IIB s Risk Management and Regulatory Examination / Compliance Seminar

Transcription

1 IIB s Risk Management and Regulatory Examination / Compliance Seminar Cybersecurity: Regulatory Developments and Industry Practices Presented at: CUNY Graduate Center October 25, :00 a.m. 10:15 a.m. Moderator: Walter J. Mix III, Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group) Panelists: Melissa Hall, Of Counsel, Morgan, Lewis and Bockius, LLP James Talbot, Counsel, Skadden, Arps, Slate, Meagher and Flom, LLP Mike Hartigan, New York Chief Information Security Officer Credit Agricole - Corporate and Investment Bank BRG (Berkeley Research Group) 550 South Hope Street, Suite 2150, Los Angeles, CA Website:

2 Cybersecurity Attack Map.ipviking.com 2

3 Overview Moderator Walter J. Mix III Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group) Cybersecurity Some Keys to Success Cybersecurity: Regulatory Developments and Industry Practices DFS s Cybersecurity Proposal and Cybersecurity Incident Response Plans Third Party Cybersecurity Regulatory Developments 3

4 Cybersecurity Some Keys to Success Walter J. Mix III Managing Director and Financial Services Practice Group Leader, BRG (Berkeley Research Group) Patchwork of Cyber Guidance / Home-Host Country Issues? How Cybersecurity Relates to ERM / Corporate Governance Litigation Example 4

5 Multiple Sources of Guidance What is the Primary Operational Risk Banks Face? Panama Papers Takeaways SWIFT Incident Bangladesh Incident Guidance From FFIEC, DFS, EU, NACHA, New Fed / OCC / FDIC Overlap or Complimentary? Home / Host Countries 5

6 Some Issues to Consider Corporate Governance / Board Management Roles Risk Assessment Outsourcing Vendor Management Latest Security / Penetration Testing Cybersecurity Program Properly Tailored? 3 Lines of Defense Monitoring Audit Proper Staffing Training Tailored Post Event Plan, Actual Response and Management Examination Reports Phishing of Your Employees What is OOBA? Multi-Factor Authentication? 6

7 ERM and Cybersecurity Issues to Consider Does Your Risk Assessment Address Risk / Risk Profile? Independently Developed? Best Practices? Measurable? Quality of Reports to Board / Management Multi-Disciplinary Team FFIEC Assessment Tool-Baseline, Evolving, Intermediate, Advanced and Innovative Risk Governance / Board Level: Engaged, Formalized, Ongoing Communication and Training Risk Management Tailored to Risk Profile People: Executive Team Awareness, Threat Recognition, Training, Accountability, Multi-disciplinary Team and Contingency Plans Process: Fully Integrated within ERM Framework, Measurement / Monitoring and Continuous Improvement/Changing Requirements Technology: Centralized, Monitoring, Threat Alerts and IT Investments Vendor Management 7

8 Litigation A Hypothetical Litigation Scenario When Your Bank has been Sued? Not Us! Commercially Reasonable Basis An Ounce of Prevention 8

9 Panelist Melissa Hall Of Counsel, Morgan, Lewis and Bockius, LLP Cybersecurity: Regulatory Developments and Industry Practices 9

10 CYBERSECURITY: REGULATORY DEVELOPMENTS AND INDUSTRY PRACTICES Melissa R. H. Hall IIB Seminar on Risk Management and Regulatory Examination/Compliance Issues October 25, Morgan, Lewis & Bockius LLP

11 CYBERSECURITY AND PAYMENT SYSTEMS

12 Increased Cybersecurity Incidents Cause Increased Regulatory Concerns In response to the SWIFT attacks, FFIEC released its Joint Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks Encourages financial institutions to review their risk management practices and controls, including authentication, authorization, fraud detection, and response management systems Directs financial institutions to rely on the guidance in the FFIEC IT Examination Handbook and any guidance from payment system providers OCC has identified cybersecurity as the primary operational risk for banks. OCC s Semiannual Risk Perspective outlines the various areas of risk and concern. FFIEC s Cybersecurity Assessment Tool Still voluntary! 12

