TRANSCRIPT
© Fintech Ireland www.fintechireland.com / [email protected] / ph +353 1 639 2971
3rd Annual Financial Services Cyber Security Summit
Wednesday 13th July 2016
Peter Oakes, Fintech Ireland / Fintech UK
Peter Oakes
Executive and non-executive director and advisory committee member to regulated and unregulated companies, including Fintech, RegTech, MiFID and Funds. Panel Member, Fintech20 Ireland
Solicitor admitted in Ireland, the United Kingdom and Australia
Founder of Fintech Ireland & Fintech UK (RegTech Ireland & Regtech UK). These groups support ‘fintech’ & ‘regtech’ initiatives in Ireland & the UK
2014-2016: Board Director & Chief Risk Officer for Bank of America Merchant Services Europe (based in London)
2010-2013: Central Bank’s first Director of Enforcement and AML/CTF Supervision in October 2010. Member of the Senior Leadership, Operations, Policy & Supervisory Risk Committees
Over the past 25 years Peter has worked as a regulator (Ireland, UK & Australia) and in the investment management, payments, funds & fintech industries (UK & Ireland) in Board, C-Suite, Legal and Compliance/Risk roles. He has also advised Central Banks, Regulators and their senior management on a wide range of supervisory and enforcement issues
FinTech & RegTech – cybersecurity
Case Study II
How will Fintech & RegTech drive cyber security? Future scenarios and possible solutions
Peter Oakes, Founder and Fintech Member, Fintech Ireland
Unbundling Banks
Source: © CB Insights
Fintech Attacking Banks’ Value Chain
Source: © CB Insights
Ireland’s Fintech Ecosystem
Source: © Dave Anderson / https://www.linkedin.com/in/daveandersonireland
A Global RegTech Map
www.letstalkpayments.com
© Letstalkpayments.com
SIM Swap – What is it?
SIM Swap is a basic functionality made available by Mobile Operators
You have probably done it
Allows customers to
◦ move their mobile number from one network to another
◦ change SIM card formats when changing make / model of their phone
◦ recover their phone number if it's lost or stolen.
SIM Swap Explained
How a SIM Swap Attack Occurs
What is a SIM Swap Attack? - 1/2
© moQom.com
What is a SIM Swap Attack? - 2/2
A SIM Swap attack occurs when a fraudster tricks the Mobile Operator into believing they are the legitimate owner of the mobile number, for example through social engineering
Fraudster simply convinces a shop worker to provide them a new SIM card with the target's telephone number on it
All the fraudster needs is a believable story regarding the fate of the lost, stolen or broken handset, a stolen/fake utility bill for the address of the target, and the target’s mobile phone number
By doing so, the Mobile Operator unknowingly transfers the victim’s mobile number onto a SIM card in the fraudster’s possession, which when placed in a new handset, allows the fraudster to gain access to the victim's banking services
SIM Swap Fraud
United Kingdom
Ireland
Australia
South Africa
Abu Dhabi
United Kingdom
Ireland
http://www.irishtimes.com/business/technology/are-banks-answering-the-call-on-mobile-phone-security-1.2704035
Recent report on SIM Swap fraud
www.moqom.com
What is a SIM Swap Attack?
Terms of Reference
Methodology
Key Findings
Consumer Exposure
Broader Implications
Australia
Cyber Security – Regulatory Expectations
Irish and UK cyber security governance initiatives
◦ there are other regulators that are focussing on this area, e.g. EBA, IOSCO, ASIC, SEC and pretty much every EU regulator
The role of the Board
The accountability of the Non-Executive Director (NED)
The relationship between the CRO / CISO, the Board and the NED
Data Security & Cyber Security - Financial Crime
FCA refers regulated firms to examples of good and poor practice in data security at Chapter 5 in Part 1 and Chapters 6 and 10 in Part 2 of our Financial Crime: A Guide for Firms
“Outsourcing to a 3rd party does not mean you have outsourced your obligations to look after customer data. [Must] carry out due diligence on 3rd party suppliers before hiring them, try to establish what their vetting procedures are, and ensure that they respect your firm’s security arrangements”
If you are a senior manager or board director of an FCA regulated entity take note
Is it really a matter for the Board? YES!
“It is the responsibility of the board to ensure that a firm is properly governed”
See Central Bank letter on operational risk & cyber security dated 22 September 2015
Will this keep the CRO/CISO awake at night?
CISO/CRO
Thank you
Contact Peter Oakes to discuss non-executive director & consulting services for regulated financial entities, fintech & other innovative companies
https://ie.linkedin.com/in/peteroakes
+353 87 2731434 / +44 75 635 26834