Building Blocks for Effective Compliance Risk Assessment (Cyber) Brian McGrath Rohan Singla

Transcription

1 Building Blocks for Effective Compliance Risk Assessment (Cyber) Brian McGrath Rohan Singla

2 Risk Assessment Agenda & Timing Topic Timing Facilitator's address 9:00 to 9:05 Risk Assessment Overview 9:05 to 9:45 Cyber Risk Assessments 9:45 to 10:30 Break 10:30 to 10:45 Initial Q&As 10:45 to 10:55 Case Studies 10:55 to 11:10 Model Answers 11:10 to 11:30 Final Q&A and Close 11:30 to 12:00

3 Building Blocks for Effective Compliance: Risk Assessment Brian McGrath

4 Risk Assessment Role and Context Assessment Scoring Pitfalls Features Process Assessment Types Examples Presentation System

5 Risk Assessment Role and Context Assessment Scoring Pitfalls Features Process Assessment Types Examples Presentation System

6 Role and Context Risk Assessment is essentially about Measuring a Risk Risk being the effect of uncertainty on objectives

7 Role and Context

8 Role and Context Have to set the context: How to assess? The risk of flooding in the room The risk of a power failure in the building The risk of internal fraud The risk of a being non-compliant with Regulation The risks of new Regulatory Requirement

9 Role and Context Risk Management Process: Risk Identification Risk Assessment Risk Mitigation and Control Risk Reporting

10 Role and Context Risk Assessment Prioritisation Remediation, Action, Management

11 Role and Context Risk Assessments can be conducted at different levels within a firm. Strategic / Organisational Level Executive Team / Business Unit Level Team Leader Process / Task Level Process Owner Stakeholder linked with the level Board Regulators Shareholders

12 Risk Assessment Role and Context Assessment Scoring Pitfalls Features Process Assessment Types Examples Presentation System

13 Assessment Types Risk Assessment Types exist for all Types of Risk: Credit Risk Reputational Risk Regulatory Risk Operational Risk Insurance Risk

14 Assessment Types Risk Assessment Approaches Top-Down Overview Executive / Board Level, across whole organisation or business line Bottom-Up Scenario Analysis Risk & Control Self Assessment Conducted from the lowest level of the organisation Low Frequency, High Impact Events New Product Risk Assessments Risk Assessing new products or services particular importance in the Regulatory / Conduct Risk context Change Risk Assessments Change in processes, structures, organisation Before and After examination

15 Assessment Types Thematic Risk Assessments Business Continuity AML Regulation / Legislative Code Vendor / Outsourcing Risk Assessment Cyber Risk Assessment Overview (Risk) Assessment of the impact of being unable to conduct business Business Line, Customer, Portfolio, Product, Delivery Channel Risk Assessment per Regulation as it applies to an Institution (Risk) Assessing a Vendor or a 3rd Party Agent More on this later

16 Risk Assessment Role and Context Assessment Scoring Pitfalls Features Process Assessment Types Examples Presentation System

17 Assessment Scoring Measuring a Risk The effect of uncertainty on objectives IMPACT PROBABILILTY LIKELIHOOD CONTEXT (What is the objective?)

18 Assessment Scoring An Assessment Scale is required: LIKELIHOOD Frequent CONTEXT (What is the objective?) Rare Low High IMPACT

19 Assessment Scoring Context Serving Customers: Financial Operations Customers Regulators Quantitative Qualitative Context of the specific organisation Historical Basis

20 Likelihood Assessment Scoring Financial < 50,000 Regulatory Reputational Operational Regulatory reportable issue Local Press Coverage Non critical service disrupted Impact $50,000 to $250,000 Regulator overseen remediation National Press Coverage Critical Service Disrupted < 5 hours $>250,000 Risk Mitigation Plan / Regulatory Fine International Press Coverage Critical Service Disrupted >5 hours Extremely Likely Reasonably Likely Very Rare 1 2 3

