What Directors Need to Know about Cybersecurity
What is Cybersecurity?
Presented by: Utah Bankers Association and Jon Waldman, Partner, Senior IS Consultant - SBS
Contact Information
Jon Waldman, Partner, Senior IS Consultant
CISA, CRISC; Masters of Info Assurance, DSU
Mission: Save the World!
Phone: 605-380-8897
jon@protectmybank.com
www.protectmybank.com
Our Experience
- PROCESS: Information Security Program design and roll-out; IT Risk Management; Vendor Management; Technology Selection; Business Continuity / Disaster Recovery; Incident Response; Information Security Consulting; IT Audit; ISP Audit; Controls Audit; Wire Transfer Audit; ACH Audit; Internet Banking Audit
- TECHNOLOGY: Penetration Testing; Vulnerability Assessment; System Configuration Assessment; Acceptable Use Scanning
- PEOPLE: Social Engineering; Awareness Programs; ISO Training; CATO Training
Dakota State
- Nationally recognized by the National Security Agency and the Department of Homeland Security
- 4,000 universities in the country; only 100 named national centers in the past 10 years
- National Center of Excellence in Information Assurance
- www.dsu.edu
What's the deal with Cybersecurity?
Agenda:
- What IS Cybersecurity?
- What's the state of the state regarding Cybersecurity?
- What's going on with Cybersecurity regulation?
- Who's responsible for Cybersecurity?
- What are the 10 Questions you as Directors and Executives need to know about Cybersecurity at your institution?
What is Cybersecurity?
- Cyber Risk: the increased probability that the very-high-impact, internet-based risks and threats we once thought were improbable will harm our networks
- Cybersecurity: the controls and processes in place to protect our networks and customer information from cyber risk
- How does it relate to Information Security? Cybersecurity is part of the discipline of Information Security, which not only encompasses Cybersecurity, but also all of the traditional things we've done to protect our confidential customer information, including IT Risk Assessment, Vendor Management, Business Continuity Planning, Vulnerability Assessment, IT Audit, and much more
Images courtesy of ISACA and member Menny Barzilay: http://www.isaca.org/knowledge-center/blog/lists/posts/post.aspx?id=296
Cybersecurity State of the Union
- Is more or less money being accessed digitally today than previously?
- What are the two things that bad guys are after?
- More attacks against your physical organization or against your digital organization?
- Increase in outsourcing
- Cybercrime = Organized Crime
- More breaches, more threats: MORE RISK!
Vendors, CATO, and Ransomware
- Bank networks are pretty secure. When is the last time you heard of a community bank getting HACKED?
- How are bad guys getting our information and money, then?
  - Through our Vendors (Target)
  - Breaches of our customers (Commercial Account Takeover)
  - Other random attacks (phishing emails, ransomware)
Growth in Banking
- New Products/Services: Mobile Cash Management; Consumer Capture; Online Account Opening; Integrative Teller Machines; P2P Payment Systems
- Cybercrime Increasing: Organized Crime; Advanced Persistent Threats
(Diagram labels: Third Party, Bank, Customer)
Cybersecurity Assessments: 2nd Half of 2014
- Targeted Regulatory Exams
- June 2013: the FFIEC established the Cybersecurity and Critical Infrastructure Working Group (CCIWG)
- Approximately 500 assessments on banks with $1 billion or less in assets; approx. 20,000 man-hours = big deal!
- Information gathering and learning mode
- Finalized report in December 2014 for all exams moving forward
Cybersecurity Assessment Results
- Exams were built upon key aspects of existing supervisory expectations addressed in the FFIEC IT Handbook
- Goal: to identify areas of Inherent Risk at financial institutions regarding cybersecurity preparedness
- Assesses an institution's current practices and overall cybersecurity preparedness, with a focus on the following key areas:
  - Risk Management and Oversight
  - Threat Intelligence and Collaboration
  - Cybersecurity Controls
  - External Dependency Management
  - Cyber Incident Management and Resilience
Lots of Questions
- The Cybersecurity General Observations document was only four pages, and quite broad
- Three MAJOR take-aways:
  - Boards of Directors are going to be EXPECTED to be MUCH more involved in Information Security Program activities
  - Banks are going to have to have comprehensive, valuable, and repeatable Risk Management processes
  - More regulation is to come!
Which leads us to the present
- FFIEC Cybersecurity Assessment Tool released on Tuesday, June 30th, 2015
- Not really a tool, as we have traditionally defined software or hardware
- More of a process to help banks perform a self-assessment on their Cybersecurity Preparedness
- Based on size and complexity
- Resulting from the 2014 Cybersecurity Assessment lessons learned
FFIEC CA Tool (3 parts)
Three (3) major components:
1. Rating your Inherent Risk for Cybersecurity threats based on your size and complexity
2. Rating your Cybersecurity Maturity regarding how prepared you are to handle different Cybersecurity threats
3. Interpreting and analyzing your results by understanding how your Inherent Risk ties to your Cybersecurity Maturity, and where you SHOULD be regarding risk vs. maturity
Cybersecurity Inherent Risk
Five Inherent Risk Areas:
1. Technologies and Connection Types
2. Delivery Channels
3. Online/Mobile Products and Technology Services
4. Organizational Characteristics
5. External Threats
(Chart values shown on the slide: 74%, 24%, 1%, >1%, >1%)
Cybersecurity Maturity
How does Cybersecurity Maturity work?
Measured by 5 Cybersecurity Maturity Levels:
1. Baseline
2. Evolving
3. Intermediate
4. Advanced
5. Innovative
Increasing Maturity
Who's Responsible for Cybersecurity?
Who wants to go first? Raise of hands? I'll give you a hint...
Who, ME?
- It is an expectation that C-Level Management and/or the Board of Directors install a top-down approach to cybersecurity
- The President/CEO will be expected to DRIVE this Cybersecurity Assessment process (read: not necessarily complete each question), and the Board of Directors needs to understand what the results of this Cybersecurity Assessment mean from a high level
How much do I need to know?
- Board involvement was a major point of the FFIEC Cybersecurity Assessments that were performed in the second half of 2014 and was heavily mentioned in the General Observations
- The Cybersecurity Assessment Tool specifically mentions Board involvement TWENTY-ONE (21) times in the Cybersecurity Maturity section, just in case you didn't think the FFIEC is taking Board involvement seriously.
- Domain 1 - Cyber Risk Management and Oversight talks about Board involvement at an increasing frequency to go with increasing maturity, particularly in the Oversight component of the Governance factor, mentioning the Board fourteen (14) times alone.
- So: pretty involved, at least with knowing what is going on
FFIEC Mgmt - Board of Directors
Things to know:
- Boards are going to be held responsible for the management of IT and Cybersecurity
- Boards are ULTIMATELY responsible for the protection of customer information
- Boards must set the Risk Appetite
- Boards must review and approve the Bank's Strategic Plans
- Boards must review and approve all IT-related policies
- Boards must understand the technologies used at the institution
- Boards need to oversee all major IT projects
- Boards must provide a credible challenge for management decisions
- Boards must understand IT and Cybersecurity risk
What is a Risk Appetite?
What type of Bank are you?
- Bleeding Edge
- Leading Edge
- Average ("The Pack")
- Conservative
What's your IT Strategy? What's your risk appetite? Your answer is your Risk Mitigation Strategy!
The 10 Questions
Deputy Secretary of the US Department of the Treasury Sarah Bloom Raskin, ABA Summer Leadership Meeting, 7/14/2015
Follow-up from the previous 10 questions, with an update since the FFIEC released their Cybersecurity Assessment Tool
Question 1
Has the bank embedded cybersecurity into governance, control, and risk management systems?
Question 1 explained
What this really means:
- Baking Cybersecurity into your existing Information Security Programs
- Being proactive instead of reactive to cybersecurity threats
- Understanding the world around you
Question 2
Have you remained vigilant about systematically identifying key assets, that is, those that provide high-value targets for malicious cyber actors?
Question 2 explained
- What are your most risky assets?
- How do you KNOW they are your most risky assets?
- Do you receive updates on these most-risky assets?
Question 3
Have you tailored security controls to the specific cyber risks presented by each key network, system, or set of sensitive data?
Question 3 explained
- How are you mitigating your risk around these most-risky assets?
- Do you have goals? Do you have an organizational risk appetite?
- Can you compare your riskiest assets to other assets? Or to other institutions?
Question 4
How do you prioritize the implementing of enhanced controls around key networks, systems, and sensitive data?
Question 4 explained
- What are your next steps to make sure that your most risky assets are being protected?
- Have you budgeted for additional controls?
- The more mature your organization, the more mature the controls. The more mature the controls, the more costly the next steps.
Question 5
Have you reviewed the FFIEC Cybersecurity Assessment Tool and appropriately incorporated it into your approach to cyber risk management?
Question 5 explained
- Do you understand your Inherent Risk Profile?
- Do you know where your Cyber Maturity is for each of the five (5) Domains?
  1. Cyber Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. External Dependency Management
  5. Cyber Incident Management and Resilience
- Have you set a Cyber Maturity GOAL for each of those five (5) Domains?
- What are your next steps?
Question 6
Have you designated specific professionals to be responsible for the institution's cybersecurity strategy and provided them with the authority, resources, and access they need to effectively perform their work?
Question 6 explained
- Who's in charge?
- Do they have the responsibility (and authority) they need?
- Are they the EXPERTS they need to be?
- Are they receiving adequate training and ongoing education?
- Do they have the funds and resources they require to protect customer information properly?
Question 7
Have you trained personnel on cybersecurity policies?
Question 7 explained
- Are your folks prepared to handle Cybersecurity issues?
  - Corporate Account Takeover
  - Phishing
  - Malware
  - CEO Fraud
  - Wire Fraud
- Do your folks receive ongoing training?
- Is it REAL training, not just watching a 30-minute video once a year?
Questions 8 & 9
How do you ensure that insurance coverage matches cyber-related risks?
Does our cyber risk insurance impose minimum required practices, which may lead to denial of coverage if not followed?
Questions 8 & 9 explained
- Cyber Insurance is in a tricky spot right now: there's NO STANDARD
- Do you know your options? Do you know what's REALLY covered?
- New, separate cyber insurance policies are appearing
- Some cyber insurance companies are requiring and verifying that certain controls are in place before providing policies
- Some cyber insurance companies are offering additional services, such as digital forensics or incident response, in addition to liability coverage
- Look into your options!
Question 10
As part of cyber hygiene:
- Do you require multi-step identity checks, known as multi-factor authentication, before allowing access to networks, systems, and data?
- Have you restricted special, high-level access to only those who need it?
- Are you doing regular maintenance and consistently patching software?
- Are you effectively scanning systems for malicious activity?
Multi-step Identity Checks
- Multi-factor authentication
- Two-step authentication
- Dual Control verification
- Using additional forms of authentication is easier and less expensive now than it's ever been
- If you're NOT using additional forms of strong authentication for your most risky systems (admin accounts, commercial online banking, etc.), then you need to stop what you're doing and make a few phone calls
Limiting Admin Access
- Who has admin access to your most important information and critical systems?
- Do they NEED it?
- Who's watching the watchers?
- How often is this access reviewed?
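The two slides above (strong authentication for risky systems, and periodic review of who holds admin access) describe a check that can be run against an account inventory. The script below is an added example, not code from the presentation or from SBS: it takes a constructed list of account records and reports privileged accounts that lack multi-factor authentication, whose access certification is older than an assumed 90-day review window, or whose access was certified by the account holder (the "who's watching the watchers" case). The user names, system names and the 90-day window are assumptions for illustration.

```python
"""Privileged-access review: flag admin accounts that lack MFA, are overdue
for re-certification, or were certified by their own owner.
Added example; all account records below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date

REVIEW_WINDOW_DAYS = 90  # assumed policy: re-certify privileged access quarterly


@dataclass
class Account:
    user: str
    privileged: bool        # holds admin rights on a critical system
    mfa_enabled: bool       # multi-factor authentication enforced for this login
    last_reviewed: date     # date the access was last certified
    reviewed_by: str        # who certified it
    system: str             # the system the access applies to


def review_privileged_access(accounts, today):
    """Return a list of (user, system, finding) tuples for privileged accounts."""
    findings = []
    for a in accounts:
        if not a.privileged:
            continue  # standard users are out of scope for this review
        if not a.mfa_enabled:
            findings.append((a.user, a.system, "privileged account without MFA"))
        age = (today - a.last_reviewed).days
        if age > REVIEW_WINDOW_DAYS:
            findings.append((a.user, a.system, f"access review overdue ({age} days)"))
        if a.reviewed_by == a.user:
            findings.append((a.user, a.system, "self-certified access (no independent reviewer)"))
    return findings


# Constructed sample inventory (hypothetical users and systems)
SAMPLE_ACCOUNTS = [
    Account("asmith", True, True, date(2015, 6, 1), "ciso", "core-banking-admin"),
    Account("bjones", True, False, date(2015, 6, 1), "ciso", "domain-admin"),
    Account("cdoe", True, True, date(2015, 1, 15), "cdoe", "wire-transfer-admin"),
    Account("teller01", False, False, date(2014, 1, 1), "branch-mgr", "teller-workstation"),
]

if __name__ == "__main__":
    for user, system, finding in review_privileged_access(SAMPLE_ACCOUNTS, date(2015, 7, 15)):
        print(f"{user:10} {system:22} {finding}")
```

Run as written, the script reports three findings from the sample data: one admin account without MFA, and one account that is both overdue for review and certified by its own holder. The non-privileged teller account produces nothing, which is the point of scoping the review to high-level access first.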
Constant Updates and Patching
- Changes to current patching cycles are becoming challenging for IT administrators
- Does your organization have a formal, documented PLAN? Is it followed? Is it EFFECTIVE? How do you know?
- What about out-of-band patches to fix critical vulnerabilities, like zero-day vulnerabilities?
- Does patch management get reported upstream at a 10,000-foot level?
Continuous Vulnerability Scanning
- With the influx of new, widespread vulnerabilities affecting internet-facing devices, and the frequency with which they occur, do you REALLY want to wait 12 to 18 months to find out if your network is vulnerable to attack?
- Continuous vulnerability scanning, internally (Vulnerability Assessment) and externally (Penetration Testing), is being encouraged by almost all new standards, including the new FFIEC Cybersecurity Assessment Tool.
- Combining your own ability to scan yourself (weekly, monthly, or quarterly) with an external service (contracted Pen Test or VA) can both help make sure your network is safe and validate your patch management processes at the same time.
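The two slides above ask how a bank knows its patching plan is effective, and answer that recurring scans validate patch management. The script below is an added example, not code from the presentation or from SBS, of the reconciliation a practitioner would run over the results of several scans: it records when each finding was first seen, checks whether it is still present in the most recent scan, and reports those that have outlived an assumed remediation SLA for their severity, while listing findings that have disappeared as evidence that patching worked. The scan dates, host names, severities, SLA values and the VULN-EXAMPLE-n identifiers are all constructed placeholders; they are not real vulnerability IDs.

```python
"""Reconcile recurring vulnerability-scan results against patch SLAs.
Added example; scan data is constructed, vulnerability IDs are placeholders,
and the SLA values are an assumed policy, not a regulatory figure."""
from datetime import date

# Assumed remediation SLA in days, by scanner severity
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def reconcile_scans(scans, today):
    """scans: list of (scan_date, host, vuln_id, severity) across several runs
    (internal weekly scans and an external test mixed together).
    Returns (overdue, remediated):
      overdue    - {(host, vuln_id): {severity, age_days, sla_days}} for findings
                   still present in the latest scan and older than their SLA
      remediated - set of (host, vuln_id) seen in an earlier scan but absent
                   from the latest one (evidence the patch process worked)"""
    latest_date = max(s[0] for s in scans)
    first_seen, severity, present_latest = {}, {}, set()
    for scan_date, host, vuln_id, sev in scans:
        key = (host, vuln_id)
        severity[key] = sev
        first_seen[key] = min(first_seen.get(key, scan_date), scan_date)
        if scan_date == latest_date:
            present_latest.add(key)
    overdue = {}
    for key in present_latest:
        age = (today - first_seen[key]).days
        limit = SLA_DAYS[severity[key]]
        if age > limit:
            overdue[key] = {"severity": severity[key], "age_days": age, "sla_days": limit}
    remediated = set(first_seen) - present_latest
    return overdue, remediated


# Constructed scan history: four weekly internal scans plus one external test
SAMPLE_SCANS = [
    (date(2015, 6, 15), "ibank-web", "VULN-EXAMPLE-1", "critical"),
    (date(2015, 6, 15), "mail-gw", "VULN-EXAMPLE-2", "high"),
    (date(2015, 6, 22), "ibank-web", "VULN-EXAMPLE-1", "critical"),
    (date(2015, 6, 22), "mail-gw", "VULN-EXAMPLE-2", "high"),
    (date(2015, 6, 29), "ibank-web", "VULN-EXAMPLE-1", "critical"),
    (date(2015, 6, 29), "fileserver", "VULN-EXAMPLE-3", "medium"),
    (date(2015, 7, 6), "ibank-web", "VULN-EXAMPLE-1", "critical"),
    (date(2015, 7, 6), "fileserver", "VULN-EXAMPLE-3", "medium"),
    (date(2015, 7, 10), "ibank-web", "VULN-EXAMPLE-1", "critical"),   # external test
    (date(2015, 7, 10), "fileserver", "VULN-EXAMPLE-3", "medium"),
    (date(2015, 7, 10), "vpn", "VULN-EXAMPLE-4", "critical"),
]

if __name__ == "__main__":
    overdue, remediated = reconcile_scans(SAMPLE_SCANS, date(2015, 7, 15))
    for (host, vuln_id), info in sorted(overdue.items()):
        print(f"OVERDUE  {host:10} {vuln_id:16} {info['severity']:8} "
              f"{info['age_days']}d old, SLA {info['sla_days']}d")
    for host, vuln_id in sorted(remediated):
        print(f"FIXED    {host:10} {vuln_id}")
```

On the sample history the critical finding on the internet-banking host has been present in every scan for 30 days against a 7-day SLA and is reported as overdue; the mail gateway finding vanished after the second scan and is listed as remediated; the medium finding and the newly discovered VPN finding are within SLA and produce no report yet. This is the kind of summary that answers "is the plan followed, and how do you know" at the 10,000-foot level the previous slide asks for.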
Additional Questions for later
- Are we keeping up on our Vendor Management? Do we know if our outsourced vendors and service providers are REALLY protecting our confidential customer data?
- How do we plan to FAIL WELL? Do we have relationships in place to assist us in the event of a breach?
  - Law enforcement
  - Digital Forensics
  - Incident Response
- How do we plan to inform our customers, our shareholders, and/or the general public in the event of a breach?
- Are we sharing information with other financial institutions and with industry groups?
Next Steps
- Seriously, find out the answers to these questions!
- Make sure Information and Cyber Security are a part of your regular meetings and not just footnotes in your meeting minutes.
- Actively engage your IT Committee and ISO-level employees
- Ensure you understand your organization's risk appetite
- REALLY manage your Information and Cyber Security programs
- Build a culture of ongoing education in your institution. Never stop learning!
- Did I mention that you should know the answers to these questions?
Education
- Conferences and Conventions: Technology & Security Conferences from your Association
- Webinars: Regular Hot Topics from your Association
- Banking Schools: Graduate Banking Schools such as www.gsb.com
- Information Security Certifications: a deep dive into financial institution-specific, role-based training and education
  - CB Security Manager (CBSM)
  - CB Security Technical Professional (CBSTP)
  - CB Security Executive (CBSE)
  - CB Vendor Manager (CBVM)
  - CB Ethical Hacker (CBEH)
  - CB Incident Responder (CBIH)
  - More - Ask about our Learning Paths!
- And more at /
Questions & Contact Info
Jon Waldman, Partner, Senior IS Consultant
CISA, CRISC; Masters of Info Assurance, DSU
Mission: Save the World!
Phone: 605-380-8897
jon@protectmybank.com
www.protectmybank.com