A new approach to cyber security in financial services in the US

1. Rethinking Cyber Security
March 2015
Stephanie Baruk sbaruk@chappuishalder.com

2. Agenda
An evolving cyber threat landscape1
3 A new approach to Cyber Security
4 Key success factors to transform Cyber Security
5 Appendix
Focus on recent regulatory evolutions2

3. 3
Rethinking Cyber Security
An evolving cyber threat landscape
Emergence
of new risks
Sophistication
of attacks and
multiplicity of
adversaries
Increased
costs and
impacts
Regulatory
scrutiny
 Traditional boundaries have shifted
with the explosion of data and
interconnectedness
 Emerging technologies and reliance on
third parties have created a borderless
infrastructure resulting in increased
exposure
 The sophistication of cyber attacks has
increased exponentially while the
defensive approach remained the same
 Risk is no longer limited to financial
criminal and skilled hackers but also
hacktivist groups driven by political or
social agendas and nation‐states to
create havoc in the markets
 Financial services are seeing increased
costs with an estimate of $30M in 2014
 Number of incidents but also higher
complexity of responding to threats
have contributed to higher losses
 More than financial losses, reputational
damage and loss of market confidence
deserve full attention at the highest
levels of the company
 Financial institutions are placed under
greater scrutiny from the regulators
 Cyber risk management practices are
now evaluated as part of regular
examination processes
In today’s environment with cyber threats being unavoidable, early detection, responsiveness,
rapidity to recover and integration into a comprehensive framework are key for financial institutions

4. 4
Rethinking Cyber Security
Focus on recent regulatory evolutions
 Corporate governance, including organization and
reporting structure for cyber security related issues
 Management of cyber security issues and written
information security policies and procedures
 Resources devoted to information security and
overall risk management
 Assessment of risks raised by shared infrastructure
 Protections against intrusion
 Information security testing and monitoring,
including penetration testing
 Incident detection and response processes, including
monitoring
 Training of information security professionals as well
as all other personnel
 Management of third‐party service providers
 Integration of information security into business
continuity and disaster recovery documentation
 Cyber security insurance coverage and other third‐
party protections
 On November 3rd 2014, FFIEC released observations
from the recent cyber security assessment
 FFIEC recommended regulated financial institutions
participate in the Financial Services Information Sharing
and Analysis Center
 On April 15th 2014, the SEC had announced the OCIE will
audit more than 50 registered broker‐dealers and
investment advisers for cyber security preparedness
 On Feb 3rd 2015, the OCIE issued a summary
observations from examinations conducted
 On Feb 3rd 2015, the FINRA issued a new report on cyber
security, which details practices that firms can tailor to
their business model as they strengthen their cyber
security efforts
 The Report on Cyber security Practices draws in part
from the results of FINRA's recent targeted examination
 On December 10th 2014, NYDFS issued examination
guidance to banks outlining new targeted cyber security
preparedness assessments
 Targeted cyber security assessments will be integrated as
ongoing, regular part of DFS Exam Process
Audit check‐list

5. 5
Rethinking Cyber Security
Moving towards an enterprise‐wide cyber risk management
Reputational damage
Loss of share values, loss of
market confidence
Business disruption
Inability to execute trades,
to access to information
Fraud and theft of
intellectual property
Financial, loss of competitive
edge, specific techniques
Cyber risk must become a concern for the entire enterprise starting from the Board, and be factored
into strategic decisions
Today
• Ad‐hoc approach
• IT solely responsible for protecting computers and
networks
• Security architecture very weak
• No governance framework and escalation process
Target
• Ad‐hoc approach patching up weaknesses
rather than anticipating threats
• Dedicated resources but still embedded in IT
• Minimal security built in to the design process
• Cost‐benefit approach, integrated into the enterprise
(see Appendix)
• Continuous monitoring programs enhancing situational
awareness and risk culture established
• CISO independent of IT and has voice at the C‐Suite table
• Technology infrastructure deployed to support security
processes
Enterprise‐wide
cyber risk
management
IT‐focused
…facing a diverse array of impacts
Organizations have made significant security improvements but they have not kept pace with
today’s adversaries and sophisticated attacks…

6. 6
Rethinking Cyber Security
Identify ‐ Protect – Detect – Respond – Recover (NIST Framework) | What’s next (1/3)
Key takeawaysObjectives
• Establish and implement a cyber security
governance framework that supports decision
making and escalation within the organization to
identify and manage cyber security risks
• Define risk management policies, processes and
structures coupled with relevant controls tailored
to the nature of the risks
Enhance the
governance
framework
• Define a governance framework to support decision making based on
risk appetite
• Ensure active senior management and board‐level engagement with
cyber security issues
• Identify frameworks and standards to address cyber security
• Use metrics and thresholds to manage the performance of the program
• Dedicate resources to achieve the desired risk posture
1
• Conduct regular assessments to identify and
measure cyber security risks associated with firm
assets and vendors, determine the likelihood of
the occurrence of the threat and identify system
vulnerabilities
• Prioritize, monitor and implement their
remediation
Implement a Risk
Assessment Program
• Identify and maintain an inventory of assets authorized to access the
firm’s network and, as a subset thereof, critical assets that should be
accorded prioritized protection
• Conduct comprehensive risk assessments that include:
 An assessment of external and internal threats and asset vulnerabilities
 Prioritized and time‐bound recommendations to remediate risks
• Enhance vigilance through experience‐based learning and continuous
monitoring programs to help capture risk signals across the ecosystem
2
• Implement technical controls to protect firm
software and hardware that stores and processes
data, as well as the data itself.
Set‐up technical
controls
• Implement a defense‐in‐depth strategy to address known and emerging
threats with reinforced security layers
• Select controls appropriate to the firm’s technology and threat
environment, such as:
 identity and access management;
 data security and encryption,
 penetration testing.
3

