A Look At Evolving Cybersecurity Policy
for Financial Institutions
Dawn Yankeelov, President, Aspectx &
Executive Director, Technology Association of
Louisville Kentucky
July 16, 2021
Looking Back to 2016…
Statistics May Not Surprise You
• Cybercrime Jumped to the Most Reported Economic Crime in
PWC's Global Economic Crime Survey in 2016.
• The US Commercial Bank with the lowest security posture
was one of the top 10 largest financial service
organizations in the US by revenue.
• Only one of the top 10 largest banks, Bank of America,
received an overall "A" grade in the PWC Security Scorecard
• Nearly 1 out of 5 financial institutions used an email
service provider in 2016 with severe security
vulnerabilities.
• Best performing in IT Security in 2016: Goldman Sachs,
Exchange Bank, BNP Paribas Fortis, and Banco Popolare
--PricewaterhouseCoopers Scorecard 2016
Big Banks Are Paying Attention
2021 - The financial services industry faced unprecedented
cybersecurity costs and ... New legislation is on the horizon in
several states…
At a Congressional hearing in May this year, the chief executives of
Wall Street's six largest banks were asked to name the greatest threat to their
companies and the wider financial system. They did not mention the global
pandemic, climate change or factors that contributed to the 2008 financial crisis.
The most popular answer instead was "cybersecurity." – NYT, July 3, 2021
Manpower: On It in IT
JPMorgan Chase alone spends about $600 million
each year on cybersecurity efforts and has "more
than 3,000 employees" working on the issue in
some way.
July 8, 2021 1:23 PM EDT Finance
Morgan Stanley faces data breach,
corporate client info stolen in vendor hack
The bank said attackers accessed information by exploiting a vulnerability in the vendor's
server, Accellion FTA. While the exposure was patched within five days, the attackers obtained
a decryption key even though the files were encrypted.
US Cyberspace Solarium Commission
Puts Financial Sector at Top of Critical
Infrastructure
Solarium.gov
Public Policy: New Standards
Coming
• More Information-Sharing In Your Future
• More Protections for Personal Information
• More Players Onboard with "Ideas" from NIST to State Finance-
Specific boards, to ABA to the Federal Reserve Board, the Office of
the Comptroller of the Currency and the Financial Institutions
Examination Council.
• New York Leading the Way
• State Governors Pushing
• Mega-Bank Group Has Formed
• A Push to Adherence to Federal Guidelines
• More and More Risk Management
• Training for Staff
Influencers
*Mobile Banking
*Internet of Things (IoT)
*Life in "the Cloud"
*Cybersecurity Workforce Gap
Social Engineering Fears
Predominate
According to recent CSI survey data, the overwhelming majority (81%)
of bankers view social engineering as the greatest cybersecurity threat
in 2021.
• Customer-targeted phishing: The topmost cybersecurity threat identified
by bankers was social engineering aimed at customers via phishing (34%).
This coincides with recent reports of large scale email impersonation
attacks, pretending to be from the recipient's personal bank and trying to
trick them into providing sensitive information about their accounts.
• Employee-targeted phishing: Almost as many bankers (32%) are most
worried about phishing aimed at internal targets that let attackers into
internal systems. This concern is well-founded. Employees working from
home and burdened by new financial and family challenges due to the
pandemic are ripe targets for cybercriminals.
Anticipation… Implications to
Follow
The Financial Stability Board (FSB) has published responses to its consultation on regulatory and
supervisory issues relating to outsourcing and third-party relationships.
Recommended:
• the development of global standards on outsourcing and third-party risk management;
• the adoption of consistent definitions and terminology;
• pooled audits, certificates and reports.
A rise in the use of mobile finance apps was noticed by two other parties: hackers and
regulators. Hackers increased attacks intended to steal personal information or cardholder
data, while regulators became increasingly concerned with financial data security compliance.
The developers of financial services apps need to ensure data security compliance to operate
in various markets, reassure their customers that they are handling their data with care, and
importantly, reduce risk and exposure associated with regulatory censure.
--https://securityboulevard.com/2021/02/top-2021-banking-and-fintech-security-regulations/
Global Legislation Impacts…Anti-Money
Laundering, Cybersecurity Requirements,
etc.
Financial Transactions and Reports Analysis Centre of Canada
(FINTRAC)
Canada's anti-money laundering legislation introduced significant changes
in June 2021. The expanded ruleset will change how politically-exposed
persons are reported on, and will bring cryptocurrencies under the remit of
reporting obligations.
One of the most significant of these changes is that foreign Money Services
Businesses (MSBs), which had not previously been obligated to report
under the FINTRAC legislation, will now do so. This will significantly
increase reporting obligations and associated risks for foreign fintech firms
operating in the Canadian market.
--https://www.fintrac-canafe.gc.ca/covid19/flexible-measures-eng
Mobile Apps Under Surveillance
Financial data security compliance is critical for all fintech and mobile banking
app developers for a number of reasons, including:
▪ Reducing costs of data breaches
▪ Avoiding regulatory fines
▪ Maintaining customer trust and loyalty
▪ Capacity to operate in multiple jurisdictions
▪ https://www.intertrust.com/blog/top-2021-banking-and-fintech-security-regulations/
Ante Upped--Financial Data
Security Compliance
California Consumer Privacy Act (CCPA)
--The new changes introduced to the CCPA on January 1 will demand
data compliance. It will also widen the net.
The act's core provisions already grant consumers the rights to access
held about them, demand its deletion, and opt-out from future
these only previously applied to "for-profit" businesses, such as those
in excess of $25 million.
For finance and mobile banking developers doing business in
layer of financial data security compliance that they need to fulfill.
--https://www.jdsupra.com/legalnews/ab-713-ccpa-requirements-take-effect-42027/
Critical Infrastructure & Supply
Chain Language in Legislation
The Cyber Incident Notification Act of 2021 places its primary focus on the federal supply chain.
