ch&cie - cyber security - banks - teaser
TRANSCRIPT
Agenda
An evolving cyber threat landscape1
3 A new approach to Cyber Security
4 Key success factors to transform Cyber Security
5 Appendix
Focus on recent regulatory evolutions2
3
Rethinking Cyber SecurityAn evolving cyber threat landscape
Emergence of new risks
Sophistication of attacks and multiplicity of adversaries
Increased costs and impacts
Regulatory scrutiny
Traditional boundaries have shifted with the explosion of data and interconnectedness
Emerging technologies and reliance on third parties have created a borderless infrastructure resulting in increased exposure
The sophistication of cyber attacks has increased exponentially while the defensive approach remained the same
Risk is no longer limited to financial criminal and skilled hackers but also hacktivist groups driven by political or social agendas and nation‐states to create havoc in the markets
Financial services are seeing increased costs with an estimate of $30M in 2014
Number of incidents but also higher complexity of responding to threats have contributed to higher losses
More than financial losses, reputational damage and loss of market confidence deserve full attention at the highest levels of the company
Financial institutions are placed under greater scrutiny from the regulators
Cyber risk management practices are now evaluated as part of regular examination processes
In today’s environment with cyber threats being unavoidable, early detection, responsiveness, rapidity to recover and integration into a comprehensive framework are key for financial institutions
4
Rethinking Cyber SecurityFocus on recent regulatory evolutions
Corporate governance, including organization and reporting structure for cyber security related issues
Management of cyber security issues and written information security policies and procedures
Resources devoted to information security and overall risk management
Assessment of risks raised by shared infrastructure
Protections against intrusion
Information security testing and monitoring, including penetration testing
Incident detection and response processes, including monitoring
Training of information security professionals as well as all other personnel
Management of third‐party service providers
Integration of information security into business continuity and disaster recovery documentation
Cyber security insurance coverage and other third‐party protections
On November 3rd 2014, FFIEC released observations from the recent cyber security assessment
FFIEC recommended regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center
On April 15th 2014, the SEC had announced the OCIE will audit more than 50 registered broker‐dealers and investment advisers for cyber security preparedness
On Feb 3rd 2015, the OCIE issued a summary observations from examinations conducted
On Feb 3rd 2015, the FINRA issued a new report on cyber security, which details practices that firms can tailor to their business model as they strengthen their cyber security efforts
The Report on Cyber security Practices draws in part from the results of FINRA's recent targeted examination
On December 10th 2014, NYDFS issued examination guidance to banks outlining new targeted cyber security preparedness assessments
Targeted cyber security assessments will be integrated as ongoing, regular part of DFS Exam Process
Audit check‐list
5
Rethinking Cyber SecurityMoving towards an enterprise‐wide cyber risk management
Reputational damageLoss of share values, loss of
market confidence
Business disruptionInability to execute trades, to access to information
Fraud and theft of intellectual property
Financial, loss of competitive edge, specific techniques
Cyber risk must become a concern for the entire enterprise starting from the Board, and be factored into strategic decisions
Today
• Ad‐hoc approach• IT solely responsible for protecting computers and
networks• Security architecture very weak• No governance framework and escalation process
Target
• Ad‐hoc approach patching up weaknesses rather than anticipating threats
• Dedicated resources but still embedded in IT• Minimal security built in to the design process
• Cost‐benefit approach, integrated into the enterprise (see Appendix)
• Continuous monitoring programs enhancing situational awareness and risk culture established
• CISO independent of IT and has voice at the C‐Suite table • Technology infrastructure deployed to support security
processes
Enterprise‐wide cyber risk
management
IT‐focused
…facing a diverse array of impactsOrganizations have made significant security improvements but they have not kept pace with today’s adversaries and sophisticated attacks…
6
Rethinking Cyber SecurityIdentify ‐ Protect – Detect – Respond – Recover (NIST Framework) | What’s next (1/3)
Key takeawaysObjectives
• Establish and implement a cyber security governance framework that supports decision making and escalation within the organization to identify and manage cyber security risks
• Define risk management policies, processes and structures coupled with relevant controls tailored to the nature of the risks
Enhance the governance framework
• Define a governance framework to support decision making based on risk appetite
• Ensure active senior management and board‐level engagement with cyber security issues
• Identify frameworks and standards to address cyber security
• Use metrics and thresholds to manage the performance of the program
• Dedicate resources to achieve the desired risk posture
1
• Conduct regular assessments to identify and measure cyber security risks associated with firm assets and vendors, determine the likelihood of the occurrence of the threat and identify system vulnerabilities
• Prioritize, monitor and implement their remediation
Implement a Risk Assessment Program
• Identify and maintain an inventory of assets authorized to access the firm’s network and, as a subset thereof, critical assets that should be accorded prioritized protection
• Conduct comprehensive risk assessments that include: An assessment of external and internal threats and asset vulnerabilities Prioritized and time‐bound recommendations to remediate risks
• Enhance vigilance through experience‐based learning and continuous monitoring programs to help capture risk signals across the ecosystem
2
• Implement technical controls to protect firm software and hardware that stores and processes data, as well as the data itself.
Set‐up technical controls
• Implement a defense‐in‐depth strategy to address known and emerging threats with reinforced security layers
• Select controls appropriate to the firm’s technology and threat environment, such as: identity and access management; data security and encryption, penetration testing.
