CYBER RESILIENCE AND CRISIS MANAGEMENT IN THE SECURITIES INDUSTRY FEBRUARY 6, 2014
Karl Schimmeck • Karl Schimmeck is Managing Director of Financial Services Operations at SIFMA. He brings over 15 years of experience in operations, technology, finance and risk management. He is responsible, as staff advisor, for supporting SIFMA’s work on technology, business resiliency, operational risk and cybersecurity issues. • Prior to joining SIFMA, Mr. Schimmeck held finance and operational risk positions at Goldman Sachs specifically in the areas of Derivative Operations and Shared Services. Additionally, he worked for PTC, a firm focused on providing product development and data management solutions, from 2000 to 2006, holding program management and strategy positions within their global services advisory practice. Prior to that he served in the United States Marine Corps during which time he achieved the rank of Captain. • He holds an MBA from the NYU Stern School of Business and a BS in Industrial Engineering from Cornell University. 2
Timothy J. Nagle • Member of the Data Privacy, Security and Management team and the Global Regulatory Enforcement group. • Previously in house counsel with a global financial services firm where he supported security, privacy and technology executives including the Chief Information Security Officer and the privacy breach response team. • Served as counsel to the Deputy Director for Information tnagle@reedsmith.com Systems Security at NSA; directly supported the network (202) 414 9225 penetration testing team. Washington, D.C. • Broad background in technology, security, investigations and privacy in both government and industry. • Supports financial institution clients as well as clients in the energy, government contracting, retail and health care sectors on data security and privacy matters. • Certified Information Privacy Professional; maintains active federal government security clearance. 3
Agenda • Background and current threat environment • Results of Quantum Dawn 2 • Components of an Effective Cyber Incident Response Plan • Outlook for 2014 • Five Takeaways for Your Organization 4
Cybersecurity as a Risk Consideration • Loss of data confidentiality, integrity or availability impacts proprietary data, client information, and system functionality • FINRA Regulatory and Examination priorities for 2014 include cybersecurity. • OCC lists security and reliability as systemic operational risks (e.g. DDOS Guidance) • SEC CF Disclosure Guidance on Cybersecurity o “a computer system failure or security breach could disrupt the company’s business and damage its reputation” 5
Intelligence Community Threat Assessment 6
Intelligence Threat Assessment (cont.) 7
FINRA Regulatory and Exam Priorities (2014) Cybersecurity Cybersecurity remains a priority for FINRA in 2014 given the ongoing cybersecurity issues reported across the financial services industry. In recent years, many of the nation’s largest financial institutions were targeted for disruptions through a range of different types of attacks. The frequency and sophistication of these attacks appears to be increasing. In light of this ongoing threat, FINRA continues to be concerned about the integrity of firms’ infrastructure and the safety and security of sensitive customer data. Our primary focus is the integrity of firms’ policies, procedures and controls to protect sensitive customer data. FINRA’s evaluation of such controls may take the form of examinations and targeted investigations. 8
OCC Semiannual Risk Perspective – Fall 2013 Increasingly sophisticated cyber-threats, expanding reliance on technology, and changing regulatory requirements heighten operational risk. • Cyber -threats continue to increase in sophistication and frequency and require heightened awareness and appropriate resources to identify, mitigate, and respond to the associated risks. Known impacts include reduced availability or diminished response times of online banking Web sites, identity theft, fraud, and theft of intellectual property. The costs and resources needed to manage the risks continue to increase; at the same time, the tools and knowledge to conduct the attacks are more readily available. Additionally, institutions’ early adoption of new technology and their growing reliance on third- party providers may expand the overall system’s vulnerabilities to these attacks. According to industry threat reports, attackers may increasingly target smaller institutions that they perceive to lack the resources necessary to identify and prevent successful attacks. Sometimes attackers execute denial-of-service attacks to divert attention away from other systems, such as wire transfers. Moreover, the interconnectedness of systems across the banking industry creates growing concern that cyber-attacks may increasingly affect multiple organizations at once. 9
Positive Results of Quantum Dawn 2 Brought together key members of business, operations, technology, security, and crisis management teams, allowing them to escalate and respond to cyber-attack scenarios effectively. The ongoing public-private partnership between the sector and various government and regulatory agencies that play a critical role in protecting the markets and investor confidence was furthered. Highlighted the value of information sharing via the Financial Services Information Sharing and Analysis Center (FS-ISAC), SIFMA, established peer-to-peer relationships and other trade organizations as an enabler to a more effective response. Participants executed on the core components of the incident command structure as defined in the sector playbook and other relevant protocols. 10
Lessons Learned from Quantum Dawn 2 Improve coordination between business and technology leaders during cyber incident analysis and response. Firms need to be more fully aware of the impacts. Enhance protocols to promote increased communication and information sharing among market participants. The speed of sharing needs to increase. Invest in next-generation capabilities to support systemic risk analytics, information sharing, and crisis management. The speed of analysis needs to increase. Formalize public awareness and communications strategies with a view to promote trust and confidence in the markets. Communicating to entities impacted is not optional. 11
Scope • Internal Systems • Employees or System Users (Insider Threat) o Internal versus external actor may change response actions • Vendors o Supporting critical functions o Providing response and recovery capabilities • Counterparties, exchanges, trading platforms o Your systems may not be impacted, but you must have options for continued operations 12
Components of an Effective Cyber Incident Response Plan “There are two kinds of companies. Those that have been hacked, and those that have been hacked but don’t know it yet.” House Intelligence Committee Chairman Mike Rogers (R. - MI) 13
Components of an Effective Cyber Incident Response Plan 1. Assign an executive to be responsible for the development, maintenance and implementation of the plan, integrating incident-response efforts across business units and geographies and communicating internally. 2. Identify risks, threats/vulnerabilities, and potential failure modes. Review them continually to reflect changes in the threat and operating environment. 3. Develop easily accessible quick-response guides for likely scenarios. 4. Identify a core team and establish processes and authority for significant decisions such as when to isolate compromised areas of the network. 5. Maintain relationships with key external entities such as law enforcement, industry groups (FS-ISAC), outside counsel and security firms. 14
Components of an Effective Cyber Incident Response Plan 6. Maintain a repository of agreements with critical service providers and event response firms to identify expected service levels and recovery objectives. 7. Ensure that business continuity and response plans are readily accessible to all business units and are routinely updated. 8. Plan for how you would interact with law enforcement, either because their involvement is necessary or because they informed you of the activity. 9. Identify the individuals on the core team or business units who are critical to incident response and ensure redundancy. 10. Routinely test scenarios and responses to evaluate plans and identify changes in operational or personnel requirements (include critical service providers). 15
Considerations for Event Response • Initial Response o Consider Legal Department direction of the “Investigation” to preserve the option of asserting Attorney-Client Privilege o Create agreed protocol to limit confusion, prevent redundant or inconsistent internal or external communications and maintain regularity of process o Breach response by security and investigations groups must also include corporate communications, line of business, regulatory relations, Compliance, and Legal • Use of External Resources o Vendor security and investigations staff if they have a role o Law enforcement or industry group support • Notifications to Clients, Customers, Counterparties, Regulators or State Entities o Consider both state and federal requirements o May be based on contract or operating rules o Interested regulators may include FRB, FDIC, SEC/FINRA, CFPB and FTC 16
Recommend
More recommend
