cyber security and resiliency in the financial sector

Cyber Security and Resiliency in the Financial Sector August 2009


Page 1: Cyber Security and Resiliency  in the Financial Sector


Major Themes

• Globalization of the Financial Services Sector
• Primary Dependencies on Telecommunications Infrastructure and Information Technology
• Cyber Threats and Vulnerabilities
• U.S. Financial Sector Public/Private Partnerships
• Federal Government Initiatives
• FBIIC & FSSCC Cyber Security Committee Activities
• Emerging Challenges


Globalization of Financial Sector

• Information is one of a financial institution’s most important assets

• Financial market operations are increasingly becoming electronically connected and interdependent around the world. A major U.S. bank operates in more than 100 countries.

• The financial services industry plays a key role in protecting a nation’s financial services infrastructure.

• Increasing globalization provides expanded market opportunities and efficiencies and poses new challenges.


Globalization of Financial Sector (cont)

• International Basel II Accord identifies for the first time operations risk. Like traditional credit and market risk, operations risk must be managed and capital must be held against potential losses.

• Operations risks from cyber/operational incidents in a globalized sector may include:
  1) cascading impacts that cannot be contained regionally,
  2) jurisdictions may have to work together to address the impacts and restore operations, and
  3) the international framework to address global financial disruptions relies on arrangements among Central Banks, Financial Market Authorities and Treasuries.


Globalization of Financial Sector (cont)

• Global information infrastructure and the data that reside within these systems are critical to the economies of countries.

• Cyber exploitation has grown more sophisticated, targeted, and serious over the past several years and we expect the trend to continue.

• Nation-states and criminals target government and private sector information networks to gain competitive advantage in the commercial sector.


Critical Dependencies


[Diagram: An Example of How Information Technology is Utilized in a Commercial Bank. The diagram links a bank’s computer and communications systems (trading systems; payments systems; ATM & credit card systems; treasury, money market & trade finance systems; back office systems such as DDA, loans, CIS, general ledger and MIS; item processing, check sorters & image systems; currency sorters; software libraries; records systems; branch platform and teller systems; home & telephone banking systems; phone switches, voice response systems and call centers; security, vault and environmental control systems; management information systems providing reports for executives, risk management and boards of directors; regulatory reporting; backup data centers) to external parties: financial markets (NYSE, CME, NASDAQ, CBT, etc.), payment systems (Fedwire, SWIFT, CHIPS, ACH, etc.), ATM, credit & debit card networks, correspondent banks and clearing houses, external service providers (payroll service bureau, trust services company), external information providers (Dun & Bradstreet, credit bureaus, etc.), security monitoring companies, regulatory agencies, and retail and wholesale customers via online links. An inset shows an example of IT systems and internal data flows supporting the lending process (loan underwriting and review, loan documentation, loan funding, loan servicer, loan administration, connected over a LAN). Note: FBO transactions are often performed on IT systems located in home countries. Source: Steve Malphrus, Chair, Financial Sector Group, President’s Council on Year 2000 Conversion.]


Cyber Threats and Vulnerabilities

• Widely publicized events include:
  o Denial of Service
  o Phishing and other social engineering attacks
  o Identity theft
  o Telecom congestion issues
  o People within institutions who commit fraud or steal information for personal financial gain

• The overall impact is growing both in terms of the amount of money lost as well as an erosion in public confidence in online financial services.


Financial Sector Framework for Security and Resilience

• The Financial Sector framework for security and resiliency is based on a foundation of strong public/private sector partnerships

• Participation is voluntary

• Represents all facets of the sector – credit, debt and equity, exchange-traded derivatives, and insurance

• Seen as the model for public/private partnerships in other sectors

• Built on the foundation of Y2K efforts


US Financial Sector Public/Private Partnership

Financial and Banking Information Infrastructure Committee (FBIIC)

• Established in 2002 by the President’s Working Group on Financial Markets. The President’s Working Group and the U.K. Tripartite have worked closely together on many issues.

• Chaired by the U.S. Department of the Treasury

• Brings together federal and state financial authorities

• Improves coordination and communication among financial regulators

• Promotes the public/private partnerships


FBIIC Members

• U.S. Department of the Treasury (chair)
• Federal Reserve Board
• American Council of State Savings Supervisors
• Farm Credit Administration
• Federal Deposit Insurance Corporation
• Federal Housing Finance Agency
• Federal Reserve Bank of New York
• National Association of Insurance Commissioners
• National Association of State Credit Union Supervisors
• National Credit Union Administration
• North American Securities Administrators Association
• Securities & Exchange Commission
• Commodity Futures Trading Commission
• Office of the Comptroller of the Currency
• Office of Thrift Supervision
• Securities Investor Protection Corporation


