Presentation & Materials - Sutherland Asbill & Brennan LLP
BDCs and Cybersecurity Preparedness
March 26, 2015

Moderator: Harry S. Pangas
Speakers: Mark Thibodeaux, Mary Jane Wilson-Bilik, Daniel E. Frank, Brian L. Rubin

Presenters
• Harry S. Pangas, Washington, DC, 202.383.0805, harry.pangas@sutherland.com
• Daniel E. Frank, Washington, DC, 202.383.0838, daniel.frank@sutherland.com
• Mark Thibodeaux, Houston, TX, 713.470.6104, mark.thibodeaux@sutherland.com
• Brian L. Rubin, Washington, DC, 202.383.0124, brian.rubin@sutherland.com
• Mary Jane Wilson-Bilik, Washington, DC, 202.383.0660, mj.wilson-bilik@sutherland.com

©2015 Sutherland Asbill & Brennan LLP

Overview
• Overview of the Changing Landscape
• Legal Considerations
• NIST Framework as a Guide
• Enforcement Actions
• What You Should Be Doing Now

Overview of the Changing Cybersecurity Landscape
We’ve all seen the headlines:
• “Massive data hack of health insurer Anthem potentially exposes millions,” Wash. Post, 2/5/15
• “Sony Hack: 'Critical' Systems Won't Be Back Online Until February,” NBC News, 1/23/15
• “JPMorgan says 76 million households were affected by cyber breach,” Wash. Post, 10/2/14
• Home Depot, eBay, Neiman Marcus, LinkedIn, Jimmy John’s, Michaels Stores, P.F. Chang’s, etc.

But I’m Not JPMorgan or Home Depot
• Everyone is a target
• Analysis of attacks by one hacking group, “Comment Crew,” showed successful compromises of more than 140 organizations across industries, including: engineering, financial services, energy, chemicals, healthcare, media and entertainment, scientific research, food and agriculture, legal services, transportation, construction, and education
• Somewhere between 30% and 63% of hacked companies have 250 or fewer employees

Sources of Attacks
• Criminals
  – Cyber-extortion – gangs in Eastern Europe, etc.
  – Theft – wire transfers; attacks on bank or brokerage accounts; identity theft
  – Disgruntled former employees; bored students
• Hacktivists
  – Attacks on corporate reputation; embarrassing leadership
• Espionage
  – Theft of intellectual property
• War
  – Homeland security and critical infrastructure
  – Non-state actors – cyberterrorism

Attack Profiles
• Many cyber attacks are now specifically targeted
  – Phishing / spear phishing / whaling
  – Watering-hole attacks
  – Ransomware
  – Doxing
• Hacking tools are increasingly sophisticated and readily available

Traditional View of Security
But it was never really this simple.

There is No Moat and Drawbridge
• Portable computing: laptops, tablets, smart phones
• Portable media: thumb drives, external hard drives, CDs/DVDs/Blu-ray discs
• Extranets and outsourced services
• Recently acquired/merged businesses
• Bring-your-own-device
• The Cloud
• “We have met the enemy and he is us”
  – Employees, contractors, and vendors already have access
  – They do not need malicious intent to be a problem

SEC Considerations
• Cybersecurity is an area of intense focus for the SEC
• March 2014: SEC Cybersecurity Roundtable
  – Chair Mary Jo White: compelling need to address cybersecurity threats
  – Announced that a national exam priority is to assess preparedness in the securities industry
• April 2014: SEC Cybersecurity Initiative
  – OCIE published a list of 26 tough questions on:
    – Cybersecurity governance – written policies / NIST
    – Protection of networks and information
    – Risks associated with vendors
    – Detecting unauthorized activity

SEC Exam Priorities / NYDFS
• January 2015: Cybersecurity is an SEC Exam Priority
  – Designates cybersecurity as a market-wide risk
  – Underscores how important the SEC believes cybersecurity is to the integrity of the market system, not just the protection of customer data
• New York Department of Financial Services
  – Superintendent Lawsky, March 12, 2015: a “Cyber 9/11” could happen
  – One of the greatest threats to our economy
  – Cybersecurity is the regulator’s top priority

SEC Rules and Cyber Preparedness
• Rule 38a-1 (ICA) / Rule 206(4)-7 (Advisers Act)
  – Require written compliance policies and procedures reasonably designed to prevent violations of the federal securities laws, an annual review, and an annual report by the CCO
  – “Reasonable regulator” standard – take the SEC’s expectations about cybersecurity into account
• Primary aspects of a compliance program relevant to cybersecurity preparedness:
  – Reg. S-P: safeguard customer information
  – Rule 13a-15 and Section 13(b)(2) under the 1934 Act: possible that the SEC will interpret “internal controls over financial reporting” to require controls reasonably designed to prevent cyberattacks

SEC Rules and Cyber Preparedness (cont.)
• Rules 31a-2 (ICA) / 204-2 (Advisers Act): integrity of required records
  – If records are stored electronically, a BDC must maintain procedures to:
    – Maintain and preserve records so as to safeguard them from loss, alteration or destruction
    – Limit access to properly authorized personnel, directors of the BDC, and the SEC
  – SEC could require procedures addressing cybersecurity
• Business continuity plans
  – If a BDC’s computer system (or that of one of its service providers) is shut down or corrupted, the BDC’s ability to continue in operation could be affected
  – SEC exam priority

Board Oversight of Cyber Risk Management
• Boards generally have responsibility for overseeing risk management processes
  – SEC Commissioner Aguilar: “There can be little doubt that cyber-risk must be considered as part of a board’s overall risk oversight. Given the significant cyber-attacks that are occurring with disturbing frequency…, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board’s risk oversight responsibilities.”
• Common law duties of care and loyalty – duty to act with prudence and prevent foreseeable harm
  – A court may extend this duty to ensuring that management has an adequate framework, such as the NIST Framework, for considering and addressing foreseeable cybersecurity risks

NIST Cybersecurity Framework
• Executive Order on “Improving Critical Infrastructure Cybersecurity” (Feb. 2013)
• NIST-developed Cybersecurity Framework (Feb. 2014)
• It’s voluntary, so why use it?

