Statistics May Not Surprise You
• Cybercrime has jumped to the most reported economic crime in PwC's Global Economic Crime Survey.
• The US commercial bank with the lowest security posture is one of the top 10 largest financial service organizations in the US by revenue.
• Only one of the top 10 largest banks, Bank of America, received an overall "A" grade in the PwC Security Scorecard.
• Nearly 1 out of 5 financial institutions use an email service provider with severe security vulnerabilities.
• Best performing in IT security: Goldman Sachs, Exchange Bank, BNP Paribas Fortis, and Banco Popolare.
-- PricewaterhouseCoopers Scorecard 2016
(c) Dawn Yankeelov, 2017.
Breach Activity and Threats Amplifying Focus
• In October 2016, cybercriminals launched major DDoS attacks that took down Twitter, Netflix, PayPal, Pinterest and the PlayStation Network.
• 40,000 Tesco Bank accounts were compromised in a cyberattack in November 2016; roughly 9,000 customers reportedly had as much as £600 (approximately $763) siphoned from their accounts.
• December 14, 2016: Yahoo's 2014 data breach affected 500 million users. In December the company disclosed another breach, dating from 2013, affecting one billion Yahoo accounts, making it the largest data breach in history.
Big Banks Are Paying Attention
• Financial cybersecurity systems are predicted to grow to $68 billion by 2020.
• J.P. Morgan Chase, Bank of America, Citigroup, and Wells Fargo combined spend $1.5 billion on cybersecurity annually.
• US financial industry cybersecurity ranked No. 4 out of 18 of the US economy's industries in 2016.
Market Indicators: Specific Bank Issues
• Network security issues: weak and insecure TLS cipher suites, expired SSL certificates, open FTP ports, open SMB ports.
• Malware was detected in nearly half of the largest 20 US commercial banks in a one-month snapshot last year, e.g. Pony Loader and VertexNet.
• Verizon's Data Breach report flagged patching cadence as a big issue for banks.
• Using end-of-life products is often a setup for data breaches.
Public Policy: New Standards Coming
• More information-sharing in your future
• More protections for personal information
• More players onboard with "ideas", from NIST to state finance-specific boards, to the ABA, to the Federal Reserve Board, the Office of the Comptroller of the Currency and the Federal Financial Institutions Examination Council
• New York leading the way
• State governors pushing
• Mega-bank group has formed
• A push to adherence to federal guidelines
• More and more risk management
• Training for staff
Newer Influencers
*Mobile Banking
*Internet of Things (IoT)
*Life in “the Cloud”
*Cybersecurity Workforce Gap
*SWIFT breaches and New Steps
New Standards/Guideline Implications to Follow
• Federal Reserve Board, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation new minimum standards – deadline for comments ended Jan. 17
• Specific to banks with $50 billion in assets:
1. Secure, immutable, offline storage of records for loan data and accounts
2. Capacity to recover from a disruptive attack within 2 hours
3. Separate senior leaders in charge of cyber-risk management (CISO)
4. Spells out risk preparation and recovery
These New Advance Notice of Proposed Rule-Making (ANPR) Standards
Public comments are available on the Board's Web site:
http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm
Categories of interest: governance, risk management, internal dependency management, external dependency management, incident response, cyber resilience, situational awareness.
Expected under Cyber Governance: requiring covered entities to develop a written, board-approved, enterprise-wide cyber risk management strategy, complete with policies and reporting structures.
These New Advance Notice of Proposed Rule-Making (ANPR) Standards (continued)
• Agencies may require banks of size to identify and rank all outside vendors, and inside interconnections among assets, and their associated cyber risks, so as to prioritize their mitigation.
• On-file plans may be required for incident response and situational awareness: "Anticipate, withstand, contain, and rapidly recover from a disruption caused by a significant cyber event."
