Digital Crime and Cybersecurity - FIS (empower1.fisglobal.com/rs/650-KGE-239/images/1503 Digital Crime...)

Post on 20-May-2020


Digital Crime and Cybersecurity

May 2017
Scott D. Ramsey, Managing Director

Agenda


I. Cybersecurity Issues, Trends & Compliance

II. Public Private Partnerships

III. FFIEC & NYDFS 500 Rule

IV. Third Party Risk Management

V. Social Media

VI. Payment Systems & Card Security

VII. Data Protection & Retention

VIII. FinTech

Cybersecurity Issues, Trends & Compliance

Interesting Cybersecurity Statistics

• Growth of New Malware [1]: In Q3 2016 alone, 18 million new malware samples were captured.

• Ransomware on the Rise [2]: More than 4,000 ransomware attacks daily since the beginning of 2016; a 300% increase over 2015.

[Chart: breakdown of new malware by type: keyloggers, backdoors, dialers, adware, viruses, Trojans, worms, spyware, other]

[1] PandaLabs Report, October 20, 2016.

[2] US Government Computer Crime and Intellectual Property Section (CCIPS).

Threat Advancements

• IoT Zombie Army: toasters to cars connected

• Hacking Machines: smart machines “learning” to circumvent controls

• Cyber Warfare: cybergangs providing HaaS (Hacking as a Service)

• Increased Attacks on Financial Systems: nation states sponsoring FUD (Fear, Uncertainty, Doubt)

• Intelligence Sharing: increased gathering of information by nations for sharing

• Blockchain Adoption: securing inter-device transactions

Point of View

• Existing methods for detecting malware are not keeping pace with advanced malware attacks

• A robust defense-in-depth strategy incorporates tools and technology along with education and training of end users

• People continue to be the weakest link in cybersecurity programs

• Security budgets continue to be static because the return on security investments is not tied to business risk

• Machine learning (smart computing) is playing a larger role, both in cyber defense and in cyberattacks

Public Private Partnerships

Groups and Professional Societies

InfraGard is a partnership between the FBI and members of the private sector.

As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.

The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners.

Conferences

Point of View

• You get out what you put in

• Certifications: get your return on investment

• Continuing Professional Education (CPE): be selective

– Network

FFIEC & 23 NYCRR 500

FFIEC Cybersecurity Assessment

Regulatory expectation is that each financial institution will:

• Use the Cybersecurity Assessment Tool

• Have Board and CEO lead the effort

• Identify gap and target state

• Implement action plan to attain and sustain target state

• Update Cybersecurity Assessment periodically

NY DFS Part 500: Highlights

WHEN? The regulation became effective March 1, 2017.

WHO? Covered Entities:
• Banks
• Insurance Companies
• Others

WHAT?
• Enhanced Cybersecurity Program
• Detection of Cybersecurity Event and 72 Hour Reporting
• Audit Trail
• Incident Response Plan

HOW? Board Resolution or Senior Officer needs to sign certification of compliance by Feb. 15 of each year, starting in 2018.

NYDFS & FFIEC Compared Examples

Enhanced Requirements under New NYDFS Rule


Point of View

• The regulations being enacted are pragmatic and reasonable, but are late and behind

• Cybersecurity program needs to take both business and technology risks into account

• DFS 500 follows FFIEC, but puts more “bite” into regulations

• State regulatory agencies are taking Federal issuances and adding their own specifications for compliance (23 NYCRR 500)

Third Party Risk Management

Third Parties – Who or What is Connected?

Point of View

• Third parties should be viewed as any other user

• Establish standards and requirements for all third parties

• Include right to audit for compliance to standards

• Third parties should adhere to your cybersecurity policies

Social Media

Social Media Do’s and Don’ts

Facebook:

• Don’t post NPI in profile

• Don’t post public out-of-town pictures until back home

LinkedIn:

• Keep separate personal and professional IDs

• Don’t post NPI in profiles

DNA Discovery:

• Don’t post family tree for public view

– Potential giveaway of mother’s maiden name, father’s middle name, birthdate, etc.

Point of View

• Social media is a treasure trove of information

• Used to obtain information on targets for identity theft, phishing, etc.

• Develop, implement and enforce a Use Policy for corporate social media

• Engage with clientele to make them aware of risks and exposures

Payment Systems and Card Security

Payment System Security: PCI DSS

Objective: Build and maintain a secure network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and security parameters

Objective: Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across open public networks

Objective: Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Objective: Implement strong access control measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Objective: Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Objective: Maintain an information security policy
12. Maintain a policy that addresses information security

Credit Card Security: Europay, MasterCard and VISA (EMV)

Points:

• Card issuers have spent between $200 and $800 million to distribute chip cards

• Large retailers have spent over $8 billion to install new card readers

• Chip & Signature cards are the majority of cards issued

– Readers do not authenticate the signature

• Chip & PIN cards are much more secure

– However, if the card and PIN are compromised and used in an ATM, the bank is responsible

• Chips contain the same cardholder data as mag strips

• “Card not present” fraud has increased

– Phone and online purchases with a stolen card

Point of View

• Chip & PIN should be mandatory, eliminating Chip & Signature

• New POS hardware must capture and store only the information required after the transaction

• Pattern analysis is a good offense

– Push alerts to cardholders

– Query large purchases

– Query out-of-country purchases
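The pattern-analysis points above (large purchases, out-of-country purchases, push alerts) as a small rule-based screen over a constructed transaction batch; this is an added example, not code from the slides or from FIS, and the thresholds, field names and sample transactions are assumptions.

```python
"""Rule-based card transaction screening (added example, not from the slides):
flags large and out-of-country purchases and builds a cardholder push alert.
Thresholds, field names and the sample batch are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: float       # in the card's billing currency
    country: str        # ISO 3166 alpha-2 code of the merchant
    card_present: bool  # False for phone/online ("card not present")

@dataclass(frozen=True)
class Profile:
    home_country: str
    large_amount: float  # per-card threshold set by issuer policy

def screen(txn, profile):
    """Return the rule names the transaction triggers (empty list = clean)."""
    reasons = []
    if txn.amount >= profile.large_amount:
        reasons.append("large_purchase")
    if txn.country != profile.home_country:
        reasons.append("out_of_country")
        # Card-not-present fraud is the growth area the slide calls out, so an
        # out-of-country CNP purchase gets its own reason for triage.
        if not txn.card_present:
            reasons.append("cnp_out_of_country")
    return reasons

def push_alert(txn, reasons):
    """Message an issuer would push for the cardholder to confirm or deny."""
    return (f"Txn {txn.txn_id}: {txn.amount:.2f} in {txn.country} flagged "
            f"({', '.join(reasons)}). Reply YES if this was you.")

def screen_batch(txns, profile):
    """Map txn_id -> alert text for every flagged transaction in the batch."""
    alerts = {}
    for t in txns:
        reasons = screen(t, profile)
        if reasons:
            alerts[t.txn_id] = push_alert(t, reasons)
    return alerts

# Constructed sample: US cardholder with a $1,000 large-purchase threshold.
SAMPLE_PROFILE = Profile(home_country="US", large_amount=1000.0)
SAMPLE_TXNS = [
    Txn("t1", 42.50, "US", True),     # routine
    Txn("t2", 1850.00, "US", True),   # large
    Txn("t3", 120.00, "GB", True),    # out of country
    Txn("t4", 2300.00, "RO", False),  # large, out of country, card not present
]
```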

Data Protection and Retention

• Data is a unique asset that can exist in multiple states simultaneously

– At rest

– In transit

– Being processed

– Archived

• Data Cycle Management program

– Based on value of data

– Ensures RPO can be met

• Controls

– Encryption

– Use of data policy

Point of View

• Data classification should be based on value of data

– Confidential

– Company

– Public

• Encryption keys

– Changed frequently

– Known by 2 personnel

– Secured with physical access controls for a third person

• Formal retention policy

– Off-site audits

– Point of sunset

– Destruction procedures
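One way to model the key-handling points above (two custodians, frequent rotation, no single person able to rebuild the key) is split knowledge with XOR key components and dual control; this is an added example, not code from the slides or from FIS, and the key length, custodian names and the fingerprint record are assumptions.

```python
"""Split knowledge and dual control for an encryption key (added example, not
from the slides): no single person holds the key, rebuilding it needs both
custodians, and rotation replaces the components. Key length and custodian
names are assumptions."""
import hashlib
import secrets
KEY_LEN = 32  # 256-bit key (assumed)

def split_key(key):
    """Split `key` into two XOR components. Each component on its own is
    uniformly random, so one custodian learns nothing about the key."""
    comp_a = secrets.token_bytes(len(key))
    comp_b = bytes(k ^ a for k, a in zip(key, comp_a))
    return comp_a, comp_b

def combine(comp_a, comp_b):
    """Reassemble the key from both components of the same generation."""
    if len(comp_a) != len(comp_b):
        raise ValueError("component length mismatch")
    return bytes(a ^ b for a, b in zip(comp_a, comp_b))

def fingerprint(component):
    return hashlib.sha256(component).hexdigest()

class KeyCeremony:
    """Records which custodian was issued which component, by fingerprint only,
    so the record never holds the key. Components are handed out once at
    rotation and stay with their custodians (on separate media, in practice)."""
    def __init__(self, custodian_a, custodian_b):
        if custodian_a == custodian_b:
            raise ValueError("split knowledge needs two different people")
        self.custodians = (custodian_a, custodian_b)
        self.generation = 0
        self.record = {}
    def rotate(self):
        """Fresh key and components; returns {custodian: component} to hand out."""
        handout = dict(zip(self.custodians, split_key(secrets.token_bytes(KEY_LEN))))
        self.record = {name: fingerprint(c) for name, c in handout.items()}
        self.generation += 1
        return handout

    def reconstruct(self, presented):
        """Dual control: both custodians must present components matching the record."""
        if not self.record or set(presented) != set(self.custodians):
            raise PermissionError("both custodians of the current key required")
        for name, comp in presented.items():
            if not secrets.compare_digest(fingerprint(comp), self.record[name]):
                raise PermissionError(f"component from {name} is stale or not genuine")
        return combine(*(presented[n] for n in self.custodians))
```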

FinTech

FinTech Defined

“[A]n economic industry composed of companies that use technology to make financial services more efficient. Financial technology companies are generally startups trying to disintermediate incumbent financial systems and challenge traditional corporations that are less reliant on software.”

FinTech is a Financial Disruptor

Forbes’ FinTech Hot 5

Point of View

• FinTech firms and the traditional financial institutions that will interface with them will need to understand cybersecurity from multiple aspects and infrastructures

• Pressures to adopt FinTech will increase as delivery platforms mature and evolve

• Regulatory “controls” will increase as FinTech is adopted

• Effective and pro-active cybersecurity controls must be implemented, monitored and sustained

Resources

White Papers and Intelligence Briefings

• WHITE PAPER: Recalibrating Your AML Risk Program

• INTELLIGENCE BRIEFINGS:

– Trade-based Money Laundering Risk and Regulatory Agency Priorities

– Trending Anti-Money Laundering (AML) Compliance Standards and Cybersecurity Requirements

Cybersecurity and Cyber Risk Solutions

• Cybersecurity Assessment

• Reverse Stress Testing

• Exam Readiness Training

• Online Phishing, Malware and Social Engineering Prevention Training

• CyberForce Anomalous Activity & Threat Intelligence Monitoring

BSA/AML and Fraud Solutions

• BSA/AML Consulting

• Risk Managed Services Center (RMSC)

– Alert Clearing Services

– Enhanced Due Diligence review

– Vendor risk management

– Complaint management

• Financial Crime Management (FCM) Monitoring and Detection

Questions?

Scott Ramsey, CDRP, CISM
Scott.D.Ramsey@fisglobal.com
(561) 322-8781

Visit us in the expo hall to learn more