21 Assessment Scoring Have created a spectrum of Risk Apply (useful) labels: Low Medium High Minor Moderate Major Team Business Unit Group

22 Assessment Scoring Scores, arising from Assessment need to be applied: Typically on an Inherent and Residual Basis Inherent / Gross Basis The Risk, without controls, protection, mitigants Residual / Net Basis The Risk, with (current) controls, protection, mitigants

23 Risk Assessment Role and Context Assessment Scoring Pitfalls Features Process Assessment Types Examples Presentation System

24 Risk Assessment Process Re-Cap Risk Identification Risk Assessment Risk Mitigation and Control Risk Reporting Self-Assessment Facilitated Workshop(s) Questionnaire / Interviews Roundtable Process Mapping

25 Risk Assessment Process Process Mapping Particularly common approach to the risk assessment of operational processes 1. Identify process for risk assessment 2. Process Owners, stakeholders map out process:

26 Risk Assessment Process Process Mapping 3. Identification of the risks within the process Risk #1 Risk #2

27 Risk Assessment Process Process Mapping 4. Inherent Risk Score 5. Control Articulation 6. Residual Score Risk #1 Inherent Risk Score Controls Residual Score Risk #2 Inherent Risk Score Controls Residual Score

28 Risk Assessment Process Overall Consistency Risk / Control Catalogues Set approach to Risk / Control Articulation Regular Reviews Periodic Reviews Re-Assessment Sign-off / Assertions / Confirmations Trigger Events Changes in Environment Significant Events : Internal and External

29 Risk Assessment Role and Context Assessment Scoring Pitfalls Features Process Assessment Types Examples Presentation System

30 Features Risk #1 Inherent Risk Score Controls Residual Score To the list of Risks, Controls and Scores, need to add: Context Business Unit, Process, Product, Division Risk Owner Remediation Points Categorisations Person, typically in Management, with responsibility for the Risk usually linked Product / Process Owner. Critical for Strategic / Cross-Enterprise Risks. Connect the Risk Assessment, with the Risks with over exposure, controls not operating correctly. Categories of Risk Types, Control Types Drive out Actions Particularly useful in large organisation

31 Risk Assessment Role and Context Assessment Scoring Pitfalls Features Process Assessment Types Examples Presentation System

32 Risk Assessment Presentation Risk Assessments are collated and aggregated for Management. Traffic Light / Red Amber Green system is useful to display and highlight key areas of attention.

33 Risk Assessment Presentation Defining the R.A.G Red Amber Green Top 20% of the risk population Risks requiring immediate remediation Risks requiring Senior Management review and approval Risks with recent financial impacts Middle 40% of the risk population Risks which require regular and constant monitoring / testing Risks requiring Middle Management review and approval Risks with historical financial exposure Bottom 40% of the risk population Risks which require periodic evaluation Risks requiring Team Leader / Team Management review and approval Risks with no historical financial exposure

34 Risk Assessment Presentation Risk HeatMaps Impact Quarter on Quarter Trend Stable Increase Decrease Likelihood

35 Risk Assessment Role and Context Assessment Scoring Pitfalls Features Process Assessment Types Examples Presentation System

36 Risk Assessment & System Over time, Risk Assessments will evolve, and the tools and processes to support will also evolve. The requirements of such tools and processes will develop overtime: Manage Robustly Share Data Maintain Lots of Data Maintain Data

37 Risk Assessments & Systems Purpose Built SharePoint Access Excel

38 Risk Assessments & Systems System Features System Features Real Time Accessibility Audit Trail & Historical Records Stability and Security Reporting Capabilities Benefits Continuous Maintenance Change Management & Trend Analysis Robust IT support & Confidential Records Analysis & Quality Outputs Workflow Assist regular processes

39 CHANGING RISK ENVIRONMENT AND RISK ASSESSMENT PITFALLS

40 Risk Assessment Role and Context Assessment Scoring Pitfalls Features Process Assessment Types Examples Presentation System

