1. Speaker Firms and Organization:
Cybint
Roy Zur
CEO and Founder
Thank you for logging into today's event. Please note we are in standby mode. All microphones will be muted until the event
starts. We will be back with speaker instructions @ 02:55pm. Any questions? Please email: info@theknowledegroup.org
Group Registration Policy
Please note ALL participants must be registered or they will not be able to access the event.
If you have more than one person from your company attending, you must fill out the group registration form.
We reserve the right to disconnect any unauthorized users from this event and to deny violators admission to future events.
To obtain a group registration please send a note to info@theknowledgegroup.org or call 646.202.9344.
Presented By:
April 06, 2017
Sponsored by:
Ludwig & Robinson PLLC
Salvatore Scanio
Member
Kaufman Rossin , P.A.
Alejandro Mijares, CISA, CRISC, MSMIS
Manager, Risk Advisory Services
Partner Firms:
2.
• Please note the FAQ.HELP TAB located to the right of the main presentation. On this page you will find answers to the top questions asked by
attendees during the webcast, such as how to fix audio issues, where to download the slides and what to do if you miss a secret word. To access this
tab, click the FAQ.HELP Tab to the right of the main presentation; when you're done, click the tab of the main presentation to get back.
• For those viewing the webcast on a mobile device, please note:
  o These instructions are for Apple and Android devices only. If you are using a Windows tablet, please follow the instructions for viewing
  the webcast on a PC.
  o The FAQ.HELP TAB will not be visible on mobile devices.
  o You will receive the frequently asked questions & other pertinent info through the app's chat window function on your device.
  o On Apple devices you must tap the screen anywhere to see the task bar, which will show up as a blue bar across the top of the screen.
  Click the chat icon, then click "chat with all" to access the FAQs.
  o Feel free to submit questions by using the "questions" function built in to the app on your device.
  o You may use your device's "pinch to zoom" function to enlarge the slide images on your screen.
  o Headphones are highly recommended. In the event of audio difficulties, a dial-in number is available and will be provided via the app's
  chat function on your device.
3.
• Follow us on Twitter, that's @Know_Group, to receive updates for this event as well as other news and pertinent info.
• If you experience any technical difficulties during today's WebEx session, please contact our Technical Support @ 866-779-3239. We will post the
dial-in information in the chat window to the right shortly, and it's available in the FAQ.Help Tab on the right. Please redial into the webcast in case of
a connectivity issue where we have to restart the WebEx event.
• You may ask a question at any time throughout the presentation today via the chat window on the lower right-hand side of your screen. Questions
will be aggregated and addressed during the Q&A segment.
• Please note, this call is being recorded for playback purposes.
• If anyone was unable to log in to the online webcast and needs to download a copy of the PowerPoint presentation for today's event, please send
an email to: info@theknowledgegroup.org. If you're already logged in to the online webcast, we will post a link to download the files shortly, and it's
available in the FAQ.Help Tab.
4.
• If you are listening on a laptop, you may need to use headphones, as some laptop speakers are not sufficiently amplified to hear the
presentations. If you do not have headphones and cannot hear the webcast, send an email to info@theknowledgegroup.org and we will send you
the dial-in phone number.
• About an hour or so after the event, you'll be sent a survey via email asking you for your feedback on your experience with this event today. It's
designed to take less than two minutes to complete, and it helps us to understand how to wisely invest your time in future events. Your feedback is
greatly appreciated. If you are applying for continuing education credit, completion of the survey is mandatory as per your state boards and
bars. Six secret words (three for each credit hour) will be given throughout the presentation. We will ask you to fill these words into the survey as proof
of your attendance. Please stay tuned for the secret word. If you miss a secret word, please refer to the FAQ.Help tab to the right.
• Speakers, I will be giving out the secret words at randomly selected times. I may have to break into your presentation briefly to read the secret
word. Pardon the interruption.
5.
• We need your insights. We are conducting some special research to improve The Knowledge Group for you. Give us ten minutes on the phone
and we will give you six months of FREE CE webcasts. Please click the link found in the upper right "Chat Box" to sign up and participate. We look
forward to hearing from you.
Link to sign-up and participate: http://bit.ly/2nK1ZsB
6.
LogRhythm, a leader in security intelligence and
analytics, empowers organizations around the globe to
rapidly detect, respond to and neutralize damaging
cyber threats. The company's award-winning
platform unifies next-generation SIEM, log
management, network and endpoint forensics and
advanced security analytics. In addition to protecting
customers from the risks associated with cyber threats,
LogRhythm provides innovative compliance automation
and assurance, and enhanced IT intelligence.
Sponsored By:
7. Partner Firms:
Kaufman Rossin has represented Florida businesses for more than
50 years and serves international clients in dozens of countries. The
CPA and advisory firm is one of the largest in the U.S., providing
traditional accounting, audit and tax services, as well as business, risk
and forensic advisory services. The firm has won significant awards,
including repeat honors as the Best Accounting Firm to Work For
among large firms nationwide and locally. With more than 300 team
members, the firm prides itself on offering the resources of a
powerhouse, personally delivered. Go beyond the numbers at
kaufmanrossin.com.
Cybint specializes in providing smart solutions in the fields of cyber intelligence and cyber
security.
Our leading team at Cybint is composed of skilled, experienced ex-military officers from elite
intelligence and technology units, specializing in the characterization of operational, intelligence
and business needs, and also in training on and implementation of know-how.
Our team members have years of experience in the fields of military intelligence and business
intelligence, and their expertise in this world enables them to understand the inherent power of
knowledge and information and to convey these directly to the client.
Recently, Cybint partnered with a leading vocational training company in the U.S. (The BARBRI
Group) to provide assessment, training, and tools to dramatically increase online research,
analysis, and security skills for legal and financial businesses.
8. Partner Firm:
Ludwig & Robinson, founded in 1992, consists of lawyers with diverse
experience acquired at major law firms. The firm represents clients in
litigation and counseling throughout the United States and the world, and is
affiliated with a leading German law firm.
Whether as local, national or international counsel, the firm provides a range
of services in a manner that is insightful, responsive and cost-effective.
L&R's clients include multinational corporations, insurers, banks and
financial institutions, air carriers, not-for-profit organizations, technology
start-ups, universities, foreign entities and nationals, and other individuals.
Applying insights gained in decades of trial and appellate litigation, including
novel and complex cases, the firm has an exceptional record of serving its
clients' interests while obtaining often precedent-setting results.
9. Brief Speaker Bios:
Alejandro Mijares, CISA, CRISC, MSMIS
Alejandro Mijares is Risk Advisory Services Manager at Kaufman Rossin where he provides internal IT audit, system validation, and
information security review services to financial institutions supervised by the FDIC, FRB, State of Florida, and OCC. He has
performed IT and Cybersecurity risk assessments, IT controls reviews, and evaluation of IT governance regulations and processes for
more than 25 banks and foreign agencies in Florida.
Roy Zur
Roy Zur, the CEO and founder of "Cybint solutions", has more than 12 years of experience in cyber and intelligence operations from
the Israeli security forces (Retired Major), and has developed cyber training programs and technology for financial institutions, law
firms and government agencies around the world. Prior to leading Cybint, he received his LLM and MBA from Tel-Aviv University and
served as a legal adviser in the Israeli Supreme Court, and as the chairman of the Israeli Legislation Research Center (OMEK
Institute), overseeing 150 researchers, who work with the Israeli Parliament (the Knesset).
► For more information about the speakers, you can visit: https://theknowledgegroup.org/event-homepage/?event_id=1945
Salvatore Scanio
Salvatore Scanio is a member of the Washington, D.C. law firm, Ludwig & Robinson PLLC, where his practice focuses on domestic
and international litigation involving banking, insurance, and other commercial disputes. He attended Tulane University where he
earned B.A., M.B.A., and J.D. degrees. Mr. Scanio has over 20 years of experience in financial litigation, and advises clients as to
liability, defenses and loss recovery on a wide range of bank and corporate fraud and cybercrime, including check fraud, credit and
debit card fraud, wire transfer and ACH fraud, Ponzi schemes, malware attacks, and data breaches.
10. Over the past few years, the financial services industry has been a favorite target of cyber criminals, who are not only trying to gain direct
access to money, but are also going after sensitive data that they can use for identity theft and hold hostage in ransomware attacks.
The breaches at JPMorgan in 2014 and Bangladesh's Central Bank in 2016, which both resulted in millions of dollars in losses,
illustrate the dangers posed by cybercrime to banks and other financial institutions. Cyber security is no longer an IT issue; it is a
business risk that bank leadership needs to pay attention to.
The industry is doing what it can to mitigate the risk of exposure to malicious cyber attacks; however, a recent study found that it often
takes months for a company to detect such an attack. By that time, hackers have likely already stolen large amounts of sensitive data.
In this two-hour LIVE Webcast, a panel of distinguished professionals and thought leaders will discuss how cybercrime is affecting the
financial services industry and how bank leadership can create a robust information security program to mitigate the risk of a cyber
attack.
Key topics include:
• A Review of Recent High-Profile Cases
• Key Weaknesses in the Financial Sector
• Cyber Crisis Management
• Strengthening the Network and Minimizing Threats
• Regulatory Framework of Cybersecurity Enforcement
11. Featured Speakers:
SEGMENT 1:
Alejandro Mijares, CISA,
CRISC, MSMIS
Manager, Risk Advisory Services
Kaufman Rossin , P.A.
SEGMENT 3:
Salvatore Scanio
Member
Ludwig & Robinson PLLC
SEGMENT 2:
Roy Zur
CEO and Founder
Cybint
12. Introduction
Alejandro Mijares is Risk Advisory Services Manager at Kaufman Rossin where he provides internal IT audit, system
validation, and information security review services to financial institutions supervised by the FDIC, FRB, State of Florida,
and OCC. He has performed IT and Cybersecurity risk assessments, IT controls reviews, and evaluation of IT governance
regulations and processes for more than 25 banks and foreign agencies in Florida. Alejandro's work experience also
includes analyzing and evaluating information technology security risks and internal controls, process mapping, system
validation, SSAE 16 review services, and providing Sarbanes-Oxley external and internal audits for clients in a variety of
industries, including financial services companies, healthcare, retail and technology. He is a Certified Information Systems
Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), with a Master's degree in Management
Information Systems and a Bachelor's degree in Accounting and Information Systems.
13. Cybercrime: Maximizing Opportunities and Minimizing Threats for Financial Institutions
14. Today's Agenda
• The Dark Web & Cyber Threats
• Regulatory framework of cybersecurity
• FFIEC information security booklet (Sept. 2016)
• Control Environment Vulnerabilities
• Most common weaknesses and controls
• Strengthening the network and minimizing the potential impact of threats
• Network Controls
• Indicators of Compromise (IOC)
19. FFIEC Info Sec 2016
• Updated in September 2016
• Incorporates cybersecurity language
• Reduced redundancy regarding management material
• Refocuses on IT/IS risk
  – Introduces the risk management cycle:
    • Identify
    • Measure
    • Mitigate
    • Monitor & Report
• Update of information security processes
• Includes revised examination procedures
• Uses the words "should" and "may" more than 500 times
20. FinCEN (FIN-2016-A005)
• The Financial Crimes Enforcement Network (FinCEN) issued an advisory on October 25, 2016,
advising banks to report cyber attack activity
• In the advisory, FinCEN also clarified the responsibilities of financial institutions as outlined in the
Bank responsible for anti-money laundering oversight
• Guidance provided on details to include in SAR narratives
• Focus on information sharing between departments
21. Cyber Security
• (FIN-2016-A005) guidance defines the following terms:
  – Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic
  systems, services, resources, or information
  – Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, identity theft) carried out
  or facilitated by electronic systems and devices, such as networks and computers
  – Cyber-Related Information: Information that describes technical details of electronic activity
  and behavior, such as IP addresses, timestamps, and Indicators of Compromise (IOCs). Cyber-
  related information also includes, but is not limited to, data regarding the digital footprint of
  individuals and their behavior
22. Cyber Security
• (FIN-2016-A005) provides guidance in the following areas:
  – Reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports
  – Including relevant and available cyber-related information (IP addresses with time stamps, etc.) in
  SAR narratives
  – Collaborating between BSA/AML units and in-house cyber-security units to identify suspicious
  activity
  – Sharing information among financial institutions to guard against and report money laundering,
  terrorism financing, and cyber-enabled crime
*It is important to note that even if no transactions occur, a SAR may still be filed if the acts are
"intended to be part of an attempt to conduct, facilitate, or affect an unauthorized transaction or
series of unauthorized transactions aggregating or involving at least $5,000 in funds or assets."
23. Cyber Risk Management Program (based on FFIEC)
Risk Identification
• Inventory
• Threats
Risk Measurement
• Likelihood
• Potential Impact
Risk Mitigation
• In line with Board's risk appetite
• Control Testing
Risk Monitoring & Reporting
• Regular updates to the Board and senior management
24. Cybersecurity Program
BOARD OF DIRECTORS: Responsible for internal control structure | Sets risk appetite
SENIOR MANAGEMENT: Implementation of policies and procedures | Allocation of resources | Sets risk tolerance
Program components: IT/IS Internal Controls | Independent Testing | CISO/ISO Training
25. Cyber Risk Management Program
With an understanding of risk tolerance, banks can prioritize cybersecurity activities, enabling organizations to
make informed decisions about cybersecurity expenditures.
Risk Appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission. Defined by the board.
Risk Tolerance: The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. Defined by management.
26. What do Regulators Expect?
• Board of directors and audit committee have sufficient knowledge to provide oversight of cyber
risks
• Comprehensive understanding of enterprise cyber risk
• Authority and autonomy of CISO
• Sufficient resources are allocated to cyber compliance
• Ownership of the audit process resides with the audit committee
  – Robust independent testing
  – A comprehensive audit scope
  – Findings and conclusions are clearly stated
  – Supporting documentation is clear, detailed, and organized
28. Cyber Security Weaknesses
• People
• Lack of a strong cyber risk program
• Oversight
• Policies
• Control
• Lack of investment in cyber security
• Reactive mentality instead of a proactive mentality
• Ignoring signs of a cyber attack (i.e., being targeted)
• Incident response program without forensic vendors
29. Cyber Security Controls
• Define risk appetite and risk tolerance
• Develop a cyber risk management program
• Training, including phishing, vishing, penetration testing (including physical)
• Train board of directors
• Implement preventive and detective controls
• Design IOC as KRIs
• Identify a forensic team
31. Network Segmentation
What is it?
• Splitting a computer network into subnetworks, each being a network segment
What are the benefits?
• Improve performance
• Increase traffic efficiency
• Reduce network problems
• Limit your exposure to security threats
• Improve users' access control
• Increase reliability and efficiency of the network
32. Firewall Controls (based on FFIEC)
• Network perimeter defense tools (e.g., border router and firewall) are used
• Firewall rules are audited or verified at least quarterly
• Firewall logs are used for correlation with other events (e.g., network, application)
• Automated tools detect unauthorized changes to critical system files, firewalls, IPS/IDS, or other
security devices
• Access control lists are implemented
33. Network Assessments
• Perform independent audits
• Independent testing (including phishing, penetration testing, and vulnerability scanning) is conducted
according to the risk assessment for external-facing systems and the internal network
• Independent penetration testing is performed on Internet-facing applications or systems before they
are launched or undergo significant change
35. Comparison
IOC
✓ Help answer the question "What happened?"
✓ Reactive in nature
✓ Point in time
KRI
✓ Are the prime risk monitoring indicators for the Bank
✓ Cannot be expected to capture all potential losses
IOA
✓ Help answer the question "What is happening and why?"
✓ Proactive in nature
✓ Real time
37. KRI Benefits
• Provide early warning
• Provide a backward-looking view on risk events
• Enable documentation and analysis of trends
• Provide an indication of risk appetite and tolerance
• Increase the likelihood of achieving strategic objectives
• Assist in optimizing risk governance
39.
[Bar chart: "Bank vs. DBIR Benchmark"; series: Q1 2017 Results, DBIR Benchmark; categories: % of Employees Opening emails, % of Employees Clicking on Link; values shown: 30.0%, 12.0%, 67.6%, 18.1%]
40.
                              Q1 2017   % of Targets   Q4 2016   % of Targets
Targets Passed                172       81.9%          261       96.7%
Targets Failed                38        18.1%          9         3.3%
Total Targets Tested          210       100.0%         270       100.0%

Breakdown of targets that failed
                              Q1 2017   % of Targets   Q4 2016   % of Targets
First time clicking on phish  37        97.4%          9         100.0%
Repeat offender*              1         2.6%           -         0.0%
Total Failed Targets          38        100.0%         9         100.0%
* A repeat offender is an employee who clicked on a link during a prior campaign.
41. IOC/IOA
✓ Indicators of Compromise (IOC) / Indicators of Attack (IOA) are pieces of forensic data, such as data
found in system log entries or files, that identify potentially malicious activity on a system or network
✓ Improve incident response and computer forensics
✓ Help organizations and individuals share information among the IT/IS community
42. IOC as KRI examples
• Log-in red flags (i.e., after hours)
• Unusual outbound network traffic
• Creation of new accounts, especially admin accounts
• Anomalies in privileged user account activity
• Geographical irregularities
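The five "IOC as KRI" items above, written out as detection rules over constructed sample log records and rolled up into KRI counts that are compared with tolerance thresholds. This is an added example, not code from the presentation; the event format, the after-hours window, the 4-hour travel window, the 1 GB outbound threshold and the KRI tolerances are all assumptions.

```python
"""Added example (not from the presentation): the slide's "IOC as KRI" items turned
into detection rules, run over constructed sample log records, with the hits rolled
up into KRI counts and compared against assumed risk-tolerance thresholds."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real bank logs). One normalized record per line.
SAMPLE_EVENTS = [
    {"ts": "2017-03-06 09:12:00", "type": "login", "user": "jdoe", "country": "US", "privileged": False},
    {"ts": "2017-03-06 23:41:00", "type": "login", "user": "jdoe", "country": "US", "privileged": False},
    {"ts": "2017-03-07 00:05:00", "type": "login", "user": "jdoe", "country": "RO", "privileged": False},
    {"ts": "2017-03-07 02:15:00", "type": "account_created", "user": "svc_backup2", "by": "jdoe", "admin": True},
    {"ts": "2017-03-07 02:20:00", "type": "login", "user": "admin01", "country": "US", "privileged": True},
    {"ts": "2017-03-07 02:22:00", "type": "priv_action", "user": "admin01", "action": "add_member", "group": "Domain Admins"},
    {"ts": "2017-03-07 02:40:00", "type": "outbound", "host": "ws-0042", "dst": "203.0.113.7", "bytes": 2_500_000_000},
    {"ts": "2017-03-07 10:00:00", "type": "outbound", "host": "ws-0042", "dst": "198.51.100.9", "bytes": 3_000_000},
]

# Assumed tuning values (hypothetical; a bank would set these from its own baseline).
BUSINESS_HOURS = (7, 19)                  # logins outside 07:00-19:00 are "after hours"
GEO_WINDOW = timedelta(hours=4)           # two countries within 4 h is implausible travel
OUTBOUND_BYTES_THRESHOLD = 1_000_000_000  # more than 1 GB to one destination is unusual
SENSITIVE_GROUPS = {"Domain Admins"}      # membership changes here are privileged anomalies
KRI_TOLERANCES = {                        # assumed per-period tolerances (see risk tolerance slide)
    "login_after_hours": 5, "geo_irregularity": 0, "new_admin_account": 0,
    "privileged_anomaly": 0, "unusual_outbound": 0,
}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def in_business_hours(ts):
    return BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def detect(events):
    """Apply the five IOC rules from the slide; return (rule, timestamp, detail) findings."""
    findings = []
    last_login = {}  # user -> (timestamp, country) of the previous login, for geo checks
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(ev["ts"])
        kind = ev["type"]
        if kind == "login":
            # Log-in red flags: any login outside business hours
            if not in_business_hours(ts):
                findings.append(("login_after_hours", ts, ev["user"]))
                # A privileged account logging in after hours is also a privileged anomaly
                if ev.get("privileged"):
                    findings.append(("privileged_anomaly", ts, f"after-hours privileged login {ev['user']}"))
            # Geographical irregularities: same user, different country, within GEO_WINDOW
            prev = last_login.get(ev["user"])
            if prev and prev[1] != ev["country"] and ts - prev[0] <= GEO_WINDOW:
                findings.append(("geo_irregularity", ts, f"{ev['user']} {prev[1]}->{ev['country']}"))
            last_login[ev["user"]] = (ts, ev["country"])
        elif kind == "account_created" and ev.get("admin"):
            # Creation of new accounts, especially admin accounts
            findings.append(("new_admin_account", ts, f"{ev['user']} created by {ev['by']}"))
        elif kind == "priv_action" and ev.get("group") in SENSITIVE_GROUPS:
            # Anomalies in privileged user account activity
            findings.append(("privileged_anomaly", ts, f"{ev['user']} {ev['action']} {ev['group']}"))
        elif kind == "outbound" and ev["bytes"] > OUTBOUND_BYTES_THRESHOLD:
            # Unusual outbound network traffic
            findings.append(("unusual_outbound", ts, f"{ev['host']} -> {ev['dst']} ({ev['bytes']} bytes)"))
    return findings


def kri_summary(findings):
    """Roll findings up into one count per indicator; that count is the KRI value."""
    return Counter(rule for rule, _, _ in findings)


def kri_status(summary, tolerances=KRI_TOLERANCES):
    """Compare each KRI count with its tolerance; a count above tolerance is a breach."""
    return {rule: ("breached" if summary.get(rule, 0) > limit else "within tolerance")
            for rule, limit in tolerances.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, ts, detail in found:
        print(f"{ts:%Y-%m-%d %H:%M} {rule:<20} {detail}")
    for rule, state in kri_status(kri_summary(found)).items():
        print(f"KRI {rule:<20} {state}")
```

On the sample data the after-hours count stays within its tolerance while the four zero-tolerance indicators are each breached, which is the kind of exception report a KRI dashboard would surface to management.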
43. Introduction
Roy Zur, the CEO and founder of "Cybint solutions", has more than 12 years of experience in cyber and intelligence
operations from the Israeli security forces (Retired Major), and has developed cyber training programs and technology for
financial institutions, law firms and government agencies around the world. Prior to leading Cybint, he received his LLM and
MBA from Tel-Aviv University and served as a legal adviser in the Israeli Supreme Court, and as the chairman of the Israeli
Legislation Research Center (OMEK Institute), overseeing 150 researchers, who work with the Israeli Parliament (the
Knesset).
44. "It's The End Of The World As We Know It"
73. Introduction
Salvatore Scanio is a member of the Washington, D.C. law firm, Ludwig & Robinson PLLC, where his practice focuses on
domestic and international litigation involving banking, insurance, and other commercial disputes. He attended Tulane
University where he earned B.A., M.B.A., and J.D. degrees. Mr. Scanio has over 20 years of experience in financial
litigation, and advises clients as to liability, defenses and loss recovery on a wide range of bank and corporate fraud and
cybercrime, including check fraud, credit and debit card fraud, wire transfer and ACH fraud, Ponzi schemes, malware
attacks, and data breaches. He regularly publishes articles in the area of payment fraud and cybercrime. His prior
experience includes serving as in-house counsel with a large commercial bank, now part of Capital One Bank. He currently
is a member of the Federal Reserve System's Secure Payment Task Force, advising the Fed on payment security matters.
For more information on Mr. Scanio's experience and publications, please refer to his firm's website at:
http://www.ludwigrobinson.com/attorneys/salvatore-scanio
74. Financial Institution Exposure for Cybercrime
75. Financial Institution Exposure for Cybercrime
– Legal Regime for Allocating Liability for Unauthorized Funds Transfers
– Wire Transfers
– Automated Clearing House ("ACH") Transactions
– SWIFT (Society for Worldwide Interbank Financial Telecommunication)
– Uniform Commercial Code Article 4A
– Key/Recent Cases
– Recent Developments on Reporting Cybercrime
– Reducing Legal Risk
– Shifting Liability for Payment Card Fraud/Data Breaches
76. Legal Regime for Allocating Liability for Unauthorized Funds Transfers (EFTs)
• Consumer ACH
  – Electronic Funds Transfer Act/Reg. E
  – $50 Consumer Liability
• Wire Transfer/Non-Consumer ACH
  – Uniform Commercial Code Article 4A
• SWIFT
  – Correspondent Banking Agreements
  – UCC Article 4A
77. UCC Article 4A Loss Allocation
• UCC § 4A-204: receiving bank bears strict liability (plus
interest) for unauthorized EFTs, where either:
  – The "security procedure" provision was not met under
  UCC § 4A-202; or
  – The customer was not the source of the security leak
  under UCC § 4A-203
78. § 4A-202: "Security Procedure" Defense to Strict Liability
Five Elements:
1. Bank and Customer agreed to a "security procedure"
2. "Security Procedure" is "commercially reasonable"
3. Bank complied with the "security procedure"
4. Bank complied with customer's written instructions
5. Bank processed the EFT in "good faith"
79. Security Procedure
• Security Procedure is:
  – "procedure established by agreement" of bank and customer
  – to verify "that a payment order . . . is that of the customer" or to
  detect error
• Security Procedure may require "algorithms or other codes, identifying
words or numbers, encryption, callback procedures or similar security
devices."
• Security Procedures are not internal bank procedures
80. Security Procedure
• Experi-Metal, Inc. v. Comerica Bank, 2010 U.S. Dist. LEXIS 68149 (E.D. Mich. July 8,
2010) (security procedure is the secure token technology)
• Chavez v. Mercantil Commercebank, N.A., 701 F.3d 896 (11th Cir. 2012) (rejecting catch-
all clause in its customer agreement that the bank "may use . . . any other means to verify
any Payment Order or related instruction")
• Banco Del Austro, S.A. v. Wells Fargo Bank, N.A., 2016 U.S. Dist. LEXIS 144477
(S.D.N.Y. Oct. 18, 2016) (security procedures did not include BSA/Patriot Act required
fraud detection policies and procedures)
81. "Commercially Reasonable" Security Procedure
• Question of law for court (compliance is a fact question)
• Two Separate Methods to Establish:
  1. Customer declined "commercially reasonable" security procedure offered by
  the bank and agreed in writing to another security procedure (focus on bank
  customer agreement)
    – Choice Escrow and Land Title, LLC v. BankcorpSouth Bank, 754 F.3d 611
    (8th Cir. 2014)
    – Experi-Metal, Inc. v. Comerica Bank, 2010 U.S. Dist. LEXIS 68149 (E.D.
    Mich. July 8, 2010)
82. "Commercially Reasonable" Security Procedure
  2. Complex Four-factor test:
    1. "wishes of the customer expressed to the bank"
    2. "circumstances of the customer known to the bank, including the size, type, and
    frequency of payment orders normally issued by the customer to the bank"
    3. "alternative security procedures offered to the customer"
    4. "security procedures in general use by customers and receiving banks similarly
    situated"
    – Patco Constr. Co., Inc. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012)
      – The First Circuit emphasized that the bank's adoption of a "one-size-fits-all" $1
      threshold for all customers, to target universally low-dollar fraud, violated "Article 4A's
      instruction to take the customer's circumstances into account."
      – The court also based its conclusion on the fact that the bank did not utilize other
      security measures "not uncommon" in the industry.
83. "Commercially Reasonable" Security Procedure: Banking Agency Guidelines
• Federal Financial Institutions Examination Council ("FFIEC"), Authentication in an Internet
Banking Environment (Oct. 2005)
• FFIEC, Supplement to Authentication in an Internet Banking Environment (June 2011)
• FFIEC, Cybersecurity Assessment Tool (June 2015)
• FFIEC, IT Examination Handbook, Information Security (Sept. 2016)
• New York State Department of Financial Services, Cybersecurity Requirements for
Financial Services Companies, 23 NYCRR pt. 500 (Effective Mar. 1, 2017)
84. Bank Acted in Good Faith Requirement
• Good Faith = "honesty in fact and the observance of reasonable commercial
standards of fair dealing"
• Mixed subjective/objective test
  – Experi-Metal, Inc. v. Comerica Bank, 2011 U.S. Dist. LEXIS 62677 (E.D. Mich.
  June 13, 2011)
  – Choice Escrow and Land Title, LLC v. BankcorpSouth Bank, 754 F.3d 611 (8th
  Cir. 2014)
  – Banco Del Austro, S.A. v. Wells Fargo Bank, N.A., 2016 U.S. Dist. LEXIS
  144477 (S.D.N.Y. Oct. 18, 2016)
85. Other Major Defenses
• Customer Proves It Was Not the Source of the Security Leak
  – Internal Investigations
  – Criminal Investigations
• UCC One-Year Notice Rule (UCC § 4A-505)
86. Reducing EFT Fraud Risks
• Deposit/Online Services Agreements
  – Define Security Procedure
  – Customer Acknowledgment as to Commercially Reasonable Security Procedure
  – Provision for Offered But Rejected Security Procedures
  – Address Other Written Customer Instructions ("The bank is not required to follow a written
  instruction that violates a written agreement with the customer or notice of which is not received
  at a time and in a manner affording the bank a reasonable opportunity to act on it before the
  payment order is accepted.")
  – Indemnification for Attorneys' Fees (Choice Escrow)
• Update Information Security Program
• Assessment Follow-up
87. Regulatory Reporting of Cybercrime
• Department of the Treasury, Financial Crimes Enforcement
Network, Advisory to Financial Institutions on Cyber Events
and Cyber-Enabled Crime (Oct. 25, 2016)
  – Suspicious Activity Reports
• NY State Dept. of Fin'l Services
  – 72-Hour Notice of Cybersecurity Event, 23 NYCRR
  500.17(a)
88. Payment Card Fraud Liability Shifting
⢠EMV Card Network Liability Shift Oct. 1, 2015 from Issuer to Acquirer/Merchant:
1. counterfeit magnetic stripe card copied from chip card used at non-chip terminal;
2. Lost or stolen chip-and-PIN card processed as (a) magnetic stripe or (b) signature chip-
card at non-PIN terminal
⢠Claims by Issuing Banks Against Merchants for Data Breaches
⢠Card Network Loss-Allocation Assessments
⢠In re Target Corp. Cust. Data. Sec. Breach Litig, 64 F. Supp. 3d 1304 (D. Minn. 2014)
(motion to dismiss), 2016 U.S. Dist. LEXIS 63125 (D. Minn. May 12, 2016) (settlement)
⢠In re The Home Depot , Inc. Cust. Data. Sec. Breach Litig, 2016 U.S. Dist. LEXIS 65111
(N.D. Ga. May 18, 2016) (motion to dismiss); Doc. 327, No. 1:14-MD-02583 (N.D. Ga.
Mar. 8, 2017) (settlement motion)
⢠First Choice Fed. Credit Union v. The Wendyâs Co., 2017 U.S. Dist. LEXIS 20754 (W.D.
Pa. Feb. 13, 2017) (motion to dismiss)
89. Contact Info:
Alejandro Mijares, CISA,
CRISC, MSMIS
Manager, Risk Advisory Services
Kaufman Rossin, P.A.
E: amijares@kaufmanrossin.com
T: 305.498.3336
Salvatore Scanio
Member
Ludwig & Robinson PLLC
E: sscanio@ludwigrobinson.com
T: 202.289.7605
Roy Zur
CEO and Founder
Cybint
E: Roy.zur@barbri.com
T: 929.351.6091
90. Q&A:
► You may ask a question at any time throughout the presentation today. Simply click on the question mark icon located on the floating tool bar on the bottom right side of your screen. Type your question in the box that appears and click send.
► Questions will be answered in the order they are received.
91. ABOUT THE KNOWLEDGE GROUP
The Knowledge Group is an organization that produces live webcasts which examine regulatory changes and their impacts across a variety of industries. "We bring together the world's leading authorities and industry participants through informative two-hour webcasts to study the impact of changing regulations."
Disclaimer:
The Knowledge Group is producing this event for information purposes only. We do not intend to
provide or offer business advice.
The contents of this event are based upon the opinions of our speakers. The Knowledge Group does not warrant their accuracy and completeness. The statements made by them are based on their independent opinions and do not necessarily reflect The Knowledge Group's views.
In no event shall The Knowledge Group be liable to any person or business entity for any special,
direct, indirect, punitive, incidental or consequential damages as a result of any information gathered
from this webcast.
Certain images and/or photos on this page are the copyrighted property of 123RF Limited, their Contributors or Licensed Partners and are being used with permission under license. These images and/or photos may not be copied or downloaded without permission from 123RF Limited.
Editor's Notes
Definition of information security was updated
Management should identify, measure, mitigate, monitor, and report IT risks that threaten the safety and soundness of an institution. An effective IT risk management (ITRM) process is regularly updated and aligns IT and business objectives. This process should have a higher level of formality in more complex institutions.
1. Risk management is the ongoing process of identifying, assessing, and responding to risk.
2. To manage risk, organizations should understand the likelihood that an event will occur and the resulting impact.
3. With this information, banks can determine the acceptable level of risk for delivery of services and can express this as their risk tolerance.
4. Implementing a risk management program gives banks the ability to quantify cyber risks.
5. It helps banks identify an appropriate risk response: mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk.
Web applications hosted in servers with customer information
Local admin in workstations
Phishing tests performed only once a year
Lack of patch management process
Banks are among the most targeted institutions for cyberattacks. Not only do they hold vast amounts of money and sensitive personal information, but ATMs and online and mobile banking services are exposed to hackers.
1 - By having segments that do not share traffic, if a computer becomes compromised in one segment, it does not automatically give the attacker access to computers on another segment.
2 - Each segment can be secured differently through security software and firewalls, so that an attacker would have to breach different security suites to access different segments, which makes it harder to compromise the system as a whole.
3 - Containing network problems: limiting the effect of local failures on other parts of the network
4 - Controlling visitor access: Visitor access to the network can be controlled by implementing VLANs to segregate the network.