iib’s risk management and regulatory examination / compliance seminar · 2018-04-04 · brg...
TRANSCRIPT
BRG (Berkeley Research Group), 550 South Hope Street, Suite 2150, Los Angeles, CA 90071
Website: www.thinkbrg.com
IIB’s Risk Management and Regulatory Examination / Compliance Seminar
Cybersecurity: Regulatory Developments and Industry Practices
Presented at: CUNY Graduate Center
October 25, 2016, 9:00 a.m. – 10:15 a.m.
Moderator:
Walter J. Mix III, Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group)
Panelists:
Melissa Hall, Of Counsel, Morgan, Lewis and Bockius, LLP
James Talbot, Counsel, Skadden, Arps, Slate, Meagher and Flom, LLP
Mike Hartigan, New York Chief Information Security Officer, Credit Agricole – Corporate and Investment Bank
Cybersecurity Attack – Map.ipviking.com
• Cybersecurity – Some Keys to Success
• Cybersecurity: Regulatory Developments and Industry Practices
• DFS’s Cybersecurity Proposal and Cybersecurity Incident Response Plans
• Third Party Cybersecurity Regulatory Developments
Moderator – Walter J. Mix III, Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group)
Overview
• “Patchwork” of Cyber Guidance / Home-Host Country Issues?
• How Cybersecurity Relates to ERM / Corporate Governance
• Litigation Example
Walter J. Mix III, Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group)
Cybersecurity – Some Keys to Success
Multiple Sources of Guidance
• What is the Primary Operational Risk Banks Face?
• Panama Papers Takeaways
• SWIFT Incident
• Bangladesh Incident
• Guidance From FFIEC, DFS, EU, NACHA, New Fed / OCC / FDIC
• Overlap or Complementary?
• Home / Host Countries
Some Issues to Consider
• Corporate Governance / Board – Management Roles
• Risk Assessment
• Outsourcing – Vendor Management
• Latest Security / Penetration Testing
• Cybersecurity Program – Properly Tailored?
• 3 Lines of Defense
• Monitoring
• Audit
• Proper Staffing
• Training – Tailored
• Post Event Plan, Actual Response and Management
• Examination Reports
• Phishing of Your Employees
• What is OOBA? Multi-Factor Authentication?
ERM and Cybersecurity – Issues to Consider
• Does Your Risk Assessment Address Risk / Risk Profile? Independently Developed? Best Practices? Measurable?
• Quality of Reports to Board / Management
• Multi-Disciplinary Team
• FFIEC Assessment Tool – Baseline, Evolving, Intermediate, Advanced and Innovative
• Risk Governance / Board Level: Engaged, Formalized, Ongoing Communication and Training
• Risk Management – Tailored to Risk Profile
– People: Executive Team Awareness, Threat Recognition, Training, Accountability, Multi-disciplinary Team and Contingency Plans
– Process: Fully Integrated within ERM Framework, Measurement / Monitoring and Continuous Improvement / Changing Requirements
– Technology: Centralized, Monitoring, Threat Alerts and IT Investments
– Vendor Management
Litigation
• A Hypothetical Litigation Scenario
• When Your Bank has been Sued? Not Us!
• “Commercially Reasonable”
• Basis
• An Ounce of Prevention
• Cybersecurity: Regulatory Developments and Industry Practices
Panelist – Melissa Hall, Of Counsel, Morgan, Lewis and Bockius, LLP
CYBERSECURITY: REGULATORY DEVELOPMENTS AND INDUSTRY PRACTICES
Melissa R. H. Hall
IIB Seminar on Risk Management and Regulatory Examination/Compliance Issues
October 25, 2016
CYBERSECURITY AND PAYMENT SYSTEMS
Increased Cybersecurity Incidents Cause Increased Regulatory Concerns
• In response to the SWIFT attacks, FFIEC released its Joint Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks
– Encourages financial institutions to review their risk management practices and controls, including authentication, authorization, fraud detection, and response management systems
– Directs financial institutions to rely on the guidance in the FFIEC IT Examination Handbook and any guidance from payment system providers
• OCC has identified cybersecurity as the primary operational risk for banks.
– OCC’s Semiannual Risk Perspective outlines the various areas of risk and concern.
• FFIEC’s Cybersecurity Assessment Tool
– Still voluntary!
Malware and Compromised Credentials
• SWIFT attacks were not an attack on the SWIFT network itself
• A combination of malware and compromised access credentials allowed the thieves to access the system
• Social engineering, phishing, etc. are a real and ongoing concern
– Hard to eliminate human error
• FFIEC identified malware and compromised credentials as meriting particular focus by financial institutions’ cybersecurity risk assessments
– Issued joint statements in 2015
FRB’s Secure Payments Task Force
• Part of the FRB’s overall faster payments initiative
• Has noted that there is no universally accepted way to verify identity of payment systems participants
• Secure Payments Task Force is considering possible solutions, including identity management practices, sharing of fraud and cyber-threat information, and ways to analyze data
• Report is expected sometime in 2017
Don’t Forget About Other Participants in Payment Systems
• Credit card networks and NACHA also lead cybersecurity efforts
• Payment Card Industry Data Security Standard (PCI DSS)
• EMV chip credit card
• NACHA’s ACH Risk Management Strategy
INTERAGENCY ENHANCED CYBER RISK MANAGEMENT STANDARDS
Interagency Enhanced Cyber Risk Management Standards ANPR
• Hot off the presses!
