
15 July 2016© KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. 1

Cybersecurity – A Regional Perspective

Daryl Pereira, Partner, Cybersecurity, KPMG


Drivers for Enhancing Your Cybersecurity & IT Risk Management Practices

Three major trends affecting the Financial Sector have led to a tightening of IT regulations to maintain Asia’s status as a financial hub:

• Rise of cyberwarfare and increased number of sophisticated attacks through internet / mobile channels / ATM / online systems
• Recent high profile outages have increased the regulator’s focus on business and technology resilience
• Increased off-shoring of business processes, use of cloud computing, consolidation of local platforms onto global platforms

Global/Regional Financial Hubs: Singapore, Hong Kong, Japan, Australia, ASEAN


APAC Regulators lead the way with new IT & Cybersecurity Regs

SINGAPORE – regulatory guidelines and circulars applicable:
• Guidelines on Outsourcing, 2005
• MAS Notice 634 on Banking Secrecy Outsourcing Conditions
• IT Outsourcing Circular 2011, updated 2014
• Business Continuity Management Guidelines, 2005
• Further Guidance on Business Continuity Management, 2008
• Preparedness for Avian Influenza Pandemic and Security Threats
• Personal Data Protection Act (PDPA), 2012
• Guidelines for Technology Risk Management, June 2013
• Notice on Technology Risk Management, June 2013
• Consultation Paper - MAS Outsourcing Notice Oct 2014
• Consultation Paper - MAS Outsourcing Guidelines Oct 2014
• Circular – BYOD, 2014
• Circular – Vulnerability Assessment & Penetration Testing, 2014
• Circular – Cybersecurity for Board, Nov 2015

AUSTRALIA – regulatory guidelines and circulars applicable:
• Prudential Practice Guide PPG 234 – Management of security risk in information and information technology
• Prudential Practice Guide PPG 231 – Outsourcing
• Prudential Standard CPS 231 – Outsourcing
• Prudential Standard APS 232 – Business Continuity Management
• Prudential Standard CPS 232 – Business Continuity Management
• Prudential Practice Guide PPG 233 – Pandemic Planning and Risk Management
• Prudential Standard SPS 220 – Risk Management
• Guidance Note AGN 232.1 – Risk Assessment and Business Continuity Management

TAIWAN – regulatory guidelines and circulars applicable:
• FSC - Act Governing Issuance of Electronic Stored Value Cards
• FSC - Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation
• FSC - Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries
• Central Bank - Regulations Governing the Clearinghouse’s Plan of Security Measures for Personal Information files
• FSC - Regulations Governing Maintenance of Personal Information Files by the Non-government Institutions as Designated by the Financial Supervisory Commission Nov 2013
• Taiwan Personal Information Protection Act (PIPA) 2012
• FSC - Standard of personal data files safety and maintenance plan for financial industry (SPPDF)

HONG KONG – regulatory guidelines and circulars:
• HKMA – TM-G-1 - General Principles for Technology Risk Management
• HKMA - Supervisory Policy Manual - Reputation risk management
• HKMA - Supervisory Policy Manual - Supervision of E-banking
• HKMA – OR-1 - Operational Risk Management
• HKMA - Supervisory Policy Manual - Business Continuity Planning
• HKMA - Strengthening Security Controls for Internet Banking Services
• HKMA – SA-1 - Outsourcing
• HKMA – Customer Data Protection Oct 2014
• Privacy Commissioner - “Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry” Oct 2014

MALAYSIA – regulatory guidelines and circulars:
• GPIS 1 – Guidelines on Management
• Malaysia Personal Data Protection Act (PDPA) 2010
• BNM/RH/GL_018_1 – Guidelines on Data Management and MIS Framework
• Risk Management Guidelines on Risk Governance
• BNM/RH/GL/ 013-3 – Guidelines on Business Continuity Management
• Payment Systems Act 2003
• Digital Signatures Act 1997
• Computer Crimes Act 1997
• Electronic Commerce Act 2006
• BNM Minimum Guidelines on the provision of Internet Banking Cap. 2a

