep Exam Summary and IM Guidance Update
Future Initiatives:OCIE Exam Priority
for 2015Other Regulators?
CCO Potential Liabilities ‘‘I need to be clear that we have brought – and will
continue to bring – actions against legal and compliance officers when appropriate’’ – SEC Enforcement Director Andrew Ceresney, Keynote Address at Compliance Week 2014 (May 20, 2014)
13
Numerous enforcement actions against CCOs for a variety of alleged failures, including (1) failure to implement appropriate procedures to address risks and (2) failure to adequately assess effectiveness of those procedures
CCO Planning Items1. Conduct cybersecurity risk assessment
2. Incorporate cybersecurity compliance risks into the firm’s risk matrix
3. Review adequacy of policies and procedures, including those relating to cybersecurity requirements
4. Assess the effectiveness of implementation of the firm’s cybersecurity policies and procedures, including testing
5. Due diligence on third party vendors
6. Incorporate cybersecurity into annual review of compliance program
7. Incident response planning
14
Testing Considerations Testing - Important aspect of assessing compliance programs Firms routinely conduct testing as part of annual assessment OCIE routinely asks for information about testing results in connection
with inspections Common types of compliance testing: Transactional Tests – Transaction-by-transaction tests conducted
contemporaneously with the transaction Periodic Tests – Transaction-by-transaction tests performed on a
“look back” basis at relevant intervals, such a spot checks or random or regular detailed reviews
Forensic Tests – Tests that analyze data over a period of time looking for trends and patterns
Traditional tests can be used in cybersecurity area (e.g., testing privilege management, document destruction, authentication procedures, red flag identification/response, physical safeguards)
15
Testing Considerations Specialized tests in the cybersecurity area Vulnerability Scans – Automated process of proactively
identifying security vulnerabilities of computing systems in a network to determine if and where a system can be exploited and/or threatened
Penetration Testing – An attack on a firm’s information technology system conducted by an information security specialist retained by the firm with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data
Advantages and disadvantages of each type of test
16
Cybersecurity Testing Challenges Relative lack of information security technical expertise in many
compliance departments
Compliance departments generally do not have experience with the specialized tests that can be used in this area
Many compliance departments lack expertise to interpret the testing results
Testing limitations
Resource constraints
17
Potential Testing and Assessment Techniques Leverage OCIE cybersecurity
sweep exam letter to identify and prioritize areas of focus
Leverage information security resources in other parts of the organization to test compliance
Add information security technical expertise in the compliance department to enhance testing capabilities
Engage third parties to conduct vulnerability and penetration testing
Rely on third party testing conducted for service providers
Interview key personnel with cybersecurity responsibilities
Observe implementation of cybersecurity policies in actual operating environment
Utilize certifications and questionnaires
Review management and third party reports relating to cybersecurity matters
Evaluate trends in, and frequency of, exceptions or violations of cybersecurity requirements
18
Leveraging the 2014 SECCybersecurity Sweep Exam Questions to
Assess Your Cybersecurity Practices
SEC Cybersecurity Sweep Exam Initiative
Most advisers (74%) reported that they have been the subject of a cyber-related incident
The vast majority of examined advisers (83%) have adopted written information security policies, and over half of them (57%) audit compliance with these policies
A high percentage of examined advisers report conducting firm-wide inventorying, cataloging or mapping of their technology resources
The vast majority of the examined advisers conduct periodic risk assessments
Almost all of the examined advisers (91%) made use of encryption in some form
Approximately half of the examined advisers (53%) are using external standards and other resources to model their information security architecture and processes
Approximately a third (32%) of the examined advisers require risk assessments of vendors with access to their networks
Approximately a quarter of examined advisers (24%) include cybersecurity requirements in contracts with vendors
Approximately a third of the examined advisers (30%) have an individual assigned as the firm’s Chief Information Security Officer
Written business continuity plans often address the impact of cyberattacks or intrusions, but only about half (51%) of adviser policies discuss mitigating cybersecurity incidents
Approximately a quarter of examined advisers (21%) maintain insurance that covers losses and expenses from cybersecurity incidents
The SEC’s Office of Compliance, Inspections and Examinations examined 49 registered investment advisers and 57 registered broker-dealers in 2014 as part of its Cybersecurity Exam Initiative and issued a Risk Alert summarizing its observations in January 2015. Primary observations included:
20
The 2014 SEC Cybersecurity Sweep Exam Topics
• Identification of Risks/Cybersecurity Governance;
• Protection of Firm Networks and Information;• Risks Associated with Remote Customer Access
and Funds Transfer Requests;• Risks Associated with Vendors and Other 3rd
Parties;• Detection of Unauthorized Activity; and• Experience with Cybersecurity Attacks (network
breach, malware, fraudulent transfer requests, etc.).
