Cyber-Security. FAS Annual Conference September 12, 2014

Maysar Al-Samadi Vice President, Professional Standards IIROC

Cyber-Security
IIROC Rule 17.16 BCP
The regulatory landscape
Canadian Government policy
The Canadian financial sector
The US regulatory response
Cyber-insurance

Cybersecurity Risk Factors and Concerns David Mussington, PhD., CISSP Senior VP Cybersecurity Juno Risk Solutions

Agenda
Background (David Mussington)
How severe are cyber-security risks?
Who are the actors of concern?
What protection approaches are available?
Conclusions and Principal Takeaways
Questions

How serious are cybersecurity risks, and what exactly is the threat?
Financial Services are the most highly targeted of critical infrastructures by cyber criminals
Cyberspace allows for low probability of detection / high payoff illicit activity
Evolution in attack capabilities and speed is outstripping defensive measures
Recent occurrences (most notably the Snowden revelations) have pointed out the potential damage that flows from insiders

Who are the actors of concern, and what do they want?

What protection approaches are available, and what are some best practices?
Best practice approaches based on proven standards (e.g., NIST, ISO, CBEST, CCS-20 (SANS))
Industry offerings: MSSP and commercial anti-virus software and cybersecurity service vendors
Assistance from Financial Services Sector peers
Government support: CCIRC (Public Safety Canada), RCMP
Other support possibilities: not-for-profit groups, academia

Conclusions and Principal Takeaways
The cybersecurity challenge is escalating; defense/protection capabilities are falling behind
Information sharing within and across industries and with government is the best way to improve defenses and risk awareness
Systemic risks can be transmitted from those with weak cybersecurity protections to those with stronger programs; weakest-link problems are endemic
Best practice solutions exist, but require a systematic and strategic effort to produce meaningful risk mitigation impact

Information Security Perspectives Richard Livesley Director, Strategy and Planning Global Information and Technology Risk Management

Risk to BMO = Threat x Vulnerability x Consequence of a breach

Threat is bigger
Three types:
Espionage: stealing our stuff
Disruptive: hurting the network we have become reliant on
Destructive: emerging threat that could target critical infrastructure and be catastrophic
Lots of attackers:
Nation States: China is the largest
Criminal Gangs: Russia has the most
Hacktivists: less sophisticated but still a nuisance

Vulnerability is larger
We are increasing the attack surface: Social, Mobile, Analytics, Cloud
The cyber domain is still new, with little governance by any legal authority
The Internet design is flawed: designed to communicate between trusted partners, not those with malicious intent

Consequences of a breach have severely harmed companies
Customer trust
Financial consequences

Protecting the Bank involves the entire Bank
There are two major planks to the program that cover the range of capabilities we are building:

Together as a Company
Crisis Management
Customer Authentication and Awareness Training
Employee Access Management and Awareness Training
Supplier Risk Assessments
Industry & Regulatory Requirements such as GLBA, FFIEC, PCI DSS

Within Technology
Application Software Security
Data Security
Network Security
Vulnerability Management
Threat Monitoring & Management
Security Incident Response

Risk Management Functions

However, the challenge to create safe cyberspace will not be resolved within a company's eco-system

Priority: Improving cross-sector sharing
What we need to do: Automated sharing of actionable intelligence; a common framework to enable discussion (NIST cybersecurity framework?); stronger partnerships between energy, telcos and financial institutions
Why: The threats are immediate and one sector's weakness impacts others; the knowledge of each sector strengthens the others

Priority: Stronger private and public partnerships
What we need to do: Faster and more effective sharing of information; legislative clarity on rights and accountabilities, e.g. privacy; stronger governance of the internet
Why: Ensures regulatory and legislative actions focus on the right areas

Priority: A more cyber-aware culture with personal accountability
What we need to do: A more educated population who understand how best to protect themselves AND who recognize that a weakness on their device threatens others, not just themselves
Why: The health of cyberspace cannot be isolated to individual companies