Current Developments Concerning Cybersecurity
ICI General Membership Meeting Legal Forum
Jillian Bosmann and Nancy O’Hara
AGENDA
Why is Cybersecurity Important?
Top Cybersecurity Threats for Funds
Legal Landscape
SEC Cybersecurity Guidance and OCIE Cybersecurity Initiative
SEC Enforcement Actions
Cyber Preparedness and Resiliency
Fund Board Reporting and Oversight
Why is Cybersecurity Important?
- Direct impact on business
- Direct impact on clients
- Cost of notice and remediation
- Regulatory actions
- Potential lawsuits
- Reputational damage
- Disruption to business
Top Cybersecurity Threats for Funds
Ability to strike net asset value (NAV) each trading day
Protecting trading data and portfolio holdings before being made public
Protecting personally identifiable, confidential shareholder information
Legal Landscape
- State Breach Notification Acts (SBNAs)
- Patchwork of federal statutes, including Gramm-Leach-Bliley; Electronic Communications Privacy Act; Stored Communications Act; Video Privacy Protection Act; Driver’s Privacy Protection Act; Family Educational Rights and Privacy Act
- Regulations, including Regulation S-P, Regulation S-AM, the FTC’s “Red Flag” rules and the CFPB’s Regulation P
SEC Cybersecurity Guidance
SEC Division of Investment Management issued guidance in April 2015
OCIE Cybersecurity Initiative
Target Areas:
- Governance and Risk Assessment
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
- Training
SEC Enforcement Actions
R.T. Jones Capital Equities Management (Sept. 2015)
- Failure to have the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals
- Substantial subsequent remedial efforts and no indication that any client had suffered financial harm as a result of the breach
- Paid a $75,000 penalty
Andrew Ceresney, head of the SEC’s Division of Enforcement, stated during a panel discussion at the ICI’s Mutual Funds and Investment Management Conference in March that the SEC has other cybersecurity enforcement actions “in the pipeline”
Cyber Preparedness and Resiliency
Developing a Data Security Policy
- Perform an overall risk assessment of your organization
- Know the most common methods of penetration
- Consider including certain key steps
- Include a response plan
- Educate employees, including partners and C-level executives
- Ensure adequate resources are devoted to cybersecurity
Cyber Preparedness – Risk Assessment
Perform an overall risk assessment for your organization
- What policies are currently in place? Do they need to be augmented or changed?
- Focus on the top 3 cybersecurity threats to funds. Are additional policies or procedures needed to protect this information?
- Review SEC guidance. Are policies in place for each area suggested by the SEC?
- Review the OCIE sample request list for examinations regarding cybersecurity matters. Would you be able to respond positively to each request?
Cyber Preparedness – Risk Assessment (cont.)
Don’t Forget Third Parties
- Rank your vendors on both the sensitivity of the data they hold and how pervasive they are within your organization
- Make sure the inventory of information and vendors is accurate
- Ask for SOC 2 reports from your vendors
- Perform risk assessments of vendors’ cybersecurity programs
- Ask vendors to self-assess their cybersecurity programs
- Monitor the service to identify vendor breaches
- Consider limiting vendor access to information they do not need
- Consider revising contracts to mitigate risk
Cyber Preparedness – Common Methods of Penetration
Know the most common methods of penetration.
- Sending “phishing” emails to employees
- Phony free Wi-Fi sites
- Loss of laptops, mobile devices or USB flash drives
- Password hacking
Cyber Preparedness – Key Steps
- Require strong passwords
- Use two-factor authentication
- Limit access to systems and data to only those who absolutely need it
- Monitor employees who are “on their way out”
- Have controls over physical entry to and exit from sensitive areas
- Use encryption
Cyber Preparedness – Response Plan
- Who are the members of the team?
- Who is the incident manager/coordinator?
- How will further loss be prevented?
- How will communication flow inside the firm?
- What additional resources will be necessary?
- How will communication flow outside the firm?
- Who needs to be notified?
Cyber Preparedness – Education and Resources
- People are often the weakest link, but can be the strongest ally if educated to recognize common schemes
- Encourage partners and C-level executives to comply with policies
- Cybersecurity preparedness requires the involvement of the entire firm in risk assessment and implementation
- Need adequate budget and staffing
Cyber Preparedness – Always Evolving
- Hacking techniques evolve
- Risk assessment needs to be repeated periodically
- Incident response plan should be tested periodically
Fund Board Reporting and Oversight
- Education on risks and risk management
- Key vendors/service providers should report at least once a year
Board reporting should include:
- Number of attacks detected during the period
- Number of attacks repelled during the period
- The nature of each attack, e.g. length of time of penetration and information at risk
- Steps taken in response to each attack
- Any changes to the data security policy
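As an added illustration (not from the presentation), the following script turns a set of constructed incident records into the board-report items listed above: attacks detected, attacks repelled, the nature of each successful attack (dwell time and information at risk), response steps, and policy changes. Record fields and sample values are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample incident records for one reporting period (not real data).
# "repelled" means the attempt was blocked before any access; "contained" is when
# access was shut off, so contained minus detected approximates time of penetration.
INCIDENTS = [
    {"id": "INC-1", "vector": "phishing email", "repelled": True,
     "detected": "2016-01-04T09:12", "contained": "2016-01-04T09:12",
     "data_at_risk": [], "response": ["blocked sender domain"], "policy_change": None},
    {"id": "INC-2", "vector": "lost laptop", "repelled": False,
     "detected": "2016-02-10T08:00", "contained": "2016-02-10T15:30",
     "data_at_risk": ["shareholder PII"],
     "response": ["remote wipe", "SBNA notice review"],
     "policy_change": "full-disk encryption required on all laptops"},
    {"id": "INC-3", "vector": "password hacking", "repelled": False,
     "detected": "2016-03-01T22:40", "contained": "2016-03-03T10:10",
     "data_at_risk": ["portfolio holdings"],
     "response": ["forced password reset", "enabled two-factor authentication"],
     "policy_change": None},
]

def _hours(start, end):
    """Elapsed hours between two ISO-style timestamps (hypothetical format)."""
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600

def board_report(incidents):
    """Summarise incident records into the items the slide lists for the board."""
    detected = len(incidents)
    repelled = sum(1 for i in incidents if i["repelled"])
    # Nature of each attack that got through: dwell time and information at risk
    nature = [
        {"id": i["id"], "vector": i["vector"],
         "dwell_hours": round(_hours(i["detected"], i["contained"]), 1),
         "data_at_risk": i["data_at_risk"]}
        for i in incidents if not i["repelled"]
    ]
    responses = {i["id"]: i["response"] for i in incidents}
    policy_changes = [i["policy_change"] for i in incidents if i["policy_change"]]
    return {"attacks_detected": detected, "attacks_repelled": repelled,
            "nature_of_attacks": nature, "responses": responses,
            "policy_changes": policy_changes}

if __name__ == "__main__":
    import json
    print(json.dumps(board_report(INCIDENTS), indent=2))
```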
ICI – Information Security Resources
- Standards and Guidelines
- Information Sharing Resources
- Information Security Threat Mitigation & Program Development
- What to Ask When Assessing Information Security Programs
Jillian L. Bosmann, Counsel, 215.988.3307, [email protected]
Nancy P. O’Hara, Counsel, 215.988.2699, [email protected]