• Released October 19, 2016 by the FDIC, OCC and FRB
• Would establish enhanced cyber risk management standards for the largest and most interconnected entities, as well as for services that these entities receive from third parties.
• Would apply to depository institutions and depository institution holding companies with total consolidated assets of $50 billion; U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more; financial market infrastructure companies; and nonbank financial companies supervised by the FRB.
• ANPR presents 39 questions on which the agencies are seeking comment.
Interagency Enhanced Cyber Risk Management Standards ANPR
• More stringent standards on systems that are critical to the functioning of the financial sectors (“sector-critical systems”)
– Seeking comment on what systems should be “sector-critical systems”
– Proposed 2 hour recovery time objective (RTO) for sector-critical systems
• Divides enhanced cyber risk standards into 5 categories:
– Cyber risk governance
– Cyber risk management
– Internal dependency management
– External dependency management
– Incident response, cyber resilience and situational awareness
Some Proposed Requirements
• Cyber risk governance would implement standards similar to governance standards for large, complex financial institutions
– e.g., board-level oversight and written governance plans, accountability of senior management, oversight independent from business lines, etc.
• Cyber risk management would be an independent function reporting to the chief risk officer or board of directors, and internal audits would need to assess cyber risk management
• Internal dependency management would include an inventory of all business assets on an enterprise-wide basis, prioritized according to the assets’ criticality to the business functions they support, the firm’s mission, and the financial sector
5 Categories of Cyber Risk Management
• External dependency management would include having the ability to monitor in real time all external dependencies and trusted connections that support an entity’s cyber risk management strategy
• Covered entities would need to develop effective incident response and cyber resilience governance, strategies and capacities that enable them to anticipate, withstand, and rapidly recover from disruptions caused by cyber events, including establishing enterprise-wide cyber resilience and incident response programs
• Cyber resilience would require secure, offline storage of critical records, as well as establishing plans to transfer functions to another entity or service provider if the entity or service provider subject to a cyber incident is unable to perform
• Situational awareness would require ongoing threat monitoring and threat intelligence gathering
Some Takeaways
• Cybersecurity isn’t going away as a business or regulatory issue
• Banking regulators and other participants in the payment system are active in oversight and management of cybersecurity issues
• Pay attention to the regulatory guidance out there
– FFIEC, FDIC, OCC, Federal Reserve, credit card network rules, NACHA rules
• Ensure you have a cybersecurity risk assessment plan that is appropriately scaled to your level of risk and is dynamic enough to adapt to changes in cybersecurity threats
• Don’t forget about cyber resiliency
• Consider submitting comments to the ANPR
– Agencies are considering whether to issue regulations, guidance, or something else
Melissa R. H. Hall
Washington, [email protected]
Melissa R. H. Hall represents US and overseas banks, nonbank financial services companies, investors in financial services, and technology companies in regulatory and corporate matters. She advises them on a wide range of state and federal financial regulatory laws and regulations. She provides counsel on financial regulatory compliance and enforcement, including state and federal licensing requirements, consumer financial products and compliance, payment systems, corporate and transactional matters, financial institution investment and acquisition, and the development of new financial services products.
This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Links provided from outside sources are subject to expiration or change. Attorney Advertising.
© 2016 Morgan, Lewis & Bockius LLP
THANK YOU
• DFS’s Cybersecurity Proposal
• Cybersecurity Incident Response Plans
Panelist – James Talbot, Counsel, Skadden, Arps, Slate, Meagher and Flom, LLP
Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates
Beijing / Boston / Brussels / Chicago / Frankfurt / Hong Kong / Houston / LondonLos Angeles / Moscow / Munich / New York / Palo Alto / Paris / São Paulo / SeoulShanghai / Singapore / Tokyo / Toronto / Washington, D.C. / Wilmington
October 25, 2016
DFS’s Cybersecurity Proposal
Presented by: Jamie Talbot
Overview of DFS Proposal
• Stated goal: Set “minimum standards” while preserving flexibility
• Requirement: Create a Cybersecurity Program
− Risk assessment
− Defensive infrastructure
− Detect, respond to and recover from incidents
− Meet other regulatory reporting requirements
Covered Entities and Nonpublic Information
• Covered Entities
− Individuals or entities operating under a license or similar authorization under NY banking, insurance or financial services laws
» Some exceptions for smaller entities
• Nonpublic Information
− Information about individuals received or generated in course of financial services relationship (GLBA)
− Information about an individual’s health received or generated in the course of a health care relationship (HIPAA)
− Information that can be used to distinguish or trace an individual’s identity (linked or linkable to the individual)
− Information that, if disclosed or tampered with, could have a material adverse impact on operations, business or security
Cybersecurity Policy
• Written Cybersecurity Policy
− Information security
− Business continuity
− Data governance
− Access controls
− System and application development security
− Vendor management
− Incident response plan
Staffing, Reporting and Technical Requirements
• Chief Information Security Officer
− Security personnel (with training)
• Reporting
− By CISO to Board (bi-annual)
− By Board or senior officers to DFS (annual certification of compliance)
• Specific technical requirements
− Multifactor authentication for access to internal systems
− Monitor web access patterns
− Encryption – in transit and at rest
Additional DFS Requirements
• Security testing
− Penetration testing (annually)
− Vulnerability assessment (quarterly)
• Risk Assessment (annually)
• Limit and monitor access to information
• Audit trail
− Access and Reconstruction
• Limit data retention
Breach Notification
• Notice to DFS superintendent of any cybersecurity event that:
− has a reasonable likelihood of materially affecting normal operations OR
− affects nonpublic information
• If any other regulator was notified, notify DFS
• 72 hour deadline
• Unsuccessful attacks can be cybersecurity events
Problems with Breach Notification
• Can an unsuccessful attack ever give rise to a “reasonable likelihood of materially affecting the normal operation” of the business?
