Tim Segerson, Deputy Director, NCUA E&I
Cybersecurity and Examinations
October 6, 2016, Chicago, IL
Connected Devices
Declining costs + increased bandwidth + powerful algorithms will spur a new information revolution as everything connects and interconnects.
Banking's UBER Moment**
- New and Evolving Risks
- Digital World Requires Digital Risk Management Strategy
- Public Demands and Expectations Evolve
- Our Responsibilities Evolve
https://fortunedotcom.files.wordpress.com/2016/06/fintech_003.png
**Citi GPS; Digital Disruption, How FinTech is Forcing Banking to a Tipping Point, March 2016, pg. 12.
Changing Threat Environment
https://threatpost.com/locky-ransomware-borrows-tricks-from-dridex/116304/
Recent Report on Breaches by Security Firm (July 2016)
                                                        2015    2016
Hacking and Malware Caused Breaches in Banks and CUs     27%     43%
% all breaches in Fin. Inst. < $35mm total revenue       54%     81%
Beazley Breach Insights (07/2016)

Revenue Threshold                           35,000,000
Gross Income to Average Assets, all FICU    4.64%
Estimated Target Asset Range                754,310,345
# CU > $750 mm = > 5,000

- Small Institutions are increasingly attractive targets to hackers and fraudsters. Why?
- Ransomware attacks rising sharply
- Twice the number of breach responses in first 6 months as in all of 2015
- @ Small = $750mm; most CU can be considered targets of choice
Changing Threat Environment: Back Office Systems
Risk Trends
- Existing vulnerabilities continue to be exploited.
- New platforms create new ways to exploit Financial Institutions and consumers.
- Lines between cyber actors are blurring as attack tools are commercialized.
- Interconnectivity is expanding the sources of risk.
- Technology advances speed transactions and minimize intermediaries.
Defining Critical Infrastructure
CU Technology
CU Technology Footprint @ 03/31/2016 (bar chart; counts and percentages of total credit unions)
  Website              4,908   82%
  No Website           1,044   18%
  Transaction Website  4,304   72%
  Internet Access      5,830   98%
CU Technology
Core Processing Systems in Credit Unions (bar chart; counts and percentages of total credit unions)
  In-House Turnkey          3,604   60.55%
  Managed Service (online)  2,208   37.10%
  Inhouse developed            20    0.34%
  Manual                       35    0.59%
  Other                        85    1.43%
Some Recent Outcomes
- Frequent: Baseline Compliant
- Limited: Evolving
- Inconsistent Range
- Use of CAT as Risk Assessment
- Work with CU staff to work through disparities
- Ransomware is everywhere: train, train, train; backup, backup, backup
FFIEC Cybersecurity Assessment Tool
Objective: To help institutions identify their risks and determine their cybersecurity maturity. The Assessment provides a repeatable and measurable process to inform management of their institution's risks and cybersecurity preparedness.
Two Parts to the CAT
- Part One: Complete the Inherent Risk Profile. Inventory and determine risk drivers in your organization.
- Part Two: Complete the Cybersecurity Maturity Assessment. Benchmark your security program.
Cybersecurity Maturity Assessment
  Domain                                      Assessment Factors
  1 Cyber Risk Management & Oversight         Governance; Risk Management; Resources; Training and Culture
  2 Threat Intelligence & Collaboration       Intelligence Sourcing; Monitoring and Analyzing; Information Sharing
  3 Cybersecurity Controls                    Preventative Controls; Detective Controls; Corrective Controls
  4 External Dependency Management            Connections; Relationships Management
  5 Cyber Incident Management & Resilience    Incident Resilience Planning and Strategy; Detection, Response and Mitigation; Escalation and Reporting
Cybersecurity Maturity/Risk Relationship
Highest Risk Institutions
  Innovative    - Experimental new and emerging technologies
  Advanced
  Intermediate
  Evolving
  Baseline      - Minimum expected performance to comply with regulations and existing guidance
Lowest Risk Institutions
FFIEC Cybersecurity Assessment Tool
(Matrix: Inherent Risk Levels vs. Cybersecurity Maturity Level for Each Domain)
  Inherent Risk Levels: Least, Minimal, Moderate, Significant, Most
  Cybersecurity Maturity Level for Each Domain: Innovative, Advanced, Intermediate, Evolving, Baseline
  Matrix labels: Elevated Investment; Underinvestment
Additive Model Structure
BASELINE
  Items to review: List of threat intelligence resources (e.g. industry groups, consortiums, threat and vulnerability reporting services). Management reports on cyber intelligence. Verify FI has conducted interviews with vendors as needed.
