Ten Questions Your Board Should Be Asking About Cyber Security
Eric M. Wright, Shareholder

Eric Wright, CPA, CITP
- Started my career with Schneider Downs in 1983.
- Responsible for all IT audit and system implementation services provided by the firm.
- I have had the fortune of supporting a wide variety of clients in all industries.
- Graduated from Waynesburg College, magna cum laude, with a BS in Mathematics and Computer Science.
- Chair the PICPA IT Assurance Committee.
- Member of the AICPA sub-committee on privacy.
- Member of the firm's Financial Services Focus Group.

Agenda
- Recent History
- Fun Facts
- Risks Facing Financial Institutions
- 10 Questions Your Board Should Be Asking
- What Can You Do
- Questions

2014: Year of the Mega Breach
- Sony: shut down the company's IT systems for 2 weeks
- Target: 40 million credit cards stolen
- JP Morgan Chase: 83 million customers' data stolen
- eBay: 145 million records compromised
- Home Depot: 56 million credit cards stolen

Ponemon Security Study
- The average cost of a data breach has increased 15% to $3.5 million
- The average cost paid for each lost or stolen record that contained sensitive information increased more than 9%, from $136 to $145
- The average cost per lost record in the USA is $201

Fun Facts
- 1 in 10 US citizens is subject to identity theft
- If you make more than 70K, you are 2x more likely to be targeted
- In 2013, 13.1 million consumers were victims of identity theft
- 52% of all fraud involved on-line transactions
- Average time incurred to re-establish your identity: 330 hours

2009 Breaches by Type [chart]

2013 Breaches by Type [chart; categories: Stolen Documents, Improper Disposal, Email Disclosure, Unknown, Web-Based Hacks, Stolen Computer, Social Engineering, Hacking]

The Black Market Value of Data We Process
- Health Care Record: $50
- Credit Card: $2 to $15
- Social Security No.: $5 when packaged with a name
- Name and password to Bank Account: $1,000
- Verified Email Accounts: $0.50

A Quick Trip Down FFIEC's Memory Lane
- 7/15/1998: Emerging e-banking Technologies
- 11/28/2000: Technology Services Supplied by Outside Firms
- 10/21/2004: Revised e-banking and (IT) Audit Guidance
- 3/19/2008: Business Continuity Planning Released
- 1/14/2009: Remote Deposit Capture Technology
- 10/31/2012: Revised Technology Service Providers Guidance
- 6/6/2013: Working Group on Cybersecurity established
- 10/2/2013: FFIEC Supports Cybersecurity Awareness Month
- 5/7/2014: Cybersecurity Webinar for 5,000+ Mgmt Members
- 6/24/2014: FFIEC Launches www.ffiec.gov/cybersecurity.htm
- 7/1/2014: Cybersecurity Assessment Pilot Program Underway
- 11/3/2014: FFIEC Cybersecurity Assessment General Observations
- 3/1/2015: FFIEC Cybersecurity Priorities for the Remainder of 2015
- 6/30/2015: Release of Cybersecurity Assessment Tool

Risks that Financial Institutions Face
- Financial: Forensics, Public Relations, Credit Monitoring, Penalties and Fines, Loss of Customers/Revenue, Lawsuits and Legal Cost, Drop in Stock Price
- Reputational
- Operational

Reputational Damage
- Front page news
- Notifying customers, employees, government agencies
- Public outcry
- Loss of customer trust
- Reluctance of new customers

"Couldn't happen to me"

So what do we have to look forward to?

Question 1: Have we assessed the maturity of our cyber security profile?

So, What Is the Industry Recommending?
- On June 30th, 2015, the FFIEC released their cyber security assessment tool
- It helps institutions identify their risks and determine their cyber security maturity
- It is a repeatable and measurable process to keep management informed of their institution's cyber risks and its ability to address a breach

Cyber Security Assessment Tool
- The tool has two components:
  - Inherent Risk Profile (a fancy name for a risk assessment)
  - Cyber Security Maturity Evaluation
- Adoption of the tool is strictly voluntary at this time
- The FFIEC has targeted June of 2016 as the timeline to include it in their examinations

Inherent Risk Profile Categories
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats

Cyber Security Maturity Evaluation: Domains
1. Cyber Risk Management & Oversight
   - Governance
   - Risk Management
   - Resources
   - Training and Culture
2. Threat Intelligence & Collaboration
   - Intelligence Sourcing
   - Monitoring and Analyzing
   - Information Sharing
3. Cyber Security Controls
   - Preventative Controls
   - Detective Controls
   - Corrective Controls
4. External Dependency Management
   - Connections
   - Relationship Management
5. Cyber Incident Management & Resilience
   - Incident Resilience Planning and Strategy
   - Detection, Response and Mitigation
   - Escalation and Reporting

Question 2: Have we built a layered defense to protect our customers' sensitive information?

