Presentation & Materials - Sutherland Asbill & Brennan LLP

Transcription

Presentation & Materials - Sutherland Asbill & Brennan LLP
Moderator:
Harry S. Pangas
Speakers:
Mark Thibodeaux
Mary Jane Wilson-Bilik
Daniel E. Frank
Brian L Rubin
March 26, 2015
BDCs and Cybersecurity Preparedness
Presenters
Harry S. Pangas
Daniel E. Frank
Washington, DC
202.383.0805
harry.pangas@sutherland.com
Washington, DC
202.383.0838
daniel.frank@sutherland.com
Mark Thibodeaux
Brian L. Rubin
Houston, TX
713.470.6104
mark.thibodeaux@sutherland.com
Washington, DC
202.383.0124
brian.rubin@sutherland.com
Mary Jane Wilson-Bilik
Washington, DC
202.383.0660
mj.wilson-bilik@sutherland.com
©2015 Sutherland Asbill & Brennan LLP
Overview
•
•
•
•
•
3
Overview of the Changing Landscape
Legal Considerations
NIST Framework as a Guide
Enforcement Actions
What You Should be Doing Now
©2015 Sutherland Asbill & Brennan LLP
Overview of the Changing
Cybersecurity Landscape
We’ve all seen the headlines:
• “Massive data hack of health insurer Anthem
potentially exposes millions,” Wash. Post, 2/5/15
• “Sony Hack: 'Critical' Systems Won't Be Back Online
Until February,” NBC News, 1/23/15
• “JPMorgan says 76 million households were affected
by cyber breach,” Wash. Post, 10/2/14
• Home Depot, eBay, Neiman Marcus, LinkedIn, Jimmy
John’s, Michaels Stores, P.F. Chang’s, etc.
4
©2015 Sutherland Asbill & Brennan LLP
But I’m Not JPMorgan or Home
Depot
• Everyone is a target
• Analysis of attacks by one hacking group, “Comment
Crew,” showed successful compromises of more than
140 organizations across industries, including:
Engineering
Financial Services
Energy
Chemicals
Healthcare
Media and Entertainment
Scientific Research
Food and Agriculture
Legal Services
Transportation
Construction
Education
• Somewhere between 30% and 63% of hacked
companies have 250 or fewer employees
5
©2015 Sutherland Asbill & Brennan LLP
Sources of Attacks
• Criminals
 Cyber-extortion – gangs in Eastern Europe, etc.
 Theft – wire transfers; attacks on bank or brokerage
accounts; identity theft
 Disgruntled former employees/bored students
• Hackivists
 Attack on corporate reputation; embarrass leadership
• Espionage
 Theft of intellectual property
• War
 Homeland security and critical infrastructure
 Non-state actors – cyberterrorism
6
©2015 Sutherland Asbill & Brennan LLP
Attack Profiles
• Many cyber attacks are now specifically targeted
 Phishing/Spear phishing/Whaling
 Water-holing
 Ransomware
 Doxing
• Hacking tools are increasingly sophisticated and
readily available
7
©2015 Sutherland Asbill & Brennan LLP
Traditional View of Security
But it was never
really this simple
8
©2015 Sutherland Asbill & Brennan LLP
There is No Moat and Drawbridge
• Portable computing laptops, tablets, smart phones
• Portable media (thumbdrives, external hard drives,
CDs/DVDs/Blu-Ray disks)
• Extranets and outsourced services
• Recently acquired/merged businesses
• Bring-your-own-device
• The Cloud
• “We have met the enemy and he is us”
 Employees, contractors, and vendors already have access
 They do not need malicious intent to be a problem
9
©2015 Sutherland Asbill & Brennan LLP
SEC Considerations
• Cybersecurity is an area of intense focus for the SEC
 March 2014: SEC Cybersecurity Roundtable
 Chair Mary Jo White: compelling need to address
cybersecurity threats
 announced national exam priority is to assess
preparedness in securities industry
• April 2014: SEC Cybersecurity Initiative
 OCIE published list of 26 tough questions on:
 Cybersecurity governance – written policies/ NIST
 Protection of networks and information
 Risks associated with vendors
 Detecting unauthorized activity
10
©2015 Sutherland Asbill & Brennan LLP
SEC Exam Priorities / NYDFS
• January 2015: Cybersecurity is an SEC Exam Priority
 Designates cybersecurity as a market-wide risk
 Underscores how important the SEC believes cybesecurity
is to the integrity of the market system
 Not just protection of customer data
• New York Department of Financial Services
Superintendent Lawsky
 March 12, 2015: “Cyber 9.11” could happen
 One of greatest threats to our economy
 Cybersecurity is regulator’s top priority
11
©2015 Sutherland Asbill & Brennan LLP
