The Risks Of Dealing With Email leak




MANAGING CYBER RISK: WHO HAS YOUR INFORMATION?

Contributing authors: Tom Lawton, Donna Goddard, Edward P Gibson

STATEMENT OF INTENT
Corporate treasurers must consider the cyber risks associated with many of their core activities, including the provision of client identity documents to their financial institutions (FIs). It is therefore crucial that they understand the nature of the risks they face, the value of the data at risk and the solutions available to manage that data. The views and opinions expressed in this paper are those of the authors and do not necessarily reflect the official policy or position of Thomson Reuters.

Managing Cyber Risk: Who has YOUR information? 2

Introduction
This white paper explores the ever-increasing global threat of cybercrime, with a particular focus on the specific cyber risks faced by corporate treasurers when disseminating the strictly confidential data necessary to comply with regulations governing Know Your Customer (KYC) due diligence, and finally explores the steps that organizations can take to reduce the risk of their information being compromised.

CYBERCRIME: A GROWING THREAT
The methods employed by cyber criminals are becoming ever more sophisticated, making it challenging for organizations to stay that crucial step ahead of the criminal underworld. This concern is echoed in the C-suite, as was demonstrated in the PwC Global Economic Crime Survey 2014: nearly half of respondents reported that the risk of cybercrime had increased (a 23% increase over 2011), with 49% of global CEOs concerned about cyber threats to their organization.[i]

We are operating in the age of digitization. Many previously physical items (such as some forms of hard copy documentation and even photographs) now exist mainly, or in some cases only, in the digital world. This creates both opportunities and challenges for organisations. However, in order to take advantage of the benefits, companies need to address the impact of information overload, caused by more and more data being received, collected and stored every day. Moreover, much of this information is confidential or business-critical, and if it were to be stolen or accidentally leaked it could lead to significant financial and reputational damage.

Several high profile cybercrime incidents hit the headlines in 2014. In one case, criminals hacked into and leaked the confidential emails of the co-chair of a well-known global brand, leading to their resignation. This and other incidents have meant that cybercrime and cyber security are understandably becoming very much a focus of the boardroom.

THE KYC/AML LANDSCAPE AND DATA SECURITY
Traditionally a banker would be expected either to know their clients personally or to have them introduced by someone who did. Globalization has provided the opportunity for organizations to do business anywhere and with anyone. However, with opportunity has come the challenge of having to navigate jurisdictions they are not familiar with in order to undertake know your customer checks.

At the same time, knowing exactly who you are doing business with has become more crucial than ever in the wake of significant events like 9/11 and the financial crisis. Recent reports of hefty fines for non-compliance demonstrate the stance that regulators are taking and their expectation that organizations exercise the appropriate level of due diligence. Banks and FIs (in an attempt to avoid financial and reputational damage) are taking what they believe to be the necessary steps to demonstrate that they take their responsibilities seriously. Unfortunately, in the absence of a defined anti-money laundering (AML) standard, this has resulted in them requesting increasing volumes of information from their clients. In addition, the lack of a defined standard results in banks interpreting legislation in different ways, leading to further requests for information from their clients. Whilst this is understandable (indeed necessary, given the current climate and lack of a standard), it has resulted in corporates facing myriad challenges: not only are large amounts of time and effort needed to collect, validate, store and maintain the vast quantities of information being requested at any one time, but there are also very real risks surrounding the security of this strictly confidential data.

DATA SECURITY RISKS
There are three risk stages to be aware of when trying to ensure the confidentiality, integrity and availability of your sensitive personal data:

[Figure: data lifecycle (creation, usage, transmission, preservation, retirement) mapped against the three risk stages below]

DATA IN USE: data when in use at the endpoint (e.g. laptops, workstations)
DATA IN MOTION: data when transmitted outside of the secure network (e.g. email, web)
DATA AT REST: data in storage (e.g. file shares, databases)

[i] http://www.pwc.com/gx/en/economic-crime-survey/

DATA IN USE
This is typically data when it is in the process of being created by an organization or worked on by the FI within their corporate networks. Areas for concern in this stage might come from physical theft, incorrect data being input and insecure destruction of physical copies once electronic versions are created.