Current FBIIC Activities

• Assess and prioritize sector vulnerabilities
  o Including identifying and analyzing emerging risks
• Encourage participation in the public/private partnerships
  o Including membership in the Financial Services Sector Coordinating Council (FSSCC), the Financial Sector – Information Sharing and Analysis Center (FS ISAC) and both initiating new coalitions or joining existing regional coalitions
• Sponsor exercises with public and private partners
  o Including financial sector participants, regulatory authorities, homeland security officials and members of the law enforcement and intelligence communities. For example, last year’s marketwide pandemic exercise and this year’s Cyber Fire Exercise scheduled for mid-September 2009.
• Manage and update the sector’s crisis response
  o Test and validate emergency protocols for both resource needs/requests and situational awareness across the region(s)
  o Identify and lead projects to improve sector-wide risk management, crisis response, and resilience
• Meets formally on a quarterly basis and includes many ongoing workstreams.


US Financial Sector Public/Private Partnership

Financial Services Sector Coordinating Council (FSSCC)

• Established in 2002 as the private sector arm for the Banking and Finance Sector

• Brings together the largest financial institutions, exchanges, core clearing & settlement organizations, and trade associations


FSSCC Members

• State Street Global Advisors (Chair)
• Morgan Stanley (Vice Chair)

• American Bankers Association
• American Council of Life Insurers
• American Insurance Association
• American Society for Industrial Security (ASIS)
• Bank Administration Institute
• Bank of America
• Bank of New York Mellon
• Barclays
• BITS/The Financial Services Roundtable
• ChicagoFIRST
• Citigroup
• Continuous Linked Settlement Bank (Foreign Exchange)
• Consumer Bankers Association
• Credit Union National Association
• Depository Trust & Clearing Corporation
• Fannie Mae
• Financial Industry Regulatory Authority
• Financial Information Forum
• FS-ISAC
• Goldman Sachs
• ICE Futures
• Independent Community Bankers of America
• Investment Company Institute
• JP Morgan Chase
• Managed Funds Association
• NACHA – The Electronic Payments Association
• National Armored Car Association
• National Association of Federal Credit Unions
• Navy Federal Credit Union
• NASDAQ
• NYSE
• Options Clearing Corporation
• Securities Industry Automation Corporation
• Securities Industry and Financial Markets Association
• State Farm Insurance Company
• Travelers
• The New York Clearing House
• VISA USA Inc.


Current FSSCC Activities

• Encourage participation in the public/private partnerships
  o Major expansion took place in 2008 to include more of the largest financial institutions and insurance providers
• Work with other private sector coordinating councils and the Partnership for Critical Infrastructure Security (PCIS)
  o Focus on interdependencies
• Participate in the development of exercises with public and private partners
  o Including financial sector participants, regulatory authorities, homeland security officials and members of the law enforcement and intelligence communities
• Manage and update the sector’s crisis response
  o Organize sector calls and participate in DHS Infrastructure Protection calls to provide update on sector needs and response
• Identify and lead projects to improve sector-wide risk management, crisis response, and resilience
• Meets formally on a quarterly basis and includes many ongoing workstreams.


FBIIC/FSSCC Cyber Security Mission

Work with the financial services sector to strengthen cyber security and resilience of the sector’s current and future IT operations


FBIIC/FSSCC Cyber Security Objectives

• Understand the current level of resilience within the sector, and develop recommendations for policy, education, best practices, and exercises to strengthen the sector’s resiliency to cyber threats

• Develop a common operating perspective by improving the sector’s awareness of potential cyber threats and vulnerabilities

• Strengthen the public/private partnerships on cyber security issues

• Develop a single voice within the sector to interact with and respond to government and to other sectors’ requests, inquiries, projects and overall policy efforts (This would not include lobbying or compliance and regulatory matters)


Cyber Security Committee Working Group: Research and Development

Objective: Identify top priorities for research, promote development initiatives

1) Advance the State of the Art in Designing and Testing Secure Applications
2) Develop more Secure and Resilient Financial Transaction Systems
3) Improve Enrollment and Identity Credential Management to make it less susceptible to social engineering attacks
4) Understand the Human Insider Threat by developing deterrence and detection solutions to reduce risks posed by insiders
5) Develop Data Centric Protection Strategies to better classify and protect sensitive information
6) Develop better Measures of the Value of Security Investments
7) Develop Practical Standards to reduce risk and enhance resiliency


Cyber Security Committee Working Group: Long Range Vision

Project: The proposed objective of the WG is to produce a “Long Range Vision” document that will identify:

• Global business drivers for future sector growth
• New technology principles & processes that must be in place for the sector to operate in a fully globalized marketplace in 5 years
• Geopolitical and IT vulnerabilities that will arise or be exacerbated because of this new paradigm.


