
Daryl Pereira(Compliance & Regulations Stream) Learning From The Expert – Monetary Authority of Singapore


6th BankTech Asia - Daryl Pereira's presentation


  1. Future Proofing the Banking Industry: Technology Risk Management
     Daryl Pereira, Partner, Information Protection & Business Resiliency, KPMG ASEAN Management Consulting
  2. DRIVERS FOR ENHANCING TECHNOLOGY RISK MANAGEMENT (TRM)
     • Online channels (ATM, credit cards, internet / mobile): rise of cyber crime and cyber warfare; an increased number of sophisticated attacks on online systems, internet, mobile, payments, ATMs and websites
     • Outsourcing: increased off-shoring of business processes, use of cloud computing, and consolidation of local platforms onto global platforms
     • ASEAN's emergence as a global financial hub: a trend of tightening regulation by ASEAN regulators to build up and maintain their status as financial hubs
     • System resilience: recent high-profile outages have caused business disruption and reputational damage, and have increased the regulator's focus on resilience
     © 2014 KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
  3. THE CYBER THREATS ARE REAL: INCREASING IMPACT AND FREQUENCY OF ATTACKS ON THE FINANCIAL SERVICES INDUSTRY
     Timeline chart on the slide (impact against time; the cost is loss of trust and differentiation in the eyes of customers). Events in chronological order:
     • June 2012: Draft MAS Notice & Guidelines on TRM released
     • June 2013: Final MAS Notice & Guidelines on TRM released
     • November 2013: Target network breach & credit card data theft
     • December 2013: Standard Chartered customer data theft from a 3rd party vendor
     • January 2014: Korean credit card breach
     • June to July 2014: DBS & OCBC system outages
     • July 2014: JP Morgan hack and customer data loss
     • September 2014: Draft MAS Notice and Guidelines on Outsourcing released
  4. ANATOMY OF CYBER ATTACKS ON THE FINANCIAL INDUSTRY
     (The slide maps each point to a TRM theme: Board & Management Oversight, Technology Risk Management, System Resiliency, Incident Detection, Prevention & Reporting, IT Outsourcing Management, Data Protection.)
     • Over the past 2 years, the computer networks of dozens of banks, fund managers and other financial services firms have been infiltrated by hackers from Eastern European countries.
     • Data was stolen and re-routed, giving attackers the potential to use the information to profit from rogue stock market transactions.
     • Weak link: hackers entered inter-company networks through a vulnerable firm in order to reach other companies.
     • Hedge funds linked to the brokers conducting trades for them via secure connections are lower risk, but were targeted by phishing emails which open virtual doors.
     • Disruption to firms' high-speed trading platforms, causing loss of business continuity and resulting in reputational damage.
     • Attacks often go undetected. Hackers stole the passwords of the CFO of a US hedge fund, then drained US$1.5M in under 2 minutes using 3 wire transfers, each under US$500K, the amount that would have triggered an alarm.
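The last point on slide 4 is a detection lesson: a per-transaction alarm threshold is trivially evaded by splitting the theft into several wires just below it. The following is an added example, not code from the deck or from any of the firms named on it, showing the aggregation rule that catches this: a sliding window per originating account that alerts when the sum of wires in the window reaches the single-transaction threshold. The window length, the record layout, the account names and the wire log are all constructed for the example and do not reflect a real core-banking schema.

```python
"""Structuring detection for outbound wires: an added example, not from the deck.

Slide 4 describes a hedge fund CFO's stolen credentials being used to send
three wires in under two minutes, each below the USD 500K single-transaction
alert threshold. A per-wire rule misses that. This detector keeps a sliding
window per originating account and alerts when the *sum* of wires in the
window crosses the threshold, extending one alert as the burst continues.
The window length, the record layout and the wire log are constructed for
this example and are not a real core-banking schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SINGLE_TXN_ALERT_USD = 500_000       # per-wire alarm threshold quoted on the slide
AGGREGATE_ALERT_USD = 500_000        # assumed: alert when a burst's total reaches the same threshold
WINDOW = timedelta(minutes=10)       # assumed aggregation window

# Constructed wire log: (ISO timestamp, originating account, beneficiary, amount in USD)
SAMPLE_WIRES = [
    ("2014-07-01T09:00:05", "HF-001", "BENEF-A", 480_000),
    ("2014-07-01T09:00:40", "HF-001", "BENEF-B", 495_000),
    ("2014-07-01T09:01:30", "HF-001", "BENEF-C", 499_000),  # 3 wires, USD 1.474M in under 2 min
    ("2014-07-01T09:30:00", "HF-002", "BENEF-D", 120_000),
    ("2014-07-01T11:00:00", "HF-002", "BENEF-D", 150_000),  # spread out and small: no alert
    ("2014-07-01T14:00:00", "HF-003", "BENEF-E", 750_000),  # single wire already over threshold
]


@dataclass
class Alert:
    kind: str          # "single_over_threshold" or "aggregate_over_threshold"
    account: str
    total: int
    n_wires: int
    first_ts: str
    last_ts: str


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_structuring(wires, window=WINDOW, single=SINGLE_TXN_ALERT_USD,
                       aggregate=AGGREGATE_ALERT_USD):
    """Return alerts in the order they would fire when the wires are replayed in time order."""
    alerts = []
    recent = defaultdict(list)   # account -> [(datetime, amount, raw_ts)] still inside the window
    open_alert = {}              # account -> the aggregate Alert currently being extended
    for ts, acct, _benef, amt in sorted(wires, key=lambda w: w[0]):
        t = _parse(ts)
        if amt >= single:
            alerts.append(Alert("single_over_threshold", acct, amt, 1, ts, ts))
        # Slide the window: keep only this account's wires within WINDOW of the current one.
        recent[acct] = [r for r in recent[acct] if t - r[0] <= window] + [(t, amt, ts)]
        total = sum(r[1] for r in recent[acct])
        if len(recent[acct]) > 1 and total >= aggregate:
            a = open_alert.get(acct)
            if a is not None and t - _parse(a.last_ts) <= window:
                # Same burst: grow the existing alert rather than raising a second one.
                a.total, a.n_wires, a.last_ts = total, len(recent[acct]), ts
            else:
                a = Alert("aggregate_over_threshold", acct, total, len(recent[acct]),
                          recent[acct][0][2], ts)
                alerts.append(a)
                open_alert[acct] = a
    return alerts


if __name__ == "__main__":
    for a in detect_structuring(SAMPLE_WIRES):
        print(f"{a.kind:26} {a.account} USD {a.total:>10,} in {a.n_wires} wire(s) "
              f"{a.first_ts} .. {a.last_ts}")
```

On the constructed log the three HF-001 wires produce one aggregate alert for USD 1,474,000 across 3 wires, the single HF-003 wire trips the per-wire rule, and HF-002's two small wires 90 minutes apart stay silent. In production the window and threshold would be tuned per customer segment, and the alert would feed the incident classification process described under Requirement 3 rather than just a log line.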
  5. ONE REGULATOR'S RESPONSE: MAS
     Recent MAS Technology Risk Management guidelines and circulars, grouped on the slide under four key regulatory themes (Outsourcing; Online systems / eChannels; Customer information protection; Resilience):
     • Business Continuity Management Guidelines (June 2003); Further Guidance on BCM (January 2006)
     • MAS Notice 634 (May 2004)
     • Guidelines on Outsourcing (July 2005)
     • Two Factor Authentication (November 2005)
     • Internet Banking and Technology Risk Management Guidelines (June 2008)
     • End Point Security and Data Protection Circular (March 2009)
     • Information Systems Reliability, Resiliency and Recoverability (July 2010)
     • IT Outsourcing Circular (July 2011)
     • Personal Data Protection Act (October 2012)
     • Technology Risk Management Guidelines (final, released 21 June 2013)
     • Notice on Technology Risk Management (final, released 21 June 2013)
     Key Change 1: the guidelines and circulars shown within the red box on the slide are superseded by the new TRM Guidelines and Notice.
     Key Change 2: Notices impose legally binding requirements (Guidelines set out the practices MAS expects FIs to observe but are not themselves legally binding).
     Key Change 3: each type of FI is issued with its own Notice, for example:
     • Banks
     • Insurance companies
     • Securities exchanges
     • Clearing houses
     • Capital markets services
     • Stored value facilities
     • Trust companies
  6. REQUIREMENT 1: TECHNOLOGY RISK MANAGEMENT & IT GOVERNANCE
     Board and senior management oversight. Risk assessment process for the TRM framework, as drawn on the slide: Risk Identification (critical systems, risk matrix) -> Risk Analysis & Quantification -> Risk Treatment -> Risk Monitoring & Review (risk tracker, major IT decisions).
     TRM Notice requirements:
     • Establish a framework for identifying critical systems and information assets
     TRM Guidelines requirements:
     • Establish a Technology Risk Management Framework to manage technology risks in a systematic and consistent manner
     • The board of directors and senior management should ensure that a sound and robust risk management framework is established and maintained
     Recommended solutions:
     • Board and senior management ownership and oversight of IT decisions covering both run-the-business (RTB) and change-the-business (CTB) activities
     • Embed the IT risk assessment process into the governance framework
     • Combine business impact analysis (BIA) with customer impact analysis
  7. REQUIREMENT 2: SYSTEM RESILIENCY
     Q: Critical systems: will failure cause significant disruption to operations OR materially impact service to customers?
     Architecture sketch on the slide: Internet -> routers & firewalls -> application servers -> database servers at the production site, with a real-time replica (routers & firewalls, application servers, database servers) at the DR site.
     TRM Notice requirements:
     • Maintain high availability for critical systems
     • Maximum allowable unscheduled downtime within any 12-month period shall not exceed 4 hours
     • RTO for critical systems should be 4 hours or less
     • Perform yearly testing to verify the RTO
     TRM Guidelines requirements:
     • Specific RTO and RPO should be defined for IT systems and applications
     Recommended solutions:
     • High availability (HA) infrastructure (mirrored production sites) for critical applications. Across the industry the 4-hour RTO is not easy to achieve and requires increased investment
     • Enhance the incident management process to track resolution time
     • Review DR plans to make sure the RTO defined for critical systems is end-to-end (from the start of the outage to restored customer service, not just the infrastructure failover step)
     • Decrease the interval between data snapshots (more recovery points, hence a smaller RPO)
     Definitions: RTO = Recovery Time Objective; RPO = Recovery Point Objective
  8. REQUIREMENT 3: INCIDENT MANAGEMENT & REPORTING
     TRM Notice requirements:
     • Inform MAS of IT security incidents and system malfunctions* within 60 minutes upon discovery
     • Submit an incident report, including root cause and impact analysis, to MAS within 14 days from the occurrence of the incident
     * Those that have a severe and widespread impact on the FI's operations or materially impact the FI's service to its customers
     What is your definition of "upon discovery"? The 60-minute clock could be read to start:
     • when the incident occurs / is detected in the system?
     • when your technician diagnoses the incident?
     • when your management "recognises" or "approves" it as an incident?
     Recommended solutions:
     • Establish a classification / identification / reporting process for security incidents and malfunctions, including definitions of reportable and non-reportable incidents
     • Use automated monitoring / reporting tools to facilitate timely escalation to senior management
     • Structured framework for root-cause and impact analysis
     Illustration from the slide: "I can't remember my password, tried 10 times without success and the account is now locked. Is this reportable to MAS?" (Under the footnoted criteria, no: one locked account is neither severe and widespread nor a material impact on service to customers.)
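Requirements 2 and 3 are the two places where the Notice states numbers rather than principles, so they are the ones an FI can check mechanically against its own incident register. The following is an added example, not code from the deck, that does exactly that: it sums unscheduled downtime per critical system over a rolling 12-month window against the 4-hour cap, and checks each reportable incident against the 60-minute notification and 14-day report deadlines. The register, the system names and the field names are constructed; "discovery" is taken as the time monitoring first detected the incident, the strictest of the three readings offered on slide 8.

```python
"""Checking the TRM Notice's numeric limits against an incident register: added example.

This is not code from the deck. Requirement 2 caps unscheduled downtime of a
critical system at 4 hours in any 12-month period; Requirement 3 gives 60
minutes from discovery to notify MAS of a reportable incident and 14 days from
occurrence to submit the root-cause and impact report. The incident register,
system names and field names are constructed. "Discovery" is taken here as the
time monitoring first detected the incident, the strictest of the three
readings offered on slide 8; an FI that chooses a later reading should document
why.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_UNSCHEDULED_DOWNTIME = timedelta(hours=4)   # per critical system, any 12-month window
NOTIFY_DEADLINE = timedelta(minutes=60)         # from discovery
REPORT_DEADLINE = timedelta(days=14)            # from occurrence
ROLLING_WINDOW = timedelta(days=365)

# Constructed incident register. Times are "YYYY-MM-DD HH:MM".
INCIDENTS = [
    {"id": "INC-1", "system": "internet-banking", "critical": True, "scheduled": False,
     "reportable": True, "start": "2014-02-03 08:10", "end": "2014-02-03 10:40",   # 2h30 outage
     "detected": "2014-02-03 08:12", "mas_notified": "2014-02-03 09:05",           # 53 min: on time
     "report_submitted": "2014-02-14 17:00"},                                      # day 11: on time
    {"id": "INC-2", "system": "internet-banking", "critical": True, "scheduled": True,
     "reportable": False, "start": "2014-05-10 01:00", "end": "2014-05-10 05:00",  # planned: not counted
     "detected": "2014-05-10 01:00", "mas_notified": None, "report_submitted": None},
    {"id": "INC-3", "system": "internet-banking", "critical": True, "scheduled": False,
     "reportable": True, "start": "2014-09-21 14:00", "end": "2014-09-21 16:00",   # 2h, cumulative 4h30
     "detected": "2014-09-21 14:20", "mas_notified": "2014-09-21 15:30",           # 70 min: late
     "report_submitted": "2014-10-09 09:00"},                                      # day 18: late
    {"id": "INC-4", "system": "hr-intranet", "critical": False, "scheduled": False,
     "reportable": False, "start": "2014-09-22 09:00", "end": "2014-09-22 18:00",  # not a critical system
     "detected": "2014-09-22 09:05", "mas_notified": None, "report_submitted": None},
]


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def downtime_breaches(incidents, cap=MAX_UNSCHEDULED_DOWNTIME, window=ROLLING_WINDOW):
    """Per critical system, sum unscheduled downtime over the rolling window ending at each
    outage; return {system: (cumulative_downtime, id of the outage that breached the cap)}."""
    outages = defaultdict(list)
    for inc in incidents:
        if inc["critical"] and not inc["scheduled"]:
            outages[inc["system"]].append((_t(inc["start"]), _t(inc["end"]) - _t(inc["start"]), inc["id"]))
    breaches = {}
    for system, events in outages.items():
        events.sort()
        for i, (start, _dur, inc_id) in enumerate(events):
            in_window = [d for s, d, _ in events[: i + 1] if start - s <= window]
            total = sum(in_window, timedelta())
            if total > cap:
                breaches[system] = (total, inc_id)
                break   # first breach is enough; later outages only add to it
    return breaches


def reporting_breaches(incidents, notify=NOTIFY_DEADLINE, report=REPORT_DEADLINE):
    """Return {incident_id: [reasons]} for reportable incidents notified or reported late."""
    late = {}
    for inc in incidents:
        if not inc["reportable"]:
            continue
        reasons = []
        if inc["mas_notified"] is None or _t(inc["mas_notified"]) - _t(inc["detected"]) > notify:
            reasons.append("MAS not informed within 60 minutes of discovery")
        if inc["report_submitted"] is None or _t(inc["report_submitted"]) - _t(inc["start"]) > report:
            reasons.append("root-cause and impact report not submitted within 14 days of occurrence")
        if reasons:
            late[inc["id"]] = reasons
    return late


if __name__ == "__main__":
    for system, (total, inc_id) in downtime_breaches(INCIDENTS).items():
        print(f"{system}: {total} unscheduled downtime in 12 months, cap breached at {inc_id}")
    for inc_id, reasons in reporting_breaches(INCIDENTS).items():
        print(f"{inc_id}: " + "; ".join(reasons))
```

On the constructed register, internet-banking breaches the 4-hour cap at INC-3 (2h30 in February plus 2h in September), and INC-3 is also both notified late (70 minutes after detection) and reported late (18 days after occurrence); the scheduled maintenance window and the non-critical intranet outage are correctly ignored. Note that the two clocks start at different events: notification runs from discovery, the report from occurrence.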
  9. REQUIREMENT 4: OUTSOURCING GOVERNANCE
     The IT Outsourcing Circular was published in July 2011 to guide financial institutions in evaluating and managing IT outsourcing risks.
     A typical CIO dashboard will track KPIs for management decision making, as well as outsourced services and key risk indicators (KRIs). Where is the data stored? The public cloud is "like outsourcing your data to unknown parties located in unknown places with unknown intentions".
     TRM Guidelines requirements:
     • Establish a framework, policies and procedures to evaluate, approve, review, control and monitor the risks
     Recommended solutions:
     • Establish a risk-based outsourcing framework
     • Conduct onsite visits / inspections of the outsourced data centres (both onshore and offshore) at least annually
     • Establish SLAs that specify the service metrics, KPIs, key risk indicators (KRIs) and reporting procedures
     • Assess the ability of service providers to isolate and clearly identify the FI's data when engaging cloud computing services
  10. REQUIREMENT 5: CUSTOMER DATA PROTECTION & DLP
     Data flow and potential risk points (diagram on the slide): customer data sits in the data centre (data warehouse / CRM, backup / archival) and flows to outsourced service providers / call centres, end user devices, printers and paper documents within the organisation's premises; it leaves through human interactions (internal conversation, phone calls, fax, snail mail), external interactions (clients / partners, external interfaces with business partners and government organisations), work at home or at a client site, remote access, email, copy, download, print, read, archive and disposal. Each of these is marked as a risk point, as are lost / stolen devices and documents.
     • What and where is your "sensitive data"?
     • Could the integrity or confidentiality of customer information be compromised?
     TRM Guidelines requirements:
     • Sensitive information stored on IT systems, servers and databases should be encrypted and protected
     Recommended solutions:
     • Establish a data governance framework
     • Define a data classification policy to identify critical data for protection
     • Review the life cycle of critical data to identify possible data leakage risks (input -> processing -> extracting / reporting -> storage -> deletion)
     • Implement data leakage prevention (DLP) controls as counter-measures to the leakage risks identified
  11. REQUIREMENT 6: SOURCE CODE REVIEW
     For in-house developments, source code review can be embedded into the SDLC. Secure software development life cycle as drawn on the slide: Requirements -> Design -> Development -> Testing -> "Live", with security requirements, security design and architecture review, source code security review, risk assessment, application security testing, network penetration testing and security training attached to the corresponding phases; once live, periodic assessment (IT security controls review, host security assessment) across applications, network, systems, and policies & procedures.
     A CIO of a local bank was disappointed with a J2EE web-based system offered by a prominent vendor: "We were shocked because their understanding of information security standards didn't meet our expectations at all. Serious security breaches and weaknesses in the system were discovered during the testing phase: someone could have easily executed an SQL injection into the database, for example. That caused a lot of problems in rolling it out, and we suffered tremendous delays." (Source: CIO Asia, Jan/Feb 2006)
     What about software developed by third-party vendors?
     TRM Guidelines requirements:
     • Exercise due diligence in ensuring applications have appropriate security controls
     Recommended solutions:
     • Enforce the source code review requirement within the SDLC for internally developed software
     • Perform due diligence (e.g. source code escrow, review of third-party reports over the vendor's SDLC process) for software acquired from third-party software vendors
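The CIO quoted on slide 11 found the SQL injection only in the testing phase; the point of moving source code security review earlier in the SDLC is that the defect is visible in the code itself. The following is an added example, not code from the deck or from the vendor system the CIO describes: the vulnerable lookup (statement text built from user input) beside the hardened one (bound parameter), both exercised against a constructed in-memory SQLite table so the difference is observable, plus a small static check of the kind a reviewer would script to flag dynamically built SQL. The table, the rows, the column names and the attack string are constructed; SQLite stands in for the J2EE system's database.

```python
"""SQL injection in a customer lookup, vulnerable and hardened, plus a tiny review check.

Added example (not code from the deck or from the vendor system quoted on the
slide). The slide's CIO found during testing that "someone could have easily
executed an SQL injection"; this shows the defect a source code security review
is meant to catch before testing. The table, rows, column names and the
attack string are constructed; SQLite stands in for the J2EE system's database.
"""
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customer_id TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("C1001", 2500), ("C1002", 91000), ("C1003", 40)])
    return conn


def lookup_balance_vulnerable(conn, customer_id: str):
    # VULNERABLE, kept deliberately: the input is spliced into the statement text,
    # so a quote character in customer_id rewrites the WHERE clause.
    return conn.execute(
        "SELECT customer_id, balance FROM accounts WHERE customer_id = '" + customer_id + "'"
    ).fetchall()


def lookup_balance_hardened(conn, customer_id: str):
    # HARDENED: the value is bound as a parameter; the statement text never changes,
    # so the same attack string is just an unmatched customer id.
    return conn.execute(
        "SELECT customer_id, balance FROM accounts WHERE customer_id = ?", (customer_id,)
    ).fetchall()


INJECTED_ID = "' OR '1'='1"   # constructed attack string, as typed into a web form field


def demo():
    conn = make_db()
    return {
        "legit_vulnerable": lookup_balance_vulnerable(conn, "C1001"),
        "legit_hardened": lookup_balance_hardened(conn, "C1001"),
        "injected_vulnerable": lookup_balance_vulnerable(conn, INJECTED_ID),  # leaks every row
        "injected_hardened": lookup_balance_hardened(conn, INJECTED_ID),      # returns nothing
    }


def find_dynamic_sql(source: str):
    """Reviewer's helper: line numbers of execute()/executemany() calls whose statement is
    assembled at runtime (concatenation, % formatting, f-string or str.format)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            continue
        stmt = node.args[0]
        dynamic = (isinstance(stmt, (ast.BinOp, ast.JoinedStr))
                   or (isinstance(stmt, ast.Call) and isinstance(stmt.func, ast.Attribute)
                       and stmt.func.attr == "format"))
        if dynamic:
            hits.append(node.lineno)
    return hits


# Constructed snippet a reviewer might be handed; only line 3 should be flagged.
REVIEW_SAMPLE = """\
def find_customer(conn, cid):
    # builds the statement from user input: flag this
    return conn.execute("SELECT * FROM accounts WHERE customer_id = '" + cid + "'").fetchall()

def find_customer_ok(conn, cid):
    return conn.execute("SELECT * FROM accounts WHERE customer_id = ?", (cid,)).fetchall()
"""

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20} -> {rows}")
    print("dynamic SQL at lines:", find_dynamic_sql(REVIEW_SAMPLE))
```

With the attack string the vulnerable lookup returns all three accounts while the hardened one returns none, and the static check flags only the concatenating call. The static check is deliberately narrow (it only sees statements built at the call site, not a variable assembled earlier), which is why it complements rather than replaces the manual review and the application security testing the slide places later in the cycle.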
  12. REQUIREMENT 7: TECHNOLOGY REFRESH PLANNING
     Operating systems no longer supported or reaching end-of-life (dates are month/day/year):

     Product                               Lifecycle start   Mainstream support end   Extended support end   Service pack support end
     Windows 2000 Advanced Server          3/31/2000         6/30/2005                7/13/2010
     Windows 2000 Datacenter Server        11/13/2000        6/30/2005                7/13/2010
     Windows 2000 Professional Edition     3/31/2000         6/30/2005                7/13/2010
     Windows 2000 Server                   3/31/2000         6/30/2005                7/13/2010
     Windows XP Professional               12/31/2001        4/14/2009                4/8/2014               8/30/2005
     Windows XP Professional x64 Edition   4/24/2005         4/14/2009                4/8/2014               4/14/2009
     Source: http://support.microsoft.com/gp/lifeselectwin

     Mainstream support phase: paid support, security update support, non-security hotfix support, incident support, warranty claims, design changes and feature requests.
     Extended support phase: paid support, security update support.
     By the time of this 2014 presentation every product in the table had passed its extended support end date, so none of them was receiving security updates any longer.
     Qn 1: Do you have a Software Asset Management (SAM) tool to assist you with tracking your complete software inventory?
     Qn 2: Are there designated staff to monitor patch levels and end-of-service systems based on the software inventory?
     Qn 3: Is there a risk assessment process and road map to patch software (applications, databases, operating systems, etc.) and retire old technology?
     TRM Guidelines requirements:
     • Establish a technology refresh plan to replace systems and software that are end-of-support (EOS)
     Recommended solutions:
     • Establish an IT application and platform roadmap to define system lifecycle and upgrade requirements
     • Maintain an IT hardware and software inventory using a Software Asset Management (SAM) tool to monitor patch status and EOS systems
  13. REQUIREMENT 8: END USER DEVELOPMENT
     Where are your end user developed applications (EUCs) and how are they protected? The slide repeats the data flow and risk point diagram from Requirement 5: EUCs live on end user devices and pass through the same copy, email, remote access and lost / stolen device risk points as any other customer data.
     Qn 1: Do you know if any staff are using EUCs? Is there an inventory?
     Qn 2: Are there EUCs used by management to make important decisions or for reporting purposes?
     Qn 3: Where are these critical EUCs?
     Qn 4: Are these critical EUCs well protected?
     TRM Guidelines requirements:
     • Implement access and data protection controls for critical end user developed applications
     Recommended solutions:
     • Establish an overall framework to define and manage end user developed applications / programs
     • Risk assessment and data classification to identify the critical EUCs to be protected
  14. REQUIREMENT 9: DATA CENTRE PROTECTION
     Is your data centre protected against the threats in the slide's list of common areas of focus for a threat and vulnerability assessment?
     TRM Guidelines requirements:
     • Obtain and assess the Threat and Vulnerability Risk Assessment (TVRA) report of the service provider's data centre facility on a periodic basis
     • For new outsourcing, perform the TVRA at the feasibility study stage
     Recommended solutions:
     • Identify the data centres, both local and overseas, that host applications which process or store Singapore customer data
     • The FI or the data centre service provider engages specialists to perform a TVRA review of these identified data centres, and submits the report to MAS
  15. COMMON TRM CHALLENGES KPMG HAS IDENTIFIED ACROSS THE FS INDUSTRY
     Self-assessment: rate your IT control maturity on each challenge from 1 (low) to 5 (high).
     • Group and localised IT risk management framework and governance structure
     • Critical system assessment process (business impact + customer impact)
     • System resiliency against single point of failure risk
     • Business continuity: RTO of 4 hours or less for critical applications, and no more than 4 hours of unscheduled downtime per 12-month window
     • Timely response to and reporting of security incidents and system malfunctions, i.e. within 60 minutes upon discovery
     • Assessment of security risks (e.g. DDoS, man-in-the-middle attacks and card skimming) on internet banking, mobile banking and payment cards
     • Restricting access to privileged user accounts and monitoring their activity
     • Encryption of sensitive data, both data in motion and data at rest
     • IT outsourcing framework covering HQ and 3rd parties, with SLA monitoring and KRIs
  16. NEXT STEPS TO ADDRESS IT RISK MANAGEMENT
     • Critical systems assessment framework: group-wide detailed assessment of all systems to determine the list of critical applications, including vendor-provided systems
     • Board & management oversight of technology-related risks: embed an IT risk assessment process into your governance framework, and use it to oversee management decision-making concerning strategic RTB and CTB
     • System resiliency / high availability: increase investment in HA infrastructure to ensure continuity of business services in the event of an incident; refine the business / IT end-to-end recovery process
     • Incident management process: establish an incident management process, including outsourced processes; define an escalation structure to smooth decision-making around reporting of incidents to the regulator
     • Gap analysis: conduct a detailed gap analysis between management policies / the control environment and the MAS TRM requirements; establish an action plan to remediate gaps
     • Remediation: implement appropriate policies, procedures, controls and tools / systems to remediate gaps in system resiliency, customer data protection, cybersecurity and outsourcing
  17. HOW CAN KPMG HELP YOU? Our service offerings to help you address technology risks
     With a deep understanding of the regulatory guidelines and circulars on technology risk management, complemented by rich experience in providing regulatory compliance advisory work, KPMG can elevate you towards the next level of compliance at optimised cost.
     • Design of a Technology Risk Management framework and governance structures
     • Gap assessment based on existing / new technology risk management regulations from regulators in Singapore and other locations
     • IT outsourcing framework and vendor assurance review
     • IT security strategy & governance
     • Critical system assessment process / IT risk assessments (new / current business initiatives)
     • Incident management process for IT security incidents and system malfunctions
     • Development of IT policies and procedures (including resiliency, technology refresh plan, data classification & data governance, IT security roadmap, data leakage protection & encryption)
     • IT assurance and controls review
     • Training on technology risk management & regulatory compliance
     • Source code review, penetration testing, SIEM configuration, system vulnerability management
     • Follow-up on MAS inspection reports / audit findings
     • IT risk monitoring
     • Industry / market-wide business continuity management & disaster recovery exercises
  18. THANK YOU
     DARYL PEREIRA, PARTNER, INFORMATION PROTECTION & BUSINESS RESILIENCY
     darylpereira@kpmg.com.sg
     KPMG MANAGEMENT CONSULTING: RISK & REGULATION | COST & EFFICIENCY | CUSTOMER & GROWTH
