Slide 4 – Rethinking Cyber Security: Focus on recent regulatory evolutions

Audit check-list
• Corporate governance, including organization and reporting structure for cyber security related issues
• Management of cyber security issues and written information security policies and procedures
• Resources devoted to information security and overall risk management
• Assessment of risks raised by shared infrastructure
• Protections against intrusion
• Information security testing and monitoring, including penetration testing
• Incident detection and response processes, including monitoring
• Training of information security professionals as well as all other personnel
• Management of third-party service providers
• Integration of information security into business continuity and disaster recovery documentation
• Cyber security insurance coverage and other third-party protections

Recent regulatory evolutions
• On November 3rd 2014, FFIEC released observations from its recent cyber security assessment. FFIEC recommended that regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center.
• On April 15th 2014, the SEC announced that the OCIE would audit more than 50 registered broker-dealers and investment advisers for cyber security preparedness. On Feb 3rd 2015, the OCIE issued a summary of observations from the examinations conducted.
• On Feb 3rd 2015, FINRA issued a new report on cyber security, which details practices that firms can tailor to their business model as they strengthen their cyber security efforts. The Report on Cyber security Practices draws in part on the results of FINRA's recent targeted examination.
• On December 10th 2014, NYDFS issued examination guidance to banks outlining new targeted cyber security preparedness assessments. Targeted cyber security assessments will be integrated as an ongoing, regular part of the DFS exam process.
Slide 6 – Rethinking Cyber Security
Identify – Protect – Detect – Respond – Recover (NIST Framework) | What’s next (1/3)

1. Enhance the governance framework
Objectives:
• Establish and implement a cyber security governance framework that supports decision making and escalation within the organization to identify and manage cyber security risks
• Define risk management policies, processes and structures coupled with relevant controls tailored to the nature of the risks
Key takeaways:
• Define a governance framework to support decision making based on risk appetite
• Ensure active senior management and board-level engagement with cyber security issues
• Identify frameworks and standards to address cyber security
• Use metrics and thresholds to manage the performance of the program
• Dedicate resources to achieve the desired risk posture

2. Implement a Risk Assessment Program
Objectives:
• Conduct regular assessments to identify and measure cyber security risks associated with firm assets and vendors, determine the likelihood of the occurrence of the threat and identify system vulnerabilities
• Prioritize, implement and monitor the remediation of the risks identified
Key takeaways:
• Identify and maintain an inventory of assets authorized to access the firm’s network and, as a subset thereof, critical assets that should be accorded prioritized protection
• Conduct comprehensive risk assessments that include:
   – An assessment of external and internal threats and asset vulnerabilities
   – Prioritized and time-bound recommendations to remediate risks
• Enhance vigilance through experience-based learning and continuous monitoring programs to help capture risk signals across the ecosystem

3. Set up technical controls
Objectives:
• Implement technical controls to protect firm software and hardware that store and process data, as well as the data itself
Key takeaways:
• Implement a defense-in-depth strategy to address known and emerging threats with reinforced security layers
• Select controls appropriate to the firm’s technology and threat environment, such as:
   – identity and access management
   – data security and encryption
   – penetration testing
Slide 7 – Rethinking Cyber Security
Identify – Protect – Detect – Respond – Recover (NIST Framework) | What’s next (2/3)

4. Prepare an incident response plan
Objectives:
• Provide a framework to manage a cyber security incident in a way that limits damage, increases the confidence of external stakeholders, and reduces recovery time and costs
• Establish policies and procedures and define clear roles and responsibilities for escalating and responding to cyber security incidents
Key takeaways:
• Set up practices for incident response and integrate them into business continuity and disaster recovery documentation:
   – Containment and mitigation strategies for multiple incident types and recovery plans for systems and data
   – Communication plan for outreach to relevant stakeholders
   – Measures to maintain client confidence
• Enhance resilience through simulated testing and crisis management processes

5. Mitigate vendor risks
Objectives:
• Manage cyber security risk that can arise across the lifecycle of vendor relationships using a risk-based approach to vendor management
Key takeaways:
• Perform pre-contract due diligence on prospective service providers and ongoing due diligence on existing vendors
• Establish contractual terms appropriate to the sensitivity of information and systems to which the vendor may have access
• Include vendor relationships and outsourced systems as part of the firm’s ongoing risk assessment process
• Establish, maintain and monitor vendor entitlements so as to align with firm risk appetite and information security standards

6. Train staff
Objectives:
• Provide cyber security training tailored to staff needs
• Enhance risk awareness across the organization
Key takeaways:
• Define cyber security training requirements
• Identify appropriate cyber security training update cycles
• Deliver interactive training with audience participation to increase retention
• Develop training around information from the firm’s loss incidents, risk assessment process and threat intelligence gathering
Slide 8 – Rethinking Cyber Security
Identify – Protect – Detect – Respond – Recover (NIST Framework) | What’s next (3/3)

7. Use cyber intelligence
Objectives:
• Use cyber threat intelligence to improve the ability to identify, detect and respond to cyber security threats
Key takeaways:
• Assign responsibility for cyber security intelligence gathering and analysis at the organizational and individual levels
• Establish mechanisms to disseminate threat intelligence and analysis rapidly to appropriate groups within the firm
• Evaluate threat intelligence from tactical and strategic perspectives, and determine the appropriate time frame for the course of action
• Participate in appropriate information sharing organizations and periodically evaluate the firm’s information-sharing partners

8. Assess cyber insurance
Objectives:
• Evaluate the utility of cyber insurance as a way to transfer some risk as part of the firm’s risk management processes
• Conduct an analysis to ensure alignment between existing coverage and risk assessment processes
Key takeaways:
• For firms that have cyber security coverage, conduct a periodic analysis of the adequacy of the coverage provided in connection with the firm’s risk assessment process, to determine if the policy and its coverage align with the firm’s risk assessment and ability to bear losses
• For firms that do not have cyber insurance, evaluate the cyber insurance market to determine if coverage is available that would enhance the firm’s ability to manage the financial impact of cyber security events

It is now time to implement measures to address cyber security challenges by leveraging traditional risk management methods.
Slide 11 – Rethinking Cyber Security
Appendix | Involvement required across the organization

Main roles and responsibilities
• Identify cyber risks throughout the firm
• Make sure risks are properly mitigated and monitor remediation actions, if any
• Prepare and release communications in case of incidents
• Make sure that processes and systems comply with privacy and data protection laws and internal control measures
• Integrate the cyber security framework into business continuity and disaster recovery plans
• Develop the accounting framework for cyber risk
• Quantify cyber risks and assess the utility of cyber insurance
• Consider regulation, litigation possibilities, contractual obligations, and the firm’s ability to provide third parties with evidence of proper data protection processes
• Ensure that the control framework is in place