6/23/2015

1

Cyber Security and the FFIEC

Expectations

TTS WebinarJune 23, 2015

Background• Cyber Security Initiatives

• Cyber Security and Critical Infrastructure Working Group –June 2013

• Webinar: Executive Leadership of Cyber Security: What Today’s CEOs Need to Know About the Treats They Don’t See – May 7, 2014

• Cyber Security Preparedness Assessments – June/July 2014

• Cyber Security Assessments General Observations– Nov. 3, 2014

• Appendix J: BCP Handbook Strengthening the Resilience of Outsourced Technology Services

6/23/2015

2

FFIEC

• Teams of examiners dedicated to IT security issues.

• Focusing on community banks, thrifts, and credit unions.

• Devoting resources to cyber security at all institutions.

General Observations

• Range of inherent risks

• Varied risk management practices

• Questions for CEOs and BODs

Document is not guidance

6/23/2015

3

Cyber Security Inherent Risk

• The amount of risk posed by an institution’s activities and connections, not withstanding risk-mitigation controls that are in place

• Type

• Volume

• Complexity

Connection Types

• VPN

• Wireless

• FTP, Telnet

• LAN

• BYOD

6/23/2015

4

Products and Services

• Offered by the Institution

• Attackers target technologies

• Stolen user credentials

Technologies Used

• Core System

• Internet Banking

• Mobile Banking

• Cloud Computing

• ATMs

6/23/2015

5

Questions• What type of connections do we have?

• How are we managing the connections in relation to rapidly evolving threats/vulnerabilities?

• Do we need all the connections? Would we reduce risk by eliminating some connections?

• How do we evaluate the threats and vulnerabilities for the products/services we offer and technologies used?

• How do the connections, products/services, technologies affect inherent cybersecurity risk?

Preparedness

• Risk management and oversight

• Threat intelligence and collaboration

• Cybersecurity controls

• External dependency management

• Cyber incident management and resilence

6/23/2015

6

Risk Management and Oversight

• Governance

• Allocation of resources

• Training and awareness

Governance• Policies

• Procedures

• Controls

• Ongoing Security Assessements

• Monitoring

• Exception Logs

• Access Controls

• Testing of Controls

• Risk Assessments

• Threats

• Vulnerabilities

• Controls

• Processes that enable adaptability and change due to threats

• Response Plans

• Board and Senior Management Reporting

6/23/2015

7

Questions• What is the process for ensuring ongoing and

routine cybersecurity discussions by BOD and Sr. Mgmt?

• How is accountability determined for mangaging cyber risks? Does this include mgmt’s accountability for business decisions that may introduce cyber risks?

• What is process for ensuring ongoing employee awareness and effective response to cyber risks?

Threat Intelligence and Collaboration

• Getting, monitoring, sharing, and analyzing information on cyber threats

• Maintain awareness and monitor, evaluate so can respond timely and appropriately

• Participate in info sharing forums

6/23/2015

8

Threat Intelligence• Risk assessment reports

• Internal audit reports

• Fraud detection

• AML/BSA monitoring

• FS-ISAC

• FBI

• US Secret Service Electronic Crimes Task Force

• Regulatory Reports

• Webinars/Conferences

• NIST

• 3rd Party Reports

• Verisign

• Mandiant

• Trustwave

• Symantec

Questions• What is the process to gather and analyze

threat information from multiple sources?

• How do you leverage this information to improve risk management practices?

• What reports are provided to the BOD on cyber events and trends?

• Who is accountable for maintaining relationships with law enforcement.?

6/23/2015

9

Controls

• Preventive

• Detective

• Corrective

Preventive• Administrative, technical, physical

• Change management and patch management

• Access controls

• Encryption

• Firewalls, IPS

• Training

• Policies, procedures

6/23/2015

10

Detective

• Anti-virus, anti-malware

• Monitoring, alerting

• Pen testing, vulnerability assessments

• Port scans

• Audit

Corrective

• Installing updates/patches

• Changing passwords, access levels

• Implementing audit and exam recommendations

6/23/2015

11

Questions• What is the process for determining and

implementing preventive, detective, corrective controls on the network?

