Dealing with Risks in the Financial Industry

Transcription

1 Jack Henry & Associates, Inc. Dealing with Risks in the Financial Industry Tom Williams June 15,

2 Banking is a Risky Business INTERNAL RISK EXTERNAL 2

3 Risks impacting the Banking Industry Skills Economic Financial Performance Payments Natural Disasters Card Fraud Cyber Attacks Internal Fraud Vendor Management Terrorism 3

4 JHA Risk Forum Survey Results 1. Cyber Threats 2. Card Fraud 3. Disaster Recovery 4. Data Security 5. Vendor Management 6. Regulatory Scrutiny 7. Insider Fraud 4

5 What is Your FI s Risk Profile for each Risk? Cyber Security Disaster Recovery Vendor Management LOW RISK Moderate RISK HIGH RISK Card Fraud Payments Internal Fraud Each organization should continually strive to move toward the Low Risk area 5

6 What is Your FI s Risk Profile for each Risk? Cyber Security Disaster Recovery Vendor Management Holistic Enterprise Risk Card Fraud Payments Internal Fraud 6

7 What is Your FI s Risk Enterprise Risk Profile? Holistic Enterprise Risk LOW RISK Moderate RISK Internal Fraud HIGH RISK 7

8 Payment Triggers Triggers Causing Transformation Payment Regulation 1 EMV Requirements 2 Faster Payments 3 Rise of Mobile Payments 4 Millennial Growth 5 Durbin Amendment to Wall Street Reform and Consumer Protection Act Decline in free accounts from 76% in 2009 to 38% in 2013 Higher bank charges, an effort to replace fee revenue, banks charged households $1-3 Billion Led to 1M customers pushed out of the formal financial system Durbin Cost - $6.6 8 Billion Risk allocation to the merchant or bank that does not comply with EMV regulations EMV at POS when fully implemented has already begun to cause CNP fraud to increase dramatically As of Dec. 15, only 44% U.S. merchants will be EMV-ready by the Oct. 1st liability shift EMV-readiness will not reach 90% until 2017 Limited faster payments today, 95% of the largest FIs will offer same day ACH origination services by year end 100% to offer sameday payroll by year end 95% to offer same-day B2B payments plus expedited bill pay, P2P by year end Real time payment providers forming: The Clearing House, Early Warning/clearXchange etc. Weekly mobile banking usage (28% consumers) has matched weekly branch visits (27% consumers) Research in 2015 suggested more than half of mobile phone owners (119M adults) banked via mobile Mobile payment volume is growing faster than ever before Student loans are increasing - more than 54% with a student loan say it impacts their ability to save Financial independence is delayed experiencing delays in buying their own home, owning automobiles and making other large services Delayed experience in managing assets - will lead to need for FI assistance, $30T will be transferred from baby boomers during the next years SOURCE: 1 - International Center for Law and Economics Paper, Electronic Payments Coalition; 2- How Ready Are U.S. Merchants for EMV?, The Strawhecker Group (TSG); 3- Nation's Financial Institutions On Target To Offer Same Day ACH Payments In 2016, NACHA; MOBILE BANKING FINANCIAL INSTITUTION SCORECARD, Javelin, April 2014; 5 - BofA Better Money Habits Millennial Report, Fall

9 Payment Innovations: Real Time Payments What are the Risks or Issues of Real-Time Payments for Financial Institutions? Increased potential for fraud Less time to detect and react to possible fraud manual detection is not viable Authentication challenges in real-time payments FI Actions Real-time behavior analytics Enrollment Multi-factor authentication Login Service-use (pattern and velocity checks) Device identity Tokenization Operating rules: prevent pull debit trans Individual FI policies: transaction ceiling 9

10 Enhancements in Payment Services Dynamic CVV Coming to Fruition 80% of U.S. consumers would prefer to use a credit card with a dynamic CVV when shopping online SOURCE: Report: Consumers Prefer Dynamic CVV, CardNotPresent.com, March