DATA IN MOTION
This stage relates to the risks to data when it is being transferred between the organization and the FI. Transmission channels include sending via email, sending either hard copy or a version transferred to USB/CD/DVD in the post, or uploading to internet sites. Ensuring the secure delivery of confidential documents to the correct recipient can create challenges. Current methods are often neither efficient nor secure: frequently material is sent unencrypted via e-mail or post. Donna Goddard, an information security professional at Thomson Reuters, says, "You don't always need to have hard copies of material; electronic copies, as long as they can be independently validated, are acceptable for most situations. However, because a lot of regulations governing AML and KYC were written before the digital age, some FIs still insist on original documentation, especially in regions such as Asia and Africa." This is problematic because documents commonly get lost or delivered to the incorrect person. James Kelly, Head of Treasury at Rentokil Initial, comments, "My team can spend the whole day checking with postal couriers to see if the documents were received by the correct person." Sending documents via email is not always secure either, as organizations may not have the correct procedures in place to ensure that information is sent securely. This information can be intercepted, but more often it is misdirected, for example when someone types in the incorrect email address.

DATA AT REST
This stage relates to the risks to data when it is being stored in databases or shared drives.
Once companies have ensured their documents have arrived securely at the FI, they retain little or no control over where and how this strictly confidential information is stored or who can access it. Corporates have to rely on their financial counterparties implementing appropriate controls to manage their information effectively: for example, encrypting data held in databases, implementing appropriate access management procedures and, in the event of a disaster, trusting that the FI has implemented robust disaster recovery and backup policies.

THE HUMAN FACTOR
A key theme running through each of the risk areas above is the human factor. No matter how advanced the control environment, the human element presents an opportunity for things to go wrong. For example, an organization could have the best security system in place, but if a member of staff accidentally left confidential information on their desk overnight for a colleague to see, this simple error could negate all of the technical controls in place. Organizations need to ensure that their employees are properly trained, not only in the most appropriate methods of managing confidential information (including, for example, data encryption) but also in simple processes such as how to create a secure work environment. Understanding basic concepts in relation to the quantity of data required for the KYC process is also crucial for both organizations and FIs. Limiting the amount of information held to that which is absolutely necessary reduces the cyber risk and makes it easier for FIs to comply with data protection legislation, which requires them to ensure that data held on a subject is current.

THE VALUE OF THE DATA AT RISK
The nature of the documents being requested by banks is often strictly confidential. For example, the documentation regularly required to open a single bank account could include the passports of all signatories; the names, addresses and dates of birth of all directors; and the certified Articles of Incorporation. If this information were to be leaked or stolen, it could have significant personal or business-critical consequences for the individuals and organization concerned, as seen in recent high profile cases. James Kelly comments further, "We have had instances where we have asked signatories for passports, utility bills and dates of birth and the directors have been quite concerned about how they are going to be sent and what we are going to do with the data. I think we owe a duty of care to our signatories and anyone we are sending data on behalf of."

THE CUSTOMER EXPERIENCE
In addition to dealing with myriad security risks around the provision of client identity documents, corporate treasurers are also often on the receiving end of poor customer service as a result of numerous bank requests. Banks and FIs have a legal obligation to comply with regulations, but they must strike a balance between compliance and a good customer experience. At a recent industry round table an excellent example was shared by Ed Gibson, the ex-chief cyber security advisor for Microsoft in the UK. This example of poor customer experience concerned the provision of client identity documents and the need to manage the security risk. As a US-based citizen, Gibson transferred money to his foreign FI in the UK and was contacted by email within 24 hours of the transfer. Suspecting a phishing attempt, he did not reply. A few days later a letter arrived by post from the FI requesting identity documentation by either post or email. He sent the information via email, but received no acknowledgement.
Two weeks later, he received another letter asking why he had not sent the requested information, upon which he contacted his UK branch and they advised that the documents had been received. Three weeks later, a further letter arrived requesting the documentation. Gibson comments, "The experience left me with several unanswered questions about who had my information and where my documents were being stored." It was undoubtedly an unsatisfactory customer experience.

