
EMEA COMPLIANCE SUMMIT 2017 – Cyber Security Landscape

Magda Mielcarz, EMEA Head of Channel and Enterprise Services, Treasury and Trade Solutions, Citi

David Rose, Security and CitiDirect BE EMEA Product Manager, Treasury and Trade Solutions, Citi

Citi Academy for Financial Institution Professionals | 4 – 5 April 2017


A. Cyber Landscape, Threats and Trends

Cyber Security – Threats and Impact
Cyber attackers increasingly target institutions to steal money and data, exploiting technology and people/process failures.

1. Cyber “Insecurity” is Impacting Institutions
“US$3.1 Billion lost via Business Email Compromise (BEC) Scams”, FBI
“Bangladesh Bank Chief Resigns After Cyber Theft of $81 Million”, NY Times
“Union Bank reports cyber breach on offshore account”, Times of India
“Ecuador bank hack saw $9m stolen …”, International Business Times

2. Industry Stats
$445 Billion: estimated global cost of cybercrime as of February 2015 [1]
$241 Billion: combined cost to the top three global economies [2]
  US: $116 Billion
  China: $71 Billion
  Germany: $54 Billion
  All Others: $204 Billion

3. Methodologies
Human Effect
Human + Technology
Technology

4. Payment Fraud – Trend
US wire fraud is increasing while check fraud is decreasing (chart series: Checks, Wires).
Source: 2016 AFP Payments Fraud and Control Survey.

1. Computer Weekly; “Cyber crime is a threat to global economy, says researcher”; February 2015.
2. McAfee; “Net Losses: Estimating the Global Cost of Cybercrime”; June 2014.

The Changing Information Security Threat Landscape
The volume and sophistication of threats are increasing. Whereas criminals only need to succeed once, institutions cannot afford one failure.

Key Trends
• Multi-vector attacks
• Targeted victims
• Sophisticated tools
• Persistence / long-term outlook
• Impersonation
• Business Email Compromise

Cyber Threat Actors

Nation-state
• Sophisticated actors
• Targeting trade secrets, sensitive information
• Supporting national interests

Cyber Crime
• Financially motivated
• Frequent use of social engineering

Terrorism
• Politically or ideologically motivated
• Goal is to instill fear
• Attacks often destructive

Hacktivism
• Advancement of a social or political agenda
• Attacks often disruptive

Insider
• Motivations vary, including fraud, revenge, desire for destruction
• Access is often authorized, making detection hard

Malware – A Prominent Threat in the Financial Industry
Malware attacks are among the most prevalent cyber threats faced by financial institutions today.

What is Malware?
Malware is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Malware is mostly used against financial institutions to compromise passwords and gain confidential information such as bank or credit card numbers.
Malware attacks can target high value transactions such as money flows, often in conjunction with Social Engineering, Man-in-the-Middle, Man-in-the-Browser and other attack vectors.

Malware by Type [1]
• Trojans: 76.05%
• Other: 14.53%
• Adware/Spyware: 5.17%
• Worms: 2.57%
• Viruses: 1.68%
Trojans are the most common: malicious programs disguised as something normal that users may unwittingly install.

Method of Infection [2]
• E-Mail Attachment: 39.9%
• E-Mail Link: 37.4%
• Web Drive-By: 16.6%
• Direct Install: 3.6%
• Download by Malware: 2.8%
• Web Download: 2.2%
• Remote Injection: 1.9%
• Network Propagation: 0.3%

1. PandaLabs Report Q1 2015
2. 2015 Verizon Data Breach Investigations Report

Security Ecosystem – Internal and External Interactions
Fraud prevention requires controls and partnership.

Parties shown in the ecosystem diagram:
• Client
• Financial Centers and Flows
• Banks
• Other Parts of the Corporation (Internal Interactions)
• Information Security and Technology (Internal Interactions)
• Suppliers
• Vendor Performing Financial Outsource Function

B. Developing a Strategic Defense

Citi’s Intelligence-Led Information Security Investment Pillars

Citi is facing a must-win battle against sophisticated cyber adversaries. The mission of Citi Global Information Security is to prevent, detect, respond to, and recover from cyber attacks. Citi does this by implementing an intelligence-led strategy to protect the firm’s data, assets, people, and reputation.

Intelligence-Led Information Security: a business model and managerial philosophy where analysis and intelligence are pivotal to an objective decision-making framework that facilitates information protection through effective implementation of strategies that target prolific and serious threat actors and their methods.

Investment pillars:
• Developing information sharing platforms, intelligence products, and operational playbooks that inform executive action and decision-making
• Deploying innovative technologies that enhance safety and security
• Transforming our workforce by investing in top-level cyber intelligence, IS talent, and leaders from the private and public sectors, and academia
• Implementing leading management practices and initiatives to maximize collaboration, learning, and innovation across functional areas

Cyber Security Fusion Center Mission
Citi’s Cyber Security Fusion Center (CSFC) is an intelligence-led organization that unifies Citi’s efforts to prevent, detect, respond to, and recover from cyber-attacks. Through a culture of collaboration, the CSFC fuses intelligence from a variety of sources to prevent attacks, reduce risk, and support executive decision-making.

Strategic Objectives
• Prevent and detect cyber-attacks against Citi, its customers, and critical partners
• Reduce Citi’s vulnerability and risk to cyber-attacks
• Minimize damage and attacks through an effective and efficient response effort
• Drive a learning organization to action

Developing a Strategic Defence
Creating a layered defense utilizing security best practices from the industry, Financial Market Utilities (e.g. SWIFT) and law enforcement (e.g. FBI).

Protect
  People: Staff Segregation of Duties; Background Verifications
  Process: Identity and Access Management; Vendor Management; Data Protection
  Technology: Device/Software Controls; Perimeter/Network Security; Secure/Authorized Connectivity

Detect
  People: Staff Training
  Process: Audits; Reconciliations
  Technology: Network Monitoring; Vulnerability Assessment

Respond
  People: Response and Escalation
  Process: Security Incident Management; Investigation and Insurance
  Technology: Contingency; Testing

Checklist – Protect

People
  Staff Segregation of Duties
  • Mandatory absence for staff with financial responsibilities
  • Divide responsibilities so one person cannot dominate a transaction
  Background Verifications
  • Ensure hiring procedures include reference checks, background screening
  • Third-party employee due diligence

Process
  Identity and Access Management
  • Centralized identity administration
  • Privileged user managed access
  Vendor Management
  • Reviewing end-to-end payments processes
  • All third-parties meet internal Information Security and Risk requirements
  • Third-Party Information Security Assessment process
  Data Protection
  • Limit access to sensitive or confidential data
  • Data retention, storage, and privacy policy
  • Account controls and segregation

Technology
  Device/Software Controls
  • Anti-Malware and Anti-Virus protection
  • Timely update of patches, upgrades to software including SWIFT applications
  • Secure Software Development including Source Code Review
  • Access and Entitlements Management
  Perimeter/Network Security
  • Firewalls
  • Denial of Service protection
  Secure/Authorized Connectivity
  • Multi-Factor Authentication
  • Secure connectivity between third-parties (including FMUs) with firewalls and encryption

Preventive measures and best practices can help balance risk and add value.

* These best practices are not limited to the suggested preventative measures listed here and are meant to illustrate ways to help increase controls against fraud.

Checklist – Detect

People
  Staff Training
  • Promote periodic internal training on cyber threats and fraud awareness
  • Periodic and surprise staff awareness/testing on ability to recognize common threats
  • Contact Security or Fraud representative upon suspicious activity

Process
  Audits
  • Periodic reviews and audits
  Reconciliations
  • Daily reconciliation to identify fraud
  • Regular review of transaction reports and dashboards

Technology
  Network Monitoring
  • Intrusion Detection (e.g. 24/7 monitoring of network traffic for abnormalities)
  • Anti-Phishing Controls (e.g. filtering e-mails and proxying hyperlinks)
  • Data Leakage Protection (e.g. content monitoring of traffic leaving the firm)
  Vulnerability Assessment
  • Ethical hack to proactively identify/remediate weaknesses

Proactive measures to detect potential fraudulent activity can help mitigate transaction level risks.

* These best practices are not limited to the suggested preventative measures listed here and are meant to illustrate ways to help increase controls against fraud.

Checklist – Respond

People
  Response and Escalation
  • Issue alerts and reminders for staff to know exactly what to do in the event of an actual or potential compromise
  • Ensure crisis management proficiency and other subject matter expertise

Process
  Security Incident Management
  • Recall processes
  • Periodic tests of response plan
  • External/internal communication
  Investigation and Insurance
  • Root cause investigation
  • Timely reporting of incidents
  • Insurance coverage as appropriate

Technology
  Contingency
  • Contingency infrastructure
  Testing
  • Testing of incident response for data/system breach both in-house and with critical 3rd parties

Reaction and recovery mechanisms are necessary for effective and timely risk mitigation.

Fraud Response Process Example: Detection and Impact Analysis → Communication → Investigation → Resolution

* These best practices are not limited to the suggested preventative measures listed here and are meant to illustrate ways to help increase controls against fraud.

C. Case Studies

Case Study – Compromised Bank Security Environment
The example below illustrates how hackers use a wide variety of tactics to facilitate cyber attacks.

1. Hackers research the institution and identify high value targets, stealing user credentials via social/professional media.
2. Hackers target and compromise a bank’s proprietary environment via malware-infected communication.
3. Hackers create fraudulent payment instructions, sent to the Financial Network as authenticated instructions, without compromising the network.
4. Hackers cover their tracks by planting malware in the bank’s infrastructure.
5. Fraudulent transactions travel on the Network via correspondent banks, who forward funds to the beneficiary bank.
6. Fraudulent funds are quickly disbursed via institutions/jurisdictions where investigation and recalls are difficult.

Security Tips *
• Cyber security training for staff
• Avoid password re-use
• Be quick to recall suspicious transactions
• Utilize a fraud management playbook
• Be vigilant and do not click on suspicious links
• Deploy anti-virus and anti-malware tools
• Deploy maker-checker for transactions and multi-factor authentication
• Keep software and patches up to date
• Multiple methods of reconciliation
• Engage law enforcement
• Review insurance and other mitigations

* These best practices are not limited to the suggested preventative measures listed here and are meant to illustrate ways to help increase controls against fraud.

Anatomy of a Cyber Attack – Disrupting the Chain
A successful cyber attack involves a number of stages. Disruption at any stage may thwart an attacker.

The chain on the slide runs from Initiate Attack through to Act on Objectives, with the following controls mapped along its stages (several, such as Intrusion Detection, Perimeter Security and the Security Operations Center, recur at more than one stage):
• Data Protection Programs
• Cyber Intelligence Center
• Training & Awareness
• Secure Email
• Encryption
• Intrusion Detection
• Perimeter Security
• Secure SDLC
• Security Incident Process
• Vulnerability Assessments
• Security Operations Center
• Vulnerability & Threat Management
• Entitlement Management
• Privileged User Access
• ID Administration

D. Collaboration and Innovation

Citi’s Fraud Awareness Toolkit

Main Page: http://www.citi.com/treasuryandtradesolutions/fraudpreventionresources

The Fraud Risk Managers Toolkit provides best practices to tackle fraud risks, encapsulating both Social Engineering and Digital Security.

Continuous Innovation to Keep Ahead of the Threat
Citi is leveraging its global Innovation Labs to explore and develop new security solutions.

Focus areas: Device Security, Transaction Security, Biometrics, Out of Band Security

• Voice Biometrics: Evaluate technologies to enable user access via simple verification of their natural speech
• Behavioral Biometrics: Deploy a passive log-in tool using client behavior (e.g. typing) that cannot be emulated by external agents
• Malware Detection: Enable passive detection tools to identify viruses
• Information Breach: Advise clients when their private credentials are being publicly distributed by cyber criminals
• Out of Band Authentication: Provide a One-Time-Password via SMS, phone call or device application, using a channel or device separate from the primary banking channel
• Digital Signature and Transaction Approval: Secure transactions via a mobile device separate from the desktop banking channel
• Payments Risk Manager: Use data analytics tools to help identify unusual payment transactions for clients to review prior to execution by Citi
• Risk-based Authentication: Enable simpler security for low risk transactions and complex security for higher risk transactions

The key challenge is to balance user experience, security, and worldwide availability for Citi clients.

The above solutions are being evaluated but may or may not be rolled out in the future.
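Two of the controls the deck keeps returning to, approval of a transaction on a device separate from the desktop channel and maker-checker so that one person cannot dominate a payment, fit together in a small server-side check. The following is an added example, not code from the slides or from Citi's systems: the HMAC device key, the Payment fields, the canonical message layout and the sample IBANs are constructed assumptions standing in for whatever signing scheme a real token or mobile app would use.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed enrolment table: each user has a key provisioned on their own
# out-of-band device. Real deployments would use an asymmetric key pair or a
# hardware token; a per-user HMAC key keeps this example self-contained.
DEVICE_KEYS = {
    "alice": secrets.token_bytes(32),   # maker (creates the payment)
    "bob": secrets.token_bytes(32),     # checker (approves on a separate device)
}

@dataclass(frozen=True)
class Payment:
    payment_id: str
    beneficiary_iban: str
    amount_minor: int      # minor units (cents) so no float rounding creeps in
    currency: str

def canonical(p: Payment, challenge: bytes) -> bytes:
    """Fixed field order and separators so the device and the server hash exactly
    the same bytes. The server-issued challenge stops an old approval being
    replayed against a later payment with the same details."""
    fields = [p.payment_id, p.beneficiary_iban, str(p.amount_minor), p.currency]
    return b"|".join(f.encode() for f in fields) + b"|" + challenge.hex().encode()

def device_sign(user: str, intended: Payment, challenge: bytes) -> bytes:
    """What happens on the checker's separate device: the details shown there are
    what gets signed (what-you-see-is-what-you-sign), not whatever the browser sent."""
    return hmac.new(DEVICE_KEYS[user], canonical(intended, challenge), hashlib.sha256).digest()

def server_approve(submitted: Payment, maker: str, checker: str,
                   challenge: bytes, signature: bytes) -> tuple[bool, str]:
    """Server side: enforce maker-checker, then require that the checker's device
    signature covers the instruction the server is actually about to execute."""
    if maker == checker:
        return False, "maker-checker violated: same user created and approved"
    if checker not in DEVICE_KEYS:
        return False, "checker has no enrolled out-of-band device"
    expected = hmac.new(DEVICE_KEYS[checker], canonical(submitted, challenge), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature does not cover the submitted instruction (altered or replayed)"
    return True, "approved"

def demo() -> dict:
    """Four cases: a clean approval, a browser-side alteration of the beneficiary
    (the Man-in-the-Browser pattern named on the slides), a same-user approval,
    and a replay of a valid signature under a fresh challenge."""
    challenge = secrets.token_bytes(16)
    # Constructed sample payment; the IBANs are the standard published examples.
    intended = Payment("PAY-1001", "DE89370400440532013000", 250_000, "EUR")
    altered = Payment("PAY-1001", "GB29NWBK60161331926819", 250_000, "EUR")
    sig = device_sign("bob", intended, challenge)   # bob confirmed the intended details
    return {
        "legit": server_approve(intended, "alice", "bob", challenge, sig)[0],
        "altered_beneficiary": server_approve(altered, "alice", "bob", challenge, sig)[0],
        "same_user": server_approve(intended, "bob", "bob", challenge, sig)[0],
        "replay": server_approve(intended, "alice", "bob", secrets.token_bytes(16), sig)[0],
    }

if __name__ == "__main__":
    print(demo())
```

Only the first case is approved; the altered instruction fails because the signature was computed over what the checker saw on the separate device, which is the property an out-of-band approval channel is meant to provide.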

IRS Circular 230 Disclosure: Citigroup Inc. and its affiliates do not provide tax or legal advice. Any discussion of tax matters in these materials (i) is not intended or written to be used, and cannot be used or relied upon, by you for the purpose of avoiding any tax penalties and (ii) may have been written in connection with the “promotion or marketing” of any transaction contemplated hereby (“Transaction”). Accordingly, you should seek advice based on your particular circumstances from an independent tax advisor.

Any terms set forth herein are intended for discussion purposes only and are subject to the final terms as set forth in separate definitive written agreements. This presentation is not a commitment or firm offer and does not obligate us to enter into such a commitment, nor are we acting as a fiduciary to you. By accepting this presentation, subject to applicable law or regulation, you agree to keep confidential the information contained herein and the existence of and proposed terms for any Transaction.

We are required to obtain, verify and record certain information that identifies each entity that enters into a formal business relationship with us. We will ask for your complete name, street address, and taxpayer ID number. We may also request corporate formation documents, or other forms of identification, to verify information provided.

© 2017 Citibank, N.A. All rights reserved. Citi and Citi and Arc Design are trademarks and service marks of Citigroup Inc. or its affiliates and are used and registered throughout the world.

All views, opinions and estimates expressed in this communication (the “Communication”) (i) may change without notice, and (ii) may differ from those views, opinions and estimates held or expressed by Citigroup Inc., its subsidiaries and branches thereof worldwide (together “Citi”) or other Citi personnel.

This Communication is provided for information and discussion purposes only and does not constitute legal or other advice. Unless otherwise expressly indicated, this Communication does not constitute an offer or recommendation to purchase or sell any financial instruments or other products and does not take into account the investment objectives or financial situation of any particular person. Recipients of this Communication should obtain advice based on their own individual circumstances from their own tax, financial, legal and other advisors before making an investment decision or taking any other action and only make such decisions on the basis of the recipient’s own objectives, experience and resources and on the basis of the recipient’s own tax, financial and legal advice. The information contained in this Communication is based on generally available information and, although obtained from sources believed by Citi to be reliable, its accuracy and completeness cannot be assured, and such information may be incomplete or condensed. It has not been prepared by research analysts, and the information in this communication is not intended to constitute “research” as that term is defined by applicable regulations. Furthermore, the information in it is general, may not reflect recent developments and was not intended and must not be considered or relied on as legal, tax, financial or any other form of advice. Please contact your legal counsel and other advisors if you have any questions or concerns about the matters addressed here. No liability is accepted by Citi for any loss (whether direct, indirect or consequential) that may arise from any use of the information contained in or derived from this Communication.

IRS Circular 230 Disclosure: Citi, its employees and its affiliates are not in the business of providing, and do not provide, tax or legal advice to any taxpayer outside of Citi. Any statements in this Communication to tax matters were not intended or written to be used, and cannot be used or relied upon, by any taxpayer for the purpose of avoiding tax penalties. Any such taxpayer should seek advice based on the taxpayer’s particular circumstances from an independent tax advisor.

Citi specifically prohibits the redistribution of this Communication in whole or in part without the written permission of Citi and Citi accepts no liability whatsoever for the actions of third parties in this respect.

Copyright © 2017 Citigroup Inc. and/or its affiliates. All rights reserved. CITI, CITI and Arc Design, CITIBANK and CITIGROUP are trademarks and service marks of Citigroup Inc. and/or its affiliates and are used and registered throughout the world.
