cyber risk the new business risk
play

Cyber Risk: the New Business Risk Current and Future Regulatory - PowerPoint PPT Presentation

Aug 17, 2022 •176 likes •407 views

Cyber Risk: the New Business Risk Current and Future Regulatory Expectations Presented By: Thomas G. Hinkel CISA, CCSA, CRISC, CCSA, CBCP VP Compliance Services Safe Systems, Inc. tom.hinkel@safesystems.com Safe Systems The Compliance

  1. Cyber Risk: the New Business Risk Current and Future Regulatory Expectations Presented By: Thomas G. Hinkel CISA, CCSA, CRISC, CCSA, CBCP VP – Compliance Services Safe Systems, Inc. tom.hinkel@safesystems.com Safe Systems The Compliance & Technology Partner for Financial Institutions

  2. Agenda • Size, Scope, and Spending • Regulatory History & Recent Regulations (Inc. CAT) • Current Threat Environment • Best Cyber Controls • Next Steps Safe Systems The Compliance & Technology Partner for Financial Institutions

  3. FDIC Cybersecurity Awareness Webinar Safe Systems The Compliance & Technology Partner for Financial Institutions

  4. FFIEC “… cyber threats [are] perhaps the foremost risk facing banks today … [and] represents one of the major, if not the major, risk facing banks today.” (Thomas J. Curry, Remarks at New England Council, Jul. 24, 2015) Safe Systems The Compliance & Technology Partner for Financial Institutions

  5. Safe Systems The Compliance & Technology Partner for Financial Institutions

  6. FFIEC “ A bank should evaluate and manage cyber risk as it does any other business risk. It is not simply the obligation of those employees in the server room, but rather an enterprise-wide initiative involving all employees .” - FFIEC Safe Systems The Compliance & Technology Partner for Financial Institutions

  7. FI Cybersecurity Spending Wells Fargo currently spends $250M. Citigroup annual budget - $300M. J.P. Morgan Chase to double spending in 2016 to $500M. BoA will spend $400M this year (2015), but could be more. “…the only place in the company that doesn’t have a budget constraint is cybersecurity.” – CEO Brian Moynihan Safe Systems The Compliance & Technology Partner for Financial Institutions

  8. How Ready Are Banks For The Rapidly Rising Threat Of Cyberattack? • “Despite the many positives that technology brings to the global banking industry, it also comes with a host of challenges. At or near the top of the list, in Standard & Poor's Ratings Services' opinion, is cybersecurity .” • “…we view weak cybersecurity as an emerging risk that has a potential to result in a negative rating actions. If we were to believe that a bank is ill-prepared to withstand a cyberattack, we could downgrade the bank before an actual attack .” Safe Systems The Compliance & Technology Partner for Financial Institutions

  9. Cyber Insurance Check for the following coverage: • IT equipment and facilities: Damage to the information assets and technology throughout the institution. • Media reconstruction • Extra expense: The extra costs of continuing operations • E-banking activities • Business interruption • Valuable papers and records: Cost to restore or replace papers and records • Errors and omissions Understand Exclusions and Limitations Safe Systems The Compliance & Technology Partner for Financial Institutions

  10. Regulatory History February 2013 - May 7, 2014 – FDIC President signs presents webinar to Executive Order ~6,500 FI CEO’s and February 6, 2015 – February 1, 2016 – “Improving Critical senior managers. November 10, 2015 – FFIEC Releases June 30, 2015 - FFIEC FDIC Supervisory Infrastructure “ Executive Leadership FFIEC updates Appendix J to BCP Releases Cybersecurity Insights publishes “A Cybersecurity,” and of Cybersecurity: Management Handbook addressing Assessment Tool Framework for Presidential Policy What Today's CEOs Handbook Cyber Resiliance Cybersecurity” Directive “Critical Need to Know About Infrastructure Security the Threats They Don't and Resilience.” See.” Safe Systems The Compliance & Technology Partner for Financial Institutions

