TRANSCRIPT
Confidential and Proprietary, Any use of this material without the specific permission of RedWolf Cybersecurity Group, LLC is strictly prohibited
Cybersecurity for the Mortgage Industry
www.RedWolfCyber.com
Presenters: Auzzie K. Brown and Jordan Brown
Agenda
Why Cybersecurity best practice is not optional
Regulatory Requirement / Environment
Business Value
Face of the Threat
Cybersecurity Best Practices
Decision to Outsource vs. Insource
Conclusion
Why Cybersecurity Best Practices are not Optional
Gramm Leach Bliley Act
Gramm Leach Bliley Act, Section 501(b) / FTC, PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION:
FINANCIAL INSTITUTIONS SAFEGUARDS: Shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards:
(1) to insure the security and confidentiality of customer records and information
(2) to protect against any anticipated threats or hazards to the security or integrity of such records
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer
Privacy and Security
Gramm Leach Bliley Act, Section 502 of the Subtitle, subject to certain exceptions / CFPB Laws and Regulations: Prohibits a financial institution from disclosing non-public personal information about a consumer to nonaffiliated third parties, unless the institution satisfies various notice and opt-out requirements, and provided that the consumer has not elected to opt out of the disclosure.
Customer Notification Requirements: The policies and practices of the institution on sharing of information with nonaffiliated third parties, including:
◦ the categories of persons with whom information is shared; and
◦ the policies and practices of the institution on disclosing information about persons who are no longer customers;
• the categories of information that are collected by the institution;
• the policies that the institution has to protect confidentiality and security; and
• disclosures required by the Fair Credit Reporting Act.
• Protecting the nonpublic personal information of consumers.
FTC / CFPB Examination Sharing MOU, Dated March 12, 2015
The Regulators and Jurisdiction
Interagency Cooperation on Cybersecurity
Regulatory Agency: Consumer Financial Protection Bureau (CFPB)
  Responsibility: Privacy of Customer Information
  Regulatory Authority: The Dodd-Frank Act, subtitle A of Title V of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6802-6809)
  Required Standards: Yes
  Authority to Levy Penalties and Fines: Yes
  Interagency Collaboration / Cooperation: Yes
Regulatory Agency: Federal Trade Commission (FTC)
  Responsibility: Security of Customer Information
  Regulatory Authority: 15 U.S.C. 6801(b), 6805(b)(2)
  Required Standards: Yes
  Authority to Levy Penalties and Fines: Yes
  Interagency Collaboration / Cooperation: Yes
Business Value of Cybersecurity Program
Survivability of your Business
Conserve Resources
◦ Regulator fines/penalties
◦ Loss of customers
Employee Recruiting Tool
Competitive Marketing Advantage
◦ Consumer Confidence
Brand Reputation
“The average total cost of a data breach increased from $3.52 to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.”
Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2015
Business Value of Cybersecurity Program
“(Sec. 106) Liability protections are provided to entities acting in accordance with this title that: (1) monitor information systems; or (2) share or receive indicators or defensive measures”
TITLE I - CYBERSECURITY INFORMATION SHARING
By Deirdre Walsh and Ted Barrett, CNN, December 16, 2015
“The risks to your organization of noncompliance are: criminal, civil, statutory, regulatory or contractual penalties.”
“The development and execution of organizational security policies and standards will: maximize compliance and minimize the resources your organization has to spend to undergo internal and external compliance audits.”
The Basic Components of an Information Security Program, MBA Residential Technology Forum (RESTECH) Information Security Workgroup, September 2015
“62% of cyber-breach victims are small to mid-size businesses, which are at the greatest risk for an attack. Their level of preparation is low, and the costs of customer notification alone can be enough to do a small company irreparable financial harm.”
By Rosalie L. Donlon, PropertyCasualty360.com, May 27, 2015
Impetus for Cybersecurity Best Practices
“We write today regarding potential new regulations from the New York State Department of Financial Services (NYDFS) aimed at increasing cyber security defenses within the financial sector. It is our hope that this letter will help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions.”
