Steps to Take Now to be Ready if Your Organization is Breached
Thursday, February 22, 2:30 p.m. to 3:30 p.m.

Cyber threats are no longer a question of if, but when, a breach will occur. It is important to have a cybersecurity plan in place so you are ready to act if your organization experiences a data breach. Join panelists as they share effective steps organizations can take to prepare for an attack.

Moderator: Lloyd Glavocich, Principal Examiner, IT ROOR, FINRA Member Regulation, Office of Risk Oversight and Operational Regulation

Panelists: Brian Donadio, Principal and Head of Global Business Continuity Services, Vanguard; Laz Montano, Chief Technology Risk and Security Officer, Voya Financial

2018 Financial Industry Regulatory Authority, Inc. All rights reserved.
Panelist Bios:

Moderator: Lloyd Glavocich has been an IT professional since 1982, with many years spent in the development, management and support of both the Examination Systems and Surveillance Systems Programs in his 20-year tenure with the New York Stock Exchange's Regulatory Technology division. He is currently a FINRA Principal IT Examiner with a concentration on Cybersecurity, Data Governance and IT Governance. Mr. Glavocich advises the FINRA examination staff in conducting technology-related reviews, in addition to performing reviews for his own examinations. Mr. Glavocich has had professional experience in key areas of IT, including application development, systems administration, database administration, project management and technology controls. Mr. Glavocich was responsible for shepherding the NYSE examination process to the laptop platform for distributed scope execution at member firms in 1995. Mr. Glavocich has also worked for Siemens and Cap Gemini as a developer in an early portion of his career.

Panelists: Brian Donadio is Principal and head of Business Continuity Services at Vanguard, where he leads the team of business continuity professionals who have enterprise-wide responsibility for ensuring that Vanguard is prepared, around the globe, to face a wide range of business disruptions. Mr. Donadio previously was Principal and Senior Counsel in the Legal & Compliance Division, where he led the team responsible for litigation and dispute resolution, global privacy and data protection regulation, and various legal risk management matters. In addition to working with Vanguard's U.S. and international retail, institutional, and financial advisor businesses, Mr. Donadio and his team partnered closely with other areas across Vanguard, including information technology, information security, fraud prevention, business continuity, enterprise risk, and enterprise data governance. Mr. Donadio joined Vanguard after serving as a law clerk in the U.S. District Court for the Eastern District of Pennsylvania and working as a litigation associate at Dechert LLP. Mr. Donadio graduated cum laude from the University of Michigan Law School and received his B.A., with honors, from the University of Pennsylvania.

Laz Montano serves as the chief technology risk and security officer for Voya Financial, responsible for providing leadership, management and strategy for all aspects of technology risk and information security. His first and second lines of defense teams manage and align the company to industry best practices. They take a broad, risk-based approach in effectively safeguarding company, employee and customer information across Voya products, channels and lines of business. Mr. Montano joined Voya in June 2014, bringing more than 25 years of information technology and security experience to his role. Before joining Voya, Mr. Montano was the chief information security officer at MetLife, a Fortune 50 financial services company spanning 46 countries with 70,000 employees, serving 90 million customers. He was accountable for the creation and maintenance of security infrastructure, information security policy, risk assessments, incident response, security awareness and training programs. He also serves on the National Technology Security Coalition's (NTSC) Board of Directors, representing the financial services industry. In this role, he helps influence the strategic direction of the NTSC and joins chief information security officers (CISOs) who represent a broad cross-section of enterprise companies. These CISOs have a vested interest in protecting the security of their customers and employees through policies that improve national cybersecurity standards and awareness. Mr. Montano completed his undergraduate studies at Charter Oak College and the University of Connecticut, and received a Master of Business Administration (MBA) degree from Rensselaer Polytechnic Institute. He is a Certified Information Security Manager (CISM) and holds Certified in the Governance of Enterprise IT (CGEIT) accreditation.
2018 Cybersecurity Conference
February 22, New York, NY

Steps to Take Now to be Ready if Your Organization is Breached
Panelists

Moderator
- Lloyd Glavocich, Principal Examiner, IT ROOR, FINRA Member Regulation, Office of Risk Oversight and Operational Regulation

Panelists
- Brian Donadio, Principal and Head of Global Business Continuity Services, Vanguard
- Laz Montano, Chief Technology Risk and Security Officer, Voya Financial
Discussion Agenda
- Firm's Response Team
- Assembling Crisis Task Force
- Exercising of Playbook Scenarios
- Involvement of External Resources
- Assessment of Losses
- Communications Plan
Firm's Response Team
- Response Team Structure
- Incident Response Playbook
- Functional Involvement
  - Business Response
  - Communications / Media Relations
  - Technology
- Tooling and Capabilities
- Assigned Personnel
Assembling Crisis Task Force
- Clearly identified lines of communication
- Clearly identified gold copy of information
- Identification of Command Centers (in person / remote)
- Technology-to-Business communication
- Establishing a Senior Crisis Leader
- Crisis Management Coordinator
  - Knows all actors and responsibilities / keeps actors focused
Exercising of Playbook Scenarios
- Red Team / Blue Team Exercises
  - All inclusive to ensure lockstep understanding
  - Clarity of responsibilities
- Announced and Unannounced Exercises
- Importance of Reports and Post Mortems
  - Learning and Fortifying Playbook
Involvement of External Resources
- External Resources may include:
  - Legal Counsel with Crisis Experience
  - Consultants and Advisors
  - Service Providers
- Should be included in exercises
- Essential that employees know external contributors
- Must be able to be mobilized at a moment's notice
Assessment of Losses
- Ascertain a picture of impact, to the extent possible
- Include known data and monetary losses
- Prepare to communicate all that is known
- Issue caveat that the situation is still developing
- Establish methods to receive updates: hotlines, websites, media contacts
Communications Plan
- Create and socialize crisis communication plan
- Establish restrictions for engaging the Media
- Communicate to regulators, customers & employees
- Avoid the negative interpretation of "no comment"
- If caused by criminal act, coordinate with FBI and Law Enforcement to stand shoulder-to-shoulder
- Frame the situation to instill confidence in resolution