However, the CINA expands this coverage to "covered entities" that includes owners and
operators of critical infrastructure.
The full definition of covered entities has not been drafted yet, and the bill tasks
the Cybersecurity & Infrastructure Security Agency (CISA) with drafting a definition that will
include "at a minimum, Federal contractors, owners or operators of critical infrastructure, and
nongovernmental entities that provide cybersecurity incident response services."
--https://www.agileit.com/news/cyber-incident-notification-act/
--Led by Mark Warner, Senate Intelligence Chair, Marco Rubio, and Susan Collins
36-Hour Data Breach Reporting
Rules for Significant Incidents
Specifically, the Proposed Rule would require banking organizations to notify
their primary federal regulators within 36 hours of becoming aware of a
"computer-security incident" that rises to the level of a "notification incident." In
addition to covering incidents involving unauthorized access to customer
information, it would apply to some events where data was rendered
temporarily unavailable, such as ransomware and distributed denial-of-
service attacks.
The rule would also require bank service providers to notify "at least two
individuals" at an affected banking organization-customer immediately after
experiencing a computer-security incident that it believes "in good faith could
disrupt, degrade, or impair services provided for four or more hours." A 36-hour
deadline appears to be one of the most rigorous timeframes of any U.S.
breach reporting scheme.
--Banking Law Committee Journal, April 28, 2021
The Circle Widens…Proposed Banking Cyber-Incident
Notification Rules Could Apply to Fintech Players
The rule was issued Jan. 12, 2021, by the Office of the Comptroller of the Currency
(OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit
Insurance Corporation (FDIC). The rule's comment period concluded April 12.
Three Key Takeaways
1. Fintechs should confirm whether their existing banking organization clients have
designated them as bank service providers under the BSCA.
2. Fintechs should review existing commercial agreements and standard forms to
incorporate provisions requiring a banking organization client to notify the fintech should
the client designate the fintech as a bank service company.
3. Fintechs (and their banking organization clients) should proactively ensure that these
agreements and forms also adequately provide for notification procedures (including
timing and contact information) to facilitate compliance with the proposed rules.
--https://www.jonesday.com/en/insights/2021/01/fintech-proposed-banking-cyberincident-notification-rules-could-apply-to-you-too
--https://www.reedsmith.com/en/perspectives/2021/04/proposed-rule-would-require-faster-reporting-of-cyber-incidents-by-banks
American Bankers Association
Weighs in
--https://www.fdic.gov/resources/regulations/federal-register-publications/2021/2021-computer-security-incident-notification-3064-af59-c-016.pdf
A common source of concern is the misperception that the Proposal intends to replace
existing notice requirements with a short, fixed, prescriptive timeline. There also is
concern that the Proposal is overbroad, and would create burdensome overreporting
contrary to the spirit of its articulated intent to provide "early awareness" of severe and
operationally debilitating occurrences. This concern lies in the belief that the Proposal
as written would attach prescriptive mandatory reporting to an array of events, both the
actual, materially harmful and extraordinary, as well as the merely possible or
mundane. In practice, this would compel banks to overreport nondisruptive events to
their primary federal regulator as well as use limited resources to review voluminous
overreports from bank service providers.
…there remains cautious concern as to how the Proposal will be implemented and
enforced.
--
FinCEN announces eight areas of focus and advises preparation for
issuance of new regulations
On June 30, 2021, the U.S. Department of Treasury's Financial Crimes
Enforcement Network ("FinCEN") issued the first government-wide priorities for
anti-money laundering ("AML") and countering the financing of terrorism
("CFT") policy (the "Priorities").
FinCEN has not yet issued the regulations governing how the Priorities must be
incorporated into Covered Institutions' AML programs.
Cybercrime, including Relevant Cybersecurity and Virtual Currency Considerations:
FinCEN states that it is particularly concerned about three types of cybercrime: (1) cyber-
enabled financial crime, such as phishing campaigns or other fraudulent schemes against
financial institutions; (2) ransomware attacks; and (3) "the misuse of virtual assets that
exploits and undermines their innovative potential, including through laundering of illicit
proceeds." FinCEN notes that it issued an advisory in 2016 describing the typologies and
red flags related to cybercrime to assist Covered Institutions compliance and cybersecurity
units.
--https://www.jdsupra.com/legalnews/fincen-issues-anti-money-laundering-and-3281702/
So What About the States…
• All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have
enacted security breach notification laws that require businesses or governments to notify
consumers or citizens if their personal information is breached.
• Lawmakers continue to review existing laws, however. At least 22 states introduced or
considered measures in 2021 that would amend existing security breach laws. Bills were
enacted in three states (Georgia, North Dakota and Utah) so far in 2021.
Summary of Legislation
The most common trends in legislation this year include proposals that would:
• Establish or shorten the time frame within which an entity must
report a breach.
• Require state or local government entities to
report data breaches.
• Provide an affirmative defense for entities that had reasonable
security practices in place at the time of a breach.
• Expand definitions of "personal information" (e.g., to include
biometric information, health information, etc.).
• Require private sector entities to report breaches to the state
attorney general or other state entity.
--https://www.ncsl.org/research/telecommunications-and-information-technology/2021-security-breach-legislation.aspx
State Cybersecurity Safe Harbor
Legislation
2021 has already been a big year for state cybersecurity
safe harbor legislation.
--Two states, Utah and Connecticut, have recently enacted or introduced a breach litigation safe
harbor to incentivize businesses to protect personal information by adopting industry-
recognized cybersecurity frameworks such as the National Institute of Standards and
Technology's (NIST) Cybersecurity Framework and the Center for Internet Security's (CIS)
Critical Security Controls.
--In March 2021, Utah became the second state, after Ohio, to adopt a cybersecurity safe harbor
statute for businesses impacted by a data breach. Specifically, an entity that "creates, maintains, and
reasonably complies" with a written cybersecurity program modeled after one of several named
cybersecurity frameworks may have an affirmative defense to certain claims if the program is in
place at the time it experiences a breach of its system security.