  Threat Info Source(s); Active Monitoring; Enhance Risk
EVOLVING
  Analyze Tactics; Perform Risk Mitigation
INTERMEDIATE
  Formal Threat Intelligence Program; Collection Protocols; Read-only repository
ADVANCED
  Cyber Intelligence Model; Multi-source Real-Time Threat Intelligence; Threat Intel on Geopolitical Events
INNOVATIVE
  Threat Analysis Team; Investment in Transformational Threat Intelligence Technology
Cybersecurity Risk Exam Strategy
So What is the Game Plan for NCUA?
NCUA's Tool Box
- GLBA Compliance (Part 748 Compliance Review)
- CAT Structured Cybersecurity Review
- NCUA Structured IT/IST Exam Work plans
- FFIEC Comprehensive IT Examination Handbooks
- Outsourced Expert Testing/Consultation
Resources drive the frequency of tool application.
Cyber/IT Examination Vision
Cyber/IT Exam Program Vision - NCUA (matrix of review types vs. review components)
  Review types: Financial Examiner Review; SME Review; Specialist Review; Outside (Advanced Review, Specialized Areas)
  Scope: Risk Profile Driven; Risk Profile Driven; NCUA/FFIEC Selected Reviews; Risk Profile Driven; Risk Profile Driven; Risk Profile Driven
  CAT Structured Assessment: Alternating Years; Alternating Years; Alternating Years
  Part 748 Review: Periodic; Periodic; Periodic
  Legend (Less Frequent to More Frequent): Improbable; Unlikely; Likely
Procedures may vary based on individual credit union risk footprint and exam team staffing.
- CAT goal is periodic full coverage (across multiple exam cycles).
- Individual risk assessment by examiner will drive final review steps.
- Examiners scale the review in this area based on their understanding of risk (your risk profile).
- Under expected cyclical reviews, we plan to collect assessments on all institutions over a multiyear period to understand industry gaps and adjust exam strategies.
Structured Risk Management Review
Review areas: Policy, Strategy and Appropriateness; Policy Compliance Management; Controls, Reporting and Monitoring; Policy Outcomes; Inherent and Residual Risk; Capital at Risk
- Well developed policies scaled to size and complexity; fits business strategy
- Independence and cultural commitment (budget, training, data systems, tone at the top)
- Properly trained and experienced Resources
- Procedures and Internal Controls
- Internal Audit, validations, mitigation steps, quality control
- Robust reporting, measuring, mitigation and decision structure
- Actual levels and direction of risk
- Modeled outcomes under stressed conditions
How well do you self-regulate?
FFIEC Agencies Use URSIT
- Audit
- Management
- Development and Acquisition
- Support and Delivery
NCUA uses URSIT only on Specialized Examinations of IT Vendors consistent with FFIEC Policies.
Key Risk Drivers
Risk dimensions: Transaction; Strategic; Reputation; Compliance
Management Component; CAMEL Composite
Risk dimensions drive weighting of Component and Overall Composite. Severe deficiencies can affect the Composite rating.
Exam Current State
- RISO Review: Risk Focused Targeted Review
- SME Review: Risk Focused Targeted Review
- Baseline Review: 748 compliance + Payments review
SME Review may layer over the existing 748 and Payments Reviews. RISO/SME may custom target broad risk management or a focused risk area during review depending on risk drivers.
CAT Review Vision
- Interactive Review
- Initial Information Request
- Joint exploration of the Information
- Modeling using the CAT structure
- Inherent Risk Identified
- Characteristics identified
- Discussion/Sharing Results
- Share/review with management
- 2017: Work with Management to Identify Opportunities
CAT Impact
Pre-exam
- More data requested in advance
- Advance review of available information
- Initial risk classification
- Initial attribute identification
During Exam
- New discussions in new areas
- Review of results; verify output
- Observe and verify activity based attributes
Post Exam
- Aggregate anonymized data across industry and institutional features
- Inform supervisory process and industry guidance.
Exam Future State
Baseline*
- Cyclical 748/payment review
- Cyclical C.A.T. structured review
Intermediate
- Periodic Baseline/CAT during apportioned cycles
- Resilience, Governance, External Dependency, Good Hygiene
- Deeper review likely in selected areas
Advanced
- Team or multiple specialized staff performing more comprehensive and in depth review.
- Observe and evaluate
*Baseline procedures will be completed on interchanging multiyear cycles, or when risk indicators warrant.
NCUA on Forward Plan
- Extensive Examiner Training
- Field Reviews and Data Collection through early 2017
- Tool/Process improvement 2nd qtr 2017.
- Process Rollout mid-2017 ish*
*Commitment to Ensure Tight Process and Well Trained Examiner Before Rollout.
Questions?
Tim Segerson, Dep. Dir. E&I, NCUA
Email: segerson@ncua.gov
Phone: 703-518-6397