  11. Current Threat Environment Malware – Malicious software • Often delivered via email (phishing, spear phishing) generally used to gain access to or to damage a computer or • Examples include Ransomware system. Distributed Denial of Service (DDoS) - Attack attempts to make a machine or network connected • Cannot be prevented to the Internet unavailable to its intended users. • DDoS attacks to distract a target organization while Compound Attacks – More than perpetrating another form of attack. one method of attack is deployed simultaneously. • Simultaneous attacks on the Bank and their core processor. Safe Systems The Compliance & Technology Partner for Financial Institutions

  12. FFIEC Cybersecurity Assessment Tool Inherent Risk Profile  Technologies and Connection Types  Delivery Channels  Online/Mobile Products and Technology Services  Organizational Characteristics  External Threats Safe Systems The Compliance & Technology Partner for Financial Institutions

  13. FFIEC Cybersecurity Assessment Tool Cybersecurity Maturity  Cyber Risk Management and Oversight  Threat Intelligence and Collaboration  Cybersecurity Controls  External Dependency Management  Cyber Incident Management and Resilience Safe Systems The Compliance & Technology Partner for Financial Institutions

  14. Cybersecurity Management & Oversight “The Assessment results should be communicated to the chief executive officer (CEO) and Board.” -FFIEC Safe Systems The Compliance & Technology Partner for Financial Institutions

  15. Cybersecurity Cycle Safe Systems The Compliance & Technology Partner for Financial Institutions

  16. Cyber Controls • Threat Intelligence • Security Awareness Training Employees – Entry level to  Board. Make it role specific. Contractors  Customers  Merchants  Third-parties  • Patch Management Programs Safe Systems The Compliance & Technology Partner for Financial Institutions

  17. Summary - Final Thoughts - Employees are a weak link. Train, test, retrain, retest, repeat. Customers are a weak link. Awareness training, outreach. Outsourced relationships are a weak link. • Due diligence, contracts, & ongoing oversight (SOC reports) are key. • Focus on detective and corrective/responsive controls. Safe Systems The Compliance & Technology Partner for Financial Institutions

  18. Summary - Final Thoughts - Don’t Update and test overemphasize your incident preventive response plan. controls, focus on detective and Don’t forget responsive / third-parties. corrective. Information “Self - sharing is assessments” important, but are increasingly most is just important. noise. • Challenge is converting noise into actionable intelligence. Safe Systems The Compliance & Technology Partner for Financial Institutions

  19. Final Thoughts Cyber risk is a substantial business risk. A bank’s board and senior management must understand the seriousness of the threat environment and create a cybersecurity culture throughout the organization. - FDIC Safe Systems The Compliance & Technology Partner for Financial Institutions

  20. Final Thoughts The effective identification and mitigation of cyber risk must be grounded in a strong governance structure with the full support of the board and senior management. - FDIC Safe Systems The Compliance & Technology Partner for Financial Institutions

  21. Keeping Informed - Additional Resources - • www.safesystems.com/cybersecurity/ • www.complianceguru.com • www.safesystems.com/ECAT/ • FFIEC Cybersecurity Awareness http://ffiec.gov/cybersecurity.htm • FDIC Cyber Challenge: A Community Bank Cyber Exercise https://www.fdic.gov/regulations/resources/directo r/technical/cyber/purpose.html Safe Systems The Compliance & Technology Partner for Financial Institutions

  22. Thomas G. Hinkel CISA, CRISC, CCSA, CRMA, CBCP VP – Compliance Services Safe Systems, Inc. tom.hinkel@safesystems.com www.safesystems.com www.complianceguru.com Safe Systems The Compliance & Technology Partner for Financial Institutions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Managing Cyber Risk for State Governments IU Cybersecurity Risk Management Program

Managing Cyber Risk for State Governments IU Cybersecurity Risk Management Program

Managing Cyber Risk for State Governments IU Cybersecurity Risk Management Program Multidisciplinary (Law, Secure Computing, & Business) Built on IUs Cybersecurity Certificates Applied Cybersecurity Risk Management Capstone

1.22k views • 75 slides
Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management Association Date: August 18, 2016 Agenda An Overview of Cyber Risk Exposures 1. Legal & Regulatory Trends 2. Marshs Cyber Risk Management