--"Breach of system security" is defined under the law to mean an unauthorized acquisition of
computerized data maintained by a person that compromises the security, confidentiality, or integrity
of personal information.
--https://www.mondaq.com/unitedstates/security/1067364/2021-developments-in-state-cybersecurity-safe-harbor-laws
Vendor Management
--Effective vendor management (for both compliance and certainty) requires
more than a sales demonstration.
--It requires a thorough analysis of vendor financials, SOC reports, security,
and confidentiality.
--Having legal counsel review vendor contracts for regulatory compliance and
effective security can provide significant assurances that the chosen vendors
are protecting customer assets and minimizing legal exposure.
----https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
Vendor Management
With virtual banking replacing the retail branch, financial institutions are not
immune from this phenomenon, despite the sensitivity of data under their
management. They are faced with the challenge of finding a WFH environment
that is as safe and secure as an in-office environment.
To reach that goal, financial institutions will need to revisit, update and
implement stronger technology policies into their employee handbooks.
Those policies should incorporate not only cyber protection but also
institutional protection for potential employee breaches.
--https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
Vendor Management
****To summarize, it is important to take inventory of (1) vendor agreements, (2)
privacy policies, (3) employee technology policies, and (4) incident response
plans.***
--Analyze those relative to regulatory and insurance requirements and
determine what steps need to be made for maximum protection.
----https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
Resources
https://www.fdic.gov/resources/bankers/information-technology/
• Cybersecurity
o FFIEC Cybersecurity Assessment Tool assists institutions with identifying cybersecurity risks and determining
preparedness
o Frequently Asked Questions provide information related to the FFIEC Cybersecurity Assessment Tool
• Technology Outsourcing: Informational Tools for Community Bankers provides resources for selecting service providers,
drafting contract terms, and providing oversight for multiple service providers
• FDIC Technical Assistance Videos
o Cybersecurity Awareness, a video series designed to assist bank directors with understanding cybersecurity risks and
related risk management programs
o Cyber Challenge: A Community Bank Cyber Exercise designed to encourage community financial institutions to
discuss operational risk issues and the potential impact of information technology disruptions on common banking
functions
Voluntary Resource Opportunity
On June 30, 2015, the Federal Financial Institutions
Examination Council (FFIEC), on behalf of its members,
issued a Cybersecurity Assessment Tool (Assessment)
that financial institutions may use to evaluate their risks
and cybersecurity preparedness.
Noted for Community Banks as incorporating NIST
Framework ideas, FFIEC Information Technology
Examination Handbook, and others.
https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT%20FAQs.pdf
FFIEC Cyber Tool Link
https://www.ffiec.gov/cyberassessmenttool.htm
Board Level Resources
The 2020 Edition of the NACD Director's Handbook on
Cyber-Risk Oversight
(National Association of Corporate Directors)
The Handbook was the first non-government resource to be
featured on the U.S. Department of Homeland Security's US-
CERT C3 Voluntary Program website.
(United States Computer Emergency Readiness Team)
Links:
https://www.nacdonline.org/insights/publications.cfm?ItemNumber=67298
STAKEHOLDER ENGAGEMENT AND CYBER
INFRASTRUCTURE RESILIENCE
The Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR) division within
Cybersecurity and Infrastructure Security Agency (CISA) streamlines strategic outreach to
government and industry partners, by leveraging capabilities, information and intelligence, and
subject matter experts in order to meet stakeholder requirements. SECIR programs and initiatives
build public, private and international partnerships and capacity for resilience across the Nation's
critical infrastructure and the cybersecurity community. For more information, email
SECIRFrontOffice@hq.dhs.gov.
Vision
An engaged and informed customer base driven to achieve a resilient and secure cyber space
ecosystem.
Mission
• Initiate and sustain strategic Critical Infrastructure (CI) & State, Local, Tribal and Territorial (SLTT)
partnerships to develop approaches for longer cyber risk management.
• Engage SLTT and CI partners to implement comprehensive but specific cyber preparedness and
protective activities
• Perform outreach and education activities and advocate for DHS cyber capabilities
Cybersecurity & The Public Trust
Equation
But resilience against a cyber run doesn't preclude damage to the economy, Mr.
Duffie and Mr. Younger noted. Financial markets, probably more than any other
critical infrastructure except elections, require public trust to operate. This can
quickly erode, even if an attack isn't widespread.
Darrell Duffie, a professor at Stanford's business school, examined the potential
impact of a "cyber run" in a paper published with Joshua Younger, a managing
director at JPMorgan.
--https://www.nytimes.com/2021/07/03/business/dealbook/hacking-wall-street.html
Self-Assessment from BECTF
Bankers Electronic Crimes Task Force (BECTF) with state
bank regulators & US Secret Service - Ransomware
Self-Assessment Tool
https://www.csbs.org/sites/default/files/2020-10/R-SAT_0.pdf
Around the World – Less Prep
"In terms of cyber maturity, Latin America still needs significant
advances. The recent OECD study, Digital Security Risk Management,
highlights that only three of the 21 countries in Latin America have a
defined national digital security strategy, indicating that the region is not
yet sufficiently prepared. This is largely due to gaps in legal and
regulatory structures. Other aspects that corroborate the criticality of the
situation involve the limited investment in cybersecurity technology and
the deficit of talent in cybersecurity." -- Homero Valiatti has been working at Itaú
Unibanco since 2018 and is currently Information Security Superintendent. In this role, Homero is
responsible for the evolution of the institution's cybersecurity.
FS-ISAC
(c) Dawn Yankeelov, 2017.
Reality of Compliance - Test,
Test, Not Just Annually
One-quarter of the organizations who do execute testing
usually uncover problems or gaps, which begs the question:
how many untested environments are operating with glitches?