The 2014 Sweep focused on the following six topics:
21
The 2014 SEC Cybersecurity Sweep Exam Question Highlights
• Inventories of physical devices, systems, software platforms and applications;
• Maps of network resources, connections and data flows; and
• Logging capabilities and practices.
Baseline Inventory Questions from the Sweep (i.e., what your IT infrastructure consists of)
22
The 2014 SEC Cybersecurity Sweep Exam Question Highlights
• Controls to prevent unauthorized escalation of user privileges;
• Environment for testing and developing software separate from the production environment;
• Controls to prevent unauthorized changes to baseline configurations;
• System patching and maintenance;• Protection against DDoS attacks; and• Use of encryption.
Protection of Firm Networks and Information Questions from the Sweep (i.e., what controls does your organization maintain)
23
The 2014 SEC Cybersecurity Sweep Exam Question Highlights
• Who provides and manages the service;• How are customers authenticated for on-line account access;• Security measures to protect customer pins/passwords; and• Software/practices for detecting fraudulent account access.
Risks Associated with Remote Customer Access and Funds Transfer Requests
24
The 2014 SEC Cybersecurity Sweep Exam Question Highlights
• Maintaining baseline information about expected events on the firm’s network;
• Monitoring the firm’s network environment/physical environment;
• Using software to detect malicious code on firm networks and mobile devices;
• Monitoring for the presence of unauthorized users, devices, connections and software on the firm’s networks; and
• Using the analysis of events to improve the firm’s defensive measures and policies.
Detection of Unauthorized Activity
25
Testing Approaches
Testing Approaches Black Box- Assessor not given any details Grey Box- Assessor given limited knowledge White/Crystal Box- Knowledge is openly shared
with assessor
27
Scoping Internal and/or External # of devices within the network # of locations to visit Sampling of all systems? Including workstations?
28
Vulnerability Assessments
Internal and/or External Determine in-scope environment Include external critical assets Include disaster recovery sites
30
Discovery Identification of Network
Address Space Operating System
Fingerprinting Open Ports Assess all TCP/UDP
ports 1-65535
31
Vulnerability Identification Top Vulnerability Categories Unpatched applications Default credentials Excessive privilege and/or services Vulnerable web application forms
32
Extra Tests on Internal Assessments Wireless Security Assessment Review Policies & Procedures Third Party Connectivity Vendor Management Program Disaster Recovery/Business Continuity Plan Security Countermeasure Configuration
33
Penetration Testing
Penetration Testing Combining vulnerability assessments with
penetration testing
35
Vulnerability & Exploit Correlation Exploits coming on quickly after vulnerability
release Buffer Overflows Memory Leaks Race Conditions SQL Injections
36
Exploitation
37
Credential Manipulation Brute Forcing Passwords Passing the Hash Default Passwords Cookie Harvesting
38
Rogue Wireless Access Point User accesses a rogue device All traffic now intercepted User still able to access systems thus believes
everything is fine
39
Social Engineering
Any act that influences a person to take an action that may or may not be in their
best interest.40
Remote Social Engineering Review of Online Content LinkedIn Facebook GlassDoor Twitter
Creation of Custom Ruse Execution Phishing Phone Scams Fake Customer/Vendor
Engagements
41
On-Site Social Engineering Casing of the building and learning daily office
workflows Google physical mappings Building plans/blueprints/owner details Ruse development Exploitation Tailgating Planting USB/CDRom/etc. Posing as vendor/customer
42
Web Application Assessments Identify roles, forms and system details Run scanning tools to identify potential
weaknesses Attempt exploitation to gain system or data access
• Cross-Site Scripting• SQL Injection• Role Escalation• API Abuse
43
Physical Security Red Team or Physical Security Walkthrough Assess Locks Doors Windows Physical Security Badging Hinges Cameras Motion Sensors Other
44
Enforcement and Litigation Outlook
Cybersecurity Enforcement
SEC Activity Has Been Limited Principally Violations of Reg S-P Safeguards Rule Focus on Failure to Address Known Deficiencies Actions Predate Current Regulatory Focus FTC Remains Most Aggressive Agency
46
Safeguards Rule: 17 CFR § 248.30(a)
Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to: (1) Insure the security and confidentiality of customer records and
information; (2) Protect against any anticipated threats or hazards to the security or
integrity of customer records and information; and (3) Protect against unauthorized access to or use of customer records or
information that could result in substantial harm or inconvenience to any customer.