Framework – Structure
• The Framework provides tools to build or improve an organization’s cybersecurity program
• Elements of the Framework:
  – The Core: Functions, Categories/Subcategories, Informative References
  – Implementation Tiers
  – Profile

Framework – Five Functions
• Identify
• Protect
• Detect
• Respond
• Recover

Framework – Categories
• Categories and Subcategories within each Function
• Example: Category = Governance (Function = Identify); Subcategories:
  – Information security policy established
  – Roles and responsibilities aligned
  – Legal and regulatory requirements understood and managed
  – Governance and risk management processes address cyber risks

Framework – Informative References
• Informative References – existing standards, guidelines and practices common among critical infrastructure sectors that are linked to Categories and Subcategories (for example, ISO standards)
• Not exhaustive – can include additional standards adopted by the organization or industry

Framework – Implementation Tiers
• Implementation Tiers measure the level of “maturity” (the degree of formality and sophistication) of the organization’s cybersecurity program
  – Tier 1 – Partial: not formalized, ad hoc, reactive
  – Tier 2 – Risk-Informed: practices approved by management, but not established as organization-wide policy
  – Tier 3 – Repeatable: practices and policy formally established
  – Tier 4 – Adaptive: proactive, adapts to emerging threats
• Helps the organization determine its current and target cybersecurity postures in each Category

Framework – Profile
• The goal of the Framework is to enable an organization to build a cybersecurity Profile – basically a “roadmap”:
  – What is my current cybersecurity posture?
  – What do I want it to be?
  – How do I get there?
  – How do I assess progress and the end state?
• Not a one-size-fits-all approach

The SEC’s Cybersecurity Exam Sweep
• Examined BDs and RIAs for general cybersecurity practices; more to come in 2015
• 74% of RIAs reported experiencing a cyberattack either directly or through a vendor (compared with 88% of BDs)
• RIAs have some catching up to do in certain areas:
  – 93% of BDs have written information security policies; 83% of RIAs do
  – 89% of BDs conduct periodic audits “to determine compliance” with these policies; 57% of RIAs do
  – 84% of BDs perform risk assessments of vendors with access to firm networks; 32% of RIAs do
• Some near-universally accepted practices:
  – Use of encryption (98% of BDs and 91% of RIAs)
  – Inventorying physical devices (96% of BDs and 92% of RIAs)
  – Inventorying software platforms and applications (91% of BDs and 92% of RIAs)

Traditional Cybersecurity Enforcement Actions Based on Violations of Reg. S-P
• Portable electronic devices and portable media get lost or stolen
• Not protecting information provided to vendors
• Bad firm employees: “bad leavers” and “bad stayers”
• Inadequate restrictions on user access
• Failure to maintain adequate cybersecurity policies and procedures
• Failure to respond to known deficiencies

Potential Non-Traditional Cybersecurity Enforcement Actions
• Books and records
  – Cyberattack on a BDC, or a bad leaver or bad stayer
  – BDC could be charged with failing to preserve its records “so as to reasonably safeguard them from loss” or with failing to “limit access to . . . properly authorized personnel”
• Attacks on service providers through which the BDC conducts its activities
  – Hacker accesses the network of a BDC service provider and then accesses the BDC’s network
  – BDC could be charged with having inadequate policies and procedures for overseeing its service providers’ compliance
• Business continuity planning
  – A cyberattack could cause the firm’s network to go offline or require the firm to shut down its system while identifying and mitigating the breach
  – The BDC (or its RIA) could be charged with violating Rule 206(4)-7 if its BCP did not contain a contingency plan for maintaining operations during a network shutdown

What Every BDC/RIA Should Be Doing Now
• Prioritize cybersecurity within the company
  – Tone from the top matters
  – Board of directors and senior management should periodically discuss cybersecurity
• Identify the team in charge of information security
  – Legal
  – Compliance
  – Management
• Catalogue your information assets
  – Focus on critical information
  – Critical information may be stored outside of corporate data centers, such as on smart phones and vendors’ systems

What Every BDC/RIA Should Be Doing Now (cont.)
• Review existing written security policies with the team and assess the company’s security posture
  – Policies should reflect current regulatory requirements and best practices
  – Assessment should include training, policies, procedures and implementation
• Based on the assessment, determine whether existing policies are adequate or need improvement
  – Consider using the NIST Cybersecurity Framework
  – Conduct a cost/benefit analysis before making improvements
  – Focus on vendors and the need to obtain representations and warranties from them regarding their cybersecurity controls

What Every BDC/RIA Should Be Doing Now (cont.)
• Conduct regular employee training regarding the company’s information security procedures and responsibilities
  – Including general training in data protection measures
  – Keep employees informed in real time about cyberattacks at other companies, including how the attacks were perpetrated
• Develop and test an incident response plan (and make improvements based on the results of the test)

Questions?