Regulatory agencies, including the SEC and FINRA, are becoming increasingly focused on important issues in the cybersecurity arena. Jeff Schultz and Scott Kozak review the SEC and FINRA's efforts and discuss the issues invovled in assessing cybersecurity. They also will review the guidelines you to need to comply with anticipated regulatory requirements and increasing scrutiny of cybersecurity programs.

1. Cyber-Readiness in the
Securities and Brokerage
Industry
September 24, 2014
Scott K.G. Kozak & Jeffrey Schultz
© 2014 Armstrong Teasdale
LLP
© 2014 Armstrong Teasdale
LLP

2. Current Events
 2013
• Target
− 40 million+ customers affected
 2014
• Home Depot
− Breach in April 2014, discovered in August 2014
− 50 million + affected ; class action filed 9/10/14 in Eastern District of Missouri
− Offered customers and employees free credit monitoring, fraud protection and identity
protection services for 1 year
• Benjamin F. Edwards & Co
− Discovered 3 days after breach took place
− Firm offered customers and employees free credit monitoring, fraud protection and
identity protection services for 1 year
• BAE Systems reported hedge fund customer lost millions due to “lag time” malware
installed through “spearfishing” email
© 2014 Armstrong Teasdale
LLP

3. Privacy and Information Security
 Privacy:
• The right to be left alone
• The right of an individual to be protected
against intrusion into her personal life or affairs
 Information/Data Security:
• Defending information from unauthorized access, use,
disclosure, disruption, modification, perusal,
inspection, recording, or destruction
© 2014 Armstrong Teasdale
LLP

4. Internet vs. Privacy:
“a helpful Venn diagram”
The
Internet Privacy
By David Hoffman, available at http://bit.ly/bqU5vU
© 2014 Armstrong Teasdale
LLP

5. Who is the Top Information Security
Threat?
Hackers?
© 2014 Armstrong Teasdale
LLP
Spies?
Cyber
terrorists?

6. INFORMATION SECURITY ENEMY #1
© 2014 Armstrong Teasdale
LLP

7. Evolving Expectations of Privacy?
Zuckerberg’s Law
“I would expect that next year, people will share twice
as much information as they share this year, and the
next year, they will be sharing twice as much as they
did the year before.”
© 2014 Armstrong Teasdale
LLP

8. Social Engineering: an
Increasingly Common Threat
 Significant majority of external intrusions contain
social engineering element
 Phishing attacks becoming increasingly
sophisticated.
 Use of email/web based attacks
 Personalized emails: information gleaned from
Facebook or Linked In
 Fake Internal Company Emails
© 2014 Armstrong Teasdale
LLP

9. Common Problems
 Lack of Employee Training
• Employees unaware of potential problems
 No Security Culture
• Employees aren’t thinking about security implications
 Ineffective Internal Controls
• Too much access to information
© 2014 Armstrong Teasdale
LLP

10. Overview of Privacy Law
 Fundamentally different legal/regulatory schemes in
different jurisdictions:
United States
• No comprehensive “law”
• Patchwork of sector-specific
(e.g. HIPAA) and jurisdiction-specific
regulations
© 2014 Armstrong Teasdale
LLP
Europe
• Comprehensive data protection
scheme
• Strict privacy protection
• “Privacy as a human right”

11. Some Important Privacy and Data
Security Laws in the U.S.
 Fair Credit Reporting Act (FCRA)
 Health Insurance Portability and Accountability Act
(HIPAA)
 Computer Fraud and Abuse Act (CFAA)
 Stored Communications Act
 Gramm-Leach-Bliley Act (GLBA)
 Children’s Online Privacy Protection Act (COPPA)
 Section 5 of the Federal Trade Commission Act
 State Data Theft, Breach Notification, and Other
Privacy Laws
© 2014 Armstrong Teasdale
LLP

12. Cybersecurity Focus in Securities
Industry
“Cybersecurity [has] become a top concern … mounting
evidence that the constant threat of cyber-attack is real,
lasting and cannot be ignored” – Commissioner Aguilar
2012 Survey: 89% identify cyber-crime as potential
systemic risk, with 53% reporting a cyber-attack in
previous year
© 2014 Armstrong Teasdale
LLP

13. SEC Regulatory Approach
 October 2011 – Division of Corporate Finance
• Guidance on disclosure obligations
• Requires disclosure of material information regarding
cybersecurity risks and cyber incidents
 Proposed Rule – Regulation Systems, Compliance and
Integrity
• Aims to require covered entities to test automated systems,
continuity and disaster recovery plans and notify SEC of
intrusions
• SEC professed goal as of March 2014 is to make
significant progress in 2014
© 2014 Armstrong Teasdale
LLP

