
© 2019 Financial Industry Regulatory Authority, Inc. All rights reserved. 1

Chief Compliance Officer’s (CCO’s) Role in Cybersecurity (Cybersecurity Track)

Wednesday, May 15, 11:15 a.m. – 12:15 p.m.

Increased use of technologies such as mobile devices, social media and cloud computing has increased the risk posed by cyber criminals. As a result, in addition to other compliance matters, the CCO is now also responsible for protecting company information technology (IT) systems. During this session, panelists discuss steps CCOs should take to prevent or reduce cyber-attack risk.

Moderator: Kevin Bogue, Regulatory Principal, Sales Practice, FINRA Chicago District Office

Panelists: Leslie Jallans, Chief Compliance Officer, NEXT Financial Group, Inc.; Judith Villarreal, Esq., General Counsel and Chief Compliance Officer, CoreCap Investments, Inc.; Daniel Woodring, Executive Vice President and Chief Compliance Officer, PFS Investments Inc.

Chief Compliance Officer’s (CCO’s) Role in Cybersecurity (Cybersecurity Track)

Panelist Bios

Moderator:

Kevin Bogue joined FINRA in January 2017 as a Regulatory Principal in the Chicago District Office. Mr. Bogue is a member of the Sales Practice Cybersecurity team responsible for examining firms’ controls over their protection of sensitive client and firm information. Prior to joining FINRA, Mr. Bogue gained more than 17 years of information technology (IT) and security experience working as a technology consultant with Accenture, as an internal Global IT auditor, IT Compliance Manager and SOX Program Manager with Abbott Laboratories, as an IT Compliance Manager with Brunswick and as an internal IT Audit Manager with CDW. Mr. Bogue earned an MS in Information Systems from DePaul University in Chicago, IL and a BS in Psychology from Iowa State University in Ames, IA.

Panelists:

Leslie B. Jallans joined NEXT Financial Group, Inc. in September 2014 as Chief Compliance Officer, where she is responsible for the firm’s broker/dealer and investment adviser compliance programs. Prior to that, Ms. Jallans served in Chief Compliance Officer roles over a 30-year period with Houston-based dual registrants including Sanders Morris Harris Inc., American General Securities Incorporated, Hines Securities, Inc. and Advantage Capital Corporation. Ms. Jallans earned the degrees of Master of Business Administration and Bachelor of Music Education from Loyola University in New Orleans. She holds the Series 4, 7, 24, 27, 53, 63 and 65 licenses. Ms. Jallans is a securities arbitrator with FINRA Dispute Resolution and she serves on the FINRA Content Committee for the Regulatory Element of Continuing Education.

Judith A. Villarreal is a financial services compliance professional and attorney who has worked in this area since the Eighties. Beginning at the Chicago Mercantile Exchange in the Compliance and Legal Department, Ms. Villarreal has worked as inside and outside counsel and compliance officer with banks, broker-dealers, registered investment advisors, commodity trading advisors, commodity pool operators, futures commission merchants, insurance agencies and insurance field marketing organizations. Ms. Villarreal currently practices as General Counsel and Chief Compliance Officer for CoreCap Investments, Inc., a registered broker-dealer and member, FINRA/SIPC, as well as its affiliated federally registered investment adviser, CoreCap Advisors, Inc., and as Compliance Counsel to M&O Marketing, an independent marketing organization, in the state of Michigan. She is admitted to practice in Michigan, having been previously admitted in the States of Illinois and Hawaii. In addition to the credentials above, Ms. Villarreal currently holds 13 FINRA series licenses, is a Certified Anti-Money Laundering Specialist (“CAMS”) and a Certified Information Privacy Professional/US (“CIPP/US”), and holds additional compliance certifications in insurance and banking. She notes that she is lucky to be good at multiple-choice exams and to work in an industry where that is a marketable skill.

Daniel Woodring is Executive Vice President and Chief Compliance Officer of PFS Investments Inc. and Primerica Shareholder Services, Inc. Prior to joining Primerica, Mr. Woodring worked in numerous roles within the financial services industry, including at brokerage, banking, insurance and consulting firms. He graduated from the University of Georgia, earning a B.B.A. with dual majors in Finance and Risk Management. In 2000, Mr. Woodring received his J.D. from the Georgia State University College of Law. He is a member of the Georgia Bar and has served as Chair of the Financial Services Institute’s Compliance Council and as a member of the FINRA South Regional Committee.

Chief Compliance Officer’s (CCO’s) Role in Cybersecurity (Cybersecurity Track)

2019 FINRA Annual Conference | © 2019 FINRA. All rights reserved.

Panelists

Moderator

Kevin Bogue, Regulatory Principal, Sales Practice, FINRA Chicago District Office

Panelists

Leslie Jallans, Chief Compliance Officer, NEXT Financial Group, Inc.

Judith Villarreal, Esq., General Counsel and Chief Compliance Officer, CoreCap Investments, Inc.