Cyber Security Committee Working Group: International Issues

Objectives:

• Risk mitigation related to foreign travel & operations
  o Broadly raise awareness and provide practical guidance to counter increased vulnerabilities and threats.
• Undersea cables
  o Improve international undersea cable communications resilience practices and capabilities for critical financial services functions by working collectively as an industry with appropriate telecommunications services providers.
• Supply chain management
  o From both a tactical & strategic perspective, identify the most critical service providers to the financial services sector (and individual financial organizations)
  o Conduct sector surveys to aid in developing best practices
• International cyber security coordination


Cyber Security Committee Working Group: Exercise & Planning

Projects:

• Conducted a cyber security exercise for members of the FBIIC, the FSSCC, and the FSSCC/FBIIC cyber security committees in early Fall ’08.
• Update the Financial Services Sector Specific Plan (SSP) to include the current and future cyber security initiatives.
• Currently planning a week-long cyber security exercise in September 2009
  – Allow participants to test crisis management and incident response protocols
  – Conduct via e-mail
  – Voluntary, no-charge, and maintain the anonymity of the participants


Cyber Security Committee Working Group: Information Sharing

Projects:

• National security clearances for people within the financial services sector
  o Need for the “right” people to be cleared;
  o Develop a roadmap for improved info sharing across the financial services sector that addresses
    1) Common operating picture of cyber threats
    2) Info sharing by intelligence & law enforcement
    3) Talent issues in the public sector
    4) Leverages FS-ISAC operational capabilities
    5) Improves info sharing with IT & telecom sectors


President’s Cyber Initiative

• In response to this growing threat to the United States’ information infrastructure, President George W. Bush approved the National Security Presidential Directive – 54 / Homeland Security Presidential Directive – 23, establishing the National Cyber Security Initiative in January 2008.

• The President's directive established U.S. policy, strategy and guidelines to secure federal government systems, as well as provided an approach that anticipates future cyber threats and technologies and requires that the Federal Government integrate many of its technical and organizational capabilities in order to better address sophisticated threats and vulnerabilities.


The 60 Day Cyber Review

Discussions throughout the development of the 60 day review were focused on:

• Public/Private partnerships and their differing degrees of success
• How critical sectors are currently regulated or not regulated
• Legal concerns over cyber monitoring
• Agencies’ jurisdictions and authorities
• Congressional jurisdiction
• Efforts to secure Federal government systems
• Coordination of efforts across public and private sectors
• Privacy and Civil Liberties
• Information sharing (current efforts and barriers)
• Monetizing risk
• Education of future generations, businesses, and consumers
• International coordination and development of standards
• Research and Development – “leap ahead technologies” and incentives for innovation
• Identity management


Federal Government Priority Services

• Government Emergency Telecommunications Service (GETS)

• Wireless Priority Service (WPS)

• Telecommunications Service Priority (TSP)


[Diagram: Congestion at one of many points can block a call. A call path runs from mobile switches and local exchange networks through the carrier backbones (AT&T, Verizon, Qwest) to local exchange networks and mobile switches on the far side. Wireless Priority Service addresses wireless congestion at call origination and call termination; Government Emergency Telecommunications Service addresses wireline congestion.]


Emerging Challenges

• Financial firms will continue to expand global operations.

• To realize global market and operational goals, financial firms will increasingly rely on information technology and telecommunications infrastructure throughout the world.

• The incoming workforce and next generation of consumers will use information technology and telecommunications in ways we have not yet predicted.

• Interest in exploiting this increased reliance on information technology and telecommunications will continue to grow.


QUESTIONS?


Websites

• Federal Financial Institutions Examination Council: www.ffiec.gov
• Financial and Banking Information Infrastructure Committee: www.fbiic.gov
• Financial Services Sector Coordinating Council: www.fsscc.org
• Financial Services - Information Sharing and Analysis Center: www.fsisac.com


Overview of the U.S. Financial System

[Diagram: U.S. Financial System: components, participants, and instruments. Components: credit, debt & equity, exchange-traded derivatives, and insurance. Participants: financial markets (securities, bonds, futures markets, etc.); financial intermediaries (banks, savings institutions, broker/dealers, FCMs, insurance companies, etc.); lenders/investors and borrowers/issuers (individuals, firms, government), linked by transactions; financial utilities (payment, clearing & settlement) and service providers; critical public utilities and services (telecommunications, power, transportation, public safety, insurance companies as recovery agents). Financial instruments: loans, securities, futures, annuities, CP, FX, etc. Oversight of the financial system: supervision by the Fed, SEC, FDIC, OCC, CFTC, OTS, OFHEO, NCUA, SROs, State authorities, etc.; applicable laws and regulations; central bank and Treasury functions (Federal Reserve and the Department of the Treasury); private-sector controls and trade groups (audit, public disclosure, rating agencies, etc.); associations (FS Roundtable/BITS, ABA, ICBA, ACB, SIA, FIA, etc.). Source: Steve Malphrus, Chair, Financial Sector Vulnerability Assessment Task Force, President’s Working Group on Financial Markets.]