Rethinking Cyber Security Approach
•
0 likes•716 views
A new approach to cyber security for banks
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (12)
Similar to Rethinking Cyber Security Approach
Similar to Rethinking Cyber Security Approach (20)
More from Stéphanie Baruk
More from Stéphanie Baruk (8)
Recently uploaded
Recently uploaded (20)
Rethinking Cyber Security Approach
- 2. Agenda An evolving cyber threat landscape1 3 A new approach to Cyber Security 4 Key success factors to transform Cyber Security 5 Appendix Focus on recent regulatory evolutions2
- 3. 3 Rethinking Cyber Security An evolving cyber threat landscape Emergence of new risks Sophistication of attacks and multiplicity of adversaries Increased costs and impacts Regulatory scrutiny Traditional boundaries have shifted with the explosion of data and interconnectedness Emerging technologies and reliance on third parties have created a borderless infrastructure resulting in increased exposure The sophistication of cyber attacks has increased exponentially while the defensive approach remained the same Risk is no longer limited to financial criminal and skilled hackers but also hacktivist groups driven by political or social agendas and nation‐states to create havoc in the markets Financial services are seeing increased costs with an estimate of $30M in 2014 Number of incidents but also higher complexity of responding to threats have contributed to higher losses More than financial losses, reputational damage and loss of market confidence deserve full attention at the highest levels of the company Financial institutions are placed under greater scrutiny from the regulators Cyber risk management practices are now evaluated as part of regular examination processes In today’s environment with cyber threats being unavoidable, early detection, responsiveness, rapidity to recover and integration into a comprehensive framework are key for financial institutions
- 4. 4 Rethinking Cyber Security Focus on recent regulatory evolutions Corporate governance, including organization and reporting structure for cyber security related issues Management of cyber security issues and written information security policies and procedures Resources devoted to information security and overall risk management Assessment of risks raised by shared infrastructure Protections against intrusion Information security testing and monitoring, including penetration testing Incident detection and response processes, including monitoring Training of information security professionals as well as all other personnel Management of third‐party service providers Integration of information security into business continuity and disaster recovery documentation Cyber security insurance coverage and other third‐ party protections On November 3rd 2014, FFIEC released observations from the recent cyber security assessment FFIEC recommended regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center On April 15th 2014, the SEC had announced the OCIE will audit more than 50 registered broker‐dealers and investment advisers for cyber security preparedness On Feb 3rd 2015, the OCIE issued a summary observations from examinations conducted On Feb 3rd 2015, the FINRA issued a new report on cyber security, which details practices that firms can tailor to their business model as they strengthen their cyber security efforts The Report on Cyber security Practices draws in part from the results of FINRA's recent targeted examination On December 10th 2014, NYDFS issued examination guidance to banks outlining new targeted cyber security preparedness assessments Targeted cyber security assessments will be integrated as ongoing, regular part of DFS Exam Process Audit check‐list
- 5. 5 Rethinking Cyber Security Moving towards an enterprise‐wide cyber risk management Reputational damage Loss of share values, loss of market confidence Business disruption Inability to execute trades, to access to information Fraud and theft of intellectual property Financial, loss of competitive edge, specific techniques Cyber risk must become a concern for the entire enterprise starting from the Board, and be factored into strategic decisions Today • Ad‐hoc approach • IT solely responsible for protecting computers and networks • Security architecture very weak • No governance framework and escalation process Target • Ad‐hoc approach patching up weaknesses rather than anticipating threats • Dedicated resources but still embedded in IT • Minimal security built in to the design process • Cost‐benefit approach, integrated into the enterprise (see Appendix) • Continuous monitoring programs enhancing situational awareness and risk culture established • CISO independent of IT and has voice at the C‐Suite table • Technology infrastructure deployed to support security processes Enterprise‐wide cyber risk management IT‐focused …facing a diverse array of impacts Organizations have made significant security improvements but they have not kept pace with today’s adversaries and sophisticated attacks…
- 6. 6 Rethinking Cyber Security Identify ‐ Protect – Detect – Respond – Recover (NIST Framework) | What’s next (1/3) Key takeawaysObjectives • Establish and implement a cyber security governance framework that supports decision making and escalation within the organization to identify and manage cyber security risks • Define risk management policies, processes and structures coupled with relevant controls tailored to the nature of the risks Enhance the governance framework • Define a governance framework to support decision making based on risk appetite • Ensure active senior management and board‐level engagement with cyber security issues • Identify frameworks and standards to address cyber security • Use metrics and thresholds to manage the performance of the program • Dedicate resources to achieve the desired risk posture 1 • Conduct regular assessments to identify and measure cyber security risks associated with firm assets and vendors, determine the likelihood