Effective Practices for Insider Threats and Third-Party Risk Management
Thursday, February 22, 10:00 a.m. - 11:00 a.m.

Financial institutions are subject to threats on multiple fronts. Two threats of significant and growing concern to our industry are insiders, such as employees, and third parties, such as vendors. We necessarily rely on and trust both insiders and third parties; however, we must exert appropriate oversight if we are to prevent that trust from being violated, whether by malicious actors or by careless actions or inactions. During this session, panelists discuss case studies and share effective practices firms can use to manage and mitigate these risks, and to develop and improve both their insider risk and third-party risk management programs.

Moderator: David Yacono, Senior Director, FINRA Technology, Cyber & Information Security
Panelists:
- Brice Cook, Director, Insider Risk Program, FINRA Technology, Cyber & Information Security
- Kishen Sridharan, Cybersecurity Partnership and Outreach Executive, Raymond James Financial
- Homayun Yaqub, Executive Director, JPMorgan Chase & Co.

2018 Financial Industry Regulatory Authority, Inc. All rights reserved.
Panelist Bios:

Moderator:
David Yacono is Senior Director of Cyber & Information Security at FINRA. His current responsibilities include FINRA's software security program, which provides security assurance services to a portfolio of more than 100 internally developed systems, as well as FINRA's third-party risk management program, which evaluates, monitors, and manages the cybersecurity risk posed by FINRA's vendors, cloud providers, and other third-party relationships. Mr. Yacono is also responsible for FINRA's IT Security Risk Management and Compliance programs, which ensure compliance with IT security standards including FISMA, PCI-DSS, and FBI-CJIS. Since joining FINRA in 1999 he has served in various roles responsible for ensuring the secure and reliable operation of FINRA's information technology systems, including security architect and security engineer. Mr. Yacono specializes in the application of information security processes, methodologies, and tools to protect the confidentiality, integrity, and availability of information and information processing systems, with special emphasis on financial services; he has nearly 25 years of experience in cybersecurity. Mr. Yacono earned a Bachelor of Science in Electrical Engineering from the University of Maryland, and holds current certifications as a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP), and a Certified Third Party Risk Management Professional (CTPRP).

Panelists:
Brice Cook is FINRA's first Director for Insider Risk, formally establishing the program after joining FINRA in early 2017. In this role, he leads a collaborative company-wide effort to develop, implement, and execute the technical and non-technical processes needed to create a holistic system to manage insider risks. Before Mr. Cook came to FINRA, he retired as a Supervisory Criminal Investigator after 29 years of Federal Government service protecting some of the Nation's most critical assets. The last 22 years of his Federal Government tenure were at the Department of Energy, serving as a Director in the Office of Corporate Security and leading efforts in Insider Threat, Special Access Programs, Human Reliability Programs, Investigations, Threat Management, and Executive Protection. Mr. Cook's accomplishments include: establishing the DOE's first formal Insider Threat Program; founding the Protective Services Working Group, a group of over 50 Federal organizations protecting the nation's leadership, of which he also served as Chair; serving as a Chair in the Defense Department's Combating Terrorism Technical Support Office, which provided expertise and oversight in the research and development of personnel protection technologies; serving as a board member of the FBI Joint Terrorism Task Force Executive Board and the DHS Advisory Board for Law Enforcement Officers Flying Armed; and developing policy and guidance for the Federal Government on security professional development and continuity programs. Mr. Cook is a graduate of the 244th session of the FBI National Academy, the Federal Law Enforcement Training Center, and the Federal Executive Institute. Mr. Cook has a Master's in Public Administration from American University. He has a Bachelor's degree from Washington State University. He also holds professional certificates as a Certified Information Systems Security Professional (CISSP) and Insider Threat Program Management (ITPM). Mr. Cook has even worked on the FOX Television show America's Most Wanted, where he supported investigations that led to the arrest of over 150 wanted persons.

Kishen Sridharan is the Cybersecurity Partnership & Outreach Executive, reporting to the Chief Information Security Officer of Raymond James.
In this strategic role, he focuses on strengthening and growing Raymond James's network of relationships with outside organizations such as industry associations (e.g., FS-ISAC and SIFMA), peers, government/law enforcement entities, universities, potential new strategic suppliers, and the community. He determines the level of engagement, assesses ROI to Raymond James, and makes sure Raymond James is a valuable contributing partner in return. In prior roles at Raymond James, Mr. Sridharan helped establish a Product Management mindset, framework, and governance structure to deliver highly valuable business outcomes, particularly those which support the Strategic Roadmap. This is the stepping stone to formally converting the InfraSec organization to an "as a Service" model. Before that, he stood up a Project Management Office within InfraSec. Mr. Sridharan has almost 16 years of experience in various facets of technology, project implementation and business process improvement. His experience ranges from compliance, risk management and information assurance to strategic information security consulting. He earned his Bachelor of Science from the Pennsylvania State University in Management Science, Information Systems and International Business and an MBA from the University of Maryland. He is a certified Project Management Professional (PMP) and a Scrum Master (CSM).

Homayun Yaqub is Executive Director in JPMorgan Chase and Company's Global Security and Investigations team, managing the firm's Insider Threat program. Prior to joining JPMorgan Chase in 2015, Mr. Yaqub served in the U.S. Intelligence Community and Department of Defense with more than 20 years of experience leading sensitive intelligence activities and related programs worldwide. Mr. Yaqub was also a founding member of The MASY Group, a Washington, D.C.-based security, intelligence, and risk consulting firm supporting both public and private sector clients. He began his career as a U.S. Army officer serving in various roles throughout the United States, the Middle East, South Asia, and Europe. Mr. Yaqub holds a Master's in Conflict Analysis and Resolution from George Mason University and a Bachelor's in International Business from James Madison University.
2018 Cybersecurity Conference, February 22, New York, NY
Effective Practices for Insider Threats and Third-Party Risk Management
Polling Question 1: Firm Size
1. My firm staff size is:
   a. More than 1000
   b. 251 to 1000
   c. 51 to 250
   d. 11 to 50
   e. 10 or fewer
Polling Question 2: Characterizing Insider and Third-party Risk
2. For my firm, Insider Risk is:
   a. A substantial concern
   b. A moderate concern
   c. A minor concern
   d. A negligible concern (e.g., due to extremely small firm size)
   e. Not sure
Polling Question 3: Characterizing Insider and Third-party Risk
3. For my firm, Third-party Risk is:
   a. A substantial concern. The security of my third parties significantly affects my ability to protect my systems/data/processes.
   b. A moderate concern
   c. A minor concern. There's no obvious way that a security deficiency of one of my third parties could significantly harm me.
   d. Not a concern. I have no dependencies on third parties.
   e. Not sure
Characterizing Insider and Third-Party Risks
- Importance of Insider and Third-Party risk
  - Significance relative to other risk sources
  - Trends in emphasis? Drivers?
Identifying Threat Agents and Risk Factors
- Insider Risk
  - Who are the insider threats?
  - Risk factors to consider?
  - Strategies for focusing, prioritizing
- Third-party Risk
  - What are the third-party threats?
  - Risk factors to consider?
  - Strategies for focusing, prioritizing
Polling Question 4: Insider Risk Management
4. My firm's Insider Risk Program is:
   a. Mature. Robust strategy with well-defined processes. Advanced controls including Predictive Analysis, Behavioral Analytics.
   b. Established. A defined insider risk strategy backed by processes and tools that enable enterprise-wide information aggregation and correlation (e.g., SIEM).
   c. Nascent. Basic controls in use, but no overarching strategy.
   d. Nonexistent. Needed, but not yet established.
   e. None needed. We don't see the need for an insider risk program.
Insider Risk Management Methodology
- Lifecycle: Vetting, Monitoring, Adjudicating, Detection, Analysis
- Insider Risk Kill Chain
- High-risk employees, assets, operations
- Control Techniques:
  - Basic: SOD (separation of duties), POLP (principle of least privilege), training, others?
  - Better: Log aggregation, SIEM, others?
  - Best: UEBA (user and entity behavior analytics), leveraging data/analytics, others?

Insider Risk Kill Chain (figure): Recruitment/Tipping Point -> Search and Recon -> Exploitation -> Acquisition -> Exfiltration
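The slide's "Best" tier (UEBA, leveraging data/analytics) is easiest to picture with a concrete detector. The following is an added example, not code from the session or from any panelist's firm: it builds per-user baselines (usual repositories, usual hours, typical daily read volume) from a training window of constructed access-log lines, then scores a later day against those baselines and labels each indicator with the kill-chain stage it most plausibly belongs to. The log format, user and share names, the exfiltration channel labels, the scoring weights and the stage mapping are all assumptions made for the illustration.

```python
"""Added example (not from the session deck): a minimal UEBA-style detector that
builds per-user baselines from constructed access logs, scores a review day
against them, and tags each indicator with the insider risk kill-chain stage it
most plausibly maps to. All log lines, names, channels and weights are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed training logs: timestamp,user,action,resource,bytes
BASELINE_LOGS = """\
2018-02-05T09:12:00,alice,read,finance-share,120000
2018-02-05T14:40:00,alice,read,finance-share,95000
2018-02-06T10:05:00,alice,read,finance-share,110000
2018-02-07T11:30:00,alice,read,finance-share,130000
2018-02-08T09:50:00,alice,read,finance-share,100000
2018-02-09T15:10:00,alice,read,finance-share,125000
2018-02-05T09:00:00,bob,read,eng-wiki,40000
2018-02-06T09:30:00,bob,read,eng-wiki,42000
2018-02-07T10:00:00,bob,read,eng-wiki,38000
2018-02-08T10:30:00,bob,read,eng-wiki,41000
2018-02-09T09:45:00,bob,read,eng-wiki,39000
"""

# Constructed review day: bob touches repositories he has never used, at night,
# pulls far more data than usual, and copies it to removable media.
REVIEW_LOGS = """\
2018-02-12T09:10:00,alice,read,finance-share,115000
2018-02-12T22:15:00,bob,read,finance-share,900000
2018-02-12T22:20:00,bob,read,m-and-a-deals,1500000
2018-02-12T22:31:00,bob,copy,usb:E:,2400000
"""

# Assumed labels for channels that leave the firm's control.
EXFIL_CHANNELS = ("usb:", "personal-mail:", "cloud-upload:")

def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, user, action, resource, size = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "bytes": int(size)})
    return events

def build_baselines(events):
    """Per user: resources normally touched, hours normally active, mean/stdev of daily bytes read."""
    per_user = defaultdict(lambda: {"resources": set(), "hours": set(), "daily": defaultdict(int)})
    for e in events:
        b = per_user[e["user"]]
        b["resources"].add(e["resource"])
        b["hours"].add(e["ts"].hour)
        b["daily"][e["ts"].date()] += e["bytes"]
    baselines = {}
    for user, b in per_user.items():
        volumes = list(b["daily"].values())
        baselines[user] = {"resources": b["resources"], "hours": b["hours"],
                           "mean": statistics.mean(volumes),
                           "stdev": statistics.pstdev(volumes) or 1.0}  # avoid divide-by-zero
    return baselines

def score_user(user, events, baseline):
    """Return (score, indicators); each indicator carries an assumed kill-chain stage label."""
    indicators, score = [], 0
    day_bytes = sum(e["bytes"] for e in events if e["action"] == "read")
    z = (day_bytes - baseline["mean"]) / baseline["stdev"]
    if z > 3:  # bulk collection well outside the user's own history
        indicators.append(("Acquisition", f"daily read volume z-score {z:.1f}"))
        score += 3
    for e in events:
        if e["action"] == "read" and e["resource"] not in baseline["resources"]:
            indicators.append(("Search and Recon", f"first access to {e['resource']}"))
            score += 2
        if e["ts"].hour not in baseline["hours"]:
            indicators.append(("Exploitation", f"activity at {e['ts'].hour:02d}:00 outside usual hours"))
            score += 1
        if e["action"] == "copy" and e["resource"].startswith(EXFIL_CHANNELS):
            indicators.append(("Exfiltration", f"copy to {e['resource']} ({e['bytes']} bytes)"))
            score += 4
    return score, indicators

def detect(baseline_text, review_text, threshold=5):
    """Alert on users whose review-day indicators reach the (assumed) threshold."""
    baselines = build_baselines(parse(baseline_text))
    by_user = defaultdict(list)
    for e in parse(review_text):
        by_user[e["user"]].append(e)
    alerts = {}
    for user, events in by_user.items():
        if user not in baselines:
            continue  # no history yet; a real program would route these to manual review
        score, indicators = score_user(user, events, baselines[user])
        if score >= threshold:
            alerts[user] = {"score": score, "indicators": indicators}
    return alerts

if __name__ == "__main__":
    for user, alert in detect(BASELINE_LOGS, REVIEW_LOGS).items():
        print(f"{user}: score {alert['score']}")
        for stage, detail in alert["indicators"]:
            print(f"  [{stage}] {detail}")
```

Run on the constructed data, alice's day looks like her history and produces nothing, while bob accumulates indicators across four stages and is surfaced with a score of 14. The point for a program at the "Better" tier is that every one of these signals already exists in aggregated logs or a SIEM; the analytics layer only adds the per-user baseline and the stage labels that let an analyst read the alert as a story rather than a list of events.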
Polling Question 5: Third-party Risk Management
5. My firm's Third-party Risk Program is:
   a. Mature. Robust strategy with well-defined processes that are applied to all third parties, and that are quantitatively measured.
   b. Established. A defined third-party risk management strategy backed by processes and tools.
   c. Nascent. Some controls in place (e.g., vendor questionnaire), but no overarching strategy.
   d. Nonexistent. We use third parties, but no explicit risk management controls.
   e. None needed. We don't use third parties that impact our risk profile.
Third-party Risk Management Methodology
- Identifying, Prioritizing Third Parties
  - Sources of risk: People, Process, Technology
- Assessment
  - Processes, Techniques, Timing
  - Assurance/Evidence Expectations
- Controlling Risks
  - Contract Provisions, Other techniques
  - Risk Acceptance? Show stoppers?
- Monitoring, Detecting changes
  - Changes at third party
  - Changes in relationship with third party
- Supporting Tools, Services
- Coordination w/ org stakeholders
  - Infosec, purchasing, legal, etc.
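The methodology above is a process rather than a tool, but its first, second and fourth bullets (prioritizing third parties by people/process/technology risk, setting assessment timing and evidence expectations, and detecting changes at the third party or in the relationship) can be expressed as a small risk register. The following is an added example, not code from the session or from any panelist's firm: vendor names, the factor weights, tier thresholds, reassessment cadences and expected evidence types are all constructed for the illustration and would be set by the firm's own policy.

```python
"""Added example (not from the session deck): a small third-party risk register
that assigns each vendor an inherent-risk tier from people/process/technology
factors, derives the assessment cadence and assurance evidence expected for that
tier, and flags changes (at the third party or in the relationship) that should
reopen the assessment. Names, weights, tiers and cadences are constructed."""
from dataclasses import dataclass, replace
from datetime import date
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Vendor:
    name: str
    data_classes: FrozenSet[str]          # technology/data factor, e.g. {"PII", "financial"}
    network_access: bool                  # technology factor: connects into our environment
    onsite_staff: bool                    # people factor: vendor personnel on premises
    business_critical: bool               # process factor: an outage stops a key process
    subprocessors: FrozenSet[str] = frozenset()
    last_assessment: Optional[date] = None
    evidence: FrozenSet[str] = frozenset()  # assurance artefacts on file, e.g. {"SOC2-TypeII"}

DATA_WEIGHTS = {"PII": 3, "financial": 3, "internal": 1}        # constructed weights
CADENCE_DAYS = {"high": 365, "medium": 730, "low": 1095}         # reassessment interval per tier
EXPECTED_EVIDENCE = {"high": {"SOC2-TypeII", "pen-test"}, "medium": {"SOC2-TypeII"}, "low": set()}
REVIEW_DATE = date(2018, 2, 22)                                   # constructed "today"

def inherent_score(v: Vendor) -> int:
    """Additive inherent-risk score before any controls or evidence are considered."""
    score = sum(DATA_WEIGHTS.get(d, 1) for d in v.data_classes)
    score += 3 if v.network_access else 0
    score += 2 if v.onsite_staff else 0
    score += 2 if v.business_critical else 0
    return score

def tier(v: Vendor) -> str:
    s = inherent_score(v)
    return "high" if s >= 6 else "medium" if s >= 3 else "low"

def assessment_due(v: Vendor, today: date) -> bool:
    """Never-assessed vendors are due immediately; otherwise compare against the tier cadence."""
    if v.last_assessment is None:
        return True
    return (today - v.last_assessment).days > CADENCE_DAYS[tier(v)]

def missing_evidence(v: Vendor) -> set:
    return EXPECTED_EVIDENCE[tier(v)] - set(v.evidence)

def register_report(vendors, today: date) -> dict:
    """Prioritised view per vendor: tier, whether an assessment is overdue, and evidence gaps."""
    return {v.name: {"tier": tier(v), "due": assessment_due(v, today),
                     "missing": sorted(missing_evidence(v))} for v in vendors}

def reassessment_triggers(before: Vendor, after: Vendor) -> list:
    """Changes at the third party or in the relationship that should reopen the assessment."""
    triggers = []
    new_data = after.data_classes - before.data_classes
    if new_data:
        triggers.append(f"new data shared: {sorted(new_data)}")
    if after.network_access and not before.network_access:
        triggers.append("network access granted")
    new_subs = after.subprocessors - before.subprocessors
    if new_subs:
        triggers.append(f"new subprocessors: {sorted(new_subs)}")
    if tier(after) != tier(before):
        triggers.append(f"tier changed {tier(before)} -> {tier(after)}")
    return triggers

# Constructed sample register.
SAMPLE_VENDORS = [
    Vendor("CloudPayroll", frozenset({"PII", "financial"}), network_access=True,
           onsite_staff=False, business_critical=True,
           last_assessment=date(2017, 1, 15), evidence=frozenset({"SOC2-TypeII"})),
    Vendor("OfficeCatering", frozenset(), network_access=False,
           onsite_staff=True, business_critical=False,
           last_assessment=date(2017, 6, 1)),
]

def catering_relationship_change() -> list:
    """The caterer later gets an ordering integration into our network and receives internal data."""
    before = SAMPLE_VENDORS[1]
    after = replace(before, network_access=True, data_classes=frozenset({"internal"}),
                    subprocessors=frozenset({"OrderingSaaS"}))
    return reassessment_triggers(before, after)

if __name__ == "__main__":
    for name, row in register_report(SAMPLE_VENDORS, REVIEW_DATE).items():
        print(name, row)
    print("triggers:", catering_relationship_change())
```

Two things the example is meant to show. First, the payroll provider is high tier, its annual assessment is overdue and the register records exactly which evidence (here a penetration test report) is still missing, which is what "Assurance/Evidence Expectations" looks like when written down. Second, a vendor that was low tier when onboarded (the caterer) becomes high tier the moment the relationship changes, so a change in network access, data shared or subprocessors has to feed back into the register rather than waiting for the next scheduled review.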
Advice for Smaller Firms
- Insider Risk
  - Difference in risk for smaller firms?
  - Control priorities
  - Effective insider risk management on a budget
- Third-party Risk
  - Difference in risk for smaller firms?
  - Control priorities
  - Effective third-party risk management on a budget
2018 Cybersecurity Conference, February 22, New York, NY
THANK YOU!