14. SEC Regulatory Approach
 Regulation S-ID (http://www.sec.gov/rules/final/2013/34-69359.pdf)
• Requires certain regulated financial institutions to adopt
and implement identity theft programs
• SEC expects institutions to know “Identity Theft Red Flags”
and incorporate into policies
− http://www.sec.gov/info/smallbus/secg/identity-theft-red-flag-secg.
© 2014 Armstrong Teasdale
LLP
htm
 Regulation S-P (http://www.sec.gov/rules/final/34-42974.htm)
• Privacy of consumer financial information
• Notice to customers of privacy policy and practices
− Consumer knowledge and “opt-out” option

15. SEC Actions
March 2014 – SEC Roundtable
• Integrity of Market Systems
• Customer Data Protection
• Disclosure of Material Information
April 2014 – OCIE Cybersecurity Initiative
• Designed to assess cybersecurity preparedness
• Method to collect information of industry experience
• Examinations to be conducted of more than 50 broker-dealers
© 2014 Armstrong Teasdale
LLP
and registered investment advisors

16. OCIE Cybersecurity Governance
 Focus Areas
• Identification of Risks
• Policies and Procedures
• Documentation
• Third-Party Exposure
• Detection
© 2014 Armstrong Teasdale
LLP

17. Identification of Risks
System Access
• What can account holders do?
− Fund Transfers, Beneficiary Changes, Emailed action
requests
• What can employees do?
− Remote access, Client account management
Third Party Management
• Hardware and Software
• Storage and Backup
© 2014 Armstrong Teasdale
LLP

18. Policies and Procedures
Network & Information Security
 Risk management process standard?
 What is the source or model of this standard?
 What practices and controls are utilized by the firm?
© 2014 Armstrong Teasdale
LLP

19. Policies and Procedures
Access
• Employees
− Training
− Security protocols (passwords, 2-step verification) and User
privileges (escalation control)
• Customers
− Remote access security (2-step verification, key fob)
− Verification of email requests
− Limitations (Transfers, Beneficiary changes, Account holder)
• Third Parties
− Financial management applications (Mint, Personal Capital,
etc.)
− Periodic access restriction requiring verification
© 2014 Armstrong Teasdale
LLP

20. Policies and Procedures
IT Assets
 Software
• Loss prevention software
• Internet protection software (DoS)
• Malware / Virus protection and detection
 Encryption
• Types of data encrypted
• Methods of encryption
• Devices (iPhone, iPad, laptops, open internet portals)
© 2014 Armstrong Teasdale
LLP

21. Policies and Procedures
IT Assets
 Architecture
• Environment
− Segregation of application and testing
• “Locked” basic configuration
− Baseline access and data organization
• Maintenance (patching, upgrades)
• Backup System
 Quality Control
• Periodic testing and compliance assessments
• Penetration and Vulnerability scans
− Who and How Often (Internal IT, Third Party Vendors)
© 2014 Armstrong Teasdale
LLP

22. Documentation
 Security/Hacking guarantees and policy
• What security is offered to customers
• What information is provided to customers in the event of a breach
 Written data destruction policy
• Lawful destruction limits potential for large-scale data breach
 Incoming/Departing employee policy
• Employees are security threat – not just outsiders
 Cybersecurity incident response policy
• Update schedule
• Response guidelines
 Training for vendors and authorized partners
• Clear identification of expectations and requirements
© 2014 Armstrong Teasdale
LLP

23. Documentation
Reporting
 Customer
 Law Enforcement
 Treasury Financial Crimes Enforcement Network
(FinCEN)
• Suspicious Activity Report
− http://www.fincen.gov/news_room/rp/sar_guidance.html
 SEC/FINRA
 State Securities Commissioner
 Public Interest Group
© 2014 Armstrong Teasdale
LLP

24. Documentation
Records, Records, Records
 Number of experienced events
• SEC Focus: After January 1, 2013
 Significance of event(s)
• Repeated incidents or sources (10+)
• Amount of losses ($5K+)
• What was accessed
• How was Firm service compromised
© 2014 Armstrong Teasdale
LLP

25. Third Party Exposure
Risk Assessment
• Who conducts
• Assessment standards
− Questionnaire
− Minimum security requirements
− Independent audits and security verification
• Contractual provisions and requirements
• Segregation of network resources
− Universal access or firewalled
• Remote maintenance policy
© 2014 Armstrong Teasdale
LLP

26. Detection
 Who is responsible for oversight
• Specific responsibility assignments
• Organizational chain for detection + reporting
 Baseline development
• Standard expectations
− Access timing (market-based, geographical base)
− Outside access (remote vs. office)
−Weekday/Weekend/After Hours
© 2014 Armstrong Teasdale
LLP

