
Post on 19-Jun-2020


An (Outsider’s) View

from Inside the Beltway

Washington Bankers Association
2018 Northwest Compliance Conference
Wednesday, October 3, 2018

Denyette DePierro
Vice President & Senior Counsel
Center for Payments and Cybersecurity
American Bankers Association

Rumors: What’s happening in DC?

Trends: Technology, Cybersecurity, Privacy

What’s Happening in DC?

WHAT ABOUT TRUMP!?

• Embattled White House under investigation

• Midterm Elections

• What happens when things go wrong?

• Dodd Frank Reform

• Cannabis Banking

• Privacy & Data Breach

Regulatory and Legislative

Response?

Watch the headlines

Risk Culture is Shifting

Fintech = Third Party Risk Management

Watch the headlines

Dwolla Enforcement Action

Social Media Risk Management

www.haveibeenpwned.com

Social Media

Social Engineering

Business Email Compromise

Operational Risk

Physical Security Risk

Build Network of “Trust”


Build a network of “trust”!!!

ZeroFox. 2016.

What is Social Media Risk?


1. Compliance & Legal Risk

2. Reputational Risk

3. Operational Risk

4. In Real Life (IRL) Risk

• Misuse of brand identity

• Reputation management

• Inadequate human resources

• Malware infections

• Data loss

• Breach of information security

• Breach of privacy

• Decreased employee productivity

• Legal liability

• Fraud/Scams

• Social Engineering

Real or Fake?

From: Emily Clark [mailto:emily.clark22@gmail.com]
Sent: Thursday, November 24, 2016 12:25 AM
To: Webmaster <webmaster@aba.com>
Subject: Infographic for Cybersecurity/Fraud

Hi,

We recently just published a new animated infographic entitled 'The Online Shopper's Saga: In Search of a Secure Payment Solution' which I think you might be interested in reading and possibly sharing with your readers, here’s the link:

https://www.totalprocessing.com/blog/secure-payment-solution-infographic/

Let me know what you think, we have it as both the animated version (gifographic) you see here and a standard flat infographic if you like it, I’d be happy to write you a unique intro to go with it as well if you thought it was something worth sharing with your audience.

Keep up the good work!

Best regards,

Emily Clark

Impersonations

ZeroFOX, 2017

Media Risk

Social Media Security Checklist

Identify your organization’s social media footprint: active and dormant accounts, key individuals.

Obtain ‘Verified Accounts’ for your company and brand on social media to provide assurance to customers that they are interacting with a legitimate account.

Enable two-factor authentication for social media accounts to deter hijacking.

Monitor for impersonation accounts, scams, fraud, and social media account hijacking, and, when malicious, arrange for takedown.

Initiate employee training on social media security hygiene.

Incorporate social media into your informational security policy and incident response plans.

Incorporate social media accounts in the IT password policy requirements.

Develop a multidisciplinary approach to information security.

Consider occasional third party reviews of your program.
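Two of the checklist items above (know your footprint, then monitor for impersonation accounts) can be partly automated. The script below is an added example, not material from the ABA slides or from any vendor tool: it screens a batch of observed handles against a hypothetical bank's known footprint and flags lookalikes for takedown review. The footprint, the observed handles and the homoglyph table are all constructed sample data.

```python
"""Lookalike-handle screening for social media impersonation monitoring.

Added example (not from the ABA slides). The footprint, handles and
homoglyph table below are constructed; every name is hypothetical.
"""
from dataclasses import dataclass
import unicodedata

# Constructed footprint: handles the hypothetical bank actually controls
# (active, dormant and key-individual accounts). A list keeps iteration
# order deterministic when two known handles tie on distance.
KNOWN_FOOTPRINT = [
    "examplebank",        # brand account, active
    "examplebank_help",   # support account, active
    "examplebank_jobs",   # dormant, but still owned
    "j_smith_ceo",        # key individual
]

# Substitutions commonly used in lookalike handles: characters that read
# alike at a glance. Applied to both sides, so a legitimate digit in a
# known handle is folded the same way and still matches itself.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(handle: str) -> str:
    """Canonical form: NFKC, lower-case, no '@' or separators, homoglyphs folded."""
    h = unicodedata.normalize("NFKC", handle).lower().lstrip("@")
    for sep in ("_", ".", "-"):
        h = h.replace(sep, "")
    for src, dst in HOMOGLYPHS.items():
        h = h.replace(src, dst)
    return h


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), standard two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    handle: str     # observed handle that looks like one of ours
    closest: str    # the known handle it resembles
    distance: int   # edit distance between the canonical forms
    reason: str     # why it was flagged


def screen_handles(observed, footprint=KNOWN_FOOTPRINT, max_distance=2, min_embed_len=8):
    """Return Findings for observed handles that resemble a known handle."""
    own = {k.lower() for k in footprint}
    canon = {normalize(k): k for k in footprint}
    findings = []
    for handle in observed:
        raw = handle.lstrip("@").lower()
        if raw in own:
            continue  # one of our own accounts, nothing to flag
        n = normalize(handle)
        best_known, best_d = min(
            ((k, levenshtein(n, nk)) for nk, k in canon.items()), key=lambda t: t[1]
        )
        if best_d == 0:
            findings.append(Finding(handle, best_known, 0,
                                    "lookalike clone (homoglyph or separator change)"))
        elif best_d <= max_distance:
            findings.append(Finding(handle, best_known, best_d,
                                    f"near match ({best_d} edit(s) from a known handle)"))
        else:
            # e.g. "examplebank.official": too far by edit distance, but the
            # brand handle is embedded verbatim in a longer handle.
            for nk, k in canon.items():
                if len(nk) >= min_embed_len and nk in n:
                    findings.append(Finding(handle, k, levenshtein(n, nk),
                                            "embeds a known handle"))
                    break
    return findings


if __name__ == "__main__":
    # Constructed batch, as a monitoring feed might deliver it.
    observed = ["@ExampleBank", "@Examp1eBank", "@exampIebank",
                "@examplebank.official", "@jsmithceo", "@j_smith_ceo", "@weatherdaily"]
    for f in screen_handles(observed):
        print(f"{f.handle:24} -> {f.closest:18} d={f.distance}  {f.reason}")
```

The output is a review queue, not a verdict: a flagged handle still needs a human to confirm it is malicious before a takedown request goes to the platform, and the homoglyph table and distance threshold should be tuned to the institution's own handle lengths.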

Social Media Resources

aba.com 1-800-BANKERS

Checklist - Employee Use

Personal vs. professional use

Personal brand v. bank brand

Authorized spokespeople

Permissions level

Access during work day

Access on work v. personal devices

Access to bank’s wifi

Privacy settings

See something? Say something.


Checklist - Confidentiality & Content

What is prohibited proprietary and confidential information?

Customers personal financial information and transactions

Bank operations

Employee routine and work habits

Personal routine, habits, and vacations


Checklist - Photographs and “Selfie” Risk

Locations

Employees

Technology

Customers

Events

Always Do a Background Check

Clean Desk Policy

No Selfie Zone


Checklist – Content and Monitoring

Customer complaints, comments, and compliments

Compliant language, links, and disclosures

Mention of bank name, directors, senior staff

Fraudulent accounts and mirror sites

Non-public details about bank operations

Details of routines, habits, vacation schedules

Employee Complaints


FFIEC Social Media Risk Management Guidance (2013)

FFIEC Social Media Risk Guidance

FFIEC Guidance: Social Media Risk Management (2013)

“A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media.”

“The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing.”

Reputation Risk – Fraud and Brand Identity.

“Risk may arise in many ways…spoofs of institution communications, and activities in which fraudsters masquerade as the institution…Financial institutions should have appropriate policies in place to monitor and address in a timely manner the fraudulent use of the financial institution's brand, such as through phishing or spoofing attacks.”

Operational Risk:

“A financial institution should pay particular attention to the [FFIEC IT] booklets "Outsourcing Technology Services" and "Information Security" when using social media, and include social media in existing risk assessment and management programs.”

“Social media is one of several platforms vulnerable to account takeover and the distribution of malware. A financial institution should ensure that the controls it implements to protect its systems and safeguard customer information from malicious software adequately address social media usage.”

Incident Response:

“Financial institutions' incident response protocol regarding a security event, such as a data breach or account takeover, should include social media….”

FFIEC IT Handbook

Regulation of Social Media Risk

FFIEC Information Security Booklet (2016)

Objective 2: Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability, and adequate resources to support the program.

I.A. Security Culture (p. 3). The board and management should:

• Understand and support information security,

• Provide appropriate resources for developing, implementing, and maintaining the information security program, and

• Foster an information security program in which management and employees are committed to integrating the program into the institution’s lines of business, support functions, and third-party management program.

Indicators of a mature InfoSec culture: integration of new initiatives. A stronger security culture generally integrates information security into new initiatives from the outset, and throughout the life cycle of services and applications.

FFIEC IT Handbook

Regulation of Social Media Risk

FFIEC Information Security Booklet (2016)

Objective 4: As part of the information security program, determine whether management has established risk identification processes.

II.A. Risk Identification (p. 7) An information security program should have documented processes to identify threats and vulnerabilities continuously.

Threats: can be a natural occurrence, a technology or physical failure, or a person with intent to harm or who unintentionally causes harm.

Information is available from:

• Public sources: news media, blogs, government publications and announcements, and websites.

• Private sources: information security vendors, and information-sharing organizations.

FFIEC IT Handbook

Regulation of Social Media Risk

FFIEC Information Security Booklet (2016)

Objective 6: Determine whether management effectively implements controls to mitigate identified risk.

II.C.7(e) Training (p. 17). Management should:

1. Educate users about their security roles and responsibilities and communicate them through acceptable use policies.

2. Hold all employees, officers, and contractors accountable for complying with security and acceptable use policies.

3. Ensure that the institution’s information and other assets are protected.

4. Have the ability to impose sanctions for noncompliance.

Content:

• Training materials for most users focus on issues such as end-point security, log-in requirements, and password administration guidelines.

• Training programs should include scenarios capturing areas of significant and growing concern, such as phishing and social engineering attempts, loss of data through e-mail or removable media, or unintentional posting of confidential or proprietary information on social media.

• Training should change to reflect the risk environment.

• Employee training should be annual.

Cybersecurity


What’s the next vulnerability?

• Internet of Things

• Artificial Intelligence

• Big Data

• National Digital Infrastructure

• Social Media/Social Engineering

• Government Security and Data Protection

• Smart City/Interconnectedness

Regulatory and Legislative Response?

Watch the headlines

NIST IOT “Trust” Proposal


City as smartphone

“…Sidewalk thinks of smart cities as being rather like smartphones. It sees itself as a platform provider responsible for offering basic tools (from software that identifies available parking spots to location-based services monitoring the exact position of delivery robots)….Sidewalk plans to let third parties access the data and technologies, just as developers can use Google’s and Apple’s software tools to craft apps.”

City as fintech

How do we protect what we don’t control?

What’s the next (smart city) vulnerability?

Cybersecurity & IT Exam Trends

FFIEC IT Handbook 2018 Updates

• Business Continuity Management

• Operations, Infrastructure, and Architecture

• Development and Acquisition

• Outsourcing Technology Services

• Payments

The Cultural Shift

FFIEC Agency Priorities – IT Exams

1. “Fundamental” Internal Controls

2. Cyber hygiene

3. IT asset inventory and reporting

4. Patching

5. Ongoing Staff Education and Training

6. Threat intel and vulnerability management

7. Third party risk: interconnectedness

8. Third party risk: cybersecurity

The Cultural Shift

Was there anything weird?

The Cultural Shift

QUESTIONS?

www.fsscc.org/files/galleries/FSSCC_Cyber_Insurance_Purchasers_Guide_FINAL-TLP_White.pdf

https://www.aba.com/Tools/Function/Cyber/Pages/IncidentResponseGuide.aspx

2016 Information Security Exam Tool: http://www.aba.com/Tools/Function/Technology/Documents/IT-Examination-Toolkit.pdf

THIS IS A SPECIAL ANNOUNCEMENT


DO YOU EU?

GDPR For the Rest of Us

A Risk-Based Approach to GDPR

HOW DID THIS HAPPEN?

DO YOU EU?

Do you really know your customer?

What’s your real global footprint?


What is GDPR?

Regulation (EU) 2016/679, General Data Protection Regulation (GDPR)

Regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU

Effective: May 25, 2018
Penalties: up to €20M or 4% of global annual revenues

What is GDPR?

GDPR does not apply to:

• Personal data of deceased persons, or of legal entities.

• Data used by an individual for purely personal activities (e.g., sending a party invite to friends in the EU)

• Crime exemption: information sharing between organizations for the purpose of security, and preventing unauthorized access to systems and cyber crime.


What is GDPR User Data?

• Definition is broad and may vary.

• Includes:

– Online identifiers

– Email address

– IP address

– ‘Cookies’

…but not anonymized data.


Does GDPR Apply to You?

GDPR applies to any company that chooses to do business:

1) In the EU

OR

2) With a person in the EU


Does GDPR Apply to Me?

Example #2: When GDPR does not apply to Non-EU Companies

• Your company is a service provider based outside the EU.

• It provides services to customers outside the EU.

• Your clients can use your services when they travel to other countries, including within the EU.

Conclusion:

Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en

GDPR and Banking Activities

• International Foreign Exchange

• International Wires

• Remittances

• Wealth Management and Trust Services

• Payments

Do You EU?

Nine Questions

#1 Have you formed or do you own a controlling interest in a European Union legal entity?

#2 Do you have an EU business license or permission to conduct business in the EU?

#3 Do you own or lease office space or employ personnel or technology in the EU to conduct business in the EU?

#4 Do you have vendor relationships to access EU markets or to process the personal data of EU citizens or residents?

#5 Do you own or operate websites with EU top-level domains?

#6 Do you specifically market products or services through your bank’s website to people in the EU in one of the 24 EU languages and/or in an EU currency?

#7 Do you allow media marketing partners such as Facebook, Google, Yahoo, to use EU-based search engines for retargeting and analytics, or does your banking website use cookies and track IP addresses and users from the EU?

#8 Do you envisage doing business with people in the EU by directing marketing efforts towards the EU or directly and intentionally facilitating access for potential EU customers to your products and services?

#9 Do you hold personal data that identifies an individual in the EU?

If you answered “no” to these nine questions, it is likely that GDPR does not apply to your institution.

GDPR Response Plan

DO A DATA SELF ASSESSMENT!

Consider your corporate family tree.

Identify customers in the EU.

Review policies and procedures.

Develop GDPR memo.

Retain legal counsel or consultant.

QUESTIONS?

About the Speaker

Denyette DePierro
Vice President & Senior Counsel, American Bankers Association

Denyette DePierro joined the American Bankers Association in March 2008. Prior to joining ABA, Denyette was Legislative Counsel at the Independent Community Bankers of America (ICBA) in Washington, D.C. and the California Independent Bankers in Newport Beach, California. Denyette received her J.D. and M.DR from the Pepperdine School of Law, where she was a fellow at the Straus Institute for Dispute Resolution. She received a B.A. from the University of California, Santa Barbara, and was a European Union Fellow at the University of Padua in Padua, Italy in Developmental Economics. At ABA, Denyette focuses on the state, federal, and international regulation of technology, cybersecurity, privacy, data security and emerging trends in banking, including fintech, blockchain, internet of things (IOT), artificial intelligence, and social media.

Email: ddepierr@aba.com
Phone: 202.663.5333
Twitter: @DenyetteD
LinkedIn: linkedin.com/in/depierro