TIME TO TAKE STOCK
It is clear from the above that current processes of document dissemination are neither delivering a favorable customer experience nor keeping pace with the need for heightened security in the face of growing cyber risk. This is further exacerbated by the fact that both cyber security risks and data protection legislation are evolving at a pace that many companies struggle to keep up with. Simply erecting a protective IT barrier may not be enough; sometimes the perpetrator comes from within or has access to an insider. Once again, it is the human element that potentially poses the greatest risk. On the other hand, fairly simple measures can go a long way towards mitigating risks. The UK Information Commissioner's Office (ICO) says that in many data breach cases, the measures which could have prevented the breach or reduced the level of harm to individuals would have been simple to implement. Corporate treasurers must therefore take stock, identify the full range of risks within their role and formulate a coherent plan to manage these risks.

TAKING STEPS TO MANAGE THE RISKS
When it comes to managing risk in the KYC/AML space, strategies will differ depending on organization type. Large FIs, for example, are in a position to call on specialized security functions. They can adopt a layered approach to information security, spanning technology, process and people-focused security mitigation programs. Larger firms can usually also access security technologies such as DLP (data loss prevention) or IDS (intrusion detection systems) across every endpoint or network interface. Smaller organizations, such as buy-side firms, may not have access to these resources and should consider how best to deploy their limited resources. Tom Lawton, Head of Risk at Thomson Reuters Org ID, comments, "In a previous security role, business leads often asked me where they should start and what the most important security measures were. I would always highlight five areas for them to focus on: a lockdown of base operating system builds to remove default settings and open services; security patching to keep defenses up to date; malware detection; strong passwords; and network segregation (layering the network to separate the highest and lowest value assets). This list would always be a starting point of how to build effective defenses."
Every firm should have an inventory of all physical devices, systems, software platforms and connections to external sources catalogued and available for inspection. There should also be a written information security policy that outlines who is responsible for security and the governance structure in place. Protection of firm networks and information is vital. This is a minimum requirement, but getting expert help may be the best way forward for many organizations. Goddard says, "When it comes to KYC and information security, organizations need to stop trying to do everything themselves, specialize in what they are good at and let experts in this field deliver workable solutions." She goes on to say, "One of the key things I would recommend an organization to do is leverage external parties that have the expertise that you need. Quite often the temptation is to try and muddle through with people internally, but this is not necessarily the cheapest option. If you partner with the right organization, they'll often be able to recommend ways in which you might be able to implement things that could save you money in the long run."

Technology and external partners are certainly available to help mitigate the cyber risk around the provision of client identity documents. KYC utilities and managed services can help organizations to distribute client identity documents securely through central repositories or portals. The concept of a central repository or portal offers several benefits. Firstly, data is stored securely: there are appropriate measures in place to ensure both physical and environmental security, as well as device security and malware protection. Solutions such as Thomson Reuters Org ID use industry-leading protocols to encrypt network communication for all sensitive traffic. In addition, with Org ID, information is stored in two data centers in the United Kingdom that are subject to European data privacy laws, the strongest privacy framework in the world.
When asked about the time-consuming challenge of keeping vast amounts of information up to date, Goddard responded, "When choosing an external partner, it is crucial to use an organization that is used to handling large amounts of data, processing it and storing it." Organizations should do their research and ensure that the third parties they work with have disaster recovery and backup plans and have been externally audited and assessed. This much is certain: cyber criminals will try to find a way to hack your information, so getting expert help could be an important advantage in helping organizations stay a step ahead.

CONCLUSION
In order to remain competitive, comply with legislation and protect their data, organizations should do the following:
- Implement a coherent security policy, which should be reviewed on a regular basis.
- Engage with internal and/or external auditors, as they are often an invaluable resource and can view their organization's security procedures with objective eyes.
- Undertake a full risk assessment and determine the likely implications of a security breach involving sensitive data. Board-level awareness and support of this exercise are crucial.[ii]
- Leverage the expertise of third parties to help you streamline processes and manage cyber risk.
- Finally, training is absolutely critical. Implementing the most effective security framework in the world will not be worth the paper it is printed on if employees are either unaware of its existence or do not know how to comply with it.