• Does the process call for a review and update of ocntrols when IT environment changes?

• What is the process for classifying data and determining appropriate controls based on risk?

• What is the process for ensuring risks identified through detective controls are remediated?

6/23/2015

12

External Dependency Management

• Outsourced third parties

• Expectations and practices to oversee relationships

Questions

• How do we connect to third parties and ensure they are managing their cybersecurity controls?

• What are the third parties responsibilities during a cyber attack? How are these outlined in the incident response plan?

6/23/2015

13

Incident Management and Resilience

• Incident

• Detection

• Response

• Mitigation

• Escalation

• Reporting

• Resilience

Questions

• In the event of a cyber attack, how will we respond internally and with customers, third parties, regulators, and law enforcement?

• How are cyber incident scenarios incorporated into our business continuity and disaster recovery plans? Have they been tested?

6/23/2015

14

7 Cybersecurity Questions Bank Boards Need to Ask

• What is management’s familiarity with cybersecurity?

• Have the crown jewels been identified and are they properly protected?

• Can management articulate is cyber risks and explain its approach and responses?

• Has management assigned clear roles and responsibilities for identifying, evaluating, monitoring, and responding to cybersecurity incidents?

• What are the crisis communication plans in event of cyber attack?

• Is the bank managing third-party vendors?

• Are the third-party vendors and the bank members of an information sharing and analysis center (like FS-ISAC)?

American Banker, Oct. 6, 2014

Regulatory Cyber Security and Preparedness

• Baseline Protections

• Information Sharing

• Response and Recovery

6/23/2015

15

Baseline Protection

• Policies

• Procedures

• Controls

Baseline Protection Questions to Ask

• #1 - Is Cyber risk part of the current risk management framework?

• #2 - Do we follow the NIST Cybersecurity Framework?

• #3 - Do we know the cyber risks that our vendors and third-party service providers expose us to and do we know the rigor of their cybersecurity controls?

6/23/2015

16

Baseline Protection Questions to Ask

• #4 - Do we have Cyber Risk Insurance? If yes, what does it cover and exclude? Is the coverage adequate based on the cyber risk exposure?

• #5 - Do we engage in basic cyber hygiene?

Information Sharing Questions to Ask

• #6 - Do we share incident information with industy groups? If so, when and how does this occur?

6/23/2015

17

Response and Recovery Questions to Ask

• #7 - Do we have a cyber-incident playbook and who is the point person for managing response and recovery?

• #8 - What roles do senior leaders and the board play in managing and overseeing the cyber incident response?

• #9 - When and how do we engage with law enforcement after a breach?

Response and Recovery Questions to Ask

• #10 - After a cyber incident, when and how do we inform our customers, investors, and the general public?

6/23/2015

18

NIST Cybersecurity Framework

• February 12, 2014 - Framework for Improving Critical Infrastructure Cybersecurity

• Provides “what’s needed” for comprehensive cybersecurity program.

• Any size organization can apply principles and best practices

NIST Framework• Organizations should:

• Describe current cybersecurity posture

• Describe target state for cybersecurity

• Identify and prioritize opportunities for improvement

• Assess progress

• Communicate with internal and external stakeholders about risks

6/23/2015

19

NIST Framework

• Core

• Identify

• Protect

• Detect

• Respond and Recover

Why Review NIST Framework

• Regulators may use to formulate examination work program and guidance

• Increased focus on cybersecurity - high profile data breaches

• Regulators devoting extra resources to cybersecurity

6/23/2015

20

4 - Key Elements • Third Party Management

• Third Party Capacity

• Testing with Third Party TSPs

• Cyber Resilience

6/23/2015

21

Third Party Management

• Risk Focused

• Oversight

• Controls

• Evaluating a third party before you enter into the relationship

• Consider maturity of new technologies

• Understand the benefits and risks

• Assess the effectiveness of TSP’s BCP

• Review with your BCP in mind

Due Diligence

6/23/2015

22

Contracts• Right to audit

• Establishing and monitoring performance standards

• Default and termination

• Subcontracting

• Foreign-based service providers

• BCP testing

• Data governance

• TSP updates

• Security issues

Ongoing Monitoring

• Monitor performance

• Review the third parties BCP including testing

• Third party audits (of the outsourced third party)