--Peak 10 data study
Get Involved: Public Policy
• Participate in organizations like CompTIA
• Join Your Local Technology Council – 60+ Across the US
• Give Comments During Comment Periods for Banking
Regulation
• Participate at the State Level in local fusion centers and other
Cybersecurity Centers of Excellence at Universities and New
Initiatives
• Attend Fly-ins to DC
• Follow proposed banking legislation
• NIST Cyber Working Groups
At the Office: Cyber Workforce
Gap
Every year in the U.S. there are 128,000 openings for
Information Security Analysts, but only 88,000 workers
currently employed in those positions – a talent shortfall of
40,000 workers for cybersecurity's largest job.
http://cyberseek.org/heatmap.html
Federal Partners in Cyber
NIST -- National Institute of Standards and Technology
NIST is the federal technology agency that works with industry to
develop and apply technology, measurements, and standards.
NICE -- The National Initiative for Cybersecurity
Education
NICERC now Cyber.org -- Cyber Literacy Curriculum,
Computer Science Curriculum, STEM Curriculum, and Teacher
Resources from National Integrated Cyber Education Research.
A Banking Cybersecurity Profile to Enhance and
Simplify Your Risk Assessment
DOWNLOAD CRI CYBERSECURITY PROFILE V1.1,
NOVEMBER 12, 2020
The CRI Cyber Profile v1.1 includes:
1. User Guide,
2. Mappings to National Association of Insurance
Commissioners (NAIC) IT handbook,
3. V.1.1 Frequently Asked Questions (FAQ),
4. Summary of v1.1 updates and revisions,
5. Mapping to NIST Cyber Security Framework (CSF),
and
6. Mapping between NIST CSF/ISO IEC 27001
• The Roadmap Forward
• Impact Tiering Questionnaire
• Industry Press Release: CRI Cyber Profile v1.1, November 12, 2020
--
Explanation of Banking
Cybersecurity Profile
The banking industry saw a need for a more harmonized approach to
cybersecurity that supports strong oversight while conserving talent and
resources, and ensuring safety and soundness. The Financial Services Sector
Cybersecurity Profile acts as a shared baseline for examination across
federal regulators - in a way that makes the most sense for the individual
institution.
• developed by the Financial Services Sector Coordinating Council (global, regional,
midsize and community banks, along with representatives from other key agencies)
• designed to deploy resources more effectively
• reduces time spent on reconciling exam issues
• integrates widely used standards and supervisory expectations
• complements the NIST cybersecurity framework
Back in the Spotlight: Financial
Services Sector Coordinating
Council
For the Bank Teller:
In Walks Awareness Training
➢ Your biggest security risk works in-house
➢ Empower your workforce to reduce that risk
➢ 95% of all security breaches involve
human error
Simplicity: Mimecast (ATAATA)
Final Takeaways
• Make Data Driven Decisions
• Take a Proactive Stance
• Take Broad View of Risk Management
• Have Governance and Designate a CISO role
• Strengthen Cyber Practices Around Compliance
• Test, Test and Mitigate
• Be Willing to Collaborate with Peers and Industry
• Attend to the Human Factor Internally - Train and Develop
Workforce
Questions?
Aspectx
Your Communications and Public Policy Firm
*Competitive Intelligence & Industry Analysis*Public
Policy*Joint Application Design*Marketing*Public Relations &
Social Media*Business Development*Web Development &
Content Marketing Founder and President Dawn Yankeelov
www.aspectx.com
dawny@aspectx.com Twitter: @dawnyaspectx 502-292-2351
TALK - Technology Association of Louisville Kentucky
www.talklou.com
And TECNA www.tecna.org @talklou

More Related Content

Similar to A Look At Evolving Cybersecurity Policy for Financial Institutions 2021

employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurity
Paul Ferrillo
Ā 
Web and Social Media Archiving: A Growing Necessity For the Financial Industry
Web and Social Media Archiving: A Growing Necessity For the Financial IndustryWeb and Social Media Archiving: A Growing Necessity For the Financial Industry
Web and Social Media Archiving: A Growing Necessity For the Financial Industry
PageFreezer
Ā 
21595
2159521595
21595
Sushmita Das
Ā 
Regulators on the Move ā€“ Recent Treasury and Comptroller Actions: How They Af...
Regulators on the Move ā€“ Recent Treasury and Comptroller Actions: How They Af...Regulators on the Move ā€“ Recent Treasury and Comptroller Actions: How They Af...
Regulators on the Move ā€“ Recent Treasury and Comptroller Actions: How They Af...
Winston & Strawn LLP
Ā 
Cyber ANPR Regulatory Alert - October 2016
Cyber ANPR Regulatory Alert - October 2016Cyber ANPR Regulatory Alert - October 2016
Cyber ANPR Regulatory Alert - October 2016
Ben-Ari Boukai
Ā 
Technology Facilitating the Regulatory Reporting
Technology Facilitating the Regulatory ReportingTechnology Facilitating the Regulatory Reporting
Technology Facilitating the Regulatory Reporting
NIIT Technologies
Ā 
NIIT Technologies regulatory reporting
NIIT Technologies regulatory reportingNIIT Technologies regulatory reporting
NIIT Technologies regulatory reporting
NIIT Technologies
Ā 
Data Privacy
Data PrivacyData Privacy
Data Privacy
cliff_rudolph
Ā 
Enforcement and Litigation Trends and Developments in Privacy and Data Security
Enforcement and Litigation Trends and Developments in Privacy and Data Security Enforcement and Litigation Trends and Developments in Privacy and Data Security
Enforcement and Litigation Trends and Developments in Privacy and Data Security
Richik Sarkar
Ā 
RA_WhitePaper_RisksRewards_Rollins_2 15 16
RA_WhitePaper_RisksRewards_Rollins_2 15 16RA_WhitePaper_RisksRewards_Rollins_2 15 16
RA_WhitePaper_RisksRewards_Rollins_2 15 16
Nita Rollins, Ph.D.