Memorandum to Financial and Banking Information Infrastructure Committee (FBIIC) Members, New York State Department of Financial Services (NYDFS), November 9, 2015
“There is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions.”
Impetus for Cyber Best Practices
FTC vs. Wyndham Resorts
“U.S. Court Affirms FTC Authority to Enforce Data Breach Rules. In a decision that cites a litany of basic security blunders, the United States Third Circuit Court of Appeals unanimously found that the Federal Trade Commission has the authority to sue Wyndham Hotels for DECEPTIVE cyber-security practices that, "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."”
eWeek, By Wayne Rash, Posted August 24, 2015
Does your Company's Consumer Privacy and Security Policy mirror its Information Security Program?
Typical Mortgage Privacy/Security Statement:
To protect your personal identifiable information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards, secured files and buildings. We require all companies with whom we share your information to keep it confidential.
Face of the Threat
External Threat:
• Third Party Vendors, trusted suppliers of technical, computer and security equipment, software and hardware
Advanced Persistent Threats (APT):
• Undetected, continuous computer hacking processes to gain access to a high-value organization’s network.
• Phishing emails or other tricks to fool employees into downloading malware
• Goal is to steal data
Insider and Internal Threats:
• Employee, contractor, supplier, or business partner who has authorized yet uncontrolled access to systems and/or sensitive information
• Acts can be malicious or unintended
Recent Cybersecurity Breaches
“On May 21, 2015, Homestead discovered that a cyber attacker carried out a sophisticated attack on our website and we believe the attacker gained unauthorized access to data belonging to some of Homestead’s customers. The information accessed may have included names, home and work address, Social Security numbers, bank and other account numbers…”
Homestead Funding Corporation, Albany, New York, June 8, 2015
“HSBC has informed New Hampshire's Attorney General of a compromise of some records of current and former mortgage customers of its HSBC Finance unit. In the breach, some personal information about mortgage accounts was "inadvertently made accessible via the Internet," including customers' names, Social Security numbers, account numbers, old account information and possibly some phone numbers, the bank wrote in a letter to state officials”
HSBC Finance Notifies Mortgage Customers of Data Breach, By Penny Crosman, April 16, 2015
“The Securities and Exchange Commission is the latest federal agency turning up the heat on companies whose lax cybersecurity has contributed to breaches of user data. The SEC's action, along with those last month at the Federal Trade Commission and in federal courts, is starting to sketch out a pattern of dwindling tolerance for negligence by companies in protecting their computer systems. Last week, the SEC announced a settlement with St. Louis-based R.T. Jones Capital Equities Management, which lost the personally identifiable information (PII) of approximately 100,000 people.”
By John Fontana, Identity Matters, September 30, 2015
“Superior Mortgage Corp., a lender with 40 branch offices in 10 states and multiple Web sites, has agreed to settle Federal Trade Commission charges that it violated federal law by failing to provide reasonable security for sensitive customer data and falsely claiming that it encrypted data submitted online. The settlement bars future deceptive claims and requires the company to establish data security procedures that will be reviewed by independent third-party auditors for 10 years.”
FTC File No. 052-3136
Recent Cybersecurity Breaches
“Last year, according to the Mount Olympus Mortgage Co. in Irvine, several of its officers secretly downloaded confidential information on hundreds of loan customers and transferred five gigabytes of data to a competitor.
The loan officers then deleted files and emails on their computers and went to work for that rival, Chicago-based lender Guaranteed Rate, which has offices in Irvine, Newport Beach and Santa Ana.
But Mount Olympus, a 38-employee operation also known as MOMco, recovered the information, including more than 1,000 emails between its former mortgage bankers and their soon-to-be new employer, according to a lawsuit it filed last year in Orange County Superior Court.
“It’s nerve-wracking and obscene,” said MOMco President Michael Arnall. “The damage to our business is very, very high.””