Challenges:
>> Identification of "Sector Critical Systems" at a financial institution
>> Quick recovery provision
New York, New York: The Bellwether
• Revised proposal of NYDFS as of 1/13/2017:
  • Controls designed to protect "nonpublic information" and the information systems that hold it
  • Now defined as sensitive personal information in combinations, not any single identifier
  • Includes business-related information, not just individuals' data – information must be defined as having a "material adverse impact" if lost
  • Periodic risk assessment $$$$
  • "to inform design of cyber program"
More Clarity: NY Dept. of Financial Services
• Negated and taken out of the proposed actions:
  • Encrypt all types of customer information at rest and in transit
• Now: encrypt non-public information (sensitive information), similar to Massachusetts and Nevada law
• Now: encrypt business information not related to individuals, creating the country's first encryption requirement for sensitive business information
More Clarity: NY Dept. of Financial Services (continued)
* Requirements relating to multi-factor authentication narrowed
  • Risk-based authentication specific to access to "internal networks from an external network," potentially including employee remote access and customer access to online accounts
* Logging and audit trail requirements less extensive
* 72-hour reporting requirement to NYDFS where any other government reporting is required, or where there is "material harm of operations"
* The board of directors' annual certification of compliance provision will be required in its original form
Effective date of revised regulations anticipated: March 1, 2017
First certificate of compliance: Feb. 15, 2018
Phased Compliance Period
• One year for penetration testing, risk assessment, multifactor authentication, and general cybersecurity awareness training
• 18 months from the effective date for audit trail, application security, data retention practices, and monitoring authorized user activity
• Two years for third-party service requirements
New comment period ends Jan. 28th, before finalization is expected.
NYDFS Designation: CISO
* The rework of the regulations requires that someone in the bank be designated a CISO; it need not be a new hire.
Getting Onboard With Cyber: Credit Unions
• National Association of Credit Unions working with the Financial Services Information Sharing and Analysis Center
• Issued a statement on more extensive measures needed to protect consumers' sensitive financial data, Nov 23, 2016.
Voluntary Resource Opportunity
On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued a Cybersecurity Assessment Tool (Assessment) that financial institutions may use to evaluate their risks and cybersecurity preparedness.
Noted for community banks as incorporating NIST Framework ideas, the FFIEC Information Technology Examination Handbook, and others.
https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT%20FAQs.pdf
FFIEC Cyber Tool Link
https://www.ffiec.gov/cyberassessmenttool.htm
Board Level Resources
The 2017 edition of the NACD Director's Handbook on Cyber-Risk Oversight (National Association of Corporate Directors).
The Handbook was the first non-government resource to be featured on the U.S. Department of Homeland Security's US-CERT (United States Computer Emergency Readiness Team) C3 Voluntary Program website.
Links:
https://www.nacdonline.org/Resources
https://www.us-cert.gov/ccubedvp/business
Other Resources
The five NIST Cybersecurity Framework core functions: Identify, Protect, Detect, Respond, Recover.
Other Resources (continued)
The CRR (Cyber Resilience Review) is based on the CERT Resilience Management Model, a process improvement model developed by Carnegie Mellon University's Software Engineering Institute for managing operational resilience.
Focus on people, IT and facilities.
War Games Ahead
• Proposed information sharing by big banks
• Participants include J.P. Morgan Chase & Co., Bank of America Corp., State Street Corp., and Goldman Sachs Group
• Will share knowledge of threats to the banking industry
• Prepare comprehensive responses when attacked
• Conduct war games for the largest institutions only
• Why? J.P. Morgan Chase was breached two years ago, exposing 76 million household records
• Umbrella organization is the Financial Services Information Sharing and Analysis Center
FS-ISAC
Cybersecurity Information Sharing Act
Source: Dataprotectionreport.com
Required by Law
96% of financial organizations have a documented disaster recovery (DR) plan. The vast majority are also using a considerable array of DR tools, and making a significant investment in DR overall.
• 86% replicate data
• 85% execute backups
• 68% have active-active designs
Sources:
http://www.peak10.com/2016-financial-services-and-it-study/
http://www.availabilitydigest.com/public_articles/0101/what_is_active-active.pdf
Reality of Compliance: Test, Test, Not Just Annually
One-quarter of the organizations that do execute testing usually uncover problems or gaps, which begs the question: how many untested environments are operating with glitches?
-- Peak 10 data study
Mobile Banking Issues
"There is a massive transformation in flight [in our industry]… nearly half of our customers only go to a physical branch once a year and we expect that number to be closer to 70% very soon."
- Kim Hammonds, Group Chief Operating Officer at Deutsche Bank (CEO panel at Dreamforce 2016)
The Identity Theft Resource Center's database (1/17/17) shows that mobile devices pose the smallest data breach threat. Companies should focus on securing laptops, external hard drives and cloud services using encryption to lower their risk of a breach.
Cloud-based Technologies for Banking
• Pluses include:
  • The opportunity to standardize IT across an organization
  • Make IT updates across the units
  • Cloud technology enables quick scaling and processing capacity to react to changes in customer demand
  • Workforce management: remote and personalized schedules
• The keys: velocity, elasticity, availability
• 2016 factoid: of the world's 38 largest financial institutions and insurance companies, 25 have already signed up with Microsoft and are beginning to put applications in the cloud. -- Letstalkpayments.com
Cloud-Based Cyber
Nearly 70 percent of respondents said their company is using cloud-based cybersecurity services, according to PwC's Global State of Information Security Survey 2016.