Sadly, cyber risks are here to stay and there is no silver bullet; it is just about managing risk in the best possible way. As Goddard says, "You should never be spending so much on security that your business does not exist." It takes a mixture of the appropriate processes, technologies and people to mitigate cybercrime; however, technology can help and has the added benefit of being able to demonstrate to regulators that an organization is taking cybercrime and security seriously. As Gibson commented, "The regulator will look favorably at any organization that has taken reasonable steps to help ensure the sanctity of their internal controls and security. That can't be overstated in my experience."

[ii] https://www.treasurers.org/under-attack

About the Authors

TOM LAWTON, HEAD OF RISK MANAGEMENT, ORG ID AT THOMSON REUTERS
As Head of Risk Management for Org ID, Tom's job is to ensure that the business can continually meet its customers' requirements for quality, compliance and resilience. Tom started his career in technology as a COBOL and Pascal programmer in financial services. He moved into the relatively new field of technology auditing in the 1990s, working for the Bank of England, then Reuters. During this time Tom was posted to New York and Singapore. Prior to his current role, Tom was Chief Information Security Officer for Thomson Reuters Markets from 2008-2012 and Head of Technology Assurance from 2012-14.

DONNA GODDARD, ISRM BUSINESS LEAD, THOMSON REUTERS
Donna Goddard is an information security professional with over 20 years' experience in investment banking technology and over 10 years in information security. Donna is a proven thought leader who actively participates in key information security forums. Donna has subject expertise in many aspects of information security including data leakage protection, identity and access management, risk management and relationship management.

EDWARD P GIBSON, ESQ., CEO/FOUNDER, EMBASSY ATTACHÉ GROUPS
Ed, a Vietnam-era veteran (Army-Airborne), began his professional career as an Attorney in the Office of General Counsel, Amway Corporation, based in Michigan, USA. In 1985 he was appointed as a Special Agent, Federal Bureau of Investigation (FBI). He served in various FBI Field Offices investigating complex frauds and espionage matters (CIA/FBI agents turned traitors), and at FBI Headquarters in Washington, D.C., where he developed and led the first-ever Operational Asset Forfeiture / Anti-Money Laundering training program for all FBI Special Agents, backed by a DOJ multi-million dollar training budget. In 2000 Ed was assigned to the FBI's flagship overseas post, the American Embassy in London, as an Assistant Legal Attaché (Diplomat), where he had primary oversight over all FBI cyber-investigations in the U.K. and Republic of Ireland. He was named Acting Legal Attaché, Riyadh, Saudi Arabia in 2003, and subsequently returned to the London Embassy. In 2005, Ed completed his 20-year FBI career and was headhunted by Microsoft to be the first former FBI Agent to hold the role of Chief Cyber-Security Advisor and Senior Risk Spokesperson in the U.K. In addition to establishing Microsoft's first-ever computer forensics training program for Police Constables and a Chief Information Security Officer (CISO) Council comprised of CISOs representing over 30 global companies, Ed gave over 250 presentations to commercial companies, government agencies and customer groups around the world on operating-system and software security, cyber safety, and Microsoft's unwavering commitment to product security. In 2010 Ed returned to the Washington, D.C. metropolitan area and joined the PricewaterhouseCoopers Cyber Centre of Excellence. In 2013, Ed moved to consultancy Alvarez & Marsal, LLC, Washington, D.C., to help establish a dedicated global cyber security division. In late 2014 Ed founded the Embassy Attaché Groups, anticipating a launch in late 2015. While in the U.K. Ed achieved the CISSP certification, qualified as a Solicitor in England and Wales, completed a two-year computing Diploma at Oxford's Kellogg College, was named a Fellow of the British Computer Society (FBCS), and in 2010 was inducted into the Information Security - Europe Hall of Fame.
RISK MANAGEMENT SOLUTIONS FROM THOMSON REUTERS
Risk Management Solutions bring together trusted regulatory, customer and pricing data, intuitive software and expert insight and services, an unrivaled combination in the industry that empowers professionals and enterprises to confidently anticipate and act on risks and make smarter decisions that accelerate business performance. For more information, contact your representative or visit us online at risk.thomsonreuters.com

2015 Thomson Reuters GRC03174/7-15