cybersecurity and compliance presented by bae 4-17-14


TRANSCRIPT

Page 1: Cybersecurity and Compliance presented by BAE 4-17-14

©2013 Aite Group LLC. Page 1

Cybersecurity and Compliance

How to Keep Pace with Cyber Threats

Presented by Julie Conroy, Aite Group

Dena Hamilton, BAE Systems AI

ACFCS Webinar, April 17, 2014

Page 2

Julie Conroy

Research Director, Aite Group, Lansing, MI

Page 3

Dena Hamilton

Executive Manager, Business Solutions Group, BAE Systems Applied Intelligence, Boston, MA

Page 4

Certification, Training, Networking, News, Guidance

Page 5

The Mark of Financial Crime Knowledge and Skill

Page 6

Agenda

• Threat environment
• Compliance implications
  – FFIEC Online Fraud guidance
  – FFIEC guidance for DDoS
• Impact

Page 7

Page 8

Hacking

Malware

DDoS

Phishing

Social engineering

Page 9

The malware “zoo” continues its robust growth curve

Number of Unique New Online Malware Strains Released Per Year (Millions)

Year    Strains (millions)
2011    24.7
2012    35.6
e2013   58.4
e2014   81.8
e2015   106.3
e2016   138.2
e2017   165.8

Source: McAfee Labs, Aite Group

Page 10

Trojans represent the bulk of the new strains

Type of Malware Deployed, Q1 2013

• Trojans: 74.5%
• Viruses: 12.7%
• Worms: 11.8%
• Other: 1.0%

Source: Panda Security

Many capitalize on the unique properties of mobile

Page 11

The criminals’ efforts are paying off

Global Corporate Account Takeover Losses, 2011 to e2016 (in US$ millions)

Year    Losses (US$ millions)
2011    $409.4
e2012   $454.8
e2013   $523
e2014   $627
e2015   $721.8
e2016   $794

Source: Aite Group, 2013

Page 12

Page 13

Congress is jumping on the bandwagon

Bill | Date introduced | Senate sponsors
Data Security and Breach Notification Act of 2013 | June 20, 2013 | Toomey, R-Pa.; King, I-Maine; Thune, R-S.D.
Personal Data Privacy and Security Act | Jan. 8, 2014 | Leahy, D-Vt.; Franken, D-Minn.; Schumer, D-N.Y.; Blumenthal, D-Conn.
Data Security Act of 2014 | Jan. 15, 2014 | Carper, D-Del.; Blunt, R-Mo.
Data Security and Breach Notification Act of 2014 | Jan. 30, 2014 | Rockefeller, D-W.V.; Feinstein, D-Ca.; Pryor, D-Ark.

Source: Aite Group, 2014

Page 14

Agenda

• Threat environment
• Compliance implications
  – FFIEC Online Fraud guidance
  – FFIEC statements regarding DDoS and ATM cashouts
• Impact

Page 15

June 2011 FFIEC guidance

• Supplemental guidance released June 28, 2011 emphasizes:
  – Need for layered security
  – Periodic risk assessments and adjustments
  – In wholesale banking, requirement for layered security for both login and electronic transaction initiation
• Highlights value of behavior analytics in preventing fraud
• Requirement of enhanced controls for users with admin rights
  – Simple device authentication and challenge questions are not sufficient.
• Regulators began assessing FIs using the new guidance in January 2012
  – While not explicitly mentioned within the guidance, consider mobile “within scope”

Page 16

April 2014 FFIEC statement: ATM cash-out

• Conduct ongoing information security risk assessments;
• Perform security monitoring, prevention and risk mitigation;
• Protect against unauthorized access;
• Implement and test controls around critical systems regularly;
• Conduct information security awareness and training programs;
• Test incident response plans;
• Participate in industry information sharing forums.

Page 17

April 2014 FFIEC statement: DDoS

• Maintain an ongoing program to assess information security risk that identifies, prioritizes and assesses the risk to critical systems, including threats to external websites and online accounts;
• Monitor Internet traffic to the FI’s websites to detect attacks;
• Activate incident response plans and notify service providers as appropriate if the institution suspects that a DDoS attack is occurring;
• Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers that can assist in managing the Internet-based traffic flow;
• Share information about the attack with FS-ISAC and law enforcement;
• Evaluate any gaps in the response following attacks and in ongoing risk assessments.

Page 18

Agenda

• Threat environment
• Compliance implications
  – FFIEC Online Fraud guidance
  – FFIEC statements regarding DDoS and ATM cashouts
• Impact

Page 19

Cybersecurity and compliance: Impact

• Periodic risk assessments
• DDoS and cashouts
• BSA
• Increased internal and external collaboration

Page 20

Assume the bad guys will get in

Construct your defenses and compliance programs accordingly

Page 21

Aite Group: Partner, Advisor, Catalyst

Aite Group (pronounced eye-tay) is an independent research and advisory firm focused on business, technology and regulatory issues and their impact on the financial services industry.

Julie Conroy, Research Director, [email protected], +1.617.398.5045

Page 22

Copyright © 2014 BAE Systems. All Rights Reserved. BAE Systems is a trade mark of BAE Systems plc

CYBER SECURITY AND AML: HOW YOU CAN STAY AHEAD OF THEIR GAME

DENA HAMILTON, EXECUTIVE MANAGER, TECHNICAL SALES

Page 23

THEY ARE GETTING BETTER, FASTER AND BROADER

Global Cyber Theft Bank Heist*: $45M, 8 charged

• $2.8 million from New York banks in two separate attacks
• Pulled off in a matter of hours
• The ring used prepaid MasterCard debit cards
• The thieves hacked into the banks' systems to drastically increase the amount available on the cards, and then used the information about the cards to withdraw money at banks around the world

Page 24

KNOW WHO YOUR CUSTOMERS ARE

• DUE DILIGENCE
• INFORMATION AT ACCOUNT OPENING
• APPLY APPROPRIATE RISK SCORE
• CREATE RIGOROUS PROCESS

Page 25

KNOW HOW YOUR PRODUCTS CAN BE PROLIFERATED

• Risk assess all products
• Understand fully how those products can be manipulated (e.g. e-Cash)
• Be careful with mobile transactions – they may not be subject to jurisdictional restrictions

Remember … funds gained by illicit means are considered money laundering

Page 26

REPORT CYBERCRIME INCIDENTS

Globally, the Financial Action Task Force (FATF) has not yet addressed money laundering and terrorist financing resulting from cyber crimes.

Page 27

WHAT CAN YOU DO TO PROTECT YOUR CUSTOMER

• Automatically trigger real-time monitoring for unusual transactions
• Block payments that have not passed due diligence
• Create a process that does proactive customer notification

Page 28

WE CAN HELP

• XCelent Award, 2013: Breadth of Functionality, Watchlist and Sanctions Solutions
• Global Managed Security Services Award, 2013
• Cyber Security Solution of the Year, 2013
• Fraud and Financial Crime Software Award, 2013
• Certified, GCHQ & CPNI, 2012: Quality-assured cyber incident response
• AML Category leader, 2012: RiskTech Quadrant™, Chartis Research
• Most Innovative Information Security Company, 2012
• “Best-in-class”, AML Technology, 2013: Detection Tools and Enterprise Support
• Best Financial Crime Product or Service, 2013: Reader’s Choice

THANK YOU.

© BAE Systems 2014, unpublished, copyright BAE Systems all rights reserved.

Proprietary: no use, disclosure or reproduction without the written permission of BAE Systems plc.