Monday, March 23, 2015 Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers Mark C. Amorosi, Investment Management Partner, K&L Gates LLP Jeffrey B. Maletta, Securities and Transactional Litigation Partner, K&L Gates LLP Laura L. Grossman, Assistant General Counsel, Investment Adviser Association Andras P. Teleki, Investment Management Partner, K&L Gates LLP © Copyright 2015 by K&L Gates LLP. All rights reserved. Investment Management Cybersecurity Seminar Series Overview  Session 1 (February 27, 2015)  Untangling the Gordian Knot – Where to Begin When Building Your Cybersecurity Program  Session 2 (Today)  Board and Senior Management Oversight of Cybersecurity at the Adviser, the Registered Fund and Their Service Providers  Session 3 (April 29, 2015)  Testing Your Cybersecurity Infrastructure and Enforcement Related Developments  Session 4 (May 20, 2015)  Breach – What to Do When Things Go Wrong and Cybersecurity Insurance Coverage  Session 5 (June 25, 2015)  Building a Better Mousetrap – Evolving Trends in Cybersecurity Practices and Public Policy Developments klgates.com 2 Session 2 Topics  Oversight responsibilities of board and senior management of investment advisers  Cybersecurity oversight responsibilities of mutual fund boards  Chief Compliance Officer oversight of cybersecurity  Cybersecurity and Rule 38a-1 and Rule 206(4)-7 reviews  Cybersecurity considerations with respect to service providers (e.g., transfer agent, administrator and custodians) and vendors (e.g., IT, due diligence providers, rating agencies)  Contractual considerations with respect to cybersecurity matters klgates.com 3 Responsibilities of Directors and Management for Cybersecurity Cybersecurity: Who Is Responsible (and Liable)?  Directors and officers of registered funds and public companies  Officers and managers of registered advisers  Chief compliance officers  Everyone else How Do We Determine Responsibility? klgates.com 5 Context: The Spectrum of Cyber Attacks  Advanced Persistent Threats (“APT”)  Cybercriminals, exploits and malware  Denial of service attacks  Domain name hijacking  Corporate impersonation and phishing  Mobile and disgruntled employees  Lost or stolen laptops and mobile devices  Third-party vendors weaknesses 6 Context: Potential Effects  Loss of customer funds or assets  Compromise of customer information  Loss of web presence and online business  Interception of email and data communications  Brand tarnishment and reputational harm  Legal and regulatory complications  Loss of “crown jewels” IP and trade secrets 7 No Generally Applicable Privacy and Data Law and No Standard Compliance Program  Securities industry subject to rules that set certain standards and responsibilities  Standards of care develop in civil litigation  Regulatory enforcement may set standards and define responsibilities  Compliance/risk management best practices provide guidance 8 Responsibilities Defined Through Liabilities  Civil litigation against company  Director/officer liability  State corporation law  Federal securities laws  Federal regulatory enforcement  Securities and Exchange Commission  Federal Trade Commission  State regulatory enforcement klgates.com 9 Responsibility Defined By Civil Liability