Tailored Cyber Risk Solutions for Community Banks



SLIDE 1

Tailored Cyber Risk Solutions for Community Banks

As a community financial institution, your cyber risks and regulatory expectations are growing faster than your resources to deal with them. Unfortunately, a single public cybersecurity or data breach can pose an existential threat to a community bank. CyberFortis™ was formed to address community banks’ need for high quality cybersecurity services at a price they can afford. Leveraging a decade of experience supporting the federal government and insurance industry, CyberFortis™ helps community banks prevent and detect cyber threats and correct and recover from cyber intrusions. CyberFortis™ also ensures your institution meets and exceeds all regulatory requirements, all through a variety of reasonably priced tiered solutions.

Prepare for New Regulatory Focus on Third-Party Risks

Outsourced third-party service providers have always been subject to regulatory scrutiny. Now, regulatory expectations regarding the cyber readiness of your vendors are even greater. Secure Halo™ is a user-friendly, online tool that enables your institution to assess your vendors’ cybersecurity risks and readiness. With Secure Halo, you can look at third-party risks and readiness either in aggregate or take a deeper dive by vendor or risk domain. Secure Halo also allows you to track remediation efforts by your vendors.

www.cyberfortis.com

SECURE HALO™ ASSESSMENT IMPROVES EFFICIENCY

» Easily distribute assessment to vendors, supply chain, acquisition targets and track completion
» View immediate results and prioritized recommendations in convenient dashboard
» Inform C-suite and Board with Executive Summary
» Take deeper dive into each report by drilling-down into domains and subcategories
» Make faster and better-informed decisions on security investments, risk transfer, compliance readiness
» Scalable to business size and need

SLIDE 2

CyberFortis™ Focuses on Community Banks

To date, community banks have been forced to rely on general “check the box” products which lack sufficient detail, or turn to high-priced consulting firms that may or may not have the skills necessary to effectively support them. Unlike other service providers who offer cybersecurity “add-on” modules, CyberFortis™ is solely focused on assessing and remediating your cyber risks. While the FFIEC Cybersecurity Assessment Tool (CAT) is a good starting place, it is not enough to combat ever evolving cyber risks. Furthermore, as regulatory expectations continue to ratchet up, the need for high-quality partners with experience in cybersecurity becomes even more important. CyberFortis™ provides a suite of services to assess your institution’s risks and readiness with detailed findings and recommendations, as well as executive summaries that allow your officers and board to make informed decisions.

Enterprise Solutions for All Sizes

We can provide support to large, complex organizations or become an extension of the team for smaller companies and banks with fewer resources. Within our comprehensive suite of capabilities, we offer:

  • Secure Halo™ enterprise security assessments mapped to NIST and international standards to improve cyber posture, mitigate vendor risk, and qualify for cyber insurance
  • Advisory services including compliance readiness, security program development, and training
  • Professional and Managed Security Services utilizing leading vulnerability management products

Meet Increased Regulatory and Cybersecurity Demands

» Prepare for compliance and improve security posture
» PCI DSS
» FISMA
» SEC
» FFIEC
» GLBA
» DFS
» Measure effectiveness of security programs across third-party service providers
» Reveal vulnerability gaps
» Make better-informed security investments
» Establish or improve cyber risk governance

CONTACTS

David Cotney 617-429-1755 dcotney@cyberfortis.com
Will Durkee 301-304-1700 wdurkee@tscadvantage.com

To learn more about CyberFortis™, visit www.cyberfortis.com

SLIDE 3

CYBERSECURITY

A Call to Action for Bank Management and Investors

SLIDE 4

Today’s Panelists


David Cotney
Regulatory Dir, CyberFortis
Fmr. Mass. Banking Commissioner

Scott Arnold
Advisor, CyberFortis
Board Member, McHenry Savings Bank

Chris Marinac
Director of Research
FIG Partners

SLIDE 5

Agenda

  • Third Party Vendor Risk
  • NY DFS Regulations as a Template for Best Practices
  • Enterprise Risk Management Approach
  • Cyber Risks for 2019

SLIDE 6

Cyber Risks for 2019

OCC Supervisory Focus

Cybersecurity and operational resiliency are literally top of the list.

