Posted: 28-Jun-2020

Page 1

Confidential and Proprietary, Any use of this material without the specific permission of RedWolf Cybersecurity Group, LLC is strictly prohibited

Cybersecurity for the Mortgage Industry

www.RedWolfCyber.com

Presenters: Auzzie K. Brown and Jordan Brown

Page 2

Agenda

Why Cybersecurity best practice is not optional

Regulatory Requirement / Environment

Business Value

Face of the Threat

Cybersecurity Best Practices

Decision to Outsource vs. Insource

Conclusion

Page 3

Why Cybersecurity Best Practices Are Not Optional: Gramm-Leach-Bliley Act


Gramm-Leach-Bliley Act, Section 501(b) / FTC, PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION:

FINANCIAL INSTITUTIONS SAFEGUARDS: Shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards:

(1) to insure the security and confidentiality of customer records and information;

(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and

(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Gramm-Leach-Bliley Act, Section 502 of the Subtitle, subject to certain exceptions / CFPB Laws and Regulations: Prohibits a financial institution from disclosing non-public personal information about a consumer to nonaffiliated third parties, unless the institution satisfies various notice and opt-out requirements, and provided that the consumer has not elected to opt out of the disclosure.

Customer Notification Requirements: The policies and practices of the institution on sharing of information with nonaffiliated third parties, including:

• the categories of persons with whom information is shared;
• the policies and practices of the institution on disclosing information about persons who are no longer customers;
• the categories of information that are collected by the institution;
• the policies that the institution has to protect confidentiality and security; and
• disclosures required by the Fair Credit Reporting Act.

Privacy and Security: Protecting the nonpublic personal information of consumers.

FTC / CFPB Examination Sharing MOU, dated March 12, 2015

Page 4

The Regulators and Jurisdiction

Interagency Cooperation on Cybersecurity

Regulatory Agency: Consumer Financial Protection Bureau (CFPB)
  Responsibility: Privacy of Customer Information
  Regulatory Authority: The Dodd-Frank Act, subtitle A of Title V of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6802-6809)
  Required Standards: Yes
  Authority to Levy Penalties and Fines: Yes
  Interagency Collaboration / Cooperation: Yes

Regulatory Agency: Federal Trade Commission (FTC)
  Responsibility: Security of Customer Information
  Regulatory Authority: 15 U.S.C. 6801(b), 6805(b)(2)
  Required Standards: Yes
  Authority to Levy Penalties and Fines: Yes
  Interagency Collaboration / Cooperation: Yes

Page 5

Business Value of Cybersecurity Program

Survivability of your Business

Conserve Resources:
• Regulator fines/penalties
• Loss of customers

Employee Recruiting Tool

Competitive Marketing Advantage:
• Consumer Confidence
• Brand Reputation

“The average total cost of a data breach increased from $3.52 to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.”

Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2015

Page 6

Business Value of Cybersecurity Program

TITLE I - CYBERSECURITY INFORMATION SHARING

“(Sec. 106) Liability protections are provided to entities acting in accordance with this title that: (1) monitor information systems; or (2) share or receive indicators or defensive measures”

By Deirdre Walsh and Ted Barrett, CNN, December 16, 2015

Page 7

“The risks to your organization of noncompliance are:

• criminal, civil, statutory, regulatory or contractual penalties.”

“The development and execution of organizational security policies and standards will:

• maximize compliance and minimize the resources your organization has to spend to undergo internal and external compliance audits.”

The Basic Components of an Information Security Program MBA Residential Technology Forum (RESTECH) Information Security Workgroup, September 2015

“62% of cyber-breach victims are small to mid-size businesses, which are at the greatest risk for an attack. Their level of preparation is low, and the costs of customer notification alone can be enough to do a small company irreparable financial harm.” May 27, 2015 | By Rosalie L. Donlon, PropertyCasualty360.com

Impetus for Cybersecurity Best Practices

“We write today regarding potential new regulations from the New York State Department of Financial Services (NYDFS) aimed at increasing cyber security defenses within the financial sector. It is our hope that this letter will help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions.”

Memorandum to Financial and Banking Information Infrastructure Committee

(FBIIC) Members, New York State Department of Financial Services (NYDFS), November 9, 2015

“There is a demonstrated need for robust regulatory action in the cyber security space, and the Department is now considering a new cyber security regulation for financial institutions.”

