© 2018 Financial Industry Regulatory Authority, Inc. All rights reserved. 1
Welcome Remarks
Thursday, February 22, 9:00 a.m. – 9:15 a.m.
Speaker: Steven Randich, Executive Vice President and Chief Information Officer, FINRA Office of the Chief Information Officer
Speaker Biography: Steven J. Randich, Executive Vice President and Chief Information Officer (CIO), oversees all technology at FINRA. Previously, Mr. Randich served as Co-CIO at Citigroup, and CIO and Global Head of Technology for Citigroup's Institutional Clients Group. Prior to joining Citigroup, he was Executive Vice President of Operations and Technology and CIO at NASDAQ, where he was responsible for all aspects of NASDAQ technology, including applications development and technology infrastructure. From 1996 to 2000, Mr. Randich served as Executive Vice President and CIO for the Chicago Stock Exchange. He was responsible for all technology, trading-floor and back-office operations, and business product planning and development. Prior to joining the Chicago Stock Exchange, Mr. Randich was a Managing Principal at IBM Global Services and a Manager at KPMG. Mr. Randich has an undergraduate degree in computer science from Northern Illinois University and an M.B.A. from the University of Chicago.
2018 Cybersecurity Conference, February 22 | New York, NY
Welcome Remarks
FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.
Speaker
Steven Randich, Executive Vice President and Chief Information Officer, FINRA Office of the Chief Information Officer
Keynote Address With Jeff Lanza
Thursday, February 22, 9:15 a.m. – 9:45 a.m.
Speaker: Jeff Lanza, Retired FBI Agent
Speaker Biography: Jeff was chosen as the best speaker in the 50-year history of Kansas City’s prestigious Plaza Club. He is a professional speaker who has provided over one thousand presentations on the topics of cybercrime, leadership, crisis communication, ethics, identity theft, body language and more. His clients include 20th Century Fox Entertainment, UBS, Merrill Lynch, Morgan Stanley, Nationwide, Citigroup, The Young Presidents Organization, American Century, Hallmark, H & R Block, Hess Oil, Standard and Poor’s, Financial Executives International, U.S. Bank, Wells Fargo and others. He developed and presented a program on identity theft prevention which was used to educate a nationwide audience of Citigroup employees. His program on the topic of leadership integrity has been certified for education credits across the United States. Jeff was the 2017 International Keynote Speaker for a cyber security road show in Australia, during which he spoke to businesses about cyber crime prevention. Jeff was head of operations security for the Kansas City FBI and a graduate of the world-renowned John E. Reid School of Interviewing and Interrogation. He is a certified FBI instructor and has trained numerous government agencies and corporate clients on how to interpret and project body language for more effective interpersonal communication. In addition to his latest book on the topic of cyber security, Jeff authored speeches for FBI executives and has been published in The Kansas City Star, Ingram’s Magazine and on the FBI’s national website. Jeff consulted for Academy Award-winning director Ang Lee during the production of “Ride with the Devil”, and he has provided regular consulting services for television and movie production in Hollywood at Steele Films and Granfalloon Productions.
Jeff was a major contributor and appeared on camera in a recent episode of The History Channel’s “America’s Book of Secrets”. He was featured in the companion documentary to the major theatrical release “Runner Runner”, which stars Ben Affleck and Justin Timberlake. Jeff has been featured in television commercials on the topic of fraud prevention. Jeff was recruited by the FBI from Xerox Corporation, where he was a Computer Systems Analyst. He has an undergraduate degree in Criminal Justice from the University of New Haven (Connecticut) and a master’s degree in business administration from the University of Texas.
Keynote Address With Jeff Lanza
Speaker
Jeff Lanza, Retired FBI Agent
Credit Reporting Bureaus
Equifax: (800) 525-6285; (800) 685-1111 to freeze your credit report
P.O. Box 740241, Atlanta, GA 30374
Experian: (888) 397-3742; (888) 397-3742 to freeze your credit report
P.O. Box 9530, Allen, TX 75013
Trans Union: (800) 680-7289; (888) 909-8872 to freeze your credit report
P.O. Box 2000, Chester, PA 19016
Innovis: (800) 540-2505; (800) 540-2505 to freeze your credit report
P.O. Box 1640, Pittsburgh, PA 15230
You are allowed three free reports each year (one from each of the three major bureaus); to order:
Web: www.annualcreditreport.com or 877-322-8228
Your credit report at Innovis must be ordered from: www.innovis.com/personal/creditReport
To remove your name from lists: Mail - www.dmachoice.org; Phone - www.donotcall.gov
To stop preapproved credit card offers: www.optoutprescreen.com or 1-888-5-OPTOUT (567-8688)
To report Internet fraud: www.ic3.gov
Key Numbers
FBI (202) 324-3000 or your local field office
FTC 1-877-IDTHEFT; IRS 1-800-829-0433
Postal Inspection Service 1-877-876-2455
Social Security Administration 1-800-269-0271
Identity Theft Resource: www.identitytheft.gov
1. Protect Your Personal Information
✓ Don’t carry your social security card.
✓ Don’t provide your social security number to anyone unless there is a legitimate need for it.
✓ Be aware that most Medicare cards use the social security number as the Medicare number. Take steps to protect your card.
2. Protect Your Documents
✓ Shred your sensitive trash with a cross-cut or micro-cut shredder.
✓ Don’t leave outgoing mail with personal information in your mailbox for pickup.
3. Be Vigilant Against Tricks
✓ Never provide personal information to anyone in response to an unsolicited request.
✓ Never reply to unsolicited emails from unknown senders or open their attachments.
✓ Don’t click on links in emails from unknown senders.
4. Protect Your Communications
✓ Keep your computer and security software updated.
✓ Don’t conduct sensitive transactions on a computer that is not under your control.
✓ Protect your Wi-Fi with a strong password and WPA2 encryption.
5. Protect Your Digital World
✓ Use strong passwords with at least eight characters, but the longer the stronger. Try random words strung together or phrases.
✓ Use different passwords for your various accounts.
✓ If you store passwords in a file on your computer, encrypt the file when you save it and assign a strong password to protect that file. This sounds obvious, but don’t name the file “passwords”.
✓ Consider using password management programs.
Speaker Information: Jeff Lanza Phone: 816-853-3929
Email:[email protected]
Web Site: www.thelanzagroup.com
Terms to Understand:
1. Fraud Alert: Your credit file at all three credit reporting agencies is flagged and a potential lender should take steps to verify that you have authorized the request.
Inside Scoop: Fraud alerts only work if the merchant pays attention and takes steps to verify the identity of the applicant. They expire in 90 days unless you have been a victim of identity theft, in which case you can file an extended alert - it lasts for seven years.
2. Credit Monitoring: Your credit files are monitored by a third party - if activity occurs you are notified.
Inside Scoop: Credit monitoring does not prevent fraud, it only notifies you when your credit reports have been accessed, which is an indication that fraud may have occurred.
3. Credit Freeze: A total lockdown of new account activity in your name. This requires unfreezing before you can open an account.
Inside Scoop: A proven way to protect against identity theft. Credit freeze laws vary by state. To check yours, go to your state Attorney General’s website and search for “credit report freeze”.
Preventing Identity Theft 2018
Presented by Retired FBI Special Agent Jeff Lanza
Identity Theft for Tax Related Purposes
If you are the victim of identity theft, or at risk because
your information has been breached, go to this site:
https://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft
Social Networking Security Reminders
1. Log in directly, not through links.
2. Only connect to people you know and trust.
3. Don't put your email address, physical address, phone number or other personal information in your profile.
4. Sign out of your account after you use a public computer.
Problem: Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts. Often these funds may not be recovered. Where cyber criminals once attacked mostly large corporations, they have now begun to target municipalities, smaller businesses, and non-profit organizations. Thousands of businesses, small and large, have reportedly fallen victim to this type of fraud.
How it is Done: Cyber criminals will often “phish” for victims using mass emails, pop-up messages that appear on their computers, and/or social networking and internet career sites. For example, cyber criminals often send employees unsolicited emails that:
✓ Ask for personal or account information;
✓ Direct the employee to click on a malicious link provided in the email; and/or
✓ Contain attachments that are infected with malware.
Cyber criminals use various methods to trick employees into opening the attachment or clicking on the link, sometimes making the email appear to provide information regarding current events such as natural disasters, major sporting events, and celebrity news to entice people to open emails and click. Criminals also may disguise the email to look as though it’s from a legitimate business. Often, these criminals will employ some type of scare tactic to entice the employee to open the email and/or provide account information. For example, cyber criminals have sent emails claiming to be from:
1. UPS (e.g., “There has been a problem with your shipment.”)
2. Financial institutions (e.g., “There is a problem with your banking account.”)
3. Better Business Bureaus (e.g., “A complaint has been filed against you.”)
4. Court systems (e.g., “You have been served a subpoena.”)
Crooks may also use email addresses or other credentials stolen from company websites or from victims such as relatives, co-workers, friends, or executives, and design an email to look like it is from a trusted source to entice people to open emails and click on links.
They may also use variations of email domains that closely resemble the company’s domain (a changed letter, a swapped pair of letters, or a different ending such as .co instead of .com), which may go unnoticed by the recipient who is being requested to make the transfer.
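The last paragraph above describes look-alike domains. Below is an added example, written for this page rather than taken from the handout, of the check a mail gateway or a finance team's inbox rule could run on a sender's domain before anyone acts on a payment request: it treats the company's own domain and its subdomains as internal, and flags a sender whose domain carries the company name under a different suffix, differs only by look-alike characters (a digit 1 for a letter l, "rn" for "m", Cyrillic letters for Latin ones, including when they arrive punycode-encoded), is within two edits of the company name, or embeds the company name in a longer domain. The company domain examplefirm.com, the sample addresses, and the rule that the registrable domain is the last two DNS labels are assumptions, not taken from the page.

```python
"""Flag sender domains that imitate the company's own domain.

Added example for this page, not from the handout. The company domain
examplefirm.com is hypothetical, and the registrable domain is taken to be
the last two DNS labels, which holds for .com/.net but not for public
suffixes such as .co.uk (a production filter would use the Public Suffix
List). Uses only the Python standard library.
"""
import unicodedata

COMPANY_DOMAIN = "examplefirm.com"  # hypothetical company domain

# Substitutions fraudsters use because the characters look alike in common
# fonts. Multi-character entries come first so "rn" is folded to "m" before
# any single-character rule runs.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),
    ("\u0441", "c"), ("\u0455", "s"), ("\u0456", "i"), ("\u0131", "i"),
]


def skeleton(label: str) -> str:
    """Fold a label to the shape a reader perceives: compatibility-normalise,
    case-fold, then replace known look-alike characters."""
    s = unicodedata.normalize("NFKC", label).casefold()
    for lookalike, plain in HOMOGLYPHS:
        s = s.replace(lookalike, plain)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> tuple:
    """'mail.examplefirm.com' -> ('examplefirm', 'com') (two-label assumption)."""
    labels = domain.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased, trailing dot removed, with
    punycode (xn--) labels decoded so Unicode look-alikes become visible."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed label: keep the raw form and let later checks run
    return domain


def classify_sender(address: str, company_domain: str = COMPANY_DOMAIN) -> tuple:
    """Return (verdict, reason); verdict is 'internal', 'lookalike' or
    'external'. Checks run from the strongest signal to the weakest."""
    domain = sender_domain(address)
    company = company_domain.lower()
    if domain == company or domain.endswith("." + company):
        return "internal", "company domain"
    label, suffix = registrable(domain)
    company_label, _ = registrable(company)
    if label == company_label:
        return "lookalike", "company name under a different suffix ." + suffix
    folded, company_folded = skeleton(label), skeleton(company_label)
    if folded == company_folded:
        return "lookalike", "look-alike characters in company name"
    if edit_distance(folded, company_folded) <= 2:
        return "lookalike", "within two edits of company name"
    if company_folded in folded:
        return "lookalike", "company name embedded in a longer domain"
    return "external", "unrelated domain"


if __name__ == "__main__":
    # Constructed sample senders for the demo, not real addresses.
    for addr in ["ceo@examplefirm.com", "alerts@mail.examplefirm.com",
                 "ceo@examp1efirm.com", "ceo@exarnplefirm.com",
                 "ceo@examplefirm.co", "ceo@examplefrim.com",
                 "ceo@examplefirm-secure.com", "ceo@\u0435xamplefirm.com",
                 "vendor@partnerbank.com"]:
        verdict, why = classify_sender(addr)
        print(f"{addr:32} {verdict:9} {why}")
```

The two-edit threshold suits company names of roughly ten or more characters; for a short name lower it to one or the filter will flag many unrelated domains. A "lookalike" verdict should route the message for a phone call to a known number, not simply be deleted, since a genuine counterparty can also own a similar name.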
What You Can Do to Keep Safe - Education
Educate everyone on this type of fraud scheme:
• Don’t respond to or open attachments or click on links in unsolicited e-mails. If a message appears to be from your financial institution and requests account information, do not use any of the links provided.
• Be wary of pop-up messages claiming your machine is infected and offering software to scan and fix the problem, as it could actually be malicious software that allows the fraudster to remotely access and control your computer.
Cyber Fraud: Preventing Account Takeovers
Presented by Retired FBI Special Agent Jeff Lanza
Preventing Wire Transfer/ACH Fraud
1. Conduct online banking and payments activity from one dedicated computer that is not used for other online activity (no email or general web browsing).
2. Use all bank-provided wire transfer controls.
3. Require two persons to consummate all wire transfers to external parties.
4. Require the bank to talk to someone at your organization before the wire transfer is consummated, calling back a number already on file rather than one supplied in the request.
5. Restrict the bank accounts from which a wire transfer can be made.
6. Any wire transactions over a set high dollar amount must have the approval of the business owner/CEO.
7. Use unique passwords and a bank-supplied token to access wire-transfer software.
8. Review bank account activity daily.
9. Require sufficient documentation and have a second person review all wire transfer journal entries.
10. Establish positive pay and ACH debit blocks or filters. These stop ACH debits you have not pre-approved from posting, although they do not catch a fraudulent transfer that an authorized user is tricked into approving.
Source: FBI
Businesses May Absorb Losses!
The Uniform Commercial Code does not require banks to refund money lost by fraudulent transfer. Under UCC Article 4A, the business generally bears the loss on a commercial account if the bank processed the transfer under a commercially reasonable security procedure, and the consumer protections of Regulation E do not apply to business accounts.
Five Common Scams That Target Businesses of All Sizes
1. Phishing E-mails – Phishing e-mails specifically target business owners with the goal of hacking into their computer or network. Common examples include e-mails pretending to be from the IRS claiming the company is being audited or phony e-mails from the Better Business Bureau, saying the company has received a complaint. If you receive a suspicious e-mail like this, don’t click on any links or open any attachments.
2. Data Breaches – No matter how vigilant your company is, a data breach can still happen. Whether it’s the result of hackers, negligence or a disgruntled employee, a data breach can have a severe impact on the level of trust customers have in your business. Educate employees on the importance of protecting information and practice the “need to know” policy internally.
3. Directory Scams – Commonly the scammer will call the business claiming they want to update the company’s entry in an online directory, or the scammer might lie about being with the Yellow Pages. The business is later billed hundreds of dollars for listing services they didn’t agree to.
4. Overpayment Scams – If a customer overpays using a check or credit card and then asks you to wire the extra money back to them or to a third party, don’t do it. This is a very popular method to commit fraud. Wait until the original payment clears and then offer the customer a refund by check or credit.
5. Phony Invoices – The United States Postal Service suspects that the dollar amount paid out to scammers as a result of phony invoices may be in the billions annually, mostly from small and medium sized businesses. Scrutinize invoices carefully and conduct regular audits of accounts payable transactions.
Cyber Security and Fraud Prevention for Organizations
Presented by FBI Special Agent Jeff Lanza (Retired)
Preventing Check Fraud
• Use Positive Pay, the annual cost of which is far below the cost of one average check fraud case.
• Use secure checks, which include many features to prevent different types of check fraud.
• Securely store check stock, deposit slips, bank statements and cancelled checks.
• Implement a secure financial document destruction process using a high security shredder.
• Establish a secure employee order policy for check stock.
• Purchase check stock from established vendors.
• Regularly review online images of cancelled checks.
Preventing Embezzlement
Things You Should Do:
1. Separate duties and powers with regard to payments and account reconciliation.
2. Establish a tips hotline that offers anonymity and the possibility of a reward.
3. Conduct surprise audits, as employees may be able to cover up some fraud in advance of a scheduled audit.
4. Never completely trust anyone – many large fraud cases have been undertaken by “a most trusted employee”.
Watch Out When an Employee:
1. Doesn’t want to take a day off.
2. Makes expensive purchases including luxury items, cars, boats, exotic vacations and second homes.
3. Has high personal debt, high medical bills, poor credit, personal financial loss or addictions.
A pre-employment background investigation should include checks and verifications in the following areas:
▪ Employment history; education;
▪ Professional accreditation;
▪ Military record;
▪ Credit history; motor vehicle record;
▪ Arrests; workplace violence or threatening behavior.
To Promote an Ethical Workplace
• Demonstrate top management commitment.
• Communicate expectations on a regular basis.
• Maintain focus on vision and mission.
• Monitor conduct – trust but verify.
• Maintain whistleblower channels and policies.
• Respond quickly to misconduct.
• Reward acts of integrity.
Red Flags That May Signal Integrity Issues
Cynicism; alienation from coworkers; poor or inconsistent work performance; resentment of management; behavioral changes or work habit changes; employee sense of entitlement.
Current Threats
Fake Notification E-mails
Watch out for fake emails that look like they came from Facebook. These typically include links to phony pages that attempt to steal your login information or prompt you to download malware. Never click on links in suspicious emails. Log in to a site directly.
Suspicious Posts and Messages
Wall posts or messages that appear to come from a friend asking you to click on a link to check out a new photo or video that doesn't actually exist. The link is typically for a phony login page or a site that will put a virus on your computer to steal your passwords.
Money Transfer Scams
Messages that appear to come from friends or others claiming to be stranded and asking for money. These messages are typically from scammers. Ask them a question that only they would be able to answer. Or contact the person by phone to verify the situation, even if they say not to call them.
Specific Actions to Avoid
1. Don’t click on a message that seems weird. If it seems unusual for a friend to post a link, that friend’s account may have been hijacked.
2. Don’t enter your password through a link. Just because a page on the Internet looks like Facebook, it doesn't mean it is. It is best to go to the Facebook login page through your browser.
3. Don't use the same password on Facebook that you use in other places on the web. If you do this, phishers or hackers who gain access to one of your accounts may be able to access your other accounts as well, including your bank.
4. Don't click on links or open attachments in suspicious emails. Fake emails can be very convincing, and hackers can spoof the "From:" address so the email looks like it's from a social site. If the e-mail looks weird, don't trust it. Delete it.
5. Don’t send money anywhere unless you have verified the story of someone who says they are your friend or relative.
Never go to a login page through a link in an email or a pop-up. Always go to the login page directly by typing the site name or, preferably, through a stored bookmark that you created.
General Online Safety Rules
Be wary of strangers - The internet makes it easy for people to misrepresent their identities and motives. If you interact with strangers, be cautious about the amount of information you reveal.
Be skeptical - People may post false or misleading information about various topics, including their own. Try to verify the authenticity of any information before taking any action.
Evaluate your settings - Use privacy settings. The default settings for some sites may allow anyone to see your profile. Even private information could be exposed, so don't post anything that you wouldn't want the public to see.
Protecting Your Family in the Information Age (2018)
Presented by Retired FBI Special Agent Jeff Lanza
Two Factor Authentication
Requires you to provide a password and a one-time code (most often sent to your phone by text message, or generated by an authenticator app) to log in to online accounts. Use this to prevent hijacking of your accounts. In most cases you can set this up in the “settings” section of your account. Where the site offers it, prefer an authenticator app or a hardware security key over text-message codes, since a text message can be redirected by an attacker who persuades your carrier to move your number to a new SIM.
Popular Programs: Malware Removal: Malwarebytes.
Password Management: Keeper, LastPass, Dashlane.
Ransomware (e.g., CryptoWall)
This fraud scheme begins when the victim clicks on an infected advertisement, e-mail, or attachment, or visits an infected website. Once infected with the ransomware, the victim’s files become encrypted. The criminals promise a decryption key once the victim pays a ransom fee, but payment does not guarantee that the files come back, and the FBI advises against paying. Here are three ways to stay protected:
Educate computer users about clicking on suspicious links or popups. Sometimes these come in the form of a package delivery notification from major brand names like Amazon, FedEx or UPS.
Enable popup blockers. Popups are regularly used by criminals to spread malicious software.
Always back up the content on your computer. If you are infected by ransomware, you can have your system wiped clean and then restore your files from your backup. Also, because ransomware encrypts every drive it can reach, including attached backup drives and mapped network shares, disconnect the backup drive when not in use or use cloud backup, and periodically test that you can actually restore from it.
Password Management
Try to use different strong passwords for all your accounts. At a minimum, have different passwords for multiple email accounts, social networking, financial and employer sites.
General Rules for Computer Security:
• If you were not looking for it, then don’t download it.
• Keep your software current with the latest updates.
• Don’t click on links in emails from unknown senders.
• Be cautious when clicking on links in emails from known senders as their account may have been hijacked.
• Keep your PC protected with Windows Defender or antivirus software from a third party.
• Use Ctrl+Alt+Del (then Task Manager) to close a browser showing a popup safely in Windows, rather than clicking anything inside the popup.
• Use Cmd+Option+Esc (Force Quit) to close it on a Mac.
Chief Compliance Officer’s (CCO’s) Role in Cybersecurity
Thursday, February 22, 10:00 a.m. – 11:00 a.m.
Increased use of technologies such as mobile devices, social media and cloud computing has increased the risk posed by cyber criminals. As a result, in addition to other compliance matters, the CCO is now also responsible for assisting—and protecting—company information technology (IT) systems. During this session, panelists discuss the role CCOs can play in a firm’s cybersecurity program.
Moderator: Steven Polansky, Senior Director, FINRA Office of Reg Ops Shared Services
Panelists: Jose Dominguez, Chief Information Security Officer, TD Ameritrade, Inc.; Ann Grady, Chief Compliance Officer, Tastyworks, Inc.; Ann McCague, Managing Director and Global Head of Compliance, Piper Jaffray & Co.; Kyle Wootten, Chief Compliance Officer of Operations, Finance and Technology, Raymond James Financial
Panelist Bios:
Moderator: Steven Polansky is Senior Director in FINRA's Office of Shared Services. In this capacity, Mr. Polansky leads special national initiatives (including FINRA’s digital investment advice and earlier cybersecurity and conflicts of interest reviews) and special projects. In addition, he leads development of FINRA’s annual regulatory and examination priorities. Previously, Mr. Polansky worked in FINRA's International Department, where he was responsible for analyzing international regulatory developments and leading FINRA's relationships with select financial regulators in Europe and Asia as well as international financial institutions. In addition, Mr. Polansky led advisory projects in a number of jurisdictions related to, among other things, risk-based supervision, prudential oversight and market surveillance. Prior to joining FINRA, he was a management consultant with PricewaterhouseCoopers, and he served for seven years as a professional staff member on the Committee on Foreign Relations in the United States Senate. At the Committee, Mr. Polansky was responsible for advising the Chairman on funding for the Department of State and other foreign policy agencies, missile non-proliferation and international environmental issues. Mr. Polansky received his master of business administration in finance from The Wharton School at the University of Pennsylvania, his master of public administration from the Kennedy School of Government at Harvard University, and his bachelor’s degree in history from Colgate University.
Panelists: Jose Dominguez is Chief Information Security Officer at TD Ameritrade. He joined TD Ameritrade Holding Corporation (Nasdaq: AMTD) in 1997. He has been responsible for the development, maintenance and implementation of the enterprise security program and policies since 2013. Prior to his CISO role, Mr. Dominguez held various management positions within technology, leading Infrastructure and Application Development teams. Prior to joining TD Ameritrade, Mr. Dominguez spent 10 years with the brokerage firm Gruntal & Co. in various application development roles supporting front- and back-office functions. He currently sits on the SIFMA Board Subcommittee on Cybersecurity and is a member of the NJ CISO Summit Governing Body.
Ann C. McCague has served as Managing Director and Global Head of Compliance for Piper Jaffray Companies since 2005, where she is responsible for regulatory compliance at all group affiliates, including Piper Jaffray & Co., the U.S. broker/dealer and primary operating entity, two foreign broker/dealers and five separate registered investment advisors. Ms. McCague’s career path covers 35 years in the industry, including CCO positions at Dain Rauscher and Think Equity Partners, as well as prior senior compliance positions at national firms. Given her broad scope of knowledge and as a seasoned expert, she is a frequent conference panelist. Ms. McCague is or has been a member of numerous FINRA and SIFMA committees. Ms. McCague is a graduate of Augsburg College in Minneapolis, MN, where she earned a master’s degree in Leadership and an undergraduate degree in English, with a Communications minor.
Kyle Wootten is the Chief Compliance Officer of Operations, Finance and Technology for Raymond James Financial and a member of the RJF Compliance Executive Leadership Team. In this role, Mr. Wootten is responsible for providing strategic direction and management of the compliance framework for various areas that cross multiple functions and entities affiliated with RJF. Specifically, this includes the compliance advice, oversight and testing of the Operations areas of the clearing firm, Raymond James & Associates, which includes oversight of RJA’s clearing and custodial businesses for unaffiliated introducing firms and registered investment advisers; the Financial, Regulatory Reporting and Treasury functions of the affiliated broker-dealers of RJF; and Information Technology, which includes management of the RJF Informational Governance Program. Mr. Wootten is a member of the 17a-5 Steering Committee, the Enterprise Information Technology Risk Board, the Stock Loan Committee for RJA and the Operational Risk Board. Prior to joining RJF, Mr. Wootten was the Deputy Director of Regulatory and Compliance for Thomson Reuters, where he supported the assessment and development of regulatory solutions for the BETA Systems, and worked closely with end-clients on a myriad of regulatory matters, primarily focused on the street-side settlement functions. For nearly 14 years prior to that, he served in various compliance and business roles at Wells Fargo Advisors, including the predecessor firms of Wachovia Securities and A.G. Edwards. During that time, Mr. Wootten held roles providing legal and compliance support to Capital Markets, Trading, and Operations, Technology and Finance. Additionally, he managed the Regulatory Change Management function, and was a member of the leadership team of the Wells Fargo Regulatory Reform Program managing the compliance and business analyst resources responsible for implementation of major regulatory initiatives at the firm. Mr. Wootten has an undergraduate degree in Economics and a law degree from Saint Louis University.
Chief Compliance Officer’s (CCO’s) Role in Cybersecurity
Moderator
Steven Polansky, Senior Director, FINRA Office of Regulatory Operations / Shared Services
Panelists
Jose Dominguez, Chief Information Security Officer, TD Ameritrade, Inc.
Ann Grady, Chief Compliance Officer, Tastyworks, Inc.
Ann McCague, Managing Director and Global Head of Compliance, Piper Jaffray & Co.
Kyle Wootten, Chief Compliance Officer of Operations, Finance and Technology, Raymond James Financial
To Access Polling
Under the “Schedule” icon on the home screen, select the day, choose the Chief Compliance Officer’s (CCO’s) Role in Cybersecurity session, and click on the polling icon.
Polling Question 1
1. Does your firm have a CISO?
a. Yes
b. No
Polling Question 2
2. Does your firm have a formal technology risk governance structure (i.e., steering committee) to which important cybersecurity matters are escalated?
a. Yes
b. No
Polling Question 3
3. Are you directly involved in responding to FINRA or SEC cybersecurity-related examinations?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No
Polling Question 4
4. Does your firm have a cybersecurity incident response plan?
a. Yes
b. No
Polling Question 5
5. Does your firm conduct table top exercises to test that plan?
a. Yes
b. No
Polling Question 6
6. Are you directly involved in developing or implementing your firm’s response plan?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No
Response to Cybersecurity Threats – Where is the CCO?
Members should create an incident response plan. The plan should:
• identify all team members;
• address and inventory different types of threats;
• include a methodology for restoring compromised systems and/or data;
• include escalation procedures; and
• include a methodology for communicating to clients, counterparties, regulators and law enforcement.
Polling Question 7
7. Does your firm’s training include a specific focus on staff cybersecurity responsibilities?
a. Yes
b. No
Polling Question 8
8. Does your firm use internally developed phishing or other tools designed to assess the efficacy of training?
a. Yes
b. No
Polling Question 9
9. Are you directly involved in the development or delivery of your firm’s cybersecurity training?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No
Polling Question 10
10. Are you directly involved in the cybersecurity aspects of your firm’s vendor management program?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No
FINRA Cybersecurity Conference: Highlights for Compliance Officers
February 22, 2018

FINRA’s Cybersecurity Risk Reviews – Where Does the CCO Role Lie in These Areas?
Cybersecurity governance and risk management
Cybersecurity risk assessments
Technology governance
System change management
Technical controls
Incident response planning
Vendor management
Data loss prevention
Staff training
Cyber intelligence and information sharing
Ann M. Grady, Feb. 22, 2018
CCO Role When a Cyber-Related Data Breach Occurs
• Who informs the CCO?
• Is the CCO part of the response team?
• Who decides whether regulators must be informed?
• Who decides which states or other authorities, customers, etc. need to be informed?

CCO or CISO? Staff Training Design
Firms should provide cybersecurity training that is tailored to staff needs and that helps staff understand the importance of the role they play in protecting the firm, its clients and its data. Effective practices include:
defining cybersecurity training needs and requirements;
identifying appropriate cybersecurity training update cycles;
delivering interactive training with audience participation to increase retention; and
developing training around information from the firm’s loss incidents, risk assessment process and threat intelligence gathering.
CCO or CISO? Staff Training
Firms should provide cybersecurity training that is tailored to staff needs.
Effective practices for cybersecurity training include:
Recognizing risks
Social engineering schemes and phishing
Handling confidential information
Password protection
Escalation policies
Physical security
Mobile security
Response to Cybersecurity Threats – Where is the CCO?
Members should create an incident response plan. The plan should:
identify all team members;
address and inventory different types of threats;
include a methodology for restoring compromised systems and/or data;
include escalation procedures; and
include a methodology for communicating to clients, counter-parties, regulators and law enforcement.
Vendor Due Diligence – Where is the CCO Role?
It is important for firms to establish appropriate contractual language to govern vendor relationships. The provisions of the contract will govern the vendor’s obligations to the firm, as well as identify the firm’s prerogatives in relation to the vendor. The stringency of these clauses should be risk-based, with riskier vendor relationships requiring stronger language. This includes:
the manner in which the firm can conduct its ongoing oversight of the vendor;
the conditions for terminating the relationship; and
the vendor’s obligations to protect firm information in the event the relationship terminates.
CCO Panel, Feb. 22, 2018
Effective Practices for Insider Threats and Third-Party Risk Management
Thursday, February 22, 10:00 a.m. – 11:00 a.m.

Financial institutions are subject to threats on multiple fronts. Two threats of significant and growing concern to our industry include insiders, such as employees, and third parties, such as vendors. We necessarily rely on and trust both insiders and third parties; however, we must exert appropriate oversight if we are to prevent that trust from being violated by either malicious actors, or careless actions or inactions. During this session, panelists discuss case studies and share effective practices firms can use to manage and mitigate these risks, and develop and improve both their insider risk and third-party risk management programs.

Moderator: David Yacono, Senior Director, FINRA Technology, Cyber & Information Security
Panelists: Brice Cook, Director, Insider Risk Program, FINRA Technology, Cyber & Information Security; Kishen Sridharan, Cybersecurity Partnership and Outreach Executive, Raymond James Financial; Homayun Yaqub, Executive Director, JPMorgan Chase & Co.
Panelist Bios

Moderator: David Yacono is Senior Director of Cyber & Information Security at FINRA. His current responsibilities include FINRA’s software security program, which provides security assurance services to a portfolio of more than 100 internally developed systems, as well as FINRA’s third-party risk management program, which evaluates, monitors, and manages the cybersecurity risk posed by FINRA’s vendors, cloud providers, and other third-party relationships. Mr. Yacono is also responsible for FINRA’s IT Security Risk Management and Compliance programs, which ensure compliance with IT security standards including FISMA, PCI-DSS, and FBI-CJIS. Since joining FINRA in 1999 he has served in various roles responsible for ensuring the secure and reliable operation of FINRA’s information technology systems, including security architect and security engineer. Mr. Yacono specializes in the application of information security processes, methodologies, and tools to protect the confidentiality, integrity, and availability of information and information processing systems, with special emphasis on financial services; he has nearly 25 years of experience in cybersecurity. Mr. Yacono earned a Bachelor of Science in Electrical Engineering from the University of Maryland, and holds current certifications as a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP), and a Certified Third Party Risk Management Professional (CTPRP).

Panelists: Brice Cook is FINRA’s first Director for Insider Risk, formally establishing the program after joining FINRA in early 2017. In this role, he leads a collaborative company-wide effort to develop, implement, and execute the technical and non-technical processes needed to create a holistic system to manage insider risks. Before Mr. Cook came to FINRA, he retired as a Supervisory Criminal Investigator after 29 years of Federal Government service protecting some of the Nation’s most critical assets. The last 22 years of his Federal Government tenure were at the Department of Energy, serving as a Director in the Office of Corporate Security and leading efforts in Insider Threat, Special Access Programs, Human Reliability Programs, Investigations, Threat Management, and Executive Protection. Mr. Cook’s accomplishments include: establishing the DOE’s first formal Insider Threat Program; founding the Protective Services Working Group, a group of over 50 Federal organizations protecting the nation’s leadership, of which he also served as Chair; serving as a Chair in the Defense Department’s Combating Terrorism Technical Support Office, which provided expertise and oversight in the research and development of personnel protection technologies; serving as a board member of the FBI Joint Terrorism Task Force Executive Board and the DHS Advisory Board for Law Enforcement Officers Flying Armed; and developing policy and guidance for the Federal Government on security professional development and continuity programs. Mr. Cook is a graduate of the 244th session of the FBI National Academy, the Federal Law Enforcement Training Center, and the Federal Executive Institute. Mr. Cook has a Master’s in Public Administration from American University and a Bachelor’s degree from Washington State University. He also holds professional certificates as a Certified Information Systems Security Professional (CISSP) and in Insider Threat Program Management (ITPM). Mr. Cook has even worked on the FOX Television show America’s Most Wanted, where he supported investigations that led to the arrest of over 150 wanted persons.

Kishen Sridharan is the Cybersecurity Partnership & Outreach Executive, reporting to the Chief Information Security Officer of Raymond James. In this strategic role, he focuses on strengthening and growing Raymond James’ network of relationships with outside organizations like industry associations (e.g., FS-ISAC and SIFMA), peers, government/law enforcement entities, universities, potential new strategic suppliers, and the community. He determines the level of engagement, assesses ROI to Raymond James, and makes sure Raymond James is a valuable contributing partner in return. In prior roles at Raymond James, Mr. Sridharan helped establish a Product Management mindset, framework, and governance structure to deliver highly valuable business outcomes, particularly those which support the Strategic Roadmap. This is the stepping stone to formally converting the InfraSec organization to an “as a Service” model. Before that, he stood up a Project Management Office within InfraSec. Mr. Sridharan has almost 16 years of experience in various facets of technology, project implementation and business process improvement. His experience ranges from compliance, risk management and information assurance to strategic information security consulting. He earned his Bachelor of Science from the Pennsylvania State University in Management Science, Information Systems and International Business and an MBA from the University of Maryland. He is a certified Project Management Professional (PMP) and a Scrum Master (CSM).

Homayun Yaqub is Executive Director in JPMorgan Chase and Company’s Global Security and Investigations team, managing the firm’s Insider Threat program. Prior to joining JPMorgan Chase in 2015, Mr. Yaqub served in the U.S. Intelligence Community and Department of Defense with more than 20 years of experience leading sensitive intelligence activities and related programs worldwide. Mr. Yaqub was also a founding member of The MASY Group, a Washington D.C. based security, intelligence, and risk consulting firm supporting both public and private sector clients. He began his career as a U.S. Army officer serving in various roles throughout the United States, the Middle East, South Asia, and Europe. Mr. Yaqub holds a Master’s in Conflict Analysis and Resolution from George Mason University and a Bachelor’s in International Business from James Madison University.
2018 Cybersecurity Conference, February 22 | New York, NY
Effective Practices for Insider Threats and Third-Party Risk Management

Moderator
David Yacono, Senior Director, FINRA Technology, Cyber & Information Security
Panelists
Brice Cook, Director, Insider Risk Program, FINRA Technology, Cyber & Information Security
Kishen Sridharan, Cybersecurity Partnership and Outreach Executive, Raymond James Financial
Homayun Yaqub, Executive Director, JPMorgan Chase & Co.
To Access Polling
Under the “Schedule” icon on the home screen, select the day, choose the Effective Practices for Insider Threats and Third-Party Risk Management session, and click on the polling icon.
Polling Question 1 – Firm Size

1. My firm staff size is:
a. More than 1000
b. 251 to 1000
c. 51 to 250
d. 11 to 50
e. 10 or fewer
Polling Question 2 – Characterizing Insider and Third-party Risk

2. For my firm, Insider Risk is:
a. A substantial concern
b. A moderate concern
c. A minor concern
d. A negligible concern (e.g., due to extremely small firm size.)
e. Not sure
Polling Question 3 – Characterizing Insider and Third-party Risk

3. For my firm, Third-party Risk is:
a. A substantial concern. The security of my third parties significantly affects my ability to protect my systems/data/processes.
b. A moderate concern
c. A minor concern. There’s no obvious way that a security deficiency of one of my third parties could significantly harm me.
d. Not a concern. I have no dependencies on third parties.
e. Not sure
Characterizing Insider and Third-Party Risks
Importance of insider and third-party risk
Significance relative to other risk sources
Trends in emphasis? Drivers?
Identifying Threat Agents and Risk Factors
Insider Risk
Who are the insider threats?
Risk factors to consider?
Strategies for focusing, prioritizing.
Third-party Risk
What are the third-party threats?
Risk factors to consider?
Strategies for focusing, prioritizing.
Polling Question 4 – Insider Risk Management

4. My firm’s Insider Risk Program is:
a. Mature. Robust strategy with well-defined processes. Advanced controls including Predictive Analysis, Behavioral Analytics.
b. Established. A defined insider risk strategy backed by processes and tools that enable enterprise-wide information aggregation and correlation (e.g., SIEM.)
c. Nascent. Basic controls in use, but no overarching strategy.
d. Nonexistent. Needed, but not yet established.
e. None needed. We don’t see the need for an insider risk program.
Insider Risk Management Methodology

Insider Risk Kill Chain (in order):
Recruitment/Tipping Point
Search and Recon
Exploitation
Acquisition
Exfiltration

Lifecycle: Vetting, Monitoring, Adjudicating, Detection, Analysis
High-risk employees, assets, operations
Control Techniques:
Basic: SOD, POLP, training, others?
Better: Log aggregation, SIEM, others?
Best: UEBA, leveraging data/analytics, others?
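As an added example (not from the slides, FINRA, or any panelist's tooling), the Python script below sketches what the "Better" and "Best" control tiers on this slide look like in code: access events from several sources are aggregated per user, a per-user download baseline is built from earlier days, and the most recent day is mapped onto three kill-chain stages (Search and Recon, Acquisition, Exfiltration). A user who hits all three in one day is escalated; a single noisy stage is only watched. The log format, user names, stage labels, the "5× median" threshold and the three-search recon threshold are assumptions constructed for illustration.

```python
"""Insider-risk kill-chain detection over aggregated access logs.

Added illustration, not FINRA's or any panelist's tooling.  It shows the
"Better"/"Best" control tiers from the slide (log aggregation plus a
behavioural baseline) mapped onto three kill-chain stages: Search and Recon,
Acquisition and Exfiltration.  Log format, user names and thresholds are
constructed for this example.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log.  Fields: timestamp, user, action, object, bytes.
# "search" events carry the query in the object field; "upload_external"
# means a transfer to a destination outside the firm.
SAMPLE_LOG = """\
2018-02-01T09:02:11 alice search client-db?q=acct 0
2018-02-01T09:05:40 alice download client-db/report-q4.pdf 120000
2018-02-01T10:11:02 bob download hr/handbook.pdf 50000
2018-02-02T09:10:30 alice download client-db/report-q4.pdf 120000
2018-02-02T14:20:00 bob search client-db?q=acct 0
2018-02-03T09:00:05 alice download client-db/summary.xlsx 90000
2018-02-03T11:45:00 bob download client-db/summary.xlsx 90000
2018-02-04T22:13:44 bob search client-db?q=* 0
2018-02-04T22:14:10 bob search client-db?q=* 0
2018-02-04T22:14:55 bob search client-db?q=* 0
2018-02-04T22:20:01 bob download client-db/full-export.csv 4800000
2018-02-04T22:31:09 bob upload_external personal-cloud/full-export.csv 4800000
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    obj: str
    nbytes: int


def parse_log(text):
    """Parse the whitespace-separated log format above into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, obj, int(nbytes)))
    return events


def daily_download_bytes(events):
    """Aggregate: user -> {date: bytes downloaded}.  Days with activity but no
    downloads are recorded as 0 so they count towards the baseline."""
    per_user = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_user[e.user][e.ts.date()] += e.nbytes if e.action == "download" else 0
    return per_user


def volume_anomaly(day_bytes, day, factor=5):
    """Behavioural baseline: flag `day` when its download volume exceeds
    `factor` times the median of the user's earlier days.  The median resists
    a single earlier spike inflating the baseline."""
    prior = [b for d, b in day_bytes.items() if d < day]
    if not prior:
        return False  # no history yet: nothing to compare against
    return day_bytes[day] > factor * max(statistics.median(prior), 1)


def kill_chain_stages(events, user, day, recon_threshold=3):
    """Kill-chain stages `user` exhibits on `day` (stage names are this example's)."""
    todays = [e for e in events if e.user == user and e.ts.date() == day]
    stages = set()
    searches = [e for e in todays if e.action == "search"]
    # Recon: repeated searching, or a wildcard query that enumerates a repository.
    if len(searches) >= recon_threshold or any("q=*" in e.obj for e in searches):
        stages.add("search_recon")
    # Acquisition: download volume far above this user's own baseline.
    if volume_anomaly(daily_download_bytes(events)[user], day):
        stages.add("acquisition")
    # Exfiltration: any transfer to a destination outside the firm.
    if any(e.action == "upload_external" for e in todays):
        stages.add("exfiltration")
    return stages


def score_users(events):
    """Per user: stages seen on the most recent active day and a triage verdict.
    Chaining several stages is what separates an insider pattern from noise."""
    results = {}
    for user, day_bytes in daily_download_bytes(events).items():
        last_day = max(day_bytes)
        stages = kill_chain_stages(events, user, last_day)
        verdict = {0: "normal", 1: "watch", 2: "review"}.get(len(stages), "investigate")
        results[user] = {"day": last_day.isoformat(), "stages": sorted(stages), "verdict": verdict}
    return results


if __name__ == "__main__":
    for user, result in score_users(parse_log(SAMPLE_LOG)).items():
        print(user, result)
```

On the constructed log, alice's last day is within her own baseline and triggers nothing, while bob's late-night wildcard searches, a download forty times his usual volume, and an external upload chain together into an "investigate" verdict. The per-user median baseline is the point of the "Best" tier: a fixed global byte threshold would either miss bob or page on every analyst who legitimately pulls large reports.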
Polling Question 5 – Third-party Risk Management

5. My firm’s Third-party Risk Program is:
a. Mature. Robust strategy with well-defined processes that are applied to all third parties, and that are quantitatively measured.
b. Established. A defined third-party risk management strategy backed by processes and tools.
c. Nascent. Some controls in place (e.g., vendor questionnaire), but no overarching strategy.
d. Nonexistent. We use third parties, but no explicit risk mgmt controls.
e. None needed. We don’t use third-parties that impact our risk profile.
Third-party Risk Management Methodology
Identifying, prioritizing third parties
Sources of risk: people, process, technology
Assessment processes, techniques, timing
Assurance/evidence expectations
Controlling risks
Contract provisions, other techniques
Risk acceptance? Show stoppers?
Monitoring, detecting changes
Changes at third party
Changes in relationship with third party
Supporting tools, services
Coordination with org stakeholders
Infosec, purchasing, legal, etc.
Advice for Smaller Firms
Insider Risk
Difference in risk for smaller firms?
Control priorities. Effective insider risk management on a budget.
Third-party Risk
Difference in risk for smaller firms?
Control priorities. Effective third-party risk management on a budget.
2018 Cybersecurity Conference, February 22 | New York, NY
THANK YOU!

Cybersecurity Guidance for Small Firms
Thursday, February 22, 11:15 a.m. – 12:15 p.m.

It is crucial that small financial firms take proper cybersecurity measures to protect their customers and their firm. During this session, panelists provide risk-based, threat-informed effective practices applicable to small firms and supportive of their overall business model to increase their security and ensure the protection of their customers.

Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office
Panelists: Melinda (Mimi) LeGaye, President, Moody Securities, LLC; Lisa Roth, President, Tessera Capital Partners, LLC; Hardeep Walia, Founder and Chief Executive Officer, Motif
Panelist Bios

Moderator: Dave Kelley is Surveillance Director based out of FINRA’s Kansas City District office, and has been with FINRA for seven years. Mr. Kelley also leads FINRA’s Sales Practice exam program for cybersecurity and the Regulatory Specialist team for Cyber Security, IT Controls and Privacy. Prior to joining FINRA, he worked for more than 19 years at American Century Investments in various positions, including Chief Privacy Officer, Director of IT Audit and Director of Electronic Commerce Controls. He led the development of website controls, including customer application security, ethical hacking programs and application controls. Mr. Kelley is a CPA and Certified Internal Auditor, and previously held the Series 7 and 24 licenses.

Panelists: Melinda (Mimi) G. LeGaye serves as President of both Moody Securities, LLC, and MGL Consulting, LLC. Ms. LeGaye has more than 30 years’ experience representing the interests of small broker-dealers, having held the positions of president, CCO and FINOP for several small broker-dealers over the years. She currently serves as President and CCO of Moody Securities, LLC and as FINOP and a registered representative for Silver Portal Capital, LLC. Ms. LeGaye also serves as a Small Firm Member on FINRA’s District 6 Committee. Prior to forming MGL, Ms. LeGaye served as CCO of Horne Securities Corp., a broker/dealer which was formed to distribute Reg D private placements of real estate limited partnerships. From the early 1980s to the late 1980s, she served on the Regulatory Affairs Committee and as president of the local chapter of the Real Estate Securities & Syndication Institute (RESSI), which was an affiliate of the National Association of Realtors. Ms. LeGaye is actively involved with ADISA (formerly Real Estate Investment Securities Association, aka REISA). As a consultant, Ms. LeGaye has worked primarily with small and mid-size broker-dealers, but she has also worked with many larger broker-dealers providing clearing services to introducing broker-dealers. Having served as president, CCO, FINOP, General Securities Principal, and Municipal Securities Principal for various broker/dealers since the mid-1980s, Ms. LeGaye has worked extensively with retail and institutional broker-dealers, as well as boutique broker-dealers which provide investment banking or mergers & acquisitions advisory services, or which conduct business in the wholesale/retail distribution of Reg D Private Placements, non-traded REITs or 1031 Exchange Programs. As a municipal securities principal, she worked for a small minority enterprise broker-dealer which was involved in municipal bond underwritings, capital raising and financial advisory activities. As President, CCO, FINOP and a small business owner, Ms. LeGaye has first-hand experience and an in-depth understanding of the challenges FINRA small firm members (fewer than 150 RRs) face on a day-to-day basis. Ms. LeGaye holds the Series 7, 24, 27, 53, 63, 79 and 99 registrations. She has previously held the Series 22, 39 and 3 registrations as well. She received her BBA from Sam Houston State University. An advocate for small broker-dealers and sensitive to the compliance, operational and regulatory challenges they face, she has spoken at numerous industry seminars and compliance programs over the years on topics ranging from supervision of independent brokers; surveillance using exception reports; compliance testing for small firms; product due diligence; and most recently at the SMARSH 2016 Connect Conference held in December 2016.

Lisa Roth serves as the President, AML Compliance Officer and Chief Information Security Officer of Tessera Capital Partners. Tessera is a limited purpose broker dealer offering new business development, financial intermediary relations, client services and marketing support to investment managers and financial services firms. Ms. Roth holds FINRA Series 7, 24, 53, 4, 65 and 99 licenses. Previously, Ms. Roth served in various executive capacities with Keystone Capital Corporation, Royal Alliance Associates, First Affiliated (now Allied) Securities, and other brokerage and advisory firms. Ms. Roth serves on FINRA’s Membership Committee, is a member of the Board of the Third Party Marketer’s Association, and serves on FINRA’s Series 14 Item Writing Committee. Ms. Roth was unanimously selected by her peers to serve as Chairman of FINRA’s Small Firm Advisory Board for one of a total of four years of service on the Board from 2008 to 2012. Ms. Roth has also served as a member of the PCAOB Standing Advisory Group, and is an active participant in other industry forums, including speaking engagements and trade associations. Ms. Roth is also the president of Monahan & Roth, LLC, a professional consulting firm offering consulting, expert witness and mediation services on financial and investment services topics including regulatory compliance, product due diligence, suitability, supervision, information security and related topics. Previously, Ms. Roth founded ComplianceMAX Financial Corp. (purchased by NRS in 2007), a regulatory compliance company offering technology and consulting services to more than 1000 broker-dealers and investment advisers. Ms. Roth’s leadership at CMAX led to the development of revolutionary audit and compliance workflow technologies now in use by some of the US’s largest (and smallest) broker-dealers, investment advisors and other financial services companies. Ms. Roth has been engaged as an expert witness on more than 150 occasions, including FINRA, JAMS and AAA arbitrations, and Superior Court and other litigation, providing research, analysis, expert reports, damages calculations and/or testimony at deposition, hearing and trial. As a member of the FINRA Board of Arbitrators, Ms. Roth has been named to more than 20 panels as a hearing officer. Ms. Roth resides in CA, but is a native of Pennsylvania, where she attained a Bachelor of Arts degree and was awarded the History Prize from Moravian College in Bethlehem, PA.

Hardeep Walia is founder and CEO of Motif, a next-generation online broker whose mission is to simplify complex investment products and make them universally accessible. The company’s flagship product allows individual investors to act intuitively on their insights by turning them into a “motif” of stocks. Mr. Walia also serves as CEO of Motif Capital, an institutional investment advisor that develops thematic models for clients such as Goldman Sachs, Global Atlantic, and US Bank’s UHNW arm Ascent Private Capital Management. Prior to Motif, Mr. Walia spent more than six years at Microsoft, where he was General Manager of the company’s enterprise services business. He also served as Director of Corporate Development and Strategy, helping to oversee Microsoft’s investments and acquisitions. He started his career at The Boston Consulting Group. Mr. Walia holds a BS in Economics and Engineering from Yale University and an MBA from the Wharton School of Business. He holds Series 7, 24 and 63 licenses in the securities industry. He serves on FINRA’s Technology Advisory Committee and is on the Advisory Boards of Ascent Private Capital and real-estate startup PeerStreet. He is a featured contributor for LinkedIn, and a frequent guest on CNBC.
2018 Cybersecurity Conference, February 22 | New York, NY
Cybersecurity Guidance for Small Firms

Moderator
David Kelley, Surveillance Director, FINRA Kansas City District Office
Panelists
Melinda (Mimi) LeGaye, President, Moody Securities, LLC
Lisa Roth, President, Tessera Capital Partners, LLC
Hardeep Walia, Founder and Chief Executive Officer, Motif
To Access Polling
Under the “Schedule” icon on the home screen, select the day, choose the Cybersecurity Guidance for Small Firms session, and click on the polling icon.
Polling Question 1

1. How confident are you in your cybersecurity program for your firm?
a. We have a good plan that addresses our risks.
b. Started our plan but don’t know if we included all risks to our firm.
c. Just started but have a long way to go.
d. We don’t have any cybersecurity risks.
Polling Question 2

2. What part of your cybersecurity plan are you least comfortable with?
a. Branch Controls
b. Home Office Controls
c. Vendor Controls
d. Concerned about a FINRA exam
e. Other
Practical Advice for Small Firms
Current cyber issues
FINRA exam standards
Risk Control Self Assessment results
Implementation of a reasonable but effective program
Security basics for the small firm headquarters office
Security basics for the branch office
Vendor management and outsourcing
Current Issues for Small Firms
Phishing
Malware and ransomware
Third-party wires
Patch management
Unencrypted data sent by email
FINRA Exams and Results
Exam standards
Risk assessment and governance
Cyber program leadership (CISO)
Policies, procedures and adherence
IT certifications
Outsourcing of IT and controls
Exam findings
Risk Control Self Assessment Results
(Chart: percentage of firms who manage or store PII. Source: 2016 RCA.)
(Chart: firm likelihood to outsource (partial or full) business functions. Source: 2016 RCA.)
Polling Question 3

3. How often do you conduct training for cybersecurity risks?
a. Annually
b. Annually plus other ongoing instances
c. We don’t have formal training for our RRs and staff.
d. Ongoing
Risk Control Self Assessment Results
(Chart: firm purchase or integration of cyber insurance policies. Source: 2016 RCA.)
(Chart: firm coverage of disruption scenarios in their incident response plans. Source: 2016 RCA.)
Cyber Standards for Small Firm Headquarters
Governance
Appointing the CISO, CTO
Framework for risk assessment
Framework for cyber policies
NIST or SANS framework
NASAA guidelines
NY DFS, other state guidelines
Cyber Standards for Small Firm Headquarters
Cyber policy components
In-house versus outsourced cyber management
Cloud storage versus on-site server storage
Incident response
Vendor management
Training
Cyber intelligence
Insurance
Testing
Cyber Basics for Branch/Remote Locations
Device inventory and ongoing monitoring
Centralized communications and data management
Cyber awareness training, training, training
Incident reporting
Technical controls – patching, encryption, virus protection
Passwords
Physical security
Cloud usage
Vendor Management
Initial due diligence
Security and IT vendors
Other vendors
Ongoing monitoring
SOC reports
Qualifications and standards
FINRA’s vendor list
NRF or not?
Contractual obligations
Use of the cloud
Resources
FINRA Cybersecurity Page: www.finra.org/industry/cybersecurity
2015 Report on Cybersecurity Practices
Small Firm Cybersecurity Checklist
Compliance Vendor Directory
NIST Cybersecurity Framework: www.nist.gov/cyberframework
Financial Services Information Sharing and Analysis Center: www.fsisac.com/
NASAA Cybersecurity Checklist for Investment Advisers: http://www.nasaa.org/industry-resources/investment-advisers/nasaa-cybersecurity-report/
Resources
FINRA Exam Findings Report: www.finra.org/industry/2017-report-exam-findings/cybersecurity
National Law Review – Issues Facing Financial Institutions: www.natlawreview.com/article/top-10-issues-facing-financial-institutions-2017-4-cybersecurity
Handouts:
Model cyber procedures
Incident report template
Branch electronic device review template
Electronic device disclosure form
Third-Party Vendor Contracts – Sample Language

Confidential Information. As used in this Agreement, "Confidential Information" means information not generally known to the public, and maintained by [Company Name] as confidential, whether of a technical, business or other nature that relates to the engagement or that, although not related to such engagement, is nevertheless disclosed as a result of the Parties' discussions in that regard, and that should reasonably have been understood by the [Service Provider], because of (i) legends or other markings, (ii) the circumstances of disclosure or (iii) the nature of the information itself, to be proprietary and confidential to [Company Name]. Confidential Information includes “nonpublic personal information” about the “customers” and “consumers” (as those terms are defined in Title V of the Gramm-Leach-Bliley Act and the privacy regulations adopted thereunder) of [Company Name]. Confidential Information may be disclosed in written or other tangible form (including information in computer software or held in electronic storage media) or by oral, visual or other means. For purposes of this Agreement, "[Company Name]" includes employees and controlled affiliates of [Company Name] who disclose Confidential Information to the [Service Provider], and Confidential Information includes information disclosed by such affiliates.

Use of Confidential Information. The [Service Provider], except as expressly provided in this Agreement, shall not disclose [Company Name]'s Confidential Information to anyone without [Company Name]'s prior written consent. The [Service Provider] shall take all steps necessary to safeguard and protect such Confidential Information from unauthorized access, use or disclosure by or to others, including but not limited to, maintaining appropriate security measures and providing access on an as-needed basis only. The Parties will treat Confidential Information using the same degree of care used to protect its own confidential or proprietary information of like importance, but in any case using no less than a reasonable degree of care. The [Service Provider] shall not reverse-engineer, decompile, or disassemble any hardware or software provided or disclosed to it and shall not remove, overprint or deface any notice of copyright, trademark, logo, legend or other notice of ownership from any originals or copies of Confidential Information it obtains from [Company Name]. The [Service Provider] shall not use Confidential Information for any purpose other than with respect to [the Project].

Exceptions. The provisions of the “Use of Confidential Information” Section above shall not apply to any information that (i) is or becomes publicly available without breach of this Agreement; (ii) can be shown by documentation to have been known to the [Service Provider] without confidentiality restrictions at the time of its receipt from [Company Name]; (iii) is rightfully received from a third party who did not acquire or disclose such information by a wrongful or tortious act, or in breach of a confidentiality restriction; (iv) can be shown by documentation to have been independently developed by the [Service Provider] without reference to any Confidential Information; or (v) is identified by [Company Name] as no longer proprietary or confidential.

[Service Provider] Personnel. The [Service Provider] shall restrict the possession, knowledge, development and use of Confidential Information to its employees, agents, subcontractors, consultants, advisors and entities controlled by it (collectively, "Personnel") who have a need to know Confidential Information in connection with the Project. The [Service Provider]'s Personnel shall have access only to the Confidential Information they need for such purposes. The [Service Provider] shall ensure that its Personnel are bound by confidentiality obligations substantially similar to those contained herein and that such Personnel comply with this Agreement.

Disclosures Required by Law, Rule or Regulation. If, in the opinion of its counsel, the [Service Provider] becomes legally obligated to disclose Confidential Information, the [Service Provider] shall give [Company Name] prompt written notice sufficient to allow [Company Name] to seek a protective order or other appropriate remedy, and shall, to the extent practicable, consult with [Company Name] in an attempt to agree on the form, content, and timing of such disclosure. Notwithstanding the preceding sentence, notification to [Company Name] shall not be required if such notification is not permitted by law or would interfere with applicable law enforcement activities. The [Service Provider] shall disclose only such information as is required, in the opinion of its counsel, and shall exercise all reasonable efforts to obtain confidential treatment for any Confidential Information that is so disclosed.

Ownership of Confidential Information. All Confidential Information disclosed under this Agreement (including information in computer software or held in electronic storage media) shall remain the exclusive property of [Company Name], and the [Service Provider] shall have no rights, by license or otherwise, to use the Confidential Information except as expressly provided herein. No patent, copyright, trademark or other proprietary right is licensed, granted or otherwise conveyed by this Agreement with respect to Confidential or other information.
Provisions Applicable to “Nonpublic Personal Information.” Notwithstanding any other provision of this Agreement, with respect to “nonpublic personal information” about the “customers” and “consumers” (as those terms are defined in Title V of the Gramm-Leach-Bliley Act and the privacy regulations adopted thereunder) of Advisor and any Affiliate of Advisor, Service Provider agrees as follows: (i) except as may be reasonably necessary in the ordinary course of business to carry out the activities to be performed by Service Provider under this Agreement or as may be required by law or legal process, it will not disclose any such nonpublic personal information to any third party other than affiliates of Service Provider or Advisor; (ii) it will not use any such nonpublic personal information other than to carry out the purposes for which it was disclosed by Advisor or Advisor’s Affiliate unless such other use is (a) expressly permitted by a written agreement executed by Advisor or its Affiliate, or (b) required by law or legal process; and (iii) it will take all reasonable measures, including without limitation such measures as it takes to safeguard its own confidential information, to ensure the security and confidentiality of all such nonpublic personal information, to protect against anticipated threats or hazards to the security or integrity of such nonpublic personal information and to protect against unauthorized access to or use of such nonpublic personal information.
TBD Securities Cyber Security Policies
Page 1 of 15 Courtesy of Monahan & Roth, LLC February, 2018
TBD Securities Cyber Security Policies and Procedures
CONTENTS
OVERVIEW 2
AUDIT TRAIL 4
ACCESS MANAGEMENT 5
END-USER: MOBILE DEVICE AND APPLICATION SECURITY 7
COLLABORATION SITES AND END-‐USER DATA STORAGE 7
SECURITY RISK ASSESSMENT 8
OR (FOR FINANCIAL SERVICES FIRMS REGISTERED IN NY) 9
EMPLOYEE SECURITY AWARENESS TRAINING 10
VENDOR SELECTION AND MANAGEMENT 10
TECHNOLOGY ASSET INVENTORY, CLASSIFICATION AND TRACKING 11
TECHNOLOGY END-OF-LIFE PROCESS 12
EMPLOYEE TERMINATION 12
DISASTER RECOVERY AND BACKUP TESTING 13
CYBER SECURITY INSURANCE 13
CYBER SECURITY BREACH FRAMEWORK 13
REGULATORY REPORTING REQUIREMENT(S) 14
Overview TBD Securities has implemented this program, designed to promote the protection of customer information as well as its information technology systems which include any discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems. At a high level, the goal of this program is to:
(1) identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on TBD Securities’ Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed; (2) use defensive infrastructure and the implementation of policies and procedures to protect TBD Securities’ Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts; (3) detect Cyber security incidents; (4) respond to identified or detected Cyber security incidents to mitigate any negative effects; (5) recover from Cyber security incidents and restore normal operations and services; and (6) fulfill all regulatory reporting obligations.
[Name] has been designated as the Chief Information Security Officer (“CISO”) and has primary oversight, maintenance, and execution of this Technology and Information Security Program (the “Program”). The CISO is authorized to delegate physical, technical, and administrative components of this program to qualified third parties as and whenever appropriate. If TBD Securities elects to delegate CISO responsibility to a third party it must:
• Retain ultimate responsibility for implementation of the program
• Designate a senior member to supervise the [assigned party], and
• Require the [assigned party] to maintain a cyber security program that substantially complies with relevant rules and regulations.

The TBD Securities [TITLE] bears overall responsibility for Business Continuity Plan (“BCP”) / Disaster Recovery (“DR”) planning, information protection, and creating agile security processes and procedures. The CCO has identified the following core functions to guide the Program. These functions will be evaluated and updated by the CISO as indicated below to adjust to technological, business and/or operational changes at the firm that may have a material impact on the Program. The CISO will also be responsible for preparing a report, at least bi-annually, that:
(1) assesses the confidentiality, integrity and availability of TBD Securities’ Information Systems; (2) details exceptions to TBD Securities’ cyber security policies and procedures; (3) identifies cyber risks to TBD Securities; (4) assesses the effectiveness of TBD Securities’ cyber security program; (5) proposes steps to remediate any inadequacies identified therein; and (6) includes a summary of all material Cyber security incidents that affected TBD Securities during the time period addressed by the report.
The CISO shall present the report to [Firm Name’s] senior management or board of directors as applicable.

Function | Designated Person | Frequency (document review / execution, as stated)
Access management: password and technology access | CISO | Periodically
Access management: physical access | CISO | Periodically
End-user: desktop, web, network and server security | CISO |
End-user: mobile devices and application security | CISO |
Collaboration sites and storage networks | CISO |
Security risk assessment | CISO |
Cyber security testing and audit | CISO |
Network vulnerability scan | CISO | Quarterly
Employee security awareness training | CISO |
Vendor selection and maintenance | COO |
Technology asset inventory | CISO |
Technology end-of-life process | CISO |
Employee termination | COO |
Disaster recovery and backup testing | COO |
Cyber security insurance | CISO |
Information Security | CCO |
Vendor and third-party service provider management | CISO | Annually
Cyber incident response | CCO |
Penetration testing | CISO | Annually
Report to Senior Management | CISO | Bi-annually
Application security | CISO | Annually
Audit Trail The CISO shall be responsible for implementing an audit trail that:
(1) tracks and maintains data that allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable TBD Securities to detect and respond to a Cyber security incident; (2) tracks and maintains data logging of all privileged Authorized User access to critical systems; (3) protects the integrity of data stored and maintained as part of any audit trail from alteration or tampering; (4) protects the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allows for event reconstruction; (5) logs system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an Authorized User, and all system administrator functions performed on the systems; and (6) maintains records produced as part of the audit trail for not fewer than six years.
Access Management TBD Securities has an approach to entitlement management that helps establish controls around access activities. The goal of this program is focused on the following:
• Protect remote, mobile, cloud and social access
• Provide transparency and up-to-date information on entitlements
• Provide centralized administration for permissions
• Ensure that employees have access only relevant to their job functions
• Protect against insider threats and unauthorized escalation of user privileges

Each employee’s profile will be managed in a central directory that will be used to create, delete and modify employee access data. The CCO is the primary owner of the central directory.
Authorization: TBD Securities manages authorization information that defines what functions an employee can perform in the context of a specific application. The CCO maintains a record of the authorizations.
Passwords: For accessing any firm desktop or device, employees are required to use unique passwords, requiring the following characteristics:
• Contains at least 8 characters
• Uses a combination of lower and uppercase letters
• Uses at least one number and one symbol
• Expires every 180 days (the reuse of any previous password is disallowed)
• After 10 failed login attempts within 15 minutes, the user account will be locked until released by the CISO or an [assigned party] administrator.
Each administrator will have a unique login account and password. Any [assigned party]’s employees (employees of a consultant or other party delegated responsibility for [Firm Name’s] program), on an as-needed basis, will each have a unique login and password to access the firm’s password management list. Physical access: TBD Securities will secure the firm’s physical premises with locks and inventory keys issued to authorized persons on an ongoing basis.
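As an added illustration (not part of the policy document or of Monahan & Roth's materials), the following Python checks a candidate password against the rules above and replays constructed login events through the 10-failures-within-15-minutes lockout; the event format, the function names, the SHA-256 reuse check and the choice to reset the counter on a successful login are assumptions made for this example.

```python
"""Password-rule and lockout checks matching the Passwords section of the policy.

Added example: not the firm's or the policy author's code.  The login-event
format, function names and the SHA-256 reuse check are assumptions.
"""
from __future__ import annotations

import string
from collections import defaultdict, deque
from datetime import datetime, timedelta
from hashlib import sha256

# Thresholds exactly as stated in the policy.
MIN_LENGTH = 8
MAX_AGE_DAYS = 180
LOCKOUT_FAILURES = 10
LOCKOUT_WINDOW = timedelta(minutes=15)
SYMBOLS = set(string.punctuation)


def hash_password(password: str) -> str:
    """Hex SHA-256 of a password; the reuse check compares digests so old
    plaintexts never need to be kept (assumed storage scheme for this example)."""
    return sha256(password.encode()).hexdigest()


def password_violations(candidate: str, previous_hashes: set[str]) -> list[str]:
    """Return the policy rules the candidate breaks; an empty list means compliant."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("needs both lower- and upper-case letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs at least one number")
    if not any(c in SYMBOLS for c in candidate):
        problems.append("needs at least one symbol")
    if hash_password(candidate) in previous_hashes:
        problems.append("reuse of a previous password is disallowed")
    return problems


def password_expired(set_on: str, now: str) -> bool:
    """True once a password (ISO-8601 timestamps) is older than 180 days."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(set_on)
    return age > timedelta(days=MAX_AGE_DAYS)


class LockoutTracker:
    """Sliding-window lockout: 10 failed logins within 15 minutes lock the
    account until an administrator releases it, as the policy requires."""

    def __init__(self) -> None:
        self._failures: dict[str, deque[datetime]] = defaultdict(deque)
        self.locked: set[str] = set()

    def record(self, user: str, when: datetime, success: bool) -> bool:
        """Feed one login event; return True if the account is locked afterwards."""
        if user in self.locked:
            return True                      # stays locked until released
        window = self._failures[user]
        while window and when - window[0] > LOCKOUT_WINDOW:
            window.popleft()                 # forget failures older than 15 minutes
        if success:
            window.clear()                   # assumption: a good login resets the count
            return False
        window.append(when)
        if len(window) >= LOCKOUT_FAILURES:
            self.locked.add(user)
            return True
        return False

    def release(self, user: str) -> None:
        """CISO or delegated administrator releases the lock."""
        self.locked.discard(user)
        self._failures[user].clear()


def replay(events: list[str]) -> set[str]:
    """Replay 'user,ISO-timestamp,OK|FAIL' lines and return the users locked out."""
    tracker = LockoutTracker()
    for line in events:
        user, stamp, result = line.strip().split(",")
        tracker.record(user, datetime.fromisoformat(stamp), result == "OK")
    return tracker.locked


# Constructed sample events (not real logs): alice fails 10 times in 9 minutes,
# bob fails 10 times spread over 18 minutes, so never 10 within one window.
SAMPLE_EVENTS = [f"alice,2018-02-22T09:{m:02d}:00,FAIL" for m in range(10)] + [
    f"bob,2018-02-22T09:{2 * m:02d}:00,FAIL" for m in range(10)
]

if __name__ == "__main__":
    print("locked:", replay(SAMPLE_EVENTS))               # {'alice'}
    print(password_violations("winter2018", set()))       # case and symbol rules
```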
End-user: desktop, web, network and server security: TBD Securities has developed practices within the firm to protect the sensitivity of all information by implementing the following processes:
• Implement the use of password protection for all sensitive data, applications, and collaboration tools
• Reconcile the inventory of hardware, software and devices with [assigned party]
• Educate end-users on appropriate use of desktops and web browsing for business purposes
• Track and log USB portable flash drive uses that access the firm’s desktop to detect any unauthorized use
• Maintain a white-list of desktop approved applications and a blacklist policy for websites (i.e. adult content, social media, gambling, etc.)
Working closely with the CISO, [assigned party] will proactively manage the following items:
• Maintain inventory of hardware, software and devices
• Closely monitor application and systems log activity (i.e. control the execution of code with an application white-listing policy)
• Deploy critical operating system security patches within 48 hours of release
• Non-critical patches are delivered monthly
• Implement appropriate protections for electronic systems, including anti-virus software and firewalls
• Anti-virus software is set to auto-update and firewalls are updated at least quarterly by [assigned party]
To combat social engineering, the [assigned party] will do the following:
– Employ up-to-date anti-malware systems (continuously updated by auto-update plus quarterly reviews)
– Employ spam filters and other email gateways (continuously updated by auto-update and periodically reviewed by [assigned party])
(a) Multi-Factor Authentication. Each Covered Entity shall: (1) require Multi-Factor Authentication for any individual accessing TBD Securities’ internal systems or data from an external network; (2) require Multi-Factor Authentication for privileged access to database servers that allow access to Nonpublic Information; (3) require Risk-Based Authentication in order to access web applications that capture, display or interface with Nonpublic Information; and (4) support Multi-Factor Authentication for any individual accessing web applications that capture, display or interface with Nonpublic Information.
End-user: mobile device and application security Firm-owned devices include, but are not limited to, laptops, tablets, cellular phones, and smartphones. Personal devices may utilize mobile access as long as they are password-encrypted and firm-approved. At the time of hiring, and annually thereafter, TBD Securities requests disclosure of all electronic devices, including the % business and personal use, for purposes of maintaining an up-to-date inventory. Employees are advised to report any lost, stolen, or compromised electronic device to the CISO or CCO immediately. The CISO or CCO will update the firm inventory and shut off inbound and outbound access to the device as necessary. Firm personnel will receive training on the secure use of mobile devices and removable media on an as-needed basis including during the annual compliance meeting.
Collaboration sites and end-user data storage The CISO will be primarily responsible for vetting any collaboration site and data storage along with the CCO. Each site must have identified “data owners,” who manage, control, and review access. Only firm approved collaboration sites listed below will be utilized: [Name ANY RELEVANT CITATIONS] Protecting firm data includes the proper use of collaboration sites and data storage sites. The following are requirements for collaboration sites and storing data:
Desktop, laptop, remote desktop and tablets
• Ensure storage only in an approved, sandboxed or otherwise encrypted location instead of the desktop
• Save information to be shared to an access-controlled network location such as a network shared drive
• Store data and information with retention requirements in a records management repository
• Only use applications obtained through firm-approved channels
Mobile devices (smart phones and tablets)
• Only store data within firm-approved applications
• TBD Securities intends to have remote-wipe capability for all employee devices
Records retention
• Certain types of data have retention periods
• All records including digital should be stored in an approved records repository
• Collaboration sites are not approved repositories
• Employees are responsible for preventing inappropriate use of or access to data by:
– Only accessing information needed for your job function
– Preparing, handling, using and releasing data
– Using correct storage locations
– Following appropriate use or restrictions of electronic communications, including but not limited to email, instant messaging, text, chat, audio/video conferencing and social media
Security risk assessment The firm will use an independent [assigned party] to perform a comprehensive enterprise risk assessment. The [assigned party] will assess any potential or existing cyber-security threats to identify potential risks and business impacts. At the discretion of the CISO and CCO, the review may include, as relevant, the following items:

Category | Subcategories
Network Security | Network Infrastructure; Firewalls; Network Diagram; Frequency of Documentation; Wireless
Data Security | Data Classification; Backup and Restoration; Encryption; Mobile Security; Disposal; Protection of Transmission
Access Control | Active Directory; Authentication; Network Access Control; Account/Password Management; Application Access
System Development | Systems Installation; Software Development; Maintenance and Patching; Decommissioning; Change Control Management
Protection | Antivirus software; Updates and patches; Web Filter and traffic
Testing and Monitoring | Server Monitoring; Network Monitoring; Penetration Testing; Vulnerability Testing; Alerting
Vendors | Vendor Assessment; Client Data
Employees | Termination / Role Transfer
Physical Premise Security | Data Center; Building Security and Staff; Building and Office Access; Server Room
Information Security Program | Info Security Policy; Cyber security Insurance Coverage Review
OR (For Financial Services Firms registered in NY) At least annually, each Covered Entity shall conduct a risk assessment of TBD Securities’ Information Systems. Such risk assessment shall be carried out in accordance with written policies and procedures and shall be documented in writing. The risk assessment shall minimally include:
(1) criteria for the evaluation and categorization of identified risks; (2) criteria for the assessment of the confidentiality, integrity and availability of TBD Securities’ Information Systems, including the adequacy of existing controls in the context of identified risks; and (3) requirements for documentation describing how identified risks will be mitigated or accepted based on the risk assessment, justifying such decisions in light of the risk assessment findings, and assigning accountability for the identified risks.
Employee security awareness training To assist firm employees in understanding their obligations regarding sensitive firm information, the CISO will provide each employee with a copy of this Program upon commencement of employment and whenever changes are made. In addition, the CISO and/or CCO will implement programs to perform training functions on an as-needed basis. At the discretion of the CCO and CISO, employee security awareness training may include any of the following:
• Instruct employees to take basic steps to maintain the security, confidentiality and integrity of client and investor information, including:
– Secure all files, notes, and correspondence
– Change passwords periodically and do not post passwords near computers
– Avoid the use of speaker phones and discourage discussions in public areas
– Recognize any fraudulent attempts to obtain client or investor information and report to appropriate management personnel
– Access firm, client, or investor information on removable and mobile devices with care and on an as-needed basis using firm protocols (passwords, etc.)
• Instruct employees to close out of files that hold protected client and investor information, investments, investment strategies, and other confidential information when they are not at their desks
• Educate employees about the types of cyber security attacks and appropriate responses
Vendor selection and management For vendors interacting with TBD Securities systems, network and data, the firm will perform the following activities to protect sensitive information:
• Assess vendors before working with them including a cyber-security risk assessment
• Review third-party vendor contract language to establish each party’s responsibility with respect to cyber-security procedures
• Segregate sensitive firm systems from third-party vendor access and monitor remote maintenance performed by third-party contractors
• the use of Multi-Factor Authentication as set forth herein to limit access to sensitive systems and Nonpublic Information;
• the use of encryption to protect all Nonpublic Information in transit and at rest;
• prompt notice to be provided to TBD Securities in the event of a Cyber security incident affecting the third party service provider;
• identity protection services to be provided for any customers materially impacted by a cyber security incident that results from the third party service provider’s negligence or willful misconduct;
• representations and warranties from the third party service provider that the service or product provided to TBD Securities is free of viruses, trap doors, time bombs and other mechanisms that would impair the security of TBD Securities’ Information Systems or Nonpublic Information; and
• the right of TBD Securities or its agents to perform cyber security audits of the third party service provider.
Technology asset inventory, classification and tracking TBD Securities has a process in place to identify, classify, and track all technology assets (“assets”):
• To ensure accurate classification and tracking, TBD Securities will procure/vet all assets through [assigned party]
• TBD Securities will maintain an inventory of all assets as well as an identified owner
• TBD Securities will cross-reference the list of internal assets with [assigned party]
• Asset identification and classification process will be scalable to accommodate growth and acquisition
• TBD Securities will track assets and their attributes throughout their lifecycle
• Automated processes will be used periodically to perform discovery of unknown assets
• TBD Securities will create a map of network resources, including data flows, internal connections and external connections
TBD Securities will establish and enforce a process of assessing and classifying assets based on their sensitivity to attack and business value. [assigned party] will auto-alert TBD Securities if a new device is discovered on the network.
TBD Securities shall encrypt all Nonpublic Information it holds or transmits, both in transit and at rest.
Technology end-of-life process TBD Securities has developed and will follow processes for securely disposing of assets once they are no longer being used by the firm or have reached the end of their usable life (the “end-of-life process”). Working closely with the CISO, [assigned party] will closely monitor the firm hardware and recommend a refresh every 3-5 years per individual hardware equipment. A certified end-of-life management vendor (“EMV”) will properly recycle any old hardware.
Notification: The end-of-life process will notify all necessary and relevant parties to initiate a coordinated execution:
• CISO
• Asset owner
• End user(s)
• Relevant vendor(s)
Hard Drives: Any decommissioned hard drive will be securely stored for a minimum of 6 years from the decommission date. When disposing of the hard drive, the EMV will do the following:
• Erase all data on the drive
• Physically destroy the hard drive
• Produce documentation of proper disposal
Employee termination The firm is dedicated to protecting the network and proprietary data at risk upon termination of employees. To prevent any issues of former employees leaking information, TBD Securities has adopted an approach towards access controls and entitlement management. Please refer to the [assigned party] checklist for employee on/off-boarding. TBD Securities will maintain this list as new applications, drives, systems, and vendors are incorporated.
The following items will be monitored:
• Network access
• Desktop access
• Mobile device access
• Internal and external applications
• Vendors, such as prime brokers, executing brokers, etc.
Disaster recovery and backup testing Please see [Firm Name’s] Business Continuity Procedures / Disaster Recovery Plan (“BCP”) for detailed documentation. Any changes can be represented in that BCP / DR plan. The CCO in connection with the CISO will update the firm’s BCP on an as-needed basis to ensure that it is consistent with the Program.
Cyber security insurance On an annual basis the CISO will review the firm’s insurance coverage related to cyber security threats and make a determination as to its adequacy in conjunction with the CCO and COO. It is anticipated that cyber security insurance will not be obtained unless or until the firm’s risk profile substantially increases, because currently the majority of client sensitive data is retained by competent third party vendors, primarily including its clearing firm.
Cyber security breach/incident response framework The firm has implemented a framework to identify, prepare for, prevent, detect, respond to, and recover from cyber security incidents, meaning any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.
In the event of a cyber security incident, the firm’s information technology personnel (or anyone detecting the incident) will immediately notify the CISO (or qualified designee) who will work with appropriate personnel to:
• Assess the nature and scope of any such incident and maintain a written record of the systems and information involved
• Take appropriate steps to contain and control the incident to prevent further unauthorized access, disclosure or use, and maintain a written record of steps taken
• Promptly conduct a reasonable investigation, determine the likelihood that personal information has or will be misused, and maintain a written record of such determination
• Discuss the issue with outside counsel (or a qualified resource) and make a determination regarding disclosing the issue to regulatory authorities, law enforcement and/or individuals whose information may have been affected
• Evaluate the need for changes to the firm’s policies and procedures in light of the breach
• The firm will work with outside resource(s) and/or counsel as necessary to determine appropriate next steps including addressing any weaknesses identified in the process
• A record of the response to the incident shall be recorded and retained among the firm’s central records.
Regulatory reporting requirement(s) (For entities registered to do business in NY and not otherwise exempt.) TBD Securities shall submit to the superintendent of the state of New York, Department of Financial Services (“DFS”) a written statement by January 15, in such form as set forth by the DFS, certifying that TBD Securities is in compliance with the requirements specifically identified by DFS. TBD Securities shall maintain for examination by the DFS all records, schedules and data supporting this certificate for a period of five years.
(1) To the extent TBD Securities has identified areas, systems, or processes that require material improvement, updating or redesign, TBD Securities shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by DFS. (2) To the extent that TBD Securities has identified any material risk of imminent harm relating to its cyber security program, TBD Securities shall notify the superintendent within 72 hours and include such items in its annual report filed pursuant to this section.
TBD Securities January 15, 20 __ Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations The Board of Directors or a Senior Officer(s) of TBD Securities certifies:
(1) The Board of Directors (or name of Senior Officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary;
(2) To the best of the (Board of Directors) or (name of Senior Officer(s)) knowledge, the Cybersecurity Program of TBD Securities as of [Date] complies with the rules and regulations of the state of New York.
By: Printed Name: Title: Date:
Electronic Devices and Communications Inspection Form
Electronic Device Review:
Device Name | Description | % Business Use | % Personal Use
☐ Yes ☐ No Anti-malware software is installed on this device.
☐ Yes ☐ No Anti-virus software is installed on this device.
☐ Yes ☐ No Software auto-update is set to “ON” on this device.
☐ Yes ☐ No Log-in privileges to this device are password protected.
☐ Yes ☐ No This device ‘times out’ after 15 minutes or less time of non-use.
☐ Yes ☐ No ONLY approved (company) email is received on this device.
☐ Yes ☐ No ONLY associated personnel have access to this device.
Please explain any “NO” answer in the space provided below:
Exceptions, Notes:
CYBER SECURITY INCIDENT REPORT
Courtesy of Monahan & Roth, LLC
Incident Reported By:
Incident Reported To:
Date Reported:  Time:  ☐ am ☐ pm
Nature of the incident (Include the scope, systems and information involved):
CONTAINMENT
Date Contained:  Time:  ☐ am ☐ pm
Record the steps taken to contain and control the incident to prevent further unauthorized access, disclosure or use:
INVESTIGATION
Investigation performed:  Time:  ☐ am ☐ pm
Describe the nature of the investigation, including whether or not sensitive information has or might be compromised:
DISCLOSURE TO THIRD PARTIES (check all that apply)
☐ Counsel ☐ Other Qualified Resource
☐ Law Enforcement ☐ Individuals affected
Describe:
RESOLUTION
Resolution achieved:  Time:  ☐ am ☐ pm
☐ Related Cyber Policies adequate ☐ Related Cyber Policies require amendment ☐ Follow-up required
Describe:
Principal Acknowledgement of Resolution:  Date:
Notes:
Courtesy of Monahan & Roth, LLC
Electronic Device Disclosure
Associated persons are required to disclose the use and/or the termination of use of any electronic device used entirely or in part for business purposes by completing the table below.
☐ This is an initial report of electronic device(s)
☐ I have a new device to report
☐ I have a retired device to report
☐ I have a change in usage of a previously reported device to report
Device Description (example: “primary office computer”; include smartphones, tablets and other devices) | Device Type (example: iMac, or Dell PC desktop) | % Business Use | % Personal Use | Notes (example: shared device with another associated person)
I hereby certify that the above information is correct and accurate to the best of my knowledge and that I adhere to my Broker-Dealer’s policies and procedures.
Signature          Date
Cyber Security Checklist for Broker Dealers
Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC
1
Identify: Risk Assessment & Management   YES NO N/A
1. Risk assessments are conducted frequently (e.g. annually, quarterly).
2. Cybersecurity is included in the risk assessment.
3. The risk assessment includes a review of the data collected or created, where the data is stored, and if the data is encrypted.
4. Internal “insider” risk (e.g. disgruntled employees) and external risks are included in the risk assessment.
5. The risk assessment includes relationships with third parties.
6. Adequate policies and procedures demonstrate expectations of employees regarding cybersecurity practices (e.g. frequent password changes, locking of devices, reporting of lost or stolen devices, etc.).
7. Primary and secondary person(s) are assigned as the central point of contact in the event of a cybersecurity incident.
8. Specific roles and responsibilities are tasked to the primary and secondary person(s).
9. The firm has an inventory of electronic devices and software in use in its home office.
10. The firm has an inventory of electronic devices and software in use in its branch offices.
Notes:
Protect: Use of Electronic Mail   YES NO N/A
1. The firm has protective measures in place to govern the distribution of identifiable information of a client transmitted via email.
2. The firm has protective measures in place to govern authentication practices for access to email on all devices (computer and mobile devices).
3. The firm requires that passwords for access to email are changed no less than quarterly.
4. The firm’s policies and procedures provide instruction to authenticate client instructions received via email.
5. If applicable, the firm’s employees and clients are aware that email communication is not secure.
Protect: Devices   YES NO N/A
1. Device access (physical and digital) is permitted for authorized employees.
2. Device access (physical and digital) is permitted for authorized clients.
3. Device access is routinely audited and updated appropriately.
4. Devices are routinely backed up and underlying data is stored in a separate location (i.e. on an external drive, in the cloud, etc.) subject to FINRA requirements for electronic storage, or other related requirements.
5. Backups have been tested in the most recent 12 months.
6. The firm has written policies and procedures regarding the secure destruction of electronic devices no longer in use (end of life procedures).
Notes:
Protect: Use of Cloud Services   YES NO N/A
1. Due diligence has been conducted on the cloud service provider prior to signing an agreement or contract.
2. As part of the due diligence, the firm has evaluated whether the cloud service provider has safeguards against breaches and a documented process in the event of breaches.
3. The firm has a business relationship with the cloud service provider and has the contact information for that entity.
4. The firm is aware of the assignability terms of the contract.
5. The firm understands how the firm’s data is segregated from other entities’ data within the cloud service.
6. The firm is familiar with the restoration procedures in the event of a breach or loss of data stored through the cloud service.
7. The firm has written policies and procedures in the event that the cloud service provider is purchased, closed, or otherwise unable to be accessed.
8. The firm solely relies on free cloud storage.
9. The firm maintains a 17(a)4 compliant backup of all records off-site.
10. Data containing sensitive or personally identifiable information is stored through a cloud service.
11. The firm’s data containing sensitive or personally identifiable information that is stored through a cloud service and is accessible by the vendor is encrypted.
12. The firm has written policies and procedures related to the use of devices by employees or vendors who access data in the cloud.
13. If applicable, the firm’s procedures provide controls for when the cloud provider (or its staff) may access and/or view the firm’s data stored in the cloud.
14. If the firm allows any user remote access to its network (e.g. through use of VPN), such access is subject to controls including user management.
15. The VPN access of employees is monitored.
16. The firm has written policies and procedures related to the termination of VPN access when any authorized user resigns or is terminated.
Protect: Use of Firm Websites   YES NO N/A
1. The firm relies on a parent or affiliated company for the construction and maintenance of the website.
2. The firm relies on internal personnel for the construction and maintenance of the website.
3. The firm relies on a third-party vendor for the construction and maintenance of the website.
4. If the firm relies on a third party for website maintenance, there is an agreement with the third party regarding the services and the confidentiality of information.
5. The firm can directly make changes to the website.
6. The firm can directly access the domain renewal information and the security certificate information.
7. The firm’s website is used to access client information.
8. SSL or other encryption is used when accessing client information on the firm’s website.
9. The firm’s website includes a client portal.
10. SSL or other encryption is used when accessing a client portal.
11. When accessing the client portal, user authentication credentials (i.e., user name and password) are encrypted.
12. Additional authentication credentials (i.e., challenge questions, etc.) are required when accessing the client portal from an unfamiliar network or computer.
13. The firm has written policies and procedures related to a denial of service issue.
Notes:
Protect: Custodians & Other Third-Party Vendors   YES NO N/A
1. The firm’s due diligence on third parties includes cybersecurity as a component.
2. The firm has requested vendors to complete a cybersecurity questionnaire, with a focus on issues of liability sharing and whether vendors have policies and procedures based on industry standards.
3. The firm understands when/if the vendor has IT staff or outsources some of its functions.
4. The firm has obtained a written attestation from the vendor that it uses software to ensure customer data is protected.
5. If applicable, the firm has obtained evidence of the vendor’s cyber security risk assessment or audit on a regular basis.
6. The cyber-security terms of the agreement with an outside vendor are not voided because of the actions of an employee of the firm.
7. The firm’s contract with third-party vendors includes terms of confidentiality.
8. The firm has been provided enough information to assess the cybersecurity practices of any third-party vendors.
9. [Relevant to custodians only] The firm has discussed with the custodian matters regarding impersonation of clients and authentication of client orders.
10. The firm’s contract with the vendor includes terms for notification in the event of a cyber breach.
Protect: Encryption   YES NO N/A
1. The firm routinely consults with an IT professional knowledgeable in cybersecurity.
2. The firm has written policies and procedures in place to categorize data as either confidential or non-confidential.
3. The firm has written policies and procedures in place to address data security and/or encryption requirements.
4. The firm has written policies and procedures in place to address the physical security of confidential data and systems containing confidential data (i.e., servers, laptops, tablets, removable media, etc.).
5. The firm utilizes encryption on all data systems that contain (or access) confidential information.
6. The identities and credentials for authorized users are recorded and periodically updated.
Notes:
Detect: Anti-Virus Protection and Firewalls   YES NO N/A
1. The firm mandates the installation and auto update of anti-virus, anti-spam, and anti-malware software on all electronic devices accessing the firm’s network or otherwise retaining personally identifiable information or firm records.
2. The firm mandates that all settings are deployed to ensure that software is subject to auto-update.
3. Employees are trained and educated on the basic function of anti-virus programs and how to report potential malicious events.
4. If the alerts are set up by an outside vendor, there is an ongoing relationship between the vendor and the firm to ensure continuity and updates.
5. A firewall is employed and configured appropriate to the firm’s needs.
6. The firm has policies and procedures to address flagged network events.
Notes:
Respond: Responding to a Cyber Event   YES NO N/A
1. The firm has a plan and procedure for immediately notifying authorities in the case of a disaster or security incident of magnitude.
2. The plans and procedures identify which authorities should be contacted based on the type of incident and who should be responsible for initiating those contacts.
3. The firm has a communications plan, which identifies who will speak to the public/press in the case of an incident and how internal communications will be managed.
4. The communications plan identifies the process for notifying clients and, if applicable, for addressing damages.
Notes:
Recover: Cyber-insurance   YES NO N/A
1. The firm has considered whether cyber-insurance is necessary or appropriate for the firm.
2. The firm has evaluated the coverage in a cybersecurity insurance policy to determine whether it covers breaches, including: breaches by foreign cyber intruders; insider breaches (e.g. an employee who steals sensitive data); and breaches as a result of third-party relationships.
3. The cybersecurity insurance policy covers notification (clients and regulators) costs.
4. The firm has evaluated whether the policy includes first-party coverage (e.g. damages associated with theft, data loss, hacking and denial of service attacks) or third-party coverage (e.g. legal expenses, notification expenses, third-party remediation expenses).
5. The exclusions of the cybersecurity insurance policy are appropriate for the firm’s business model.
6. The firm has put into place all safeguards necessary to ensure that the cyber-security policy is not voided through firm employee actions, such as negligent computer security where software patches and updates are not installed in a timely manner.
Recover: Disaster Recovery   YES NO N/A
1. The firm has a business continuity plan to implement in the event of a cybersecurity event.
2. The firm has a process for retrieving backed up data and archival copies of information.
3. The firm has written policies and procedures for employees regarding the storage and archival of information.
4. The firm provides training on policies and procedures related to document retention, safekeeping and updates.
Notes:
Recent Cyber Attacks, Threats and Possible Solutions
Thursday, February 22, 11:15 a.m. – 12:15 p.m.
The world has entered an age in which well-organized and well-funded groups use sophisticated cyber techniques to attack organizations with increasing frequency. This threat landscape is constantly changing and modern cyber defenses must evolve. During this session, panelists discuss recent high-visibility hacks and steps that could have been taken to prevent them from happening or minimize the disruption.
Moderator: Gregory Markovich, Regulatory Principal, Sales Practice, FINRA Chicago District Office
Panelists: Britt Lindley, Chief Information Security Officer, Thrivent Financial for Lutherans; Jesse Magenheimer, Director - Information Security, State Farm; Melissa Vacon, Assistant Vice President of Information Services, Signator Investors, Inc.
Recent Cyber Attacks, Threats and Possible Solutions
Panelist Bios:

Moderator: Greg Markovich joined FINRA on February 1, 2016, as Regulatory Principal and he is currently responsible for leading cybersecurity examinations and providing security consultation and training for other staff. Prior to joining FINRA, Mr. Markovich had 30 years of information technology (IT) and security experience working at two investment management firms, Capital Group – American Funds and American Century Investments. His leadership roles at these firms included responsibility for information security, risk management, identity access management, and disaster recovery. Mr. Markovich also has experience leading applications development and infrastructure support teams. In addition to having an MBA degree from the University of Missouri, Mr. Markovich has several security certifications, including Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH).

Panelists: Britt Lindley is Chief Information Security Officer within Thrivent Financial’s Information Technology division, reporting directly to the Chief Administrative Officer. Mr. Lindley serves in this position for Thrivent Financial, its subsidiaries and affiliates (Thrivent). Acting as the Chief Information Security Officer, Mr. Lindley is responsible for the management, oversight and implementation of the required Information Security programs and associated controls. He leads a team of professionals who are responsible for the Information Security functions for Thrivent, and is also the chair of Thrivent’s Protection Risk Group, which communicates internal and external Information Security operational risk, as well as risk management, to senior leaders. For 16 years prior to joining Thrivent in 2010 as Director of Information Security, Mr. Lindley held Information Security leadership roles within various industry sectors including banking, technology, and transportation/logistics. Serving in these various security leadership roles, Mr. Lindley has worked in both privately held and public companies, as well as large multi-national organizations. Mr. Lindley earned his Bachelor of Science degree in Computer Science from Point Park University in Pittsburgh, PA. He also holds Information Security certifications from the International Information Systems Security Certification Consortium (ISC2) (CISSP – Certified Information Systems Security Professional – since 2000) and the Information Systems Audit and Control Association (ISACA) (CISM – Certified Information Security Manager – since 2004). Mr. Lindley is active in trade and industry groups for the Financial Service industry. Mr. Lindley is an active volunteer within local organizations of the Community Foundation of the Fox Valley and a board member of the Volunteer Center of East Central WI. Mr. Lindley is retired from the Wisconsin National Guard after 23 years of service.

Jesse Magenheimer is Director in Information Security at State Farm in Bloomington, Illinois with responsibilities for Protective Technologies and Enterprise Information Security Incident Response. He has more than 25 years of IT experience, with the past 17 years spent in various information security, technology, and IT auditing roles. He has worked on the development of end-to-end application security controls, security architecture for data centers, creation of new professional security roles, leading IT and integrated audits, advancing the use of protective technologies, design of the company’s enterprise information security incident response plan, and the creation and execution of information security incident response exercises. Mr. Magenheimer holds a Bachelor’s Degree in Computer Science and a Master’s Degree in Emergency and Disaster Management. He also possesses a number of information security, risk management, and project management industry certifications.

Melissa Vacon is Assistant Vice President of Information Systems at John Hancock, supporting Signator Investors, Inc. For the past four years, Ms. Vacon has been responsible for all aspects of technology for the distribution arm of John Hancock. This includes all IT development and maintenance activities, all large project initiatives, infrastructure support, vendor management, cybersecurity risk mitigation and administration. Prior to joining Signator, Ms. Vacon held multiple IT positions within John Hancock, starting in 2001. Before joining John Hancock, Ms. Vacon was employed by GE at their Electric Insurance division.
2018 Cybersecurity Conference, February 22 | New York, NY
Recent Cyber Attacks, Threats and Possible Solutions
FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.

Panelists
Moderator
Gregory Markovich, Regulatory Principal, Sales Practice, FINRA Chicago District Office
Panelists
Britt Lindley, Chief Information Security Officer, Thrivent Financial for Lutherans
Jesse Magenheimer, Director - Information Security, State Farm
Melissa Vacon, Assistant Vice President of Information Services, Signator Investors, Inc.
To Access Polling
Under the “Schedule” icon on the home screen,
Select the day,
Choose the Recent Cyber Attacks, Threats and Possible Solutions session,
Click on the polling icon:
Cybersecurity Attacks, Threats and Prevention
Why is it important: The frequency and sophistication of cybersecurity threats and attacks are increasing.
Financial firms and individual broker-dealers are at risk.
Firms must take steps to prevent attacks and monitor their environment.
Effective Practices:
• Written policies and procedures to protect customer information
• Governance Framework and Risk Management (identify, assess, manage)
• Technical Controls
• Vendor Management
• Training
• Monitoring and Incident Management
Polling Question 1
1. Has your firm experienced any of the following cybersecurity threats: phishing, ransomware, account take over, wire fraud, denial of service, malware, or viruses?
a. Yes
b. No
c. Don’t know
Polling Question 2
2. Has your firm received phishing emails in the last 12 months?
a. Yes
b. No
c. Don’t know
Financial Service Firms Common Threats
Threats:
• Phishing - #1 threat for financial firms as observed by FINRA
• Ransomware
• Account Takeover
• Wire Fraud
• DDoS Attacks
• Malware
• Virus
• Insider Threat
• Spam
• Others…
Polling Question 3
3. What level of human resources does your firm currently have focused on monitoring the environment for cyber related incidents or attacks (including third party resources)?
a. None
b. 5 people or less
c. 5 to 10 people
d. Greater than 10 people
Security Operations Center (SOC)
An organized and highly skilled team whose mission is to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cyber security incidents with the aid of both technology and well-defined processes and procedures.
FUNCTIONS:
• Maintain security monitoring tools
• Investigate suspicious activities
ROLES:
• Security Analyst
• Security Engineer
• Security Manager
Polling Question 4
4. Does your firm monitor the environment for potential internal threats?
a. Yes
b. No
c. Don’t know
Financial Service – Prevention Activities
• Training
• Vendor Management
• Risk Assessment/Management
• Monitoring
• Security Patching
• Others…
Cyber Incident Recovery Process
Develop and implement plans, processes, and procedures to fully restore a system weakened or breached as a result of a cyber incident or event.
Recovery Steps Include:
• Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
Polling Question 5
5. Does your firm actively oversee the security controls and cyber programs for your critical third-party providers?
a. Yes
b. No
c. Don’t know
Third-Party Management
• Written policy that covers the entire life cycle of the relationship
  – Onboarding, ongoing oversight, and termination of agreement
• Contractual terms and conditions
  – Responsibilities of both parties, incident notification, ability to review audit reports (SSAE 18)
• Risk-based ongoing assessment of the third party’s security controls
FINRA References
FINRA Cybersecurity Page: www.finra.org/industry/cybersecurity
• 2015 Report on Cybersecurity Practices
• Small Firm Cybersecurity Checklist
• Compliance Vendor Directory
NIST Cybersecurity Framework: www.nist.gov/cyberframework
Plenary Session: Branch Cybersecurity Controls
Thursday, February 22, 1:15 p.m. – 2:15 p.m.
Cybersecurity is a top priority for the financial services industry. Firms dedicate significant resources every day to protect against cyber-crime, safeguard consumer data, and maintain the integrity and resilience of their systems in the face of countless cyber threats. During this session, panelists discuss defensive measures firms can take within branch locations. These measures include developing information security branch plans, training employees and other solutions.
Moderator: Kevin Bogue, Regulatory Principal, Sales Practice, FINRA Chicago District Office
Panelists: Tammy Boone, Compliance Manager, NEXT Financial Group, Inc.; Robert Geary, Director, IT Security – Distribution, Lincoln Financial Securities; David Wimer, Business Information Security Officer, Transamerica
Branch Cybersecurity Controls
Panelist Bios:

Moderator: Kevin Bogue joined FINRA on January 9, 2017 as a Regulatory Principal in the Chicago District Office. Mr. Bogue is a member of the Sales Practice Cybersecurity team responsible for examining firms’ controls over their protection of sensitive client and firm information. Prior to joining FINRA, Mr. Bogue had more than 17 years of information technology (IT) and security experience working as a technology consultant with Accenture, as an internal Global IT auditor, IT Compliance Manager and SOX Program Manager with Abbott Laboratories, as an IT Compliance Manager with Brunswick and as an internal IT Audit Manager with CDW. Mr. Bogue earned an MS in Information Systems from DePaul University in Chicago, IL and a BS in Psychology from Iowa State University in Ames, IA.

Panelists: Tammy Boone joined NEXT in December 2010 and is currently the Compliance Manager overseeing Licensing, Registration and Branch Exams. Ms. Boone has more than 30 years of financial services experience in various capacities including support staff, branch operations, licensing, registration and compliance. Ms. Boone holds the Series 7, 9, 10, 63 and 65 licenses.

Robert Geary is Director of IT Security - Distribution for Lincoln Financial Securities and has more than 23 years of Information Technology experience. Mr. Geary started with Lincoln Financial Group in 1998 and has held several technical positions throughout his career. He spent five years as a member of Lincoln’s Cyber Threat Intelligence & Investigations Team, focusing on Incident Response, Endpoint Security Controls, and Vulnerability Management. He holds a Bachelor of Science degree in Mechanical Engineering from Drexel University along with several professional designations, including the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler (GCIH).

David Wimer has experience in the information security, privacy and risk domains within the telecommunications and finance industries. Mr. Wimer has more than 20 years of experience developing, implementing and educating his business colleagues on practical security practices. Mr. Wimer is a Business Information Security Officer for Transamerica and has worked through examinations from both the SEC and FINRA in the past two years on Transamerica’s application of cyber security controls within their organization. Mr. Wimer’s philosophy and primary focus is on continuous education of the workforce at all levels, and he has built a respectable awareness and training program within Transamerica. Mr. Wimer has additional experience in building and implementing controls on third party risk and has past experience conducting and supervising security assessments of Transamerica’s external partnerships, vendors and cloud providers/solutions.
2018 Cybersecurity Conference, February 22 | New York, NY
Plenary Session: Branch Cybersecurity Controls

Panelists
Moderator
Kevin Bogue, Regulatory Principal, Sales Practice, FINRA Chicago District Office
Panelists
Tammy Boone, Compliance Manager, NEXT Financial Group, Inc.
Robert Geary, Director, IT Security – Distribution, Lincoln Financial Securities
David Wimer, Business Information Security Officer, Transamerica
To Access Polling
Under the “Schedule” icon on the home screen,
Select the day,
Choose the Plenary Session: Branch Cybersecurity Controls session,
Click on the polling icon:
Polling Question 1
1. Do you have branch office locations?
a. Yes
b. No
Polling Question 2
2. Do you have formal branch office policies and procedures?
a. Yes
b. No
Polling Question 3
3. Do you provide formal guidance to branches as to what cybersecurity controls are expected to be in place?
a. Yes
b. No
Branch Cybersecurity Controls
Why is it important: Many branch offices operate independently from the home office to set up computer systems and controls.
Effective Practices:
• Policy / procedure created for branch locations
• Certification
• Cyber training – not just an annual process
• Automated tools
• Branch examiners trained by IT to examine for cyber controls
• Data Loss Prevention (DLP) tools
• Recommend technology, software (e.g., antivirus) or vendors (e.g., cloud).
Branch Cybersecurity Controls continued…
Firms should have policies and procedures dealing with cybersecurity issues at branch locations. Topics include:
• Physical Security
• Virus and Malware Protection
• Patching
• Training and Awareness
• Vendor / Cloud Usage
• Encryption
• Reporting of Lost / Stolen Assets
• The Use of Passwords
• Business Continuity Planning / Testing
• Representative Certifications
Processes in place to verify controls have been implemented and are functioning as intended.
Branch Cybersecurity Controls continued…
Firms with an Independent Contractor model may have more risk due to the nature of the branch technology infrastructure.
• Reps may purchase their own assets
• Reps may not follow home office policies and procedures correctly
  – Use of cloud providers not approved by the firm
  – Physical security of assets
  – Access to office is secure
  – Process to report and manage lost/stolen assets
  – Proper disposal of decommissioned assets
  – Data protection controls (e.g., secure transmission and encryption)
Branch Cybersecurity Controls continued…
Typical controls would include:
• Proper access control including password management and multifactor logins
• Securely maintain branch assets including timely patching, anti-virus, and updates
• Training and awareness of branch personnel (including contractors)
• Branch level Business Continuity (BC) and Disaster Recovery (DR) planning / testing
• Process to follow when an incident / breach has occurred
Branch Cybersecurity Controls continued…
All firms with branch locations should verify and regularly audit security controls in the branch offices.
• Knowledge, through an inventory process, of critical software and hardware assets that exist in the branch.
• Physical security of assets, sensitive information and firm data:
  – Access to branch office is secure
  – Process to report and manage lost / stolen assets
  – Proper disposal of decommissioned assets
• Data protection controls including:
  – Secure transmission and storage of all sensitive information
  – Encryption of all sensitive information on branch computers
Branch Cybersecurity Controls continued…
What are we seeing?
• Few firms conduct regular audits of branch office security controls
• Opportunity exists for firms to improve and formalize their oversight of branch offices
• Most firms with large numbers of branches have developed cybersecurity questionnaires that the reps attest to
• Firms will audit branches on certain cyber related questions and controls in place; e.g., laptop encryption, endpoint protection, updated OS, password management, physical security
• Automated tools for monitoring branch equipment
FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.
References
– FINRA Cybersecurity Page: www.finra.org/industry/cybersecurity
  – Small Firm Cybersecurity Checklist
  – 2015 Report on Cybersecurity Practices
  – Compliance Vendor Directory
– NIST Cybersecurity Framework: www.nist.gov/cyberframework
Cyber Incident Response Plans and Resources
Thursday, February 22, 2:30 p.m. – 3:30 p.m.
Every organization should develop a written plan that identifies cyber-attack scenarios and sets out appropriate responses. While plans must be customized for each organization’s particular circumstances, the plan should address basic components. Join panelists as they discuss these components and provide examples of steps their firms have implemented. Panelists also provide resources and helpful tools for firms to address critical cyber threats, as well as examples of what not to do.
Moderator: Rafael Skovron, Examination Manager, Sales Practice, FINRA San Francisco District Office
Panelists:
– Andrew Hartridge, Chief Information Security Officer, M&T Securities, Inc.
– Paul Horn, Chief Information Security Officer, HD Vest Financial Services
– Gregory Scroggs, Senior Vice President and Chief Information Security Officer, Primerica
Cyber Incident Response Plans and Resources
Panelist Bios:
Moderator: Rafael Skovron began his career by consulting for international public accounting firm Grant Thornton. Mr. Skovron’s work included a large IT controls project at Fannie Mae in D.C. and testing IT controls for financial audits of public companies. Mr. Skovron then joined the Office Depot Internal Audit team and performed operational, financial, and technology audits at the global headquarters in Boca Raton and in Mexico. At FINRA, Mr. Skovron has worked at both the Boca Raton and San Francisco offices leading cybersecurity and technology governance routine examinations. His cause examinations have covered breaches of broker-dealer websites, phishing, business email compromise scams, mobile security risks, cloud security and branch office risks. He is also a member of an internal consulting team that develops guidance on technology governance and cybersecurity. Mr. Skovron is also a member of the Bay Area Chapter of InfraGard, a non-profit organization serving as a public-private partnership between U.S. businesses and the Federal Bureau of Investigation to address cybersecurity risks.
Panelists: Andrew Hartridge serves as M&T Bank’s Chief Information Security Officer, forming and executing the overall strategy for information security. Mr. Hartridge is an accomplished Information Technology executive with in-depth knowledge of Telecommunications, Information Security, Privacy, Operating Platforms and Emerging Technologies. He has broad experience in the public and private sectors within the financial services, health-care, and manufacturing industries. He leads Cybersecurity activities for the Company, inclusive of networking and telecommunications, identity and access management, regulatory compliance and related policy and project support, to protect the Bank’s and customers’ data, monetary assets, information and reputation. Prior to this position, Mr. Hartridge held progressively senior executive leadership roles at the US Internal Revenue Service, where he was responsible for all aspects of the agency’s cybersecurity program. Mr. Hartridge is a Certified Information Systems Security Professional (CISSP) and an Information Systems Security Architecture Professional (ISSAP).
Paul Horn currently serves as Chief Information Security Officer (CISO) at HD Vest Financial Services and has more than 20 years of varied security experience. That experience includes time spent as a Special Agent with the Air Force Office of Special Investigations, leading a global information security program for DynCorp International’s logistics and air operations for various government contracts, and leading the Drug Enforcement Administration’s Aviation Division vulnerability management program. Mr. Horn also takes part in the Strategic Threat Assessment & Response (STAR) work group led by the IRS to help protect taxpayers and the integrity of the tax ecosystem. In addition, Mr. Horn was a finalist in 2013, 2014, 2015 and 2016 for Certified CISO of the Year through EC-Council and now serves on the awards committee. Mr. Horn also serves on a variety of Cyber Security Advisory Boards and has a deep dedication to the information security community, mentoring other security professionals. Mr. Horn holds a Master of Science in Management with a concentration in Information Systems Security and a Bachelor of Science in Business Administration in Information Technology from Colorado Technical University. Mr. Horn also holds the following information security certifications: Certified Chief Information Security Officer (C|CISO), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and GIAC Certified Incident Handler (GCIH).
Greg Scroggs attended Georgia Tech as a cooperative student with The Southern Company in Atlanta, where he served in a variety of roles: computer operations, application programming, system programming, and telecommunications functions. His next role involved both technical and management positions at the Primerica division of Travelers and Citigroup, where he held various technical operations, security, and telecommunications management positions. For the past 10 years, Mr. Scroggs has managed security engineering and operations, technology risk management, and data telecommunications for Primerica, which is now a public company. His current role at Primerica is Senior Vice President and Chief Information Security Officer (CISO).
2018 Cybersecurity Conference, February 22 | New York, NY
Cyber Incident Response Plans and Resources
Panelists
Moderator: Rafael Skovron, Examination Manager, Sales Practice, FINRA San Francisco District Office
Panelists:
– Andrew Hartridge, Chief Information Security Officer, M&T Securities, Inc.
– Paul Horn, Chief Information Security Officer, HD Vest Financial Services
– Gregory Scroggs, Senior Vice President and Chief Information Security Officer, Primerica
To Access Polling
– Under the “Schedule” icon on the home screen,
– Select the day,
– Choose the Cyber Incident Response Plans and Resources session,
– Click on the polling icon.
Polling Question 1
1. Are you from a small firm? (Under 100 RRs)
   a. Yes
   b. No
Why invest resources in incident response?
– Reduce recovery time
– Increase stakeholder confidence
– Limit reputational damage to the firm and to the industry
– Compliance with FINRA supervision rules
Polling Question 2
2. What would you do if your printers started printing out tax returns randomly?
   a. Turn the machine off
   b. Add paper and collect the tax returns
   c. Call the police
   d. Contact your Chief Information Security Officer
What is an incident?
– Potential Events
– Declared vs Confirmed
– Indicators
– Incidents vs Attacks
– Severity levels
Key elements of an incident response plan
– Containment
– Mitigation
– Recovery
– Investigation
– Notification
– Restitution
Who are the major players in the plan?
– Commander
– Executives
– PR / Communications
– Legal
– Compliance
– What do you outsource?
Common issues when implementing a plan
– Too much data, not enough understanding of people, process, and tech
– New vendors quickly on-boarded
– Fatigue
– Incident response doesn’t scale
– No logs
– Some logs are worth more than others
Practicing the incident response plan
– Practice beyond table tops or not?
– Open vs closed pen tests
– Pre-scripted playbooks for more frequent attacks
– Develop scenarios for specific outcomes or not?
– Who makes decisions, when, and how will the decision be made?
Polling Question 3
3. Do you rely on insurance as your incident response plan?
   a. Yes
   b. No
Can small firms run effective incident response?
– Breach coach
– Vendors
– Correlating events across customers
– Small Firm Checklist
How does insurance factor into incident response?
– Role of cyber insurance underwriters
– Policy review
Does incident response change in the cloud?
– Networks and data are in the cloud
– Forensic detail
– Contractual responsibilities
– Vendor involvement

Security Incident Response Plan (S-IRP)

Revision History
Revision Number | Issue Date | Issued By | Explanation
1 Table of Contents
1 Table of Contents
2 Responders
3 Overview
  3.1 Effective Date
  3.2 Foreword
  3.3 Reporting
  3.4 Scope
4 Definitions
  4.1 Event
  4.2 Precursor
  4.3 Indicator
  4.4 Incident Response
  4.5 Investigation
  4.6 System Owner
5 SIRT Framework
  5.1 Preparation
  5.2 Detection & Analysis
  5.3 Security Incident Escalation
  5.4 Containment, Eradication & Recovery
  5.5 Post-Incident Activity
6 Security Incident Details
  6.1 Categories
  6.2 Scope
  6.3 Severity Levels (Rating)
  6.4 Attack Vector
  6.5 Privacy Likelihood/Considerations
7 The SIRT
  7.1 SIRT Charge
  7.2 SIRT Objectives
8 SIRT Members
  8.1 Incident Commander
  8.2 Incident Administrator
  8.3 Anti-Money Laundering Responder
  8.4 Supporting Responders
  8.5 Help Desk
  8.6 Employees, Advisors, etc.
9 Security Incident Tracking
10 Security Incident Closure
  10.1 Final Reports
  10.2 Third-Party Reports
11 SIRT Training
  11.1 Advanced Training and Skills Requirements
12 SIRT Exercises
13 Security Incident Metric Reporting
  13.1 Out-of-Band Communications
  13.2 Board of Directors Reporting
  13.3 Collecting Security Incident Data
14 Security Incident External Reporting
  14.1 Insurance Reporting
  14.2 Suspicious Activity Reporting
  14.3 Constituent Notification
  14.4 Payment Card Industry Reporting
  14.5 Credit Monitoring
  14.6 Claims for Reimbursements
15 External Information Sharing
  15.1 InfraGard
  15.2 Financial Services Information Sharing and Analysis Center
  15.3 Data Sets to Consider for Sharing
16 SIRT Organizational Structure
17 Workflow Activity
2 Responders
The following individuals have been identified within the Security Incident Response Plan with duties and responsibilities described in later sections of this document.

Security Incident Response Team Core Members
Name | Function | Section | Telephone
 | Incident Commander | 8.1 |
 | Incident Commander | 8.1 |
 | Incident Administrator | 8.2 |
 | Incident Administrator | 8.2 |
 | Incident Administrator | 8.2 |
 | Anti-money Laundering Responder | 8.3 |
 | Anti-money Laundering Responder | 8.3 |

Supporting Responders
Name | Function | Section | Telephone
 | Incident Coordinator | 8.4.1 |
 | Incident Coordinator | 8.4.1 |
 | Sr. Reviewing Executive | 8.4.2 |
 | Sr. Reviewing Executive | 8.4.2 |
 | IT Responder | 8.4.3 |
 | IT Responder | 8.4.3 |
 | IT Responder | 8.4.3 |
 | SOC Responder | 8.4.4 |
 | QSA Responder | 8.4.5 |
 | QSA Responder | 8.4.5 |
 | Forensic Responder | 8.4.6 |
 | Forensic Responder | 8.4.6 |
 | Forensic Responder | 8.4.6 |
 | Forensic Responder | 8.4.6 |
 | Forensic Responder | 8.4.6 |
 | DR Responder | 8.4.7 |
 | DR Responder | 8.4.7 |
 | Communications Responder | 8.4.8 |
 | Communications Responder | 8.4.8 |
 | Risk and Compliance Responder | 8.4.9 |
 | Risk and Compliance Responder | 8.4.9 |
 | Finance Responder | 8.4.10 |
 | Finance Responder | 8.4.10 |
 | Legal Responder | 8.4.11 |
 | Legal Responder | 8.4.11 |
 | Legal Responder | 8.4.11 |
 | Legal Responder | 8.4.11 |
 | Operations Responder | 8.4.12 |
 | Operations Responder | 8.4.12 |
 | Sales Responder | 8.4.13 |
 | Sales Responder | 8.4.13 |
 | HR Responder | 8.4.14 |
 | HR Responder | 8.4.14 |
 | Law Enforcement Responder (FBI) | 14.2 |
 | Law Enforcement Responder (FBI) | 14.2 |
 | Law Enforcement Responder (USSS) | 14.2 |
3 Overview
The purpose of this Security Incident Response Plan (“S-IRP” or “Plan”) is to provide a governing framework for Acme Corporation and its subsidiaries (“Acme” or the “Company”) around Incident Response (IR) efforts for suspected and confirmed Security Incidents. The goal of the Plan is to outline Acme’s approach for handling Incident Response efforts, defining Security Incident(s), identifying the organizational structure and defining roles, responsibilities, and levels of authority, identifying the severity rating of Security Incidents, and establishing methods of reporting and escalation of Security Incidents.
The S-IRP also establishes the Security Incident Response Team (SIRT). The SIRT will follow the guidance in this document. The S-IRP will be reviewed annually and updated as needed to reflect changes in technology and/or at the request of the Chief Information Security Officer (CISO). Changes to the policy will be coordinated through the Information Security Steering Committee (ISSC) for approval. In the event that items in the S-IRP are unclear, the CISO and/or Deputy Information Security Officer (Deputy ISO) will provide interpretive guidance.
3.1 Effective Date
The S-IRP will be effective January 1, 2017, but will be limited to Security Incidents rated as a Level 5 or 6 along with a Functional or Recoverability Impact of Significant or Catastrophic, or an Informational Impact of Privacy Breach or Integrity Loss. These incidents will be identified as “Declared Incidents” and discussed further in Section 5.3.
3.2 Foreword
The Company must be able to respond to physical and electronic Security Incidents in a manner that protects the Company’s Confidential Information (defined below) and resources (both physical and electronic) that might be affected by the Security Incident.
The Company, in varying degrees, relies upon Confidential Information (“Confidential Information”), which includes Confidential or Proprietary business information of the Company, cardholder and sensitive authentication data within the Payment Card Industry Data Security Standard (PCI DSS), nonpublic personal information (NPPI) of Company customers and personally identifiable information (PII) of employees, registered representatives, Investment Adviser Representatives and customers, such customers and employees being referred to herein collectively as “Company Constituencies,” and registered representatives and investment advisers being referred to herein collectively as “Advisors”. See the Information Security Policy for definitions of Confidential Information, NPPI, and PII and for the detailed Information Classification Matrix.
3.3 Reporting
The SIRT, in consultation with the Legal Responders (identified in Section 8 of the S-IRP), is responsible for determining the extent of Federal, State, and Self-Regulatory Organization (SRO) notification to be made in connection with a Security Incident. The actual notification will be performed by the Legal Responders.
Security Incidents may result in a business disruption resulting in the activation of the Business Continuity Plan (BCP) and/or the Emergency Plan. See the BCP and Emergency Plan for more details.
3.4 Scope
This S-IRP applies to all physical and electronic Security Incidents involving Company resources, including, but not limited to, employees, hard copy documents, electronic documents, and any computing devices, midrange, and network environments owned or used by Acme, Advisors, third-party service providers and vendors that access, process, store, or transfer Acme Information.
For Security Incidents involving Advisors and any Advisor-owned or leased IT equipment, a Security Incident Intake Form must be completed by contacting the Help Desk or submitting an email to [email protected] Monday through Friday between the hours of 8:00am and 5:00pm Central Standard Time. All applicable portions of the Security Incident Intake Form and portions of this document may apply and, where applicable, must be followed.
4 Definitions
For the purpose of this document, a Security Incident is defined as an “Event” that has actual or potential adverse effects on an individual, computer or network resource, resulting in misuse and/or abuse, compromise of information, or loss and/or damage of company property and/or information. Any Event that originates from, is directed towards, or transits Company-controlled computing equipment and/or network resources, including Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS) in support of Acme business operations, will fall under the purview of the SIRT.
Computing devices containing Company information operated and/or owned by Advisors will fall under the purview of the SIRT for reporting purposes; detection, containment, eradication, and recovery efforts will be the responsibility of the System Owner and/or Advisor. It is foreseeable that many Events will be classified and handled by semi-automated or automated means and will not require further analysis and/or escalation. The potential list of Security Incidents is contained in Section 6 of this document.
4.1 Event
For the purpose of this document, an “Event” is defined as any observable occurrence, either physical or within a system or network.
4.2 Precursor
For the purpose of this document, a “Precursor” is a sign that a Security Incident may occur in the future.
4.3 Indicator
For the purpose of this document, an “Indicator” is a sign that a Security Incident may have occurred or may be occurring now.
4.4 Incident Response
For the purpose of this document, “Incident Response” means the process of detecting and analyzing a Security Incident and mitigating its effect on an organization.
4.5 Investigation
For the purpose of this document, an “Investigation” is the process for ascertaining facts and the detailed examination of information.
4.6 System Owner
For the purpose of this document, a “System Owner” is the person responsible or designated for procurement, development, integration, modification, or operation and maintenance of the information system.
5 SIRT Framework
The S-IRP Life Cycle methodology establishes response capability, but also aids in preventing Security Incidents. Although the SIRT is typically not responsible for Security Incident prevention, prevention is fundamental to the success of the Security Incident Response Program. The sections below provide a basic framework that must be followed to handle and prevent Security Incidents.
5.1 Preparation
A Company goal is to keep the number of Security Incidents low to protect the business and its processes. If the number of Security Incidents is high in volume, it may overwhelm the SIRT and its capabilities.
The SIRT must be knowledgeable in industry-accepted Incident Handling techniques. The training requirements are listed in Section 11 of this document.
5.2 Detection & Analysis
Security Incidents occur in a multitude of ways, and it is not feasible to develop step-by-step instructions for each type of Security Incident. The SIRT needs to be flexible in its approach to handling and responding to any type of Security Incident. The list of Attack Vectors can be found in Section 6.4 of this document.
5.2.1 Detection
The most challenging part of the Incident Response process is the ability to accurately detect and assess suspected or possible Security Incidents and then make a determination whether a Security Incident occurred. The challenge resides within the following three factors:
1. A Security Incident may be detected through a variety of means, e.g., automated network-based detection tools, host-based Intrusion Detection Systems (IDS), antivirus platforms, and log analyzers, or by manual means such as an individual reporting an Event or problem. Where applicable, computing resources (applications, systems, etc.) must be configured to send Event Logs to a centralized Security Information and Event Management (SIEM) platform for analysis, to provide a central method for detection and/or initiating directives.
2. The volume of Events and/or potential signs of a Security Incident in most organizations is generally high. It is not uncommon for an organization to encounter thousands if not millions of intrusion detection Events per day.
3. Because the severity of Security Incidents is variable, individuals who have specialized technical knowledge and extensive experience need to evaluate Security Incident-related data.
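The reduction described above, from thousands of Events per day to a handful of Indicators worth a human's time, is what a centralized SIEM rule does. The following is an added example, not part of the S-IRP or any Acme tooling: it parses a constructed log of authentication Events, raises an Indicator only when one source produces repeated failures against one host inside a short window, records whether a success followed (which changes the severity question from "noisy scanner" to "possible compromise"), and leaves a lone service crash as an Event, matching the memory-leak remark in Section 5.2.4. The log line layout, the threshold of five failures and the two-minute window are all assumptions made for the example.

```python
"""Added example (not part of the S-IRP): turning a stream of Events into a
single Indicator, the kind of reduction a SIEM correlation rule performs.

The log lines below are constructed for the example; the field layout
(timestamp, host, event type, key=value pairs) is an assumption, not a
format the plan specifies.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Events as a SIEM might receive them from hosts.
SAMPLE_LOG = """\
2018-02-22T09:00:01 web01 auth_failure src=203.0.113.7 user=jsmith
2018-02-22T09:00:03 web01 auth_failure src=203.0.113.7 user=jsmith
2018-02-22T09:00:04 web01 auth_failure src=203.0.113.7 user=jsmith
2018-02-22T09:00:06 web01 auth_failure src=203.0.113.7 user=jsmith
2018-02-22T09:00:08 web01 auth_failure src=203.0.113.7 user=jsmith
2018-02-22T09:00:09 web01 auth_success src=203.0.113.7 user=jsmith
2018-02-22T09:05:00 web01 auth_failure src=198.51.100.9 user=bjones
2018-02-22T09:30:00 db02 service_crash src=- user=- reason=out_of_memory
"""

FAILURE_THRESHOLD = 5          # assumed tuning value
WINDOW = timedelta(minutes=2)  # assumed tuning value


def parse_event(line):
    """Parse one constructed log line into a dict; blank or short lines give None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    event = {"ts": datetime.fromisoformat(parts[0]), "host": parts[1], "type": parts[2]}
    for kv in parts[3:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def find_indicators(log_text):
    """Return Indicators as (source, host, user, n_failures, success_after).

    An Indicator is raised once a source reaches FAILURE_THRESHOLD auth
    failures against the same host and user within WINDOW. A later success
    from the same source is recorded because it changes the Severity question.
    Any other Event type (e.g. service_crash) is an Event, not an Indicator.
    """
    failures = defaultdict(list)   # (src, host, user) -> timestamps inside WINDOW
    indicators = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev.get("src"), ev["host"], ev.get("user"))
        if ev["type"] == "auth_failure":
            recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) >= FAILURE_THRESHOLD and key not in indicators:
                indicators[key] = {"failures": len(recent), "success_after": False}
        elif ev["type"] == "auth_success" and key in indicators:
            indicators[key]["success_after"] = True
    return [(k[0], k[1], k[2], v["failures"], v["success_after"])
            for k, v in indicators.items()]


if __name__ == "__main__":
    for ind in find_indicators(SAMPLE_LOG):
        print("INDICATOR: brute force from %s on %s (user %s): %d failures, "
              "success after: %s" % ind)
```

Eight Events go in and one Indicator comes out; the single bjones failure and the db02 crash never reach an analyst. In a real SIEM the same rule would also carry the Indicator straight into the Intake Form fields of Section 5.2.3 (method of detection, time of the Event, host affected).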
5.2.2 Reporting New Security Incidents
Anyone who suspects the occurrence of a Security Incident or is affected by a Security Incident must report such
information via telephone to the Help Desk within 2 hours of discovery and/or learning of the information or as
soon as reasonably practicable. The Help Desk’s phone number is (555) 555-5555. Security Incidents may also be
reported through the [email protected] mailbox Monday through Friday between the hours of 8:00am and
5:00pm Central Standard Time. The individual who reports the Security Incident will be known as the “Detector”
and s/he will provide relevant information to the Help Desk representative that will be included in the Security
Incident Intake Form. In the event the Help Desk is unavailable, notifications must be made to the CISO and/or
Deputy ISO identified in Sections 2 and 8.1.1.
The Help Desk is initially responsible for ensuring the minimal information is contained within the Security
Incident Intake Forms and providing the data to the CISO and/or Deputy ISO. The Help Desk must notify the
CISO and/or Deputy ISO upon completing the Security Incident Intake Form or as soon as reasonably practicable.
In some cases Information Security personnel and the Incident Administrator may self-initiate a Security Incident
Intake Form.
5.2.3 Security Incident Intake Form
The Security Incident Intake Form at a minimum needs to contain the following data points prior to submitting to
the CISO and/or Deputy ISO:
– Date and Time notified
– Date and Time opened
– Date and Time of when the Event took place
– Title of the Incident
– Summary of the Event and how it was detected
– Detector’s name, email, and phone number (Detectors may choose to remain anonymous if so desired)
– Acme Point of Contact (POC) for the Event
– Category of the Incident
– Scope (Functional Impact, Informational Impact, and Recoverability Impact) of the Incident
– Severity of the Incident
– Method of detection
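An Intake Form that reaches the CISO with blank impact or severity fields cannot be rated, and the Declared Incident test in Section 3.1 cannot be applied to it. The following is an added example, not part of the S-IRP or any Acme system: it checks a form for the minimum data points listed above (Detector contact details are optional because the plan allows anonymity), applies the Section 5.2.5 rule that the highest of several candidate ratings governs, and then applies the Section 3.1 test. The field names, the 1 to 6 numeric scale and the impact vocabulary ("Minimal", "Regular", "Significant", "Catastrophic", "Privacy Breach", "Integrity Loss") are assumptions; the plan's own Sections 6.2 and 6.3 define the real ones. The reading of the Section 3.1 clause as "Level 5 or 6, and either of the two impact conditions" is the example's reading, not a statement of the plan's intent.

```python
"""Added example (not part of the S-IRP): validating a Security Incident
Intake Form and deciding whether it is a Declared Incident.

Field names, the severity scale and the impact vocabulary are assumptions
made for this example; see the plan's Sections 6.2 and 6.3 for the real ones.
"""

REQUIRED_FIELDS = (
    "notified_at", "opened_at", "event_at", "title", "summary",
    "poc", "category", "functional_impact", "informational_impact",
    "recoverability_impact", "severity", "detection_method",
)
# Detector contact details are not required: the plan allows anonymity.
OPTIONAL_FIELDS = ("detector_name", "detector_email", "detector_phone")

SEVERE_IMPACT = {"Significant", "Catastrophic"}        # assumed vocabulary
SEVERE_INFO = {"Privacy Breach", "Integrity Loss"}     # assumed vocabulary


def missing_fields(form):
    """Return the required data points that are absent or blank in the form."""
    return [f for f in REQUIRED_FIELDS if not str(form.get(f, "")).strip()]


def resolve_severity(candidates):
    """Section 5.2.5: when several factors each yield a rating, the highest governs."""
    levels = [int(c) for c in candidates]
    if not levels or any(lvl < 1 or lvl > 6 for lvl in levels):
        raise ValueError("severity levels must be 1..6")
    return max(levels)


def is_declared_incident(form):
    """Section 3.1 (example's reading): Level 5 or 6, and either a
    Significant/Catastrophic Functional or Recoverability Impact or a
    Privacy Breach/Integrity Loss Informational Impact."""
    level = resolve_severity(form["severity"])
    ops_hit = (form["functional_impact"] in SEVERE_IMPACT
               or form["recoverability_impact"] in SEVERE_IMPACT)
    info_hit = form["informational_impact"] in SEVERE_INFO
    return level >= 5 and (ops_hit or info_hit)


def triage(form):
    """Reject an incomplete form; otherwise return the rating and routing decision."""
    missing = missing_fields(form)
    if missing:
        return {"accepted": False, "missing": missing}
    return {"accepted": True,
            "severity": resolve_severity(form["severity"]),
            "declared": is_declared_incident(form)}


# Constructed sample form: the printer scenario from Polling Question 2.
# "severity" holds one candidate rating per factor (impact, attack vector, privacy).
SAMPLE_FORM = {
    "notified_at": "2018-02-22T10:15", "opened_at": "2018-02-22T10:20",
    "event_at": "2018-02-22T10:00", "title": "Printers emitting tax returns",
    "summary": "Branch printers printing client returns unprompted; reported by staff",
    "detector_name": "", "poc": "Branch manager, office 12",
    "category": "Unauthorized access", "functional_impact": "Minimal",
    "informational_impact": "Privacy Breach", "recoverability_impact": "Regular",
    "severity": [4, 5], "detection_method": "Employee report",
}

if __name__ == "__main__":
    print(triage(SAMPLE_FORM))
```

The sample form is accepted with severity 5 (the higher of the two candidates) and is a Declared Incident on the Informational Impact branch alone, even though functional and recoverability impact are low; that is exactly the case where an analyst tempted to downgrade on "the business kept running" would be wrong under Section 3.1.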
5.2.4 Analysis
The SIRT will endeavor to efficiently analyze and validate each Security Incident and follow a pre-defined evaluation and resolution process. The SIRT will document the steps it takes during the evaluation stages. When the SIRT believes that a Security Incident has occurred, it will evaluate the scope of the Security Incident by making the following determinations, if possible: (i) the cause of the Event; (ii) how it occurred; (iii) what was affected, performing containment as needed. The SIRT will update the status of Security Incidents by performing a deeper analysis, performing root cause analysis and identifying corrective actions as needed.
The status for Security Incidents shall contain the following data points (as applicable):
– A summary of the Security Incident;
– Indicators related to the Security Incident;
– Actions taken by all Incident Handlers on the Security Incident;
– Impact assessments related to the Security Incident (Functional, Informational, and Recoverability);
– Contact information for other involved parties (non-SIRT members);
– A list of evidence gathered during the Security Incident;
– Comments from Incident Handlers;
– Next steps to be taken, including root cause analysis and corrective actions as needed.
IDS systems may produce false positives resembling Security Incidents, which will require further analysis. Not all Security Incidents have Precursors; Indicators are far more common. Even when an Indicator is accurate, it does not automatically mean a Security Incident has occurred. For example, a server can crash due to a memory leak, and this would not be classified as a Security Incident. The Incident Commander will use his or her judgment to determine whether an Event is actually a Security Incident.
5.2.5 Security Incident Ratings
The Incident Commander will rate all new Security Incidents he or she oversees and document the appropriate response(s) taken by the SIRT, based on factors such as impacts, attack vectors and privacy. If a Security Incident meets multiple severity ratings, the highest level must be chosen. The Incident Commander may reduce a Security Incident classification, or prioritize open Security Incident evaluations, based on the information available to him or her or when alternatives are readily available.
Security Incidents receiving a “Level 6” severity rating will receive the highest priority of SIRT resources. In the
case of multiple Security Incidents, the higher severity rating will receive higher prioritization.
5.3 Security Incident Escalation
Security Incidents that are assigned a severity rating meeting the threshold in Section 3.1 shall be known as
“Declared Incidents”. The SIRT members shall confirm the rating and, once this occurs, these incidents will be
referred to as “Confirmed Incidents.” Incident ratings may change during the evaluation stages of a Security
Incident, especially as the SIRT obtains and reviews additional information. The Incident Commander will
coordinate with the SIRT to determine if a Security Incident needs to be escalated or de-escalated. The same
criteria used to initially rate a new Security Incident will be used to escalate or de-escalate a severity rating.
Confirmed Incidents must be evaluated by the Legal Responders for insurance carrier notification. If such a requirement exists, the Legal Responder will notify the Insurance Carriers and perform any follow-up actions they request.
5.3.1 Escalation
The Incident Commander will approve the initial rating or escalation of any Security Incident that is identified as a "Declared Incident" with a severity of "Level 6" and activate the Core SIRT members as appropriate. The Senior Reviewing Executive will inform Senior Management about the Security Incident and the reason for the escalation as soon as reasonably practicable.
The Incident Commander will approve the initial rating or escalation of any Security Incident that is identified as a "Declared Incident" with a severity of "Level 5" and activate the Core SIRT members as appropriate. The Incident Commander will be responsible for informing Senior Management about the Security Incident and the reason for the escalation, at the discretion of the SIRT.
5.3.2 De-escalation
The Incident Commander will obtain approval from the SIRT before lowering a “Confirmed Incident” with a
“Level 6” rating. The Incident Commander must document the reason(s) for the de-escalation.
5.4 Containment, Eradication & Recovery
All Security Incidents will be handled in phases, including: containment, eradication and recovery.
5.4.1 Containment
The SIRT is responsible for developing containment and remediation strategies. Containment strategies will vary and will be largely dependent on the circumstances and type of Security Incident. Most Security Incidents will require some form of containment (short or long-term) to limit the damage to the Company. Decision-making will be more streamlined if there are predetermined containment and remediation strategies to follow for routine or standard types of Security Incidents.
Collecting evidence is an important part of evaluating and resolving a Security Incident. The primary goal of collecting evidence is to resolve the Security Incident, but evidence may also be needed for legal proceedings. Gathering evidence may not be required for every Security Incident. The Incident Commander will consult with the SIRT and direct the collection of evidence as needed, and may also discuss the evidence collection efforts with Legal Counsel. Evidence collected during the investigation of a Security Incident must be accounted for and secured at all times, and collected according to applicable laws and regulations, so that it is admissible in court if needed.
The SIRT must physically secure and store evidence and/or material collected and/or prepared during the course of
a Security Incident. Evidence must be retained for at least 120 days from the date the Security Incident is presented
to the ISSC, or as long as reasonably necessary for legal purposes.
The Incident Commander has the discretion to direct efforts to identify attacking hosts.
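The evidence requirements above (accounted for and secured at all times, chain of custody maintained, retained for at least 120 days) are only enforceable if each item's integrity and every hand-off are recorded in a form that can be checked later. The following Python is an added example and is not part of the S-IRP or Acme's tooling: it seals each item's SHA-256 at collection, records every transfer between custodians, and hash-chains the log entries so that a later edit to the log itself is detectable. The incident identifier, role names, host name and sample evidence file are constructed for illustration.

```python
"""Evidence register with integrity hashes and a tamper-evident chain-of-custody log.

Added example, not part of the S-IRP. Incident identifier, item identifiers,
role names and the sample evidence file are assumptions made for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-gigabyte disk image need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class EvidenceRegister:
    """Tracks collected items and every hand-off between custodians.

    Each log entry carries the SHA-256 of the previous entry, so deleting or
    editing an entry after the fact breaks the chain and is detectable.
    """

    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.items: dict[str, dict] = {}
        self.log: list[dict] = []

    def _append(self, entry: dict) -> dict:
        prev = self.log[-1]["entry_hash"] if self.log else "0" * 64
        entry = {**entry, "incident_id": self.incident_id, "time": _now(), "prev_hash": prev}
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)
        return entry

    def collect(self, path: Path, collected_by: str, description: str) -> str:
        """Register a newly acquired item and seal its hash at collection time."""
        item_id = f"{self.incident_id}-E{len(self.items) + 1:03d}"  # hypothetical ID scheme
        self.items[item_id] = {"path": str(path), "sha256": sha256_file(path),
                               "size": path.stat().st_size, "custodian": collected_by}
        self._append({"event": "collected", "item_id": item_id, "by": collected_by,
                      "description": description, "sha256": self.items[item_id]["sha256"]})
        return item_id

    def transfer(self, item_id: str, to: str, reason: str) -> None:
        """Record a hand-off; the receiver becomes the custodian of record."""
        item = self.items[item_id]
        self._append({"event": "transferred", "item_id": item_id,
                      "from": item["custodian"], "to": to, "reason": reason})
        item["custodian"] = to

    def verify_item(self, item_id: str) -> bool:
        """Re-hash the item on disk and compare with the hash sealed at collection."""
        item = self.items[item_id]
        return sha256_file(Path(item["path"])) == item["sha256"]

    def verify_log(self) -> bool:
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Walk one item through collection, hand-off and two tampering checks."""
    workdir = Path(tempfile.mkdtemp())
    evidence = workdir / "memory.dmp"
    evidence.write_bytes(b"constructed sample evidence, not a real memory image\n")

    reg = EvidenceRegister("IR-2018-0042")  # hypothetical incident identifier
    item = reg.collect(evidence, "Incident Coordinator", "memory image, host WS-17 (constructed)")
    reg.transfer(item, "Incident Administrator", "SIRT deactivated; handed to evidence repository")
    intact_before = reg.verify_item(item)

    evidence.write_bytes(b"altered after collection\n")  # simulate tampering with the item
    intact_after = reg.verify_item(item)

    log_ok = reg.verify_log()
    reg.log[0]["by"] = "someone else"  # simulate editing the custody log itself
    log_tampered_detected = not reg.verify_log()
    return {"item": item, "intact_before": intact_before, "intact_after": intact_after,
            "log_ok": log_ok, "log_tampered_detected": log_tampered_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The register only proves that the item and the log have not changed since collection; it does not prove the collection itself was sound, which is why the collection hash should be recorded on the Intake Form or in the SIRT's case notes at the time of acquisition, not reconstructed later.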
5.4.2 Eradication
Once a Security Incident has been contained, eradication may be necessary to remove and/or eliminate components
and/or artifacts associated with the Security Incident. For example, malware needs to be deleted, certain user
accounts may need to be disabled, and vulnerabilities that were exploited and/or involved must be identified and
fixed to the extent possible.
Systems owned and operated by Advisors that may be involved in Security Incidents may require the Advisor to coordinate with individuals who have specialized computer security and forensic skills and are able to perform or assist with detection, containment, eradication and/or recovery efforts. Advisors must coordinate with Acme Security to determine the computer security and/or forensic skills needed before engaging anyone for assistance, to avoid duplicate expenses for the Advisor.
In some situations access to Acme computing resources may be temporarily suspended until a qualified security
professional is able to determine all containment, eradication and recovery steps are performed and such
information is communicated to the Incident Commander and/or Incident Administrator.
5.4.3 Recovery
In general, recovery efforts are performed by the Incident Coordinator. Recovery efforts involve restoring systems
to normal operation, confirming systems are functioning normally, and when applicable remediating vulnerabilities
to prevent similar attacks from occurring. Recovery efforts may run parallel to and/or overlap with eradication
efforts.
Typical recovery actions are listed below:
Restoring from clean backups
Rebuilding systems from scratch
Replacing compromised files with clean versions
Installing patches
Changing passwords
Tightening network perimeter security (e.g., firewall rules, access control lists)
Raising logging levels for affected resources
If a Security Incident has a severity rating of "Level 6", or the associated computing resources (e.g., a laptop or desktop) have been involved in two or more "Level 5" severity rated Security Incidents, the computing resources must be reimaged or restored to a last known non-compromised state before being placed back into service. Files that were previously on the computing resource must be scanned before being placed on the reimaged or restored resource. Note that restored files may contain malicious code that remains dormant until the files are opened. The Incident Commander will determine whether to restore files and report his or her decision to the SIRT. If the determination is made to restore files, only common data files may be restored, and under no circumstances may user profiles be transferred to a clean system or image.
5.5 Post-Incident Activity
Post-Incident activities are a critical part of the Security Incident response process because they provide the
Company with the opportunity to learn from Incident response activities and improve the evaluation and
remediation processes as needed.
The Incident Commander will schedule a “lessons learned” meeting no later than 3 weeks after a Level 5 or 6
Security Incident is fully closed out. All members of the SIRT are required to attend the lessons learned meeting.
The Incident Administrator will be responsible for documenting the meeting.
The following topics need to be discussed at the lessons learned meeting and summarized and documented by the
Incident Administrator:
Exactly what happened, and at what times?
How well did staff and management perform in dealing with the Security Incident?
Were the documented procedures followed, were they adequate, and do they need to be improved?
What information was needed sooner?
Were any steps or actions taken that might have hindered recovery?
What would the staff and management do differently the next time a similar Security Incident occurs?
How could information sharing with other organizations have been improved if this was done?
What corrective actions can prevent similar Security Incidents in the future?
What precursors or indicators need to be watched for in the future to detect similar Security Incidents?
What additional tools or resources are needed to detect, analyze, and mitigate future Security Incidents?
During this meeting, the SIRT must identify the root cause(s) of the event to the best of their ability, remedial
measures taken, the team’s performance and whether any internal controls, policies and/or procedures need to be
modified in an attempt to prevent similar Security Incidents from recurring. The Risk Responder will submit an
Issue and Corrective Action Report (ICAR) as needed that will be tracked by the Risk Management manager who is
identified in the Firm’s Supervisory Control Program.
6 Security Incident Details
The Security Incident details listed below are required for all Security Incidents and will aid IR efforts.
6.1 Categories
All Security Incidents will be categorized based upon the details of the Security Incident.
Each Security Incident must be assigned one of the following categories:
Category: Summary and Notes
General: Any Security Incident Category not specifically identified below.
Unauthorized Access: An individual gains physical or logical access without permission to a network, system, application, data, building/office, or other resource.
Loss of Data, Equipment, and/or Documents: The loss or theft of data, documents, a computing device or media.
Attrition: An attack that employs brute force methods to impair the normal functionality of networks, systems or applications (e.g., Denial of Service, Rainbow Tables).
Malicious Code (Malware): Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Malicious code that has been successfully quarantined by antivirus software does not need to be reported.
Improper Usage: A person violates the acceptable computing use policies.
Scans, Probes, and/or Attempted Access: Any activity that seeks to access or identify a computer, open ports, protocols, services, or any combination thereof for later exploitation. This activity does not directly result in a compromise or denial of service.
Investigation: Unconfirmed incidents that are potentially malicious or anomalous activity warranting further review.
Exercise and/or Network Defense Testing: To be used during testing or exercises and approved testing of internal and external network defenses or responses.
Social Engineering: Attempted acquisition of information such as usernames, passwords, and credit card details by disguising the request as coming from a purportedly trustworthy entity, in person or by electronic communication (such as email, voice mail, etc.).
Failed Authentication (Advisor/Client only): Unsuccessful authentication attempts against Advisor or Client accounts or systems that warrant review.
System Malfunctions: Computing resources associated with improper maintenance and/or operation that are operating outside their intended purpose.
Physical Harm: Physical or psychological harm to an individual or group.
6.2 Scope
For the purpose of this S-IRP, each Security Incident will be evaluated to determine its potential Scope. The Scope aids in identifying the Severity Level and in prioritizing response efforts during concurrent Security Incidents. The Scope consists of evaluating the functional, informational, and recoverability impacts. When a Security Incident is initially reported, the Scope may need to be estimated. If the Scope is unknown at the time of initial discovery, the team must make a conservative estimate based on the information available; the Scope must then be revised during the lifecycle of the Security Incident whenever additional information changes it.
The Scope for a Security Incident must record one of the following values for each Impact:
Impact (with Category, Notes and Summary)
Functional Impact
Insignificant: Organization's ability to provide services is not affected.
Minor: Organization is able to provide services to all users but has lost efficiency.
Marginal: Organization is able to provide critical services to all users but has lost efficiency.
Major: Organization has lost the ability to provide services to a subset of users.
Significant: Organization is no longer able to provide some services to any users.
Catastrophic: Organization is no longer able to provide critical services to any users.
Informational Impact
None: No information was exfiltrated, changed, deleted, or otherwise compromised.
Privacy Loss: *NPPI, PII, and/or payment card data was accessed or exfiltrated.
Privacy Loss (Outside Acme): *NPPI, PII, and/or payment card data was accessed or exfiltrated outside of Acme.
Proprietary Loss: Company proprietary information was accessed or exfiltrated.
Integrity Loss: *NPPI, PII, payment card data and/or proprietary information was changed or deleted.
Recoverability Impact
Insignificant: Time to recovery is known and recovery is already under way; less than 1 hour.
Minor: Time to recovery is predictable with existing resources; less than 2 hours.
Marginal: Time to recovery is predictable with additional resources; less than 4 hours.
Major: Time to recovery is unpredictable; no additional resources or outside help needed; less than 8 hours.
Significant: Time to recovery is unpredictable; additional resources and outside help needed; more than 8 hours.
Catastrophic: Recovery is not possible; permanent loss of service or facility (e.g., NPPI was exfiltrated and posted publicly).
Financial Impact
Very Low: $100,000 or less
Low: $100,001 - $200,000
Moderate: $200,001 - $300,000
Medium: $300,001 - $500,000
High: $500,001 - $1,000,000
Very High: Greater than $1,000,000
*See the Acme Information Security Policy for the Information Classification Matrix, which provides detailed examples of NPPI and PII data points.
6.3 Severity Levels (Rating)
All Security Incidents will be classified (rated) based upon the details of the Security Incident.
Each Security Incident must be assigned one of the following Severity Levels (Ratings):
Rating (with Notes and Summary)
Level 6 (Very High): Any Event and/or Security Incident that potentially has a significant impact on one or more of the following:
o The ability to provide products and/or services to a significant number of customers;
o The ability to control, record, measure, track, and/or account for a significant amount of inventory, revenue or cash;
o The unacceptable risk of significant punitive regulatory actions, contractual penalties, fraudulent criminal activity, and/or civil litigation; or
o Significant notoriety that has the potential to adversely affect the Company's valuation, damage the brand, and/or cause widespread concern amongst customers and/or investors.
Level 5 (High): Any Event and/or Security Incident not rated as "Level 6" that meets one or more of the following:
o Subject to mandatory reporting and/or notification;
o Requires due diligence to assess, identify, and/or correct a deficiency within the organization's data processing, data usage, and/or information security infrastructure;
o Presents the potential, but not the likelihood, of litigation and/or media attention; or
o Impacts key business functions, systems and/or "Confidential information."
Level 4 (Medium): Any Event and/or Security Incident not rated as Level 6 or 5 that results in a False Positive and/or a duplicate effort.
Level 3 (Moderate): Any Event and/or Security Incident not rated as Level 6, 5, or 4 that warrants further analysis and/or investigation.
Level 2 (Low): Any Event that is NOT categorized as a Security Incident but has precursors of a Security Incident (i.e., someone reports a potential Security Incident that is determined not to be one); these items must be logged.
Level 1 (Very Low): Any Event that is NOT categorized as a Security Incident and does NOT have any precursors of a Security Incident (i.e., someone reports a potential Security Incident that is determined not to be one and shows no precursors); these items may be logged at the discretion of the Incident Commander.
6.4 Attack Vector
For the purpose of this S-IRP, the attack vector aids in prioritizing response efforts during concurrent Incidents, based on currently available information, the network architecture and the level of sophistication of the attack.
Each Security Incident must be assigned one of the following Attack Vectors:
Vector: Summary and Notes
Attrition: An attack that employs brute force methods
Web: Websites or web-based applications
Email: Email message or attachment
External/Removable Media: Flash drives, Compact Discs (CDs), or other peripheral devices
Impersonation/Spoofing: Replacement of legitimate content/services
Improper Usage: Violation of acceptable use or other policies
Loss or Theft of Equipment: Electronic or physical loss of a computing device, media, or document
Unknown: Cause of attack is unidentified
Other: An attack that does not fit into any other vector
6.5 Privacy Likelihood/Considerations (i.e., Informational Impact)
For the purpose of this S-IRP, each Security Incident will be evaluated for an Informational Impact to determine the likelihood of potential Privacy considerations. This will aid in identifying which Security Incidents require the attention of Legal Counsel to help evaluate any potential Privacy Notification requirements.
7 The SIRT
Senior Management established the SIRT to ensure centralized coordination of Incident Responses. The SIRT is comprised of technical and non-technical Company employees and contractors who are charged with the prevention, identification, analysis, containment, eradication and recovery of Security Incidents, and with capturing the lessons learned from them.
7.1 SIRT Charge
The SIRT is responsible for establishing, overseeing, and carrying out the plans of action for any Security Incident
that potentially threatens the confidentiality, integrity, or availability of Company resources (both physical and
electronic) and those owned and/or operated by Advisors to a certain degree. The SIRT will attempt to
restore/recover information and/or systems to an operational state as quickly as possible while preserving forensic
data. The SIRT will provide direction and support to the Company and its Advisors when responding to any
Incident under its purview.
7.2 SIRT Objectives
The SIRT's main objectives are to protect and preserve information and computing resources to ensure the availability, integrity and, as required, confidentiality of Company information and computing resources.
There are five primary objectives of the SIRT:
1. Control and manage Security Incidents.
2. Investigate Security Incidents and assess their severity in a timely manner.
3. Recover from or bypass Security Incidents in a timely manner to re-establish normal operational conditions.
4. Notify Senior Management, the Risk Oversight Committee (ROC) and/or the ISSC of "Confirmed Incidents" with a "Level 6" rating in a timely manner.
5. Prevent similar Security Incidents in the future, or establish methods to better protect the Company and its Advisors from them, to the extent possible.
8 SIRT Members
The SIRT members (also known as "Responders") form an operational and diverse team with the specialized skills to investigate Security Incidents and recommend measures to correct or bypass problems or conditions relating to Security Incidents. The nature of a Security Incident will determine which parties are needed to assist with response efforts and implement preventative or corrective actions.
Permanent (Core) Members
Incident Commander
Incident Administrator
Anti-money Laundering (AML) Responder
Supporting / SME members (at the discretion of the SIRT) may include:
Internal Supporting Responders
o Senior Reviewing Executive
o Incident Coordinator
o IT
o Disaster Recovery (DR)
o Communications
o Risk and Compliance
o Finance
o Legal
o Operations
o Sales
o Human Resources
External Supporting Responders
o Qualified Security Assessor (QSA)
o Forensic Computing Services Firm
o Security Operations Center (SOC)
The core SIRT will be assisted by Supporting Responders who are Subject Matter Experts (SMEs) within their field. These SMEs will be informed about an incident only at the discretion of the SIRT, and at that point informed of their responsibilities listed below. SIRT members must conduct themselves in accordance with the following general objectives:
Conduct objective, thorough, and timely investigations.
Evaluate Security Incidents with a focus on individuals’ privacy rights.
Collect, preserve, and protect data, documentation and materials related to the investigation.
Maintain confidentiality around the investigation and/or Security Incident as required.
Maintain thorough documentation of the entire investigation process.
Safeguard all data, documentation and materials related to the investigation.
Maintain the chain of custody of investigation materials and documentation.
Evaluate the underlying facts discovered by the evidence obtained in connection with an investigation of a
Security Incident and present objective conclusions in Final Reports. Conclusions must be fully supported
by facts discovered during an investigation of a Security Incident.
Conduct a post-incident review of the investigation, and document policy or procedural issues that
enhanced or hindered the Security Incident detection, monitoring, investigation, and subsequent
development and implementation of corrective or problem bypass measures.
Evaluate the business impact of any recommendations that are made to Senior Management.
8.1 Incident Commander
The CISO will serve as the Primary Incident Commander. The Deputy ISO will serve as the Secondary Incident Commander.
8.1.1 Responsibilities
Activate the SIRT and as needed Supporting Responders
Conduct SIRT meetings
Coordinate SIRT investigations
Classify Security Incidents according to Section 6 of this document
Determine investigation objectives
Coordinate SIRT training and exercises
Finalize post-investigation documents
Prepare reports, as needed
Update the Senior Reviewing Executive regarding the status of an investigation as needed
Recommend to the CEO, when requested, whether information needs to be issued to the general public
Coordinate with law enforcement at the direction of the SIRT
Deactivate the SIRT
8.2 Incident Administrator
The Incident Administrator will assist in a number of administrative functions and assist the Incident Commander and the Incident Coordinator as needed.
8.2.1 Responsibilities
Take notes during meetings and document his or her own actions as well as the general actions of the SIRT
Manage tasks and track labor hours of SIRT members
Act as the repository for all Security Incident-related evidence upon deactivation of response efforts, when directed by the Incident Commander and in coordination with the Legal Responders
Monitor the [email protected] mailbox Monday through Friday between 8:00am and 5:00pm and self-initiate a Security Incident Intake Form as needed
Assist in finalizing notification documents and mailing them
8.3 Anti-Money Laundering Responder
The Anti-money Laundering (AML) Responder will perform AML procedures as well as account reviews, and block accounts as needed.
The AML Compliance Manager will serve as the Primary Anti-money Laundering Responder. The Regulatory
Compliance Manager will serve as the Secondary Anti-money Laundering Responder. Both managers are members
of the AML Committee in addition to the Chief Compliance Officer.
8.3.1 Responsibilities
Coordinate with the Chief Compliance Officer and/or the AML Committee to determine whether any
punitive or legal actions are recommended for any Advisor.
Perform account reviews and block accounts as needed. Notification of internal staff and/or departments may be performed in lieu of blocking accounts; this determination is made by the AML Compliance Manager or the Regulatory Compliance Manager.
8.4 Supporting Responders
Supporting Responders are not permanent SIRT members; however, these individuals may be asked to assist with a SIRT investigation because they have expertise in a particular subject matter. The Incident Commander and/or Incident Coordinator may request the assistance of Supporting Responders. If their assistance is required, they become part of the SIRT for the particular investigation they are assisting with. The Incident Commander is the only SIRT member authorized to discontinue the assistance of Supporting Responders.
8.4.1 Incident Coordinator Responders Core Responsibilities
The Incident Coordinator is responsible for resolving day-to-day production problems and leverages other support
groups within the business such as the application support group.
The Head of Infrastructure will serve as the Primary Incident Coordinator. The Manager of Development Services
will serve as the Secondary Incident Coordinator.
Serve as the single POC to the Incident Commander for all technical actions.
Identify and request supporting responders as needed.
Assess the scope of the Security Incident damage, if any.
Provide a systematic approach for technical actions when numerous technology platforms could be
impacted by a Security Incident.
Control and contain the Security Incident, to the extent possible.
Collect, document, and preserve forensic evidence related to the Security Incident.
Maintain a chain of custody for all computing evidence obtained during Security Incidents.
Interview individuals who may have information relevant to the Security Incident.
Identify the root cause and/or source and the extent of the damage, and recommend countermeasures or mitigation solutions to reduce or stop any additional damage.
Conduct problem analysis to determine whether any failure in Company’s Infrastructure or computing
environment may have enabled the Event to occur.
Audit mission-critical systems to ensure they are current with service packs and patches.
Recommend solutions that are designed to aid in the prevention of similar Security Incidents from recurring
in the future. All recommendations need to take into consideration the business impact that would be
incurred if any recommendations are approved and implemented.
Monitor recovery efforts.
8.4.2 Senior Reviewing Executive Responders Core Responsibilities
A Senior Reviewing Executive will be indirectly involved during investigations of Security Incidents so he or she can provide impartial oversight to help protect the interests of the Company. If the Incident Commander is occupied running the S-IRP, the Senior Reviewing Executive will provide Senior Management with any relevant updates regarding IR efforts.
The CCO will serve as the Primary Senior Reviewing Executive. The CIO will serve as the Secondary Senior Reviewing Executive.
Update Senior Management and business managers as needed regarding the ongoing investigation and IR
efforts
Work with Senior Management to obtain the services of external resources as needed
Prioritize the Security Incident within the Company, or direct more senior and/or capable leadership and/or
resources to the IR efforts
Provide objective oversight of the IR efforts
Review reports generated by the Incident Commander as needed
8.4.3 Information Technology (IT) Responders Core Responsibilities
Provide the technical support necessary to enable an effective response, such as platform, application, database, and network support
8.4.4 Security Operations Center (SOC) Responders Core Responsibilities
Serve as central POC for suspected Security Incidents derived from Company network traffic or Advisor
networks that are externally reviewed through Managed Security Service Providers (MSSPs)
Manage the day-to-day monitoring of resources and/or systems for potential security compromises
8.4.5 Qualified Security Assessor (QSA) Responders Core Responsibilities
Serve as central POC for suspected Security Incidents involving cardholder and/or sensitive authentication
data
8.4.6 Forensic Responders Core Responsibilities
Oversee all Forensic investigation requirements and efforts performed by any third-party resources
Provide expert guidance related to securing electronic or physical evidence procedures, when appropriate
Provide expert forensic examination of computing resources and/or forensic images captured during
response efforts
Ensure all evidence was collected throughout the Security Incident’s lifecycle from SIRT members upon
deactivation of the SIRT
Ensure the procedures for Digital Evidence Chain of Custody are followed by the SIRT
8.4.7 Disaster Recovery (DR) Responders Core Responsibilities
Maintain situational awareness throughout the entire IR lifecycle for affected technologies identified within the Company's Disaster Recovery/Business Continuity (DR/BC) Plan.
Coordination with affected technology groups to ensure they are capable of rapid transition to DR/BC
mode.
Assess each affected piece of technology to determine a solution in the event any physical assets must be
seized by or provided to Law Enforcement (LE).
8.4.8 Communications Responders Core Responsibilities
Serve as the POC for all requests for information from any source.
Coordinate the release of information to the public.
Provide ongoing advice and awareness regarding the release of communications or documents to the public.
Manage crisis communications to limit exposure to the Company and its Advisors.
Create and distribute internal communications for the Company to help manage the impact of public awareness of Security Incidents.
Assist in drafting and finalizing notification documents with the Legal Responder and Incident Administrator.
8.4.9 Risk and Compliance Responders Core Responsibilities
Ensure that all statutory and contractual obligations are met in a timely manner.
Perform Internal Controls evaluation.
Facilitate policy updates and/or changes as needed.
Provide ongoing advice and awareness regarding the release of communications or documents to regulators and/or law enforcement.
Ensure all reporting requirements under SEC and FINRA rules and Federal, State, and Local laws are addressed by the SIRT.
Identify and track Risks as well as Issues and Corrective Actions.
Evaluate Incidents as needed as part of the ROC bi-monthly meetings.
8.4.10 Finance Responders Core Responsibilities
Ensure that all Sarbanes-Oxley Act (SOX) requirements are met during the lifecycle of the Security Incident, such as those concerning evidence tampering and whistleblower protections
Analyze cost savings and/or reforecast budgets if emergency funding is needed
Track expenses during the lifecycle of the Security Incident
8.4.11 Legal Responders Core Responsibilities
Provide ongoing legal counsel during Security Incidents
Evaluate legal privacy implications of Security Incidents
Evaluate SIRT actions to take into consideration post-event litigation and/or criminal prosecution
Aid in the determination of whether to notify law enforcement. Serve as the liaison to law enforcement if it becomes involved in the investigation of Security Incidents.
Provide guidance regarding other legal and contractual obligations stemming from Security Incidents.
Draft and finalize notification documents with the assistance of the Incident Administrator and Communications Responder.
Notify Insurance Carriers and keep them informed on the progress of the Security Incident.
8.4.12 Operations Responders Core Responsibilities
Evaluate the operational impact of Security Events based on the needs of Advisor and Company Constituencies; update the SIRT as needed.
Liaise with outside entities such as clearing firms, banks, and regulators.
Perform general field support.
Recommend additional controls and/or processes as necessary, in coordination with Risk and Compliance Responders.
Implement additional controls and/or processes upon approval by Senior Management or Risk Management.
8.4.13 Sales Responders Core Responsibilities
Evaluate the potential business impact of SIRT response efforts and provide this information to the SIRT.
Work with Disaster Recovery Responders to coordinate between IT and affected business unit(s) in the event of a disruption to the business operations that may require a Disaster Recovery / Business Continuity action.
8.4.14 Human Resource Responders Core Responsibilities
Handle all employment related circumstances resulting from Security Incidents
8.4.15 Law Enforcement Responders Core Responsibilities
Serve as central POC for suspected Security Incidents when law enforcement notification is required (criminal activity under federal, state, local, and international laws).
8.5 Help Desk
The Help Desk will serve as the central POC for reporting Security Incidents. The Help Desk will be available (Monday through Saturday 06:00am – 07:00pm and Sunday 07:00am – 04:00pm) for communications and Security Incident Reporting. Additionally, the Incident Administrator will serve as an additional POC by monitoring the [email protected] mailbox Monday through Friday between 08:00am and 05:00pm.
8.5.1 Responsibilities
Monitor Acme computing resources for reports of suspected and/or confirmed Security Incidents.
Complete Security Incident Intake Forms and select the appropriate severity level.
Notify the Incident Commander upon completion of Security Incident Intake Forms or as soon as reasonably practicable.
Email completed Security Incident Intake Forms to the Incident Commander as directed by the Incident Commander.
Receive calls from Advisors on potential Security Incidents.
8.6 Employees, Advisors, etc.
Anyone who observes and/or is informed of a suspected or confirmed Security Incident is responsible for reporting such information immediately.
8.6.1 Responsibilities
Report suspected or confirmed Security Incidents within 2 hours of obtaining information or as soon as reasonably practicable. See sections 3.4 and 5.3.3 for more information on how to report.
9 Security Incident Tracking
The SIRT will log, track and document the investigation and resolution of all Security Incidents by submitting a Security Incident Intake Form at https://incidentintake.acme.com. Data for a particular Security Incident will be available only to SIRT members, and to others only upon request and approval of the CISO and/or CCO.
Security Incidents follow this lifecycle of statuses:
Initial (Indicates the ticket is in the initial detection and reporting process)
Follow-Up (Indicates the ticket is ready for the CISO and/or Deputy CISO to review)
Secondary (Indicates the ticket is ready for the SIRT to review)
Collection (Indicates the ticket is ready for Containment, Eradication and Recovery efforts)
Closed (Indicates the Core SIRT has agreed the matter as closed)
Process to log a new Security Incident Intake Form:
1. Navigate to https://incidentintake.acme.com
2. Click on “Create New”
3. Enter all required information for all tabs
a. You may select “Save for Later” to come back at a later time
b. You will also be presented a warning message in the event all required fields are not completed
4. Click “Submit” to send the form to the next stage for review
Process for Follow-Up and Secondary Analysis:
1. Navigate to https://incidentintake.acme.com
2. Click on “Edit Incident” for the appropriate Security Incident
3. Enter all required information for all tabs
a. You may select “Save for Later” to come back at a later time
b. You will also be presented a warning message in the event all required fields are not completed
4. Click “Submit” to send the form to the next stage for review
Process for Collection:
1. Navigate to https://incidentintake.acme.com
2. Click on “Edit Incident” for the appropriate Security Incident
3. Click on “Attachments” and navigate to the appropriate section
4. Enter information for all required fields
5. Click “Submit” to save your information
6. Repeat steps 3, 4, and 5 for all appropriate sections
10 Security Incident Closure
Once the affected systems or resources have been returned to normal operations, the SIRT will verify that all corrective and/or preventative tasks are complete and that local services have been restored. In cases where Security Incident response efforts are partially outsourced to third-parties, the Incident Commander will monitor and document the Security Incident resolution.
If a Security Incident is rated as a “Confirmed Incident” with a “Level 6 or 5” severity, the Incident Commander
must obtain approval from the SIRT to close the Security Incident.
Process for Closing
1. Navigate to https://incidentintake.acme.com
2. Click on “Edit Incident” for the appropriate Security Incident
3. Click on “Attachments” and navigate to the “Incident Closure Form”
4. Enter information for all required fields
5. Click “Submit” to save your information
6. Click “Browse Existing”
7. Select the drop down arrow next to “Edit Incident” for the appropriate Security Incident
8. Click “Close Case”
a. You will be presented the following message: “You are attempting to close this incident. This action cannot be undone and will mark all aspects of the incident as read only. Are you sure you want to close the incident?”
9. Select “Ok” to close the Security Incident
At any time the CISO, CCO, or Chief Executive Officer (CEO) may terminate a Security Incident investigation, regardless of Security Incident severity rating. If a Security Incident is turned over to a law enforcement agency, the SIRT investigation will, in most cases, be suspended; however, the CISO and Legal Counsel will attempt to obtain updates from Law Enforcement regarding the matter.
Prior to closing any Security Incident involving potential disclosure of NPPI or PII, or of information that was deemed not to constitute NPPI or PII, the Legal Responder must conduct a follow-up review of that conclusion to confirm that the information involved was correctly categorized.
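The tracking and closure rules above only protect the record if the tracking system refuses the wrong transitions rather than relying on the operator to remember them. The following is an added example of that enforcement, not the Acme intake application at https://incidentintake.acme.com, whose implementation this plan does not describe. It models the five lifecycle statuses, restricts who may move a ticket out of each review stage, gates “Close Case” on SIRT approval for Level 6 or 5 Confirmed Incidents and on the Legal Responder’s NPPI/PII review, makes a closed ticket read-only, and lets only the CISO, CCO or CEO terminate an investigation. The assumptions, marked in the code, are that severity is an integer from 1 to 6 with 6 the most severe and that roles are plain strings; the incident identifiers are constructed.

```python
"""Added example: a lifecycle state machine enforcing the section 9/10 tracking
and closure rules. Example code, not the Acme intake application. Assumptions:
severity is an integer 1..6 (6 most severe); roles are plain strings."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

STATUSES = ("Initial", "Follow-Up", "Secondary", "Collection", "Closed")
NEXT = dict(zip(STATUSES, STATUSES[1:]))   # a ticket only ever advances one stage
# Who may move a ticket out of each review stage (None = any reporter, e.g. the Help Desk).
REVIEWER = {"Initial": None, "Follow-Up": {"CISO", "Deputy CISO"}, "Secondary": {"SIRT"}}
TERMINATORS = {"CISO", "CCO", "CEO"}       # may end an investigation at any severity


class WorkflowError(Exception):
    """Raised when an action violates the tracking or closure rules."""


@dataclass
class Incident:
    incident_id: str
    severity: int                 # assumption: 1..6, 6 highest
    confirmed: bool               # rated a "Confirmed Incident"
    involves_nppi_pii: bool       # NPPI/PII possibly disclosed, or ruled out and so needing Legal review
    status: str = "Initial"
    sirt_close_approved: bool = False
    legal_review_done: bool = False
    audit_log: list = field(default_factory=list)

    def _log(self, actor_role: str, action: str) -> None:
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), actor_role, action))

    def _check_open(self) -> None:
        if self.status == "Closed":
            raise WorkflowError("closed incidents are read-only")

    def submit(self, actor_role: str) -> str:
        """'Submit' sends the ticket to the next review stage."""
        self._check_open()
        if self.status == "Collection":
            raise WorkflowError("Collection ends with the Incident Closure Form; use close()")
        allowed = REVIEWER[self.status]
        if allowed is not None and actor_role not in allowed:
            raise WorkflowError(f"{self.status} review is reserved for {sorted(allowed)}")
        self.status = NEXT[self.status]
        self._log(actor_role, f"advanced to {self.status}")
        return self.status

    def approve_closure(self, actor_role: str) -> None:
        self._check_open()
        if actor_role != "SIRT":
            raise WorkflowError("only the SIRT approves closure of Level 6/5 Confirmed Incidents")
        self.sirt_close_approved = True
        self._log(actor_role, "approved closure")

    def record_legal_review(self, actor_role: str) -> None:
        self._check_open()
        if actor_role != "Legal":
            raise WorkflowError("only the Legal Responder confirms NPPI/PII categorization")
        self.legal_review_done = True
        self._log(actor_role, "confirmed NPPI/PII categorization")

    def close(self, actor_role: str) -> str:
        """Close Case: irreversible, and gated on the approvals the plan requires."""
        self._check_open()
        if self.status != "Collection":
            raise WorkflowError("the Incident Closure Form is only available in Collection")
        if self.confirmed and self.severity >= 5 and not self.sirt_close_approved:
            raise WorkflowError("Level 6/5 Confirmed Incident: SIRT approval required before closure")
        if self.involves_nppi_pii and not self.legal_review_done:
            raise WorkflowError("Legal follow-up review of NPPI/PII categorization required")
        self.status = "Closed"
        self._log(actor_role, "closed")
        return self.status

    def terminate(self, actor_role: str) -> str:
        """CISO, CCO or CEO may end an investigation at any time, regardless of severity."""
        self._check_open()
        if actor_role not in TERMINATORS:
            raise WorkflowError(f"only {sorted(TERMINATORS)} may terminate an investigation")
        self.status = "Closed"
        self._log(actor_role, "investigation terminated")
        return self.status


def rejects(action) -> bool:
    """True if the zero-argument callable raises WorkflowError."""
    try:
        action()
    except WorkflowError:
        return True
    return False


if __name__ == "__main__":
    inc = Incident("INC-0001", severity=6, confirmed=True, involves_nppi_pii=True)
    inc.submit("Help Desk")
    inc.submit("CISO")
    inc.submit("SIRT")
    print(rejects(lambda: inc.close("Incident Commander")))   # True: no SIRT approval yet
    inc.approve_closure("SIRT")
    inc.record_legal_review("Legal")
    print(inc.close("Incident Commander"), inc.audit_log[-1])
```

The audit log is appended on every accepted action, so a closed ticket carries its own record of who approved what; a real system would write that log somewhere the SIRT cannot edit.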
10.1 Final Reports
The SIRT prepares Final Reports. These reports (electronic and physical) are maintained by the CISO.
10.2 Third-Party Reports
The Incident Commander and/or SIRT must confer with Legal Responders prior to engaging any third-party vendor that may produce third-party reports. Any report that is prepared by a Qualified Security Assessor (QSA) or an outside computing forensics firm must be addressed to Legal Counsel and marked as “Attorney-Client Privileged and Work Product Protected.”
11 SIRT Training
Core SIRT members will receive incident response training as needed. The CISO and Legal Counsel need to provide input in advance of any training to ensure the incident response training elements are current.
The following training topics need to be considered in the training venue:
State and Federal Privacy Law
Company Policies relevant to recent security incident trends
Best practices for conducting incident handling and investigations
Best practices for evidence preservation.
Hardware and software tools used by the SIRT
11.1 Advanced Training and Skills Requirements
Incident Commanders, Coordinators, and Administrators may be required to complete additional training to ensure their Incident Handling practices meet industry-accepted standards for an Incident Handler.
12 SIRT Exercises
The SIRT will conduct an annual exercise that simulates a Security Incident. The purpose of the exercise is to maintain the skills and knowledge of the SIRT members. Exercises will involve all core SIRT members; Supporting Responders will be selected to participate as required by the nature of the exercise. Within 30 days of completion of the exercise, the Incident Commander, in coordination with the SIRT members, will prepare a brief report evaluating the exercise and distribute it to the ISSC and ROC. Any skill and/or knowledge area that needs to be improved, as well as procedural enhancements, will be identified in the report.
13 Security Incident Metric Reporting
The reports identified in this section will be generated based on information within the Security Incident tracking system. Where possible, these reports will be generated and distributed automatically:
Annually – ID Theft Prevention Status Report: Security Incident Metric Reporting and data from the Security Incident tracking system will be utilized to supplement the Firm’s ID Theft Prevention Program and the reporting requirements as follows (the following portion was taken from the ID Theft Prevention Program Document):
Our firm is responsible for developing, implementing and administering our ITPP and will report annually to Senior Management on compliance with the FTC’s Red Flags Rule. The report will address the effectiveness of our ITPP in addressing the risk of identity theft in connection with covered account openings, existing accounts, and service provider arrangements, significant incidents involving identity theft and management’s response and recommendations for material changes to our ITPP. Acme will document and report on the effectiveness of ID Theft Prevention Program activities utilizing the annual ID Theft Prevention Status Report. The report will include:
Significant incidents (number of incidents, victims impacted and exposure) involving identity theft and management’s response
Identity theft control and operating procedure effectiveness
Summary of service provider arrangements including any changes to service provider arrangements
Summary of recommendations for material changes to the program
This annual program performance report will be issued by the Risk Management department by January 31 of each year.
Acme Compliance is responsible for reporting to Acme Senior Management on the effectiveness of the Program and on the general state of ID Theft within the firm. As a result, the ID Theft Prevention Status Report will be issued and incorporated into our Annual CEO Certification Process that is reviewed with Senior Management.
13.1 Out-of-band Communications
While the SIRT may provide status updates, it may need to prepare for multiple communication methods, particularly out-of-band communications (e.g., in person, paper, or a phone or messaging channel that does not depend on the affected systems). This is necessary where the systems normally used for communication may themselves be compromised, since using them would give intruders advance warning that a Security Incident has been identified and that response efforts are underway. The Incident Commander will determine if out-of-band communications are necessary prior to activation of the SIRT and thereafter as needed.
13.2 Board of Directors Reporting
All Security Incidents rated as “Confirmed Incidents” with a “Level 6” severity rating will be presented to the Acme Board of Directors no less than annually by the CISO or CCO and included in the annual CEO Certification process.
13.3 Collecting Security Incident Data
Collecting data during Security Incidents will help enhance the Information Security program. The information gathered may: (i) indicate the existence of systemic security weaknesses and threats; and (ii) evidence changes in Security Incident trends, which could feed into the Enterprise Risk Assessment process and lead to the implementation of additional controls.
The following metrics at a minimum must be collected by the Incident Administrator:
Number of Security Incidents handled annually, broken down by incident level.
Time spent on each Security Incident (each SIRT member must track his or her time and relay it to the Incident Administrator).
The lifespan of a Security Incident from the time of discovery through the lessons learned.
Length of time it took the SIRT to respond to the initial report from the detector.
Recurring Security Incidents.
Estimated monetary damages stemming directly from Security Incidents.
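These metrics are only as good as the timestamps the intake form captures: the detector’s report time, the SIRT’s first response, and the lessons-learned date each have to be recorded as distinct fields or the lifespan and response-time figures cannot be computed afterwards. The following is an added example, not code from Acme’s tracking system, of deriving the minimum metrics above from an export of such records. The record layout, the field names and the five sample incidents are constructed for illustration; recurrence is identified here by the same category hitting the same asset more than once, which is one reasonable definition and not the plan’s.

```python
"""Added example: deriving the section 13.3 minimum metrics from an export of
the incident tracking system (example code, not the Acme tracking system).
The record layout and the sample rows are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export. Timestamps are ISO 8601 (UTC): "reported" is the
# detector's report, "sirt_ack" the SIRT's first response, "lessons_learned"
# the end of the incident's lifespan. "level" is the severity level.
INCIDENTS = [
    {"id": "INC-001", "level": 6, "category": "phishing", "asset": "mail-gw",
     "reported": "2018-01-04T09:12:00", "sirt_ack": "2018-01-04T09:40:00",
     "lessons_learned": "2018-01-19T16:00:00", "damages_usd": 12000},
    {"id": "INC-002", "level": 3, "category": "malware", "asset": "ws-0412",
     "reported": "2018-02-10T14:00:00", "sirt_ack": "2018-02-10T15:30:00",
     "lessons_learned": "2018-02-14T14:00:00", "damages_usd": 0},
    {"id": "INC-003", "level": 5, "category": "phishing", "asset": "mail-gw",
     "reported": "2018-03-01T08:00:00", "sirt_ack": "2018-03-01T08:20:00",
     "lessons_learned": "2018-03-12T08:00:00", "damages_usd": 4500},
    {"id": "INC-004", "level": 2, "category": "lost-device", "asset": "laptop-77",
     "reported": "2018-06-15T10:00:00", "sirt_ack": "2018-06-15T12:00:00",
     "lessons_learned": "2018-06-20T10:00:00", "damages_usd": 1800},
    {"id": "INC-005", "level": 6, "category": "credential-theft", "asset": "vpn",
     "reported": "2017-11-20T07:30:00", "sirt_ack": "2017-11-20T07:45:00",
     "lessons_learned": "2017-12-05T07:30:00", "damages_usd": 30000},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def in_year(incidents: list, year: int) -> list:
    """Incidents whose initial report fell in the given year."""
    return [i for i in incidents if _ts(i["reported"]).year == year]


def counts_by_level(incidents: list, year: int) -> dict:
    """Number of incidents handled in the year, broken down by level."""
    return dict(Counter(i["level"] for i in in_year(incidents, year)))


def response_minutes(incidents: list) -> dict:
    """Detector report -> first SIRT response, in minutes, per incident."""
    return {i["id"]: (_ts(i["sirt_ack"]) - _ts(i["reported"])).total_seconds() / 60
            for i in incidents}


def lifespan_days(incidents: list) -> dict:
    """Discovery (the report) through lessons learned, in days, one decimal."""
    return {i["id"]: round((_ts(i["lessons_learned"]) - _ts(i["reported"])).total_seconds() / 86400, 1)
            for i in incidents}


def recurring(incidents: list) -> dict:
    """Incidents sharing a category and affected asset: a sign of an unfixed root cause."""
    groups = defaultdict(list)
    for i in incidents:
        groups[(i["category"], i["asset"])].append(i["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def total_damages(incidents: list, year: int) -> int:
    """Estimated direct monetary damages for the year."""
    return sum(i["damages_usd"] for i in in_year(incidents, year))


def annual_summary(incidents: list, year: int) -> dict:
    """The section 13.3 metrics for one reporting year, in one dict."""
    this_year = in_year(incidents, year)
    return {
        "year": year,
        "by_level": counts_by_level(incidents, year),
        "median_response_minutes": median(response_minutes(this_year).values()),
        "max_lifespan_days": max(lifespan_days(this_year).values()),
        "recurring": recurring(incidents),
        "damages_usd": total_damages(incidents, year),
    }


if __name__ == "__main__":
    for key, value in annual_summary(INCIDENTS, 2018).items():
        print(f"{key}: {value}")
```

Recurrence is checked across all years on purpose: a repeat of last year’s incident on the same asset is exactly the signal the Enterprise Risk Assessment wants, and an annual window would hide it.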
14 Security Incident External Reporting
Reporting Security Incidents externally may be required. Every Security Incident needs to be evaluated in this regard.
14.1 Insurance Reporting
The SIRT must consult with Legal Counsel for any “Confirmed Incidents” with a “Level 6 or 5” severity to determine whether the matter must be reported to any of the Company’s Insurers.
14.2 Suspicious Activity Reporting
The Company’s obligations to file a suspicious activity report (SAR) and/or to notify appropriate law enforcement authorities are set forth in the Company’s Bank Secrecy Act / Anti-Money Laundering (AML) Internal Compliance Program. The AML Responder (or the Regulatory Compliance Manager as delegate) will initially determine whether a Security Incident triggers the filing of a SAR and bring it to the AML Committee for additional review and/or discussion. The AML Responder will consult with the Legal Responder where applicable and receive support from the CISO to ensure the appropriate technical data (IP addresses, hash values, registrar information, etc.) is included in the reporting process.
14.3 Constituent Notification
Certain Security Incidents will require notification to Company Constituents. The SIRT will consult with the Legal Responders to provide factual information regarding Security Incidents. Legal Responders will determine whether any notifications (e.g., privacy or regulatory) are required in accordance with applicable laws and regulations and the manner in which notifications must be made, draft and finalize notification documents, and assist in mailing such documents with the assistance of the Incident Administrator and Communications Responder.
14.4 Payment Card Industry Reporting
A certified QSA may need to be consulted in order to identify specific requirements and steps for reporting suspected and/or confirmed Security Incidents involving cardholder data and/or sensitive authentication data, as they are specific to each payment card brand.
The specifics can be found at the following locations:
Brand: Additional Information
Visa: http://usa.visa.com/merchants/protect-your-business/cisp/if-compromised.jsp and http://usa.visa.com/download/merchants/cisp-what-to-do-if-compromised.pdf
MasterCard: http://www.mastercard.com/us/merchant/pdf/Account_Data_Compromise_User_Guide.pdf
Discover: https://www.discover.com/credit-cards/member-benefits/security-center/keep-secure/understand-fraud.html
American Express: https://www209.americanexpress.com/merchant/services/en_US/data-security?intlink=US
14.5 Credit Monitoring
The SIRT will consult with Legal Responders to determine whether a Security Incident triggers a legal requirement to provide credit monitoring to Company Constituents who are impacted by a Security Incident.
If a Security Incident was triggered by an Advisor’s actions and credit monitoring is required, the CCO may require the Advisor to pay for all credit monitoring services provided to his or her clients. The Legal Responders, with the assistance of the Incident Administrator and Communications Responder, will draft and finalize all notification documents, which may include credit monitoring details. The Incident Administrator is responsible for mailing all notification documents. See the Acme ID Theft Referral Procedures for details.
14.6 Claims for Reimbursements
The SIRT must consult with Legal Counsel to determine whether any of the Company’s Insurers will reimburse the Company for expenses incurred as a result of Security Incidents.
14.6.1 Reimbursement Request by an Affected Constituent
Whenever a Security Incident occurs, an affected Company Constituent may ask the Company to cover (or reimburse) expenses related to the Security Incident. The Company may by law, rule and/or regulation be required to reimburse the requesting Constituent. If reimbursement is not required, the Company may choose to reimburse an affected Constituent for all or a portion of the loss suffered as a direct result of the Security Incident. The determination as to whether such voluntary reimbursement will occur will be made by Senior Management, with the advice of Legal Responders.
14.6.2 Company Reimbursement or Other Request
The SIRT is required to keep track of all expenses incurred as a result of a Security Incident and provide this information to the Finance Responder and Legal Responders.
The Legal Responders will review all relevant insurance policies and contracts to determine the appropriate method for obtaining reimbursement for expenses and liabilities stemming from Security Incidents. Legal Responders will provide this information to Senior Management to determine the best course of action for seeking these funds.
15 External Information Sharing
The sharing of information and threat intelligence aids the financial community as a whole. Customer trust may be lost when Security Incidents occur; sharing information is one of the efforts that help minimize that impact. The CISO or Incident Commander will review all information prior to its being shared.
15.1 InfraGard
InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and the private sector dedicated to sharing information and intelligence to prevent hostile acts against the United States and the 16 critical infrastructure sectors that make up the backbone of the United States (U.S.) economy, security, and health, stemming from Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience.
The FBI has developed Malware Investigator, a resource to which Incident Handlers can submit suspected malware files and, within as little as an hour, receive detailed technical information about what the malware does and what it may be targeting. Malware Investigator is only available through established FBI partnerships such as InfraGard.
15.2 Financial Services Information Sharing and Analysis Center
The Company is a current member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), which is dedicated to providing collaboration on critical security threats facing the global financial services sector and to sharing cyber and physical threat intelligence. Coordination with the FS-ISAC is recommended by the U.S. Department of the Treasury, the lead agency for the Financial Services critical infrastructure sector identified in PPD-21.
15.3 Data Sets To Consider For Sharing
The following data sets need to be considered for distribution to those entities listed within this section:
Malicious payloads and hash values
Attacking IP addresses and associated domain names
Command and Control IP addresses and associated domain names
Dropper IP addresses and associated domain names
Threat vector and associated vulnerability exploit
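The review step that section 15 assigns to the CISO or Incident Commander has a concrete technical content: the sharing package must not carry anything that describes the Company rather than the attacker. The following is an added example, not Acme’s or FS-ISAC’s own tooling, that packages the hash, IP and domain data sets listed above as STIX 2.1 indicator objects (the format used for automated sharing through TAXII feeds, including by ISACs) and applies a pre-share gate that refuses internal addresses, the Company’s own domains and malformed hashes, returning the rejected items with a reason so the reviewer sees what was held back. The company domain acme.com, the internal address list, the review rules, the TLP:AMBER marking and every observable value are assumptions; the two documentation IP ranges stand in for real attacker addresses.

```python
"""Added example: packaging the section 15.3 data sets as STIX 2.1 indicators
for sharing (e.g. with FS-ISAC over TAXII), with the pre-share review the plan
requires. Example code, not Acme's tooling: the company domain, the review
rules and the sample observables are assumptions."""
import ipaddress
import re
import uuid
from datetime import datetime, timezone

COMPANY_DOMAINS = ("acme.com",)              # assumption: our own hosts never go into a shared feed
# Address space that is internal by definition; leaking it describes our topology, not the attacker.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                  "169.254.0.0/16", "100.64.0.0/10")]
HASH_ALGOS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}   # hex length -> STIX hash key
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
# Predefined TLP:AMBER marking-definition id from the STIX 2.1 specification.
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"

# Constructed sample observables, one per category in section 15.3, plus three
# that the review gate must stop. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for real attacker addresses.
OBSERVED = [
    {"kind": "payload_hash", "role": "malicious payload",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"kind": "ipv4", "role": "attacking IP", "value": "203.0.113.45"},
    {"kind": "domain", "role": "command and control", "value": "update-check.example.net"},
    {"kind": "ipv4", "role": "dropper", "value": "198.51.100.7"},
    {"kind": "ipv4", "role": "attacking IP", "value": "10.20.30.40"},            # internal
    {"kind": "domain", "role": "command and control", "value": "vpn.acme.com"},  # our own host
    {"kind": "payload_hash", "role": "malicious payload", "value": "not-a-hash"},
]


def review(obs: dict) -> tuple:
    """Pre-share gate: (ok, reason). Rejects malformed values and anything internal."""
    kind, value = obs["kind"], obs["value"].strip().lower()
    if kind == "ipv4":
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:
            return False, "not an IPv4 address"
        if any(ip in net for net in INTERNAL_NETS):
            return False, "internal address"
    elif kind == "domain":
        if not DOMAIN_RE.match(value):
            return False, "not a domain name"
        if value in COMPANY_DOMAINS or value.endswith(tuple("." + d for d in COMPANY_DOMAINS)):
            return False, "company-owned domain"
    elif kind == "payload_hash":
        if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in HASH_ALGOS:
            return False, "unrecognised hash format"
    else:
        return False, "unknown observable kind"
    return True, ""


def to_pattern(obs: dict) -> str:
    """STIX patterning expression for one reviewed observable."""
    value = obs["value"].strip().lower()
    if obs["kind"] == "ipv4":
        return f"[ipv4-addr:value = '{value}']"
    if obs["kind"] == "domain":
        return f"[domain-name:value = '{value}']"
    return f"[file:hashes.'{HASH_ALGOS[len(value)]}' = '{value}']"


def build_bundle(observed: list, now: datetime = None) -> tuple:
    """Returns (STIX 2.1 bundle dict, list of (observable, reason) the review rejected)."""
    now = now or datetime.now(timezone.utc)          # must be timezone-aware (UTC)
    stamp = now.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    objects, rejected = [], []
    for obs in observed:
        ok, reason = review(obs)
        if not ok:
            rejected.append((obs, reason))
            continue
        objects.append({
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": stamp, "modified": stamp, "valid_from": stamp,
            "name": f"{obs['role']}: {obs['value']}",
            "indicator_types": ["malicious-activity"],
            "pattern": to_pattern(obs), "pattern_type": "stix",
            "object_marking_refs": [TLP_AMBER],
        })
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
    return bundle, rejected


if __name__ == "__main__":
    shared, held = build_bundle(OBSERVED)
    print(len(shared["objects"]), "indicators to share;", [r for _, r in held], "held back")
```

The rejected list is the reviewer’s worksheet: each held item needs either a corrected value (a hash pasted with a typo) or a decision that it stays internal. The TLP marking is carried on every object because the recipient’s redistribution rules, not the sender’s intent, govern what happens next; the four TLP marking definitions are predefined in the STIX 2.1 specification, so the id alone is meaningful to a conforming consumer.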
16 SIRT Organizational Structure
The following diagram represents the makeup of the SIRT and the designation of the core SIRT.
[Diagram: the Core SIRT comprises the Help Desk / Mailbox, the CISO / Deputy ISO, the Incident Commander, the Anti-Money Laundering Responder and the Incident Administrator; Supporting Responders / SMEs are involved only as needed.]
17 Workflow Activity
The following diagram depicts the flow of activities regarding the escalation of an Event.
Steps to Take Now to be Ready if Your Organization is Breached
Thursday, February 22, 2:30 p.m. – 3:30 p.m.
Cyber threats are no longer a question of if, but when, a breach will occur. It is important to have a cybersecurity plan in place so you are ready to act if your organization experiences a data breach. Join panelists as they share effective steps organizations can take to prepare for an attack.
Moderator: Lloyd Glavocich, Principal Examiner, IT ROOR, FINRA Member Regulation, Office of Risk Oversight and Operational Regulation
Panelists: Brian Donadio, Principal and Head of Global Business Continuity Services, Vanguard; Laz Montano, Chief Technology Risk and Security Officer, Voya Financial
Steps to Take Now to be Ready if Your Organization is Breached
Panelist Bios:
Moderator: Lloyd Glavocich has been an IT professional since 1982, with many years spent in the development, management and support of both the Examination Systems and Surveillance Systems Programs in his 20-year tenure with the New York Stock Exchange’s Regulatory Technology division. He is currently a FINRA Principal IT Examiner with a concentration on Cybersecurity, Data Governance and IT Governance. Mr. Glavocich advises the FINRA examination staff in conducting technology-related reviews, in addition to performing reviews for his own examinations. Mr. Glavocich has had professional experience in key areas of IT, including application development, systems administration, database administration, project management and technology controls. Mr. Glavocich was responsible for shepherding the NYSE examination process to the laptop platform for distributed scope execution at member firms in 1995. Mr. Glavocich has also worked for Siemens and Cap Gemini as a developer in an early portion of his career.
Panelists: Brian Donadio is Principal and Head of Business Continuity Services at Vanguard, where he leads the team of business continuity professionals who have enterprise-wide responsibility for ensuring that Vanguard is prepared, around the globe, to face a wide range of business disruptions. Mr. Donadio previously was Principal and Senior Counsel in the Legal & Compliance Division, where he led the team responsible for litigation and dispute resolution, global privacy and data protection regulation, and various legal risk management matters. In addition to working with Vanguard’s U.S. and international retail, institutional, and financial advisor businesses, Mr. Donadio and his team partnered closely with other areas across Vanguard, including information technology, information security, fraud prevention, business continuity, enterprise risk, and enterprise data governance. Mr. Donadio joined Vanguard after serving as a law clerk in the U.S. District Court for the Eastern District of Pennsylvania and working as a litigation associate at Dechert LLP. Mr. Donadio graduated cum laude from the University of Michigan Law School and received his B.A., with honors, from the University of Pennsylvania.
Laz Montano serves as the Chief Technology Risk and Security Officer for Voya Financial, responsible for providing leadership, management and strategy for all aspects of technology risk and information security. His first and second lines of defense teams manage and align the company to industry best practices. They take a broad, risk-based approach to effectively safeguarding company, employee and customer information across Voya products, channels and lines of business. Mr. Montano joined Voya in June 2014, bringing more than 25 years of information technology and security experience to his role. Before joining Voya, Mr. Montano was the Chief Information Security Officer at MetLife, a Fortune 50 financial services company spanning 46 countries with 70,000 employees, serving 90 million customers. He was accountable for the creation and maintenance of security infrastructure, information security policy, risk assessments, incident response, security awareness and training programs. He also serves on the National Technology Security Coalition’s (NTSC) Board of Directors, representing the financial services industry. In this role, he helps influence the strategic direction of the NTSC and joins chief information security officers (CISOs) who represent a broad cross-section of enterprise companies. These CISOs have a vested interest in protecting the security of their customers and employees through policies that improve national cybersecurity standards and awareness. Mr. Montano completed his undergraduate studies at Charter Oak College and the University of Connecticut, and received a Master of Business Administration (MBA) degree from Rensselaer Polytechnic Institute. He is a Certified Information Security Manager (CISM) and holds Certified in the Governance of Enterprise IT (CGEIT) accreditation.
2018 Cybersecurity Conference, February 22 | New York, NY
Steps to Take Now to be Ready if Your Organization is Breached
Panelists
Moderator: Lloyd Glavocich, Principal Examiner, IT ROOR, FINRA Member Regulation, Office of Risk Oversight and Operational Regulation
Panelists: Brian Donadio, Principal and Head of Global Business Continuity Services, Vanguard; Laz Montano, Chief Technology Risk and Security Officer, Voya Financial
Discussion Agenda
Firm’s Response Team
Assembling Crisis Task Force
Exercising of Playbook Scenarios
Involvement of External Resources
Assessment of Losses
Communications Plan
Firm’s Response Team
Response Team Structure
Incident Response Playbook
Functional Involvement
Business Response
Communications / Media Relations
Technology Tooling and Capabilities
Assigned Personnel
Assembling Crisis Task Force
Clearly identified lines of communication
Clearly identified gold copy of information
Identification of Command Centers (in person / remote)
Technology-to-Business communication
Establishing a Senior Crisis Leader
Crisis Management Coordinator: knows all actors and responsibilities / keeps actors focused
Exercising of Playbook Scenarios
Red Team / Blue Team Exercises
All inclusive to ensure “lockstep” understanding.
Clarity of responsibilities.
Announced and Unannounced Exercises
Importance of Reports and Post Mortems
Learning and Fortifying Playbook
Involvement of External Resources
External Resources may include:
Legal Counsel with Crisis Experience
Consultants and Advisors
Service Providers
Should be included in exercises
Essential that employees know external contributors
Must be able to be mobilized at a moment’s notice
Assessment of Losses
Ascertain a picture of impact, to the extent possible
Include known data and monetary losses
Prepare to communicate all that is known
Issue caveat that the situation is still developing
Establish methods to receive updates: hot lines, websites, media contacts
Communications Plan
Create and socialize crisis communication plan
Establish restrictions for engaging the Media
Communicate to regulators, customers & employees
Avoid the negative interpretation of “no comment”
If caused by criminal act, coordinate with FBI and Law Enforcement to stand shoulder-to-shoulder
Frame the situation to instill confidence in resolution
Plenary Session: Cybersecurity: The Current Regulatory Environment: Insight from Regulators and Industry Experts
Thursday, February 22, 3:45 p.m. – 4:45 p.m.
With recent high-profile data breaches, cybersecurity continues to be a frequent hot topic within the financial services industry. During this session, panelists answer your questions related to the cybersecurity regulatory landscape, insider threats and other important issues. You will hear their perspectives on effective practices and helpful tips they have identified.
Moderator: John Brady, Vice President and Chief Information Security Officer, FINRA Technology, Cyber & Information Security
Panelists: Christopher Hetner, Senior Cybersecurity Advisor to the Chairman, U.S. Securities and Exchange Commission (SEC)
Brian Peretti, Esq., Director for the Office of Critical Infrastructure Protection and Compliance Policy, U.S. Department of the Treasury
John Zecca, Senior Vice President of MarketWatch, Head of Market Regulation for the U.S. Markets and Chief Regulatory Officer, Nasdaq, Inc.
Cybersecurity the Current Regulatory Environment: Insight from Regulators and Industry Experts

Panelist Bios:

Moderator: John Brady is Vice President in Technology for Cyber and Information Security for FINRA, and is the organization’s Chief Information Security Officer (CISO). In this capacity, he is responsible for all aspects of FINRA’s information and cyber security programs, and ensures compliance with related laws and regulations. He oversees staff focused in four primary information security areas: security architecture and controls, security management tools, application security, and identity management. Mr. Brady, along with counterparts in FINRA’s Data Privacy Office, establishes policy and technical controls to ensure information is appropriately protected throughout its lifecycle. He began his career with FINRA more than 10 years ago as the Director of Networks and Firewalls. He then broadened and deepened his technical knowledge by taking on responsibility for server and storage infrastructure, where he led system engineering efforts to expand the capacity and performance of Market Regulation systems in response to data volumes growing more than 40 percent year over year. Mr. Brady recently led the establishment, design, and implementation of FINRA’s new data centers and the seamless migration of more than 175 applications from an outsourcer to those new data centers. Prior to the commencement of his work with FINRA in October 2002, Mr. Brady was Director of Networks at VeriSign from 2000 to 2002 and at Network Solutions from 1998 to 2000. From 1995 to 1998, he built and operated Citibank’s Internet Web and email services as Vice President, Internet Services. From 1993 to 1995, Mr. Brady worked for Sun Microsystems as Senior Consultant, where he built integrated network systems for prominent customers. Mr. Brady began his professional career as a member of technical staff at The Aerospace Corporation from 1987 to 1993, designing satellite systems and command and control networks for the Air Force Space Command. Mr. Brady holds a bachelor’s degree in Computer and Electrical Engineering from Purdue University in West Lafayette, Indiana, and a master’s degree in Industrial Engineering and Operations Research from the University of California at Berkeley. He also is an (ISC)2 Certified Information Systems Security Professional (CISSP).

Panelists: Christopher Hetner is Senior Advisor to the Securities and Exchange Commission Chairman on Cybersecurity. In this role he is responsible for leading efforts across the agency to address cybersecurity policy, uplifting the SEC’s internal cybersecurity capabilities, engaging with external stakeholders and further enhancing the SEC’s mechanisms for assessing broad-based market risk. Mr. Hetner is also a leading member of the US Treasury Financial and Banking Information Infrastructure Committee, where he provides leadership across a range of cybersecurity programs impacting the financial services sector. Mr. Hetner has more than 25 years of experience in Cybersecurity, Risk Management and Regulatory Compliance. Prior to his current role he led Cybersecurity for the Technology Control Program within the Office of Compliance Inspections and Examinations. He joins the SEC from Ernst and Young (EY), where he led the Wealth and Asset Management Sector Cybersecurity practice. At EY, his team advised and delivered cybersecurity and risk management capabilities across major financial services firms. In addition to leading the practice, Mr. Hetner served as a senior advisor to a wide range of corporate directors and executive management. Prior to joining EY he was the Chief Information Security Officer (CISO) at GE Capital, where he was responsible for building and leading the global Cybersecurity program. He led a global organizational cybersecurity uplift that significantly improved GE Capital’s risk posture. Prior to GE Capital, Mr. Hetner was responsible for leading global information security programs and operations for Citi’s Capital Markets and Investment Banking unit. Mr. Hetner developed capabilities that transformed how Citi integrated information security into business operations while meeting regulatory compliance requirements. Mr. Hetner holds industry-leading certifications including the CISSP (Certified Information Systems Security Professional), NSA INFOSEC Assessment Certification and CISM (Certified Information Security Manager). He earned an M.S. in Information Assurance cum laude from Norwich University and a B.S. in Security Management from John Jay College of Criminal Justice, The City University of New York.

Brian J. Peretti, Esq., is Director for the Office of Critical Infrastructure Protection and Compliance Policy at the United States Department of the Treasury, located in Washington, D.C. At the Department of the Treasury, Mr. Peretti supervises the planning, evaluation and implementation of information security, information assurance, and risk management policies related to critical infrastructure protection, cyber security and homeland security. He leads the efforts of the Financial and Banking Information Infrastructure Committee (FBIIC), an interagency organization chartered under the President's Working Group for Financial Markets and composed of 18 federal and state financial regulatory agencies. He is the relationship manager to the Departments of Homeland Security, Energy, Transportation, Justice and Defense, and the Intelligence Community, on Homeland Security issues. He represents the Treasury on various interagency groups, including the Cyber Interagency Planning Committee (Cyber–IPC), the National Cyber Response Coordination Group, and the National CIP R & D draft group. He is the emergency coordinator for the Treasury’s Domestic Finance area, where he leads efforts in the areas of business continuity and disaster recovery. He directs the Treasury’s effort to implement a Research and Development agenda, created in coordination with the financial services sector, to address technology issues. He has lectured extensively and has authored six books on topics related to financial institutions, including, most recently, co-authoring with Barkley Clark and Mark Hargrave Compliance Guide to Payment Systems: Law and Regulations. Prior to joining the Treasury Department, Mr. Peretti was an associate in Shook, Hardy & Bacon’s Corporate Banking and Finance Section in Washington, D.C. Prior to that position, Mr. Peretti was General Counsel for the Wright Patman Congressional Federal Credit Union, which serves the U.S. House of Representatives and associated groups. Mr. Peretti received his bachelor’s degree from Rider University cum laude in 1989 and his law degree from American University, Washington College of Law, cum laude in 1992.

John Zecca is Senior Vice President of MarketWatch and Head of Market Regulation of the U.S. Markets operated by Nasdaq, Inc. He is also chief regulatory officer of several national securities exchanges and served as chairman of Nasdaq’s Global Risk Steering Committee until January 2017. In these capacities, he oversees a team of regulatory analysts, programmers and attorneys responsible for maintaining fair and orderly markets and for compliance by Nasdaq’s registered broker dealers. He also oversees regulatory services performed by FINRA for Nasdaq’s markets. Mr. Zecca previously served as Nasdaq’s senior corporate counsel and was responsible for public company compliance and mergers and acquisitions. He is a frequent speaker on market regulation, corporate governance and Sarbanes-Oxley issues. Prior to joining Nasdaq, Mr. Zecca served as legal counsel to an SEC commissioner and in the SEC’s Office of General Counsel. He practiced corporate securities law at the firms of Hogan & Hartson (now Hogan Lovells) and Kaye Scholer. He served as law clerk for Hon. John H. Pratt of the United States District Court for the District of Columbia.
2018 Cybersecurity Conference
February 22 | New York, NY
Plenary Session: Cybersecurity the Current Regulatory Environment: Insight from Regulators and Industry Experts
Moderator
John Brady, Vice President and Chief Information Security Officer, FINRA Technology, Cyber & Information Security
Panelists
Christopher Hetner, Senior Cybersecurity Advisor to the Chairman, U.S. Securities and Exchange Commission (SEC)
Brian Peretti, Esq., Director for the Office of Critical Infrastructure Protection and Compliance Policy, U.S. Department of Treasury
John Zecca, Senior Vice President of MarketWatch, Head of Market Regulation for the U.S. Markets and Chief Regulatory Officer, Nasdaq, Inc.