Cybersecurity and Examinations

Slide 1: Tim Segerson, Deputy Director, NCUA E&I. Cybersecurity and Examinations. October 6, 2016, Chicago, IL.

Slide 2: Connected Devices. Declining costs + increased bandwidth + powerful algorithms will spur a new information revolution as everything connects and interconnects.

Slide 3: Banking's UBER Moment**
  - New and evolving risks
  - Digital world requires digital risk management strategy
  - Public demands and expectations evolve
  - Our responsibilities evolve
Image: https://fortunedotcom.files.wordpress.com/2016/06/fintech_003.png
**Citi GPS, Digital Disruption: How FinTech is Forcing Banking to a Tipping Point, March 2016, pg. 12.

Slide 4: Changing Threat Environment. https://threatpost.com/locky-ransomware-borrows-tricks-from-dridex/116304/

Slide 5: Recent Report on Breaches by Security Firm (July 2016). Source: Beazley Breach Insights (07/2016).

                                                              2015   2016
  Hacking and malware caused breaches in banks and CUs        27%    43%
  % of all breaches in fin. inst. < $35mm total revenue       54%    81%

  Revenue threshold: 35,000,000
  Gross income to average assets, all FICU: 4.64%
  Estimated target asset range: 754,310,345
  # CU > $750 mm = > 5,000

Small institutions are increasingly attractive targets to hackers and fraudsters. Why?
  - Ransomware attacks rising sharply
  - Twice the number of breach responses in the first 6 months of 2016 as in all of 2015
  - With "small" defined as $750mm, most CUs can be considered targets of choice

Slide 6: Changing Threat Environment: Back Office Systems.

Slide 7: Risk Trends
  - Existing vulnerabilities continue to be exploited.
  - New platforms create new ways to exploit financial institutions and consumers.
  - Lines between cyber actors are blurring as attack tools are commercialized.
  - Interconnectivity is expanding the sources of risk.
  - Technology advances speed transactions and minimize intermediaries.

Slide 8: Defining Critical Infrastructure.

Slide 9: CU Technology: CU Technology Footprint @ 03/31/2016 (bar chart; values reconstructed from the chart labels)

  Category              # total   % total
  Website               4,908     82%
  No Website            1,044     18%
  Transaction Website   4,304     72%
  Internet Access       5,830     98%

Slide 10: CU Technology: Core Processing Systems in Credit Unions (bar chart; values reconstructed from the chart labels)

  Core processing type        # total   % total
  In-House Turnkey            3,604     60.55%
  Managed Service (online)    2,208     37.10%
  In-house developed             20      0.34%
  Manual                         35      0.59%
  Other                          85      1.43%

Slide 11: Some Recent Outcomes
  - Frequent: Baseline compliant
  - Limited: Evolving
  - Inconsistent range
  - Use of CAT as risk assessment
  - Work with CU staff to work through disparities
  - Ransomware is everywhere: train, train, train; backup, backup, backup

Slide 12: FFIEC Cybersecurity Assessment Tool
Objective: To help institutions identify their risks and determine their cybersecurity maturity. The Assessment provides a repeatable and measurable process to inform management of their institution's risks and cybersecurity preparedness.
Two parts to the CAT:
  - Part One: Complete the Inherent Risk Profile. Inventory and determine risk drivers in your organization.
  - Part Two: Complete the Cybersecurity Maturity Assessment. Benchmark your security program.

Slide 13: FFIEC Cybersecurity Assessment Tool
  - Part One: Complete the Inherent Risk Profile. Inventory and determine risk drivers in your organization.
  - Part Two: Complete the Cybersecurity Maturity Assessment. Benchmark your security program.

Slide 14: Cybersecurity Maturity Assessment

  Domain                                        Assessment Factors
  1 Cyber Risk Management & Oversight           Governance; Risk Management; Resources; Training and Culture
  2 Threat Intelligence & Collaboration         Intelligence Sourcing; Monitoring and Analyzing; Information Sharing
  3 Cybersecurity Controls                      Preventative Controls; Detective Controls; Corrective Controls
  4 External Dependency Management              Connections; Relationships Management
  5 Cyber Incident Management & Resilience      Incident Resilience Planning and Strategy; Detection, Response and Mitigation; Escalation and Reporting

Slide 15: Cybersecurity Maturity/Risk Relationship
  Highest risk institutions
    - Innovative: experimental new and emerging technologies
    - Advanced
    - Intermediate
    - Evolving
    - Baseline: minimum expected performance to comply with regulations and existing guidance
  Lowest risk institutions

Slide 16: FFIEC Cybersecurity Assessment Tool (matrix)
  Inherent risk levels (columns): Least, Minimal, Moderate, Significant, Most
  Cybersecurity maturity level for each domain (rows): Innovative, Advanced, Intermediate, Evolving, Baseline
  Regions of the matrix: Elevated Investment (high maturity at low inherent risk); Underinvestment (low maturity at high inherent risk)

