Get in the Groove with the Regulatory Jazz: Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective

Transcription

1 Get in the Groove with the Regulatory Jazz: Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective Rory Guenther, CISA Senior Examiner, Operational Risk Specialist, Federal Reserve Bank of Mpls Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay

2 Vendor Management THIRD PARTY SERVICE PROVIDERS

3 What is a Third-Party? Third Party is broadly defined to include all entities that have entered into a business relationship with the institution 3

4 Third Party Vendor Management as a Priority FI must establish and maintain a compliant vendor management program Examiners are giving more attention to vendor management Bank s exposure to violations committed by a third party service provider Civil money penalties 4

5 Civil Money Penalties Bank assessed $7,800,000 in part due to Bank s oversight of affiliate and third-party service providers. Bank required to refund approximately $140 million to customers and pay $25 million penalty for deceptive marketing tactics used by their vendors. Bank pays $175 million to settle accusation that its independent brokers discriminated against black and Hispanic borrowers. Focus of settlement was failure to police the behavior of independent loan brokers. 5

6 Civil Money Penalties, cont. Bank assessed $21 million for insufficient oversight which allowed bank loan officers and outside brokers to adjust rates and fees without regard to borrower risk which resulted in brokers extracting larger overpayments. (Fair Lending) Bank assessed $112.5 million for insufficient oversight of affiliate and third party service providers. (UDAP) Bank assessed $200 million for insufficient oversight of third party telemarketers (Deceptive Marketing) Bank assessed $11.2 million for insufficient oversight and control of TPSP system integration challenges and insufficient due diligence to note prior consumer complaints against TP. (UDAP) Bank assessed $210 million for insufficient oversight of third parties to insure they followed the bank provided scripts. (Unfair and deceptive sale of credit card add-on product.) 6

7 What Is the Guidance? Consists of SR 13-19/CA letter (Guidance on Managing Outsourcing Risk) and an attached policy statement on managing outsourcing risk Supplements existing guidance for technology service providers Refer to the FFIEC Outsourcing Technology Services Booklet (June 2004) at Applies to all financial institutions supervised by the Federal Reserve but other regulators have issued similar guidance 7

8 What s New? Applicability of guidance to outsourced activities beyond core bank processing and information technology-related services Enhanced risk management that institutions should have for better oversight and management of outsourcing risk Additional guidance pertaining to key aspects (attributes, governance, and operational effectiveness) of an institution s service provider risk management program 8

9 Areas of Emphasis Types of risk exposure Board of directors and senior management responsibilities Service provider risk management programs Additional risk considerations 9

10 Third Party Risk Types Strategic: Adverse business impact Reputation: Negative public opinion Operational Failed internal processes, people or systems Transactional: Problems with service or product delivery Financial: Unable to meet contractual arrangements Compliance: Violations of laws, regulations or internal policies Foreign: Country, culture, or geopolitical 10

11 Board and Senior Management Responsibilities Ensuring outsourced activities are conducted in a safe and sound manner and in compliance with appropriate laws and regulations Approving institution-wide vendor management policies that mitigate outsourcing risk Reporting to the board of directors on adherence to policies governing outsourcing arrangements 11

12 Elements of the Service Provider Risk Management Program Risk assessment Due diligence for the selection of service providers Contract provisions and considerations Incentive compensation review Oversight and monitoring of service providers Business continuity and contingency plans 12

13 What Constitutes Significant TP Relationship? Relationship is new or involves new FI activities Has material effect on FI s revenues or expenses TP performs critical functions TP stores, access, transmits, or performs transactions with sensitive customer information Increases FI s geographic market Performs a service involving lending or card payment transactions Poses risks that could affect earnings, capital, or reputation Provides product or service that covers large number of consumers Provides product or service that implicates higher risk consumer protection regulations Involves deposit taking arrangements Markets products directly to FI customers that could pose risk of financial loss to individual 13

14 Risk Tiers Based on Inherent Risk Inherent Risk is a function of Organizational and Profile risk TIER 1 Define Risk Severity Levels TIER 2 Highly integrated High reliance Interruption leads to significant operational impact High transition cost/effort Some integration Some reliance Interruption leads to moderate operational impact High transition cost/effort TIER 3 No integration Cost & performance drives relationship Interruption leads to limited operational impact Moderate transition cost/effort TIER 4 No integration Cost & performance drives relationship Interruption has no operational impact Minimal transition cost/effort