7. 7
Rethinking Cyber Security
Identify ‐ Protect – Detect – Respond – Recover (NIST Framework) | What’s next (2/3)
Key takeawaysObjectives
• Provide a framework to manage a cyber security
incident in a way that limits damage, increases
the confidence of external stakeholders, and
reduces recovery time and costs
• Establish policies and procedures and define
clear roles and responsibilities for escalating and
responding to cyber security incidents
Prepare an incident
response planning
• Set up practices for incident response and integrate them into business
continuity and disaster recovery documentation:
 Containment and mitigation strategies for multiple incident types and
recovery plans for systems and data
 Communication plan for outreach to relevant stakeholders
 Measures to maintain client confidence
• Enhance resilience through simulated testing and crisis management
processes
4
• Manage cyber security risk that can arise across
the lifecycle of vendor relationships using a risk‐
based approach to vendor management
Mitigate vendor
risks
• Perform pre‐contract due diligence on prospective service providers
and perform ongoing due diligence on existing vendors
• Establish contractual terms appropriate to the sensitivity of information
and systems to which the vendor may have access
• Include vendor relationships and outsourced systems as part of the
firm’s ongoing risk assessment process;
• Establish, maintain and monitor vendor entitlements so as to align with
firm risk appetite and information security standards
5
• Provide cyber security trainings tailored to staff
needs
• Enhance the risk‐awareness across the
organization
Train staff
• Define cyber security training needs requirements
• Identify appropriate cyber security training update cycles
• Deliver interactive training with audience participation to increase
retention
• Develop training around information from the firm’s loss incidents, risk
assessment process and threat intelligence gathering
6

8. 8
Rethinking Cyber Security
Identify ‐ Protect – Detect – Respond – Recover (NIST Framework) | What’s next (3/3)
Key takeawaysObjectives
• Use cyber threat intelligence to improve ability to
identify, detect and respond to cyber security
threats
Use cyber
intelligence
• Assign responsibility for cyber security intelligence gathering and
analysis at the organizational and individual levels
• Establish mechanisms to disseminate threat intelligence and analysis
rapidly to appropriate groups within the firm
• Evaluate threat intelligence from tactical and strategic perspectives, and
determine the appropriate time frame for the course of action
• Participate in appropriate information sharing organizations and
periodically evaluate the firm’s information‐sharing partners
7
• Evaluate the utility of cyber insurance as a way to
transfer some risk as part of their risk
management processes
• Conduct an analysis to ensure alignment
between existing coverage and risk assessment
processes
Assess cyber
insurance
• For firms that have cyber security coverage, conduct a periodic analysis
of the adequacy of the coverage provided in connection with the firm’s
risk assessment process to determine if the policy and its coverage align
with the firm’s risk assessment and ability to bear losses
• For firms that do not have cyber insurance, evaluate the cyber
insurance market to determine if coverage is available that would
enhance the firm’s ability to manage the financial impact of cyber
security events.
8
It is now time to implement measures to address cyber security challenges by leveraging traditional
risk management methods

9. 9
Rethinking Cyber Security
Key Success Factors
Make cyber security matters a strategic business problem which deserves full attention at the
executive level
1
Strengthen the cyber risk‐aware culture through training programs adopting a more human‐centric
approach and create cyber threat intelligence unit to sustain a dynamic intelligence‐driven approach
2
Build cyber “fusion centers” that better integrate many different teams to boost intelligence, speed
response, reduce costs and leverage scarce talent
3
Place efforts on automation and analytics to create internal and external risk transparency and to
improve the quality and speed of real‐time cyber threat analysis
4
Implement a science‐based approach to cyber risk management, quantifying the cost of cyber risk
and taking a cost‐benefit approach to risk mitigation
5
Benefit from building industry relationships and expanding collaboration beyond company
boundaries
6

10. Agenda
An evolving cyber threat landscape1
3 A new approach to Cyber Security
4 Key success factors to transform Cyber Security
Appendix
Focus on recent regulatory evolutions2
5

11. 11
• Identify cyber risks throughout the firm
Main roles and responsibilities
• Make sure risks are properly mitigated and monitor remediation actions if any
• Prepare and release communications in case of incidents
• Make sure that processes and systems comply with privacy and data protection laws and internal
control measures
• Integrate the cyber security framework into business continuity and disaster recovery plans
• Develop the accounting framework for cyber risk
• Quantify cyber risks and assess the utility of cyber insurance
• Consider regulation, litigation possibilities, contractual obligations, and the firm’s ability to provide
third parties with evidence of proper data protection processes
• Ensure that the control framework is in place
Rethinking Cyber Security
Appendix | Involvement required across the organization

12. MONTREAL
202 – 1819 Bd Rene
Levesque O.
Montreal, Quebec,
H3H2P5
PARIS
25, rue Alphonse de
Neuville
75017, Paris, France
NIORT
19 avenue Bujault
79000 Niort, France
NEW YORK
1441, Broadway
Suite 3015, New York
NY 10018, USA
SINGAPORE
Level 25, North Tower,
One Raffles Quay,
Singapore 048583
HONG KONG
905, 9/F,
Kinwick Centre 32
Hollywood Road,
Central, Hong Kong
LONDON
50 Great Portland Street
London W1W 7ND, UK
GENEVA
Rue de Lausanne 80
CH 1202 Genève,
Suisse