41 Pitfalls Death by Excel Spreadsheet Simplified Approach Rationalised System to support Plan / Map out future state

42 Pitfalls Risk #10 Process Mapping: Risk #1 Risk #2 Risk #9 Risk #6 Risk #7 Risk #3 Risk #8 Risk #4 Risk #5

43 Pitfalls Inconsistency of Use Bias Risk Rating / Topics Likelihood Impact Centralised Quality Assurance / Review Cycle of Reviews Peer Comparison Reviews Substantiation of Ratings

44 Pitfalls In-action following the Risk Assessments Remediation is a key objective Maintain a remediation log + focus and visibility on progress Report remediation requirements to management

45 Cyber Security: Risk Assessment Rohan Singla

46 Agenda Introduction to Cyber Security What is the problem? Current Irish trends: denial of service cyber extortion customer attacks How should you respond? What are other companies doing?

47 INTRODUCTION TO CYBER SECURITY

48 Introduction to cyber security Cyber attacks on banks have increased dramatically over the last decade exposing: Sensitive personal and business information Disrupting critical operations High costs on the economy (estimated to be 800 million in Ireland)

49 Introduction to cyber security Cyber security is the ability to protect or defend an organisation's online systems and technology from attack R = T X V X C

50 Introduction to cyber security The economy depends on a stable, safe, and resilient online environment A vast array of networks allows us to: Communicate and travel Power our homes Run our economy Provide government services

51 Introduction to cyber security 10 years ago, they looked like this

52 Introduction to cyber security Now they look like this

53 WHAT IS THE PROBLEM?

54 Increasing issues

55 Focus

56 2015 Irish regulator focus

57 Increasing impact on financial services Rogue employees Data breaches Theft of customer information Organised crime Denial of service Financial crime Reputational damage Regulatory fines Financial loss Reduced shareholder value Loss of competitive advantage Drop in share price Lack of customer trust Operational downtime Cyber security demonstrates regulatory compliance and good governance and is expected by customers, partners and shareholders

58 WHAT'S HAPPENING CURRENTLY?

59 Carbanak the biggest bank heist ever

60 Denial of service for cash

61 DD4BC the professionals

62

63 Irish financial services organisation targeted Day 1 2:00PM: Received from DD4BC seeking 6,000 in 24 hours to avoid systems outage Day 1 4:00PM: Systems offline after large flood of traffic. Attack stops after 5 minutes. Day 1 6:00PM: Datacentre provider says it will take 3 days to put defences in place Day 2 2:00PM: Further from DD4BC extending deadline by 24 hours

64 Cyber extortion in Ireland

65 Cyber extortion in Ireland The issue: large amount of data unavailable no malware alerts scramble to restore files no idea how it happened The response: forensic investigation malware identified as cryptolocker.e Anti virus did not identify it until 4 days after attack call centre staff member had clicked link while surfing for new furniture

66 Customer attacks in Ireland Malware based: s from known individuals forwarded from CFO to controller 900,000 transferred in 8 hours Social engineering: grooming of finance staff 8-9 month lead time helpful demeanour 600,000 in one incident in Northern Ireland Corporate customers increasingly aggressive in recovery

67 Social engineering There s a sucker born every minute Phineas T. Barnum

68 Phishing etc. Phishing Pharming Vishing Spear Phishing Trojan Phishing Baiting

69 Old fashioned credit card theft

70

71 Simple data theft: Typical scenario Member of staff obtains a job with a competitor / organisation in the same sector Copies data accessible to them onto a USB Pen / web-mails via Gmail / copies it to Dropbox etc. Does something stupid so the theft is detected. Motivation? Stupidity, Greed, Anger.

