Cybersecurity… Is your PE Firm Ready?
October 30, 2014
The Panel
Melinda Scott, Founding Partner, Scott Goldring
Eric Feldman, Chief Information Officer, The Riverside Company
Joe Campbell, CTO, PEF Services
Mark Heil, EVP, PEF Services (moderator)
SEC’s Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative
Melinda Scott, Scott Goldring Associates
Background
SEC-sponsored Cybersecurity Roundtable conclusions (March 2014):
• The integrity of our market system and customer data needs protection
• Stronger partnerships between government and the private sector are required to address cyber threats
• Commissioner Aguilar emphasized:
  • The importance for the Commission of gathering information
  • Considering what additional steps the Commission should take to address cyber threats
Examinations
• Pilot examination study of 50 registered investment advisors (April 2014)
• The OCIE’s cybersecurity initiative is designed to:
  • Assess cybersecurity preparedness among RIAs
  • Obtain information about the industry's recent experiences with certain types of cyber threats
  • Promote compliance
  • Share with the industry where it sees risk
• To comply:
  • Assess your supervisory, compliance and other risk management systems related to cybersecurity
  • Make changes to address weaknesses and strengthen those systems
Examination Focus Areas
• Cybersecurity governance
• Identification and assessment of risk
• Protection of networks and information
• Risks associated with remote customer access
• Fund transfer requests
• Risks associated with vendors and third parties
• Detection of unauthorized activity
• Experiences with cybersecurity threats
Cybersecurity Governance
• Two-fold goal:
  • Protect sensitive client data
  • Protect funds and accommodate distributions
• Identify the person responsible for cybersecurity compliance
• Create a written security policy
• Establish procedures to protect the information
• Perform periodic risk assessments and document the results
• Develop a plan for the event of a breach
Identification and Assessment of Risk
• Inventory your firm’s physical devices and systems, software platforms and applications
• Prioritize hardware, data and software for protection based on their sensitivity and business value
• Map network resources, connections and data flows
• Update the inventory and map annually
• Assess your logging capabilities for adequacy, retention and secure maintenance
Governance Policies and Procedures
• Roles and Responsibilities / Business Continuity
• Create a diagram of cybersecurity roles and responsibilities that explicitly states:
  • who has been assigned the role of inventorying the devices,
  • who has been assigned the role of assessing threats, and
  • to whom they report when they find a problem
• Does your firm have an adequate business continuity plan?
Protection of the Firm’s Networks and Information
• The SEC suggests that you use, or model your processes after, those published by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO)
• Provide written guidance and periodic training to employees concerning security risks
• Keep dated copies of your training materials and an attendance sheet, signed and dated
• Maintain protection against Distributed Denial of Service (DDoS) attacks for critical internet-facing IP addresses
• Test the functionality of your backup system
• Maintain an incident response policy
Risks Associated with Remote Customer Access and Funds Transfer Requests
• If you provide your clients with any type of on-line access, you must keep the following information:
  • The name of any third party that manages the service
  • A description of the functionality of the platform and what information is available: balances, address, contact information, withdrawal requests
  • How your customers are authenticated
  • Any software or other practice employed for detecting anomalous transaction requests that may be the result of compromised customer account access
  • A description of any security measures used to protect customer PINs
• Make sure you have a statement to circulate to your clients about reducing cybersecurity risks when conducting transactions with the firm
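The deck asks what practice the firm uses to detect anomalous transaction requests that may come from a compromised customer account, but does not show one. The following is an added example written for this page, not code from the panel, the SEC or any of the firms represented. It screens a single wire or distribution request against what the firm already knows about the account: previously verified beneficiary accounts, the amounts of prior wires, the contact e-mail on file and the date of the last change to contact details. The account IDs, bank account numbers, e-mail addresses, amounts, the 30-day contact-change window and the rule that forged-instruction indicators force an out-of-band callback are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple

# Flags that mean the instruction itself may have been forged. Any of them
# forces a callback to the phone number already on file (never a number
# supplied in the request) before money moves. Policy is an assumption.
CALLBACK_FLAGS = {"new_beneficiary", "email_mismatch", "recent_contact_change"}


@dataclass
class AccountHistory:
    """What the firm already knows about one investor account."""
    known_beneficiaries: Set[str]              # bank accounts previously paid and verified
    prior_amounts: List[float]                 # amounts of previous wires
    contact_email: str                         # address on file for instructions
    contact_changed_on: Optional[date] = None  # last change to contact details


@dataclass
class TransferRequest:
    account_id: str
    beneficiary: str    # destination bank account named in the instruction
    amount: float
    request_email: str  # address the instruction arrived from
    requested_on: date


def amount_is_outlier(amount: float, prior_amounts: List[float]) -> bool:
    """True when the amount is far above what this account normally moves.

    With fewer than five prior wires a mean/stdev baseline is meaningless, so
    fall back to 'more than twice the largest prior wire'. A first-ever wire
    is always treated as an outlier.
    """
    if not prior_amounts:
        return True
    if len(prior_amounts) < 5:
        return amount > 2 * max(prior_amounts)
    mu, sigma = mean(prior_amounts), pstdev(prior_amounts)
    return amount > mu + 3 * sigma


def screen_request(req: TransferRequest, hist: AccountHistory,
                   change_window_days: int = 30) -> Tuple[str, List[str]]:
    """Return (decision, flags): 'release', 'review' (amount only) or 'callback_required'."""
    flags = []
    if req.beneficiary not in hist.known_beneficiaries:
        flags.append("new_beneficiary")
    if amount_is_outlier(req.amount, hist.prior_amounts):
        flags.append("amount_outlier")
    if req.request_email.lower() != hist.contact_email.lower():
        flags.append("email_mismatch")
    if (hist.contact_changed_on is not None
            and req.requested_on - hist.contact_changed_on <= timedelta(days=change_window_days)):
        flags.append("recent_contact_change")
    if CALLBACK_FLAGS & set(flags):
        return "callback_required", flags
    if flags:
        return "review", flags
    return "release", flags


# Constructed sample histories (not real investors or accounts).
HISTORY: Dict[str, AccountHistory] = {
    "LP-0042": AccountHistory({"GB29NWBK60161331926819"},
                              [250_000.0, 240_000.0, 260_000.0, 255_000.0, 250_000.0],
                              "treasury@lp-example.com"),
    "LP-0077": AccountHistory({"FR7630006000011234567890"}, [100_000.0, 120_000.0],
                              "ops@fund77.example", contact_changed_on=date(2014, 10, 20)),
}

# Constructed requests: a forged instruction (new account, look-alike sender
# domain), a routine one, an oversized one, and one shortly after a contact change.
SAMPLE_REQUESTS = {
    "forged": TransferRequest("LP-0042", "DE89370400440532013000", 250_000.0,
                              "treasury@lp-examp1e.com", date(2014, 10, 27)),
    "routine": TransferRequest("LP-0042", "GB29NWBK60161331926819", 252_000.0,
                               "treasury@lp-example.com", date(2014, 10, 27)),
    "oversized": TransferRequest("LP-0042", "GB29NWBK60161331926819", 900_000.0,
                                 "treasury@lp-example.com", date(2014, 10, 27)),
    "changed": TransferRequest("LP-0077", "FR7630006000011234567890", 130_000.0,
                               "ops@fund77.example", date(2014, 10, 27)),
}


def screen_all() -> Dict[str, Tuple[str, List[str]]]:
    """Screen every sample request against its account history."""
    return {name: screen_request(r, HISTORY[r.account_id]) for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (decision, flags) in screen_all().items():
        print(f"{name:9s} -> {decision} {flags}")
```

The point of separating "review" from "callback_required" is that an unusually large wire to a known account is a business question, whereas a new beneficiary, a sender address that does not match the one on file, or a recent change to contact details are the classic signs of a compromised account or a business-e-mail-compromise attempt, and the verification must then go through a channel the attacker does not control.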
Risks Associated with Vendors and Third Parties
• Do you conduct a cybersecurity risk assessment of your vendors before you hire them and give them access to your firm’s network?
• Appoint someone within your firm to regularly assess and monitor the actions of your vendors
• Have the vendor sit in on your cybersecurity training so they are aware of your policies, or provide them with a written copy of your policies and request a statement that their practices will comply with them
Detection of Unauthorized Activity
• You should have an unauthorized-activity policy that includes the title, department and job function of the person responsible for carrying out the procedures
• Maintain baseline information about expected events on the firm’s network so you can recognize unexpected events
• Monitor your network to detect potential cybersecurity events
• Monitor your physical environment to detect potential cybersecurity events
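"Maintain baseline information about expected events so you can recognize unexpected events" is the whole of the detection idea in one sentence. The following added example, written for this page rather than taken from the panel or from any product, makes it concrete for VPN logins: it learns from a week of known-good log lines which source networks and hours of day each user normally logs in from, then compares new lines against that baseline. The log format, the user names, the addresses and the thresholds (five failures within ten minutes) are constructed assumptions; a real baseline would be built from far more history than the handful of lines shown.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log format (assumed, not any real VPN product's): one line per attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

UNKNOWN_USER = "unknown-user"          # successful login by a user absent from the baseline
NEW_NETWORK = "new-source-network"     # user seen from a /24 never seen before
OFF_HOURS = "off-hours-login"          # hour of day outside the user's baseline
FAIL_BURST = "failed-login-burst"      # repeated failures in a short window


def parse(line: str):
    """Parse one log line into a dict, or None if it is not a login record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    # Collapse the address to its /24 so a DHCP change inside the same office
    # network does not look like a new location.
    ev["net"] = ".".join(ev["src"].split(".")[:3]) + ".0/24"
    return ev


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per user, the source networks and hours of day seen in successful logins."""
    base = defaultdict(lambda: {"nets": set(), "hours": set()})
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "success":
            base[ev["user"]]["nets"].add(ev["net"])
            base[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(base)


def detect(lines: List[str], baseline: Dict[str, dict],
           fail_threshold: int = 5, fail_window_s: int = 600) -> List[Tuple[str, str, str]]:
    """Compare new lines with the baseline; return (timestamp, user, reason) findings."""
    findings = []
    failures = defaultdict(list)  # user -> timestamps of failures inside the window
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["result"] != "success":
            failures[user] = [t for t in failures[user] if (ts - t).total_seconds() <= fail_window_s]
            failures[user].append(ts)
            if len(failures[user]) == fail_threshold:
                findings.append((ts.isoformat(), user, FAIL_BURST))
            continue
        profile = baseline.get(user)
        if profile is None:
            findings.append((ts.isoformat(), user, UNKNOWN_USER))
            continue
        if ev["net"] not in profile["nets"]:
            findings.append((ts.isoformat(), user, NEW_NETWORK))
        if ts.hour not in profile["hours"]:
            findings.append((ts.isoformat(), user, OFF_HOURS))
    return findings


# Constructed known-good week used to learn the baseline (not real traffic).
BASELINE_LOG = [
    "2014-10-20T08:55:10 vpn login user=alice src=203.0.113.5 result=success",
    "2014-10-20T17:40:01 vpn login user=alice src=203.0.113.9 result=success",
    "2014-10-21T09:02:44 vpn login user=alice src=203.0.113.5 result=success",
    "2014-10-21T07:58:13 vpn login user=bob src=198.51.100.21 result=success",
    "2014-10-22T12:30:00 vpn login user=bob src=198.51.100.21 result=success",
    "2014-10-22T12:31:10 vpn login user=bob src=198.51.100.21 result=failure",
]

# Constructed new lines: alice at 3am from an unknown network, a normal bob login,
# a password-guessing burst against bob, a login by a user nobody created, junk.
NEW_LOG = [
    "2014-10-27T03:12:40 vpn login user=alice src=192.0.2.77 result=success",
    "2014-10-27T07:45:00 vpn login user=bob src=198.51.100.21 result=success",
    "2014-10-27T22:00:01 vpn login user=bob src=198.51.100.21 result=failure",
    "2014-10-27T22:00:05 vpn login user=bob src=198.51.100.21 result=failure",
    "2014-10-27T22:00:09 vpn login user=bob src=198.51.100.21 result=failure",
    "2014-10-27T22:00:14 vpn login user=bob src=198.51.100.21 result=failure",
    "2014-10-27T22:00:20 vpn login user=bob src=198.51.100.21 result=failure",
    "2014-10-27T22:01:30 vpn login user=mallory src=198.51.100.21 result=success",
    "this line is not a login record and is skipped",
]


def run_sample() -> List[Tuple[str, str, str]]:
    """Learn the baseline from BASELINE_LOG and score NEW_LOG against it."""
    return detect(NEW_LOG, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for ts, user, reason in run_sample():
        print(ts, user, reason)
```

Two design choices matter here: the baseline is learned only from successful logins, so an attacker's failed attempts during the learning week cannot poison it, and a failure burst is reported once when the threshold is reached rather than on every later failure, which keeps the alert volume proportional to incidents rather than to attempts.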
• The SEC wants you to tell them about any cybersecurity breaches that have occurred since January 1, 2013
• Before you discuss any of these issues with an outside vendor, discuss them with your General Counsel or attorney
Danger! Danger! Will Robinson
Information Security Landscape
Eric Feldman, The Riverside Company
Background on Cyber Attacks
Why attack small and mid-sized enterprises (SMEs)? Because they are easy targets.
Why SMEs?
• Lack of funding for information security
• Lack of employee training
• Stepping-stone attacks (the SME is compromised as a route into a larger partner)
• Lack of process for contractor access to systems
What’s at Risk?
• Financial account data
• Company reputation
• Intellectual property and proprietary information
• Legal or regulatory enforcement actions
• LP commitments
What Riverside is doing…
Management Company: Information Security Pyramid
Portfolio Companies:
• Introducing information security assessments into our due diligence processes
• Current-state assessments for existing portfolio companies, and tracking remediations
• Assisting with the development of incident response plans
Immediate Next Steps…
• Start with the basics: understand where your data sits and who has access to it
• Engage a third party to perform a current-state assessment covering risk and overall security posture
• Get C-level sponsorship; it’s critical
• Research cyber-liability insurance policy options
What to expect in 2015…
• LPs asking more targeted questions
• Portfolio companies being asked to respond to third-party risk assessment questionnaires
• Follow-up to the OCIE’s Risk Alert in early 2015
PEF Services’ Approach to Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity (National Institute of Standards and Technology (NIST), February 2014)
• voluntary AND risk-based, driven by business
• collaboration between government and the private sector
• focuses on business drivers to guide cybersecurity activities
Improving Cybersecurity
• Different risks for different firms: threats, vulnerabilities, risk tolerances
• Use it to improve an existing risk program or to build a new one
• NOT one size fits all
The Framework
Risk response options: mitigate, transfer, avoid, accept
Three parts:
• Core
• Implementation Tiers: increase in sophistication from informal, reactive responses to agile, risk-informed approaches (T1: no formal approach to risk; T3: formally approved policies); they provide context for how the firm views its current risk approach
• Profiles
The Framework
Each part reinforces the connection between business drivers and cybersecurity activities.
Profiles: Current Profile vs. Target Profile; the GAP between them is used to develop a roadmap and helps align business requirements AND risk tolerance
Core: consists of 5 concurrent, continuous Functions (Identify, Protect, Detect, Respond, Recover) and matches them with References (NIST, COBIT, ISO, SOC)
Framework Core
Structure: Function → Category → Subcategory
• use as a systematic process for identifying, assessing, and managing risk
• The Framework is NOT meant to replace existing processes
• overlay your current process onto the Framework to determine gaps in your current cybersecurity risk approach
• use to develop a roadmap to improvement
• use to determine the activities that are most important to critical service delivery
• use to prioritize expenditures to maximize the impact of the investment
• designed to complement existing cybersecurity operations, OR
• use as the foundation for a new cybersecurity program, or for improving an existing one
• use to express cybersecurity requirements to business partners and clients
Use the Framework
Case Study: Dammed Creek (DC)
• Middle Market Buyout Fund ($500 MM AUM)
• Fund I: 50 investors, 1 institutional
• Fund II: 60 investors, 5 institutional
• Portfolio companies do business with government and military
DC Advisory Board Meeting
• LPs raise cybersecurity issues
• Dammed Creek recently hired a CTO
• Previously used reputable consultants
• Portfolio companies do business with government and military
The Breach
• Co-founder downloaded infected software onto a personal computer
• Connecting over the VPN, the personal computer carried the virus onto the firm’s network
The Breach Part II
• The hacker was denied access to personnel files
• BUT was able to download key documents related to a portfolio company whose primary customer is the US government
The SEC Exam
• Shortly after the breach, the SEC notifies firm that it wants to do a cybersecurity exam
• Requests a list of documents
Thank You
PEF Services LLC
Joe Campbell, 212-203-4685 x 106, [email protected], www.pefundservices.com
Mark Heil, 212-203-4679, [email protected], www.pefundservices.com
The Riverside Company
Eric Feldman, 212 484 2178, [email protected], www.riversidecompany.com
Scott Goldring Associates
Melinda Scott, 646-652-8567, [email protected], www.scottgoldringassociates.com