Ā 
S26: Techsauce | A New World of FinTech Regulation: What the Future Holds (23...
S26: Techsauce | A New World of FinTech Regulation: What the Future Holds (23...S26: Techsauce | A New World of FinTech Regulation: What the Future Holds (23...
S26: Techsauce | A New World of FinTech Regulation: What the Future Holds (23...
Kullarat Phongsathaporn
Ā 
Why is Regulatory Reporting tough?
Why is Regulatory Reporting tough?Why is Regulatory Reporting tough?
Why is Regulatory Reporting tough?
HEXANIKA
Ā 
The Rise of FinTech_ How Is It Revolutionizing The Future of Finance_.pdf
The Rise of FinTech_ How Is It Revolutionizing The Future of Finance_.pdfThe Rise of FinTech_ How Is It Revolutionizing The Future of Finance_.pdf
The Rise of FinTech_ How Is It Revolutionizing The Future of Finance_.pdf
Anil
Ā 
Securities Insight: Securities Enforcement
Securities Insight: Securities EnforcementSecurities Insight: Securities Enforcement
Securities Insight: Securities Enforcement
LexisNexis
Ā 
Blockchain & AML - The Yin & Yang
Blockchain & AML - The Yin & YangBlockchain & AML - The Yin & Yang
Blockchain & AML - The Yin & Yang
Syed Hassan Talal
Ā 
What's new with Cybersecurity in Singapore?
What's new with Cybersecurity in Singapore? What's new with Cybersecurity in Singapore?
What's new with Cybersecurity in Singapore?
Abraham Vergis
Ā 
BAFT-IFSA Social Media and Banking Global Webinar - June 2013
BAFT-IFSA Social Media and Banking Global Webinar - June 2013 BAFT-IFSA Social Media and Banking Global Webinar - June 2013
BAFT-IFSA Social Media and Banking Global Webinar - June 2013
Berwin Leighton Paisner
Ā 
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing
Fintech 2.0 - Rebooting Financial Services - Blockchain Clearing
Ian Beckett
Ā 
The FinTech 2.0 Paper: rebooting financial services
The FinTech 2.0 Paper: rebooting financial servicesThe FinTech 2.0 Paper: rebooting financial services
The FinTech 2.0 Paper: rebooting financial services
Edwin Soares
Ā 
Not Prepared for Hacks .docx
                 Not Prepared for Hacks    .docx                 Not Prepared for Hacks    .docx
Not Prepared for Hacks .docx
hallettfaustina
Ā 

Similar to A Look At Evolving Cybersecurity Policy for Financial Institutions 2021 (20)

employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurity
Ā 
Web and Social Media Archiving: A Growing Necessity For the Financial Industry
Web and Social Media Archiving: A Growing Necessity For the Financial IndustryWeb and Social Media Archiving: A Growing Necessity For the Financial Industry
Web and Social Media Archiving: A Growing Necessity For the Financial Industry
Ā 
21595
2159521595
21595
Ā 
Regulators on the Move ā€“ Recent Treasury and Comptroller Actions: How They Af...
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021

  • 1. A Look At Evolving Cybersecurity Policy for Financial Institutions Dawn Yankeelov, President, Aspectx & Executive Director, Technology Association of Louisville Kentucky July 16, 2021
  • 2. Looking Back to 2016… Statistics May Not Surprise You
      • Cybercrime Jumped to the Most Reported Economic Crime in PWC’s Global Economic Crime Survey in 2016.
      • The US Commercial Bank with the lowest security posture was one of the top 10 largest financial service organizations in the US by revenue.
      • Only one of the top 10 largest banks, Bank of America, received an overall “A” grade in the PWC Security Scorecard.
      • Nearly 1 out of 5 financial institutions used an email service provider in 2016 with severe security vulnerabilities.
      • Best performing in IT Security in 2016: Goldman Sachs, Exchange Bank, BNP Paribas Fortis, and Banco Popolare
      --PricewaterhouseCoopers Scorecard 2016
  • 3. Big Banks Are Paying Attention
      2021 — The financial services industry faced unprecedented cybersecurity costs and ... New legislation is on the horizon in several states…
      At a Congressional hearing in May this year, the chief executives of Wall Street’s six largest banks were asked to name the greatest threat to their companies and the wider financial system. They did not mention the global pandemic, climate change or factors that contributed to the 2008 financial crisis. The most popular answer instead was “cybersecurity.” – NYT, July 3, 2021
  • 4. Manpower: On It in IT
      JPMorgan Chase alone spends about $600 million each year on cybersecurity efforts and has “more than 3,000 employees” working on the issue in some way.
      July 8, 2021 1:23 PM EDT, Finance: Morgan Stanley faces data breach, corporate client info stolen in vendor hack
      The bank said attackers accessed information by exploiting a vulnerability in the vendor's server, Accellion FTA. While the exposure was patched within five days, the attackers obtained a decryption key even though the files were encrypted.
  • 5. US Cyberspace Solarium Commission Puts Financial Sector at Top of Critical Infrastructure --Solarium.gov
  • 6. Public Policy: New Standards Coming
      • More Information-Sharing In Your Future
      • More Protections for Personal Information
      • More Players Onboard with “Ideas” from NIST to State Finance-Specific boards, to ABA to the Federal Reserve Board, the Office of the Comptroller of the Currency and the Financial Institutions Examination Council.
      • New York Leading the Way
      • State Governors Pushing
      • Mega-Bank Group Has Formed
      • A Push to Adherence to Federal Guidelines
      • More and More Risk Management
      • Training for Staff
  • 7. Influencers
      • Mobile Banking
      • Internet of Things (IoT)
      • Life in “the Cloud”
      • Cybersecurity Workforce Gap
  • 8. Social Engineering Fears Predominate
      According to CSI recent survey data, the overwhelming majority (81%) of bankers view social engineering as the greatest cybersecurity threat in 2021.