649 views • 31 slides
Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk Challenges in Assessing and Mitigating Cyber Risk Mustaque Ahamad, Saby Mitra and Paul Royal Georgia Tech Information Security Center Georgia Tech

763 views • 16 slides
Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics

Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics

Introduction Systemic Risk Cyber as systemic Conclusion Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics www.systemicrisk.ac.uk June 10 th 2016 Introduction Systemic Risk Cyber as systemic

351 views • 24 slides
Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to

Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to

Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to prepare for Cyber Risk: 3 2 1 Understand the tech & Cyber insurance Focus on company interconnected risks culture 2 Policy: Protection &

774 views • 18 slides
Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

FREE Lifelong Learning Event for Fasset Members Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk

1.28k views • 105 slides
Mark Fernandes Principal, Cyber Risk Services + FUTURE OF CYBER CYB CYBER SINGU GULAR ARIT

Mark Fernandes Principal, Cyber Risk Services + FUTURE OF CYBER CYB CYBER SINGU GULAR ARIT

Mark Fernandes Principal, Cyber Risk Services + FUTURE OF CYBER CYB CYBER SINGU GULAR ARIT ITY How cyber is becoming a key aspect of the ubiquity generation. CYBER SUMMIT More to come 3 2018 Deloitte Cyber Risk Services 4 2018

514 views • 19 slides
Risk How to assess risk? Javier Estrada No universal agreement about it IESE Business

Risk How to assess risk? Javier Estrada No universal agreement about it IESE Business

Emerging Markets (II): Risk Javier Estrada ADFIN Winter/2014 1. Risk in EMs Introductory issues Wrong focus and implications Political risk: Assessment and incorporation 2. Where to Account for Risk? Possibilities

637 views • 10 slides
Business Strategy Risk Assessment Risk Assessment Nikolaos Karanasios Assistant Professor CEO

Business Strategy Risk Assessment Risk Assessment Nikolaos Karanasios Assistant Professor CEO

Business Strategy Risk Assessment Risk Assessment Nikolaos Karanasios Assistant Professor CEO of the Serres Business & Innovation Centre 05 Risk concept Risk concept Definitions Risk types Risk origin Risk calculation

282 views • 12 slides
Cyber Risk Research at CCRS Jennifer Copic Research Assistant Cambridge Centre for Risk Studies

Cyber Risk Research at CCRS Jennifer Copic Research Assistant Cambridge Centre for Risk Studies

Cambridge Centre for Risk Studies Advisory Board Research Showcase 24 January 2017 Cyber Risk Research at CCRS Jennifer Copic Research Assistant Cambridge Centre for Risk Studies Largest Cyber Data Exfiltration Event: Yahoo August 2013

296 views • 18 slides
Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino,

Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino,

Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino, CSG International Cindy Stevens, Colorado Springs Utilities Agenda What is Cyber Insurance Overview of Cyber Risk Quantifying Cyber

508 views • 23 slides
Cyber Risk Insurance or loss of information from, IT systems and networks. 1. Do I need it? As

Cyber Risk Insurance or loss of information from, IT systems and networks. 1. Do I need it? As

Cyber insurance covers the losses relating to damage to, Cyber Risk Insurance or loss of information from, IT systems and networks. 1. Do I need it? As a business of any size, it is likely you will rely on information technology (IT)

253 views • 6 slides
Risk Assessment Reduce the workers and Biosafety is an inexact science, and

Risk Assessment Reduce the workers and Biosafety is an inexact science, and

Risk Analysis Biosafety Risk assessment, Risk Risk analysis encom passes Management & risk risk assessm ent, risk communication m anagem ent, and risk com m unication. Ephy Khaemba International Livestock Research Institute

506 views • 11 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Cyber Risk Trends: Q1 2017 Sponsored By: Cyber Risk Trends: Q1 2017 Visit www.advisenltd.com at

Cyber Risk Trends: Q1 2017 Sponsored By: Cyber Risk Trends: Q1 2017 Visit www.advisenltd.com at

