Managing the Operational Risk of Our Bank

Managing Operational Risk
Has your organizational leadership ever made any of the following comments?
- "The Board wants us to focus on risk management since we've received unfavorable ratings."
- "I don't see why we need to address cybersecurity in our business contingency plan."
- "We can put together a risk assessment after we select the new vendor/product."
- "We have a Strategic Plan, what do you mean we need a technology plan?"
If you're silently saying "Yes" to these questions, your organization likely needs to address the management of your bank's operational risk.

Managing Operational Risk
The first step to better risk management is acknowledging the reality and existence of operational risks. Eliminate the uncertainty that it can't or won't happen, because it can and it might! No institution is immune to the effects of industry risks and regulatory pressure.

Managing Operational Risk
Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
Operational Risk certainties:
- Fundamentally different from all other risks: it's embedded in every activity and product of an institution, and is harder to measure, model, and eliminate than conventional risks.
- Becoming a larger portion of the overall risk pie. According to a recent OCC review of examined banks, operational risk has overtaken credit risk as the most important risk type.
- A prerequisite for strong performance.

Managing Operational Risk
Operational Risk categories:
- Internal Fraud
- External Fraud
- Employment Practices and Workplace Safety
- Clients, Products, and Business Factors
- Damage to Physical Assets
- Business Disruption and System Failures
- Execution, Delivery, and Process Management

Managing Operational Risk
Importance has grown as banks' operational environments face increased challenges:
- The combination of evolving cyber threats and newly identified information technology vulnerabilities
- More sophisticated and proficient attacks compromising employee, third party, and system credentials to gain access, install malicious software, steal sensitive information, and operate inside systems for extended periods without detection
- Breaches at nonfinancial firms directly and indirectly impacting costs to banks
- Shifts in business models and renewed global market volatility
- Changes in consumer behavior coupled with a significant focus on consumer protection

Managing Operational Risk
Some emerging risks to consider:
- Shifts in Business Models
- Third Party Relationships
- Bring Your Own Device (BYOD)
- Cybersecurity and Data Protection
- Expansion into Growth Markets
- New Product Innovation

Shifts in Business Models
- Business models are under increasing pressure as bankers seek to launch new products, use IT automation, reduce staffing, and reengineer business processes
- Changing business strategy can involve the bundling of products and services, or new bank roles as agent between consumers and merchants
- Competition from nonbank entities that are expanding into traditional banking areas

Third Party Relationships
The bank should focus on all phases of risk management, including planning, due diligence, internal controls, reporting, contract negotiations, and ongoing monitoring, before partnering with a vendor.

Cybersecurity and Data Protection
In Nov. 2014, the FFIEC released the results from its cybersecurity examinations, which included 500 community financial institutions:
- Examined: bank reviewed inherent risk associated with multiple points of entry, including VPNs, wireless networks, and bring your own device
- Finding: insufficient focus on the interconnectedness of cyber risk
- Recommendation: strengthen the first line of defense, increase third party reviews, and improve board communications
- Result: increased regulatory scrutiny and expectations extending beyond the IT dept.

Cybersecurity and Data Protection
Maintain heightened awareness and appropriate resources to identify and mitigate cyber threats and vulnerabilities, and incorporate cyber-resilience planning and controls into business continuity planning and testing.

Themes
- Hackers have monetized their activity
- More hacking
- More hands-on effort
- More sophistication
- Hackers targeting business customers
- Smaller organizations targeted
- Social engineering on the rise
- Email SaaS, web-based malware, DDoS protection

Three Largest Cyber Fraud Trends
- Organized Crime: wholesale theft of personal financial information
- CATO (Corporate Account Takeover): use of online credentials for ACH, CC and wire fraud
- Ransomware: your data held for ransom

Thefts of PFI
- Target
- Sally Beauty
- Community Health Systems
- Dairy Queen
- Home Depot
- Neiman Marcus
- Harbor Freight
- University of Maryland
- Goodwill
- Jimmy Johns
- Olmsted Medical Center
- University of Indiana

Stolen Card Data
- Carder or Carding websites
- Dumps vs CVVs
- A peek inside a carding operation: http://krebsonsecurity.com/2014/06/peek-inside-a-professional-carding-shop/

Credit Card Data For Sale

What is Corporate Account Takeover Fraud?
Corporate Account Takeover (CATO) fraud is "a form of corporate identity theft whereby cyber thieves gain control of a business's bank account by stealing employee passwords and other valid credentials." (Iowa Division of Banking CATO guidance)
Transactional electronic banking services moving money in or out of the bank:
- Bill pay
- Online ACH origination
- Online wire transfer initiation
- Remote Deposit Capture/Mobile Deposit Capture
- A2A/B2B/B2P

Cyber Crime Risks and Prevention Strategies
Cyber Crime: Corporate Account Takeover Fraud
"60 percent of small businesses will close within six months of a cyber security attack." (National Cyber Security Alliance)

Mitigation Themes
- Employees who are aware and savvy (soc test)
- Networks resistant to malware (DiD, defense-in-depth, strategy)
- Relationships with vendors validated and risk assessed
- Business customers' use of online tools maximized

Risk Mitigation for Online Banking
- Limit administrative control on the banking account
- Do NOT use the master account to perform standard banking activities
- Create segregation of duties and delegate responsibilities:
  - Initiation/request
  - Authorization
  - Review (might be part of authorization, might be an independent review later)
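A minimal model of the segregation of duties described above, written as an added example for this page (not the bank's or any vendor's code): the master login can only administer and never moves money, a payment order needs an initiator and a different approver (the dual control the later Choice Escrow case turns on), and an independent reviewer flags anything released without that second pair of hands. Role names, user names and amounts are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Role(Enum):
    MASTER = "master"        # administrative login: manages users, never moves money
    INITIATOR = "initiator"  # may create a payment order (ACH, wire, bill pay)
    APPROVER = "approver"    # may release an order that someone else created
    REVIEWER = "reviewer"    # may audit released orders after the fact

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

@dataclass
class PaymentOrder:
    order_id: str
    kind: str               # "ach", "wire" or "billpay"
    amount: float
    initiated_by: Optional[str] = None
    approved_by: Optional[str] = None
    released: bool = False

class ControlViolation(Exception):
    """Raised when an action would break the bank's segregation of duties."""

def _require(user: User, role: Role) -> None:
    # The master/administrative account is never allowed to touch money movement.
    if Role.MASTER in user.roles:
        raise ControlViolation(f"{user.name}: master account may not move money")
    if role not in user.roles:
        raise ControlViolation(f"{user.name}: lacks the {role.value} role")

def initiate(order: PaymentOrder, user: User) -> PaymentOrder:
    _require(user, Role.INITIATOR)
    if order.initiated_by is not None:
        raise ControlViolation(f"{order.order_id}: already initiated")
    order.initiated_by = user.name
    return order

def approve(order: PaymentOrder, user: User) -> PaymentOrder:
    _require(user, Role.APPROVER)
    if order.initiated_by is None:
        raise ControlViolation(f"{order.order_id}: nothing to approve")
    if user.name == order.initiated_by:  # dual control: one stolen login cannot do both
        raise ControlViolation(f"{order.order_id}: approver must differ from initiator")
    order.approved_by = user.name
    order.released = True
    return order

def review(orders: List[PaymentOrder], reviewer: User) -> List[str]:
    # Independent later review: flag released orders that show no second pair of hands.
    if Role.REVIEWER not in reviewer.roles:
        raise ControlViolation(f"{reviewer.name}: lacks the reviewer role")
    return [o.order_id for o in orders
            if o.released and o.approved_by in (None, o.initiated_by)]
```

With this workflow a single phished credential can at most create an order, not release it, which is exactly the exposure the CATO slides describe.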

Risk Mitigation for Online Banking
- Meet with your insurance agent to understand what, if any, cyber liability coverage is in place or can be acquired; understand limitations and exclusions
- Perform a risk analysis of the (electronic) banking function at least annually, reviewing the following:
  - AV and anti-malware software function
  - Patch/update management
  - How other roles/responsibilities/activities of staff interact/intersect with banking responsibilities

Corporate Account Takeover
- Catholic church parish
- Hospice
- Collection agency
- Main street newspaper stand
- Electrical contractor
- Public school district
- Health care trade association
- Rural hospital
- Mining company
- On and on and on and on

How do CATO fraudsters break in?
- Email phishing: entry for Trojans and other malware
- Weak passwords ("password", "12345678")
- Poor computer upkeep: do not understand risk; patching, antivirus
- "It won't happen to us/we're small"
- No ISP
- Lack of training

Case Study: County Hospital System, October 2012 to January 2013
- Bank customer (hospital) gets hacked/phished
- Two ACH payroll files totaling > $150,000
- Lessons learned

CATO Lawsuits - UCC
"A payment order received by the [bank] is effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer."

CATO Lawsuits - UCC
- Parties: Tennessee Electric vs. TriSummit Bank
- How much? $327,804 stolen via ACH through CATO
- Method: Internet banking site was down (DOS?)
- Basis: Tennessee Electric asserting TriSummit processed a bogus ACH file without any call back

CATO Lawsuits - UCC
- Parties: Choice Escrow vs. BancorpSouth
- How much? $440,000 stolen via a single wire through CATO
- Defense: CE passed on dual control offered by the bank
- Decision: Court ruled in favor of the bank; CE attorneys failed to demonstrate the bank's procedures were not commercially reasonable

Ransomware
- Malware encrypts everything it can interact with, i.e. anything the infected user has access to
- CryptoLocker
- Kovter (also displays and adds child pornography images)
- May 20, 2014: ransomware attacks doubled in the last month (7,000 to 15,000): http://insurancenewsnet.com/oarticle/2014/05/20/cryptolocker-goes-spear-phishing-infections-soar-warns-knowbe4-a-506966.html

Ransomware
Working (tested) backups are key.

Bring Your Own Device
- Increase in allowance of employees and third parties to access systems (at the bank and at the vendor) from personal devices, such as mobile phones and tablets.
- Creates opportunities for credentials to be stolen and for bank systems to be infected with malware.
- In many instances, banks and third parties do not promptly resolve high risk vulnerabilities that are identified by detective controls.

Managing Operational Risk
Expansion into Growth Markets and/or Products:
- Bank Secrecy Act and anti-money laundering risks prevail and in some cases are increasing
- Management succession planning and retention of key employees
- Lack of strategic plan execution

Managing Operational Risk
New Product Innovation: contemplated changes to business models and responses to strategic opportunities, such as the introduction of new or revised business products, processes, or delivery channels.

Managing Operational Risk
How can we better manage these risks?
- Enhanced Governance
- Promote Strategic Planning
- Improve Vendor Management
- Practice Change Management
- Invest in Risk Mitigation
- Meet New Capital and Liquidity Requirements

Managing Operational Risk
Enhanced Governance:
- Develop a risk awareness culture throughout the organization
  - Set the tone at the top
  - Review compensation schemes and recruiting programs
- Improvements to Board oversight
  - Seek out individuals with knowledge in emerging operational risks, cyber risk, technology, and compliance
  - Spend time on risk education and improving the overall knowledge of the operational/technical environment
- Incorporate cybersecurity into overall governance, risk management, and strategic planning processes

Managing Operational Risk
Promote Strategic Planning:
- Whether it's simplifying operations, changing business processes, or implementing new products, these decisions should be part of an overall strategic plan
- Determine how new business models will evolve within individual business lines and enterprise wide
- Consider emerging risks and the bank's position in this transforming landscape

Managing Operational Risk
Improve Vendor Management:
- Increase focus on third party audits, paring down the number of contracted vendors and improving contract management.
- Consider consolidation in the number of vendors contracted by financial institutions to assist in cost reduction strategies.
- The number, nature, and complexity of foreign and domestic third party relationships continue to expand. Ensure oversight and monitoring is commensurate with the breadth, complexity, and criticality of the arrangements.
- Identify and monitor risks of third party relationships and ensure resilience against business disruption.

Managing Operational Risk
Practice Change Management:
- Enhance the implementation of change management programs and processes and ensure their effective monitoring
- It's all about People, Rules and Tools

Managing Operational Risk
Invest in Risk Mitigation:
- Perform risk assessments more frequently and prior to selection of new product/service lines.
- Invest in tools to help mitigate high to medium-high risk.
- Consider utilizing risk and control self assessments, key risk indicators, business process mapping, comparative analysis, and the monitoring of action plans.

Managing Operational Risk
Meet new capital guidelines (March 31, 2015 implementation):
- What will change for us?
- Will we be OK?
- More capital?
- Change in products?

Managing Operational Risk
As you continue to respond to the changing regulatory landscape, a fragile economy, and changing customer demands, don't take your eye off the ball when it comes to Operational Risk, unless you want to be hit in the face.