2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

Transcription

1 2015 CEO & Board University Cybersecurity on the Rise Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C.

2 About Wolf & Company, P.C Regional firm established in 1911 Provide Audit, Tax, Business Consulting & Risk Management services PCAOB Registered & Inspected Member of AICPA Center for Audit Quality Member of PKF North America 200 Professionals Offices located in: Boston, Massachusetts Springfield, Massachusetts Albany, NY Livingston, NJ 2

3 Financial Institution Expertise Provide services to over 250 financial institutions Approximately 50 FIs with assets > $1 billion Approximately 30 publicly traded FIs Constant regulatory review of our deliverables Provide Risk Management Services in 27 states and 2 U.S. territories IT Assurance Services Group Internal Audit Services Group Regulatory Compliance Services Group WolfPAC Solutions Group 3

4 The Unknown As we know, There are known knowns. There are things we know we know. We also know There are known unknowns. That is to say We know there are some things We do not know. But there are also unknown unknowns, The ones we don't know We don't know. Donald Rumsfeld, February 12, 2002 Department of Defense news briefing 4

5 In the News 5

6 What s Happening Now?

7 What s Happening Now?

8 What s Happening Now?

9 What s Happening Now? 9

10 Who are the Threats? Organized Crime Hacktivists Nations and Foreign Competitors

11 The Threats Advanced & Persistent Targeted, not opportunistic Highly technical, sometimes simple and always planned

12 Regulators Concerned About Cybersecurity Cyber Criminals Likely to Target Smaller Banks As large banks improve their resistance to cyber attacks, cyber criminals are very likely [to] turn their attention to community banks, Comptroller of the Currency Thomas Curry told an audience at a technology conference in Washington, D.C., yesterday. These smaller institutions can provide a point of entry into larger networks, and they may have less sophisticated defenses than large banks, he said. - Thomas Curry 5/8/14 12

13 FFIEC Alerts.

14 FFIEC Wants Banks Setting the tone from the top and building a security culture Identifying, measuring, mitigating, and monitoring risks Developing risk management processes commensurate with the risks and complexity of the institutions Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed both now and in the future Creating a governance process to ensure ongoing awareness and accountability Ensuring timely reports to senior management that include meaningful information addressing the institution s vulnerability to cyber risks

15 CEO/Board Problem? In the future, at some point, the CEO and board of directors have to take responsibility, Rockefeller told Mulligan 15

16 Current Impact to Risk Assessments 16

17 Cyber Risk Life Cycle Risk Assessment (Identify) Governance & Oversight Security Functions (Protect, Detect, Respond, Recover) Business Changes Regulatory Changes (Key) Risk Indicators (Threat intelligence, Indicators of Compromise) Audit & Monitor Controls 17

18 So What Has Changed? Inventories of assets must support an inventory of threats and security controls Build into your process risk assessment update based on Threat Intelligence Cybersecurity events Identify the threat for each asset with and ensure specific controls mitigate the threat Identify behavior that would indicate you were compromised Impacts other risk management programs Vendor management BCP 18

19 How to I measure my readiness? 19

20 Current Guidance Available FFIEC IT Booklets NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) FFIEC Cybersecurity Assessment Tool 20

21 Cybersecurity Preparedness Risk management and oversight Threat intelligence and collaboration Cybersecurity controls External dependency management Cyber incident management and resilience 21

22 Risk Management and Oversight Governance More frequent Board and Senior management education Define roles and responsibilities that assign accountability regarding cyber risks Reporting structure of CISO/ISO Management of cyber security issues (interaction between information security and core business functions) Allocation of resources Time and energy Training and awareness of employees Onboarding and ongoing training More frequent and relevant training Training for information security professionals Test training effectiveness 22

23 CEO Should Develop a plan to conduct the assessment Lead employee efforts Set the target state of cybersecurity preparedness Address risk management and control weaknesses Analyze and present results for executive oversight Make sure Institution remains nimble and agile in addressing evolving areas of cybersecurity risk Oversee changes to maintain or increase the desired cybersecurity preparedness 23

24 The Board Should Engage with management Approve plans to use the Assessment Review management s analysis of the Assessment results Review management s determination of whether the institution s cybersecurity preparedness is aligned with its risks Review and approve plans to address any risk management or control weaknesses Review the results of management s ongoing monitoring of the institution s exposure to and preparedness for cyber threats 24

25 Threat Intelligence External sources of threat intelligence Media reports Third party service providers Financial Services Information Sharing and Analysis (FS-ISAC) InfraGard Secret Service US Cert Internal sources of threat intelligence Fraud detection tools Anti-Money Laundering/Office of Foreign Assets Control/Bank Secrecy Security information and event management (SIEM) Sharing information with law enforcement 25

26 Impact to other Risk Management Programs? 26

27 Vendor Management Enhanced Due Diligence and Ongoing Monitoring Activities How do you vet, select and monitoring third party service providers Vulnerability management (i.e. recent SSL vulnerabilities) Integrating Incident Response Plans and Tests Cybersecurity questionnaires Contract language Termination clauses Right to audit (required remediation) 27

28 Enhancements To Your BCP Not enough consideration made to prepare for cyber events. Unique factors of events: Customers/Clients affected by cyber incident Consideration for employee hit by ID Theft Third party providers/suppliers affected by cyber incident Transportation affected by cyber incident Remote working capabilities affected by cyber incident Consider utilities and availability of employee homes Plan for loss of personnel and key and backup locations for extended periods of time Cyber Incident Response Plans should be incorporated to BCP Cyber Testing

29 Important Resources FFIEC Cybersecurity guidance- NIST Cybersecurity Framework- Executive Order FBI InfraGard- U.S. Computer Emergency Readiness Team- U.S. Secret Service Electronic Crimes Task Forcehttp:// Department of Homeland Security- NY State Department of Financial Services Memohttps:// 0Committee/NY%20Cyber%20Security%20Exam%20Process.pdf

30 Conclusion Community Banks are and will be the next attack vector Breaches most likely will be caused by your employees (not just IT), your customers (when they give up their credentials) or Vendors (especially if no due diligence is performed) Regulators holding Boards and CEO s accountable for risk mitigation efforts 30

31 Thank You! Questions? Matthew J. Putvinski, CPA, CISA, CISSP Director, IT Assurance Services twitter.com\mattputvinski linkedin.com\in\mattputvinski