Cyber Risk Trends: Q1 2017 Sponsored By: Cyber Risk Trends: Q1 2017 Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording of todays webinar Many Thanks to our Sponsor! About Advisen Advisen

530 views • 39 slides
PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models

PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models

PREDICTIVE MODELING CONFERENCE Data Workshop Cyber Risk Models Loss Aggregation Models Advisens Data Assets CYBER RISK MODELS Cyber Case Count over Time Cyber Cases Entered per Day Case Type Composition Total : 21,817 Distribution

967 views • 51 slides
Whats The Next Big Thing in Telecom & IT? Cloud DaaS Desktop as a Service

Whats The Next Big Thing in Telecom & IT? Cloud DaaS Desktop as a Service

Whats The Next Big Thing in Telecom & IT? Cloud DaaS Desktop as a Service Supercharge Your Desktop! Cloud IaaS Infrastructure as a Service Cloud Computing Work Smarter in the Cloud Cloud Single Sign-On Securely Access Many

627 views • 19 slides
SECURING DATA IN A BANKING DOMAIN 1 WHOAMI Federico Leven @ ReactoData

SECURING DATA IN A BANKING DOMAIN 1 WHOAMI Federico Leven @ ReactoData

HADOOP UNDER ATTACK SECURING DATA IN A BANKING DOMAIN 1 WHOAMI Federico Leven @ ReactoData federico@reactodata.net Big Data + Open Source from 2012 Web : http://www.reactodata.net Big Data Meetup coordinator Twitter: @reactodata

378 views • 22 slides
ATLAS Computing: from Development to Operations Dario Barberis CERN & Genoa University/INFN

ATLAS Computing: from Development to Operations Dario Barberis CERN & Genoa University/INFN

ISGC - 27 March 2007 ATLAS Computing: from Development to Operations Dario Barberis CERN & Genoa University/INFN Dario Barberis: ATLAS Computing 1 ISGC - 27 March 2007 Outline Major operations in 2007 Computing Model in a nutshell

531 views • 21 slides
Key messages Supply Chain / Logistics Technological Transformation Border should

Key messages Supply Chain / Logistics Technological Transformation Border should

FUTURE OF COMMERCIAL BORDER CROSSINGS: LEVERAGING EMERGING LOGISTICS TECHNOLOGIES Key messages Supply Chain / Logistics Technological Transformation Border should Leverage existing/emerging technology in logistics Make land

251 views • 14 slides
Grid Computing Jos Cardoso Cunha Dep. Informtica CITI Centre for Informatics and

Grid Computing Jos Cardoso Cunha Dep. Informtica CITI Centre for Informatics and

Grid Computing Jos Cardoso Cunha Dep. Informtica CITI Centre for Informatics and Information Technologies Faculdade de Cincias e Tecnologia Universidade Nova de Lisboa Motivation 1. Concept of a Grid 2. Grid Architecture 3.

542 views • 20 slides
Competition of Distributed and Multiagent Planners (CoDMAP) http://agents.cz/codmap Michal

Competition of Distributed and Multiagent Planners (CoDMAP) http://agents.cz/codmap Michal

Competition of Distributed and Multiagent Planners (CoDMAP) http://agents.cz/codmap Michal Stolba and Anton n Komenda { stolba,komenda } @agents.fel.cvut.cz Department of Computer Science, Faculty of Electrical Engineering, Czech

214 views • 20 slides
Problem Symptom Reduction Technique Identify the real problems MAY 15, 2019 Business

Problem Symptom Reduction Technique Identify the real problems MAY 15, 2019 Business

Aristotelian Problem Symptom Reduction Technique Identify the real problems MAY 15, 2019 Business Solutions Specialist Technical Analyst Business Analyst Business Architect eliciting information root cause analysis problem

649 views • 32 slides
participatory governance syros_14.07.2012 the power of the crowd some facts crowd (people)

participatory governance syros_14.07.2012 the power of the crowd some facts crowd (people)

participatory governance syros_14.07.2012 the power of the crowd some facts crowd (people) has power and wisdom 70% of a decision for a product or procedure is made from what others are saying (so we must get involved) participatory

634 views • 12 slides

More recommend