47
Who is Covered
“Customers” are “consumers” – individuals with a continuing relationship under which you provide financial products or services that are used primarily for personal, family, or household purposes. (i) An individual is your consumer if he or she provides
non-public personal information to you in connection with obtaining or seeking…investment advice.
(ii) An individual is not your consumer if you are an investment company and individual purchases through a broker dealer or investment adviser who is the record owner.
48
SEC Actions Against Advisers
LPL Financial Corporation, Adm. Proc. File No. 3013181, IA Rel. No. 2775, (Sept. 11, 2008) Deficiencies identified by internal audit
Failure to use strong passwords. Passwords widely disseminated. Excessive session inactivity parameters.
Unauthorized persons gain access and place unauthorized trades
Settled order imposes $27,000 fine and independent consultant for two years
49
SEC Actions Against Advisers (cont.)
Commonwealth Equity Services Adm. Proc. 3-13631, IA Release No. 2929, (September 29, 2009) Dual registrant failed to mandate antivirus software use by
registered representatives IT staff failed to follow up aggressively to registered
representative’s report of virus and requests for assistance Intruder gained access through virus and placed 18 orders for
a single stock in customer accounts Clearing broker detected trades and further activity blocked Firm fined $100,000
50
FINRA Enforcement
FINRA actions involve Safeguards Rule and NASD Rules 3010 and 3012 on supervisory responsibility
Actions focus on deficiencies in programs, even in the absence of customer harm: Only general vague summary policies that do not contain specific
procedures on safeguarding of information Policies provide “guidance,” “recommendations,” and
“suggestions” as opposed to mandates Lack of encryption, antivirus protection Lack of training, lack of response planning Failure to monitor or review or respond to deficiencies
51
SEC Actions Against Hackers
SEC has pursued hackers without sanctioning firms Overseas hackers amass large penny stock position in
“legitimate” online accounts Take control of online brokerage accounts to buy large
quantities of these securities to inflate price Sell holdings from “legitimate” accounts
SEC v. Marimuthu, C.A. No. 8:07CV94 (D. Neb. March 12, 2007)(innocent account holders lost $845,000); SEC v. Grand Logistic, Inc., C.A. No. 06-cv-15274 (S.D.N.Y. Dec. 16, 2006)
52
CFTC Enforcement
In the Matter of Interbank FX, LLC, CFTC Docket No. 09-11 (June 29, 2009)
CFTC Regulation 160.30 requires that FCMs, CTAs, CPOs and introducing brokers adopt policies and procedures that address the administrative, technical, and physical safeguards for the protection of customer records
Firm had no policy or procedures concerning the protection of consumer personal identifying information (PII)
While working on a systems upgrade, a software engineer is provided access and downloads PII for 13,000 customers to personal website
53
FTC Enforcement
Section 5 of FTCA outlaws “unfair or deceptive acts or practices” affecting commerce
FTC is the most aggressive enforcer Fifty cases since 2000 Defective data security practices Deceptive statements about use Far reaching remedies
Authority challenged in FTC v. Wyndham Resorts (3d Cir.) and In the Matter of Lab MD, Inc. (FTC) Section 5 “unfairness” does not reach data security defects No fair notice of what data security practices Section 5 forbids
54
Predictions
SEC enforcement staff has been largely silent on cybersecurity investigations
SEC will continue focus on protecting individual information and assets
SEC will examine firms’ “critical infrastructure” that may or may not relate directly to customer accounts or identities
SEC will use compliance rules to bring cases based on failures to adopt “reasonably designed” procedures addressing topics covered in “guidance”
55
Civil Litigation
Class actions by customers Derivative actions against directors and officers Securities actions Lawsuits between targets and banks
56
Civil Litigation
Target Consumer Settlement Over 100 million individuals affected Settlement fund of $10 million Claims up to $10,000 on showing of actual “loss”
Target/Mastercard Settlement Small institutions object to settlement Small institutions have higher per card losses Settlement would release further claims by small