13 Malware and Compromised Credentials SWIFT attacks were not an attack on the SWIFT network itself A combination of malware and compromised access credentials allowed the thieves to access the system Social engineering, phishing, etc. are a real and ongoing concern Hard to eliminate human error FFIEC identified malware and compromised credentials as meriting particular focus by financial institutions cybersecurity risk assessments Issued joint statements in

14 FRB s Secure Payments Task Force Part of the FRB s overall faster payments initiative Has noted that there is no universally accepted way to verify identity of payment systems participants Secure Payments Task Force is considering possible solutions, including identity management practices, sharing of fraud and cyber-threat information, and ways to analyze data Report is expected sometime in

15 Don t Forget About Other Participants in Payment Systems Credit card networks and NACHA also lead cybersecurity efforts Payment Card Industry Data Security Standard (PCI DSS) EMV chip credit card NACHA s ACH Risk Management Strategy 15

16 INTERAGENCY ENHANCED CYBER RISK MANAGEMENT STANDARDS

17 Interagency Enhanced Cyber Risk Management Standards ANPR Hot off the presses! Released October 19, 2016 by the FDIC, OCC and FRB Would established enhanced cyber risk management standards for the largest and most interconnected entities, as well as for services that these entities receive from third parties. Would apply to depository institutions and depository institution holding companies with total consolidated assets of $50 billion; U.S. operations of foreign banking organization with total U.S. assets of $50 billion or more, financial market infrastructure companies and nonbank financial companies supervised by the FRB. ANPR presents 39 questions on which the agencies are seeking comment. 17

18 Interagency Enhanced Cyber Risk Management Standards ANPR More stringent standards on systems that are critical to the functioning of the financial sectors ( sector-critical systems ) Seeking comment on what systems should be sector-critical systems Proposed 2 hour recovery time objective (RTO) for sector-critical systems Divides enhanced cyber risk standards into 5 categories: Cyber risk governance Cyber risk management Internal dependency management External dependency management Incident response, cyber resilience and situational awareness 18

19 Some Proposed Requirements Cyber risk governance would implement standards similar to governance standards for large, complex financial institutions e.g., board-level oversight and written governance plans, accountability of senior management, oversight independent from business lines, etc. Cyber risk management would be an independent function reporting to chief risk officer or board of directors, and internal audits would need to assess cyber risk management Internal dependency management would include an inventory of all business assets on an enterprise-wide basis prioritized according to the assets criticality to the business functions they support, the firm s mission, and the financial sector 19

20 5 Categories of Cyber Risk Management External dependency management would include having the ability to monitor in real time all external dependencies and trusted connection that support an entity s cyber risk management strategy Covered entities would need to develop effective incident response and cyber resilience governance, strategies and capacities that enable them to anticipate, withstand, and rapidly recover from disruptions caused by cyber events, including establishing an enterprise-wide cyber resilience and incident response programs Cyber resilience would require secure, offline storage of critical records, as well establishing plans to transfer functions to another entity or service provider if the entity or service provider subject to a cyber incident is unable to perform Situational awareness would require ongoing threat monitoring and threat intelligence gathering 20

21 Some Takeaways Cybersecurity isn t going away as a business or regulatory issue Banking regulators and other participants in the payment system are active in oversight and management of cybersecurity issues Pay attention to the regulatory guidance out there FFIEC, FDIC, OCC, Federal Reserve, credit card network rules, NACHA rules Ensure you have a cybersecurity risk assessment plan that is appropriately scaled to your level of risk and is dynamic enough to adapt to changes in cybersecurity threats Don t forget about cyber resiliency Consider submitting comments to the ANPR Agencies are considering whether to issue regulations, guidance, or something else 21

22 Melissa R. H. Hall Washington, DC Melissa R. H. Hall represents US and overseas banks, nonbank financial services companies, investors in financial services, and technology companies in regulatory and corporate matters. She advises them on a wide range of state and federal financial regulatory laws and regulations. She provides counsel on financial regulatory compliance and enforcement, including state and federal licensing requirements, consumer financial products and compliance, payment systems, corporate and transactional matters, financial institution investment and acquisition, and the development of new financial services products. 22