Daniel Woodring, Executive Vice President and Chief Compliance Officer, PFS Investments Inc.

To Access Polling

Under the “Schedule” icon on the home screen, select the day, choose the Chief Compliance Officer’s (CCO’s) Role in Cybersecurity (Cybersecurity Track) session, and click on the polling icon.

Agenda – CCO’s Role in Cybersecurity

Key Topics for any Cybersecurity Program

Governance

Risk Assessment

Vendor Management

Branch Office

Incident Response Planning

Training and Security Awareness

Polling Question 1

1. Does your firm have a formal technology risk governance structure (i.e., steering committee) to which important cybersecurity matters are escalated?

a. Yes

b. No

Governance

Resources assigned and overall cybersecurity program governance

Leaders, resources and organization

Information security roles defined

Governance groups and process (senior leadership / board involvement)

Policies, standards and procedures

Risk Assessment

What is a risk assessment?

A systematic approach to estimating the magnitude of risks (risk analysis) and comparing risk to risk criteria (risk evaluation). It is an ongoing process, not a single point-in-time review.

Scope of a risk assessment

Critical asset inventory (data, hardware, software, systems)

Threat evaluation – both external and internal

Vulnerability assessment of assets

Risk evaluation and prioritization – governance

Technical controls

Vendors and their affiliates

Polling Question 2

2. Is your firm’s compliance department involved in the vendor management program?

a. Yes

b. No

c. I don’t know

Vendor Management

Firm’s processes to manage and oversee critical vendors:

Firm’s list of critical technology vendors

– Application systems (e.g., clearing systems) and technology services (e.g., datacenters, network)

Life Cycle for Vendor Management:

– Onboarding: establish controls and associated contractual terms/conditions

– Operational Oversight: annual audit and testing along with contingency planning

– SOC reports

– Termination: access to and disposal of sensitive / confidential data

Polling Question 3

3. Does your firm provide formal cybersecurity guidance to branch offices?

a. Yes

b. No

Branch Office

Cyber control areas would include:

Firm policy directly related to branch operations

Physical security and maintaining an inventory of critical data, software and hardware

Inventory of critical data, software and hardware existing at a branch

The use of complex passwords to protect devices (desktop, laptop, mobile)

Security of assets and data (both on premises and in the cloud)

Encryption of hard drives (desktop, laptop and mobile)

Secure transmission and storage of data (including email)

Incident reporting of lost or stolen data and hardware

Patch and virus protection processes

Firm branch exams with a specific cybersecurity focus

RR training and certification (e.g., annual attestation of expected cybersecurity controls)

Polling Question 4

4. Does your firm have a written cybersecurity incident response plan?

a. Yes

b. No

Incident Response Planning

Creation of plans and procedures, and regular testing, of potential responses to cyber incidents

– How to identify, react to, manage and recover from a cybersecurity incident

– Internal, public media, business partner and customer communication plans

– Engagement with industry groups, law enforcement and regulators

Cyber incident handling should be integrated into the firm’s existing processes

– Business continuity and disaster recovery: plans for maintaining and recovering critical business operations during and after an interruption caused by a cyber incident

Tools, training and practice exercises

Polling Question 5

5. Does your firm have a formal cybersecurity training program?

a. Yes

b. No

Training and Security Awareness

Include employees, contractors, third parties and potentially customers

Include cyber threats (phishing, attachments, links, etc.), privacy, and information handling

All firms should employ a formal annual training and certification program

Multiple learning approaches are helpful

– Classroom and online self-study (internally and/or externally developed)

– Lunch-and-learns and informal roadshows

– Periodic email addressing specific cyber risks

Periodic testing to raise awareness

– Staged phishing emails, bad links, or “lost” flash drives delivering instructive messages

References

FINRA Cybersecurity Page: www.finra.org/industry/cybersecurity

– Small Firm Cybersecurity Checklist

– Report on Cybersecurity Practices (2015)

– Report on Selected Cybersecurity Practices – 2018

– Compliance Vendor Directory

NIST Cybersecurity Framework: www.nist.gov/cyberframework

2019 FINRA Cybersecurity Half-Day Seminars

Chief Compliance Officer’s (CCO’s) Role in Cybersecurity (Cybersecurity Track)

Wednesday, May 15, 11:15 a.m. – 12:15 p.m.

Resources

FINRA Resources

FINRA Cybersecurity Webpage www.finra.org/industry/cybersecurity

Small Firm Cybersecurity Checklist www.finra.org/sites/default/files/smallfirm_cybersecurity_checklist.xlsx

Report on Selected Cybersecurity Practices – 2018 www.finra.org/sites/default/files/Cybersecurity_Report_2018.pdf

Report on Cybersecurity Practices (2015) www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf

Compliance Vendor Directory www.finra.org/industry/cvd

2019 FINRA Cybersecurity Half-Day Seminars Webpage www.finra.org/industry/2019-finra-cybersecurity-half-day-seminars

Other Resource

NIST Cybersecurity Framework Webpage www.nist.gov/cyberframework