SlideShare a Scribd company logo

Cybersecurity_Alert_Dec_16_2014

Paul Ferrillo
Paul Ferrillo
1 of 4
Download to read offline
Weil, Gotshal & Manges LLP Though other more notorious cyber security breaches have recently flooded the news, there can be no question that some of the more startling breaches have involved major financial institutions.1 Indeed, the cyber threats to the banking industry are real and upon us, and are cropping up in ways we potentially did not think of previously: Vulnerabilities in mobile banking pose another new and highly sophisticated danger, as mobile banking vulnerabilities may exist on mobile devices that are not patched, and malware can be developed to specifically target the use of mobile devices. One example of this type of vulnerability is the Zeus-in-the-Middle malware, a mobile version of the GameOver Zeus malware, which itself was one of the most sophisticated types of malware the FBI ever attempted to disrupt. GameOver Zeus was designed to steal banking credentials that criminals could then use to initiate or redirect wire transfers to overseas bank accounts. All told, the malware infected over 1 million computers worldwide and caused over $100 million in estimated losses.2 In continued recognition of persistent threats upon the banking industry, on December 10, 2014, Benjamin J. Lawsky, Superintendent of the New York Department of Financial Services (NYDFS), issued a guidance letter to NYDFS-regulated banks outlining specific cyber security-related factors that will be reviewed as part of a bank’s annual review. In this release, Superintendent Lawsky stated: It is our hope that integrating a targeted cyber security assessment directly into our examination process will help encourage a laser-like focus on this issue by both banks and regulators. Cyber hacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers. It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks.3 With the non-stop breach activity we have seen over the last few weeks, both state and federal regulators are showing their concern, and urging regulated entities to improve their cyber security postures immediately before the “bad guys” can wreak as much havoc on the U.S. financial markets as they have on other U.S. companies, particularly those in the retail sector.4 Alert Cyber Security, Cyber Governance, and Cyber Insurance December 16, 2014 New York Department of Financial Services Issues Cyber Security Guidance Letter By Paul A. Ferrillo
Weil, Gotshal & Manges LLP 2 This alert will discuss the recently announced cyber security guidance issued by NYDFS as well as other recent statements issued by various federal regulators concerning their own annual examinations or desk audits. NYDFS Guidance Superintendent Lawsky’s guidance letter is very specific, and encourages banks to provide comprehensive answers to very important cyber governance issues, including: ■■ Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks; ■■ Resources devoted to information security and overall risk management; ■■ The risks posed by shared infrastructure; ■■ Protections against intrusion, including multi- factor or adaptive authentication and server and database configurations; ■■ Information security testing and monitoring, including penetration testing; ■■ Incident detection and response processes, including monitoring; ■■ Training of information security professionals as well as all other personnel; ■■ Management of third-party service providers; ■■ Integration of information security into business continuity and disaster recovery policies and procedures; and ■■ Cyber security insurance coverage and other third- party protections.5 This guidance may be seen as a welcome blessing for the many New York-based financial institutions or financial services organizations (or pieces of them) that are also regulated by the SEC’s Office of Compliance,6 FINRA,7 or the FDIC, OCC, and/ or FFEIC8 – each of which has announced either guidance or street sweep letters for annual audits/ reviews of its respective regulated entities. Thankfully, much of the guidance issued by these organizations to their respective regulated entities is similar to that issued by NYDFS. Conflicting guidance would have only confused the question of “best cyber security practices” even further, and could have caused regulated entities double or triple the compliance work in order to keep up with each involved agency. In the inherently perplexing area of cyber security, we need more good answers, rather than more questions to be answered by regulatory entities. Good Cyber Governance and Cyber Compliance The NYDFS guidance is also well-placed in that it focuses not just on “data protection” measures, which are but a piece of the puzzle, but also on “incident detection and response… and on the integration of information security into business continuity and disaster recovery policies and procedures,” as well as cyber security insurance coverage. These three pieces go together like a hand in a glove. As recent major data breaches have taught us, it is more than likely that despite state of the art firewall and anti-virus protection, every day New York- regulated entities are subjected to thousands of cyber security “events” of various intensity and complexity. Those thousands of events require sophisticated incident detection tools to determine whether they are actually “incidents” in disguise, which would then require immediate remediation and/or counter-measures. Unfortunately, despite the best efforts of companies, it is estimated by some that at least 90% of all intrusion detection systems might not be able to catch the most sophisticated hack.9 The name of today’s game is not being “cyber perfect” (because we can’t be) but remaining “cyber resilient,”10 i.e., being able to take a cyber-punch and get back off the canvas through a battle-tested incident response and data recovery plan aimed at getting the organization back in business as soon as possible. Helping maintain resiliency is cyber insurance, which can potentially defray the huge (and potentially crippling) costs of a cyber-breach forensic investigation and recovery efforts.11 Cyber Security, Cyber Governance, and Cyber Insurance December 16, 2014
