Cybercrime and Regulatory Priorities for Cybersecurity

NRS Technology and Communication Compliance Forum
© Copyright 2014 by K&L Gates LLP. All rights reserved.
Sean P. Mahoney
sean.mahoney@klgates.com
K&L Gates LLP
State Street Financial Center
One Lincoln Street
Boston, MA 02111
(617) 261-3202
WHAT WE WILL COVER TODAY

- Drivers of cybercrime on your firm
- Activities that increase risk
- Exploring real life examples
- SEC pilot exams and NEP Sweep Alert
- Current relevant regulation
- Current efforts of FINRA and SEC
- Managing implications of increased accountability
DRIVERS OF CYBERCRIME ON YOUR FIRM

- Verizon 2014 Data Breach Investigations Report identifies the following threats:
  - POS intrusions
  - Cyber-espionage
  - Web app attacks
  - Insider misuse
  - Crimeware
  - Miscellaneous errors
  - Card skimmers
  - Physical theft/loss
  - DoS attacks
  - Other
- Web app attacks and POS intrusions appear to be on the rise
- Web app attacks and DoS attacks are the most prevalent cyber-attacks in financial services
- According to the American Bankers Association, two-thirds of the instances of unauthorized access are the result of phishing attacks
- Success rate of phishing emails is approximately 18% according to Verizon
- Motivation for attacks generally falls within three broad categories:
  - Financial gain
  - Ideologically motivated attacks (social, political or sport/narcissism)
  - State sponsored
ACTIVITIES THAT INCREASE RISK

- Connectivity
- Devices
- Networks/clouds
- Products
- Use of vendors
- Use of humans
EXPLORING REAL LIFE EXAMPLES

- Data management makes responses manageable
  - Need to know what data was accessed or could be compromised
  - In some cases, need to be able to identify data subjects in order to reduce reporting obligations
- Watch for behaviors indicative of employees who may be ready to leave the company
- Control access
  - Employees
  - Vendors
- Monitor application vulnerabilities and log installation of patches and security updates
- Test process for user access when passwords or credentials are lost
- Test user susceptibility to phishing attempts
SEC PILOT EXAMS AND SWEEP ALERT

- SEC approach historically has appeared sporadic
  - Sparse regulations (S-P, S-ID, compliance program rules, Rule 15c3-5 for broker-dealers)
  - Enforcement actions under Regulation S-P following hacking events
  - Proposed information security program/data security breach reporting regulations
- This year:
  - SEC Roundtable
  - OCIE alert
- Takeaways from SEC Roundtable
  - Identify most significant risks and focus resources on addressing them
  - A static set of policies is not sufficient
  - Aim for a well-conceived, flexible, and forward-thinking program to address ever-changing risks
  - The industry is collaborating
  - Financial Services Information Sharing and Analysis Center
  - Have an incident response plan
- April 15, 2014 -- SEC OCIE published a National Exam Program Risk Alert setting forth OCIE expectations for RIAs and BDs with respect to cybersecurity
  - 50 RIAs and BDs will be examined
  - Alert includes a sample document request
  - Main takeaway is that SEC expects RIAs and BDs to use the National Institute of Standards and Technology (NIST) Framework
- Specific documents requested (or expected)
  - Written information security policy (Regulation S-P, Regulation S-ID, Massachusetts)
  - Documentation of responsibilities of employees and managers for cybersecurity
  - Written guidance and periodic training for employees and vendors
  - Data destruction policy (Regulation S-P; Massachusetts; FACT Act)
  - Records management program is essential for cybersecurity and for a number of other reasons
  - Written cybersecurity incident response policy (i.e., “playbook”)
  - Written policy and training addressing removable and mobile media
  - Vendor management
    - Information security questionnaires
    - Cybersecurity contractual requirements
  - Written incident alert thresholds
- Other requests (or expectations)
  - Written inventories and assessments
  - Chief Information Security Officer
  - Identification of standards (such as NIST) used by firm
  - Expectation that firm has process to keep up with emerging best practices (e.g., FS-ISAC)
  - Protection against DDoS attacks
  - Cybersecurity insurance
CURRENT RELEVANT REGULATION

- Laws that protect information
  - SEC rules
  - Title V of Gramm-Leach-Bliley
  - State laws
  - Fair Credit Reporting Act/Regulation S-ID
- Regulatory data security standards
  - FFIEC
  - NIST Framework
- Regulatory business continuity standards
- Rule 15c3-5 (Exchange Act)
  - Requires broker-dealers with market access to maintain policies and procedures to protect “information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction”
  - Seems to be viewed as imposing a general requirement to address cybersecurity
- Rule 206(4)-7 (Advisers Act); Rule 38a-1 (’40 Act)
  - Require compliance policies and procedures
  - SEC noted in preamble to Rule 38a-1 that business continuity obligations fall under advisers’ fiduciary duties
- FINRA Rules
  - 3012/3020 – risk management
  - 4370 – business continuity
- Title V of the Gramm-Leach-Bliley Act
  - Title V of the GLBA protects “nonpublic personal information,” which is defined as any personally identifiable financial information
    - provided by a consumer to a financial institution
    - resulting from a transaction by a consumer with a financial institution
    - otherwise obtained from a financial institution
  - NPI includes customer lists
- GLBA Safeguards Rule
  - All financial institutions must develop a written information security plan that must:
    - be appropriate to the financial institution's risk profile
    - designate the employee or employees to coordinate
    - identify and assess the risks
    - evaluate the effectiveness of current safeguards for mitigating risks
    - select appropriate service providers and require them to implement the safeguards
    - evaluate the program
- State data security and breach reporting laws
  - State laws enacted in response to data security breaches and growing concern of identity theft
  - Most statutes impose data security breach notification requirements
  - Some states, most notably Massachusetts, impose an obligation to adopt policies and procedures to protect information
    - Compliance with Interagency Standards is often sufficient
  - Information protected generally consists of a name plus another identifier that would enable a person to obtain credit or access an account
- Interagency Guidance on Authentication (applicable only to banks)
  - Requires risk assessments taking into account new and evolving threats
  - Sets expectation of layered security
    - Fraud detection and monitoring
    - Dual authorization through different access devices
    - Use of out-of-band verification for transactions
    - IP reputation-based tools
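The layered controls listed above (risk assessment, out-of-band verification, dual authorization from a different access device, IP reputation tools, fraud review) combined into a single transfer-authorization check; this is an added illustration, not text or code from the presentation or from any regulator. The thresholds, the IP reputation set and the known-device store are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholders standing in for an IP reputation feed and a
# device-fingerprint store; a real deployment queries live services for both.
BAD_IP_REPUTATION = {"203.0.113.7"}
KNOWN_DEVICES = {"cust-1": {"dev-A"}}

OOB_THRESHOLD = 1_000.00         # assumed: above this, out-of-band confirmation needed
DUAL_AUTH_THRESHOLD = 10_000.00  # assumed: above this, a second approver needed

@dataclass
class Transfer:
    customer: str
    device: str
    ip: str
    amount: float
    oob_confirmed: bool = False
    # (approver, device) pairs recorded for this transfer
    approvals: list = field(default_factory=list)

@dataclass
class Decision:
    allowed: bool
    required: list   # controls still outstanding before the transfer may proceed
    reasons: list    # risk signals the assessment found

def assess(t: Transfer) -> Decision:
    """Layered check: collect risk signals, then the controls each layer demands."""
    reasons = []
    if t.ip in BAD_IP_REPUTATION:
        reasons.append("bad_ip_reputation")
    if t.device not in KNOWN_DEVICES.get(t.customer, set()):
        reasons.append("unrecognized_device")
    if t.amount > OOB_THRESHOLD:
        reasons.append("high_value")

    required = []
    # Layer 1: any risk signal must be confirmed out-of-band (e.g. a call-back)
    if reasons and not t.oob_confirmed:
        required.append("out_of_band_verification")
    # Layer 2: large transfers need a second approver on a different device
    if t.amount > DUAL_AUTH_THRESHOLD:
        if not any(a != t.customer and d != t.device for a, d in t.approvals):
            required.append("dual_authorization")
    # Layer 3: a known-bad source IP is routed to fraud review regardless
    if "bad_ip_reputation" in reasons:
        required.append("fraud_review")
    return Decision(allowed=not required, required=required, reasons=reasons)
```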
- FFIEC Information Security Handbook
  - Serves as bank examination manual for compliance with GLBA Safeguards Rule
  - Establishes information security risk management process
    - Information security risk assessment
    - Information security strategy
    - Security controls implementation
    - Security monitoring
    - Security process monitoring and updating
- FFIEC Business Continuity Handbook
  - Business continuity planning process includes
    - Policy by which firm manages identified risks
    - Allocation of resources and knowledgeable personnel
    - Independent review
    - Training and awareness
    - Regular, enterprise-wide testing
    - Continuous updating to adapt to changing environment
  - Policy should address
    - Continuity planning process
    - Prioritization of business objectives and critical operations essential for recovery
    - Integration with financial markets
    - Integration with vendors and outsourced services
    - Regular updates in response to changes in business processes, audit recommendations and testing
  - Principal tools in continuity planning
    - Data synchronization tools
    - Pre-established crisis management team
    - Incident response procedures
    - Remote access
    - Employee training
    - Clear notification standards
    - Insurance
- NIST Framework
  - Risk management/process management approach
  - Scalable
  - “Core” set of cybersecurity activities
    - Identify
    - Protect
    - Detect
    - Respond
    - Recover
CURRENT EFFORTS OF FINRA AND SEC

- FINRA and the SEC are clearly moving to a risk-based framework for cybersecurity
  - Using newly discovered authority as systemic or prudential regulators of securities industry
  - SEC roundtable provided informal guidance
  - SEC OCIE NEP Alert provides clearest outline of regulatory expectations to date
  - FFIEC guidance is also worth tracking
- Expectation that all financial institutions maintain current awareness of cybersecurity threats
  - FFIEC “encourages” all financial institutions to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
  - Other sources to monitor:
    - FBI InfraGard (www.infragard.org)
    - U.S. Computer Emergency Readiness Team (www.us-cert.gov)
    - U.S. Secret Service Electronic Crimes Task Force (www.secretservice.gov/ectf.shtml)
- After assessing cybersecurity at 500 community banks, FFIEC commented on the following:
  - Cybersecurity Inherent Risk
    - Connection types
    - Products and services
    - Technologies used
  - Cybersecurity Preparedness
    - Risk management
    - Threat intelligence and collaboration
    - Cybersecurity controls
    - External dependency management
    - Cyber incident management and resilience
- SIFMA White Paper
  - Industry is asking for regulatory guidance on cybersecurity
  - Outlines 10 risk-based principles
  - Avoid prescriptive rules
  - Industry needs guidelines to demonstrate compliance and proper risk management
  - Current inspection and post-breach enforcement action model does not work
  - May be the beginning of the conversation
INCREASED ACCOUNTABILITY

- An integrated approach to data security is key
  - Involve human resources -- humans are often the weak link in cybersecurity
  - Business managers need to be involved in technical solutions -- a secure environment has to be usable or people will work around it
  - Compliance
  - Information systems
  - Physical security
- Understand tools and technology available
  - IT professionals need to train others on current capabilities and possible expansion
  - Where monitoring is conducted, follow-through is critical
- Data needs to be managed
  - Records retention/destruction schedules
  - Many legal implications (spoliation, statutory and regulatory retention requirements)
- Vendors need to be managed
- Document everything
  - Regulated institutions must prove that they manage risks
- Have incident response teams in place
  - Playbook in place
  - Have public relations firm ready
  - Include outside counsel and attorney/client privilege