Cybersecurity- A Regulatory Perspective. Robert J. Lipot, CRISC Senior Financial Institutions Examiner Department of Business Oversight

Transcription

1 Cybersecurity- A Regulatory Perspective Robert J. Lipot, CRISC Senior Financial Institutions Examiner Department of Business Oversight 1

2 Cybersecurity Issues Executive Order Key Areas of Focus Cyber Assessment Cyber Insurance Discussion Topics States and Federal Regulators Promote Awareness Awareness & Information Activities

3 Cybersecurity Issues Heightened Attacksmany commercial & financial services Accessibility of systems via Internet or wireless activity More mobile society wanting on-line access 24 x 7 from anywhere Global nature of the financial business arena

4 President s Executive Order (02/12/2013) Executive Order (EO) Improving Critical Infrastructure Cybersecurity The EO has gotten the attention of Congress and regulators regarding ability to protect technology and manage cyber risks Why?- Many business have not properly addressed this

5 Cybersecurity Awareness- Importance Cyber criminals are becoming more active towards financial entities and/or its customers Break-ins and attempted/actual thefts more prevalent Not a matter of if, but when There has to be a method of determining awareness and preparedness of financial institutions

6 Key Areas to Focus On Web Facing Devices and Apps Security Monitoring Connection Security Mobile Devices/IoT DLP- What a hacked PC/ means to a hacker Privileged Accounts

7 Web Facing Devices and Applications Key Hacker targets: Websites All Mobile Devices Online Banking Mobile Banking App Stores Internet of Things (IoT)

8 Security Monitoring-Internal & External Threats Continuous monitoring system and network activity from sensors, devices, tools, etc.: Firewalls Routers Intrusion Detection Systems Intrusion Prevention Systems Audit Logs Anti-Malware (viruses, spyware, etc.)

9 Connection Security Knowledge of logical and physical connections, e.g.: Core providers Internet Service Providers Wireless Networks Virtual Private Networks Wire Transfer/ACH Systems Network/Core Processor Devices Telecommunications Room

10 Mobile Devices are Targeted-DLP BYOD vs. Licensee-owned Types, e.g.: Smart/Mobile Phones Tablets/Notebooks Laptops Thumb Drives Internet of Things Data Permitted Applications Allowed Device Security

11 Hacked PC (Krebs on Security)

12 Hacked (Krebs on Security)

13 Privileged/Admin Access Skeleton Key - all access key Access to key functions such as add, delete, change, etc. employee rights and permissible activities- a key to gaining system control Access to key controls such as auditing, logging, etc. that would record a cyber event

14 Privileged/Admin Access Could also permit root access which allows them to change operating system controls Most of cyber theft is committed with privileged access

15 Cybersecurity Factors Common Security Mistakes Cybersecurity Assessment Tool (CAT) FFIEC Cyber Information Cyber Insurance Regulator Awareness FS-ISAC

16 Common Security/Cyber Mistakes/Examination Issues Not a once and done activity No knowing where the data is at all times Forgetting about all tech items employed Not ensuring security is entity-wide and everyone plays a roll

17 Common Security/Cyber Mistakes/Examination Issues Address different age groups and cultures Security is an afterthought Not knowing who is targeting the entity Not fully understanding the implications of thirdparty risks to the financial institution

18 Cybersecurity Assessment Assessment methodology: FFIEC has provided a Cyber Assessment methodology for financial institution use - information at It assists in determining how much cybersecurity effort has been performed by the Licensee Based on NIST (National Institution for Standards & Technology) Examiners are reviewing to ensure Licensees are at the Assessment Baseline IT Exam processes have been updated to account for cybersecurity

19 FFIEC Cybersecurity Assessment Tool Currently- voluntary Awareness of the Tool Examiners should inform management of FFIEC link As usual, expect more information- stay tuned (cont.)

20 FFIEC Cyber Web Page

21 Highlight- FFIEC s Cyber Maturity

22 Definitions of Maturity Levels

23 Risk/Maturity Relationship

24 FFIEC- CAT Domains

25 Cyber Risk Insurance Has been around for only a short time Used as a Transfer Risk option As of Jan 2015, most states have mandatory data breach notification standards Expenses of handling /covering such losses are increasing -may be an option for our Licensees Some states are looking at examinations to include cyber insurance, e.g. NY Is expected to grow substantially

26 Cyber Risk Ins. Coverage Theft or manipulation of sensitive or private information Computer viruses, malware, etc. Computer fraud Could have a high deductible and only a percentage of coverage after that May only be obtained from some insurance companies Ins. Coverage will require certain conditions

27 Cyber Insurance Summary Not all policies are created equal Certain cyber risks may be covered, some not Licensees need to shop around for terms, conditions, coverages, and deductibles Costs will vary depending on size and complexity of our Licensees along with items in bullet #2 Need due diligence in looking for appropriate coverage specific to the Licensee

28 Regulators Promote Awareness and Information Activities (some examples) FFIEC Cybersecurity webinar for Board and senior management and guidance FFIEC Cyber awareness (link on main web page)

29 Regulators Promote Awareness and Information Activities (some examples) State Example: Cybersecurity in the Golden State-Kamala Harris Cyber Doc: Conference of State Bank Supervisors (CSBS) Corporate Account Takeover (CATO) webinar and guidance (on CSBS website)

30 Financial Services- Information Sharing and Analysis Center Provides a wealth of information to financial institutions FFIEC encourages becoming a member for certain benefits Website: FS-ISAC

31 Quick Cybersecurity Recap Need for management to realize the importance of awareness, preparation, and ongoing alertness Thus, Cybersecurity efforts should be discussed at key management committees and reported to Board

32 Cybersecurity Summary IT systems need to be updated regularly Staff training and vigilance are key components for prevention Licensees can t be caught asleep at the switch!!

33 References