Weil, Gotshal & Manges LLP 3 As noted above, NYDFS-regulated banks, financial institutions, and some insurance companies may not be subject to just NYDFS regulation, but to other federal regulations as well.12 For these reasons, New York-regulated organizations need to become more culturally “cyber compliant”-based organizations. Essentially, instead of “checking the box” once every audit cycle, cyber security procedures, training and policies (along with incident detection hardware and software) need to be revisited by internal IT departments and outside IT experts more than just once a year. Unfortunately, despite our best efforts, what is state-of-the-art today may not be state-of-the- art tomorrow. Cyber security processes, procedures, and internal discussions need to be documented when necessary to evidence improvements when made. And solid information concerning cyber security events, incidents, and incident responses needs to come to the attention of the board of directors in a timely fashion so that boards can exercise their fiduciary duties regarding enterprise risk management. Good cyber security is a living, breathing concept and needs to be treated as such. 1. See “J.P. Morgan Says About 76 Million Households Affected By Cyber Breach”, available at http://www.wsj. com/articles/j-p-morgan-says-about-76-million-households- affected-by-cyber-breach-1412283372. 2. See testimony of Joseph Demarest, Assistant Director of the FBI’s Cyber Division, available at http:// insurancenewsnet.com/oarticle/2014/12/11/senate-banking- housing-and-urban-affairs-committee-hearing-a-577571. html#.VI4J74E8KrU. 3. See Press Release of NYDFS Superintendent Benjamin Lawsky, available at http://www.dfs.ny.gov/about/ press2014/pr1412101.htm. 4. See “Happy Holidays becomes ‘Happy Data Breaches’”, available at http://thehill.com/blogs/congress-blog/ technology/226972-happy-holidays-becomes-happy-data- breaches. 5. Id. 6. See OCIE Cyber Security Initiative (which applies to registered broker-dealers and registered investment advisers), available at http://www.sec.gov/ocie/ announcement/Cybersecurity+Risk+Alert++%2526+Appen dix+-+4.15.14.pdf. 7. See FINRA Targeted Cyber Security Exam Letters, found at http://www.finra.org/Industry/Regulation/Guidance/ TargetedExaminationLetters/P443219. 8. See testimony of Office of the Comptroller of the Currency’s Senior Critical Infrastructure Officer Valerie Abend, December 10, 2014, available at http://www.occ. gov/news-issuances/congressional-testimony/2014/pub- test-2014-165-written.pdf. 9. See “FBI: Sony hack would work on ‘90 percent’ of public, private firms”, available at http://thehill.com/ policy/cybersecurity/226657-fbi-sony-hack-would-work- on-99-percent-of-companies. We note that the forensic investigation of the Sony hack is continuing, so the final word is not out yet on the sophistication of the attack. 10. See “Five questions (and answers) about North Korea and the Sony hack”, available at http://www.washingtonpost. com/blogs/monkey-cage/wp/2014/12/14/five-questions- and-answers-about-north-korea-and-the-sony-hack/ (noting that “There is really no such thing as a secure system, but there are things one can do to boost protection. Redundancy, resilience and backup networks, as well as decentralization, are all tactics that need to be used by important government branches and corporations.”) 11. See “Will Banks Be Required to Have Cyber-Insurance?” available at http://www.bankinfosecurity.com/will-banks- be-required-to-have-cyber-insurance-a-7673 (noting “…what cyber-risk insurance can do is provide some measure of financial support in case of a data breach or cyber-incident”); see generally “Cyber Security, Cyber Governance, and Cyber Insurance,” available at http:// blogs.law.harvard.edu/corpgov/2014/11/13/cyber-security- cyber-governance-and-cyber-insurance/. 12. See e.g., SEC Regulation S-ID, which generally requires “SEC or CFTC registrants (e.g., investment advisers, investment companies, broker-dealers, commodity pool advisors, futures commission merchants, retail foreign exchange dealers, commodity trading advisers, introducing brokers, swap dealers, and major swap participants) to establish and maintain programs that detect, prevent, and mitigate identity theft, if they maintain certain types of accounts for clients.” See PWC Memo “Identity Theft Regulation: Are you under the SEC/CFTC microscope?” available at http://www.pwc.com/us/en/ financial-services/regulatory-services/publications/ identity-theft-regulation.jhtml. Cyber Security, Cyber Governance, and Cyber Insurance December 16, 2014
Weil, Gotshal & Manges LLP 4 Cyber Security, Cyber Governance, and Cyber Insurance December 16, 2014 If you have questions concerning the contents of this issue, please speak to your regular contact at Weil, or to: Paul A. Ferrillo (NY) Bio Page paul.ferrillo@weil.com +1 212 310 8372 © 2014 Weil, Gotshal & Manges LLP. All rights reserved. Quotation with attribution is permitted. This publication provides general information and should not be used or taken as legal advice for specific situations that depend on the evaluation of precise factual circumstances. The views expressed in these articles reflect those of the authors and not necessarily the views of Weil, Gotshal & Manges LLP. If you would like to add a colleague to our mailing list, please click here. If you need to change or remove your name from our mailing list, send an email to weil.alerts@weil.com.