Cyber angst: Orange County companies zero in on data breaches, By Margot Roosevelt, Staff Writer, Feb. 27, 2015
Risk Mitigation Strategies
Best Practice Mortgage Information Security Strategies
• Regulatory Compliance to protect Customers' nonpublic information
• Adds Business Value
• Information Security Best Practices Consistent with Federal Financial Institutions Evaluation Council (FFIEC)
Mortgage Employee Cyber Quiz
Human Behavior / Social Engineering
Risk Assessment / Risk Maturity Assessment
Mortgage Policies / Procedures
Threat Intelligence
Cybersecurity Risk Assessment / Maturity Best Practice Process
Risk Assessment
Prioritize Risk & Develop Strategy
Risk Remediation
Cyber Risk Management Maintenance
Areas of Focus:
Cybersecurity Policy Documents
Annual Technology Review
Employee Cybersecurity Awareness Program
Annual Cybersecurity Review
Cybersecurity Strategy
Cybersecurity Strategy Implementation Plan
Cybersecurity Operations/Management
Cyber Incident Management
Cybersecurity Policies and Procedures - Documented Program
“You shall develop, implement, and maintain a comprehensive information security program that is written” FTC PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION; eCFR December 4, 2015
• Establishes foundation to meet regulatory requirement of a written cybersecurity program and commensurate with FFIEC Guidelines
People
Processes
Technology
• Is the organization following the practices outlined in their policies and procedures?
• Are policies and procedures aligned with GLB Act Privacy and Security Requirements?
• Are they current/relevant to cope with the current threat environment?
Mortgage Employee Cybersecurity Training & Awareness Program
“(1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures. (c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.” FTC PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION; eCFR December 4, 2015
Mortgage Industry specific Employee Cybersecurity Quiz
• Addresses:
◦ Employees at all levels (Executive, Managers, Supervisors and employees)
◦ Regulatory Requirements
◦ Security Best Practices
• Establishes baseline common cyber awareness knowledge of employees
• Encourages employee behavior to engage in Cybersecurity Best Practices
• Demonstrates to Auditors / Regulators a culture of Cybersecurity Compliance
• “Automated and documented” record of training to provide to auditors (e.g., similar to anti-money laundering quiz)
• Prepares employees for auditor interviews
*Cyber Risk Profile and Maturity Assessment Framework
Inherent Risk Profile Assessment Areas:
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats
Cybersecurity Maturity Domains Assessment Areas:
• Governance
• Training and Culture
• Threat Intelligence
• Monitoring and Analyzing
• Preventative Controls
• Detective Controls
• Corrective Controls
• Connections
• Incident Resilience Planning and Strategy
• Detection, Response and Mitigation
• Escalation and Reporting
*Consistent with Federal Financial Institutions Evaluation Council (FFIEC) Guidelines, June 2015
Risk Assessment and Maturity Model / Report Sample
Domain Example: Corporate Wi-Fi Network
Inherent Risk Levels (matrix columns): Least, Minimal, Moderate, Most Significant
Cybersecurity Maturity Level (matrix rows): Innovative, Advanced, Intermediate, Evolving, Baseline
X marks the assessed cell of the matrix for the example domain.
Cost of In-house Staffing
Should you Insource Information Security Staff?
*Average Annual salaries of standard Information Security Team:
• Chief Information Security Officer: $140,250 - $222,500
• Data Security Analyst: $113,500 - $160,000
• Systems Security Administrator: $105,500 - $149,500
• Network Security Administrator: $103,250 - $147,000
• Network Security Engineer: $110,250 - $152,750
• Information Systems Security Manager: $129,750 - $182,000
Total: $702,500 - $1,023,750
Average increase: 6-7% annually
*Robert Half Technology 2016 Salary Guide
Conclusion
Protecting customer data is the lifeblood of your organization's future
Employee Security Awareness Training is essential!
Severity and frequency of breaches will increase regulatory oversight
◦ Companies' under-reporting of breaches
◦ Companies unaware they have been breached
Ever-changing threat and compliance environment requires a strategy:
◦ Risk Assessment
◦ Risk Prioritization
◦ Remediation Process
Individual States have additional Cybersecurity Standards organizations must meet
Engage Cybersecurity Professionals to advise Risk Mitigation efforts
Address: 11654 Plaza America Drive, Suite 237, Reston, VA 20190
Phone: 1-877-675-5259 x702
Emails: [email protected]
www.RedWolfCyber.com