issuers
57
Key Takeaways and Next Steps
Session 3 – Key Takeaways VULNERABILITY / PATCH MANAGEMENT - The identification and remediation of known software
weakness
Scan all internal and external systems to identify missing software patches
Identify software and hardware that is no longer supported by the vendor. Unsupported software does not have patches developed by the vendor
Have a documented process for how patches are implemented on your system from patch identification to implementation
Request reporting
PENETRATION TESTING - The identification and remediation of application functionality flaws (e.g., default configurations, application processing errors) that may lead to application compromises
Consider using a reputable 3rd party to conduct these reviews
Start with external, internet facing applications that allow for the movement of funds and/or access personal information (FFIEC) then focus on critical internal applications
Make certain that you are clear on what the results mean (i.e., business impact of risk exposure)
Develop remediation of identified gaps
59
Session 3 – Key Takeaways (cont.) WIRELESS ACCESS TESTING – The identification and remediation of gaps related to the use of
wireless devices
Determine / identify the company stance on the use of wireless networks– Does your company permit wireless access points on its network for internal employees?
– Does your company provide wireless access points on its network for guests or visitors?
– Is the wireless network for guests / visitors segmented off the internal network?
Identify a reputable 3rd party vendor to test your network against the policy / company posture and identify gaps
Develop a project plan to remediate these gaps
SOCIAL ENGINEERING – Any attempt to trick or deceive an individual to provide information (e.g., account information) or conduct an action (e.g., clicking a malicious link) that may lead to personal or corporate harm
Identify how these attacks may happen within your company. (e.g., email, phone, client authentication)
Determine what your company and its clients can do to protect themselves
Develop training to educate the company on how to protect themselves (ongoing)
Develop training to educate your clients on how to protect themselves (ongoing)
Develop testing to determine training effectiveness
60
Next Steps for Advisers and Funds1. Engage senior management and, if appropriate, the board of the
adviser and any funds in the complex2. Conduct a cybersecurity governance and risk assessment3. Review and test the adequacy of existing compliance policies,
business continuity plans, technical controls and other relevant procedures
4. Develop an incident response plan5. Enhance employee training6. Review vendor relationships7. Review insurance coverage8. Assess need for, and adequacy of, any public disclosures9. Attend upcoming K&L Gates and Investment Adviser Association
Cybersecurity Seminar Series programs
61
klgates.com
Cybersecurity Seminar Series Overview Session 1 (February 27, 2015) Untangling the Gordian Knot – Were to Begin When Building Your
Cybersecurity Program Session 2 (March 23, 2015) Board and Senior Management Oversight of Cybersecurity at the
Adviser, the Registered Fund and Their Service Providers Session 3 (Today) Testing Your Cybersecurity Infrastructure and Enforcement Related
Developments Session 4 (May 20, 2015) Breach – What to Do When Things Go Wrong and Cybersecurity
Insurance Coverage Session 5 (June 25, 2015) Building a Better Mousetrap – Evolving Trends in Cybersecurity
Practices and Public Policy Developments62
Speaker Contact Information
63
Mark C. Amorosi, Investment Management Partner, K&L Gates [email protected]
Laura L. Grossman, Assistant General Counsel, Investment Adviser [email protected]
Jason Harrell, Corporate SIRO – Investment Management, BNY [email protected]
Jeromie Jackson- CISSP, CISM, Director of Security & Analytics, Nth Generation858-451-2383 [email protected]
Jeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates [email protected]
Andras P. Teleki, Investment Management Partner, K&L Gates [email protected]
Additional Cybersecurity ResourcesTo access our firm’s additional cybersecurity related recorded webinars, presentations, articles and checklists please visit www.klgateshub.com.
64
THANK YOU