Cyber-Security
FAS Annual Conference, September 12, 2014
Maysar Al-Samadi, Vice President, Professional Standards
IIROC
Cyber-Security
IIROC Rule 17.16 BCP
The regulatory landscape
Canadian Government policy
The Canadian financial sector
The US regulatory response
Cyber-insurance
Cybersecurity Risk Factors and Concerns
David Mussington, PhD, CISSP, Senior VP Cybersecurity
Juno Risk Solutions
Agenda
Background – David Mussington
How severe are cyber-security risks?
Who are the actors of concern?
What protection approaches are available?
Conclusions and Principal Takeaways
Questions
How serious are cybersecurity risks, and what exactly is the threat?
Financial Services are the most highly targeted of critical infrastructures by cyber criminals
Cyberspace allows for low probability of detection/high payoff illicit activity
Evolution in attack capabilities and speed is outstripping defensive measures
Recent occurrences (most notably the Snowden revelations) have pointed out the potential damage that flows from insiders
Who are the actors of concern, and what do they want?
What protection approaches are available, and what are some best practices?
Best practice approaches based on proven standards (e.g., NIST, ISO, CBEST, CCS-20 (SANS))
Industry offerings – MSSP and commercial anti-virus software and cybersecurity service vendors
Assistance from Financial Services Sector peers
Government support – CCIRC (Public Safety Canada), RCMP
Other Support Possibilities: not for profit groups, academia
Conclusions and Principal “Takeaways …”
The cybersecurity challenge is escalating;
Defense/Protection capabilities are falling behind
Information sharing within and across industries and with government is the best way to improve defenses and risk awareness;
Systemic risks can be transmitted from those with weak cybersecurity protections to those with stronger programs –“weakest link” problems are endemic;
Best practice solutions exist, but require a systematic and strategic effort to produce meaningful risk mitigation impact
Richard Livesley
Director, Strategy and Planning, Global Information and Technology Risk Management
Information Security Perspectives
Risk to BMO = Threat x Vulnerability x Consequence of a breach
Threat is bigger
• Three types
– Espionage – stealing our stuff
– Disruptive – hurting the network we have become reliant on
– Destructive – emerging threat that could target critical infrastructure and be catastrophic
• Lots of attackers
– Nation States – China is the largest
– Criminal Gangs – Russia has the most
– Hacktivists – Less sophisticated but still a nuisance
Vulnerability is larger
• We are increasing the ‘attack surface’: Social, Mobile, Analytics, Cloud
• The ‘cyber domain’ is still new with little governance by any legal authority
• The Internet design is flawed – designed to communicate between trusted partners, not those with malicious intent
Consequences of a breach have severely harmed companies
• Customer trust
• Financial consequences
Protecting the Bank involves the entire Bank
There are two major planks to the program that cover the range of capabilities we are building
Together as a Company
• Crisis Management
• Customer Authentication and Awareness Training
• Employee Access Management and Awareness Training
• Supplier Risk Assessments
• Industry & Regulatory Requirements such as GLBA, FFIEC, PCI DSS
Within Technology
• Application Software Security
• Data Security
• Network Security
• Vulnerability Management
• Threat Monitoring & Management
• Security Incident Response
• Risk Management Functions
However, the challenge of creating a safe cyberspace will not be resolved within a single company’s eco-system
Priority: Improving cross-sector sharing
What we need to do:
• Automated sharing of actionable intelligence
• A common framework to enable discussion (NIST cybersecurity framework?)
• Stronger partnerships between energy, telcos and financial institutions
Why: The threats are immediate and one sector’s weakness impacts others. The knowledge of each sector strengthens the others.

Priority: Stronger private and public partnerships
What we need to do:
• Faster and more effective sharing of information
• Legislative clarity on rights and accountabilities, e.g. privacy
• Stronger governance of the internet
Why: Ensures regulatory and legislative actions focus on the right areas.

Priority: A more cyber aware culture with personal accountability
What we need to do:
• A more educated population who understand how best to protect themselves AND who recognize that a weakness on their device threatens others – not just themselves
Why: The health of cyberspace cannot be isolated to individual companies.