Build a Layered Approach to Defense

Question 3: Do we have a current inventory of our sensitive data and who has access to it?

Where Is Our Data?
- Which servers and workstations
- Which databases
- Which applications
- Other electronic media

Question 4: Have we inventoried all of the third party vendors that have access to our systems, and have we evaluated their controls?

Question 5: When was the last time we had an independent party try to hack into our systems?

Annual Security Reviews
- External Vulnerability Scans
- External Penetration Testing
- Firewall Configuration File Review
- Internal Vulnerability Scans

Question 6: What procedures have we implemented to protect our sensitive information that is stored and accessed using mobile devices?

Question 7: How often do we provide security awareness training to our personnel?

Question 8: Do we have the appropriate insurance coverage to address our cyber security concerns?

Cyber Insurance: Do I Need a Policy?
- Need to evaluate the information that you collect, process and store to determine the marketability of this data if it were to fall into the hands of thieves.
- Need to evaluate your social profile. Are you a target of social activists?
- Need to understand the breach activities that have transpired in your industry.

First Party Coverage
- Theft and fraud: Covers destruction or loss of the policyholder's data as the result of a criminal or fraudulent cyber event, including theft and transfer of funds.
- Forensic investigation: Covers the legal, technical or forensic services necessary to assess whether a cyber attack has occurred, to assess the impact of the attack and to stop an attack.
- Business interruption: Covers lost income and related costs where a policyholder is unable to conduct business due to a cyber event or data loss.

First Party Coverage (continued)
- Extortion: Provides coverage for the costs associated with the investigation of threats to commit cyber attacks against the policyholder's systems and for payments to extortionists who threaten to obtain and disclose sensitive information.
- Computer data loss and restoration: Covers physical damage to, or loss of use of, computer-related assets, including the costs of retrieving and restoring data, hardware, software or other information destroyed or damaged as the result of a cyber attack.

Third Party Coverage
- Litigation and regulatory: Covers the costs associated with civil lawsuits, judgments, settlements or penalties resulting from a cyber event.
- Regulatory response: Covers the legal, technical or forensic services necessary to assist the policyholder in responding to governmental inquiries relating to a cyber attack, and provides coverage for fines, penalties, investigations or other regulatory actions.
- Notification costs: Covers the costs to notify customers, employees or other victims affected by a cyber event, including notice required by law.

Third Party Coverage (continued)
- Crisis management: Covers crisis management and public relations expenses incurred to educate customers concerning a cyber event and the policyholder's response, including the cost of advertising for this purpose.
- Credit monitoring: Covers the costs of credit monitoring, fraud monitoring or other related services to customers or employees affected by a cyber event.
- Media liability: Provides coverage for media liability, including coverage for copyright, trademark or service mark infringement resulting from online publication by the insured.
- Privacy liability: Provides coverage for liability to employees or customers for a breach of privacy.

What Is Not Covered by Cyber Insurance?
- Reputational harm
- Loss of future revenue
- Cost to improve internal technology safeguards
- Lost value of intellectual property
- The policy will typically have a sublimit related to fines and penalties

Question 9: Do we have a formal incident response plan that has been tested, in the event our systems are breached?

Question 10: How is our executive leadership kept informed about the current level and business impact of cyber risks to our company?

What Actions Should I Be Taking?
- Accept that security is an enterprise-wide risk, not just an IT issue.
- Create awareness from the mailroom to the boardroom. Stakeholders include, but are not limited to, the Boardroom, HR, Audit, IT and Legal.
- Establish awareness that controls and processes have been specifically designed to prevent attacks:
  - New hire orientation
  - Ongoing awareness and communication
  - Visible to the organization

What Actions Should I Be Taking? (continued)
- Integrate cyber risk strategy into the organization's strategic plan
- Have a team dedicated to managing cyber threats and your incident response plan
- Identify your organization's most critical data assets:
  - Where do these assets reside?
  - Who has access to these assets?

What Actions Should I Be Taking? (continued)
- Implement a layered defense
- Assess your cyber security maturity
- Identify vendors used for business functions involving critical data assets, and make sure you understand their security policies and procedures
- Decide whether cyber insurance should be a part of your risk mitigation strategy

Your Role in Combatting Threats
- Be diligent
- Always assume the worst
- Understand and follow policies and procedures
- Report suspicious activity
- Avoid malicious web sites
- Don't click on suspicious e-mails
- Ask for identification
- Require authorization for access
- Safeguard social media content
- Educate/inform customers
- Avoid untrusted Wi-Fi

Questions