of the occurrence of the threat and identify system vulnerabilities • Prioritize, monitor and implement their remediation Implement a Risk Assessment Program • Identify and maintain an inventory of assets authorized to access the firm’s network and, as a subset thereof, critical assets that should be accorded prioritized protection • Conduct comprehensive risk assessments that include: An assessment of external and internal threats and asset vulnerabilities Prioritized and time‐bound recommendations to remediate risks • Enhance vigilance through experience‐based learning and continuous monitoring programs to help capture risk signals across the ecosystem 2 • Implement technical controls to protect firm software and hardware that stores and processes data, as well as the data itself. Set‐up technical controls • Implement a defense‐in‐depth strategy to address known and emerging threats with reinforced security layers • Select controls appropriate to the firm’s technology and threat environment, such as: identity and access management; data security and encryption, penetration testing. 3
- 7. 7 Rethinking Cyber Security Identify ‐ Protect – Detect – Respond – Recover (NIST Framework) | What’s next (2/3) Key takeawaysObjectives • Provide a framework to manage a cyber security incident in a way that limits damage, increases the confidence of external stakeholders, and reduces recovery time and costs • Establish policies and procedures and define clear roles and responsibilities for escalating and responding to cyber security incidents Prepare an incident response planning • Set up practices for incident response and integrate them into business continuity and disaster recovery documentation: Containment and mitigation strategies for multiple incident types and recovery plans for systems and data Communication plan for outreach to relevant stakeholders Measures to maintain client confidence • Enhance resilience through simulated testing and crisis management processes 4 • Manage cyber security risk that can arise across the lifecycle of vendor relationships using a risk‐ based approach to vendor management Mitigate vendor risks • Perform pre‐contract due diligence on prospective service providers and perform ongoing due diligence on existing vendors • Establish contractual terms appropriate to the sensitivity of information and systems to which the vendor may have access • Include vendor relationships and outsourced systems as part of the firm’s ongoing risk assessment process; • Establish, maintain and monitor vendor entitlements so as to align with firm risk appetite and information security standards 5 • Provide cyber security trainings tailored to staff needs • Enhance the risk‐awareness across the organization Train staff • Define cyber security training needs requirements • Identify appropriate cyber security training update cycles • Deliver interactive training with audience participation to increase retention • Develop training around information from the firm’s loss incidents, risk assessment process and threat intelligence gathering 6
- 8. 8 Rethinking Cyber Security Identify ‐ Protect – Detect – Respond – Recover (NIST Framework) | What’s next (3/3) Key takeawaysObjectives • Use cyber threat intelligence to improve ability to identify, detect and respond to cyber security threats Use cyber intelligence • Assign responsibility for cyber security intelligence gathering and analysis at the organizational and individual levels • Establish mechanisms to disseminate threat intelligence and analysis rapidly to appropriate groups within the firm • Evaluate threat intelligence from tactical and strategic perspectives, and determine the appropriate time frame for the course of action • Participate in appropriate information sharing organizations and periodically evaluate the firm’s information‐sharing partners 7 • Evaluate the utility of cyber insurance as a way to transfer some risk as part of their risk management processes • Conduct an analysis to ensure alignment between existing coverage and risk assessment processes Assess cyber insurance • For firms that have cyber security coverage, conduct a periodic analysis of the adequacy of the coverage provided in connection with the firm’s risk assessment process to determine if the policy and its coverage align with the firm’s risk assessment and ability to bear losses • For firms that do not have cyber insurance, evaluate the cyber insurance market to determine if coverage is available that would enhance the firm’s ability to manage the financial impact of cyber security events. 8 It is now time to implement measures to address cyber security challenges by leveraging traditional risk management methods
- 11. 11 • Identify cyber risks throughout the firm Main roles and responsibilities • Make sure risks are properly mitigated and monitor remediation actions if any • Prepare and release communications in case of incidents • Make sure that processes and systems comply with privacy and data protection laws and internal control measures • Integrate the cyber security framework into business continuity and disaster recovery plans • Develop the accounting framework for cyber risk • Quantify cyber risks and assess the utility of cyber insurance • Consider regulation, litigation possibilities, contractual obligations, and the firm’s ability to provide third parties with evidence of proper data protection processes • Ensure that the control framework is in place Rethinking Cyber Security Appendix | Involvement required across the organization
- 12. MONTREAL 202 – 1819 Bd Rene Levesque O. Montreal, Quebec, H3H2P5 PARIS 25, rue Alphonse de Neuville 75017, Paris, France NIORT 19 avenue Bujault 79000 Niort, France NEW YORK 1441, Broadway Suite 3015, New York NY 10018, USA SINGAPORE Level 25, North Tower, One Raffles Quay, Singapore 048583 HONG KONG 905, 9/F, Kinwick Centre 32 Hollywood Road, Central, Hong Kong LONDON 50 Great Portland Street London W1W 7ND, UK GENEVA Rue de Lausanne 80 CH 1202 Genève, Suisse