Cyber Security Risks for Banking Institutions. September 8, 2014
Administrative
- CPE regulations require that online participants take part in online questions. Must respond to a minimum of four questions per 50 minutes.
- Polling questions will appear on your media player.
- Results will be reviewed in the aggregate; no responses will be tracked back to any individual or organization.
- To ask a question, use the Ask a Question box on your media player.
- Technical issues: use the ? button in the upper-right corner of your webcast player to access our new online help portal. If this does not resolve your issue, please submit a question through the Ask a Question box, and you will receive a reply from our technical staff shortly in the Answered Questions box.
KPMG Presenters
- Brian Stephens, Partner, National Sector Leader, Banking & Capital Markets
- Ron Plesco, Managing Director, National Lead of Cyber Investigations
- Glenn Siriano, Principal, Information Protection & Business Resiliency
Agenda
- Cyber activity 2014 & Beyond: The New Normal
- FS Industry Activities to Manage/Mitigate Information Protection Risks
- Regulator Hot-buttons and lessons learned
- KPMG Observations
Anticipate Attacks. Avoid Breaches.
"Every business is becoming digital. Leaders need to know IT and be able to align with the business needs. Technology is an enabler. But it comes at a price." (CEO departure watershed for IT, business alignment, ZDNet, May 5, 2014)
Polling Question #1
Approximately what percentage of your total operating costs has increased to deal with cyber security concerns (staffing, budget, etc.)?
1. No change
2. 0%-5%
3. 6%-10%
4. 11%-15%
5. Over 15%
6. Not sure
Security Spend Climbing
- Gartner estimates the overall security spend on the technology and services market at $67.2 billion in 2013.
- Breaches increasing by 20%. Cost of those breaches increasing 30%.
- "Billions spent on cyber security and much of it wasted." (Sydney Morning Herald, April 3, 2014)
Yet Applications are more Vulnerable

Rank (2002-2012 history)  Vendor     Average vulnerabilities 2002-2011   2011   2012
1                         Oracle     240                                 342    429
2                         Apple      160                                 253    297
3                         Google     52                                  294    279
4                         Mozilla    87                                  116    202
5                         IBM        113                                 168    175
6                         Microsoft  221                                 254    172
16                        Red Hat    112                                 128    162
7                         Cisco      93                                  167    160
8                         Adobe      72                                  200    146
23                        Novell     113                                 177    145
9                         Linux      76                                  86     115
10                        Moodle     7                                   2      94

Rows are ordered by 2012 vulnerability count. The slide's Trend columns (10 year, 1 year) carry no values in this text.
New Vectors of Threats are Accelerating the Concern

YESTERDAY
- Bad Actors: Isolated criminals, Script Kiddies
- Target of Opportunity
- Targets: Identity Theft, Self Promotion Opportunities, Theft of Services

TODAY
- Bad Actors: Organized criminals, Foreign States, Hacktivists
- Target of Choice
- Targets: Intellectual Property, Financial Information, Strategic Access
Polling Question #2
In the last 12 months, has your bank invested in cyber intelligence technologies such as big data stores, intelligence feeds (FS-ISAC), etc.?
1. Yes
2. No
3. Not sure
Impacts
Cyber Risk Perfect Storm
- Growing Threat Level: Bad Actors have evolved. Retail is the 5th worst sector, and 75% of data loss incidents in Retail are hacking related (2012)*
- Changing Technology Landscape: Consumerization of IT, Cloud and eroding perimeter
- Compliance Pressure: Compliant does not necessarily mean sustainably (cyber) resilient

* KPMG's 2012 Data Loss Barometer; a global insight into lost and stolen information.
Proliferation of Do It Yourself Kits
Malware offered for $249 with a service level agreement (SLA) and replacement warranty if the creation is detected by any antivirus within 9 months.
Losses are Mounting
- $100 billion annual loss to the U.S. economy (2013).
- $100 billion to $500 billion annual loss to the global economy (2013).
- $23.6 million average loss by U.S. financial services companies (2013).
Cyber Activity 2014 & Beyond: Changes in Security Models
- Traditional perimeter defense approach being replaced with a multi-layered approach
- Security intelligence becoming critical to aggregate and analyze information
- New models emerging for identity and trust:
  - Biometrics
  - Merger of personal and business identities
  - Cloud encryption gateways to encrypt when data leaves the organization
- Drive towards proactive intelligent security:
  - Real-time actionable insight for threats
  - Adopt new techniques to analyze log data
  - Baseline user behavior & detect anomalies
Polling Question #3
In the last 12 months, has your bank increased focus on the internal threat of cyber security, including the building of user activity profiles and monitoring of employee and contractor use?
1. Yes
2. No
3. Not sure
Here's What You Can Do
(Diagram: Attack Surface, Threats, Security Products. Focus your attention here: Attack Surface.)
Assume you are, or will be, compromised. Focus on limiting your attack surface, prioritize based upon exposure and risk, and conduct an independent investigation.
Confusion Reigns
FS Industry Activities to Manage/Mitigate Information Protection Risks
- Top-down risk assessment using an industry standard (ISO 27001, COBIT, etc.)
- Re-think governance model
- Revamp Identity Management & Access Control
- Review impact of emerging and disruptive technology (cloud, social media, etc.)
- Enhance Application Security/SDLC Integration
- Enhance Data & Information Management
- Improve Security Operations Center & Monitoring & Incident Management
- Enhance Infrastructure
- Develop and Revise Policy & Standards
- Maintain an effective end-user Awareness program
- Improve 3rd party vendor security assessment program
- Mobile banking security enhancements
Polling Question #4
Given the increased threats and sophistication of attacks, in the past 12 months has your bank voluntarily shifted from ISO-based compliance to the adoption of NIST standards?
1. Yes
2. No
3. Not sure
Regulator Hot-Buttons
- Appropriate vendor due diligence
- Cloud Security
- People as the weakest link
- Payment systems
- Application Security
- Data Loss Prevention (DLP)
- Privileged Access and Monitoring
- BCP testing & resiliency planning
Polling Question #5
Given the increased focus on data governance, has your organization hired or created a Chief Data Officer role in the last 12 months?
1. Yes
2. No
3. Not sure
1: Team. The Incident Response team lacks a proper balance between skill-set, size and management oversight.
2: Process. Processes and procedures related to incident response are not tailored to the organization.
3: Tools. Cyber Incident Response tools are inadequate, unmanaged, untested, underutilized, or absent.
4: Data. Data pertinent to an incident is not readily available.
5: Politics. The Incident Response team lacks authority and visibility in the organization.
Q&A
Thank You
- Ron Plesco, Managing Director, National Lead of Cyber Investigations, KPMG LLP, rplesco.com, 717-260-4602
- Glenn Siriano, Principal, Information Protection & Business Resiliency, KPMG LLP, gsiriano@kpmg.com, 203-521-8129
- Brian Stephens, Partner, National Sector Leader, Banking & Capital Markets, KPMG LLP, bbstephens@kpmg.com, 312-665-2154
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.