Cybersecurity: Tried and True Tactics for Assessing and Managing Risks, Employee Training and Program Testing Brian Rubin, Partner, Sutherland Tee Meeks, CCO/CAO, Waddell & Assocs., Inc. David Edwards, President, Heron Financial Group Wealth Advisors Craig Watanabe, Sr. Compliance Consultant, Advisor Solutions Group, Inc.

Waddell & Associates, Inc. Employee owned RIA firm based in Memphis with a branch in Nashville $770M AUM 23 full time employees Compliance Department = ME + compliance consulting firm No dedicated Technology Department – outsourced to a local tech firm April 15, 2014 - OCIE CYBERSECURITY INITIATIVE A sample cybersecurity document request letter was provided in the appendix of the alert. The letter I received was almost word-for-word the same as the sample request document in the alert The Exam Thorough! >29 questions - most with multiple sub-sections: requiring 78 separate responses and multiple document requests (P&P, Business Continuity Plan, written information security policy, etc..). >2 weeks to respond and provide the requested supporting documents. Don’t wait until the last minute to submit your response: Required to submit via secure portal - ZixCorp secure email which had issues even their own tech support person couldn’t resolve quickly.

I am not a “techie”? How do I answer these questions? Create a team! Meet the W&A team - Compliance officer (me) + Compliance consultant – Ascendant + IT consultant Suggestion: also get your CEO and/or other executives involved in this process. Not because they will be helpful, but they need to be aware of the magnitude of what is involved with the security of your systems and the compliance that is involved. Each question was reviewed, discussed and answered by the most qualified person on the “team” Some questions were more tech focused: Protection against DDoS attacks Process for removal, transfer & disposition of IT assets Others were more compliance focused: Does your Business Continuity plan address cybersecurity incidents? Do you provide guidance/risk training ? ! Within a couple of weeks of submission I received a call to schedule a follow up call to discuss my answers in more detail. I asked if the other members of my “team” could participate on the call. Suggestion: If you choose to include your IT expert, be sure to advise them on how to interact with the auditors. They should answer the questions directly and not provide more information than is required. IT people LOVE to talk about what they know! The follow up call was very interactive. Provided a lot of clarity for both us and the examiners.

Words of Wisdom In our third and final “wrap up” call, the examiners made a few suggestions: 1) They don’t expect CCO’s to be technology experts but they do expect them to be knowledgeable enough about their firm’s technology to understand and mitigate the risks. I mentioned our IT consultant was drafting a Standard Operating Procedure (SOP) manual for us. NOTE: As a result of a recent loss of data on one of our servers, we have learned FIRST HAND just HOW important this is. GET OUTSIDE, UNINTERESTED PARTY ADVICE if necessary! 2) Employee training and client education is extremely important Be sure to document your training 3) Consider purchasing a cybersecurity insurance policy

W&A Best Practices Created an IT risk team. Consists of one or more people from: Compliance Management (for budget purposes) IT (department or outside solution) Use “The letter” as an ONGOING Audit of our technology risks Our IT risk team meets periodically Questions in the audit letter are reviewed again and we discuss changes/updates. Make sure your IT expert(s) can answer EVERY question confidently. (Caution: you may not understand a word your tech person is saying. Hang in there. You will be surprised what you will eventually learn) Purchase Cyber Liability Insurance Get your IT person involved with this process too. They know what kind of coverage best fits your company’s needs. Get multiple quotes – they VARY! Some applications are VERY detailed. Share EVERYTHING tech related with our IT department/consultant Policies and procedures Cyber Liability policy Industry articles IT department/consultant drafting a SOP manual EDUCATE our employees AND our clients. We have frequent conversations about potential risks. Remember: you are responsible for understanding and mitigating the risks!