© Copyright 2015 by K&L Gates LLP. All rights reserved.
Testing Your Cybersecurity Infrastructure and
Enforcement Related Developments
Mark C. Amorosi, Investment Management Partner, K&L Gates LLP
Laura L. Grossman, Assistant General Counsel, Investment Adviser Association
Jason Harrell, Corporate SIRO – Investment Management, BNY Mellon
Jeromie Jackson, CISSP, CISM, Director of Security & Analytics, Nth Generation
Jeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates LLP
Andras P. Teleki, Investment Management Partner, K&L Gates LLP
Investment Management Cybersecurity
Seminar Series Overview
Session 1 (February 27, 2015)
Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program
Session 2 (March 23, 2015)
Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers
Session 3 (Today)
Testing Your Cybersecurity Infrastructure and Enforcement Related Developments
Session 4 (May 20, 2015)
Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage
Session 5 (June 25, 2015)
Building a Better Mousetrap – Evolving Trends in Cybersecurity Practices and Public Policy Developments
klgates.com
Session 3 Topics
Cybersecurity Compliance Testing under Rule 206(4)-7 and Rule 38a-1 – CCO Responsibilities for Cybersecurity Matters
Leveraging the OCIE 2014 Cybersecurity Sweep Examination Letter
Vulnerability Assessments and Penetration Testing – What are the Differences and What do these Tests Tell You about Your Cybersecurity Defenses
“Blackbox” vs. “Glassbox” Testing
Interpreting and Prioritizing Testing Results
What the SEC, FINRA, CFTC, FTC and Other Regulators Have Said about Enforcement Priorities around Cybersecurity
Cybersecurity Litigation and Enforcement Round-Up
Cybersecurity at the Top of the SEC’s Mind
Corp Fin Guidance (2011)
Commission Roundtable (2014)
OCIE Sweep and Risk Alert (2014/15)
OCIE Examination Priority (2015)
Numerous references in staff remarks
IM Guidance Update (New – April 28, 2015)
Overview of the Legal Framework
Regulation S-P (including “Safeguards Rule”)
Regulation S-ID (Identity Theft Red Flags)
IAA Rule 206(4)-7 and ICA Rule 38a-1 (Compliance Rules)
IAA Rule 204-2(g) and ICA Rule 31a-2(f) (Electronic Recordkeeping Rules)
ICA Rule 30a-3 (Internal Controls)
Disclosure Considerations
Overview of Legal Framework (cont’d)
Business continuity plans
Suspicious activity reporting
CFTC Regulations, Part 160.30
FTC enforcement of Section 5 of FTCA
Practically every state has enacted laws relating to cybersecurity, including information security program and data breach notification requirements
IM Guidance Update (April 28, 2015)
SEC staff identified a number of measures that advisers and funds may wish to consider in addressing cybersecurity risk, including:
Conduct a periodic assessment of: (1) the information held and systems used by the firm; (2) threats and vulnerabilities; (3) existing controls; (4) potential impact of an incident; and (5) the cybersecurity governance structure
Create a strategy designed to prevent, detect and respond to threats, which may include: (1) access and technical network controls; (2) encryption; (3) restricting use of removable storage media and deploying software that monitors for threats and incidents; (4) data backup and retrieval; and (5) the development of an incident response plan. Routine testing of strategies could also enhance the effectiveness of any strategy
Implement the strategy through written policies and procedures and training
IM Guidance Update (cont.)
Potential implications for compliance programs and regulatory risk exposure:
“In the staff’s view, funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks….[F]unds and advisers may wish to consider reviewing their operations and compliance programs and assess whether they have measures in place that are designed to mitigate their exposure to cybersecurity risk.”
Staff stated that compliance policies and procedures could address cybersecurity risks relating to identity theft and data protection (Regulations S-P and S-ID), business continuity, and fraud (Codes of Ethics – insider threats), “as well as other disruptions in service that could affect, for instance, a fund’s ability to process shareholder transactions” (Section 22(e) and Rule 22c-1).
Cybersecurity Compliance Considerations
under Rule 206(4)-7 and Rule 38a-1
Compliance Program Requirements
IAA Rule 206(4)-7 and ICA Rule 38a-1 together require registered investment advisers and registered funds to (1) designate a chief compliance officer (“CCO”), (2) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, and (3) review annually the adequacy and effectiveness of such policies and procedures
Cybersecurity compliance policies and procedures that address requirements under the federal securities laws should be included in compliance programs and evaluated as part of the annual review, which should include risk assessments, policy and procedure reviews, and service provider reviews
SEC Cybersecurity Sweep Examinations
SEC Sweep Exam Findings on CCO Involvement in Cybersecurity
Significant majority of advisory firms assign information security responsibilities to Chief Technology Officers or to other senior officers, including Chief Compliance Officers, to liaise with third-party consultants who are responsible for cybersecurity
Less than a third of the examined advisers (30%) have a Chief Information Security Officer
2014:
OCIE Risk Alert and Sweep Exams
2015:
OCIE Sweep Exam Summary and IM Guidance Update
Future Initiatives: OCIE Exam Priority for 2015
Other Regulators?
CCO Potential Liabilities
“I need to be clear that we have brought – and will continue to bring – actions against legal and compliance officers when appropriate” – SEC Enforcement Director Andrew Ceresney, Keynote Address at Compliance Week 2014 (May 20, 2014)
Numerous enforcement actions against CCOs for a variety of alleged failures, including (1) failure to implement appropriate procedures to address risks and (2) failure to adequately assess effectiveness of those procedures
CCO Planning Items
1. Conduct cybersecurity risk assessment
2. Incorporate cybersecurity compliance risks into the firm’s risk matrix
3. Review adequacy of policies and procedures, including those relating to cybersecurity requirements
4. Assess the effectiveness of implementation of the firm’s cybersecurity policies and procedures, including testing
5. Due diligence on third party vendors
6. Incorporate cybersecurity into annual review of compliance program
7. Incident response planning
Testing Considerations
Testing - Important aspect of assessing compliance programs
Firms routinely conduct testing as part of annual assessment
OCIE routinely asks for information about testing results in connection with inspections
Common types of compliance testing:
Transactional Tests – Transaction-by-transaction tests conducted contemporaneously with the transaction
Periodic Tests – Transaction-by-transaction tests performed on a “look back” basis at relevant intervals, such as spot checks or random or regular detailed reviews
Forensic Tests – Tests that analyze data over a period of time looking for trends and patterns
Traditional tests can be used in cybersecurity area (e.g., testing privilege management, document destruction, authentication procedures, red flag identification/response, physical safeguards)
Testing Considerations
Specialized tests in the cybersecurity area
Vulnerability Scans – Automated process of proactively identifying security vulnerabilities of computing systems in a network to determine if and where a system can be exploited and/or threatened
Penetration Testing – An attack on a firm’s information technology system conducted by an information security specialist retained by the firm with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data
Cybersecurity Testing Challenges
Relative lack of information security technical expertise in many compliance departments
Compliance departments generally do not have experience with the specialized tests that can be used in this area
Many compliance departments lack expertise to interpret the testing results
Testing limitations
Resource constraints
Potential Testing and Assessment Techniques
Leverage OCIE cybersecurity sweep exam letter to identify and prioritize areas of focus
Leverage information security resources in other parts of the organization to test compliance
Add information security technical expertise in the compliance department to enhance testing capabilities
Engage third parties to conduct vulnerability and penetration testing
Rely on third party testing conducted for service providers
Interview key personnel with cybersecurity responsibilities
Observe implementation of cybersecurity policies in actual operating environment
Utilize certifications and questionnaires
Review management and third party reports relating to cybersecurity matters
Evaluate trends in, and frequency of, exceptions or violations of
Leveraging the 2014 SEC
Cybersecurity Sweep Exam Questions to
Assess Your Cybersecurity Practices
SEC Cybersecurity Sweep Exam Initiative
The SEC’s Office of Compliance, Inspections and Examinations examined 49 registered investment advisers and 57 registered broker-dealers in 2014 as part of its Cybersecurity Exam Initiative and issued a Risk Alert summarizing its
Most advisers (74%) reported that they have been the subject of a cyber-related incident
The vast majority of examined advisers (83%) have adopted written information security policies, and over half of them (57%) audit compliance with these policies
A high percentage of examined advisers report conducting firm-wide inventorying, cataloging or mapping of their technology resources
The vast majority of the examined advisers conduct periodic risk assessments
Almost all of the examined advisers (91%) made use of encryption in some form
Approximately half of the examined advisers (53%) are using external standards and other resources to model their information security architecture and processes
Approximately a third (32%) of the examined advisers require risk assessments of vendors with access to their networks
Approximately a quarter of examined advisers (24%) include cybersecurity requirements in contracts with vendors
Approximately a third of the examined advisers (30%) have an individual assigned as the firm’s Chief Information Security Officer
Written business continuity plans often address the impact of cyberattacks or intrusions, but only about half (51%) of adviser policies discuss mitigating cybersecurity incidents
Approximately a quarter of examined advisers (21%) maintain insurance that covers losses and expenses from cybersecurity incidents
The 2014 SEC Cybersecurity Sweep Exam
Topics
The 2014 Sweep focused on the following six topics:
• Identification of Risks/Cybersecurity Governance;
• Protection of Firm Networks and Information;
• Risks Associated with Remote Customer Access and Funds Transfer Requests;
• Risks Associated with Vendors and Other 3rd Parties;
• Detection of Unauthorized Activity; and
• Experience with Cybersecurity Attacks (network breach, malware, fraudulent transfer requests, etc.).
The 2014 SEC Cybersecurity Sweep Exam
Question Highlights
Baseline Inventory Questions from the Sweep (i.e., what your IT infrastructure consists of)
• Inventories of physical devices, systems, software platforms and applications;
• Maps of network resources, connections and data flows; and
• Logging capabilities and practices.
The 2014 SEC Cybersecurity Sweep Exam
Question Highlights
Protection of Firm Networks and Information Questions from the Sweep (i.e., what controls does your organization maintain)
• Controls to prevent unauthorized escalation of user privileges;
• Environment for testing and developing software separate from the production environment;
• Controls to prevent unauthorized changes to baseline configurations;
• System patching and maintenance;
• Protection against DDoS attacks; and
• Use of encryption.
The 2014 SEC Cybersecurity Sweep Exam
Question Highlights
Risks Associated with Remote Customer Access and Funds Transfer Requests
• Who provides and manages the service;
• How are customers authenticated for on-line account access;
• Security measures to protect customer pins/passwords; and
• Software/practices for detecting fraudulent account access.
The 2014 SEC Cybersecurity Sweep Exam
Question Highlights
Detection of Unauthorized Activity
• Maintaining baseline information about expected events on the firm’s network;
• Monitoring the firm’s network environment/physical environment;
• Using software to detect malicious code on firm networks and mobile devices;
• Monitoring for the presence of unauthorized users, devices, connections and software on the firm’s networks; and
• Using the analysis of events to improve the firm’s defensive measures and policies.
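As an added example (not from the seminar deck or any of the presenters), the following Python script shows one way a firm can operationalize the baseline questions above: it parses a constructed asset-discovery snapshot and reports hosts, listening ports, software and accounts that are not in the saved baseline, plus baseline hosts that were not observed at all. The snapshot format, addresses, software names and account names are all constructed for illustration.

```python
"""Baseline-drift check for network devices, listening ports, software and users.

Constructed example: the baseline and the observed snapshot below are made up.
A real deployment would load the baseline from the firm's asset inventory and
the snapshot from its discovery/scanning tool export.
"""
from dataclasses import dataclass

# Constructed baseline: what the firm expects to see on its network.
BASELINE = {
    "10.0.1.10": {"ports": {445, 3389},
                  "software": {"Windows Server 2012 R2", "Endpoint AV"},
                  "users": {"svc-backup", "admin-j.doe"}},
    "10.0.1.20": {"ports": {443},
                  "software": {"Ubuntu 14.04", "nginx 1.6"},
                  "users": {"deploy"}},
    "10.0.1.30": {"ports": {1433},           # DR database replica
                  "software": {"SQL Server 2012"},
                  "users": {"svc-replication"}},
}

# Constructed snapshot, pipe-delimited: host|ports|software|users
OBSERVED = """\
# host|open ports|installed software|local accounts
10.0.1.10|445,3389,5900|Windows Server 2012 R2;Endpoint AV;RemoteDesk Tool|svc-backup;admin-j.doe;helpdesk-temp
10.0.1.20|443|Ubuntu 14.04;nginx 1.6|deploy
10.0.1.77|22,80|Raspbian|pi
"""

@dataclass(frozen=True)
class Finding:
    host: str
    category: str   # unknown-host | missing-host | unexpected-port | unauthorized-software | unexpected-user
    detail: str

def parse_snapshot(text):
    """Parse the pipe-delimited export into {host: {ports, software, users}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, ports, software, users = line.split("|")
        hosts[host] = {
            "ports": {int(p) for p in ports.split(",") if p},
            "software": {s for s in software.split(";") if s},
            "users": {u for u in users.split(";") if u},
        }
    return hosts

def compare_to_baseline(baseline, observed):
    """Return one Finding per deviation from the baseline."""
    findings = []
    for host, seen in observed.items():
        expected = baseline.get(host)
        if expected is None:
            findings.append(Finding(host, "unknown-host",
                                    f"listening on {sorted(seen['ports'])}"))
            continue
        for category, key in (("unexpected-port", "ports"),
                              ("unauthorized-software", "software"),
                              ("unexpected-user", "users")):
            for item in sorted(seen[key] - expected[key], key=str):
                findings.append(Finding(host, category, str(item)))
    # A baseline host that stops answering is also worth a look (outage or
    # decommissioned without updating the inventory).
    for host in sorted(baseline.keys() - observed.keys()):
        findings.append(Finding(host, "missing-host", "in baseline but not observed"))
    return findings

def summarize(findings):
    """Count findings per category for the review report."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

if __name__ == "__main__":
    for f in compare_to_baseline(BASELINE, parse_snapshot(OBSERVED)):
        print(f"{f.host:<12} {f.category:<22} {f.detail}")
```

Each finding should be closed out either by an authorized change to the baseline or by remediation, which is what turns the one-off comparison into the ongoing monitoring the exam questions describe.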
Testing Approaches
Black Box – Assessor not given any details
Grey Box – Assessor given limited knowledge
White/Crystal Box – Knowledge is openly shared with assessor
Scoping
Internal and/or External
# of devices within the network
# of locations to visit
Sampling of all systems?
Including workstations?
Internal and/or External
Determine in-scope environment
Include external critical assets
Include disaster recovery sites
Discovery
Identification of Network Address Space
Operating System Fingerprinting
Open Ports – Assess all TCP/UDP ports 1-65535
Vulnerability Identification
Top Vulnerability Categories
Unpatched applications
Default credentials
Excessive privilege and/or services
Extra Tests on Internal Assessments
Wireless Security Assessment
Review
Policies & Procedures
Third Party Connectivity
Vendor Management Program
Disaster Recovery/Business Continuity Plan
Security Countermeasure Configuration
Penetration Testing
Combining vulnerability assessments with penetration testing
Vulnerability & Exploit Correlation
Exploits coming on quickly after vulnerability release
Buffer Overflows
Memory Leaks
Race Conditions
Exploitation
Credential Manipulation
Brute Forcing Passwords
Passing the Hash
Default Passwords
Cookie Harvesting
Rogue Wireless Access Point
User accesses a rogue device
All traffic now intercepted
User still able to access systems thus believes
everything is fine
Social Engineering
Any act that influences a person to take an action that may or may not be in their
Remote Social Engineering
Review of Online Content
GlassDoor
Creation of Custom Ruse
Execution
Phishing
Phone Scams
Fake Customer/Vendor Engagements
On-Site Social Engineering
Casing of the building and learning daily office workflows
Google physical mappings
Building plans/blueprints/owner details
Ruse development
Exploitation
Tailgating
Planting USB/CDRom/etc.
Web Application Assessments
Identify roles, forms and system details
Run scanning tools to identify potential weaknesses
Attempt exploitation to gain system or data access
• Cross-Site Scripting
• SQL Injection
• Role Escalation
• API Abuse
Physical Security
Red Team or Physical Security Walkthrough
Assess
Locks
Doors
Windows
Physical Security Badging
Hinges
Cameras
Motion Sensors
Cybersecurity Enforcement
SEC Activity Has Been Limited
Principally Violations of Reg S-P Safeguards Rule
Focus on Failure to Address Known Deficiencies
Actions Predate Current Regulatory Focus
Safeguards Rule: 17 CFR § 248.30(a)
Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:
(1) Insure the security and confidentiality of customer records and information;
(2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(3) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Who is Covered
“Customers” are “consumers” – individuals with a continuing relationship under which you provide financial products or services that are used primarily for personal, family, or household purposes.
(i) An individual is your consumer if he or she provides non-public personal information to you in connection with obtaining or seeking…investment advice.
(ii) An individual is not your consumer if you are an investment company and individual purchases through a broker dealer or investment adviser who is the record
SEC Actions Against Advisers
LPL Financial Corporation, Adm. Proc. File No. 3013181, IA Rel. No. 2775, (Sept. 11, 2008)
Deficiencies identified by internal audit
Failure to use strong passwords.
Passwords widely disseminated.
Excessive session inactivity parameters.
Unauthorized persons gain access and place unauthorized trades
Settled order imposes $27,000 fine and independent consultant for two years
SEC Actions Against Advisers
(cont.)
Commonwealth Equity Services Adm. Proc. 3-13631, IA Release No. 2929, (September 29, 2009)
Dual registrant failed to mandate antivirus software use by registered representatives
IT staff failed to follow up aggressively to registered representative’s report of virus and requests for assistance
Intruder gained access through virus and placed 18 orders for a single stock in customer accounts
Clearing broker detected trades and further activity blocked
Firm fined $100,000
FINRA Enforcement
FINRA actions involve Safeguards Rule and NASD Rules 3010 and 3012 on supervisory responsibility
Actions focus on deficiencies in programs, even in the absence of customer harm:
Only general vague summary policies that do not contain specific procedures on safeguarding of information
Policies provide “guidance,” “recommendations,” and “suggestions” as opposed to mandates
Lack of encryption, antivirus protection
Lack of training, lack of response planning
Failure to monitor or review or respond to deficiencies
SEC Actions Against Hackers
SEC has pursued hackers without sanctioning firms
Overseas hackers amass large penny stock position in “legitimate” online accounts
Take control of online brokerage accounts to buy large quantities of these securities to inflate price
Sell holdings from “legitimate” accounts
SEC v. Marimuthu, C.A. No. 8:07CV94 (D. Neb. March 12, 2007) (innocent account holders lost $845,000); SEC v. Grand Logistic, Inc., C.A. No. 06-cv-15274 (S.D.N.Y. Dec. 16, 2006)
CFTC Enforcement
In the Matter of Interbank FX, LLC, CFTC Docket No. 09-11 (June 29, 2009)
CFTC Regulation 160.30 requires that FCMs, CTAs, CPOs and introducing brokers adopt policies and procedures that address the administrative, technical, and physical safeguards for the protection of customer records
Firm had no policy or procedures concerning the protection of consumer personal identifying information (PII)
While working on a systems upgrade, a software engineer is provided access and downloads PII for 13,000 customers to personal website
FTC Enforcement
Section 5 of FTCA outlaws “unfair or deceptive acts or practices” affecting commerce
FTC is the most aggressive enforcer
Fifty cases since 2000
Defective data security practices
Deceptive statements about use
Far reaching remedies
Authority challenged in FTC v. Wyndham Resorts (3d Cir.) and In the Matter of Lab MD, Inc. (FTC)
Section 5 “unfairness” does not reach data security defects
Predictions
SEC enforcement staff has been largely silent on cybersecurity investigations
SEC will continue focus on protecting individual information and assets
SEC will examine firms’ “critical infrastructure” that may or may not relate directly to customer accounts or identities
SEC will use compliance rules to bring cases based on failures to adopt “reasonably designed” procedures addressing topics covered in “guidance”
Civil Litigation
Class actions by customers
Derivative actions against directors and officers
Securities actions
Civil Litigation
Target Consumer Settlement
Over 100 million individuals affected
Settlement fund of $10 million
Claims up to $10,000 on showing of actual “loss”
Target/Mastercard Settlement
Small institutions object to settlement
Small institutions have higher per card losses
Settlement would release further claims by small issuers
Session 3 – Key Takeaways
VULNERABILITY / PATCH MANAGEMENT – The identification and remediation of known software weaknesses
Scan all internal and external systems to identify missing software patches
Identify software and hardware that is no longer supported by the vendor. Unsupported software does not have patches developed by the vendor
Have a documented process for how patches are implemented on your system from patch identification to implementation
Request reporting
PENETRATION TESTING - The identification and remediation of application functionality flaws (e.g., default configurations, application processing errors) that may lead to application compromises
Consider using a reputable 3rd party to conduct these reviews
Start with external, internet facing applications that allow for the movement of funds and/or access personal information (FFIEC) then focus on critical internal applications
Make certain that you are clear on what the results mean (i.e., business impact of risk exposure)
Develop remediation of identified gaps
Session 3 – Key Takeaways (cont.)
WIRELESS ACCESS TESTING – The identification and remediation of gaps related to the use of wireless devices
Determine / identify the company stance on the use of wireless networks
– Does your company permit wireless access points on its network for internal employees?
– Does your company provide wireless access points on its network for guests or visitors?
– Is the wireless network for guests / visitors segmented off the internal network?
Identify a reputable 3rd party vendor to test your network against the policy / company posture and identify gaps
Develop a project plan to remediate these gaps
SOCIAL ENGINEERING – Any attempt to trick or deceive an individual to provide information (e.g., account information) or conduct an action (e.g., clicking a malicious link) that may lead to personal or corporate harm
Identify how these attacks may happen within your company. (e.g., email, phone, client authentication)
Determine what your company and its clients can do to protect themselves
Develop training to educate the company on how to protect themselves (ongoing)
Develop training to educate your clients on how to protect themselves (ongoing)
Next Steps for Advisers and Funds
1. Engage senior management and, if appropriate, the board of the adviser and any funds in the complex
2. Conduct a cybersecurity governance and risk assessment
3. Review and test the adequacy of existing compliance policies, business continuity plans, technical controls and other relevant procedures
4. Develop an incident response plan
5. Enhance employee training
6. Review vendor relationships
7. Review insurance coverage
8. Assess need for, and adequacy of, any public disclosures
9. Attend upcoming K&L Gates and Investment Adviser Association Cybersecurity Seminar Series programs
Cybersecurity Seminar Series Overview
Session 1 (February 27, 2015)
Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program
Session 2 (March 23, 2015)
Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers
Session 3 (Today)
Testing Your Cybersecurity Infrastructure and Enforcement Related Developments
Session 4 (May 20, 2015)
Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage
Session 5 (June 25, 2015)
Building a Better Mousetrap – Evolving Trends in Cybersecurity Practices and Public Policy Developments
Speaker Contact Information
Mark C. Amorosi, Investment Management Partner, K&L Gates LLP
202-778-9351
Laura L. Grossman, Assistant General Counsel, Investment Adviser Association
202-507-7201
Jason Harrell, Corporate SIRO – Investment Management, BNY Mellon
212-635-8316
Jeromie Jackson, CISSP, CISM, Director of Security & Analytics, Nth Generation
858-451-2383 x135
Jeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates LLP
202-778-9062
Andras P. Teleki, Investment Management Partner, K&L Gates LLP
202-778-9477