15 TOP 10 REGULATOR EXPECTATIONS 2014 EastPay. All Rights Reserved 15

16 1. Due Diligence Prior to Vendor Selection Review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls 2014 EastPay. All Rights Reserved 16

17 1. Due Diligence Prior to Vendor Selection(cont d) Evaluation of a third party may include the following items: Audited financial statements, annual reports, SEC filings, and other available financial indicators Significance of the proposed contract on the third party's financial condition Experience and ability in implementing and monitoring proposed activity Business reputation 2014 EastPay. All Rights Reserved 17

18 1. Due Diligence Prior to Vendor Selection (cont d) Qualifications and experience of the company's principals Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies Existence of any significant complaints or litigation, or regulatory actions against the company Ability to perform the proposed functions using current systems or the need to make additional investment 2014 EastPay. All Rights Reserved 18

19 1. Due Diligence Prior to Vendor Selection (cont d) Use of other parties or subcontractors by the third party Scope of internal controls, systems and data security, privacy protections, and audit coverage Business resumption strategy and contingency plans Knowledge of relevant consumer protection and civil rights laws and regulations Adequacy of management information systems Insurance coverage 2014 EastPay. All Rights Reserved 19

20 2. Vendor Selection Audit Requirements Identify regulation requirements of FI Resources and Technology Support System Policies, procedures, and service organization control reports Disaster recovery plan Reputation 2014 EastPay. All Rights Reserved 20

21 3. Contract Negotiation Audit rights, self assessments, monthly compliance reviews, obtain vendor s annual SOC report on its control compliance Service level agreements and financial penalties 2014 EastPay. All Rights Reserved 21

22 4. Contract Scope Timeframe covered by the contract Frequency, format, and specifications of the service or product to be provided Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service 2014 EastPay. All Rights Reserved 22

23 4. Contract Scope (cont d) Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations 2014 EastPay. All Rights Reserved 23

24 4. Contract Scope (cont d) Identification of which party will be responsible for delivering any required customer disclosures Insurance coverage to be maintained by the third party Terms relating to any use of bank premises, equipment, or employees 2014 EastPay. All Rights Reserved 24

25 4. Contract Scope (cont d) Permissibility/prohibition of the third party to subcontract or use another party to meet its obligations with respect to the contract, and any notice/approval requirements Authorization for the institution to monitor and periodically review the third party for compliance with its agreement Indemnification 2014 EastPay. All Rights Reserved 25

26 5. Implementation Access management Review system access reports at least monthly to ensure users of outsourced service are authorized Transaction monitoring Change management FI should approve any changes made by vendor System backup 2014 EastPay. All Rights Reserved 26

27 6. Monitoring Audits Service Organization Control (SOC) Reports Vendor s compliance with their own policies IT Controls Statement on Standards for Attestation Engagements No. 16 (SSAE 16), formerly known as Statement on Auditing Standards No. 70 (SAS 70) 2014 EastPay. All Rights Reserved 27

28 7. Ensure Proposed Relationship is consistent with FI s Strategic Plan and Overall Strategy Step one in Risk Assessment Process Management should analyze benefits, costs, legal aspects, and potential risks associated with Third-Party Expanded analysis should be conducted if product or service is new for FI FI personnel conducting analysis should have appropriate knowledge and skills to conduct 2014 EastPay. All Rights Reserved 28

29 8. Ensure vendor management program risk-ranks vendors based on: Access to other confidential (i.e. proprietary) information? Criticality of the product/service they provide? Complexity of the product/service? 2014 EastPay. All Rights Reserved 29

30 9. Adherence to Service Level Agreements and Contract Provisions Formal Policy that defines SLA program SLA monitoring process Recourse process for non-performance Escalation process Dispute resolution process Termination process 2014 EastPay. All Rights Reserved 30

31 10. File Bank Service Company Act when Required Section 7 of Bank Service Company Act (12 U.S.C. 1867) requires insured financial institutions to notify their appropriate federal banking agency in writing of contracts or relationships with third parties that provide certain services to the institution 2014 EastPay. All Rights Reserved 31

32 10. File Bank Service Company Act when Required (cont d) Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party "shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first." 2014 EastPay. All Rights Reserved 32

33 10. File Bank Service Company Act when Required (cont d) As defined in Section 3 of the Act, these services include "check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution." 2014 EastPay. All Rights Reserved 33

