
Page 1: IIB’s Risk Management and Regulatory Examination / Compliance Seminar · 2018-04-04 · BRG (Berkeley Research Group) 550 South Hope Street, Suite 2150, Los Angeles, CA 90071 Website:

BRG (Berkeley Research Group)
550 South Hope Street, Suite 2150, Los Angeles, CA 90071
Website: www.thinkbrg.com

IIB’s Risk Management and Regulatory Examination / Compliance Seminar

Cybersecurity: Regulatory Developments and Industry Practices

Presented at: CUNY Graduate Center
October 25, 2016, 9:00 a.m. – 10:15 a.m.

Moderator:
Walter J. Mix III, Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group)

Panelists:
Melissa Hall, Of Counsel, Morgan, Lewis and Bockius, LLP
James Talbot, Counsel, Skadden, Arps, Slate, Meagher and Flom, LLP
Mike Hartigan, New York Chief Information Security Officer, Credit Agricole – Corporate and Investment Bank

Page 2

Cybersecurity Attack – Map.ipviking.com

Page 3

Overview

• Cybersecurity – Some Keys to Success
• Cybersecurity: Regulatory Developments and Industry Practices
• DFS’s Cybersecurity Proposal and Cybersecurity Incident Response Plans
• Third Party Cybersecurity Regulatory Developments

Moderator – Walter J. Mix III, Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group)

Page 4

Cybersecurity – Some Keys to Success

• “Patchwork” of Cyber Guidance / Home-Host Country Issues?
• How Cybersecurity Relates to ERM / Corporate Governance
• Litigation Example

Walter J. Mix III, Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group)

Page 5

Multiple Sources of Guidance

• What is the Primary Operational Risk Banks Face?
• Panama Papers Takeaways
• SWIFT Incident
• Bangladesh Incident
• Guidance From FFIEC, DFS, EU, NACHA, New Fed / OCC / FDIC
• Overlap or Complementary?
• Home / Host Countries

Page 6

Some Issues to Consider

• Corporate Governance / Board – Management Roles
• Risk Assessment
• Outsourcing – Vendor Management
• Latest Security / Penetration Testing
• Cybersecurity Program – Properly Tailored?
• 3 Lines of Defense
• Monitoring
• Audit
• Proper Staffing
• Training – Tailored
• Post Event Plan, Actual Response and Management
• Examination Reports
• Phishing of Your Employees
• What is OOBA? Multi-Factor Authentication?

Page 7

ERM and Cybersecurity – Issues to Consider

• Does Your Risk Assessment Address Risk / Risk Profile? Independently Developed? Best Practices? Measurable?
• Quality of Reports to Board / Management
• Multi-Disciplinary Team
• FFIEC Assessment Tool – Baseline, Evolving, Intermediate, Advanced and Innovative
• Risk Governance / Board Level: Engaged, Formalized, Ongoing Communication and Training
• Risk Management – Tailored to Risk Profile
– People: Executive Team Awareness, Threat Recognition, Training, Accountability, Multi-disciplinary Team and Contingency Plans
– Process: Fully Integrated within ERM Framework, Measurement / Monitoring and Continuous Improvement / Changing Requirements
– Technology: Centralized, Monitoring, Threat Alerts and IT Investments
– Vendor Management

Page 8

Litigation

• A Hypothetical Litigation Scenario
• When Your Bank has been Sued? Not Us!
• “Commercially Reasonable”
• Basis
• An Ounce of Prevention

Page 9

• Cybersecurity: Regulatory Developments and Industry Practices

Panelist – Melissa Hall, Of Counsel, Morgan, Lewis and Bockius, LLP

Page 10

© 2016 Morgan, Lewis & Bockius LLP

CYBERSECURITY: REGULATORY DEVELOPMENTS AND INDUSTRY PRACTICES

Melissa R. H. Hall
IIB Seminar on Risk Management and Regulatory Examination/Compliance Issues
October 25, 2016

Page 11

CYBERSECURITY AND PAYMENT SYSTEMS

Page 12

Increased Cybersecurity Incidents Cause Increased Regulatory Concerns

• In response to the SWIFT attacks, FFIEC released its Joint Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks
– Encourages financial institutions to review their risk management practices and controls, including authentication, authorization, fraud detection, and response management systems
– Directs financial institutions to rely on the guidance in the FFIEC IT Examination Handbook and any guidance from payment system providers
• OCC has identified cybersecurity as the primary operational risk for banks.
– OCC’s Semiannual Risk Perspective outlines the various areas of risk and concern.
• FFIEC’s Cybersecurity Assessment Tool
– Still voluntary!

Page 13

Malware and Compromised Credentials

• SWIFT attacks were not an attack on the SWIFT network itself
• A combination of malware and compromised access credentials allowed the thieves to access the system
• Social engineering, phishing, etc. are a real and ongoing concern
– Hard to eliminate human error
• FFIEC identified malware and compromised credentials as meriting particular focus by financial institutions’ cybersecurity risk assessments
– Issued joint statements in 2015

Page 14

FRB’s Secure Payments Task Force

• Part of the FRB’s overall faster payments initiative
• Has noted that there is no universally accepted way to verify identity of payment systems participants
• Secure Payments Task Force is considering possible solutions, including identity management practices, sharing of fraud and cyber-threat information, and ways to analyze data
• Report is expected sometime in 2017

Page 15

Don’t Forget About Other Participants in Payment Systems

• Credit card networks and NACHA also lead cybersecurity efforts
• Payment Card Industry Data Security Standard (PCI DSS)
• EMV chip credit card
• NACHA’s ACH Risk Management Strategy

Page 16

INTERAGENCY ENHANCED CYBER RISK MANAGEMENT STANDARDS

Page 17

Interagency Enhanced Cyber Risk Management Standards ANPR

• Hot off the presses!
• Released October 19, 2016 by the FDIC, OCC and FRB
• Would establish enhanced cyber risk management standards for the largest and most interconnected entities, as well as for services that these entities receive from third parties.
• Would apply to depository institutions and depository institution holding companies with total consolidated assets of $50 billion; U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more; financial market infrastructure companies; and nonbank financial companies supervised by the FRB.
• ANPR presents 39 questions on which the agencies are seeking comment.

Page 18

Interagency Enhanced Cyber Risk Management Standards ANPR

• More stringent standards on systems that are critical to the functioning of the financial sectors (“sector-critical systems”)
– Seeking comment on what systems should be “sector-critical systems”
– Proposed 2 hour recovery time objective (RTO) for sector-critical systems
• Divides enhanced cyber risk standards into 5 categories:
– Cyber risk governance
– Cyber risk management
– Internal dependency management
– External dependency management
– Incident response, cyber resilience and situational awareness

Page 19

Some Proposed Requirements

• Cyber risk governance would implement standards similar to governance standards for large, complex financial institutions – e.g., board-level oversight and written governance plans, accountability of senior management, oversight independent from business lines, etc.
• Cyber risk management would be an independent function reporting to the chief risk officer or board of directors, and internal audits would need to assess cyber risk management
• Internal dependency management would include an inventory of all business assets on an enterprise-wide basis, prioritized according to the assets’ criticality to the business functions they support, the firm’s mission, and the financial sector

Page 20

5 Categories of Cyber Risk Management

• External dependency management would include having the ability to monitor in real time all external dependencies and trusted connections that support an entity’s cyber risk management strategy
• Covered entities would need to develop effective incident response and cyber resilience governance, strategies and capacities that enable them to anticipate, withstand, and rapidly recover from disruptions caused by cyber events, including establishing enterprise-wide cyber resilience and incident response programs
• Cyber resilience would require secure, offline storage of critical records, as well as establishing plans to transfer functions to another entity or service provider if the entity or service provider subject to a cyber incident is unable to perform
• Situational awareness would require ongoing threat monitoring and threat intelligence gathering

Page 21

Some Takeaways

• Cybersecurity isn’t going away as a business or regulatory issue
• Banking regulators and other participants in the payment system are active in oversight and management of cybersecurity issues
• Pay attention to the regulatory guidance out there
– FFIEC, FDIC, OCC, Federal Reserve, credit card network rules, NACHA rules
• Ensure you have a cybersecurity risk assessment plan that is appropriately scaled to your level of risk and is dynamic enough to adapt to changes in cybersecurity threats
• Don’t forget about cyber resiliency
• Consider submitting comments to the ANPR
– Agencies are considering whether to issue regulations, guidance, or something else

Page 22

Melissa R. H. Hall
Washington, [email protected]

Melissa R. H. Hall represents US and overseas banks, nonbank financial services companies, investors in financial services, and technology companies in regulatory and corporate matters. She advises them on a wide range of state and federal financial regulatory laws and regulations. She provides counsel on financial regulatory compliance and enforcement, including state and federal licensing requirements, consumer financial products and compliance, payment systems, corporate and transactional matters, financial institution investment and acquisition, and the development of new financial services products.

Page 23

Our Global Reach: Africa, Asia Pacific, Europe, Latin America, Middle East, North America

Our Locations: Almaty, Astana, Beijing, Boston, Brussels, Chicago, Dallas, Dubai, Frankfurt, Hartford, Houston, London, Los Angeles, Miami, Moscow, New York, Orange County, Paris, Philadelphia, Pittsburgh, Princeton, San Francisco, Santa Monica, Shanghai, Silicon Valley, Singapore, Tokyo, Washington, DC, Wilmington

Page 24

This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Links provided from outside sources are subject to expiration or change. Attorney Advertising.

© 2016 Morgan, Lewis & Bockius LLP

THANK YOU

Page 25

• DFS’s Cybersecurity Proposal
• Cybersecurity Incident Response Plans

Panelist – James Talbot, Counsel, Skadden, Arps, Slate, Meagher and Flom, LLP

Page 26

Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates
Beijing / Boston / Brussels / Chicago / Frankfurt / Hong Kong / Houston / London / Los Angeles / Moscow / Munich / New York / Palo Alto / Paris / São Paulo / Seoul / Shanghai / Singapore / Tokyo / Toronto / Washington, D.C. / Wilmington

October 25, 2016

DFS’s Cybersecurity Proposal

Presented by: Jamie Talbot

Page 27

Overview of DFS Proposal

• Stated goal: Set “minimum standards” while preserving flexibility
• Requirement: Create a Cybersecurity Program
− Risk assessment
− Defensive infrastructure
− Detect, respond to and recover from incidents
− Meet other regulatory reporting requirements

Page 28

Covered Entities and Nonpublic Information

• Covered Entities
− Individuals or entities operating under a license or similar authorization under NY banking, insurance or financial services laws
» Some exceptions for smaller entities
• Nonpublic Information
− Information about individuals received or generated in course of financial services relationship (GLBA)
− Information about an individual’s health received or generated in the course of a health care relationship (HIPAA)
− Information that can be used to distinguish or trace an individual’s identity (linked or linkable to the individual)
− Information that, if disclosed or tampered with, could have a material adverse impact on operations, business or security

Page 29

Cybersecurity Policy

• Written Cybersecurity Policy
− Information security
− Business continuity
− Data governance
− Access controls
− System and application development security
− Vendor management
− Incident response plan

Page 30

Staffing, Reporting and Technical Requirements

• Chief Information Security Officer
− Security personnel (with training)
• Reporting
− By CISO to Board (bi-annual)
− By Board or senior officers to DFS (annual certification of compliance)
• Specific technical requirements
− Multifactor authentication for access to internal systems
− Monitor web access patterns
− Encryption – in transit and at rest

Page 31

Additional DFS Requirements

• Security testing
− Penetration testing (annually)
− Vulnerability assessment (quarterly)
• Risk Assessment (annually)
• Limit and monitor access to information
• Audit trail
− Access and Reconstruction
• Limit data retention

Page 32

Breach Notification

• Notice to DFS superintendent of any cybersecurity event that:
− has a reasonable likelihood of materially affecting normal operations OR
− affects nonpublic information
• If any other regulator was notified, notify DFS
• 72 hour deadline
• Unsuccessful attacks can be cybersecurity events

Page 33

Problems with Breach Notification

• Can an unsuccessful attack ever give rise to a “reasonable likelihood of materially affecting the normal operation” of the business?
• Does an unsuccessful attack that would have affected nonpublic information have to be reported?
− Even if no material impact?
• What if the company isn’t sure of the effect within the 72 hour deadline?
• Not just personally identifiable information
• No exception for law enforcement requests
• End result: far more reporting
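As an added example (not part of the deck and not DFS text), the triage helper below encodes the notification triggers and the 72 hour clock from the two breach-notification slides above, and shows how the open questions they raise (unsuccessful attacks, effect not yet known within the deadline) play out on constructed sample events. The class and field names, starting the clock at detection time, and the choice to escalate rather than close an event whose impact is undetermined are assumptions of this example.

```python
"""Breach-notification triage for the DFS proposal as summarized above.

Added example, not from the deck. Field names, the detection-time clock
start and the ESCALATE policy for undetermined impact are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # the slides' 72 hour deadline


@dataclass
class CyberEvent:
    event_id: str
    detected_at: datetime            # clock start (assumption)
    attack_succeeded: bool           # recorded, but never gates notice
    likely_material_ops_impact: Optional[bool] = None  # None = not yet determined
    affects_nonpublic_info: Optional[bool] = None      # None = not yet determined
    other_regulator_notified: bool = False


@dataclass
class Triage:
    event_id: str
    decision: str                    # "NOTIFY", "ESCALATE" or "NO_NOTICE"
    deadline: datetime
    hours_remaining: float
    reasons: List[str] = field(default_factory=list)


def triage_event(ev: CyberEvent, now: datetime) -> Triage:
    """Apply the slide's triggers; any single trigger is sufficient."""
    reasons: List[str] = []
    if ev.likely_material_ops_impact:
        reasons.append("reasonable likelihood of materially affecting normal operations")
    if ev.affects_nonpublic_info:
        reasons.append("affects nonpublic information")
    if ev.other_regulator_notified:
        reasons.append("another regulator was notified, so DFS must be notified too")

    deadline = ev.detected_at + NOTIFICATION_WINDOW
    hours_left = (deadline - now) / timedelta(hours=1)

    if reasons:
        decision = "NOTIFY"
    elif ev.likely_material_ops_impact is None or ev.affects_nonpublic_info is None:
        # The deck's open question: the effect is unknown while the clock runs.
        # Policy assumption: escalate rather than close the event.
        decision = "ESCALATE"
        reasons.append("impact undetermined while the 72 hour clock is running")
    else:
        decision = "NO_NOTICE"
        reasons.append("no trigger met; document the determination")

    # The slides say unsuccessful attacks can still be cybersecurity events,
    # so a failed attempt that met a trigger is not filtered out above.
    if decision == "NOTIFY" and not ev.attack_succeeded:
        reasons.append("unsuccessful attack still treated as a cybersecurity event")
    if decision != "NO_NOTICE" and hours_left < 0:
        reasons.append("72 hour deadline already passed")
    return Triage(ev.event_id, decision, deadline, hours_left, reasons)


def demo(now: Optional[datetime] = None) -> Dict[str, Triage]:
    """Run the triage over constructed sample events (not real incidents)."""
    now = now or datetime(2016, 10, 25, 9, 0, tzinfo=timezone.utc)

    def hours_ago(n: int) -> datetime:
        return now - timedelta(hours=n)

    events = [
        CyberEvent("EV-1", hours_ago(12), True,
                   likely_material_ops_impact=False, affects_nonpublic_info=True),
        CyberEvent("EV-2", hours_ago(30), False),  # failed attempt, impact not yet assessed
        CyberEvent("EV-3", hours_ago(2), False,
                   likely_material_ops_impact=False, affects_nonpublic_info=False,
                   other_regulator_notified=True),
        CyberEvent("EV-4", hours_ago(5), True,
                   likely_material_ops_impact=False, affects_nonpublic_info=False),
        CyberEvent("EV-5", hours_ago(80), True,   # found late: clock already expired
                   likely_material_ops_impact=False, affects_nonpublic_info=True),
    ]
    return {ev.event_id: triage_event(ev, now) for ev in events}


if __name__ == "__main__":
    for r in demo().values():
        print(f"{r.event_id}: {r.decision:9} {r.hours_remaining:6.1f}h left  "
              f"{'; '.join(r.reasons)}")
```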

Page 34

Haven’t We Seen this Movie?

• Echoes of existing laws, regulatory guidance and industry best practice
− GLBA, HIPAA, NIST, FTC, FFIEC guidance, PCI requirements, etc.
• Few conflicts with existing laws

Page 35

Differences from Existing Requirements

• Obligations, not guidance
• Expanded scope
− Non-HIPAA entities must now meet HIPAA-like standards
− Nonpublic information broadened – not just PII
» “Linked or linkable”
• Additional internal reporting
• Certification
• Specific staffing requirements
• Broader notification requirements

Page 36

Industry Concerns

• Additional costs and compliance burdens
− Compliance certification
− Reporting
• One-size-fits-all
• Many already doing much of this
• Company is both victim of attack and liability target
− Tension for reporting
• More to come?

Page 37

Key Dates

• November 12, 2016
− Comment period closes
• January 1, 2017
− Regulation takes effect
• June 30, 2017
− Compliance grace period expires
• January 15, 2018
− 1st annual compliance certification

Page 38

October 25, 2016

Cybersecurity Incident Response Plans

Presented by: Jamie Talbot

Page 39

“As soon as a cyberattack hits, everyone’s IQ drops 50 points.”

Page 40

Incident Response Plans: No Longer Just a Good Idea

• DFS requirement (proposed)
• Response clock is accelerating
− Privacy advocates and activists
− Insurance plans
− Delay may increase liability

Page 41

72 Hours is Not Much Time

• Detect activity
• Identify activity as an incident
• Determine how to stop the incident
• Determine impact
− What was accessed
− What was copied
− Source
• Review legal requirements
− Who needs to be notified?
• Prepare and submit formal notification

Page 42

Don’t Delay!

• When a cyberattack hits, companies cannot waste time figuring out:
− What to do
− Who should be involved
− Who should make decisions
− What external parties (regulators, customers, etc.) should be contacted
− What is the state of the law
• Scrambling to figure out the team and an action plan once an incident occurs is inefficient and dramatically increases the risk of a misstep

Page 43

Establishing a Rapid Response Team

• Identify team members and “project lead”
− IT, legal, security, PR/communications, HR, risk management, corporate management, government relations
− Outside counsel
• Create a playbook of how incidents will be handled
− Determine how incidents will be identified
− Prioritize and classify the incident
− Establish protocols to determine who should be notified
− Establish protocols to mitigate and remediate
− Establish protocols for how incidents will be documented
− Include logistical information
» Backup contacts
» Communication channels

Page 44

DFS Required Contents of Plan

• Per the DFS Proposal, plan MUST address the following:
− Internal processes for responding to an incident (including unsuccessful attacks)
− Goals of the plan
− Definition of clear roles, responsibilities and levels of decision-making authority
− External and internal communications and information sharing
− Remediation of any identified weaknesses in IT systems and controls
− Documentation and reporting regarding incidents and related incident response activities
− Evaluation and revision of the plan following an incident

Page 45

• Third Party Cybersecurity Regulatory Developments

Panelist – Mike Hartigan, New York Chief Information Security Officer, Credit Agricole – Corporate and Investment Bank

Page 46

Third Party Cyber Security Regulatory Developments

Mike Hartigan
October 25th, 2016

ANNUAL SEMINAR ON RISK MANAGEMENT AND REGULATORY EXAMINATION/COMPLIANCE ISSUES

Page 47

Cyber Security: Regulatory Developments and Industry Practices

Third Party Cyber Security Assessment Agenda

Page 48

Cyber Security Assessment within the Third Party Program

Page 49

Step 1 - Third Party Program Scoping & Risk Classification

Page 50

Step 2 - Conducting the TSP Cyber Security Assessment

Page 51

Step 3 - Residual Risk Management

Page 52

Third Party Service Provider Risk Assessment Considerations

Page 53

Third Party Service Provider FFIEC & DFS Regulatory Developments

Page 54

Regulatory Cyber Security Landscape

Page 55

Questions

Page 56

Appendix - DFS Cyber Security Requirement

Page 57

Conclusion

Thank You!

Questions?