CHINA – regulatory guidelines and circulars:
• Guidelines for the Security Assessment of Electronic Banks
• CBRC - Notice on improving risk management and services for Internet banking business
• Guidelines on the Risk Management of Commercial Banks’ Information Technology
• Measures for the Administration of electronic banking
• Emergency Management of Banking Important Information Systems (for Trial Implementation)
• Public Security Bureau - Financial Institution Computer Information System Security Protection Regulation
• CBRC - Guidelines on the Management of Outsourcing Risks of Banking Financial Institutions
• CBRC - Guidelines for the Supervision of Information Technology Outsourcing Risks of Banking Financial Institutions
• National Standard - Global Privacy & Data Security


The Board & Senior Management’s Role

Technology Risk and Cyber Security


Board & Senior Management oversight of cyber is no longer leading practice…it’s required

Investors, governments, global regulators and customers are increasingly challenging Board members and C-level Executives to actively demonstrate diligence in this area. Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks.

Potential impacts and possible implications for the Board & Senior Management:

• Intellectual property losses, including patented and trademarked material, client lists and commercially sensitive data
• Time lost due to investigating the losses, keeping shareholders advised and supporting regulatory authorities (financial, fiscal, and legal)
• Property losses of stock or information, leading to delays or failure to deliver
• Penalties, which may be legal or regulatory fines, for data breaches and privacy breaches
• Administrative resource to correct the impact, such as restoring client confidence, communications to authorities, replacing property, and restoring the organisation’s business to its previous levels
• Reputational losses causing your market value to decline; loss of goodwill and confidence by customers and suppliers


Business Disruption is the Costliest Consequence of Cyber Attacks

• HSBC suffers online banking cyber-attack (29 January 2016)
• Sony says the November 2014 cyber attack will cost them $15m to remediate (direct cost), and an unquantifiable cost in reputational damage (indirect cost)

The World Economic Forum (WEF) has estimated that failure to defend against cyber-attacks will have an aggregate impact on the global economy of around US$3 trillion by 2020. (Risk Nexus report from the Atlantic Council, 2015)


Nature of technology risk & the cyber threat

Cybersecurity is now the World’s 3rd Corporate-Risk Priority Overall

Lloyd’s City Risk Index 2015-2025 analyses the potential impact on the economic output (GDP@Risk) of 301 of the world’s major cities from 18 manmade and natural threats.

• A total of $294bn of 301 cities’ projected GDP is at risk from cyber attack
• Cyber attack presents a greater risk to economic performance than Terrorism or sovereign default combined.

*Source: Lloyd’s City Risk Index 2015-2025


KPMG CIO SURVEY: Major cyber attacks in last 2 years by country (% of cyber attacks experienced)

Global average: 28%

Below global average: Greece 13%, Canada 16%, Finland 19%, Luxembourg 21%, Norway 21%, Switzerland 21%, United States 22%, Belgium 26%

Global average: United Kingdom 28%

Above global average: Australia 29%, Italy 30%, China 30%, Japan 30%, Germany 31%, Hong Kong 31%, Singapore 32%, India 33%, Ireland 34%, New Zealand 35%, Sweden 36%, Poland 36%, Vietnam 39%, France 50%, Spain 53%

Source: KPMG CIO survey 2016


The five most common cybersecurity mistakes

Mistake #1: “We have to achieve 100 percent security.”
Reality: 100 percent security is neither feasible nor the appropriate goal.

Mistake #2: “When we invest in best-in-class technical tools, we are safe.”
Reality: Effective cybersecurity is less dependent on technology than you think.

Mistake #3: “Our weapons have to be better than those of our attackers.”
Reality: The security policy should primarily be determined by your goals, not those of your attackers.

Mistake #4: “Cybersecurity compliance is all about effective monitoring.”
Reality: The ability to learn is just as important as the ability to monitor.

