Cyber Risk: the New Business Risk Current and Future Regulatory - - PowerPoint PPT Presentation



SLIDE 1

Safe Systems The Compliance & Technology Partner for Financial Institutions

Cyber Risk: the New Business Risk

Current and Future Regulatory Expectations

Presented By:

Thomas G. Hinkel

CISA, CCSA, CRISC, CCSA, CBCP
VP – Compliance Services
Safe Systems, Inc.
tom.hinkel@safesystems.com

SLIDE 2

Agenda

  • Size, Scope, and Spending
  • Regulatory History & Recent Regulations (Inc. CAT)

  • Current Threat Environment
  • Best Cyber Controls
  • Next Steps

SLIDE 3

FDIC Cybersecurity Awareness Webinar

SLIDE 4

FFIEC

“… cyber threats [are] perhaps the foremost risk facing banks today … [and] represents one of the major, if not the major, risk facing banks today.”

(Thomas J. Curry, Remarks at New England Council, Jul. 24, 2015)

SLIDE 5

SLIDE 6

FFIEC

“A bank should evaluate and manage cyber risk as it does any other business risk. It is not simply the obligation of those employees in the server room, but rather an enterprise-wide initiative involving all employees.”

– FFIEC

SLIDE 7

FI Cybersecurity Spending

  • Wells Fargo currently spends $250M.
  • Citigroup annual budget – $300M.
  • J.P. Morgan Chase to double spending in 2016 to $500M.
  • BoA will spend $400M this year (2015), but could be more. “…the only place in the company that doesn’t have a budget constraint is cybersecurity.” – CEO Brian Moynihan

SLIDE 8

  • “Despite the many positives that technology brings to the global banking industry, it also comes with a host of challenges. At or near the top of the list, in Standard & Poor's Ratings Services' opinion, is cybersecurity.”
  • “…we view weak cybersecurity as an emerging risk that has a potential to result in negative rating actions. If we were to believe that a bank is ill-prepared to withstand a cyberattack, we could downgrade the bank before an actual attack.”

How Ready Are Banks For The Rapidly Rising Threat Of Cyberattack?

SLIDE 9

Cyber Insurance

Check for the following coverage:

  • IT equipment and facilities: Damage to the information assets and technology throughout the institution.
  • Media reconstruction
  • Extra expense: The extra costs of continuing operations
  • E-banking activities
  • Business interruption
  • Valuable papers and records: Cost to restore or replace papers and records
  • Errors and omissions

Understand Exclusions and Limitations

SLIDE 10

Regulatory History

  • February 2013 – President signs Executive Order “Improving Critical Infrastructure Cybersecurity,” and Presidential Policy Directive “Critical Infrastructure Security and Resilience.”
  • May 7, 2014 – FDIC presents webinar to ~6,500 FI CEO’s and senior managers: “Executive Leadership of Cybersecurity: What Today's CEOs Need to Know About the Threats They Don't See.”
  • February 6, 2015 – FFIEC releases Appendix J to BCP Handbook addressing Cyber Resilience
  • June 30, 2015 – FFIEC releases Cybersecurity Assessment Tool
  • November 10, 2015 – FFIEC updates Management Handbook
  • February 1, 2016 – FDIC Supervisory Insights publishes “A Framework for Cybersecurity”

SLIDE 11

Current Threat Environment

Malware – Malicious software generally used to gain access to or to damage a computer or system.

  • Often delivered via email (phishing, spear phishing)
  • Examples include Ransomware

Distributed Denial of Service (DDoS) – Attack attempts to make a machine or network connected to the Internet unavailable to its intended users.

  • Cannot be prevented

Compound Attacks – More than one method of attack is deployed simultaneously.

  • DDoS attacks to distract a target organization while perpetrating another form of attack.
  • Simultaneous attacks on the Bank and their core processor.

SLIDE 12

FFIEC Cybersecurity Assessment Tool

Inherent Risk Profile

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

SLIDE 13

FFIEC Cybersecurity Assessment Tool

Cybersecurity Maturity

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

SLIDE 14

“The Assessment results should be communicated to the chief executive officer (CEO) and Board.”

– FFIEC

Cybersecurity Management & Oversight

SLIDE 15

Cybersecurity Cycle

SLIDE 16

Cyber Controls

  • Threat Intelligence
  • Security Awareness Training
    • Employees – Entry level to Board. Make it role specific.
    • Contractors
    • Customers
    • Merchants
    • Third-parties
  • Patch Management Programs

SLIDE 17

Summary

  • Final Thoughts -
  • Employees are a weak link. Train, test, retrain, retest, repeat.
  • Customers are a weak link. Awareness training, outreach.
  • Outsourced relationships are a weak link. Due diligence, contracts, & ongoing oversight (SOC reports) are key.
  • Focus on detective and corrective/responsive controls.

SLIDE 18

Summary

  • Final Thoughts -
  • Challenge is converting noise into actionable intelligence.
  • Don’t overemphasize preventive controls, focus on detective and responsive / corrective.
  • Update and test your incident response plan. Don’t forget third-parties.
  • Information sharing is important, but most is just noise.
  • “Self-assessments” are increasingly important.

SLIDE 19

Final Thoughts

Cyber risk is a substantial business risk. A bank’s board and senior management must understand the seriousness of the threat environment and create a cybersecurity culture throughout the organization.

– FDIC

SLIDE 20

Final Thoughts

The effective identification and mitigation of cyber risk must be grounded in a strong governance structure with the full support of the board and senior management.

– FDIC

SLIDE 21

Keeping Informed

  • Additional Resources -
  • www.safesystems.com/cybersecurity/
  • www.complianceguru.com
  • www.safesystems.com/ECAT/
  • FFIEC Cybersecurity Awareness: http://ffiec.gov/cybersecurity.htm
  • FDIC Cyber Challenge: A Community Bank Cyber Exercise: https://www.fdic.gov/regulations/resources/director/technical/cyber/purpose.html

SLIDE 22

Thomas G. Hinkel

CISA, CRISC, CCSA, CRMA, CBCP

VP – Compliance Services
Safe Systems, Inc.
tom.hinkel@safesystems.com
www.safesystems.com
www.complianceguru.com