Recommended

CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!topseowebmaster
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityPaul Ferrillo
 
CS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudCS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudPaige Rasid
 
Cybersecurity infographic
Cybersecurity infographicCybersecurity infographic
Cybersecurity infographicCSC Australia
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutionsJonny Nässlander
 
Cyber Client Alert
Cyber Client AlertCyber Client Alert
Cyber Client AlertGraeme Cross
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkDivya Kothari
 

Recommended

CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!CyberSecurity Insurance - The Ugly Truth!
CyberSecurity Insurance - The Ugly Truth!topseowebmaster
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityPaul Ferrillo
 
CS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudCS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudPaige Rasid
 
Cybersecurity infographic
Cybersecurity infographicCybersecurity infographic
Cybersecurity infographicCSC Australia
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutionsJonny Nässlander
 
Cyber Client Alert
Cyber Client AlertCyber Client Alert
Cyber Client AlertGraeme Cross
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkDivya Kothari
 
Insurance for Cyber Risks
Insurance for Cyber RisksInsurance for Cyber Risks
Insurance for Cyber Riskssmithjgdc
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015Paul Ferrillo
 
Information Security
Information SecurityInformation Security
Information Securitytrunko
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonEljay Robertson
 
2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-finalΔρ. Γιώργος K. Κασάπης
 
Outsourcing
OutsourcingOutsourcing
Outsourcingkarlhennessy
 
2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference2017 FS-ISAC Security Conference
2017 FS-ISAC Security ConferenceDavid Sweigert
 
Managed security services for financial services firms
Managed security services for financial services firmsManaged security services for financial services firms
Managed security services for financial services firmsJake Weaver
 
NCRIC Analysis of Cyber Security Emergency Management
NCRIC Analysis of Cyber Security Emergency ManagementNCRIC Analysis of Cyber Security Emergency Management
NCRIC Analysis of Cyber Security Emergency ManagementDavid Sweigert
 
The CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber InsuranceThe CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber InsuranceJoseph Brunsman
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframePrecisely
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperNetIQ
 
Volume2 chapter1 security
Volume2 chapter1 securityVolume2 chapter1 security
Volume2 chapter1 securityat MicroFocus Italy ❖✔
 
