cybersecurity and compliance presented by bae 4-17-14

Post on 06-May-2015


©2013 Aite Group LLC.

Cybersecurity and Compliance

How to Keep Pace with Cyber Threats

Presented by Julie Conroy, Aite Group

Dena Hamilton, BAE Systems AI

ACFCS Webinar April 17, 2014

Julie Conroy, Research Director, Aite Group, Lansing, MI

Dena Hamilton, Executive Manager, Business Solutions Group, BAE Systems Applied Intelligence, Boston, MA

Certification, Training, Networking, News, Guidance

The Mark of Financial Crime Knowledge and Skill

Agenda

• Threat environment
• Compliance implications
– FFIEC Online Fraud guidance
– FFIEC guidance for DDoS
• Impact

Hacking

Malware

DDoS

Phishing

Social engineering

The malware “zoo” continues its robust growth curve

Number of Unique New Online Malware Strains Released Per Year (Millions)
2011: 24.7 | 2012: 35.6 | e2013: 58.4 | e2014: 81.8 | e2015: 106.3 | e2016: 138.2 | e2017: 165.8

Source: McAfee Labs, Aite Group

Trojans represent the bulk of the new strains

Type of Malware Deployed, Q1 2013
Trojans: 74.5% | Viruses: 12.7% | Worms: 11.8% | Other: 1.0%

Source: Panda Security

Many capitalize on the unique properties of mobile

The criminals’ efforts are paying off

Global Corporate Account Takeover Losses, 2011 to e2016 (in US$ millions)
2011: $409.4 | e2012: $454.8 | e2013: $523 | e2014: $627 | e2015: $721.8 | e2016: $794

Source: Aite Group, 2013

Congress is jumping on the bandwagon

Bill | Date introduced | Senate sponsors
Data Security and Breach Notification Act of 2013 | June 20, 2013 | Toomey (R-Pa.), King (I-Maine), Thune (R-S.D.)
Personal Data Privacy and Security Act | Jan. 8, 2014 | Leahy (D-Vt.), Franken (D-Minn.), Schumer (D-N.Y.), Blumenthal (D-Conn.)
Data Security Act of 2014 | Jan. 15, 2014 | Carper (D-Del.), Blunt (R-Mo.)
Data Security and Breach Notification Act of 2014 | Jan. 30, 2014 | Rockefeller (D-W.V.), Feinstein (D-Ca.), Pryor (D-Ark.)

Source: Aite Group, 2014

Agenda

• Threat environment
• Compliance implications
– FFIEC Online Fraud guidance
– FFIEC statements regarding DDoS and ATM cashouts
• Impact

June 2011 FFIEC guidance

• Supplemental guidance released June 28, 2011 emphasizes:
– Need for layered security
– Periodic risk assessments and adjustments
– In wholesale banking, requirement for layered security for both login and electronic transaction initiation
• Highlights value of behavior analytics in preventing fraud
• Requirement of enhanced controls for users with admin rights
– Simple device authentication and challenge questions are not sufficient.
• Regulators began assessing FIs using the new guidance in January 2012
– While not explicitly mentioned within the guidance, consider mobile “within scope”

April 2014 FFIEC statement: ATM cash-out

• Conduct ongoing information security risk assessments;
• Perform security monitoring, prevention and risk mitigation;
• Protect against unauthorized access;
• Implement and test controls around critical systems regularly;
• Conduct information security awareness and training programs;
• Test incident response plans;
• Participate in industry information sharing forums.

April 2014 FFIEC statement: DDoS

• Maintain an ongoing program to assess information security risk that identifies, prioritizes and assesses the risk to critical systems, including threats to external websites and online accounts;
• Monitor Internet traffic to the FI’s websites to detect attacks;
• Activate incident response plans and notify service providers as appropriate if the institution suspects that a DDoS attack is occurring;
• Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers that can assist in managing the Internet-based traffic flow;
• Share information about the attack with FS-ISAC and law enforcement;
• Evaluate any gaps in the response following attacks and in ongoing risk assessments.

Agenda

• Threat environment
• Compliance implications
– FFIEC Online Fraud guidance
– FFIEC statements regarding DDoS and ATM cashouts
• Impact

Cybersecurity and compliance: Impact

• Periodic risk assessments
• DDoS and cashouts
• BSA
• Increased internal and external collaboration

Assume the bad guys will get in

Construct your defenses and compliance programs accordingly

Aite Group: Partner, Advisor, Catalyst

Aite Group (pronounced eye-tay) is an independent research and advisory firm focused on business, technology and regulatory issues and their impact on the financial services industry.

Julie Conroy Research Director jconroy@aitegroup.com +1.617.398.5045

Copyright © 2014 BAE Systems. All Rights Reserved. BAE Systems is a trade mark of BAE Systems plc

CYBER SECURITY AND AML: HOW YOU CAN STAY AHEAD OF THEIR GAME

DENA HAMILTON, EXECUTIVE MANAGER, TECHNICAL SALES


THEY ARE GETTING BETTER, FASTER AND BROADER

$45M global cyber theft bank heist*: 8 charged

• $2.8 million from New York banks in two separate attacks
• Pulled off in a matter of hours
• The ring used prepaid MasterCard debit cards
• The thieves hacked into the banks' systems to drastically increase the amount available on the cards, and then used the information about the cards to withdraw money at banks around the world


KNOW WHO YOUR CUSTOMERS ARE

• DUE DILIGENCE

• INFORMATION AT ACCOUNT OPENING

• APPLY APPROPRIATE RISK SCORE

• CREATE RIGOROUS PROCESS


KNOW HOW YOUR PRODUCTS CAN BE PROLIFERATED

• Risk assess all products

• Understand fully how those products can be manipulated (e.g. e-Cash)

• Careful with mobile transactions – they may not be subject to jurisdictional restrictions

Remember … transactions involving funds gained by illicit means are considered money laundering


REPORT CYBERCRIME INCIDENTS

Globally, the Financial Action Task Force (FATF) has not yet addressed money laundering and terrorist financing resulting from cyber crimes.


WHAT CAN YOU DO TO PROTECT YOUR CUSTOMER

• Automatically trigger real-time monitoring for unusual transactions

• Block payments that have not passed due diligence

• Create a process for proactive customer notification
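The cash-out pattern on the earlier heist slide (the thieves raise the amount available on a card, then drain it through coordinated withdrawals at ATMs around the world within hours) and the “automatically trigger real-time monitoring for unusual transactions” item above both come down to the same detection question: what does that pattern look like in authorization data, and how do you flag it before the window closes? The example below is added here to show one answer; it is not BAE Systems’ or Aite Group’s software and nothing in it comes from the deck. The record schema, the tokenised card identifiers (tok_T1, tok_T2), the issued-limit table and the sample authorizations are all constructed assumptions. It flags a card on three independent signals: withdrawal velocity, geographic dispersion inside a short window, and a daily total that exceeds the limit the card was issued with (the tell that a limit was altered upstream).

```python
"""Flag the ATM cash-out pattern in a stream of authorization records.

Constructed example for this page: the schema, the card tokens and the
sample data are assumptions, not data from the deck or any real incident.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AtmAuth:
    """One approved ATM withdrawal (hypothetical record layout)."""
    ts: datetime
    card: str       # tokenised PAN; "tok_..." format is an assumption
    country: str    # ISO 3166-1 alpha-2 country of the ATM
    amount: float   # withdrawn amount in USD


# Constructed sample authorizations (not real data).
# tok_T1: six withdrawals on six continents within 40 minutes, far above
#         the limit the card was issued with -- the cash-out pattern.
# tok_T2: an ordinary customer, two domestic withdrawals in one day.
SAMPLE_AUTHS: List[AtmAuth] = [
    AtmAuth(datetime(2013, 2, 19, 3, 0), "tok_T1", "US", 2000.0),
    AtmAuth(datetime(2013, 2, 19, 3, 5), "tok_T1", "JP", 2000.0),
    AtmAuth(datetime(2013, 2, 19, 3, 12), "tok_T1", "RU", 2000.0),
    AtmAuth(datetime(2013, 2, 19, 3, 20), "tok_T1", "AE", 2000.0),
    AtmAuth(datetime(2013, 2, 19, 3, 31), "tok_T1", "CA", 2000.0),
    AtmAuth(datetime(2013, 2, 19, 3, 40), "tok_T1", "GB", 2000.0),
    AtmAuth(datetime(2013, 2, 19, 9, 0), "tok_T2", "US", 200.0),
    AtmAuth(datetime(2013, 2, 19, 18, 30), "tok_T2", "US", 100.0),
]

# Daily withdrawal limit recorded at issuance (constructed). A card that
# withdraws more than this in one day means the limit was changed somewhere
# upstream of the authorization host, which is the core of the attack.
ISSUED_DAILY_LIMIT: Dict[str, float] = {"tok_T1": 500.0, "tok_T2": 500.0}


def detect_cashout(auths: Iterable[AtmAuth],
                   issued_limits: Dict[str, float],
                   window: timedelta = timedelta(hours=1),
                   min_withdrawals: int = 5,
                   min_countries: int = 3) -> Dict[str, List[str]]:
    """Return {card: [reasons]} for every card matching the cash-out pattern.

    Velocity and geo-dispersion are measured over a sliding time window so
    that a long-lived legitimate card is not penalised for its history; the
    limit check works per calendar day against the issued limit.
    """
    by_card: Dict[str, List[AtmAuth]] = defaultdict(list)
    for a in auths:
        by_card[a.card].append(a)

    alerts: Dict[str, List[str]] = {}
    for card, recs in by_card.items():
        recs.sort(key=lambda r: r.ts)
        reasons: List[str] = []

        # Sliding window: for each record, drop older records that fall
        # outside `window`, then measure what is left.
        start = 0
        peak_count = 0
        peak_countries: set = set()
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            in_window = recs[start:end + 1]
            peak_count = max(peak_count, len(in_window))
            countries = {r.country for r in in_window}
            if len(countries) > len(peak_countries):
                peak_countries = countries

        if peak_count >= min_withdrawals:
            reasons.append(f"velocity: {peak_count} withdrawals within {window}")
        if len(peak_countries) >= min_countries:
            reasons.append("geo-dispersion: %d countries within %s: %s"
                           % (len(peak_countries), window, sorted(peak_countries)))

        # Daily total versus the limit the card was issued with.
        daily: Dict[object, float] = defaultdict(float)
        for r in recs:
            daily[r.ts.date()] += r.amount
        limit = issued_limits.get(card)
        if limit is not None:
            for day, total in sorted(daily.items()):
                if total > limit:
                    reasons.append("limit breach: %.2f withdrawn on %s vs issued daily limit %.2f"
                                   % (total, day, limit))

        if reasons:
            alerts[card] = reasons
    return alerts


if __name__ == "__main__":
    for card, why in detect_cashout(SAMPLE_AUTHS, ISSUED_DAILY_LIMIT).items():
        print(card)
        for line in why:
            print("  -", line)
```

The limit-breach check is the one worth wiring to an automatic block rather than just an alert: velocity and dispersion need tuning per portfolio (a travelling cardholder can trip a loose geo rule), but a card exceeding its issued daily limit is only possible if a limit was altered, so it matches the “block payments that have not passed due diligence” item directly.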


WE CAN HELP

• XCelent Award, 2013: Breadth of Functionality, Watchlist and Sanctions Solutions
• Global Managed Security Services Award, 2013
• Cyber Security Solution of the Year, 2013
• Fraud and Financial Crime Software Award, 2013
• Certified, GCHQ & CPNI, 2012: Quality-assured cyber incident response
• AML Category leader, 2012: RiskTech Quadrant™, Chartis Research
• Most Innovative Information Security Company, 2012
• “Best-in-class”, AML Technology, 2013: Detection Tools and Enterprise Support
• Best Financial Crime Product or Service, 2013: Reader’s Choice

THANK YOU. © BAE Systems 2014, unpublished, copyright BAE Systems all rights reserved.

Proprietary: no use, disclosure or reproduction without the written permission of BAE Systems plc.
