Cyber Risk: The New Business Risk (source: resources.gabankers.com/convention/2016/hinkel presentation.pdf)


Safe Systems The Compliance & Technology Partner for Financial Institutions

Cyber Risk: the New Business Risk Current and Future Regulatory Expectations

Presented By:

Thomas G. Hinkel CISA, CRISC, CCSA, CRMA, CBCP

VP – Compliance Services Safe Systems, Inc.

tom.hinkel@safesystems.com


Agenda

• Size, Scope, and Spending

• Regulatory History & Recent Regulations (Inc. CAT)

• Current Threat Environment

• Best Cyber Controls

• Next Steps


FDIC Cybersecurity Awareness Webinar


FFIEC

“… cyber threats [are] perhaps the foremost risk facing banks today … [and] represents one of the major, if not the major, risk facing banks today.”

(Thomas J. Curry, Remarks at New England Council, Jul. 24, 2015)


FFIEC

“A bank should evaluate and manage cyber risk as it does any other business risk. It is not simply the obligation of those employees in the server room, but rather an enterprise-wide initiative involving all employees.”

- FFIEC


FI Cybersecurity Spending

Wells Fargo currently spends $250M.

Citigroup annual budget - $300M.

J.P. Morgan Chase to double spending in 2016 to $500M.

BoA will spend $400M this year (2015), but could be more. “…the only place in the company that doesn’t have a budget constraint is cybersecurity.” – CEO Brian Moynihan


How Ready Are Banks For The Rapidly Rising Threat Of Cyberattack? (Standard & Poor's Ratings Services)

• “Despite the many positives that technology brings to the global banking industry, it also comes with a host of challenges. At or near the top of the list, in Standard & Poor's Ratings Services' opinion, is cybersecurity.”

• “…we view weak cybersecurity as an emerging risk that has a potential to result in a negative rating actions. If we were to believe that a bank is ill-prepared to withstand a cyberattack, we could downgrade the bank before an actual attack.”


Cyber Insurance

Check for the following coverage:

• IT equipment and facilities: Damage to the information assets and technology throughout the institution.

• Media reconstruction

• Extra expense: The extra costs of continuing operations

• E-banking activities

• Business interruption

• Valuable papers and records: Cost to restore or replace papers and records

• Errors and omissions

Understand Exclusions and Limitations


Regulatory History

• February 2013 – President signs Executive Order “Improving Critical Infrastructure Cybersecurity,” and Presidential Policy Directive “Critical Infrastructure Security and Resilience.”

• May 7, 2014 – FDIC presents webinar to ~6,500 FI CEOs and senior managers: “Executive Leadership of Cybersecurity: What Today's CEOs Need to Know About the Threats They Don't See.”

• February 6, 2015 – FFIEC releases Appendix J to the BCP Handbook, addressing Cyber Resilience.

• June 30, 2015 – FFIEC releases the Cybersecurity Assessment Tool.

• November 10, 2015 – FFIEC updates the Management Handbook.

• February 1, 2016 – FDIC Supervisory Insights publishes “A Framework for Cybersecurity.”


Current Threat Environment

Malware – Malicious software generally used to gain access to or to damage a computer or system.

• Often delivered via email (phishing, spear phishing)

• Examples include Ransomware

• Cannot be prevented

Distributed Denial of Service (DDoS) – Attack attempts to make a machine or network connected to the Internet unavailable to its intended users.

• DDoS attacks to distract a target organization while perpetrating another form of attack.

• Simultaneous attacks on the Bank and their core processor.

Compound Attacks – More than one method of attack is deployed simultaneously.


FFIEC Cybersecurity Assessment Tool

Inherent Risk Profile

Technologies and Connection Types

Delivery Channels

Online/Mobile Products and Technology Services

Organizational Characteristics

External Threats


FFIEC Cybersecurity Assessment Tool

Cybersecurity Maturity

Cyber Risk Management and Oversight

Threat Intelligence and Collaboration

Cybersecurity Controls

External Dependency Management

Cyber Incident Management and Resilience


Cybersecurity Management & Oversight

“The Assessment results should be communicated to the chief executive officer (CEO) and Board.” - FFIEC


Cybersecurity Cycle


Cyber Controls

• Threat Intelligence

• Security Awareness Training

  – Employees – entry level to Board. Make it role specific.

  – Contractors

  – Customers

  – Merchants

  – Third-parties

• Patch Management Programs


Summary - Final Thoughts -

• Employees are a weak link. Train, test, retrain, retest, repeat.

• Customers are a weak link. Awareness training, outreach.

• Outsourced relationships are a weak link. Due diligence, contracts, & ongoing oversight (SOC reports) are key.

• Focus on detective and corrective/responsive controls.


Summary - Final Thoughts -

• Challenge is converting noise into actionable intelligence.

• Don’t overemphasize preventive controls; focus on detective and responsive / corrective.

• Update and test your incident response plan. Don’t forget third-parties.

• Information sharing is important, but most is just noise.

• “Self-assessments” are increasingly important.


Final Thoughts

Cyber risk is a substantial business risk. A bank’s board and senior management must understand the seriousness of the threat environment and create a cybersecurity culture throughout the organization. - FDIC


Final Thoughts

The effective identification and mitigation of cyber risk must be grounded in a strong governance structure with the full support of the board and senior management. - FDIC


Keeping Informed - Additional Resources -

• www.safesystems.com/cybersecurity/

• www.complianceguru.com

• www.safesystems.com/ECAT/

• FFIEC Cybersecurity Awareness http://ffiec.gov/cybersecurity.htm

• FDIC Cyber Challenge: A Community Bank Cyber Exercise https://www.fdic.gov/regulations/resources/director/technical/cyber/purpose.html


Thomas G. Hinkel CISA, CRISC, CCSA, CRMA, CBCP

VP – Compliance Services Safe Systems, Inc.

tom.hinkel@safesystems.com

www.safesystems.com www.complianceguru.com