Marriage of Cyber Security with Emergency Management -- NEMA
Marriage of Cyber Security with Emergency Management -- NEMAMarriage of Cyber Security with Emergency Management -- NEMA
Marriage of Cyber Security with Emergency Management -- NEMADavid Sweigert
 
IBM Security Services
IBM Security ServicesIBM Security Services
IBM Security ServicesRainer Mueller
 
Case study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoCase study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoVictor Oluwajuwon Badejo
 
Sept 2012 data security & cyber liability
Sept 2012 data security & cyber liabilitySept 2012 data security & cyber liability
Sept 2012 data security & cyber liabilityDFickett
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook Kristin Judge
 
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)PwC France
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010Scientia Groups
 
Line following using maze simulator
Line following using maze simulatorLine following using maze simulator
Line following using maze simulatorSharjeel Sarwar
 
100 golden rules of english grammar
100 golden rules of english grammar100 golden rules of english grammar
100 golden rules of english grammarHimmat Singh
 

More Related Content

What's hot

Insurance for Cyber Risks
Insurance for Cyber RisksInsurance for Cyber Risks
Insurance for Cyber Riskssmithjgdc
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015Paul Ferrillo
 
Information Security
Information SecurityInformation Security
Information Securitytrunko
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonEljay Robertson
 
2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference2017 FS-ISAC Security Conference
2017 FS-ISAC Security ConferenceDavid Sweigert
 
Managed security services for financial services firms
Managed security services for financial services firmsManaged security services for financial services firms
Managed security services for financial services firmsJake Weaver
 
NCRIC Analysis of Cyber Security Emergency Management
NCRIC Analysis of Cyber Security Emergency ManagementNCRIC Analysis of Cyber Security Emergency Management
NCRIC Analysis of Cyber Security Emergency ManagementDavid Sweigert
 
The CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber InsuranceThe CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber InsuranceJoseph Brunsman
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframePrecisely
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperNetIQ
 
Marriage of Cyber Security with Emergency Management -- NEMA
Marriage of Cyber Security with Emergency Management -- NEMAMarriage of Cyber Security with Emergency Management -- NEMA
Marriage of Cyber Security with Emergency Management -- NEMADavid Sweigert
 
Sept 2012 data security & cyber liability
Sept 2012 data security & cyber liabilitySept 2012 data security & cyber liability
Sept 2012 data security & cyber liabilityDFickett
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook Kristin Judge
 
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)PwC France
 

What's hot (20)

Insurance for Cyber Risks
Insurance for Cyber RisksInsurance for Cyber Risks
Insurance for Cyber Risks
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015
 
Information Security
Information SecurityInformation Security
Information Security
 
Securing Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay RobertsonSecuring Cyber Space- Eljay Robertson
Securing Cyber Space- Eljay Robertson
 
2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final
 
Outsourcing
OutsourcingOutsourcing
Outsourcing
 
2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference
 
Managed security services for financial services firms
Managed security services for financial services firmsManaged security services for financial services firms
Managed security services for financial services firms
 
NCRIC Analysis of Cyber Security Emergency Management
NCRIC Analysis of Cyber Security Emergency ManagementNCRIC Analysis of Cyber Security Emergency Management
NCRIC Analysis of Cyber Security Emergency Management
 
The CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber InsuranceThe CPAs Guide to Buying Cyber Insurance
The CPAs Guide to Buying Cyber Insurance
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White Paper
 
Volume2 chapter1 security
Volume2 chapter1 securityVolume2 chapter1 security
Volume2 chapter1 security
 
Marriage of Cyber Security with Emergency Management -- NEMA
Marriage of Cyber Security with Emergency Management -- NEMAMarriage of Cyber Security with Emergency Management -- NEMA
Marriage of Cyber Security with Emergency Management -- NEMA
 
IBM Security Services
IBM Security ServicesIBM Security Services
IBM Security Services
 
Case study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoCase study on JP Morgan Chase & Co
Case study on JP Morgan Chase & Co
 
Sept 2012 data security & cyber liability
Sept 2012 data security & cyber liabilitySept 2012 data security & cyber liability
Sept 2012 data security & cyber liability
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook
 
