On October 29, PEF Services hosted a webinar entitled “Which Describes Your Cybersecurity Program – ‘Eager Beaver’ or ‘Deer in Headlights?’” The program focused on recent risk alerts and actions taken by the SEC regarding Cybersecurity, to help private capital funds develop an appropriate response. The discussion was led by moderator Mark Heil, Senior Vice President, PEF Services. He was joined by industry experts including Eric Feldman, Chief Information Officer, Riverside, a private equity firm; Michael Abboud, CEO, Tetherview, a cloud services provider; and Jamie Barnett, Partner, Venable, a Washington, DC-based law firm.


The message to the private capital firms was that even a “deer-in-headlights” can become an “eager beaver,” which was defined as a firm that was diligently addressing Cybersecurity.

“The ‘Eager Beaver’ is somebody who is thoughtful and meticulous,” explained Eric Feldman, CIO, Riverside. “Somebody who has been paying attention to the OCIE Alerts over the last year and a half. Certainly somebody who has engaged their management team and their own teams and somebody who has begun to think about Cyber as a real risk to their organization – not just their management company, but their portfolio companies as well.”

“As attorneys, we see more of the ‘deers’ than we do ‘eager beavers,’” joked Jamie Barnett, Partner, Venable. “The great thing about having this [webinar] today is do you know which one you are. There are a lot of folks who feel like they are ahead of the game and may actually not be. [They tell you] ‘I have hired a great CFO or CISO, have great anti-virus, have a great firewall and I’m O.K.’ And the fact of the matter, and we will get into it today, there’s a lot more that needs to be done!”

Even “eager beavers” must remain vigilant in updating policies, regularly providing employee training, practicing and updating incident response plans, reviewing vendor access controls, etc., or they could become the “deer-in-headlights.” “Today, the threats are coming in new forms every day,” notes Michael Abboud, CEO, Tetherview. “So if you are not ahead of the game and dealing with the foundation aspect of your IT infrastructure you are being reactive. The point of today is not to be a ‘deer-in-headlights,’ but to be the ‘eager beaver’ who tries to be proactive and tries to button up the holes that are basic in the IT infrastructure.”

Participants who attended the program learned:

  • How to apply the results from The Office of Compliance Inspections and Examinations (“OCIE”) 2015 Cybersecurity Examination Initiative to augment your firm’s cybersecurity preparedness
  • Preparing for OCIE Cybersecurity exams “that will involve more testing to assess implementation of firm procedures and controls.”
  • Developing the types of policies, documents and reports that need to be created to effectively manage your cybersecurity program and to respond to an OCIE Exam
  • Assessing risk associated with using a vendor as part of your cybersecurity due diligence
  • Establishing an incident response program that effectively detects breaches, generates alerts, defines the scope of the incident and provides procedures for communicating the incident to appropriate parties

Topics covered during the webinar were:

  • OCIE Cyber Exams
  • OCIE Recent Cybersecurity Enforcement Actions
  • Governance
  • Risk Assessment
  • Access Controls and Data Loss Prevention
  • Employee Training
  • Vendor Management
  • Incident Response Plans

In addition, participants were presented with a list of documents that the SEC may request during its continuing Cybersecurity sweep, and with provisions they should consider adding to contracts with vendors who have access to their system.

Below is the self-assessment form sent to participants prior to the webinar, the introductory presentation to the program, the presentation used during the webinar, and the video of the webinar itself. It should be noted that all the questions in the self-assessment were derived from the Cybersecurity Examination Sweep Summary issued by OCIE in February.

Cybersecurity Self Analysis 10-29-15 

Cybersecurity Opening Presentation

Cybersecurity Main Presentation

Below are documents that were used to prepare for the webinar and referenced during the program:

  1. OCIE Cybersecurity Initiative, National Exam Program Risk Alert, OCIE (April 15, 2014)
  2. Cybersecurity Examination Sweep Summary, National Exam Program Risk Alert, OCIE (February 3, 2015)
  3. Financial Industry Regulatory Authority, Report on Cybersecurity Practices (February 2015)
  4. Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015), Cybersecurity Unit, Computer Crime & Intellectual Property Section, Criminal Division, US Department of Justice
  5. OCIE’s 2015 Cybersecurity Examination Initiative, National Exam Program Risk Alert, Office of Compliance Inspections and Examinations (“OCIE”) (September 2015)
  6. SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior To Breach, SEC (September 2015)