Cyber Security Trends (transcript)
Cyber Security for the future of financial services
Thio Tse Gan
May 2016
© 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd
Global trends & outlook
Cyber-attacks are on the rise
• $400B+ is the annual cost to the global economy from cybercrime [1]
• 27.5% increase in data breaches in various industries from 2013 [5]
• Industry-wise breakup of 2014 data breach incidents across Healthcare, Financial Services, Educational and Government (chart values: 63%, 8%, 11%, 18%) [5]
• 229: average number of days attackers maintained presence after infiltration and before detection [3]
• 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE* was published [2]
• 90% chance that at least one person will fall prey to a phishing campaign with just 10 emails [2]
• 50% of recipients open emails and click on phishing links within the first hour of receiving them [2]
• 15% of incidents still take days to discover [2]
• 55% of incidents involve abuse of privileged access [2]
• Per capita cost of data breach was highest in the US in 2015 [4]: $217 in 2015 vs $201 in 2014, against a global average of $154
[1] Net Losses: Estimating the Global Cost of Cybercrime, Center for Strategic and International Studies; [2] Verizon 2015 Data Breach Investigations Report; [3] Mandiant M-Trends® 2014: Beyond the Breach, published April 10, 2014; [4] Ponemon 2015 Cost of Data Breach Study: Global Analysis; [5] ITRC Breach Statistics 2005-2014; * CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures – http://cve.mitre.org
Rampant cyber attacks observed around the world in 2015 and 2016
• 80 million records exposed in attack launched on Anthem Inc.
• 19.7 million people’s personal details stolen in attack launched on U.S. Office of Personnel Management
• National pension system hacked in Japan and 1.25 million people’s personal data was exposed
• 10.4 million records exposed in 3 attacks launched on TalkTalk Group
• 5 million personal details leaked in data breach in VTech
• $81 million stolen from Central Bank of Bangladesh in a bank heist
• U.S. IRS hacked: 100,000 personal details stolen and used to generate PINs for Social Security numbers in 2 separate attacks
Complex regulatory requirements created to curb rise of cyber crime
• European Union – EU Data Protection Directive 1995, EU Privacy and Electronic Communications Directive (as amended in 2011), Data Retention Directive 2006. Member states implement Directives as their own national laws. Regulation of Investigatory Powers Act 2000
• Russia – Federal Law No. 152-FZ on personal data 2006
• Switzerland – Federal Data Protection Act 1992
• Japan – Personal Information Protection Act 2003
• China – Decision on strengthening Internet information protection, guideline for personal information protection
• South Africa – Electronic Communications Act
• Dubai – Data Protection Act 2007
• Singapore – Personal Data Protection Act 2013
• Philippines – Data Privacy Act 2011
• New Zealand – Privacy Act 1993
• Australia – Australian Federal Privacy Act 1988. Anti-Spam Act 2004
• Argentina – Protection of Personal Data Law 2001
• Costa Rica – Law No. 7975 – Undisclosed Information Law. Law No. 8968 – Protection in the Handling of the Personal Data of Individuals
• Mexico – Federal Law on the Protection of Personal Data Held by Private Parties 2010
• California – California Online Privacy Protection Act 2003, Security Breach Notice (Civil Code 1798, formerly SB 1386) 2003
• US Federal – HIPAA 1996, GLBA 1999, COPPA 1998, CAN-SPAM 2003. Do Not Call Improvement Act 2007, Safe Harbor Principles 2000, FCRA (as amended in 2003), Patriot Act 2001
• Canada – PIPEDA 2004. Privacy Act 1988 and Provincial privacy Laws
Financial Services Technology regulatory landscape
Singapore
• Personal Data and Privacy Act – 2013
• MAS Notice 644 on Technology Risk Management – 2013
• SRD TR 01/2014 – System vulnerability assessments and penetration testing
• SRD TR 02/2014 – IT security risk posed by personal mobile devices
• SRD TR 01/2015 – Early detection of cyber intrusions
• SRD TR 03/2015 – Technology risk and cyber security training for Board
• MAS Notice 634 Banking Secrecy – Conditions for Outsourcing – 2004
• Guidelines on Outsourcing – 2004
• Consultation Paper on Notice on Outsourcing – 2014
• Consultation Paper on Guidelines on Outsourcing – 2014
• Business Continuity Management guidelines – 2013
• SRD TR 01/2011 – Information technology outsourcing
Vietnam
• Circular no. 01/2011/TT-NHNN Safety, secrecy guidelines of the information technology systems in banking operation
• Circular no. 12/2011/TT-NHNN Management and utilization of digital signatures, digital certificates and SBV digital signature verification services
• Circular no. 29/2011/TT-NHNN Security and Secrecy of internet banking services
Thailand
• BOT Notification No. 1953-2548 Guideline for the Preparation of IT Contingency Plan – 2008
• BOT Notification No. SorNorSor. 26/2552 Guidelines for Development of IT Contingency Plan – 2008
• BOT Notification No. SorNorSor.6/2557 Supervisory Guidelines on IT Outsourcing – 2014
• BOT Notification No. SorNorSor. 26/551 Supervisory Guidelines for Security of E-Banking Services – 2008
Malaysia
• BNM Guidelines on Data Management and Management Information Systems – 2011
• Guidelines on Management of IT Environment (GPIS 1) – 2004
Indonesia
• Law of The Republic of Indonesia No. 11 of 2008 Concerning Electronic Information And Transactions
• OJK No. 1/POJK.05/2015 Risk Management in Non-Bank Financial Services
• No. 9/15/PBI/2007 Implementation of Risk Management in the Use of Information Technology by Commercial Banks
Organizations are spending more money and paying more attention than they ever have … but for many the problem seems to be getting worse.