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010
 

Viewers also liked

Line following using maze simulator
Line following using maze simulatorLine following using maze simulator
Line following using maze simulatorSharjeel Sarwar
 
100 golden rules of english grammar
100 golden rules of english grammar100 golden rules of english grammar
100 golden rules of english grammarHimmat Singh
 
Aula do dia 21 de novembro investimentos
Aula do dia 21 de novembro investimentosAula do dia 21 de novembro investimentos
Aula do dia 21 de novembro investimentosJose Roberto Yasoshima
 
Portfolio_Hui_Jiang
Portfolio_Hui_JiangPortfolio_Hui_Jiang
Portfolio_Hui_JiangHui Jiang
 
BYU Women's Conference -- April 2015, Sacrament
BYU Women's Conference -- April 2015, SacramentBYU Women's Conference -- April 2015, Sacrament
BYU Women's Conference -- April 2015, Sacramentruthrenlund
 
MAKE MY DAY - How to Change Your Colleague’s World
MAKE MY DAY - How to Change Your Colleague’s WorldMAKE MY DAY - How to Change Your Colleague’s World
MAKE MY DAY - How to Change Your Colleague’s WorldAlex Yates
 
新建 Microsoft word 文档
新建 Microsoft word 文档新建 Microsoft word 文档
新建 Microsoft word 文档CTOWATCH
 
SlideShare Dashboard | Communications
SlideShare Dashboard | CommunicationsSlideShare Dashboard | Communications
SlideShare Dashboard | CommunicationsAlex Yates
 
Noora Heikkilä/Frankfurt Book Fair 2014
Noora Heikkilä/Frankfurt Book Fair 2014Noora Heikkilä/Frankfurt Book Fair 2014
Noora Heikkilä/Frankfurt Book Fair 2014Tamlit
 
CDN implmentation consideration
CDN implmentation considerationCDN implmentation consideration
CDN implmentation considerationAvi Shalisman
 

Viewers also liked (15)

Line following using maze simulator
Line following using maze simulatorLine following using maze simulator
Line following using maze simulator
 
100 golden rules of english grammar
100 golden rules of english grammar100 golden rules of english grammar
100 golden rules of english grammar
 
Aula do dia 21 de novembro investimentos
Aula do dia 21 de novembro investimentosAula do dia 21 de novembro investimentos
Aula do dia 21 de novembro investimentos
 
Portfolio_Hui_Jiang
Portfolio_Hui_JiangPortfolio_Hui_Jiang
Portfolio_Hui_Jiang
 
BYU Women's Conference -- April 2015, Sacrament
BYU Women's Conference -- April 2015, SacramentBYU Women's Conference -- April 2015, Sacrament
BYU Women's Conference -- April 2015, Sacrament
 
thesis report 2012
thesis report 2012thesis report 2012
thesis report 2012
 
Annual Report 2014 - 2015 WEB
Annual Report 2014 - 2015 WEBAnnual Report 2014 - 2015 WEB
Annual Report 2014 - 2015 WEB
 
Mohamed-NOUr-2
Mohamed-NOUr-2Mohamed-NOUr-2
Mohamed-NOUr-2
 
Shuja khan cv
Shuja khan cvShuja khan cv
Shuja khan cv
 
MAKE MY DAY - How to Change Your Colleague’s World
MAKE MY DAY - How to Change Your Colleague’s WorldMAKE MY DAY - How to Change Your Colleague’s World
MAKE MY DAY - How to Change Your Colleague’s World
 
新建 Microsoft word 文档
新建 Microsoft word 文档新建 Microsoft word 文档
新建 Microsoft word 文档
 
SlideShare Dashboard | Communications
SlideShare Dashboard | CommunicationsSlideShare Dashboard | Communications
SlideShare Dashboard | Communications
 
Noora Heikkilä/Frankfurt Book Fair 2014
Noora Heikkilä/Frankfurt Book Fair 2014Noora Heikkilä/Frankfurt Book Fair 2014
Noora Heikkilä/Frankfurt Book Fair 2014
 
CDN implmentation consideration
CDN implmentation considerationCDN implmentation consideration
CDN implmentation consideration
 
