Opening keynote presentation at Operational Resilience in Financial Services summit, with Freshfields, UK Finance and City & Financial Global. Focus on measuring cyber risk at suppliers to mitigate harm.
Keynote at Operational Resilience summit - Financial Services - 18th Nov 2019
1. Opening Keynote at the Operational Resilience Summit in Financial Services
Measuring operational resilience & regulatory compliance to mitigate harm from cyber-attacks on the extended enterprise
Kevin Duffey, CEO, Cyber Rescue Alliance, 19th November 2019
2. Measurement drives maturity
So please participate – anonymously – in today’s measurements
#OpRes
About 210 delegates attended the Summit on Operational Resilience in Financial Services on 18 November 2019. Delegates interacted via Slido. Responses on one question are shown on the right.
3. You’re sitting near some world leaders in Operational Resilience
4. You’re sitting near some world leaders in Operational Resilience
www.slido.com #OpRes
Some world leaders in Operational Resilience
5. Discussion Paper: July 2018
Operational Resilience is the ability to prevent, respond to, recover and learn from operational disruptions, that might include:
• physical attacks
• cyber attacks
• IT system outages
• third-party supplier failure
• fire, flood, severe weather and pandemic flu
Building the UK financial sector’s operational resilience
6. Measurement drives maturity
So please participate – anonymously – in today’s measurements
#OpRes
7. Sources of Risk to UK Financial System
Future of Finance review by Huw van Steenis – June 2019
8. Cyber & Technology Resilience: FCA Survey
Research – First published: 27/11/2018 – Last updated: 14/01/2019
Chart categories: 3rd Party Failure; Cyber Attack
9. UK Share of Phishing Attacks, worldwide
National Cyber Security Centre, August 2019
10. Cyber & Technology Resilience: FCA Survey
Research – First published: 27/11/2018 – Last updated: 14/01/2019
Charts: Growth in peak size of “Denial of Service” cyber attacks; Percentage of targets of “Denial of Service” cyber attacks
12. Richard F Smith, former CEO of Equifax
“The challenge of building a website to notify consumers proved overwhelming, and regrettably, mistakes were made.”
Richard F. Smith, 4th Oct 2017
13. Report on Recovery Plans
European Central Bank – July 2018
The ECB has concluded that some plans "might be too large to actually be used in a crisis.”
14. Report on Recovery Plans
European Central Bank – July 2018
15. Richard F Smith, former CEO of Equifax
16. March 8th, 2019
17. March 8th, 2019
Equifax Used What Internal Auditors Called an “Honor System” for Patching Vulnerabilities.
Equifax had no formalized method of validating the successful installation of patches. Audit referred to this approach as an “honor system” in which the IT team would notify the security team once patches were complete.
18. What does an “honor system” for patching look like?
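What verification instead of an honor system looks like, as an added example that is not from the presentation: the IT team's notifications are compared against what an independent scan observed, and a host counts as patched only on evidence. The host names, the component name and the version numbers are constructed sample data.

```python
"""Verified patch status versus an "honor system" (added example, constructed data).

Honor system: a host is "patched" because the IT team said so.
Verified: a host is "patched" only when an independent scan observed a
version at or above the fixed version on that host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_version: tuple  # lowest version that contains the fix


# Constructed sample data; component, hosts and versions are illustrative only.
ADVISORY = Advisory("example-webapp-framework", (2, 3, 32))

# The "honor system" input: hosts the IT team notified security about.
CLAIMED_PATCHED = {"web-01", "web-02", "web-03"}

# Evidence: component versions an independent scan observed on each host.
OBSERVED = {
    "web-01": {"example-webapp-framework": (2, 3, 32)},  # patched, as claimed
    "web-02": {"example-webapp-framework": (2, 3, 31)},  # claimed, still vulnerable
    "web-03": {},                                        # claimed, no evidence
    "web-04": {"example-webapp-framework": (2, 5, 13)},  # patched, never reported
}


def honor_system_status(claimed, hosts):
    """Status as the honor system records it: a notification equals patched."""
    return {h: ("patched" if h in claimed else "unpatched") for h in hosts}


def verified_status(advisory, observed):
    """Status from scan evidence alone; missing evidence is 'unknown', never 'patched'."""
    status = {}
    for host, components in observed.items():
        version = components.get(advisory.component)
        if version is None:
            status[host] = "unknown"
        elif version >= advisory.fixed_version:
            status[host] = "patched"
        else:
            status[host] = "unpatched"
    return status


def discrepancies(claimed, advisory, observed):
    """Hosts where the notification and the evidence disagree: the audit finding."""
    verified = verified_status(advisory, observed)
    return sorted(h for h, s in verified.items() if (h in claimed) != (s == "patched"))
```

Run against the sample data, the honor system reports three of four hosts patched, while the evidence shows one host still vulnerable, one with no evidence at all, and one patched host that was never reported.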
21. CQUEST
CQUEST consists of multiple-choice questions covering all aspects of cyber resilience, such as:
• Does the firm have a board-approved cyber security strategy?
• How does it identify and protect its critical assets?
• How does it detect and respond to an incident, recover and learn from the experience?
New cyber resilience assessment from PRA & FCA
22. Measurement of Cyber Risk should be as objective, timely & dynamic as for Market Risk
23. Automated measurement drives behaviour
At least monthly, present an objective Security Scorecard showing trends
• Overall Grade
• Application Security
• DNS Health
• Network Security
• Patching Cadence
24. Resilience across Extended Enterprise
Regulators have woken up to third party & supply chain cyber risks
Entities should review third parties on an ongoing basis to manage their cyber risks.
Entities should include critical third parties when they exercise their cyber incident response plans.
What are your expectations of suppliers' security?
How much will you pay extra to a secure supplier?
21 March 2019
25. Cyber Risk is dynamic
Suppliers with a poor cyber score can get much worse very quickly
This supplier had a very low score (72) for most of 2019. Then something happened at the end of June.
26. Measurement drives maturity
So please participate – anonymously – in today’s measurements
#OpRes
27. Cyber Risk is dynamic
How quickly should you know that a supplier has been compromised?
An obvious reason this supplier's score was so low in July is that its systems were not just vulnerable: they were compromised. Malware was being distributed from their systems, starting at the end of June.
Example Supplier
28. How to measure cyber risk at Peers?
Your security will never be perfect, but you should know if it’s worse than average
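The two measurements the last slides call for, a supplier score that collapses at a point in time and a firm's standing against its peers, as an added example that is not part of the presentation. The monthly scores, the 0 to 100 scale, the three-month baseline and the 15-point threshold are constructed assumptions, not any vendor's method.

```python
"""Alerting on supplier cyber scores (added example, constructed data).

Scores run 0-100, higher is better; one value per month, Jan..Aug 2019.
Supplier-A mirrors the talk's case: a flat, poor score that collapses at the
end of June. Scale, baseline window and threshold are assumptions.
"""
from statistics import median

SCORES = {
    "supplier-A": [72, 72, 71, 73, 72, 72, 41, 38],  # collapses from July
    "supplier-B": [88, 87, 89, 88, 90, 89, 88, 89],
    "supplier-C": [80, 79, 81, 80, 78, 79, 80, 81],
    "supplier-D": [65, 66, 64, 66, 65, 67, 66, 65],
}


def sudden_drops(series, max_drop=15, baseline_months=3):
    """(month_index, baseline, score) for each month that sits more than
    max_drop below the median of the preceding baseline_months.

    Comparing against the supplier's own recent median, rather than an
    absolute floor, catches a change even at a supplier that was always poor."""
    alerts = []
    for i in range(baseline_months, len(series)):
        baseline = median(series[i - baseline_months:i])
        if baseline - series[i] > max_drop:
            alerts.append((i, baseline, series[i]))
    return alerts


def first_drop_month(scores):
    """Month index of the first sharp fall per supplier, or None if there was none."""
    return {s: (d[0][0] if (d := sudden_drops(v)) else None) for s, v in scores.items()}


def below_peer_median(scores, month):
    """Suppliers whose score in the given month is below the peer median:
    the 'worse than average' check from the peers slide."""
    month_scores = {s: v[month] for s, v in scores.items()}
    peer_median = median(month_scores.values())
    return sorted(s for s, v in month_scores.items() if v < peer_median)
```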
29. How to measure cyber risk at Suppliers?
The greatest risk of your data being breached is via your suppliers
30. Let’s work together to build Operational Resilience
Please connect on LinkedIn to Kevin Duffey
Editor's Notes
Measurement provides evidence
Evidence sparks insight
Insight drives maturity development in operational resilience
Measure if you have sprung back from the weekend
EUCR
FSCCC
FSSCC
CREST
NSCC
BOE
PRA
FCA
Hamilton Series
Safe Harbour??
“We struggled with remediation” is one of the unfortunate confessions that Richard Smith had to make to Congress, after resigning from Equifax.
How did the breach feel for him? Perhaps like it did for Atiur Rahman in Bangladesh…
10 April 2019 - Joint Advice of the European Supervisory Authorities. Need for legislative improvements relating to ICT risk management requirements in the EU financial sector. Appropriate management of third party risks is an important part of risk management, especially with regard to cloud services.
European Central Bank – 28 June 2019: There was general agreement amongst the Euro Cyber Resilience Board that third party risk remains a key risk area.