Cybersecurity: Are you prepared?
First Cash, then your customer, now YOU!
What is Cybersecurity?
The body of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.
CYBERSECURITY = SECURITY
Why is it important?
- One in every 2,500 calls to financial institutions is fraudulent, resulting in an average loss of 57 cents for each call
- 92% of all hacker attacks come from a person opening an email from an unknown source
- Since 2013, there have been 770,000 email phishing attacks resulting in a loss of $184 billion
- A hacker will sit on a PC and watch the behavior of their target for 292 days before attacking
Source: EMC and Verizon 2014 report
Cybersecurity Environment: US Financial Services
US Financial Services Breaches by Type:
- Hacker: 31%
- Malware: 13%
- Rogue Employee: 13%
- Vendor: 13%
- Loss of Laptop or Device: 6%
- System Malfunction: 6%
- Theft: 6%
- Unknown: 13%
Source: NetDiligence
Proprietary & Confidential
Cybersecurity Environment
The 2014 NetDiligence Cyber Claims Study uses actual reported cyber liability insurance claims to illuminate the real costs of incidents from an insurer's perspective. The median claim payout was $144,000. The average claim payout was $733,109. The average claim payout for a large company was $2.9 million, while the average payout in the Healthcare sector was $1.3 million.
How can you be prepared?
A Cybersecurity Framework needs to include:
- Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
Risk Management and Oversight: Strong governance is essential
- Regular reporting to the Board
- Question the Risk Assessments: how did they come up with that?
- Manage cyber risk at the enterprise level, not just within IT; everyone needs to understand their role.
Threat Intelligence and Collaboration: There is strength in numbers
- Keep informed, understand what is going on (new attacks, etc.)
- Use monitoring services, including email warnings
- www.fsisac.com: Financial Institutions Information Sharing and Analysis Center
Cybersecurity Controls: There's more than one kind of Control
- Preventive controls minimize the impact and likelihood of an attack
- Detective controls identify attacks in early stages
- Corrective controls mitigate the impact and stop future attacks
External Dependency Management: Your Security starts with Their Security
- Know your critical external dependencies
- Establish a rigorous vendor management control
- And don't forget to evaluate your vendor's incident response plan
Incident Management & Resilience: Mitigation and Recovery are a Must
- Implement and understand Incident Management Procedures so you can promptly respond and recover from a cyber attack
- Test your process, make sure it meets your level of acceptable risk
- If necessary, comply with applicable suspicious activity reporting
What do you need to do?
1. Perform a Cybersecurity Assessment
2. Test cybersecurity controls
3. Incorporate cybersecurity into Business Continuity/Disaster Recovery Planning
4. Incorporate cybersecurity into Incident Response Planning
5. Train, educate, and increase awareness of cybersecurity
Cybersecurity Questions: Preparedness
- What is the process for ensuring ongoing and routine discussions by the Board and senior management about cyber threats and vulnerabilities to the bank?
- How is accountability determined for managing cyber risks across the bank? Does this include management's accountability for business decisions that may introduce new cyber risks?
- What is the process for ensuring ongoing employee awareness and effective response to cyber risks?
Cybersecurity Questions: Inherent Risk
- What types of connections does the bank have?
- How is the bank managing these connections in light of the rapidly evolving threat and vulnerability landscape?
- Does the bank need all of its connections? Would reducing the types and frequency of connections improve risk management?
- How does the bank evaluate evolving cyber threats and vulnerabilities in the risk assessment process for the technologies in use and the products and services offered?
- How do the connections, products and services offered, and technologies used collectively affect the overall inherent cybersecurity risk?
Experian Data Breach Industry Forecast
1. POS breaches decline with better card security
2. Password compromises increase with hackers targeting the Cloud
3. Healthcare breaches increase, particularly medical ID theft, because of vulnerable doctor offices and clinics
4. Shifting responsibility for breaches from IT to corporate leadership
5. Employee mistakes become the company's biggest threats
6. Increase in 3rd party breaches via the Internet
Are you ready?
Questions??? 1-800-243-0416 Peggy Hinshaw x507 phinshaw@netbankaudit.com