Cybersecurity Risk Management for Financial Institutions

The New York State Department of Financial Services has been closely monitoring this ever-growing threat and has proposed regulations that would require financial services companies to adopt a cybersecurity program to protect their customers, employees, data and operations. Its proposed changes are expected to take effect on March 1, 2017. Financial services companies would have until Feb. 15, 2018, to submit a certificate of compliance with the program. Components of New York's proposed cybersecurity program are outlined in this article.

  1. CYBERSECURITY RISK MANAGEMENT FOR FINANCIAL INSTITUTIONS: Risk Consulting and Insurance Services
  2. Cyber and Data Risks for Financial Institutions. “The persistent threat of internet attacks is a societal issue facing all industries, especially the Financial Services industry. Once largely considered an IT problem, the rise in frequency and sophistication of cyber-attacks now requires a shift in thinking on the part of Bank CEOs that management of a Bank’s Cybersecurity Risk is not simply an IT issue, but a CEO and Board of Directors issue.” SOURCE: Conference of State Bank Supervisors Cybersecurity 101 Resource Guide
  3. Why is cyber risk a top concern? Cyber crime is exploding. Regulatory compliance, stakeholder concerns, liability, litigation, business interruption, reputation . . . there’s a lot to manage and a lot at stake.
  4. Cyber and Data Risks for Financial Institutions. In 2016, 88% of security attacks in the finance industry fell into three categories:
     - 48% Web Application Attacks (14% in 2014): hackers find and exploit application vulnerabilities, often in content management systems (CMS) or e-commerce platforms.
     - 34% Denial-of-Service (32% in 2014): a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Ransomware falls in this category.
     - 6% Crimeware (not ranked in 2014): use of a physical “skimmer” on an ATM, point-of-sale (POS) terminal or gas pump to read the data on your card’s magnetic strip as you pay.
     SOURCE: Verizon 2016 Data Breach Investigations Report - Financial Services
  5. Data Breach in Dollars. Cost (US companies):
     - $7.01M = average total cost of a data breach
     - $221 = average cost paid per compromised (lost or stolen) record*
     - 29,611 = the average number of breached records per incident
     - $3.97M = cost of lost business ($3.72 in 2015)
     Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics:
     - $5.83M when MTTI < 100 days
     - $8.01M when MTTI > 100 days
     - $5.24M when MTTC < 30 days
     - $8.85M when MTTC > 30 days
     SOURCE: IBM Global Technology Services – Special Report from Ponemon Institute, LLC – 2016 Cost of Data Breach Study: Global Analysis. *“Record” = information that identifies the natural person (individual) whose information has been lost or stolen in a data breach.
  6. Cyber risk is clear. The question is, what is the best approach for your institution? We recommend a holistic approach to risk – one that identifies vulnerability, establishes internal controls, implements IT barriers, mitigates the risk with a cyber-specific insurance program, and includes a recovery plan. CBIZ Cyber Service Teams include financial, risk, IT and insurance professionals who work with clients from multiple perspectives to develop a comprehensive protection plan customized to your industry compliance requirements and your organizational needs. A HOLISTIC approach includes Cyber Risk Management (CBIZ Financial Risk & Advisory Consulting) and Cyber Risk Mitigation (CBIZ Bank Insurance Program).
  7. Cyber Risk Management (CBIZ Risk & Advisory Services). Business risks abound in today's world. The rise of sophisticated data breaches coupled with the increased demands on organizational leaders make robust risk management policies essential. CBIZ Risk & Advisory experts work closely with you to understand the full scale of your cyber risk, starting with your industry’s unique risk factors and working down to the specific security policies you have in place. CBIZ can help you design or improve existing documented policies, procedures and controls and can review existing device configurations. CBIZ risk consulting assesses and manages the full spectrum of cyber risk. For example:
     - Security Program Review / Development / Remediation
     - Infrastructure Design / Assessment / Remediation
     - Penetration Testing
     - Vulnerability Assessments
     - Web Application / Web Services Assessments
     - Mobile Application Assessments
     - Social Engineering and Facility Breach Exercises
     - IT Risk Assessments / IT Audit and Compliance Engagements
     - Incident Response
     - Digital Forensics / Litigation Support
     - Service Organization Control (SOC) Reporting
  8. Keys to Cyber Risk Management (CBIZ Risk & Advisory Services). The best defense is a good offense. Having a proactive, robust plan in place can help minimize the potential damage from a breach and get your organization back on track more quickly in the wake of a disruptive event. The first step is assessment. Identify, Protect, Detect, Respond, Recover:
     - IDENTIFY internal and external cyber risks – Risk Assessment to identify threats/vulnerabilities, measure/communicate risk.
     - PROTECT organizational systems, assets and data – Internal Controls, Staff Training, Data Security, Insurance.
     - DETECT system intrusions, data breaches and unauthorized access – System Monitoring reinforces Protection.
     - RESPOND to a potential cybersecurity event – Have a structure in place and routinely audit the Incident Response Plan.
     - RECOVER from a cybersecurity event by restoring normal operations and services – Disaster recovery can be built into insurance coverage.
  9. Quick Preparedness Assessment (CBIZ Risk & Advisory Services). Important first step: help your organization quickly assess how prepared you are to face cyber crime. 12 Yes/No questions. Rankings: 1. Beginner, 2. Intermediate, 3. Advanced, 4. Proficient. If an organization ranks Beginner or Intermediate, a more in-depth evaluation is recommended.
  10. Cyber Risk Management (CBIZ Risk & Advisory Services), Insights & Resources:
     - The Risk Advisor - Volume 4 (newsletter)
     - Lessons Learned from Cyber Incidents in 2016 (article)
     - 3 Strategies to Reduce the Risk of Cyber-Attacks (article)
     - Three questions every board should ask about enterprise risks (blog)
     - 7 Ways to Strengthen Cybersecurity: Questions to Ask About Third-Party Providers (article)
     - Why Would an Accounting Firm Go Diving in Your Bank’s Trash Dumpster? (podcast)
  11. Cyber Risk Mitigation (CBIZ Insurance Services). As cyber threats have grown in scope and impact, cyber insurance has become a key feature of an enterprise-wide cyber risk management strategy. Risk transfer through cyber insurance bolsters customer and business partner confidence and supports industry expectations that a cyber risk strategy is implemented. CBIZ Insurance Services examines your risks, measures their potential impact and recommends appropriate coverage and strategies to manage or mitigate the risks. Four reasons you need cyber coverage:
     1. INCREASINGLY STRINGENT LAWS AND REGULATIONS – Failure to comply places your operations and reputation at enormous risk.
     2. TECHNOLOGICAL ADVANCES have made it easier to store, transport, steal and lose sensitive information.
     3. OUTSOURCING – You bear the burden of any privacy breach stemming from outsourced operations, such as entrusting outside contractors to handle sensitive data.
     4. USER ERROR – All too common exposure can result from simply copying records to the wrong file, revealing personal identification information via batch email communications, or forgetting to shred confidential information.
  12. Cyber Risk Mitigation Program (CBIZ Insurance Services). Cyber can’t be a “footnote” to general P&C. When an incident is suffered, INSURANCE provides the bank the funds to quickly respond and recover. Most carriers now exclude most cyber risks from their P&C, Bond, D&O and E&O policies. Coverage may not even be offered unless protections and protocols are in place. The first step in mitigation is comprehensive risk and policy review. Identify, Protect, Customize, Ensure, Review:
     - IDENTIFY your cyber risk exposures and perform an in-depth insurance policy review for proper coverages.
     - PROTECT your institution by working with insurance advisors experienced in the Banking and Financial Services sector.
     - CUSTOMIZE your coverage areas to include bank buildings, property, crime bond (wire transfers, debit card fraud), directors and officers insurance (board oversight liability) and all-inclusive cyber coverage.
     - ENSURE your cyber coverage includes cyber liability, data breach, regulatory claims, social media and website issues, cyber extortion, business interruption.
     - REVIEW your cyber risk exposures and insurance coverages with your Insurance Program advisor.
  13. Insurance Policy Review (CBIZ Insurance Services). Bank insurance policies (particularly Directors and Officers insurance and Cyber insurance) are not standard. Policy language and required procedures embedded within the policy can expose an organization or individual to under-insured or uninsured risk. That’s why, as a first step, it’s critical to assess your current coverage and compare it with your analyzed risks. You also want to make sure cyber, crime bond and D&O policies work together, not in opposition to each other.
  14. Cyber Risk Mitigation (CBIZ Insurance Services), Insights & Resources:
     - Banking & Financial Services Quarterly Hot Topics (e-newsletter)
     - Cyber Risk – No Longer Simply an “IT” Issue (article)
     - Cyber Liability Insurance FAQ (article)
     - Biz Tips: Key Issues in Bank Insurance Today (podcast)
     - How the CBIZ Bank Insurance Program Can Help Your Business (videocast)
     - CBIZ Cyber Risk Management Expert: Effective Solutions for Banks (article + podcast)
  15. CASE STUDIES: Faulty Banking Scam; Email Breach; Online Banking; Data Breach; Data Breach – Board Litigation; Business Interruption; Ransomware.
  16. Case Study: Company Loses $400,000+ in Faulty Banking Scam.
     - Issue: The Company used an international Supplier for weekly material shipments that were released upon payment. A request was received from the Supplier to send payments to a new bank. The request appeared standard because the Supplier often changed banks.
     - The Attack: Hackers accessed the Supplier email system and learned about the payment process. Posing as the Supplier, hackers sent an email instructing the Company to send payments to another bank. $400,000+ in Supplier payments were sent to the wrong bank.
     - Key Findings: Because the Company always paid, the Supplier continued to release materials. Because the Company received material, they did not realize the Supplier was not receiving their payments. Hackers intercepted delinquent payment inquiry emails from the Supplier to the Company.
     - Lessons Learned: Any information can be valuable in the wrong hands. Internal controls are essential to effective operations. DO NOT rely on email alone to communicate with your key vendors.
  17. Case Study: Email Breach Provides Access to Payroll and PII Data.
     - Issue: The Company relied on a commonly used email system. Cybersecurity and social engineering training and awareness programs were not in place.
     - The Attack: Hackers bypassed network security and compromised the corporate email server. The hackers gained access to an email containing an attached payroll file.
     - Key Findings: The hackers set up specific rules to forward emails meeting certain criteria to an external email address. Emails were still being received by the intended recipient, so neither the sending parties nor the receiving parties had any knowledge of the interception.
     - Lessons Learned: Data and intellectual property are NOT always the hacker’s target. A current, actionable and efficient incident response plan is critical to responding to a breach. TEST REGULARLY! Internal controls are essential to effective operations.
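The forwarding rules described in this case are exactly what a periodic mailbox-rule audit is meant to surface: the user keeps receiving mail, so the rule listing is the only place the interception shows. The following is an added example, not code from the deck or from CBIZ, that scans a list of inbox rules and flags any enabled rule forwarding to a domain outside the organization, raising severity when the rule filters on finance or HR keywords or deletes the message after forwarding. The `InboxRule` record shape, the `INTERNAL_DOMAINS` set and the sample rules are constructed assumptions; real mail platforms expose rule properties under their own field names.

```python
"""Audit mailbox inbox rules for forwarding to external addresses.

Added example, not from the deck. The InboxRule shape, the INTERNAL_DOMAINS
set and SAMPLE_RULES are constructed assumptions; export the equivalent
fields from your own mail platform's rule listing before running this.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: the organization's own mail domains (constructed for the example).
INTERNAL_DOMAINS = {"example-bank.test"}

# Subject keywords that suggest a rule is aimed at finance or HR traffic.
SENSITIVE_KEYWORDS = {"payroll", "invoice", "wire", "payment", "w-2"}


@dataclass
class InboxRule:
    mailbox: str                        # owner of the rule
    name: str                           # rule name as shown to the user
    enabled: bool
    forward_to: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    delete_after_forward: bool = False  # "forward and delete" hides the copy


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def audit_rules(rules: List[InboxRule]) -> List[Dict]:
    """Return one finding per enabled rule that forwards mail outside the org.

    A rule that keeps the original in the inbox (the pattern in the case
    study) is still flagged: the user sees nothing unusual, so the rule
    listing is the only evidence of the interception.
    """
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        external = [a for a in rule.forward_to if is_external(a)]
        if not external:
            continue
        severity = "high"
        reasons = ["forwards to external recipient(s): " + ", ".join(external)]
        hits = [k for k in rule.subject_contains if k.lower() in SENSITIVE_KEYWORDS]
        if hits:
            severity = "critical"
            reasons.append("filters on sensitive subject keywords: " + ", ".join(hits))
        if rule.delete_after_forward:
            severity = "critical"
            reasons.append("deletes the message after forwarding")
        findings.append({"mailbox": rule.mailbox, "rule": rule.name,
                         "severity": severity, "reasons": reasons})
    return findings


# Constructed sample: one covert rule, one legitimate internal copy, one disabled rule.
SAMPLE_RULES = [
    InboxRule("cfo@example-bank.test", "Sync", True,
              forward_to=["archive.mail@free-webmail.test"],
              subject_contains=["payroll", "invoice"]),
    InboxRule("cfo@example-bank.test", "Ops copy", True,
              forward_to=["ops@example-bank.test"]),
    InboxRule("clerk@example-bank.test", "Old", False,
              forward_to=["someone@free-webmail.test"]),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f["severity"].upper(), f["mailbox"], f["rule"], "; ".join(f["reasons"]))
```

Run against the sample, only the CFO's "Sync" rule is reported, at critical severity, because it both leaves the organization and selects payroll and invoice mail; the internal copy and the disabled rule are ignored. Scheduling this over an export of all mailbox rules, and alerting on newly created findings, turns the case study's invisible interception into a routine detection.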
  18. Case Study: Online Banking.
     - Issue – Stolen User Name and Password: Attackers stole the username and password to a client's online bank account and used the credentials to transfer $440,000 to an account in Cyprus. The client alleges that the bank failed to implement commercially reasonable security measures as defined in the Funds Transfer Act provisions of the UCC.
     - Prevention – Best Practices:
       - Bank provides clients with documentable training and training materials.
       - Encourage the client to require two people to initiate a transfer.
       - Encourage the client to set a daily limit.
       - Bank implements dual factor authentication.
       - Bank requires call back prior to initiating transfer over.
     - Insurance:
       - Make sure that Computer Crime is included in the bond and that it includes any theft where the Bank is held liable.
       - Procedure should require a banker to call back the customer at a preassigned phone number prior to initiating a transfer over $25,000.
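The prevention list above reads as policy, but each item is a check a transfer-release path can enforce mechanically, and a stolen username and password alone should fail every one of them. The following is an added example, not the deck's or any bank's code, that holds a transfer unless a second factor was verified, two distinct users approved it, the client's daily limit is not exceeded, and, above the $25,000 figure the deck cites, a banker reached the phone number already on file rather than one supplied with the request. The client records, request shape and daily limit are constructed assumptions.

```python
"""Release-time checks for an online wire transfer.

Added example, not the deck's or any bank's code. Client records, the
request shape and the daily limit are constructed assumptions; the $25,000
callback threshold is the figure cited in the deck.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

CALLBACK_THRESHOLD = 25_000.00  # from the deck's callback procedure


@dataclass(frozen=True)
class Client:
    client_id: str
    daily_limit: float      # agreed with the client in advance
    callback_phone: str     # pre-assigned number on file, never taken from a request


@dataclass(frozen=True)
class TransferRequest:
    client_id: str
    amount: float
    approvers: FrozenSet[str]               # distinct client users who approved
    mfa_verified: bool                      # second factor passed for this session
    callback_reached: Optional[str] = None  # number the banker actually dialled


class TransferGate:
    """Applies the deck's controls and tracks what each client released per day."""

    def __init__(self, clients: List[Client]):
        self.clients: Dict[str, Client] = {c.client_id: c for c in clients}
        self.released: Dict[Tuple[str, date], float] = {}

    def evaluate(self, req: TransferRequest, today: date) -> Tuple[bool, List[str]]:
        """Return (approved, reasons). Only an approved transfer counts toward the daily total."""
        client = self.clients.get(req.client_id)
        if client is None:
            return False, ["unknown client"]
        reasons: List[str] = []
        if not req.mfa_verified:
            reasons.append("second factor not verified")
        if len(req.approvers) < 2:
            reasons.append("dual authorization required (two distinct approvers)")
        key = (req.client_id, today)
        so_far = self.released.get(key, 0.0)
        if so_far + req.amount > client.daily_limit:
            reasons.append(f"daily limit exceeded: {so_far + req.amount:,.2f} > {client.daily_limit:,.2f}")
        # The callback must reach the number on file; a number supplied with the
        # request is under the attacker's control once credentials are stolen.
        if req.amount > CALLBACK_THRESHOLD and req.callback_reached != client.callback_phone:
            reasons.append(f"callback to pre-assigned number required above {CALLBACK_THRESHOLD:,.0f}")
        if reasons:
            return False, reasons
        self.released[key] = so_far + req.amount
        return True, []


def demo() -> List[Tuple[bool, List[str]]]:
    """Run four constructed requests (case-study amount) through a fresh gate."""
    gate = TransferGate([Client("acme", daily_limit=500_000.00, callback_phone="+1-555-0100")])
    today = date(2017, 3, 1)
    two = frozenset({"user1", "user2"})
    stolen_creds = TransferRequest("acme", 440_000.00, frozenset({"user1"}), mfa_verified=False)
    attacker_phone = TransferRequest("acme", 440_000.00, two, True, callback_reached="+1-555-0199")
    legitimate = TransferRequest("acme", 440_000.00, two, True, callback_reached="+1-555-0100")
    over_limit = TransferRequest("acme", 100_000.00, two, True, callback_reached="+1-555-0100")
    return [gate.evaluate(r, today) for r in (stolen_creds, attacker_phone, legitimate, over_limit)]


if __name__ == "__main__":
    for ok, why in demo():
        print("RELEASED" if ok else "HELD", why)
```

The first request, a $440,000 transfer attempted with nothing but a stolen password, is held for three separate reasons; the second fails only because the banker called a number the requester supplied instead of the one on file; the third passes every check and is released; the fourth is held because it would push the day's total past the client's limit. Any one of these controls would have changed the outcome in the case study.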
  19. Case Study: Data Breach via Theft or Loss of Devices/Media.
     - Prevention Practices: Ensure proper physical security of electronic and physical restricted data:
       - Lock down workstations and laptops
       - Secure work area, files, laptops and portable equipment before leaving
       - Shred sensitive paper records
       - Don’t leave sensitive information lying around unprotected (on printers, fax machines) or visible (computer, electronic devices, car or home)
       - Use security measures for portable devices and laptops, both encryption and physical security
       - Delete personal identity information and other restricted data when it is no longer needed
       - Be prepared with a data breach disaster plan
       - Provide employee training
       - Audit regularly to test your plan and program
       - Implement software to remotely wipe data on mobile devices
       - Conduct regular vulnerability risk assessments
       - Vet any vendor that has access to data
     - Insurance:
       - A cyber liability policy will typically provide coverage for the costs associated with a breach as well as associated lawsuits.
       - The bank’s property policy will provide coverage for the theft of the physical equipment.
       - Recommendations:
         - Consider a cyber liability policy that includes Data Breach services and not solely a coverage limit
         - Make sure the cyber liability policy includes coverage for data lost by a bank vendor
         - Check the cyber liability policy for procedure requirements to maintain coverage
         - Make sure that the loss of paper personal data is covered in addition to electronic data
         - Make sure that both intentional and accidental breaches of data are covered
  20. Case Study: Data Breach – Board Litigation.
     - Issue: Recent high profile attacks on big name brands have triggered lawsuits naming individual Directors. Shareholders, customers and vendors are pursuing legal recourse against executives for breaching the fiduciary duty to manage cyber risk.
     - Prevention Practices:
       - Add Cybersecurity Briefing as a regular board agenda item.
       - Provide Cyber Risk education and training for Officers and Directors.
       - Create a record of the Board’s involvement in cyber risk management and training.
       - The board should understand related regulations, including the state data breach notification laws.
       - Board should annually approve the Cyber Risk Management Plan.
     - Insurance:
       - Most Directors and Officers (D&O) policies cover litigation against directors and officers relating to breach of cyber fiduciary duties.
       - Because of the increased frequency of events and growing cost of cyber incidents, some carriers are starting to exclude this coverage. Verify that the D&O policy does not exclude litigation relating to a data breach.
       - Some Cyber Liability policies include coverage for Directors and Officers relating to breach of cyber fiduciary duties.
  21. Case Study: Business Interruption.
     - Issue – Hackers Exploit Flaws: Hackers are exploiting flaws in computer systems, crippling the performance of normal business operations. The attacks include malicious code and denial of service that may make your website, applications and processes unusable to employees and customers alike. Viruses, worms or other code may delete critical information on hard drives and other hardware. Further, financial institutions can suffer business interruption from third-party vendors upon whom they rely to perform daily business.
     - Prevention – Best Practices:
       - Create a formal program – begin by capturing all systems used by the organization based on their functions, processes and the data they store.
       - Document a risk management program that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments.
       - Include employee education and limit employee access and authority to an as-needed basis.
       - Integrate your Incident Response Plans with Business Continuity / Disaster Recovery Plans.
       - Train and test everyone on their roles and responsibilities in Incident Response, Business Continuity and Disaster Recovery.
     - Insurance: Proper coverage will include lost income due to the event:
       - Profits that would have been earned had the event not occurred
       - Operating expenses, such as utilities, that must be paid even though business temporarily ceased
       - Rented or leased equipment
  22. Case Study: Ransomware.
     - Issue – Phishing Scam: Hackers access a computer system, often using a phishing scam that tricks employees into opening a document or clicking on a bad link, which then infects the system with malicious software that uses encryption algorithms to lock up the data. In order to regain access to their encrypted files, companies must pay ransom. “If you don’t pay the $20,000 ransom within 72 hours, your data will be gone forever.”
     - Prevention – Best Practices:
       - Frequent backups of data.
       - Employee training regarding clicking links or opening documents.
       - Consider network segmentation to minimize the spread of ransomware should your organization become infected.
     - Insurance:
       - Extortion coverage is an option in most cyber policies. Since these demands tend to be relatively modest amounts, the deductible should be watched. Some Kidnap and Ransom coverage includes Electronic Extortion.
       - The carrier needs to agree before a ransom is paid.
       - Do not disclose that you have insurance.
  23. Client Feedback: “Crown Castle initially engaged CBIZ to classify our data and create a risk taxonomy before beginning red team exercises. The collaboration with our staff and reporting of real-time results throughout the duration of our engagement has allowed Crown Castle to recognize the benefits of these services immediately. Their best practice recommendations and hands-on approach have helped our company strengthen its security infrastructure.” Tom Keaton, Internal Audit Manager, Crown Castle International
  24. CBIZ CYBER TEAM Serving Financial Institutions. Practice Leaders:
     - Chris Roach, Managing Director & National IT Leader, CBIZ Risk & Advisory Services
     - Kris St. Martin, Vice President & Bank Program Director, CBIZ Insurance Services
  25. CBIZ Cyber Team for Financial Institutions: Practice Leaders.
     - KRIS ST. MARTIN, Vice President and Bank Program Director, CBIZ Insurance Services. Kris has more than 23 years of direct bank experience in audit, procedures, IT security, lending and board training. Kris has held many positions in the banking industry in security, including Senior Lending Officer, President, CEO and Board Chair. Kris has been providing risk mitigation services to the financial industry since 2009, including cyber, directors & officers and crime bond insurance. 763.549.2267 | kstmartin@cbiz.com
     - CHRIS ROACH, Managing Director and National IT Practice Leader, CBIZ Risk & Advisory Services. Chris has extensive experience in information technology, risk management, business management and using technology to mitigate business risks. He consults for both public and privately held companies. Chris holds certifications as Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Controls (CRISC). He is a former IT Risk Partner at KPMG. 713.871.1118 | croach@cbiz.com
  26. CBIZ Cyber Team for Financial Institutions: Subject Matter Experts.
     - W. REMONDE BRANGMAN, Practice Leader, Vendor Risk Management, CBIZ Risk & Advisory Services. Remonde has more than 35 years' experience in governance, risk management, internal audit, ISO 31000, ISO 27000 (information security management), vendor risk, fraud investigation and forensic accounting. Remonde is a former chief audit executive of a $10 Billion Global Bank. He has served Fortune 100 companies as well as local, state, federal and foreign government entities. 240.396.1063 | rbrangman@cbiz.com
     - DAMIAN CARACCIOLO, Vice President, Executive Protection Practice, CBIZ Insurance Services. Damian has more than 25 years' experience in executive and business management liability lines, including cyber liability (network security and privacy), commercial crime and kidnap, ransom and extortion. Damian has held several management positions with a Fortune 500 company. In addition, his broad background brings expertise in International Risks, Labor Organization, Commercial and Construction Surety bonding. 443.472.8096 | dcaracciolo@cbiz.com
  27. CBIZ Banking & Financial Services Newsletter Executive Committee:
     - KRIS ST. MARTIN – Vice President, Bank Program Director, CBIZ Insurance Services
     - CHRIS ROACH – Managing Director and National IT Practice Leader, CBIZ Risk & Advisory Services
     - W. REMONDE BRANGMAN – Director and National Practice Leader, Vendor Risk Management, CBIZ Risk & Advisory Services
     - JAKE McDONALD – Senior Manager, Credit Risk Advisory, CBIZ MHM, LLC
     - TODD GORDON – Vice President of Sales, CBIZ Benefits & Insurance
     - JAY MESCHKE – President, EFL Associates & CBIZ Human Capital Service
     - KEVIN NUSSBAUM – Vice President of Client Development, CBIZ, Inc.
     Check out the issue archive online. Four to six interesting articles each issue.
  28. Questions. Our cyber risk team will be happy to take your call or respond to your email. Feel free to contact our Practice Leaders with any questions you may have: Kris St. Martin (CBIZ Bank Insurance), Chris Roach (CBIZ Risk & Advisory), Remonde Brangman (Vendor Risk), Damian Caracciolo (Executive Risk). To learn more about CBIZ, we invite you to visit www.cbiz.com. Connect with us on LinkedIn.