34 DDoS, Account Takeover, FRAUD! CYBERCRIME & CYBERSECURITY

35 Cybersecurity The process for managing cyber threats and vulnerabilities and for protecting information and information systems by identifying, defending against, responding to, and recovering from attacks. 35

36 Cybersecurity Conundrum You have to be right all of the time, those exploiting you only have to be right once. - Ancient cybersecurity proverb

37 Cybercrime Where & Why? Where do cyber attacks come from? What is the Motivation? Ideology making a political statement Extortion demand for payment to avoid website attack Competition disrupt a competitors online services Fraud used as a tool to aid in unauthorized financial gain 37

38 Trends

39 How do Cyber Criminals gain Access? Deception via DDoS Spam Phishing Attempts Spoofed Web Pages Popup Ads & Warnings Malware (Trojans, worms, etc.) Theft (Laptops, thumb drives, etc.) Attachments Downloads Social mediums 39

40 What is a denial of service attack? Objective(s): Render a service unavailable Cripple the infrastructure Typical targets: Bank Credit card payment servicers Mode of attack: Saturate the target with external requests for connectivity or communication

41 Distributed DoS (DDoS) A DDoS attack is performed when hundreds, or possibly thousands, of computers simultaneously request services or bandwidth from the same target computer. The attack is executed with networks of computers which are controlled by malicious software which has been installed on a user s computer. The antivirus detection rate for botnet malware is less than 40 percent. For additional information, visit: 41

42 Financial Institution Mitigating Actions Targeted banks have been very successful in employing numerous means of thwarting the DDoS attacks. There has been unprecedented sharing of information amongst the targeted banks as well as with their regulators and other government agencies. Banks are working with service providers to address the problems and to scrub/reduce the attack volumes. Leading DDoS protection providers (Prolexic, VeriSign, Akamai, etc.) Internet Service Providers - AT&T, Verizon, etc. 42

43 Adhere to these best practices Don t assign all resources to DDoS mitigation. Dedicate at least some staff to watching entry systems during attacks. Make sure everything is patched. Keep your security up to date. Have dedicated DDoS protection. Scrambling to find a solution in the midst of an emergency only adds to the chaos and any intended diversion. 43

44 Technology Enabling Fraud As payments have evolved significantly, largely due to technological advancements, so has the sophistication of EFT fraud. Expertly crafted s, malicious links on legitimate websites (such as social networking sites), and other methods are used to place malware within the networks of corporate customers. The malware then harvests security information, including login credentials, subsequently allowing the criminals to initiate electronic payments through hijacked accounts. 44

45 WHO Law enforcement agencies are reporting a significant increase in funds transfer fraud involving the exploitation of valid online banking credentials belonging to small and medium sized businesses. Eastern European organized crimes groups are believed to be predominantly responsible for the activities that are also employing witting and unwitting accomplices in the United States (money mules) to receive, cash and forward payments from thousands to millions of dollars to overseas locations via popular money and wire transfer services. 45

46 The FFIEC Guidance Supplement Effective 1/1/2012: On June 28th, 2011 the Federal Financial Institutions Examination Council FFIEC) released a supplement to the 2005 Authentication in an Internet Banking Environment guidance that describes the measures financial institutions should take to protect Internet banking customers from online fraud. 46

47 Three Primary Requirements Risk Assessments Layered Security Customer Education & Awareness 47

48 Fundamentals of Cyber Security Risk Management Senior Management Buy-in/Corporate Governance Defense-in-Depth (Gap Analysis and External Resources/Relationships, Feeds, and Awareness Robust Monitoring/Oversight Respond Test Monitoring and Incident Response Plans 48

49 Note Similar to the 2005 guidance, the June 2011 supplement applies to all electronic banking delivery channels, including the mobile banking channel. Whether financial institutions provide all or part of their electronic banking activities to customers through inhouse systems or outsourced, service-provider arrangements, the institutions are responsible and accountable for conformance with the 2005 guidance and the 2011 supplement. (VENDOR MANAGEMENT) 49

50 IT/Cybersecurity Controls Cheat sheet Where is your data? What is normal? How do you know?

51 Questions? 2014 EastPay. All Rights Reserved 51

52 Contact The Presenter Rory Guenther, CISA Senior Examiner, Operational Risk Specialist Pam Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education , ext 305