Cyber Security From The Front Lines



Presentation by Glenn A Siriano, October 2015

Agenda
- Setting the Context
- Business Considerations
- The Path Forward
- Q&A

Cyber Security Context

Cyber Has Become a Boardroom Conversation

June 2011: Electronic transaction processing company targeted by cyber attack. Global Payments reported that its servers housing personal information collected from merchants were attacked, impacting between 1.5 million and 7 million customers. The company confirmed that expenses associated with the breach totaled more than $92 million, including professional services fees, credit monitoring, identity protection insurance, fraud charges, and fines. (Source: Bank Info Security)

July 2013: Hackers used malware over a multi-year period to steal more than 160 million credit card numbers. Cyber attackers from Russia and Ukraine collaborated in a scheme targeting major corporate networks, including NASDAQ, Dow Jones, and Heartland Payment Systems, and stole more than 160 million credit card numbers between 2005 and 2012. In total, the separate operations spanned the globe and resulted in at least $300 million in losses to companies and individuals. (Source: NY Daily News)

January 2015: Anthem breach thought to impact between 69 and 80 million customer records. The second-largest health insurer reported that hackers compromised its network using a stolen password to access a database containing personal information on current and former customers. Initial estimates indicated the breach could result in more than $100 million in financial consequences. (Source: CNET)

Cyber Risk Perfect Storm
- Growing Threat Level: Bad actors have evolved. Retail is the 5th worst sector, and 75% of data loss incidents in Retail are hacking related (2012).*
- Changing Technology Landscape: Consumerization of IT, cloud, and an eroding perimeter.
- Compliance Pressure: Compliant does not necessarily mean sustainably (cyber) resilient.
* KPMG's 2012 Data Loss Barometer: a global insight into lost and stolen information.

Major market forces for Cyber in 2015 and Beyond
Top cyber risks in 2015:
- Evolving threat actors: Every day, increasingly sophisticated and intelligent attackers target the crown-jewel information assets of organizations. Business impacts include lost revenues, operational disruption, remediation costs, claims, and fines. Smarter attackers have more resources, better tooling, and more advanced goals.
- Changing IT delivery models: New IT capabilities, from BYOD to cloud to big data, have a serious impact on the security controls we need and can use.
- Heightened media coverage: A drumbeat of fear, uncertainty, and doubt, especially about embedded systems and industrial control systems.
- Incredible vendor claims: Total information security spending is expected to reach $76.9bn in 2015 (source: Gartner), and marketing departments have taken note.
- Our top security risk: misallocation of scarce resources, both time and money.

2015 Cyber by the Numbers: Audit Committee Research and KPMG AC Focus Area
- Cyber Oversight: 55% of Audit Committee respondents feel that they should devote more time or significantly more time to cyber on their agenda. 50% of Boards have assigned cyber oversight responsibilities to the full Board or the Audit Committee.
- Organizations with structured leadership and strategy reduce the average per-record cost of a breach by $6.59 per record lost.
- Brand Damage: Loss of customer data can result in reputational risk and organizational brand damage (companies average $3.32 million in brand damage per breach).
- Training & Awareness: Organizations must invest in cyber training and awareness for all employees, including C-level executives. It only takes one employee opening an email attachment to open the door for cyber criminals.

Improving Oversight of Cyber is No Longer Leading Practice, It's Required
Over recent years many global organizations have been victims of cybercrime. Investors, governments, and global regulators are increasingly challenging board members to actively demonstrate diligence in this area. Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks.
Potential impacts and possible implications for the board:
- Intellectual property losses, including patented and trademarked material, client lists, and commercially sensitive data
- Reputational losses causing your market value to decline; loss of goodwill and confidence among customers and suppliers
- Penalties, such as legal or regulatory fines (e.g., for data privacy breaches) and customer or contractual compensation for delays
- Property losses of stock or information, leading to delays or failure to deliver
- Time lost investigating the losses, keeping shareholders advised, and supporting regulatory authorities (financial, fiscal, and legal)
- Administrative resources to correct the impact, such as restoring client confidence, communicating with authorities, replacing property, and restoring the business to its previous levels

Typical Key Drivers of Cyber
- Mergers and acquisitions
- Launch of new services
- Complex regulatory requirements
- Big Data
- Technology automation
- Consumer trust and brand protection
- Third party management

Confusion in the Market
(Word cloud of cyber terminology, including security, privacy, compliance, resilience, breach, threat intelligence, vulnerability and data loss; omitted.)
KPMG Cyber Services
- Strategic Cyber Security and Information Protection Services
- Risk-based protection of information in alignment with its value to the organization
- Information that is available to the business in the right way, at the right time, and to the right people
- Breach Response & Investigation Services
- A streamlined approach to accessible, protected information

Business Considerations

Top Industry Issues/Challenges
Market trends:
- Continued increase in regulations and regulatory enforcement (with greater global cooperation) across all industries
- Increased expectations of technology and offshore resources to increase the efficiency and effectiveness of delivery
- Cost pressures coupled with regulatory pressure to standardize technology and processes across disparate parts of the organization
- The rising external threat demands a proactive, intelligence-based approach to anticipating and reacting to it
- Regulator focus and recent media attention on insider-based incidents have increased attention on insider threat
- Regulators and Boards have demanded accountability across all lines of defense, with the need for centralized ownership of cyber within the second line of defense
- The explosion of data across the organization, especially in unstructured data stores, has demanded a refined approach to the identification and protection of critical data across the enterprise
- Managing identity across the enterprise continues to be a common regulatory and audit finding. Risk is increased by the influx of temporary and contingent workers, some with elevated or privileged levels of access

Emerging Cyber Risks
Insider Threats: Data loss caused by negligent or malicious actions of authorized internal users. Data security incidents can be caused by employees or contingent workers with data access, whether through negligent behavior or malicious acts. Additionally, given the transient nature of the contingent workforce, it is harder to ensure that data stays within the organization when an individual departs.
Data Proliferation: An expanding data footprint increases the risk of data loss or disclosure. In most financial services institutions, unstructured data represents a large percentage of the total data in the environment. Because of heavy business reliance on data analytics and the mobilization of data across various devices and platforms, multiple copies of data are generated. Since the options for controlling access to unstructured data are limited, it represents a serious risk to data confidentiality, integrity, and availability.
New & Emerging Technology: Adopting new technology introduces potential vulnerabilities. As more business is conducted online to improve customer experience, and as IT plans to leverage cloud services, mobile technologies, and technology outsourcing to provide services with greater flexibility and scalability at lower cost, these initiatives can create new risks to the organization's overall information security posture.
Cyber Attacks & Malware: Business operations and connectivity open the infrastructure to risk. As the business seeks to provide customers with more timely and accurate data, expanded offerings and programs, more interfaces, and more opportunities to access information, perimeter and access control standards should be in line with the criticality and confidentiality of the data.

Regulatory Developments and Priorities

Payment Card Industry (PCI) Standard Updates: In April 2015, the PCI Security Standards Council released v3.1 of its Data Security Standard (DSS) in response to several high-profile vulnerabilities in the SSL and early TLS protocols and their implementations (e.g., POODLE, Heartbleed, BERserk, FREAK, Logjam, and weaknesses in RC4). As a result, SSL and early versions of the Transport Layer Security (TLS) protocol are no longer considered strong cryptography and cannot be used as a security control after June 30, 2016. (PCI DSS v3.2, released in April 2016, subsequently extended this migration deadline to June 30, 2018.)

Increasing Supervision by the Office of the Comptroller of the Currency (OCC): Comptroller of the Currency Thomas J. Curry recently referred to cyber threats as "the foremost risk facing banks today and one of the major, if not the major, risk facing businesses of all sorts."[1] In the OCC's 2015 Semiannual Risk Perspective, cyber threats and operational risk (i.e., information security, data protection, and third-party risk management) were listed as top supervisory priorities for community and midsize banks over the next 12 months.

Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment: In the summer of 2014, the FFIEC piloted a cybersecurity examination work program that focused on cybersecurity inherent risk and preparedness and emphasized the need for information sharing. Drawing on the results of this pilot, the FFIEC released a Cybersecurity Assessment Tool in June 2015 to help banks evaluate their cybersecurity inherent risk profile and determine their level of cybersecurity maturity.

[1] Remarks by Thomas J. Curry, Comptroller of the Currency, before the New England Council, Boston, Massachusetts, July 24, 2015.
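The PCI DSS v3.1 rule above is simple to state and easy to violate in a server or client configuration. The script below is an added example, not code from KPMG, the PCI SSC or this presentation: it builds a Python ssl client context that satisfies the rule (TLS 1.2 floor, no RC4/DES/NULL/export/anonymous/MD5 suites) and runs the same audit over a constructed legacy configuration that still accepts TLS 1.0 and RC4. The weak-suite markers and the 128-bit strength floor are this example's reading of "strong cryptography", not PCI's official test procedure, and the legacy cipher list is constructed sample data rather than the output of any real scan.

```python
"""Check TLS settings against the PCI DSS v3.1 SSL/early-TLS rule.

Added example; not code from KPMG, the PCI SSC or the presentation. The
thresholds are this example's reading of "strong cryptography": TLS 1.2 or
later, no RC4/DES/3DES/NULL/export/anonymous/MD5 suites, and at least 128
bits of symmetric strength.
"""
import ssl

# Substrings of OpenSSL suite names that mark a broken or weak suite.
# Example's choice: "DES" also catches 3DES (DES-CBC3-SHA), which is stricter
# than v3.1 itself demanded.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")
MIN_STRENGTH_BITS = 128
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def audit_settings(minimum_version, ciphers):
    """Return a list of findings for a protocol floor plus cipher suites.

    `minimum_version` is an ssl.TLSVersion; `ciphers` is a list of dicts shaped
    like ssl.SSLContext.get_ciphers() output (name, protocol, strength_bits).
    An empty list means the settings pass.
    """
    findings = []
    if minimum_version < REQUIRED_MIN_VERSION:
        findings.append(
            f"protocol floor is {minimum_version.name}; "
            "PCI DSS v3.1 requires TLS 1.2 or later after June 30, 2016"
        )
    for suite in ciphers:
        name = suite["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
        elif suite.get("strength_bits", 0) < MIN_STRENGTH_BITS:
            findings.append(f"suite below {MIN_STRENGTH_BITS}-bit strength: {name}")
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext using the settings OpenSSL reports for it."""
    return audit_settings(ctx.minimum_version, ctx.get_ciphers())


def hardened_client_context():
    """Client context that satisfies the rule: TLS 1.2+ and AEAD suites only.

    set_ciphers() governs TLS 1.2 and earlier; the TLS 1.3 suites are fixed by
    OpenSSL and are all AEAD, so they pass the same audit.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!DES")
    return ctx


# Constructed sample of what a pre-2015 payment server commonly offered.
# The shape mirrors get_ciphers(); the values are illustrative, not from a scan.
LEGACY_SERVER_CIPHERS = [
    {"name": "RC4-SHA", "protocol": "SSLv3", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3", "strength_bits": 112},
    {"name": "AES128-SHA", "protocol": "SSLv3", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
]


def audit_legacy_server():
    """Findings for the constructed legacy server, which still accepts TLS 1.0."""
    return audit_settings(ssl.TLSVersion.TLSv1, LEGACY_SERVER_CIPHERS)


if __name__ == "__main__":
    for label, findings in (
        ("hardened client", audit_context(hardened_client_context())),
        ("legacy server", audit_legacy_server()),
    ):
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

The legacy server fails on three counts (TLS 1.0 floor, RC4-SHA, DES-CBC3-SHA) while its one modern ECDHE/AES-GCM suite is left alone, which is the usual shape of a real migration: the fix is to raise the floor and delete the old suites, not to replace everything. Note that auditing a live context only tells you what your own side is willing to negotiate; the same audit_settings() can be fed the suite list a scanner reports for a remote host.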

Regulatory Focus Areas and Industry Activities
Regulatory Focus Areas:
- Evaluation of Cybersecurity Inherent Risk
- Enterprise Risk Management and Oversight
- Threat Intelligence and Collaboration
- Data Classification and Risk-Based Controls
- External Dependency and Vendor Risk Management
- Cyber Incident Management and Resilience (BCP/DR)
- Review Impact of Emerging Technology (Cloud, Social Media, etc.) and Products
- Data and Network Protection Practices
- Payment System and Data Hardening
- Information Sharing
- Cloud Security
- Social Engineering and Insider Threats
- Application Security
- Data Loss Prevention (DLP)
- Privileged Access Management
- Infrastructure Obsolescence Management
- Change Management
Industry Activities:
- Top-Down Enterprise Risk Assessments
- Cybersecurity Assessments and Benchmarking
- Refresh Information Governance Model
- Revamp Identity Management and Access Control
- Enhance Application Security/SDLC Integration
- Enhance Data & Information Protection
- Improve Security Monitoring and Incident Management
- Participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
- Develop and Revise Policy & Standards
- Maintain an Effective End-User Awareness Program
- Improve Third-Party Vendor Security Assessment Program

The Path Forward

Cyber as Cost-Efficient Risk Management
At the heart of KPMG's approach to Cyber Security is the objective of helping clients maximize the value of their cyber security investment. Information Risk becomes Business Advantage.
Security as an IT Cost:
- Technology platform centric
- Bottom-line focused
- Driven by IT
- Automation focused
- Success measured by timely deployment of technology
- Technology is always the answer
- Poor ROI from many programs
- Starts with data (report on what I have, not what I need)
Security as a Business Investment:
- Target operating model centric
- Strategically aligned with business objectives
- Business led
- Process focused
- Value-added service delivery
- Success measured by achieving business value
- Technology is one enabler of transformation
- Considers the security needs within the larger technology portfolio
- Analytics enabled
- Reduced time to value

Comprehensive View to Cyber Maturity: Six Key Aspects of Cyber
Cyber maturity addresses the following key domain layers:
- Leadership and Governance Layer: Describes how Boards and Executive Management demonstrate due diligence, ownership, and effective management of risk.
- People Layer: Describes the level and integration of a security culture that empowers and helps ensure the right people, skills, culture, and knowledge.
- Business Continuity Layer: Describes preparations for a security event and the ability to prevent or lessen the impact through successful crisis and stakeholder management.
- Operations and Technology Layer: The level of control measures implemented to address identified risks and reduce the impact of compromise.
- Information Risk Management Layer: Details the approach to achieving thorough and effective risk management of information throughout the organization and its delivery and supply partners.
- Legal and Compliance Layer: Meeting regulatory and compliance obligations as relevant.

The Result: End-to-End Cyber Protection (Prevent, Detect, Respond, Improve)
The approach is designed to be simple and effective, and most importantly, aligned with business needs. KPMG has aligned how we deliver our core cyber services accordingly:
PREVENT (Strategy and Governance): Helps the company understand how to align their cyber agenda with their dynamic business and compliance priorities. Attributes: comprehensive in breadth (Target Operating Model); benefits driven from strategy through execution; information-driven approach.
DETECT (Cyber Defense): Helps the business maintain their cyber agenda as business and technology programs evolve, providing greater visibility and understanding of changing risks. Attributes: end-to-end configuration; security operations and monitoring; security analytics.
RESPOND (Digital Response Services): Helps the company effectively and efficiently respond to cyber incidents and conduct forensic analysis and detailed investigations. Attributes: digital evidence preservation and cyber investigation services; post-breach analysis and mitigation; aligned with business priorities and compliance needs.
IMPROVE (Transformation): Helps the company build and improve their programs and processes, supported by the right organization and technology, to improve their cyber agenda. Attributes: informed by technology strategy; long-term engagement delivery; business-outcome focused.

High-level board oversight questions
Based on our board outreach and education programs, these are the three most common questions at the executive management and board levels today:
1. What are the new cybersecurity threats and risks, and how do they affect our organization?
2. Is our organization's cybersecurity program ready to meet the challenges of today's (and tomorrow's) cyber threat landscape?
3. What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area?
We designed a Global Cyber Maturity Framework specifically to assist organizations in addressing these critical questions by combining the most relevant aspects of international cybersecurity frameworks (e.g., NIST, ISO, AU35, ANSI, SANS, etc.).
(Figure: KPMG's Global Cyber Maturity Framework domains, arranged around Board Engagement & Oversight.)

Cyber risk management: A framework for exercising oversight responsibility
Board Engagement & Oversight sits at the center of six domains:
- Leadership and Governance: Management demonstrating due diligence, ownership, and effective management of risk
- Human Factors: The level and integration of a security culture that empowers and helps to ensure the right people, skills, culture, and knowledge
- Information Risk Management: The approach to achieve thorough and effective risk management of information throughout the organization and its delivery and supply partners
- Business Continuity and Crisis Management: Preparations for a security event and ability to prevent or reduce the impact through successful crisis and stakeholder management
- Operations and Technology: The level of control measures implemented to address identified risks and reduce the impact of compromise
- Legal and Compliance: Regulatory and international certification standards as relevant

Board oversight and engagement summary: Leadership and Governance, Human Factors, Information Risk Management

Leadership and Governance
How should the Board engage?
- Understand governance structure and meet the team
- Review output of capability assessment
- Review and approve strategy and funding
- Participate in general board education
- Request periodic updates on the program
How does the Board gain comfort? (Key performance indicators)
- Security spend as a percent of overall IT budget
- Capability maturity review output
- Certifications within key leadership positions
- Number of board education sessions (frequency)

Human Factors
How should the Board engage?
- Set the tone for the culture
- Review patterns/trends of personnel issues
- Understand training & awareness protocols
How does the Board gain comfort? (Key performance indicators)
- Percentage of employees/contractors attending training
- Trends related to cyber from whistleblower or ethics

Information Risk Management
How should the Board engage?
- Understand risk management approach and risk
- Review and approve risk tolerance
- Understand third-party supplier program
- Review and question program metrics
How does the Board gain comfort? (Key performance indicators)
- Risk assessment output / linkage to ERM program
- Risk tolerance measures and metrics
- Number of high-risk third-party suppliers and review
- Review metric output (see other sections)

Board oversight and engagement summary: Business Continuity, Operations & Technology, Legal & Compliance

Business Continuity
How should the Board engage?
- Understand current response capability
- Review status of overall plan maturity
- Meet with communications personnel
- Participate in table-top exercises
How does the Board gain comfort? (Key performance indicators)
- Number of mission critical business processes with
- Number of table-top exercises (frequency) and results

Operations & Technology
How should the Board engage?
- Understand current maturity of control
- Review relevancy of selected control
- Review relevant incident trend metrics
- Meet with CIO or equivalent to understand and information technology trends
How does the Board gain comfort? (Key performance indicators)
- Percentage of crown-jewel assets included in
- Risk rating of security vulnerabilities (considering asset
- Cyber incident trend metrics

Legal & Compliance
How should the Board engage?
- Understand regulatory landscape impacting
- Clarify audit committee requirements for
- Review litigation inventory trends
- Review and approve cyber insurance
How does the Board gain comfort? (Key performance indicators)
- Open regulatory and/or litigation matters
- Cyber insurance policy benchmarking with peer

Thank you
Presentation by Glenn Siriano, KPMG LLP
gsiriano@kpmg.com
203-521-8129

2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International.