11 Cyber Security 11

12 12

13 2. Payment Warnings Data Breaches Continue - Fraud Behavior Shifts to CNP and Application Fraud CARDS SSNs Number of breaches Difference % Number of records 64M.8M 98% Number of breaches % Number of records 16M 164M 148% SOURCE: 2015 DATA BREACH FRAUD IMPACT REPORT, Javelin Strategy & Research, February

14 Attack Vectors Phishing Removable Drives Physical Phone Elicitation 14

15 Making Security a Priority CyberSecurity requires a multi-layered defense involving perimeter protection as well as effective internal protection against malware and data exfiltration, plus user education. Firewall Monitoring & Management Intrusion Prevention Server Management- Host Intrusion Monitoring Advanced Malware Protection esat Employee Security Awareness Training First layer of defense Protect ports of entry to the financial institution Raw traffic analysis Cloud Services DDOS Mitigation Monitor all incoming and outgoing traffic Looking for virus and hacker signatures Provided by Cisco IDS, Fortinet, SonicWall, SourceFire Event log monitoring Vulnerability security scanning Hosted DNS Anomaly Detection Service Effectively blocks malware downloads, unsafe web redirects, data exfiltration, command & control activity and malicious phishing links Web based training w/ quiz & reporting Content updated regularly Separate module for Board members Monthly Security Timely Tips newsletter 15

16 Risk & Fraud Protection - Digital Channels Space Login authentication (MFA, Tokens, Out-of-Band Challenges, Bio-Metrics/ Touch ID) High Risk Transaction monitoring (ACH, Wires, External Transfers, Bill Payments) Real-time activity alerts (TXT, Native Push, ) Self-service Debit Card controls (turn on/off, report lost or stolen, limits, location and transaction type rules) Malware & Phishing attack prevention 16

17 Gladiator Incident Alert (IA) Powered by Lastline Superior Detection Detects unknown threats (APTs, ATAs, zero-days, etc.) Specifically designed to evade firstgeneration APT sandbox appliances. Advanced Threat Intelligence Contains active command and control (C&C) servers with zero-day exploits Toxic web sites Malware distribution points identified as having breach intent 17

18 Gladiator Incident Alert 18

19 Solutions must focus on behavior and threat intelligence 19

20 Incident Response Procedures Incident Determination Incident Notification Incident Assessment Incident Response & Containment Incident Eradication Incident Recovery Incident Documentation 20

21 FFIEC Cybersecurity Assessment Tool 21

22 Business Continuity / Disaster Recovery 22

23 For our discussion today: Your bank after the disaster event. 23

24 Comparison - Customer Expectations vs Executive Perception Customer Expectations Executive s Perceived Recovery Level Actual Recovery Level Recovery Gap Same as Normal Service Slightly Delayed Service Delayed Service Severely Delayed Service No Servic e 1 Hour 12 Hours 24 Hours 36 Hours 48+ Hours Service Level after Disaster Recovery Timeline 24

25 The Gap: Customer Expectations vs Actual Recovery Time? Lack of an Enterprise Wide Business Continuity Plan that has been tested at multiple levels The technology recovery strategy for systems and applications not adequate to meet shorter Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Key personnel not available. Availability of skilled personnel. Plan out of date. Alternate work locations not identified and equipped. 25

26 The Four Major Components of Recovery People Employees Customers BCP / DR Teams Vendors Support organizations Fire / Police Utilities Regulators Facilities Alternate work areas Repaired facilities Recovery centers Hospitals Shelter areas Mobile Recovery Units Off-site storage facilities Technology Systems Servers Applications Data Telecommunications Routers Firewalls An Enterprise Wide Plan that ties the above components together 26

