MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS © 2014 Wolf & Company, P.C. How Cyber Security Fits Into Your Enterprise Risk Management Program Michael D. Cohn, CPA, CISA, CGEIT


Page 1

How Cyber Security Fits Into Your Enterprise Risk Management Program

Michael D. Cohn, CPA, CISA, CGEIT

Page 2

Cybersecurity – Are You Ready for What’s Next?

The FFIEC has been busy this summer. Its recently released report highlights areas where financial institutions could do better and adds recommendations for institutions to adopt in the wake of the cyber security threats being presented. While you cannot treat the report as formal “advice,” it would be prudent to expect that these recommendations will be areas where future examiners spend time.

• What other programs will be impacted by the increase in cybersecurity requirements
• How cybersecurity affects your current risk assessment processes
• How to choose the right person to be responsible for preparedness
• What additional information your training programs should contain
• How and what to report to your Board

Page 3

Page 4

Can we take more risk and remain safe?

Page 5

Are We Safe?

Page 6

Are We Still Safe?

Page 7

And Now?


Page 9

Top 10 Industry Trends for 2015

10. Market risk – uneven geographic recovery; new employment patterns
9. Strategic risk – new business models
8. Price risk – commercial loan interest rates
7. Human Capital risk – migration from Gen X leaders to Gen Y
6. Capital risk – long-term capital plans
5. Regulatory risk – BSA, Fair Lending, UDAAP
4. Operational risk
3. Enterprise risk – linking risk assessment to audit, monitoring, and KRIs
2. Vendor risk
1. Technology & Cyber Risk

Page 10

Page 11

Cyber Risk Impact to Other Risk Management Programs

Page 12

Cyber Risk Life Cycle

Elements of the cycle diagram:
– Risk Assessment (Identify)
– Security Functions (Protect, Detect, Respond, Recover)
– Audit & Monitor Controls
– (Key) Risk Indicators
– Governance & Oversight
– Business Changes / Regulatory Changes

Page 13

Scale of Vendor Management Programs

Institution asset size and number of vendors (chart values, read in ascending order):
$500 million – 50 vendors
$1 billion – 200 vendors
$20 billion – 900 vendors
$50 billion – 10,500 vendors
$1 trillion – 25,000 vendors

Source: Federal Reserve Bank of San Francisco. Presented at California Bankers Association, Bank Counsel Seminar, Huntington Beach, CA, May 2, 2013

Page 14

Vendor Management

• Enhanced Due Diligence and Ongoing Monitoring Activities
– How do you vet, select and monitor third-party service providers?
– Vulnerability management (e.g., recent SSL vulnerabilities)
– Integrating Incident Response Plans and Tests
– Cybersecurity questionnaires
– Cyber Monitoring programs
– Cyber insurance

• Contract language (better transparency)
– Termination clauses
– Oversight over sub-contractors
– Right to audit (required remediation)
– Security reports and questionnaires
– Event log retention (more than 90 days; minimum 1 year, 2 is better)
– BCP documentation
– Vulnerability responses
– Cyber insurance

Page 15

Enhancements To Your BCP

Not enough consideration is given to preparing for cyber events.

Unique factors of cyber events:
– Customers/clients affected by a cyber incident
– Consideration for employees hit by ID theft
– Third-party providers/suppliers affected by a cyber incident
– Transportation affected by a cyber incident
– Remote working capabilities affected by a cyber incident
  • Consider utilities and the availability of employee homes
  • Plan for loss of personnel, and for key and backup locations, for extended periods of time
– Cyber Incident Response Plans should be incorporated into the BCP

Page 16

Here is Where We Are Today

More People, More Process, More Technology, More Policy, More Procedures, More Governance, More Regulation

Risk programs shown on the slide:
– Social Media Risk Assessment
– Vendor Risk Assessment
– Fair Lending Risk Assessment
– Operations Risk Assessment
– RDC Risk Assessment
– BSA/OFAC Risk Assessment
– ID Theft Red Flags Risk Assessment
– IT Entity Level Risk Assessment
– Customer Information Risk Assessment
– Market Risk Assessment
– New Product Risk Assessment
– MFA Risk Assessment
– Business Continuity Risk Assessment
– Interest Rate Risk
– Liquidity Risk Management
– Credit Risk Management

Page 17

3 Organizing Principles to ERM Programs

Page 18

Emerging Threat Landscape

(Legend: Today’s Threats; Emerging Threat Areas)

OPERATIONS:
• Technology risk
• Cyber risk
• Multi-factor authentication risk
• Model risk
• Privacy risk
• Transaction risk
• ACH risk
• RDC risk
• Mobile Banking risk
• Regulatory Compliance risk
• BSA/OFAC risk
• Fair Lending risk
• UDAAP risk
• Social Media risk
• Profit risk
• Board of Director risk
• Key Employee risk
• Vendor risk
• Business Continuity risk
• Legal risk
• Compensation risk
• Financial Reporting risk

MARKET:
• Credit risk
• Interest Rate risk
• Liquidity risk
• Foreign Exchange risk
• Price risk

Also shown: New Product risk, Strategic risk, Reputation risk

Page 19

Your Risk DNA Map

Rows are products and services; the 12 columns are risk areas rated H (high), M (medium) or L (low). The slide’s column labels (their order is not preserved in the extracted text) are: Transaction, Information Technology, Vendor, Business Continuity, Credit, Interest Rate, Price, Liquidity, Strategic, Reputation, Customer Information, Regulatory Compliance, grouped under Products and Services, Operations and Market.

RETAIL BANKING
Personal Checking        L H H H H H H H L L L L
Business Checking        H M L H H H L M L L L L
Savings Accounts         L H H H H M H H L L L L
Retail CD                L H L H H M M M L L L L
Internet Banking         H H H H H H H H M M M M

LENDING
Residential Mortgages    M H M H H M H H H H H M
Home Equity              L M L H H M H H H H L M
Consumer                 L M L M M M M M H M M M
Commercial Real Estate   H M M M L H L M H H H H
Asset Backed             H M M M L M L M H H H M
C & I                    H M M M L H L M H H H M

INVESTMENTS
Trusts & IRA             L M M L H L H H L L M L
Brokerage                M M H H H H H H L L L M

BUSINESS SERVICES
Cash Management          M M L H H M M M M M M M
Merchant Card Services   M M M M M M M M M M M M

CORPORATE SERVICES
Treasury Management      M H H M H M M M L M M H
IT Operations            L M L H M H L L L L L L


Page 22

Current Impact to Risk Assessments

Page 23

“Risk assessment is not the end but the end of the beginning.”

- Mike Cohn, 2005

Page 24

Risk Management Response to Risk Assessment Results

1. Control Testing – Are our junior associates processing transactions safely?
2. Monitoring – Are our business processes functioning safely? E.g., vendor, compliance.
3. Policies & Procedures – Did management construct an environment to operate safely?
4. Key Risk Indicators – Can we reasonably evaluate if we will perform safely tomorrow?

Page 25

Cyber Threat Agents & Threats

• Threat Agents
– Organized crime
– Nation-state and spies
– Terrorists
– Hacktivists

• Common Cyber Threats to Financial Institutions
– Corporate account takeover
– Advanced malware
– ATM cash out scams
– Denial of Service

Page 26

Monitoring our Resilience: Key Indicators of Compromise (IOC)

• Key IOC
– What type of activity would indicate that you have a breach?
– Based on IT operations and processes
– Security information and event management (SIEM)
– Logging configuration
– Correlate events from assets (servers, workstations, routers, IDS/IPS, etc.)
– Network time protocol (NTP) synchronization, so that events from different assets can be correlated on one timeline
– Incident Response Procedures
– Known and common events

• IOC examples – Electronic banking activity
– Failed or successful login to default administrator user accounts
– Unauthorized change to security settings
– Suspicious transactions initiated from a new IP address
– Suspicious transactions to a new payee
– Customer notifies the FI of a fraudulent transaction

Page 27

Key IOC Continued

• IOC examples – Network activity
– Failed or successful login to default administrator user accounts
– Attempt to log in to a disabled user account
– Successful login to a non-domain (or local) user account (e.g., the local Administrator account on a member server)
– Member added to a privileged group (user account privilege escalation)
– Audit log cleared
– Audit policy change
– Unauthorized change to security settings
– Suspicious transactions
– Unusual outbound network activity (where is your data going?)
– Anti-virus alert
– IDS/IPS alert
– Web filter alert
– Employee notifies IT that they may have clicked on a link or divulged sensitive information
– Malware fingerprint
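As an added example (not from the deck or its author), the Python below turns several of the network-activity IOCs on pages 26 and 27 into detection rules and runs them over a few constructed, NTP-style timestamped Windows logon/audit events: default-administrator logons, a logon attempt against a disabled account, a logon to a local account on a member server, a privileged-group membership change, an audit-log clear, and a burst of failures followed by a success from the same source. The key=value log format, hostnames, account names, group names and the 5-minute correlation window are assumptions made for this example; the event IDs are the standard Windows Security log IDs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Format assumed for this example:
# <UTC timestamp> key=value key=value ...
SAMPLE_LOG = """\
2015-03-02T08:01:10Z host=FS01 event=4625 user=Administrator src=10.0.5.7 status=failed
2015-03-02T08:01:14Z host=FS01 event=4625 user=Administrator src=10.0.5.7 status=failed
2015-03-02T08:01:19Z host=FS01 event=4624 user=Administrator src=10.0.5.7 status=success logon_type=3 domain=FS01
2015-03-02T08:03:40Z host=DC01 event=4728 user=svc_backup group=Domain_Admins actor=Administrator
2015-03-02T08:05:02Z host=FS01 event=1102 user=Administrator
2015-03-02T08:05:30Z host=DC01 event=4625 user=jdoe src=10.0.5.7 status=failed reason=account_disabled
2015-03-02T09:15:00Z host=WS22 event=4624 user=alice src=10.0.1.22 status=success logon_type=2 domain=CORP
"""

DEFAULT_ADMIN_ACCOUNTS = {"administrator", "admin", "root"}          # assumed watch-list
PRIVILEGED_GROUPS = {"domain_admins", "enterprise_admins", "administrators"}
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_event(line):
    """Parse one key=value log line into a dict with a datetime 'ts'; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")}
    for kv in m.group(2).split():
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def single_event_iocs(ev):
    """Return the names of the single-event IOCs (from the slides) that this event matches."""
    hits = []
    eid = ev.get("event")
    user = ev.get("user", "").lower()
    if eid in ("4624", "4625") and user in DEFAULT_ADMIN_ACCOUNTS:
        hits.append("default-admin-logon-" + ev.get("status", "unknown"))   # failed or successful
    if eid == "4625" and ev.get("reason") == "account_disabled":
        hits.append("disabled-account-logon-attempt")
    # Network logon (type 3) where the account domain is the host itself = local account on a member server.
    if eid == "4624" and ev.get("logon_type") == "3" and ev.get("domain", "").upper() == ev.get("host", "").upper():
        hits.append("local-account-network-logon")
    if eid in ("4728", "4732") and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
        hits.append("privileged-group-membership-added")
    if eid == "1102":
        hits.append("audit-log-cleared")
    if eid == "4719":
        hits.append("audit-policy-changed")
    return hits


def analyze(log_text, window=timedelta(minutes=5), failures=2):
    """Run the IOC rules over a log; returns (timestamp, host, ioc_name) tuples in time order."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])   # cross-asset ordering only works if clocks are NTP-synchronised
    findings = []
    recent_failures = defaultdict(list)  # (host, user, src) -> timestamps of failed logons
    for ev in events:
        for name in single_event_iocs(ev):
            findings.append((ev["ts"], ev.get("host"), name))
        key = (ev.get("host"), ev.get("user", "").lower(), ev.get("src"))
        if ev.get("event") == "4625":
            recent_failures[key].append(ev["ts"])
        elif ev.get("event") == "4624":
            in_window = [t for t in recent_failures[key] if ev["ts"] - t <= window]
            if len(in_window) >= failures:   # repeated failures then success: likely password guessing
                findings.append((ev["ts"], ev.get("host"), "failures-then-success"))
            recent_failures[key].clear()
    return findings


if __name__ == "__main__":
    for ts, host, name in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host:<5} {name}")
```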

Page 29

300 Baseline Risk Indicators

Sample indicator names from the slide’s four-column table. The extracted layout interleaves the columns; the groups below follow the headings visible in the text.

Column 1 (Credit)
– Monthly comparison of commercial & residential loans by type (a. growth numbers quarterly)
– Percentage of loan types over total loans
– Non-accrual and non-performing loans, residential
– Non-accrual and non-performing loans, commercial
– OREO
– ALLL
– 30 day and over past due commercial & residential loans (a. include aggregate past due and non-accrual loans)
– Overdrawn tax escrow balances
– Charge-offs by type of asset/loan type
– Broker monitoring
– Repurchase claims
– QC review statistics (monitoring oversight of 1st line)
– Loss mitigation (servicing)
– CRE concentration for 100% & 300% ratio
– Monthly/quarterly ratios of: nonaccrual commercial loans to total commercial loans; nonaccrual loans to total loans; nonaccrual loans and OREO to total assets; allowance to non-accrual commercial loans (a. peer ratios and regulatory classified/criticized ratios, quarterly)

Column 2
– Allowance to total nonaccrual loans; allowance to total loans
– Non-performing assets to total assets; total loans to total assets
– OREO to total assets; other assets to total assets; OREO to average assets
– Net charge-offs to total loans (a. by type: consumer and commercial/CRE)
– Classified assets to capital
– Total past due & nonaccrual loans as % of each loan category; non-performing as % of each loan category
– Number of delinquent notes by loan category
– Charge-off ratios by loan/asset type as %
– Quarterly LTV, DTI and credit scores by loan type
– % of risk rating downgrades made by the loan review function rather than by the loan officer
– Quarterly total liquid assets to total assets; unencumbered liquid assets to total assets
– Concentrations exceeding 25% of risk based capital by: individual borrower; small inter-related groups; individual project; single repayment source; industry
– Concentrations exceeding 100% of risk based capital

Column 3 (Products; Capital; Liquidity/Funding)
– Products; collateral type; geographic (by county)
– Concentration limits by product type including security assets
– Risk rating migration by loan type; loan balances by risk rating by loan type
– Loans with policy exceptions (% with details by type of exception if significant)
– Capital: tangible ratio; Tier 1 ratio; total risk based capital; tangible common equity
– Annual market share; stress test results
– Liquidity/Funding: growth in categories of loans and deposits; on-hand liquidity ratio; 1, 3, 12 month base and stress inflows to total outflows; BASEL III ratios (LCR & net stable funding ratio); borrowings maturing or putable; single non-FHLB provider; deposits; DDA overdrafts over 60 days; DDA overdrafts in excess of $5,000

Column 4 (ALCO)
– Net change in core deposits; net change in new accounts versus closed accounts; trend analysis
– Quarterly ratio reporting including peer: interest income/avg earning assets; interest expense/avg earning assets; net interest income/avg earning assets
– Net non-core funding dependency ratio (excluding CDs over $100 thousand; excluding CDs over $250 thousand)
– ST non-core funding dependency to total assets; ST non-core funding dependency to total LT assets
– Core deposits as % of avg assets; brokered deposits to deposits; brokered deposits maturing in less than 1 year to brokered deposits
– Outside bank rating – Moody’s, S&P, IRA
– NII at risk and EVE at risk sensitivity calculations; gap measures
– Loans/assets; investments/assets; loans/deposits; efficiency ratio

Can 30-50 key risk indicators keep the institution safe?

Page 30

Does Your Institution Look Like This?

Functional Risk Area             Number of Risk Indicators
Credit risk                      72
Interest Rate risk               52
Liquidity risk                   38
Regulatory Compliance risk       31
Transaction risk                 21
Information Technology risk      21
Reputation risk                  14
Vendor risk                      12
Strategic risk                    6
Business Continuity risk          3
Customer Information risk         3
Price risk                        2
TOTAL                           275

Page 31

Uncovering the Gaps Creates Opportunities for Improvement

Number of key risk indicators per product/service and risk area. Rows are products and services; the 12 columns are risk areas. The slide’s column labels (their order is not preserved in the extracted text) are: Transaction, Information Technology, Vendor, Business Continuity, Credit, Interest Rate, Price, Liquidity, Strategic, Reputation, Customer Information, Regulatory Compliance, grouped under Products and Services, Operations and Market.

RETAIL BANKING
Personal Checking        10  1  1  1  8  3  2  2  0 30  0  7
Business Checking        10  1  1  1  8  3  2  2  0 30  0  7
Savings Accounts         10  1  1  1  8  3  2  2  0 30  0  7
Retail CD                10  1  1  1  8  3  2  2  0 30  0  7
Internet Banking          0  1  1  1  8  3  2  2  0  0  0  0

LENDING
Residential Mortgages     9  1  1  1  8  3  2  3 17  1  0  0
Home Equity               9  1  1  1  8  3  2  3 17  1  0  0
Consumer                  6  1  1  1  8  3  2  3 15  1  0  0
Commercial Real Estate   18  1  1  1  8  3  2  3 30 30  0  3
Asset Backed             11  1  1  1  8  3  2  3 25 30  0  3
C & I                    11  1  1  1  8  3  2  3 25 30  0  3

INVESTMENTS
Trusts & IRA              2  1  1  1  8  3  2  4  2  0  0  0
Brokerage                 0  1  3  1  8  3  2  4  1  0  0  0

BUSINESS SERVICES
Cash Management           0  1  1  1  8  3  2  2  0  0  0  0
Merchant Card Services    0  1  1  1  0  3  2  3  0  0  0  0

CORPORATE SERVICES
Treasury Management       6  0  2  1  8  3  0  2  0 13  3 26
IT Operations             0  0  0 12 10  3  2  2  0  0  0  0

Page 32

KRI Dashboard

Risk Appetite Key Risk Indicators (dashboard chart; the individual bar values and colour coding are not recoverable from the extracted text):

1. Capital Adequacy
1.a Achieve satisfactory CAMELS ratings for Capital Adequacy
1.b Maintain Total Equity/Total Assets within acceptable limits (%)
1.c Maintain capital ratios above regulatory capital requirements (%)
1.d Maintain Leverage Ratio within acceptable levels (%)

2. Market Risk/Earnings
2.a Achieve satisfactory CAMELS ratings for Sensitivity to Market Risk
2.b Maintain Duration gap between acceptable levels with up/down 100, 200,…
2.c Maintain EVE above acceptable levels with up/down 100, 200, 300 bps rate shocks
2.d Maintain Interest Expense/Avg. Assets within acceptable limits (%)
2.e Rate-sensitive Assets/Assets (%)
2.f Rate-sensitive Liabilities/Assets (%)

3. Credit Risk
3.a Achieve satisfactory CAMELS ratings for Asset Quality
3.b Maintain Non-Performing Assets/Assets within acceptable level (%)
3.c Maintain Non-Performing Loans/Loans within acceptable level (%)
3.d Maintain ALLL within acceptable level ($000s)
3.e Maintain CRE Loans/Total RBC within acceptable level (%)
3.f Maintain Residential 1-4 within limits to RBC (%)
3.g Maintain C&I within limits to RBC (%)

4. Liquidity
4.a Achieve satisfactory CAMELS ratings for Liquidity
4.b Maintain satisfactory Net Non-Core Funding Dependence (%)
4.c Maintain satisfactory Net Short-Term Liabilities/Assets (%)
4.d Maintain satisfactory FHLB funding availability
4.e Maintain acceptable liquidity ratios (%)
4.f Maintain acceptable levels of pledged securities

Legend: Green – risk is within acceptable threshold; Yellow – increase in risk as threshold has been breached; Red – increase in risk as threshold has been breached. Each indicator shows its Current Level and 12 month Avg.

Page 33

Informing the Board

Page 34

They Should Hear This!

What Threats Can Kill Us? Others Just Hurt!

Page 35

Final Thought

“As we know, there are known knowns. That is to say there are things we know we know. We also know there are known unknowns. That is to say we know there are some things we do not know. But there are also unknown unknowns. The ones we don't know we don't know.”

Donald Rumsfeld, Feb. 12, 2002, Department of Defense news briefing

Page 36

Mike Cohn, CPA, CISA, CGEIT
Wolf & Company, P.C.
Member of the Firm
Director, WolfPAC Solutions Group

Voice: (617) 428-5488
Email: [email protected]
LinkedIn: mikecohn1
Twitter: @MikeDCohn

www.wolfandco.com
www.wolfpacsolutions.com