27. Detection
 Establish thresholds
• “Incident Alert” threshold
− Internal / Satellite
− Identification of anomalies
 Monitoring
• Software
− Unauthorized access
− Unauthorized software
• Hardware
− Unauthorized connections or devices
© 2014 Armstrong Teasdale
LLP

28. Industry Snapshot
Identification of Risks
 85% used multiple electronic devices to access client information
 42% did not use any authentication procedures for client
instructions received via email or electronic messaging
• Only 41.1% required dual-factor authentication
 Only 41.5% had a policy on accessing client information or
communications from a non-business device
 Only 38% had policy for detecting unauthorized activity on
networks or devices
© 2014 Armstrong Teasdale
LLP

29. Industry Overview
Vendors and Third Parties
 37% did not conduct risk assessments
 40% of those that conducted risk assessments did so only
on an annual basis
 23% had no confidentiality agreements with third-party
providers and servicers
• BUT -- 76% use on-line or remote backup of electronic files
© 2014 Armstrong Teasdale
LLP

30. Industry Overview
Polices and Procedures
 Only 44.6% had cybersecurity policies, procedures or
training programs
 23.1% had no policies whatsoever
© 2014 Armstrong Teasdale
LLP

31. Industry Overview
Policies and Procedures
 Only 47.4% had data storage device destruction
policies
 Only 39.2% had loss of electronic device policies
(e.g., laptop, smartphone)
© 2014 Armstrong Teasdale
LLP

32. OCIE Examination Process
 Factors favoring examination
• Statutory directive
• Entity risk profile
• Tip, complaint or referral
• Review of specific risk area
 Examination
• Announced or unannounced
• Initial interview – “critical … determine[s] tone and focus of examination”
• Tour – analysis of workflow and control environment
• Cooperation, including provision of persons with knowledge, is key
• Follow-up may include telephone interviews
© 2014 Armstrong Teasdale
LLP
http://www.sec.gov/about/offices/ocie/ocie_exambrochure.pdf

33. OCIE Examination Process
 Third Party Providers
• OCIE will request relevant information from examinee or from
agents/custodians
 Clients & Customers
• OCIE will “routinely contact” to gather and/or verify information
 Exit Interview
• Last day of site visit
• Entity afforded opportunity to discuss issues raised by exam staff
− Includes actions entity has taken or plans to take to address
issues
© 2014 Armstrong Teasdale
LLP
http://www.sec.gov/about/offices/ocie/ocie_exambrochure.pdf

34. OCIE Examination Process
 Examination Conclusion
• SEC Section 4E – completion due on later of two dates
− 180 days after completion of on-site portion of exam; or
− 180 days after all records requested are examined or inspected
• 180-day extension available for “complex examinations”
 Exam Results
• Deficiency Letter
− Entity to respond timely, addressing all identified issues
• Referral to Division of Enforcement
− Direct referral without exit exam may be made in “exigent circumstances”
• Referral to SRO, State regulatory agency or law enforcement
© 2014 Armstrong Teasdale
LLP
http://www.sec.gov/about/offices/ocie/ocie_exambrochure.pdf

35. Challenge: Decision Makers’ Lack of
Familiarity with the Technology
“If I'm applying the First Amendment, I have to apply it to a world where
there's an Internet, and there's Facebook, and there are movies like ... The
Social Network, which I couldn't even understand .”
© 2014 Armstrong Teasdale
LLP
—Justice Stephen Breyer
Justice Roberts: “I thought, you know, you push a button; it goes right to the
other thing.”
Justice Scalia: “You mean it doesn't go right to the other thing?”
—Justice John Roberts to Justice
Antonin Scalia Regarding How a
Text-Messaging Service Works

36. To Do List
 Identify/Organize Persons with Knowledge
• Cybersecurity Committee and/or Response Team
 Audit Cybersecurity Status
• Review internal and external Policies
• Review access, verification and recovery
 Third Party Vendors
• Review contracts and policies
 Quality Control and Assessment
• Update records … or get started
 Insurance
• Mind the gap
© 2014 Armstrong Teasdale
LLP

37. Be Proactive
© 2014 Armstrong Teasdale
LLP

38. How Can We Help?
 Securities Regulatory & Litigation Group
• Former MO Securities Commissioner
• Former federal prosecutor
• Experienced securities litigators
 Data Security and Privacy Group
• CIPP|US and Ethical Hacker Certified
• International and Domestic experience
© 2014 Armstrong Teasdale
LLP

39. Questions?
Scott K.G. Kozak
Partner, Litigation
314.259.4714
skozak@ArmstrongTeasdale.com
Jeffrey Schultz
Partner, Litigation
314.259.4732
jschultz@ArmstrongTeasdale.com
CLE Webinar Confirmation Code: KS0912
© 2014 Armstrong Teasdale
LLP