Emerging Issues: Cybersecurity. Directors College 2015


Agenda/Objectives
- Define Cybersecurity
- Cyber Fraud Trends/Incidents
- FFIEC Cybersecurity awareness initiatives
- Community Bank expectations
- FFIEC Cybersecurity Self-Assessment Tool
- Cybersecurity Resources

Cybersecurity: What is Cybersecurity?

Cybersecurity
"The process of protecting information by preventing, detecting, and responding to attacks." - National Institute of Standards and Technology
How internal and external threats are managed to protect information assets and the supporting infrastructure!

Emerging Technologies 5

[Chart: Cyber Fraud Trends, based on SAR file data. Four panels: Account Takeover Losses; Wire Fraud Trends; Unauthorized Electronic Intrusions; Credit / Debit Card Fraud. Each panel plots Avg. Loss per SAR, No. of SARs and Total Losses (in millions) by quarter, 2Q 2013 through 2Q 2014. Data labels visible in the source, five per series: 1,809 / 1,462 / 910 / 725 / 713; 15,002 / 15,740 / 17,472 / 20,083 / 23,938; 3,203 / 3,744 / 3,638 / 3,574 / 4,348; 5,699 / 6,006 / 5,828 / 5,580 / 5,616. Which series belongs to which panel is not recoverable from the extracted text.]

[Chart: Incident Reports - Security Incidents, ViSION Technology Incident Reporting System (TIRS). Bar chart of incident counts (0 to 20) per quarter, 3Q 2013 through 3Q 2014, by category: SQL/Java Injection; Employee Error/Abuse; Wire/ACH Fraud; Malware; Customer Computer Compromise; Internet Banking; DDoS; 3rd Party Card Breach; Network Security; Physical Security.]

Cybersecurity: FFIEC initiatives
- Established the Cybersecurity and Critical Infrastructure Working Group (CCIWG) - June 2013
- Piloted the Cybersecurity Assessment - mid-2014
- Released Cybersecurity Assessment Observations - November 2014
- Released the Cybersecurity Self-Assessment Tool - June 2015
- Regularly releasing Statements and Alerts at www.ffiec.gov/cybersecurity.htm - June 2014

Cybersecurity Expectations
- Understand your cybersecurity inherent risk
- Routinely discuss cybersecurity
- Maintain awareness of threats and vulnerabilities
- Establish and maintain a dynamic control environment incorporating emerging risks
- Be prepared to respond: Incident Response and Disaster Recovery Planning

Cybersecurity Assessment Tool
KEY COMPONENTS
- User's Guide
- Inherent Risk Profile
- Cybersecurity Maturity
SUPPORTING MATERIALS
- Tool Overview for CEOs & Boards of Directors
- Appx A: Mapping Baseline Statements to FFIEC IT Handbook
- Appx B: Mapping Cybersecurity Assessment Tool to NIST Cybersecurity Framework
- Appx C: Glossary

Cybersecurity Assessment Tool
Consistent with the principles in:
- FFIEC Information Technology Examination Handbook (IT Handbook)
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Industry-accepted cybersecurity practices

Cybersecurity Inherent Risks
Cybersecurity inherent risk is the amount of risk posed by an institution's activities and connections, notwithstanding the risk-mitigating controls in place. Inherent risk incorporates the type, volume, and complexity of technology-related operations such as connection types, products and services offered, and technologies used.
Cybersecurity Self-Assessment Tool released June 2015.

Cybersecurity Assessment Tool: Inherent Risk Profile Categories
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats

Cybersecurity Assessment Tool: Inherent Risk Profile Risk Levels
- Least Inherent Risk
- Minimal Inherent Risk
- Moderate Inherent Risk
- Significant Inherent Risk
- Most Inherent Risk
Determined by the type, volume, and complexity of operations and the threats directed at the institution.

Cybersecurity Assessment: Cybersecurity Maturity
Measures current practices and overall preparedness in five domains:
- Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience

Governance: Risk Management Program
- Identify
- Assess
- Mitigate

Threat Intelligence
Gather Information
- Sources: news, FS-ISAC, US-CERT, FFIEC
Monitor & Analyze
- Determine whether the institution is vulnerable to current threats
- Ensure appropriate risk management strategies are in place to identify and respond
Share Information
- Share information with peers
- Prevent future attacks from succeeding
- Exchange information to improve security posture
FS-ISAC (Financial Services Information Sharing and Analysis Center): www.fsisac.com

Cybersecurity Controls
Preventative Controls: Prevent a threat from coming in contact with associated weaknesses/vulnerabilities. Preventative controls may be physical (e.g., card access) and/or logical (e.g., firewalls, tokens, usernames and passwords).
Detective Controls: Identify and alert to the presence of a vulnerability or threat. Detective controls may include scanning for vulnerabilities and engaging independent parties to conduct penetration testing and vulnerability assessments. They may also include active logging and alerting.
Corrective Controls: Assist with recovering from unwanted occurrences or mitigate the effects of a threat being manifested. Corrective controls may include patch management and timely resolution of penetration test findings.
Controls and processes should be dynamic!

External Dependency Management
Managing connectivity to third-party service providers, business partners, customers, or others, and the institution's expectations and practices to oversee these relationships.
- How is our institution connecting to third parties and ensuring they are managing their cybersecurity controls?
- What are our third parties' responsibilities during a cyber attack? How are these outlined in incident response plans?

Cyber Incident Management & Resilience
- In the event of a cyber attack, how will our institution respond internally and with customers, third parties, regulators, and law enforcement?
- How are cyber incident scenarios incorporated in our institution's business continuity and disaster recovery plans? Have these plans been tested?
Involves incident detection, response, mitigation, escalation, reporting, and resilience.

Cybersecurity Assessment Tool: Maturity Levels
- Innovative
- Advanced
- Intermediate
- Evolving
- Baseline

[Chart: FFIEC Cybersecurity Assessment Tool - Cybersecurity Maturity Level for Each Domain plotted against Inherent Risk Levels. Horizontal axis: Least, Minimal, Moderate, Significant, Most. Vertical axis: Baseline, Evolving, Intermediate, Advanced, Innovative.]

Cybersecurity Resources
FFIEC Cybersecurity Webpage: http://www.ffiec.gov/cybersecurity.htm
- Statement on Destructive Malware
- Statement on Compromised Credentials
- Cybersecurity Assessment Tool
- FFIEC IT Examination Handbooks: BCP updated in February 2015, others coming soon

Questions
Tammy Allwein, Examiner (IT), tallwein@fdic.gov