TRANSCRIPT
Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International.
Cybersecurity: NYDFS Cyber Security Rule + More
March 24, 2017
Learning objectives
1. Developments in cybersecurity disclosure and assurance requirements
2. Reduce the FUD: advanced threats in today’s business context
3. Tried and true fundamentals to protect against advanced threats
Cybersecurity is a hot topic
> 3 out of 4 organizations rated cyberattacks as a top three threat
> 83% of organizations have experienced at least one security incident in the past year – 60% were serious
Source: CompTIA’s 2016 International Trends in Cybersecurity
Many organizations are now wondering:
> How do we protect ourselves from a data breach?
> Is our organization prepared to identify and respond to a data breach?
> Are we doing enough to mitigate cybersecurity risks?
What is happening?
> For many companies, business value resides in their data and network systems.
> A sophisticated community of “hacktivists”, cyber criminals and organized crime syndicates wants to cause competitive harm and financial loss by exploiting technical and social vulnerabilities of information assets.
> This combination leads to a high likelihood of data breaches.
“It is not a matter of if, but when …” – Countless leaders and security professionals
Regulatory response over time
> 1934: SEC Act
> 1974: Privacy Act
> 1996: HIPAA
> 1998: Safe Harbor (European Union)
> 2000: 17 CFR Part 248 (Brokers Consumer Protection)
> 2001: Cybersecurity Enhancement Act
> 2006: Wisconsin Data Breach Law
> 2006: PCI DSS
> 2009: HITECH
> 2010: Massachusetts Privacy Law
> NERC CIP
> 2012: FINRA
> 2013: Executive Order on Cybersecurity
> 2013: FFIEC Social media guidance
> 2014: SEC OCIE Cybersecurity Guidance
> 2015: SEC Investment Manager Cyber Guidance
> 2015: FINRA & SEC Survey Results
> 2015: FFIEC Cybersecurity Assessment Tool
> 2015: FTC Start with Security
> 2016: NAIC Data Security Model Law
> 2016: NY DFS 23 CFR 500 Cybersecurity Rule
> 2017: SWIFT Mandatory Cybersecurity Controls
Developing disclosure and assurance requirements
New York Department of Financial Services
> 23 NYCRR Part 500 (Financial Services Law)
Section 500.02: Cybersecurity Program
Section 500.03: Cybersecurity Policy
Section 500.04: Chief Information Security Officer
Section 500.05: Penetration Testing and Vulnerability Assessments
Section 500.06: Audit Trail
Section 500.07: Access Privileges
Section 500.08: Application Security
Section 500.09: Risk Assessment
Section 500.10: Cybersecurity Personnel and Intelligence
Section 500.11: Third Party Information Security Policy
Section 500.12: Multi-Factor Authentication
Section 500.13: Limitations on Data Retention
Section 500.14: Training and Monitoring
Section 500.15: Encryption of Nonpublic Information
Section 500.16: Incident Response Plan
Section 500.17: Notices to Superintendent
Compliance timeline
What’s in effect now?
Changes from proposed to final regulation: Effective March 1, 2017

500.01 Definitions
Key changes: Addition of a definition of third party service provider. Change in the definition of nonpublic information.
Key considerations: While the definition of nonpublic information has narrowed, entities need to clearly understand all definitions when they evaluate compliance with the law.

500.02 Cybersecurity Program
Key changes: Ability to leverage the cybersecurity program of an affiliate so long as that program covers the entity and all information / documentation is available to the superintendent upon request.
Key considerations: While it may be advantageous to leverage the cybersecurity program of an affiliate, entities must make sure all provisions are applicable and still make adjustments as appropriate for their specific environment and risks.

500.03 Cybersecurity Policy
Key changes: Inclusion of the concept that the policy is based on the cybersecurity risk assessment. Addition of “asset inventory and device management” as a required covered area and removal of “capacity and performance planning.”
Key considerations: An effective cybersecurity policy addresses the key risks that an entity faces. As such, the foundation of the policy should be the entity’s risk assessment.