Maroc
MarocMaroc
Maroc
 

Similar to Cybersecurity_Alert_Dec_16_2014

A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecuritySpark Security
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousEthan S. Burger
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docxwrite30
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6seadeloitte
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Booz Allen Hamilton
 
Not Prepared for Hacks .docx
Not Prepared for Hacks .docx Not Prepared for Hacks .docx
Not Prepared for Hacks .docxhallettfaustina
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCybAnastaciaShadelb
 
You Are the Target
You Are the TargetYou Are the Target
You Are the TargetEMC
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106Ted Richmond
 
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditCyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditNationalUnderwriter
 
No National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseNo National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseWilliam McBorrough
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
Risks Of A Dos Attack
Risks Of A Dos AttackRisks Of A Dos Attack
Risks Of A Dos AttackAshley Thomas
 
American Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsAmerican Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsDavid Sweigert
 
Cyber Security - Things you need to know
Cyber Security - Things you need to knowCyber Security - Things you need to know
Cyber Security - Things you need to knowNathan Desfontaines
 
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...Invincea, Inc.
 

Similar to Cybersecurity_Alert_Dec_16_2014 (20)

A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
Cybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future AttacksCybersecurity After WannaCry: How to Resist Future Attacks
Cybersecurity After WannaCry: How to Resist Future Attacks
 
Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docx
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
 
Not Prepared for Hacks .docx
Not Prepared for Hacks .docx Not Prepared for Hacks .docx
Not Prepared for Hacks .docx
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
You Are the Target
You Are the TargetYou Are the Target
You Are the Target
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106
 
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an AuditCyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit
 
No National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseNo National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law Please
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
Risks Of A Dos Attack
Risks Of A Dos AttackRisks Of A Dos Attack
Risks Of A Dos Attack
 
American Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standardsAmerican Bar Association guidelines on Cyber Security standards
American Bar Association guidelines on Cyber Security standards
 
Cyber Security - Things you need to know
Cyber Security - Things you need to knowCyber Security - Things you need to know
Cyber Security - Things you need to know
 
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
White Paper :- Spear-phishing, watering hole and drive-by attacks :- The New ...
 