Slide 17: Additive Model Structure (threat intelligence example)
  BASELINE: Threat info source(s); Active monitoring; Enhance risk
    Items to review: List of threat intelligence resources (e.g. industry groups, consortiums, threat and vulnerability reporting services); Management reports on cyber intelligence; Verify FI has conducted interviews with vendors as needed
  EVOLVING: Analyze tactics; Perform risk mitigation
  INTERMEDIATE: Formal threat intelligence program; Collection protocols; Read-only repository
  ADVANCED: Cyber intelligence model; Multi-source real-time threat intelligence; Threat intel on geopolitical events
  INNOVATIVE: Threat analysis team; Investment in transformational threat intelligence technology

Slide 18: Cybersecurity Risk Exam Strategy. So what is the game plan for NCUA?

Slide 19: NCUA's Tool Box
  - GLBA compliance (Part 748 compliance review)
  - CAT structured cybersecurity review
  - NCUA structured IT/IST exam work plans
  - FFIEC comprehensive IT examination handbooks
  - Outsourced expert testing/consultation
Resources drive the frequency of tool application.

Slide 20: Cyber/IT Examination Vision. Cyber/IT Exam Program Vision - NCUA

  Review type:                  Financial Examiner Review   SME Review             Specialist Review      Advanced Review / Specialized Areas (Outside)
  Scope                         Risk profile driven         Risk profile driven    Risk profile driven    NCUA/FFIEC selected reviews; risk profile driven
  CAT structured assessment     Alternating years           Alternating years      Alternating years
  Part 748 review               Periodic                    Periodic               Periodic

  Legend: Less frequent ... More frequent; Likely, Unlikely, Improbable

Procedures may vary based on individual credit union risk footprint and exam team staffing. CAT goal is periodic full coverage (across multiple exam cycles). Individual risk assessment by examiner will drive final review steps. Examiners scale the review in this area based on their understanding of risk (your risk profile). Under expected cyclical reviews, we plan to collect assessments on all institutions over a multiyear period to understand industry gaps and adjust exam strategies.

Slide 21: Structured Risk Management Review
  Review areas: Policy, Strategy and Appropriateness; Policy Compliance Management; Controls, Reporting and Monitoring; Policy Outcomes; Inherent and Residual Risk; Capital at Risk
  What examiners look for:
    - Well developed policies scaled to size and complexity that fit business strategy
    - Independence and cultural commitment (budget, training, data systems, tone at the top)
    - Properly trained and experienced resources
    - Procedures and internal controls
    - Internal audit, validations, mitigation steps, quality control
    - Robust reporting, measuring, mitigation and decision structure
    - Actual levels and direction of risk
    - Modeled outcomes under stressed conditions
  How well do you self-regulate?

Slide 22: FFIEC Agencies Use URSIT. Components: Audit; Management; Development and Acquisition; Support and Delivery. NCUA uses URSIT only on specialized examinations of IT vendors, consistent with FFIEC policies.

Slide 23: Key Risk Drivers
  - Risk dimensions: Transaction, Strategic, Reputation, Compliance
  - Management Component; CAMEL Composite
Risk dimensions drive weighting of the Component and Overall Composite. Severe deficiencies can affect the Composite rating.

Slide 24: Exam Current State
  - RISO review: risk focused targeted review
  - SME review: risk focused targeted review
  - Baseline review: 748 compliance + payments review
SME review may layer over the existing 748 and payments reviews. RISO/SME may custom target broad risk management or a focused risk area during review depending on risk drivers.

Slide 25: CAT Review Vision
  - Interactive review: initial information request
  - Joint exploration of the information: modeling using the CAT structure
  - Inherent risk identified; characteristics identified
  - Discussion/sharing results: share/review with management
  - 2017: work with management to identify opportunities

Slide 26: CAT Impact
  Pre-exam: More data requested in advance; advance review of available information; initial risk classification; initial attribute identification
  During exam: New discussions in new areas; review of results to verify output; observe and verify activity-based attributes
  Post exam: Aggregate anonymized data across industry and institutional features; inform supervisory process and industry guidance

Slide 27: Exam Future State
  Baseline*: Cyclical 748/payment review; cyclical C.A.T. structured review
  Intermediate: Periodic Baseline/CAT during apportioned cycles; resilience, governance, external dependency, good hygiene; deeper review likely in selected areas
  Advanced: Team or multiple specialized staff performing more comprehensive and in-depth review; observe and evaluate
*Baseline procedures will be completed on interchanging multiyear cycles, or when risk indicators warrant.

Slide 28: NCUA on Forward Plan
  - Extensive examiner training
  - Field reviews and data collection through early 2017
  - Tool/process improvement 2nd qtr 2017
  - Process rollout mid-2017 ish*
*Commitment to ensure a tight process and well trained examiners before rollout.

Slide 29: Questions? Tim Segerson, Dep. Dir. E&I, NCUA. Email: segerson@ncua.gov. Phone: 703-518-6397.