
Cybersecurity and the regulator, what you need to know


DESCRIPTION

The U.S. Securities and Exchange Commission (“SEC”) has begun to focus in earnest on cybersecurity-related issues at the SEC’s regulated investment adviser and broker-dealer firms. In April 2014, the SEC Office of Compliance Inspections and Examinations (“OCIE”) announced its Cybersecurity Initiative in a National Exam Program (“NEP”) Risk Alert. In response, this presentation will cover compliance and technological aspects of a cybersecurity risk assessment and steps firms are taking to enhance cybersecurity protections.

3. Cybersecurity and the Regulator, What You Need to Know
July 24, 2014
Presented by: Patrick Shea, Partner, Cordium; James Hogbin, Director, IP Sentinel

4. Agenda
o Regulatory Focus on Cybersecurity
o Key Concerns Related to Financial Services
o Basic Practices
o Steps to be Taking
  o Risk Assessment
  o Controls related to 3rd Party Providers
  o Dealing with an Incident
  o Insurance
  o Training, Testing and Monitoring
o Why Security
o Threat Surface
o Protecting What
o From Who
o Security Posture
o Forensic Readiness
o Security Operations
o What do bad actors do & how to catch them
o Checklist

6. Part One
Patrick Shea, Partner, Cordium ([email protected])

8. Regulatory Focus on Cybersecurity
o Governments
  o EU: Cyber Security Strategy
  o US: The Comprehensive National Cybersecurity Initiative
  o UK: Office of Cyber Security and Information Assurance
o Regulators
  o CFTC: Staff Advisory No. 14-21, Gramm-Leach-Bliley Act Security Safeguards
  o SEC: OCIE Cybersecurity Initiative
  o FCA: FCA Risk Outlook 2014

9. Regulatory Focus on Cybersecurity
o SEC/OCIE Examination Priorities for 2014 include a focus on technology, including cybersecurity preparedness.
o January 2014: FINRA announces a targeted exam assessing its regulated firms' approaches to managing cybersecurity threats, to gather a better understanding and share findings with regulated firms.
o March 2014: SEC sponsors a Cybersecurity Roundtable.
  o Cyber threats are "first on the Division of Intelligence's list of global threats, even surpassing terrorism." SEC Chair Mary Jo White (Roundtable opening remarks).

10. Regulatory Focus on Cybersecurity
o April 2014 Risk Alert from the SEC outlines OCIE's cybersecurity initiative: examinations of more than 50 BDs and RIAs focused on:
  o the entity's cybersecurity governance;
  o identification and assessment of cybersecurity risks;
  o protection of networks and information;
  o risks associated with remote customer access and funds transfer requests;
  o risks associated with vendors and other third parties;
  o detection of unauthorized activity; and
  o experiences with certain cybersecurity threats.
o The Risk Alert included a sample document request, to be used during exams. It was provided to raise awareness and empower compliance professionals.

11. Key Concerns
o The financial services sector is vulnerable.
o Perception that cybersecurity is lacking and that awareness needs to be raised.
o Client data at risk: consumer protection.
o Well-established reliance on service providers: sensitive data is being transferred, so 3rd party security protocols are critical.
o Hackers have the upper hand.
o Insider risk: employees do things (intentionally or unintentionally) that compromise the firm's security.

12. Basic Practices
o A holistic approach is needed.
  o The threat to cybersecurity is NOT just an IT issue; it is a business issue and should be part of your firm's risk management function.
o Top-down approach to cybersecurity!
  o Create and perpetuate a culture of involvement and awareness.
  o Everyone at the firm should be involved, educated and regularly trained.
o Policies and procedures to be reviewed, upgraded and tailored to your firm.
o Past intrusions/breaches? Learn from them.

13. Steps to be Taking: Risk Assessment
o Identify your cybersecurity and physical threats, vulnerabilities and the potential consequences to your business.
o Determine what you have in place today with respect to cybersecurity.
  o What needs to be protected?
  o How are you presently managing/monitoring security? What technology? Who is responsible?
  o How are you managing employee access to the systems/data?
  o What data is leaving the firm? Where is it going?
o Answers to these questions help drive your Written Information Security Policy (WISP).

14. Steps to be Taking: Controls related to 3rd Party Providers
o Understand the cybersecurity policies and procedures of your vendors and key service providers.
o Focus on vendors with access to your network, customer data and/or other sensitive information.
o Gather their WISP and related documentation.
o Best practice: a questionnaire to be sent to vendors.
o Perform due diligence on, and monitor, their practices.
o Review your contracts with those vendors.
o Try to negotiate for prompt notice of any material incidents.

15. Steps to be Taking: Dealing with an Incident
o Simulations are an opportunity to test your plan in action.
o Detecting and reporting unauthorized activity.
  o Monitoring system (Who? What? How?)
  o Develop clear escalation procedures and robust cyber-incident response plans.
o Information sharing = transparency.
  o FINRA notification requirements.
  o OCIE wants to hear about significant issues and data breaches.
  o Information-sharing arrangements with law enforcement such as the FBI?
  o Possible reporting at State level.
  o Disclosure to investors/clients needed?

16. Steps to be Taking: Insurance
o Cyber liability insurance protection is an important step.
o Review your current policies.
o SEC Risk Alert: do you maintain insurance that specifically covers losses and expenses attributable to cybersecurity threats?
o Know what is covered and what is excluded.
o If/when you file claims, document the issues and the resolution.

17. Steps to be Taking: Training, Testing & Monitoring
o Educate all employees on risks and responses.
  o They are the front line of defense.
  o Help employees stay vigilant and teach them what to do if they spot an issue.
o Bring your plan to life through routine testing.
  o Part of your risk-assessment plan.
  o Focus on key risks as they relate to your business.
o Develop a monitoring program so risks and/or breaches can be promptly identified, reviewed and resolved.
o Don't stop there: document, and consider whether you need to report to authorities and/or clients.

18. Part Two
James Hogbin, Director, IP Sentinel ([email protected])

20. The Facts
o If a skilled hacker/state actor wants to get in to your systems, they will.
o The biggest threat is your existing staff.
o It is a case of when, not if.
o It is still important to try to prevent breaches; when they happen it is essential to detect them, know their scope and be able to remediate the damage.

21. Why Security?
o Government and regulatory focus (discussed above).
o Market participants:
  o "Cyber-crime, Securities Markets and Systemic Risk" (CPSS-IOSCO and the World Federation of Exchanges, WFE): 53% of the 46 exchanges surveyed had been subject to a cyber-attack over the preceding 12 months.
  o "Beyond the Horizon: A White Paper to the Industry on Systemic Risk" (Depository Trust & Clearing Corporation, DTCC): identified cyber-crime as the biggest threat to market stability, putting it ahead of counterparty risk and concentration risk at central counterparty clearing houses (CCPs).
  o 70% of managers do not feel well prepared to deal with a cyber-security threat (cooconnect.com, 2014).

22. Threat Surface
(diagram)

23. Protecting What?
o Company information
  o Trading models
  o CRM data: clients and prospects
  o Investment agreements
  o Trading arrangements
  o Personnel information
  o Company brand
o Company systems
  o Bank accounts/payroll
  o Trading infrastructure
  o Payment processing

24. From Who?
o Information leakage
  o Employees, 37% of the time (mistake or deliberate)
  o System glitch, 29% of the time
  o External bad actors, 34% of the time
    o Malware
    o Ransomware
    o Remote access/control
    o Fraud
    o Theft
    o Processing cycles: Bitcoin mining
    o Data storage: hosting illegal content
    o Network capacity: DDoS

25. Security Posture
o Traditional "citadel" approach: hard outer shell, soft core. Once you're in, you're in!
o Current thinking:
  o Layered security
  o Digital sand traps
  o SIEM = log aggregation and monitoring
  o TRAINING: it will happen, so be prepared.

26. Security Operations: how does a good hacker behave?
o Like a normal employee, NOT a "L33t Hax0r": nothing obviously out of the ordinary.
o Will attempt to enter, elevate privileges and retain access.
o Look for odd usage patterns:
  o e.g. a dev user looking at Sales.xls
  o Logins at odd times
  o Sequential access to systems
  o Unusual traffic to or from devices (network or protocol, e.g. SNMP, HTTP)
  o Unusual services on devices (web server, ssh, rdp, etc.)

27. Security Operations: how to frustrate L33t Hax0rs
o Staff training
o Segmented networks with air gaps
o Regular internal device asset scans
o Multi-layer security
o Keep everything patched
o Remove server banner information
o Outbound as well as inbound firewall

28. Security Operations: how to find them
o Staff training
o Treat the entire thing as insider threat, because it is.
o Centralise log management and use it (demo: http://fingerprint.ip-sentinel.com, user=demo, password=demo)
o Detect rate-based metrics across the environment
o Honey trap servers
o Seed CRM data
o Network traffic/protocol analysis and monitoring
o Regular device service scanning
o Firewall/web proxy configuration
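What the "odd usage patterns" on slide 26 and the "rate-based metrics" and "seed CRM data" points on slide 28 amount to in a SIEM is a handful of correlation rules over centralised logs. The following is an added example, not code from the deck or from IP Sentinel: a small Python rule set run over constructed log lines, flagging a login at an odd hour, a dev user reading Sales.xls, one user reaching several hosts in sequence, a burst of failed logins, and any touch of a seeded CRM record. The log format, the user-to-department lookup, the seeded record ID and every threshold are assumptions made for the illustration.

```python
"""Toy SIEM rules for the 'odd usage patterns' on slide 26 and the
rate-based / seeded-data detections on slide 28.

Added example; not code from the deck or from IP Sentinel. The log format,
the HR department lookup, the seeded CRM record and every threshold are
assumptions made for illustration, and the log lines are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- Assumed policy knobs (not from the deck) ----------------------------
BUSINESS_HOURS = (7, 20)                                  # 07:00-19:59 is "normal"
LATERAL_HOSTS, LATERAL_WINDOW = 3, timedelta(minutes=10)  # distinct hosts per window
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)     # rate-based metric
DEPARTMENT = {"alice": "dev", "bob": "sales"}             # stand-in for an HR feed
SEEDED_CRM_RECORDS = {"P-000000"}                         # honeytoken: no real workflow reads it

# Constructed log lines: "<timestamp> <user> <source host> <event> <target>".
# target is a host for logins, a UNC path for file reads, a record id for CRM reads.
SAMPLE_LOG = r"""
2014-07-21T09:02:10 alice ws-dev-01 login_ok ws-dev-01
2014-07-21T09:05:31 alice ws-dev-01 file_read \\fs01\dev\build.log
2014-07-21T22:47:03 alice ws-dev-01 login_ok fs01
2014-07-21T22:48:15 alice ws-dev-01 file_read \\fs01\sales\Sales.xls
2014-07-21T22:49:40 alice ws-dev-01 login_ok db01
2014-07-21T22:51:02 alice ws-dev-01 login_ok crm01
2014-07-21T22:51:30 alice ws-dev-01 crm_read P-000000
2014-07-22T10:14:00 bob ws-sales-03 login_fail crm01
2014-07-22T10:14:05 bob ws-sales-03 login_fail crm01
2014-07-22T10:14:10 bob ws-sales-03 login_fail crm01
2014-07-22T10:14:15 bob ws-sales-03 login_fail crm01
2014-07-22T10:14:20 bob ws-sales-03 login_fail crm01
2014-07-22T10:14:25 bob ws-sales-03 login_fail crm01
2014-07-22T10:15:10 bob ws-sales-03 login_ok crm01
2014-07-22T10:20:00 bob ws-sales-03 file_read \\fs01\sales\Sales.xls
"""


def parse(log_text):
    """Parse the constructed format into dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, event, target = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "event": event, "target": target})
    return sorted(events, key=lambda e: e["ts"])


def share_department(unc_path):
    # \\server\share\file -> share name; in this toy the share name is the owning department.
    parts = [p for p in unc_path.split("\\") if p]
    return parts[1] if len(parts) > 1 else None


def detect(log_text):
    """Return (rule, detail) alerts for the five patterns the slides call out."""
    alerts = []
    logins = defaultdict(list)  # user -> [(ts, host)] successful logins
    fails = defaultdict(list)   # user -> [ts] failed logins
    for e in parse(log_text):
        ts, user, target = e["ts"], e["user"], e["target"]
        if e["event"] == "login_ok":
            # Logins at odd times: outside business hours or at the weekend.
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1] or ts.weekday() >= 5:
                alerts.append(("odd_time_login", f"{user} -> {target} at {ts}"))
            # Sequential access to systems: one user reaching several hosts quickly.
            logins[user].append((ts, target))
            recent = {h for t, h in logins[user] if ts - t <= LATERAL_WINDOW}
            if len(recent) == LATERAL_HOSTS:  # fire once, as the count crosses the line
                alerts.append(("sequential_host_access",
                               f"{user} reached {sorted(recent)} within {LATERAL_WINDOW}"))
        elif e["event"] == "login_fail":
            # Rate-based metric: a burst of failures inside a short window.
            fails[user].append(ts)
            burst = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            if len(burst) == FAIL_THRESHOLD:  # fire once per burst
                alerts.append(("login_failure_burst",
                               f"{user}: {len(burst)} failures on {target} within {FAIL_WINDOW}"))
        elif e["event"] == "file_read":
            # The "dev user looking at Sales.xls" case: share owner != user's department.
            dept = share_department(target)
            if dept and dept != DEPARTMENT.get(user):
                alerts.append(("cross_department_file_access",
                               f"{user} ({DEPARTMENT.get(user)}) read {target}"))
        elif e["event"] == "crm_read" and target in SEEDED_CRM_RECORDS:
            # Seeded CRM data: any touch of the planted record is suspicious by construction.
            alerts.append(("honeytoken_crm_record", f"{user} read seeded record {target}"))
    return alerts


def alert_counts(log_text):
    """Alerts per rule: the figure a SIEM dashboard would chart over time."""
    return dict(Counter(rule for rule, _ in detect(log_text)))


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"{rule:30s} {detail}")
```

Run stand-alone it lists seven alerts: three late-night logins by alice, her read of the sales share, her reach into three hosts inside ten minutes, the touch of the seeded CRM record, and one burst of failed logins by bob. The point of the "fire once as the count crosses the threshold" checks is to keep each pattern to a single ticket; a rule that re-fires on every subsequent event trains analysts to ignore it, which is exactly how the normal-looking intruder on slide 26 stays hidden.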
29. Hackers need only be lucky once; you have to be good all the time.

30. Questions?