SEC Rules and Cyber Preparedness
• Rule 38a-1/ Rule 206-4(7)
 Require written compliance policies and procedures
reasonably designed to prevent violations of the federal
securities laws, annual review and annual report by CCO
 “Reasonable regulator” standard – take SEC’s expectations
about cybersecurity into account
• Primary aspects of compliance program relevant to
cybersecurity preparedness:
 Reg. S-P: safeguard customer information
 Rule 13a-15 and Section 13(b)(2) under 1934 Act:
 Possible that SEC will interpret “internal controls over
financial reporting” to require controls reasonably
designed to prevent cyberattacks
12
©2015 Sutherland Asbill & Brennan LLP
SEC Rules and Cyber Preparedness
• Rules 31a-2 (ICA)/ 204-2 (IA): Integrity of required
records
 If stored electronically, BDC must maintain procedures to:
 Maintain and preserve records so as to safeguard them
from loss, alteration or destruction
 Limit access to properly authorized personnel, directors
of the BDC and the SEC
 SEC could require procedures addressing cybersecurity
• Business continuity plans
 If a BDC’s computer system (or one of its service providers)
is shut down or corrupted, a BDC’s ability to continue in
operation could be affected
 SEC exam priority
13
©2015 Sutherland Asbill & Brennan LLP
Board Oversight of Cyber Risk
Management
• Boards generally have responsibility for overseeing
risk management processes
 SEC Commissioner Aguilar: “There can be little doubt that
cyber-risk must be considered as part of a board’s overall
risk oversight. Given the significant cyber-attacks that are
occurring with disturbing frequency…, ensuring the
adequacy of a company’s cybersecurity measures needs to
be a critical part of a board’s risk oversight responsibilities.”
• Common law duties of care and loyalty – duty to act
with prudence and prevent foreseeable harm
 A court may extend to duty to ensure that management has
an adequate framework, such as NIST Framework, for
considering and addressing foreseeable cybersecuity risks
14
©2015 Sutherland Asbill & Brennan LLP
NIST Cybersecurity Framework
• Executive Order on “Improving Critical Infrastructure
Cybersecurity” (Feb. 2013)
• NIST-developed Cybersecurity Framework (Feb.
2014)
• It’s voluntary, so why use it?
15
©2015 Sutherland Asbill & Brennan LLP
Framework – Structure
• The Framework provides tools to build or improve an
organization’s cybersecurity program
• Elements of the Framework:
 The Core
 Functions
 Categories/Subcategories
 Informative References
 Implementation Tiers
 Profile
16
©2015 Sutherland Asbill & Brennan LLP
Framework – Five Functions
•
•
•
•
•
17
Identify
Protect
Detect
Respond
Recover
©2015 Sutherland Asbill & Brennan LLP
Framework – Categories
• Categories and Subcategories within each function
• Examples:
Category
• Governance
(Function = Identify)
18
Subcategory
• Information security policy established
• Roles and responsibilities aligned
• Legal and regulatory requirements
understood and managed
• Governance and risk management
processes address cyber risks
©2015 Sutherland Asbill & Brennan LLP
Framework – Informative References
• Informative References – existing standards,
guidelines and practices common among critical
infrastructure structures that are linked to Categories
and Subcategories
 For example, ISO standards
• Not exhaustive – can include additional standards
adopted by the organization or industry
19
©2015 Sutherland Asbill & Brennan LLP
Framework – Implementation Tiers
• Implementation Tiers measure the level of “maturity”
(the degree of formality and sophistication) in the
organization’s cybersecurity program
 Tier 1 – Partial: not formalized, ad hoc, reactive
 Tier 2 – Risk-Informed: practices approved, no formal policy
 Tier 3 – Repeatable: practices and policy established
 Tier 4 – Adaptive: proactive, adapts to emerging threats
• Helps the organization determine what its current and
target cybersecurity postures are in each Category
20
©2015 Sutherland Asbill & Brennan LLP
Framework – Profile
• The goal of the Framework is to enable an
organization to build a cybersecurity profile – basically
a “roadmap”:
 What is my current cybersecurity posture?