Mistake #5: “We need to recruit the best IT security professionals to defend ourselves against cybercrime.”
Reality: Cybersecurity is not a department, but an attitude.


Nature of Technology Risk & the Cyber Threat


The Challenges Faced by Today’s Organisations

1. External threats: Organised crime, nation-states, cyber espionage, hacktivism, insider threats
2. Change in the way business is conducted: Cloud computing, big data, social media, consumerisation, BYOD, mobile banking
3. Rapid technology change: Critical national infrastructure, smart/metering, internet of all things
4. Changing market and client need: Strategic shift, situational awareness, intelligence sharing, cyber response
5. Regulatory compliance: Data loss, privacy, records management


New “vectors” of threats are accelerating the concern

Yesterday…
• Bad “actors”: Isolated criminals, “script kiddies”
• Targets: Identity theft, self-promotion opportunities, theft of services
• “Target of opportunity”

Today…
• Bad “actors”: Organised criminals, nation states, hacktivists, insiders
• Targets: Intellectual property, financial information, strategic advantage, espionage, sabotage
• “Target of choice”


Recent cybersecurity incidents


Financial Services sector: Central Bank of Bangladesh, 2016
One of the largest electronic cash thefts publicly acknowledged

Impact and observations:
• Loss of US$ 81 million
• Transfer and payout in Philippines points to sophisticated, global cybercriminal gang
• Custom malware showed a high level of knowledge of SWIFT Alliance Access software, its functionality and its deployment in banks
• The malware and attack tools used in this attack remain a threat for all SWIFT customers.
• SWIFT releases software and guidance on April 25 to help spot and block related attacks, including altered database records.


Energy sector: Ukrainian Energy Provider, 2015
World’s first publicly acknowledged power outage caused by cyber attack

Impact and observations:
• Approximately 225,000 homes affected by the massive power outage, which lasted for several hours in the Ivano-Frankivsk region of Western Ukraine
• Highly destructive malware infected at least 3 Ukrainian regional electric power distribution companies
• Attackers infiltrated the power companies using SCADA hijacking techniques
• Though power has been restored, control centres are still not fully operational more than 2 months after the attack
• Rising concerns over Critical Infrastructure being the next targets – e.g. Industrial Control Systems (ICS) / Supervisory Control and Data Acquisition (SCADA) infrastructure


Government sector: Office of Personnel Management, US Government, 2015
Possibly the worst government data breaches

Impact and observations:
• Affected an estimated total of 21.5 million current, former and prospective federal employees
• Stolen records included personally identifiable information such as Social Security numbers, names, dates and places of birth, pay history, addresses, and information about friends and family.
• Theft of detailed security-clearance-related background information
• Fingerprints of 5.6 million people were stolen, and intelligence officers’ true identities may have been compromised
• Possibly the largest cyber breach of government data in the history of the United States, tracing back to 2014


Insurance sector: Anthem, 2015
Biggest data theft in healthcare industry

Impact and observations:
• PID of 80 million customers and clients were stolen, including Social Security Numbers
• Reputational loss in Anthem regarding IT Security
• Targeted attack (APT) by cyber espionage group
• Set-up of malicious WellPoint / Anthem infrastructure on the Internet
• Infrastructure and malware were also used for an attack on a US Defense contractor


Pharmaceutical Sector: Pharmaceutical Industry Leaders, 2014
Senior pharmaceutical and healthcare executives targeted for inside information

Impact and observations:
• IDs and passwords of senior executives at 100+ firms were compromised and used to read business correspondence
• FIN4 hackers crafted sophisticated spear phishing emails targeting senior executives with knowledge of M&A and market-moving data
• Focus on deal makers using well-crafted, personal and relevant emails and documents
• Stolen data all revenue-related: key insider information for future stock price
• 60 publicly traded companies operating worldwide targeted


Entertainment sector: Sony Pictures, 2014
Biggest data theft of a company to date