72 Data theft USB Pen or Thumb Drive Portable Hard Drive. MP3 Players, Digital Cameras, Memory Cards, PDAs CD / DVD. Web-mail Printing Remote Access

73 Data theft risk factors Sudden resignation / departure of staff Departure of staff to commercial competitors Departure of staff to start their own business or other enterprises Staff with access to sensitive data involved in disciplinary or relationship issues Staff leaving under redundancy Staff in personal relationships with persons in competing organisations Staff in personal relationships with journalists Companies undergoing financial or industrial relations problems

74 Hacking there s nothing like advertising!

75 Political hacking

76 Personal data theft

77 But don't forget...

78 HOW SHOULD YOU RESPOND?

79 Cyber Risk Assessment Approach Develop Cyber Risk Framework Understand Current State Gap Assessment Recommendations and Reporting Define cyber security Define cyber crime & risks Customize cyber security frameworks (e.g. ISO 27001, NIST etc.) to your organisation requirements Identify focus areas Review existing documentation Interview stakeholders Review previous assessment work completed CBI thematic reviews Identify gaps in each of the focus areas Identify security implications of each gap Prioritise the gaps based on their impact and effort to remediate Develop specific recommendations to remediate the identified gaps Prioritised recommendations Cyber Security Framework to assess Interviews with Key stakeholders Existing Documentation: Review Prioritized Gaps, Implications, and Recommendations for: Cyber Risk Assessment report Cyber Threat Intelligence Cyber Incident Response Cyber Governance Previous reviews: Security management program assessment

80 What are the SEC saying? Assess: information & technology used threats & vulnerabilities controls & processes governance & management Develop cyber security strategy: access control encryption data loss prevention monitoring backups incident response plan Implement: polices procedures training

81 Central Bank of Ireland themed reviews Approach: questionnaires on site assessment fund managers investment firms stockbrokers banking next Focused on: risk management board awareness & involvement cyber policies and procedures access management

82 WHAT ARE COMPANIES DOING?

83 Cyber security universe Prepare Cyber security risk and threat assessment Security process or technical assessments Security policy development Third party cyber security assurance Protect Security architecture Security technology implementation Security process design and implementation Identity and access management Privacy and data protection Data classification Enterprise application integrity Business continuity and disaster recovery Penetration testing PCI DSS React Security operations and monitoring Security and data breach incident response Change Security program strategy and planning Security governance Security awareness

84 Cyber security areas of concern Roles and responsibilities are clearly defined Governance, Risk Appetite & Management level reports are in place (KRI/KPI) and cover cyber security incidents and breaches The company complies with relevant regulation/ legislation Policies & standards articulate and support company s cyber security objectives Incident management processes and business continuity exercises include cyber security Information Asset Register is in place Formal risk acceptance and insurance covers unmitigated risks Effective assurance of control design and operation in place, especially for controls based at third parties Awareness Human firewall training in place Certifications to meet the company s cyber security requirements

85 Initial Q&A

86 Case Studies

87 Case Studies A Retail Bank (or Credit Union) Lending and Deposit Taking. Seeks methodology to Risk Assess Changes in Processes. The Retail Bank operates in two jurisdictions. i. What could the Risk Assessment Type be? ii.what could the Risk Assessment Criteria be? iii.what would be the challenges in implementing? iv.what could the features of the Risk Assessment Template look like? v.what could the features of the Risk Assessment Template look like?

88 Case Study Cyber Security A small tier financial services company was notified by a government agency that a cyber attack on their computer network had occurred. Computer systems compromised contained payment card data, as well as other Personally Identifiable Information (PII) regarding the bank s customers, was stored and transmitted in the environment. i. What would you have done different to avoid such breaches or minimise the impact? ii. What are the different risks at this stage i.e. after the compromise? iii.what steps can be taken now to remediate or stop the attack? iv.what next steps would you recommend after the breach has been stopped and remediated? v.what are the ramifications? Who is affected by this incident and who is responsible for it within the affected company?

89 Model Answers

90 Final Q&A

91 Close