Cyber Security - P&I Events
TRANSCRIPT
Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP
Speakers: Keith Overly, Executive Director, Ohio Deferred Compensation Program
Raj Patel, Partner, Plante & Moran, PLLC
Bill Stewart, Senior Vice President, Booz Allen Hamilton
Chris Jarmush, Area Vice President, Defined Contribution Practice Leader, Arthur J. Gallagher & Co.
Cyber Security
Ohio Deferred Compensation
• Ohio Deferred Compensation is a plan sponsor and recordkeeper
• Current Practices
  – Information Security Policy
  – Independent security audit
• Information Security Policy
  – Physical and electronic security
  – Staff training
  – Data storage and destruction
  – Offsite use of computers
  – Data use by vendors
• Independent Security Audit
  – Compliance review of actual procedures/practices
  – Penetration testing
  – Social engineering testing
• Future Considerations
  – Move to cloud-based computing
  – Federal Risk and Authorization Management Program (FedRAMP)
    – Standardized approach to security for cloud products
    – Third party assessment
  – Cyber insurance
Weak Infrastructure
• Weak design (firewalls, wireless routers)
• Weak user authentication (users, passwords)
• Lack of encryption (VPN, secure portals)
• Out-dated patch management / anti-virus
• Lack of periodic testing

User Ignorance
• Weak user passwords
• Poor judgment
• Phishing attacks
• Not staying current on security trends

97% of Breaches Were Avoidable
"Most victims aren't overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them." – Verizon Data Breach Investigations Report

Technology Advances
• Mobile devices
• Cloud computing / public portals
• Data collaboration
• Social media

Third Party Vendors
• Weak due diligence
• No breach notification
• No annual breach confirmation
House of Security
Different organizations view information security differently. Some of the differences are related to varied risk and threat profiles impacting an organization — based on factors such as industry, location, products/services, etc.

Other differences are related to management's view of security based on its experience with prior security incidents.
World of Security
1. Layer your network - Public, Sensitive, Confidential, Private
2. Perimeter Security - Firewalls, IDS/IPS
3. Wireless Security – SSID, Encryption, Default Password
4. Authentication – Users & Passwords
5. Encryption - Connectivity & Storage
6. Anti-virus
7. Patch Management
8. Remote Access
9. Network Monitoring
10. Annual Testing – External Penetration & Internal Security Assessment
Secure Network Infrastructure
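The first item in the list above, layering the network into Public, Sensitive, Confidential and Private zones, is only as good as the firewall policy that enforces it. The following Python audit is an added example and is not code from the panel or from Plante & Moran; it takes the four zone names from the slide, but the Rule format, the constructed sample rule sets and the two properties it enforces (an allow rule may cross only one layer at a time, and an allow into a more-trusted zone must name a destination port) are assumptions made for this example.

```python
"""Audit a firewall rule set against a layered zone model.

Added example (not code from the panel slides). Zone names follow the
slide; the Rule format, the sample rules and the checks enforced are
assumptions made here.
"""
from dataclasses import dataclass
from typing import List

# Trust ordering from the slide: Public is least trusted, Private most.
ZONES = ["Public", "Sensitive", "Confidential", "Private"]
RANK = {zone: i for i, zone in enumerate(ZONES)}


@dataclass(frozen=True)
class Rule:
    src: str     # zone name, or "any"
    dst: str     # zone name, or "any"
    dport: str   # destination port as a string, or "any"
    action: str  # "allow" or "deny"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return a list of findings; an empty list means the policy passes.

    For every allow rule:
      * no wildcard zones
      * source and destination must be adjacent layers (no skipping)
      * an allow into a more-trusted zone must name a destination port
    For the policy as a whole: it must end with a default deny.
    """
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        if "any" in (r.src, r.dst):
            findings.append(f"rule {n}: allow rule uses a wildcard zone")
            continue
        if r.src not in RANK or r.dst not in RANK:
            findings.append(f"rule {n}: unknown zone {r.src!r} or {r.dst!r}")
            continue
        hop = RANK[r.dst] - RANK[r.src]  # positive = into a more-trusted zone
        if abs(hop) > 1:
            findings.append(
                f"rule {n}: {r.src} -> {r.dst} skips {abs(hop) - 1} layer(s)")
        if hop >= 1 and r.dport == "any":
            findings.append(
                f"rule {n}: {r.src} -> {r.dst} allows any port inbound")
    last = rules[-1] if rules else None
    default_deny = ("any", "any", "any", "deny")
    if last is None or (last.src, last.dst, last.dport, last.action) != default_deny:
        findings.append("policy does not end with a default deny")
    return findings


# Constructed sample policies (not real rule sets).
SAMPLE_RULES = [
    Rule("Public", "Sensitive", "443", "allow"),         # web tier
    Rule("Sensitive", "Confidential", "8443", "allow"),  # app tier
    Rule("Confidential", "Private", "1433", "allow"),    # database tier
    Rule("Public", "Confidential", "any", "allow"),      # skips a layer, any port
    Rule("Private", "Public", "443", "allow"),           # direct egress from Private
    Rule("any", "any", "any", "deny"),
]
HARDENED_RULES = SAMPLE_RULES[:3] + [SAMPLE_RULES[-1]]

if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(policy) or ["ok"])
```

Run against the constructed sample, the audit reports the Public-to-Confidential rule twice (it skips the Sensitive layer and opens every port) and flags the direct Private-to-Public egress, which is the path data leaves by; the hardened set keeps only the one-hop allows and the closing default deny.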
Last Thoughts
• Strong password practices
• Device security
• Accessing from public places
• Loss of hardware
• Disposal of devices
• Use of mobile technology
• Incident response plan & team
• 1-800 DATA BREACH

I'm flattered, really I am. But you probably shouldn't use my name as your password.
Financial Services institutions have an expansive and changing attack surface

Diagram labels (attack surface): Corporate Platforms; Employees; Clients; Third Party Vendors; Client's Third Party Vendors; Third Party Vendors' Vendors; Friends; Family; Business Contacts; Cell Phone; Tablet; Laptop; Corporate Fleet; Data Storage (Cloud); Data Storage (Portable); Test or Virtual Environments; Knowledge Management Systems; Social Media; Marketing; Recruiting; Website
Attackers vary in purpose and sophistication

Diagram (axis: Increasing Level of Sophistication):
• Nation States
• Terror Organizations
• Organized Crime
• Hacktivists
• Employees
Adopting an active defense is imperative
• Protect – Prepare for an attack today with the goal of preventing an attack tomorrow
• Detect – Monitor your systems and emerging threats
• Remediate – Know what to do when the inevitable occurs
Multiple controls must be put in place
• Protect
  – Application Security
  – Data Centric Protection
  – Insider Threat Management
  – Identity and Access Management
  – Personnel Screening
  – Physical and Environment Security
• Detect
  – Cyber Analytics
  – Security Intelligence Monitoring
  – Security Monitoring
  – Vulnerability Assessment
  – Third Party Risk Management
  – Threat Management
• Remediate
  – Incident Response
The importance of third party risk management cannot be overstated

Diagram (third party risk lifecycle):
• Stages: Planning; Due Diligence; Engagement Risk Profile; Control Effectiveness Assessment; Business Impact Assessment; Final Selection & Remediation Plans; Contract Negotiation; Ongoing Monitoring (News Feeds, Re-Assessment)
• Risk levels: Inherent Risk; Preliminary Risk (Internal Controls, External Controls, Service Desired); Residual Risk; Residual Risk Post Remediation
Top Trends in Cybersecurity for Financial Services
1. Third Party Risk
2. Cyber Fusion Center (CFC) Implementations
3. Data Element Protection
4. Alternative Payment System Exposure
5. Cyber Crime Analysis
6. Hacktivism spreads to Middle East
7. “Western” Cyber problems coming to developing nations
8. Wargaming
9. Privacy Knowledge
10. Cyber Insurance Usage Growth
Are Defined Contribution Plans at Risk of Cyber-Attacks?
Assessing Cyber-risk across the DC Landscape
Yes – but the DC complex is not (yet) a primary target of cyber fraud
Who are the primary gatekeepers of Participant assets and data?
Fiduciary Responsibilities (diagram): Participants; Plan Sponsor; Record-keeper; Advisor; TPA
• Fiduciary protocols were clearly written with an aim of safeguarding participant assets – what about identity?
• Each entity represents a potential point-of-entry for a cyber-attack
Cybersecurity Examination Initiative 2014 – OCIE [1]
Vulnerability of Financial Services Firms
• 90% of broker-dealers and 75% of registered investment advisors have been the subject of a cyber-related incident
• 54% of broker-dealers and 43% of RIAs received fraudulent e-mails seeking to transfer client funds
• Vast majority of firms conduct periodic risk assessments to identify cybersecurity threats
• Only 30% of broker-dealers and 13% of managers have provisions to determine their responsibility for cyberattacks

[1] National Exam Risk Alert by the Office of Compliance Inspections and Examinations, February 3, 2015
Cyberattack Incidents Reported by Federal Agencies (in 000s)
Source: GAO, US-CERT data

Year   Incidents (000s)
2006    5.5
2007   11.9
2008   16.8
2009   30.0
2010   41.8
2011   42.9
2012   48.6
What steps can Plan Sponsors take to help safeguard participants?
Taking a Proactive Approach
• Internal Controls – Ensure proper security maintenance programs are in place with sufficient resources dedicated to their execution
• SOC 1 (SSAE 16) Certification – Seek service providers who have demonstrated sufficient control procedures (a SOC 1 is an auditor's attestation report on controls relevant to financial reporting rather than a certification; a SOC 2 report is the one that addresses security controls directly)
• Service Standards – Establish written service standards and protocols for what constitutes a "reportable event"
• Information Sharing Networks – Identify industry groups sharing information on cybersecurity best practices