Cyber Security. Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP

Transcription

1 Cyber Security Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP Speakers: Keith Overly, Executive Director, Ohio Deferred Compensation Program Raj Patel, Partner, Plante & Moran, PLLC Bill Stewart, Senior Vice President, Booz Allen Hamilton Chris Jarmush, Area Vice President, Defined Contribution Practice Leader, Arthur J. Gallagher & Co.

2 Ohio Deferred Compensation Ohio Deferred Compensation is a plan sponsor and recordkeeper Current Practices Information Security Policy Independent security audit

3 Ohio Deferred Compensation Information Security Policy Physical and electronic security Staff training Data storage and destruction Offsite use of computers Data use by vendors

4 Ohio Deferred Compensation Independent Security Audit Compliance review of actual procedures/practices Penetration testing Social engineering testing

5 Ohio Deferred Compensation Future Considerations Move to cloud-based computing Federal Risk Authorization Management Program or FEDRAMP Standardized approach to security for cloud products Third party assessment Cyber insurance

6 97% of Breaches Were Avoidable Most victims aren t overpowered by unknowable and unstoppable attacks. For the most part, we know them well enough and we also know how to stop them. Verizon Data Breach Investigations Report Weak Infrastructure Weak design (firewalls, wireless routers) Weak user authentication (users, passwords) Lack of Encryption (VPN, secure portals) Out-dated (patch management / anti-virus) Lack of periodic testing User Ignorance Weak user passwords Poor judgment Phishing attacks Not staying current on security trends Technology Advances Mobile devices Cloud computing / public portals Data Collaboration Social Media Third Party Vendors Weak due diligence No Breach notification No Annual breach confirmation

7 House of Security Different organizations view information security differently. Some of the differences are related to varied risk and threat profiles impacting an organization based on factors such as industry, location, products/services, etc. Other differences are related to management s view of security based on its experience with prior security incidents.

8 World of Security

9 9 Secure Network Infrastructure 1. Layer your network - Public, Sensitive, Confidential, Private 2. Perimeter Security - Firewalls, IDS/IPS 3. Wireless Security SSID, Encryption, Default Password 4. Authentication Users & Passwords 5. Encryption - Connectivity & Storage 6. Anti-virus 7. Patch Management 8. Remote Access 9. Network Monitoring 10. Annual Testing External Penetration & Internal Security Assessment

10

11 Last Thoughts Strong password practices Device security Accessing from public places Loss of hardware Disposal of devices Use of mobile technology Incident response plan & team DATA BREACH I m flattered, really I am. But you probably shouldn t use my name as your password.

12 Financial Services institutions have an expansive and changing attack surface Third Party Vendors Vendors Employees Test or Virtual Environments Marketing Social Media Third Party Vendors Recruiting Corporate Platforms Data Storage (Cloud) Data Storage (Portable) Knowledge Management Systems Clients Employee Client s Third Party Vendors Employees Business Contacts Social Media Family Website Corporate Fleet Cell Phone Laptop Friends Tablet

13 Attackers vary in purpose and sophistication Increasing Level of Sophistication Nation States Terror Organizations Organized Crime Hacktivists Employees

14 Adopting an active defense is imperative Protect Prepare for an attack today with the goal of preventing an attack tomorrow Remediate Know what to do when the inevitable occurs Detect Monitor your systems and emerging threats

15 Multiple controls must be put in place Protect Application Security Data Centric Protection Insider Threat Management Identity and Access Management Personnel Screening Physical and Environment Security Detect Cyber Analytics Security Intelligence Monitoring Security Monitoring Vulnerability Assessment Third Party Risk Management Remediate Threat Management Incidence Response

16 The importance of third party risk management cannot be overstated Planning Due Diligence Contract Negotiation Ongoing Monitoring Service Desired Preliminary Risk Inherent Risk Residual Risk Residual Risk Post Remediation Re-Assessment External Controls Internal Controls News Feeds Engagement Risk Profile Business Impact Assessment Control Effectiveness Assessment Final Selection & Remediation Plans

17 Top Trends in Cybersecurity for Financial Services 1. Third Party Risk 2. Cyber Fusion Center (CFC) Implementations 3. Data Element Protection 4. Alternative Payment System Exposure 5. Cyber Crime Analysis 6. Hacktivism spreads to Middle East 7. Western Cyber problems coming to developing nations 8. Wargaming 9. Privacy Knowledge 10. Cyber Insurance Usage Growth

18 18 Assessing Cyber-risk across the DC Landscape Are Defined Contribution Plans at Risk of Cyber-Attacks? Yes but the DC complex is not (yet) a primary target of cyber fraud

19 19 Fiduciary Responsibilities Who are the primary gatekeepers of Participant assets and data? Fiduciary protocols were clearly written with an aim of safeguarding participant assets what about identity? Plan Sponsor Each entity represents a potential point-of-entry for a cyber-attack TPA Participants Recordkeeper Advisor

20 Vulnerability of Financial Services Firms Cybersecurity Examination Initiative 2014 OCIE 1 90% of broker-dealers and 75% of registered investment advisors have been the subject of a cyber-related incident 54% of broker-dealers and 43% of RIAs received fraudulent s seeking to transfer client funds Vast majority of firms conduct periodic risk assessments to identify cybersecurity threats Only 30% of broker-dealers and 13% of managers have provisions to determine their responsibility for cyberattacks Cyberattack Incidents Reported by Federal Agencies (in 000s) GOA, US-CERT Data National Exam Risk Alert by the Office of Compliance Inspections and Examinations February 3,

21 21 Taking a Proactive Approach What steps can Plan Sponsors take to help safeguard participants? Internal Controls Ensure proper security maintenance programs are in place with sufficient resources dedicated to their execution SOC 1 (SSAE 16) Certification Seek service providers who have demonstrated sufficient control procedures Service Standards - Establish written service standards and protocols for what constitutes a reportable event Information Sharing Networks Identify industry groups sharing information on cybersecurity best practices