Cybersecurity_Alert_Dec_16_2014

  • 1. Weil, Gotshal & Manges LLP Though other more notorious cyber security breaches have recently flooded the news, there can be no question that some of the more startling breaches have involved major financial institutions.1 Indeed, the cyber threats to the banking industry are real and upon us, and are cropping up in ways we potentially did not think of previously: Vulnerabilities in mobile banking pose another new and highly sophisticated danger, as mobile banking vulnerabilities may exist on mobile devices that are not patched, and malware can be developed to specifically target the use of mobile devices. One example of this type of vulnerability is the Zeus-in-the-Middle malware, a mobile version of the GameOver Zeus malware, which itself was one of the most sophisticated types of malware the FBI ever attempted to disrupt. GameOver Zeus was designed to steal banking credentials that criminals could then use to initiate or redirect wire transfers to overseas bank accounts. All told, the malware infected over 1 million computers worldwide and caused over $100 million in estimated losses.2 In continued recognition of persistent threats upon the banking industry, on December 10, 2014, Benjamin J. Lawsky, Superintendent of the New York Department of Financial Services (NYDFS), issued a guidance letter to NYDFS-regulated banks outlining specific cyber security-related factors that will be reviewed as part of a bank’s annual review. In this release, Superintendent Lawsky stated: It is our hope that integrating a targeted cyber security assessment directly into our examination process will help encourage a laser-like focus on this issue by both banks and regulators. Cyber hacking is a potentially existential threat to our financial markets and can wreak serious havoc on the financial lives of consumers. It is imperative that we move quickly to work together to shore up our lines of defense against these serious risks.3 With the non-stop breach activity we have seen over the last few weeks, both state and federal regulators are showing their concern, and urging regulated entities to improve their cyber security postures immediately before the “bad guys” can wreak as much havoc on the U.S. financial markets as they have on other U.S. companies, particularly those in the retail sector.4 Alert Cyber Security, Cyber Governance, and Cyber Insurance December 16, 2014 New York Department of Financial Services Issues Cyber Security Guidance Letter By Paul A. Ferrillo
  • 2. Weil, Gotshal & Manges LLP 2 This alert will discuss the recently announced cyber security guidance issued by NYDFS as well as other recent statements issued by various federal regulators concerning their own annual examinations or desk audits. NYDFS Guidance Superintendent Lawsky’s guidance letter is very specific, and encourages banks to provide comprehensive answers to very important cyber governance issues, including: ■■ Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks; ■■ Resources devoted to information security and overall risk management; ■■ The risks posed by shared infrastructure; ■■ Protections against intrusion, including multi- factor or adaptive authentication and server and database configurations; ■■ Information security testing and monitoring, including penetration testing; ■■ Incident detection and response processes, including monitoring; ■■ Training of information security professionals as well as all other personnel; ■■ Management of third-party service providers; ■■ Integration of information security into business continuity and disaster recovery policies and procedures; and ■■ Cyber security insurance coverage and other third- party protections.5 This guidance may be seen as a welcome blessing for the many New York-based financial institutions or financial services organizations (or pieces of them) that are also regulated by the SEC’s Office of Compliance,6 FINRA,7 or the FDIC, OCC, and/ or FFEIC8 – each of which has announced either guidance or street sweep letters for annual audits/ reviews of its respective regulated entities. Thankfully, much of the guidance issued by these organizations to their respective regulated entities is similar to that issued by NYDFS. Conflicting guidance would have only confused the question of “best cyber security practices” even further, and could have caused regulated entities double or triple the compliance work in order to keep up with each involved agency. In the inherently perplexing area of cyber security, we need more good answers, rather than more questions to be answered by regulatory entities. Good Cyber Governance and Cyber Compliance The NYDFS guidance is also well-placed in that it focuses not just on “data protection” measures, which are but a piece of the puzzle, but also on “incident detection and response… and on the integration of information security into business continuity and disaster recovery policies and procedures,” as well as cyber security insurance coverage. These three pieces go together like a hand in a glove. As recent major data breaches have taught us, it is more than likely that despite state of the art firewall and anti-virus protection, every day New York- regulated entities are subjected to thousands of cyber security “events” of various intensity and complexity. Those thousands of events require sophisticated incident detection tools to determine whether they are actually “incidents” in disguise, which would then require immediate remediation and/or counter-measures. Unfortunately, despite the best efforts of companies, it is estimated by some that at least 90% of all intrusion detection systems might not be able to catch the most sophisticated hack.9 The name of today’s game is not being “cyber perfect” (because we can’t be) but remaining “cyber resilient,”10 i.e., being able to take a cyber-punch and get back off the canvas through a battle-tested incident response and data recovery plan aimed at getting the organization back in business as soon as possible. Helping maintain resiliency is cyber insurance, which can potentially defray the huge (and potentially crippling) costs of a cyber-breach forensic investigation and recovery efforts.11 Cyber Security, Cyber Governance, and Cyber Insurance December 16, 2014