 What do I want it to be?
 How do I get there?
 How do I assess progress and the end state?
• Not a one-size-fits-all approach
21
©2015 Sutherland Asbill & Brennan LLP
The SEC’s Cybersecurity Exam Sweep
•
Examined BDs and RIAs for general cybersecurity practices
 More to come in 2015
• 74% of RIAs reported experiencing a cyberattack either directly
or through a vendor (compare with 88% of BDs)
• RIAs have some catching up to do in certain areas:
 93% of BDs have written information security policies; 83% of RIAs
do
 89% of BDs conduct periodic audits “to determine compliance” with
these policies; 57% of RIAs do
 84% of BDs perform risk assessments of their vendors with access
to firm networks; 32% of RIAs do
•
Some near universally-accepted practices:
 Use of encryption (98% of BDs and 91% of RIAs)
 Inventorying physical devices (96% of BDs and 92% of RIAs)
22
 Inventorying software platforms and applications (91% of BDs and
92% of RIAs)
©2015 Sutherland Asbill & Brennan LLP
Traditional Cybersecurity Enforcement
Actions Based on Violations of Reg. S-P
• Portable electronic devices and portable media get
lost or stolen
• Not protecting information provided to vendors
• Bad firm employees
 “Bad leavers”
 “Bad stayers”
• Inadequate restrictions on user access
• Failure to maintain adequate cybersecurity policies
and procedures
• Failure to respond to known deficiencies
23
©2015 Sutherland Asbill & Brennan LLP
Potential Non-Traditional Cybersecurity
Enforcement Actions
•
Books and records
 Cyberattack on BDC
 Bad Leaver or Bad Stayer
 BDC could be charged with failing to preserve its records “so as to
reasonably safeguard them from loss” or with failing to “limit access to . . .
properly authorized personnel”
•
Attacks on service providers through which BDC conducts its
activities
 Hacker accesses network of BDC service provider and then accesses
BDC’s network
 BDC could be charged with having inadequate policies and procedures for
overseeing its service providers’ compliance
•
Business Continuity Planning
 Cyberattack could cause firm’s network to go offline or require firm to shut
down its system while identifying and mitigating the breach
24
 BDC could be charged with violating Rule 206(4)-7 if RIA’s BCP did not
contain a contingency plan for maintaining operations during a network
shutdown
©2015 Sutherland Asbill & Brennan LLP
What Every BDC/RIA Should Be
Doing Now
• Prioritize cybersecurity within the company
 Tone from the top matters
 Board of directors and senior management should
periodically discuss cybersecurity
• Identify team in charge of information security
 Legal
 Compliance
 Management
• Catalogue your information assets
 Focus on critical information
 Critical information may be stored on outside of corporate
“data” centers such as smart phones and vendors’ systems
25
©2015 Sutherland Asbill & Brennan LLP
What Every BDC/RIA Should Be
Doing Now (cont.)
• Review existing written security policies with the team
and assess the company’s security posture
 Policies should reflect current regulatory requirements and
best practices
 Assessment should include training, policies, procedures
and implementation
• Based on assessment, determine whether existing
policies are adequate or need improvement
 Consider using the NIST Cybersecurity Framework
 Conduct cost/benefit analysis before making
improvements
 Focus on vendors and the need to obtain representations
and warranties from them regarding their cybersecurity
controls, etc.
26
©2015 Sutherland Asbill & Brennan LLP
What Every BDC/RIA Should Be
Doing Now (cont.)
• Conduct regular employee training regarding the
company’s information security procedures and
responsibilities
 Including generally training in data protection measures
 Keep them informed in real-time about cyberattacks at other
companies, including how the attacks were perpetrated
• Develop and test an incident response plan (and
make improvements based on the results of the test)
27
©2015 Sutherland Asbill & Brennan LLP
Questions?
Harry S. Pangas
Daniel E. Frank
Washington, DC
202.383.0805
harry.pangas@sutherland.com
Washington, DC
202.383.0838
daniel.frank@sutherland.com
Mark Thibodeaux
Brian L. Rubin
Houston, TX
713.470.6104
mark.thibodeaux@sutherland.com
Washington, DC
202.383.0124
brian.rubin@sutherland.com
Mary Jane Wilson-Bilik
Washington, DC
202.383.0660
mj.wilson-bilik@sutherland.com
©2015 Sutherland Asbill & Brennan LLP