• MIS reports

6/23/2015

23

Third Party Capacity

• Third Party Service Provider’s ability:

• To provide critical services to all its clients

• Meet stated RTOs and RPOs

TSP Alternatives• Lack of resilience/failure of TSP

• Financial Institution clients take over operations

• Convert

• New TSP takes over existing operations

• Bring in-house

6/23/2015

24

• Have a contingency plan that addresses alternatives for the resilience of services supporting critical operations

Strategic Considerations -Third Party Management

• Business resilience embedded in your third party risk management life cycle

• Ensure third party service provider has a “third party risk management program”

6/23/2015

25

• Ensure your TSPs have an adequate plan and have tested it

• Identify and prearrange alternative resources

Strategic Considerations - Third Party Capacity

Within the Plan• Discuss scenarios of significant

disruptions

• Assess immediate or short term space, systems, and personnel capacity

• Identify feasible recovery operations and address restoration of key services in a BCP

• Participate in user groups or industry initiatives to test recovery scenarios

6/23/2015

26

Testing with TSPs• Demonstrate ability to meet recovery

objectives

• Include important services in your testing

• Based on established risk prioritization and evaluation of critical functions

Remember• Ability to

• Recover

• Restore

• Resume

• Maintain

6/23/2015

27

• Test with TSP

• Review TSP’s test scope, execution, and results

• Provide test results to Board

• Understand the testing process and that the testing is adequate

Appendix J

6/23/2015

28

Test Scenarios

• TSP outage or disruption

• Institution outage or disruption

• Cyber event both institution and TSP

• Simultaneous attack affecting both

Testing Complexity

• Develop strategies

• Extend beyond:

• Third party network connectivity

• Include transaction processing

• Functionality testing

• Demonstrate transaction flows

• Identify interdependencies and end to end processes

6/23/2015

29

• Perform integrated tests incorporating more than one system or application including external dependencies

• Test interdependencies - two or more departments, business lines, processes, functions

• Conduct end to end exercises

• Conduct full scale exercises

• Perform exercises that include third parties, subcontractors, vendors, or servicers

• Assurances the TSP has capacity to restore critical services

• TSP needs to be transparent with testing activities and results

• TSP should share results, remediation action plans, status report

• Institution needs to evaluate the results

Testing wth TSP

6/23/2015

30

Cyber Resilience• Malware - use layered

anti-malware strategy

• Integrity checks

• Anomaly detection

• System behavior monitoring

• Employee security awareness training

• Strong passwords

• Mobile device controls

• Social media controls

• Hardened operating systems

• Controlled Internet access

Cyber Resilience

• Insider Threats

• Employee screening/hiring practices

• Background checks, drug testing, credit checks, etc.

• Dual controls

• Segregation of duties

6/23/2015

31

Data or Systems Destruction and

Corruption• Destruction - erased or rendered unusable

• Corruption - altered/manipulated without authorization

• “Air gap” - computer, system, or network is physically separated from other computers, systems, or networks

• Limits exposure to cyber attack and allows for restoration of data to a point in time before the attack

• “Periodic read only” backup

• Transmission of data to a physically and logically separate read only backup location

6/23/2015

32

• Cloud based disaster recovery services

• Virtualization

• Disk backup

• Data replication

• Reliance on a single communication provider

• Disruptions that affect multiple financial institutions due to TSP concentration

• Simultaneous disruptions of voice and data due to convergence of services in same network

• Disruption of data and voice between other entities and TSP

Communication Infrastructure Disruption

6/23/2015

33

Simultaneous Attack on Financial Institution and

TSPs• Production and backup sites geographically separated (sufficient distance apart)

• What about a Cyber Attack? Will geographic disparity help?

