Emerging Issues: Cybersecurity Directors College 2015
Agenda/Objectives
- Define Cybersecurity
- Cyber Fraud Trends/Incidents
- FFIEC Cybersecurity awareness initiatives
- Community Bank expectations
- FFIEC Cybersecurity Self-Assessment Tool
- Cybersecurity Resources
Cybersecurity: What is Cybersecurity?
Cybersecurity is "the process of protecting information by preventing, detecting, and responding to attacks." - National Institute of Standards and Technology
In practice: how internal and external threats are managed to protect information assets and the supporting infrastructure.
Emerging Technologies
Cyber Fraud Trends (based on SAR file data): four charts, each plotting Avg. Loss per SAR, No. of SARs, and Total Losses (in millions) by quarter from 2Q 2013 through 2Q 2014:
- Account Takeover Losses
- Wire Fraud Trends
- Unauthorized Electronic Intrusions
- Credit / Debit Card Fraud
(Chart data labels were extracted without their series assignments and are not reproduced here.)
Incident Reports: Security Incidents reported through ViSION Technology Incident Reporting System (TIRS), counted by quarter from 3Q 2013 through 3Q 2014 (bar chart, 0 to 20 incidents per category). Categories:
- SQL/Java Injection
- Employee Error/Abuse
- Wire/ACH Fraud
- Malware
- Cust. Comp. Compromise (customer computer compromise)
- Internet Banking
- DDoS
- 3rd Party Card Breach
- Network Security
- Physical Security
Cybersecurity: FFIEC initiatives
- June 2013: FFIEC established the Cybersecurity and Critical Infrastructure Working Group (CCIWG)
- June 2014: FFIEC cybersecurity webpage launched, www.ffiec.gov/cybersecurity.htm
- Mid-2014: Piloted Cybersecurity Assessment
- November 2014: Released Cybersecurity Assessment Observations
- June 2015: Released Cybersecurity Self-Assessment Tool
- Regularly releasing Statements and Alerts
Cybersecurity Expectations
- Understand your cybersecurity inherent risk
- Routinely discuss cybersecurity
- Maintain awareness of threats and vulnerabilities
- Establish and maintain a dynamic control environment incorporating emerging risks
- Be prepared to respond: Incident Response and Disaster Recovery Planning
Cybersecurity Assessment Tool: User's Guide
KEY COMPONENTS
- Inherent Risk Profile
- Cybersecurity Maturity
SUPPORTING MATERIALS
- Overview for CEOs & Boards of Directors
- Appx A: Mapping Baseline Statements to FFIEC IT Handbook
- Appx B: Mapping Cybersecurity Assessment Tool to NIST Cybersecurity Framework
- Appx C: Glossary
Cybersecurity Assessment Tool: consistent with the principles in
- FFIEC Information Technology Examination Handbook (IT Handbook)
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Industry accepted cybersecurity practices
Cybersecurity Inherent Risk
Cybersecurity inherent risk is the amount of risk posed by an institution's activities and connections, notwithstanding the risk-mitigating controls in place. Inherent risk incorporates the type, volume, and complexity of technology-related operations, such as connection types, products and services offered, and technologies used. (Cybersecurity Self-Assessment Tool released June 2015.)
Cybersecurity Assessment Tool: Inherent Risk Profile Categories
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Cybersecurity Assessment Tool: Inherent Risk Profile Risk Levels (reflecting the type, volume, and complexity of operations and the threats directed at the institution)
- Least Inherent Risk
- Minimal Inherent Risk
- Moderate Inherent Risk
- Significant Inherent Risk
- Most Inherent Risk
Cybersecurity Assessment: Cybersecurity Maturity measures current practices and overall preparedness in five domains:
- Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
Governance: Risk Management Program - Identify, Assess, Mitigate
Threat Intelligence
Gather Information: News, FS-ISAC, US-CERT, FFIEC
Monitor & Analyze:
- Determine whether the institution is vulnerable to current threats
- Ensure appropriate risk management strategies are in place to identify and respond
Share Information:
- Share information with peers
- Prevent future attacks' success
- Exchange information to improve security posture
FS-ISAC (Financial Services Information Sharing and Analysis Center): www.fsisac.com
Cybersecurity Controls
Preventative Controls: prevent a threat from coming in contact with the associated weakness or vulnerability. Preventative controls may be physical (e.g., card access) and/or logical (e.g., firewalls, tokens, usernames and passwords).
Detective Controls: identify and alert to the presence of a vulnerability or threat. Detective controls may include scanning for vulnerabilities and engaging independent parties to conduct penetration testing and vulnerability assessments. They may also include active logging and alerting.
Corrective Controls: assist with recovering from unwanted occurrences or mitigate the effects of a threat being manifested. Corrective controls may include patch management and timely resolution of penetration test findings.
Controls and processes should be dynamic!
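The slides describe detective controls only in the abstract ("active logging and alerting"). The following is an added example, not from the original presentation or the FFIEC tool, of what such a control looks like at the log level: it reads constructed internet-banking log lines and alerts on the account-takeover pattern that dominates the SAR trends above, a burst of failed logins followed by a successful login and then a wire transfer. The log format, the field names, and the thresholds (five failures in ten minutes, a wire within thirty minutes of a suspicious login, a $10,000 review limit) are all assumptions made for the example.

```python
"""Added example: a minimal detective control over constructed login/wire logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page). Fields are
# timestamp, event, account, source IP and, for wires, the amount.
SAMPLE_LOG = """\
2014-06-02T09:00:01 LOGIN_FAIL acct=1001 ip=198.51.100.7
2014-06-02T09:00:05 LOGIN_FAIL acct=1001 ip=198.51.100.7
2014-06-02T09:00:09 LOGIN_FAIL acct=1001 ip=198.51.100.7
2014-06-02T09:00:12 LOGIN_FAIL acct=1001 ip=198.51.100.7
2014-06-02T09:00:15 LOGIN_FAIL acct=1001 ip=198.51.100.7
2014-06-02T09:00:20 LOGIN_OK acct=1001 ip=198.51.100.7
2014-06-02T09:03:40 WIRE acct=1001 ip=198.51.100.7 amount=24000
2014-06-02T10:15:00 LOGIN_OK acct=2002 ip=203.0.113.5
2014-06-02T10:20:00 WIRE acct=2002 ip=203.0.113.5 amount=500
2014-06-02T11:00:00 LOGIN_FAIL acct=3003 ip=192.0.2.9
2014-06-02T11:05:00 LOGIN_OK acct=3003 ip=192.0.2.9
"""

# Assumed thresholds; a real deployment would tune these to its own traffic.
FAIL_THRESHOLD = 5                    # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)   # failures older than this are forgotten
WIRE_WINDOW = timedelta(minutes=30)   # wire this soon after a suspicious login
WIRE_AMOUNT_LIMIT = 10000             # wires at or above this go to review


def parse_line(line):
    """Split one log line into a dict with a datetime 'ts' and string fields."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def detect_account_takeover(log_text):
    """Return (alert_type, account, detail) tuples in log order.

    Alerts raised:
      BRUTE_FORCE_THEN_SUCCESS   - >= FAIL_THRESHOLD failures inside FAIL_WINDOW,
                                   then a successful login on the same account
      WIRE_AFTER_SUSPICIOUS_LOGIN - a wire within WIRE_WINDOW of such a login
      LARGE_WIRE_REVIEW           - any other wire at or above WIRE_AMOUNT_LIMIT
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])          # logs are not always in order
    recent_fails = defaultdict(list)            # acct -> timestamps of failures
    suspicious_login = {}                       # acct -> time of suspicious OK
    alerts = []
    for e in events:
        acct = e["acct"]
        if e["event"] == "LOGIN_FAIL":
            recent_fails[acct].append(e["ts"])
            # keep only failures still inside the sliding window
            recent_fails[acct] = [t for t in recent_fails[acct]
                                  if e["ts"] - t <= FAIL_WINDOW]
        elif e["event"] == "LOGIN_OK":
            if len(recent_fails[acct]) >= FAIL_THRESHOLD:
                suspicious_login[acct] = e["ts"]
                alerts.append(("BRUTE_FORCE_THEN_SUCCESS", acct, e["ip"]))
            recent_fails[acct].clear()          # a success resets the counter
        elif e["event"] == "WIRE":
            amount = int(e["amount"])
            t = suspicious_login.get(acct)
            if t is not None and e["ts"] - t <= WIRE_WINDOW:
                alerts.append(("WIRE_AFTER_SUSPICIOUS_LOGIN", acct, amount))
            elif amount >= WIRE_AMOUNT_LIMIT:
                alerts.append(("LARGE_WIRE_REVIEW", acct, amount))
    return alerts


if __name__ == "__main__":
    for alert in detect_account_takeover(SAMPLE_LOG):
        print(*alert)
```

On the sample above only account 1001 fires: account 3003 has a single failure before its success, and account 2002's $500 wire is below the review limit. The point for a board is the shape of the control, not the thresholds: a preventative control (lockout after N failures, out-of-band wire approval) would have stopped the 1001 sequence earlier, and the detective control here only matters if someone is alerted and acts within the wire window.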
External Dependency Management: managing connectivity to third-party service providers, business partners, customers, or others, and the institution's expectations and practices for overseeing these relationships.
- How is our institution connecting to third parties and ensuring they are managing their cybersecurity controls?
- What are our third parties' responsibilities during a cyber attack? How are these outlined in incident response plans?
Cyber Incident Management & Resilience
- In the event of a cyber attack, how will our institution respond internally and with customers, third parties, regulators, and law enforcement?
- How are cyber incident scenarios incorporated in our institution's business continuity and disaster recovery plans? Have these plans been tested?
Involves incident: Detection, Response, Mitigation, Escalation, Reporting, Resilience
Cybersecurity Assessment Tool: Maturity Levels (highest to lowest)
- Innovative
- Advanced
- Intermediate
- Evolving
- Baseline
FFIEC Cybersecurity Assessment Tool: the results are read as a matrix with Inherent Risk Levels (Least, Minimal, Moderate, Significant, Most) across the top and Maturity Levels (Baseline, Evolving, Intermediate, Advanced, Innovative) down the side, showing the cybersecurity maturity level reached in each domain against the institution's inherent risk profile.
Cybersecurity Resources
FFIEC Cybersecurity Webpage: http://www.ffiec.gov/cybersecurity.htm
- Statement on Destructive Malware
- Statement on Compromised Credentials
- Cybersecurity Assessment Tool
FFIEC IT Examination Handbooks
- Updated BCP (Business Continuity Planning) booklet, February 2015
- Others coming soon
Questions
Tammy Allwein, Examiner (IT), tallwein@fdic.gov