© 2018 Financial Industry Regulatory Authority, Inc. All rights reserved.

Welcome Remarks
Thursday, February 22, 9:00 a.m. – 9:15 a.m.

Speaker: Steven Randich, Executive Vice President and Chief Information Officer, FINRA Office of the Chief Information Officer

Speaker Biography: Steven J. Randich, Executive Vice President and Chief Information Officer (CIO), oversees all technology at FINRA. Previously, Mr. Randich served as Co-CIO at Citigroup, and CIO and Global Head of Technology for Citigroup's Institutional Clients Group. Prior to joining Citigroup, he was Executive Vice President of Operations and Technology and CIO at NASDAQ, where he was responsible for all aspects of NASDAQ technology, including applications development and technology infrastructure. From 1996 to 2000, Mr. Randich served as Executive Vice President and CIO for the Chicago Stock Exchange. He was responsible for all technology, trading-floor and back-office operations, and business product planning and development. Prior to joining the Chicago Stock Exchange, Mr. Randich was a Managing Principal at IBM Global Services and a Manager at KPMG. Mr. Randich has an undergraduate degree in computer science from Northern Illinois University and an M.B.A. from the University of Chicago.



2018 Cybersecurity Conference | February 22 | New York, NY

Welcome Remarks


FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.

Speaker

Steven Randich, Executive Vice President and Chief Information Officer, FINRA Office of the Chief Information Officer


Keynote Address With Jeff Lanza
Thursday, February 22, 9:15 a.m. – 9:45 a.m.

Speaker: Jeff Lanza, Retired FBI Agent

Speaker Biography: Jeff was chosen as the best speaker in the 50-year history of Kansas City’s prestigious Plaza Club. He is a professional speaker who has provided over one thousand presentations on the topics of cybercrime, leadership, crisis communication, ethics, identity theft, body language and more. His clients include 20th Century Fox Entertainment, UBS, Merrill Lynch, Morgan Stanley, Nationwide, Citigroup, The Young Presidents Organization, American Century, Hallmark, H & R Block, Hess Oil, Standard and Poor’s, Financial Executives International, U.S. Bank, Wells Fargo and others. He developed and presented a program on identity theft prevention which was used to educate a nationwide audience of Citigroup employees. His program on the topic of leadership integrity has been certified for education credits across the United States. Jeff was the 2017 International Keynote Speaker for a cyber security road show in Australia, during which he spoke to businesses about cyber crime prevention. Jeff was head of operations security for the Kansas City FBI and a graduate of the world-renowned John E. Reid School of Interviewing and Interrogation. He is a certified FBI instructor and has trained numerous government agencies and corporate clients on how to interpret and project body language for more effective interpersonal communication. In addition to his latest book on the topic of cyber security, Jeff authored speeches for FBI executives and has been published in The Kansas City Star, Ingram’s Magazine and on the FBI National Web site. Jeff consulted for Academy Award-winning director Ang Lee during the production of “Ride with the Devil”, and he has provided regular consulting services for television and movie production in Hollywood at Steele Films and Granfalloon Productions.

Jeff was a major contributor and appeared on camera in a recent episode of The History Channel’s “America’s Book of Secrets”. He was featured in the companion documentary to the major theatrical release “Runner Runner”, which stars Ben Affleck and Justin Timberlake. Jeff has been featured in television commercials on the topic of fraud prevention. Jeff was recruited by the FBI from Xerox Corporation, where he was a Computer Systems Analyst. He has an undergraduate degree in Criminal Justice from the University of New Haven (Connecticut) and a master’s degree in Business Administration from the University of Texas.


Keynote Address With Jeff Lanza


Speaker

Jeff Lanza, Retired FBI Agent


Preventing Identity Theft 2018
Presented by Retired FBI Special Agent Jeff Lanza

Credit Reporting Bureaus

Equifax: (800) 525-6285; (800) 685-1111 to freeze your credit report
P.O. Box 740241, Atlanta, GA 30374

Experian: (888) 397-3742; (888) 397-3742 to freeze your credit report
P.O. Box 9530, Allen, TX 75013

Trans Union: (800) 680-7289; (888) 909-8872 to freeze your credit report
P.O. Box 2000, Chester, PA 19016

Innovis: (800) 540-2505; (800) 540-2505 to freeze your credit report
P.O. Box 1640, Pittsburgh, PA 15230

You are allowed 3 free reports each year; to order:
Web: www.annualcreditreport.com or 877-322-8228

Your credit report at Innovis must be ordered from:
www.innovis.com/personal/creditReport

To remove your name from lists:
Mail - www.dmachoice.org; Phone - www.donotcall.gov

To stop preapproved credit card offers:
www.optoutprescreen.com or 1-888-5-OPTOUT (567-8688)

To Report Internet Fraud: www.ic3.gov

Key Numbers
FBI (202) 324-3000 or your local field office
FTC 1-877-IDTHEFT; IRS 1-800-829-0433
Postal Inspection Service 1-877-876-2455
Social Security Administration 1-800-269-0271
Identity Theft Resource: www.identitytheft.gov

1. Protect Your Personal Information
✓ Don’t carry your social security card.
✓ Don’t provide your social security number to anyone unless there is a legitimate need for it.
✓ Be aware that most Medicare cards use the social security number as the Medicare number. Take steps to protect your card.

2. Protect Your Documents
✓ Shred your sensitive trash with a cross-cut or micro-cut shredder.
✓ Don’t leave outgoing mail with personal information in your mailbox for pickup.

3. Be Vigilant Against Tricks
✓ Never provide personal information to anyone in response to an unsolicited request.
✓ Never reply to unsolicited emails from unknown senders or open their attachments.
✓ Don’t click on links in emails from unknown senders.

4. Protect Your Communications
✓ Keep your computer and security software updated.
✓ Don’t conduct sensitive transactions on a computer that is not under your control.
✓ Protect your Wi-Fi with a strong password and WPA2 encryption.

5. Protect Your Digital World
✓ Use strong passwords with at least eight characters, but the longer the stronger. Try random words strung together or phrases.
✓ Use different passwords for your various accounts.
✓ If you store passwords in a file on your computer, encrypt the file when you save it and assign a strong password to protect that file. This sounds obvious, but don’t name the file “passwords”.
✓ Consider using password management programs.

Speaker Information: Jeff Lanza
Phone: 816-853-3929
Email: [email protected]
Web Site: www.thelanzagroup.com

Terms to Understand:

1. Fraud Alert: Your credit file at all three credit reporting agencies is flagged and a potential lender should take steps to verify that you have authorized the request.
Inside Scoop: Fraud alerts only work if the merchant pays attention and takes steps to verify the identity of the applicant. They expire in 90 days unless you have been a victim of identity theft, in which case you can file an extended alert - it lasts for seven years.

2. Credit Monitoring: Your credit files are monitored by a third party - if activity occurs you are notified.
Inside Scoop: Credit monitoring does not prevent fraud, it only notifies you when your credit reports have been accessed, which is an indication that fraud may have occurred.

3. Credit Freeze: A total lockdown of new account activity in your name. This requires unfreezing before you can open an account.
Inside Scoop: A proven way to protect against identity theft. Credit freeze laws vary by state. To check yours, go to your state Attorney General’s website and search for “credit report freeze”.

Identity Theft for Tax Related Purposes
If you are the victim of identity theft, or at risk because your information has been breached, go to this site:
https://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft

Social Networking Security Reminders
1. Log in directly, not through links.
2. Only connect to people you know and trust.
3. Don't put your email address, physical address, phone number or other personal information in your profile.
4. Sign out of your account after you use a public computer.


Problem: Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts. Often these funds may not be recovered. Where cyber criminals once attacked mostly large corporations, they have now begun to target municipalities, smaller businesses, and non-profit organizations. Thousands of businesses, small and large, have reportedly fallen victim to this type of fraud.

How it is Done: Cyber criminals will often “phish” for victims using mass emails, pop-up messages that appear on their computers, and/or the use of social networking and internet career sites. For example, cyber criminals often send employees unsolicited emails that:
✓ Ask for personal or account information;
✓ Direct the employee to click on a malicious link provided in the email; and/or
✓ Contain attachments that are infected with malware.

Cyber criminals use various methods to trick employees into opening the attachment or clicking on the link, sometimes making the email appear to provide information regarding current events such as natural disasters, major sporting events, and celebrity news to entice people to open emails and click. Criminals also may disguise the email to look as though it’s from a legitimate business. Often, these criminals will employ some type of scare tactic to entice the employee to open the email and/or provide account information. For example, cyber criminals have sent emails claiming to be from:
1. UPS (e.g., “There has been a problem with your shipment.”)
2. Financial institutions (e.g., “There is a problem with your banking account.”)
3. Better Business Bureaus (e.g., “A complaint has been filed against you.”)
4. Court systems (e.g., “You have been served a subpoena.”)

Crooks may also use email addresses or other credentials stolen from company websites or victims, such as relatives, co-workers, friends, or executives, and design an email to look like it is from a trusted source to entice people to open emails and click on links.

They may also use variations of email domains that closely resemble the company’s domain and may go unnoticed by the recipient who is being requested to make the transfer.
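The lookalike-domain trick described above is one a mail gateway or a finance team's inbox rule can catch mechanically, because a domain that is one edit or one swapped glyph away from the firm's own domain is rarely legitimate. The following check is an added example and is not code from the handout or from the FBI; the company domain, the homoglyph table, the edit-distance threshold and the sample sender addresses are all constructed for illustration.

```python
"""Flag sender domains that merely resemble the organisation's own domain.

Added example (not part of the handout): the company domain, the
homoglyph table and the sample sender addresses below are constructed.
"""

COMPANY_DOMAIN = "example-corp.com"  # hypothetical organisation domain

# Constructed sample of "From:" addresses seen on inbound mail.
SAMPLE_SENDERS = [
    "cfo@example-corp.com",                 # genuine
    "cfo@examp1e-corp.com",                 # digit 1 in place of the letter l
    "payments@example-corp.co",             # one character dropped from the TLD
    "ceo@exarnple-corp.com",                # "rn" in place of "m"
    "vendor@totally-different.org",         # ordinary external sender
    "hr@example-corp.com.evil-mail.test",   # real domain buried inside another one
    "ops@mail.example-corp.com",            # genuine subdomain
    "not-an-address",                       # malformed header value
]

# Character sequences that look alike in common fonts. Both the company domain
# and the candidate are rewritten with this table before comparison, so the
# rewrite only has to be consistent, not exact.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalise(domain: str) -> str:
    """Lower-case a domain and collapse look-alike character sequences."""
    d = domain.lower()
    for lookalike, canonical in HOMOGLYPHS:
        d = d.replace(lookalike, canonical)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, company_domain: str = COMPANY_DOMAIN,
                    max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for one address."""
    if address.count("@") != 1:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower()
    company = company_domain.lower()
    if domain == company or domain.endswith("." + company):
        return "internal"
    # The genuine name used as the leading labels of a longer domain.
    if domain.startswith(company + "."):
        return "lookalike"
    if normalise(domain) == normalise(company):
        return "lookalike"
    if levenshtein(normalise(domain), normalise(company)) <= max_distance:
        return "lookalike"
    return "external"


def flag_senders(addresses, company_domain: str = COMPANY_DOMAIN) -> dict:
    """Classify a batch of addresses; a caller would alert on 'lookalike' entries."""
    return {addr: classify_sender(addr, company_domain) for addr in addresses}


if __name__ == "__main__":
    for addr, verdict in flag_senders(SAMPLE_SENDERS).items():
        print(f"{verdict:9s} {addr}")
```

The edit-distance threshold of 2 is a judgement call: it catches dropped or swapped characters without flagging genuinely unrelated domains, and the homoglyph table is applied to both sides so that a legitimate domain containing "rn" is not penalised. In practice the "lookalike" verdict should route the message to a quarantine or a banner rather than silently dropping it, since the list of confusable sequences is never complete.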

What You Can Do to Keep Safe - Education

Educate everyone on this type of fraud scheme.
• Don’t respond to or open attachments or click on links in unsolicited e-mails. If a message appears to be from your financial institution and requests account information, do not use any of the links provided.
• Be wary of pop-up messages claiming your machine is infected and offering software to scan and fix the problem, as it could actually be malicious software that allows the fraudster to remotely access and control your computer.

Cyber Fraud: Preventing Account Takeovers
Presented by Retired FBI Special Agent Jeff Lanza

Preventing Wire Transfer/ACH Fraud
1. Conduct online banking and payments activity from one dedicated computer that is not used for other online activity.
2. Use all bank provided wire transfer controls.
3. Require two persons to consummate all wire transfers to external parties.
4. Require the bank to talk to someone at your organization before the wire transfer is consummated.
5. Restrict the bank accounts from which a wire transfer can be made.
6. Any wire transactions over a set high dollar amount must have the approval of the business owner/CEO.
7. Use unique passwords or a bank supplied token to access wire-transfer software.
8. Review daily bank account activity on a regular basis.
9. Require sufficient documentation and have a second person review all wire transfer journal entries.
10. Establish positive pay and block for ACH transactions. This will eliminate the possibility of non-approved transactions.
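Controls 3, 4, 5 and 6 in the list above are the ones that can be enforced in software rather than left to habit: dual control, a bank call-back, a whitelist of source accounts and an executive sign-off above a dollar threshold. The policy check below is an added example and not code from the handout or the FBI list it cites; the account ids, user ids, threshold and sample requests are constructed.

```python
"""Dual-control check for outgoing wire requests.

Added example (not from the handout or the FBI list it cites): encodes
controls 3, 4, 5 and 6 as a policy and reports which ones a request fails.
Account ids, user ids and the dollar threshold are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WirePolicy:
    allowed_source_accounts: frozenset   # control 5: accounts enabled for wires
    executive_approver: str              # control 6: owner/CEO user id
    high_value_threshold: float          # control 6: amount above which that approval is required
    min_persons: int = 2                 # control 3: distinct people involved in the wire


@dataclass(frozen=True)
class WireRequest:
    request_id: str
    source_account: str
    amount: float
    initiator: str
    approvers: tuple                     # user ids that approved the request
    bank_callback_confirmed: bool        # control 4: bank spoke to someone at the firm


def evaluate(req: WireRequest, policy: WirePolicy) -> list:
    """Return the failed controls; an empty list means the wire may proceed."""
    failures = []
    if req.source_account not in policy.allowed_source_accounts:
        failures.append("control 5: source account not enabled for wire transfers")
    # The initiator counts as one person; approving your own request is not dual control.
    persons = {req.initiator, *req.approvers}
    if len(persons) < policy.min_persons:
        failures.append("control 3: fewer than two distinct persons (self-approval)")
    if req.amount > policy.high_value_threshold and policy.executive_approver not in req.approvers:
        failures.append("control 6: high-value wire lacks owner/CEO approval")
    if not req.bank_callback_confirmed:
        failures.append("control 4: bank call-back not confirmed")
    return failures


POLICY = WirePolicy(  # constructed values
    allowed_source_accounts=frozenset({"OPS-001"}),
    executive_approver="ceo",
    high_value_threshold=25_000.0,
)

SAMPLE_REQUESTS = [  # constructed requests covering each control
    WireRequest("R1", "OPS-001", 5_000.0, "alice", ("bob",), True),        # clean
    WireRequest("R2", "OPS-001", 5_000.0, "alice", ("alice",), True),      # self-approved
    WireRequest("R3", "OPS-001", 60_000.0, "alice", ("bob",), True),       # high value, no CEO
    WireRequest("R4", "PAYROLL-9", 5_000.0, "alice", ("bob",), False),     # wrong account, no call-back
    WireRequest("R5", "OPS-001", 60_000.0, "alice", ("bob", "ceo"), True), # high value, CEO signed
]


def review_batch(requests, policy=POLICY) -> dict:
    """Map each request id to the list of controls it fails."""
    return {r.request_id: evaluate(r, policy) for r in requests}


if __name__ == "__main__":
    for rid, failures in review_batch(SAMPLE_REQUESTS).items():
        print(rid, "APPROVED" if not failures else "; ".join(failures))
```

Returning every failed control rather than stopping at the first one matters for the audit trail: a request that fails both the account whitelist and the call-back is a different signal from one that merely lacks a second approver, and control 9 (documented, second-person review of the journal) is easier when the reason for rejection is recorded in full.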

Source: FBI

Businesses May Absorb Losses! The Uniform Commercial Code does not require banks to refund money lost by fraudulent transfer.


Cyber Security and Fraud Prevention for Organizations
Presented by FBI Special Agent Jeff Lanza (Retired)

Five Common Scams That Target Businesses of All Sizes

1. Phishing E-mails – Phishing e-mails specifically target business owners with the goal of hacking into their computer or network. Common examples include e-mails pretending to be from the IRS claiming the company is being audited or phony e-mails from the Better Business Bureau, saying the company has received a complaint. If you receive a suspicious e-mail like this, don’t click on any links or open any attachments.

2. Data Breaches – No matter how vigilant your company is, a data breach can still happen. Whether it’s the result of hackers, negligence or a disgruntled employee, a data breach can have a severe impact on the level of trust customers have in your business. Educate employees on the importance of protecting information and practice the “need to know policy” internally.

3. Directory Scams – Commonly the scammer will call the business claiming they want to update the company’s entry in an online directory, or the scammer might lie about being with the Yellow Pages. The business is later billed hundreds of dollars for listing services they didn’t agree to.

4. Overpayment Scams – If a customer overpays using a check or credit card and then asks you to wire the extra money back to them or to a third party, don’t do it. This is a very popular method to commit fraud. Wait until the original payment clears and then offer the customer a refund by check or credit.

5. Phony Invoices – The United States Postal Service suspects that the dollar amount paid out to scammers as a result of phony invoices may be in the billions annually, mostly from small and medium sized businesses. Scrutinize invoices carefully and conduct regular audits of accounts payable transactions.

Preventing Check Fraud
• Use Positive Pay, the annual cost of which is far below the cost of one average check fraud case.
• Use secure checks, which include many features to prevent different types of check fraud.
• Securely store check stock, deposit slips, bank statements and cancelled checks.
• Implement a secure financial document destruction process using a high security shredder.
• Establish a secure employee order policy for check stock.
• Purchase check stock from established vendors.
• Regularly review online images of cancelled checks.

Preventing Embezzlement

Things You Should Do:
1. Separate duties and powers with regard to payments and account reconciliation.
2. Establish a tips hotline that offers anonymity and the possibility of a reward.
3. Conduct surprise audits, as employees may be able to cover up some fraud in advance of an audit.
4. Never completely trust anyone – many large fraud cases have been undertaken by “a most trusted employee”.

Watch Out When an Employee:
1. Doesn’t want to take a day off.
2. Makes expensive purchases including luxury items, cars, boats, exotic vacations and second homes.
3. Has high personal debt, high medical bills, poor credit, personal financial loss and addictions.

A pre-employment background investigation should include checks and verifications in the following areas:
▪ Employment history
▪ Education
▪ Professional accreditation
▪ Military record
▪ Credit history
▪ Motor vehicle record
▪ Arrests
▪ Workplace violence or threatening behavior

To Promote an Ethical Workplace
• Demonstrate top management commitment.
• Communicate expectations on a regular basis.
• Maintain focus on vision and mission.
• Monitor conduct – trust but verify.
• Maintain whistleblower channels and policies.
• Respond quickly to misconduct.
• Reward acts of integrity.

Red Flags That May Signal Integrity Issues
Cynicism; alienation from coworkers; poor or inconsistent work performance; resentment of management; behavioral changes or work habit changes; employee sense of entitlement.


Protecting Your Family in The Information Age (2018)
Presented by Retired FBI Special Agent Jeff Lanza

Current Threats

Fake Notification E-mails
Watch out for fake emails that look like they came from Facebook. These typically include links to phony pages that attempt to steal your login information or prompt you to download malware. Never click on links in suspicious emails. Log in to a site directly.

Suspicious Posts and Messages
Wall posts or messages that appear to come from a friend asking you to click on a link to check out a new photo or video that doesn't actually exist. The link is typically for a phony login page or a site that will put a virus on your computer to steal your passwords.

Money Transfer Scams
Messages that appear to come from friends or others claiming to be stranded and asking for money. These messages are typically from scammers. Ask them a question that only they would be able to answer, or contact the person by phone to verify the situation, even if they say not to call them.

Specific Actions to Avoid
1. Don’t click on a message that seems weird. If it seems unusual for a friend to post a link, that friend may have gotten their site hijacked.
2. Don’t enter your password through a link. Just because a page on the Internet looks like Facebook, it doesn't mean it is. It is best to go to the Facebook login page through your browser.
3. Don't use the same password on Facebook that you use in other places on the web. If you do this, phishers or hackers who gain access to one of your accounts may be able to access your other accounts as well, including your bank.
4. Don't click on links or open attachments in suspicious emails. Fake emails can be very convincing, and hackers can spoof the "From:" address so the email looks like it's from a social site. If the e-mail looks weird, don't trust it. Delete it.
5. Don’t send money anywhere unless you have verified the story of someone who says they are your friend or relative.

Never go to a login page through a link in an email or a pop up. Always go to the login page directly by typing the site name or, preferably, through a stored bookmark that you created.

General Online Safety Rules
Be wary of strangers - The internet makes it easy for people to misrepresent their identities and motives. If you interact with strangers, be cautious about the amount of information you reveal.
Be skeptical - People may post false or misleading information about various topics, including their own. Try to verify the authenticity of any information before taking any action.
Evaluate your settings - Use privacy settings. The default settings for some sites may allow anyone to see your profile. Even private information could be exposed, so don't post anything that you wouldn't want the public to see.

Two Factor Authentication
Requires you to provide a password and a PIN code (most often sent to your phone) to log in to online accounts. Use this to prevent hijacking of your accounts. In most cases you can set this up in the “settings” section of your account.

Popular Programs: Malware Removal: Malwarebytes. Password Management: Keeper, LastPass, Dashlane.

Ransomware aka Cryptowall
This fraud scheme begins when the victim clicks on an infected advertisement, e-mail, or attachment, or visits an infected website. Once infected with the ransomware, the victim’s files become encrypted. In most cases, once the victim pays a ransom fee, they regain access to the files that were encrypted. Here are three ways to stay protected:

Educate computer users about clicking on suspicious links or popups. Sometimes these come in the form of a package delivery notification from major brand names like Amazon, FedEx or UPS.

Enable popup blockers. Popups are regularly used by criminals to spread malicious software.

Always back up the content on your computer. If you are infected by ransomware, you can have your system wiped clean and then restore your files from your backup. Also, because ransomware can infect all hard drives, disconnect the backup drive when not in use or use cloud backup.

Password Management
Try to use different strong passwords for all your accounts. At a minimum, have different passwords for multiple email accounts, social networking, financial and employer sites.

General Rules for Computer Security:
• If you were not looking for it, then don’t download it.
• Keep your software current with the latest updates.
• Don’t click on links in emails from unknown senders.
• Be cautious when clicking on links in emails from known senders, as their account may have been hijacked.
• Keep your PC protected with Windows Defender or antivirus software from a third party.
• Use CTRL+ALT+DEL to exit a popup safely in Windows.
• Use CMD+Option+Escape to exit a popup on a Mac.


Chief Compliance Officer’s (CCO’s) Role in Cybersecurity
Thursday, February 22, 10:00 a.m. – 11:00 a.m.

Increased use of technologies such as mobile devices, social media and cloud computing has increased the risk posed by cyber criminals. As a result, in addition to other compliance matters, the CCO is now also responsible for assisting—and protecting—company information technology (IT) systems. During this session, panelists discuss the role CCOs can play in a firm’s cybersecurity program.

Moderator: Steven Polansky, Senior Director, FINRA Office of Reg Ops Shared Services

Panelists:
Jose Dominguez, Chief Information Security Officer, TD Ameritrade, Inc.
Ann Grady, Chief Compliance Officer, Tastyworks, Inc.
Ann McCague, Managing Director and Global Head of Compliance, Piper Jaffray & Co.
Kyle Wootten, Chief Compliance Officer of Operations, Finance and Technology, Raymond James Financial


Chief Compliance Officer’s (CCO’s) Role in Cybersecurity: Panelist Bios

Moderator: Steven Polansky is Senior Director in FINRA's Office of Shared Services. In this capacity, Mr. Polansky leads special national initiatives, including FINRA’s digital investment advice and earlier cybersecurity and conflicts of interest reviews, and special projects. In addition, he leads development of FINRA’s annual regulatory and examination priorities. Previously, Mr. Polansky worked in FINRA's International Department, where he was responsible for analyzing international regulatory developments and leading FINRA's relationships with select financial regulators in Europe and Asia as well as international financial institutions. In addition, Mr. Polansky led advisory projects in a number of jurisdictions related to, among other things, risk-based supervision, prudential oversight and market surveillance. Prior to joining FINRA, he was a management consultant with PricewaterhouseCoopers, and he served for seven years as a professional staff member on the Committee on Foreign Relations in the United States Senate. At the Committee, Mr. Polansky was responsible for advising the Chairman on funding for the Department of State and other foreign policy agencies, missile non-proliferation and international environmental issues. Mr. Polansky received his master of business administration in finance from The Wharton School at the University of Pennsylvania, his master of public administration from the Kennedy School of Government at Harvard University, and his bachelor’s degree in history from Colgate University.

Panelists:

Jose Dominguez is Chief Information Security Officer at TD Ameritrade. He joined TD Ameritrade Holding Corporation (Nasdaq: AMTD) in 1997. He has been responsible for the development, maintenance and implementation of the enterprise security program and policies since 2013. Prior to his CISO role, Mr. Dominguez held various management positions within technology, leading Infrastructure and Application Development teams. Prior to joining TD Ameritrade, Mr. Dominguez spent 10 years with the brokerage firm Gruntal & Co. in various application development roles supporting front and back-office functions. He currently sits on the SIFMA Board Subcommittee on Cybersecurity and is a member of the NJ CISO Summit Governing Body.

Ann C. McCague has served as Managing Director and Global Head of Compliance for Piper Jaffray Companies since 2005, where she is responsible for regulatory compliance at all group affiliates, including Piper Jaffray & Co., the U.S. broker/dealer and primary operating entity, two foreign broker/dealers and five separate registered investment advisors. Ms. McCague’s career path covers 35 years in the industry, including CCO positions at Dain Rauscher and Think Equity Partners, as well as prior senior compliance positions at national firms. Given her broad scope of knowledge and standing as a seasoned expert, she is a frequent conference panelist. Ms. McCague is/has been a member of numerous FINRA and SIFMA committees. Ms. McCague is a graduate of Augsburg College in Minneapolis, MN, where she earned a master’s degree in Leadership and an undergraduate degree in English, with a Communications minor.

Kyle Wootten is the Chief Compliance Officer of Operations, Finance and Technology for Raymond James Financial and a member of the RJF Compliance Executive Leadership Team. In this role, Mr. Wootten is responsible for providing strategic direction and management of the compliance framework for various areas that cross multiple functions and entities affiliated with RJF. Specifically, this includes the compliance advice, oversight and testing of the Operations areas of the clearing firm, Raymond James & Associates, which includes oversight of RJA’s clearing and custodial businesses for unaffiliated introducing firms and registered investment advisers, the Financial, Regulatory Reporting and Treasury functions of the affiliated broker-dealers of RJF, and Information Technology, which includes management of the RJF Informational Governance Program. Mr. Wootten is a member of the 17a-5 Steering Committee, the Enterprise Information Technology Risk Board, the Stock Loan Committee for RJA and the Operational Risk Board. Prior to joining RJF, Mr. Wootten was the Deputy Director of Regulatory and Compliance for Thomson Reuters, where he supported the assessment and development of regulatory solutions for the BETA Systems, and worked closely with end-clients on a myriad of regulatory matters, primarily focused on the street-side settlement functions. For nearly 14 years prior to that, he served in various compliance and business roles at Wells Fargo Advisors, including the predecessor firms of Wachovia Securities and A.G. Edwards. During that time, Mr. Wootten held roles providing legal and compliance support to Capital Markets, Trading, and Operations, Technology and Finance. Additionally, he managed the Regulatory Change Management function, and was a member of the leadership team of the Wells Fargo Regulatory Reform Program managing the compliance and business analyst resources responsible for implementation of major regulatory initiatives at the firm. Mr. Wootten has an undergraduate degree in Economics and a law degree from Saint Louis University.

2018 Cybersecurity Conference, February 22 | New York, NY

Chief Compliance Officer’s (CCO’s) Role in Cybersecurity

FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.

Moderator

Steven Polansky, Senior Director, FINRA Office of Regulatory Operations / Shared Services

Panelists

Jose Dominguez, Chief Information Security Officer, TD Ameritrade, Inc.

Ann Grady, Chief Compliance Officer, Tastyworks, Inc.

Ann McCague, Managing Director and Global Head of Compliance, Piper Jaffray & Co.

Kyle Wootten, Chief Compliance Officer of Operations, Finance and Technology, Raymond James Financial

To Access Polling

Under the “Schedule” icon on the home screen, select the day, choose the Chief Compliance Officer’s (CCO’s) Role in Cybersecurity session, and click on the polling icon.

Polling Question 1

1. Does your firm have a CISO?

a. Yes

b. No

Polling Question 2

2. Does your firm have a formal technology risk governance structure (i.e., steering committee) to which important cybersecurity matters are escalated?

a. Yes

b. No

Polling Question 3

3. Are you directly involved in responding to FINRA or SEC cybersecurity-related examinations?

a. Yes, from a compliance perspective

b. Yes, from a technology perspective

c. Yes, from another perspective

d. No

Polling Question 4

4. Does your firm have a cybersecurity incident response plan?

a. Yes

b. No

Polling Question 5

5. Does your firm conduct tabletop exercises to test that plan?

a. Yes

b. No

Polling Question 6

6. Are you directly involved in developing or implementing your firm’s response plan?

a. Yes, from a compliance perspective

b. Yes, from a technology perspective

c. Yes, from another perspective

d. No

Response to Cybersecurity Threats – Where is the CCO?

• Members should create an incident response plan.

• The plan should identify all team members.

• The plan should address and inventory different types of threats.

• The plan should include a methodology for restoring compromised systems and/or data.

• The plan should include escalation procedures.

• The plan should include a methodology for communicating to clients, counter-parties, regulators and law enforcement.

Polling Question 7

7. Does your firm’s training include a specific focus on staff cybersecurity responsibilities?

a. Yes

b. No

Polling Question 8

8. Does your firm use internally developed phishing or other tools designed to assess the efficacy of training?

a. Yes

b. No

Polling Question 9

9. Are you directly involved in the development or delivery of your firm’s cybersecurity training?

a. Yes, from a compliance perspective

b. Yes, from a technology perspective

c. Yes, from another perspective

d. No

Polling Question 10

10. Are you directly involved in the cybersecurity aspects of your firm’s vendor management program?

a. Yes, from a compliance perspective

b. Yes, from a technology perspective

c. Yes, from another perspective

d. No


FINRA Cybersecurity Conference: Highlights for Compliance Officers

February 22, 2018

FINRA’s Cybersecurity Risk Reviews? Where does the CCO Role Lie In These Areas?

• Cybersecurity governance and risk management

• Cybersecurity risk assessments

• Technology governance

• System change management

• Technical controls

• Incident response planning

• Vendor management

• Data loss prevention

• Staff training

• Cyber intelligence & information sharing

Ann M. Grady, Feb. 22, 2018

CCO Role When a Cyber-Related Data Breach Occurs

• Who informs the CCO?

• Is the CCO part of the response team?

• Who decides whether regulators must be informed?

• Who decides which States or other authorities, customers, ... need to be informed?

CCO or CISO? Staff Training Design

Firms should provide cybersecurity training that is tailored to staff needs and that helps them to relate to the importance they play in protecting the firm, its clients and its data.

• defining cybersecurity training needs requirements;

• identifying appropriate cybersecurity training update cycles;

• delivering interactive training with audience participation to increase retention; and

• developing training around information from the firm’s loss incidents, risk assessment process and threat intelligence gathering.

CCO or CISO? Staff Training

Firms should provide cybersecurity training that is tailored to staff needs.

Effective practices for cybersecurity training include:

• Recognizing Risks

• Social Engineering Schemes and Phishing

• Handling Confidential Information

• Password Protection

• Escalation Policies

• Physical Security

• Mobile Security

Response to Cybersecurity Threats – Where is the CCO?

• Members should create an incident response plan.

• The plan should identify all team members.

• The plan should address and inventory different types of threats.

• The plan should include a methodology for restoring compromised systems and/or data.

• The plan should include escalation procedures.

• The plan should include a methodology for communicating to clients, counter-parties, regulators and law enforcement.

Vendor Due Diligence – Where is the CCO Role?

It is important for firms to establish appropriate contractual language to govern vendor relationships.

The provisions of the contract will govern the vendor’s obligations to the firm, as well as identify the firm’s prerogatives in relation to the vendor. The stringency of these clauses should be risk-based, with riskier vendor relationships requiring stronger language.

This includes:

• the manner in which the firm can conduct its ongoing oversight of the vendor,

• the conditions for terminating the relationship, and

• the vendor’s obligations to protect firm information in the event the relationship terminates.

CCO Panel, Feb. 22, 2018

Effective Practices for Insider Threats and Third-Party Risk Management
Thursday, February 22, 10:00 a.m. – 11:00 a.m.

Financial institutions are subject to threats on multiple fronts. Two threats of significant and growing concern to our industry include insiders, such as employees, and third parties, such as vendors. We necessarily rely on and trust both insiders and third parties; however, we must exert appropriate oversight if we are to prevent that trust from being violated by either malicious actors, or careless actions or inactions. During this session, panelists discuss case studies and share effective practices firms can use to manage and mitigate these risks, and develop and improve both their insider risk and third-party risk management programs.

Moderator: David Yacono, Senior Director, FINRA Technology, Cyber & Information Security

Panelists: Brice Cook, Director, Insider Risk Program, FINRA Technology, Cyber & Information Security; Kishen Sridharan, Cybersecurity Partnership and Outreach Executive, Raymond James Financial; Homayun Yaqub, Executive Director, JPMorgan Chase & Co.

Effective Practices for Insider Threats and Third-Party Risk Management Panelist Bios:

Moderator: David Yacono is Senior Director of Cyber & Information Security at FINRA. His current responsibilities include FINRA’s software security program, which provides security assurance services to a portfolio of more than 100 internally developed systems, as well as FINRA’s third-party risk management program, which evaluates, monitors, and manages the cybersecurity risk posed by FINRA’s vendors, cloud providers, and other third-party relationships. Mr. Yacono is also responsible for FINRA’s IT Security Risk Management and Compliance programs, which ensure compliance with IT security standards including FISMA, PCI-DSS, and FBI-CJIS. Since joining FINRA in 1999 he has served in various roles responsible for ensuring the secure and reliable operation of FINRA’s information technology systems, including security architect and security engineer. Mr. Yacono specializes in the application of information security processes, methodologies, and tools to protect the confidentiality, integrity, and availability of information and information processing systems, with special emphasis on financial services; he has nearly 25 years of experience in cybersecurity. Mr. Yacono earned a Bachelor of Science in Electrical Engineering from the University of Maryland, and holds current certifications as a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP), and a Certified Third Party Risk Management Professional (CTPRP).

Panelists: Brice Cook is FINRA’s first Director for Insider Risk, formally establishing the program after joining FINRA in early 2017. In this role, he leads a collaborative company-wide effort to develop, implement, and execute technical and non-technical processes needed to create a holistic system to manage insider risks. Before Mr. Cook came to FINRA, he retired as a Supervisory Criminal Investigator after 29 years of Federal Government service protecting some of the Nation’s most critical assets. The last 22 years of his Federal Government tenure were at the Department of Energy, serving as a Director in the Office of Corporate Security and leading efforts in Insider Threat, Special Access Programs, Human Reliability Programs, Investigations, Threat Management, and Executive Protection. Mr. Cook’s accomplishments include: establishing the DOE’s first formal Insider Threat Program; founding the Protective Services Working Group—a group of over 50 Federal organizations protecting the nation’s leadership—of which he also served as Chair; serving as a Chair in the Defense Department’s Combating Terrorism Technical Support Office, which provided expertise and oversight in the research and development of personnel protection technologies; serving as a board member of the FBI Joint Terrorism Task Force Executive Board and the DHS Advisory Board for Law Enforcement Officers Flying Armed; and developing policy and guidance for the Federal Government on security professional development and continuity programs. Mr. Cook is a graduate of the 244th session of the FBI National Academy, the Federal Law Enforcement Training Center, and the Federal Executive Institute. Mr. Cook has a Master’s in Public Administration from American University. He has a Bachelor’s degree from Washington State University. He also holds professional certificates as a Certified Information Systems Security Professional (CISSP) and Insider Threat Program Management (ITPM). Mr. Cook has even worked on the FOX Television show America’s Most Wanted, where he supported investigations that led to the arrest of over 150 wanted persons.

Kishen Sridharan is the Cybersecurity Partnership & Outreach Executive, reporting to the Chief Information Security Officer of Raymond James. In this strategic role, he focuses on strengthening and growing Raymond James’ network of relationships with outside organizations like industry associations (e.g. FS-ISAC and SIFMA), peers, government/law enforcement entities, universities, potential new strategic suppliers, and the community. He determines the level of engagement, assesses ROI to Raymond James, and makes sure Raymond James is a valuable contributing partner in return. In prior roles at Raymond James, Mr. Sridharan helped establish a Product Management mindset, framework, and governance structure to deliver highly valuable business outcomes, particularly those which support the Strategic Roadmap. This is the stepping stone to formally convert the InfraSec organization to an “as a Service” model. Before that, he stood up a Project Management Office within InfraSec. Mr. Sridharan has almost 16 years of experience in various facets of technology, project implementation and business process improvement. His experience ranges from compliance, risk management and information assurance to strategic information security consulting. He earned his Bachelor of Science from the Pennsylvania State University in Management Science, Information Systems and International Business and an MBA from the University of Maryland. He is a certified Project Management Professional (PMP) and a Scrum Master (CSM).

Homayun Yaqub is Executive Director in JPMorgan Chase and Company’s Global Security and Investigations team managing the firm’s Insider Threat program. Prior to joining JPMorgan Chase in 2015, Mr. Yaqub served in the U.S. Intelligence Community and Department of Defense with more than 20 years of experience leading sensitive intelligence activities and related programs worldwide. Mr. Yaqub was also a founding member of The MASY Group, a Washington D.C. based security, intelligence, and risk consulting firm supporting both public and private sector clients. He began his career as a U.S. Army officer serving in various roles throughout the United States, the Middle East, South Asia, and Europe. Mr. Yaqub holds a Master’s in Conflict Analysis and Resolution from George Mason University and a Bachelor’s in International Business from James Madison University.

2018 Cybersecurity Conference, February 22 | New York, NY

Effective Practices for Insider Threats and Third-Party Risk Management

Moderator

David Yacono, Senior Director, FINRA Technology, Cyber & Information Security

Panelists

Brice Cook, Director, Insider Risk Program, FINRA Technology, Cyber & Information Security

Kishen Sridharan, Cybersecurity Partnership and Outreach Executive, Raymond James Financial

Homayun Yaqub, Executive Director, JPMorgan Chase & Co.

To Access Polling

Under the “Schedule” icon on the home screen, select the day, choose the Effective Practices for Insider Threats and Third-Party Risk Management session, and click on the polling icon.

Polling Question 1 – Firm Size

1. My firm staff size is:

a. More than 1000

b. 251 to 1000

c. 51 to 250

d. 11 to 50

e. 10 or fewer

Polling Question 2 – Characterizing Insider and Third-party Risk

2. For my firm, Insider Risk is:

a. A substantial concern

b. A moderate concern

c. A minor concern

d. A negligible concern (e.g., due to extremely small firm size)

e. Not sure

Polling Question 3 – Characterizing Insider and Third-party Risk

3. For my firm, Third-party Risk is:

a. A substantial concern. The security of my third parties significantly affects my ability to protect my systems/data/processes.

b. A moderate concern

c. A minor concern. There’s no obvious way that a security deficiency of one of my third parties could significantly harm me.

d. Not a concern. I have no dependencies on third parties.

e. Not sure

Characterizing Insider and Third-Party Risks

• Importance of insider and third-party risk

• Significance relative to other risk sources.

• Trends in emphasis? Drivers?

Identifying Threat Agents and Risk Factors

Insider Risk

• Who are the insider threats?

• Risk factors to consider?

• Strategies for focusing, prioritizing.

Third-party Risk

• What are the third-party threats?

• Risk factors to consider?

• Strategies for focusing, prioritizing.

Polling Question 4 – Insider Risk Management

4. My firm’s Insider Risk Program is:

a. Mature. Robust strategy with well-defined processes. Advanced controls including Predictive Analysis, Behavioral Analytics.

b. Established. A defined insider risk strategy backed by processes and tools that enable enterprise-wide information aggregation and correlation (e.g., SIEM).

c. Nascent. Basic controls in use, but no overarching strategy.

d. Nonexistent. Needed, but not yet established.

e. None needed. We don’t see the need for an insider risk program.

Insider Risk Management Methodology

Insider Risk Kill Chain: Recruitment/Tipping Point, Search and Recon, Exploitation, Acquisition, Exfiltration

Lifecycle: Vetting, Monitoring, Adjudicating, Detection, Analysis

High-risk employees, assets, operations

Control Techniques:

• Basic: SOD, POLP, training, others?

• Better: Log aggregation, SIEM, others?

• Best: UEBA, leveraging data/analytics, others?

Polling Question 5 – Third-party Risk Management

5. My firm’s Third-party Risk Program is:

a. Mature. Robust strategy with well-defined processes that are applied to all third parties, and that are quantitatively measured.

b. Established. A defined third-party risk management strategy backed by processes and tools.

c. Nascent. Some controls in place (e.g., vendor questionnaire), but no overarching strategy.

d. Nonexistent. We use third parties, but no explicit risk mgmt controls.

e. None needed. We don’t use third parties that impact our risk profile.

Third-party Risk Management Methodology

Identifying, Prioritizing Third Parties

• Sources of risk: People, Process, Technology

Assessment Processes, Techniques, Timing

• Assurance/Evidence Expectations

Controlling Risks

• Contract Provisions, Other techniques.

• Risk Acceptance? Show stoppers?

Monitoring, Detecting changes

• Changes at third party.

• Changes in relationship with third party.

Supporting Tools, Services

Coordination w/ org stakeholders

• Infosec, purchasing, legal, etc.

Advice for Smaller Firms

Insider Risk

• Difference in risk for smaller firms?

• Control priorities. Effective insider risk management on a budget.

Third-party Risk

• Difference in risk for smaller firms?

• Control priorities. Effective third-party risk management on a budget.

2018 Cybersecurity Conference, February 22 | New York, NY

THANK YOU!

Cybersecurity Guidance for Small Firms
Thursday, February 22, 11:15 a.m. – 12:15 p.m.

It is crucial that small financial firms take proper cybersecurity measures to protect their customers and their firm. During this session, panelists provide risk-based, threat-informed effective practices applicable to small firms and supportive of their overall business model to increase their security and ensure the protection of their customers.

Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office

Panelists: Melinda (Mimi) LeGaye, President, Moody Securities, LLC; Lisa Roth, President, Tessera Capital Partners, LLC; Hardeep Walia, Founder and Chief Executive Officer, Motif

Cybersecurity Guidance for Small Firms Panelist Bios:

Moderator: Dave Kelley is Surveillance Director based out of FINRA’s Kansas City District office, and has been with FINRA for seven years. Mr. Kelley also leads FINRA’s Sales Practice exam program for cybersecurity and the Regulatory Specialist team for Cyber Security, IT Controls and Privacy. Prior to joining FINRA, he worked for more than 19 years at American Century Investments in various positions, including Chief Privacy Officer, Director of IT Audit and Director of Electronic Commerce Controls. He led the development of website controls, including customer application security, ethical hacking programs and application controls. Mr. Kelley is a CPA and Certified Internal Auditor, and previously held the Series 7 and 24 licenses.

Panelists: Melinda (Mimi) G. LeGaye serves as President of both Moody Securities, LLC, and MGL Consulting, LLC. Ms. LeGaye has more than 30 years’ experience representing the interests of small broker-dealers, having held the positions of president, CCO and FINOP for several small broker-dealers over the years. She currently serves as President and CCO of Moody Securities, LLC and as FINOP and a registered representative for Silver Portal Capital, LLC. Ms. LeGaye also serves as a Small Firm Member on FINRA’s District 6 Committee. Prior to forming MGL, Ms. LeGaye served as CCO of Horne Securities Corp., a broker/dealer which was formed to distribute Reg D private placements of real estate limited partnerships. During the early 1980s to late 1980s, she served on the Regulatory Affairs Committee and as president of the local chapter of the Real Estate Securities & Syndication Institute (RESSI), which was an affiliate of the National Association of Realtors. Ms. LeGaye is actively involved with ADISA (formerly Real Estate Investment Securities Association, aka REISA). As a consultant, Ms. LeGaye has worked primarily with small and mid-size broker-dealers, but she has also worked with many larger broker-dealers providing clearing services to introducing broker-dealers. Having served as president, CCO, FINOP, General Securities Principal, and Municipal Securities Principal for various broker/dealers since the mid-1980s, Ms. LeGaye has worked extensively with retail and institutional broker-dealers, as well as boutique broker-dealers which provide investment banking, mergers & acquisitions advisory services, or which conduct business in the wholesale/retail distribution of Reg D Private Placements, non-traded REITs or 1031 Exchange Programs. As a municipal securities principal, she worked for a small minority enterprise broker-dealer, which was involved in municipal bond underwritings, capital raising and financial advisory activities. As President, CCO, FINOP and a small business owner, Ms. LeGaye has first-hand experience and an in-depth understanding of the challenges FINRA small firm members (fewer than 150 RRs) face on a day-to-day basis. Ms. LeGaye holds the Series 7, 24, 27, 53, 63, 79 and 99 registrations. She has previously held the Series 22, 39 and 3 registrations as well. She received her BBA from Sam Houston State University. An advocate for small broker-dealers and sensitive to the compliance, operational and regulatory challenges they face, she has spoken at numerous industry seminars and compliance programs over the years on topics ranging from supervision of independent brokers; surveillance using exception reports; compliance testing for small firms; product due diligence; and most recently at the SMARSH 2016 Connect Conference held in December 2016.

Lisa Roth serves as the President, AML Compliance Officer and Chief Information Security Officer of Tessera Capital Partners. Tessera is a limited purpose broker dealer offering new business development, financial intermediary relations, client services and marketing support to investment managers and financial services firms. Ms. Roth holds FINRA Series 7, 24, 53, 4, 65, 99 Licenses. Previously, Ms. Roth has served in various executive capacities with Keystone Capital Corporation, Royal Alliance Associates, First Affiliated (now Allied) Securities, and other brokerage and advisory firms. Ms. Roth serves on FINRA's Membership Committee, is a member of the Board of the Third Party Marketer's Association, and FINRA's Series 14 Item Writing Committee. Ms. Roth was unanimously selected by her peers to serve as the Chairman of FINRA's Small Firm Advisory Board for one of a total of four years of service on the Board from 2008-2012. Ms. Roth has also served as a member of the PCAOB Standing Advisory Group, and is an active participant in other industry forums, including speaking engagements and trade associations. Ms. Roth is also the president of Monahan & Roth, LLC, a professional consulting firm offering consulting, expert witness and mediation services on financial and investment services topics including regulatory compliance, product due diligence, suitability, supervision, information security and related topics. Previously, Ms. Roth founded ComplianceMAX Financial Corp. (purchased by NRS in 2007), a regulatory compliance company offering technology and consulting services to more than 1000 broker-dealers and investment advisers. Ms. Roth's leadership at CMAX led to the development of revolutionary audit and compliance workflow technologies now in use by some of the US's largest (and smallest) broker-dealers, investment advisors and other financial services companies. Ms. Roth has been engaged as an expert witness on more than 150 occasions, including FINRA, JAMS and AAA arbitrations, and Superior Court and other litigations, providing research, analysis, expert reports, damages calculations and/or testimony at deposition, hearing and trial. As a member of the FINRA Board of arbitrators, Ms. Roth has been named to more than 20 panels as a hearing officer. Ms. Roth resides in CA, but is a native of Pennsylvania, where she attained a Bachelor of Arts degree and was awarded the History Prize from Moravian College in Bethlehem, PA.

Hardeep Walia is founder and CEO of Motif, a next-generation online broker whose mission is to simplify complex investment products and make them universally accessible. The company’s flagship product allows individual investors to act intuitively on their insights by turning them into a “motif” of stocks. Mr. Walia also serves as CEO of Motif Capital, an institutional investment advisor that develops thematic models for clients such as Goldman Sachs, Global Atlantic, and US Bank’s UHNW arm Ascent Private Capital Management. Prior to Motif, Mr. Walia spent more than six years at Microsoft, where he was General Manager of the company's enterprise services business. He also served as Director of Corporate Development and Strategy, helping to oversee Microsoft's investments and acquisitions. He started his career at The Boston Consulting Group. Mr. Walia holds a BS in Economics and Engineering from Yale University and an MBA from the Wharton School of Business. He holds Series 7, 24 and 63 licenses in the securities industry. He serves on FINRA's Technology Advisory Committee and is on the Advisory Boards of Ascent Private Capital and real-estate startup PeerStreet. He is a featured contributor for LinkedIn, and a frequent guest on CNBC.

2018 Cybersecurity Conference, February 22 | New York, NY

Cybersecurity Guidance for Small Firms

FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.

Panelists

Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office

Panelists:
Melinda (Mimi) LeGaye, President, Moody Securities, LLC
Lisa Roth, President, Tessera Capital Partners, LLC
Hardeep Walia, Founder and Chief Executive Officer, Motif

To Access Polling

Under the "Schedule" icon on the home screen, select the day, choose the Cybersecurity Guidance for Small Firms session, and click on the polling icon.

Polling Question 1

1. How confident are you in your cybersecurity program for your firm?
a. We have a good plan that addresses our risks.
b. Started our plan but don't know if we included all risks to our firm.
c. Just started but have a long way to go.
d. We don't have any cybersecurity risks.

Polling Question 2

2. What part of your cybersecurity plan are you least comfortable with?
a. Branch Controls
b. Home Office Controls
c. Vendor Controls
d. Concerned about a FINRA exam
e. Other

Current Cyber Issues
FINRA Exam Standards
Risk Control Self Assessment Results
Implementation of a Reasonable but Effective Program
Security Basics for the Small Firm Headquarters Office
Security Basics for the Branch Office
Vendor Management and Outsourcing
Practical Advice for Small Firms

Current Issues for Small Firms

Phishing
Malware & Ransomware
3rd Party Wires
Patch Management
Unencrypted Data sent by Email

FINRA Exams and Results

Exam Standards
Risk Assessment and Governance
Cyber Program Leadership (CISO)
Policies, Procedures and Adherence
IT Certifications
Outsourcing of IT and Controls
Exam Findings

Risk Control Self Assessment Results

[Chart] Percentage of firms who manage or store PII (Source: 2016 RCA)
[Chart] Firm likelihood to outsource (partial or full) business functions (Source: 2016 RCA)

Polling Question 3

3. How often do you conduct training for cybersecurity risks?
a. Annually
b. Annually plus other ongoing instances
c. We don't have formal training for our RRs and staff.
d. Ongoing

Risk Control Self Assessment Results

[Chart] Firm purchase or integration of cyber insurance policies (Source: 2016 RCA)
[Chart] Firm coverage of disruption scenarios in their incident response plans (Source: 2016 RCA)

Cyber Standards for Small Firm Headquarters

Governance
Appointing the CISO, CTO
Framework for risk assessment
Framework for cyber policies
NIST or SANS framework
NASAA guidelines
NY DFS, other state guidelines

Cyber Standards for Small Firm Headquarters

Cyber Policy Components
In-house versus outsourced cyber management
Cloud storage versus on-site server storage
Incident response
Vendor Management
Training
Cyber Intelligence
Insurance
Testing

Cyber Basics for Branch/Remote Locations

Device inventory and ongoing monitoring
Centralized communications and data management
Cyber Awareness Training, training, training
Incident reporting
Technical Controls – Patching, Encryption, Virus Protection
Passwords
eMail
Physical Security
Cloud Usage

Vendor Management

Initial Due Diligence
Security and IT Vendors
Other Vendors
Ongoing Monitoring
SOC Reports
Qualifications and Standards
FINRA's Vendor List
NRF or not?
Contractual obligations
Use of the Cloud

Resources

FINRA Cybersecurity Page: www.finra.org/industry/cybersecurity
  2015 Report on Cybersecurity Practices
  Small Firm Cybersecurity Checklist
  Compliance Vendor Directory
NIST Cybersecurity Framework: www.nist.gov/cyberframework
Financial Services Information Sharing and Analysis Center: www.fsisac.com/
NASAA Cybersecurity Checklist for Investment Advisers: http://www.nasaa.org/industry-resources/investment-advisers/nasaa-cybersecurity-report/

Resources

FINRA Exam Findings Report: www.finra.org/industry/2017-report-exam-findings/cybersecurity
National Law Review – Issues Facing Financial Institutions: www.natlawreview.com/article/top-10-issues-facing-financial-institutions-2017-4-cybersecurity

Handouts:
Model cyber procedures
Incident report template
Branch electronic device review template
Electronic device disclosure form

Third-Party Vendor Contracts – Sample Language

Confidential Information. As used in this Agreement, "Confidential Information" means information not generally known to the public, and maintained by [Company Name] as confidential, whether of a technical, business or other nature, that relates to the engagement or that, although not related to such engagement, is nevertheless disclosed as a result of the Parties' discussions in that regard, and that should reasonably have been understood by the [Service Provider], because of (i) legends or other markings, (ii) the circumstances of disclosure or (iii) the nature of the information itself, to be proprietary and confidential to [Company Name]. Confidential Information includes "nonpublic personal information" about the "customers" and "consumers" (as those terms are defined in Title V of the Gramm-Leach-Bliley Act and the privacy regulations adopted thereunder) of [Company Name]. Confidential Information may be disclosed in written or other tangible form (including information in computer software or held in electronic storage media) or by oral, visual or other means. For purposes of this Agreement, "[Company Name]" includes employees and controlled affiliates of [Company Name] who disclose Confidential Information to the [Service Provider], and Confidential Information includes information disclosed by such affiliates.

Use of Confidential Information. The [Service Provider], except as expressly provided in this Agreement, shall not disclose [Company Name]'s Confidential Information to anyone without [Company Name]'s prior written consent. The [Service Provider] shall take all steps necessary to safeguard and protect such Confidential Information from unauthorized access, use or disclosure by or to others, including but not limited to maintaining appropriate security measures and providing access on an as-needed basis only. The Parties will treat Confidential Information using the same degree of care used to protect their own confidential or proprietary information of like importance, but in any case using no less than a reasonable degree of care. The [Service Provider] shall not reverse-engineer, decompile, or disassemble any hardware or software provided or disclosed to it and shall not remove, overprint or deface any notice of copyright, trademark, logo, legend or other notice of ownership from any originals or copies of Confidential Information it obtains from [Company Name]. The [Service Provider] shall not use Confidential Information for any purpose other than with respect to [the Project].

Exceptions. The provisions of the "Use of Confidential Information" Section above shall not apply to any information that (i) is or becomes publicly available without breach of this Agreement; (ii) can be shown by documentation to have been known to the [Service Provider] without confidentiality restrictions at the time of its receipt from [Company Name]; (iii) is rightfully received from a third party who did not acquire or disclose such information by a wrongful or tortious act, or in breach of a confidentiality restriction; (iv) can be shown by documentation to have been independently developed by the [Service Provider] without reference to any Confidential Information; or (v) is identified by [Company Name] as no longer proprietary or confidential.

[Service Provider] Personnel. The [Service Provider] shall restrict the possession, knowledge, development and use of Confidential Information to its employees, agents, subcontractors, consultants, advisors and entities controlled by it (collectively, "Personnel") who have a need to know Confidential Information in connection with the Project. The [Service Provider]'s Personnel shall have access only to the Confidential Information they need for such purposes. The [Service Provider] shall ensure that its Personnel are bound by confidentiality obligations substantially similar to those contained herein and that such Personnel comply with this Agreement.

Disclosures Required by Law, Rule or Regulation. If, in the opinion of its counsel, the [Service Provider] becomes legally obligated to disclose Confidential Information, the [Service Provider] shall give [Company Name] prompt written notice sufficient to allow [Company Name] to seek a protective order or other appropriate remedy, and shall, to the extent practicable, consult with [Company Name] in an attempt to agree on the form, content, and timing of such disclosure. Notwithstanding the preceding sentence, notification to [Company Name] shall not be required if such notification is not permitted by law or would interfere with applicable law enforcement activities. The [Service Provider] shall disclose only such information as is required, in the opinion of its counsel, and shall exercise all reasonable efforts to obtain confidential treatment for any Confidential Information that is so disclosed.

Ownership of Confidential Information. All Confidential Information disclosed under this Agreement (including information in computer software or held in electronic storage media) shall remain the exclusive property of [Company Name], and the [Service Provider] shall have no rights, by license or otherwise, to use the Confidential Information except as expressly provided herein. No patent, copyright, trademark or other proprietary right is licensed, granted or otherwise conveyed by this Agreement with respect to Confidential or other information.

Provisions Applicable to "Nonpublic Personal Information." Notwithstanding any other provision of this Agreement, with respect to "nonpublic personal information" about the "customers" and "consumers" (as those terms are defined in Title V of the Gramm-Leach-Bliley Act and the privacy regulations adopted thereunder) of Advisor and any Affiliate of Advisor, Service Provider agrees as follows:

(i) Except as may be reasonably necessary in the ordinary course of business to carry out the activities to be performed by Service Provider under this Agreement or as may be required by law or legal process, it will not disclose any such nonpublic personal information to any third party other than affiliates of Service Provider or Advisor.

(ii) It will not use any such nonpublic personal information other than to carry out the purposes for which it was disclosed by Advisor or Advisor's Affiliate unless such other use is (a) expressly permitted by a written agreement executed by Advisor or its Affiliate, or (b) required by law or legal process.

(iii) It will take all reasonable measures, including without limitation such measures as it takes to safeguard its own confidential information, to ensure the security and confidentiality of all such nonpublic personal information, to protect against anticipated threats or hazards to the security or integrity of such nonpublic personal information and to protect against unauthorized access to or use of such nonpublic personal information.

TBD Securities Cyber Security Policies
Page 1 of 15. Courtesy of Monahan & Roth, LLC, February 2018

TBD Securities Cyber Security Policies and Procedures

CONTENTS

OVERVIEW
AUDIT TRAIL
ACCESS MANAGEMENT
END-USER: MOBILE DEVICE AND APPLICATION SECURITY
COLLABORATION SITES AND END-USER DATA STORAGE
SECURITY RISK ASSESSMENT
OR (FOR FINANCIAL SERVICES FIRMS REGISTERED IN NY)
EMPLOYEE SECURITY AWARENESS TRAINING
VENDOR SELECTION AND MANAGEMENT
TECHNOLOGY ASSET INVENTORY, CLASSIFICATION AND TRACKING
TECHNOLOGY END-OF-LIFE PROCESS
EMPLOYEE TERMINATION
DISASTER RECOVERY AND BACKUP TESTING
CYBER SECURITY INSURANCE
CYBER SECURITY BREACH FRAMEWORK
REGULATORY REPORTING REQUIREMENT(S)

Overview

TBD Securities has implemented this program, designed to promote the protection of customer information as well as its information technology systems, which include any discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.

At a high level, the goal of this program is to:

(1) identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on TBD Securities' Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed;
(2) use defensive infrastructure and the implementation of policies and procedures to protect TBD Securities' Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
(3) detect Cyber security incidents;
(4) respond to identified or detected Cyber security incidents to mitigate any negative effects;
(5) recover from Cyber security incidents and restore normal operations and services; and
(6) fulfill all regulatory reporting obligations.

[Name] has been designated as the Chief Information Security Officer ("CISO") and has primary oversight, maintenance, and execution of this Technology and Information Security Program (the "Program"). The CISO is authorized to delegate physical, technical, and administrative components of this program to qualified third parties as and whenever appropriate. If TBD Securities elects to delegate CISO responsibility to a third party, it must:

• Retain ultimate responsibility for implementation of the program
• Designate a senior member to supervise the [assigned party], and
• Require the [assigned party] to maintain a cyber security program that substantially complies with relevant rules and regulations.

The TBD Securities [TITLE] bears overall responsibility for Business Continuity Plan ("BCP") / Disaster Recovery ("DR") planning, information protection, and creating agile security processes and procedures. The CCO has identified the following core functions to guide the Program. These functions will be evaluated and updated by the CISO as indicated below to adjust to technological, business and/or operational changes at the firm that may have a material impact on the Program. The CISO will also be responsible for preparing a report, at least bi-annually, that:

(1) assesses the confidentiality, integrity and availability of TBD Securities' Information Systems;
(2) details exceptions to TBD Securities' cyber security policies and procedures;
(3) identifies cyber risks to TBD Securities;
(4) assesses the effectiveness of TBD Securities' cyber security program;
(5) proposes steps to remediate any inadequacies identified therein; and
(6) includes a summary of all material Cyber security incidents that affected TBD Securities during the time period addressed by the report.

The CISO shall present the report to [Firm Name's] senior management or board of directors as applicable.

Functions                                                Designated Person   Frequency (document review / execution)
Access management: password and technology access        CISO                Periodically
Access management: physical access                       CISO                Periodically
End-user: desktop, web, network and server security      CISO
End-user: mobile devices and application security        CISO
Collaboration sites and storage networks                 CISO
Security risk assessment                                 CISO
Cyber security testing and audit                         CISO
Network vulnerability scan                               CISO                Quarterly
Employee security awareness training                     CISO
Vendor selection and maintenance                         COO
Technology asset inventory                               CISO
Technology end-of-life process                           CISO
Employee termination                                     COO
Disaster recovery and backup testing                     COO
Cyber security insurance                                 CISO
Information security                                     CCO
Vendor and third-party service provider management       CISO                Annually
Cyber incident response                                  CCO
Penetration testing                                                          Annually
CISO report to senior management                         CISO                Bi-annually
Application security                                     CISO                Annually

Audit Trail

The CISO shall be responsible for implementing an audit trail that:

(1) tracks and maintains data that allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable TBD Securities to detect and respond to a Cyber security incident;
(2) tracks and maintains data logging of all privileged Authorized User access to critical systems;
(3) protects the integrity of data stored and maintained as part of any audit trail from alteration or tampering;
(4) protects the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allow for event reconstruction;
(5) logs system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an Authorized User, and all system administrator functions performed on the systems; and
(6) maintains records produced as part of the audit trail for not fewer than six years.
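Item (3) above asks that the audit trail itself be protected from alteration, but does not say how. One common way to make a log tamper-evident is to chain entries with a keyed hash, so that any edit, reordering or deletion of an earlier record breaks every tag after it. The following is an added example written for this page, not code from the TBD Securities policy or from Monahan & Roth; the event fields, host names and SAMPLE_KEY are constructed for illustration. It also shows the one thing a chain alone cannot catch, removal of the newest entries, which needs the latest tag recorded somewhere the log host cannot reach.

```python
"""Tamper-evident audit trail as a keyed hash chain.

Added example; not part of the TBD Securities policy text. The event
fields, host names and SAMPLE_KEY are constructed for illustration.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous tag" for the first entry in a chain
# In practice a secret held by the log collector / CISO, not by the hosts that write events.
SAMPLE_KEY = b"constructed-demo-key"


def _canonical(event: dict) -> bytes:
    # Stable serialization so the same event always produces the same tag
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev: str, event: dict) -> str:
    return hmac.new(key, prev.encode() + _canonical(event), hashlib.sha256).hexdigest()


def append_event(chain: list, event: dict, key: bytes) -> dict:
    """Append `event` to `chain`, linking it to the previous entry's tag.

    Each tag covers the previous tag plus the event, so editing, reordering
    or deleting any earlier entry invalidates every tag after it. Because the
    tag is keyed, someone who can write the log file but does not hold `key`
    cannot re-chain it to hide the change.
    """
    prev = chain[-1]["tag"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev, "event": event}
    record["tag"] = _tag(key, prev, event)
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes):
    """Return (True, None) if intact, else (False, seq of the first bad entry)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_tag(key, prev, rec["event"]), rec["tag"]):
            return False, i
        prev = rec["tag"]
    return True, None


def verify_head(chain: list, anchored_tag: str) -> bool:
    """Compare the chain's last tag with a copy stored off the log host.

    A hash chain cannot detect removal of the newest entries by itself; the
    latest tag has to be recorded elsewhere (a separate collector, or the
    CISO's periodic report) and checked against the log.
    """
    return bool(chain) and hmac.compare_digest(chain[-1]["tag"], anchored_tag)


def sample_events() -> list:
    """Constructed events of the kinds items (2) and (5) above call for."""
    return [
        {"ts": "2018-02-22T09:00:00Z", "user": "jdoe", "host": "books01",
         "action": "privileged_login"},
        {"ts": "2018-02-22T09:04:12Z", "user": "jdoe", "host": "books01",
         "action": "journal_entry", "amount": "12500.00"},
        {"ts": "2018-02-22T09:05:30Z", "user": "admin", "host": "logsrv",
         "action": "audit_config_change"},
    ]


def build_chain(events: list, key: bytes) -> list:
    chain = []
    for ev in events:
        append_event(chain, ev, key)
    return chain


def tampered_chain(key: bytes) -> list:
    """An insider rewrites a past journal entry without holding the key."""
    chain = build_chain(sample_events(), key)
    chain[1]["event"]["amount"] = "1250.00"
    return chain


if __name__ == "__main__":
    chain = build_chain(sample_events(), SAMPLE_KEY)
    print("intact:", verify_chain(chain, SAMPLE_KEY))                          # (True, None)
    print("tampered:", verify_chain(tampered_chain(SAMPLE_KEY), SAMPLE_KEY))  # (False, 1)
```

The chain satisfies item (3) only if the key and the anchored head tag live somewhere the administrators of the logged systems cannot write to; otherwise a privileged user (exactly the population item (2) is meant to record) can rewrite history and re-tag it. For item (6), the verification routine is what lets a six-year-old record still be shown to be unaltered.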


Access Management

TBD Securities has an approach to entitlement management that helps establish controls around access activities. The goal of this program is focused on the following:

• Protect remote, mobile, cloud and social access
• Provide transparency and up-to-date information on entitlements
• Provide centralized administration for permissions
• Ensure that employees have only the access relevant to their job functions
• Protect against insider threats and unauthorized escalation of user privileges

Each employee's profile will be managed in a central directory that will be used to create, delete and modify employee access data. The CCO is the primary owner of the central directory.

Authorization: TBD Securities manages authorization information that defines what functions an employee can perform in the context of a specific application. The CCO maintains a record of the authorizations.

Passwords: For accessing any firm desktop or device, employees are required to use unique passwords with the following characteristics:

• Contains at least 8 characters
• Uses a combination of lower and uppercase letters
• Uses at least one number and one symbol
• Expires every 180 days (the reuse of any previous password is disallowed)
• After 10 failed login attempts within 15 minutes, the user account will be locked until released by the CISO or a [assigned party] administrator.

Each administrator will have a unique login account and password. Any [assigned party]'s employees (employees of a consultant or other party delegated responsibility for [Firm Name's] program) will, on an as-needed basis, each have a unique login and password to access the firm's password management list.

Physical access: TBD Securities will secure the firm's physical premises with locks and inventory keys issued to authorized persons on an ongoing basis.
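The password rules above are concrete enough to enforce mechanically, and the lockout rule is really a detection rule over the authentication log: ten failures from one account inside a sliding 15-minute window. The following is an added example written for this page, not code from the TBD Securities policy or from Monahan & Roth. The auth-log format, user names, timestamps and salt are constructed; the choice to clear the failure counter on a successful login is an assumption the policy does not state. Reuse is checked against stored hashes of earlier passwords rather than the passwords themselves.

```python
"""Password policy and lockout checks for the rules listed above.

Added example; not part of the TBD Securities policy text. The auth-log
format, user names, timestamps and salt are constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 8
MAX_AGE = timedelta(days=180)
LOCK_THRESHOLD = 10                  # failed attempts ...
LOCK_WINDOW = timedelta(minutes=15)  # ... within this sliding window
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted slow hash; store this (never the password), also for history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_violations(candidate: str, history: list, salt: bytes) -> list:
    """Return the policy rules `candidate` breaks; an empty list means accepted.

    `history` holds hashes of the user's previous passwords, so reuse can be
    refused without keeping the old passwords themselves.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("at least 8 characters")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("lower and uppercase letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("at least one number")
    if not any(not c.isalnum() for c in candidate):
        problems.append("at least one symbol")
    if hash_password(candidate, salt) in history:
        problems.append("reuse of a previous password")
    return problems


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """180-day expiry rule."""
    return now - last_changed > MAX_AGE


# Constructed log format: "<ISO-8601 UTC> user=<name> result=OK|FAIL"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def lockouts(log_lines) -> dict:
    """Apply the lockout rule to an auth log; returns {user: time locked}.

    Failures are kept per user in a sliding window; the account is locked the
    moment 10 failures fall within 15 minutes, and later attempts are ignored
    (it stays locked until released by the CISO or an administrator). Clearing
    the counter on a successful login is an assumption, not in the policy.
    """
    recent = defaultdict(deque)
    locked = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real collector should alert on these
        user = m.group("user")
        if user in locked:
            continue
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        if m.group("result") == "OK":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > LOCK_WINDOW:
            q.popleft()  # drop failures older than the window
        if len(q) >= LOCK_THRESHOLD:
            locked[user] = ts
    return locked


def sample_log() -> list:
    """Constructed log: 'mallory' is brute-forced, 'bob' just fumbles slowly."""
    base = datetime(2018, 2, 22, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(10):  # 10 failures in 9 minutes -> locked at the 10th
        t = base + timedelta(minutes=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=mallory result=FAIL")
    for i in range(10):  # 10 failures spread over 27 minutes -> never locked
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=bob result=FAIL")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} user=alice result=OK")
    return lines


def demo() -> dict:
    """Run every check over the constructed data and return plain values."""
    salt = b"constructed-per-user-salt"
    history = [hash_password("Winter2017!", salt)]
    return {
        "reuse": password_violations("Winter2017!", history, salt),
        "weak": password_violations("short1A", history, salt),
        "ok": password_violations("Correct-Horse-9", history, salt),
        "expired": password_expired(datetime(2017, 8, 1, tzinfo=timezone.utc),
                                    datetime(2018, 2, 22, tzinfo=timezone.utc)),
        "locked": {u: t.isoformat() for u, t in lockouts(sample_log()).items()},
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lockout threshold is deliberately counted per account, not per source address, because the rule as written is about the account; a firm that also wants to catch password spraying (one or two attempts against many accounts) needs a second rule keyed on the source, which this block does not attempt.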

Page 79: Welcome Remarks Thursday, February 22 9:00 a.m. …...Previously, Mr. Randich served as Co-CIO at Citigroup, and CIO and Global Head of Technology for Citigroup's Institutional Clients

TBD  Securities       Cyber  Security  Policies    

Page 6 of 15 Courtesy of Monahan & Roth, LLC February, 2018  

End-user: desktop, web, network and server security

TBD Securities has developed practices to protect the sensitivity of all information by implementing the following processes:

• Implement the use of password protection for all sensitive data, applications, and collaboration tools
• Reconcile the inventory of hardware, software and devices with [assigned party]
• Educate end-users on appropriate use of desktops and web browsing for business purposes
• Track and log USB portable flash drive uses that access the firm's desktops to detect any unauthorized use
• Maintain a white-list of approved desktop applications and a blacklist policy for websites (e.g. adult content, social media, gambling, etc.)

Working closely with the CISO, [assigned party] will proactively manage the following items:

• Maintain inventory of hardware, software and devices
• Closely monitor application and system log activity, and control the execution of code with an application white-listing policy
• Deploy critical operating system security patches within 48 hours of release
• Deliver non-critical patches monthly
• Implement appropriate protections for electronic systems, including anti-virus software and firewalls
• Set anti-virus software to auto-update; firewalls are updated at least quarterly by [assigned party]

To combat social engineering, the [assigned party] will do the following:

– Employ up-to-date anti-malware systems (continuously updated by auto-update plus quarterly reviews)
– Employ spam filters and other email gateways (continuously updated by auto-update and periodically reviewed by [assigned party])

(a) Multi-Factor Authentication. Each Covered Entity shall: (1) require Multi-Factor Authentication for any individual accessing TBD Securities' internal systems or data from an external network; (2) require Multi-Factor Authentication for privileged access to database servers that allow access to Nonpublic Information; (3) require Risk-Based Authentication in order to access web applications that capture, display or interface with Nonpublic Information; and (4) support Multi-Factor Authentication for any individual accessing web applications that capture, display or interface with Nonpublic Information.


End-user: mobile device and application security

Firm-owned devices include, but are not limited to, laptops, tablets, cellular phones, and smartphones. Personal devices may use mobile access as long as they are password-protected, encrypted and firm-approved. At the time of hiring, and annually thereafter, TBD Securities requests disclosure of all electronic devices, including the percentage of business and personal use, for purposes of maintaining an up-to-date inventory.

Employees are advised to report any lost, stolen, or compromised electronic device to the CISO or CCO immediately. The CISO or CCO will update the firm inventory and shut off inbound and outbound access to the device as necessary. Firm personnel will receive training on the secure use of mobile devices and removable media on an as-needed basis, including during the annual compliance meeting.

Collaboration sites and end-user data storage

The CISO, along with the CCO, will be primarily responsible for vetting any collaboration site and data storage. Each site must have identified "data owners," who manage, control, and review access. Only the firm-approved collaboration sites listed below will be used: [Name ANY RELEVANT CITATIONS]

Protecting firm data includes the proper use of collaboration sites and data storage sites. The following are requirements for collaboration sites and storing data:

Desktop, laptop, remote desktop and tablets
• Ensure storage only in an approved, sandboxed or otherwise encrypted location instead of the desktop
• Save information to be shared to an access-controlled network location such as a network shared drive
• Store data and information with retention requirements in a records management repository
• Only use applications obtained through firm-approved channels

Mobile devices (smart phones and tablets)
• Only store data within firm-approved applications
• TBD Securities intends to have remote-wipe capability for all employee devices

Records retention
• Certain types of data have retention periods
• All records, including digital records, should be stored in an approved records repository
• Collaboration sites are not approved repositories
• Employees are responsible for preventing inappropriate use of or access to data by:
  – Only accessing information needed for their job function
  – Preparing, handling, using and releasing data appropriately
  – Using correct storage locations
  – Following appropriate use of, or restrictions on, electronic communications, including but not limited to email, instant messaging, text, chat, audio/video conferencing and social media

Security risk assessment

The firm will use an independent [assigned party] to perform a comprehensive enterprise risk assessment. The [assigned party] will assess any potential or existing cyber-security threats to identify potential risks and business impacts. At the discretion of the CISO and CCO, the items under review may include, as relevant, the following:

Category                        Subcategories
Network Security                Network Infrastructure; Firewalls; Network Diagram; Frequency of Documentation; Wireless
Data Security                   Data Classification; Backup and Restoration; Encryption; Mobile Security; Disposal; Protection of Transmission
Access Control                  Active Directory; Authentication; Network Access Control; Account/Password Management; Application Access
System Development              Systems Installation; Software Development; Maintenance and Patching; Decommissioning; Change Control Management
Protection                      Antivirus software; Updates and patches; Web Filter and traffic
Testing and Monitoring          Server Monitoring; Network Monitoring; Penetration Testing; Vulnerability Testing; Alerting
Vendors                         Vendor Assessment; Client Data
Employees                       Termination / Role Transfer
Physical Premise Security       Data Center; Building Security and Staff; Building and Office Access; Server Room
Information Security Program    Info Security Policy
Cyber security Insurance        Coverage Review

OR (For Financial Services Firms registered in NY):

At least annually, each Covered Entity shall conduct a risk assessment of TBD Securities' Information Systems. Such risk assessment shall be carried out in accordance with written policies and procedures and shall be documented in writing. The risk assessment shall minimally include:

(1) criteria for the evaluation and categorization of identified risks; (2) criteria for the assessment of the confidentiality, integrity and availability of TBD Securities' Information Systems, including the adequacy of existing controls in the context of identified risks; and (3) requirements for documentation describing how identified risks will be mitigated or accepted based on the risk assessment, justifying such decisions in light of the risk assessment findings, and assigning accountability for the identified risks.

 


Employee security awareness training

To assist firm employees in understanding their obligations regarding sensitive firm information, the CISO will provide each employee with a copy of this Program upon commencement of employment and whenever changes are made. In addition, the CISO and/or CCO will implement programs to perform training functions on an as-needed basis.

At the discretion of the CCO and CISO, employee security awareness training may include any of the following:

• Instruct employees to take basic steps to maintain the security, confidentiality and integrity of client and investor information, including:
  – Secure all files, notes, and correspondence
  – Change passwords periodically and do not post passwords near computers
  – Avoid the use of speaker phones and discourage discussions in public areas
  – Recognize any fraudulent attempts to obtain client or investor information and report them to appropriate management personnel
  – Access firm, client, or investor information on removable and mobile devices with care and on an as-needed basis using firm protocols (passwords, etc.)
• Instruct employees to close out of files that hold protected client and investor information, investments, investment strategies, and other confidential information when they are not at their desks
• Educate employees about the types of cyber security attacks and appropriate responses

Vendor selection and management

For vendors interacting with TBD Securities systems, network and data, the firm will perform the following activities to protect sensitive information:

• Assess vendors before working with them, including a cyber-security risk assessment
• Review third-party vendor contract language to establish each party's responsibility with respect to cyber-security procedures, including:
  – the use of Multi-Factor Authentication as set forth herein to limit access to sensitive systems and Nonpublic Information;
  – the use of encryption to protect all Nonpublic Information in transit and at rest;
  – prompt notice to be provided to TBD Securities in the event of a cyber security incident affecting the third party service provider;
  – identity protection services to be provided for any customers materially impacted by a cyber security incident that results from the third party service provider's negligence or willful misconduct;
  – representations and warranties from the third party service provider that the service or product provided to TBD Securities is free of viruses, trap doors, time bombs and other mechanisms that would impair the security of TBD Securities' Information Systems or Nonpublic Information; and
  – the right of TBD Securities or its agents to perform cyber security audits of the third party service provider.
• Segregate sensitive firm systems from third-party vendor access and monitor remote maintenance performed by third-party contractors

Technology asset inventory, classification and tracking

TBD Securities has a process in place to identify, classify, and track all technology assets ("assets"):

• To ensure accurate classification and tracking, TBD Securities will procure/vet all assets through [assigned party]
• TBD Securities will maintain an inventory of all assets as well as an identified owner
• TBD Securities will cross-reference the list of internal assets with [assigned party]
• The asset identification and classification process will be scalable to accommodate growth and acquisition
• TBD Securities will track assets and their attributes throughout their lifecycle
• Automated processes will be used periodically to perform discovery of unknown assets
• TBD Securities will create a map of network resources, including data flows, internal connections and external connections

TBD Securities will establish and enforce a process of assessing and classifying assets based on their sensitivity to attack and business value.

[assigned party] will auto-alert TBD Securities if a new device is discovered on the network.
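The "discovery of unknown assets" and the new-device auto-alert above come down to one recurring job: diff what answered on the network against what the inventory says should be there. The following is an added example, not part of the TBD Securities template or the [assigned party]'s tooling. The inventory rows and the sweep output are constructed for the example; in a real run the inventory export and a scanner's or DHCP server's host list would go in instead, and MAC-address formats vary between such sources, which is why the example normalizes them before comparing.

```python
"""Reconcile a network discovery sweep against the technology asset inventory.

Added example, not part of the TBD Securities template. The inventory rows
and the sweep output are constructed; in practice the [assigned party]'s
inventory export and a scanner's or DHCP server's host list go in instead.
"""
import csv
import io
import re

# Constructed inventory export: the policy's "inventory of all assets" with an owner.
INVENTORY_CSV = """asset_id,mac,owner,classification
A-001,00:11:22:33:44:55,alice,workstation
A-002,00:11:22:33:44:66,bob,workstation
A-003,00:11:22:33:44:77,it,server
"""

# Constructed discovery sweep, one "ip mac" pair per line. The mixed MAC
# formats are deliberate: they are the usual reason naive matching misses a device.
SWEEP = """10.0.0.10 00:11:22:33:44:55
10.0.0.11 00-11-22-33-44-66
10.0.0.50 DE:AD:BE:EF:00:01
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(raw):
    """Canonical lower-case colon form; raises on anything that is not a MAC."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def load_inventory(text):
    """MAC -> inventory row, keyed on the normalized address."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def parse_sweep(text):
    """MAC -> IP as seen in this sweep."""
    seen = {}
    for line in text.splitlines():
        if line.strip():
            ip, mac = line.split()
            seen[normalize_mac(mac)] = ip
    return seen


def reconcile(inventory, seen):
    """Return (unknown, missing): devices on the wire that are not in the inventory,
    and inventoried devices that did not answer this sweep."""
    unknown = {mac: ip for mac, ip in seen.items() if mac not in inventory}
    missing = {mac: row["asset_id"] for mac, row in inventory.items() if mac not in seen}
    return unknown, missing


def alerts(unknown):
    """One alert line per unknown device, for the auto-alert the policy calls for."""
    return [f"ALERT unknown device {mac} at {ip}: not in asset inventory"
            for mac, ip in sorted(unknown.items())]


if __name__ == "__main__":
    unknown, missing = reconcile(load_inventory(INVENTORY_CSV), parse_sweep(SWEEP))
    print("\n".join(alerts(unknown)))
    print("inventoried but not seen this sweep:", missing)
```

On the constructed data the sweep turns up one device (de:ad:be:ef:00:01 at 10.0.0.50) that the inventory does not know, and one inventoried server (A-003) that did not answer; the first should page the inventory owner, the second is worth a look too, since a host that stops answering may simply be off, or may have been moved off the network without going through the end-of-life process. A MAC address is trivially spoofable, so a clean reconciliation is an inventory-hygiene result, not evidence that every device on the wire is the one the inventory says it is.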


TBD Securities shall encrypt all Nonpublic Information it holds or transmits, both in transit and at rest.

Technology end-of-life process

TBD Securities has developed and will follow processes for securely disposing of assets once they are no longer being used by the firm or have reached the end of their usable life (the "end-of-life process").

Working closely with the CISO, [assigned party] will closely monitor the firm's hardware and recommend a refresh every 3-5 years for each piece of hardware. A certified end-of-life management vendor ("EMV") will properly recycle any old hardware.

Notification: The end-of-life process will notify all necessary and relevant parties to initiate a coordinated execution:
• CISO
• Asset owner
• End user(s)
• Relevant vendor(s)

Hard drives: Any decommissioned hard drive will be securely stored for a minimum of 6 years from the decommission date. When disposing of the hard drive, the EMV will do the following:
• Erase all data on the drive
• Physically destroy the hard drive
• Produce documentation of proper disposal

Employee termination

The firm is dedicated to protecting the network and proprietary data at risk upon termination of employees. To prevent former employees from leaking information, TBD Securities has adopted an approach towards access controls and entitlement management.

Please refer to the [assigned party] checklist for employee on/off-boarding. TBD Securities will maintain this list as new applications, drives, systems, and vendors are incorporated.

The following items will be monitored:
• Network access
• Desktop access
• Mobile device access
• Internal and external applications
• Vendors, such as prime brokers, executing brokers, etc.

Disaster recovery and backup testing

Please see [Firm Name's] Business Continuity Procedures / Disaster Recovery Plan ("BCP") for detailed documentation. Any changes will be reflected in that BCP/DR plan.

The CCO, in connection with the CISO, will update the firm's BCP on an as-needed basis to ensure that it is consistent with the Program.

Cyber security insurance

On an annual basis the CISO will review the firm's insurance coverage related to cyber security threats and, in conjunction with the CCO and COO, make a determination as to its adequacy. It is anticipated that cyber security insurance will not be obtained unless or until the firm's risk profile substantially increases, because currently the majority of client sensitive data is retained by competent third party vendors, primarily including its clearing firm.

Cyber security breach/incident response framework

The firm has implemented a framework to identify, prepare for, prevent, detect, respond to, and recover from cyber security incidents. A cyber security incident is any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.

In the event of a cyber security incident, the firm's information technology personnel (or anyone detecting the incident) will immediately notify the CISO (or qualified designee), who will work with appropriate personnel to:

• Assess the nature and scope of any such incident and maintain a written record of the systems and information involved
• Take appropriate steps to contain and control the incident to prevent further unauthorized access, disclosure or use, and maintain a written record of the steps taken
• Promptly conduct a reasonable investigation, determine the likelihood that personal information has been or will be misused, and maintain a written record of such determination
• Discuss the issue with outside counsel (or a qualified resource) and make a determination regarding disclosing the issue to regulatory authorities, law enforcement and/or individuals whose information may have been affected
• Evaluate the need for changes to the firm's policies and procedures in light of the breach
• Work with outside resource(s) and/or counsel as necessary to determine appropriate next steps, including addressing any weaknesses identified in the process
• Record and retain a record of the response to the incident among the firm's central records

Regulatory reporting requirement(s)

(For entities registered to do business in NY and not otherwise exempt.) TBD Securities shall submit to the superintendent of the New York State Department of Financial Services ("DFS") a written statement by January 15, in the form set forth by the DFS, certifying that TBD Securities is in compliance with the requirements specifically identified by DFS. TBD Securities shall maintain for examination by the DFS all records, schedules and data supporting this certificate for a period of five years.

(1) To the extent TBD Securities has identified areas, systems, or processes that require material improvement, updating or redesign, TBD Securities shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by DFS.

(2) To the extent that TBD Securities has identified any material risk of imminent harm relating to its cyber security program, TBD Securities shall notify the superintendent within 72 hours and include such items in its annual report filed pursuant to this section.


TBD Securities
January 15, 20__

Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations

The Board of Directors or a Senior Officer(s) of TBD Securities certifies:

(1) The Board of Directors (or name of Senior Officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary;

(2) To the best of the (Board of Directors) or (name of Senior Officer(s)) knowledge, the Cybersecurity Program of TBD Securities as of [Date] complies with the rules and regulations of the state of New York.

By:
Printed Name:
Title:
Date:


Electronic Devices and Communications Inspection Form

Electronic Device Review:

Device Name:            Description:            % Business Use:            % Personal Use:

☐ Yes ☐ No  Anti-malware software is installed on this device.
☐ Yes ☐ No  Anti-virus software is installed on this device.
☐ Yes ☐ No  Software auto-update is set to "ON" on this device.
☐ Yes ☐ No  Log-in privileges to this device are password protected.
☐ Yes ☐ No  This device 'times out' after 15 minutes or less of non-use.
☐ Yes ☐ No  ONLY approved (company) email is received on this device.
☐ Yes ☐ No  ONLY associated personnel have access to this device.

Please explain any "NO" answer in the space provided below:

Exceptions, Notes:

Electronic Device Review:

Device Name:            Description:            % Business Use:            % Personal Use:

☐ Yes ☐ No  Anti-malware software is installed on this device.
☐ Yes ☐ No  Anti-virus software is installed on this device.
☐ Yes ☐ No  Software auto-update is set to "ON" on this device.
☐ Yes ☐ No  Log-in privileges to this device are password protected.
☐ Yes ☐ No  This device 'times out' after 15 minutes or less of non-use.
☐ Yes ☐ No  ONLY approved (company) email is received on this device.
☐ Yes ☐ No  ONLY associated personnel have access to this device.

Please explain any "NO" answer in the space provided below:

Exceptions, Notes:


CYBER  SECURITY  INCIDENT  REPORT    

Courtesy  of  Monahan  &  Roth,  LLC  

Incident Reported By:
Incident Reported To:
Date Reported:              Time:        ☐ am ☐ pm

Nature of the incident (include the scope, systems and information involved):

CONTAINMENT
Date Contained:             Time:        ☐ am ☐ pm
Record the steps taken to contain and control the incident to prevent further unauthorized access, disclosure or use:

INVESTIGATION
Investigation performed:    Time:        ☐ am ☐ pm
Describe the nature of the investigation, including whether or not sensitive information has been or might be compromised:


DISCLOSURE TO THIRD PARTIES (check all that apply)
☐ Counsel          ☐ Other Qualified Resource
☐ Law Enforcement  ☐ Individuals affected

Describe:

RESOLUTION
Resolution achieved:        Time:        ☐ am ☐ pm
☐ Related Cyber Policies adequate
☐ Related Cyber Policies require amendment
☐ Follow-up required

Describe:

Principal Acknowledgement of Resolution:                    Date:

Notes:


Courtesy  of  Monahan  &  Roth,  LLC      

     

Electronic  Device  Disclosure    

Associated  persons  are  required  to  disclose  the  use  and/or  the  termination  of  use  of  any  electronic  device  used  entirely  or  in  part  for  business  purposes  by  completing  the  table  below.      

☐ This is an initial report of electronic device(s)    ☐ I have a new device to report    ☐ I have a retired device to report
☐ I have a change in usage of a previously reported device to report

Device Description (example: "primary office computer"; include smartphones, tablets and other devices)
Device Type (example: iMac, or Dell PC desktop)
% Business Use
% Personal Use
Notes (example: shared device with another associated person)

I hereby certify that the above information is correct and accurate to the best of my knowledge and that I adhere to my Broker-Dealer's policies and procedures.

Signature                   Date          


Cyber  Security  Checklist  for  Broker  Dealers  

 Adapted  from  the  NASAA  Cyber  Security  Checklist  for  Investment  Advisers;  courtesy  of  Monahan  &  Roth,  LLC  


Identify: Risk Assessment & Management                                                YES   NO   N/A

1. Risk assessments are conducted frequently (e.g. annually, quarterly).
2. Cybersecurity is included in the risk assessment.
3. The risk assessment includes a review of the data collected or created, where the data is stored, and if the data is encrypted.
4. Internal "insider" risk (e.g. disgruntled employees) and external risks are included in the risk assessment.
5. The risk assessment includes relationships with third parties.
6. Adequate policies and procedures demonstrate expectations of employees regarding cybersecurity practices (e.g. frequent password changes, locking of devices, reporting of lost or stolen devices, etc.).
7. Primary and secondary person(s) are assigned as the central point of contact in the event of a cybersecurity incident.
8. Specific roles and responsibilities are tasked to the primary and secondary person(s).
9. The firm has an inventory of electronic devices and software in use in its home office.
10. The firm has an inventory of electronic devices and software in use in its branch offices.

Notes:


Protect: Use of Electronic Mail                                                       YES   NO   N/A

1. The firm has protective measures in place to govern the distribution of identifiable information of a client transmitted via email.
2. The firm has protective measures in place to govern authentication practices for access to email on all devices (computer and mobile devices).
3. The firm requires that passwords for access to email are changed no less than quarterly.
4. The firm's policies and procedures provide instruction to authenticate client instructions received via email.
5. If applicable, the firm's employees and clients are aware that email communication is not secured.

Protect: Devices                                                                      YES   NO   N/A

1. Device access (physical and digital) is permitted for authorized employees.
2. Device access (physical and digital) is permitted for authorized clients.
3. Device access is routinely audited and updated appropriately.
4. Devices are routinely backed up and underlying data is stored in a separate location (i.e. on an external drive, in the cloud, etc.) subject to FINRA requirements for electronic storage, or other related requirements.
5. Backups have been tested in the most recent 12 months.
6. The firm has written policies and procedures regarding the secure destruction of electronic devices no longer in use (end-of-life procedures).

Notes:

Page 95: Welcome Remarks Thursday, February 22 9:00 a.m. …...Previously, Mr. Randich served as Co-CIO at Citigroup, and CIO and Global Head of Technology for Citigroup's Institutional Clients

Cyber  Security  Checklist  for  Broker  Dealers  

 Adapted  from  the  NASAA  Cyber  Security  Checklist  for  Investment  Advisers;  courtesy  of  Monahan  &  Roth,  LLC  


Protect: Use of Cloud Services

YES / NO / N/A

1. Due diligence has been conducted on the cloud service provider prior to signing an agreement or contract.

2. As part of the due diligence, the firm has evaluated whether the cloud service provider has safeguards against breaches and a documented process in the event of breaches.

3. The firm has a business relationship with the cloud service provider and has the contact information for that entity.

4. The firm is aware of the assignability terms of the contract.

5. The firm understands how the firm’s data is segregated from other entities’ data within the cloud service.

6. The firm is familiar with the restoration procedures in the event of a breach or loss of data stored through the cloud service.

7. The firm has written policies and procedures in the event that the cloud service provider is purchased, closed, or otherwise unable to be accessed.

8. The firm solely relies on free cloud storage.

9. The firm maintains a 17(a)4 compliant backup of all records off-site.

10. Data containing sensitive or personally identifiable information is stored through a cloud service.

11. The firm’s data accessible by the vendor containing sensitive or personally identifiable information, which is stored through a cloud service, is encrypted.

12. The firm has written policies and procedures related to the use of devices by employees or vendors who access data in the cloud.

13. If applicable, the firm’s procedures provide controls when the cloud provider (or its staff) may access and/or view the firm’s data stored in the cloud.

14. If the firm allows any user remote access to its network (e.g. through use of VPN), such access is subject to controls including user management.

15. The VPN access of employees is monitored.

16. The firm has written policies and procedures related to the termination of VPN access when any authorized user resigns or is terminated.


Protect: Use of Firm Websites

YES / NO / N/A

1. The firm relies on a parent or affiliated company for the construction and maintenance of the website.

2. The firm relies on internal personnel for the construction and maintenance of the website.

3. The firm relies on a third-party vendor for the construction and maintenance of the website.

4. If the firm relies on a third party for website maintenance, there is an agreement with the third party regarding the services and the confidentiality of information.

5. The firm can directly make changes to the website.

6. The firm can directly access the domain renewal information and the security certificate information.

7. The firm’s website is used to access client information.

8. SSL or other encryption is used when accessing client information on the firm’s website.

9. The firm’s website includes a client portal.

10. SSL or other encryption is used when accessing a client portal.

11. When accessing the client portal, user authentication credentials (i.e., user name and password) are encrypted.

12. Additional authentication credentials (i.e., challenge questions, etc.) are required when accessing the client portal from an unfamiliar network or computer.

13. The firm has written policies and procedures related to a denial of service issue.

Notes:


Protect: Custodians & Other Third-Party Vendors

YES / NO / N/A

1. The firm’s due diligence on third parties includes cybersecurity as a component.

2. The firm has requested vendors to complete a cybersecurity questionnaire, with a focus on issues of liability sharing and whether vendors have policies and procedures based on industry standards.

3. The firm understands when/if the vendor has IT staff or outsources some of its functions.

4. The firm has obtained a written attestation from the vendor that it uses software to ensure customer data is protected.

5. If applicable, the firm has obtained evidence of the vendor’s cyber security risk assessment or audit on a regular basis.

6. The cyber-security terms of the agreement with an outside vendor are not voided because of the actions of an employee of the firm.

7. The firm’s contract with third-party vendors includes terms of confidentiality.

8. The firm has been provided enough information to assess the cybersecurity practices of any third-party vendors.

9. [Relevant to custodians only] The firm has discussed with the custodian matters regarding impersonation of clients and authentication of client orders.

10. The firm’s contract with the vendor includes terms for notification in the event of a cyber breach.

Protect: Encryption

YES / NO / N/A

1. The firm routinely consults with an IT professional knowledgeable in cybersecurity.

2. The firm has written policies and procedures in place to categorize data as either confidential or non-confidential.

3. The firm has written policies and procedures in place to address data security and/or encryption requirements.

4. The firm has written policies and procedures in place to address the physical security of confidential data and systems containing confidential data (i.e., servers, laptops, tablets, removable media, etc.).

5. The firm utilizes encryption on all data systems that contain (or access) confidential information.

6. The identities and credentials for authorized users are recorded and periodically updated.


Notes:                  


Detect: Anti-Virus Protection and Firewalls

YES / NO / N/A

1. The firm mandates the installation and auto update of anti-virus, anti-spam, and anti-malware software on all electronic devices accessing the firm’s network or otherwise retaining personally identifiable information or firm records.

2. The firm mandates that all settings are deployed to ensure that software is subject to auto-update.

3. Employees are trained and educated on the basic function of anti-virus programs and how to report potential malicious events.

4. If the alerts are set up by an outside vendor, there is an ongoing relationship between the vendor and the firm to ensure continuity and updates.

5. A firewall is employed and configured appropriately to the firm's needs.

6. The firm has policies and procedures to address flagged network events.

Notes:


Respond: Responding to a Cyber Event

YES / NO / N/A

1. The firm has a plan and procedure for immediately notifying authorities in the case of a disaster or security incident of magnitude.

2. The plans and procedures identify which authorities should be contacted based on the type of incident and who should be responsible for initiating those contacts.

3. The firm has a communications plan, which identifies who will speak to the public/press in the case of an incident and how internal communications will be managed.

4. The communications plan identifies the process for notifying clients and, if applicable, for addressing damages.

Notes:


Recover: Cyber-insurance

YES / NO / N/A

1. The firm has considered whether cyber-insurance is necessary or appropriate for the firm.

2. The firm has evaluated the coverage in a cybersecurity insurance policy to determine whether it covers breaches, including: breaches by foreign cyber intruders; insider breaches (e.g. an employee who steals sensitive data); and breaches as a result of third-party relationships.

3. The cybersecurity insurance policy covers notification (clients and regulators) costs.

4. The firm has evaluated whether the policy includes first-party coverage (e.g. damages associated with theft, data loss, hacking and denial of service attacks) or third-party coverage (e.g. legal expenses, notification expenses, third-party remediation expenses).

5. The exclusions of the cybersecurity insurance policy are appropriate for the firm’s business model.

6. The firm has put into place all safeguards necessary to ensure that the cyber-security policy is not voided through firm employee actions, such as negligent computer security where software patches and updates are not installed in a timely manner.

Recover: Disaster Recovery

YES / NO / N/A

1. The firm has a business continuity plan to implement in the event of a cybersecurity event.

2. The firm has a process for retrieving backed up data and archival copies of information.

3. The firm has written policies and procedures for employees regarding the storage and archival of information.

4. The firm provides training on policies and procedures related to document retention, safekeeping and updates.

Notes:


Recent Cyber Attacks, Threats and Possible Solutions
Thursday, February 22, 11:15 a.m. – 12:15 p.m.

The world has entered an age in which well-organized and well-funded groups use sophisticated cyber techniques to attack organizations with increasing frequency. This threat landscape is constantly changing and modern cyber defenses must evolve. During this session, panelists discuss recent high-visibility hacks and steps that could have been taken to prevent them from happening or minimize the disruption.

Moderator: Gregory Markovich, Regulatory Principal, Sales Practice, FINRA Chicago District Office

Panelists:
Britt Lindley, Chief Information Security Officer, Thrivent Financial for Lutherans
Jesse Magenheimer, Director - Information Security, State Farm
Melissa Vacon, Assistant Vice President of Information Services, Signator Investors, Inc.


Recent Cyber Attacks, Threats and Possible Solutions Panelist Bios:

Moderator: Greg Markovich joined FINRA on February 1, 2016, as Regulatory Principal and is currently responsible for leading cybersecurity examinations and providing security consultation and training for other staff. Prior to joining FINRA, Mr. Markovich had 30 years of information technology (IT) and security experience working at two investment management firms, Capital Group – American Funds and American Century Investments. His leadership roles at these firms included responsibility for information security, risk management, identity access management, and disaster recovery. Mr. Markovich also has experience leading applications development and infrastructure support teams. In addition to having an MBA degree from the University of Missouri, Mr. Markovich has several security certifications, including the certified information systems security professional (CISSP) and certified ethical hacker (CEH) certifications.

Panelists: Britt Lindley is Chief Information Security Officer within Thrivent Financial’s Information Technology division, reporting directly to the Chief Administrative Officer. Mr. Lindley serves in this position for Thrivent Financial, its subsidiaries and affiliates (Thrivent). Acting as the Chief Information Security Officer, Mr. Lindley is responsible for the management, oversight and implementation of the required Information Security programs and associated controls. He leads a team of professionals who are responsible for the Information Security functions for Thrivent, and is also the chair of Thrivent’s Protection Risk Group, which communicates internal and external Information Security operational risk, as well as risk management, to senior leaders. For 16 years prior to joining Thrivent in 2010 as Director of Information Security, Mr. Lindley held Information Security leadership roles within various industry sectors including banking, technology, and transportation/logistics. Serving in these various security leadership roles, Mr. Lindley has worked in both privately held and public companies, as well as large multi-national organizations. Mr. Lindley earned his Bachelor of Science degree in Computer Science from Point Park University in Pittsburgh, PA. He also holds Information Security certifications from the International Information Systems Security Certification Consortium (ISC2) (CISSP – Certified Information Systems Security Professional – Since 2000) and Information Systems Audit and Control Association (ISACA) (CISM – Certified Information Security Manager – Since 2004). Mr. Lindley is active in trade and industry groups for the Financial Service industry. Mr. Lindley is an active volunteer within local organizations of the Community Foundation of the Fox Valley and a board member of the Volunteer Center of East Central WI. Mr. Lindley is retired from the Wisconsin National Guard after 23 years of service.

Jesse Magenheimer is Director in Information Security at State Farm in Bloomington, Illinois with responsibilities for Protective Technologies and Enterprise Information Security Incident Response. He has more than 25 years of IT experience, with the past 17 years spent in various information security, technology, and IT auditing roles. He has worked on the development of end-to-end application security controls, security architecture for data centers, creation of new professional security roles, leading IT and integrated audits, advancing the use of protective technologies, design of the company’s enterprise information security incident response plan, and the creation and execution of information security incident response exercises. Mr. Magenheimer holds a Bachelor’s Degree in Computer Science and a Master’s Degree in Emergency and Disaster Management. He also possesses a number of information security, risk management, and project management industry certifications.

Melissa Vacon is Assistant Vice President of Information Systems at John Hancock, supporting Signator Investors, Inc. For the past four years, Ms. Vacon has been responsible for all aspects of technology for the distribution arm of John Hancock. This includes all IT development and maintenance activities, all large project initiatives, infrastructure support, vendor management, cybersecurity risk mitigation and administration. Prior to joining Signator, Ms. Vacon held multiple IT positions within John Hancock, starting in 2001. Before joining John Hancock, Ms. Vacon was employed by GE at their Electric Insurance division.


2018 Cybersecurity Conference, February 22 | New York, NY

Recent Cyber Attacks, Threats and Possible Solutions


FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.

Panelists

Moderator
Gregory Markovich, Regulatory Principal, Sales Practice, FINRA Chicago District Office

Panelists
Britt Lindley, Chief Information Security Officer, Thrivent Financial for Lutherans
Jesse Magenheimer, Director - Information Security, State Farm
Melissa Vacon, Assistant Vice President of Information Services, Signator Investors, Inc.


To Access Polling

Under the “Schedule” icon on the home screen, select the day, choose the Recent Cyber Attacks, Threats and Possible Solutions session, and click on the polling icon.


Cybersecurity Attacks, Threats and Prevention

Why is it important:
• The frequency and sophistication of cybersecurity threats and attacks is increasing.
• Financial firms and individual broker-dealers are at risk.
• Firms must take steps to prevent attacks and monitor their environment.

Effective Practices:
• Written policies and procedures to protect customer information
• Governance Framework and Risk Management (identify, assess, manage)
• Technical Controls
• Vendor Management
• Training
• Monitoring and Incident Management


Polling Question 1

1. Has your firm experienced any of the following cybersecurity threats: phishing, ransomware, account take over, wire fraud, denial of service, malware, or viruses?

a. Yes
b. No
c. Don’t know


Polling Question 2

2. Has your firm received phishing emails in the last 12 months?

a. Yes
b. No
c. Don’t know


Financial Service Firms Common Threats

Threats:
• Phishing - #1 threat for financial firms as observed by FINRA
• Ransomware
• Account Takeover
• Wire Fraud
• DDoS Attacks
• Malware
• Virus
• Insider Threat
• Spam
• Others...


Polling Question 3

3. What level of human resources does your firm currently have focused on monitoring the environment for cyber related incidents or attacks (including third party resources)?

a. None
b. 5 people or less
c. 5 to 10 people
d. Greater than 10 people


Security Operations Center (SOC)

An organized and highly skilled team whose mission is to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cyber security incidents with the aid of both technology and well-defined processes and procedures.

FUNCTIONS:
• Maintain security monitoring tools
• Investigate suspicious activities

ROLES:
• Security Analyst
• Security Engineer
• Security Manager


Polling Question 4

4. Does your firm monitor the environment for potential internal threats?

a. Yes
b. No
c. Don’t know


Financial Service – Prevention Activities

• Training
• Vendor Management
• Risk Assessment/Management
• Monitoring
• Security Patching
• Others...


Cyber Incident Recovery Process

Develop and implement plans, processes, and procedures to fully restore a system weakened or breached as a result of a cyber incident or event.

Recovery Steps Include:
• Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned


Polling Question 5

5. Does your firm actively oversee the security controls and cyber programs for your critical third-party providers?

a. Yes
b. No
c. Don’t know


Third-Party Management

• Written policies that cover the entire life cycle of the relationship: onboarding, ongoing oversight, and termination of agreement
• Contractual terms and conditions: responsibilities of both parties, incident notification, ability to review audit reports (SSAE 18)
• Risk-based ongoing assessment of the third party’s security controls


FINRA References

FINRA Cybersecurity Page: www.finra.org/industry/cybersecurity
• 2015 Report on Cybersecurity Practices
• Small Firm Cybersecurity Checklist
• Compliance Vendor Directory

NIST Cybersecurity Framework: www.nist.gov/cyberframework


Plenary Session: Branch Cybersecurity Controls
Thursday, February 22, 1:15 p.m. – 2:15 p.m.

Cybersecurity is a top priority for the financial services industry. Firms dedicate significant resources every day to protect against cyber-crime, safeguard consumer data, and maintain the integrity and resilience of their systems in the face of countless cyber threats. During this session, panelists discuss defensive measures firms can take within branch locations. These measures include developing information security branch plans, training employees and other solutions.

Moderator: Kevin Bogue, Regulatory Principal, Sales Practice, FINRA Chicago District Office

Panelists:
Tammy Boone, Compliance Manager, NEXT Financial Group, Inc.
Robert Geary, Director, IT Security – Distribution, Lincoln Financial Securities
David Wimer, Business Information Security Officer, Transamerica


Branch Cybersecurity Controls Panelist Bios:

Moderator: Kevin Bogue joined FINRA on January 9, 2017 as a Regulatory Principal in the Chicago District Office. Mr. Bogue is a member of the Sales Practice Cybersecurity team responsible for examining firms' controls over their protection of sensitive client and firm information. Prior to joining FINRA, Mr. Bogue had more than 17 years of information technology (IT) and security experience working as a technology consultant with Accenture, as an internal Global IT auditor, IT Compliance Manager and SOX Program Manager with Abbott Laboratories, as an IT Compliance Manager with Brunswick and as an internal IT Audit Manager with CDW. Mr. Bogue earned an MS in Information Systems from DePaul University in Chicago, IL and a BS in Psychology from Iowa State University in Ames, IA.

Panelists: Tammy Boone joined NEXT in December 2010 and is currently the Compliance Manager overseeing Licensing, Registration and Branch Exams. Ms. Boone has more than 30 years of financial services experience in various capacities including support staff, branch operations, licensing, registration and compliance. Ms. Boone holds the Series 7, 9, 10, 63 and 65 licenses.

Robert Geary is Director of IT Security - Distribution for Lincoln Financial Securities and has more than 23 years of Information Technology experience. Mr. Geary started with Lincoln Financial Group in 1998 and has held several technical positions throughout his career. He spent five years as a member of Lincoln’s Cyber Threat Intelligence & Investigations Team, focusing on Incident Response, Endpoint Security Controls, and Vulnerability Management. He holds a Bachelor of Science degree in Mechanical Engineering from Drexel University along with several professional designations, including the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler (GCIH).

David Wimer has experience in information security, privacy and risk domains within the telecommunications and finance industries. Mr. Wimer has more than 20 years’ experience developing, implementing and educating his business colleagues on practical security practices. Mr. Wimer is a Business Information Security Officer for Transamerica and has worked through examinations from both the SEC and FINRA in the past two years on Transamerica’s application of cyber security controls within their organization. Mr. Wimer’s philosophy and primary focus is on continuous education of the workforce at all levels, and he has built a respectable awareness and training program within Transamerica. Mr. Wimer has additional experience in building and implementing controls on third party risk and has past experience conducting and supervising security assessments of Transamerica external partnerships, vendors and cloud providers/solutions.


2018 Cybersecurity Conference, February 22 | New York, NY

Plenary Session: Branch Cybersecurity Controls

Page 124: Welcome Remarks Thursday, February 22 9:00 a.m. …...Previously, Mr. Randich served as Co-CIO at Citigroup, and CIO and Global Head of Technology for Citigroup's Institutional Clients

FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.

Moderator

Kevin Bogue, Regulatory Principal, Sales Practice, FINRA Chicago

District Office

Panelists

Tammy Boone, Compliance Manager, NEXT Financial Group, Inc.

Robert Geary, Director, IT Security – Distribution, Lincoln

Financial Securities

David Wimer, Business Information Security Officer, Transamerica

Panelists

1

Page 125: Welcome Remarks Thursday, February 22 9:00 a.m. …...Previously, Mr. Randich served as Co-CIO at Citigroup, and CIO and Global Head of Technology for Citigroup's Institutional Clients

FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.

Under the “Schedule” icon on the home screen,

Select the day,

Choose the Plenary Session: Branch Cybersecurity

Controls session,

Click on the polling icon:

To Access Polling

2

Polling Question 1
1. Do you have branch office locations?
   a. Yes
   b. No

Polling Question 2
2. Do you have formal branch office policies and procedures?
   a. Yes
   b. No

Polling Question 3
3. Do you provide formal guidance to branches as to what cybersecurity controls are expected to be in place?
   a. Yes
   b. No

Branch Cybersecurity Controls

Why is it important: Many branch offices operate independently from the home office to set up computer systems and controls.

Effective Practices:
• Policy / procedure created for branch locations
• Certification
• Cyber training – not just an annual process
• Automated tools
• Branch examiners trained by IT to examine for cyber controls
• Data Loss Prevention (DLP) tools
• Recommend technology, software (e.g., antivirus) or vendors (e.g., cloud).

Branch Cybersecurity Controls continued…

Firms should have policies and procedures dealing with cybersecurity issues at branch locations. Topics include:
• Physical Security
• Virus and Malware Protection
• Patching
• Training and Awareness
• Vendor / Cloud Usage
• Encryption
• Reporting of Lost / Stolen Assets
• The Use of Passwords
• Business Continuity Planning / Testing
• Representative Certifications

Processes in place to verify controls have been implemented and are functioning as intended.

Branch Cybersecurity Controls continued…

Firms with an Independent Contractor model may have more risk due to the nature of the branch technology infrastructure.
• Reps may purchase their own assets
• Reps may not follow home office policies and procedures correctly
  – Use of cloud providers not approved by the firm
  – Physical security of assets
  – Access to office is secure
  – Process to report and manage lost/stolen assets
  – Proper disposal of decommissioned assets
  – Data protection controls (e.g., secure transmission and encryption)

Branch Cybersecurity Controls continued…

Typical controls would include:
• Proper access control including password management and multifactor logins
• Securely maintain branch assets including timely patching, anti-virus, and updates
• Training and awareness of branch personnel (including contractors)
• Branch level Business Continuity (BC) and Disaster Recovery (DR) planning / testing
• Process to follow when an incident / breach has occurred

Branch Cybersecurity Controls continued…

All firms with branch locations should verify and regularly audit security controls in the branch offices.
• Knowledge, through an inventory process, of critical software and hardware assets that exist in the branch.
• Physical security of assets, sensitive information and firm data:
  – Access to branch office is secure
  – Process to report and manage lost / stolen assets
  – Proper disposal of decommissioned assets
• Data protection controls including:
  – Secure transmission and storage of all sensitive information
  – Encryption of all sensitive information on branch computers

Branch Cybersecurity Controls continued…

What are we seeing?
• Few firms conduct regular audits of branch office security controls
• Opportunity exists for firms to improve and formalize their oversight of branch offices
• Most firms with large numbers of branches have developed cybersecurity questionnaires to which the reps attest
• Firms will audit branches on certain cyber-related questions and controls in place; e.g., laptop encryption, endpoint protection, updated OS, password management, physical security
• Automated tools for monitoring branch equipment
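As an added example (not from the FINRA deck or from any panelist's firm), the following Python script shows how a home office could turn the questionnaire items the slide lists into automated checks rather than relying on the rep's attestation alone: each device record is evaluated against laptop encryption, endpoint protection, OS patch age, password and multifactor settings, physical security and approved cloud usage, and the results roll up per branch so examiners can prioritise which offices to visit. The policy thresholds, the record field names, the `firm-approved-storage` allow-list entry and the two sample records are all assumptions constructed for this example.

```python
"""Automated evaluation of branch-office endpoint attestations.

Added example; it is not part of the FINRA deck. It takes the kind of
per-device attestation a branch representative submits on a cybersecurity
questionnaire and checks it against the controls the slides list as audit
points (laptop encryption, endpoint protection, updated OS, password
management, physical security). Thresholds, field names and sample
records are assumptions constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Assumed home-office policy thresholds (not stated on the slides).
MAX_OS_PATCH_AGE_DAYS = 30
MAX_SIGNATURE_AGE_DAYS = 7
MIN_PASSWORD_LENGTH = 12
MAX_SCREEN_LOCK_MINUTES = 15
APPROVED_CLOUD_SERVICES = {"firm-approved-storage"}  # hypothetical allow-list

# Reference date for the constructed sample (the conference date).
TODAY = date(2018, 2, 22)


@dataclass
class DeviceAttestation:
    """One device's answers on the branch cybersecurity questionnaire."""
    branch_id: str
    device_id: str
    disk_encrypted: bool
    endpoint_protection_enabled: bool
    signatures_updated: date
    os_last_patched: date
    mfa_enabled: bool
    min_password_length: int
    screen_lock_minutes: int          # 0 means no automatic screen lock
    stored_in_locked_office: bool
    cloud_services: List[str] = field(default_factory=list)


def evaluate(rec: DeviceAttestation, today: date = TODAY) -> List[str]:
    """Return the control gaps for one device; an empty list means compliant."""
    findings = []
    if not rec.disk_encrypted:
        findings.append("ENCRYPTION: full-disk encryption not enabled")
    if not rec.endpoint_protection_enabled:
        findings.append("ENDPOINT: endpoint protection not enabled")
    elif (today - rec.signatures_updated).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("ENDPOINT: protection signatures older than %d days"
                        % MAX_SIGNATURE_AGE_DAYS)
    if (today - rec.os_last_patched).days > MAX_OS_PATCH_AGE_DAYS:
        findings.append("PATCHING: OS not patched within %d days" % MAX_OS_PATCH_AGE_DAYS)
    if not rec.mfa_enabled:
        findings.append("ACCESS: multifactor login not enabled")
    if rec.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append("ACCESS: minimum password length below %d" % MIN_PASSWORD_LENGTH)
    if rec.screen_lock_minutes <= 0 or rec.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        findings.append("ACCESS: automatic screen lock missing or longer than %d minutes"
                        % MAX_SCREEN_LOCK_MINUTES)
    if not rec.stored_in_locked_office:
        findings.append("PHYSICAL: device not kept in a secured office")
    unapproved = sorted(set(rec.cloud_services) - APPROVED_CLOUD_SERVICES)
    if unapproved:
        findings.append("VENDOR: cloud services not approved by the firm: "
                        + ", ".join(unapproved))
    return findings


def branch_summary(records, today: date = TODAY) -> Dict[str, dict]:
    """Roll device findings up per branch so examiners can prioritise visits."""
    summary: Dict[str, dict] = {}
    for rec in records:
        entry = summary.setdefault(
            rec.branch_id, {"devices": 0, "noncompliant_devices": 0, "findings": {}})
        entry["devices"] += 1
        gaps = evaluate(rec, today)
        if gaps:
            entry["noncompliant_devices"] += 1
            entry["findings"][rec.device_id] = gaps
    return summary


# Constructed sample attestations: one compliant laptop, one with several gaps.
SAMPLE_RECORDS = [
    DeviceAttestation("B-001", "LT-1001", True, True, TODAY - timedelta(days=1),
                      TODAY - timedelta(days=10), True, 14, 10, True,
                      ["firm-approved-storage"]),
    DeviceAttestation("B-002", "LT-2042", False, True, TODAY - timedelta(days=20),
                      TODAY - timedelta(days=75), False, 8, 0, False,
                      ["personal-file-sync"]),
]

if __name__ == "__main__":
    for branch, entry in sorted(branch_summary(SAMPLE_RECORDS).items()):
        print(branch, entry["noncompliant_devices"], "of", entry["devices"],
              "devices with gaps")
        for device, gaps in entry["findings"].items():
            for gap in gaps:
                print("  ", device, gap)
```

Running the script prints each branch's count of devices with gaps followed by the specific findings. In practice the records would be fed from an endpoint-management or DLP tool, or from the attestation form itself, rather than constructed inline, and the thresholds would be taken from the firm's written branch policy so that the automated check and the policy the reps certify against cannot drift apart.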

References
• FINRA Cybersecurity Page: www.finra.org/industry/cybersecurity
  – Small Firm Cybersecurity Checklist
  – 2015 Report on Cybersecurity Practices
  – Compliance Vendor Directory
• NIST Cybersecurity Framework: www.nist.gov/cyberframework

Cyber Incident Response Plans and Resources
Thursday, February 22, 2:30 p.m. – 3:30 p.m.

Every organization should develop a written plan that identifies cyber-attack scenarios and sets out appropriate responses. While plans must be customized for each organization’s particular circumstances, the plan should address basic components. Join panelists as they discuss these components and provide examples of steps their firms have implemented. Panelists also provide resources and helpful tools for firms to address critical cyber threats as well as provide examples of what not to do.

Moderator: Rafael Skovron, Examination Manager, Sales Practice, FINRA San Francisco District Office

Panelists:
Andrew Hartridge, Chief Information Security Officer, M&T Securities, Inc.
Paul Horn, Chief Information Security Officer, HD Vest Financial Services
Gregory Scroggs, Senior Vice President and Chief Information Security Officer, Primerica

Cyber Incident Response Plans and Resources Panelist Bios:

Moderator: Rafael Skovron began his career by consulting for the international public accounting firm Grant Thornton. Mr. Skovron’s work included a large IT controls project at Fannie Mae in D.C. and testing IT controls for financial audits of public companies. Mr. Skovron then joined the Office Depot Internal Audit team and performed operational, financial, and technology audits at the global headquarters in Boca Raton and in Mexico. At FINRA, Mr. Skovron has worked at both the Boca Raton and San Francisco offices leading cybersecurity and technology governance routine examinations. His cause examinations have covered breaches of broker-dealer websites, phishing, business email compromise scams, mobile security risks, cloud security and branch office risks. He is also a member of an internal consulting team that develops guidance on technology governance and cybersecurity. Mr. Skovron is also a member of the Bay Area Chapter of InfraGard, a non-profit organization serving as a public-private partnership between U.S. businesses and the Federal Bureau of Investigation to address cybersecurity risks.

Panelists: Andrew Hartridge serves as M&T Bank’s Chief Information Security Officer, forming and executing the overall strategy for information security. Mr. Hartridge is an accomplished Information Technology executive with in-depth knowledge of Telecommunications, Information Security, Privacy, Operating Platforms and Emerging technologies. He has broad experience in the public and private sectors within the financial services, health-care, and manufacturing industries. He leads Cybersecurity activities for the Company, inclusive of networking and telecommunications, identity and access management, regulatory compliance and related policy and project support, to protect the Bank’s and customers’ data, monetary assets, information and reputation. Prior to this position, Mr. Hartridge held progressively senior executive leadership roles at the US Internal Revenue Service, where he was responsible for all aspects of the agency’s cybersecurity program. Mr. Hartridge is a Certified Information Systems Security Professional (CISSP) and an Information Systems Security Architecture Professional (ISSAP).

Paul Horn currently serves as Chief Information Security Officer (CISO) at HD Vest Financial Services and has more than 20 years of varied security experience. That experience includes time spent as a Special Agent with the Air Force Office of Special Investigations, leading a global information security program for DynCorp International’s logistics and air operations for various government contracts, and leading the Drug Enforcement Administration’s Aviation Division vulnerability management program. Mr. Horn also takes part in the Strategic Threat Assessment & Response (STAR) work group led by the IRS to help protect taxpayers and the integrity of the tax ecosystem. In addition, Mr. Horn was a finalist in 2013, 2014, 2015 and 2016 for Certified CISO of the Year through EC-Council and now serves on the awards committee. Mr. Horn also serves on a variety of Cyber Security Advisory Boards and has a deep dedication to the information security community, mentoring other security professionals. Mr. Horn holds a Master of Science in Management with a concentration in Information Systems Security and a Bachelor of Science in Business Administration in Information Technology from Colorado Technical University. Mr. Horn also holds the following information security certifications: Certified Chief Information Security Officer (C|CISO), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and GIAC Certified Incident Handler (GCIH).

Greg Scroggs attended Georgia Tech as a cooperative student with The Southern Company in Atlanta, where he served in a variety of roles: computer operations, application programming, system programming, and telecommunications functions. His next role involved both technical and management positions at the Primerica division of Travelers and Citigroup, where he held various technical operations, security, and telecommunications management positions. For the past 10 years, Mr. Scroggs has managed security engineering and operations, technology risk management, and data telecommunications for Primerica, which is now a public company. His current role at Primerica is Senior Vice President and Chief Information Security Officer (CISO).

2018 Cybersecurity Conference, February 22 | New York, NY

Cyber Incident Response Plans and Resources

Moderator
• Rafael Skovron, Examination Manager, Sales Practice, FINRA San Francisco District Office

Panelists
• Andrew Hartridge, Chief Information Security Officer, M&T Securities, Inc.
• Paul Horn, Chief Information Security Officer, HD Vest Financial Services
• Gregory Scroggs, Senior Vice President and Chief Information Security Officer, Primerica

To Access Polling
• Under the “Schedule” icon on the home screen,
• Select the day,
• Choose the Cyber Incident Response Plans and Resources session,
• Click on the polling icon:

Polling Question 1
1. Are you from a small firm? (Under 100 RRs)
   a. Yes
   b. No

Why invest resources in incident response?
• Reduce recovery time
• Increase stakeholder confidence
• Limit reputational damage to the firm and to the industry
• Compliance with FINRA supervision rules

Polling Question 2
2. What would you do if your printers started printing out tax returns randomly?
   a. Turn the machine off
   b. Add paper and collect the tax returns
   c. Call the police
   d. Contact your Chief Information Security Officer

What is an incident?
• Potential Events
• Declared vs Confirmed
• Indicators
• Incidents vs Attacks
• Severity levels

Key elements of an incident response plan
• Containment
• Mitigation
• Recovery
• Investigation
• Notification
• Restitution

Who are the major players in the plan?
• Commander
• Executives
• PR / Communications
• Legal
• Compliance
• What do you outsource?

Common issues when implementing a plan
• Too much data, not enough understanding of people, process, and tech
• New vendors quickly on-boarded
• Fatigue
• Incident response doesn’t scale
• No logs
• Some logs are worth more than others

Practicing the incident response plan
• Practice beyond table tops or not?
• Open vs closed pen tests
• Pre-scripted playbooks for more frequent attacks
• Develop scenarios for specific outcomes or not?
• Who makes decisions, when, and how will they be made?

Polling Question 3
3. Do you rely on insurance as your incident response plan?
   a. Yes
   b. No

Can small firms run effective incident response?
• Breach coach
• Vendors
• Correlating events across customers
• Small Firm Checklist

How does insurance factor into incident response?
• Role of cyber insurance underwriters
• Policy review

Does incident response change in the cloud?
• Networks and data are in the cloud
• Forensic detail
• Contractual responsibilities
• Vendor involvement

Security Incident Response Plan (S-IRP)

Revision History

Revision Number   Issue Date   Issued By   Explanation

1 Table of Contents

1 Table of Contents
2 Responders
3 Overview
  3.1 Effective Date
  3.2 Forward
  3.3 Reporting
  3.4 Scope
4 Definitions
  4.1 Event
  4.2 Precursor
  4.3 Indicator
  4.4 Incident Response
  4.5 Investigation
  4.6 System Owner
5 SIRT Framework
  5.1 Preparation
  5.2 Detection & Analysis
  5.3 Security Incident Escalation
  5.4 Containment, Eradication & Recovery
  5.5 Post-Incident Activity
6 Security Incident Details
  6.1 Categories
  6.2 Scope
  6.3 Severity Levels (Rating)
  6.4 Attack Vector
  6.5 Privacy Likelihood/Considerations
7 The SIRT
  7.1 SIRT Charge
  7.2 SIRT Objectives
8 SIRT Members
  8.1 Incident Commander
  8.2 Incident Administrator
  8.3 Anti-Money Laundering Responder
  8.4 Supporting Responders
  8.5 Help Desk
  8.6 Employees, Advisors, etc.
9 Security Incident Tracking
10 Security Incident Closure
  10.1 Final Reports
  10.2 Third-Party Reports
11 SIRT Training
  11.1 Advanced Training and Skills Requirements
12 SIRT Exercises
13 Security Incident Metric Reporting
  13.1 Out-of-Band Communications
  13.2 Board of Directors Reporting
  13.3 Collecting Security Incident Data
14 Security Incident External Reporting
  14.1 Insurance Reporting
  14.2 Suspicious Activity Reporting
  14.3 Constituent Notification
  14.4 Payment Card Industry Reporting
  14.5 Credit Monitoring
  14.6 Claims for Reimbursements
15 External Information Sharing
  15.1 InfraGard
  15.2 Financial Services Information Sharing and Analysis Center
  15.3 Data Sets to Consider for Sharing
16 SIRT Organizational Structure
17 Workflow Activity

2 Responders The following individuals have been identified within the Security Incident Response Plan with duties and

responsibilities described in later sections of this document.

Security Incident Response Team Core Members

Name Function Section Telephone

Incident Commander 8.1

Incident Commander 8.1

Incident Administrator 8.2

Incident Administrator 8.2

Incident Administrator 8.2

Anti-money Laundering Responder 8.3

Anti-money Laundering Responder 8.3

Supporting Responders

Name Function Section Telephone

Incident Coordinator 8.4.1

Incident Coordinator 8.4.1

Sr. Reviewing Executive 8.4.2

Sr. Reviewing Executive 8.4.2

IT Responder 8.4.3

IT Responder 8.4.3

IT Responder 8.4.3

SOC Responder 8.4.4

QSA Responder 8.4.5

QSA Responder 8.4.5

Forensic Responder 8.4.6

Forensic Responder 8.4.6

Forensic Responder 8.4.6

Forensic Responder 8.4.6

Forensic Responder 8.4.6

DR Responder 8.4.7

DR Responder 8.4.7

Communications Responder 8.4.8

Communications Responder 8.4.8

Risk and Compliance Responder 8.4.9

Risk and Compliance Responder 8.4.9

Finance Responder 8.4.10

Finance Responder 8.4.10

Legal Responder 8.4.11

Legal Responder 8.4.11

Legal Responder 8.4.11

Legal Responder 8.4.11

Operations Responder 8.4.12

Operations Responder 8.4.12

Sales Responder 8.4.13

Sales Responder 8.4.13

HR Responder 8.4.14

HR Responder 8.4.14

Law Enforcement Responder (FBI) 14.2

Law Enforcement Responder (FBI) 14.2


Law Enforcement Responder (USSS) 14.2

3 Overview
The purpose of this Security Incident Response Plan (“S-IRP” or “Plan”) is to provide a governing framework for Acme Corporation and its subsidiaries (“Acme” or the “Company”) around Incident Response (IR) efforts for suspected and confirmed Security Incidents. The Plan outlines Acme’s approach to handling Incident Response efforts: defining Security Incident(s); identifying the organizational structure and defining roles, responsibilities and levels of authority; identifying the severity rating of Security Incidents; and establishing methods of reporting and escalating Security Incidents.

The S-IRP also establishes the Security Incident Response Team (SIRT). The SIRT will follow the guidance in this document. The S-IRP will be reviewed annually and updated as needed to reflect changes in technology and/or at the request of the Chief Information Security Officer (CISO). Changes to the Plan will be coordinated through the Information Security Steering Committee (ISSC) for approval. In the event that items in the S-IRP are unclear, the CISO and/or Deputy Information Security Officer (Deputy ISO) will provide interpretive guidance.

3.1 Effective Date
The S-IRP will be effective January 1, 2017, but will be limited to Security Incidents rated as Level 5 or 6 that also have a Functional or Recoverability Impact of Significant or Catastrophic, or an Informational Impact of Privacy Loss or Integrity Loss (as defined in Section 6.2). These incidents will be identified as “Declared Incidents” and are discussed further in Section 5.3.

3.2 Foreword
The Company must be able to respond to physical and electronic Security Incidents in a manner that protects the Company’s Confidential Information (defined below) and resources (both physical and electronic) that might be affected by the Security Incident.

The Company, in varying degrees, relies upon Confidential Information (“Confidential Information”), which includes Confidential or Proprietary business information of the Company; cardholder data and sensitive authentication data as defined by the Payment Card Industry Data Security Standard (PCI DSS); nonpublic personal information (NPPI) of Company customers; and personally identifiable information (PII) of employees, registered representatives, Investment Advisor Representatives and customers. Such customers and employees are referred to herein collectively as “Company Constituencies,” and registered representatives and investment advisors are referred to herein collectively as “Advisors”. See the Information Security Policy for definitions of Confidential Information, NPPI and PII and for the detailed Information Classification Matrix.

3.3 Reporting
The SIRT, in consultation with the Legal Responders (identified in Section 8 of the S-IRP), is responsible for determining the extent of Federal, State and Self-Regulatory Organization (SRO) notification to be made in connection with a Security Incident. The actual notification will be performed by the Legal Responders.

Security Incidents may result in a business disruption that requires activation of the Business Continuity Plan (BCP) and/or the Emergency Plan. See the BCP and the Emergency Plan for more details.

3.4 Scope
This S-IRP applies to all physical and electronic Security Incidents involving Company resources, including, but not limited to, employees, hard-copy documents, electronic documents, and any computing devices, midrange systems and network environments owned or used by Acme, Advisors, third-party service providers and vendors that access, process, store or transfer Acme Information.


For Security Incidents involving Advisors and any Advisor-owned or leased IT equipment, a Security Incident Intake Form must be completed by contacting the Help Desk or submitting an email to [email protected] Monday through Friday between the hours of 8:00am and 5:00pm Central Standard Time. All applicable portions of the Security Incident Intake Form and of this document apply and, where applicable, must be followed.

4 Definitions
For the purpose of this document, a Security Incident is defined as an “Event” that has actual or potential adverse effects on an individual, computer or network resource, resulting in misuse and/or abuse, compromise of information, or loss and/or damage of Company property and/or information. Any Event that originates from, is directed towards, or transits Company-controlled computing equipment and/or network resources, including Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) used in support of Acme business operations, will fall under the purview of the SIRT.

Computing devices containing Company information that are operated and/or owned by Advisors will fall under the purview of the SIRT for reporting purposes; detection, containment, eradication and recovery efforts will be the responsibility of the System Owner and/or Advisor. It is foreseeable that many Events will be classified and handled by semi-automated or automated means and will not require further analysis and/or escalation. The potential list of Security Incidents is contained in Section 6 of this document.

4.1 Event
For the purpose of this document, an “Event” is defined as any observable occurrence, either physical or within a system or network.

4.2 Precursor
For the purpose of this document, a “Precursor” is a sign that a Security Incident may occur in the future.

4.3 Indicator
For the purpose of this document, an “Indicator” is a sign that a Security Incident may have occurred or may be occurring now.

4.4 Incident Response
For the purpose of this document, “Incident Response” means the process of detecting and analyzing a Security Incident and mitigating its effect on the organization.

4.5 Investigation
For the purpose of this document, an “Investigation” is the process of ascertaining facts and performing a detailed examination of information.

4.6 System Owner
For the purpose of this document, a “System Owner” is the person responsible or designated for procurement, development, integration, modification, or operation and maintenance of an information system.


5 SIRT Framework
The S-IRP life cycle methodology establishes a response capability, but also aids in preventing Security Incidents. Although the SIRT is typically not responsible for Security Incident prevention, prevention is fundamental to the success of the Security Incident Response Program. The sections below provide a basic framework that must be followed to handle and prevent Security Incidents.

5.1 Preparation
A Company goal is to keep the number of Security Incidents low to protect the business and its processes. A high volume of Security Incidents may overwhelm the SIRT and its capabilities.

The SIRT must be knowledgeable in industry-accepted Incident Handling techniques. Training requirements are listed in Section 11 of this document.

5.2 Detection & Analysis
Security Incidents occur in a multitude of ways, and it is not feasible to develop step-by-step instructions for each type of Security Incident. The SIRT needs to be flexible in its approach to handling and responding to any type of Security Incident. The list of Attack Vectors can be found in Section 6.4 of this document.

5.2.1 Detection

The most challenging part of the Incident Response process is accurately detecting and assessing suspected or possible Security Incidents and then determining whether a Security Incident occurred. The challenge resides within the following three factors:

1. A Security Incident may be detected through a variety of means, e.g., automated network-based detection tools, host-based Intrusion Detection Systems (IDS), antivirus platforms and log analyzers, or by manual means such as an individual reporting an Event or problem. Where applicable, computing resources (applications, systems, etc.) must be configured to send Event logs to a centralized Security Information and Event Management (SIEM) platform for analysis, to provide a central method for detection and/or for initiating directives.

2. The volume of Events and/or potential signs of a Security Incident in most organizations is generally high. It is not uncommon for an organization to encounter thousands, if not millions, of intrusion detection Events per day.

3. Because the severity of Security Incidents is variable, individuals who have specialized technical knowledge and extensive experience need to evaluate Security Incident related data.


5.2.2 Reporting New Security Incidents

Anyone who suspects the occurrence of a Security Incident or is affected by a Security Incident must report such information by telephone to the Help Desk within 2 hours of discovery and/or learning of the information, or as soon as reasonably practicable. The Help Desk’s phone number is (555) 555-5555. Security Incidents may also be reported through the [email protected] mailbox Monday through Friday between the hours of 8:00am and 5:00pm Central Standard Time. The individual who reports the Security Incident will be known as the “Detector”, and s/he will provide relevant information to the Help Desk representative that will be included in the Security Incident Intake Form. In the event the Help Desk is unavailable, notifications must be made to the CISO and/or Deputy ISO identified in Sections 2 and 8.1.1.

The Help Desk is initially responsible for ensuring the minimum information is contained within the Security Incident Intake Form and for providing the data to the CISO and/or Deputy ISO. The Help Desk must notify the CISO and/or Deputy ISO upon completing the Security Incident Intake Form or as soon as reasonably practicable. In some cases Information Security personnel and the Incident Administrator may self-initiate a Security Incident Intake Form.

5.2.3 Security Incident Intake Form

The Security Incident Intake Form at a minimum needs to contain the following data points prior to submission to the CISO and/or Deputy ISO:

Date and time notified
Date and time opened
Date and time of when the Event took place
Title of the Incident
Summary of the Event and how it was detected
Detector’s name, email and phone number (Detectors may choose to remain anonymous if so desired)
Acme Point of Contact (POC) for the Event
Category of the Incident
Scope (Functional Impact, Informational Impact and Recoverability Impact) of the Incident
Severity of the Incident
Method of detection

5.2.4 Analysis

The SIRT will endeavor to efficiently analyze and validate each Security Incident and follow a pre-defined evaluation and resolution process. The SIRT will document the steps it takes during the evaluation stages. When the SIRT believes that a Security Incident has occurred, it will evaluate the scope of the Security Incident by making the following determinations, where possible: (i) the cause of the Event; (ii) how it occurred and how it can be contained; and (iii) what was affected. The SIRT will update the status of Security Incidents by performing a deeper analysis, performing root cause analysis and identifying corrective actions as needed.

The status for Security Incidents shall contain the following data points (as applicable):

A summary of the Security Incident;

Indicators related to the Security Incident;

Actions taken by all Incident Handlers on the Security Incident;

Impact assessments related to the Security Incident (Functional, Informational, and Recoverability);

Contact information for other involved parties (non SIRT members);

A list of evidence gathered during the Security Incident;

Comments from Incident Handlers;

Next steps to be taken, to include root cause analysis and corrective actions as needed.

IDS systems may produce false positives resembling Security Incidents, which will require further analysis. Not all Security Incidents have Precursors, but Indicators are common. Even when an Indicator is accurate, it does not automatically mean a Security Incident has occurred. For example, a server can crash due to a memory leak, and this would not be classified as a Security Incident. The Incident Commander will use his or her judgment to determine whether an Event is actually a Security Incident.

5.2.5 Security Incident Ratings

The Incident Commander will rate all new Security Incidents s/he oversees and document the appropriate response(s) taken by the SIRT, based on several factors such as impacts, attack vectors and privacy. If a Security Incident meets multiple severity ratings, the highest level must be chosen. The Incident Commander may reduce the Security Incident classification, or reprioritize open Security Incident evaluations, based on the information available to him or her or when readily available alternatives exist.

Security Incidents receiving a “Level 6” severity rating will receive the highest priority of SIRT resources. In the case of multiple Security Incidents, the higher severity rating will receive higher prioritization.

5.3 Security Incident Escalation
Security Incidents that are assigned a severity rating meeting the threshold in Section 3.1 shall be known as “Declared Incidents”. The SIRT members shall confirm the rating and, once this occurs, these incidents will be referred to as “Confirmed Incidents.” Incident ratings may change during the evaluation stages of a Security Incident, especially as the SIRT obtains and reviews additional information. The Incident Commander will coordinate with the SIRT to determine if a Security Incident needs to be escalated or de-escalated. The same criteria used to initially rate a new Security Incident will be used to escalate or de-escalate a severity rating.

Confirmed Incidents need to be evaluated for insurance carrier notification by the Legal Responders. If such a requirement exists, the Legal Responder will notify the insurance carriers and perform any required follow-up actions they request.

5.3.1 Escalation

The Incident Commander will approve the initial rating or escalation of any Security Incident that is identified as a “Declared Incident” with a severity of “Level 6” and activate the Core SIRT members as appropriate. The Senior Reviewing Executive will inform Senior Management about the Security Incident and the reason for the escalation as soon as reasonably practicable.

The Incident Commander will approve the initial rating or escalation of any Security Incident that is identified as a “Declared Incident” with a severity of “Level 5” and activate the Core SIRT members as appropriate. The Incident Commander will be responsible for informing Senior Management about the Security Incident and the reason for the escalation, at the discretion of the SIRT.

5.3.2 De-escalation

The Incident Commander will obtain approval from the SIRT before lowering the rating of a “Confirmed Incident” rated “Level 6”. The Incident Commander must document the reason(s) for the de-escalation.

5.4 Containment, Eradication & Recovery All Security Incidents will be handled in phases, including: containment, eradication and recovery.

5.4.1 Containment

The SIRT is responsible for developing containment and remediation strategies. Containment strategies will vary and will be largely dependent on the circumstances and type of Security Incident. Most Security Incidents will require some form of containment (short- or long-term) to limit the damage to the Company. Decision-making will be more streamlined if there are predetermined containment and remediation strategies to follow for routine or standard types of Security Incidents.

Collecting evidence is an important part of evaluating and resolving a Security Incident. The primary goal of collecting evidence is to resolve the Security Incident, but evidence may also be needed for legal proceedings. Gathering evidence may not be required for every Security Incident. The Incident Commander will consult with the SIRT and direct the collection of evidence as needed. The Incident Commander may also discuss the evidence collection efforts with Legal Counsel, as needed. Evidence that is collected during the investigation of a Security Incident must be accounted for and secured at all times, and collected according to applicable laws and regulations, so that the evidence is admissible in court if needed.

The SIRT must physically secure and store evidence and/or material collected and/or prepared during the course of a Security Incident. Evidence must be retained for at least 120 days from the date the Security Incident is presented to the ISSC, or as long as reasonably necessary for legal purposes.

The Incident Commander has the discretion to direct efforts to identify attacking hosts.
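The requirement above that evidence be "accounted for and secured at all times" is usually met in practice by hashing each item at collection and logging every hand-off against that hash. The following is an added example, not part of the plan or any Acme tooling; the JSON-lines log layout, the field names, and the constructed sample file are assumptions made here.

```python
"""Evidence integrity and chain-of-custody log for Section 5.4.1.

Added example, not part of the plan. Each evidence item is hashed with
SHA-256 when collected; every hand-off is appended to a JSON-lines custody
log and refused if the item no longer matches its collection hash. The log
layout and field names are assumptions made here.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    """Stream the file so large images (disk or memory captures) need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only JSON-lines log: one entry per collection, hand-off or refused hand-off."""

    def __init__(self, log_path: Path) -> None:
        self.log_path = Path(log_path)

    def _append(self, entry: Dict[str, str]) -> None:
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        with open(self.log_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")

    def entries(self, evidence: Path) -> List[Dict[str, str]]:
        if not self.log_path.exists():
            return []
        with open(self.log_path, encoding="utf-8") as fh:
            rows = [json.loads(line) for line in fh if line.strip()]
        return [r for r in rows if r["item"] == str(evidence)]

    def collection_hash(self, evidence: Path) -> Optional[str]:
        """The hash recorded at collection time; the first 'collected' entry is authoritative."""
        collected = [e for e in self.entries(evidence) if e["action"] == "collected"]
        return collected[0]["sha256"] if collected else None

    def verify(self, evidence: Path) -> bool:
        """True only if the item was logged at collection and its bytes are unchanged."""
        expected = self.collection_hash(evidence)
        return expected is not None and sha256_file(evidence) == expected

    def collect(self, evidence: Path, incident_id: str, handler: str, note: str = "") -> str:
        digest = sha256_file(evidence)
        self._append({"incident": incident_id, "item": str(evidence), "sha256": digest,
                      "action": "collected", "handler": handler, "note": note})
        return digest

    def transfer(self, evidence: Path, incident_id: str, from_handler: str, to_handler: str) -> bool:
        """Record a hand-off; refuse (and log the refusal) if the hash no longer matches."""
        ok = self.verify(evidence)
        self._append({"incident": incident_id, "item": str(evidence), "sha256": sha256_file(evidence),
                      "action": "transferred" if ok else "refused_hash_mismatch",
                      "handler": to_handler, "note": f"from {from_handler}"})
        return ok


def demo(workdir: Optional[Path] = None) -> Dict[str, object]:
    """Constructed walk-through: collect a stand-in memory image, hand it off, tamper, try again."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="sirt-evidence-"))
    item = workdir / "host01-memory.raw"
    item.write_bytes(b"constructed sample bytes standing in for a memory image\n")
    log = CustodyLog(workdir / "custody.jsonl")
    log.collect(item, "SI-0001", "Forensic Responder", "acquired at console")
    first_handoff = log.transfer(item, "SI-0001", "Forensic Responder", "Incident Administrator")
    with open(item, "ab") as fh:  # simulate tampering after the first hand-off
        fh.write(b"unexpected change\n")
    second_handoff = log.transfer(item, "SI-0001", "Incident Administrator", "Legal Responder")
    return {"first_handoff": first_handoff, "second_handoff": second_handoff,
            "verified_after_tamper": log.verify(item), "entries": len(log.entries(item))}


if __name__ == "__main__":
    print(demo())
```

The refusal is logged rather than silently dropped, so the custody record itself shows when and between whom the integrity check failed; the 120-day retention clause above then applies to the log as much as to the items it describes.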

5.4.2 Eradication

Once a Security Incident has been contained, eradication may be necessary to remove and/or eliminate components and/or artifacts associated with the Security Incident. For example, malware needs to be deleted, certain user accounts may need to be disabled, and vulnerabilities that were exploited and/or involved must be identified and fixed to the extent possible.

Systems owned and operated by Advisors that may be involved in Security Incidents may require the Advisor to coordinate with individuals who have specialized computer security and forensic skills and are able to perform or assist with any detection, containment, eradication and/or recovery efforts. Advisors will need to coordinate with Acme Security to determine the appropriate computer security and/or forensic skills needed prior to engaging anyone for assistance, as failing to do so may result in duplicate expenses for the Advisor.

In some situations access to Acme computing resources may be temporarily suspended until a qualified security professional is able to determine that all containment, eradication and recovery steps have been performed and such information is communicated to the Incident Commander and/or Incident Administrator.

5.4.3 Recovery

In general, recovery efforts are performed by the Incident Coordinator. Recovery efforts involve restoring systems to normal operation, confirming systems are functioning normally and, when applicable, remediating vulnerabilities to prevent similar attacks from occurring. Recovery efforts may run parallel to and/or overlap with eradication efforts.

Typical recovery actions are listed below:

Restoring from clean backups
Rebuilding systems from scratch
Replacing compromised files with clean versions
Installing patches
Changing passwords
Tightening network perimeter security (e.g., firewall rules, access control lists)
Enabling higher levels of logging for affected resources

If a Security Incident has a severity rating of “Level 6”, and/or the associated computing resources (e.g., a laptop or desktop) have been involved in two or more “Level 5” severity rated Security Incidents, the computing resources must be reimaged and/or restored to a last known non-compromised state prior to being placed into service. Files that were previously on the computing resource need to be scanned prior to being placed on the reimaged and/or restored computing resource. Note: restored files may contain malicious code that remains dormant until the files are opened. The Incident Commander will determine whether to restore files and report his or her decision to the SIRT. If the determination is made to restore files, only common files must be restored, and under no circumstances may any user profiles be transferred to a clean system and/or image.


5.5 Post-Incident Activity
Post-Incident activities are a critical part of the Security Incident response process because they provide the Company with the opportunity to learn from Incident Response activities and improve the evaluation and remediation processes as needed.

The Incident Commander will schedule a “lessons learned” meeting no later than 3 weeks after a Level 5 or 6 Security Incident is fully closed out. All members of the SIRT are required to attend the lessons learned meeting. The Incident Administrator will be responsible for documenting the meeting.

The following topics need to be discussed at the lessons learned meeting and summarized and documented by the Incident Administrator:

Exactly what happened, and at what times?
How well did staff and management perform in dealing with the Security Incident?
Were the documented procedures followed, were they adequate, and do they need to be improved?
What information was needed sooner?
Were any steps or actions taken that might have hindered recovery?
What would the staff and management do differently the next time a similar Security Incident occurs?
How could information sharing with other organizations have been improved, if this was done?
What corrective actions can prevent similar Security Incidents in the future?
What Precursors or Indicators need to be watched for in the future to detect similar Security Incidents?
What additional tools or resources are needed to detect, analyze and mitigate future Security Incidents?

During this meeting, the SIRT must identify, to the best of its ability, the root cause(s) of the Event, the remedial measures taken, the team’s performance, and whether any internal controls, policies and/or procedures need to be modified in an attempt to prevent similar Security Incidents from recurring. The Risk and Compliance Responder will submit an Issue and Corrective Action Report (ICAR) as needed, which will be tracked by the Risk Management manager identified in the Firm’s Supervisory Control Program.


6 Security Incident Details
The Security Incident details listed below are required for all Security Incidents and will aid during IR efforts.

6.1 Categories
All Security Incidents will be categorized based upon the details of the Security Incident. Each Security Incident at a minimum needs to be assigned one of the following categories:

Category: Summary and Notes

General: Any Security Incident category not specifically identified below.

Unauthorized Access: An individual gains physical or logical access without permission to a network, system, application, data, building/office or other resource.

Loss of Data, Equipment and/or Documents: The loss or theft of data, documents, a computing device or media.

Attrition: An attack that employs brute-force methods to impair the normal functionality of networks, systems or applications (e.g., Denial of Service, brute-force password guessing).

Malicious Code (Malware): Successful installation of malicious software (e.g., virus, worm, Trojan horse or other code-based malicious entity) that infects an operating system or application. Malicious code that has successfully been quarantined by antivirus software does not need to be reported.

Improper Usage: A person violates the acceptable computing use policies.

Scans, Probes and/or Attempted Access: Any activity that seeks to access or identify a computer, open ports, protocols, services, or any combination thereof for later exploitation. This activity does not directly result in a compromise or denial of service.

Investigation: Unconfirmed incidents that are potentially malicious or anomalous activity warranting further review.

Exercise and/or Network Defense Testing: To be used during testing or exercises and approved testing of internal and external network defenses or responses.

Social Engineering: Attempted acquisition of information such as usernames, passwords and credit card details by disguising the request as coming from a purportedly trustworthy entity, in person or by electronic communication (such as email, voice mail, etc.).

Failed Authentication (Advisor/Client only): Failed authentication attempts against Advisor or Client accounts.

System Malfunctions: Computing resources, associated with improper maintenance and/or operation, that are operating outside their intended purpose.

Physical Harm: Physical or psychological harm to an individual or group.


6.2 Scope
For the purpose of this S-IRP, each Security Incident will be evaluated to determine the potential Scope of the Security Incident. The Scope will aid in the identification of the Severity Level, and will aid during times of concurrent Security Incidents in prioritizing response efforts. The Scope consists of evaluating the functional, informational and recoverability impacts and, where it can be estimated, the financial impact. When a Security Incident is initially reported, the Scope may need to be estimated. If the Scope is unknown at the time of initial discovery, the team needs to make a conservative estimate based upon the information available; the Scope must then be modified as necessary during the lifecycle of the Security Incident if additional information is obtained that changes the Scope.

The Scope for Security Incidents at a minimum needs to contain one of the following data points for each Impact:

Functional Impact
Insignificant: Organization’s ability to provide services is not affected.
Minor: Organization is able to provide services to all users but has lost efficiency.
Marginal: Organization is able to provide critical services to all users but has lost efficiency.
Major: Organization has lost the ability to provide services to a subset of users.
Significant: Organization is no longer able to provide some services to any users.
Catastrophic: Organization is no longer able to provide critical services to any users.

Informational Impact
None: No information was exfiltrated, changed, deleted or otherwise compromised.
Privacy Loss: NPPI, PII and/or payment card data was accessed or exfiltrated.*
Privacy Loss (Outside Acme): NPPI, PII and/or payment card data was accessed or exfiltrated outside of Acme.*
Proprietary Loss: Company proprietary information was accessed or exfiltrated.
Integrity Loss: NPPI, PII, payment card data and/or proprietary information was changed or deleted.*

Recoverability Impact
Insignificant: Recovery is possible using procedures already in use; less than 1 hour.
Minor: Time to recovery is predictable with existing resources; less than 2 hours.
Marginal: Time to recovery is predictable with additional resources; less than 4 hours.
Major: Time to recovery is unpredictable; no additional resources or outside help needed; less than 8 hours.
Significant: Time to recovery is unpredictable; additional resources and outside help needed; more than 8 hours.
Catastrophic: Recovery is not possible; permanent loss of service or facility (e.g., NPPI was exfiltrated and posted publicly).

Financial Impact
Very Low: Less than $100,000
Low: $100,001 - $200,000
Moderate: $200,001 - $300,000
Medium: $300,001 - $500,000
High: $500,001 - $1,000,000
Very High: Greater than $1,000,000

*See the Acme Information Security Policy for the Information Classification Matrix that provides detailed examples of NPPI and PII data points.


6.3 Severity Levels (Rating)
All Security Incidents will be classified (rated) based upon the details of the Security Incident. Each Security Incident at a minimum needs to be assigned one of the following ratings:

Level 6 (Very High)
Any Event and/or Security Incident that potentially has a significant impact on one or more of the following:
The ability to provide products and/or services to a significant number of customers;
The ability to control, record, measure, track and/or account for a significant amount of inventory, revenue or cash;
The unacceptable risk of significant punitive regulatory actions, contractual penalties, fraudulent criminal activity and/or civil litigation; or
Significant notoriety that has the potential to adversely affect the Company’s valuation, damage the brand, and/or cause widespread concern amongst customers and/or investors.

Level 5 (High)
Any Event and/or Security Incident not rated as “Level 6” that meets one or more of the following:
Subject to mandatory reporting and/or notification;
Requires due diligence to assess, identify and/or correct a deficiency within the organization’s data processing, data usage and/or information security infrastructure;
Presents the potential, but not the likelihood, of some sort of litigation and/or media attention; or
Impacts key business functions, systems and/or “Confidential Information.”

Level 4 (Medium)
Any Event and/or Security Incident not rated as “Level 6 or 5” that results in a False Positive and/or a duplicate effort.

Level 3 (Moderate)
Any Event and/or Security Incident not rated as “Level 6, 5 or 4” that warrants further analysis and/or investigation.

Level 2 (Low)
Any Event that is NOT categorized as a Security Incident but has Precursors of a Security Incident (i.e., someone reports a potential Security Incident that is determined not to be a Security Incident); these items need to be logged.

Level 1 (Very Low)
Any Event that is NOT categorized as a Security Incident and does NOT have any Precursors of a Security Incident (i.e., someone reports a potential Security Incident that is determined not to be a Security Incident); these items may be logged at the discretion of the Incident Commander.


6.4 Attack Vector

For the purpose of this S-IRP, the attack vector will aid during times of concurrent Incidents and in prioritizing response efforts based on currently available information, the network architecture and the level of sophistication.

The Attack Vector for Security Incidents at a minimum needs to contain one of the following data points:

Vector: Summary and Notes
- Attrition: An attack that employs brute force methods
- Web: Websites or web-based applications
- Email: Email message or attachment
- External/Removable Media: Flash drives, Compact Discs (CDs), or other peripheral devices
- Impersonation/Spoofing: Replacement of legitimate content/services
- Improper Usage: Violation of acceptable use or other policies
- Loss or Theft of Equipment: Electronic or physical loss of a computing device, media, or document
- Unknown: Cause of attack is unidentified
- Other: An attack that does not fit into any other vector

6.5 Privacy Likelihood/Considerations (i.e. Informational Impact)

For the purpose of this S-IRP, each Security Incident will be evaluated for an Informational Impact to determine the likelihood of potential Privacy considerations. This will aid in the identification of which Security Incidents require the attention of the Legal Counsel to help evaluate any potential Privacy Notification requirements.

7 The SIRT

Senior Management established the SIRT to ensure centralized coordination of Incident Responses. The SIRT is comprised of technical and non-technical Company employees and contractors who are charged with the prevention, identification, analysis, containment, eradication, recovery, and lessons learned of Security Incidents.

7.1 SIRT Charge

The SIRT is responsible for establishing, overseeing, and carrying out the plans of action for any Security Incident that potentially threatens the confidentiality, integrity, or availability of Company resources (both physical and electronic) and, to a certain degree, those owned and/or operated by Advisors. The SIRT will attempt to restore/recover information and/or systems to an operational state as quickly as possible while preserving forensic data. The SIRT will provide direction and support to the Company and its Advisors when responding to any Incident under its purview.

7.2 SIRT Objectives

The SIRT’s main objectives are to protect and preserve information and computing resources to ensure the availability, integrity and, as required, confidentiality of Company information and computing resources.

There are five primary objectives of the SIRT:
1. Control and manage Security Incidents.
2. Investigate and assess the severity of Security Incidents in a timely manner.
3. Recover from or bypass Security Incidents in a timely manner to re-establish normal operational conditions.
4. Notify Senior Management, the Risk Oversight Committee (ROC) and/or ISSC of “Confirmed Incidents” with a “Level 6” rating in a timely manner.
5. To the extent possible, prevent similar Security Incidents from occurring in the future, or establish methods to better protect the Company and its Advisors from experiencing them.


8 SIRT Members

The SIRT members (also known as “Responders”) are an operational and diverse team with the specialized skills to investigate Security Incidents and recommend measures to correct or bypass problems or conditions relating to Security Incidents. The nature of a Security Incident will determine which parties are needed to assist with response efforts and implement preventative or corrective actions.

Permanent (Core) Members:
- Incident Commander
- Incident Administrator
- Anti-money Laundering (AML) Responder

Supporting / SME members (at the discretion of the SIRT) may include:
- Internal Supporting Responders
  o Senior Reviewing Executive
  o Incident Coordinator
  o IT
  o Disaster Recovery (DR)
  o Communications
  o Risk and Compliance
  o Finance
  o Legal
  o Operations
  o Sales
  o Human Resources
- External Supporting Responders
  o Qualified Security Assessor (QSA)
  o Forensic Computing Services Firm
  o Security Operations Center (SOC)

The core SIRT will be assisted by supporting responders who are Subject Matter Experts (SME) within their field. These SMEs will only be informed about an incident at the discretion of the SIRT, at which point they are informed of their responsibilities below. SIRT members must conduct themselves in accordance with the following general objectives:
- Conduct objective, thorough, and timely investigations.
- Evaluate Security Incidents with a focus on individuals’ privacy rights.
- Collect, preserve, and protect data, documentation and materials related to the investigation.
- Maintain confidentiality around the investigation and/or Security Incident as required.
- Maintain thorough documentation of the entire investigation process.
- Safeguard data, documentation and materials related to the investigation.
- Maintain the chain of custody of investigation materials and documentation.
- Evaluate the underlying facts discovered through the evidence obtained in connection with an investigation of a Security Incident and present objective conclusions in Final Reports. Conclusions must be fully supported by facts discovered during an investigation of a Security Incident.
- Conduct a post-incident review of the investigation, and document policy or procedural issues that enhanced or hindered the Security Incident detection, monitoring, investigation, and subsequent development and implementation of corrective or problem bypass measures.
- Evaluate the business impact of any recommendations that are made to Senior Management.

8.1 Incident Commander

The CISO will serve as the Primary Incident Commander. The Deputy ISO will serve as the Secondary Incident Commander.


8.1.1 Responsibilities
- Activate the SIRT and, as needed, Supporting Responders
- Conduct SIRT meetings
- Coordinate SIRT investigations
- Classify Security Incidents according to Section 6 of this document
- Determine investigation objectives
- Coordinate SIRT training and exercises
- Finalize post-investigation documents
- Prepare reports, as needed
- Update the Senior Reviewing Executive regarding the status of an investigation as needed
- Recommend to the CEO whether information needs to be issued to the general public, when requested
- Coordinate with law enforcement at the direction of the SIRT
- Deactivate the SIRT

8.2 Incident Administrator

The Incident Administrator will assist in a number of administrative functions and assist the Incident Commander and the Incident Coordinator as needed.

8.2.1 Responsibilities
- Take notes during meetings and document their own actions as well as the general actions of the SIRT
- Manage tasks and track the labor hours of SIRT members
- Act as the repository for all Security Incident-related evidence upon deactivation of response efforts, when directed by the Incident Commander in coordination with Legal Responders
- Monitor the [email protected] mailbox Monday through Friday between 08:00am and 05:00pm and self-initiate a Security Incident Intake Form as needed
- Assist in finalizing notification documents and mail such documents

8.3 Anti-Money Laundering Responder

The Anti-money Laundering (AML) Responder will perform AML procedures as well as account reviews and block accounts as needed.

The AML Compliance Manager will serve as the Primary Anti-money Laundering Responder. The Regulatory Compliance Manager will serve as the Secondary Anti-money Laundering Responder. Both managers are members of the AML Committee in addition to the Chief Compliance Officer.

8.3.1 Responsibilities
- Coordinate with the Chief Compliance Officer and/or the AML Committee to determine whether any punitive or legal actions are recommended for any Advisor.
- Perform account reviews and block accounts as needed. Additional notification to internal staff may be performed in lieu of blocking accounts. This will be performed at the determination of the AML Compliance Manager or Regulatory Compliance Manager.
- Notify internal staff and/or departments in lieu of blocking accounts as needed.

8.4 Supporting Responders

Supporting Responders are not permanent SIRT members; however, these individuals may be asked to assist with a SIRT investigation because they have expertise in a particular subject matter. The Incident Commander and/or Incident Coordinator may request the assistance of Supporting Responders. If their assistance is required, they will become part of the SIRT for the particular investigation they are assisting with. The Incident Commander is the only SIRT member authorized to discontinue the assistance of the Supporting Responders.


8.4.1 Incident Coordinator Responders Core Responsibilities

The Incident Coordinator is responsible for resolving day-to-day production problems and leverages other support groups within the business such as the application support group.

The Head of Infrastructure will serve as the Primary Incident Coordinator. The Manager of Development Services will serve as the Secondary Incident Coordinator.

- Serve as the single POC to the Incident Commander for all technical actions.
- Identify and request supporting responders as needed.
- Assess the scope of the Security Incident damage, if any.
- Provide a systematic approach for technical actions when numerous technology platforms could be impacted by a Security Incident.
- Control and contain the Security Incident, to the extent possible.
- Collect, document, and preserve forensic evidence related to the Security Incident.
- Maintain a chain of custody for all computing evidence obtained during Security Incidents.
- Interview individuals who may have information relevant to the Security Incident.
- Identify the root cause and/or source and the extent of the damage, and recommend countermeasures or mitigation solutions to reduce or stop any additional damage.
- Conduct problem analysis to determine whether any failure in the Company’s Infrastructure or computing environment may have enabled the Event to occur.
- Audit mission-critical systems to ensure they are current with service packs and patches.
- Recommend solutions that are designed to aid in the prevention of similar Security Incidents from recurring in the future. All recommendations need to take into consideration the business impact that would be incurred if any recommendations are approved and implemented.
- Monitor recovery efforts.

8.4.2 Senior Reviewing Executive Responders Core Responsibilities

A Senior Reviewing Executive will be indirectly involved during investigations of Security Incidents so he or she can provide impartial oversight to help protect the interests of the Company. If the Incident Commander is busy running the S-IRP, the Senior Reviewing Executive will provide Senior Management with any relevant updates regarding IR efforts.

The CCO will serve as the Primary Senior Reviewing Executive. The CIO will serve as the Secondary Senior Reviewing Executive.

- Update Senior Management and business managers as needed regarding the ongoing investigation and IR efforts
- Work with Senior Management to obtain the services of external resources as needed
- Prioritize the Security Incident within the Company, or direct more senior and/or capable leadership and/or resources to the IR efforts
- Provide objective oversight of the IR efforts
- Review reports generated by the Incident Commander as needed

8.4.3 Information Technology (IT) Responders Core Responsibilities
- Provide the necessary technical support to enable an effective response, such as platform, application, database, and network support

8.4.4 Security Operations Center (SOC) Responders Core Responsibilities
- Serve as central POC for suspected Security Incidents derived from Company network traffic or Advisor networks that are externally reviewed through Managed Security Service Providers (MSSPs)
- Manage the day-to-day monitoring of resources and/or systems for potential security compromises


8.4.5 Qualified Security Assessor (QSA) Responders Core Responsibilities
- Serve as central POC for suspected Security Incidents involving cardholder and/or sensitive authentication data

8.4.6 Forensic Responders Core Responsibilities
- Oversee all Forensic investigation requirements and efforts performed by any third-party resources
- Provide expert guidance related to procedures for securing electronic or physical evidence, when appropriate
- Provide expert forensic examination of computing resources and/or forensic images captured during response efforts
- Ensure all evidence collected throughout the Security Incident’s lifecycle is obtained from SIRT members upon deactivation of the SIRT
- Ensure the procedures for Digital Evidence Chain of Custody are followed by the SIRT

8.4.7 Disaster Recovery (DR) Responders Core Responsibilities
- Maintain situational awareness throughout the entire IR lifecycle for affected technologies identified within the Company’s Disaster Recovery/Business Continuity (DR/BC) Plan.
- Coordinate with affected technology groups to ensure they are capable of rapid transition to DR/BC mode.
- Assess each affected piece of technology to determine a solution in the event any physical assets must be seized by or provided to Law Enforcement (LE).

8.4.8 Communications Responders Core Responsibilities
- Serve as the POC for all requests for information from any source.
- Coordinate the release of information to the public.
- Provide ongoing advice and awareness regarding the release of communications or documents to the public.
- Manage crisis communications to limit exposure to the Company and its Advisors.
- Create and distribute internal communications for the Company to help manage the impact of public awareness of Security Incidents.
- Assist in drafting and finalizing notification documents with the Legal Responder and Incident Administrator.

8.4.9 Risk and Compliance Responders Core Responsibilities
- Ensure that all statutory and contractual obligations are met in a timely manner.
- Perform Internal Controls evaluation.
- Facilitate policy updates and/or changes as needed.
- Provide ongoing advice and awareness regarding the release of communications or documents to regulators and/or law enforcement.
- Ensure all reporting requirements under SEC, FINRA, Federal, State, and Local Laws are addressed by the SIRT.
- Identify and track Risks as well as Issues and Corrective Actions.
- Evaluate Incidents as needed as part of the ROC bi-monthly meetings.

8.4.10 Finance Responders Core Responsibilities
- Ensure that all Sarbanes-Oxley Act (SOX) requirements, such as those concerning evidence tampering and whistleblower protections, are met during the lifecycle of the Security Incident
- Analyze cost savings and/or reforecast budgets if emergency funding is needed
- Track expenses during the lifecycle of the Security Incident

8.4.11 Legal Responders Core Responsibilities
- Provide ongoing legal counsel during Security Incidents
- Evaluate legal privacy implications of Security Incidents
- Evaluate SIRT actions to take into consideration post-event litigation and/or criminal prosecution
- Aid in the determination of whether to notify law enforcement. Serve as the liaison to law enforcement if it becomes involved in the investigation of Security Incidents.
- Provide guidance regarding other legal and contractual obligations stemming from Security Incidents.
- Draft and finalize notification documents with the assistance of the Incident Administrator and Communications Responder.
- Notify Insurance Carriers and keep them informed on the progress of the Security Incident.

8.4.12 Operations Responders Core Responsibilities
- Evaluate the operational impact of Security Events based on Advisor and Company Constituencies’ needs; update the SIRT as needed.
- Liaise with outside entities such as clearing firms, banks, and regulators.
- Perform general field support.
- Recommend additional controls and/or processes as necessary in coordination with Risk and Compliance Responders.
- Implement additional controls and/or processes upon approval by Senior Management or Risk Management.

8.4.13 Sales Responders Core Responsibilities
- Evaluate the potential business impact of SIRT response efforts and provide this information to the SIRT.
- Work with Disaster Recovery Responders to coordinate between IT and affected business unit(s) in the event of a disruption to business operations that may require a Disaster Recovery / Business Continuity action.

8.4.14 Human Resource Responders Core Responsibilities
- Handle all employment-related circumstances resulting from Security Incidents

8.4.15 Law Enforcement Responders Core Responsibilities
- Serve as central POC for suspected Security Incidents when law enforcement notification is required (criminal activity under federal, state, local, and international laws).

8.5 Help Desk

The Help Desk will serve as the central POC for reporting Security Incidents. The Help Desk will be available (Monday through Saturday 06:00am – 07:00pm and Sunday 07:00am – 04:00pm) for communications and Security Incident Reporting. Additionally, the Incident Administrator will serve as an additional POC by monitoring the [email protected] mailbox Monday through Friday between 08:00am and 05:00pm.

8.5.1 Responsibilities
- Monitor Acme computing resources for reports of suspected and/or confirmed Security Incidents
- Complete Security Incident Intake Forms and select the appropriate severity level.
- Notify the Incident Commander upon completion of Security Incident Intake Forms or as soon as reasonably practicable
- Email completed Security Incident Intake Forms to the Incident Commander as directed by the Incident Commander.
- Receive calls from Advisors on potential Security Incidents.

8.6 Employees, Advisors, etc.

Anyone who observes and/or is informed of a suspected or confirmed Security Incident is responsible for reporting such information immediately.

8.6.1 Responsibilities
- Report suspected or confirmed Security Incidents within 2 hours of obtaining information or as soon as reasonably practicable. See sections 3.4 and 5.3.3 for more information on how to report.

9 Security Incident Tracking

The SIRT will log, track and document the investigation and resolution of all Security Incidents by submitting a Security Incident Intake Form at https://incidentintake.acme.com. Data for a particular Security Incident will only be available to the SIRT members, and to others upon request and/or approval of the CISO and/or CCO.

Security Incidents will follow the following lifecycle statuses:
- Initial (Indicates the ticket is in the initial detection and reporting process)
- Follow-Up (Indicates the ticket is ready for the CISO and/or Deputy CISO to review)
- Secondary (Indicates the ticket is ready for the SIRT to review)
- Collection (Indicates the ticket is ready for Containment, Eradication and Recovery efforts)
- Closed (Indicates the Core SIRT has agreed the matter is closed)

Process to log a new Security Incident Intake Form:
1. Navigate to https://incidentintake.acme.com
2. Click on “Create New”
3. Enter all required information for all tabs
   a. You may select “Save for Later” to come back at a later time
   b. You will be presented with a warning message in the event all required fields are not completed
4. Click “Submit” to send the form to the next stage for review

Process for Follow-Up and Secondary Analysis:
1. Navigate to https://incidentintake.acme.com
2. Click on “Edit Incident” for the appropriate Security Incident
3. Enter all required information for all tabs
   a. You may select “Save for Later” to come back at a later time
   b. You will be presented with a warning message in the event all required fields are not completed
4. Click “Submit” to send the form to the next stage for review

Process for Collection:
1. Navigate to https://incidentintake.acme.com
2. Click on “Edit Incident” for the appropriate Security Incident
3. Click on “Attachments” and navigate to the appropriate section
4. Enter information for all required fields
5. Click “Submit” to save your information
6. Repeat steps 3, 4, and 5 for all appropriate sections

10 Security Incident Closure

Once the affected systems or resources have been returned to normal operations, the SIRT will verify that all corrective and/or preventative tasks are complete and that local services have been restored. In cases where Security Incident response efforts are partially outsourced to third parties, the Incident Commander will monitor and document the Security Incident resolution.

If a Security Incident is rated as a “Confirmed Incident” with a “Level 6 or 5” severity, the Incident Commander must obtain approval from the SIRT to close the Security Incident.

Process for Closing:
1. Navigate to https://incidentintake.acme.com
2. Click on “Edit Incident” for the appropriate Security Incident
3. Click on “Attachments” and navigate to the “Incident Closure Form”
4. Enter information for all required fields
5. Click “Submit” to save your information
6. Click “Browse Existing”
7. Select the drop-down arrow next to “Edit Incident” for the appropriate Security Incident
8. Click “Close Case”
   a. You will be presented with the following message: “You are attempting to close this incident. This action cannot be undone and will mark all aspects of the incident as read only. Are you sure you want to close the incident?”
9. Select “Ok” to close the Security Incident

At any time the CISO, CCO, or Chief Executive Officer (CEO) may terminate a Security Incident investigation, regardless of Security Incident severity rating. If a Security Incident is turned over to a law enforcement agency, the SIRT investigation will, in most cases, be suspended; however, the CISO and Legal Counsel will attempt to obtain updates from Law Enforcement regarding the matter.

Prior to closing any Security Incident involving potential disclosure of NPPI, PII, or other information that was deemed not to constitute NPPI or PII, the Legal Responder needs to conduct a follow-up review of the conclusion to confirm that the information involved has been correctly categorized.
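The lifecycle statuses of Section 9 and the closure rules of Section 10 are the kind of constraints a tracking system should enforce rather than leave to the person clicking “Close Case”. The following Python model is an added example written for this edit; it is not part of the S-IRP and not code from the incident intake system at https://incidentintake.acme.com. The class, field and function names (Incident, sirt_close_approved, legal_pii_review_done, run_to_closure) are assumptions, as is the decision to model termination by the CISO, CCO or CEO as a direct move to Closed.

```python
"""Lifecycle model for Security Incident Intake tickets (added example).

Encodes the Section 9 ticket statuses and the Section 10 closure rules:
    Initial -> Follow-Up -> Secondary -> Collection -> Closed
Assumptions not stated in the S-IRP: statuses advance strictly in order,
SIRT approval and the Legal PII review are recorded as boolean flags on the
record, and termination by the CISO/CCO/CEO moves the ticket straight to
Closed.
"""
from dataclasses import dataclass, field

STATUSES = ("Initial", "Follow-Up", "Secondary", "Collection", "Closed")
# "Submit" moves a ticket to the next stage for review (Section 9).
NEXT_STATUS = {s: STATUSES[i + 1] for i, s in enumerate(STATUSES[:-1])}
# Roles that may terminate an investigation regardless of severity (Section 10).
TERMINATING_ROLES = frozenset({"CISO", "CCO", "CEO"})


class LifecycleError(Exception):
    """A transition or edit that the S-IRP does not permit."""


@dataclass
class Incident:
    ticket_id: str
    severity: int                        # Section 6.3 rating, 1 (Very Low) .. 6 (Very High)
    confirmed: bool                      # True for a "Confirmed Incident"
    involves_pii: bool = False           # potential disclosure of NPPI/PII
    status: str = "Initial"
    sirt_close_approved: bool = False    # SIRT approval to close (Level 6 or 5)
    legal_pii_review_done: bool = False  # Legal Responder's follow-up categorisation review
    history: list = field(default_factory=list)

    def is_read_only(self) -> bool:
        # Closing marks all aspects of the incident as read only.
        return self.status == "Closed"

    def needs_sirt_approval(self) -> bool:
        return self.confirmed and self.severity >= 5

    def edit(self, note: str) -> None:
        if self.is_read_only():
            raise LifecycleError(f"{self.ticket_id} is closed and read only")
        self.history.append(("edit", note))

    def submit(self) -> str:
        """Advance one stage; closing is gated by the Section 10 checks."""
        if self.is_read_only():
            raise LifecycleError(f"{self.ticket_id} is closed and read only")
        target = NEXT_STATUS[self.status]
        if target == "Closed":
            self._check_closable()
        self.history.append(("status", target))
        self.status = target
        return target

    def _check_closable(self) -> None:
        if self.needs_sirt_approval() and not self.sirt_close_approved:
            raise LifecycleError("Level 6 or 5 Confirmed Incident requires SIRT approval to close")
        if self.involves_pii and not self.legal_pii_review_done:
            raise LifecycleError("Legal follow-up review of NPPI/PII categorisation is pending")

    def terminate(self, role: str) -> str:
        """CISO, CCO or CEO may end the investigation at any time."""
        if role not in TERMINATING_ROLES:
            raise LifecycleError(f"{role} is not authorized to terminate an investigation")
        self.history.append(("terminated_by", role))
        self.status = "Closed"
        return self.status


def run_to_closure(inc: Incident, approved: bool = False, legal_reviewed: bool = False) -> str:
    """Submit the ticket through every stage; return the final status or the blocking rule."""
    inc.sirt_close_approved = approved
    inc.legal_pii_review_done = legal_reviewed
    try:
        while inc.status != "Closed":
            inc.submit()
        return inc.status
    except LifecycleError as exc:
        return str(exc)


if __name__ == "__main__":
    blocked = Incident("INC-EXAMPLE-1", severity=6, confirmed=True)
    print(run_to_closure(blocked))                 # blocked: SIRT approval missing
    print(run_to_closure(blocked, approved=True))  # Closed
```

Because the guards live in `submit` and `terminate`, every path to Closed passes through the same checks, and the `history` list gives the Incident Administrator the audit trail Section 13.3 later asks for.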

10.1 Final Reports

The SIRT prepares Final Reports. These reports (electronic and physical) are maintained by the CISO.

10.2 Third-Party Reports

The Incident Commander and/or SIRT must confer with Legal Responders prior to engaging any third-party vendor that may produce third-party reports. Any report that is prepared by a Qualified Security Assessor (QSA) or an outside computing forensics firm must be addressed to Legal Counsel and marked as “Attorney-Client Privileged and Work Product Protected.”

11 SIRT Training

Core SIRT members will receive incident response training as needed. The CISO and Legal Counsel need to provide input in advance of any training to ensure the incident response training elements are current.

The following training topics need to be considered in the training venue:
- State and Federal Privacy Law
- Company Policies relevant to recent security incident trends
- Best practices for conducting incident handling and investigations
- Best practices for evidence preservation
- Hardware and software tools used by the SIRT

11.1 Advanced Training and Skills Requirements

Incident Commanders, Coordinators, and Administrators may be required to complete additional training to ensure that Incident Handling processes meet industry acceptance for an Incident Handler.


12 SIRT Exercises

The SIRT will conduct an annual exercise that simulates a Security Incident. The purpose of the exercise will be to maintain the skills and knowledge of the SIRT members. Exercises will involve all core SIRT members, and Supporting Responders will be selected to participate as required by the nature of the exercise. At the conclusion of the exercise, the Incident Commander, in coordination with the SIRT members, will prepare a brief report evaluating the exercise and distribute it to the ISSC and ROC within 30 days of completion. Any skill and/or knowledge area that needs to be improved, as well as procedural enhancements, will be identified in the report.

13 Security Incident Metric Reporting

The reports identified in this section will be generated based on information within the Security Incident tracking system. Where possible, these reports will be generated and distributed automatically:

Annually – ID Theft Prevention Status Report: Security Incident Metric Reporting and data from the Security Incident tracking system will be utilized to supplement the Firm’s ID Theft Prevention Program and the reporting requirements as follows (the following portion was taken from the ID Theft Prevention Program Document):

    Our firm is responsible for developing, implementing and administering our ITPP and will report annually to Senior Management on compliance with the FTC’s Red Flags Rule. The report will address the effectiveness of our ITPP in addressing the risk of identity theft in connection with covered account openings, existing accounts, and service provider arrangements, significant incidents involving identity theft and management’s response and recommendations for material changes to our ITPP. Acme will document and report on the effectiveness of ID Theft Prevention Program activities utilizing the annual ID Theft Prevention Status Report. The report will include:
    - Significant incidents (# of incidents, victims impacted and exposure) involving identity theft and management’s response
    - Identity theft control and operating procedure effectiveness
    - Summary of service provider arrangements including any changes to Service provider arrangements
    - Summary of recommendations for material changes to the program

    This annual program performance report will be issued by the Risk Management department by January 31 of each year.

    Acme Compliance is responsible for reporting to Acme Senior Management on the effectiveness of the Program and on the general state of ID Theft within the firm. As a result, the ID Theft Prevention Status Report will be issued and incorporated into our Annual CEO Certification Process that is reviewed with Senior Management.

13.1 Out-of-band Communications

While the SIRT may provide status updates, it may need to prepare for multiple communication methods, particularly out-of-band communications (e.g., in person, paper). This is necessary in some instances where compromised systems would give intruders advance warning that a Security Incident has been identified and that Security Incident response efforts are underway. The Incident Commander will determine if out-of-band communications are necessary prior to activation of the SIRT and thereafter as needed.

13.2 Board of Directors Reporting

All Security Incidents rated as “Confirmed Incidents” with a “Level 6” severity rating will be presented to the Acme Board of Directors no less than annually by the CISO or CCO and included in the annual CEO Certification process.

13.3 Collecting Security Incident Data

Collecting data during Security Incidents will help enhance the Information Security program. The information gathered may: (i) indicate the existence of systemic security weaknesses and threats; and (ii) evidence changes in Security Incident trends, which could feed into the Enterprise Risk Assessment process and lead to the implementation of additional controls.

The following metrics at a minimum must be collected by the Incident Administrator:
- Number of Security Incidents, broken down by incident level, that were handled on an annual basis.
- Time spent on each Security Incident. Each SIRT member must track the time spent on each Security Incident and relay this information to the Incident Administrator.
- The lifespan of a Security Incident from the time of discovery through the lessons learned.
- Length of time it took the SIRT to respond to the initial report from the detector.
- Recurring Security Incidents.
- Estimated monetary damages stemming directly from Security Incidents.
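The metrics above are straightforward to derive once the tracking system records a few timestamps per ticket. The script below is an added example, not part of the S-IRP or of the Acme tracking system; the record schema (detected, reported, responded, closed, member_hours, damages_usd, vector, asset) and the sample records are constructed for illustration, and treating “same attack vector on the same asset” as the recurrence key is an assumption. It also checks the 2-hour reporting window from Section 8.6.1, which the metric list does not mention but the same data supports.

```python
"""Section 13.3 minimum metrics computed from tracking-system records (added example).

The records below are constructed for illustration; the field names
(detected, reported, responded, closed, member_hours, damages_usd, vector,
asset) are assumptions, not the schema of the incident intake system.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Section 8.6.1: suspected incidents are to be reported within 2 hours.
REPORTING_SLA_HOURS = 2.0

# Constructed sample records (not real incidents). Timestamps are ISO 8601.
RECORDS = [
    {"id": "INC-1", "level": 6, "vector": "Email", "asset": "mail-gateway",
     "detected": "2018-01-03T08:00", "reported": "2018-01-03T09:30",
     "responded": "2018-01-03T10:00", "closed": "2018-01-20T17:00",
     "member_hours": {"Incident Commander": 12.0, "Incident Coordinator": 30.5},
     "damages_usd": 25000},
    {"id": "INC-2", "level": 5, "vector": "Web", "asset": "customer-portal",
     "detected": "2018-02-10T14:00", "reported": "2018-02-10T18:00",
     "responded": "2018-02-10T18:45", "closed": "2018-02-14T14:00",
     "member_hours": {"Incident Coordinator": 8.0, "IT": 16.0},
     "damages_usd": 4000},
    {"id": "INC-3", "level": 4, "vector": "Email", "asset": "mail-gateway",
     "detected": "2018-03-01T09:00", "reported": "2018-03-01T09:15",
     "responded": "2018-03-01T11:15", "closed": "2018-03-01T12:00",
     "member_hours": {"Incident Administrator": 1.5},
     "damages_usd": 0},
    {"id": "INC-4", "level": 6, "vector": "Loss or Theft of Equipment", "asset": "laptop-fleet",
     "detected": "2017-12-28T16:00", "reported": "2017-12-28T16:30",
     "responded": "2017-12-28T17:00", "closed": "2018-01-05T12:00",
     "member_hours": {"Incident Commander": 6.0, "Legal": 4.0},
     "damages_usd": 1200},
]


def hours_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def incidents_by_level(records, year):
    """Number of incidents per severity level for the given year (by detection date)."""
    counts = Counter(r["level"] for r in records
                     if datetime.fromisoformat(r["detected"]).year == year)
    return dict(sorted(counts.items(), reverse=True))


def sirt_hours(records):
    """Total time SIRT members recorded against each incident."""
    return {r["id"]: sum(r["member_hours"].values()) for r in records}


def lifespan_hours(records):
    """Discovery through closure (lessons learned), per incident."""
    return {r["id"]: hours_between(r["detected"], r["closed"]) for r in records}


def response_hours(records):
    """Time from the detector's initial report to the SIRT's first response."""
    return {r["id"]: hours_between(r["reported"], r["responded"]) for r in records}


def late_reports(records):
    """Incidents where the detector exceeded the 2-hour reporting window."""
    return [r["id"] for r in records
            if hours_between(r["detected"], r["reported"]) > REPORTING_SLA_HOURS]


def recurring_incidents(records):
    """Incidents sharing an attack vector and affected asset (assumed recurrence key)."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["vector"], r["asset"])].append(r["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def total_damages(records):
    return sum(r["damages_usd"] for r in records)


def annual_report(records, year):
    """Assemble the minimum metric set the Incident Administrator must collect."""
    return {
        "incidents_by_level": incidents_by_level(records, year),
        "sirt_hours": sirt_hours(records),
        "mean_lifespan_hours": mean(lifespan_hours(records).values()),
        "mean_response_hours": mean(response_hours(records).values()),
        "late_reports": late_reports(records),
        "recurring": recurring_incidents(records),
        "estimated_damages_usd": total_damages(records),
    }


if __name__ == "__main__":
    for name, value in annual_report(RECORDS, 2018).items():
        print(f"{name}: {value}")
```

Note that the annual count keys off the detection date, so INC-4 (detected in 2017, closed in 2018) is excluded from the 2018 level breakdown but still contributes to lifespan and damages; whichever convention the Incident Administrator adopts should be stated in the report.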

14 Security Incident External Reporting Reporting Security Incidents externally may be required. Every Security Incident needs to be evaluated in this

regard.

14.1 Insurance Reporting The SIRT must consult with Legal Counsel for any “Confirmed Incidents’ with a “Level 6 or 5” severity to

determine whether the matter must be reported to any of the Company’s Insurers.

14.2 Suspicious Activity Reporting The Company’s obligations to file a suspicious activity report (SAR) and/or to notify appropriate law enforcement

authorities are set forth in the Company’s Bank Secrecy Act / Anti-Money Laundering (AML) Internal Compliance

Program. The AML Responder will initially determine (or the Regulatory Compliance Manager as the delegate)

whether a Security Incident triggers the completion of a SAR and bring to the AML Committee for additional

review and/or discussion. The AML Responder will consult with the Legal Responder where applicable and

receive support from the CISO to ensure the appropriate technical data (IP addresses, hash values, registrar

information, etc.) is included in the reporting process.

14.3 Constituent Notification

Certain Security Incidents will require notification to Company Constituents. The SIRT will consult with the Legal Responders to provide factual information regarding Security Incidents. Legal Responders will determine whether any notifications (e.g., privacy or regulatory) are required in accordance with applicable laws and regulations and the manner in which notifications must be made, draft and finalize notification documents, and assist in mailing such documents with the assistance of the Incident Administrator and Communications Responder.

14.4 Payment Card Industry Reporting

A certified QSA may need to be consulted in order to identify specific requirements and steps for reporting suspected and/or confirmed Security Incidents involving cardholder data and/or sensitive authentication data, as they are specific to each payment card brand.


The specifics can be found at the following locations:

| Brand | Additional Information |
| --- | --- |
| Visa | http://usa.visa.com/merchants/protect-your-business/cisp/if-compromised.jsp |
| Visa | http://usa.visa.com/download/merchants/cisp-what-to-do-if-compromised.pdf |
| MasterCard | http://www.mastercard.com/us/merchant/pdf/Account_Data_Compromise_User_Guide.pdf |
| Discover | https://www.discover.com/credit-cards/member-benefits/security-center/keep-secure/understand-fraud.html |
| American Express | https://www209.americanexpress.com/merchant/services/en_US/data-security?intlink=US |

14.5 Credit Monitoring

The SIRT will consult with Legal Responders to determine whether a Security Incident triggers a legal requirement to provide credit monitoring to Company Constituents who are impacted by a Security Incident.

If a Security Incident was triggered by an Advisor’s actions and credit monitoring is required, the CCO may require the Advisor to pay for all credit monitoring services provided to his or her clients. The Legal Responders, with the assistance of the Incident Administrator and Communications Responder, will draft and finalize all notification documents, which may include credit monitoring details. The Incident Administrator is responsible for mailing all notification documents. See the Acme ID Theft Referral Procedures for details.

14.6 Claims for Reimbursements

The SIRT must consult with Legal Counsel to determine whether any of the Company’s Insurers will reimburse the Company for expenses incurred as a result of Security Incidents.

14.6.1 Reimbursement Request by an Affected Constituent

Whenever a Security Incident occurs, an affected Company Constituent may ask the Company to cover expenses (or provide reimbursement) related to the Security Incident. The Company may, by law, rule and/or regulation, be required to reimburse the requesting Constituent. If reimbursement is not required, the Company may choose to reimburse an affected Constituent for all or a portion of the loss suffered as a direct result of the Security Incident. The determination as to whether such voluntary reimbursement will occur will be made by Senior Management, with the advice of Legal Responders.

14.6.2 Company Reimbursement or other Request

The SIRT is required to keep track of all expenses incurred as a result of a Security Incident and provide this information to the Finance Responder and Legal Responders.

The Legal Responders will review all relevant insurance policies and contracts to determine the appropriate method for obtaining reimbursement for expenses and liabilities stemming from Security Incidents. Legal Responders will provide this information to Senior Management to determine the best course of action for seeking these funds.

15 External Information Sharing

The sharing of information and threat intelligence aids the financial community as a whole. Customers’ trust may be lost when Security Incidents occur; sharing information is one of the efforts that must be made to minimize the impact on consumer trust. The CISO or Incident Commander will review all information prior to its being shared.

15.1 InfraGard

InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and the private sector dedicated to sharing information and intelligence to prevent hostile acts against the United States and the 16 critical infrastructure sectors that make up the backbone of the United States (U.S.) economy, security, and health, as identified in Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience.


The FBI has developed Malware Investigator as a resource to which Incident Handlers can submit suspected malware files and, within as little as an hour, receive detailed technical information about what the malware does and what it may be targeting. Malware Investigator is only available through established FBI partnerships such as InfraGard.

15.2 Financial Services Information Sharing and Analysis Center

The Company is a current member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), which is dedicated to providing collaboration on critical security threats facing the global financial services sector and sharing cyber and physical threat intelligence. Coordination with the FS-ISAC is recommended by the U.S. Department of the Treasury, the lead agency for the Financial Services Critical Infrastructure identified in PPD-21.

15.3 Data Sets To Consider For Sharing

The following data sets need to be considered for distribution to those entities listed within this section:

Malicious payloads and hash values

Attacking IP addresses and associated domain names

Command and Control IP addresses and associated domain names

Dropper IP addresses and associated domain names

Threat vector and associated vulnerability exploit


16 SIRT Organizational Structure

The following diagram represents the makeup of the SIRT and the designation of the core SIRT.

Core SIRT (from the diagram): Help Desk / Mailbox; CISO / Deputy ISO; Incident Commander; Anti-money Laundering Responder; Incident Administrator.

Supporting Responders / SME (ONLY involved as needed).


17 Workflow Activity

The following diagram depicts the flow of activities regarding the escalation of an Event.


Steps to Take Now to be Ready if Your Organization is Breached
Thursday, February 22, 2:30 p.m. – 3:30 p.m.

The cyber threats are no longer a question of if, but when, a breach will occur. It is important to have a cybersecurity plan in place so you are ready to act if your organization experiences a data breach. Join panelists as they share effective steps organizations can take to prepare for an attack.

Moderator: Lloyd Glavocich, Principal Examiner, IT ROOR, FINRA Member Regulation, Office of Risk Oversight and Operational Regulation

Panelists: Brian Donadio, Principal and Head of Global Business Continuity Services, Vanguard; Laz Montano, Chief Technology Risk and Security Officer, Voya Financial


Steps to Take Now to be Ready if Your Organization is Breached

Panelist Bios:

Moderator: Lloyd Glavocich has been an IT professional since 1982, with many years spent in the development, management and support of both the Examination Systems and Surveillance Systems Programs in his 20-year tenure with the New York Stock Exchange’s Regulatory Technology division. He is currently a FINRA Principal IT Examiner with a concentration on Cybersecurity, Data Governance and IT Governance. Mr. Glavocich advises the FINRA examination staff in conducting technology related reviews, in addition to performing reviews for his own examinations. Mr. Glavocich has had professional experience in key areas of IT, including application development, systems administration, database administration, project management and technology controls. Mr. Glavocich was responsible for shepherding the NYSE examination process to the laptop platform for distributed scope execution at member firms in 1995. Mr. Glavocich has also worked for Siemens and Cap Gemini as a developer in an early portion of his career.

Panelists: Brian Donadio is Principal and head of Business Continuity Services at Vanguard, where he leads the team of business continuity professionals who have enterprise-wide responsibility for ensuring that Vanguard is prepared, around the globe, to face a wide range of business disruptions. Mr. Donadio previously was Principal and Senior Counsel in the Legal & Compliance Division, where he led the team responsible for litigation and dispute resolution, global privacy and data protection regulation, and various legal risk management matters. In addition to working with Vanguard's U.S. and international retail, institutional, and financial advisor businesses, Mr. Donadio and his team partnered closely with other areas across Vanguard, including information technology, information security, fraud prevention, business continuity, enterprise risk, and enterprise data governance. Mr. Donadio joined Vanguard after serving as a law clerk in the U.S. District Court for the Eastern District of Pennsylvania and working as a litigation associate at Dechert LLP. Mr. Donadio graduated cum laude from the University of Michigan Law School and received his B.A., with honors, from the University of Pennsylvania.

Laz Montano serves as the chief technology risk and security officer for Voya Financial, responsible for providing leadership, management and strategy for all aspects of technology risk and information security. His first and second lines of defense teams manage and align the company to industry best practices. They take a broad, risk-based approach in effectively safeguarding company, employee and customer information across Voya products, channels and lines of business. Mr. Montano joined Voya in June 2014, bringing more than 25 years of information technology and security experience to his role. Before joining Voya, Mr. Montano was the chief information security officer at MetLife, a Fortune 50 financial services company spanning 46 countries with 70,000 employees, serving 90 million customers. He was accountable for the creation and maintenance of security infrastructure, information security policy, risk assessments, incident response, security awareness and training programs. He also serves on the National Technology Security Coalition’s (NTSC) Board of Directors, representing the financial services industry. In this role, he helps influence the strategic direction of the NTSC and joins chief information security officers (CISOs) who represent a broad cross-section of enterprise companies. These CISOs have a vested interest in protecting the security of their customers and employees through policies that improve national cybersecurity standards and awareness. Mr. Montano completed his undergraduate studies at Charter Oak College and the University of Connecticut, and received a Master of Business Administration (MBA) degree from Rensselaer Polytechnic Institute. He is a Certified Information Security Manager (CISM) and holds Certified in the Governance of Enterprise IT (CGEIT) accreditation.


2018 Cybersecurity Conference, February 22 | New York, NY

Steps to Take Now to be Ready if Your Organization is Breached


FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.

Panelists

Moderator: Lloyd Glavocich, Principal Examiner, IT ROOR, FINRA Member Regulation, Office of Risk Oversight and Operational Regulation

Panelists: Brian Donadio, Principal and Head of Global Business Continuity Services, Vanguard; Laz Montano, Chief Technology Risk and Security Officer, Voya Financial


Discussion Agenda

Firm’s Response Team

Assembling Crisis Task Force

Exercising of Playbook Scenarios

Involvement of External Resources

Assessment of Losses

Communications Plan


Firm’s Response Team

Response Team Structure

Incident Response Playbook

Functional Involvement

Business Response

Communications / Media Relations

Technology Tooling and Capabilities

Assigned Personnel


Assembling Crisis Task Force

Clearly identified lines of communication

Clearly identified gold copy of information

Identification of Command Centers (in person / remote)

Technology-to-Business communication

Establishing a Senior Crisis Leader

Crisis Management Coordinator: knows all actors and responsibilities / keeps actors focused


Exercising of Playbook Scenarios

Red Team / Blue Team Exercises

All inclusive to ensure “lockstep” understanding.

Clarity of responsibilities.

Announced and Unannounced Exercises

Importance of Reports and Post Mortems

Learning and Fortifying Playbook


Involvement of External Resources

External Resources may include:

Legal Counsel with Crisis Experience

Consultants and Advisors

Service Providers

Should be included in exercises

Essential that employees know external contributors

Must be able to be mobilized at a moment’s notice


Assessment of Losses

Ascertain a picture of impact, to the extent possible

Include known data and monetary losses

Prepare to communicate all that is known

Issue caveat that the situation is still developing

Establish methods to receive updates: hot lines, websites, media contacts


Communications Plan

Create and socialize crisis communication plan

Establish restrictions for engaging the Media

Communicate to regulators, customers & employees

Avoid the negative interpretation of “no comment”

If caused by criminal act, coordinate with FBI and Law Enforcement to stand shoulder-to-shoulder

Frame the situation to instill confidence in resolution


Plenary Session: Cybersecurity the Current Regulatory Environment: Insight from Regulators and Industry Experts
Thursday, February 22, 3:45 p.m. – 4:45 p.m.

With recent high-profile data breaches, cybersecurity continues to be a frequent hot topic within the financial services industry. During this session, panelists answer your questions related to the cybersecurity regulatory landscape, insider threats and other important issues. You will hear their perspectives on effective practices and helpful tips they have identified.

Moderator: John Brady, Vice President and Chief Information Security Officer, FINRA Technology, Cyber & Information Security

Panelists: Christopher Hetner, Senior Cybersecurity Advisor to the Chairman, U.S. Securities and Exchange Commission (SEC)

Brian Peretti, Esq., Director for the Office of Critical Infrastructure Protection and Compliance Policy, U.S. Department of Treasury

John Zecca, Senior Vice President of MarketWatch, Head of Market Regulation for the U.S. Markets and Chief Regulatory Officer, Nasdaq, Inc.


Cybersecurity the Current Regulatory Environment: Insight from Regulators and Industry Experts

Panelist Bios:

Moderator: John Brady is Vice President in Technology for Cyber and Information Security for FINRA, and is the organization’s Chief Information Security Officer (CISO). In this capacity, he is responsible for all aspects of FINRA’s information and cyber security programs, as well as ensuring compliance with related laws and regulations. He oversees staff focused in four primary information security areas: security architecture and controls, security management tools, application security, and identity management. Mr. Brady, along with counterparts in FINRA’s Data Privacy Office, establishes policy and technical controls to ensure information is appropriately protected throughout its lifecycle. He began his career with FINRA more than 10 years ago as the Director of Networks and Firewalls. He then broadened and deepened his technical knowledge by taking on responsibility for server and storage infrastructure, where he led system engineering efforts to expand capacity and performance of Market Regulation systems in response to data volumes growing more than 40 percent year over year. Mr. Brady recently led the establishment, design, and implementation of FINRA’s new data centers and the seamless migration of more than 175 applications from an outsourcer to those new data centers. Prior to the commencement of his work with FINRA in October 2002, Mr. Brady was Director of Networks at VeriSign from 2000 to 2002 and Network Solutions from 1998 to 2000. From 1995 to 1998, he built and operated Citibank’s Internet Web and email services as Vice President, Internet Services. From 1993 to 1995, Mr. Brady worked for Sun Microsystems as Senior Consultant, where he built integrated network systems for prominent customers. Mr. Brady began his professional career as a member of technical staff at The Aerospace Corporation from 1987 to 1993, designing satellite systems and command and control networks for the Air Force Space Command. Mr. Brady holds a bachelor’s degree in Computer and Electrical Engineering from Purdue University of West Lafayette in Indiana, and a master’s degree in Industrial Engineering and Operations Research from the University of California at Berkeley. He also is an (ISC)2 Certified Information Systems Security Professional (CISSP).

Panelists: Christopher Hetner is Senior Advisor to the Securities and Exchange Commission Chairman on Cybersecurity. In this role he is responsible for leading efforts across the agency to address cybersecurity policy, uplifting the SEC’s internal cybersecurity capabilities, engaging with external stakeholders and further enhancing the SEC’s mechanisms for assessing broad-based market risk. Mr. Hetner is also a leading member of the US Treasury Financial Banking Information Infrastructure Committee, where he provides leadership across a range of cybersecurity programs impacting the financial services sector. Mr. Hetner has more than 25 years of experience in Cybersecurity, Risk Management and Regulatory Compliance. Prior to his current role he led Cybersecurity for the Technology Control Program within the Office of Compliance Inspections and Examinations. He joins the SEC from Ernst and Young (EY), where he led the Wealth and Asset Management Sector Cybersecurity practice. At EY, his team advised and delivered cybersecurity and risk management capabilities across major financial services firms. In addition to leading the practice, Mr. Hetner served as a senior advisor to a wide range of corporate directors and executive management. Prior to joining EY he was the Chief Information Security Officer (CISO) at GE Capital, where he was responsible for building and leading the global Cybersecurity program. He led a global organizational cybersecurity uplift that significantly improved GE Capital’s risk posture. Prior to GE Capital, Mr. Hetner was responsible for leading global information security programs and operations for Citi’s Capital Markets and Investment Banking unit. Mr. Hetner developed capabilities that transformed how Citi integrated information security into business operations while meeting regulatory compliance requirements. Mr. Hetner holds industry-leading certifications including the CISSP (Certified Information Systems Security Professional), NSA INFOSEC Assessment Certification and CISM (Certified Information Security Manager). He earned an M.S. in Information Assurance cum laude from Norwich University and a B.S. in Security Management from John Jay College of Criminal Justice, The City University of New York.

Brian J. Peretti, Esq., is Director for the Office of Critical Infrastructure Protection and Compliance Policy at the United States Department of the Treasury located in Washington, D.C. At the Department of the Treasury, Mr. Peretti supervises the planning, evaluating and implementation of information security, information assurance, and risk management policies related to critical infrastructure protection, cyber security and homeland security. He leads the efforts of the Financial and Banking Information Infrastructure Committee (FBIIC), an interagency organization chartered under the President's Working Group for Financial Markets composed of 18 federal and state financial regulatory agencies. He is the relationship manager to the Departments of Homeland Security, Energy, Transportation, Justice, Defense and the Intelligence Community on Homeland Security issues. He represents the Treasury on various interagency groups, including the Cyber Interagency Planning Committee (Cyber–IPC), the National Cyber Response Coordination Group, and the National CIP R & D draft group. He is the emergency coordinator for the Treasury’s Domestic Finance area, where he leads efforts in the areas of business continuity and disaster recovery. He directs the Treasury’s effort to implement a Research and Development agenda, created in coordination with the financial services sector, to address technology issues. He has lectured extensively and has authored six books on topics related to financial institutions, including, most recently, co-authoring with Barkley Clark and Mark Hargrave Compliance Guide to Payment Systems: Law and Regulations. Prior to joining the Treasury Department, Mr. Peretti was an associate in Shook, Hardy & Bacon’s Corporate Banking and Finance Section in Washington, D.C. Prior to that position, Mr. Peretti was General Counsel for the Wright Patman Congressional Federal Credit Union, which serves the U.S. House of Representatives and associated groups. Mr. Peretti received his bachelor’s degree from Rider University cum laude in 1989 and his law degree from American University, Washington College of Law cum laude in 1992.

John Zecca is Senior Vice President of MarketWatch and Head of Market Regulation of the U.S. Markets operated by Nasdaq, Inc. He is also chief regulatory officer of several national securities exchanges and served as chairman of Nasdaq’s Global Risk Steering Committee until January 2017. In these capacities, he oversees a team of regulatory analysts, programmers and attorneys responsible for maintaining fair and orderly markets and for compliance by Nasdaq’s registered broker dealers. He also oversees regulatory services performed by FINRA for Nasdaq’s markets. Mr. Zecca previously served as Nasdaq’s senior corporate counsel and was responsible for public company compliance and mergers and acquisitions. He is a frequent speaker on market regulation, corporate governance and Sarbanes-Oxley issues. Prior to joining Nasdaq, Mr. Zecca served as legal counsel to an SEC commissioner and in the SEC’s Office of General Counsel. He practiced corporate securities law at the firms of Hogan & Hartson (now Hogan Lovells) and Kaye Scholer. He served as law clerk for Hon. John H. Pratt of the United States District Court for the District of Columbia.


2018 Cybersecurity Conference, February 22 | New York, NY

Plenary Session: Cybersecurity the Current Regulatory Environment: Insight from Regulators and Industry Experts


Panelists

Moderator: John Brady, Vice President and Chief Information Security Officer, FINRA Technology, Cyber & Information Security

Panelists: Christopher Hetner, Senior Cybersecurity Advisor to the Chairman, U.S. Securities and Exchange Commission (SEC)

Brian Peretti, Esq., Director for the Office of Critical Infrastructure Protection and Compliance Policy, U.S. Department of Treasury

John Zecca, Senior Vice President of MarketWatch, Head of Market Regulation for the U.S. Markets and Chief Regulatory Officer, Nasdaq, Inc.