Organizations spent $75.4 billion on information security in 2015, according to Gartner.
Moving into digitization
World Economic Forum report – Glimpsing the future
The Future of Financial Services: How disruptive innovations are reshaping the way financial services are structured, provisioned and consumed
An Industry Project of the Financial Services Community | Prepared in collaboration with Deloitte
Is cyber security a consideration in your plans to innovate?
What’s the deal?
Failures & challenges
• Failure to include security as part of the design principles: Businesses demand features, function and time to market.
• Addressing the incident and failing to detect the campaigns: Perpetrators strategise and take a longer-term view. Don’t miss the forest for the trees.
• Shortage of competent cyber security professionals: Demand is outstripping supply. Willingness to accept non-security IT professionals as ‘replacements’.
• Ineffective threat analytics: Use of technology with limited data sets and arcane rule sets. Limited value owing to the rush to implement and lacking integration.
Cyber Security 3.0
Secure: Are controls in place to guard against known and emerging threats?
Vigilant: Can we detect malicious or unauthorized activity, including the unknown?
Resilient: Can we act and recover quickly to minimize impact?
Building a resilient cyber security organization
This means having the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents.
Cyber governance | Cyber threat mitigation | Cyber threat intelligence | Cyber incident response
Cyber security design: 5 design principles
里应外合 (coordinating from inside and outside) – Combating the issue together
Internal cyber security, external cyber security providers, vendors.
Revamp information sharing
Perpetrators share intelligence to effectively compromise organisations. Why aren’t organisations sharing information about perpetrators? There is a need for situational awareness.
Automation: what and how
The shortage will continue. Tools and automation exist to create accuracy.
Design principles: everything is a potential threat
Build the requirement of security as a core.
Actionable intelligence: threat-centric defense
Correlation and inductive techniques required. Look beyond just security data.
Cyber Security Trends
Disruptive Technology Risks – Recognising that new technologies like wearables, 3D printing and in-memory computing all have security implications and planning for this.
The Integrity Conundrum – Integrity is the forgotten security domain. Maintaining the integrity of data, business process, and people is going to be increasingly critical.
Business Security – Establishing security researchers across the business units that handle sensitive data (seen in big Tech companies to increase agility).
People Are Key – Embedding the psychology of security in the business and finding the right SecOps analysts will be key for on-going management of cyber risk.
Collaborative Security – Recognising that “cyber” can’t be solved alone and developing and promoting a collaborative security environment across the business.
Live-Fire Exercises – Conducting sophisticated APT-style attacks, emulation and cyber range testing against critical systems and people assets.
Defining Normal – Establishing accurate baselines in order to identify anomalous activity and behaviour for investigation.
Real-Time Security Ops – Developing the next generation of SOC and reducing the time taken to detect and respond to an ever increasing threat landscape.
Auto-Corrective Security – Automating security processes and tools using the latest security technology to free up people and time.
No such thing as hacker-proof … if you build it they will come
Deloitte principles: Cyber Security 3.0
Cyber Security 3.0 Model
Secure | Vigilant | Resilient
• Design principles – Design security into core IT infrastructure
• Actionable intelligence – Develop a threat-centric defence
• Intelligence sharing – Create situational awareness
• Automation – Increase accuracy in operational security
• Integration – Eliminate vulnerabilities by working together
Secure: Are controls in place to guard against known and emerging threats?
Vigilant: Can we detect malicious or unauthorized activity, including the unknown?
Resilient: Can we act and recover quickly to minimize impact?
Cyber Governance
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and
their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not
provide services to clients. Please see www.deloitte.com/sg/about for a more detailed description of DTTL and its member firms.
Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With
a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering
the insights they need to address their most complex business challenges. Deloitte’s more than 225,000 professionals are committed to making an impact that
matters. Deloitte serves 4 out of 5 Fortune Global 500® companies.
This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the
“Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect
your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss
whatsoever sustained by any person who relies on this publication.