500.07 Access Privileges
Key changes: Removal of the words “solely to those individuals who require such access to such systems in order to perform their responsibilities” as they relate to user access, in favor of the more relaxed burden “shall limit user access privileges.”
Key considerations: While this appears to be a relaxed requirement, entities will still need controls in place to manage all users of key systems, based on their specific needs given their role within the organization.

500.10 Cybersecurity Personnel and Intelligence
Key changes: Training for cybersecurity personnel changed from required to “must provide for.” Language has been added to accept that a third party may be used as cybersecurity personnel; previously, it was written that resources had to be “employed.”
Key considerations: It can be challenging for many organizations to maintain the requisite cyber knowledge to ‘keep up’ with the constantly changing landscape. Entities should seriously consider looking to outside third party providers to complement their in-house talent.

500.16 Incident Response Plan
Key changes: Nominal verbiage changes, no material impact.
Key considerations: Incident response plans are a critical piece of an effective cybersecurity program. Similar to business continuity and disaster recovery plans, incident response plans should be tested often to ensure the entity’s ability to execute the plan.

500.17 Notices to Superintendent
Key changes: Addition of a notification requirement: in addition to events that must be reported to a governmental or regulatory body, cybersecurity events which “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity” must also be reported. The Jan. 15 certification filing deadline for each year has been moved to Feb. 15 of each year.
Key considerations: In order for entities to certify their compliance, all the considerations in this law need to be addressed, tested and monitored on an ongoing basis. Governance of the cybersecurity program will be a critical component to ensuring ongoing compliance.
Transition period: Effective March 1, 2018

500.04 (b) Chief Information Security Officer (CISO)
Key changes: New verbiage indicating the CISO may be employed by an affiliate, and authorization to utilize a third party in addition to an employee of the covered entity. The reporting requirement to the Board of Directors (BOD) or governing body changed from bi-annual to annual. Reporting on the confidentiality provision of the program has been restricted to confidentiality of nonpublic information from all information systems, and a materiality consideration has been added to reporting on risks.
Key considerations: Even though the provision allows for flexibility in who can serve in the CISO role, the covered entity is still fully responsible for compliance. Consistency in annual reporting will be critical to ensure the BOD or governing body can understand changes in the risk environment.

500.05 Penetration Testing and Vulnerability Assessments
Key changes: Penetration testing was originally required annually and vulnerability assessments quarterly. This has been softened to annually and bi-annually, based on the risk assessment.
Key considerations: Ongoing management of the vulnerabilities identified in the assessments will be the largest challenge of meeting the spirit of this requirement.

500.09 Risk Assessment
Key changes: Changed the annual requirement to periodic. The risk assessment went from being a component to being the foundation of the cybersecurity program. It is now the basis for the cybersecurity program, the cybersecurity policy, penetration testing and vulnerability assessments, audit trails, third party service provider security policies, multi-factor authentication and encryption.
Key considerations: The basis for many of the law’s other requirements starts with an entity’s risk assessment. As the foundation of the cybersecurity program, entities should not underestimate the level of effort required to perform an appropriate assessment.

500.12 Multi-Factor Authentication (MFA)
Key changes: Addition of a risk based approach for MFA. Flexibility of increased reliance on effective internal controls. The required use of MFA for database servers has been removed. The required use of MFA for accessing systems or data from an external network has been softened to required use for accessing internal networks from external networks, unless the CISO has approved the use of “reasonably equivalent” or more secure controls.
Key considerations: While MFA is not specifically required, entities should consider implementing MFA for key systems to strengthen their security posture.

500.14 (b) Training and Monitoring
Key changes: The required regular cybersecurity training has been changed such that the entity must provide for regular cybersecurity training based on its risk assessment.
Key considerations: Regular training of staff, IT personnel and executives remains paramount to maintaining an effective cybersecurity program.
Transition period: Effective Sept. 1, 2018

500.06 Audit Trail
Key changes: “Reconstruct all records” became “to the extent applicable based on risk.” Addition of the word “material” relating to financial transactions. Elimination of requirements relating to forensic reconstruction, specifically over data logging, protection from tampering, logging of physical access to hardware and logging of system events. Reduction of the six year retention period to five.
Key considerations: While the regulation now bases the requirement on the entity’s risk assessment, 500.06.(a).2 still requires entities to maintain audit trails that will enable effective cyber event detection and response. This will continue to be a challenge for many organizations.