Caveat: scrutinize the contract and be aware of the provider's liability in case of data loss or breach.
The Cloud Security Alliance recommends for cloud services: multifactor authentication on all hosts; host-based and network-based intrusion detection systems; applying the concept of least privilege; network segmentation; and patching shared resources.
Get Involved: Public Policy
• Participate in organizations like CompTIA
• Join your local technology council – 53 across the US
• Give comments during comment periods for banking regulation
• Participate at the state level in local fusion centers and other cybersecurity centers of excellence at universities and new initiatives, e.g. Idaho – 10 cyber initiatives
• Attend fly-ins to DC
• Follow proposed banking legislation
• Join NIST cyber working groups
At the Office: Cyber Workforce Gap
The demand for cybersecurity experts is growing 12 times faster than the current U.S. job market, making cybersecurity one of the most highly sought-after careers in the country.
• Source: https://niccs.us-cert.gov/
Every year in the U.S. there are 128,000 openings for Information Security Analysts, but only 88,000 workers are currently employed in those positions – a talent shortfall of 40,000 workers for cybersecurity's largest job.
http://cyberseek.org/heatmap.html
Federal Partners in Cyber
• NIST -- National Institute of Standards and Technology: the federal technology agency that works with industry to develop and apply technology, measurements, and standards.
• NICE -- The National Initiative for Cybersecurity Education
• NICERC -- Cyber literacy curriculum, computer science curriculum, STEM curriculum, and teacher resources from the National Integrated Cyber Education Research Center.
NIST Working Groups
National Initiative for Cybersecurity Education (NICE) Working Group
The NICE Working Group (NICEWG) has been established to provide a mechanism in which public and private sector participants advance cybersecurity education, training, and workforce development.
Industry co-chair: Andre Thornton, Technical Leadership Programs and STEM IS&GS Engineering & Technology at Lockheed Martin Corporation
Government co-chair: Rodney Petersen, Director of NICE at the National Institute of Standards and Technology
To Join
• For the NICE Working Group: email NICEWG@nist.gov with the subject line "NICEWG Subscribe", and with your full name and email address in the body of the message.
For the Bank Teller: In Walks Awareness Training
• Your biggest security risk works in-house
• Empower your workforce to reduce that risk
• 95% of all security breaches involve human error
Simplicity: ATAATA
Where to Begin
• Vulnerability assessment
NIST Cybersecurity Framework
• Currently version 1.1
  • Current comment period ends April 10, 2017
  • Comments can be sent to: cyberframework@nist.gov
https://www.nist.gov/cyberframework
The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization, from the executive level to the implementation/operations level.
NIST Cybersecurity Framework (continued)
https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf
NEW in version 1.1: managing cyber supply chain risks via clarification of key terms (accounting for authentication, authorization and identity proofing) and an introduction of measurement methods for cybersecurity.
8th Annual NICE Conference – November 7-8, 2017 in Dayton, OH
Back in the Spotlight: Financial Services Sector Coordinating Council
Sent to Congress from FSSCC
• Invest further in financial services supporting infrastructure and risk-based cyber R&D
• Pursue a holistic and streamlined approach to cybersecurity regulation
• Establish global cyber norms and cyber deterrence and response capabilities
• Prioritize essential "lifeline" sectors in planning and event response
• Develop a technology-capable workforce
• Noted: the Financial Systemic Resilience and Analysis Center (FSARC), established in 2016 by financial service firms designated as "critical infrastructure" to mitigate systemic risk from cyber threats.
Final Takeaways
• Make data-driven decisions
• Take a proactive stance
• Take a broad view of risk management
• Have governance and designate a CISO role
• Strengthen cyber practices around compliance
• Test, test and mitigate
• Be willing to collaborate with peers and industry
• Attend to the human factor internally: train and develop the workforce
Questions?
Aspectx
Your Communications and Public Policy Firm
Competitive Intelligence & Industry Analysis * Public Policy * Joint Application Design * Marketing * Public Relations & Social Media * Business Development * Web Development & Content Marketing
Founder and President: Dawn Yankeelov
www.aspectx.com
dawny@aspectx.com   Twitter: @dawnyaspectx   502-292-2351
TALK – Technology Association of Louisville Kentucky, and TECNA, www.tecna.org, @talklou
Shaping Your Future in Banking Cybersecurity