Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks?

Transcription

1 Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks? August 27, 2014 Presented by: Terry Ammons, Partner, Porter Keadle Moore Tim Davis, Senior, Porter Keadle Moore

2 Agenda Overview of the cybersecurity landscape The expected approaches of regulators How to prepare for the increased scrutiny The importance of threat awareness The impact of third parties and vendor management Tips for using a risk assessment as a practical discovery tool How to effectively respond to a cybersecurity event

3 Overview of the cybersecurity landscape What is cybersecurity? Cyber security is a body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage and unauthorized access. One of the most problematic elements of cyber security is the quickly and constantly evolving nature of security risks.

4 Overview of the cybersecurity landscape What does the cybersecurity landscape look like? Current controls in place are inadequate to protect against cybersecurity attacks on financial infrastructure. Bank regulators and security officials have expanded their focus from fraud detection to cybersecurity prevention.

5 Overview of the cybersecurity landscape The Federal Financial Institutions Examination Council (FFIEC) has taken three initial steps to increase awareness in the US financial system: Launched a web page to consolidate cybersecurity sources that can be easily accessed by banks; Hosted webinars for bank CEOs, senior management, and audit committees to make them aware of cyber threats and their role in mitigating them; and Created a pilot program to conduct cybersecurity risk assessments.

6 Polling Question #1 Did you attend the recent FFIEC Webinar on Cybersecurity? Yes No I m not sure what that is

7 The expected approaches of regulators Cybersecurity Risk Assessment Pilot Program The federal government s first large-scale initiative, Targeted more than 500 community financial institutions, Overseen by the Federal Financial Institutions Examination Council (FFIEC). The program consisted of three broad elements: Educating financial institutions about the pilot program and holding bank executives and audit committees responsible for identifying, managing, and mitigating risks Identifying action steps banks can take to ensure their cybersecurity strategy will meet current and evolving government regulations Conducting cybersecurity risk assessments to test the awareness and readiness of community banks and credit unions

8 The expected approaches of regulators Cybersecurity risk assessments Initial steps will be data gathering only Verbal feedback, but no written examination findings or recommendations Focus on documenting current state The target state will involve additional regulatory expectations

9 FDIC Required Elements of a Cybersecurity Risk Management Program Threat intelligence and collaboration Internal & External Resources Third -party service provider and vendor risk management Governance risk management and oversight Incident response and resilience

10 Polling Question #2 Did your financial institution take part in the Cybersecurity Pilot Program? Yes No I Don t Know

11 Threat Intelligence Source External Hackers Motivation Challenge Ego Game Playing Threat System hacking Social engineering Dumpster diving Internal Hackers Terrorist Poorly trained employees Deadline Financial problems Disenchantment Revenge Political Unintentional errors Programming errors Data entry errors Backdoors, Fraud, Poor documentation System attacks Social engineering Letter bombs Viruses Denial of service Corruption of data Malicious code introduction System bugs Unauthorized access

12 Threat Intelligence and Collaboration Internal & External Resources Regulators expect all financial institutions to: Identify and monitor cyber-threats to their organization, and to the financial sector as a whole. Make sure this real-world information is factored into your risk assessment Monitoring Tools: Financial Services Information Sharing and Analysis Centers (ISACs) - U.S. Secret Service Electronic Crimes Task Force (ECTF) - FBI InfraGard - NCUA Cyber Security Resources - FDIC Cyber Challenge: A Community Bank Cyber Exercise

13 Threat Intelligence Impact Triangle My Institution My Vendors My Customers

14 Polling Question #3 What percentage of cyber attacks target businesses with fewer than 500 employees? 20% 40% 60% 80%

15 Threat Intelligence The Threat Environment Businesses with fewer than 500 employees* 40% do not have an incident response plan 48% do not have a cybersecurity plan 77% do not have a formal, written Internet security policy * National Small Business Study by the National Cyber Security Alliance and Symantec

16 Third-party Service Provider and Vendor Risk Management Managing cybersecurity relies on managing the risk originating at third-parties Focus on vendors with access to your network, customer data and/or other sensitive information Pay particular attention to the following: Pre-contract planning and negotiation Review of current contracts with critical vendors Ongoing monitoring of vendor practices Prompt notification of material incidents Termination/disengagement with noncompliant vendors

17 Governance Risk Management And Oversight Virtually all FFIEC IT Handbooks list proper governance as the first and most important item necessary for compliance! What does proper governance entail? Update & Test your Policies, Procedures and Practices. Assess your Cybersecurity Risk Adjust your Policies, Procedures and Practices as needed based on the risk assessment results. Use your IT Steering Committee (or equivalent) to manage the process. Provide periodic Board updates.

18 Risks to the Financial Institution Financial Loss Reputation Risk Legal Liability

19 Example Risk Assessment Commercial Internet Banking Business Internet Banking/ Cash Management Account compromise/ Account take over High Medium User ID Passwords Network hardening IPS/IDS Acceptable

20 Information and Decision Flows within an Organization

21 Incident Response and Resilience Whether it originates internally or externally, a security incident is a virtual certainty. Be Prepared: Update your incident response program (IRP) to include cybersecurity events. Ensure your IRP contains the following elements: The incident response team members A method for classifying the severity of the incident A response based on severity, to include internal escalation, and external notification. Periodic testing and Board reporting

22 Threat Management and Incident Response Understand your Risk Position Where is my data? What types of systems do I have? What controls are in place? Will this threat affect me?

23 Threat Management and Incident Response Heartbleed Business Internet Banking/ Cash Management High High User ID s High and passwords Network hardening IPS/IDS

24 Threat Management and Incident Response Heartbleed Business Internet Banking/ Cash Management High High User ID s Low and passwords Network hardening IPS/IDS Multi factor authentication

25 NIST Framework Core Regulators are following the National Institute of Standards and Technology (NIST) cybersecurity framework that provides a common mechanism for organizations to: Describe their current cybersecurity posture; Describe their target state for cybersecurity; Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; Assess progress toward the target state; and Communicate among internal and external stakeholders about cybersecurity risk.

26 NIST Framework Core

27 So What Do You Need To Do Now? Ensure that procedures are in place to secure customer and confidential data and recover critical business processes Regardless of the source or nature of the threat. Policies should be impact-based, not threat-based. Update your risk assessments if they don t specifically account for cybersecurity threats. Vendor Risk Assessment--for their exposure to, and protection from, cybersecurity threats BCP Risk Assessment--should account for the impact and probability of cybersecurity threats Controls should be adjusted accordingly (i.e. audit reports, NVAs, Pen tests, etc.).

28 Polling Question #4 How prepared do you believe your financial institution is for the increased regulatory scrutiny related to cyber risks? A. Very Prepared B. Prepared C. Needs Improvement D. Unsure

29 Questions? Terry Ammons Systems Partner (404) Timothy Davis Systems Senior (404)

30 Sign up for our next Webinar! Corporate Governance in Today s Environment Wednesday, October 8 th 2014 (3:00-4:00 pm EST) Register: