Center of Regulatory Intelligence July 10, 2017
Trending Issues in Fraud
Regulatory Intelligence Briefing – July 2017
www.fisglobal.com/RISC
Table of Contents
A. Editorial Note from the Managing Director, Center of Regulatory Intelligence ... 3
B. Washington, D.C. Regulatory Roundup ... 4
C. Congressional Hearing Summary: State Action Protecting Persons from Fraud ... 5
D. FOCUS: Trending Issues in Fraud ... 7
E. President Trump’s Executive Order on Cybersecurity ... 15
F. Did You Know? ... 21
G. About FIS’ Center of Regulatory Intelligence ... 22
A. Editorial Note from the Managing Director, Center of Regulatory Intelligence
This month’s Regulatory Intelligence Briefing provides insight into trends for fraud and summarizes how fraud
remains a hot topic within financial institutions today. We highlight some of fraud’s trending areas, such as call
center and wire fraud, and conclude with ways in which financial institutions can proactively deter both new trends
as well as common practices of fraud.
Today, the necessity of strong cybersecurity measures is self-evident. Cyberattacks and data breaches are
increasingly damaging companies, governments and institutions. President Donald Trump’s recent executive order
on cybersecurity highlights the increasing attention toward risks associated with cybersecurity. We look into the
“Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”
and break down the order by section and follow with an overview of the National Institute of Standards and
Technology (NIST) Cybersecurity Framework. We then explore how cybersecurity policy has advanced over the
years and conclude with some cybersecurity best practices.
We also examine a few recent state legislative trends regarding the desire to protect vulnerable persons from
financial fraud. Some states, in an attempt to keep up with technological developments that place additional classes
of people at risk, have developed laws regarding cyber fraud in areas such as elder abuse and online dating.
A majority of states have passed legislation protecting elders from various forms of abuse; the elderly are common
targets for fraudsters because the victims are generally in better financial situations than younger people and
commonly rely on others in a larger capacity. Fraud related to online dating has also been on the rise and we will
explore the measures certain states are taking to deter online dating fraud. We remain focused on ensuring that
your institution understands state trends and broader regulatory expectations.
Peter D. Dugas, Managing Director, Center of Regulatory Intelligence
Peter has more than 16 years of government and consulting experience in advising clients on supervisory matters before
the U.S. government and in the implementation of enterprise risk management programs. He is a thought leader in
government affairs and regulatory strategies in support of banks’ and financial institutions’ compliance with the Dodd-Frank
Act and Basel Accords. Prior to joining FIS™, he served as a director of government relations at Clark Hill and in senior
government positions, including serving as a deputy assistant secretary at the United States Department of the Treasury.
B. Washington, D.C. Regulatory Roundup
Regulatory and Compliance Alerts
FTC Releases Annual Financial Acts Enforcement Report to CFPB
On June 1, 2017, the Federal Trade Commission (FTC) released its 2016 Annual Financial Acts Enforcement Report to the Consumer Financial Protection Bureau (CFPB). The report covers enforcement and other activities related to Regulation Z (Truth in Lending Act), Regulation M (Consumer Leasing Act) and Regulation E (Electronic Fund Transfer Act).
FDIC Adopts Supervisory Guidance on Model Risk Management
On June 7, 2017, the FDIC adopted the supervisory guidance on model risk management the FRB previously issued in SR 11-7 and the OCC issued in OCC Bulletin 2011-12. The guidance addresses supervisory expectations for model risk management, including: model development, implementation and use; model validation; and governance, policies and controls.
Department of the Treasury Requests Comment on Foreign Securities Annual Survey
On June 15, 2017, the Department of the Treasury requested comment concerning the revision of the "Annual
Report of U.S. Ownership of Foreign Securities, including Selected Money Market Instruments" annual survey. The
proposed changes impact the instructions, not the forms (or schedules). Comments are due by August 14, 2017.
OFAC Publishes New FAQs regarding Cuba
On June 16, 2017, the Office of Foreign Assets Control (OFAC) published a FAQ document related to President
Donald Trump's recent announcement regarding Cuba sanctions. The document includes 12 questions and
answers, including a note that the announced changes do not take effect until the related regulations are issued.
SEC Requests Comment on Extension of Broker-dealer Information Collection on OTC Securities
On June 16, 2017, the SEC requested approval of an extension of the previously approved collection of information
related to over-the-counter (OTC) securities, for which Rule 15c2-11 (17 CFR 240.15c2-11) provides under the
Securities Exchange Act of 1934. Comments are due by July 16, 2017.
HUD Requests Comment on State CDBG Program
On June 16, 2017, the Department of Housing and Urban Development (HUD) requested comment from all
interested parties on the proposed collection of information related to the State Community Development Block
Grant (CDBG) Program. Comments are due by August 15, 2017.
OCC Issues Licensing Manual Booklet on Articles of Association, Charter and Bylaw Amendments
On June 19, 2017, the Office of the Comptroller of the Currency (OCC) issued a new booklet, titled “Articles of
Association, Charter, and Bylaw Amendments,” of the Comptroller’s Licensing Manual. This booklet consolidates
the OCC’s policies and procedures regarding articles of association amendments for national banks, charter
amendments for federal savings associations and bylaw amendments for national banks and federal savings
associations.
C. Congressional Hearing Summary: State Action Protecting Persons from Fraud
Introduction
Recent trends at state legislatures show a desire to pass new laws to protect vulnerable persons from financial
fraud. The development of new technologies is creating new classes of people states are trying to protect. Different
state laws dealing with elder abuse and online dating protections will be explored below.
Elder Abuse Fraud
Elder abuse has been around for centuries. As defined by the Administration on Aging, the term “elder abuse” refers
to “any knowing, intentional, or negligent act by a caregiver or any other person that causes harm or a serious risk
of harm to a vulnerable adult.” As the definition is so broad, all 50 state legislatures have passed some kind of law
protecting elders. Elders make an easy target for fraudsters because they are generally in better financial situations
than younger people and tend to rely on others more often.
The laws also range from general to specific for financial elder exploitation. For example, Colorado requires
mandatory reports for the mistreatment of at-risk elders. Under Colorado law, an “at-risk elder” is defined as any
person who is seventy years of age or older. Mistreatment includes abuse, caretaker neglect or exploitation. The
statute is very broad and covers a large group of persons that are required to report mistreatment or are at an
imminent risk of mistreatment within 24 hours after witnessing the mistreatment or risk of mistreatment. Those
required to report vary, capturing anyone providing healthcare services to veterinarians to clergy members—with
some exceptions.
The law also specifically requires “Personnel of banks, savings and loan associations, credit unions, and other
lending or financial institutions who directly observe in person the mistreatment of an at-risk elder
or who have reasonable cause to believe that an at-risk elder has been mistreated or is at imminent risk of
mistreatment” to report elder mistreatment.
North Carolina takes this further by protecting older adults—those 65 or older—and disabled adults by criminalizing
their exploitation. The law makes it unlawful for a person to “knowingly, by deception or intimidation, obtain or use,
or endeavor to obtain or use, an older adult’s funds, assets, or property with the intent to temporarily or permanently
deprive the older adult or disabled adult of the use, benefit, or possession of the funds, assets, or property, or to
benefit someone other than the adult or disabled adult.” The law also criminalizes a person conspiring with another
to deprive the older adult or disabled adult of their funds, assets or property. A penalty under the North Carolina
statute is a felony, varying in degree depending on the circumstances.
During the 2017 legislative session in Texas, legislation was passed that goes even further than the laws in states
like Colorado and North Carolina. The new law, taking effect September 1, 2017, focuses on suspected financial
exploitation of vulnerable adults, which includes elderly adults and disabled adults. It requires reporting by an
employee of a financial institution to the financial institution when the employee “has cause to believe that financial
exploitation of a vulnerable adult who is an account holder with the financial institution has occurred, is occurring,
or has been attempted, the employee shall notify the financial institution of the suspected financial exploitation.” A
financial institution would then have to file a report to the Texas Department of Family and Protective Services. But,
the law also allows a financial institution, after submitting a report, to notify a third party “reasonably associated with
the vulnerable adult” of the suspected financial exploitation and place a temporary hold on any transaction that
involves an account of the vulnerable adult and the financial institution has cause to believe is related to the
suspected financial exploitation.
Online Dating Protections
Similar to elder abuse, fraud related to online dating has been on the rise. When speaking to someone over the
internet in a romantic setting, a person is more likely to disclose personal information that could lead to fraud, for
instance answers to common security questions linked to online accounts like a mother’s maiden name, or your
first car.
States have taken notice of this and have passed legislation to combat some of these practices.
The initial state laws dealing with online dating focused primarily on background checks for those using the websites
to meet others and risk warnings. For example, a New Jersey law passed in 2007 required online dating sites to
inform residents of the state about potential risks of participating in Internet dating services, including whether or
not the internet dating service performed criminal background checks. The state law primarily focuses on risk
awareness.
Recently, states have begun to expand their legislation to be more reactive. A law that took effect January 1, 2017,
in Vermont requires an Internet dating service to disclose to all of its Vermont members that they have
communicated with a person who is now banned from the service. Specifically, an Internet dating service is
required to disclose the following to all of its Vermont members known to have previously received and responded to an on-site
message from a banned member:
- The banned member’s user name/identifier
- Information about how the banned member may be using a false identity or may pose a significant risk of
attempting to obtain money from members
- A reminder that a member should never send money or personal financial information to another member
- A hyperlink to online information that addresses the subject of how to avoid being defrauded by another
member of an Internet dating service
D. FOCUS: Fraud
Introduction
As technology advances, so does the risk of fraud and the ways it can be committed. There were over three million
complaints filed in 2016 to the Consumer Sentinel Network (CSN), an online database law enforcement uses for
consumer complaints, with 1.3 million of those complaints related to fraud. The top three fraud complaint areas
were debt collection, impostor scams and identity theft. According to a report the Federal Trade Commission (FTC)
issued, Florida, Georgia and Michigan experienced the most fraud, with complaints averaging between 1,083-1,305
per 100,000 people. With these three states at the top of the list, there is a suggested correlation between high
fraud rates and large populations of elderly, immigrants and military personnel.
To better understand these statistics, this article provides a refresher on the basics of insider fraud and how insider
fraud remains present in financial institutions today. Then, the article highlights some of the trending fraud areas
and explores ways in which financial institutions can take a proactive approach to deterring fraud.
Insider Fraud
Insider fraud remains of paramount concern for financial institutions. According to the Association of Certified Fraud
Examiners in a 2016 global fraud study, the banking and financial services industry experiences more cases of
fraud than any other industry. While the technology associated with insider fraud has evolved, the actions
themselves remain the same. Insider fraud is significant because it is a long-term threat to institutions when
employees have unrestricted access to private data and overlapping duties with insufficient oversight. We will
discuss data theft, account takeovers and general ledger fraud and how these types of insider fraud pose a threat
to institutions because of their overarching influence within all business units.
Data theft fraud, broadly speaking, occurs when information that is personal, confidential or financial in nature is
transferred or shared illegally. Account takeover fraud occurs when a criminal takes control of an account illegally
(possibly through phishing, spyware or malware scams) and utilizes the account for personal gain. General ledger
fraud occurs when information in the general ledger, the central repository that holds all financial and non-financial
accounting data, is misused for illegal activity. These three types of insider fraud can impact institutions in several
ways, including the loss of intellectual property, infrastructure disruption, monetary loss and reputational damage.
EXAMPLES AND KEY TIPS FOR FINANCIAL INSTITUTIONS

Account Takeovers

Examples:
- Personnel selling a customer’s PIN, email, credit card or account number to an external fraudster
- Personnel opening one type of account for a customer and setting up a different type of account without the customer's knowledge
- Personnel making unauthorized transactions on an account or giving the online credentials to an external fraudster

Key tips:
- Be aware of changes to customer contact information (e.g. phone number, email or address) followed by new payment requests (e.g. new card request, new check order, new online bill payee, etc.) within a specific timeframe.
- Be aware of changes to contact information that occur for a short period and are then restored.
- Be aware of changes in an account setting, such as overdraft limits and credit limits.
- Be aware of changes in relationships and rights between accounts and customers.
- Be aware of changes in access method followed by maintenance or financial transactions.
- Be aware of repeated cases of returned mail.

General Ledger Fraud

Examples:
- Misuse of an institution’s account information, such as using journal entries to identify repetitive and unique account sequences
- Moving funds between accounts without authorization
- Creating a fake company account and issuing payments to that account

Key tips:
- Be aware of the debit transactions on general ledger accounts by having a specific dollar amount threshold
- Track unusual transactions against internal accounts
- Note which employees have access to certain internal accounts
- Pay attention to unusual volume, activity or dollar amount of transfers or debits from internal accounts to employee accounts
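The first two account-takeover tips above, expressed as rules a monitoring job could run over an account event log. This is an added illustration, not code from the briefing; the event format, account ids and the 14-day and 30-day windows are assumptions.

```python
"""Account-takeover red-flag screening over a constructed event stream.

Added example, not from the FIS briefing: it turns two of the "key tips"
from the insider-fraud table into rules a monitoring job could run.
  Rule A: a contact-information change followed, within N days, by a new
          payment request (new card, new check order, new online bill payee).
  Rule B: a contact-information change that is restored to its previous
          value within M days (a short-lived change).
The event format, account ids and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

CONTACT_FIELDS = {"phone", "email", "address"}
PAYMENT_REQUESTS = {"new_card", "new_check_order", "new_bill_payee"}

# Constructed sample events: ts|account|event|field|old_value|new_value
SAMPLE_EVENTS = [
    "2017-05-01T09:00|ACCT-1001|contact_change|phone|555-0100|555-0199",
    "2017-05-03T14:30|ACCT-1001|new_bill_payee|||",
    "2017-05-09T10:00|ACCT-1001|contact_change|phone|555-0199|555-0100",
    "2017-05-02T11:00|ACCT-2002|contact_change|email|a@example.com|b@example.com",
    "2017-06-15T11:00|ACCT-2002|new_card|||",
    "2017-05-05T08:00|ACCT-3003|new_check_order|||",
]


def parse_events(lines: List[str]) -> Dict[str, List[dict]]:
    """Parse the pipe-delimited rows and group them per account, oldest first."""
    by_account: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ts, account, event, field, old, new = line.split("|")
        by_account[account].append({"ts": datetime.fromisoformat(ts), "event": event,
                                    "field": field, "old": old, "new": new})
    for events in by_account.values():
        events.sort(key=lambda e: e["ts"])
    return by_account


def contact_change_then_payment(by_account, window_days=14) -> List[Tuple[str, str, str, int]]:
    """Rule A: (account, changed field, payment request, days between) hits."""
    hits = []
    for account, events in by_account.items():
        for i, change in enumerate(events):
            if change["event"] != "contact_change" or change["field"] not in CONTACT_FIELDS:
                continue
            for later in events[i + 1:]:
                gap = later["ts"] - change["ts"]
                if gap > timedelta(days=window_days):
                    break  # events are time-ordered, so nothing later can match
                if later["event"] in PAYMENT_REQUESTS:
                    hits.append((account, change["field"], later["event"], gap.days))
    return hits


def contact_change_reverted(by_account, window_days=30) -> List[Tuple[str, str, int]]:
    """Rule B: (account, field, days the change lasted) for changes that are restored."""
    hits = []
    for account, events in by_account.items():
        previous: Dict[str, List[dict]] = defaultdict(list)  # field -> earlier changes
        for e in events:
            if e["event"] != "contact_change":
                continue
            for earlier in previous[e["field"]]:
                lasted = e["ts"] - earlier["ts"]
                # the new value restores what an earlier change had replaced
                if earlier["old"] == e["new"] and lasted <= timedelta(days=window_days):
                    hits.append((account, e["field"], lasted.days))
            previous[e["field"]].append(e)
    return hits


def screen(lines: List[str]) -> Dict[str, list]:
    """Run both rules over a batch of event rows."""
    by_account = parse_events(lines)
    return {"change_then_payment": contact_change_then_payment(by_account),
            "change_reverted": contact_change_reverted(by_account)}


if __name__ == "__main__":
    for rule, hits in screen(SAMPLE_EVENTS).items():
        print(rule, hits)
```

Only ACCT-1001 trips both rules in the sample: the phone change is followed two days later by a new bill payee, and is reverted after eight days; ACCT-2002's new card request falls outside the 14-day window.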
What is Trending in Fraud?
When analyzing how fraud occurs in the present day, it is obvious that fraudsters are not trying to reinvent the
wheel. Elements of previous fraudulent schemes can be found in the current types of trending fraud, including:
social engineering, targeting vulnerable persons and masking one’s identity. And while technology is a tool for
positive development within financial institutions, fraudsters also utilize changes in technology, often faster than
financial institutions do.
New Ways Fraud is Being Introduced
Elder Financial Abuse
As previously discussed, elders are very vulnerable to financial exploitation. Family members, friends and other caregivers often carry out some of the most common scams against the elderly, and older adults’ use of social media sites to stay in touch with family and friends can increase fraud vulnerability. The fraudulent activities can include:
- Manipulating a power of attorney to steal victims’ money
- Taking advantage of joint bank accounts to steal money
- Using ATM cards and stealing checks to withdraw money from victims’ accounts
- Refusing to obtain needed care for victims until receiving compensation
Through early fraud detection, financial institutions can be key actors in combatting elder financial exploitation. In some states, financial institutions’ personnel are required to report suspected financial exploitation, and in March 2016, the Consumer Financial Protection Bureau (CFPB) issued “Recommendations and report for financial institutions on preventing and responding to elder financial exploitation.”
Warning Signs Associated with Elder Account Activity
1. Large increases in account activity, such as daily maximum currency withdrawals from an ATM
2. Large gaps in check numbers, or “out of sync” check numbers
3. Uncharacteristic non-sufficient funds activity or overdrafts
4. Uncharacteristic debit transactions (including unusual ATM use)
5. Uncharacteristic lapses in payments for services
6. Disregard for penalties when closing accounts or certificates of deposit
7. Abrupt changes to financial documents, such as a new power of attorney, a change to a joint account or a change in account beneficiary
8. Excessive numbers of payments or payments of large sums to a caregiver or third party
9. New account use soon after adding an authorized user
10. Statements mailed to an address separate from customer’s residence
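The first two warning signs in this list as screening rules over constructed transaction rows. This is an added example, not code from the briefing or the CFPB report; the daily ATM limit, the check-number tolerance and the record layout are assumptions.

```python
"""Screening constructed elder-account transactions for two of the warning signs.

Added example, not from the FIS briefing or the CFPB report. It implements
sign 1 (daily-maximum ATM withdrawals on consecutive days) and sign 2
(large gaps or out-of-sequence check numbers) as rules a monitoring job could
run. The daily ATM limit, gap tolerance and record layout are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Tuple

ATM_DAILY_MAX = 500.0      # assumed institution-wide daily ATM withdrawal limit
CHECK_GAP_TOLERANCE = 20   # assumed: larger jumps or drops in check numbers are flagged

# Constructed sample rows: date|account|kind|amount|check_no
SAMPLE_TXNS = [
    "2017-04-03|E-1|atm|500|",
    "2017-04-04|E-1|atm|500|",
    "2017-04-05|E-1|atm|300|",
    "2017-04-05|E-1|atm|200|",      # two withdrawals that together hit the daily max
    "2017-04-06|E-1|check|120|1041",
    "2017-04-10|E-1|check|75|1042",
    "2017-04-12|E-1|check|2500|1190",  # large jump in check number
    "2017-04-20|E-1|check|40|1043",    # far below the highest number already cleared
    "2017-04-03|E-2|atm|500|",
    "2017-04-10|E-2|atm|500|",         # max-day withdrawals, but not consecutive
    "2017-04-11|E-2|check|60|2001",
    "2017-04-15|E-2|check|60|2002",
]


def parse_txns(lines: List[str]) -> List[dict]:
    """Parse the pipe-delimited rows into dicts ordered by posting date."""
    rows = []
    for line in lines:
        day, account, kind, amount, check_no = line.split("|")
        rows.append({"date": date.fromisoformat(day), "account": account, "kind": kind,
                     "amount": float(amount), "check_no": int(check_no) if check_no else None})
    rows.sort(key=lambda r: r["date"])  # stable sort keeps same-day rows in file order
    return rows


def atm_max_streaks(rows: List[dict], min_days: int = 3) -> List[Tuple[str, int, str]]:
    """Sign 1: accounts that reach the daily ATM maximum on min_days or more consecutive days.

    Returns (account, streak length in days, first day of the streak as ISO string)."""
    daily: Dict[Tuple[str, date], float] = defaultdict(float)
    for r in rows:
        if r["kind"] == "atm":
            daily[(r["account"], r["date"])] += r["amount"]
    max_days: Dict[str, List[date]] = defaultdict(list)
    for (account, day), total in daily.items():
        if total >= ATM_DAILY_MAX:
            max_days[account].append(day)
    hits = []
    for account, days in max_days.items():
        days.sort()
        runs, start, run = [], days[0], 1
        for prev, cur in zip(days, days[1:]):
            if cur - prev == timedelta(days=1):
                run += 1
            else:
                runs.append((run, start))
                start, run = cur, 1
        runs.append((run, start))
        hits.extend((account, n, s.isoformat()) for n, s in runs if n >= min_days)
    return hits


def check_sequence_anomalies(rows: List[dict],
                             tolerance: int = CHECK_GAP_TOLERANCE) -> List[Tuple[str, int, str]]:
    """Sign 2: (account, check number, reason) where reason is 'gap' or 'out_of_sync'.

    A check numbered far above the highest one cleared so far is a gap; one far
    below it is out of sync with the sequence the customer has been using."""
    highest: Dict[str, int] = {}
    hits = []
    for r in rows:
        if r["kind"] != "check":
            continue
        account, num = r["account"], r["check_no"]
        if account in highest:
            if num > highest[account] + tolerance:
                hits.append((account, num, "gap"))
            elif num < highest[account] - tolerance:
                hits.append((account, num, "out_of_sync"))
        highest[account] = max(highest.get(account, num), num)
    return hits


if __name__ == "__main__":
    txns = parse_txns(SAMPLE_TXNS)
    print("ATM max streaks:", atm_max_streaks(txns))
    print("Check anomalies:", check_sequence_anomalies(txns))
```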
Source for both charts: CFPB “Recommendations and report for financial institutions on preventing and responding to elder financial exploitation” (March 2016)
Call Center
With an emphasis on cybersecurity after highly publicized cyber-attacks and with the implementation of EMV chips
across the U.S., criminal organizations set their sights on a new medium for fraud in 2016: call centers. “Call center
fraud” can be described as an interaction between a criminal and a call center agent with the motive of completing
a fraudulent transaction. Fraudsters gather copious amounts of intelligence on their victims through other accessible
channels, such as social media or data purchased on illegal black markets, before they decide to strike. Through
the advancement of technology, caller-ID spoofing and voice manipulation software are easier to use and access
than ever before. Call centers are also susceptible to fraud because their primary purpose is not to detect fraud but
rather to handle a large volume of calls quickly and efficiently. Readjusting call center employees’ objectives and
properly training them to be the first line of defense against call center fraud is important.
Institutions can mitigate call center fraud through:
- Employee Education: Personnel need to be properly informed of policies and procedures.
- Training: Personnel should be prepared and well-versed in the types of questions they can and cannot answer.
- Verification: Personnel should know what types of transactions should be restricted or limited.
- Employee Goals: While call centers thrive on a high call turnover rate, goals should be readjusted so an employee’s performance is not only tied to the number of calls managed, but also places an emphasis on fraud prevention.
- Authentication: Financial institutions may want to add steps to their identity verification process, such as challenge questions in addition to knowledge-based authentication questions.
Wire Fraud
Wire transfers for financial transactions originated with the advent of the telegraph network. At their core, wire
transfers are a cheap method for the transfer of funds from one person or entity to another. As wire transfers have
become more sophisticated, so has the fraud accompanying wire transfers. Fraudsters use malware, social
engineering and phishing to initiate wire fraud or steal data related to it. According to the Federal Bureau
of Investigation, “business email compromise” fraud, a type of wire fraud where fraudsters utilize business email
addresses to initiate fraudulent wire transfers, has been on the rise and is now a $5 billion industry. Some
common types of business email compromise are requests for money from vendors, requests for confidential or
protected information like employee W-2s, and business executive or attorney impersonation.
Warning Signs Associated with Elder Account Activity (continued)
11. New activity on an inactive account or joint account
12. Signatures that do not match or appear suspicious
14. Uncharacteristic requests to wire money
Recently, California and New Mexico issued guidance alerting consumers to ways in which they can be aware of
wire fraud scams. Most notably, the guidance drew attention to scams that involved “government and businesses”
requesting wire transfers, such as phantom debt scams (where fraudsters claim to be a debt collector and demand
funds immediately) or a government relief scam (where the fraudster claims to be a government entity which owes
a restitution, but first needs a wire transfer of a specific amount of money). Also, financial institutions in states
governed by the Uniform Commercial Code (UCC), with additional states codifying similar language, must act “in
good faith,” defined in the UCC as “honesty in fact and the observance of reasonable commercial standards of fair
dealing.” While courts have differed over the level of due diligence required for transactions, banks must be
monitoring transactions to identify likely fraudulent transactions or they could potentially face legal hardship.
Institutions can protect themselves and their customers by paying attention to red flags and implementing
safeguards. Some of the key takeaways include:
- Transfer Procedures: Ensure the institution has a formal process for transferring funds, including segregation of duties between setting up and releasing a wire. Training employees on the proper processes is also key; an example would be requiring a call back to the customer to verify the wire, using the phone number listed on the account rather than the one in the wire request.
- Account Usage Agreements: Implement usage agreements and provide details on who is authorized to execute a transaction and which accounts are eligible for transfers.
- Know Your Customers: Be aware of your customers and their typical transaction history.
- Training: Inform employees who conduct wire transfers of fraud’s warning signs and teach them how to protect sensitive data.
Risk Assessment and Strategy
Financial institutions that undergo proper risk assessments and implement a well-developed fraud prevention
strategy will minimize their exposure to risk from fraud. While fraud risk assessments are not one-size-fits-all, the
goal is always the same: conduct a systematic assessment to remove gaps or weaknesses within an institution. This
allows an institution to develop a stronger fraud prevention strategy, which ties into an institution’s risk appetite. If an
institution does not mitigate its vulnerabilities, the problems related to fraud can go undetected and harm an
institution over long periods, or develop quickly and abruptly disrupt the institution. Risk assessment is also crucial
to product development, customer service and sustaining a reputable image. By assessing potential impacts and
services, institutions can map a strategy and set it into place.
When conducting a fraud risk assessment, an institution should assess each of its business areas for the following:
THE TYPES OF FRAUD THAT CAN OCCUR AND THE LIKELIHOOD OF A SIGNIFICANT FRAUD OCCURRING
To identify the types of fraud to which an institution is vulnerable, the institution should develop a methodology
within its fraud risk assessment that reflects its overall culture and risk appetite.
THE ADEQUACY OF EXISTING ANTI-FRAUD PROGRAMS, MONITORING AND PREVENTATIVE CONTROLS
An institution’s anti-fraud program should be preventive in nature, and should mitigate or deter risk. The controls’
effectiveness should also be monitored. Having preventative controls in place is a proactive approach to reducing
the risk of fraud.
THE BUSINESS IMPACT OF FRAUD
Properly monitoring risk within each business unit allows financial institutions to accurately assess what type of
fraud impacts different types of business. Breaking fraud down individually allows for a more precise assessment
and therefore better protection.
THE POTENTIAL GAPS IN FRAUD CONTROLS
To identify gaps within the fraud controls, a financial institution needs to determine if current fraud controls are
sufficiently designed and implemented to mitigate risk. The institution should pay close attention to management
override of controls and evaluate the residual fraud risk that occurs when people in senior positions commit fraud.
Fighting Fraud
Common best practices for implementing a fraud prevention strategy are listed below. To deter possible gaps and
weaknesses, institutions should be diligent and check the following list against their fraud prevention framework.
1. Maintain a Strong Grasp on Internal Controls
Internal controls should provide a high level of confidence in your operations. They should be reviewed and revised, and some institutions may benefit from setting specified review periods. Internal controls also allow an institution to review its progress and implement new ways of limiting exposure to risk by limiting fraud opportunities.
2. Involve Senior Management in the Process
Involvement from the top sets the stage for an internal antifraud culture and serves to increase the ethical reputation of an organization. Inclusive environments create effective governance processes, which support the significance of fraud prevention to the culture of the institution through the development and implementation of fraud programs and ethics policies.
3. Hire Experienced and Qualified Personnel in Oversight Roles
Personnel overseeing operations should have a deep awareness and understanding of the risks fraud creates. They should also know how to interact with other employees to instill the importance of fraud prevention and reporting. These individuals can aid in the creation and implementation of policies and procedures specific to fraud. It is also crucial to have staff at all levels who are aware that part of their responsibility includes reporting any suspicions of fraud.
4. Require Independent Audits
Independent auditors can objectively assess whether controls are designed, implemented and working properly and effectively. They can also make recommendations on how to improve internal controls. The independent auditor's role is to ensure the institution is on the forefront of corporate policies, practices, procedures and technology, as well as new products and services.
5. Educate Employees on Fraud
Employees should receive training on fraud and understand they are the first line of defense in fraud prevention. Employees should also be encouraged to report fraud they observe. Some people may be more likely to participate in fraud reporting, particularly insider fraud reporting, if their submissions are made anonymously through a whistle blower hotline.
6. Maintain Proper Lines of Authority
Companies with strong internal controls view the process of fraud prevention as an all-inclusive effort. A structured reporting line ensures that employees are aware of with whom they should communicate regarding fraud.
The Main Principles of Fraud Risk Management
Fraud risk management is an integral component of corporate governance and internal controls. Corporate
governance monitors fraud, addressing how the board of directors and management meet their respective
obligations to achieve the organization’s goals (fiduciary, reporting and legal responsibilities to stakeholders). The
internal control environment then creates the discipline that supports the assessment of risks, which is necessary
to achieve these goals.
An institution is most prepared when they are aware of how to detect, prevent and monitor fraud.
1. CONTROL ACTIVITY
The risk assessment process helps determine the need for a control activity. Control activities are the policies, procedures and mechanisms that help ensure that the responses to reduce the risks identified in the risk assessment are carried out effectively.
Fraud control activities are generally classified as either:
- Preventive, to avoid a fraudulent activity at the time of initial occurrence; or
- Detective, to discover a fraudulent activity after the initial processing occurred.
2. INVESTIGATION AND CORRECTIVE ACTION
By establishing a process for investigation and corrective action, an institution can improve its chances of loss recovery while minimizing exposure to litigation and reputational damage. It is important to note, however, that control activities cannot provide absolute assurance against fraud, and an institution should therefore ensure a system is developed for:
- Prompt review
- Confidential investigation
- Resolving non-compliance with company protocol
3. MONITORING ACTIVITIES
Institutions could use fraud risk management monitoring activities to ensure they select automation that supports fraud prevention and detection strategies. Examples of monitoring activities include:
- Ongoing evaluations of controls, processes, risk assessments and operating procedures, which should be built into the organization’s business processes
- Separate (periodic) evaluations, such as specialized training and surveying the anonymous systems used for whistleblowing to see how effective they have been in deterring fraud
- A combination of ongoing and periodic evaluations
Source: https://www.coso.org/Documents/COSO-Fraud-Risk-Management-Guide-Executive-Summary.pdf
E. President Trump's Executive Order on Cybersecurity
According to reports, 34 percent of federal government agencies surveyed have experienced a data breach within
the last year and 96 percent of federal agencies surveyed consider themselves vulnerable. In May, the WannaCry
ransomware outbreak, affecting more than 150 countries, brought attention to how susceptible information is to attack. The
outbreak also brings to light the importance of expanding the cybersecurity workforce and its expertise. It reminds
us that each industry and institution should be diligent and proactive within its own operations
to ensure the safety and soundness of its customers' data.
This article breaks down President Donald Trump's "Executive Order on Strengthening the Cybersecurity of Federal
Networks and Critical Infrastructure" by section, followed by an overview of the National Institute of Standards
and Technology (NIST) Cybersecurity Framework. Next, the article explores how cybersecurity policy has advanced
over the years. We conclude with some cybersecurity best practices.
Trump’s Executive Order
Trump signed the executive order on May 11, 2017. It lays out guidelines for federal agencies’ required reports to
the Department of Homeland Security (DHS) and Office of Management and Budget (OMB). The reports must
outline where each agency stands in terms of risk management and information technology (IT) standards, among
other related matters. To clarify the new expectations the executive order has set forth, we have broken down the
executive order by sections and highlighted some key areas.
Section One: Cybersecurity of Federal Networks
Section one of the executive order addresses cybersecurity risk management and goes into detail regarding the
NIST "Framework for Improving Critical Infrastructure Cybersecurity" (the Framework) and IT architecture within the
government.
The executive order states that the heads of executive departments and agencies will be held accountable for
managing cyber risk to their enterprises. Each agency’s risk management decisions could potentially cause risk to
national security and the executive branch as a whole. Agency heads will therefore be accountable to the President
for implementing risk management measures and ensuring that cybersecurity risk management processes are
aligned with strategic, operational and budgetary planning.
Section one also puts emphasis on the U.S. government’s IT and data, along with planning for future modernization
and fixing known vulnerabilities. Effective risk management requires agency heads to lead integrated teams of
senior executives with expertise in the following, among other areas: IT, budget, security, law, privacy and human
resources.
The executive order requires each agency head to use the Framework and deliver a risk management report to the
Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of
the order. The report must outline an agency’s risk mitigation efforts and the strategic, operational and budgetary
considerations that help inform its choices, along with an action plan to help implement the framework. The
Secretary of Homeland Security and the Director of the OMB will assess the reports to see if the risk mitigation
actions are sufficient to manage cybersecurity risk.
Further, the Director of the OMB, in coordination with the Secretary of Homeland Security, with support from the
Secretary of Commerce and the Administrator of General Services, will create a plan to properly protect the
executive branch enterprise; to attempt to identify any insufficiencies; to evaluate the budget needs; and to ensure
policies, standards and guidelines are in line with the Framework.
Section one also outlines a policy for the executive branch to build and maintain a modern, secure and more resilient
IT architecture.
The Director of the American Technology Council must coordinate a report to the Secretary of Homeland Security,
Director of the OMB and the Administrator of General Services, in consultation with the Secretary of Commerce, on
the modernization of federal IT within 90 days of the order. The report must outline how the agencies will transition to
consolidated network architectures and shared IT services (defined as email, cloud and cybersecurity services).
As previous administrations have demonstrated (detailed further in this article), information sharing
between executive agencies is imperative for a successful cybersecurity program. Trump's executive order not only
emphasizes the importance of the relationship between the private and public sectors but also between the
agencies. Section two of the executive order turns to the cybersecurity of critical infrastructure.
Section Two: Cybersecurity of Critical Infrastructure
The second section of the executive order addresses the cybersecurity of critical infrastructure. This
section discusses the entities at greatest risk of attacks that could result in catastrophic effects on the U.S., and requests
input on possible efforts to support the cybersecurity risk management related to these risks. The Secretary of
Homeland Security, in coordination with the Secretary of Defense, the Attorney General, the Director of National
Intelligence, the Director of the Federal Bureau of Investigation (FBI) and the heads of other appropriate sector-
specific agencies, is required to:
1. Identify the authorities and capabilities agencies could employ to support efforts to protect the areas
identified to be at greatest risk of attack pursuant to former President Barack Obama’s Executive Order
13636 from February 2013, including public health or safety, economic security or national security
2. Evaluate if the resources available will support the cybersecurity risk management efforts
3. Provide a report within 180 days of the order that covers the authorities and capabilities that agencies could
employ to support the cybersecurity efforts of critical infrastructure; the results of the engagement and
determinations on resources available; and further findings and assessments to better support
cybersecurity risk management efforts
4. Provide an updated report to the President on the matters discussed on an annual basis
The executive order also addresses areas such as: supporting transparency in the marketplace; resilience against
botnets and other automated threats; the assessment of electricity incident response capabilities; and the
Department of Defense (DOD) warfighting capabilities and industrial base. Each of these areas requires a report
to the President covering the objectives and priorities listed below.
Supporting transparency in the marketplace
The Secretary of Homeland Security, in coordination with the Secretary of Commerce, must submit within 90 days
a report that examines the existing Federal policies and practices which promote market transparency of
cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded entities.
Resilience against botnets and other automated threats
The Secretary of Commerce and the Secretary of Homeland Security, in consultation with other named agencies,
must submit a preliminary report within 240 days, detailing how to improve the resilience of the internet and
communications ecosystem and to encourage collaboration with the goal of reducing threats that are perpetuated
by automated and distributed attacks (for example, botnet attacks). A full report is due within one year.
Assessment of electricity disruption incident response capabilities
The Secretary of Energy and the Secretary of Homeland Security, in consultation with other named agencies, must
submit within 90 days an assessment of the potential scope of a prolonged power outage associated with a
significant cyber incident, along with how prepared the U.S. is for such an attack, if any gaps or shortcomings exist
and what is required to mitigate such an incident.
DOD warfighting capabilities and industrial base
The Secretary of Defense, the Secretary of Homeland Security and the Director of the FBI, in coordination with
other named agencies, must submit a report within 90 days, assessing the cybersecurity risks facing the defense
industrial base, including its supply chain, U.S. military platforms, systems, networks and capabilities. The report
must also address recommendations on how to mitigate these risks.
Section Three: Cybersecurity for the Nation
The final section of the executive order addresses cybersecurity for the nation. It aims to ensure the internet remains
valuable for future generations by maintaining the highest level of security and privacy. The section is broken down
into three subsections: deterrence and protection, international cooperation and workforce development. Each of
the three subsections requires different reports to be filed.
The deterrence and protection report will focus on the nation’s strategic options for deterring adversaries and better
protecting the U.S. population from cyber threats. The international cooperation reports require named agencies to
identify their cybersecurity priorities and the Secretary of State to document an engagement strategy for
international cooperation in cybersecurity. Finally, there are three reports required within the workforce development
subsection, with a focus on the U.S. maintaining a competitive advantage. The reports will cover the following topic
areas:
1. Education and Training
2. Assessment of Foreign Cyber Systems
3. Cyber Capabilities
The Framework
While much of this article has focused on the executive order’s reporting requirements for executive agencies, it is
also important to better understand the NIST Framework. The Framework started when President Obama issued
Executive Order 13636 in 2013, tasking NIST to build the Framework.
The Framework provides the outline for the creation and improvement of a cybersecurity program. A cybersecurity
program is most often led by a chief information security officer (CISO) or similar person. A CISO should understand
risk from both a business and IT perspective as well as possess an understanding of risks, vulnerabilities and
exposures associated with that institution. The CISO should also possess the authority to enforce and sustain the
cybersecurity program, which includes handing out disciplinary measures when policies are violated or
circumvented. In general, when following the Framework an institution will focus on:
- Its current cybersecurity posture
- The opportunities for cybersecurity improvement within the context of risk management
- Assessment of preventive measures in relation to risk appetite
- Communication procedures for internal and external stakeholders about cybersecurity risk
The Framework builds on private sector efforts by providing institutions with a means of measuring their own
security standards against federal guidelines, in addition to providing guidance on how to prepare a
cybersecurity program. The Framework does this by allowing each institution to use specific measurements at its
own discretion. This includes listing the key critical infrastructures that institutions may rely on and using the
Framework to provide an approach that helps identify, assess and manage cyber risk.
Organizations are not expected to replace their cybersecurity process with the Framework, but rather to implement
it into their current processes and identify areas to improve cybersecurity risk management.
The Growth of US Cybersecurity Policy
Since President Ronald Reagan, administrations have progressively taken stronger stances on cybersecurity and
effected cybersecurity change. Some common threads among administrations include expanding shared expertise
and lessening the divide between the public and private sectors. The chart provided displays the cybersecurity
policy progression throughout the past 30 years.
How Cybersecurity Has Advanced Throughout Administrations

Ronald Reagan
1984 – National Security Decision Directive (NSDD) 145
NSDD 145 provided the initial objectives and policies regarding safeguarding systems that process sensitive information. Further, NSDD 145 gave the National Security Agency (NSA), Department of Defense and National Security Council more prominent roles in the development of certain areas of safeguarding and technical development.
1987 – Computer Security Act of 1987 (CSA)
The CSA limited the NSA's role and assigned NIST (then the National Bureau of Standards) responsibility for the security of unclassified federal systems and information, with technical assistance from the NSA.

Bill Clinton
1996 – Executive Order 13010, Critical Infrastructure Protection
Executive Order 13010 highlighted "cyber-threats," at the time described as "threats of electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures." The executive order stressed the immediate threat of cyberattack to national security and the need for a public-private partnership.

George W. Bush
2003 – National Strategy to Secure Cyberspace
A portion of the larger National Strategy for Homeland Security, the main objectives of the National Strategy to Secure Cyberspace were to design an overall system of protection for the nation on cybersecurity by implementing things like a cyberspace security response system and a cyberspace security awareness and training program. The National Strategy to Secure Cyberspace also encouraged national and international cyberspace security cooperation.
2006 – National Infrastructure Protection Plan
The DHS published this plan to protect and ensure the resilience of all infrastructure sectors and resources central to the nation.
2008 – The Comprehensive National Cybersecurity Initiative (CNCI)
The CNCI was an initiative that sought to protect government computer systems and begin the process of addressing the protection of private sector computer systems.

Barack Obama
2009 – Cyberspace Policy Review
This review highlighted several main points, including measuring the performance and accountability of U.S. cyber policies; strengthening standards regarding the security of and operations in cyberspace; and investing in research and education to encourage innovation and development.
2011 – Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
This executive order directed structural reforms to ensure responsibility in sharing and safeguarding computer networks and was enacted as a defense against insider threats within every agency and department in the U.S. executive branch.
2013 – Executive Order 13636, Improving Critical Infrastructure Cybersecurity
This executive order tasked NIST to work with the private sector on policy, procedure and industry best practices to build a cybersecurity Framework.
Actionable Intelligence
Best Practices for Financial Institutions for Cybersecurity Preparation
01. Conduct an internal compliance risk assessment.
02. Develop and implement corporate policies and procedures required for compliance with federal and state privacy and security laws.
03. Establish secure data backup protocols to ensure that, even if the company is under attack, important company records are secure (may also be part of an institution's business continuity plan).
04. Establish protocols to handle common forms of cyberattacks.
05. Perform periodic auditing of cybersecurity practices.
06. Ensure the CEO and executive leadership are properly informed about the cyber risks to the company and are involved in the oversight and decision-making process related both to cyberattacks and proactive cybersecurity measures.
07. Review cybersecurity programs to ensure they apply industry standards and best practices.
08. Store sensitive information securely, encrypting where appropriate.
09. Conduct appropriate data security due diligence on third-party service providers with access to personal information and sensitive business information.
10. Perform company-wide training, tailored to the personnel at issue, to ensure adherence to all electronic security measures.
Conclusion
As displayed in Trump's budget proposal, $971 million was committed to DHS's cyber operations, along with a
$41.5 million raise in cyber spending at the Justice Department. Trump has also vowed to improve cyber programs
and networks. As more governmental and private institutional operations come online, the need for institutions to
implement and maintain robust cybersecurity programs increases every day. Institutions should continue to
implement and maintain robust cybersecurity programs to mitigate the chance of cyberattacks.
F. Did You Know?
With organizations losing an estimated five percent of their annual revenues
to fraud, regulators are demanding more proactive management of fraud risk.
Financial institutions must have a strong understanding of where their
vulnerabilities lie in order to effectively combat fraud.
Fraud Risk Management
FIS fraud risk management (FRM) solutions are tailored to support and meet
your organization’s needs. Our experienced financial crime management
consultants can assist your institution with establishing a comprehensive FRM
program or enhance your existing program using client and industry best
practices.
We can assist your institution with the following components of a FRM
program:
Fraud risk assessment to evaluate the risk to the organization of
various types of fraud, both external and internal
Fraud policy development (including code of conduct, ethics and
whistleblower policies)
Documentation of procedures for a fraud program
Fraud training for employees, management and the board to support
understanding of the nature, causes and characteristics of fraud
Design and implementation of controls to detect and prevent fraud
Assistance in consolidation of decentralized fraud functions
Fraud program and best practice review
Fraud investigation
Risk Managed Services Center
With our Risk Managed Services Center (RMSC), we also provide a back-
office solution that can assist your organization with assigning, researching,
resolving and reporting on system alerts generated by financial crime
monitoring systems:
FIS Memento fraud management applications
FIS Prime Compliance Suite
FIS Prime watch list filtering
Non-proprietary BSA/AML and fraud monitoring tools
The RMSC team also can conduct due diligence assessments on vendors,
commercial customers and other third-parties to identify high-risk entities that may
pose significant threats to your organization.
FIS RISC Solutions is your trusted partner for all things risk and compliance. Contact us today to help with your RISC needs.
Contact Us: 800.822.6758
Email us: [email protected]
Visit us online: fisglobal.com/RISC
G. About FIS' Center of Regulatory Intelligence
FIS™ (NYSE: FIS), a global leader in banking and payments technology as well as consulting and outsourcing
solutions, opened its Center of Regulatory Intelligence (CRI) in Washington, D.C. on June 16, 2015. The primary
goal of CRI is to translate policy, legislative and regulatory developments into actionable intelligence for FIS clients
to enable knowledge advantage. The unique perspective gained by monitoring regulatory change in such close
proximity to the policymakers and regulators enables CRI to empower FIS clients to stay one step ahead, identify
impact precisely, make smart business decisions and succeed. FIS clients receive insights from CRI through
regularly published regulatory intelligence briefings and thought leadership insights intended to give client
institutions deep intelligence into regulatory initiatives coming out of the legislature, administration and regulatory
agencies. Input from CRI also helps drive FIS research and development efforts as well as consulting services
aimed at helping address regulatory changes prior to implementation.
CRI provides the latest intelligence, thought leadership and cutting-edge regulatory insights into risk, information
security and compliance issues facing the financial services industry. This FIS thought leadership center provides
early insight on regulatory changes, helping financial services clients stay compliant with new regulations. Through
CRI, FIS interfaces with key policymakers to provide industry perspectives on the potential impacts of regulatory
mandates to financial institutions.
Contact Us
FIS Center of Regulatory Intelligence
1101 Pennsylvania Ave., NW Suite 300
Washington, DC 20004
P: 202.756.2263
©2017 FIS and/or its subsidiaries. All Rights Reserved.
Register your colleagues to receive regular updates from FIS’ Center of Regulatory Intelligence.