Strategic Considerations - Cyber Resilience

• How you respond is critical

• Use backup architectures and technology that minimize potential for destruction and corruption

• Use integrity controls

• Use independent, redundant alternate communication providers

• Layer your anti-malware strategy

• Enhance planning to include simultaneous attacks

• Increase awareness of insider threats

• Enhance incident response plans

• Prearrange 3rd party forensics and incident management services

6/23/2015

34

• Management should ensure resilience through:

• Third Party Management

• Third Party Capacity

• Testing

• Cyber Resilience

Risk Management Program• Senior management and Board level - awareness,

understand risks/threats, and are engaged.

• Need security measures to deter and combat.

• Create a culture of risk management

• Emphasize importance of identifying and escalating risks internally, communicate enterprise-wide about risks.

• Evaluate new products, services, and relationships -IT Strategic plan.

6/23/2015

35

Risk Management Program

• Enhance to address cyber security

• Current written information security program

• Enterprise-wide information security risk assessment

• BCP, DRP, Incident Response Plan, Outsourced Third Party Risk Management Program

• Board reporting

• Employee security awareness training

• Insurance – cyber security

• Given the increase in cyber security threats, (Institution) is expanding its Information Security Program to also include a Cyber Security Preparedness and Risk Management. This Information and Cyber Security Preparedness Risk Management Program will include as applicable for (Institution’s) size and complexity:

• Identifying, monitoring, measuring, and mitigating risks

• Aligning the information cyber security strategy with the institution’s business strategy

6/23/2015

36

Cyber Risk Management &

Oversight• Robust governance policies and risk management strategies

• Commit sufficient resources

• Enterprise-wide approach

• Ensure strong cyber security culture

Threat Intelligence & Collaboration

• Timely monitoring of threat information and identification of attack methods

• Leverage known sources

• Share crucial threat information

6/23/2015

37

Cyber Security Controls

• Incorporate physical, logical, and other cyber security controls

• Prevent

• Detect

• Mitigate

External Dependency Management

• Identify critical external dependencies

• Establish rigorous vendor management controls

• Define 3rd party responsibilities and service level

• Evaluate 3rd party’s incident response and resilience

6/23/2015

38

Incident Management & Resilience

• Develop Incident Response Plan

• Identify incidents

• Use monitoring tools

• Escalate and report

Incident Response

• Assess nature and scope

• Identify information and/or systems involved

• Notify primary regulator

• Comply with applicable SAR regulations and guidance

• Contain and control

• Notify customers

6/23/2015

39

Cyber security = Information Security

Cultural Change = More Involvement by Sr. Mgmt;

not just IT Issue; Tone at the Top

6/23/2015

40

Not just an IT issue - it is an Operational issue

“Impact goes beyond IT, there are real financial and

reputation implications”

“Few issues more important than cyber attack and cybersecurity to the

regulators”

6/23/2015

41

Questions?Thank YouSusan Orrwww.susanorrconsulting.comsusan@susanorrconsulting.com630.499.0276

TTSWesley Kavelariswww.BankWebinars.cominfo@ttsTrain.com800.831.0678

Upcoming WebinarsJune 24th - W-8, W-9 and Account Opening Issues

June 25th - Dealing with Subpoenas, Summonses, Garnishments, Tax Levies, Etc.

June 25th - 10 Key Compliance Issues on Overdraft Privilege Programs: What your Branches Need to Know and Do

July 7th - Call Center Representative Training

July 8th - Using Business Tax Returns to Analyze Lending Requests

July 8th - Best-Ever Compliance Checklists for Consumer Loans

July 9th - Federal Benefit Payments Garnishment Requirements

July 14th - Entering the World of Consumer Lending - Part 1

July 15th – Outsourced Third Party Risk Management - Vendor Management

July 16th - Lending to Municipalities