Impact and observations:
• Sensitive personal and corporate data were leaked, including emails, salaries and unreleased movies
• Company's inner workings completely exposed
• When the breach was discovered, Sony had been infiltrated for one year
• North Korea is blamed for the attack
• Massive impact to Sony Pictures, its employees and clients


A framework for managing technology risk and cybersecurity


Managing technology risk and cyber security: High-level board oversight questions

Based on KPMG’s annual Board survey of the world’s largest companies, these are the three most common questions at the C-level Executive Management and Board levels today:

1. What are the new cybersecurity threats and risks and how do they affect our organisation?
2. Is my organisation’s cybersecurity program ready to meet the challenges of today’s (and tomorrow’s) cyber threat landscape?
3. What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area?

(Diagram: KPMG’s Global Cyber Maturity Framework Domains; Threat Intelligence)


Managing technology risk and cyber security: Strategic Lever 1: A Strategic and Holistic Organisation-wide Approach is needed

KPMG’s Global Cyber Maturity Framework domains:

• LEADERSHIP AND GOVERNANCE – Management demonstrating due diligence, ownership, and effective management of risk
• HUMAN FACTORS – The level and integration of a security culture that empowers and ensures the right people, skills, culture, and knowledge
• INFORMATION RISK MANAGEMENT – The approach to achieve comprehensive and effective risk management of information throughout the organisation and its delivery and supply partners
• BUSINESS CONTINUITY AND CRISIS MANAGEMENT – Preparations for a security event and ability to prevent or minimise the impact through successful crisis and stakeholder management
• OPERATIONS AND TECHNOLOGY – The level of control measures implemented to address identified risks and minimise the impact of compromise
• LEGAL AND COMPLIANCE – Regulatory and international certification standards as relevant


Managing technology risk and cyber security: Strategic Lever 2: Actionable Threat Intelligence is the Key to Managing Cyber Threats

Prevention will ultimately fail. Actionable threat intelligence combined with detection and response capability is the key to managing Cyber Risks.

THREAT INTELLIGENCE
• Acquiring external threat information
• Keep up to date on current and future threats
• Connect with external intelligence sources, information sharing with other banks, cooperation with police and law enforcement.

PREVENT
• Protecting customers and your own infrastructure requires measures on people, processes and technology layers.

DETECT
• Real-time detection of incidents and fraudulent transactions requires correlation of information from various data sources (data analytics).
• Monitor customer behaviour, transactions and log files from applications and systems.
• Robust incident detection requires processes and trained people.

RESPOND
• Incident response capability is built by drafting playbooks, performing regular incident response exercises and doing red team testing.
• The capability to delay transactions for fraud investigations and having trained call centre employees are most important in being able to counter modern online banking attacks.


In Summary


Action Points to do NOW!

1. Accountability for technology risk and cyber security: ensure accountabilities at staff and management levels are clear. Ownership of the cybersecurity strategy must start at the Board and C-level Executives level.
2. Managing cyber risk holistically across the enterprise: business units must own and embrace cyber security as a priority.
3. Conduct a Cybersecurity Maturity Assessment to identify gaps in the way cyber risks are managed. Focus on protecting critical information & systems, reduce human factors risk, and build capability to detect and respond to persistent cyber attacks.
4. Remember: technical solutions are only one piece of managing the risk. Take a joint business and IT approach that looks at people, process, and tools.


Conclusion

(Diagram) Cyber Security Readiness – Lever 1: Strategic, organisation-wide approach; Lever 2: Actionable Threat Intelligence; Cybersecurity Maturity Assessment; Cybersecurity & Technology Risk Frameworks: ISO 27000 series (Cyber Security), MAS / HKMA TRM Guidelines, NIST, COBIT, others.

kpmg.com/socialmedia kpmg.com/app

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.


Contact Details

Daryl Pereira

Partner, Cybersecurity, KPMG Management Consulting, +65 6411 [email protected]