Cyber-Security. FAS Annual Conference September 12, 2014

Transcription

1 Cyber-Security FAS Annual Conference September 12, 2014

2 Maysar Al-Samadi Vice President, Professional Standards IIROC

3 Cyber-Security IIROC Rule BCP The regulatory landscape Canadian Government policy The Canadian financial sector The US regulatory response Cyber-insurance

4 Cybersecurity Risk Factors and Concerns David Mussington, PhD., CISSP Senior VP Cybersecurity Juno Risk Solutions

5 Agenda Background David Mussington How severe are cyber-security risks? Who are the actors of concern? What protection approaches are available? Conclusions and Principal Takeaways Questions

6 How serious are cybersecurity risks, and what exactly is the threat? Financial Services are the most highly targeted of critical infrastructures by cyber criminals Cyberspace allows for low probability of detection/high payoff illicit activity Evolution in attack capabilities and speed is outstripping defensive measures Recent occurrences (most notably the Snowden revelations) have pointed out the potential damage that flows from insiders

7 Who are the actors of concern, and what do they want?

8 What protection approaches are available, and what are some best practices? Best practice approaches based on proven standards (e.g., NIST, ISO, CBEST, CCS-20 (SANS)) Industry offerings MSSP and commercial anti-virus software and cybersecurity service vendors Assistance from Financial Services Sector peers Government support CCIRC (Public Safety Canada), RCMP Other Support Possibilities: not for profit groups, academia

9 Conclusions and Principal Takeaways The cybersecurity challenge is escalating; Defense/Protection capabilities are falling behind Information sharing within and across industries and with government is the best way to improve defenses and risk awareness; Systemic risks can be transmitted from those with weak cybersecurity protections to those with stronger programs weakest link problems are endemic; Best practice solutions exist, but require a systematic and strategic effort to produce meaningful risk mitigation impact

10 Information Security Perspectives Richard Livesley Director, Strategy and Planning Global Information and Technology Risk Management

11 Risk to BMO = Threat x Vulnerability x Consequence of a breach Threat is bigger Three types Espionage stealing our stuff Disruptive hurting the network we have become reliant on Destructive emerging threat that could target critical infrastructure and be catastrophic Lots of attackers Nation States China is the largest Criminal Gangs Russia has the most Hacktivists Less sophisticated but still a nuisance Vulnerability is larger We are increasing the attack surface : Social, Mobile, Analytics, Cloud The cyber domain is still new with little governance by any legal authority The Internet design is flawed designed to communicate between trusted partners, not those with malicious intent Consequence of a breach have severely harmed companies Customer trust Financial consequences 11

12 Protecting the Bank involves the entire Bank There are two major planks to the program that cover the range of capabilities we are building Together as a Company Within Technology Crisis Management Customer Authentication and Awareness Training Employee Access Management and Awareness Training Supplier Risk Assessments Industry & Regulatory Requirements such as GLBA, FFIEC, PCI DSS Application Software Security Data Security Network Security Vulnerability Management Threat Monitoring & Management Security Incident Response Risk Management Functions 12

13 However, the challenge to create safe cyberspace will not be resolved with a company s eco-system Priority What we need to do Why Improving crosssector sharing Automated sharing of actionable intelligence A common framework to enable discussion (NIST cybersecurity framework?) Stronger partnerships between energy, telco s and financial institutions The threats are immediate and one sectors weakness impacts others The knowledge of each sector strengthens the others Stronger private and public partnerships Faster and more effective sharing of information Legislative clarity on rights and accountabilities eg privacy Stronger governance of the internet Ensures regulatory and legislative actions focus on the right areas A more cyber aware culture with personal accountability A more educated population who understand how bets to protect themselves AND who recognize a weakness on their device threatens others not just themselves The health of cyberspace cannot be isolated to individual companies 13