500.08 Application Security
Key changes: “Evaluating and assessing all externally developed” changed to “evaluating or assessing externally developed” (changed “and” to “or” and removed “all”). Changed the annual review requirement to periodic.
Key considerations: The requirement will still be challenging for many entities. Secure in-house development is a critical control for ensuring system security. For third party developed applications, it will be important for entities to obtain assurance from their vendors that security testing has been performed.

500.13 Limitations on Data Retention
Key changes: Timely destruction of data has been changed to periodic. Adherence to applicable laws and regulations still applies.
Key considerations: Many organizations will struggle with this requirement, as the proliferation of data across distributed networks and systems will make it challenging to ‘prove’ secure destruction of all of the data.

500.14 (a) Training and Monitoring
Key changes: Entities must implement procedures and controls to monitor authorized and unauthorized access to nonpublic information.
Key considerations: Monitoring of access to nonpublic data will still be challenging, and entities will need to consider the implementation of systems to ensure compliance with this requirement.

500.15 Encryption of Nonpublic Information
Key changes: Encryption of all data has been softened to “shall implement controls including encryption.” The word “all” has been removed and the requirement is now based on the entity’s risk assessment. The expiration date of reliance on compensating controls for a period of one year (data in transit) and five years (data at rest) has been removed; reliance is now indefinite, hinging on approval of the compensating controls by the CISO at least annually.
Key considerations: While the law does not require encryption if it is deemed infeasible, organizations still need to evaluate the feasibility and develop / implement compensating controls to protect the data if they can’t encrypt it. While this may sound easier said than done, it will be important for entities to document their assessment and not just jump to the conclusion that compensating controls are the most appropriate solution given their systems, architectures and the data being processed.
Transition period: Effective March 1, 2019

