Cybersecurity: Ongoing Challenges and Increasing Threats (Medium and Large Firm Focus)
Wednesday, May 25, 10:00 a.m. – 11:00 a.m.

Hear about the latest IT security threats to your clients and to your practice. This update will highlight the threats that are prevalent today and what steps you should take to protect you and your clients. Panelists will share useful practices for protecting your practice.

Moderator:
John Brady, Vice President and Chief Information Security Officer, FINRA Technology Administration

Panelists:
Gerard (Jerry) Brady, Managing Director, Chief Information Security Officer and Global Head of IT Security, Morgan Stanley
Michelle Wraight, Director and Chief Privacy Officer, Pershing LLC
Andy Zolper, Chief Information Security Officer, Raymond James Financial, Inc.

© 2016 Financial Industry Regulatory Authority, Inc. All rights reserved.


Panelist Bios

Moderator:

John Brady is a Vice President in Technology for Cyber and Information Security for FINRA, and is the organization’s Chief Information Security Officer (CISO). In this capacity, he is responsible for all aspects of FINRA’s information and cyber security programs, as well as ensures compliance with related laws and regulations. He oversees staff focused in four primary information security areas: security architecture and controls, security management tools, application security, and identity management. Mr. Brady, along with counterparts in FINRA’s Data Privacy Office, establishes policy and technical controls to ensure information is appropriately protected throughout its lifecycle. He began his career with FINRA over 10 years ago as the Director of Networks and Firewalls. He then broadened and deepened his technical knowledge by taking on responsibility for server and storage infrastructure, where he led system engineering efforts to expand capacity and performance of Market Regulation systems in response to data volumes growing more than 40 percent year over year. Mr. Brady recently led the establishment, design, and implementation of FINRA’s new data centers and the seamless migration of more than 175 applications from an outsourcer to those new data centers. Prior to the commencement of his work with FINRA in October 2002, Mr. Brady was Director of Networks at VeriSign from 2000 to 2002 and Network Solutions from 1998 to 2000. From 1995 to 1998, he built and operated Citibank’s Internet Web and email services as Vice President, Internet Services. From 1993 to 1995, Mr. Brady worked for Sun Microsystems as Senior Consultant, where he built integrated network systems for prominent customers. Mr. Brady began his professional career as a member of technical staff at The Aerospace Corporation from 1987 to 1993, designing satellite systems and command and control networks for the Air Force Space Command. Mr. Brady holds a bachelor’s degree in Computer and Electrical Engineering from Purdue University of West Lafayette in Indiana, and a master’s degree in Industrial Engineering and Operations Research from the University of California at Berkeley. He also is an (ISC)2 Certified Information Systems Security Professional (CISSP).

Panelists:

Gerard Brady is a Managing Director of Morgan Stanley in Technology and Data based in New York. He is the Head of IT Security and is the Chief Information Security Officer. Mr. Brady joined Morgan Stanley in August 2005 and has more than 26 years of industry experience in information security. Prior to joining the firm, Mr. Brady worked at Guardent (acquired by VeriSign), where he was the Chief Technology Officer and Chief Security Officer. Before joining Guardent, Mr. Brady worked at Prudential as the Enterprise Information Security Officer and at Internet Security Systems running emerging technologies and enterprise security software.

Michelle Wraight is Director and Chief Privacy Officer at Pershing, LLC, a BNY Mellon Company, with firm-wide responsibilities for managing the Privacy and Data Protection Program. She has been with Pershing since 2008. Ms. Wraight has over 20 years of experience in the Information Security and Data Protection field, having worked in both the pharmaceutical and financial industries. Prior to her current position, Ms. Wraight was the Information Security Officer at Pershing Managed Account Solutions. Ms. Wraight has shared her many years of security and privacy expertise with clients and colleagues through several speaking engagements at Pershing, BNY Mellon, SIFMA, FINRA, International Association of Privacy Professionals, Industry Conferences and a local University. Ms. Wraight holds a bachelor's degree in Information Technology, is a member of the FBI Infragard Program and the International Association of Privacy Professionals, and has achieved CISM (Certified Information Security Manager) and CRISC (Certified in Risk and Information Systems Control) industry certifications.

Andy Zolper is Chief Information Security Officer for Raymond James Financial, Inc., a diversified financial services provider with subsidiaries engaged in investment and financial planning, investment banking and asset management. Through its three broker-dealer subsidiaries, Raymond James Financial has more than 6,300 financial advisers, serving more than 2.5 million accounts in more than 2,500 locations throughout the United States, Canada and overseas. As CISO, Mr. Zolper provides strategic direction to identify appropriate security measures, sponsors implementation of security solutions, manages daily security operations and provides governance to manage technology risk—all in order to help Raymond James achieve its business objectives. Mr. Zolper was previously at UBS as CISO of its Wealth Management Americas division, and later as global head of IT Risk Management. Prior to joining UBS, he led teams in IT risk management, global program management and business process reengineering at JPMorgan Chase. Before working at JPMC, Mr. Zolper was responsible for application development at Sterling Resources Inc., and developed the company's process reengineering, e-learning and knowledge management software products. Before joining Sterling Resources, he served in various management roles at Verizon, ranging from staff director of competitive intelligence analysis to field management of "fiber to the curb" deployment. Mr. Zolper graduated from the Virginia Military Institute. He is a U.S. Marine Corps veteran, having served as a communications and signals intelligence officer. He is a graduate of SIFMA's Securities Industry Institute at The Wharton School, a Registered Operations Professional (Series 99), a certified Six Sigma Black Belt and a Certified Information Security Manager (CISM). He represents Raymond James on the Advisory Council of BITS, the technology policy division of The Financial Services Roundtable, and is a member of SIFMA’s Cyber Security Working Group.

FINRA Annual Conference May 23–25, 2016 • Washington, DC

Cybersecurity: Ongoing Challenges and Increasing Threats (Medium and Large Firm Focus)

FINRA Annual Conference © 2016 FINRA. All rights reserved. 1

Panelists

Moderator
• John Brady, Vice President and Chief Information Security Officer, FINRA Technology Administration

Panelists
• Jerry Brady, Managing Director, Chief Information Security Officer and Global Head of IT Security, Morgan Stanley
• Michelle Wraight, Director and Chief Privacy Officer, Pershing LLC
• Andy Zolper, Chief Information Security Officer, Raymond James Financial, Inc.


To Access Polling

• Click on the schedule icon on the home screen.
• Choose the Cybersecurity: Ongoing Challenges and Increasing Threats (Medium and Large Firm Focus) session.
• In the lower right there is an icon: iPhone – bubble with a bar graph; Android – thumbs up. Click on that to see polling questions and responses.


Threats & Risks


Ransomware


Ransomware – Best Practices

Prevention
• Restrict write permission on file servers / shared folders
• Software whitelisting
• Block malicious websites
• Educate users and user support
• Detect and block software behaviors indicative of malware
• Segment your network using firewalls

Response and Recovery
• Quickly isolate computers that may contain malware
• Backup data and files; test restoration regularly
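The prevention bullet "detect and block software behaviors indicative of malware" and the response bullet "quickly isolate computers that may contain malware" are easier to act on with a concrete detection in hand. The following Python is an added example, not material from the slide deck or from any of the panelists' firms: it reads file-server audit events in a constructed one-line-per-event format, keeps a sliding window per user and client host, and raises an alert when one principal rewrites, renames or deletes many distinct files in a short interval, with higher severity when the renames land on an extension from an assumed list of ransomware-style suffixes. The log format, host and user names, the extension list and the thresholds are all assumptions for the example.

```python
"""Detect ransomware-like write/rename bursts in file-server audit events.

Added illustration: the log format, host/user names, extension list and
thresholds are constructed for this example, not taken from any product
or from the FINRA slide deck.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO timestamp> <user> <client host> <action> <path>".
NORMAL_EVENTS = [
    "2016-05-25T10:00:05 jdoe WS-104 WRITE //fs01/shared/finance/q1.xlsx",
    "2016-05-25T10:02:40 jdoe WS-104 WRITE //fs01/shared/finance/q1.xlsx",
    "2016-05-25T10:03:10 jdoe WS-104 READ //fs01/shared/finance/budget.docx",
    "2016-05-25T10:07:55 jdoe WS-104 WRITE //fs01/shared/finance/notes.txt",
    "2016-05-25T10:09:30 jdoe WS-104 RENAME //fs01/shared/finance/notes-final.txt",
]
# Constructed burst: 25 distinct files renamed to a ".locked" suffix within 25 seconds.
BURST_EVENTS = [
    f"2016-05-25T10:15:{sec:02d} asmith WS-220 RENAME //fs01/shared/hr/review{sec:02d}.docx.locked"
    for sec in range(25)
]
SAMPLE_AUDIT_LOG = "\n".join(NORMAL_EVENTS + BURST_EVENTS)

# Illustrative suffixes only; a real deployment would maintain its own list.
SUSPICIOUS_EXTENSIONS = {".locked", ".crypt", ".encrypted"}
# Actions that change data on the share; reads are ignored by the burst check.
BURST_ACTIONS = {"WRITE", "RENAME", "DELETE"}


def parse_event(line):
    """Parse one audit line into a dict; raises ValueError on malformed input."""
    ts, user, host, action, path = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action.upper(), "path": path}


def parse_log(text):
    return [parse_event(ln) for ln in text.splitlines() if ln.strip()]


def _ext(path):
    return os.path.splitext(path)[1].lower()


def detect_bursts(events, window_seconds=60, min_files=20, high_ratio=0.5):
    """Sliding-window check per (user, host).

    Fires one alert for a principal the first time it touches at least
    `min_files` distinct files with write/rename/delete actions inside
    `window_seconds`. Severity is "high" when at least `high_ratio` of the
    window's events are renames to a suspicious extension.
    """
    windows = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in BURST_ACTIONS:
            continue
        key = (ev["user"], ev["host"])
        q = windows[key]
        q.append(ev)
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0]["ts"] < cutoff:       # drop events older than the window
            q.popleft()
        touched = {e["path"] for e in q}
        if len(touched) < min_files or key in alerts:
            continue
        suspicious = sum(1 for e in q
                         if e["action"] == "RENAME" and _ext(e["path"]) in SUSPICIOUS_EXTENSIONS)
        ratio = suspicious / len(q)
        alerts[key] = {
            "user": ev["user"], "host": ev["host"],
            "first_seen": q[0]["ts"].isoformat(), "last_seen": ev["ts"].isoformat(),
            "files_touched": len(touched), "suspicious_ratio": round(ratio, 2),
            "severity": "high" if ratio >= high_ratio else "medium",
            # Response step from the slide: isolate the client, then restore from tested backups.
            "recommended_action": f"isolate {ev['host']} from the network; restore from tested backups",
        }
    return list(alerts.values())


def scan_sample():
    """Run the detector over the constructed sample log."""
    return detect_bursts(parse_log(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for alert in scan_sample():
        print(alert)
```

Run against the sample, the routine editing by jdoe never fills a window, while asmith on WS-220 trips the alert on the twentieth rename with every event in the window pointing at a suspicious suffix, so the alert comes out at high severity with the host named for isolation. In practice the thresholds should be tuned against a baseline of the share's normal write rate, and the alert should feed whatever tooling actually quarantines the client, since the slide's point is that isolation must be fast.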


Phishing, Spear Phishing & Whaling


Phishing – Best Practices

• Training with simulated phishes
• Email and web security filtering
• Fraud controls and thresholds in payments and funds transfers
• Assist users with review of questionable emails and provide a central contact for reporting
• Maintain secure configurations and stay current on security patches
• Restrict workstation administrator privileges
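The bullet "fraud controls and thresholds in payments and funds transfers" is the control that still holds when a spear-phishing or whaling email has already convinced someone to send money. The Python below is an added example, not the slide deck's content or any firm's actual policy: it evaluates a funds-transfer request against layered rules (amount threshold, emailed instructions, recently added beneficiary, recently changed bank details, urgency language, cumulative daily limit) and returns "release", "callback" (verify by phone using a number already on file) or "hold". The field names, threshold values and sample requests are assumptions constructed for the example.

```python
"""Rule-based release check for funds-transfer requests (a phishing/BEC fraud control).

Added illustration: thresholds, field names and the sample requests are
constructed for this example and are not taken from the FINRA slide deck
or from any firm's policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Beneficiary:
    account_id: str
    added_on: date
    details_changed_on: Optional[date] = None   # last change to bank details, if any


@dataclass
class TransferRequest:
    client_id: str
    beneficiary: Beneficiary
    amount: float
    channel: str                  # "portal" (authenticated session) or "email" (instruction by email)
    requested_on: date
    urgency_language: bool = False  # request presses for same-day action or secrecy


# Constructed policy values; a real firm sets these from its own risk appetite.
POLICY = {
    "callback_over": 10_000.00,       # any transfer above this needs a voice callback
    "email_callback_over": 1_000.00,  # emailed instructions need a callback above this
    "new_beneficiary_days": 7,        # beneficiary added within this window counts as new
    "details_change_days": 14,        # bank details changed within this window -> hold
    "daily_client_limit": 50_000.00,  # cumulative same-day total per client
}
_ORDER = {"release": 0, "callback": 1, "hold": 2}


def evaluate(req: TransferRequest, released_today_total: float,
             policy=POLICY) -> Tuple[str, List[str]]:
    """Return (decision, reasons). "hold" outranks "callback", which outranks "release".

    A callback means confirming with the client on a phone number already on
    file, never on a number supplied in the request itself.
    """
    decision = "release"
    reasons: List[str] = []

    def escalate(to: str, why: str) -> None:
        nonlocal decision
        reasons.append(why)
        if _ORDER[to] > _ORDER[decision]:
            decision = to

    b = req.beneficiary
    if req.amount > policy["callback_over"]:
        escalate("callback", f"amount {req.amount:,.2f} exceeds callback threshold")
    if req.channel == "email" and req.amount > policy["email_callback_over"]:
        escalate("callback", "instruction received by email")
    if (req.requested_on - b.added_on).days <= policy["new_beneficiary_days"]:
        escalate("callback", "beneficiary added recently")
    if b.details_changed_on is not None and \
            (req.requested_on - b.details_changed_on).days <= policy["details_change_days"]:
        escalate("hold", "beneficiary bank details changed recently")
    if req.channel == "email" and req.urgency_language:
        escalate("hold", "emailed instruction with urgency/secrecy language")
    if released_today_total + req.amount > policy["daily_client_limit"]:
        escalate("hold", "would exceed client's daily cumulative limit")
    return decision, reasons


def run_samples():
    """Evaluate constructed sample requests; returns {name: (decision, reasons)}."""
    today = date(2016, 5, 25)
    old_payee = Beneficiary("ACCT-OLD", added_on=date(2015, 1, 10))
    new_payee = Beneficiary("ACCT-NEW", added_on=date(2016, 5, 24))
    changed_payee = Beneficiary("ACCT-CHG", added_on=date(2014, 3, 2),
                                details_changed_on=date(2016, 5, 22))
    samples = {
        "routine": (TransferRequest("C1", old_payee, 2_500.00, "portal", today), 0.0),
        "large_amount": (TransferRequest("C1", old_payee, 25_000.00, "portal", today), 0.0),
        "bec_style": (TransferRequest("C2", changed_payee, 9_500.00, "email", today,
                                      urgency_language=True), 0.0),
        "new_payee": (TransferRequest("C3", new_payee, 500.00, "portal", today), 0.0),
        "daily_limit": (TransferRequest("C4", old_payee, 8_000.00, "portal", today), 45_000.00),
    }
    return {name: evaluate(req, total) for name, (req, total) in samples.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name:12s} -> {decision:8s} {reasons}")
```

The "bec_style" case shows why the rules are layered: the amount alone sits under the callback threshold, but the email channel, the recent change to the beneficiary's bank details and the urgency language together force a hold, which is the pattern a whaling attempt typically presents. The decision is only useful if the callback and hold paths are operated by staff who cannot be talked out of them by the requester, which is where the slide's training and central reporting contact come in.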


Insider Threat


Insider Threat – Best Practices

Guidance:
• US-CERT: “Common Sense Guide to Mitigating Insider Threats”
• MITRE: “Insider Threat Program Best Practices”
• Dept. of Energy: “Predictive Model for Insider Threat Mitigation”
• Raytheon: “Best Practices for Mitigating and Investigating Insider Threats”
• INSA: “A Preliminary Examination of Insider Threat Programs in the U.S. Private Sector”

Effective Controls:
• Pre-hire screening and background checks
• Security Information and Event Management (SIEM)
• Behavioral Analytics tools
• HR processes for identifying and tracking insider risks


Privacy Breach Reporting


Privacy – Best Practices

• Access to legal expertise familiar with privacy, healthcare, other relevant laws
• Know your information assets and legal obligations
• Engage senior management and the Board
• Awareness training for staff and management
• Include 3rd parties (vendors, partners) in your plans
• Data Loss Prevention (DLP) tools
• ID Theft “Red Flags” program
• Collaboration between Data Privacy and Information Security teams


Response and Recovery – Best Practices

• Develop incident response plans, that is, “playbooks” for various scenarios
• Explore cybersecurity insurance coverage options
• Retain an Incident Response firm with forensics capabilities
• Establish working relationships with Law Enforcement (FBI and/or USSS)
• Conduct “table top” exercises involving all departments identified in response plans


Distributed Denial of Service


DDoS – Best Practices

• Have a means to mitigate – in-house, with a DDoS protection service, or your Internet Service Provider (ISP)
• Access to expertise capable of coordinating detection, mitigation and recovery
• Test DDoS mitigation capability regularly
• Avoid paying ransom
• Stay current on patches and secure configurations
• Implement a Web Application Firewall (WAF)


Cybersecurity: Ongoing Challenges and Increasing Threats (Medium and Large Firm Focus)
Tuesday, May 23, 3:00 p.m. – 4:00 p.m.

Resources

Regulatory Guidance

• FINRA Report on Cybersecurity Practices (February 3, 2015)

www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf

• NIST Cyber Security Framework and Roadmap

www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
www.nist.gov/cyberframework/upload/roadmap-021214.pdf

• SEC National Exam Program Risk Alert (OCIE Cyber Security Initiative)

www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf

• SEC Cybersecurity Guidance Update (April 2015)

www.sec.gov/investment/im-guidance-2015-02.pdf

Tips and Templates

• National Cyber Security Alliance – Mobile Tip Sheet

https://staysafeonline.org/business-safe-online/resources/stay-cyberaware-while-on-the-go-safety-tips-for-mobile-devices

• Cyber Security in the Golden State (see “Practical Steps”)

https://oag.ca.gov/cybersecurity

• Strategies to Mitigate Targeted Cyber Intrusions

www.asd.gov.au/infosec/mitigationstrategies.htm