      • Customer-targeted phishing: The topmost cybersecurity threat identified by bankers was social engineering aimed at customers via phishing (34%). This coincides with recent reports of large scale email impersonation attacks, pretending to be from the recipient’s personal bank and trying to trick them into providing sensitive information about their accounts.
      • Employee-targeted phishing: Almost as many bankers (32%) are most worried about phishing aimed at internal targets that let attackers into internal systems. This concern is well-founded. Employees working from home and burdened by new financial and family challenges due to the pandemic are ripe targets for cybercriminals.
  • 9. Anticipation… Implications to Follow
      The Financial Stability Board (FSB) has published responses to its consultation on regulatory and supervisory issues relating to outsourcing and third-party relationships. Recommended:
      • the development of global standards on outsourcing and third-party risk management;
      • the adoption of consistent definitions and terminology;
      • pooled audits, certificates and reports.
      A rise in the use of mobile finance apps was noticed by two other parties: hackers and regulators. Hackers increased attacks intended to steal personal information or cardholder data, while regulators became increasingly concerned with financial data security compliance. The developers of financial services apps need to ensure data security compliance to operate in various markets, reassure their customers that they are handling their data with care, and importantly, reduce risk and exposure associated with regulatory censure.
      --https://securityboulevard.com/2021/02/top-2021-banking-and-fintech-security-regulations/
  • 10. Global Legislation Impacts… Anti-Money Laundering, Cybersecurity Requirements, etc.
      Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
      Canada’s anti-money laundering legislation introduced significant changes in June 2021. The expanded ruleset will change how politically-exposed persons are reported on, and will bring cryptocurrencies under the remit of reporting obligations. One of the most significant of these changes is that foreign Money Services Businesses (MSBs), which had not previously been obligated to report under the FINTRAC legislation, will now do so. This will significantly increase reporting obligations and associated risks for foreign fintech firms operating in the Canadian market.
      --https://www.fintrac-canafe.gc.ca/covid19/flexible-measures-eng
  • 11. Mobile Apps Under Surveillance
      Financial data security compliance is critical for all fintech and mobile banking app developers for a number of reasons, including:
      • Reducing costs of data breaches
      • Avoiding regulatory fines
      • Maintaining customer trust and loyalty
      • Capacity to operate in multiple jurisdictions
      --https://www.intertrust.com/blog/top-2021-banking-and-fintech-security-regulations/
  • 12. Ante Upped--Financial Data Security Compliance
      California Consumer Privacy Act (CCPA) --The new changes introduced to the CCPA on January 1 will demand data compliance. It will also widen the net. The act’s core provisions already grant consumers the rights to access held about them, demand its deletion, and opt-out from future these only previously applied to “for-profit” businesses, such as those in excess of $25 million. For finance and mobile banking developers doing business in layer of financial data security compliance that they need to fulfill.
      --https://www.jdsupra.com/legalnews/ab-713-ccpa-requirements-take-effect-42027/
  • 13. Critical Infrastructure & Supply Chain Language in Legislation
      The Cyber Incident Notification Act of 2021 places its primary focus on the federal supply chain. However, the CINA expands this coverage to “covered entities” that includes owners and operators of critical infrastructure. The full definition of covered entities has not been drafted yet, and the bill tasks the Cybersecurity & Infrastructure Security Agency (CISA) with drafting a definition that will include “at a minimum, Federal contractors, owners or operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services.”
      --https://www.agileit.com/news/cyber-incident-notification-act/
      --Led by Mark Warner, Senate Intelligence Chair, Marco Rubio, and Susan Collins
  • 14. 36-Hour Data Breach Reporting Rules for Significant Incidents
      Specifically, the Proposed Rule would require banking organizations to notify their primary federal regulators within 36 hours of becoming aware of a “computer-security incident” that rises to the level of a “notification incident.” In addition to covering incidents involving unauthorized access to customer information, it would apply to some events where data was rendered temporarily unavailable, such as ransomware and distributed denial-of-service attacks.
      The rule would also require bank service providers to notify “at least two individuals” at an affected banking organization-customer immediately after experiencing a computer-security incident that it believes “in good faith could disrupt, degrade, or impair services provided for four or more hours.”
      A 36-hour deadline appears to be one of the most rigorous timeframes of any U.S. breach reporting scheme.
      --Banking Law Committee Journal, April 28, 2021
  • 15. The Circle Widens… Proposed Banking Cyber-Incident Notification Rules Could Apply to Fintech Players
      The rule was issued Jan. 12, 2021, by the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC). The rule’s comment period concluded April 12.
      Three Key Takeaways
      1. Fintechs should confirm whether their existing banking organization clients have designated them as bank service providers under the BSCA.
      2. Fintechs should review existing commercial agreements and standard forms to incorporate provisions requiring a banking organization client to notify the fintech should the client designate the fintech as a bank service company.
      3. Fintechs (and their banking organization clients) should proactively ensure that these agreements and forms also adequately provide for notification procedures (including timing and contact information) to facilitate compliance with the proposed rules.
      --https://www.jonesday.com/en/insights/2021/01/fintech-proposed-banking-cyberincident-notification-rules-could-apply-to-you-too
      --https://www.reedsmith.com/en/perspectives/2021/04/proposed-rule-would-require-faster-reporting-of-cyber-incidents-by-banks
  • 16. American Bankers Association Weighs in
      --https://www.fdic.gov/resources/regulations/federal-register-publications/2021/2021-computer-security-incident-notification-3064-af59-c-016.pdf
      A common source of concern is the misperception that the Proposal intends to replace existing notice requirements with a short, fixed, prescriptive timeline. There also is concern that the Proposal is overbroad, and would create burdensome overreporting contrary to the spirit of its articulated intent to provide “early awareness” of severe and operationally debilitating occurrences. This concern lies in the belief that the Proposal as written would attach prescriptive mandatory reporting to an array of events, both the actual, materially harmful and extraordinary, as well as the merely possible or mundane. In practice, this would compel banks to overreport nondisruptive events to their primary federal regulator as well as use limited resources to review voluminous overreports from bank service providers.
