Welcome Remarks Thursday, February 22 9:00 a.m. 9:15 a.m.


Welcome Remarks
Thursday, February 22, 9:00 a.m. to 9:15 a.m.

Speaker: Steven Randich, Executive Vice President and Chief Information Officer, FINRA Office of the Chief Information Officer

Speaker Biography: Steven J. Randich, Executive Vice President and Chief Information Officer (CIO), oversees all technology at FINRA. Previously, Mr. Randich served as Co-CIO at Citigroup, and CIO and Global Head of Technology for Citigroup's Institutional Clients Group. Prior to joining Citigroup, he was Executive Vice President of Operations and Technology and CIO at NASDAQ, where he was responsible for all aspects of NASDAQ technology, including applications development and technology infrastructure. From 1996 to 2000, Mr. Randich served as Executive Vice President and CIO for the Chicago Stock Exchange. He was responsible for all technology, trading-floor and back-office operations, and business product planning and development. Prior to joining the Chicago Stock Exchange, Mr. Randich was a Managing Principal at IBM Global Services and a Manager at KPMG. Mr. Randich has an undergraduate degree in computer science from Northern Illinois University and an M.B.A. from the University of Chicago.

© 2018 Financial Industry Regulatory Authority, Inc. All rights reserved.

2018 Cybersecurity Conference, February 22, New York, NY: Welcome Remarks

Panelists

Speaker: Steven Randich, Executive Vice President and Chief Information Officer, FINRA Office of the Chief Information Officer

FINRA Cybersecurity Conference 2018 © FINRA. All rights reserved.

Keynote Address With Jeff Lanza
Thursday, February 22, 9:15 a.m. to 9:45 a.m.

Speaker: Jeff Lanza, Retired FBI Agent

Speaker Biography: Jeff was chosen as the best speaker in the 50-year history of Kansas City's prestigious Plaza Club. He is a professional speaker who has provided over one thousand presentations on the topics of cybercrime, leadership, crisis communication, ethics, identity theft, body language and more. His clients include 20th Century Fox Entertainment, UBS, Merrill Lynch, Morgan Stanley, Nationwide, Citigroup, The Young Presidents Organization, American Century, Hallmark, H & R Block, Hess Oil, Standard and Poor's, Financial Executives International, U.S. Bank, Wells Fargo and others. He developed and presented a program on identity theft prevention which was used to educate a nationwide audience of Citigroup employees. His program on the topic of leadership integrity has been certified for education credits across the United States. Jeff was the 2017 International Keynote Speaker for a cyber security road show in Australia, during which he spoke to businesses about cyber crime prevention.

Jeff was head of operations security for the Kansas City FBI and a graduate of the world-renowned John E. Reid School of Interviewing and Interrogation. He is a certified FBI instructor and has trained numerous government agencies and corporate clients on how to interpret and project body language for more effective interpersonal communication. In addition to his latest book on the topic of cyber security, Jeff authored speeches for FBI executives and has been published in The Kansas City Star, Ingram's Magazine and on the FBI National Web site. Jeff consulted for Academy Award-winning director Ang Lee during the production of Ride with the Devil, and he has provided regular consulting services for television and movie production in Hollywood at Steele Films and Granfalloon Productions.

Jeff was a major contributor and appeared on camera in a recent episode of The History Channel's America's Book of Secrets. He was featured in the companion documentary to the major theatrical release Runner Runner, which stars Ben Affleck and Justin Timberlake. Jeff has been featured in television commercials on the topic of fraud prevention. Jeff was recruited by the FBI from Xerox Corporation, where he was a Computer Systems Analyst. He has an undergraduate degree in Criminal Justice from the University of New Haven (Connecticut) and a master's degree in Business Administration from the University of Texas.

2018 Cybersecurity Conference, February 22, New York, NY: Keynote Address With Jeff Lanza

Panelists

Speaker: Jeff Lanza, Retired FBI Agent

Preventing Identity Theft 2018
Presented by Retired FBI Special Agent Jeff Lanza

1. Protect Your Personal Information
- Don't carry your social security card.
- Don't provide your social security number to anyone unless there is a legitimate need for it.
- Be aware that most Medicare cards use the social security number as the Medicare number. Take steps to protect your card.

2. Protect Your Documents
- Shred your sensitive trash with a cross-cut or micro-cut shredder.
- Don't leave outgoing mail with personal information in your mailbox for pickup.

3. Be Vigilant Against Tricks
- Never provide personal information to anyone in response to an unsolicited request.
- Never reply to unsolicited e-mails from unknown senders or open their attachments.
- Don't click on links in e-mails from unknown senders.

4. Protect Your Communications
- Keep your computer and security software updated.
- Don't conduct sensitive transactions on a computer that is not under your control.
- Protect your Wi-Fi with a strong password and WPA2 encryption.

5. Protect Your Digital World
- Use strong passwords with at least eight characters, but the longer the stronger. Try random words strung together or phrases.
- Use different passwords for your various accounts.
- If you store passwords in a file on your computer, encrypt the file when you save it and assign a strong password to protect that file. This sounds obvious, but don't name the file "passwords".
- Consider using password management programs.

Social Networking Security Reminders
1. Log in directly, not through links.
2. Only connect to people you know and trust.
3. Don't put your e-mail address, physical address, phone number or other personal information in your profile.
4. Sign out of your account after you use a public computer.

Identity Theft for Tax-Related Purposes
If you are the victim of identity theft, or at risk because your information has been breached, go to this site:

To remove your name from lists: Mail - Phone -
To stop preapproved credit card offers: or OPTOUT ( )

Speaker Information: Jeff Lanza; Phone: ; E-mail: jefflanza@thelanzagroup.com; Web Site:

Credit Reporting Bureaus
- Equifax: (800) ; (800) to freeze your credit report. P.O. Box , Atlanta, GA
- Experian: (888) ; (888) to freeze your credit report. P.O. Box 9530, Allen, TX
- Trans Union: (800) ; (888) for freezing your credit report. P.O. Box 2000, Chester, PA
- Innovis: (800) ; (800) to freeze your credit report. P.O. Box 1640, Pittsburgh, PA

You are allowed 3 free reports each year; to order: Web: or
Your credit report at Innovis must be ordered from:

Terms to Understand:
1. Fraud Alert: Your credit file at all three credit reporting agencies is flagged and a potential lender should take steps to verify that you have authorized the request. Inside Scoop: Fraud alerts only work if the merchant pays attention and takes steps to verify the identity of the applicant. They expire in 90 days unless you have been a victim of identity theft, in which case you can file an extended alert, which lasts for seven years.
2. Credit Monitoring: Your credit files are monitored by a third party; if activity occurs you are notified. Inside Scoop: Credit monitoring does not prevent fraud; it only notifies you when your credit reports have been accessed, which is an indication that fraud may have occurred.
3. Credit Freeze: A total lockdown of new account activity in your name. This requires unfreezing before you can open an account. Inside Scoop: A proven way to protect against identity theft. Credit freeze laws vary by state. To check yours, go to your state Attorney General's website and search for "credit report freeze".

To Report Internet Fraud: Key Numbers
- FBI: (202) or your local field office
- FTC: IDTHEFT
- IRS:
- Postal Inspection Service:
- Social Security Administration:
- Identity Theft Resource:

Cyber Fraud: Preventing Account Takeovers
Presented by Retired FBI Special Agent Jeff Lanza

Problem: Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts. Often these funds may not be recovered. Where cyber criminals once attacked mostly large corporations, they have now begun to target municipalities, smaller businesses, and non-profit organizations. Thousands of businesses, small and large, have reportedly fallen victim to this type of fraud. Source: FBI

How it is Done: Cyber criminals will often phish for victims using mass e-mails, pop-up messages that appear on their computers, and/or the use of social networking and internet career sites. For example, cyber criminals often send employees unsolicited e-mails that:
- Ask for personal or account information;
- Direct the employee to click on a malicious link provided in the e-mail; and/or
- Contain attachments that are infected with malware.

Cyber criminals use various methods to trick employees into opening the attachment or clicking on the link, sometimes making the e-mail appear to provide information regarding current events such as natural disasters, major sporting events, and celebrity news to entice people to open e-mails and click. Criminals also may disguise the e-mail to look as though it's from a legitimate business. Often, these criminals will employ some type of scare tactic to entice the employee to open the e-mail and/or provide account information. For example, cyber criminals have sent e-mails claiming to be from:
1. UPS (e.g., "There has been a problem with your shipment.")
2. Financial institutions (e.g., "There is a problem with your banking account.")
3. Better Business Bureaus (e.g., "A complaint has been filed against you.")
4. Court systems (e.g., "You have been served a subpoena.")

Crooks may also use e-mail addresses or other credentials stolen from company websites or victims, such as relatives, co-workers, friends, or executives, designing an e-mail to look like it is from a trusted source to entice people to open e-mails and click on links. They may also use variations of domains that closely resemble the company's domain and may go unnoticed by the recipient who is being requested to make the transfer.

Speaker Information: Jeff Lanza; Phone: ; E-mail: jefflanza@thelanzagroup.com; Web Site:

Businesses May Absorb Losses! The Uniform Commercial Code does not require banks to refund money lost by fraudulent transfer.

What You Can Do to Keep Safe - Education
- Educate everyone on this type of fraud scheme.
- Don't respond to or open attachments or click on links in unsolicited e-mails.
- If a message appears to be from your financial institution and requests account information, do not use any of the links provided.
- Be wary of pop-up messages claiming your machine is infected and offering software to scan and fix the problem, as it could actually be malicious software that allows the fraudster to remotely access and control your computer.

Preventing Wire Transfer/ACH Fraud
1. Conduct online banking and payments activity from one dedicated computer that is not used for other online activity.
2. Use all bank-provided wire transfer controls.
3. Require two persons to consummate all wire transfers to external parties.
4. Require the bank to talk to someone at your organization before the wire transfer is consummated.
5. Restrict the bank accounts from which a wire transfer can be made.
6. Any wire transactions over a set high dollar amount must have the approval of the business owner/CEO.
7. Use unique passwords or a bank-supplied token to access wire-transfer software.
8. Review daily bank account activity on a regular basis.
9. Require sufficient documentation and have a second person review all wire transfer journal entries.
10. Establish positive pay and block for ACH transactions. This will eliminate the possibility of non-approved transactions.
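The handout warns that criminals register domains that closely resemble the company's own domain so that a transfer request "may go unnoticed by the recipient". The following is an added example, not part of Mr. Lanza's handout or any FINRA material, of the kind of defensive check a mail gateway or security team can run against sender addresses: it flags domains that differ from the company's domain by a character or two, that swap in look-alike characters (such as "1" for "l" or "rn" for "m"), or that embed the company's name inside an unrelated domain. The company domain `examplecorp.com` and the sample messages are constructed for the illustration.

```python
"""Look-alike sender domain check (added example; not from the original handout).

Flags sender addresses whose domain closely resembles, but is not, the
company's own domain: single-character edits, digit/letter look-alikes
(examp1ecorp), letter-pair look-alikes (exarnplecorp), and foreign domains
that embed the company name (examplecorp-payments.com). The company domain
and the sample messages are constructed for this illustration.
"""

# Assumed legitimate domain(s) of the company (constructed for this example).
COMPANY_DOMAINS = {"examplecorp.com"}

# Character sequences commonly swapped in look-alike registrations, mapped to
# what they imitate. Multi-character keys are listed first so they are applied first.
HOMOGLYPH_MAP = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Maximum edit distance (after homoglyph normalisation) still treated as a look-alike.
MAX_EDIT_DISTANCE = 2


def sender_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def normalize(domain):
    """Replace common visual substitutes so 'examp1ecorp' compares equal to 'examplecorp'."""
    for fake, real in HOMOGLYPH_MAP:
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address):
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike' or 'other'."""
    domain = sender_domain(address)
    if domain in COMPANY_DOMAINS:
        return "legitimate", "exact match of company domain"
    norm = normalize(domain)
    for company in COMPANY_DOMAINS:
        company_norm = normalize(company)
        if norm == company_norm:
            return "lookalike", f"homoglyph variant of {company}"
        distance = levenshtein(norm, company_norm)
        if distance <= MAX_EDIT_DISTANCE:
            return "lookalike", f"{distance} edit(s) away from {company}"
        brand = company.split(".")[0]
        if brand in norm:
            return "lookalike", f"company name '{brand}' embedded in foreign domain"
    return "other", "unrelated domain"


def scan(messages):
    """Return [(from_address, reason)] for every message whose sender is a look-alike."""
    flagged = []
    for msg in messages:
        verdict, reason = classify(msg["from"])
        if verdict == "lookalike":
            flagged.append((msg["from"], reason))
    return flagged


# Constructed sample messages (not real traffic); the subjects are illustrative only.
SAMPLE_MESSAGES = [
    {"from": "cfo@examplecorp.com", "subject": "Q1 numbers"},
    {"from": "cfo@examp1ecorp.com", "subject": "Urgent wire request"},
    {"from": "cfo@exarnplecorp.com", "subject": "Urgent wire request"},
    {"from": "cfo@examplecrop.com", "subject": "Updated banking details"},
    {"from": "ceo@examplecorp-payments.com", "subject": "Vendor change"},
    {"from": "it@examplecorp.com.login-portal.net", "subject": "Password reset"},
    {"from": "newsletter@unrelated-vendor.org", "subject": "Monthly update"},
]

if __name__ == "__main__":
    for addr, reason in scan(SAMPLE_MESSAGES):
        print(f"FLAG {addr}: {reason}")
```

The check is deliberately conservative: an exact match of the registered company domain is trusted, anything within two edits or embedding the company name after normalisation is flagged for a human to review before any transfer is approved, and everything else is simply "other" rather than blocked. The naive substring check for the brand name produces false positives on genuinely unrelated domains that happen to contain it, which is acceptable for a review queue but would need a whitelist before being used to reject mail.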

Cyber Security and Fraud Prevention for Organizations
Presented by FBI Special Agent Jeff Lanza (Retired)

Five Common Scams That Target Businesses of All Sizes
1. Phishing E-mails: Phishing e-mails specifically target business owners with the goal of hacking into their computer or network. Common examples include e-mails pretending to be from the IRS claiming the company is being audited, or phony e-mails from the Better Business Bureau saying the company has received a complaint. If you receive a suspicious e-mail like this, don't click on any links or open any attachments.
2. Data Breaches: No matter how vigilant your company is, a data breach can still happen. Whether it's the result of hackers, negligence or a disgruntled employee, a data breach can have a severe impact on the level of trust customers have in your business. Educate employees on the importance of protecting information and practice the "need to know" policy internally.
3. Directory Scams: Commonly the scammer will call the business claiming they want to update the company's entry in an online directory, or the scammer might lie about being with the Yellow Pages. The business is later billed hundreds of dollars for listing services they didn't agree to.
4. Overpayment Scams: If a customer overpays using a check or credit card and then asks you to wire the extra money back to them or to a third party, don't do it. This is a very popular method to commit fraud. Wait until the original payment clears and then offer the customer a refund by check or credit.
5. Phony Invoices: The United States Postal Service suspects that the dollar amount paid out to scammers as a result of phony invoices may be in the billions annually, mostly from small and medium sized businesses. Scrutinize invoices carefully and conduct regular audits of accounts payable transactions.

A pre-employment background investigation should include checks and verifications in the following areas:
- Employment history
- Education
- Professional accreditation
- Military record
- Credit history
- Motor vehicle record
- Arrests
- Workplace violence or threatening behavior

Speaker Information: Jeff Lanza; Phone: ; E-mail: jefflanza@thelanzagroup.com; Web Site:

Preventing Check Fraud
- Use Positive Pay, the annual cost of which is far below the cost of one average check fraud case.
- Use secure checks, which include many features to prevent different types of check fraud.
- Securely store check stock, deposit slips, bank statements and cancelled checks.
- Implement a secure financial document destruction process using a high security shredder.
- Establish a secure employee order policy for check stock.
- Purchase check stock from established vendors.
- Regularly review online images of cancelled checks.

Preventing Embezzlement
Things You Should Do:
1. Separate duties and powers with regard to payments and account reconciliation.
2. Establish a tips hotline that offers anonymity and the possibility of a reward.
3. Conduct surprise audits, as employees may be able to cover up some fraud in advance of an audit.
4. Never completely trust anyone; many large fraud cases have been undertaken by a most trusted employee.

Watch Out When an Employee:
1. Doesn't want to take a day off.
2. Makes expensive purchases including luxury items, cars, boats, exotic vacations and second homes.
3. Has high personal debt, high medical bills, poor credit, personal financial loss and addictions.

Red Flags That May Signal Integrity Issues
- Cynicism
- Alienation from coworkers
- Poor or inconsistent work performance
- Resentment of management
- Behavioral changes or work habit changes
- Employee sense of entitlement

To Promote an Ethical Workplace
- Demonstrate top management commitment.
- Communicate expectations on a regular basis.
- Maintain focus on vision and mission.
- Monitor conduct: trust but verify.
- Maintain whistleblower channels and policies.
- Respond quickly to misconduct.
- Reward acts of integrity.

Protecting Your Family in The Information Age (2018)
Presented by Retired FBI Special Agent Jeff Lanza

Never go to a login page through a link in an e-mail or a pop-up. Always go to the login page directly by typing the site name or, preferably, through a stored bookmark that you created.

General Rules for Computer Security:
- If you were not looking for it, then don't download it.
- Keep your software current with the latest updates.
- Don't click on links in e-mails from unknown senders.
- Be cautious when clicking on links in e-mails from known senders, as their account may have been hijacked.
- Keep your PC protected with Windows Defender or antivirus software from a third party.
- Use CTRL+ALT+DEL to exit a pop-up safely in Windows. Use CMD+Option+Escape to exit a pop-up on a Mac.

Current Threats
- Fake Notification E-mails: Watch out for fake e-mails that look like they came from Facebook. These typically include links to phony pages that attempt to steal your login information or prompt you to download malware. Never click on links in suspicious e-mails. Log in to a site directly.
- Suspicious Posts and Messages: Wall posts or messages that appear to come from a friend asking you to click on a link to check out a new photo or video that doesn't actually exist. The link is typically for a phony login page or a site that will put a virus on your computer to steal your passwords.
- Money Transfer Scams: Messages that appear to come from friends or others claiming to be stranded and asking for money. These messages are typically from scammers. Ask them a question that only they would be able to answer, or contact the person by phone to verify the situation, even if they say not to call them.

General Online Safety Rules
- Be wary of strangers. The internet makes it easy for people to misrepresent their identities and motives. If you interact with strangers, be cautious about the amount of information you reveal.
- Be skeptical. People may post false or misleading information about various topics, including their own. Try to verify the authenticity of any information before taking any action.
- Evaluate your settings. Use privacy settings. The default settings for some sites may allow anyone to see your profile. Even private information could be exposed, so don't post anything that you wouldn't want the public to see.

Two Factor Authentication
Requires you to provide a password and a PIN code (most often sent to your phone) to log in to online accounts. Use this to prevent hijacking of your accounts. In most cases you can set this up in the settings section of your account.

Popular Programs
- Malware Removal: Malwarebytes.
- Password Management: Keeper, LastPass, Dashlane.

Specific Actions to Avoid
1. Don't click on a message that seems weird. If it seems unusual for a friend to post a link, that friend may have gotten their site hijacked.
2. Don't enter your password through a link. Just because a page on the Internet looks like Facebook, it doesn't mean it is. It is best to go to the Facebook login page through your browser.
3. Don't use the same password on Facebook that you use in other places on the web. If you do this, phishers or hackers who gain access to one of your accounts may be able to access your other accounts as well, including your bank.
4. Don't click on links or open attachments in suspicious e-mails. Fake e-mails can be very convincing, and hackers can spoof the "From:" address so the e-mail looks like it's from a social site. If the e-mail looks weird, don't trust it. Delete it.
5. Don't send money anywhere unless you have verified the story of someone who says they are your friend or relative.

Ransomware (aka Cryptowall)
This fraud scheme begins when the victim clicks on an infected advertisement, e-mail, or attachment, or visits an infected website. Once infected with the ransomware, the victim's files become encrypted. In most cases, once the victim pays a ransom fee, they regain access to the files that were encrypted. Here are three ways to stay protected:
- Educate computer users about clicking on suspicious links or pop-ups. Sometimes these come in the form of a package delivery notification from major brand names like Amazon, FedEx or UPS.
- Enable pop-up blockers. Pop-ups are regularly used by criminals to spread malicious software.
- Always back up the content on your computer. If you are infected by ransomware, you can have your system wiped clean and then restore your files from your backup. Also, because ransomware can infect all hard drives, disconnect the backup drive when not in use or use cloud backup.

Password Management
Try to use different strong passwords for all your accounts. At a minimum, have different passwords for multiple accounts: social networking, financial and employer sites.

Speaker Information: Jeff Lanza; Phone: ; E-mail: jefflanza@thelanzagroup.com; Web Site:

Chief Compliance Officer's (CCO's) Role in Cybersecurity
Thursday, February 22, 10:00 a.m. to 11:00 a.m.

Increased use of technologies such as mobile devices, social media and cloud computing has increased the risk posed by cyber criminals. As a result, in addition to other compliance matters, the CCO is now also responsible for assisting and protecting company information technology (IT) systems. During this session, panelists discuss the role CCOs can play in a firm's cybersecurity program.

Moderator: Steven Polansky, Senior Director, FINRA Office of Reg Ops Shared Services

Panelists:
- Jose Dominguez, Chief Information Security Officer, TD Ameritrade, Inc.
- Ann Grady, Chief Compliance Officer, Tastyworks, Inc.
- Ann McCague, Managing Director and Global Head of Compliance, Piper Jaffray & Co.
- Kyle Wootten, Chief Compliance Officer of Operations, Finance and Technology, Raymond James Financial

Chief Compliance Officer's (CCO's) Role in Cybersecurity
Panelist Bios:

Moderator: Steven Polansky is Senior Director in FINRA's Office of Shared Services. In this capacity, Mr. Polansky leads special national initiatives, including FINRA's digital investment advice and earlier cybersecurity and conflicts of interest reviews, and special projects. In addition, he leads development of FINRA's annual regulatory and examination priorities. Previously, Mr. Polansky worked in FINRA's International Department, where he was responsible for analyzing international regulatory developments and leading FINRA's relationships with select financial regulators in Europe and Asia as well as international financial institutions. In addition, Mr. Polansky led advisory projects in a number of jurisdictions related to, among other things, risk-based supervision, prudential oversight and market surveillance. Prior to joining FINRA, he was a management consultant with PricewaterhouseCoopers, and he served for seven years as a professional staff member on the Committee on Foreign Relations in the United States Senate. At the Committee, Mr. Polansky was responsible for advising the Chairman on funding for the Department of State and other foreign policy agencies, missile non-proliferation and international environmental issues. Mr. Polansky received his master of business administration in finance from The Wharton School at the University of Pennsylvania, his master of public administration from the Kennedy School of Government at Harvard University, and his bachelor's degree in history from Colgate University.

Panelists:

Jose Dominguez is Chief Information Security Officer at TD Ameritrade. He joined TD Ameritrade Holding Corporation (Nasdaq: AMTD) in He has been responsible for the development, maintenance and implementation of the enterprise security program and policies since Previous to his CISO role, Mr. Dominguez was in various management positions within technology leading Infrastructure and Application Development teams. Prior to joining TD Ameritrade, Mr. Dominguez spent 10 years with the brokerage firm Gruntal & Co. in various application development roles supporting front and back-office functions. He currently sits on the SIFMA Board Subcommittee on Cybersecurity and is a member of the NJ CISO Summit Governing Body.

Ann C. McCague has served as Managing Director and Global Head of Compliance for Piper Jaffray Companies since 2005, where she is responsible for regulatory compliance at all group affiliates, including Piper Jaffray & Co., the U.S. broker/dealer and primary operating entity, two foreign broker/dealers and five separate registered investment advisors. Ms. McCague's career path covers 35 years in the industry, including CCO positions at Dain Rauscher and Think Equity Partners, as well as prior senior compliance positions at national firms. Given her broad scope of knowledge and as a seasoned expert, she is a frequent conference panelist. Ms. McCague is or has been a member of numerous FINRA and SIFMA committees. Ms. McCague is a graduate of Augsburg College in Minneapolis, MN, where she earned a master's degree in Leadership and an undergraduate degree in English, with a Communications minor.

Kyle Wootten is the Chief Compliance Officer of Operations, Finance and Technology for Raymond James Financial and a member of the RJF Compliance Executive Leadership Team. In this role, Mr. Wootten is responsible for providing strategic direction and management of the compliance framework for various areas that cross multiple functions and entities affiliated with RJF. Specifically, this includes the compliance advice, oversight and testing of the Operations areas of the clearing firm, Raymond James & Associates, which includes oversight of RJA's clearing and custodial businesses for unaffiliated introducing firms and registered investment advisers, the Financial, Regulatory Reporting and Treasury functions of the affiliated broker-dealers of RJF, and Information Technology, which includes management of the RJF Informational Governance Program. Mr. Wootten is a member of the 17a-5 Steering Committee, the Enterprise Information Technology Risk Board, the Stock Loan Committee for RJA and the Operational Risk Board. Prior to joining RJF, Mr. Wootten was the Deputy Director of Regulatory and Compliance for Thomson Reuters, where he supported the assessment and development of regulatory solutions for the BETA Systems, and worked closely with end-clients on a myriad of regulatory matters, primarily focused on the street-side settlement functions. For nearly 14 years prior to that, he served in various compliance and business roles at Wells Fargo Advisors, including the predecessor firms of Wachovia Securities and A.G. Edwards. During that time, Mr. Wootten held roles providing legal and compliance support to Capital Markets, Trading, and Operations, Technology and Finance. Additionally, he managed the Regulatory Change Management function, and was a member of the leadership team of the Wells Fargo Regulatory Reform Program managing the compliance and business analyst resources responsible for implementation of major regulatory initiatives at the firm. Mr. Wootten has an undergraduate degree in Economics and a law degree from Saint Louis University.

2018 Cybersecurity Conference, February 22, New York, NY: Chief Compliance Officer's (CCO's) Role in Cybersecurity

Panelists

Moderator: Steven Polansky, Senior Director, FINRA Office of Regulatory Operations / Shared Services

Panelists:
- Jose Dominguez, Chief Information Security Officer, TD Ameritrade, Inc.
- Ann Grady, Chief Compliance Officer, Tastyworks, Inc.
- Ann McCague, Managing Director and Global Head of Compliance, Piper Jaffray & Co.
- Kyle Wootten, Chief Compliance Officer of Operations, Finance and Technology, Raymond James Financial

To Access Polling
Under the Schedule icon on the home screen, select the day, choose the "Chief Compliance Officer's (CCO's) Role in Cybersecurity" session, and click on the polling icon.

Polling Question 1
1. Does your firm have a CISO?
a. Yes
b. No

Polling Question 2
2. Does your firm have a formal technology risk governance structure (i.e., steering committee) to which important cybersecurity matters are escalated?
a. Yes
b. No

Polling Question 3
3. Are you directly involved in responding to FINRA or SEC cybersecurity-related examinations?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No

Polling Question 4
4. Does your firm have a cybersecurity incident response plan?
a. Yes
b. No

Polling Question 5
5. Does your firm conduct table top exercises to test that plan?
a. Yes
b. No

Polling Question 6
6. Are you directly involved in developing or implementing your firm's response plan?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No

Response to Cybersecurity Threats: Where is the CCO?
- Members should create an incident response plan.
- The plan should include a methodology for communicating to clients, counter-parties, regulators and law enforcement.
- The plan should identify all team members.
- The plan should include escalation procedures.
- The plan should include a methodology for restoring compromised systems and/or data.
- The plan should address and inventory different types of threats.

Polling Question 7
7. Does your firm's training include a specific focus on staff cybersecurity responsibilities?
a. Yes
b. No

Polling Question 8
8. Does your firm use internally developed phishing or other tools designed to assess the efficacy of training?
a. Yes
b. No

Polling Question 9
9. Are you directly involved in the development or delivery of your firm's cybersecurity training?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No

Polling Question
Are you directly involved in the cybersecurity aspects of your firm's vendor management program?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No

FINRA Cybersecurity Conference: Highlights for Compliance Officers, February 22, 2018

FINRA's Cybersecurity Risk Reviews: Where does the CCO Role Lie in These Areas?
- Cybersecurity governance and risk management
- Cybersecurity risk assessments
- Technology governance
- System change management
- Technical controls
- Incident response planning
- Vendor management
- Data loss prevention
- Staff training
- Cyber intelligence and information sharing

Ann M. Grady, Feb. 22

CCO Role When a Cyber-Related Data Breach Occurs
- Who informs the CCO?
- Is the CCO part of the response team?
- Who decides whether regulators must be informed?
- Who decides which states or other authorities, customers, ... need to be informed?

Ann M. Grady, Feb. 22, 2018

CCO or CISO? Staff Training Design
Firms should provide cybersecurity training that is tailored to staff needs and that helps them understand the important role they play in protecting the firm, its clients and its data. This includes:
- defining cybersecurity training needs and requirements;
- identifying appropriate cybersecurity training update cycles;
- delivering interactive training with audience participation to increase retention; and
- developing training around information from the firm's loss incidents, risk assessment process and threat intelligence gathering.

Ann M. Grady, Feb. 22

32 CCO or CISO? Staff Training
Firms should provide cybersecurity training that is tailored to staff needs. Effective practices for cybersecurity training include:
Recognizing risks
Social engineering schemes and phishing
Handling confidential information
Password protection
Escalation policies
Physical security
Mobile security
Ann M. Grady, Feb. 22,

33 Response to Cybersecurity Threats: Where is the CCO?
Members should create an incident response plan.
The plan should include a methodology for communicating to clients, counterparties, regulators and law enforcement.
The plan should identify all team members.
The plan should include escalation procedures.
The plan should address and inventory different types of threats.
The plan should include a methodology for restoring compromised systems and/or data.

34 Vendor Due Diligence: Where is the CCO Role?
It is important for firms to establish appropriate contractual language to govern vendor relationships. The provisions of the contract will govern the vendor's obligations to the firm, as well as identify the firm's prerogatives in relation to the vendor. The stringency of these clauses should be risk-based, with riskier vendor relationships requiring stronger language. This includes:
the manner in which the firm can conduct its ongoing oversight of the vendor;
the conditions for terminating the relationship; and
the vendor's obligations to protect firm information in the event the relationship terminates.
CCO Panel, Feb. 22,

35 Effective Practices for Insider Threats and Third-Party Risk Management
Thursday, February 22, 10:00 a.m. to 11:00 a.m.
Financial institutions are subject to threats on multiple fronts. Two threats of significant and growing concern to our industry include insiders, such as employees, and third parties, such as vendors. We necessarily rely on and trust both insiders and third parties; however, we must exert appropriate oversight if we are to prevent that trust from being violated by either malicious actors, or careless actions or inactions. During this session, panelists discuss case studies and share effective practices firms can use to manage and mitigate these risks, and develop and improve both their insider risk and third-party risk management programs.
Moderator: David Yacono, Senior Director, FINRA Technology, Cyber & Information Security
Panelists:
Brice Cook, Director, Insider Risk Program, FINRA Technology, Cyber & Information Security
Kishen Sridharan, Cybersecurity Partnership and Outreach Executive, Raymond James Financial
Homayun Yaqub, Executive Director, JPMorgan Chase & Co.

36 Effective Practices for Insider Threats and Third-Party Risk Management
Panelist Bios:
Moderator: David Yacono is Senior Director of Cyber & Information Security at FINRA. His current responsibilities include FINRA's software security program, which provides security assurance services to a portfolio of more than 100 internally developed systems, as well as FINRA's third-party risk management program, which evaluates, monitors, and manages the cybersecurity risk posed by FINRA's vendors, cloud providers, and other third-party relationships. Mr. Yacono is also responsible for FINRA's IT Security Risk Management and Compliance programs, which ensure compliance with IT security standards including FISMA, PCI-DSS, and FBI-CJIS. Since joining FINRA in 1999 he has served in various roles responsible for ensuring the secure and reliable operation of FINRA's information technology systems, including security architect and security engineer. Mr. Yacono specializes in the application of information security processes, methodologies, and tools to protect the confidentiality, integrity, and availability of information and information processing systems, with special emphasis on financial services; he has nearly 25 years of experience in cybersecurity. Mr. Yacono earned a Bachelor of Science in Electrical Engineering from the University of Maryland, and holds current certifications as a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP), and a Certified Third Party Risk Management Professional (CTPRP).
Panelists: Brice Cook is FINRA's first Director for Insider Risk, formally establishing the program after joining FINRA in early In this role, he leads a collaborative company-wide effort to develop, implement, and execute the technical and non-technical processes needed to create a holistic system to manage insider risks. Before Mr. Cook came to FINRA, he retired as a Supervisory Criminal Investigator after 29 years of Federal Government service protecting some of the Nation's most critical assets. The last 22 years of his Federal Government tenure were at the Department of Energy, serving as a Director in the Office of Corporate Security and leading efforts in Insider Threat, Special Access Programs, Human Reliability Programs, Investigations, Threat Management, and Executive Protection. Mr. Cook's accomplishments include: establishing the DOE's first formal Insider Threat Program; founding the Protective Services Working Group, a group of over 50 Federal organizations protecting the nation's leadership, of which he also served as Chair; serving as a Chair in the Defense Department's Combating Terrorism Technical Support Office, which provided expertise and oversight in the research and development of personnel protection technologies; serving as a board member of the FBI Joint Terrorism Task Force Executive Board and the DHS Advisory Board for Law Enforcement Officers Flying Armed; and developing policy and guidance for the Federal Government on security professional development and continuity programs. Mr. Cook is a graduate of the 244th session of the FBI National Academy, the Federal Law Enforcement Training Center, and the Federal Executive Institute. Mr. Cook has a Master's in Public Administration from American University. He has a Bachelor's degree from Washington State University. He also holds professional certificates as a Certified Information Systems Security Professional (CISSP) and Insider Threat Program Management (ITPM). Mr. Cook has even worked on the FOX Television show America's Most Wanted, where he supported investigations that led to the arrest of over 150 wanted persons.
Kishen Sridharan is the Cybersecurity Partnership & Outreach Executive, reporting to the Chief Information Security Officer of Raymond James. In this strategic role, he focuses on strengthening and growing Raymond James' network of relationships with outside organizations such as industry associations (e.g., FS-ISAC and SIFMA), peers, government/law enforcement entities, universities, potential new strategic suppliers, and the community. He determines the level of engagement, assesses ROI to Raymond James, and makes sure Raymond James is a valuable contributing partner in return. In prior roles at Raymond James, Mr. Sridharan helped establish a Product Management mindset, framework, and governance structure to deliver highly valuable business outcomes, particularly those which support the Strategic Roadmap. This is the stepping stone to formally converting the InfraSec organization to an as-a-Service model. Before that, he stood up a Project Management Office within InfraSec. Mr. Sridharan has almost 16 years of experience in various facets of technology, project implementation and business process improvement. His experience ranges from compliance, risk management and information assurance to strategic information security consulting. He earned his Bachelor of Science from the Pennsylvania State University in Management Science, Information Systems and International Business and an MBA from the University of Maryland. He is a certified Project Management Professional (PMP) and a Scrum Master (CSM).
Homayun Yaqub is Executive Director in JPMorgan Chase and Company's Global Security and Investigations team, managing the firm's Insider Threat program. Prior to joining JPMorgan Chase in 2015, Mr. Yaqub served in the U.S. Intelligence Community and Department of Defense, with more than 20 years of experience leading sensitive intelligence activities and related programs worldwide. Mr. Yaqub was also a founding member of The MASY Group, a Washington D.C. based security, intelligence, and risk consulting firm supporting both public and private sector clients. He began his career as a U.S. Army officer serving in various roles throughout the United States, the Middle East, South Asia, and Europe. Mr. Yaqub holds a Master's in Conflict Analysis and Resolution from George Mason University and a Bachelor's in International Business from James Madison University.

38 2018 Cybersecurity Conference February 22 New York, NY Effective Practices for Insider Threats and Third-Party Risk Management

39 Panelists
Moderator: David Yacono, Senior Director, FINRA Technology, Cyber & Information Security
Panelists:
Brice Cook, Director, Insider Risk Program, FINRA Technology, Cyber & Information Security
Kishen Sridharan, Cybersecurity Partnership and Outreach Executive, Raymond James Financial
Homayun Yaqub, Executive Director, JPMorgan Chase & Co.

40 To Access Polling
Under the Schedule icon on the home screen, select the day, choose the Effective Practices for Insider Threats and Third-Party Risk Management session, and click on the polling icon.

41 Polling Question 1: Firm Size
1. My firm staff size is:
a. More than 1000
b. 251 to 1000
c. 51 to 250
d. 11 to 50
e. 10 or fewer

42 Polling Question 2: Characterizing Insider and Third-party Risk
2. For my firm, Insider Risk is:
a. A substantial concern
b. A moderate concern
c. A minor concern
d. A negligible concern (e.g., due to extremely small firm size)
e. Not sure

43 Polling Question 3: Characterizing Insider and Third-party Risk
3. For my firm, Third-party Risk is:
a. A substantial concern. The security of my third parties significantly affects my ability to protect my systems/data/processes.
b. A moderate concern
c. A minor concern. There's no obvious way that a security deficiency of one of my third parties could significantly harm me.
d. Not a concern. I have no dependencies on third parties.
e. Not sure

44 Characterizing Insider and Third-Party Risks
Importance of insider and third-party risk
Significance relative to other risk sources
Trends in emphasis? Drivers?

45 Identifying Threat Agents and Risk Factors
Insider Risk
Who are the insider threats?
Risk factors to consider?
Strategies for focusing, prioritizing.
Third-party Risk
What are the third-party threats?
Risk factors to consider?
Strategies for focusing, prioritizing.

46 Polling Question 4: Insider Risk Management
4. My firm's Insider Risk Program is:
a. Mature. Robust strategy with well-defined processes. Advanced controls including predictive analysis and behavioral analytics.
b. Established. A defined insider risk strategy backed by processes and tools that enable enterprise-wide information aggregation and correlation (e.g., SIEM).
c. Nascent. Basic controls in use, but no overarching strategy.
d. Nonexistent. Needed, but not yet established.
e. None needed. We don't see the need for an insider risk program.

47 Insider Risk Management Methodology
Lifecycle: Vetting, Monitoring, Adjudicating, Detection, Analysis
Insider Risk Kill Chain
High-risk employees, assets, operations
Control Techniques:
Basic: SOD, POLP, training, others?
Better: Log aggregation, SIEM, others?
Best: UEBA, leveraging data/analytics, others?
Insider Risk Kill Chain: Recruitment/Tipping Point, Search and Recon, Exploitation, Acquisition, Exfiltration

48 Polling Question 5: Third-party Risk Management
5. My firm's Third-party Risk Program is:
a. Mature. Robust strategy with well-defined processes that are applied to all third parties, and that are quantitatively measured.
b. Established. A defined third-party risk management strategy backed by processes and tools.
c. Nascent. Some controls in place (e.g., vendor questionnaire), but no overarching strategy.
d. Nonexistent. We use third parties, but no explicit risk management controls.
e. None needed. We don't use third parties that impact our risk profile.

49 Third-party Risk Management Methodology
Identifying, prioritizing third parties
Sources of risk: people, process, technology
Assessment: processes, techniques, timing
Assurance/evidence expectations
Controlling risks: contract provisions, other techniques
Risk acceptance? Show stoppers?
Monitoring, detecting changes: changes at the third party; changes in the relationship with the third party
Supporting tools, services
Coordination with organizational stakeholders: infosec, purchasing, legal, etc.

50 Advice for Smaller Firms
Insider Risk
Difference in risk for smaller firms?
Control priorities.
Effective insider risk management on a budget.
Third-party Risk
Difference in risk for smaller firms?
Control priorities.
Effective third-party risk management on a budget.

51 2018 Cybersecurity Conference February 22 New York, NY THANK YOU!

52 Cybersecurity Guidance for Small Firms
Thursday, February 22, 11:15 a.m. to 12:15 p.m.
It is crucial that small financial firms take proper cybersecurity measures to protect their customers and their firm. During this session, panelists provide risk-based, threat-informed effective practices applicable to small firms and supportive of their overall business model to increase their security and ensure the protection of their customers.
Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office
Panelists:
Melinda (Mimi) LeGaye, President, Moody Securities, LLC
Lisa Roth, President, Tessera Capital Partners, LLC
Hardeep Walia, Founder and Chief Executive Officer, Motif

53 Cybersecurity Guidance for Small Firms
Panelist Bios:
Moderator: Dave Kelley is Surveillance Director based out of FINRA's Kansas City District office, and has been with FINRA for seven years. Mr. Kelley also leads FINRA's Sales Practice exam program for cybersecurity and the Regulatory Specialist team for Cyber Security, IT Controls and Privacy. Prior to joining FINRA, he worked for more than 19 years at American Century Investments in various positions, including Chief Privacy Officer, Director of IT Audit and Director of Electronic Commerce Controls. He led the development of website controls, including customer application security, ethical hacking programs and application controls. Mr. Kelley is a CPA and Certified Internal Auditor, and previously held the Series 7 and 24 licenses.
Panelists: Melinda (Mimi) G. LeGaye serves as President of both Moody Securities, LLC, and MGL Consulting, LLC. Ms. LeGaye has more than 30 years' experience representing the interests of small broker-dealers, having held the positions of president, CCO and FINOP for several small broker-dealers over the years. She currently serves as President and CCO of Moody Securities, LLC and as FINOP and a registered representative for Silver Portal Capital, LLC. Ms. LeGaye also serves as a Small Firm Member on FINRA's District 6 Committee. Prior to forming MGL, Ms. LeGaye served as CCO of Horne Securities Corp., a broker/dealer which was formed to distribute Reg D private placements of real estate limited partnerships. During the early to late 1980s, she served on the Regulatory Affairs Committee and as president of the local chapter of the Real Estate Securities & Syndication Institute (RESSI), which was an affiliate of the National Association of Realtors. Ms. LeGaye is actively involved with ADISA (formerly the Real Estate Investment Securities Association, aka REISA). As a consultant, Ms. LeGaye has worked primarily with small and mid-size broker-dealers, but she has also worked with many larger broker-dealers providing clearing services to introducing broker-dealers. Having served as president, CCO, FINOP, General Securities Principal, and Municipal Securities Principal for various broker/dealers since the mid-1980s, Ms. LeGaye has worked extensively with retail and institutional broker-dealers, as well as boutique broker-dealers which provide investment banking and mergers & acquisitions advisory services, or which conduct business in the wholesale/retail distribution of Reg D private placements, non-traded REITs or 1031 Exchange Programs. As a municipal securities principal, she worked for a small minority enterprise broker-dealer, which was involved in municipal bond underwritings, capital raising and financial advisory activities. As President, CCO, FINOP and a small business owner, Ms. LeGaye has first-hand experience and an in-depth understanding of the challenges FINRA small firm members (fewer than 150 RRs) face on a day-to-day basis. Ms. LeGaye holds the Series 7, 24, 27, 53, 63, 79 and 99 registrations. She has previously held the Series 22, 39 and 3 registrations as well. She received her BBA from Sam Houston State University. An advocate for small broker-dealers and sensitive to the compliance, operational and regulatory challenges they face, she has spoken at numerous industry seminars and compliance programs over the years on topics ranging from supervision of independent brokers; surveillance using exception reports; compliance testing for small firms; product due diligence; and most recently at the SMARSH 2016 Connect Conference held in December
Lisa Roth serves as the President, AML Compliance Officer and Chief Information Security Officer of Tessera Capital Partners. Tessera is a limited purpose broker-dealer offering new business development, financial intermediary relations, client services and marketing support to investment managers and financial services firms. Ms. Roth holds FINRA Series 7, 24, 53, 4, 65 and 99 licenses. Previously, Ms. Roth served in various executive capacities with Keystone Capital Corporation, Royal Alliance Associates, First Affiliated (now Allied) Securities, and other brokerage and advisory firms. Ms. Roth serves on FINRA's Membership Committee, is a member of the Board of the Third Party Marketer's Association, and serves on FINRA's Series 14 Item Writing Committee. Ms. Roth was unanimously selected by her peers to serve as the Chairman of FINRA's Small Firm Advisory Board for one of a total of four years of service on the Board from Ms. Roth has also served as a member of the PCAOB Standing Advisory Group, and is an active participant in other industry forums, including speaking engagements and trade associations. Ms. Roth is also the president of Monahan & Roth, LLC, a professional consulting firm offering consulting, expert witness and mediation services on financial and investment services topics including regulatory compliance, product due diligence, suitability, supervision, information security and related topics. Previously, Ms. Roth founded ComplianceMAX Financial Corp. (purchased by NRS in 2007), a regulatory compliance company offering technology and consulting services to more than 1000 broker-dealers and investment advisers. Ms. Roth's leadership at CMAX led to the development of revolutionary audit and compliance workflow technologies now in use by some of the US's largest (and smallest) broker-dealers, investment advisors and other financial services companies. Ms. Roth has been engaged as an expert witness on more than 150 occasions, including FINRA, JAMS and AAA arbitrations, and Superior Court and other litigation, providing research, analysis, expert reports, damages calculations and/or testimony at deposition, hearing and trial. As a member of the FINRA Board of Arbitrators, Ms. Roth has been named to more than 20 panels as a hearing officer. Ms. Roth resides in CA, but is a native of Pennsylvania, where she attained a Bachelor of Arts degree and was awarded the History Prize from Moravian College in Bethlehem, PA.
Hardeep Walia is founder and CEO of Motif, a next-generation online broker whose mission is to simplify complex investment products and make them universally accessible. The company's flagship product allows individual investors to act intuitively on their insights by turning them into a motif of stocks. Mr. Walia also serves as CEO of Motif Capital, an institutional investment advisor that develops thematic models for clients such as Goldman Sachs, Global Atlantic, and US Bank's UHNW arm Ascent Private Capital Management. Prior to Motif, Mr. Walia spent more than six years at Microsoft, where he was General Manager of the company's enterprise services business. He also served as Director of Corporate Development and Strategy, helping to oversee Microsoft's investments and acquisitions. He started his career at The Boston Consulting Group. Mr. Walia holds a BS in Economics and Engineering from Yale University and an MBA from the Wharton School of Business. He holds Series 7, 24 and 63 licenses in the securities industry. He serves on FINRA's Technology Advisory Committee and is on the Advisory Boards of Ascent Private Capital and real-estate startup PeerStreet. He is a featured contributor for LinkedIn and a frequent guest on CNBC.

55 2018 Cybersecurity Conference February 22 New York, NY Cybersecurity Guidance for Small Firms

56 Panelists
Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office
Panelists:
Melinda (Mimi) LeGaye, President, Moody Securities, LLC
Lisa Roth, President, Tessera Capital Partners, LLC
Hardeep Walia, Founder and Chief Executive Officer, Motif

57 To Access Polling
Under the Schedule icon on the home screen, select the day, choose the Cybersecurity Guidance for Small Firms session, and click on the polling icon.

58 Polling Question 1
1. How confident are you in your cybersecurity program for your firm?
a. We have a good plan that addresses our risks.
b. Started our plan but don't know if we included all risks to our firm.
c. Just started but have a long way to go.
d. We don't have any cybersecurity risks.

59 Polling Question 2
2. What part of your cybersecurity plan are you least comfortable with?
a. Branch controls
b. Home office controls
c. Vendor controls
d. Concerned about a FINRA exam
e. Other

60 Practical Advice for Small Firms
Current cyber issues
FINRA exam standards
Risk Control Self Assessment results
Implementation of a reasonable but effective program
Security basics for the small firm headquarters office
Security basics for the branch office
Vendor management and outsourcing

61 Current Issues for Small Firms
Phishing
Malware and ransomware
3rd party wires
Patch management
Unencrypted data sent by

62 FINRA Exams and Results
Exam Standards
Risk assessment and governance
Cyber program leadership (CISO)
Policies, procedures and adherence
IT certifications
Outsourcing of IT and controls
Exam Findings

63 Risk Control Self Assessment Results
[Chart] Percentage of firms who manage or store PII. Source: 2016 RCA
[Chart] Firm likelihood to outsource (partial or full) business functions. Source: 2016 RCA

64 Polling Question 3
3. How often do you conduct training for cybersecurity risks?
a. Annually
b. Annually plus other ongoing instances
c. We don't have formal training for our RRs and staff.
d. Ongoing

65 Risk Control Self Assessment Results
[Chart] Firm purchase or integration of cyber insurance policies. Source: 2016 RCA
[Chart] Firm coverage of disruption scenarios in their incident response plans. Source: 2016 RCA

66 Cyber Standards for Small Firm Headquarters: Governance
Appointing the CISO, CTO
Framework for risk assessment
Framework for cyber policies
NIST or SANS framework
NASAA guidelines
NY DFS, other state guidelines

67 Cyber Standards for Small Firm Headquarters: Cyber Policy Components
In-house versus outsourced cyber management
Cloud storage versus on-site server storage
Incident response
Vendor management
Training
Cyber intelligence
Insurance
Testing

68 Cyber Basics for Branch/Remote Locations
Device inventory and ongoing monitoring
Centralized communications and data management
Cyber awareness: training, training, training
Incident reporting
Technical controls: patching, encryption, virus protection
Passwords
Physical security
Cloud usage

69 Vendor Management
Initial due diligence
Security and IT vendors
Other vendors
Ongoing monitoring
SOC reports
Qualifications and standards
FINRA's vendor list
NRF or not?
Contractual obligations
Use of the cloud

70 Resources
FINRA Cybersecurity Page:
Report on Cybersecurity Practices
Small Firm Cybersecurity Checklist
Compliance Vendor Directory
NIST Cybersecurity Framework:
Financial Services Information Sharing and Analysis Center:
NASAA Cybersecurity Checklist for Investment Advisers:

71 Resources
FINRA Exam Findings Report: report-exam-findings/cybersecurity
National Law Review, Issues Facing Financial Institutions:
Handouts:
Model cyber procedures
Incident report template
Branch electronic device review template
Electronic device disclosure form

72 Third-Party Vendor Contracts: Sample Language

Confidential Information. As used in this Agreement, "Confidential Information" means information not generally known to the public, and maintained by [Company Name] as confidential, whether of a technical, business or other nature, that relates to the engagement or that, although not related to such engagement, is nevertheless disclosed as a result of the Parties' discussions in that regard, and that should reasonably have been understood by the [Service Provider], because of (i) legends or other markings, (ii) the circumstances of disclosure or (iii) the nature of the information itself, to be proprietary and confidential to [Company Name]. Confidential Information includes nonpublic personal information about the customers and consumers (as those terms are defined in Title V of the Gramm-Leach-Bliley Act and the privacy regulations adopted thereunder) of [Company Name]. Confidential Information may be disclosed in written or other tangible form (including information in computer software or held in electronic storage media) or by oral, visual or other means. For purposes of this Agreement, "[Company Name]" includes employees and controlled affiliates of [Company Name] who disclose Confidential Information to the [Service Provider], and Confidential Information includes information disclosed by such affiliates.

Use of Confidential Information. The [Service Provider], except as expressly provided in this Agreement, shall not disclose [Company Name]'s Confidential Information to anyone without [Company Name]'s prior written consent. The [Service Provider] shall take all steps necessary to safeguard and protect such Confidential Information from unauthorized access, use or disclosure by or to others, including but not limited to, maintaining appropriate security measures and providing access on an as-needed basis only. The Parties will treat Confidential Information using the same degree of care used to protect its own confidential or proprietary information of like importance, but in any case using no less than a reasonable degree of care. The [Service Provider] shall not reverse-engineer, decompile, or disassemble any hardware or software provided or disclosed to it and shall not remove, overprint or deface any notice of copyright, trademark, logo, legend or other notice of ownership from any originals or copies of Confidential Information it obtains from [Company Name]. The [Service Provider] shall not use Confidential Information for any purpose other than with respect to [the Project].

Exceptions. The provisions of the Use of Confidential Information Section above shall not apply to any information that (i) is or becomes publicly available without breach of this Agreement; (ii) can be shown by documentation to have been known to the [Service Provider] without confidentiality restrictions at the time of its receipt from [Company Name]; (iii) is rightfully received from a third party who did not acquire or disclose such information by a wrongful or tortious act, or in breach of a confidentiality restriction; (iv) can be shown by documentation to have been independently developed by the [Service Provider] without reference to any Confidential Information; or (v) is identified by [Company Name] as no longer proprietary or confidential.

[Service Provider] Personnel. The [Service Provider] shall restrict the possession, knowledge, development and use of Confidential Information to its employees, agents, subcontractors, consultants, advisors and entities controlled by it (collectively, "Personnel") who have a need to know Confidential Information in connection with the Project. The [Service Provider]'s Personnel shall have access only to the Confidential Information they need for such purposes. The [Service Provider] shall ensure that its Personnel are bound by confidentiality obligations substantially similar to those contained herein and that such Personnel comply with this Agreement.

73 Disclosures Required by Law, Rule or Regulation. If, in the opinion of its counsel, the [Service Provider] becomes legally obligated to disclose Confidential Information, the [Service Provider] shall give [Company Name] prompt written notice sufficient to allow [Company Name] to seek a protective order or other appropriate remedy, and shall, to the extent practicable, consult with [Company Name] in an attempt to agree on the form, content, and timing of such disclosure. Notwithstanding the preceding sentence, notification to [Company Name] shall not be required if such notification is not permitted by law or would interfere with applicable law enforcement activities. The [Service Provider] shall disclose only such information as is required, in the opinion of its counsel, and shall exercise all reasonable efforts to obtain confidential treatment for any Confidential Information that is so disclosed. Ownership of Confidential Information. All Confidential Information disclosed under this Agreement (including information in computer software or held in electronic storage media) shall remain the exclusive property of [Company Name], and the [Service Provider] shall have no rights, by license or otherwise, to use the Confidential Information except as expressly provided herein. No patent, copyright, trademark or other proprietary right is licensed, granted or otherwise conveyed by this Agreement with respect to Confidential or other information. Provisions Applicable to Nonpublic Personal Information. 
Notwithstanding any other provision of this Agreement, with respect to nonpublic personal information about the customers and consumers (as those terms are defined in Title V of the Gramm-Leach-Bliley Act and the privacy regulations adopted thereunder) of Advisor and any Affiliate of Advisor, Service Provider agrees as follows:

(i) Except as may be reasonably necessary in the ordinary course of business to carry out the activities to be performed by Service Provider under this Agreement or as may be required by law or legal process, it will not disclose any such nonpublic personal information to any third party other than affiliates of Service Provider or Advisor;

(ii) It will not use any such nonpublic personal information other than to carry out the purposes for which it was disclosed by Advisor or Advisor's Affiliate unless such other use is (a) expressly permitted by a written agreement executed by Advisor or its Affiliate, or (b) required by law or legal process; and

(iii) It will take all reasonable measures, including without limitation such measures as it takes to safeguard its own confidential information, to ensure the security and confidentiality of all such nonpublic personal information, to protect against anticipated threats or hazards to the security or integrity of such nonpublic personal information and to protect against unauthorized access to or use of such nonpublic personal information.

TBD Securities Cyber Security Policies and Procedures

CONTENTS

OVERVIEW 2
AUDIT TRAIL 4
ACCESS MANAGEMENT 5
END-USER: MOBILE DEVICE AND APPLICATION SECURITY 7
COLLABORATION SITES AND END-USER DATA STORAGE 7
SECURITY RISK ASSESSMENT 8
OR (FOR FINANCIAL SERVICES FIRMS REGISTERED IN NY) 9
EMPLOYEE SECURITY AWARENESS TRAINING 10
VENDOR SELECTION AND MANAGEMENT 10
TECHNOLOGY ASSET INVENTORY, CLASSIFICATION AND TRACKING 11
TECHNOLOGY END-OF-LIFE PROCESS 12
EMPLOYEE TERMINATION 12
DISASTER RECOVERY AND BACKUP TESTING 13
CYBER SECURITY INSURANCE 13
CYBER SECURITY BREACH FRAMEWORK 13
REGULATORY REPORTING REQUIREMENT(S) 14

Page 1 of 15 Courtesy of Monahan & Roth, LLC February, 2018

Overview

TBD Securities has implemented this program, designed to promote the protection of customer information as well as its information technology systems, which include any discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

At a high level, the goal of this program is to:
(1) identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on TBD Securities Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed;
(2) use defensive infrastructure and the implementation of policies and procedures to protect TBD Securities Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
(3) detect Cyber security incidents;
(4) respond to identified or detected Cyber security incidents to mitigate any negative effects;
(5) recover from Cyber security incidents and restore normal operations and services; and
(6) fulfill all regulatory reporting obligations.

[Name] has been designated as the Chief Information Security Officer ("CISO") and has primary oversight, maintenance, and execution of this Technology and Information Security Program (the "Program"). The CISO is authorized to delegate physical, technical, and administrative components of this program to qualified third parties as and whenever appropriate.
If TBD Securities elects to delegate CISO responsibility to a third-party it must:
- Retain ultimate responsibility for implementation of the program
- Designate a senior member to supervise the [assigned party], and
- Require the [assigned party] to maintain a cyber security program that substantially complies with relevant rules and regulations.

The TBD Securities [TITLE] bears overall responsibility for Business Continuity Plan ("BCP") / Disaster Recovery ("DR") planning, information protection, and creating agile security processes and procedures. The CCO has identified the following core functions to guide the Program. These functions will be evaluated and updated by the CISO as indicated below to adjust to technological, business and/or operational changes at the firm that may have a material impact on the Program.

The CISO will also be responsible for preparing a report, at least bi-annually, that:
(1) assesses the confidentiality, integrity and availability of TBD Securities Information Systems;
(2) details exceptions to TBD Securities cyber security policies and procedures;
(3) identifies cyber risks to TBD Securities;
(4) assesses the effectiveness of TBD Securities cyber security program;
(5) proposes steps to remediate any inadequacies identified therein; and
(6) includes a summary of all material Cyber security incidents that affected TBD Securities during the time period addressed by the report.
The CISO shall present the report to [Firm Name's] senior management or board of directors as applicable.

Functions

Function                                              Designated Person   Frequency
Access management: password and technology access     CISO
Access management: physical access                    CISO
End-user: desktop, web, network and server security   CISO
End-user: mobile devices and application security     CISO
Collaboration sites and storage networks              CISO
Security risk assessment                              CISO
Cyber security testing and audit                      CISO
Network vulnerability scan                            CISO
Employee security awareness training                  CISO
Vendor selection and maintenance                      COO
Technology asset inventory                            CISO
Technology end-of-life process                        CISO
Employee termination                                  COO
Disaster recovery and backup testing                  COO
Cyber security insurance                              CISO
Information Security                                  CCO
Vendor and third-party service provider management    CISO                Annually
Cyber incident response                               CCO
Penetration testing                                   CISO                Annually
Report to Senior Management                           CISO                Bi-Annually
Application security                                  CISO                Annually

(The source table carries separate "Frequency of Document Review" and "Frequency of Execution" columns; three further entries, Periodically, Periodically and Quarterly, appear there without a legible row assignment.)

Audit Trail

The CISO shall be responsible for implementing an audit trail that:
(1) tracks and maintains data that allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable TBD Securities to detect and respond to a Cyber security incident;
(2) tracks and maintains data logging of all privileged Authorized User access to critical systems;
(3) protects the integrity of data stored and maintained as part of any audit trail from alteration or tampering;
(4) protects the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allows for event reconstruction;
(5) logs system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an Authorized User, and all system administrator functions performed on the systems; and
(6) maintains records produced as part of the audit trail for not fewer than six years.
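One way to satisfy items (2), (3) and (5) above, as an added illustration that is not part of the Monahan & Roth template: a hash-chained audit trail in Python in which every record commits to the previous one, so an altered, deleted or truncated record is detected at review time. The users, systems and actions are constructed sample data; storing the latest hash outside the audit system ("expected_head") is this example's own suggestion for catching truncation.

```python
from __future__ import annotations

import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # the hash "before" the first record


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is stable no matter
    # how a record's fields are ordered when it is reloaded from storage.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditTrail:
    """Append-only log; every record carries the hash of the record before it."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, user: str, system: str, action: str, ts: str | None = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "system": system,
            "action": action,
            "prev": prev,
        }
        entry = dict(body, hash=_digest(prev, body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest record; keep a copy where the audit system cannot write."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: list[dict], expected_head: str | None = None) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record.

    Editing or deleting a record breaks the hash, or the seq/prev linkage of the
    record after it. Dropping records from the *end* is invisible to the chain
    alone, so a caller that kept the last hash it saw passes it as expected_head;
    a mismatch is reported as index len(entries)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return i
        body = {k: v for k, v in e.items() if k != "hash"}
        if _digest(prev, body) != e.get("hash"):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return -1


def privileged_access(entries: list[dict], system: str) -> list[tuple[str, str, str]]:
    """Reconstruct who did what on one critical system (Audit Trail item 2)."""
    return [(e["ts"], e["user"], e["action"]) for e in entries if e["system"] == system]


def demo() -> tuple[int, int, int, int]:
    # Constructed sample events, not real data.
    trail = AuditTrail()
    trail.append("dba01", "core-db", "privileged login", ts="2018-02-22T09:00:00+00:00")
    trail.append("sysadmin", "audit-server", "changed log retention", ts="2018-02-22T09:05:00+00:00")
    trail.append("dba01", "core-db", "ALTER TABLE trades", ts="2018-02-22T09:07:00+00:00")
    head = trail.head()
    intact = verify(trail.entries, head)

    edited = copy.deepcopy(trail.entries)
    edited[1]["action"] = "read-only query"   # rewrite the administrator action
    deleted = copy.deepcopy(trail.entries)
    del deleted[1]                            # remove the administrator action entirely
    truncated = trail.entries[:2]             # discard the newest record
    return intact, verify(edited, head), verify(deleted, head), verify(truncated, head)


if __name__ == "__main__":
    print(demo())  # (-1, 1, 1, 2)
```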

Access Management

TBD Securities has an approach to entitlement management that helps establish controls around access activities. The goal of this program is focused on the following:
- Protect remote, mobile, cloud and social access
- Provide transparency and up-to-date information on entitlements
- Provide centralized administration for permissions
- Ensure that employees have access only relevant to their job functions
- Protect against insider threats and unauthorized escalation of user privileges

Each employee's profile will be managed in a central directory that will be used to create, delete and modify employee access data. The CCO is the primary owner of the central directory.

Authorization: TBD Securities manages authorization information that defines what functions an employee can perform in the context of a specific application. The CCO maintains a record of the authorizations.

Passwords: For accessing any firm desktop or device, employees are required to use unique passwords with the following characteristics:
- Contains at least 8 characters
- Uses a combination of lower and uppercase letters
- Uses at least one number and one symbol
- Expires every 180 days (the reuse of any previous password is disallowed)

After 10 failed login attempts within 15 minutes, the user account will be locked until released by the CISO or a [assigned party] administrator. Each administrator will have a unique login account and password. Any [assigned party]'s employees (employees of a consultant or other party delegated responsibility for [Firm Name's] program), on an as-needed basis, will each have a unique login and password to access the firm's password management list.

Physical access: TBD Securities will secure the firm's physical premises with locks and inventory keys issued to authorized persons on an ongoing basis.
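An added illustration, not part of the Monahan & Roth template, of how the password and lockout rules above behave when enforced in code: a small Python model using the exact parameters in the policy (8 characters, mixed case, number and symbol, 180-day expiry with no reuse, lockout after 10 failures within 15 minutes). The Account class, PBKDF2 storage of password digests and the simulate() timeline are this example's own constructions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Parameters exactly as stated in the Access Management section above.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=180)
LOCKOUT_THRESHOLD = 10
LOCKOUT_WINDOW = timedelta(minutes=15)


def password_problems(candidate: str) -> list[str]:
    """Return every policy rule the candidate violates (empty list = compliant)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("must mix lowercase and uppercase letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs at least one number")
    if not any(c in string.punctuation for c in candidate):
        problems.append("needs at least one symbol")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2, so the reuse check compares digests, never stored plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    set_at: datetime = datetime.min
    history: list[bytes] = field(default_factory=list)      # digests of earlier passwords
    failures: list[datetime] = field(default_factory=list)  # timestamps of failed logins
    locked: bool = False

    def set_password(self, new: str, now: datetime) -> None:
        problems = password_problems(new)
        if problems:
            raise ValueError("; ".join(problems))
        digest = _hash(new, self.salt)
        # "the reuse of any previous password is disallowed" (the current one included)
        if any(hmac.compare_digest(digest, old) for old in self.history + [self.current]):
            raise ValueError("password was used before")
        if self.current:
            self.history.append(self.current)
        self.current, self.set_at = digest, now

    def expired(self, now: datetime) -> bool:
        return now - self.set_at >= MAX_AGE

    def login(self, attempt: str, now: datetime) -> bool:
        """True only for a correct, unexpired password on an unlocked account."""
        if self.locked:
            return False
        if self.current and hmac.compare_digest(_hash(attempt, self.salt), self.current):
            self.failures.clear()
            return not self.expired(now)   # an expired password must be changed first
        # Keep only failures inside the sliding 15-minute window, then add this one.
        self.failures = [t for t in self.failures if now - t < LOCKOUT_WINDOW] + [now]
        if len(self.failures) >= LOCKOUT_THRESHOLD:
            self.locked = True             # released only by the CISO or an administrator
        return False

    def unlock(self) -> None:
        self.locked, self.failures = False, []


def simulate() -> tuple:
    """Walk one account through the policy on a constructed timeline (not real data)."""
    t0 = datetime(2018, 2, 22, 9, 0)
    acct = Account("alice")
    acct.set_password("Tr0ub4dor&3", t0)
    ok_day1 = acct.login("Tr0ub4dor&3", t0 + timedelta(days=1))
    expired = acct.login("Tr0ub4dor&3", t0 + timedelta(days=180))  # day 180: expired
    t1 = t0 + timedelta(days=180)
    try:
        acct.set_password("Tr0ub4dor&3", t1)        # attempt to reuse the old password
        reuse_blocked = False
    except ValueError:
        reuse_blocked = True
    acct.set_password("C0rrect-Horse", t1)
    for i in range(9):                               # nine failures inside 15 minutes
        acct.login("wrong-Guess1!", t1 + timedelta(minutes=i))
    locked_after_9 = acct.locked
    acct.login("wrong-Guess1!", t1 + timedelta(minutes=9))   # the tenth failure
    locked_after_10 = acct.locked
    rejected_while_locked = acct.login("C0rrect-Horse", t1 + timedelta(minutes=10))
    acct.unlock()
    ok_after_unlock = acct.login("C0rrect-Horse", t1 + timedelta(minutes=11))
    return (ok_day1, expired, reuse_blocked, locked_after_9, locked_after_10,
            rejected_while_locked, ok_after_unlock)


if __name__ == "__main__":
    print(simulate())  # (True, False, True, False, True, False, True)
```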

End-user: desktop, web, network and server security

TBD Securities has developed practices within the firm to protect the sensitivity of all information by implementing the following processes:
- Implement the use of password protection for all sensitive data, applications, and collaboration tools
- Reconcile the inventory of hardware, software and devices with [assigned party]
- Educate end-users on appropriate use of desktops and web browsing for business purposes
- Track and log USB portable flash drive uses that access the firm's desktop to detect any unauthorized use
- Maintain a white-list of desktop approved applications and a blacklist policy for websites (i.e. adult content, social media, gambling, etc.)

Working closely with the CISO, [assigned party] will proactively manage the following items:
- Maintain inventory of hardware, software and devices
- Closely monitor application and systems log activity (i.e. control the execution of code with an application white-listing policy)
- Deploy critical operating system security patches within 48 hours of release
- Non-critical patches are delivered monthly
- Implement appropriate protections for electronic systems, including anti-virus software and firewalls
- Anti-virus software is set to auto-update and firewalls are updated at least quarterly by [assigned party]

To combat social engineering, the [assigned party] will do the following:
- Employ up-to-date anti-malware systems (continuously updated by auto-update plus quarterly reviews)
- Employ spam filters and other gateways (continuously updated by auto-update and periodically reviewed by [assigned party])

(a) Multi-Factor Authentication. Each Covered Entity shall:
(1) require Multi-Factor Authentication for any individual accessing TBD Securities internal systems or data from an external network;
(2) require Multi-Factor Authentication for privileged access to database servers that allow access to Nonpublic Information;
(3) require Risk-Based Authentication in order to access web applications that capture, display or interface with Nonpublic Information; and
(4) support Multi-Factor Authentication for any individual accessing web applications that capture, display or interface with Nonpublic Information.

End-user: mobile device and application security

Firm-owned devices include, but are not limited to, laptops, tablets, cellular phones, and smartphones. Personal devices may utilize mobile access as long as they are password-encrypted and firm-approved. At the time of hiring, and annually thereafter, TBD Securities requests disclosure of all electronic devices, including the % business and personal use, for purposes of maintaining an up-to-date inventory. Employees are advised to report any lost, stolen, or compromised electronic device to the CISO or CCO immediately. The CISO or CCO will update the firm inventory and shut off inbound and outbound access to the device as necessary. Firm personnel will receive training on the secure use of mobile devices and removable media on an as-needed basis, including during the annual compliance meeting.

Collaboration sites and end-user data storage

The CISO will be primarily responsible for vetting any collaboration site and data storage along with the CCO. Each site must have identified data owners, who manage, control, and review access. Only firm approved collaboration sites listed below will be utilized:
[Name ANY RELEVANT CITATIONS]

Protecting firm data includes the proper use of collaboration sites and data storage sites. The following are requirements for collaboration sites and storing data:

Desktop, laptop, remote desktop and tablets
- Ensure storage only in an approved, sandboxed or otherwise encrypted location instead of the desktop
- Save information to be shared to an access-controlled network location such as a network shared drive
- Store data and information with retention requirements in a records management repository
- Only use applications obtained through firm-approved channels

Mobile devices (smart phones and tablets)
- Only store data within firm-approved applications
- TBD Securities intends to have remote-wipe capability for all employee devices

Records retention

- Certain types of data have retention periods
- All records, including digital, should be stored in an approved records repository
- Collaboration sites are not approved repositories

Employees are responsible for preventing inappropriate use of or access to data by:
- Only accessing information needed for your job function
- Preparing, handling, using and releasing data
- Using correct storage locations
- Following appropriate use or restrictions of electronic communications, including but not limited to e-mail, instant messaging, text, chat, audio/video conferencing and social media

Security risk assessment

The firm will use an independent [assigned party] to perform a comprehensive enterprise risk assessment. The [assigned party] will assess any potential or existing cyber-security threats to identify potential risks and business impacts. At the discretion of the CISO and CCO, the items under review may include, as relevant, the following:

Category                        Subcategory
Network Security                Network Infrastructure; Firewalls; Network Diagram; Frequency of Documentation; Wireless
Data Security                   Data Classification; Backup and Restoration; Encryption; Mobile Security; Disposal; Protection of Transmission
Access Control                  Active Directory; Authentication; Network Access Control; Account/Password Management; Application Access
System Development              Systems Installation; Software Development; Maintenance and Patching; Decommissioning; Change Control Management
Protection                      Antivirus software; Updates and patches; Web Filter and traffic
Testing and Monitoring          Server Monitoring; Network Monitoring; Penetration Testing; Vulnerability Testing; Alerting
Vendors                         Vendor Assessment; Client Data
Employees                       Termination / Role Transfer
Physical Premise Security       Data Center; Building Security and Staff; Building and Office Access; Server Room
Information Security Program    Info Security Policy
Cyber security Insurance        Coverage Review

OR (For Financial Services Firms registered in NY)

(At least annually, each Covered Entity shall conduct a risk assessment of TBD Securities Information Systems. Such risk assessment shall be carried out in accordance with written policies and procedures and shall be documented in writing. The risk assessment shall minimally include:
(1) criteria for the evaluation and categorization of identified risks;
(2) criteria for the assessment of the confidentiality, integrity and availability of TBD Securities Information Systems, including the adequacy of existing controls in the context of identified risks; and
(3) requirements for documentation describing how identified risks will be mitigated or accepted based on the risk assessment, justifying such decisions in light of the risk assessment findings, and assigning accountability for the identified risks.

Employee security awareness training

To assist firm employees in understanding their obligations regarding sensitive firm information, the CISO will provide each employee with a copy of this Program upon commencement of employment and whenever changes are made. In addition, the CISO and/or CCO will implement programs to perform training functions on an as-needed basis. At the discretion of the CCO and CISO, employee security awareness training may include any of the following:
- Instruct employees to take basic steps to maintain the security, confidentiality and integrity of client and investor information, including:
  - Secure all files, notes, and correspondence
  - Change passwords periodically and do not post passwords near computers
  - Avoid the use of speaker phones and discourage discussions in public areas
  - Recognize any fraudulent attempts to obtain client or investor information and report to appropriate management personnel
  - Access firm, client, or investor information on removable and mobile devices with care and on an as-needed basis using firm protocols (passwords, etc.)
- Instruct employees to close out of files that hold protected client and investor information, investments, investment strategies, and other confidential information when they are not at their desks
- Educate employees about the types of cyber security attacks and appropriate responses

Vendor selection and management

For vendors interacting with TBD Securities systems, network and data, the firm will perform the following activities to protect sensitive information:
- Assess vendors before working with them, including a cyber-security risk assessment
- Review third-party vendor contract language to establish each party's responsibility with respect to cyber-security procedures
- Segregate sensitive firm systems from third-party vendor access and monitor remote maintenance performed by third-party contractors

- the use of Multi-Factor Authentication as set forth herein to limit access to sensitive systems and Nonpublic Information;
- the use of encryption to protect all Nonpublic Information in transit and at rest;
- prompt notice to be provided to TBD Securities in the event of a Cyber security incident affecting the third party service provider;
- identity protection services to be provided for any customers materially impacted by a cyber security incident that results from the third party service provider's negligence or willful misconduct;
- representations and warranties from the third party service provider that the service or product provided to TBD Securities is free of viruses, trap doors, time bombs and other mechanisms that would impair the security of TBD Securities Information Systems or Nonpublic Information; and
- the right of TBD Securities or its agents to perform cyber security audits of the third party service provider.

Technology asset inventory, classification and tracking

TBD Securities has a process in place to identify, classify, and track all technology assets ("assets"):
- To ensure accurate classification and tracking, TBD Securities will procure/vet all assets through [assigned party]
- TBD Securities will maintain an inventory of all assets as well as an identified owner
- TBD Securities will cross-reference the list of internal assets with [assigned party]
- The asset identification and classification process will be scalable to accommodate growth and acquisition
- TBD Securities will track assets and their attributes throughout their lifecycle
- Automated processes will be used periodically to perform discovery of unknown assets
- TBD Securities will create a map of network resources, including data flows, internal connections and external connections
- TBD Securities will establish and enforce a process of assessing and classifying assets based on their sensitivity to attack and business value
- [assigned party] will auto-alert TBD Securities if a new device is discovered on the network

TBD Securities shall encrypt all Nonpublic Information it holds or transmits, both in transit and at rest.

Technology end-of-life process

TBD Securities has developed and will follow processes for securely disposing of assets once they are no longer being used by the firm or have reached the end of their usable life (the "end-of-life process"). Working closely with the CISO, [assigned party] will closely monitor the firm hardware and recommend a refresh every 3-5 years per individual hardware equipment. A certified end-of-life management vendor ("EMV") will properly recycle any old hardware.

Notification: The end-of-life process will notify all necessary and relevant parties to initiate a coordinated execution:
- CISO
- Asset owner
- End user(s)
- Relevant vendor(s)

Hard Drives: Any decommissioned hard drive will be securely stored for a minimum of 6 years from the decommission date. When disposing of the hard drive, the EMV will do the following:
- Erase all data on the drive
- Physically destroy the hard drive
- Produce documentation of proper disposal

Employee termination

The firm is dedicated to protecting the network and proprietary data at risk upon termination of employees. To prevent former employees from leaking information, TBD Securities has adopted an approach towards access controls and entitlement management. Please refer to the [assigned party] checklist for employee on/off-boarding. TBD Securities will maintain this list as new applications, drives, systems, and vendors are incorporated.

The following items will be monitored:
- Network access
- Desktop access
- Mobile device access
- Internal and external applications
- Vendors, such as prime brokers, executing brokers, etc.

Disaster recovery and backup testing

Please see [Firm Name's] Business Continuity Procedures / Disaster Recovery Plan ("BCP") for detailed documentation. Any changes can be represented in that BCP / DR plan. The CCO, in connection with the CISO, will update the firm's BCP on an as-needed basis to ensure that it is consistent with the Program.

Cyber security insurance

On an annual basis the CISO will review the firm's insurance coverage related to cyber security threats and make a determination as to its adequacy in conjunction with the CCO and COO. It is anticipated that cyber security insurance will not be obtained unless or until the firm's risk profile substantially increases, because currently the majority of client sensitive data is retained by competent third party vendors, primarily including its clearing firm.

Cyber security breach/incident response framework

The firm has implemented a framework to identify, prepare for, prevent, detect, respond to, and recover from cyber security incidents, meaning any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System. In the event of a cyber security incident, the firm's information technology personnel (or anyone detecting the incident) will immediately notify the CISO (or qualified designee), who will work with appropriate personnel to:

- Assess the nature and scope of any such incident and maintain a written record of the systems and information involved
- Take appropriate steps to contain and control the incident to prevent further unauthorized access, disclosure or use, and maintain a written record of steps taken
- Promptly conduct a reasonable investigation, determine the likelihood that personal information has or will be misused, and maintain a written record of such determination
- Discuss the issue with outside counsel (or a qualified resource) and make a determination regarding disclosing the issue to regulatory authorities, law enforcement and/or individuals whose information may have been affected
- Evaluate the need for changes to the firm's policies and procedures in light of the breach
- The firm will work with outside resource(s) and/or counsel as necessary to determine appropriate next steps, including addressing any weaknesses identified in the process

A record of the response to the incident shall be made and retained among the firm's central records.

Regulatory reporting requirement(s)

(For entities registered to do business in NY and not otherwise exempt: TBD Securities shall submit to the superintendent of the state of New York, Department of Financial Services ("DFS") a written statement by January 15, in such form as set forth by the DFS, certifying that TBD Securities is in compliance with the requirements specifically identified by DFS. TBD Securities shall maintain for examination by the DFS all records, schedules and data supporting this certificate for a period of five years.
(1) To the extent TBD Securities has identified areas, systems, or processes that require material improvement, updating or redesign, TBD Securities shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by DFS.
(2) To the extent that TBD Securities has identified any material risk of imminent harm relating to its cyber security program, TBD Securities shall notify the superintendent within 72 hours and include such items in its annual report filed pursuant to this section.

TBD Securities
January 15, 20__

Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations

The Board of Directors or a Senior Officer(s) of TBD Securities certifies:
(1) The Board of Directors (or name of Senior Officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary;
(2) To the best of the (Board of Directors) or (name of Senior Officer(s)) knowledge, the Cybersecurity Program of TBD Securities as of [Date] complies with the rules and regulations of the state of New York.

By:
Printed Name:
Title:
Date:

Electronic Devices and Communications Inspection Form

Electronic Device Review:
Device Name:
Description:
% Business Use:
% Personal Use:

Yes / No  Anti-malware software is installed on this device.
Yes / No  Anti-virus software is installed on this device.
Yes / No  Software auto-update is set to ON on this device.
Yes / No  Log in privileges to this device are password protected.
Yes / No  This device times out after 15 minutes or less time of non-use.
Yes / No  ONLY approved (company) e-mail is received on this device.
Yes / No  ONLY associated personnel have access to this device.

Please explain any NO answer in the space provided below:
Exceptions, Notes:

Electronic Device Review:
Device Name:
Description:
% Business Use:
% Personal Use:

Yes / No  Anti-malware software is installed on this device.
Yes / No  Anti-virus software is installed on this device.
Yes / No  Software auto-update is set to ON on this device.
Yes / No  Log in privileges to this device are password protected.
Yes / No  This device times out after 15 minutes or less time of non-use.
Yes / No  ONLY approved (company) e-mail is received on this device.
Yes / No  ONLY associated personnel have access to this device.

Please explain any NO answer in the space provided below:
Exceptions, Notes:

CYBER SECURITY INCIDENT REPORT

Incident Reported By:
Incident Reported To:
Date Reported:            Time:        am / pm
Nature of the incident (include the scope, systems and information involved):

CONTAINMENT
Date Contained:           Time:        am / pm
Record the steps taken to contain and control the incident to prevent further unauthorized access, disclosure or use:

INVESTIGATION
Investigation performed:  Time:        am / pm
Describe the nature of the investigation, including whether or not sensitive information has or might be compromised:

DISCLOSURE TO THIRD PARTIES (check all that apply)
[ ] Counsel
[ ] Other Qualified Resource
[ ] Law Enforcement
[ ] Individuals affected
Describe:

RESOLUTION
Resolution achieved:      Time:        am / pm
Describe:
[ ] Related Cyber Policies adequate
[ ] Related Cyber Policies require amendment
[ ] Follow-up required

Principal Acknowledgement of Resolution:
Date:
Notes:

Electronic Device Disclosure

Associated persons are required to disclose the use and/or the termination of use of any electronic device used entirely or in part for business purposes by completing the table below.

[ ] This is an initial report of electronic device(s)
[ ] I have a new device to report
[ ] I have a retired device to report
[ ] I have a change in usage of a previously reported device to report

Device Description (example: "primary office computer"; include smartphones, tablets and other devices)
Device Type (example: iMac, or Dell PC desktop)
% Business Use
% Personal Use
Notes (example: shared device with another associated person)

I hereby certify that the above information is correct and accurate to the best of my knowledge and that I adhere to my Broker-Dealer's policies and procedures.

Signature:
Date:

Cyber Security Checklist for Broker Dealers (1)

Identify: Risk Assessment & Management (YES / NO / N/A)
1. Risk assessments are conducted frequently (e.g. annually, quarterly).
2. Cybersecurity is included in the risk assessment.
3. The risk assessment includes a review of the data collected or created, where the data is stored, and if the data is encrypted.
4. Internal insider risk (e.g. disgruntled employees) and external risks are included in the risk assessment.
5. The risk assessment includes relationships with third parties.
6. Adequate policies and procedures demonstrate expectations of employees regarding cybersecurity practices (e.g. frequent password changes, locking of devices, reporting of lost or stolen devices, etc.).
7. Primary and secondary person(s) are assigned as the central point of contact in the event of a cybersecurity incident.
8. Specific roles and responsibilities are tasked to the primary and secondary person(s).
9. The firm has an inventory of electronic devices and software in use in its home office.
10. The firm has an inventory of electronic devices and software in use in its branch offices.
Notes:

1 Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

94 Cyber Security Checklist for Broker Dealers

Protect: Use of Electronic Mail (YES / NO / N/A)
1. The firm has protective measures in place to govern the distribution of identifiable information of a client transmitted via email.
2. The firm has protective measures in place to govern authentication practices for access to email on all devices (computers and mobile devices).
3. The firm requires that passwords for access to email are changed no less than quarterly.
4. The firm's policies and procedures provide instruction to authenticate client instructions received via email.
5. If applicable, the firm's employees and clients are aware that email communication is not secured.

Protect: Devices (YES / NO / N/A)
1. Device access (physical and digital) is permitted for authorized employees.
2. Device access (physical and digital) is permitted for authorized clients.
3. Device access is routinely audited and updated appropriately.
4. Devices are routinely backed up and the underlying data is stored in a separate location (i.e. on an external drive, in the cloud, etc.) subject to FINRA requirements for electronic storage, or other related requirements.
5. Backups have been tested in the most recent 12 months.
6. The firm has written policies and procedures regarding the secure destruction of electronic devices no longer in use (end-of-life procedures).

Notes:

2 Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

95 Cyber Security Checklist for Broker Dealers

Protect: Use of Cloud Services (YES / NO / N/A)
1. Due diligence has been conducted on the cloud service provider prior to signing an agreement or contract.
2. As part of the due diligence, the firm has evaluated whether the cloud service provider has safeguards against breaches and a documented process in the event of breaches.
3. The firm has a business relationship with the cloud service provider and has the contact information for that entity.
4. The firm is aware of the assignability terms of the contract.
5. The firm understands how the firm's data is segregated from other entities' data within the cloud service.
6. The firm is familiar with the restoration procedures in the event of a breach or loss of data stored through the cloud service.
7. The firm has written policies and procedures in the event that the cloud service provider is purchased, closed, or otherwise unable to be accessed.
8. The firm solely relies on free cloud storage.
9. The firm maintains a 17a-4 compliant backup of all records off-site.
10. Data containing sensitive or personally identifiable information is stored through a cloud service.
11. The firm's data accessible by the vendor that contains sensitive or personally identifiable information, and is stored through a cloud service, is encrypted.
12. The firm has written policies and procedures related to the use of devices by employees or vendors who access data in the cloud.
13. If applicable, the firm's procedures provide controls for when the cloud provider (or its staff) may access and/or view the firm's data stored in the cloud.
14. If the firm allows any user remote access to its network (e.g. through use of a VPN), such access is subject to controls including user management.
15. The VPN access of employees is monitored.
16. The firm has written policies and procedures related to the termination of VPN access when any authorized user resigns or is terminated.

3 Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

96 Cyber Security Checklist for Broker Dealers

Protect: Use of Firm Websites (YES / NO / N/A)
1. The firm relies on a parent or affiliated company for the construction and maintenance of the website.
2. The firm relies on internal personnel for the construction and maintenance of the website.
3. The firm relies on a third-party vendor for the construction and maintenance of the website.
4. If the firm relies on a third party for website maintenance, there is an agreement with the third party regarding the services and the confidentiality of information.
5. The firm can directly make changes to the website.
6. The firm can directly access the domain renewal information and the security certificate information.
7. The firm's website is used to access client information.
8. SSL or other encryption is used when accessing client information on the firm's website.
9. The firm's website includes a client portal.
10. SSL or other encryption is used when accessing a client portal.
11. When accessing the client portal, user authentication credentials (i.e., user name and password) are encrypted.
12. Additional authentication credentials (i.e., challenge questions, etc.) are required when accessing the client portal from an unfamiliar network or computer.
13. The firm has written policies and procedures related to a denial of service issue.

Notes:

4 Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

97 Cyber Security Checklist for Broker Dealers

Protect: Custodians & Other Third-Party Vendors (YES / NO / N/A)
1. The firm's due diligence on third parties includes cybersecurity as a component.
2. The firm has requested vendors to complete a cybersecurity questionnaire, with a focus on issues of liability sharing and whether vendors have policies and procedures based on industry standards.
3. The firm understands when/if the vendor has IT staff or outsources some of its functions.
4. The firm has obtained a written attestation from the vendor that it uses software to ensure customer data is protected.
5. If applicable, the firm has obtained evidence of the vendor's cyber security risk assessment or audit on a regular basis.
6. The cyber-security terms of the agreement with an outside vendor are not voided because of the actions of an employee of the firm.
7. The firm's contract with third-party vendors includes terms of confidentiality.
8. The firm has been provided enough information to assess the cybersecurity practices of any third-party vendors.
9. [Relevant to custodians only] The firm has discussed with the custodian matters regarding impersonation of clients and authentication of client orders.
10. The firm's contract with the vendor includes terms for notification in the event of a cyber breach.

Protect: Encryption (YES / NO / N/A)
1. The firm routinely consults with an IT professional knowledgeable in cybersecurity.
2. The firm has written policies and procedures in place to categorize data as either confidential or non-confidential.
3. The firm has written policies and procedures in place to address data security and/or encryption requirements.
4. The firm has written policies and procedures in place to address the physical security of confidential data and systems containing confidential data (i.e., servers, laptops, tablets, removable media, etc.).
5. The firm utilizes encryption on all data systems that contain (or access) confidential information.
6. The identities and credentials for authorized users are recorded and periodically updated.

5 Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

98 Cyber Security Checklist for Broker Dealers

6 Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

99 Cyber Security Checklist for Broker Dealers

Notes:

7 Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

100 Cyber Security Checklist for Broker Dealers

Detect: Anti-Virus Protection and Firewalls (YES / NO / N/A)
1. The firm mandates the installation and auto-update of anti-virus, anti-spam and anti-malware software on all electronic devices accessing the firm's network or otherwise retaining personally identifiable information or firm records.
2. The firm mandates that all settings are deployed to ensure that software is subject to auto-update.
3. Employees are trained and educated on the basic function of anti-virus programs and how to report potential malicious events.
4. If the alerts are set up by an outside vendor, there is an ongoing relationship between the vendor and the firm to ensure continuity and updates.
5. A firewall is employed and configured appropriately to the firm's needs.
6. The firm has policies and procedures to address flagged network events.

Notes:

8 Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

101 Cyber Security Checklist for Broker Dealers

Respond: Responding to a Cyber Event (YES / NO / N/A)
1. The firm has a plan and procedure for immediately notifying authorities in the case of a disaster or security incident of magnitude.
2. The plans and procedures identify which authorities should be contacted based on the type of incident and who should be responsible for initiating those contacts.
3. The firm has a communications plan, which identifies who will speak to the public/press in the case of an incident and how internal communications will be managed.
4. The communications plan identifies the process for notifying clients and, if applicable, for addressing damages.

Notes:

9 Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

102 Cyber Security Checklist for Broker Dealers

Recover: Cyber-insurance (YES / NO / N/A)
1. The firm has considered whether cyber-insurance is necessary or appropriate for the firm.
2. The firm has evaluated the coverage in a cybersecurity insurance policy to determine whether it covers breaches, including: breaches by foreign cyber intruders; insider breaches (e.g. an employee who steals sensitive data); and breaches as a result of third-party relationships.
3. The cybersecurity insurance policy covers notification (clients and regulators) costs.
4. The firm has evaluated whether the policy includes first-party coverage (e.g. damages associated with theft, data loss, hacking and denial of service attacks) or third-party coverage (e.g. legal expenses, notification expenses, third-party remediation expenses).
5. The exclusions of the cybersecurity insurance policy are appropriate for the firm's business model.
6. The firm has put into place all safeguards necessary to ensure that the cyber-security policy is not voided through firm employee actions, such as negligent computer security where software patches and updates are not installed in a timely manner.

Recover: Disaster Recovery (YES / NO / N/A)
1. The firm has a business continuity plan to implement in the event of a cybersecurity event.
2. The firm has a process for retrieving backed-up data and archival copies of information.
3. The firm has written policies and procedures for employees regarding the storage and archival of information.
4. The firm provides training on policies and procedures related to document retention, safekeeping and updates.

Notes:

10 Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

103 Cyber Security Checklist for Broker Dealers

11 Adapted from the NASAA Cyber Security Checklist for Investment Advisers; courtesy of Monahan & Roth, LLC

104 Recent Cyber Attacks, Threats and Possible Solutions
Thursday, February 22, 11:15 a.m. - 12:15 p.m.

The world has entered an age in which well-organized and well-funded groups use sophisticated cyber techniques to attack organizations with increasing frequency. This threat landscape is constantly changing, and modern cyber defenses must evolve. During this session, panelists discuss recent high-visibility hacks and steps that could have been taken to prevent them from happening or to minimize the disruption.

Moderator:
Gregory Markovich, Regulatory Principal, Sales Practice, FINRA Chicago District Office

Panelists:
Britt Lindley, Chief Information Security Officer, Thrivent Financial for Lutherans
Jesse Magenheimer, Director - Information Security, State Farm
Melissa Vacon, Assistant Vice President of Information Services, Signator Investors, Inc.

105 Recent Cyber Attacks, Threats and Possible Solutions

Panelist Bios:

Moderator:
Greg Markovich joined FINRA on February 1, 2016, as Regulatory Principal, and he is currently responsible for leading cybersecurity examinations and providing security consultation and training for other staff. Prior to joining FINRA, Mr. Markovich gained 30 years of information technology (IT) and security experience working at two investment management firms, Capital Group American Funds and American Century Investments. His leadership roles at these firms included responsibility for information security, risk management, identity access management, and disaster recovery. Mr. Markovich also has experience leading applications development and infrastructure support teams. In addition to having an MBA degree from the University of Missouri, Mr. Markovich holds several security certifications, including the Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH) certifications.

Panelists:
Britt Lindley is Chief Information Security Officer within Thrivent Financial's Information Technology division, reporting directly to the Chief Administrative Officer. Mr. Lindley serves in this position for Thrivent Financial, its subsidiaries and affiliates (Thrivent). Acting as the Chief Information Security Officer, Mr. Lindley is responsible for the management, oversight and implementation of the required Information Security programs and associated controls. He leads a team of professionals who are responsible for the Information Security functions for Thrivent, and is also the chair of Thrivent's Protection Risk Group, which communicates internal and external Information Security operational risk, as well as risk management, to senior leaders. For 16 years prior to joining Thrivent in 2010 as Director of Information Security, Mr. Lindley held Information Security leadership roles within various industry sectors including banking, technology, and transportation/logistics. Serving in these various security leadership roles, Mr. Lindley has worked in both privately held and public companies, as well as large multi-national organizations. Mr. Lindley earned his Bachelor of Science degree in Computer Science from Point Park University in Pittsburgh, PA. He also holds Information Security certifications from the International Information Systems Security Certification Consortium (ISC2) (CISSP, Certified Information Systems Security Professional, since 2000) and the Information Systems Audit and Control Association (ISACA) (CISM, Certified Information Security Manager, since 2004). Mr. Lindley is active in trade and industry groups for the Financial Service industry. Mr. Lindley is an active volunteer within local organizations of the Community Foundation of the Fox Valley and a board member of the Volunteer Center of East Central WI. Mr. Lindley is retired from the Wisconsin National Guard after 23 years of service.

Jesse Magenheimer is Director in Information Security at State Farm in Bloomington, Illinois, with responsibilities for Protective Technologies and Enterprise Information Security Incident Response. He has more than 25 years of IT experience, with the past 17 years spent in various information security, technology, and IT auditing roles. He has worked on the development of end-to-end application security controls, security architecture for data centers, creation of new professional security roles, leading IT and integrated audits, advancing the use of protective technologies, design of the company's enterprise information security incident response plan, and the creation and execution of information security incident response exercises. Mr. Magenheimer holds a Bachelor's Degree in Computer Science and a Master's Degree in Emergency and Disaster Management. He also possesses a number of information security, risk management, and project management industry certifications.

Melissa Vacon is Assistant Vice President of Information Systems at John Hancock, supporting Signator Investors, Inc. For the past four years, Ms. Vacon has been responsible for all aspects of technology for the distribution arm of John Hancock. This includes all IT development and maintenance activities, all large project initiatives, infrastructure support, vendor management, cybersecurity risk mitigation and administration. Prior to joining Signator, Ms. Vacon held multiple IT positions within John Hancock, starting in Before joining John Hancock, Ms. Vacon was employed by GE at their Electric Insurance division.

106 2018 Cybersecurity Conference, February 22, New York, NY
Recent Cyber Attacks, Threats and Possible Solutions

107 Panelists

Moderator:
Gregory Markovich, Regulatory Principal, Sales Practice, FINRA Chicago District Office

Panelists:
Britt Lindley, Chief Information Security Officer, Thrivent Financial for Lutherans
Jesse Magenheimer, Director - Information Security, State Farm
Melissa Vacon, Assistant Vice President of Information Services, Signator Investors, Inc.

108 To Access Polling

Under the Schedule icon on the home screen, select the day, choose the "Recent Cyber Attacks, Threats and Possible Solutions" session, and click on the polling icon.

109 Cybersecurity Attacks, Threats and Prevention

Why is it important:
- The frequency and sophistication of cybersecurity threats and attacks is increasing.
- Financial firms and individual broker-dealers are at risk.
- Firms must take steps to prevent attacks and monitor their environment.

Effective Practices:
- Written policies and procedures to protect customer information
- Governance Framework and Risk Management (identify, assess, manage)
- Technical Controls
- Vendor Management
- Training
- Monitoring and Incident Management

110 Polling Question 1

1. Has your firm experienced any of the following cybersecurity threats: phishing, ransomware, account takeover, wire fraud, denial of service, malware, or viruses?
a. Yes
b. No
c. Don't know

111 Polling Question 2

2. Has your firm received phishing emails in the last 12 months?
a. Yes
b. No
c. Don't know

112 Financial Service Firms: Common Threats

Threats:
- Phishing - the #1 threat for financial firms as observed by FINRA
- Ransomware
- Account Takeover
- Wire Fraud
- DDoS Attacks
- Malware
- Virus
- Insider Threat
- Spam
- Others

113 Polling Question 3

3. What level of human resources does your firm currently have focused on monitoring the environment for cyber-related incidents or attacks (including third-party resources)?
a. None
b. 5 people or less
c. 5 to 10 people
d. Greater than 10 people

114 Security Operations Center (SOC)

An organized and highly skilled team whose mission is to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cyber security incidents with the aid of both technology and well-defined processes and procedures.

FUNCTIONS:
- Maintain security monitoring tools
- Investigate suspicious activities

ROLES:
- Security Analyst
- Security Engineer
- Security Manager

115 Polling Question 4

4. Does your firm monitor the environment for potential internal threats?
a. Yes
b. No
c. Don't know

116 Financial Service Prevention Activities

- Training
- Vendor Management
- Risk Assessment/Management
- Monitoring
- Security Patching
- Others

117 Cyber Incident Recovery Process

Develop and implement plans, processes, and procedures to fully restore a system weakened or breached as a result of a cyber incident or event.

Recovery Steps Include: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned

118 Polling Question 5

5. Does your firm actively oversee the security controls and cyber programs for your critical third-party providers?
a. Yes
b. No
c. Don't know

119 Third-Party Management

- Written policy that covers the entire life cycle of the relationship: onboarding, ongoing oversight, and termination of the agreement
- Contractual terms and conditions: responsibilities of both parties, incident notification, ability to review audit reports (SSAE 18)
- Risk-based ongoing assessment of the third party's security controls

120 FINRA References

FINRA Cybersecurity Page:
- Report on Cybersecurity Practices
- Small Firm Cybersecurity Checklist
- Compliance Vendor Directory

NIST Cybersecurity Framework:

121 Plenary Session: Branch Cybersecurity Controls
Thursday, February 22, 1:15 p.m. - 2:15 p.m.

Cybersecurity is a top priority for the financial services industry. Firms dedicate significant resources every day to protect against cyber-crime, safeguard consumer data, and maintain the integrity and resilience of their systems in the face of countless cyber threats. During this session, panelists discuss defensive measures firms can take within branch locations. These measures include developing information security branch plans, training employees and other solutions.

Moderator:
Kevin Bogue, Regulatory Principal, Sales Practice, FINRA Chicago District Office

Panelists:
Tammy Boone, Compliance Manager, NEXT Financial Group, Inc.
Robert Geary, Director, IT Security Distribution, Lincoln Financial Securities
David Wimer, Business Information Security Officer, Transamerica

122 Branch Cybersecurity Controls

Panelist Bios:

Moderator:
Kevin Bogue joined FINRA on January 9, 2017, as a Regulatory Principal in the Chicago District Office. Mr. Bogue is a member of the Sales Practice Cybersecurity team responsible for examining firms' controls over their protection of sensitive client and firm information. Prior to joining FINRA, Mr. Bogue gained more than 17 years of information technology (IT) and security experience working as a technology consultant with Accenture, as an internal Global IT auditor, IT Compliance Manager and SOX Program Manager with Abbott Laboratories, as an IT Compliance Manager with Brunswick and as an internal IT Audit Manager with CDW. Mr. Bogue earned an MS in Information Systems from DePaul University in Chicago, IL and a BS in Psychology from Iowa State University in Ames, IA.

Panelists:
Tammy Boone joined NEXT in December 2010 and is currently the Compliance Manager overseeing Licensing, Registration and Branch Exams. Ms. Boone has more than 30 years of financial services experience in various capacities including support staff, branch operations, licensing, registration and compliance. Ms. Boone holds the Series 7, 9, 10, 63 and 65 licenses.

Robert Geary is Director of IT Security - Distribution for Lincoln Financial Securities and has more than 23 years of Information Technology experience. Mr. Geary started with Lincoln Financial Group in 1998 and has held several technical positions throughout his career. He spent five years as a member of Lincoln's Cyber Threat Intelligence & Investigations Team, focusing on Incident Response, Endpoint Security Controls, and Vulnerability Management. He holds a Bachelor of Science degree in Mechanical Engineering from Drexel University along with several professional designations, including the Certified Information Systems Security Professional (CISSP) and GIAC Certified Incident Handler (GCIH).

David Wimer has experience in the information security, privacy and risk domains within the telecommunications and finance industries. Mr. Wimer has more than 20 years of developing, implementing and educating his business colleagues on practical security practices. Mr. Wimer is a Business Information Security Officer for Transamerica and has worked through examinations from both the SEC and FINRA in the past two years on Transamerica's application of cyber security controls within their organization. Mr. Wimer's philosophy and primary focus is on continuous education of the workforce at all levels, and he has built a respectable awareness and training program within Transamerica. Mr. Wimer has additional experience in building and implementing controls on third-party risk and has past experience conducting and supervising security assessments of Transamerica's external partnerships, vendors and cloud providers/solutions.

123 2018 Cybersecurity Conference, February 22, New York, NY
Plenary Session: Branch Cybersecurity Controls

124 Panelists

Moderator:
Kevin Bogue, Regulatory Principal, Sales Practice, FINRA Chicago District Office

Panelists:
Tammy Boone, Compliance Manager, NEXT Financial Group, Inc.
Robert Geary, Director, IT Security Distribution, Lincoln Financial Securities
David Wimer, Business Information Security Officer, Transamerica

125 To Access Polling

Under the Schedule icon on the home screen, select the day, choose the "Plenary Session: Branch Cybersecurity Controls" session, and click on the polling icon.

126 Polling Question 1

1. Do you have branch office locations?
a. Yes
b. No

127 Polling Question 2

2. Do you have formal branch office policies and procedures?
a. Yes
b. No

128 Polling Question 3

3. Do you provide formal guidance to branches as to what cybersecurity controls are expected to be in place?
a. Yes
b. No

129 Branch Cybersecurity Controls

Why is it important:
- Many branch offices operate independently from the home office in setting up computer systems and controls.

Effective Practices:
- Policy / procedure created for branch locations
- Certification
- Cyber training, not just an annual process
- Automated tools
- Branch examiners trained by IT to examine for cyber controls
- Data Loss Prevention (DLP) tools
- Recommend technology, software (e.g., antivirus) or vendors (e.g., cloud)

130 Branch Cybersecurity Controls (continued)

Firms should have policies and procedures dealing with cybersecurity issues at branch locations. Topics include:
- Physical Security
- Encryption
- Virus and Malware Protection
- Reporting of Lost / Stolen Assets
- Patching
- The Use of Passwords
- Training and Awareness
- Business Continuity Planning / Testing
- Vendor / Cloud Usage
- Representative Certifications
- Processes in place to verify controls have been implemented and are functioning as intended

131 Branch Cybersecurity Controls (continued)

Firms with an Independent Contractor model may have more risk due to the nature of the branch technology infrastructure:
- Reps may purchase their own assets
- Reps may not follow home office policies and procedures correctly
- Use of cloud providers not approved by the firm
- Physical security of assets:
  - Access to the office is secure
  - Process to report and manage lost/stolen assets
  - Proper disposal of decommissioned assets
- Data protection controls (e.g., secure transmission and encryption)

132 Branch Cybersecurity Controls (continued)

Typical controls would include:
- Proper access control, including password management and multifactor logins
- Securely maintaining branch assets, including timely patching, antivirus, and updates
- Training and awareness of branch personnel (including contractors)
- Branch-level Business Continuity (BC) and Disaster Recovery (DR) planning / testing
- Process to follow when an incident / breach has occurred

133 Branch Cybersecurity Controls (continued)

All firms with branch locations should verify and regularly audit security controls in the branch offices:
- Knowledge, through an inventory process, of critical software and hardware assets that exist in the branch
- Physical security of assets, sensitive information and firm data:
  - Access to the branch office is secure
  - Process to report and manage lost / stolen assets
  - Proper disposal of decommissioned assets
- Data protection controls, including:
  - Secure transmission and storage of all sensitive information
  - Encryption of all sensitive information on branch computers

134 Branch Cybersecurity Controls (continued)

What are we seeing?
- Few firms conduct regular audits of branch office security controls
- Opportunity exists for firms to improve and formalize their oversight of branch offices
- Most firms with large numbers of branches have developed cybersecurity questionnaires that the reps attest to
- Firms will audit branches on certain cyber-related questions and controls in place; e.g., laptop encryption, endpoint protection, updated OS, password management, physical security
- Automated tools for monitoring branch equipment

135 References

FINRA Cybersecurity Page:
- Small Firm Cybersecurity Checklist
- 2015 Report on Cybersecurity Practices
- Compliance Vendor Directory

NIST Cybersecurity Framework:

136 Cyber Incident Response Plans and Resources
Thursday, February 22, 2:30 p.m. - 3:30 p.m.

Every organization should develop a written plan that identifies cyber-attack scenarios and sets out appropriate responses. While plans must be customized for each organization's particular circumstances, the plan should address basic components. Join panelists as they discuss these components and provide examples of steps their firms have implemented. Panelists also provide resources and helpful tools for firms to address critical cyber threats, as well as examples of what not to do.

Moderator:
Rafael Skovron, Examination Manager, Sales Practice, FINRA San Francisco District Office

Panelists:
Andrew Hartridge, Chief Information Security Officer, M&T Securities, Inc.
Paul Horn, Chief Information Security Officer, HD Vest Financial Services
Gregory Scroggs, Senior Vice President and Chief Information Security Officer, Primerica

Cyber Incident Response Plans and Resources: Panelist Bios

Moderator: Rafael Skovron began his career consulting for the international public accounting firm Grant Thornton. Mr. Skovron's work included a large IT controls project at Fannie Mae in D.C. and testing IT controls for financial audits of public companies. Mr. Skovron then joined the Office Depot Internal Audit team and performed operational, financial, and technology audits at the global headquarters in Boca Raton and in Mexico. At FINRA, Mr. Skovron has worked in both the Boca Raton and San Francisco offices, leading cybersecurity and technology governance routine examinations. His cause examinations have covered breaches of broker-dealer websites, phishing, business compromise scams, mobile security risks, cloud security and branch office risks. He is also a member of an internal consulting team that develops guidance on technology governance and cybersecurity. Mr. Skovron is also a member of the Bay Area Chapter of InfraGard, a nonprofit organization serving as a public-private partnership between U.S. businesses and the Federal Bureau of Investigation to address cybersecurity risks.

Panelists: Andrew Hartridge serves as M&T Bank's Chief Information Security Officer, forming and executing the overall strategy for information security. Mr. Hartridge is an accomplished information technology executive with in-depth knowledge of telecommunications, information security, privacy, operating platforms and emerging technologies. He has broad experience in the public and private sectors within the financial services, health-care, and manufacturing industries. He leads cybersecurity activities for the Company, including networking and telecommunications, identity and access management, regulatory compliance and related policy and project support, to protect the Bank's and customers' data, monetary assets, information and reputation. Prior to this position, Mr. Hartridge held progressively senior executive leadership roles at the U.S. Internal Revenue Service, where he was responsible for all aspects of the agency's cybersecurity program. Mr. Hartridge is a Certified Information Systems Security Professional (CISSP) and an Information Systems Security Architecture Professional (ISSAP).

Paul Horn currently serves as Chief Information Security Officer (CISO) at HD Vest Financial Services and has more than 20 years of varied security experience, including time as a Special Agent with the Air Force Office of Special Investigations, leading a global information security program for DynCorp International's logistics and air operations under various government contracts, and leading the Drug Enforcement Administration's Aviation Division vulnerability management program. Mr. Horn also takes part in the Strategic Threat Assessment & Response (STAR) work group led by the IRS to help protect taxpayers and the integrity of the tax ecosystem. In addition, Mr. Horn was a finalist in 2013, 2014, 2015 and 2016 for Certified CISO of the Year through EC-Council and now serves on the awards committee. Mr. Horn also serves on a variety of cybersecurity advisory boards and has a deep dedication to the information security community, mentoring other security professionals. Mr. Horn holds a Master of Science in Management with a concentration in Information Systems Security and a Bachelor of Science in Business Administration in Information Technology from Colorado Technical University. He also holds the following information security certifications: Certified Chief Information Security Officer (C|CISO), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and GIAC Certified Incident Handler (GCIH).

Greg Scroggs attended Georgia Tech as a cooperative student with The Southern Company in Atlanta, where he served in a variety of roles: computer operations, application programming, system programming, and telecommunications. His next role involved both technical and management positions at the Primerica division of Travelers and Citigroup, where he held various technical operations, security, and telecommunications management positions. For the past 10 years, Mr. Scroggs has managed security engineering and operations, technology risk management, and data telecommunications for Primerica, which is now a public company. His current role at Primerica is Senior Vice President and Chief Information Security Officer (CISO).

2018 Cybersecurity Conference, February 22, New York, NY
Cyber Incident Response Plans and Resources

Panelists
Moderator: Rafael Skovron, Examination Manager, Sales Practice, FINRA San Francisco District Office
Panelists: Andrew Hartridge, Chief Information Security Officer, M&T Securities, Inc.; Paul Horn, Chief Information Security Officer, HD Vest Financial Services; Gregory Scroggs, Senior Vice President and Chief Information Security Officer, Primerica


Polling Question 1
1. Are you from a small firm? (Under 100 RRs)
a. Yes
b. No

Why invest resources in incident response?
- Reduce recovery time
- Increase stakeholder confidence
- Limit reputational damage to the firm and to the industry
- Compliance with FINRA supervision rules

Polling Question 2
2. What would you do if your printers started printing out tax returns randomly?
a. Turn the machine off
b. Add paper and collect the tax returns
c. Call the police
d. Contact your Chief Information Security Officer

What is an incident?
- Potential events
- Declared vs. confirmed
- Indicators
- Incidents vs. attacks
- Severity levels

Key elements of an incident response plan
- Containment
- Mitigation
- Recovery
- Investigation
- Notification
- Restitution

Who are the major players in the plan?
- Commander
- Executives
- PR / Communications
- Legal
- Compliance
- What do you outsource?

Common issues when implementing a plan
- Too much data, not enough understanding of people, process, and technology
- New vendors on-boarded too quickly
- Fatigue
- Incident response doesn't scale
- No logs
- Some logs are worth more than others

Practicing the incident response plan
- Practice beyond tabletops, or not?
- Open vs. closed pen tests
- Pre-scripted playbooks for the more frequent attacks
- Develop scenarios for specific outcomes, or not?
- Who makes decisions, when, and how will they be made?

Polling Question 3
3. Do you rely on insurance as your incident response plan?
a. Yes
b. No

Can small firms run effective incident response?
- Breach coach
- Vendors
- Correlating events across customers
- Small Firm Checklist

How does insurance factor into incident response?
- Role of cyber insurance underwriters
- Policy review

Does incident response change in the cloud?
- Networks and data are in the cloud
- Forensic detail
- Contractual responsibilities
- Vendor involvement

Security Incident Response Plan (S-IRP)

Revision History
Revision Number | Issue Date | Issued By | Explanation

1 Table of Contents
Responders
Overview
Effective Date
Foreword
Reporting
Scope
Definitions
Event
Precursor
Indicator
Incident Response
Investigation
System Owner
SIRT Framework
Preparation
Detection & Analysis
Security Incident Escalation
Containment, Eradication & Recovery
Post-Incident Activity
Security Incident Details
Categories
Scope
Severity Levels (Rating)
Attack Vector
Privacy
Likelihood/Considerations
The SIRT
SIRT Charge
SIRT Objectives
SIRT Members
Incident Commander
Incident Administrator
Anti-Money Laundering Responder
Supporting Responders
Help Desk
Employees, Advisors, etc.
Security Incident Tracking
Security Incident Closure
Final Reports
Third-Party Reports
SIRT Training
Advanced Training and Skills Requirements
SIRT Exercises
Security Incident Metric Reporting
Out-of-Band Communications
Board of Directors Reporting
13.3 Collecting Security Incident Data
Security Incident External Reporting
Insurance Reporting
Suspicious Activity Reporting
Constituent Notification
Payment Card Industry Reporting
Credit Monitoring
Claims for Reimbursements
External Information Sharing
InfraGard
Financial Services Information Sharing and Analysis Center
Data Sets to Consider for Sharing
SIRT Organizational Structure
Workflow Activity

2 Responders
The following individuals have been identified within the Security Incident Response Plan, with duties and responsibilities described in later sections of this document. Names and telephone numbers are left blank in this template.

Security Incident Response Team Core Members (Function, Section)
- Incident Commander (8.1), two positions
- Incident Administrator (8.2), three positions
- Anti-Money Laundering Responder (8.3), two positions

Supporting Responders (Function, Section)
- Incident Coordinator, two positions
- Sr. Reviewing Executive, two positions
- IT Responder, three positions
- SOC Responder
- QSA Responder, two positions
- Forensic Responder, five positions
- DR Responder, two positions
- Communications Responder, two positions
- Risk and Compliance Responder, two positions
- Finance Responder, two positions
- Legal Responder, four positions
- Operations Responder, two positions
- Sales Responder, two positions
- HR Responder, two positions
- Law Enforcement Responder (FBI) (14.2), two positions
- Law Enforcement Responder (USSS)

3 Overview
The purpose of this Security Incident Response Plan ("S-IRP" or "Plan") is to provide a governing framework for Acme Corporation and its subsidiaries ("Acme" or the "Company") around Incident Response (IR) efforts for suspected and confirmed Security Incidents. The goal of the Plan is to outline Acme's approach to handling Incident Response efforts: defining Security Incidents, identifying the organizational structure and defining roles, responsibilities, and levels of authority, identifying the severity rating of Security Incidents, and establishing methods of reporting and escalation of Security Incidents. The S-IRP also establishes the Security Incident Response Team (SIRT). The SIRT will follow the guidance in this document. The S-IRP will be reviewed annually and updated as needed to reflect changes in technology and/or at the request of the Chief Information Security Officer (CISO). Changes to the policy will be coordinated through the Information Security Steering Committee (ISSC) for approval. In the event that items in the S-IRP are unclear, the CISO and/or Deputy Information Security Officer (Deputy ISO) will provide interpretive guidance.

3.1 Effective Date
The S-IRP will be effective January 1, 2017, but will be limited to Security Incidents rated as Level 5 or 6 along with a Functional or Recoverability Impact of Significant or Catastrophic, or an Informational Impact of Privacy Breach or Integrity Loss. These incidents will be identified as Declared Incidents and are discussed further in Section 5.3.

3.2 Foreword
The Company must be able to respond to physical and electronic Security Incidents in a manner that protects the Company's Confidential Information (defined below) and resources (both physical and electronic) that might be affected by the Security Incident.
The Company, in varying degrees, relies upon Confidential Information, which includes confidential or proprietary business information of the Company; cardholder and sensitive authentication data within the scope of the Payment Card Industry Data Security Standard (PCI DSS); nonpublic personal information (NPPI) of Company customers; and personally identifiable information (PII) of employees, registered representatives, Investment Advisor Representatives and customers. Such customers and employees are referred to herein collectively as "Company Constituencies", and registered representatives and investment advisors are referred to herein collectively as "Advisors". See the Information Security Policy for definitions of Confidential Information, NPPI, and PII and for the detailed Information Classification Matrix.

3.3 Reporting
The SIRT, in consultation with the Legal Responders (identified in Section 8 of the S-IRP), is responsible for determining the extent of Federal, State, and Self-Regulatory Organization (SRO) notification to be made in connection with a Security Incident. The actual notification will be performed by the Legal Responders. Security Incidents may result in a business disruption that activates the Business Continuity Plan (BCP) and/or the Emergency Plan. See the BCP and Emergency Plans for more details.

3.4 Scope
This S-IRP applies to all physical and electronic Security Incidents involving Company resources, including, but not limited to, employees, hard copy documents, electronic documents, and any computing devices, midrange, and network environments owned or used by Acme, Advisors, third-party service providers and vendors that access, process, store, or transfer Acme information.

For Security Incidents involving Advisors and any Advisor-owned or leased IT equipment, a Security Incident Intake Form must be completed by contacting the Help Desk or by submitting an email to acmesecurity@acme.com, Monday through Friday between 8:00 a.m. and 5:00 p.m. Central Standard Time. All applicable portions of the Security Incident Intake Form and of this document may apply and, where applicable, must be followed.

4 Definitions
For the purpose of this document, a Security Incident is defined as an Event that has actual or potential adverse effects on an individual, computer or network resource, resulting in misuse and/or abuse, compromise of information, or loss and/or damage of Company property and/or information. Any Event that originates from, is directed towards, or transits Company-controlled computing equipment and/or network resources, including Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS) used in support of Acme business operations, falls under the purview of the SIRT. Computing devices containing Company information that are operated and/or owned by Advisors fall under the purview of the SIRT for reporting purposes; detection, containment, eradication, and recovery efforts are the responsibility of the System Owner and/or Advisor. It is foreseeable that many Events will be classified and handled by semi-automated or automated means and will not require further analysis and/or escalation. The list of Security Incident categories is contained in Section 6 of this document.

4.1 Event
For the purpose of this document, an Event is defined as any observable occurrence, either physical or within a system or network.

4.2 Precursor
For the purpose of this document, a Precursor is a sign that a Security Incident may occur in the future.

4.3 Indicator
For the purpose of this document, an Indicator is a sign that a Security Incident may have occurred or may be occurring now.

4.4 Incident Response
For the purpose of this document, Incident Response means the process of detecting and analyzing a Security Incident and mitigating its effect on the organization.

4.5 Investigation
For the purpose of this document, an Investigation is the process of ascertaining facts through detailed examination of information.

4.6 System Owner
For the purpose of this document, a System Owner is the person responsible or designated for the procurement, development, integration, modification, or operation and maintenance of an information system.

5 SIRT Framework
The S-IRP life cycle methodology establishes a response capability but also aids in preventing Security Incidents. Although the SIRT is typically not responsible for Security Incident prevention, prevention is fundamental to the success of the Security Incident Response Program. The sections below provide a basic framework that must be followed to handle and prevent Security Incidents.

5.1 Preparation
A Company goal is to keep the number of Security Incidents low to protect the business and its processes; a high volume of Security Incidents may overwhelm the SIRT and its capabilities. The SIRT must be knowledgeable in industry-accepted incident handling techniques. Training requirements are listed in Section 11 of this document.

5.2 Detection & Analysis
Security Incidents occur in a multitude of ways, and it is not feasible to develop step-by-step instructions for each type of Security Incident. The SIRT needs to be flexible in its approach to handling and responding to any type of Security Incident. The list of Attack Vectors can be found in Section 6.4 of this document.

5.2.1 Detection
The most challenging part of the Incident Response process is accurately detecting and assessing suspected or possible Security Incidents and then determining whether a Security Incident occurred. The challenge lies in the following three factors:
1. A Security Incident may be detected through a variety of means, e.g., automated network-based detection tools, host-based Intrusion Detection Systems (IDS), antivirus platforms, and log analyzers, or by manual means such as an individual reporting an Event or problem. Where applicable, computing resources (applications, systems, etc.) must be configured to send Event Logs to a centralized Security Information and Event Management (SIEM) platform for analysis, providing a central method for detection and/or for initiating directives.
2. The volume of Events and/or potential signs of a Security Incident is generally high in most organizations. It is not uncommon for an organization to encounter thousands, if not millions, of intrusion detection Events per day.
3. Because the severity of Security Incidents varies, individuals with specialized technical knowledge and extensive experience need to evaluate Security Incident-related data.

5.2.2 Reporting New Security Incidents
Anyone who suspects the occurrence of a Security Incident, or is affected by one, must report such information by telephone to the Help Desk within 2 hours of discovery and/or learning of the information, or as soon as reasonably practicable. The Help Desk's phone number is (555). Security Incidents may also be reported through the acmesecurity@acme.com mailbox, Monday through Friday between 8:00 a.m. and 5:00 p.m. Central Standard Time. The individual who reports the Security Incident is known as the Detector and provides relevant information to the Help Desk representative for inclusion in the Security Incident Intake Form. In the event the Help Desk is unavailable, notifications must be made to the CISO and/or Deputy ISO identified in Section 2. The Help Desk is initially responsible for ensuring that the minimum information is contained within the Security Incident Intake Form and for providing the data to the CISO and/or Deputy ISO. The Help Desk must notify the CISO and/or Deputy ISO upon completing the Security Incident Intake Form, or as soon as reasonably practicable. In some cases Information Security personnel and the Incident Administrator may self-initiate a Security Incident Intake Form.

5.2.2.1 Security Incident Intake Form
The Security Incident Intake Form at a minimum needs to contain the following data points prior to submission to the CISO and/or Deputy ISO:
- Date and time notified
- Date and time opened
- Date and time the Event took place
- Title of the Incident
- Summary of the Event and how it was detected
- Detector's name, email, and phone number (Detectors may choose to remain anonymous)
- Acme Point of Contact (POC) for the Event
- Category of the Incident
- Scope (Functional, Informational, and Recoverability Impact) of the Incident
- Severity of the Incident
- Method of detection

5.2.3 Analysis
The SIRT will endeavor to efficiently analyze and validate each Security Incident and follow a pre-defined evaluation and resolution process. The SIRT will document the steps it takes during the evaluation stages. When the SIRT believes that a Security Incident has occurred, it will evaluate the scope of the Security Incident by making the following determinations, if possible: (i) the cause of the Event; (ii) how it occurred; and (iii) what was affected, performing containment as it does so. The SIRT will update the status of Security Incidents through deeper analysis, root cause analysis and identification of corrective actions as needed.
The status for Security Incidents shall contain the following data points (as applicable):
- A summary of the Security Incident
- Indicators related to the Security Incident
- Actions taken by all Incident Handlers on the Security Incident
- Impact assessments related to the Security Incident (Functional, Informational, and Recoverability)
- Contact information for other involved parties (non-SIRT members)
- A list of evidence gathered during the Security Incident
- Comments from Incident Handlers
- Next steps to be taken, including root cause analysis and corrective actions as needed

IDS may produce false positives that resemble Security Incidents and require further analysis. Not all Security Incidents have Precursors; Indicators are more common. Even when an Indicator is accurate, it does not automatically mean a Security Incident has occurred. For example, a server can crash due to a memory leak, and this would not be classified as a Security Incident. The Incident Commander will use his or her judgment to determine whether an Event is actually a Security Incident.

5.2.4 Security Incident Ratings
The Incident Commander will rate every new Security Incident s/he oversees and document the appropriate response(s) taken by the SIRT, based on factors such as impacts, attack vectors and privacy. If a Security Incident meets multiple severity ratings, the highest level must be chosen. The Incident Commander may reduce the Security Incident classification, or prioritize open Security Incident evaluations, based on the information available to him or her or on readily available alternatives. Security Incidents receiving a Level 6 severity rating will receive the highest priority of SIRT resources. In the case of multiple Security Incidents, the higher severity rating will receive higher prioritization.

5.3 Security Incident Escalation
Security Incidents that are assigned a severity rating meeting the threshold in Section 3.1 shall be known as Declared Incidents. The SIRT members shall confirm the rating and, once this occurs, these incidents will be referred to as Confirmed Incidents. Incident ratings may change during the evaluation stages of a Security Incident, especially as the SIRT obtains and reviews additional information. The Incident Commander will coordinate with the SIRT to determine if a Security Incident needs to be escalated or de-escalated. The same criteria used to initially rate a new Security Incident will be used to escalate or de-escalate a severity rating. Confirmed Incidents need to be evaluated for insurance carrier notification by the Legal Responders. If such a requirement exists, the Legal Responder will notify the insurance carriers and perform any required follow-up actions they request.

5.3.1 Escalation
The Incident Commander will approve the initial rating or escalation of any Security Incident identified as a Declared Incident with a severity of Level 6 and activate the Core SIRT members as appropriate. The Senior Reviewing Executive will inform Senior Management about the Security Incident and the reason for the escalation as soon as reasonably practicable. The Incident Commander will likewise approve the initial rating or escalation of any Security Incident identified as a Declared Incident with a severity of Level 5 and activate the Core SIRT members as appropriate; in that case the Incident Commander is responsible for informing Senior Management about the Security Incident and the reason for the escalation, at the discretion of the SIRT.

5.3.2 De-escalation
The Incident Commander will obtain approval from the SIRT before lowering a Confirmed Incident with a Level 6 rating. The Incident Commander must document the reason(s) for the de-escalation.

5.4 Containment, Eradication & Recovery
All Security Incidents will be handled in phases: containment, eradication and recovery.

5.4.1 Containment
The SIRT is responsible for developing containment and remediation strategies. Containment strategies will vary and depend largely on the circumstances and type of Security Incident. Most Security Incidents will require some form of containment (short- or long-term) to limit the damage to the Company. Decision-making will be more streamlined if there are predetermined containment and remediation strategies to follow for routine or standard types of Security Incidents.

Collecting evidence is an important part of evaluating and resolving a Security Incident. The goal of collecting evidence is to resolve the Security Incident, and it may also be needed for legal proceedings.
Gathering evidence may not be required for every Security Incident. The Incident Commander will consult with the SIRT and direct the collection of evidence as needed. The Incident Commander may also discuss the evidence collection efforts with Legal Counsel, as needed. Evidence that is collected during the investigation of a Security Incident must be accounted for and secured at all times, and collected according to applicable laws and regulations, so that it is admissible in court if needed. The SIRT must physically secure and store evidence and/or material collected and/or prepared during the course of a Security Incident. Evidence must be retained for at least 120 days from the date the Security Incident is presented to the ISSC, or as long as reasonably necessary for legal purposes. The Incident Commander has the discretion to direct the identification of attacking hosts.

5.4.2 Eradication
Once a Security Incident has been contained, eradication may be necessary to remove and/or eliminate components and/or artifacts associated with the Security Incident. For example, malware needs to be deleted, certain user accounts may need to be disabled, and vulnerabilities that were exploited and/or involved must be identified and fixed to the extent possible. Systems owned and operated by Advisors that may be involved in Security Incidents may require the Advisor to coordinate with individuals who have specialized computer security and forensic skills and are able to perform or assist with any detection, containment, eradication and/or recovery efforts. Advisors will need to coordinate with Acme Security to determine the appropriate computer security and/or forensic skills needed prior to engaging anyone for assistance, as engaging the wrong help may result in duplicate expenses for the Advisor. In some situations, access to Acme computing resources may be temporarily suspended until a qualified security professional is able to determine that all containment, eradication and recovery steps have been performed and such information is communicated to the Incident Commander and/or Incident Administrator.

5.4.3 Recovery
In general, recovery efforts are performed by the Incident Coordinator. Recovery efforts involve restoring systems to normal operation, confirming that systems are functioning normally, and, when applicable, remediating vulnerabilities to prevent similar attacks from occurring. Recovery efforts may run parallel to and/or overlap with eradication efforts. Typical recovery actions are:
- Restoring from clean backups
- Rebuilding systems from scratch
- Replacing compromised files with clean versions
- Installing patches
- Changing passwords
- Tightening network perimeter security (e.g., firewall rules, access control lists)
- Raising logging levels for affected resources

If a Security Incident has a severity rating of Level 6, and/or the associated computing resources (e.g., a laptop or desktop) have been involved in two or more Level 5 severity-rated Security Incidents, the computing resources must be reimaged and/or restored to a last known non-compromised state prior to being placed into service. Files that were previously on the computing resource need to be scanned prior to being placed on the reimaged and/or restored computing resource. Note: restored files may contain malicious code that remains dormant until the files are opened. The Incident Commander will determine whether to restore files and report his or her decision to the SIRT. If the determination is made to restore files, only common files may be restored, and under no circumstances may any user profiles be transferred to a clean system and/or image.
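The evidence-handling requirements in the Containment section above (evidence accounted for and secured at all times, retained at least 120 days from the date the incident is presented to the ISSC) can be enforced with a chain-of-custody log that fingerprints each item when it is seized and re-verifies it on every hand-off. The following Python is an added example written for this page, not part of the Plan: the SHA-256 fingerprint, the record layout, the ISO-8601 timestamps and the sample evidence bytes are this example's own choices and are not prescribed by the S-IRP.

```python
"""Chain-of-custody log for SIRT evidence (S-IRP Section 5.4, Containment).

Added example, not part of the Plan. Each item is fingerprinted with SHA-256
when seized; every hand-off re-hashes the item so a modified or corrupted copy
is caught before it changes hands, and the earliest destruction date is
computed from the day the incident is presented to the ISSC (120 days minimum,
per the Plan). Hashing, the record layout and string timestamps are this
example's own choices.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

RETENTION_DAYS = 120  # minimum retention after presentation to the ISSC


@dataclass
class CustodyEvent:
    when: str        # ISO-8601 timestamp supplied by the handler
    handler: str     # responder holding the item after this event
    action: str      # "seized", "transferred A -> B", "TRANSFER REFUSED ..."
    sha256: str      # hash of the content at the time of the event


@dataclass
class EvidenceItem:
    incident_id: str
    description: str
    content: bytes
    events: List[CustodyEvent] = field(default_factory=list)

    @staticmethod
    def fingerprint(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def seize(self, handler: str, when: str) -> str:
        """Record the initial collection and the baseline hash; returns the hash."""
        if self.events:
            raise RuntimeError("item already seized")
        digest = self.fingerprint(self.content)
        self.events.append(CustodyEvent(when, handler, "seized", digest))
        return digest

    def verify(self) -> bool:
        """True if the content still matches the hash recorded at seizure."""
        return bool(self.events) and self.fingerprint(self.content) == self.events[0].sha256

    def transfer(self, from_handler: str, to_handler: str, when: str) -> bool:
        """Hand the item to another responder. The attempt is logged either way,
        but the hand-off is refused (False) when the content no longer matches
        the baseline hash, so a tampered copy never acquires a clean custody trail."""
        if not self.events:
            raise RuntimeError("item has no seizure record; cannot transfer")
        if self.events[-1].handler != from_handler:
            raise RuntimeError(f"{from_handler} is not the current holder")
        current = self.fingerprint(self.content)
        if current == self.events[0].sha256:
            self.events.append(CustodyEvent(when, to_handler,
                                            f"transferred {from_handler} -> {to_handler}", current))
            return True
        self.events.append(CustodyEvent(when, from_handler, "TRANSFER REFUSED: hash mismatch", current))
        return False


def retention_deadline(presented_to_issc: str) -> str:
    """Earliest ISO date (YYYY-MM-DD) the item may be destroyed, absent a longer legal need."""
    return (date.fromisoformat(presented_to_issc) + timedelta(days=RETENTION_DAYS)).isoformat()


def may_destroy(presented_to_issc: str, today: str, legal_hold: bool) -> bool:
    """Destruction is allowed only after the retention deadline and with no legal hold."""
    return not legal_hold and today >= retention_deadline(presented_to_issc)


if __name__ == "__main__":
    # Constructed sample: a captured mail header block, not real data.
    sample = b"Received: from mail.example.invalid\r\nSubject: Invoice overdue\r\n"
    item = EvidenceItem("SI-0001", "phishing email headers", sample)
    item.seize("IT Responder", "2017-03-01T09:00:00Z")
    print(item.transfer("IT Responder", "Forensic Responder", "2017-03-01T14:00:00Z"))
    print(retention_deadline("2017-03-15"))
```

The refused transfer is recorded rather than silently dropped: an auditor reading the log sees exactly when the item stopped matching its seizure hash and who held it at the time, which is the question admissibility turns on.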

5.5 Post-Incident Activity
Post-incident activities are a critical part of the Security Incident response process because they provide the Company with the opportunity to learn from incident response activities and improve the evaluation and remediation processes as needed. The Incident Commander will schedule a lessons learned meeting no later than 3 weeks after a Level 5 or 6 Security Incident is fully closed out. All members of the SIRT are required to attend the lessons learned meeting. The Incident Administrator is responsible for documenting the meeting. The following topics need to be discussed at the lessons learned meeting and summarized and documented by the Incident Administrator:
- Exactly what happened, and at what times?
- How well did staff and management perform in dealing with the Security Incident?
- Were the documented procedures followed, were they adequate, and do they need to be improved?
- What information was needed sooner?
- Were any steps or actions taken that might have hindered recovery?
- What would the staff and management do differently the next time a similar Security Incident occurs?
- How could information sharing with other organizations have been improved, if this was done?
- What corrective actions can prevent similar Security Incidents in the future?
- What precursors or indicators need to be watched for in the future to detect similar Security Incidents?
- What additional tools or resources are needed to detect, analyze, and mitigate future Security Incidents?

During this meeting, the SIRT must identify the root cause(s) of the event to the best of its ability, the remedial measures taken, the team's performance, and whether any internal controls, policies and/or procedures need to be modified in an attempt to prevent similar Security Incidents from recurring. The Risk Responder will submit an Issue and Corrective Action Report (ICAR) as needed, which will be tracked by the Risk Management manager identified in the Firm's Supervisory Control Program.

6 Security Incident Details
The Security Incident details listed below are required for all Security Incidents and will aid during IR efforts.

6.1 Categories
All Security Incidents will be categorized based upon the details of the Security Incident. Each Security Incident must at a minimum carry one of the following categories (Category: Summary and Notes):

General: Any Security Incident category not specifically identified below.
Unauthorized Access: An individual gains physical or logical access without permission to a network, system, application, data, building/office, or other resource.
Loss of Data, Equipment, and/or Documents: The loss or theft of data, documents, a computing device or media.
Attrition: An attack that employs brute-force methods to impair the normal functionality of networks, systems or applications (e.g., denial of service, rainbow tables).
Malicious Code (Malware): Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Malicious code that has been successfully quarantined by antivirus software does not need to be reported.
Improper Usage: A person violates the acceptable computing use policies.
Scans, Probes, and/or Attempted Access: Any activity that seeks to access or identify a computer, open ports, protocols, services, or any combination of these for later exploitation. This activity does not directly result in a compromise or denial of service.
Investigation: Unconfirmed incidents involving potentially malicious or anomalous activity warranting further review.
Exercise and/or Network Defense Testing: To be used during testing or exercises and approved testing of internal and external network defenses or responses.
Social Engineering: Attempted acquisition of information such as usernames, passwords, and credit card details by disguising the request as coming from a purportedly trustworthy entity, in person or by electronic communication (such as email, voicemail, etc.).
Failed Authentication (Advisor/Client only): Attempted acquisition of information such as usernames, passwords, and credit card details by disguising the request as coming from a purportedly trustworthy entity, in person or by electronic communication (such as email, voicemail, etc.).
System Malfunctions: Computing resources, associated with improper maintenance and/or operation, that are operating outside their intended purpose.
Physical Harm: Physical or psychological harm to an individual or group.

6.2 Scope

For the purpose of this S-IRP, each Security Incident will be evaluated to determine the potential Scope of the Security Incident. The Scope will aid in the identification of the Severity Level, and will aid during times of concurrent Security Incidents to prioritize response efforts. The Scope consists of evaluating the functional, informational, recoverability and financial impacts.

When a Security Incident is initially reported, the Scope may need to be estimated. If the Scope is unknown at the time of initial discovery, the team needs to make a conservative estimate based upon the information available; the Scope must then be revised during the lifecycle of the Security Incident whenever additional information is obtained that changes it.

The Scope for Security Incidents at a minimum needs to contain one of the following data points for each Impact:

Functional Impact
Insignificant: Organization's ability to provide services is not affected.
Minor: Organization is able to provide services to all users but has lost efficiency.
Marginal: Organization is able to provide critical services to all users but has lost efficiency.
Major: Organization has lost the ability to provide services to a subset of users.
Significant: Organization is no longer able to provide some services to any users.
Catastrophic: Organization is no longer able to provide critical services to any users.

Informational Impact
None: No information was exfiltrated, changed, deleted, or otherwise compromised.
Privacy Loss: *NPPI, PII, and/or payment card data was accessed or exfiltrated.
Privacy Loss (Outside Acme): *NPPI, PII, and/or payment card data was accessed or exfiltrated outside of Acme.
Proprietary Loss: Company proprietary information was accessed or exfiltrated.
Integrity Loss: *NPPI, PII, payment card data and/or proprietary information was changed or deleted.

Recoverability Impact
Insignificant: Recovery is possible with measures already in use; less than 1 hour.
Minor: Time to recovery is predictable with existing resources; less than 2 hours.
Marginal: Time to recovery is predictable with additional resources; less than 4 hours.
Major: Time to recovery is unpredictable; no additional resources or outside help needed; less than 8 hours.
Significant: Time to recovery is unpredictable; additional resources and outside help needed; more than 8 hours.
Catastrophic: Recovery is not possible; permanent loss of service or facility (e.g., NPPI was exfiltrated and posted publicly).

Financial Impact
Very Low: Less than $100,000
Low: $100,001 - $200,000
Moderate: $200,001 - $300,000
Medium: $300,001 - $500,000
High: $500,001 - $1,000,000
Very High: Greater than $1,000,000

*See the Acme Information Security Policy for the Information Classification Matrix that provides detailed examples of NPPI and PII data points.

6.3 Severity Levels (Rating)

All Security Incidents will be classified (rated) based upon the details of the Security Incident. The Severity Level (Rating) for Security Incidents at a minimum needs to contain one of the following data points:

Level 6 (Very High): Any Event and/or Security Incident that potentially has a significant impact on one or more of the following:
- The ability to provide products and/or services to a significant number of customers;
- The ability to control, record, measure, track, and/or account for a significant amount of inventory, revenue or cash;
- The unacceptable risk of significant punitive regulatory actions, contractual penalties, fraudulent criminal activity, and/or civil litigation; or
- Significant notoriety that has the potential to affect the Company's valuation adversely, damage the brand, and/or cause widespread concern amongst customers and/or investors.

Level 5 (High): Any Event and/or Security Incident not rated as Level 6 that meets one or more of the following:
- Subject to mandatory reporting and/or notification;
- Requires due diligence to assess, identify, and/or correct a deficiency within the organization's data processing, data usage, and/or information security infrastructure;
- Presents the potential, but not the likelihood, of some sort of litigation and/or media attention; or
- Impacts key business functions, systems and/or Confidential information.

Level 4 (Medium): Any Event and/or Security Incident not rated as Level 6 or 5 that results in a False Positive and/or a duplicate effort.

Level 3 (Moderate): Any Event and/or Security Incident not rated as Level 6, 5, or 4 that warrants further analysis and/or investigation.

Level 2 (Low): Any Event that is NOT categorized as a Security Incident but has precursors of a Security Incident (i.e., someone reports a potential Security Incident that is determined not to be a Security Incident); these items need to be logged.

Level 1 (Very Low): Any Event that is NOT categorized as a Security Incident and does NOT have any precursors of a Security Incident (i.e., someone reports a potential Security Incident that is determined not to be a Security Incident); these items may be logged at the discretion of the Incident Commander.

6.4 Attack Vector

For the purpose of this S-IRP, the attack vector will aid during times of concurrent Incidents and to prioritize response efforts based on currently available information, the network architecture and the level of sophistication. The Attack Vector for Security Incidents at a minimum needs to contain one of the following data points:

Attrition: An attack that employs brute force methods
Web: Websites or web-based applications
Email: Email message or attachment
External/Removable Media: Flash drives, Compact Discs (CDs), or other peripheral devices
Impersonation/Spoofing: Replacement of legitimate content/services
Improper Usage: Violation of acceptable use or other policies
Loss or Theft of Equipment: Electronic or physical loss of a computing device, media, or document
Unknown: Cause of attack is unidentified
Other: An attack that does not fit into any other vector

6.5 Privacy Likelihood/Considerations (i.e., Informational Impact)

For the purpose of this S-IRP, each Security Incident will be evaluated for an Informational Impact to determine the likelihood of potential Privacy considerations. This will aid in the identification of which Security Incidents require the attention of Legal Counsel to help evaluate any potential Privacy Notification requirements.

7 The SIRT

Senior Management established the SIRT to ensure centralized coordination of Incident Responses. The SIRT is comprised of technical and non-technical Company employees and contractors who are charged with the prevention, identification, analysis, containment, eradication, recovery, and lessons learned of Security Incidents.

7.1 SIRT Charge

The SIRT is responsible for establishing, overseeing, and carrying out the plans of action for any Security Incident that potentially threatens the confidentiality, integrity, or availability of Company resources (both physical and electronic) and, to a certain degree, those owned and/or operated by Advisors. The SIRT will attempt to restore/recover information and/or systems to an operational state as quickly as possible while preserving forensic data. The SIRT will provide direction and support to the Company and its Advisors when responding to any Incident under its purview.

7.2 SIRT Objectives

The SIRT's main objectives are to protect and preserve information and computing resources to ensure the availability, integrity and, as required, confidentiality of Company information and computing resources. There are five primary objectives of the SIRT:
1. Control and manage Security Incidents.
2. Investigate and assess the severity of Security Incidents in a timely manner.
3. Recover from or bypass Security Incidents in a timely manner to re-establish normal operational conditions.
4. Notify Senior Management, the Risk Oversight Committee (ROC) and/or the ISSC of Confirmed Incidents with a Level 6 rating in a timely manner.
5. Prevent, or establish methods to better protect the Company and its Advisors from, similar Security Incidents in the future to the extent possible.

8 SIRT Members

The SIRT members (also known as Responders) are an operational and diverse team with the specialized skills to investigate Security Incidents and recommend measures to correct or bypass problems or conditions relating to Security Incidents. The nature of a Security Incident will determine which parties are needed to assist with response efforts and implement preventative or corrective actions.

Permanent (Core) Members:
- Incident Commander
- Incident Administrator
- Anti-money Laundering (AML) Responder

Supporting / SME members (at the discretion of the SIRT) may include:

Internal Supporting Responders:
- Senior Reviewing Executive
- Incident Coordinator
- IT
- Disaster Recovery (DR)
- Communications
- Risk and Compliance
- Finance
- Legal
- Operations
- Sales
- Human Resources

External Supporting Responders:
- Qualified Security Assessor (QSA)
- Forensic Computing Services Firm
- Security Operations Center (SOC)

The core SIRT will be assisted by supporting responders who are Subject Matter Experts (SMEs) within their field. These SMEs will only be informed about an incident at the discretion of the SIRT, and once informed they take on the responsibilities described below.

SIRT members must conduct themselves in accordance with the following general objectives:
- Conduct objective, thorough, and timely investigations.
- Evaluate Security Incidents with a focus on individuals' privacy rights.
- Collect, preserve, and protect data, documentation and materials related to the investigation.
- Maintain confidentiality around the investigation and/or Security Incident as required.
- Maintain thorough documentation of the entire investigation process.
- Safeguard investigation materials and documentation.
- Maintain the chain of custody of investigation materials and documentation.
- Evaluate the underlying facts established by the evidence obtained in connection with an investigation of a Security Incident and present objective conclusions in Final Reports. Conclusions must be fully supported by facts discovered during the investigation.
- Conduct a post-incident review of the investigation, and document policy or procedural issues that enhanced or hindered Security Incident detection, monitoring and investigation, and the subsequent development and implementation of corrective or problem-bypass measures.
- Evaluate the business impact of any recommendations that are made to Senior Management.

8.1 Incident Commander

The CISO will serve as the Primary Incident Commander. The Deputy ISO will serve as the Secondary Incident Commander.

8.1.1 Responsibilities
- Activate the SIRT and, as needed, Supporting Responders
- Conduct SIRT meetings
- Coordinate SIRT investigations
- Classify Security Incidents according to Section 6 of this document
- Determine investigation objectives
- Coordinate SIRT training and exercises
- Finalize post-investigation documents
- Prepare reports, as needed
- Update the Senior Reviewing Executive regarding the status of an investigation as needed
- Recommend to the CEO whether information needs to be issued to the general public, when requested
- Coordinate with law enforcement at the direction of the SIRT
- Deactivate the SIRT

8.2 Incident Administrator

The Incident Administrator will assist in a number of administrative functions and assist the Incident Commander and the Incident Coordinator as needed.

8.2.1 Responsibilities
- Take notes during meetings and document their actions, including the general actions of the SIRT
- Task management and tracking of labor hours of SIRT members
- Act as the repository for all Security Incident-related evidence upon deactivation of response efforts, when directed by the Incident Commander in coordination with Legal Responders
- Monitor the acmesecurity@acme.com mailbox Monday through Friday between 08:00am and 05:00pm and self-initiate a Security Incident Intake Form as needed
- Assist in finalizing notification documents and mail such documents

8.3 Anti-Money Laundering Responder

The Anti-money Laundering (AML) Responder will perform AML procedures as well as account reviews, and block accounts as needed. The AML Compliance Manager will serve as the Primary Anti-money Laundering Responder. The Regulatory Compliance Manager will serve as the Secondary Anti-money Laundering Responder. Both managers are members of the AML Committee, in addition to the Chief Compliance Officer.

8.3.1 Responsibilities
- Coordinate with the Chief Compliance Officer and/or the AML Committee to determine whether any punitive or legal actions are recommended for any Advisor
- Perform account reviews and block accounts as needed. Additional notification to internal staff may be performed in lieu of blocking accounts; this will be performed at the determination of the AML Compliance Manager or Regulatory Compliance Manager
- Notify internal staff and/or departments in lieu of blocking accounts as needed

8.4 Supporting Responders

Supporting Responders are not permanent SIRT members; however, these individuals may be asked to assist with a SIRT investigation because they have expertise in a particular subject matter. The Incident Commander and/or Incident Coordinator may request the assistance of Supporting Responders. If their assistance is required, they will become part of the SIRT for the particular investigation they are assisting with. The Incident Commander is the only SIRT member authorized to discontinue the assistance of the Supporting Responders.

8.4.1 Incident Coordinator Responders Core Responsibilities

The Incident Coordinator is responsible for resolving day-to-day production problems and leverages other support groups within the business, such as the application support group. The Head of Infrastructure will serve as the Primary Incident Coordinator. The Manager of Development Services will serve as the Secondary Incident Coordinator.
- Serve as the single POC to the Incident Commander for all technical actions
- Identify and request supporting responders as needed
- Assess the scope of the Security Incident damage, if any
- Provide a systematic approach for technical actions when numerous technology platforms could be impacted by a Security Incident
- Control and contain the Security Incident, to the extent possible
- Collect, document, and preserve forensic evidence related to the Security Incident
- Maintain a chain of custody for all computing evidence obtained during Security Incidents
- Interview individuals who may have information relevant to the Security Incident
- Identify the root cause and/or source and the extent of the damage, and recommend countermeasures or mitigation solutions to reduce or stop any additional damage
- Conduct problem analysis to determine whether any failure in the Company's infrastructure or computing environment may have enabled the Event to occur
- Audit mission-critical systems to ensure they are current with service packs and patches
- Recommend solutions designed to aid in the prevention of similar Security Incidents from recurring in the future. All recommendations need to take into consideration the business impact that would be incurred if they are approved and implemented
- Monitor recovery efforts

8.4.2 Senior Reviewing Executive Responders Core Responsibilities

A Senior Reviewing Executive will be indirectly involved during investigations of Security Incidents so he or she can provide impartial oversight to help protect the interests of the Company. If the Incident Commander is busy running the S-IRP, the Senior Reviewing Executive will provide Senior Management with any relevant updates regarding IR efforts. The CCO will serve as the Primary Senior Reviewing Executive. The CIO will serve as the Secondary Senior Reviewing Executive.
- Update Senior Management and business managers as needed regarding the ongoing investigation and IR efforts
- Work with Senior Management to obtain the services of external resources as needed
- Prioritize the Security Incident within the Company, or direct more senior and/or capable leadership and/or resources to the IR efforts
- Provide objective oversight of the IR efforts
- Review reports generated by the Incident Commander as needed

8.4.3 Information Technology (IT) Responders Core Responsibilities
- Provide the necessary technical support to enable an effective response, such as platform, application, database, and network support

8.4.4 Security Operations Center (SOC) Responders Core Responsibilities
- Serve as central POC for suspected Security Incidents derived from Company network traffic or Advisor networks that are externally reviewed through Managed Security Service Providers (MSSPs)
- Manage the day-to-day monitoring of resources and/or systems for potential security compromises

8.4.5 Qualified Security Assessor (QSA) Responders Core Responsibilities
- Serve as central POC for suspected Security Incidents involving cardholder and/or sensitive authentication data

8.4.6 Forensic Responders Core Responsibilities
- Oversee all forensic investigation requirements and efforts performed by any third-party resources
- Provide expert guidance on procedures for securing electronic or physical evidence, when appropriate
- Provide expert forensic examination of computing resources and/or forensic images captured during response efforts
- Ensure all evidence collected throughout the Security Incident's lifecycle is obtained from SIRT members upon deactivation of the SIRT
- Ensure the procedures for Digital Evidence Chain of Custody are followed by the SIRT

8.4.7 Disaster Recovery (DR) Responders Core Responsibilities
- Maintain situational awareness throughout the entire IR lifecycle for affected technologies identified within the Company's Disaster Recovery/Business Continuity (DR/BC) Plan
- Coordinate with affected technology groups to ensure they are capable of rapid transition to DR/BC mode
- Assess each affected piece of technology to determine a solution in the event any physical assets must be seized by or provided to Law Enforcement (LE)

8.4.8 Communications Responders Core Responsibilities
- Serve as the POC for all requests for information from any source
- Coordinate the release of information to the public
- Provide ongoing advice and awareness regarding the release of communications or documents to the public
- Manage crisis communications to limit exposure to the Company and its Advisors
- Create and distribute internal communications for the Company to help manage the impact of public awareness of Security Incidents
- Assist in drafting and finalizing notification documents with the Legal Responder and Incident Administrator

8.4.9 Risk and Compliance Responders Core Responsibilities
- Ensure that all statutory and contractual obligations are met in a timely manner
- Perform Internal Controls evaluation
- Facilitate policy updates and/or changes as needed
- Provide ongoing advice and awareness regarding the release of communications or documents to regulators and/or law enforcement
- Ensure all reporting requirements are addressed by the SIRT for SEC, FINRA, Federal, State, and Local Laws
- Identify and track Risks as well as Issues and Corrective Actions
- Evaluate Incidents as needed as part of the ROC bi-monthly meetings

8.4.10 Finance Responders Core Responsibilities
- Ensure that all Sarbanes-Oxley Act (SOX) requirements, such as those on evidence tampering and whistleblower protections, are met during the lifecycle of the Security Incident
- Analyze cost savings and/or reforecast budgets if emergency funding is needed
- Track expenses during the lifecycle of the Security Incident

8.4.11 Legal Responders Core Responsibilities
- Provide ongoing legal counsel during Security Incidents

- Evaluate legal privacy implications of Security Incidents
- Evaluate SIRT actions taking into consideration post-event litigation and/or criminal prosecution
- Aid in the determination of whether to notify law enforcement
- Serve as the liaison to law enforcement if it becomes involved in the investigation of Security Incidents
- Provide guidance regarding other legal and contractual obligations stemming from Security Incidents
- Draft and finalize notification documents with the assistance of the Incident Administrator and Communications Responder
- Notify Insurance Carriers and keep them informed on the progress of the Security Incident

8.4.12 Operations Responders Core Responsibilities
- Evaluate the operational impact of Security Events based on the needs of Advisor and Company Constituencies; update the SIRT as needed
- Liaise with outside entities such as clearing firms, banks, and regulators
- Perform general field support
- Recommend additional controls and/or processes as necessary, in coordination with Risk and Compliance Responders
- Implement additional controls and/or processes upon approval by Senior Management or Risk Management

8.4.13 Sales Responders Core Responsibilities
- Evaluate the potential business impact of SIRT response efforts and provide this information to the SIRT
- Work with Disaster Recovery Responders to coordinate between IT and affected business unit(s) in the event of a disruption to business operations that may require a Disaster Recovery / Business Continuity action

8.4.14 Human Resource Responders Core Responsibilities
- Handle all employment-related circumstances resulting from Security Incidents

8.4.15 Law Enforcement Responders Core Responsibilities
- Serve as central POC for suspected Security Incidents when law enforcement notification is required (criminal activity under federal, state, local, and international laws)

8.5 Help Desk

The Help Desk will serve as the central POC for reporting Security Incidents. The Help Desk will be available (Monday through Saturday 06:00am to 07:00pm and Sunday 07:00am to 04:00pm) for communications and Security Incident Reporting. Additionally, the Incident Administrator will serve as an additional POC by monitoring the acmesecurity@acme.com mailbox Monday through Friday between 08:00am and 05:00pm.

8.5.1 Responsibilities
- Monitor Acme computing resources for reports of suspected and/or confirmed Security Incidents
- Complete Security Incident Intake Forms and select the appropriate severity level
- Notify the Incident Commander upon completion of Security Incident Intake Forms, or as soon as reasonably practicable, and forward completed Security Incident Intake Forms to the Incident Commander as directed by the Incident Commander
- Receive calls from Advisors on potential Security Incidents

8.6 Employees, Advisors, etc.

Anyone who observes and/or is informed of a suspected or confirmed Security Incident is responsible for reporting such information immediately.

8.6.1 Responsibilities
- Report suspected or confirmed Security Incidents within 2 hours of obtaining information, or as soon as reasonably practicable. See sections 3.4 and for more information on how to report.

9 Security Incident Tracking

The SIRT will log, track and document the investigation and resolution of all Security Incidents by submitting a Security Incident Intake Form in the Security Incident tracking system. Data for a particular Security Incident will only be available to the SIRT members, and otherwise upon request and/or approval of the CISO and/or CCO.

Security Incidents will follow the following lifecycle statuses:
- Initial (the ticket is in the initial detection and reporting process)
- Follow-Up (the ticket is ready for the CISO and/or Deputy CISO to review)
- Secondary (the ticket is ready for the SIRT to review)
- Collection (the ticket is ready for Containment, Eradication and Recovery efforts)
- Closed (the Core SIRT has agreed the matter is closed)

Process to log a new Security Incident Intake Form:
1. Navigate to the Security Incident tracking system
2. Click on Create New
3. Enter all required information for all tabs
   a. You may select Save for Later to come back at a later time
   b. You will be presented a warning message in the event all required fields are not completed
4. Click Submit to send the form to the next stage for review

Process for Follow-Up and Secondary Analysis:
1. Navigate to the Security Incident tracking system
2. Click on Edit Incident for the appropriate Security Incident
3. Enter all required information for all tabs
   a. You may select Save for Later to come back at a later time
   b. You will be presented a warning message in the event all required fields are not completed
4. Click Submit to send the form to the next stage for review

Process for Collection:
1. Navigate to the Security Incident tracking system
2. Click on Edit Incident for the appropriate Security Incident
3. Click on Attachments and navigate to the appropriate section
4. Enter information for all required fields
5. Click Submit to save your information
6. Repeat steps 3, 4, and 5 for all appropriate sections

10 Security Incident Closure

Once the affected systems or resources have been returned to normal operations, the SIRT will verify that all corrective and/or preventative tasks are complete and that local services have been restored. In cases where Security Incident response efforts are partially outsourced to third parties, the Incident Commander will monitor and document the Security Incident resolution.

If a Security Incident is rated as a Confirmed Incident with a Level 6 or 5 severity, the Incident Commander must obtain approval from the SIRT to close the Security Incident.

Process for Closing:
1. Navigate to the Security Incident tracking system
2. Click on Edit Incident for the appropriate Security Incident
3. Click on Attachments and navigate to the Incident Closure Form
4. Enter information for all required fields
5. Click Submit to save your information
6. Click Browse Existing
7. Select the drop-down arrow next to Edit Incident for the appropriate Security Incident
8. Click Close Case
   a. You will be presented the following message: "You are attempting to close this incident. This action cannot be undone and will mark all aspects of the incident as read only. Are you sure you want to close the incident?"
9. Select Ok to close the Security Incident

At any time the CISO, CCO, or Chief Executive Officer (CEO) may terminate a Security Incident investigation, regardless of the Security Incident severity rating. If a Security Incident is turned over to a law enforcement agency, the SIRT investigation will, in most cases, be suspended; however, the CISO and Legal Counsel will attempt to obtain updates from Law Enforcement regarding the matter.

Prior to closing any Security Incident involving potential disclosure of NPPI, PII, or other information that was deemed not to constitute NPPI or PII, the Legal Responder needs to conduct a follow-up review of the conclusion to confirm that the information involved has been correctly categorized.

10.1 Final Reports

The SIRT prepares Final Reports. These reports (electronic and physical) are maintained by the CISO.

10.2 Third-Party Reports

The Incident Commander and/or SIRT must confer with Legal Responders prior to engaging any third-party vendor that may produce third-party reports. Any report that is prepared by a Qualified Security Assessor (QSA) or an outside computing forensics firm must be addressed to Legal Counsel and marked as Attorney-Client Privileged and Work Product Protected.

11 SIRT Training

Core SIRT members will receive incident response training as needed. The CISO and Legal Counsel need to provide input in advance of any training to ensure the incident response training elements are current. The following training topics need to be considered in the training venue:
- State and Federal Privacy Law
- Company policies relevant to recent security incident trends
- Best practices for conducting incident handling and investigations
- Best practices for evidence preservation
- Hardware and software tools used by the SIRT

11.1 Advanced Training and Skills Requirements

Incident Commanders, Coordinators, and Administrators may be required to complete additional training to ensure Incident Handling processes meet industry acceptance as an Incident Handler.
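The rules in sections 9 and 10 (the lifecycle statuses, SIRT approval before a Level 5 or 6 ticket can be closed, and read-only after Close Case), the conservative-scope rule in section 6.2 and the response-time and lifespan metrics in section 13.3 are the kind of rules a tracking system can enforce instead of relying on procedure alone. The following model is an added example written for this page; it is not code from Acme, FINRA or the S-IRP. The S-IRP does not describe the tracking system's internals, so the status advanced by Submit, the use of the SIRT's Secondary-stage submission as its "response" to the initial report, and the reading of "conservative estimate" as worst case until revised are all assumptions made here.

```python
# Toy incident-record model for the S-IRP rules above. Added example, not Acme's
# or FINRA's code; the tracking system's behaviour is not specified, so assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, Optional

class Status(Enum):              # section 9 lifecycle statuses
    INITIAL = "Initial"          # initial detection and reporting
    FOLLOW_UP = "Follow-Up"      # ready for CISO / Deputy CISO review
    SECONDARY = "Secondary"      # ready for SIRT review
    COLLECTION = "Collection"    # containment, eradication and recovery
    CLOSED = "Closed"            # core SIRT agreed the matter is closed

# "Submit" moves a ticket one step along the lifecycle; Close Case ends it.
_NEXT = {Status.INITIAL: Status.FOLLOW_UP, Status.FOLLOW_UP: Status.SECONDARY,
         Status.SECONDARY: Status.COLLECTION}

# Section 6.2 impact levels, least to most severe.
IMPACT_LEVELS = ("Insignificant", "Minor", "Marginal", "Major",
                 "Significant", "Catastrophic")

class IncidentError(Exception):
    pass  # an action violated an S-IRP lifecycle rule

@dataclass
class Incident:
    incident_id: str
    severity: int                     # section 6.3 Level 1..6
    reported_at: datetime
    functional: Optional[str] = None  # section 6.2 Functional Impact
    status: Status = Status.INITIAL
    sirt_responded_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None
    sirt_closure_approved: bool = False

    def __post_init__(self) -> None:
        # Section 6.2: an unknown Scope at intake gets a conservative estimate.
        # ASSUMPTION: "conservative" is read as worst case until revised.
        self.revise_scope(self.functional or IMPACT_LEVELS[-1])

    def _ensure_open(self) -> None:
        # Section 10: Close Case "cannot be undone and will mark all aspects of
        # the incident as read only".
        if self.status is Status.CLOSED:
            raise IncidentError(f"{self.incident_id} is closed and read-only")

    def revise_scope(self, functional: str) -> None:
        """Section 6.2: revise the Scope as new information is obtained."""
        self._ensure_open()
        if functional not in IMPACT_LEVELS:
            raise IncidentError(f"unknown impact level {functional!r}")
        self.functional = functional

    def submit(self, now: datetime) -> Status:
        """Click Submit: send the form to the next review stage."""
        self._ensure_open()
        if self.status not in _NEXT:
            raise IncidentError("Collection ends with Close Case, not Submit")
        # ASSUMPTION: the SIRT's own submission (Secondary -> Collection) is
        # taken as its response to the initial report (section 13.3 metric).
        if self.status is Status.SECONDARY and self.sirt_responded_at is None:
            self.sirt_responded_at = now
        self.status = _NEXT[self.status]
        return self.status

    def close(self, now: datetime) -> Status:
        """Click Close Case. Levels 5 and 6 need SIRT approval (section 10)."""
        self._ensure_open()
        if self.status is not Status.COLLECTION:
            raise IncidentError("the Incident Closure Form is filed from Collection")
        if self.severity >= 5 and not self.sirt_closure_approved:
            raise IncidentError(f"Level {self.severity} needs SIRT approval to close")
        self.status, self.closed_at = Status.CLOSED, now
        return self.status

def metrics(inc: Incident) -> Dict[str, Optional[float]]:
    """Section 13.3: SIRT response time and incident lifespan, in hours."""
    hours = lambda t: None if t is None else (t - inc.reported_at) / timedelta(hours=1)
    return {"response_hours": hours(inc.sirt_responded_at),
            "lifespan_hours": hours(inc.closed_at)}

def walkthrough() -> Dict[str, object]:
    """Drive one constructed Level 6 ticket through the lifecycle; return what was seen."""
    t0 = datetime(2018, 2, 22, 9, 0)  # constructed report time
    inc = Incident("SI-0001", 6, t0)  # Scope unknown at intake
    seen: Dict[str, object] = {"scope_at_intake": inc.functional}
    inc.revise_scope("Minor")         # facts arrive; Scope is revised
    for h in (1, 2, 3):               # Initial -> Follow-Up -> Secondary -> Collection
        inc.submit(t0 + timedelta(hours=h))
    try:
        inc.close(t0 + timedelta(hours=8))
    except IncidentError as e:
        seen["close_without_approval"] = str(e)
    inc.sirt_closure_approved = True
    seen["final_status"] = inc.close(t0 + timedelta(hours=8))
    try:
        inc.revise_scope("Major")
    except IncidentError as e:
        seen["edit_after_close"] = str(e)
    seen.update(metrics(inc))
    return seen
```

walkthrough() drives a constructed Level 6 ticket from Initial to Closed: the unknown Scope defaults to Catastrophic until revised, closing from Collection without SIRT approval is rejected, and any edit after Close Case is refused, which is the read-only guarantee the section 10 confirmation message promises. The metrics it returns (3 hours to the SIRT's response, 8 hours of lifespan) are the two section 13.3 figures that fall out of the recorded timestamps.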

12 SIRT Exercises

The SIRT will conduct an annual exercise that simulates a Security Incident. The purpose of the exercise is to maintain the skills and knowledge of the SIRT members. Exercises will involve all core SIRT members; Supporting Responders will be selected to participate as required by the nature of the exercise. At the conclusion of the exercise, the Incident Commander, in coordination with the SIRT members, will prepare a brief report evaluating the exercise and distribute it to the ISSC and ROC within 30 days of completion. Any skill and/or knowledge area that needs to be improved, as well as procedural enhancements, will be identified in the report.

13 Security Incident Metric Reporting

The reports identified in this section will be generated based on information within the Security Incident tracking system. Where possible, these reports will be generated and distributed automatically.

Annual ID Theft Prevention Status Report: Security Incident Metric Reporting and data from the Security Incident tracking system will be utilized to supplement the Firm's ID Theft Prevention Program (ITPP) and its reporting requirements as follows (the following portion was taken from the ID Theft Prevention Program document):

Our firm is responsible for developing, implementing and administering our ITPP and will report annually to Senior Management on compliance with the FTC's Red Flags Rule. The report will address the effectiveness of our ITPP in addressing the risk of identity theft in connection with covered account openings, existing accounts, and service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to our ITPP. Acme will document and report on the effectiveness of ID Theft Prevention Program activities utilizing the annual ID Theft Prevention Status Report. The report will include:
- Significant incidents (number of incidents, victims impacted and exposure) involving identity theft and management's response
- Identity theft control and operating procedure effectiveness
- Summary of service provider arrangements, including any changes to service provider arrangements
- Summary of recommendations for material changes to the program

This annual program performance report will be issued by the Risk Management department by January 31 of each year. Acme Compliance is responsible for reporting to Acme Senior Management on the effectiveness of the Program and on the general state of ID Theft within the firm. As a result, the ID Theft Prevention Status Report will be issued and incorporated into our Annual CEO Certification Process that is reviewed with Senior Management.

13.1 Out-of-band Communications

While the SIRT may provide status updates, it may need to prepare for multiple communication methods, particularly out-of-band communications (e.g., in person, paper). This is necessary in instances where the systems that would normally carry those updates may themselves be compromised, which would give intruders advance warning that a Security Incident has been identified and that response efforts are underway. The Incident Commander will determine whether out-of-band communications are necessary prior to activation of the SIRT and thereafter as needed.

13.2 Board of Directors Reporting

All Security Incidents rated as Confirmed Incidents with a Level 6 severity rating will be presented to the Acme Board of Directors no less than annually by the CISO or CCO, and included in the annual CEO Certification process.

13.3 Collecting Security Incident Data

Collecting data during Security Incidents will help enhance the Information Security program. The information gathered may: (i) indicate the existence of systemic security weaknesses and threats; and (ii) evidence changes in Security Incident trends, which could feed into the Enterprise Risk Assessment process and lead to the implementation of additional controls. The following metrics at a minimum must be collected by the Incident Administrator:
- Number of Security Incidents, broken down by incident level, handled on an annual basis
- Time spent on each Security Incident; each SIRT member must track the time spent and relay this information to the Incident Administrator
- The lifespan of a Security Incident, from the time of discovery through lessons learned
- Length of time it took the SIRT to respond to the initial report from the detector
- Recurring Security Incidents
- Estimated monetary damages stemming directly from Security Incidents

14 Security Incident External Reporting

Reporting Security Incidents externally may be required. Every Security Incident needs to be evaluated in this regard.

14.1 Insurance Reporting

The SIRT must consult with Legal Counsel for any Confirmed Incident with a Level 6 or 5 severity to determine whether the matter must be reported to any of the Company's Insurers.

14.2 Suspicious Activity Reporting

The Company's obligations to file a suspicious activity report (SAR) and/or to notify appropriate law enforcement authorities are set forth in the Company's Bank Secrecy Act / Anti-Money Laundering (AML) Internal Compliance Program. The AML Responder (or the Regulatory Compliance Manager as the delegate) will initially determine whether a Security Incident triggers the completion of a SAR and bring it to the AML Committee for additional review and/or discussion. The AML Responder will consult with the Legal Responder where applicable and receive support from the CISO to ensure the appropriate technical data (IP addresses, hash values, registrar information, etc.) is included in the reporting process.

14.3 Constituent Notification

Certain Security Incidents will require notification to Company Constituents. The SIRT will consult with the Legal Responders to provide factual information regarding Security Incidents. Legal Responders will determine whether any notifications (e.g., privacy or regulatory) are required in accordance with applicable laws and regulations and the manner in which notifications must be made, draft and finalize notification documents, and assist in mailing such documents with the assistance of the Incident Administrator and Communications Responder.

14.4 Payment Card Industry Reporting

A certified QSA may need to be consulted in order to identify specific requirements and steps for reporting suspected and/or confirmed Security Incidents involving cardholder data and/or sensitive authentication data, as they are specific to each payment card brand.

178 The specifics can be found at the following locations: Brand Additional Information Visa MasterCard Discover American Express Credit Monitoring The SIRT will consult with Legal Responders to determine whether a Security Incident triggers a legal requirement to provide credit monitoring to Company Constituents who are impacted by a Security Incident. If a Security Incident was triggered by an Advisor s actions and credit monitoring is required, the CCO may require Advisor s to pay for all credit monitoring services provided to his or her clients. The Legal Responders, with the assistance of Incident Administrator and Communications Responder will draft and finalize all notification documents which may include credit monitoring details. The Incident Administrator is responsible for mailing all notification documents. See the Acme ID Theft Referral Procedures for details Claims for Reimbursements The SIRT must consult with Legal Counsel to determine whether any of the Company s Insurers will reimburse Company for expenses incurred as a result of Security Incidents Reimbursement Request by an Affected Constituent Whenever a Security Incident occurs, an affected Company Constituent may ask the Company to cover expenses (or reimbursement) related to the Security Incident. The Company may by law, rule and/or regulation be required to reimburse the requesting Constituent. If reimbursement is not required, the Company may choose to reimburse an affected Constituent for his or her entire, and/or portion of the, loss suffered as a direct result of the Security Incident. The determination as to whether such voluntary reimbursement will occur will be made by Senior Management, with the advice of Legal Responders Company Reimbursement or other Request The SIRT is required to keep track of all expenses incurred as a result of a Security Incident and provide this information to the Finance Responder and Legal Responders. 
The Legal Responders will review all relevant insurance policies and contracts to determine the appropriate method for obtaining reimbursement for expenses and liabilities stemming from Security Incidents. Legal Responders will provide this information to Senior Management to determine the best course of action for seeking these funds. 15 External Information Sharing The sharing of information and threat intelligence aids the financial community as a whole. Customer s trust may be lost if Security Incidents occur. Therefore efforts need to be made to minimize the impact to consumer trust thus the sharing of information. The CISO or Incident Commander will review all information prior to being shared InfraGard InfraGard is a partnership between the Federal Bureau of Investigations (FBI) and the private sector dedicated to sharing information and intelligence to prevent hostile acts against the United States and the 16 critical infrastructures that make up the backbone of United States (U.S.) economy, security, and health stemming from Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience. 26

179 The FBI has developed Malware Investigator as a resource that Incident Handlers can submit suspected malware files and within as little as an hour, receives detailed technical information about what the malware does and what it may be targeting. The Malware Investigator is only available through established FBI partnerships such as InfraGard Financial Services Information Sharing and Analysis Center The Company is a current member of the Financial Services Information Sharing and Analysis Center (FS-ISAC) which is dedicated to providing collaboration for critical security threats facing the global financial services sector and sharing cyber and physical threat intelligence. Coordination with the FS-ISAC is recommended by the U.S. Department of Treasury, the lead agency for the Financial Service Critical Infrastructure identified in PPD Data Sets To Consider For Sharing The following data sets need to be considered for distribution to those entities listed within this section: Malicious payloads and hash values Attacking IP addresses and associated domain names Command and Control IP addresses and associated domain names Dropper IP addresses and associated domain names Threat vector and associated vulnerability exploit 27

180 16 SIRT Organizational Structure The following diagram represents the makeup of the SIRT and the designation of the core SIRT Help Desk / Mailbox CISO / Deputy ISO Incident Commander Core SIRT Anti-money Laundering Responder Incident Administrator Supporting Responders / SME (ONLY involved as needed) 28

181 17 Workflow Activity The following diagram depicts the flow of activities regarding the escalation of an Event. 29


More information

Recognizing Fraud Staying Safe 2018 Information/Cyber Security Training

Recognizing Fraud Staying Safe 2018 Information/Cyber Security Training Recognizing Fraud Staying Safe 2018 Information/Cyber Security Training Copyright Sage Data Security 2017-2018 All Rights Reserved Presented by: John H Rogers, CISSP Director of Advisory Services john.rogers@sagedatasecurity.com

More information

Cyber Risks, Coverage, and the Board of Directors.

Cyber Risks, Coverage, and the Board of Directors. Cyber Risks, Coverage, and the Board of Directors PCI Northeastern General Counsel Seminar September 19-20, 2016 Vincent J. Vitkowsky Seiger Gfeller Laurie LLP vvitkowsky@sgllawgroup.com CYBER RISKS and

More information

National Policy and Guiding Principles

National Policy and Guiding Principles National Policy and Guiding Principles National Policy, Principles, and Organization This section describes the national policy that shapes the National Strategy to Secure Cyberspace and the basic framework

More information

Legal Considerations and Case Studies

Legal Considerations and Case Studies Cybersecurity for Small & Mid-Size Businesses Phil Schenkenberg, J.D., CIPP/US Cyrus Malek, J.D., Certification in Cybersecurity and Privacy Law Legal Considerations and Case Studies Copyright, Briggs

More information

Managing Cyber Risk. Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust

Managing Cyber Risk. Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust Managing Cyber Risk Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust Adam Thomas Principal Cyber Risk Services Deloitte & Touche LLP Give Us Your Feedback for this Session!

More information

Online Fraud and Identity Theft Guide. A Guide to Protecting Your Identity and Accounts

Online Fraud and Identity Theft Guide. A Guide to Protecting Your Identity and Accounts A Guide to Protecting Your Identity and Accounts As part of SunTrust s commitment to protecting your accounts and identity, we ve created the Online Fraud & Identity Theft Guide, which provides information

More information

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1 Addressing the Evolving Cybersecurity Tom Tollerton, CISSP, CISA, PCI QSA Manager Cybersecurity Advisory Services DHG presenter Tom Tollerton, Manager DHG IT Advisory 704.367.7061 tom.tollerton@dhgllp.com

More information

Identity Theft Prevention Policy

Identity Theft Prevention Policy Identity Theft Prevention Policy Purpose of the Policy To establish an Identity Theft Prevention Program (Program) designed to detect, prevent and mitigate identity theft in connection with the opening

More information

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Charting the Course... Certified Information Systems Auditor (CISA) Course Summary Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business

More information

Cybersecurity and Hospitals: A Board Perspective

Cybersecurity and Hospitals: A Board Perspective Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,

More information

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI EXECUTIVE SUMMARY The shortage of cybersecurity skills Organizations continue to face a shortage of IT skill

More information

ROJECT ANAGEMENT PROGRAM AND COURSE GUIDE

ROJECT ANAGEMENT PROGRAM AND COURSE GUIDE ROJECT ANAGEMENT PROGRAM AND COURSE GUIDE PROJECT MANAGEMENT CERTIFICATE PROGRAM Further your career and gain an understanding of what it takes to lead a project to successful completion functional skills,

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

ASSESSMENT LAYERED SECURITY

ASSESSMENT LAYERED SECURITY FFIEC BUSINESS ACCOUNT GUIDANCE RISK & ASSESSMENT LAYERED SECURITY FOR ONLINE BUSINESS TRANSACTIONS New financial standards will assist banks and business account holders to make online banking safer and

More information

INFORMATION ABOUT SCAMS FOR RESIDENTS

INFORMATION ABOUT SCAMS FOR RESIDENTS INFORMATION ABOUT SCAMS FOR RESIDENTS A Word From The Chief... Each week, too many of our residents become victims of financial fraud whether through a scam, a data breach or identity theft. Scams, (also

More information

The CERT Top 10 List for Winning the Battle Against Insider Threats

The CERT Top 10 List for Winning the Battle Against Insider Threats The CERT Top 10 List for Winning the Battle Against Insider Threats Dawn Cappelli CERT Insider Threat Center Software Engineering Institute Carnegie Mellon University Session ID: STAR-203 Session Classification:

More information

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY Benchmark research sponsored by Raytheon. Independently conducted by Ponemon Institute LLC. February 2018 2018 Study on

More information

Target Breach Overview

Target Breach Overview Target Breach Overview Q: Media reports are stating that Target experienced a data breach. Can you provide more specifics? A: Yes, Target has confirmed that it experienced unauthorized access to its systems

More information

Business continuity management and cyber resiliency

Business continuity management and cyber resiliency Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Business continuity management and cyber resiliency Introductions Eric Wunderlich,

More information

A company built on security

A company built on security Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for

More information

University of North Texas System Administration Identity Theft Prevention Program

University of North Texas System Administration Identity Theft Prevention Program University of North Texas System Administration Identity Theft Prevention Program I. Purpose of the Identity Theft Prevention Program The Federal Trade Commission ( FTC ) requires certain entities, including

More information