Presentation for FPANJ Spring 2015 Conference

1. CYBER SECURITY, FPANJ Spring Conference 2015
2. Threat is Real
3. Who Needs A Gun?
   • May Cost Sony $100 Million
   • Leaked Personal Information
     – Sensitive Emails
     – What actor wants to do business with Sony?
   • Operations severely hampered
   • Exposure of Trade Secrets
   • Target cost $148 Million
     – 1 to 3 million credit card numbers stolen
     – plus millions of customers' information
4. Hackers Compromised 76 Million Household Accounts (October 15, 2014)
5. Passwords
   • A joke about passwords has won a competition for the funniest joke at the Edinburgh Fringe.
   • What would be a great password that is eight characters long?
6. Answer
7. Cyber Security Is No Joke
   • Reuters - Thu Apr 23, 2015 12:26pm EDT
   • U.S. House passes second 'threat-sharing' cybersecurity bill
     – The U.S. House of Representatives voted overwhelmingly on Thursday to pass a bill that extends liability protection for companies that share information about cyber attacks, if they give the data to the U.S. Department of Homeland Security.
8. What are the Regulators Doing?
   • SEC held a Cyber Security Roundtable in March 2014
   • Former SEC Commissioner Luis Aguilar
     – He was particularly concerned about capital markets and regulated entities.
     – A cyber-attack on an exchange or a market participant can have broad consequences that impact public companies and investors.
9. SEC Roundtable
   • SEC Chairperson Mary Jo White
     – Cybersecurity threats are real
       · Criminals and hired hackers
       · Terrorists
       · State-sponsored intruders
       · Misguided computer experts
     – Resources devoted to cyber-based threats will eclipse resources devoted to terrorism.
     – 2011 SEC Guidance to Public Companies
10. SEC Roundtable
   • Proposed rule on Regulation Systems Compliance and Integrity was adopted in 2015
     – Requires certain entities, SROs and large alternative trading platforms, to test their vulnerabilities, test their business continuity and disaster recovery plans, and notify the SEC of cyber intrusions.
     – SEC is now considering whether to adopt a similar rule for other regulated entities.
11. SEC Cyber Security Activities
   • April 14, 2014: SEC issued a National Exam Program Risk Alert
   • Office of Compliance Inspections and Examinations ("OCIE")
     – SEC will inspect 50 broker dealers and registered investment advisors
12. SEC Cyber Activities
   • 2014: SEC published a sample list of requests for information that OCIE may use in conducting examinations regarding cyber security.
     – Identification of Risks/Cybersecurity Governance
     – Protection of Firm Networks and Information
     – Risks Associated with Remote Customer Access and Funds Transfer Requests
13. SEC Cyber Activities Continued
     – Risks Associated with Vendors and Other Third Parties
     – Detection of Unauthorized Activity
     – Experiences with certain cybersecurity threats
       · Does the firm have an updated supervisory procedure to reflect the Identity Theft Red Flags Rules?
       · Regulation S-ID
14. SEC Cyber Activities Continued
   • SEC Examination Priorities Letter of January 9, 2014 did not mention cyber security.
   • SEC Examination Priorities Letter for 2015 specifically referenced expanding its cyber security examinations.
15. SEC Cyber Activities Continued
   • February 3, 2015: SEC issues a National Exam Program Risk Alert
     – Cyber Security Examination Sweep Summary
     – Summary of Observations
       · Examined 57 broker dealers
       · Examined 49 RIAs
     – Vast majority have adopted written information security policies.
       · Business Continuity Plans often address the impact of a cyber attack.
16. SEC Cyber Activities Continued
       · Policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents.
       · Many firms are utilizing external standards.
     – Vast majority of firms conduct periodic risk assessments.
       · Fewer firms apply these requirements to their vendors.
     – A vast majority of the firms have been subject to a cyber attack.
17. SEC Cyber Activities Continued
     – Many firms identify best practices through information sharing networks
       · Financial Services Information Sharing and Analysis Center: https://www.fsisac.com/
     – Firms inventory, catalogue, and map their technology resources.
     – Most brokers incorporate requirements relating to cybersecurity risks in their 3rd party vendor contracts.
18. SEC Cyber Activities Continued
     – A minority of RIAs incorporate requirements relating to cybersecurity risks in their 3rd party vendor contracts.
     – Almost all the brokers and RIAs use encryption.
     – Over 50% of the brokers examined have a Chief Information Security Officer ("CISO").
     – Less than 50% of the RIAs examined have a CISO.
     – Use of cybersecurity insurance varied.
19. FINRA
   • Issued a Report on Cybersecurity Practices in February 2015
   • Key points in the Report
     – A sound governance framework with strong leadership is essential.
     – Risk assessments serve as foundational tools to understand cybersecurity risks.
     – Technical controls are highly contingent on the firm's individual situation.
20. FINRA Continued
     – Firms should develop, implement and test response plans.
       · Containment and mitigation, eradication and recovery, investigation, notification and making customers whole.
     – Firms should manage cybersecurity risks and exposures when providing vendors with access to sensitive firm or client information.
     – Well-trained staff are critical.
     – Take advantage of information sharing networks.
21. SEC Cybersecurity Enforcement Activities
   • Generally, the SEC in comment letters requires public companies to disclose past cyber incidents.
   • Public companies are increasingly disclosing and discussing cyber risks.
   • SEC currently has a number of enforcement investigations involving data breach events.
   • SEC noted that cybersecurity is high on the Enforcement Division's radar.
22. SEC Cybersecurity Enforcement Actions
   • SEC examining corporate disclosures made in the wake of recent cyber attacks on public companies and others.
     – Was the incident material?
     – Were the disclosures appropriate?
   • SEC focusing on cyber controls by broker dealers and RIAs.
23. SEC Cybersecurity Enforcement Actions
     – Regulation S-P, 17 C.F.R. Part 248 Subpart A
       · Broker dealers and RIAs required to adopt written supervisory policies and procedures that address the protection of customer records and information.
     – A data breach could potentially trigger a Regulation S-P violation.
24. Thoughts on Development of a Cyber Security Defense Program
   • Governance and Risk Management
     – Define a governance framework.
     – Ensure senior management is actively involved.
     – Identify standards to address cybersecurity.
     – Dedicate resources to achieve an acceptable risk environment.
     – Perform a cybersecurity risk assessment.
25. Thoughts on Development of a Cyber Security Defense Program
   • Cybersecurity Risk Assessment
     – Regular, periodic assessment.
     – Identify and maintain an inventory of assets authorized to access the firm's network.
     – Conduct comprehensive assessments that include:
       · Assessment of internal and external threats
       · Prioritized recommendations to remediate risks.
   • Technical Controls
     – Select controls appropriate to the firm's technology and threat environment.
26. Thoughts on Development of a Cyber Security Defense Program
   • Incident Response Planning
     – Prepare for incidents that the firm believes are most likely to happen.
       · Loss of customer personal information
       · Network intrusion
       · Customer account intrusion
       · Malware infection
     – Eradication and Mitigation Plans
27. Thoughts on Development of a Cyber Security Defense Program
   • Vendor Management
     – Perform due diligence
     – Establish contractual terms for sensitive information
     – Ongoing due diligence
     – Procedures to terminate the vendor's access to firm systems.
   • Staff Training
   • Cyber Intelligence and Information Sharing
   • Cyber Insurance
28. Conclusion
   Thank You
   William A. Despo, Esq.
   LeClairRyan
   One Riverfront Plaza
   1037 Raymond Boulevard, 16th Floor
   Newark, New Jersey
   (973) 491-3325
   william.despo@leclairryan.com