DON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS?

Transcription

1 HEALTH WEALTH CAREER DON T BE A VICTIM! IS YOUR INVESTMENT PROGRAM PROTECTED FROM CYBERSECURITY THREATS? Gregg Sommer, CAIA Head of Operational Risk Assessments St. Louis MERCER

2 CYBERSECURITY BREACHES 1. Target 2. JPMorgan 3. Code Spaces 4. Sony 5. Pentagon SEC reported that 74% of advisors and 88% of broker-dealers have had unauthorized access to their network 1 1 SEC cybersecurity examination sweep summary Feb 3, 2015 OCIE Volume IV, Issue 4 MERCER

3 HOW BIG IS THE PROBLEM? 270% increase in identified victims and exposed losses 1 Cyber crime costs the global economy up to $500 billion annually 1 90% of large organizations reported a breach successful attacks per week 3 Over the last four years cyber attacks on businesses have increased by 144% and the average time to resolve has increased by 221% 4 1 Merrill Lynch CIO Reports 2 Security Breaches Survey PWC Ponemon Institute 4 CYREN Cyber Threat Report, 2015 MERCER

4 WHY GLOBAL TREND WILL CONTINUE 1. Role of technology continues to expand 2. Motivation - Financial gain - Malicious intent - Promote beliefs - Challenge - Risk / Reward analysis MERCER

5 CYBERCRIME INCIDENTS Banking and Finance FINANCIAL FRAUD DENIAL OF SERVICE ATTACKS 29% FINANCIAL LOSSES COMPROMISED/STOLEN RECORDS IDENTITY THEFTS 20% NO INCIDENTS 20% 23% 23% 36% 0% 5% 10% 15% 20% 25% 30% 35% 40% SOURCE: PWC CYBERCRIME REPORT MERCER

6 POINTS OF ENTRY MOBILE BUSINESS DEVICES CONTACTS Employees WEBSITE & MARKETING SOCIAL MEDIA 3 RD PARTY VENDORS 3 rd Party Vendors EMPLOYEES FAMILY- FRIENDS SOCIAL MEDIA Organization 3 RD PARTY VENDORS MOBILE DATA DEVICES STORAGE (CLOUD) NETWORK HARDWARE Clients EMPLOYEES MERCER

7 INDUSTRY AND REGULATORY GUIDANCE NIST CYBERSECURITY FRAMEWORK 1 Identify Protect Detect Respond Recover 1 NIST website SEC RISK ALERT 2 Cybersecurity Governance (Policies, Procedures, and Oversight) Risk Associated with Remote Customer Access and Fund Transfer Requests Risks Associated with Vendors and any Third Parties Detection of Unauthorized Activity Experiences with Cyber Threats 2 Morgan Lewis summary of the SEC risk alert Feb 2015 BEST PRACTICES GOVERNANCE AND POLICIES EMPLOYEE TRAINING TECHNOLOGY THIRD PARTY ASSESSMENT MERCER

8 BEST PRACTICES GOVERNANCE AND POLICIES Culture Senior Management Engagement Accountable Oversight Proactive Approach Processes Documented Information Security Policy Cybersecurity and Risk Assessment Test Cyber Insurance Risk Transfer Monitor Cash Activity Daily Third Party / Vendor Due Diligence Policy MERCER

9 BEST PRACTICES EMPLOYEE TRAINING Awareness Passwords Public Wi-Fi Local Drives Communication Scam Preparation Phishing MERCER

10 BEST PRACTICES TECHNOLOGY Security Network, Physical, Data, Logical Systems Malware / Anti-virus Patching and Updates Intrusion Prevention System and Testing Cloud Technology Backup Process and Testing MERCER

11 BEST PRACTICES THIRD PARTY ASSESSMENT Tools Classify Vendors Define Assessment Process SLAs and Contract Management Monitor Business Relationships Plan For Vendors Not Meeting Requirements Independent Assessments (SSAE16 SOC Testing) MERCER

12 KEY TAKEAWAYS Cyber risk will continue to rise Conduct an assessment against industry best practices Monitor investment organizations and third parties Document your due diligence process Partner with expert providers for implementation MERCER

13

14 Important notices References to Mercer shall be construed to include Mercer LLC and/or its associated companies Mercer LLC. All rights reserved. This contains confidential and proprietary information of Mercer and is intended for the exclusive use of the parties to whom it was provided by Mercer. Its content may not be modified, sold or otherwise provided, in whole or in part, to any other person or entity, without Mercer s prior written permission. The findings, ratings and/or opinions expressed herein are the intellectual property of Mercer and are subject to change without notice. They are not intended to convey any guarantees as to the future performance of the investment products, asset classes or capital markets discussed. Past performance does not guarantee future results. Mercer s ratings do not constitute individualized investment advice. Information contained herein has been obtained from a range of third party sources. While the information is believed to be reliable, Mercer has not sought to verify it independently. As such, Mercer makes no representations or warranties as to the accuracy of the information presented and takes no responsibility or liability (including for indirect, consequential or incidental damages), for any error, omission or inaccuracy in the data supplied by any third party. This does not constitute an offer or a solicitation of an offer to buy or sell securities, commodities and/or any other financial instruments or products or constitute a solicitation on behalf of any of the investment managers, their affiliates, products or strategies that Mercer may evaluate or recommend. For the most recent approved ratings of an investment strategy, and a fuller explanation of their meanings, contact your Mercer representative. For Mercer s conflict of interest disclosures, contact your Mercer representative or see Mercer universes: Mercer s universes are intended to provide collective samples of strategies that best allow for robust peer group comparisons over a chosen timeframe. Mercer does not assert that the peer groups are wholly representative of and applicable to all strategies available to investors. The value of your investments can go down as well as up, and you may not get back the amount you have invested. Investments denominated in a foreign currency will fluctuate with the value of the currency. Certain investments carry additional risks that should be considered before choosing an investment manager or making an investment decision. MERCER