Cyber Security Risks for Banking Institutions.

Transcription

1 Cyber Security Risks for Banking Institutions. September 8,

2 Administrative CPE regulations require that online participants take part in online questions Must respond to a minimum of four questions per 50 minutes. Polling questions will appear on your media player Results will be reviewed in the aggregate; no responses will be tracked back to any individual or organization To ask a question, use the Ask a Question box on your media player Technical issues: use the? button in the upper-right corner of your webcast player to access our new online help portal If this does not resolve your issue, please submit a question through the Ask a Question box, and you will receive a reply from our technical staff shortly in the Answered Questions box. 2 2

3 KPMG Presenters Brian Stephens Partner National Sector Leader, Banking & Capital Markets Ron Plesco Managing Director National Lead of Cyber Investigations Glenn Siriano Principal Information Protection & Business Resiliency 3 3

4 Agenda Cyber activity 2014 & Beyond The New Normal FS Industry Activities to Manage/Mitigate Information Protection Risks Regulator Hot-buttons and lessons learned KPMG Observations 4 4

5 Anticipate Attacks. Avoid Breaches. Every business is becoming digital. Leaders need to know IT and be able to align with the business needs. Technology is an enabler. But it comes at a price. CEO departure watershed for IT, business alignment - ZDNet May 5,

6 Polling Question #1 Approximately what percentage of your total operating costs has increased to deal with cyber security concerns (staffing, budget, etc). 1. No change 2. 0%-5% 3. 6%-10% 4. 11%-15% 5. Over 15% 6. Not sure 6 6

7 Security Spend Climbing Gartner estimates overall security spend on technology and services market at $67.2 billion in Breaches increasing by 20%. Cost of those breaches increasing 30%. Billions spent on cyber security and much of it wasted. -Sydney Morning Herald April 3,

8 Yet Applications are more Vulnerable # Vendor History Average Vulnerabilities Trend Name year 1 year 1 Oracle Apple Google Mozilla IBM Microsoft Readhat Cisco Adobe Novell Linux Moodle

9 New Vectors of Threats are Accelerating the Concern YESTERDAY Bad Actors Isolated criminals Script Kiddies Target of Opportunity Targets Identity Theft Self Promotion Opportunities Theft of Services TODAY Bad Actors Organized criminals Foreign States Hactivists Target of Choice Targets Intellectual Property Financial Information Strategic Access 9 9

10 Polling Question #2 In the last 12 months, has your bank invested in cyber intelligence technologies such as big data stores, intelligence feeds (FSISAC), etc.? 1. Yes 2. No 3. Not sure 10 10

11 Impacts 11 11

12 Cyber Risk Perfect Storm Growing Threat Level Bad Actors have evolved, Retail is 5 th worst sector and 75% of data loss incidents in Retail are hacking related (2012)* Changing Technology Landscape Consumerization of IT, Cloud and eroding perimeter Compliance Pressure Compliant does not necessarily mean sustainably (cyber) resilient * KPMG s 2012 Data Loss Barometer; a global insight into lost and stolen information

13 Proliferation of Do It Yourself Kits Malware offered for $249 with a service level agreement (SLA) and replacement warranty if the creation is detected by any antivirus within 9 months 13 13

14 Losses are Mounting $100 billion annual loss to the U.S. economy (2013). $100 billion to $500 billion annual loss to Global economy (2013). $23.6 million average loss by U.S. financial services companies (2013)

15 Cyber Activity 2014 & Beyond - Changes in Security Models Traditional perimeter defense approach being replaced with a multi-layered approach Security intelligence becoming critical to aggregate and analyze information New models emerging for identity and trust: Biometrics Merger of personal and business identities Cloud encryption gateways to encrypt when data leaves the organization Drive towards proactive intelligent security: Real time actionable insight for threats Adopt new techniques to analyze log data Baseline user behavior & detect anomalies 15 15

16 Polling Question #3 In the last 12 months, has your bank increased focus on the Internal Threat of cyber security including the building of user activity profiles, monitoring of employee and contractor use? 1. Yes 2. No 3. Not sure 16 16

17 Here s What You Can Do Focus your attention here Attack Surface Threats Security Products Assume you are, or will be, compromised. Focus on limiting your attack surface and prioritize based upon exposure and risk and conduct a independent investigation

18 Confusion Reigns 18 18

19 FS Industry Activities to Manage/Mitigate Information Protection Risks Top down risk assessment using industry standard (ISO 27001, COBIT, etc.) Re-think governance model Revamp Identity Management & Access Control Review impact of emerging and disruptive technology (cloud, social media, etc.) Enhance Application Security/SDLC Integration Enhance Data & Information Management Improve Security Operations Center & Monitoring & Incident Management Enhance Infrastructure Develop and Revise Policy & Standards Maintain an effective end-user Awareness program Improve 3 rd party vendor security assessment program Mobile banking security enhancements 19 19

20 Polling Question #4 Given the increased threats and sophistication of attacks, in the past 12 months has your bank voluntarily shifted from ISO based compliance to the adoption of NIST standards? 1. Yes 2. No 3. Not sure 20 20

21 Regulator Hot-Buttons Appropriate vendor due diligence Cloud Security People as the weakest link Payment systems Application Security Data Loss Prevention (DLP) Privileged Access and Monitoring BCP testing & resiliency planning 21 21

22 Polling Question #5 Given the increased focus on data governance, has your organization hired or created a Chief Data Officer role in the last 12 months? 1. Yes 2. No 3. Not sure 22 22

23 1: Team The Incident Response team lacks a proper balance between skill-set, size and management oversight. 23

24 2: Process Processes and procedures related to incident response are not tailored to the organization. 24

25 3: Tools Cyber Incident Response tools are inadequate, unmanaged, untested, underutilized, or absent. 25

26 4: Data Data pertinent to an incident is not readily available. 26

27 5: Politics The Incident Response team lacks authority and visibility in the organization. 27

28 Q&A 28

29 Thank You Ron Plesco Managing Director National Lead of Cyber Investigations KPMG LLP rplesco.com Glenn Siriano Principal Information Protection & Business Resiliency KPMG LLP Brian Stephens Partner National Sector Leader, Banking & Capital Markets KPMG LLP

30 The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. 30