Data Breaches and Cyber Risks


Data Breaches and Cyber Risks
MD/DC Credit Union Association 2015 Volunteer Leadership Conference
Presented by: Ken Otsuka, Business Protection Risk Management, CUNA Mutual Group
CUNA Mutual Group Proprietary. Reproduction, Adaptation or Distribution Prohibited. 2014 CUNA Mutual Group, All Rights Reserved.

Data Breaches: How Do They Happen?
Network hackers and malware
Employee negligence / theft
Lost / stolen laptops, backup tapes / disks and other data-bearing mobile devices
Vendor leaks / mistakes

Data Breaches
Financial risk
Compliance / legal risk
Reputation risk
A data breach can result in more than lost data. It can damage the credit union's reputation, shake member trust, and cost tens of thousands to repair.

Agenda
Board's role in data security
Data breach studies by the Ponemon Institute, Verizon, Mandiant and PricewaterhouseCoopers (PwC)
Data breach insurance claims study by NetDiligence
Best practices for securing members' confidential data
Mobile devices
Assessment tools:
  National Institute of Standards and Technology's (NIST) Cybersecurity Framework
  Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool

Boards Have a Duty to Protect Member Data
NCUA Rules & Regulations 748 and its Appendices A and B spell out the credit union's responsibilities for protecting sensitive member data.
Appendix A implements the Gramm-Leach-Bliley (GLB) Act's safeguards rule and requires credit unions to develop a written information security program (ISP) that will:
  Ensure the security and confidentiality of member information;
  Protect against anticipated threats to the security and integrity of such information; and
  Protect against unauthorized access to, or use of, such information that could result in substantial harm to members.
The board is responsible for overseeing the development, implementation and maintenance of the ISP, and for approving it.
The ISP must contain an incident response plan (IRP), addressed in Appendix B; the board is responsible for the IRP.
Management must report to the board at least annually on the overall status of the written information security program.

Ponemon Institute: Is Your Company Ready for a Big Data Breach?
Cybersecurity Preparedness: The Good, The Bad and The Ugly
The Good
  73% of the organizations have an incident response plan in place, compared to 61% in last year's study
The Bad
  78% of the organizations say they either don't review and update their incident response plan or have no set timeframe for doing so
  Only 30% of the respondents say their organizations are effective or very effective in developing and executing their incident response plan
  56% of the organizations do not perform a risk assessment on their information systems to identify vulnerabilities
  Only 54% of the organizations have training and security awareness programs
  Only 34% of the organizations train customer service representatives on how to respond to questions in the event a breach occurs
Source: Ponemon Institute's 2014 study, Is Your Company Ready for a Big Data Breach?

Ponemon Institute: Is Your Company Ready for a Big Data Breach?
The Ugly
  43% of the organizations experienced a data breach involving a theft of more than 1,000 records
  60% of the organizations experienced more than one data breach during the last two years
  Only 41% provide for either continuous monitoring (20%) or daily monitoring (21%) of their information systems for suspicious/anomalous traffic
  44% say they either never monitor their information systems (28%) or are unsure if monitoring takes place (16%)

Verizon 2015 Data Breach Investigations Report
External threats far exceed internal threats and partner threats.
Source: Verizon 2015 Data Breach Investigations Report

Verizon 2015 Data Breach Investigations Report
Malware distributed in spear phishing attacks
In a controlled study, 150,000 emails were sent; 50% of the recipients opened the email and clicked on the link within the first hour.
Source: Verizon 2015 Data Breach Investigations Report

Mandiant's 2015 M-Trends Report
Early Detection is Critical
Source: Mandiant 2015 M-Trends Report

PwC's Global State of Information Security Survey 2015
Total number of security incidents reported by respondents climbed to 42.8 million, the equivalent of 117,339 incoming attacks per day.
Security incidents reported by respondents, by year:
  2012: 24.9 million
  2013: 28.9 million
  2014: 42.8 million
Security incident: The National Institute of Standards and Technology (NIST) defines a security incident as a violation of computer security policies, acceptable use policies, or standard practices. These include, but are not limited to:
  Attempts (failed or successful) to gain unauthorized access to a system or its data
  Unwanted disruption or denial of service
  Unauthorized use of a system for the processing or storage of data
  Unauthorized changes to system hardware or software
Source: PwC Global State of Information Security Survey 2015

Malware's Role in Data Breaches
Data breaches are frequently the result of credential-stealing malware
  Distributed in spear phishing attacks
  Tool of choice in Advanced Persistent Threat (APT) attacks
What's an Advanced Persistent Threat (APT) attack?
  Malware planted on the network via a spear phishing attack
  Establishes communication with a command & control server
  Moves slowly about the network searching for sensitive data to steal and the credentials necessary to access that data
  Sensitive data is extracted using encryption and other techniques to disguise it
APT attack stages (from the slide diagram): Intelligence Gathering; Point of Entry; Establish Communication with C&C; Lateral Movement through Network; Data Discovery; Data Exfiltration

NetDiligence 2015 Cyber Liability & Data Breach Insurance Claims
Per breach costs
  Average payout: $673,767
  Median payout: $76,984
Per record costs
  Average cost per record: $964.31
  Median cost per record: $13.00
  Average records lost: 3.16 million
  Median records lost: 2,300
Crisis service costs
  Average cost of crisis services: $499,710
  Median cost of crisis services: $60,563
  Crisis services include the cost of forensics, legal counsel guidance, notification and credit monitoring
Legal costs
  Average cost of legal defense: $434,354
  Median cost of legal defense: $73,600
  Average cost of settlement: $880,839
  Median cost of settlement: $50,000
Source: NetDiligence 2015 Cyber Liability & Data Breach Claims Study

Why the Problem?
Intrusion detection and network monitoring are weak
  Malware
Lack of encryption
Websites are porous and need constant care
  Hardening and patching
Cyber thieves take advantage of human error
  Unchanged default settings
  Failing to install patches
  Failing to protect laptops
  Improper disposal of paper records
  Weak passwords

Best Practices: Protect data wherever it is located (at rest, in motion, in use)
Encryption
  Data residing on the network (servers, workstation hard drives and laptops)
  Data residing on mobile devices
  Backup tapes/disks
  Data transmitted over the Internet and in emails
Endpoint security
  Protects the endpoints (devices) connected to the credit union network
  Includes typical protections such as a firewall and antivirus/antimalware
Block access to personal email accounts
Spam and web filters
Intrusion detection system (IDS) / intrusion prevention system (IPS)
Install operating system patches when made available

Best Practices: Protect data wherever it is located (at rest, in motion, in use)
Vulnerability assessments
Penetration testing
Monitor system logs
Disable / lock down workstation USB ports and CD-ROM drives
  Helps prevent insider theft of confidential member data
Data loss prevention (DLP) solution
  Identifies, monitors, and protects data at rest, in motion, and in use
  DLP tools allow credit unions to see which databases, file servers, desktops and laptops hold sensitive data
  Identifies when someone is transmitting data via email or downloading to external storage devices
Third-party reviews of network security
Secure paper records

Best Practices: Protect data wherever it is located (at rest, in motion, in use)
Accessing network/systems remotely
  Telecommuters working from home
  Third-party vendors
Remote Access Best Practices
  Prohibit remote employees from using home computers to access the network
  Establish a virtual private network (VPN)
    A VPN is a network that uses the Internet to provide remote employees with secure access to the credit union's network
  Prohibit employees from using unsecure wireless networks (public Wi-Fi)
  Require multifactor authentication, not just usernames and passwords
    One-time-password tokens
    Plug-in tokens

Mobile Devices: Tablets / Smartphones
Credit union issued versus employee use of personal devices (BYOD)
  Both should be secured
  Secure the business side of the device (sandboxing), e.g., Good Technology, MaaS360
  Adopt an acceptable use policy
Mobile Devices Used for Business Purposes
  Antivirus software
  Password protect the device / time-out feature to lock the device
  Remote wipe capability
  Prohibit employees from storing confidential member data on the device
    If it is necessary to store such data on the device, the data should be encrypted
  Encrypt confidential member data transmitted in emails
Does your credit union issue tablets or laptops to directors to receive board meeting packets?

Data Breaches: Employee Negligence
Credit union discovered malware on at least 24 workstation PCs
  Malware captures screen shots
  Social Security numbers, account information and transaction records for 115,000 accountholders (members) may have been compromised
Credit union employee accidentally published a file on the credit union's public-facing website
  File contained member names, addresses, Social Security numbers, account numbers and account passwords
Credit union employee accidentally emailed a spreadsheet to a member
  Spreadsheet contained member names and account numbers
Credit union employee's laptop stolen from vehicle
  Contained unencrypted sensitive data (names, addresses, SSNs and account numbers) on 45,000 members
Source: CUMIS Insurance Society, Inc.

Data Breaches: Vendor Negligence
Credit union uses third-party vendor to mail monthly account statements
  Members received their correct statements plus a portion of statements belonging to other members
Credit union downloaded confidential member data to a thumb drive for their outside auditor
  Auditor lost the thumb drive in a public park while watching son's football game
  14,500 members impacted
Source: CUMIS Insurance Society, Inc.

Security Awareness Training
Must be addressed in the credit union's information security program
All employees should receive training on at least an annual basis
The goal is to change employee behavior to reinforce good data security practices

Malware Beyond Theft of Data: Carbanak Malware
Targeted 100 financial institutions in 30 countries, including the U.S.
Losses per institution ranged from $2.5M to $10M
Funds stolen from institutions, not from depositor accounts
Distributed via phishing attacks
Sought out employees with administrative rights
Performed reconnaissance (video) to learn details of the third-party EFT systems used
Logged into third-party EFT systems to transfer funds to other institutions
Source: Kaspersky Lab, The Great Bank Robbery: The Carbanak APT

The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)

NIST's Cybersecurity Framework: Background
President Obama issued Executive Order 13636 (Improving Critical Infrastructure Cybersecurity) in 2013
  Directed the National Institute of Standards and Technology (NIST) to spearhead the development of a framework to reduce cyber risks to critical infrastructure
NIST published the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) in 2014
Critical Infrastructure is defined in Presidential Policy Directive 21 (Critical Infrastructure Security and Resilience) to include the following industry sectors:
  Chemical
  Commercial facilities
  Communications
  Critical manufacturing
  Dams
  Defense industrial base
  Emergency services
  Energy
  Financial services
  Food and agriculture
  Government facilities
  Healthcare and public health
  Information technology
  Nuclear reactors, materials and waste
  Transportation systems
  Water and wastewater system

NIST's Cybersecurity Framework: What is it?
Collection of best practices, procedures and guidelines developed in partnership by the government and private sector to manage cyber risk
Relies on industry standards and best practices (e.g., ISO and COBIT)
Intended to be used by organizations of all sizes to evaluate, maintain and improve security over information systems
  Not a one-size-fits-all approach
Enables credit unions to understand how their cybersecurity risk management processes stack up against the ideal standards addressed in the Cybersecurity Framework
Promotes participation in information sharing groups, such as FS-ISAC
Participation is voluntary

Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool

Cybersecurity Assessment Tool
Launched by the FFIEC on June 30, 2015: www.ffiec.gov/cyberassessmenttool.htm
Assists credit unions in identifying their risks and determining their cybersecurity preparedness
Developed specifically for financial institutions based on the results of the cybersecurity assessments conducted by FFIEC member agencies, piloted in 2014
A better option for credit unions than NIST's Cybersecurity Framework
Designed to provide a measurable and repeatable process to assess a credit union's level of cybersecurity risk and preparedness
CUNA Mutual Group highly recommends using the Cybersecurity Assessment Tool

Cybersecurity Assessment Tool
Completing the Cybersecurity Assessment Tool is a three-step process:
  Step 1: Determine Inherent Risk Profile
  Step 2: Determine Cybersecurity Maturity Level
  Step 3: Analyze Results

Step 1: Inherent Risk Profile
The Inherent Risk Profile (IRP) identifies a credit union's inherent risk before implementing controls
IRP identifies the amount of risk posed to a credit union based on the types of products, services and activities, and the volume and complexity of the credit union's operations, in five categories:
  Technologies and connections
  Delivery channels
  Online/mobile products/services
  Organizational characteristics
  External threats
Includes five risk levels:
  Least Inherent Risk
  Minimal Inherent Risk
  Moderate Inherent Risk
  Significant Inherent Risk
  Most Inherent Risk

Step 2: Cybersecurity Maturity
Determine the credit union's Cybersecurity Maturity level across five domains:
  Cyber Risk Management and Oversight
  Threat Intelligence and Collaboration
  Cybersecurity Controls
  External Dependency Management
  Cyber Incident Management and Resilience
Five levels of Cybersecurity Maturity:
  Baseline (lowest level)
  Evolving
  Intermediate
  Advanced
  Innovative (highest level)
Source: FFIEC

Step 2: Cybersecurity Maturity: Components and Declarative Statements
Within each component are declarative statements
Declarative statements are the minimum regulatory guidelines that must be attained and sustained for that level of maturity
Credit unions must satisfy all declarative statements for each maturity level, and previous levels, to achieve that domain's maturity level
Indicate whether the credit union satisfies each declarative statement
Source: FFIEC

Step 2: Cybersecurity Maturity (Baseline)
Some credit unions may have trouble qualifying for the Baseline Cybersecurity Maturity Level
The controls needed to achieve the Baseline maturity level are consistent with the minimum guidelines contained in the FFIEC's IT Examination Handbook
Credit unions must meet the minimum guidelines to be placed in the Baseline maturity level
The effects are cumulative in that all declarative statements in each maturity level, and previous maturity levels, must be attained and sustained to achieve that domain's maturity level.

Step 3: Analyzing Results
As inherent risk rises, so too should maturity levels
If a credit union's maturity levels are not aligned with the inherent risk profile:
  Management should consider reducing inherent risk, or
  Develop a strategy to improve the maturity levels by adopting controls needed to meet the declarative statements required to achieve a higher maturity level
Chart legend (risk/maturity relationship): Over-investment in cybersecurity preparedness; Be in the blue; Danger zone: policies, procedures and controls are not sufficient given the Inherent Risk Profile
Source: FFIEC
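The cumulative maturity rule from Step 2 and the risk-versus-maturity comparison from Step 3, written out as a small model. This is an added illustration, not FFIEC or CUNA Mutual code; the declarative statements, the answers and the single-diagonal alignment rule are constructed assumptions, and a statement answered None is treated as "not applicable".

```python
"""Toy model of the two scoring rules the FFIEC Cybersecurity Assessment Tool
slides describe: (1) a domain's maturity level is the highest level whose
declarative statements, and those of every lower level, are all satisfied;
(2) that maturity is then compared with the Inherent Risk Profile.

Added illustration, not FFIEC or CUNA Mutual code. The statements, answers and
the single-diagonal alignment rule below are constructed assumptions.
"""
from typing import Optional

MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# Answer to one declarative statement. Assumption: None means "not applicable"
# (like the "*N/A if mobile devices are not used" note) and does not block a level.
Answer = Optional[bool]
Domain = dict[str, list[Answer]]  # maturity level -> answers to its statements


def level_satisfied(answers: list[Answer]) -> bool:
    """A level is satisfied when every applicable statement is answered True."""
    return bool(answers) and all(a in (True, None) for a in answers)


def domain_maturity(domain: Domain) -> Optional[str]:
    """Highest maturity level attained for one domain, or None if Baseline is
    not met. Levels are cumulative: the first unsatisfied level blocks all above
    it, even if a higher level's own statements happen to be satisfied."""
    attained = None
    for level in MATURITY_LEVELS:
        if not level_satisfied(domain.get(level, [])):
            break
        attained = level
    return attained


def alignment(inherent_risk: str, maturity: Optional[str]) -> str:
    """Classify maturity against inherent risk. Assumption: a simplified rule in
    which the maturity index should equal the risk index; lower is the 'danger
    zone' from the slide, higher is 'over-investment', equal is 'aligned'."""
    risk_idx = RISK_LEVELS.index(inherent_risk)
    mat_idx = -1 if maturity is None else MATURITY_LEVELS.index(maturity)
    if mat_idx < risk_idx:
        return "danger zone"
    if mat_idx > risk_idx:
        return "over-investment"
    return "aligned"


def assess(domains: dict[str, Domain], inherent_risk: str) -> dict[str, tuple[Optional[str], str]]:
    """Maturity and alignment verdict for every domain of one credit union."""
    results = {}
    for name, domain in domains.items():
        maturity = domain_maturity(domain)
        results[name] = (maturity, alignment(inherent_risk, maturity))
    return results


# Constructed answers for Domain 3 (Cybersecurity Controls). The first two
# Baseline statements paraphrase the examples quoted on the slides; everything
# else is a placeholder standing in for the tool's real statements.
DOMAIN3_EXAMPLE: Domain = {
    "Baseline": [
        True,   # remote access uses encrypted connections and multifactor authentication
        None,   # mobile devices encrypted if storing confidential data: N/A, none issued
        True,   # placeholder statement
    ],
    "Evolving": [True, False],     # one Evolving statement not yet attained
    "Intermediate": [True, True],  # satisfied, but cannot count: Evolving has a gap
    "Advanced": [False],
    "Innovative": [False],
}

if __name__ == "__main__":
    report = assess({"Cybersecurity Controls": DOMAIN3_EXAMPLE}, "Moderate")
    for domain, (maturity, verdict) in report.items():
        print(f"{domain}: maturity={maturity}, vs Moderate inherent risk -> {verdict}")
```

With the constructed answers the domain stops at Baseline because of the Evolving gap, so a Moderate inherent risk profile lands in the danger zone even though the Intermediate statements are all met.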

Additional Thoughts and Comments
Piggybacking on FFIEC joint statements:
  Cyber Attacks Compromising Credentials and Destructive Malware (March 30, 2015)
  Cybersecurity Assessment General Observations and Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement (November 3, 2014)
Domain 3, Cybersecurity Controls, could be the most important domain and the most difficult for many credit unions to achieve even the Baseline maturity level
  Domain 3 is the largest part of the Assessment
  Examples (declarative statements for Baseline maturity level):
    Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) (FFIEC Information Security Booklet, page 51)
    Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. (FFIEC Information Security Booklet, page 45)
Domain 2, Threat Intelligence and Collaboration, is a short but major part of the Assessment
  Organizations participating in FS-ISAC are in a much better position to defend against cyber attacks

CUNA Mutual Group's Collaboration with FS-ISAC
Credit unions that have or purchase a cyber liability insurance policy through CUNA Mutual Group may be eligible for a discount on the basic membership (new memberships and renewals)
Visit CUNA Mutual Group's dedicated web page to learn more: https://www.cunamutual.com/products/credit-union-protection/cyber-and-securityincident/fs-isac

Session Summary
Information theft is one of today's most common forms of fraud
Given the financial, legal, and reputational risks of a data breach, failing to prepare can be a disaster
Take proactive steps to prevent incidents from occurring in the first place
Protection Resource Center @ www.cunamutual.com

Questions & Answers
Ken Otsuka, CPA
Senior Consultant - Risk Management, CUNA Mutual Group
Email: kenneth.otsuka@cunamutual.com

Disclaimer
This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond.

Credit Union Loss Scenarios Case Studies
The credit union loss scenario claim study examples do not make any representations that coverage does or does not exist for any particular claim or loss, or type of claim or loss, under any policy. Whether or not coverage exists for any particular claim or loss under any policy depends on the facts and circumstances involved in the claim or loss and all applicable policy language.

CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers' needs. For example, the Workers Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be underwritten by Beazley Insurance Group.

This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.
CUP-9053301.1-0414 CUNA Mutual Group, 2015 All Rights Reserved