23 Our Global Reach Our Locations Africa Asia Pacific Europe Latin America Middle East North America Almaty Astana Beijing Boston Brussels Chicago Dallas Dubai Frankfurt Hartford Houston London Los Angeles Miami Moscow New York Orange County Paris Philadelphia Pittsburgh Princeton San Francisco Santa Monica Shanghai Silicon Valley Singapore Tokyo Washington, DC Wilmington 23

24 THANK YOU This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Links provided from outside sources are subject to expiration or change. Attorney Advertising Morgan, Lewis & Bockius LLP 24

25 Panelist James Talbot Counsel, Skadden, Arps, Slate, Meagher and Flom, LLP DFS s Cybersecurity Proposal Cybersecurity Incident Response Plans 25

26 DFS s Cybersecurity Proposal October 25, 2016 Presented by: Jamie Talbot Beijing / Boston / Brussels / Chicago / Frankfurt / Hong Kong / Houston / London Los Angeles / Moscow / Munich / New York / Palo Alto / Paris / São Paulo / Seoul Shanghai / Singapore / Tokyo / Toronto / Washington, D.C. / Wilmington DFS s Cybersecurity Proposal 26 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

27 Overview of DFS Proposal Stated goal: Set minimum standards while preserving flexibility Requirement: Create a Cybersecurity Program Risk assessment Defensive infrastructure Detect, respond to and recover from incidents Meet other regulatory reporting requirements DFS s Cybersecurity Proposal 27 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

28 Covered Entities and Nonpublic Information Covered Entities Individuals or entities operating under a license or similar authorization under NY banking, insurance or financial services laws» Some exceptions for smaller entities Nonpublic Information Information about individuals received or generated in course of financial services relationship (GLBA) Information about an individual s health received or generated in the course of a health care relationship (HIPAA) Information that can be used to distinguish or trace an individual s identity (linked or linkable to the individual) Information that, if disclosed or tampered with, could have a material adverse impact on operations, business or security DFS s Cybersecurity Proposal 28 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

29 Cybersecurity Policy Written Cybersecurity Policy Information security Business continuity Data governance Access controls System and application development security Vendor management Incident response plan DFS s Cybersecurity Proposal 29 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

30 Staffing, Reporting and Technical Requirements Chief Information Security Officer Security personnel (with training) Reporting By CISO to Board (bi-annual) By Board or senior officers to DFS (annual certification of compliance) Specific technical requirements Multifactor authentication for access to internal systems Monitor web access patterns Encryption in transit and at rest DFS s Cybersecurity Proposal 30 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

31 Additional DFS Requirements Security testing Penetration testing (annually) Vulnerability assessment (quarterly) Risk Assessment (annually) Limit and monitor access to information Audit trail Access and Reconstruction Limit data retention DFS s Cybersecurity Proposal 31 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

32 Breach Notification Notice to DFS superintendent of any cybersecurity event that: has a reasonable likelihood of materially affecting normal operations OR affects nonpublic information If any other regulator was notified, notify DFS 72 hour deadline Unsuccessful attacks can be cybersecurity events DFS s Cybersecurity Proposal 32 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

33 Problems with Breach Notification Can an unsuccessful attack ever give rise to a reasonable likelihood of materially affecting the normal operation of the business? Does an unsuccessful attack that would have affected nonpublic information have to be reported? Even if no material impact? What if the company isn t sure of the effect within the 72 hour deadline? Not just personally identifiable information No exception for law enforcement requests End result: far more reporting DFS s Cybersecurity Proposal 33 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

34 Haven t We Seen this Movie? Echoes of existing laws, regulatory guidance and industry best practice GLBA, HIPAA, NIST, FTC, FFIEC guidance, PCI requirements, etc. Few conflicts with existing laws DFS s Cybersecurity Proposal 34 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

35 Differences from Existing Requirements Obligations, not guidance Expanded scope Non-HIPAA entities must now meet HIPAA-like standards Nonpublic information broadened not just PII Linked or linkable Additional internal reporting Certification Specific staffing requirements Broader notification requirements DFS s Cybersecurity Proposal 35 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

36 Industry Concerns Additional costs and compliance burdens Compliance certification Reporting One-size-fits-all Many already doing much of this Company is both victim of attack and liability target Tension for reporting More to come? DFS s Cybersecurity Proposal 36 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

