Cyber Risk: The New Business Risk
Source: resources.gabankers.com/convention/2016/hinkel presentation.pdf
Safe Systems The Compliance & Technology Partner for Financial Institutions
Cyber Risk: the New Business Risk Current and Future Regulatory Expectations
Presented By:
Thomas G. Hinkel CISA, CCSA, CRISC, CBCP
VP – Compliance Services Safe Systems, Inc.
Agenda
• Size, Scope, and Spending
• Regulatory History & Recent Regulations (Inc. CAT)
• Current Threat Environment
• Best Cyber Controls
• Next Steps
FDIC Cybersecurity Awareness Webinar
FFIEC
“… cyber threats [are] perhaps the foremost risk facing banks today …
[and] represents one of the major, if not the major, risk facing banks today.”
(Thomas J. Curry, Remarks at New England Council, Jul. 24, 2015)
FFIEC
“A bank should evaluate and manage cyber risk
as it does any other business risk. It is not simply the obligation of those employees in the
server room, but rather an enterprise-wide initiative involving all employees.”
- FFIEC
FI Cybersecurity Spending
Wells Fargo currently spends $250M.
Citigroup annual budget - $300M.
J.P. Morgan Chase to double spending in 2016 to $500M.
BoA will spend $400M this year (2015), but could be more. “…the only place in the company that doesn’t have a budget constraint is cybersecurity.” – CEO Brian Moynihan
How Ready Are Banks For The Rapidly Rising Threat Of Cyberattack?
• “Despite the many positives that technology brings to the global banking industry, it also comes with a host of challenges. At or near the top of the list, in Standard & Poor's Ratings Services' opinion, is cybersecurity.”
• “…we view weak cybersecurity as an emerging risk that has a potential to result in a negative rating actions. If we were to believe that a bank is ill-prepared to withstand a cyberattack, we could downgrade the bank before an actual attack.”
Cyber Insurance
Check for the following coverage:
• IT equipment and facilities: Damage to the information assets and technology throughout the institution.
• Media reconstruction
• Extra expense: The extra costs of continuing operations
• E-banking activities
• Business interruption
• Valuable papers and records: Cost to restore or replace papers and records
• Errors and omissions
Understand Exclusions and Limitations
Regulatory History
• February 2013 – President signs Executive Order “Improving Critical Infrastructure Cybersecurity,” and Presidential Policy Directive “Critical Infrastructure Security and Resilience.”
• May 7, 2014 – FDIC presents webinar to ~6,500 FI CEOs and senior managers: “Executive Leadership of Cybersecurity: What Today's CEOs Need to Know About the Threats They Don't See.”
• February 6, 2015 – FFIEC releases Appendix J to BCP Handbook addressing Cyber Resilience
• June 30, 2015 – FFIEC releases Cybersecurity Assessment Tool
• November 10, 2015 – FFIEC updates Management Handbook
• February 1, 2016 – FDIC Supervisory Insights publishes “A Framework for Cybersecurity”
Current Threat Environment
Malware – Malicious software generally used to gain access to or to damage a computer or system.
• Often delivered via email (phishing, spear phishing)
• Examples include Ransomware
Distributed Denial of Service (DDoS) – Attack attempts to make a machine or network connected to the Internet unavailable to its intended users.
• Cannot be prevented
Compound Attacks – More than one method of attack is deployed simultaneously.
• DDoS attacks to distract a target organization while perpetrating another form of attack.
• Simultaneous attacks on the Bank and their core processor.
FFIEC Cybersecurity Assessment Tool
Inherent Risk Profile
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats
FFIEC Cybersecurity Assessment Tool
Cybersecurity Maturity
• Cyber Risk Management and Oversight
• Threat Intelligence and Collaboration
• Cybersecurity Controls
• External Dependency Management
• Cyber Incident Management and Resilience
Cybersecurity Management & Oversight
“The Assessment results should be communicated to the chief executive officer (CEO) and Board.” – FFIEC
Cybersecurity Cycle
Cyber Controls
• Threat Intelligence
• Security Awareness Training – Make it role specific:
  Employees – Entry level to Board
  Contractors
  Customers
  Merchants
  Third-parties
• Patch Management Programs
Summary - Final Thoughts -
• Employees are a weak link. Train, test, retrain, retest, repeat.
• Customers are a weak link. Awareness training, outreach.
• Outsourced relationships are a weak link. Due diligence, contracts, & ongoing oversight (SOC reports) are key.
• Focus on detective and corrective/responsive controls.
Summary - Final Thoughts -
• Challenge is converting noise into actionable intelligence.
• Don’t overemphasize preventive controls; focus on detective and responsive / corrective.
• Update and test your incident response plan. Don’t forget third-parties.
• Information sharing is important, but most is just noise.
• “Self-assessments” are increasingly important.
Final Thoughts
Cyber risk is a substantial business risk. A bank’s board and senior management must understand the seriousness of the threat environment and create a cybersecurity culture throughout the organization. – FDIC
Final Thoughts
The effective identification and mitigation of cyber risk must be grounded in a strong governance structure with the full support of the board and senior management. – FDIC
Keeping Informed - Additional Resources -
• www.safesystems.com/cybersecurity/
• www.complianceguru.com
• www.safesystems.com/ECAT/
• FFIEC Cybersecurity Awareness http://ffiec.gov/cybersecurity.htm
• FDIC Cyber Challenge: A Community Bank Cyber Exercise https://www.fdic.gov/regulations/resources/director/technical/cyber/purpose.html
Thomas G. Hinkel CISA, CRISC, CCSA, CRMA, CBCP
VP – Compliance Services Safe Systems, Inc.
www.safesystems.com www.complianceguru.com