and Bank Examinations Leveraging FFIEC Cybersecurity Assessment, - PowerPoint PPT Presentation

Presenting a live 90-minute webinar with interactive Q&A Cyber Threats to Banks and Financial Institutions: Regulatory Requirements and Bank Examinations Leveraging FFIEC Cybersecurity Assessment, Navigating Board of Director Risks and Third-Party Vendor Management TUESDAY, APRIL 5, 2016 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific Today’s faculty features: Jason M. Halper, Partner, Orrick Herrington & Sutcliffe , New York Aravind Swaminathan, Partner, Orrick Herrington & Sutcliffe , Seattle The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10 .

Tips for Optimal Quality FOR LIVE EVENT ONLY Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-873-1442 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

Continuing Education Credits FOR LIVE EVENT ONLY In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program. For additional information about continuing education, call us at 1-800-926-7926 ext. 35.

Program Materials FOR LIVE EVENT ONLY If you have not printed the conference materials for this program, please complete the following steps: Click on the ^ symbol next to “Conference Materials” in the middle of the left - • hand column on your screen. • Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program. • Double click on the PDF and a separate page will open. Print the slides by clicking on the printer icon. •

April 5, 2016 Cyber Threats to Banks and Financial Institutions: Regulatory Requirements and Bank Examinations Aravind Swaminathan (Seattle), Global Co-Chair Cybersecurity and Data Privacy Jason Halper (New York), Co-Chair Financial Institutions Litigation Practice

Scope of the Problem “There are only ‘two categories’ of companies affected by trade secret theft – those that know they’ve been compromised and those that don’t know yet.” Former Attorney General Eric Holder 6

World Economic Forum: Cyber is Top 5 Global Risk Source: World Economic Forum Global Risks 2014 7 Privileged & Confidential

Knowing the Adversary

Threat Actors Threat Type Who and What Industrial Control Targeted attack that seeks to disrupt the activities of large-scale companies or System Attack organizations, including industrial control systems (e.g., Stuxnet) Organized crime rings targeting corporate data, such as personal information, Organized Crime health information, credit cards, for financial motives (e.g., Target) Employee or contractor using access to release or ex-filtrate information for Insiders personal, competitive, or financial gain (e.g., Wikileaks) Advanced Persistent Organized and state-funded groups methodically infiltrating the enterprise, often Threat (APT) have maintained presence for months or even years (e.g., “Deep Panda”) Highly visible attacks to advance “movements,” based on political, policy, religious Hacktivism views, to raise PR spotlight, embarrass, effect change (e.g., Anonymous) 9

Attack Targets “The top two industries affected are the same as previous years: Public and Financial Services .” 10 Source: Verizon 2015 Data Breach Investigations Report

Attack Methodologies 11 Source: Verizon 2015 Data Breach Investigations Report

Average Loss to Organization Average Loss to Organization In 2012 In 2014 Average Total Cost $5.5 million $6.5 million (direct and indirect expenses, e.g., forensic experts, outsourcing hotline, free credit monitoring, discounts, customer loss, diminished customer acquisition) Cost per compromised record $188/record $217/record Source: Ponemon Institute/IBM, 2015 Cost of Data Breach Study: United States • Averages based on small breaches of 5,000 to 99,000 records • Breaches >100,000 records were excluded because they would “skew” the results 12

Regulatory Developments

Regulatory Landscape: Which Way Are They Coming From? 14

FFIEC Cybersecurity Assessment Tool Inherent Risk Cybersecurity Maturity Technologies and connection types Risk management and oversight Delivery channels Controls Online/Mobile products & technology svcs External dependency management Organizational characteristics Incident management External threats Regulators explicitly using in bank examinations: • Office of the Comptroller of Currency • National Credit Union Association 15

NY Department of Financial Services November 9, 2015 Potential New NYDFS Cyber Security Regulation Requirements • Required Policies and Procedures (e.g., data governance/classification, identity access management, incident response) • Third Party Service Provider Management (e.g., multi-factor authentication, encryption, notification for cybersecurity incidents, indemnification, security audits, reps/warranties re InfoSec) • Chief Information Security Officer • Cybersecurity personnel and intelligence • Annual penetration testing and quarterly vulnerability assessments • Audit trails for privileged user access, protection of logs, etc. • Notification to NYDFS if reasonably likely to materially affect operations or triggers NY state notice, board notification, NPHI or “private information” 16

Other Regulatory Guidance on Cybersecurity Overview of Key Elements from SEC/FINRA:* Identification of Risks & Cybersecurity Governance Risks Associated with Vendors and other Third Parties   Documented information security policy Cybersecurity assessment of vendors and third parties  Establish cybersecurity roles and responsibilities  Details of cybersecurity risk in third party contracts  Periodic assessment of cybersecurity risks  Network segregation of third party access   Periodic assessment of physical security risks Logging and control of third party access  Network mapping and inventory of technology resources  Cybersecurity insurance Detection of Unauthorized Activity  Incorporate cybersecurity into BCP plan  Create baseline of network traffic and events  Event aggregation and correlation Protection of Firm Network and Information  Detection of events/intrusions, malicious code, unauthorized  Employee training and written guidance users and devices  User access controls  Penetration testing and vulnerability scanning  Use of encryption  Data loss prevention  Change management procedures – test environment  Documented incident response plan  Audits of security policies *SEC National Exam Program Alert, Vol. IV, Issue 4 “Cybersecurity Examination Sweep Summary” (Feb. 3. 2015) FINRA, “Report on Cybersecurity Practices” (Feb. 2015) 17

Vendor Management  Vendors can be the “weak link” (Target HVAC) – public entities rely on hundreds or even thousands of vendors for core operations/services  Proactive Risk Mitigation » Pre-contract due diligence, calibrated to sensitivity level of data to be handled by vendor – e.g., vendor MUST have an IR Plan » Contractual terms with appropriate risk shifting / allocation – e.g., will you require vendor to carry cyber insurance? » Absolute clarity on definition of “breach” and mutual reporting and cost obligations in breach event » Audit rights, ability to exercise such rights (e.g., questionnaires) » Ongoing due diligence and willingness (ability) to terminate 18

Employee and Customer/Client Training Employee training is key • Tailor to meet staff needs • Interactive training with participation • Index to past experiences and threat intelligence • Lather, rinse, repeat Customer training emphasis (SEC) • 65% of broker dealers offer provide customers with information on reducing cybersecurity risks • 19% of advisers provide steps that can reduce cybersecurity risks 19

Recent Enforcement R.T. Jones , Investment Advisor (Sept. 22, 2015)  Rule 30(a) of Regulation S- P (“Safeguards Rule”) – written policies and procedures reasonably designed to: (1) insure security/confidentiality of customer records/info, (2) protect against anticipated threats or hazards to the security/integrity of customer records/info, (3) protect against unauthorized access to or use of customer records and information  Client PII (100,000 individuals) on 3rd party-hosted server, hacker gained full access/copy rights; no harm established  No reasonably designed safeguards: no risk assessments, encryption, firewalls, or incident response procedures  Censured + $75,000 civil penalty + remedial efforts 20