3
7
Rethinking Cyber SecurityIdentify ‐ Protect – Detect – Respond – Recover (NIST Framework) | What’s next (2/3)
Key takeawaysObjectives
• Provide a framework to manage a cyber security incident in a way that limits damage, increases the confidence of external stakeholders, and reduces recovery time and costs
• Establish policies and procedures and define clear roles and responsibilities for escalating and responding to cyber security incidents
Prepare an incident response planning
• Set up practices for incident response and integrate them into business continuity and disaster recovery documentation: Containment and mitigation strategies for multiple incident types and
recovery plans for systems and data Communication plan for outreach to relevant stakeholders Measures to maintain client confidence
• Enhance resilience through simulated testing and crisis management processes
4
• Manage cyber security risk that can arise across the lifecycle of vendor relationships using a risk‐based approach to vendor management
Mitigate vendor risks
• Perform pre‐contract due diligence on prospective service providers and perform ongoing due diligence on existing vendors
• Establish contractual terms appropriate to the sensitivity of information and systems to which the vendor may have access
• Include vendor relationships and outsourced systems as part of the firm’s ongoing risk assessment process;
• Establish, maintain and monitor vendor entitlements so as to align with firm risk appetite and information security standards
5
• Provide cyber security trainings tailored to staff needs
• Enhance the risk‐awareness across the organization
Train staff
• Define cyber security training needs requirements
• Identify appropriate cyber security training update cycles
• Deliver interactive training with audience participation to increase retention
• Develop training around information from the firm’s loss incidents, risk assessment process and threat intelligence gathering
6
8
Rethinking Cyber SecurityIdentify ‐ Protect – Detect – Respond – Recover (NIST Framework) | What’s next (3/3)
Key takeawaysObjectives
• Use cyber threat intelligence to improve ability to identify, detect and respond to cyber security threats
Use cyber intelligence
• Assign responsibility for cyber security intelligence gathering and analysis at the organizational and individual levels
• Establish mechanisms to disseminate threat intelligence and analysis rapidly to appropriate groups within the firm
• Evaluate threat intelligence from tactical and strategic perspectives, and determine the appropriate time frame for the course of action
• Participate in appropriate information sharing organizations and periodically evaluate the firm’s information‐sharing partners
7
• Evaluate the utility of cyber insurance as a way to transfer some risk as part of their risk management processes
• Conduct an analysis to ensure alignment between existing coverage and risk assessment processes
Assess cyber insurance
• For firms that have cyber security coverage, conduct a periodic analysis of the adequacy of the coverage provided in connection with the firm’s risk assessment process to determine if the policy and its coverage align with the firm’s risk assessment and ability to bear losses
• For firms that do not have cyber insurance, evaluate the cyber insurance market to determine if coverage is available that would enhance the firm’s ability to manage the financial impact of cyber security events.
8
It is now time to implement measures to address cyber security challenges by leveraging traditional risk management methods
9
Rethinking Cyber SecurityKey Success Factors
Make cyber security matters a strategic business problem which deserves full attention at the executive level
1
Strengthen the cyber risk‐aware culture through training programs adopting a more human‐centric approach and create cyber threat intelligence unit to sustain a dynamic intelligence‐driven approach
2
Build cyber “fusion centers” that better integrate many different teams to boost intelligence, speed response, reduce costs and leverage scarce talent
3
Place efforts on automation and analytics to create internal and external risk transparency and to improve the quality and speed of real‐time cyber threat analysis
4
Implement a science‐based approach to cyber risk management, quantifying the cost of cyber risk and taking a cost‐benefit approach to risk mitigation
5
Benefit from building industry relationships and expanding collaboration beyond company boundaries
6
Agenda
An evolving cyber threat landscape1
3 A new approach to Cyber Security
4 Key success factors to transform Cyber Security
Appendix
Focus on recent regulatory evolutions2
5
11
• Identify cyber risks throughout the firm
Main roles and responsibilities
• Make sure risks are properly mitigated and monitor remediation actions if any
• Prepare and release communications in case of incidents
• Make sure that processes and systems comply with privacy and data protection laws and internal control measures
• Integrate the cyber security framework into business continuity and disaster recovery plans
• Develop the accounting framework for cyber risk
• Quantify cyber risks and assess the utility of cyber insurance
• Consider regulation, litigation possibilities, contractual obligations, and the firm’s ability to provide third parties with evidence of proper data protection processes
• Ensure that the control framework is in place
Rethinking Cyber SecurityAppendix | Involvement required across the organization
MONTREAL202 – 1819 Bd Rene
Levesque O.Montreal, Quebec,
H3H2P5
PARIS25, rue Alphonse de
Neuville75017, Paris, France
NIORT19 avenue Bujault
79000 Niort, France
NEW YORK1441, Broadway
Suite 3015, New YorkNY 10018, USA
SINGAPORELevel 25, North Tower,
One Raffles Quay, Singapore 048583
HONG KONG905, 9/F,
Kinwick Centre 32 Hollywood Road,
Central, Hong Kong
LONDON50 Great Portland StreetLondon W1W 7ND, UK
GENEVARue de Lausanne 80
CH 1202 Genève, Suisse