
© Copyright 2015 by K&L Gates LLP. All rights reserved.

Testing Your Cybersecurity Infrastructure and Enforcement Related Developments

Mark C. Amorosi, Investment Management Partner, K&L Gates LLP
Laura L. Grossman, Assistant General Counsel, Investment Adviser Association
Jason Harrell, Corporate SIRO – Investment Management, BNY Mellon
Jeromie Jackson, CISSP, CISM, Director of Security & Analytics, Nth Generation
Jeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates LLP
Andras P. Teleki, Investment Management Partner, K&L Gates LLP

Wednesday, April 29, 2015

Investment Management Cybersecurity Seminar Series Overview

Session 1 (February 27, 2015): Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program
Session 2 (March 23, 2015): Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers
Session 3 (Today): Testing Your Cybersecurity Infrastructure and Enforcement Related Developments
Session 4 (May 20, 2015): Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage
Session 5 (June 25, 2015): Building a Better Mousetrap – Evolving Trends in Cybersecurity Practices and Public Policy Developments

Session 3 Topics

Cybersecurity Compliance Testing under Rule 206(4)-7 and Rule 38a-1 – CCO Responsibilities for Cybersecurity Matters
Leveraging the OCIE 2014 Cybersecurity Sweep Examination Letter
Vulnerability Assessments and Penetration Testing – What are the Differences and What do these Tests Tell You about Your Cybersecurity Defenses
“Blackbox” vs. “Glassbox” Testing
Interpreting and Prioritizing Testing Results
What the SEC, FINRA, CFTC, FTC and Other Regulators Have Said about Enforcement Priorities around Cybersecurity
Cybersecurity Litigation and Enforcement Round-Up


The Regulatory Framework

Cybersecurity at the Top of the SEC’s Mind

Corp Fin Guidance (2011)
Commission Roundtable (2014)
OCIE Sweep and Risk Alert (2014/15)
OCIE Examination Priority (2015)
Numerous references in staff remarks
IM Guidance Update (new – April 28, 2015)

Overview of the Legal Framework

Regulation S-P (including the “Safeguards Rule”)
Regulation S-ID (Identity Theft Red Flags)
IAA Rule 206(4)-7 and ICA Rule 38a-1 (Compliance Rules)
IAA Rule 204-2(g) and ICA Rule 31a-2(f) (Electronic Recordkeeping Rules)
ICA Rule 30a-3 (Internal Controls)
Disclosure Considerations

Overview of the Legal Framework (cont’d)

Business continuity plans
Suspicious activity reporting
CFTC Regulations, Part 160.30
FTC enforcement of Section 5 of the FTC Act
Practically every state has enacted laws relating to cybersecurity, including information security program and data breach notification requirements

IM Guidance Update (April 28, 2015)

SEC staff identified a number of measures that advisers and funds may wish to consider in addressing cybersecurity risk, including:

Conduct a periodic assessment of: (1) the information held and systems used by the firm; (2) threats and vulnerabilities; (3) existing controls; (4) the potential impact of an incident; and (5) the cybersecurity governance structure

Create a strategy designed to prevent, detect and respond to threats, which may include: (1) access and technical network controls; (2) encryption; (3) restricting use of removable storage media and deploying software that monitors for threats and incidents; (4) data backup and retrieval; and (5) the development of an incident response plan. Routine testing of strategies could also enhance the effectiveness of any strategy

Implement the strategy through written policies and procedures and training

IM Guidance Update (cont.)

Potential implications for compliance programs and regulatory risk exposure:

“In the staff’s view, funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks….[F]unds and advisers may wish to consider reviewing their operations and compliance programs and assess whether they have measures in place that are designed to mitigate their exposure to cybersecurity risk.”

Staff stated that compliance policies and procedures could address cybersecurity risks relating to identity theft and data protection (Regulations S-P and S-ID), business continuity, and fraud (Codes of Ethics – insider threats), “as well as other disruptions in service that could affect, for instance, a fund’s ability to process shareholder transactions” (Section 22(e) and Rule 22c-1).


Cybersecurity Compliance Considerations under Rule 206(4)-7 and Rule 38a-1

Compliance Program Requirements

IAA Rule 206(4)-7 and ICA Rule 38a-1 together require registered investment advisers and registered funds to (1) designate a chief compliance officer (“CCO”), (2) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, and (3) review annually the adequacy and effectiveness of such policies and procedures

Cybersecurity compliance policies and procedures that address requirements under the federal securities laws should be included in compliance programs and evaluated as part of the annual review, which should include risk assessments, policy and procedure reviews, and service provider reviews

SEC Cybersecurity Sweep Examinations

2014: OCIE Risk Alert and Sweep Exams
2015: OCIE Sweep Exam Summary and IM Guidance Update
Future Initiatives: OCIE Exam Priority for 2015; Other Regulators?

SEC Sweep Exam Findings on CCO Involvement in Cybersecurity

A significant majority of advisory firms assign information security responsibilities to Chief Technology Officers or to other senior officers, including Chief Compliance Officers, who liaise with the third-party consultants responsible for cybersecurity
Less than a third of the examined advisers (30%) have a Chief Information Security Officer

CCO Potential Liabilities

“I need to be clear that we have brought – and will continue to bring – actions against legal and compliance officers when appropriate” – SEC Enforcement Director Andrew Ceresney, Keynote Address at Compliance Week 2014 (May 20, 2014)

Numerous enforcement actions against CCOs for a variety of alleged failures, including (1) failure to implement appropriate procedures to address risks and (2) failure to adequately assess the effectiveness of those procedures

CCO Planning Items

1. Conduct a cybersecurity risk assessment
2. Incorporate cybersecurity compliance risks into the firm’s risk matrix
3. Review the adequacy of policies and procedures, including those relating to cybersecurity requirements
4. Assess the effectiveness of implementation of the firm’s cybersecurity policies and procedures, including testing
5. Due diligence on third-party vendors
6. Incorporate cybersecurity into the annual review of the compliance program
7. Incident response planning

Testing Considerations

Testing is an important aspect of assessing compliance programs
Firms routinely conduct testing as part of the annual assessment
OCIE routinely asks for information about testing results in connection with inspections

Common types of compliance testing:

Transactional Tests – Transaction-by-transaction tests conducted contemporaneously with the transaction
Periodic Tests – Transaction-by-transaction tests performed on a “look back” basis at relevant intervals, such as spot checks or random or regular detailed reviews
Forensic Tests – Tests that analyze data over a period of time looking for trends and patterns

Traditional tests can be used in the cybersecurity area (e.g., testing privilege management, document destruction, authentication procedures, red flag identification/response, physical safeguards)

Testing Considerations

Specialized tests in the cybersecurity area:

Vulnerability Scans – An automated process of proactively identifying security vulnerabilities of the computing systems in a network, to determine whether and where a system can be exploited or threatened
Penetration Testing – An attack on a firm’s information technology systems conducted by an information security specialist retained by the firm, with the intention of finding security weaknesses and potentially gaining access to the systems, their functionality and their data

Advantages and disadvantages of each type of test: a scan is cheap, repeatable and broad, but it reports suspected weaknesses (false positives included) without proving that any of them can actually be exploited; a penetration test proves exploitability and shows real impact, but it is a point-in-time exercise bounded by the agreed scope and the tester’s time and skill. Most programs use both: scan continuously, and test periodically against the findings that matter.

Cybersecurity Testing Challenges

Relative lack of information security technical expertise in many compliance departments
Compliance departments generally do not have experience with the specialized tests that can be used in this area
Many compliance departments lack the expertise to interpret the testing results
Testing limitations
Resource constraints

Potential Testing and Assessment Techniques

Leverage the OCIE cybersecurity sweep exam letter to identify and prioritize areas of focus
Leverage information security resources in other parts of the organization to test compliance
Add information security technical expertise in the compliance department to enhance testing capabilities
Engage third parties to conduct vulnerability and penetration testing
Rely on third-party testing conducted for service providers
Interview key personnel with cybersecurity responsibilities
Observe implementation of cybersecurity policies in the actual operating environment
Utilize certifications and questionnaires
Review management and third-party reports relating to cybersecurity matters
Evaluate trends in, and frequency of, exceptions or violations of cybersecurity requirements

Leveraging the 2014 SEC Cybersecurity Sweep Exam Questions to Assess Your Cybersecurity Practices

SEC Cybersecurity Sweep Exam Initiative

The SEC’s Office of Compliance Inspections and Examinations examined 49 registered investment advisers and 57 registered broker-dealers in 2014 as part of its Cybersecurity Exam Initiative and issued a Risk Alert summarizing its observations in January 2015. Primary observations included:

Most advisers (74%) reported that they have been the subject of a cyber-related incident
The vast majority of examined advisers (83%) have adopted written information security policies, and over half of them (57%) audit compliance with these policies
A high percentage of examined advisers report conducting firm-wide inventorying, cataloging or mapping of their technology resources
The vast majority of the examined advisers conduct periodic risk assessments
Almost all of the examined advisers (91%) made use of encryption in some form
Approximately half of the examined advisers (53%) are using external standards and other resources to model their information security architecture and processes
Approximately a third (32%) of the examined advisers require risk assessments of vendors with access to their networks
Approximately a quarter of examined advisers (24%) include cybersecurity requirements in contracts with vendors
Approximately a third of the examined advisers (30%) have an individual assigned as the firm’s Chief Information Security Officer
Written business continuity plans often address the impact of cyberattacks or intrusions, but only about half (51%) of adviser policies discuss mitigating cybersecurity incidents
Roughly a fifth of examined advisers (21%) maintain insurance that covers losses and expenses from cybersecurity incidents

The 2014 SEC Cybersecurity Sweep Exam Topics

The 2014 Sweep focused on the following six topics:

• Identification of Risks/Cybersecurity Governance;
• Protection of Firm Networks and Information;
• Risks Associated with Remote Customer Access and Funds Transfer Requests;
• Risks Associated with Vendors and Other 3rd Parties;
• Detection of Unauthorized Activity; and
• Experience with Cybersecurity Attacks (network breach, malware, fraudulent transfer requests, etc.).

The 2014 SEC Cybersecurity Sweep Exam Question Highlights

Baseline Inventory Questions from the Sweep (i.e., what your IT infrastructure consists of):

• Inventories of physical devices, systems, software platforms and applications;
• Maps of network resources, connections and data flows; and
• Logging capabilities and practices.

The 2014 SEC Cybersecurity Sweep Exam Question Highlights

Protection of Firm Networks and Information Questions from the Sweep (i.e., what controls your organization maintains):

• Controls to prevent unauthorized escalation of user privileges;
• Environment for testing and developing software separate from the production environment;
• Controls to prevent unauthorized changes to baseline configurations;
• System patching and maintenance;
• Protection against DDoS attacks; and
• Use of encryption.

The 2014 SEC Cybersecurity Sweep Exam Question Highlights

Risks Associated with Remote Customer Access and Funds Transfer Requests:

• Who provides and manages the service;
• How customers are authenticated for on-line account access;
• Security measures to protect customer PINs/passwords; and
• Software/practices for detecting fraudulent account access.

The 2014 SEC Cybersecurity Sweep Exam Question Highlights

Detection of Unauthorized Activity:

• Maintaining baseline information about expected events on the firm’s network;
• Monitoring the firm’s network environment/physical environment;
• Using software to detect malicious code on firm networks and mobile devices;
• Monitoring for the presence of unauthorized users, devices, connections and software on the firm’s networks; and
• Using the analysis of events to improve the firm’s defensive measures and policies.
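The first and fourth questions above (a baseline of expected events, and monitoring for unauthorized devices) describe one concrete detection technique: keep an authoritative device inventory and alert on anything on the wire that is not in it. The Python below is an added example written for this page, not code from the seminar or from any of the presenters. It assumes a constructed asset inventory keyed by MAC address and a constructed sample of ISC dhcpd-style DHCPACK log lines; both are made up here, and the field names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed baseline of authorised devices (MAC -> expected hostname).
# Assumption: the firm maintains this as part of the asset inventory the
# sweep's "inventory" questions ask about.
AUTHORISED_DEVICES = {
    "aa:bb:cc:00:00:01": "ws-amorosi",
    "aa:bb:cc:00:00:02": "ws-grossman",
    "aa:bb:cc:00:00:10": "printer-floor2",
}

# Constructed sample of DHCP server log lines in ISC dhcpd's DHCPACK format.
# These are not real logs; the third and fourth entries are the planted anomalies.
SAMPLE_LOG = """\
Apr 29 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:00:00:01 (ws-amorosi) via eth0
Apr 29 09:12:44 dhcp1 dhcpd: DHCPACK on 10.0.1.24 to aa:bb:cc:00:00:02 (ws-grossman) via eth0
Apr 29 09:15:09 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to de:ad:be:ef:13:37 (kali) via eth0
Apr 29 09:16:30 dhcp1 dhcpd: DHCPACK on 10.0.1.25 to aa:bb:cc:00:00:10 (ws-contractor) via eth0
Apr 29 09:17:02 dhcp1 dhcpd: DHCPREQUEST for 10.0.1.23 from aa:bb:cc:00:00:01 via eth0
"""

# Only completed leases (DHCPACK) matter for "what is on the network"; the
# client-supplied hostname in parentheses is optional in dhcpd's output.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: str
    reason: str


def parse_acks(log_text):
    """Yield (ip, mac, hostname) for every DHCPACK line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host") or ""


def find_unauthorised(log_text, baseline=AUTHORISED_DEVICES):
    """Compare observed leases with the baseline. Two deviations are reported:
    a MAC that is not in the inventory at all, and a known MAC presenting a
    hostname other than the one the inventory records for it."""
    findings = []
    for ip, mac, host in parse_acks(log_text):
        expected = baseline.get(mac)
        if expected is None:
            findings.append(Finding(ip, mac, host, "unknown MAC: device not in asset inventory"))
        elif host != expected:
            findings.append(Finding(ip, mac, host, f"hostname mismatch: inventory says {expected!r}"))
    return findings


if __name__ == "__main__":
    for f in find_unauthorised(SAMPLE_LOG):
        print(f"{f.ip:<12} {f.mac}  {f.hostname or '-':<14} {f.reason}")
```

Two caveats a practitioner would raise. A hostname mismatch is often a legitimate rename rather than spoofing, so it belongs in a ticket queue, not a pager alert. And a MAC address is trivially forged, so a baseline check like this is a cheap tripwire that complements, and does not replace, port-level authentication (802.1X/NAC). The same shape of check applies to any other baseline the sweep asked about, such as the expected listening services per host.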


Testing Approaches

Testing Approaches

Black Box – Assessor not given any details
Grey Box – Assessor given limited knowledge
White/Crystal Box – Knowledge is openly shared with the assessor

The choice trades realism for coverage: a black box test approximates what an outside attacker would find with no inside help, while a white box test, given architecture, credentials and source, finds more weaknesses per hour of testing. The “Blackbox” vs. “Glassbox” distinction in the session topics is the same one.

Scoping

Internal and/or external
Number of devices within the network
Number of locations to visit
Sampling of all systems?
Including workstations?


Vulnerability Assessments

Internal and/or external
Determine the in-scope environment
Include external critical assets
Include disaster recovery sites

Discovery

Identification of network address space
Operating system fingerprinting
Open ports – assess all TCP/UDP ports 1-65535
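The discovery step above, as an added example (not code from the presentation or from any tool the presenters used): a parallel TCP connect scan that also records whatever banner a service volunteers, which is the raw material for service and operating system fingerprinting. So that it runs offline, the block starts its own throw-away listener on 127.0.0.1 with a constructed SSH-style banner; the host, the port window and the banner text are assumptions for the demonstration.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_sample_service(banner=b"SSH-2.0-OpenSSH_7.4\r\n"):
    """Constructed stand-in for a host on the in-scope network: a TCP listener on
    a kernel-chosen port that greets every client with a banner (the banner text
    is made up). Returns (listening_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was shut down by stop_sample_service()
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_sample_service(srv):
    """Wake the blocked accept() and release the port."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def probe_tcp(host, port, timeout=0.5):
    """Full TCP connect probe. Returns the banner (possibly empty) when the port
    accepted the connection, or None when it was closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)  # many services speak first (SSH, SMTP, FTP)
            except (socket.timeout, OSError):
                data = b""         # open, but the service waits for the client
            return data.decode("ascii", "replace").strip()
    except (OSError, OverflowError, ValueError):
        return None


def scan_tcp(host, ports, workers=64):
    """Parallel connect scan; returns {port: banner} for the ports that are open."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, probe_tcp(host, p)), ports)
    return {p: b for p, b in results if b is not None}


def demo():
    """Start the constructed service, scan a small window of ports around it and
    return (target_port, scan_results)."""
    srv, port = start_sample_service()
    try:
        window = range(max(1, port - 8), min(65535, port + 8) + 1)
        found = scan_tcp("127.0.0.1", window)
    finally:
        stop_sample_service(srv)
    return port, found


if __name__ == "__main__":
    target, found = demo()
    for p, banner in sorted(found.items()):
        print(f"{p}/tcp open  {banner or '(no banner)'}")
```

Two things the slide’s “all TCP/UDP ports 1-65535” glosses over. A connect scan completes the handshake and is therefore logged by the target, so production assessments normally use nmap -sS -p- for TCP, nmap -sU for UDP and -O or -sV for fingerprinting. And UDP cannot be scanned this way at all: a silent UDP port is indistinguishable from a filtered one without a protocol-specific probe, which is why UDP sweeps are slow and noisy. Scanning hosts without written authorization is the line between a test and an attack; the scoping agreed on the previous slides is what puts the assessor on the right side of it.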

Vulnerability Identification

Top vulnerability categories:

Unpatched applications
Default credentials
Excessive privileges and/or services
Vulnerable web application forms

Extra Tests on Internal Assessments

Wireless security assessment
Review of policies & procedures
Third-party connectivity
Vendor management program
Disaster recovery/business continuity plan
Security countermeasure configuration


Penetration Testing

Penetration Testing

Combining vulnerability assessments with penetration testing

Vulnerability & Exploit Correlation

Exploits often appear quickly after a vulnerability is released, so the interval between disclosure and patching is the period of greatest exposure. Common vulnerability classes behind those exploits:

Buffer overflows
Memory leaks
Race conditions
SQL injection

Exploitation

Credential Manipulation

Brute forcing passwords
Passing the hash
Default passwords
Cookie harvesting

Rogue Wireless Access Point

User connects to a rogue device
All traffic is now intercepted
User is still able to access systems and therefore believes everything is fine

Social Engineering

Any act that influences a person to take an action that may or may not be in their best interest.

Remote Social Engineering

Review of online content: LinkedIn, Facebook, Glassdoor, Twitter
Creation of a custom ruse
Execution: phishing, phone scams, fake customer/vendor engagements

On-Site Social Engineering

Casing of the building and learning daily office workflows
Google physical mappings
Building plans/blueprints/owner details
Ruse development
Exploitation: tailgating, planting USB/CD-ROM media, posing as vendor/customer

Web Application Assessments

Identify roles, forms and system details
Run scanning tools to identify potential weaknesses
Attempt exploitation to gain system or data access

• Cross-Site Scripting
• SQL Injection
• Role Escalation
• API Abuse
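The SQL injection item above, together with the “vulnerable web application forms” and “SQL injection” entries on the vulnerability assessment and exploit correlation slides, is the one most easily shown end to end. The Python below is an added example for this page, not code from the presentation or from any of the presenters: a login form’s query built by string formatting beside its parameterized fix, plus a scanner-style probe of the kind the “run scanning tools” step relies on, which tells the two apart. The user table, credentials and payloads are constructed for the demonstration and the database is in-memory SQLite, so nothing outside the process is touched.

```python
import sqlite3


def build_sample_db():
    """Constructed in-memory user table. Plaintext passwords are a second defect,
    kept only so the example stays short; a real assessment reports it separately."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret!", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flaw a web application assessment looks for: form input spliced straight
    into SQL text, so a quote in the input changes the query's structure.
    Returns (username, role) on a 'successful' login, else None."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    """Same query with bound parameters: the input is delivered to the engine as
    data and can never alter the statement, so quotes and comment markers are inert."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Payloads a tester submits to a login form (constructed; no victim system).
# Each pairs an injection in the username with a password known to be wrong,
# so any row coming back proves the password check was bypassed.
PAYLOADS = [
    ("alice' --", "wrong"),    # comments out the password clause: targeted takeover
    ("' OR 1=1 --", "wrong"),  # tautology: returns the first row, here the admin
]


def is_injectable(login_fn, conn):
    """Scanner-style check: a login that succeeds with a wrong password and an
    injection payload in the username is injectable."""
    for user, pwd in PAYLOADS:
        try:
            if login_fn(conn, user, pwd) is not None:
                return True
        except sqlite3.Error:
            # A syntax error on a stray quote is itself strong evidence of
            # string-built SQL; only confirmed bypasses are reported here.
            continue
    return False


if __name__ == "__main__":
    db = build_sample_db()
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(f"{name:<10} injectable={is_injectable(fn, db)}  "
              f"alice' -- => {fn(db, PAYLOADS[0][0], PAYLOADS[0][1])}")
```

Parameterization fixes the structural problem (input can no longer change the SQL); it does not fix the plaintext password storage in the sample table, which would be a separate finding. A commercial scanner does essentially what is_injectable does, at scale, with many more payloads and with error-based and timing-based variants for forms that never return a visible row.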

Physical Security

Red team or physical security walkthrough
Assess: locks, doors, windows, badging, hinges, cameras, motion sensors, other


Enforcement and Litigation Outlook

Cybersecurity Enforcement

SEC activity has been limited
Principally violations of the Reg S-P Safeguards Rule
Focus on failure to address known deficiencies
Actions predate the current regulatory focus
FTC remains the most aggressive agency

Safeguards Rule: 17 CFR § 248.30(a)

Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to: (1) Insure the security and confidentiality of customer records and information; (2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Who is Covered

“Customers” are “consumers” – individuals with a continuing relationship under which you provide financial products or services that are used primarily for personal, family, or household purposes.

(i) An individual is your consumer if he or she provides non-public personal information to you in connection with obtaining or seeking…investment advice.

(ii) An individual is not your consumer if you are an investment company and the individual purchases through a broker-dealer or investment adviser who is the record owner.

SEC Actions Against Advisers

LPL Financial Corporation, Adm. Proc. File No. 3-13181, IA Rel. No. 2775 (Sept. 11, 2008)

Deficiencies identified by internal audit: failure to use strong passwords; passwords widely disseminated; excessive session inactivity parameters
Unauthorized persons gained access and placed unauthorized trades
Settled order imposed a $27,000 fine and an independent consultant for two years

SEC Actions Against Advisers (cont.)

Commonwealth Equity Services, Adm. Proc. 3-13631, IA Release No. 2929 (September 29, 2009)

Dual registrant failed to mandate antivirus software use by registered representatives
IT staff failed to follow up aggressively on a registered representative’s report of a virus and requests for assistance
Intruder gained access through the virus and placed 18 orders for a single stock in customer accounts
Clearing broker detected the trades and further activity was blocked
Firm fined $100,000

FINRA Enforcement

FINRA actions involve the Safeguards Rule and NASD Rules 3010 and 3012 on supervisory responsibility

Actions focus on deficiencies in programs, even in the absence of customer harm:

Only general, vague summary policies that do not contain specific procedures on safeguarding of information
Policies provide “guidance,” “recommendations,” and “suggestions” as opposed to mandates
Lack of encryption, antivirus protection
Lack of training, lack of response planning
Failure to monitor or review or respond to deficiencies

SEC Actions Against Hackers

SEC has pursued hackers without sanctioning firms

Overseas hackers amass a large penny stock position in “legitimate” online accounts
Take control of online brokerage accounts to buy large quantities of these securities to inflate the price
Sell holdings from the “legitimate” accounts

SEC v. Marimuthu, C.A. No. 8:07CV94 (D. Neb. March 12, 2007) (innocent account holders lost $845,000); SEC v. Grand Logistic, Inc., C.A. No. 06-cv-15274 (S.D.N.Y. Dec. 16, 2006)

CFTC Enforcement

In the Matter of Interbank FX, LLC, CFTC Docket No. 09-11 (June 29, 2009)

CFTC Regulation 160.30 requires that FCMs, CTAs, CPOs and introducing brokers adopt policies and procedures that address the administrative, technical, and physical safeguards for the protection of customer records
Firm had no policy or procedures concerning the protection of consumer personal identifying information (PII)
While working on a systems upgrade, a software engineer was provided access and downloaded PII for 13,000 customers to a personal website

FTC Enforcement

Section 5 of the FTC Act outlaws “unfair or deceptive acts or practices” affecting commerce

FTC is the most aggressive enforcer: fifty cases since 2000; defective data security practices; deceptive statements about data use; far-reaching remedies

Authority challenged in FTC v. Wyndham Resorts (3d Cir.) and In the Matter of LabMD, Inc. (FTC). The challengers argue that Section 5 “unfairness” does not reach data security defects, and that there is no fair notice of what data security practices Section 5 forbids

Predictions

SEC enforcement staff has been largely silent on cybersecurity investigations
SEC will continue to focus on protecting individual information and assets
SEC will examine firms’ “critical infrastructure” that may or may not relate directly to customer accounts or identities
SEC will use the compliance rules to bring cases based on failures to adopt “reasonably designed” procedures addressing topics covered in “guidance”


Civil Litigation

Class actions by customers

Derivative actions against directors and officers

Securities actions

Lawsuits between targets and banks

56


Civil Litigation

Target Consumer Settlement

Over 100 million individuals affected

Settlement fund of $10 million

Claims up to $10,000 on showing of actual “loss”

Target/Mastercard Settlement

Small institutions object to settlement

Small institutions have higher per card losses

Settlement would release further claims by small issuers

57


Key Takeaways and Next Steps


Session 3 – Key Takeaways

VULNERABILITY / PATCH MANAGEMENT - The identification and remediation of known software weaknesses

Scan all internal and external systems to identify missing software patches

Identify software and hardware that is no longer supported by the vendor. Unsupported software does not have patches developed by the vendor

Have a documented process for how patches are implemented on your system from patch identification to implementation

Request reporting
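The patch management takeaways above (scan for missing patches, identify unsupported software, keep the process documented and reportable) can be turned into a repeatable check. The script below is an added example written for this page, not code from the seminar or its presenters; the hosts, product names, versions and end-of-support dates are constructed placeholders standing in for a scanner export and a vendor-published baseline. It flags three conditions a reviewer would want on the report: a version behind the vendor's current release, a product past its vendor support date (which stays "fully patched" yet will never receive another fix), and software with no baseline at all, and it lists external, internet-facing hosts first so remediation follows the deck's own ordering.

```python
"""Patch / end-of-support gap report over a constructed software inventory."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Baseline:
    """Vendor-published current version and end-of-support date (constructed)."""
    current_version: str
    end_of_support: Optional[date]   # None means no end-of-support date announced


# Constructed vendor baseline: product names, versions and dates are illustrative
# placeholders, not real vendor data.
VENDOR_BASELINE: Dict[str, Baseline] = {
    "ExampleOS":   Baseline("4.2.7", date(2026, 12, 31)),
    "LegacyOS":    Baseline("3.9.1", date(2014, 7, 1)),   # support already ended
    "WebServer":   Baseline("2.4.12", None),
    "OrderPortal": Baseline("7.1.0", date(2025, 1, 1)),
}

# Constructed inventory in the shape a scanner export might take:
# host, exposure (internal/external), software, installed version.
INVENTORY: List[dict] = [
    {"host": "web-01",   "exposure": "external", "software": "WebServer",   "version": "2.4.12"},
    {"host": "web-02",   "exposure": "external", "software": "WebServer",   "version": "2.4.9"},
    {"host": "trade-db", "exposure": "internal", "software": "LegacyOS",    "version": "3.9.1"},
    {"host": "hr-app",   "exposure": "internal", "software": "OrderPortal", "version": "7.0.3"},
    {"host": "wks-117",  "exposure": "internal", "software": "ExampleOS",   "version": "4.2.7"},
    {"host": "kiosk-3",  "exposure": "external", "software": "UnknownTool", "version": "1.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.9' into (2, 4, 9) so versions compare numerically, not as strings
    (as strings, '2.4.9' would sort after '2.4.12')."""
    return tuple(int(part) for part in v.split("."))


def assess_inventory(inventory: List[dict], baseline: Dict[str, Baseline],
                     as_of: date) -> List[dict]:
    """Return one finding per gap: MISSING_PATCH, UNSUPPORTED or NO_BASELINE."""
    findings: List[dict] = []
    for item in inventory:
        base = baseline.get(item["software"])
        if base is None:
            # Software the process has no vendor data for cannot be confirmed patched.
            findings.append({**item, "finding": "NO_BASELINE",
                             "detail": "not in vendor baseline; patch level unknown"})
            continue
        if base.end_of_support is not None and base.end_of_support <= as_of:
            findings.append({**item, "finding": "UNSUPPORTED",
                             "detail": f"vendor support ended {base.end_of_support.isoformat()}"})
        if parse_version(item["version"]) < parse_version(base.current_version):
            findings.append({**item, "finding": "MISSING_PATCH",
                             "detail": f"current vendor version is {base.current_version}"})
    # Internet-facing systems first, then by host, so the report reads in remediation order.
    findings.sort(key=lambda f: (f["exposure"] != "external", f["host"], f["finding"]))
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Counts by finding type, the headline numbers for the reporting the deck asks for."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


def example_report(as_of: date = date(2015, 4, 29)) -> List[dict]:
    """Run the assessment over the constructed inventory as of the seminar date."""
    return assess_inventory(INVENTORY, VENDOR_BASELINE, as_of)


if __name__ == "__main__":
    report = example_report()
    for f in report:
        print(f"{f['exposure']:8} {f['host']:9} {f['software']:12} "
              f"{f['version']:7} {f['finding']:14} {f['detail']}")
    print(summarize(report))
```

On the constructed data the report lists four gaps: the unknown tool on the external kiosk, the out-of-date external web server, the internal portal behind the current release, and the internal database host whose operating system is at its final version but past vendor support. The last case is the one a plain "missing patches" scan misses, which is why the deck lists unsupported software as its own step.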

PENETRATION TESTING - The identification and remediation of application functionality flaws (e.g., default configurations, application processing errors) that may lead to application compromises

Consider using a reputable 3rd party to conduct these reviews

Start with external, internet-facing applications that allow for the movement of funds and/or access to personal information (FFIEC), then focus on critical internal applications

Make certain that you are clear on what the results mean (i.e., business impact of risk exposure)

Develop remediation of identified gaps

59


Session 3 – Key Takeaways (cont.)

WIRELESS ACCESS TESTING – The identification and remediation of gaps related to the use of wireless devices

Determine / identify the company stance on the use of wireless networks

– Does your company permit wireless access points on its network for internal employees?

– Does your company provide wireless access points on its network for guests or visitors?

– Is the wireless network for guests / visitors segmented off the internal network?

Identify a reputable 3rd party vendor to test your network against the policy / company posture and identify gaps

Develop a project plan to remediate these gaps

SOCIAL ENGINEERING – Any attempt to trick or deceive an individual into providing information (e.g., account information) or taking an action (e.g., clicking a malicious link) that may lead to personal or corporate harm

Identify how these attacks may happen within your company (e.g., email, phone, client authentication)

Determine what your company and its clients can do to protect themselves

Develop training to educate the company on how to protect themselves (ongoing)

Develop training to educate your clients on how to protect themselves (ongoing)

Develop testing to determine training effectiveness

60


Next Steps for Advisers and Funds

1. Engage senior management and, if appropriate, the board of the adviser and any funds in the complex
2. Conduct a cybersecurity governance and risk assessment
3. Review and test the adequacy of existing compliance policies, business continuity plans, technical controls and other relevant procedures
4. Develop an incident response plan
5. Enhance employee training
6. Review vendor relationships
7. Review insurance coverage
8. Assess need for, and adequacy of, any public disclosures
9. Attend upcoming K&L Gates and Investment Adviser Association Cybersecurity Seminar Series programs

61


klgates.com

Cybersecurity Seminar Series Overview

Session 1 (February 27, 2015) Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program

Session 2 (March 23, 2015) Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers

Session 3 (Today) Testing Your Cybersecurity Infrastructure and Enforcement Related Developments

Session 4 (May 20, 2015) Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage

Session 5 (June 25, 2015) Building a Better Mousetrap – Evolving Trends in Cybersecurity Practices and Public Policy Developments

62


Speaker Contact Information

63

Mark C. Amorosi, Investment Management Partner, K&L Gates [email protected]

Laura L. Grossman, Assistant General Counsel, Investment Adviser [email protected]

Jason Harrell, Corporate SIRO – Investment Management, BNY [email protected]

Jeromie Jackson- CISSP, CISM, Director of Security & Analytics, Nth Generation, 858-451-2383, [email protected]

Jeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates [email protected]

Andras P. Teleki, Investment Management Partner, K&L Gates [email protected]


Additional Cybersecurity Resources

To access our firm’s additional cybersecurity related recorded webinars, presentations, articles and checklists please visit www.klgateshub.com.

64


THANK YOU