27 Four Possible Environments & JHA Solutions Scenario 1 Core: In House Servers: In House Scenario 2 Core: In House Servers: Outsourced Scenario 3 Core: Outsourced Servers: In House Scenario 4 Core: Outsourced Servers: Outsourced JHA Solution Hosted High Availability (HHA) Enterprise Level Recovery (CELR) Colocation in Branson Mountain Hosted Network Service (HNS) JHA Solution Hosted High Availability (HHA) Enterprise Level Recovery (CELR) Co-location in Branson Mountain Hosted Network Service (HNS) JHA Solution Remote Data Entry (RDE) Enterprise Level Recovery (CELR) Colocation in Branson Mountain Hosted Network Service (HNS) JHA Solution Remote Data Entry (RDE) Enterprise Level Recovery (CELR) Colocation at Branson Mountain 27

28 In-House Processing Considerations Responsible for the restoration of the following: Recovery of Core System Recovery of Server / Network Recovery Exchange Servers - Domain Controllers JHA & 3 rd Party Applications Telecommunications - Voice Recovery Equipment setup & Reconfiguration Facilities 28

29 Cost Cost Vs. Level of Commitment Technology Infrastructure Lower Higher Minutes RPO=near zero, RTO <1min, Automatic Server/Workload/Network/Data SYSPLEX RPO=Near zero, RTO <1Hr. to 4 hours, Automatic Server/Workload/Network/Data Automatic Site Switch RPO=Near Zero, RTO <1Hr. to 4 hours, Manual Disk or Tape Data Mirroring Point-in-Time Backup to Tape / Disk RPO > 15 min. RTO= 4+ hours, Manual PiT or SW Data Replication. RPO=4+ hours, RTO=8 to 24 hours, Manual Data Base Log Replication & Host Log Apply at Remote Hours RPO<24 hours RTO = 8-24 hours Electronic Tape Vaulting Continuous Availability- Disaster Avoidance RTO=Days, RPO>24 hours Tape, HW ATOD Days Multi-Site Failover / Fallback Traditional Recovery 29

30 High Availability Recovery Solution CENTURION HOSTED HIGH AVAILABILITY FOR CORE RPO = Last Transaction RTO = ~15 min. RTO = ~30 min. Customer Primary Site MPLS Riverbed Switch 4 Sight Branson DR Center Core SAN IVR Branch 1, 2, or 3 Yellow Hammer Riverbed Switch Switch 30 Core Tape 4 Sight IVR SAN Network SAN

31 High Availability Recovery Solution HIGHER AVAILABILITY FOR CORE RPO = Last Transaction RTO = ~15 min. RTO = ~30 min. Customer Primary Site MPLS Riverbed Switch 4 Sight IVR Branson DR Site Core SAN Branch 1, 2, or 3 Yellow Hammer Riverbed Switch Switch 31 Core Tape 4 Sight IVR SAN Network SAN

32 Benefits of Hosted Network Services (HNS) 32

33 Out-Sourced Processing Considerations Responsible for the restoration of the following: Connectivity back to the Core Processing Site (jconnect Backup Router) Server / Network Recovery Exchange Servers - Domain Controllers JHA & 3 rd Party Applications Telecommunications - Voice Recovery Equipment setup & Reconfiguration Facilities A plan to deal with a disaster that strikes the facility 33

34 Branson, MO Mountain Host Site 34

35 The Disaster Avoidance Concept 35

36 Disaster Avoidance Concept Disaster Avoidance Decision Switch to Secondary System Potential Disaster Event Disaster TIME Disaster Avoidance Period Recovery of Business still Required Recovery of Technology Avoided (RTO) 36

37 Outlink Processing Center Disaster Avoidance DP 1 DP DR DP 2 DP 3 DP DA DP 1 Branson Core Director DP 2 CIF 20/20 DP 3 SilverLake Data Replication 37 37

38 Centurion Suite of Services 38

39 Contact Information Tom Williams Business Continuity Strategy Manager Jack Henry & Associates Centurion Disaster Recovery Services