      … there remains cautious concern as to how the Proposal will be implemented and enforced.
  • 17. FinCEN announces eight areas of focus and advises preparation for issuance of new regulations
      On June 30, 2021, the U.S. Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued the first government-wide priorities for anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) policy (the “Priorities”). FinCEN has not yet issued the regulations governing how the Priorities must be incorporated into Covered Institutions’ AML programs.
      Cybercrime, including Relevant Cybersecurity and Virtual Currency Considerations: FinCEN states that it is particularly concerned about three types of cybercrime: (1) cyber-enabled financial crime, such as phishing campaigns or other fraudulent schemes against financial institutions; (2) ransomware attacks; and (3) “the misuse of virtual assets that exploits and undermines their innovative potential, including through laundering of illicit proceeds.” FinCEN notes that it issued an advisory in 2016 describing the typologies and red flags related to cybercrime to assist Covered Institutions compliance and cybersecurity units.
      --https://www.jdsupra.com/legalnews/fincen-issues-anti-money-laundering-and-3281702/
  • 18. So What About the States…
      • All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws that require businesses or governments to notify consumers or citizens if their personal information is breached.
      • Lawmakers continue to review existing laws, however. At least 22 states introduced or considered measures in 2021 that would amend existing security breach laws. Bills were enacted in three states (Georgia, North Dakota and Utah) so far in 2021.
  • 19. Summary of Legislation
      The most common trends in legislation this year include proposals that would:
      • Establish or shorten the time frame within which an entity must report a breach.
      • Require state or local government entities to report data breaches.
      • Provide an affirmative defense for entities that had reasonable security practices in place at the time of a breach.
      • Expand definitions of "personal information" (e.g., to include biometric information, health information, etc.).
      • Require private sector entities to report breaches to the state attorney general or other state entity.
      --https://www.ncsl.org/research/telecommunications-and-information-technology/2021-security-breach-legislation.aspx
  • 20. State Cybersecurity Safe Harbor Legislation 2021 has already been a big year for state cybersecurity safe harbor legislation. --Two states, Utah and Connecticut, have recently enacted or introduced a breach litigation safe harbor to incentivize businesses to protect personal information by adopting industry-recognized cybersecurity frameworks such as the National Institute of Standards and Technology's (NIST) Cybersecurity Framework and the Center for Internet Security's (CIS) Critical Security Controls. --In March 2021, Utah became the second state, after Ohio, to adopt a cybersecurity safe harbor statute for businesses impacted by a data breach. Specifically, an entity that "creates, maintains, and reasonably complies" with a written cybersecurity program modeled after one of several named cybersecurity frameworks may have an affirmative defense to certain claims if the program is in place at the time it experiences a breach of its system security. --"Breach of system security" is defined under the law to mean an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information. --https://www.mondaq.com/unitedstates/security/1067364/2021-developments-in-state-cybersecurity-safe-harbor-laws
  • 21. Vendor Management --Effective vendor management (for both compliance and certainty) requires more than a sales demonstration. --It requires a thorough analysis of vendor financials, SOC reports, security, and confidentiality. --Having legal counsel review vendor contracts for regulatory compliance and effective security can provide significant assurances that the chosen vendors are protecting customer assets and minimizing legal exposure. --https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
  • 22. Vendor Management With virtual banking replacing the retail branch, financial institutions are not immune from this phenomenon, despite the sensitivity of data under their management. They are faced with the challenge of finding a WFH environment that is as safe and secure as an in-office environment. To reach that goal, financial institutions will need to revisit, update and implement stronger technology policies into their employee handbooks. Those policies should incorporate not only cyber protection but also institutional protection for potential employee breaches. --https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
  • 23. Vendor Management To summarize, it is important to take inventory of (1) vendor agreements, (2) privacy policies, (3) employee technology policies, and (4) incident response plans. --Analyze those relative to regulatory and insurance requirements and determine what steps need to be made for maximum protection. --https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
  • 24. Resources https://www.fdic.gov/resources/bankers/information-technology/ • Cybersecurity o FFIEC Cybersecurity Assessment Tool assists institutions with identifying cybersecurity risks and determining preparedness o Frequently Asked Questions provide information related to the FFIEC Cybersecurity Assessment Tool • Technology Outsourcing: Informational Tools for Community Bankers provides resources for selecting service providers, drafting contract terms, and providing oversight for multiple service providers • FDIC Technical Assistance Videos o Cybersecurity Awareness, a video series designed to assist bank directors with understanding cybersecurity risks and related risk management programs o Cyber Challenge: A Community Bank Cyber Exercise designed to encourage community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions
  • 25. Voluntary Resource Opportunity On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued a Cybersecurity Assessment Tool (Assessment) that financial institutions may use to evaluate their risks and cybersecurity preparedness. Noted for Community Banks as incorporating NIST Framework ideas, FFIEC Information Technology Examination Handbook, and others. https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT%20FAQs.pdf
  • 26. FFIEC Cyber Tool Link https://www.ffiec.gov/cyberassessmenttool.htm