• Does an unsuccessful attack that would have affected nonpublic information have to be reported?
− Even if no material impact?
• What if the company isn’t sure of the effect within the 72 hour deadline?
• Not just personally identifiable information
• No exception for law enforcement requests
• End result: far more reporting
Haven’t We Seen this Movie?
• Echoes of existing laws, regulatory guidance and industry best practice
− GLBA, HIPAA, NIST, FTC, FFIEC guidance, PCI requirements, etc.
• Few conflicts with existing laws
Differences from Existing Requirements
• Obligations, not guidance
• Expanded scope
− Non-HIPAA entities must now meet HIPAA-like standards
− Nonpublic information broadened – not just PII
» “Linked or linkable”
• Additional internal reporting
• Certification
• Specific staffing requirements
• Broader notification requirements
Industry Concerns
• Additional costs and compliance burdens
− Compliance certification
− Reporting
• One-size-fits-all
• Many already doing much of this
• Company is both victim of attack and liability target
− Tension for reporting
• More to come?
Key Dates
• November 12, 2016
− Comment period closes
• January 1, 2017
− Regulation takes effect
• June 30, 2017
− Compliance grace period expires
• January 15, 2018
− 1st annual compliance certification
October 25, 2016
Cybersecurity Incident Response Plans
Presented by: Jamie Talbot
“As soon as a cyberattack hits, everyone’s IQ drops 50 points.”
Incident Response Plans: No Longer Just a Good Idea
• DFS requirement (proposed)
• Response clock is accelerating
− Privacy advocates and activists
− Insurance plans
− Delay may increase liability
72 Hours is Not Much Time
• Detect activity
• Identify activity as an incident
• Determine how to stop the incident
• Determine impact
− What was accessed
− What was copied
− Source
• Review legal requirements
− Who needs to be notified?
• Prepare and submit formal notification
Don’t Delay!
• When a cyberattack hits, companies cannot waste time figuring out:
− What to do
− Who should be involved
− Who should make decisions
− What external parties (regulators, customers, etc.) should be contacted
− What is the state of the law
• Scrambling to figure out the team and an action plan once an incident occurs is inefficient and dramatically increases the risk of a misstep
Establishing a Rapid Response Team
• Identify team members and “project lead”
− IT, legal, security, PR/communications, HR, risk management, corporate management, government relations
− Outside counsel
• Create a playbook of how incidents will be handled
− Determine how incidents will be identified
− Prioritize and classify the incident
− Establish protocols to determine who should be notified
− Establish protocols to mitigate and remediate
− Establish protocols for how incidents will be documented
− Include logistical information
» Backup contacts
» Communication channels
DFS Required Contents of Plan
• Per the DFS Proposal, plan MUST address the following:
− Internal processes for responding to an incident (including unsuccessful attacks)
− Goals of the plan
− Definition of clear roles, responsibilities and levels of decision-making authority
− External and internal communications and information sharing
− Remediation of any identified weaknesses in IT systems and controls
− Documentation and reporting regarding incidents and related incident response activities
− Evaluation and revision of the plan following an incident
• Third Party Cybersecurity Regulatory Developments
Panelist – Mike Hartigan, New York Chief Information Security Officer, Credit Agricole – Corporate and Investment Bank
Third Party Cyber Security Regulatory Developments
Mike Hartigan
October 25th, 2016
ANNUAL SEMINAR ON RISK MANAGEMENT AND REGULATORY EXAMINATION/COMPLIANCE ISSUES
Cyber Security: Regulatory Developments and Industry Practices
Third Party Cyber Security Assessment Agenda
Cyber Security Assessment within the Third Party Program
Step 1 - Third Party Program Scoping & Risk Classification
Step 2 - Conducting the TSP Cyber Security Assessment
Step 3 - Residual Risk Management
Third Party Service Provider Risk Assessment Considerations
Third Party Service Provider FFIEC & DFS Regulatory Developments
Regulatory Cyber Security Landscape
Questions
Appendix - DFS Cyber Security Requirement
Conclusion
Thank You!
Questions?