Cyber Security for the future of financial services

Transcription

1 Cyber Security for the future of financial services Thio Tse Gan May Deloitte & Touche Enterprise Risk Services Pte Ltd 1

2 Global trends & outlook 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd 2

3 Cyber-attacks are on the rise $400B+ is the annual cost to the global economy from cybercrime [1] 15% o f i n c i d e n t s s t i l l t a k e d a y s t o d i s c o v e r [2] 55% o f i n c i d e n t s i n v o l v e a b u s e o f p r i v i l e g e d a c c e s s [2] Numbers denote industry wise breakup of 2014 data breach incidents Healthcare Financial Services Educational Government 50% recipients open s and click on phishing links within the first hour of receiving them [2] 90% chance that at least one person will fall prey to a phishing campaign with just 10 s [2] 99.9% of the exploited vulnerabilities were compromised more than a year after CVE * was published [2] 11% Per capita cost of data breach was highest in US in 2015 [4] $217 8% 18% 27.5% increase in the data breaches in various industries from 2013 [5] $154 63% 229 Average number of days attackers maintained presence after infiltration and before detection [3] $201 $217 Global Average 2014 [1] Net Losses: Estimating the Global Cost of Cybercrime by Center for Strategic and International Studies; [2] Verizon 2015 Data Breach Investigations Report; [3] Mandiant -Trends 2014: Beyond the Breach, published April 10, 2014; [4] Ponemon 2015 Cost of Data Breach Study: Global Analysis ; [5] ITRC Breach Statistics ; * CVE (Common Vulnerabilities and Exposures) is a dictionary of publically known information security vulnerabilities and exposures Deloitte & Touche Enterprise Risk Services Pte Ltd

4 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd 4

5 Rampant cyber attacks observed around the world in 2015 and million personal details leaked in data breach in VTech 80 million records exposed in attack launched on Anthem Inc million records exposed in 3 attacks launched on TalkTalk Group $81 million stolen from Central Bank of Bangladesh in a bank heist National pension system hacked in Japan and 1.25 million people s personal data was exposed 19.7 million people s personal details stolen in attack launched on U.S. Office of Personnel Management U.S. IRS hacked 100,000 personal details stolen and used to generate PINS for Social Security numbers in 2 separate attacks 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd 5

6 Complex regulatory requirements created to curb rise of cyber crime European Union EU Data Protection Directive 1995, EU Privacy and Electronic Communications Directive (as amended in 2011), Data Retention Directive Member states implement Directives as their own national laws. Regulation of Investigatory Powers Act 2000 Russia Federal Law No. 152-FZ on personal data 2006 Canada PIPEDA Privacy Act 1988 and Provincial privacy Laws US Federal HIPPA 1996, GLBA 1999, COPPA 1998, CAN-SPAM Do Not Call Improvement Act 2007, Safe Harbor Principles 2000, FCRA (as amended in 2003) Patriot Act 2001 Switzerland Federal Data Protection Act 1992 on personal data 2006 China Decision on strengthening Internet information protection, guideline for personal information protection South Africa Electronic Communications Act Singapore Personal Data Protection Act 2013 Dubai Data Protection Act 2007 Australia Australian Federal Privacy Act Anti-Spam Act 2004 Japan Personal Information Protection Act 2003 Philippines Data Privacy Act 2011 New Zealand Privacy Act 1993 Costa Rica Law No Undisclosed Information Law. Law No Protection in the Handling of the Personal Data of Individuals California California Online Privacy Protection Act 2003, Security Breach Notice (Civil Code 1798 Formerly SB 1386) 2003 Mexico Federal Law on the Protection of Personal Data Held by Private Parties 2010 Argentina Protection of Personal Data Law Deloitte & Touche Enterprise Risk Services Pte Ltd 6

7 Technology regulatory landscape Financial Services Vietnam Circular no. 01/2011/TT-NHNN Safety, secrecy guidelines of the information technology systems in banking operation Circular no. 12/2011/TT-NHNN Management and utilization of digital signatures, sigital certificates and SBV digital signature verification services Circular no. 29/2011/TT-NHNN Security and Secrecy of internet banking services Thailand BOT Notification No Guideline for the Preparation of IT Contingency Plan 2008 BOT Notification No. SorNorSor. 26/2552 Guidelines for Development of IT Contingency Plan 2008 BOT Notification No. SorNorSor.6/2557 Supervisory Guidelines on IT Outsourcing BOT Notification No. SorNorSor. 26/551 Supervisory Guidelines for Security of E-Banking Services 2008 Malaysia BNM Guidelines on Data Management and Management information Systems 2011 Guidelines on management of IT Environment (GPIS 1) 2004 Singapore Personal Data and Privacy Act MAS Notice 644 on Technology Risk Management SRD TR 01/2014 System vulnerability assessments and penetration testing SRD TR 02/2014 IT security risk posed by personal mobile devices SRD TR 01/2015 Early detection of cyber intrusions SRD TR 03/2015 Technology risk and cyber security training for Board MAS Notice 634 Bankig Secrecy Conditions for Outsourcing Guidelines on Outsourcing Consultation Paper on Notice on Outsourcing Consultation Paper on Guidelines on Outsourcing 2014 Business Continuity Management guidelines 2013 SRD TR 01/2011 Information technology outsourcing Indonesia Law of The Republic of Indonesia No. 11 of 2008 Concerning Electronic Information And Transactions OJK No. 1/POJK.05/2015 Risk Management in Non- Bank Financial Services No. 9/15/PBI/2007 Implementation of Risk Management in the Use of Information Technology by Commercial Banks 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd 7