  • 3. Weil, Gotshal & Manges LLP 3 As noted above, NYDFS-regulated banks, financial institutions, and some insurance companies may not be subject to just NYDFS regulation, but to other federal regulations as well.12 For these reasons, New York-regulated organizations need to become more culturally “cyber compliant”-based organizations. Essentially, instead of “checking the box” once every audit cycle, cyber security procedures, training and policies (along with incident detection hardware and software) need to be revisited by internal IT departments and outside IT experts more than just once a year. Unfortunately, despite our best efforts, what is state-of-the-art today may not be state-of-the- art tomorrow. Cyber security processes, procedures, and internal discussions need to be documented when necessary to evidence improvements when made. And solid information concerning cyber security events, incidents, and incident responses needs to come to the attention of the board of directors in a timely fashion so that boards can exercise their fiduciary duties regarding enterprise risk management. Good cyber security is a living, breathing concept and needs to be treated as such. 1. See “J.P. Morgan Says About 76 Million Households Affected By Cyber Breach”, available at http://www.wsj. com/articles/j-p-morgan-says-about-76-million-households- affected-by-cyber-breach-1412283372. 2. See testimony of Joseph Demarest, Assistant Director of the FBI’s Cyber Division, available at http:// insurancenewsnet.com/oarticle/2014/12/11/senate-banking- housing-and-urban-affairs-committee-hearing-a-577571. html#.VI4J74E8KrU. 3. See Press Release of NYDFS Superintendent Benjamin Lawsky, available at http://www.dfs.ny.gov/about/ press2014/pr1412101.htm. 4. See “Happy Holidays becomes ‘Happy Data Breaches’”, available at http://thehill.com/blogs/congress-blog/ technology/226972-happy-holidays-becomes-happy-data- breaches. 5. Id. 6. See OCIE Cyber Security Initiative (which applies to registered broker-dealers and registered investment advisers), available at http://www.sec.gov/ocie/ announcement/Cybersecurity+Risk+Alert++%2526+Appen dix+-+4.15.14.pdf. 7. See FINRA Targeted Cyber Security Exam Letters, found at http://www.finra.org/Industry/Regulation/Guidance/ TargetedExaminationLetters/P443219. 8. See testimony of Office of the Comptroller of the Currency’s Senior Critical Infrastructure Officer Valerie Abend, December 10, 2014, available at http://www.occ. gov/news-issuances/congressional-testimony/2014/pub- test-2014-165-written.pdf. 9. See “FBI: Sony hack would work on ‘90 percent’ of public, private firms”, available at http://thehill.com/ policy/cybersecurity/226657-fbi-sony-hack-would-work- on-99-percent-of-companies. We note that the forensic investigation of the Sony hack is continuing, so the final word is not out yet on the sophistication of the attack. 10. See “Five questions (and answers) about North Korea and the Sony hack”, available at http://www.washingtonpost. com/blogs/monkey-cage/wp/2014/12/14/five-questions- and-answers-about-north-korea-and-the-sony-hack/ (noting that “There is really no such thing as a secure system, but there are things one can do to boost protection. Redundancy, resilience and backup networks, as well as decentralization, are all tactics that need to be used by important government branches and corporations.”) 11. See “Will Banks Be Required to Have Cyber-Insurance?” available at http://www.bankinfosecurity.com/will-banks- be-required-to-have-cyber-insurance-a-7673 (noting “…what cyber-risk insurance can do is provide some measure of financial support in case of a data breach or cyber-incident”); see generally “Cyber Security, Cyber Governance, and Cyber Insurance,” available at http:// blogs.law.harvard.edu/corpgov/2014/11/13/cyber-security- cyber-governance-and-cyber-insurance/. 12. See e.g., SEC Regulation S-ID, which generally requires “SEC or CFTC registrants (e.g., investment advisers, investment companies, broker-dealers, commodity pool advisors, futures commission merchants, retail foreign exchange dealers, commodity trading advisers, introducing brokers, swap dealers, and major swap participants) to establish and maintain programs that detect, prevent, and mitigate identity theft, if they maintain certain types of accounts for clients.” See PWC Memo “Identity Theft Regulation: Are you under the SEC/CFTC microscope?” available at http://www.pwc.com/us/en/ financial-services/regulatory-services/publications/ identity-theft-regulation.jhtml. Cyber Security, Cyber Governance, and Cyber Insurance December 16, 2014
  • 4. Weil, Gotshal & Manges LLP 4 Cyber Security, Cyber Governance, and Cyber Insurance December 16, 2014 If you have questions concerning the contents of this issue, please speak to your regular contact at Weil, or to: Paul A. Ferrillo (NY) Bio Page paul.ferrillo@weil.com +1 212 310 8372 © 2014 Weil, Gotshal & Manges LLP. All rights reserved. Quotation with attribution is permitted. This publication provides general information and should not be used or taken as legal advice for specific situations that depend on the evaluation of precise factual circumstances. The views expressed in these articles reflect those of the authors and not necessarily the views of Weil, Gotshal & Manges LLP. If you would like to add a colleague to our mailing list, please click here. If you need to change or remove your name from our mailing list, send an email to weil.alerts@weil.com.