500.11 Third Party Service Provider Security Policy
Key changes: Reduction of the annual requirement to periodic and based on the risk assessment. Removal of the word “prompt” from notification relating to cybersecurity events at / with third parties. Allowance of reliance on the policy of an affiliate which is also a covered entity. Introduction of the words “to the extent applicable.”
Key considerations: This will be a challenge for many organizations and is reflected in the two year transitional period. To ensure success, the development of a formal vendor management program may be required to demonstrate compliance.
NY DFS - Section 500.03 Cybersecurity policy
Each covered entity shall implement and maintain a written cybersecurity policy setting forth the covered entity’s policies and procedures for the protection of its information systems and nonpublic information stored on those information systems. The cybersecurity policy shall address, at a minimum, the following areas:
> Information security
> Data governance and classification
> Access controls and identity management
> Business continuity and disaster recovery planning and resources
> Systems operations and availability concerns
> Systems and network security
> Systems and network monitoring
> Systems and application development and quality assurance
> Physical security and environmental controls
> Customer data privacy
> Vendor and third-party service provider management
> Risk assessment
> Incident response
Cybersecurity attestation examination engagement
> Current ASEC (Assurance Services Executive Committee) project to develop an approach for CPA firms to perform attest engagements related to cybersecurity
> Two primary objectives of the engagement:
o Provide a broad range of users information about the entity’s cybersecurity risk management program that may be useful in their decision making
o Address the needs of external users (investors, analysts, vendors and business partners) who need information to help in the evaluation of management’s process for managing cyber risks
> Broader than SOC 2 – covers all aspects of an entity’s cybersecurity management program
> Likely to be a general use report
SOC trends: AICPA ASEC - cybersecurity
> Key Premises
− Acknowledges the fundamental reality of cybersecurity: an entity that operates in cyberspace is likely to experience one or more security events or breaches at some point in time, regardless of the effectiveness of the entity’s cybersecurity controls
− This acknowledgment is essential to dispel potential misconceptions that an unqualified practitioner’s opinion in the proposed cybersecurity examination engagement report implies that the entity’s controls would prevent all security events from occurring within the organization
− Instead, when such events occur, an effective cybersecurity risk management program focuses on the controls the entity has designed, implemented and operated to detect, respond to, mitigate and recover from those events on a timely basis
SOC trends: SSAE18
> SSAE18
− Released April 2016 and effective May 2017
− Supersedes Statement on Standards for Attestation Engagements No. 16 (SSAE16)
> Highlights
− Clarity on IPE (Information Provided by Entity)
− Monitoring the effectiveness of controls at subservice organizations, including mapping of controls to address their complementary user entity controls (CUECs)
− Requires identification of material 4th parties (AT-C.320.A9)
NAIC Cybersecurity Task Force
> The mission of the Cybersecurity (EX) Task Force is to consider issues concerning cybersecurity as they pertain to the role of state insurance regulators.
> Adopted cybersecurity principles document: 12 Principles
> Insurance Data Security Model Law
NAIC 12 principles guidance: Company
• Confidential and/or personally identifiable consumer information collected, stored or transferred should be appropriately safeguarded
• Planning for incident response by insurers and other regulated entities is an essential component to an effective cybersecurity program
• Insurers should take steps to ensure that third parties and service providers have controls in place to protect data
• Cybersecurity risks should be incorporated into ERM processes
• Cybersecurity must include all facets of an organization
• IT internal audit findings should be reported to the board of directors (or a committee thereof)
• Insurers should engage in an information-sharing and analysis organization (ISAO) to stay informed of emerging threats
• Provide periodic and timely training (inclusive of an assessment) regarding security and cybersecurity threat awareness and protection
Principles covered: 2, 7, 8, 9, 10, 11 and 12
NAIC 12 principles guidance: Regulators
• Insurance regulators have responsibility to ensure customer data is secure
• Regulators should mandate insurers have systems in place to alert consumers in a timely manner of a breach
• State insurance departments and the NAIC are also responsible for ensuring consumer information sent to NAIC/Departments is secure
• Guidance must be flexible, scalable, practical and consistent with nationally recognized efforts (i.e., NIST)
• Guidance should include a minimum set of standards, but be risk-based and consider the resources of an individual insurer
• State regulators should provide regulatory oversight, which would include cybersecurity considerations in Financial and Market Conduct exams
Principles covered: 1, 3, 4, 5 and 6
NAIC Cybersecurity Model Law
> Key Components
o Information security program
o Risk assessment
o Risk management
o Oversight by board of directors
o Oversight of third parties
o Notification of data breach
Reduce the FUD
Threats explained, simple and foundational solutions
Phishing
Source: Verizon 2016 Data Breach Investigations Report
Definition: A form of social engineering in which a message, typically an email, with a malicious link or attachment is sent to a victim with the intent of tricking the recipient to open an attachment.
> Phishing is a means to install persistent malware
> Email leads to a phony site to capture user input
Actions to take now:
> Email filtering
> Awareness training (simulated phishing)
> Network segmentation
> Strong authentication
> Monitoring of outbound traffic
Web application attacks
Source: Verizon 2016 Data Breach Investigations Report
Definition: Any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms.
> 95% of confirmed web app breaches were financially motivated
Actions to take now:
> Patch – especially CMS platforms and third party plug-ins
> Validate inputs
> Strong authentication
Vulnerabilities
Source: Verizon 2016 Data Breach Investigations Report
Insights: Older vulnerabilities are still heavily targeted; a methodical patch approach that emphasizes consistency and coverage is more important than expedient patching.
> Cyber-espionage features external threat actors infiltrating victim networks seeking sensitive internal data and trade secrets
Actions to take now:
> Patch applications (browsers)
> Whitelist executables
> Back-ups
Social Engineering In Depth
Bruce Schneier – ‘Amateurs hack systems, professionals hack people.’
Social Engineering
• Social engineering is the attempt by an attacker to trick prospective victims into performing actions that will benefit the attacker.
• Social engineering preys upon four qualities of human nature:
o Our tendency to trust people and familiar things
o Our desire to be helpful to other people
o Our fear of getting into trouble
o Our carelessness
[Image: “Maquette Trojan Horse”, a gift from Brad Pitt to the Turkish town Canakkale, used in the movie “Troy” (Source: Wikipedia)]
Social Engineering Used To Facilitate A Data Breach
> Social engineering is increasingly used as a tactic in the commission of a larger cyber attack leading up to a data breach.
[Figure: points in the cyber attack chain where social engineering (SE) tactics may be employed]
Social Engineering Attacks and Techniques
> Pretexting – tactics: impersonation, coercion, sympathy, playing to the victim’s ego
> Phishing, Smishing, Vishing and Whaling – Whaling: spear phishing for the BIG fish
> Watering-Hole Attack
> Dropped USB Stick – attacking when it is least expected
> Harvesting Publicly Available Information
Best Practice Recommendations To Address The Social Engineering Threat
1. Use technology and tools to limit the exposure to social engineering attacks.
2. Train employees to recognize and correctly respond to phishing attempts that tools do not catch.
3. Have an incident response plan in place to discover, contain, eradicate and recover from the damage caused by a successful phishing email attack.
Subcontractors and vendors
Trends:
Source: Verizon 2016 Data Breach Investigations Report
> According to the Soha Systems Survey on Third Party Risk, 63% of all data breaches can be attributed to a third party vendor
> 800-171 (DFARS)
Ransomware: emerging threat
According to FBI statistics, $209 million in ransomware payments have been extorted from businesses and institutions during the first three months of 2016.
> 1 billion events per year if this pace continues
> 50% of employees open phishing emails
> 100 different types of ransomware
> 23% of recently surveyed companies hit
Ransomware lifecycle
Ongoing communication throughout, with continuous protection across network, systems and people.
> Attack: web browsing, free downloads
> Contain: unplug devices; research and identify; scope infected systems; shrink attack footprint
> Remediate – options include: pay, decrypt, restore data
Key actions
Know your “crown jewels”
Implement security awareness and training
Collaborate with IT and security staff on response
Lines of communication and decision authority
Post-recovery verification of systems and data
Tried and true security measures
Interesting statistics
> More than 90 percent of breaches were avoidable through simple or intermediate controls:
o Eliminate unnecessary data
o Patching of systems
o Actually look at your logs
> Companies go back to the basics once breached:
o 53 percent training and awareness
o 49 percent additional manual controls
o 52 percent expand use of encryption
o 19 percent security certification or audit
Lessons learned from Anthem
> Better and more frequent employee security awareness training
> Multi-factor authentication
> Encrypted data at rest
> Response speed and process
o Incident response plan and testing
Source: NAIC CyberSecurity Taskforce meeting with Anthem CIO, 3/29/15.
A robust cybersecurity program is critical