Page 8

Impetus for Cyber Best Practices: FTC vs. Wyndham Resorts

“U.S. Court Affirms FTC Authority to Enforce Data Breach Rules

In a decision that cites a litany of basic security blunders, the United States Third Circuit Court of Appeals unanimously found that the Federal Trade Commission has the authority to sue Wyndham Hotels for DECEPTIVE cyber-security practices that, "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."”

eWeek, by Wayne Rash, posted August 24, 2015

Does your company's consumer privacy and security policy mirror its information security program? A public statement that promises safeguards the program does not actually deliver is the kind of deceptive claim the FTC pursued in the Wyndham and Superior Mortgage actions cited in this deck.

Typical Mortgage Privacy/Security Statement:

“To protect your personal identifiable information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards, secured files and buildings. We require all companies with whom we share your information to keep it confidential.”

Page 9

Face of the Threat

External Threat:
• Third-party vendors, trusted suppliers of technical, computer and security equipment, software and hardware

Advanced Persistent Threats (APT):
• Undetected, continuous computer hacking processes to gain access to a high-value organization’s network
• Phishing emails or other tricks to fool employees into downloading malware
• Goal is to steal data

Insider and Internal Threats:
• Employee, contractor, supplier, or business partner who has authorized yet uncontrolled access to systems and/or sensitive information
• Acts can be malicious or unintended

Page 10

Recent Cybersecurity Breaches

“On May 21, 2015, Homestead discovered that a cyber attacker carried out a sophisticated attack on our website and we believe the attacker gained unauthorized access to data belonging to some of Homestead’s customers. The information accessed may have included names, home and work address, Social Security numbers, bank and other account numbers…”

Homestead Funding Corporation, Albany, New York, June 8, 2015

“HSBC has informed New Hampshire's Attorney General of a compromise of some records of current and former mortgage customers of its HSBC Finance unit. In the breach, some personal information about mortgage accounts was "inadvertently made accessible via the Internet," including customers' names, Social Security numbers, account numbers, old account information and possibly some phone numbers, the bank wrote in a letter to state officials”

April 16, 2015, HSBC Finance Notifies Mortgage Customers of Data Breach, by Penny Crosman

“The Securities and Exchange Commission is the latest federal agency turning up the heat on companies whose lax cybersecurity has contributed to breaches of user data.

The SEC's action, along with those last month at the Federal Trade Commission and in federal courts, is starting to sketch out a pattern of dwindling tolerance for negligence by companies in protecting their computer systems. Last week, the SEC announced a settlement with St. Louis-based R.T. Jones Capital Equities Management, which lost the personally identifiable information (PII) of approximately 100,000 people.”

By John Fontana, Identity Matters, September 30, 2015

“Superior Mortgage Corp., a lender with 40 branch offices in 10 states and multiple Web sites, has agreed to settle Federal Trade Commission charges that it violated federal law by failing to provide reasonable security for sensitive customer data and falsely claiming that it encrypted data submitted online. The settlement bars future deceptive claims and requires the company to establish data security procedures that will be reviewed by independent third-party auditors for 10 years.”

FTC File No. 052-3136

Page 11

Recent Cybersecurity Breaches

Last year, according to the Mount Olympus Mortgage Co. in Irvine, several of its officers secretly downloaded confidential information on hundreds of loan customers and transferred five gigabytes of data to a competitor.

The loan officers then deleted files and emails on their computers and went to work for that rival, Chicago-based lender Guaranteed Rate, which has offices in Irvine, Newport Beach and Santa Ana.

But Mount Olympus, a 38-employee operation also known as MOMco, recovered the information, including more than 1,000 emails between its former mortgage bankers and their soon-to-be new employer, according to a lawsuit it filed last year in Orange County Superior Court.

“It’s nerve-wracking and obscene,” said MOMco President Michael Arnall. “The damage to our business is very, very high.”