8 Organizations spent $75.4 billion on information security in 2015 according to Gartner Organizations are spending more money and paying more attention than they ever have but for many the problem seems to be getting worse Deloitte & Touche Enterprise Risk Services Pte Ltd 8

9 Moving into digitization

10 World Economic Forum report Glimpsing the future The Future of Financial Services: How disruptive innovations are reshaping the way financial services are structured, provisioned and consumed An Industry Project of the Financial Services Community Prepared in collaboration with Deloitte 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd 10

11 What s the deal? Is cyber security a consideration in your plans innovate? 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd 11

12 Failures & challenges 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd 12

13 Failure & challenges Failure to include security as part of the design principles Businesses demand features, function and time to market Addressing the incident and failing to detect the campaigns Perpetrators strategise and take a longer term view Dont miss the forest for the trees. Shortage of competent cyber security professionals Demand is outstripping supply. Willingness to accept non security IT professionals as replacements. Ineffective threat analytics Use of technology with limited data sets and arcade rules sets. Limited value owing to the rush to implement and lacking integration Deloitte & Touche Enterprise Risk Services Pte Ltd 13

14 Cyber Security Deloitte & Touche Enterprise Risk Services Pte Ltd 14

15 Building a resilient cyber security organization This means having the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents Secure Vigilant Resilient Are controls in place to guard against known and emerging threats? Can we detect malicious or unauthorized activity, including the unknown? Can we act and recover quickly to minimize impact? Cyber governance Cyber threat intelligence Cyber threat mitigation Cyber incident response 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd 15

16 Cyber security design 5 design principles Design principles: everything is a potential threat Build the requirement of security as a core. Actionable intelligence: threat-centric defense Correlation and inductive technique required. Look beyond just security data. Revamp information sharing Pepetrators share intelligence to effectively compromise organisation. Why aren t organisations sharing information about pepetrators? There is a need for situation awareness. Automation: what and how The shortage will continue. Tools and automation exist to create accuracy. 里应外合 Combating the issue together Internal cyber security, external cyber security providers, vendors Deloitte & Touche Enterprise Risk Services Pte Ltd 16

17 Cyber Security Trends The Integrity Conundrum Integrity is the forgotten security domain. Maintaining the integrity of data, business process, and people is going to be increasingly critical. Business Security Establishing security researchers across the business units that handle sensitive data (seen in big Tech companies to increase agility). Live-Fire Exercises Conducting sophisticated APT style attacks, emulation and cyber range testing against critical systems and people assets. Defining Normal Establishing accurate baselines in order to identify anomalous activity and behaviour for investigation. People Are Key Embedding the psychology of security in the business and finding the right SecOps analysts will be key for on-going management of cyber risk. Collaborative Security Recognising that this cyber can t be solved alone and developing and promoting a collaborative security environment across the business. Real-Time Security Ops Developing the next generation of SOC and reducing the time taken to detect and respond to an ever increasing threat landscape. Disruptive Technology Risks Recognising that new technologies like wearable's, 3D printing and inmemory computing all have security implications and planning for this. Auto-Corrective Security Automating security processes and tools using the latest security technology to free up people and time Deloitte & Touche Enterprise Risk Services Pte Ltd 17

18 No such thing as hacker-proof.. if you build it they will come

19 Cyber Security 3.0 Deloitte principles Cyber Security 3.0 Model Secure Vigilant Resilient Are controls in place to guard against known and emerging threats? Can we detect malicious or unauthorized activity, including the unknown? Cyber Governance Can we act and recover quickly to minimize impact? Design principles Actionable intelligence Intelligence sharing Automation Integration Design security into core IT infrastructure Develop a threatcentric defence Create situational awareness Increase accuracy in operational security Eliminate vulnerabilities by working together 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd 19

20 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see for a more detailed description of DTTL and its member firms. Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte s more than 225,000 professionals are committed to making an impact that matters. Deloitte serves 4 out of 5 Fortune Global 500 companies. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte Network ) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication Deloitte & Touche Enterprise Risk Services Pte Ltd 20