CYBERSECURITY PROGRAM

GOVERNANCE AND POLICIES
> Governance practices
> Policies and procedures
> Change management
> Performance measurement
> Enterprise risk management
> Business continuity management

TRAINING & COMMUNICATION
> Communication with industry groups
> Awareness training
> Cross-area training (IT security, audit, engineering)
> Skill building: security, security testing, audit

INCIDENT RESPONSE MANAGEMENT
> Response plan and team
> Crisis management
> Investigation team
> Collaboration with: component manufacturers, service providers, incident response teams, law enforcement

CYBER RISK ASSESSMENT
> Cybersecurity risk assessments
> Enterprise risk management linkage
> Red team technical assessments
> Standards compliance/readiness assessments

CYBERSECURITY COUNTERMEASURES
> Access management
> Network/infra. security
> Change controls
> Physical security
> Backup
> Real-time monitoring
> Threat intelligence
> Encryption
> Secure development
> Third-party control
> Personnel security
> Antimalware tools
> Component cert.
> Vulnerability assessment

MONITORING
> Controls assessment
> Performance metrics
> Systems monitoring
> Compliance/certification
> External audit
> External reporting
> Internal audit
> Audit committee
Five principles boards should consider (I–V)
> Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
> Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
> Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
> Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
> Board-management discussion of cyber-risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.
Keys to Executive Cyber Risk Oversight
Thank you
Chris Tait, Principal, Risk Services
MBA, CISA, CFSA, CCSK, CCSFP
414.777.5515