37 Key Dates November 12, 2016 Comment period closes January 1, 2017 Regulation takes effect June 30, 2017 Compliance grace period expires January 15, st annual compliance certification DFS s Cybersecurity Proposal 37 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

38 Cybersecurity Incident Response Plans October 25, 2016 Presented by: Jamie Talbot Beijing / Boston / Brussels / Chicago / Frankfurt / Hong Kong / Houston / London Los Angeles / Moscow / Munich / New York / Palo Alto / Paris / São Paulo / Seoul Shanghai / Singapore / Tokyo / Toronto / Washington, D.C. / Wilmington DFS s Cybersecurity Proposal 38 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

39 As soon as a cyberattack hits, everyone s IQ drops 50 points. Cybersecurity Incident Response Plans 39 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

40 Incident Response Plans: No Longer Just a Good Idea DFS requirement (proposed) Response clock is accelerating Privacy advocates and activists Insurance plans Delay may increase liability Cybersecurity Incident Response Plans 40 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

41 72 Hours is Not Much Time Detect activity Identify activity as an incident Determine how to stop the incident Determine impact What was accessed What was copied Source Review legal requirements Who needs to be notified? Prepare and submit formal notification Cybersecurity Incident Response Plans 41 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

42 Don t Delay! When a cyberattack hits, companies cannot waste time figuring out: What to do Who should be involved Who should make decisions What external parties (regulators, customer, etc.) should be contacted What is the state of the law Scrambling to figure out the team and an action plan once an incident occurs is inefficient and dramatically increases the risk of a misstep Cybersecurity Incident Response Plans 42 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

43 Establishing a Rapid Response Team Identify team members and project lead IT, legal, security, PR/communications, HR, risk management, corporate management, government relations Outside counsel Create a playbook of how incidents will be handled Determine how incidents will be identified Prioritize and classify the incident Establish protocols to determine who should be notified Establish protocols to mitigate and remediate Establish protocols for how incidents will be documented Include logistical information» Backup contacts» Communication channels Cybersecurity Incident Response Plans 43 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

44 DFS Required Contents of Plan Per the DFS Proposal, plan MUST address the following: Internal processes for responding to an incident (including unsuccessful attacks) Goals of the plan Definition of clear roles, responsibilities and levels of decision-making authority External and internal communications and information sharing Remediation of any identified weaknesses in IT systems and controls Documentation and reporting regarding incidents and related incident response activities Evaluation and revision of the plan following an incident Cybersecurity Incident Response Plans 44 Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

45 Panelist Mike Hartigan New York Chief Information Security Officer Credit Agricole Corporate and Investment Bank Third Party Cybersecurity Regulatory Developments 45

46 ANNUAL SEMINAR ON RISK MANAGEMENT AND REGULATORY EXAMINATION/COMPLIANCE ISSUES Third Party Cyber Security Regulatory Developments Mike Hartigan October 25 th, 2016

47 Third Party Cyber Security Assessment Agenda Page 47 Cyber Security: Regulatory Developments and Industry Practices

48 Cyber Security Assessment within the Third Party Program Page 48 Cyber Security: Regulatory Developments and Industry Practices

49 Step 1 - Third Party Program Scoping & Risk Classification Page 49 Cyber Security: Regulatory Developments and Industry Practices

50 Step 2 - Conducting the TSP Cyber Security Assessment Page 50 Cyber Security: Regulatory Developments and Industry Practices

51 Step 3 - Residual Risk Management Page 51 Cyber Security: Regulatory Developments and Industry Practices

52 Third Party Service Provider Risk Assessment Considerations Page 52 Cyber Security: Regulatory Developments and Industry Practices

53 Third Party Service Provider FFIEC & DFS Regulatory Developments Page 53 Cyber Security: Regulatory Developments and Industry Practices

54 Regulatory Cyber Security Landscape Page 54 Cyber Security: Regulatory Developments and Industry Practices

55 Questions Page 55 Cyber Security: Regulatory Developments and Industry Practices

56 Appendix - DFS Cyber Security Requirement Page 56 Cyber Security: Regulatory Developments and Industry Practices

57 Conclusion Thank You! Questions? 57