  • 27. Board Level Resources The 2020 Edition of the NACD Director's Handbook on Cyber-Risk Oversight (National Association of Corporate Directors) The Handbook was the first non-government resource to be featured on the U.S. Department of Homeland Security's US-CERT C3 Voluntary Program website. (United States Computer Emergency Readiness Team) Links: https://www.nacdonline.org/insights/publications.cfm?ItemNumber=67298
  • 28. STAKEHOLDER ENGAGEMENT AND CYBER INFRASTRUCTURE RESILIENCE The Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR) division within Cybersecurity and Infrastructure Security Agency (CISA) streamlines strategic outreach to government and industry partners, by leveraging capabilities, information and intelligence, and subject matter experts in order to meet stakeholder requirements. SECIR programs and initiatives build public, private and international partnerships and capacity for resilience across the Nation's critical infrastructure and the cybersecurity community. For more information, email SECIRFrontOffice@hq.dhs.gov. Vision An engaged and informed customer base driven to achieve a resilient and secure cyber space ecosystem. Mission • Initiate and sustain strategic Critical Infrastructure (CI) & State, Local, Tribal and Territorial (SLTT) partnerships to develop approaches for longer cyber risk management. • Engage SLTT and CI partners to implement comprehensive but specific cyber preparedness and protective activities • Perform outreach and education activities and advocate for DHS cyber capabilities
  • 29. Cybersecurity & The Public Trust Equation But resilience against a cyber run doesn't preclude damage to the economy, Mr. Duffie and Mr. Younger noted. Financial markets, probably more than any other critical infrastructure except elections, require public trust to operate. This can quickly erode, even if an attack isn't widespread. Darrell Duffie, a professor at Stanford's business school, examined the potential impact of a "cyber run" in a paper published with Joshua Younger, a managing director at JPMorgan. --https://www.nytimes.com/2021/07/03/business/dealbook/hacking-wall-street.html
  • 30. Self-Assessment from BECTF Bankers Electronic Crimes Task Force (BECTF) with state bank regulators & US Secret Service: Ransomware Self-Assessment Tool https://www.csbs.org/sites/default/files/2020-10/R-SAT_0.pdf
  • 31. Around the World – Less Prep "In terms of cyber maturity, Latin America still needs significant advances. The recent OECD study, Digital Security Risk Management, highlights that only three of the 21 countries in Latin America have a defined national digital security strategy, indicating that the region is not yet sufficiently prepared. This is largely due to gaps in legal and regulatory structures. Other aspects that corroborate the criticality of the situation involve the limited investment in cybersecurity technology and the deficit of talent in cybersecurity." --Homero Valiatti has been working at Itaú Unibanco since 2018 and is currently Information Security Superintendent. In this role, Homero is responsible for the evolution of the institution's cybersecurity.
  • 33. Reality of Compliance: Test, Test, Not Just Annually One-quarter of the organizations who do execute testing usually uncover problems or gaps, which begs the question: how many untested environments are operating with glitches? --Peak 10 data study
  • 34. Get Involved: Public Policy • Participate in organizations like CompTIA • Join Your Local Technology Council – 60+ Across the US • Give Comments During Comment Periods for Banking Regulation • Participate at the State Level in local fusion centers and other Cybersecurity Centers of Excellence at Universities and New Initiatives • Attend Fly-ins to DC • Follow Proposed Banking Legislation • NIST Cyber Working Groups
  • 35. At the Office: Cyber Workforce Gap Every year in the U.S. there are 128,000 openings for Information Security Analysts, but only 88,000 workers currently employed in those positions – a talent shortfall of 40,000 workers for cybersecurity's largest job. http://cyberseek.org/heatmap.html
  • 36. Federal Partners in Cyber NIST -- National Institute of Standards and Technology NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards. NICE -- The National Initiative for Cybersecurity Education NICERC now Cyber.org -- Cyber Literacy Curriculum, Computer Science Curriculum, STEM Curriculum, and Teacher Resources from National Integrated Cyber Education Research.
  • 37. A Banking Cybersecurity Profile to Enhance and Simplify Your Risk Assessment DOWNLOAD CRI CYBERSECURITY PROFILE V1.1, NOVEMBER 12, 2020 The CRI Cyber Profile v1.1 includes: 1. User Guide, 2. Mappings to National Association of Insurance Commissioners (NAIC) IT handbook, 3. V.1.1 Frequently Asked Questions (FAQ), 4. Summary of v1.1 updates and revisions, 5. Mapping to NIST Cyber Security Framework (CSF), and 6. Mapping between NIST CSF/ISO IEC 27001 • The Roadmap Forward • Impact Tiering Questionnaire • Industry Press Release: CRI Cyber Profile v1.1, November 12, 2020
  • 38. Explanation of Banking Cybersecurity Profile The banking industry saw a need for a more harmonized approach to cybersecurity that supports strong oversight while conserving talent and resources, and ensuring safety and soundness. The Financial Services Sector Cybersecurity Profile acts as a shared baseline for examination across federal regulators, in a way that makes the most sense for the individual institution. • developed by the Financial Services Sector Coordinating Council (global, regional, midsize and community banks, along with representatives from other key agencies) • designed to deploy resources more effectively • reduces time spent on reconciling exam issues • integrates widely used standards and supervisory expectations • complements the NIST cybersecurity framework
  • 39. Back in the Spotlight: Financial Services Sector Coordinating Council
  • 40. For the Bank Teller: In Walks Awareness Training • Your biggest security risk works in-house • Empower your workforce to reduce that risk • 95% of all security breaches involve human error
  • 42. Final Takeaways • Make Data Driven Decisions • Take a Proactive Stance • Take a Broad View of Risk Management • Have Governance and Designate a CISO role • Strengthen Cyber Practices Around Compliance • Test, Test and Mitigate • Be Willing to Collaborate with Peers and Industry • Attend to the Human Factor Internally: Train and Develop Workforce
  • 44. Aspectx Your Communications and Public Policy Firm * Competitive Intelligence & Industry Analysis * Public Policy * Joint Application Design * Marketing * Public Relations & Social Media * Business Development * Web Development & Content Marketing Founder and President Dawn Yankeelov www.aspectx.com dawny@aspectx.com Twitter: @dawnyaspectx 502-292-2351 TALK: Technology Association of Louisville Kentucky www.talklou.com And TECNA www.tecna.org @talklou