“Cyber angst: Orange County companies zero in on data breaches”, by Margot Roosevelt, Staff Writer, Feb. 27, 2015

Page 12

Risk Mitigation Strategies

Page 13

Best Practice Mortgage Information Security Strategies

• Regulatory compliance to protect customers’ nonpublic information
• Adds business value
• Information security best practices consistent with Federal Financial Institutions Examination Council (FFIEC) guidelines

Program elements:
• Mortgage Employee Cyber Quiz
• Human Behavior / Social Engineering
• Risk Assessment / Risk Maturity Assessment
• Mortgage Policies / Procedures
• Threat Intelligence

Page 14

Cybersecurity Risk Assessment / Maturity Best Practice Process

Process steps:
1. Risk Assessment
2. Prioritize Risk & Develop Strategy
3. Risk Remediation
4. Cyber Risk Management Maintenance

Areas of Focus:
• Cybersecurity Policy Documents
• Annual Technology Review
• Employee Cybersecurity Awareness Program
• Annual Cybersecurity Review
• Cybersecurity Strategy
• Cybersecurity Strategy Implementation Plan
• Cybersecurity Operations/Management
• Cyber Incident Management

Page 15

Cybersecurity Policies and Procedures - Documented Program

“You shall develop, implement, and maintain a comprehensive information security program that is written” FTC PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION (16 CFR 314.3(a)); eCFR December 4, 2015

• Establishes the foundation to meet the regulatory requirement of a written cybersecurity program, consistent with FFIEC guidelines

Covers People, Processes and Technology:

• Is the organization following the practices outlined in its policies and procedures?
• Are policies and procedures aligned with GLB Act privacy and security requirements?
• Are they current/relevant to cope with the current threat environment?

Page 16

Employee Cybersecurity Training & Awareness Program

“(1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures. (c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.” FTC PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION (16 CFR 314.4(b) and (c)); eCFR December 4, 2015

Mortgage Industry specific Employee Cybersecurity Quiz

• Addresses:
  – Employees at all levels (Executive, Managers, Supervisors and employees)
  – Regulatory Requirements
  – Security Best Practices
• Establishes a baseline of common cyber awareness knowledge among employees
• Encourages employee behavior that engages in cybersecurity best practices
• Demonstrates to auditors / regulators a culture of cybersecurity compliance
• “Automated and documented” record of training to provide to auditors (e.g., similar to an anti-money laundering quiz)
• Prepares employees for auditor interviews

Page 17

*Cyber Risk Profile and Maturity Assessment Framework

Inherent Risk Profile Assessment Areas:
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats

Cybersecurity Maturity Domains Assessment Areas:
• Governance
• Training and Culture
• Threat Intelligence
• Monitoring and Analyzing
• Preventative Controls
• Detective Controls
• Corrective Controls
• Connections
• Incident Resilience Planning and Strategy
• Detection, Response and Mitigation
• Escalation and Reporting

*Consistent with Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool guidelines, June 2015

Page 18

Risk Assessment and Maturity Model / Report Sample

Domain Example: Corporate Wi-Fi Network

Inherent Risk Levels (columns): Least, Minimal, Moderate, Significant, Most

Cybersecurity Maturity Level (rows): Baseline, Evolving, Intermediate, Advanced, Innovative

(Sample report chart: the domain’s assessed inherent risk level and maturity level are marked with an X on this grid.)

Page 19

Cost of In-house Staffing

Should you Insource Information Security Staff?

*Average annual salaries of a standard Information Security Team:
• Chief Information Security Officer: $140,250 - $222,500
• Data Security Analyst: $113,500 - $160,000
• Systems Security Administrator: $105,500 - $149,500
• Network Security Administrator: $103,250 - $147,000
• Network Security Engineer: $110,250 - $152,750
• Information Systems Security Manager: $129,750 - $182,000

Total: $702,500 - $1,013,750 (sum of the six ranges above)

Average increase: 6-7% annually

*Robert Half Technology 2016 Salary Guide

Page 20

Conclusion

• Protecting customer data is the lifeblood of your organization’s future
• Employee security awareness training is essential!
• Severity and frequency of breaches will increase regulatory oversight:
  – Companies’ under-reporting of breaches
  – Companies unaware they have been breached
• The ever-changing threat and compliance environment requires a strategy: risk assessment, risk prioritization, remediation process
• Individual states have additional cybersecurity standards organizations must meet
• Engage cybersecurity professionals to advise risk mitigation efforts

Page 21

Address: 11654 Plaza America Drive, Suite 237, Reston, VA 20190

Phone: 1-877-675-5259 x702

Emails: [email protected]

[email protected]

[email protected]

www.RedWolfCyber.com