Threats Increasing

“Banks have seen an uptick in attempted cyberattacks in recent weeks.” “Federal officials are stepping up warnings to banks about cyberthreats.” WSJ 10/1/2018

“Botnets increasingly prey on small banks and credit unions.” “Thirty billion malicious login attempts from Nov. 2016 to June 2017.” American Banker 9/20/2018

Remediation Costs Rising

“…firms spent an average of $2.92 for every dollar of fraud or theft stemming from a digital attack” – an increase of 9% from a year earlier. ABA 10/3/2018

SLIDE 7

Enterprise Risk Management

Adopting ERM Philosophy

Security vs. Compliance

Practical Steps

  • Critical Asset Inventory
  • Risk Assessment
  • Risk Management Plan

SLIDE 8


NY Department of Financial Services Best Practices

Many financial services companies covered
Even if not regulated by NY DFS
Best practices that banks should look to adopt

  • Ownership by Board and C-Suite
  • Comprehensive Cyber Risk Assessment
  • Management of cyber risk of third party vendors

Influence of NY DFS cybersecurity regulation

  • In October 2017, the NAIC adopted its Insurance Data Security Model Law (NAIC Model), which closely follows NY DFS concepts
  • Possibility of other jurisdictions looking to NY DFS regulation (or parts therein) as a model

SLIDE 9


  • Scottrade Bank’s breach underlines third-party vendor risk
  • Exposed nonpublic information of 20,000 consumer and business customers
  • Contained commercial loan application information for a B2B unit of the bank
  • Included 48,000 lessee credit profiles and 11,000 guarantor files
  • Social Security Numbers, names, addresses, phone numbers, passwords, credit report credentials
  • Third-party vendor’s cloud server did not have all security protocols in place
  • Information had no encryption
  • Breach happened in the midst of an acquisition of Scottrade by TD Ameritrade

Sources: American Banker, CSO Online

Must We Be Our Brothers’ Keeper?

SLIDE 10

How Regulators View Third-Party Risk Management

1) Increasing cyber risks related to third parties
2) Regulators expect robust TPRM program, including establishing risk tolerance, independent reviews, AND active board involvement
3) Recent OCC guidance encourages collaboration on TPRM to leverage resources and promote knowledge transfer

SLIDE 11


Expectations of Banks

Bank is ultimately responsible for making its own decisions:

  • Risk tolerance and risk controls
  • Mitigating controls and remediation
  • Whether to renew or terminate a contract

SLIDE 12


What Else Regulators Are Thinking

Have you ever said, “I’ve met FFIEC CAT baseline, so I’m OK”?

  • That’s a concern for regulators.
  • Threats are evolving
  • Banks’ products, services, and environments are changing
  • Achieving baseline is only good enough on the date it was completed

SLIDE 13

What Can a Bank Do?


First, don’t think of the CAT or other tools as a check the box annual exercise.

Use your cybersecurity risk assessment to reexamine your inherent risk profile and maturity level before you introduce new products, services, or initiatives, including new third-party connections, M&A, etc.

Finally, securing the assets of the bank and your customers requires moving from baseline (a compliance-driven approach) to higher maturity levels (an enterprise risk approach).

SLIDE 14

Questions

SLIDE 15

For More Information


Scott Arnold
Advisor
CyberFortis-TSC
Cell 646.670.2603
Email sarnold@cyberfortis.com

David J. Cotney
Executive Vice President & Regulatory Director
CyberFortis-TSC
Cell 617.429.1755
Email dcotney@cyberfortis.com

www.cyberfortis.com

SLIDE 16

Secure Halo™ Improves Understanding of Cyber Risk

Companies need meaningful insight into how vulnerable they are to expanding and evolving digital risks. The Secure Halo™ platform provides a holistic view of cyber risk exposure, including from leading threat vectors like insider threat and third-party dependencies, to empower market-driven and threat-based decisions while also meeting regulatory requirements. Secure Halo™ is completed in a user-friendly, intuitive, online format that provides a holistic assessment of your enterprise security. The platform offers a prioritized list of recommendations, according to the responses given, based on the significance of impact and the level of effort needed to implement them, leading to consequential and efficient changes to security practices. Through in-depth analysis of individual security controls across multiple risk domains, Secure Halo™ helps determine an organization’s ability to protect, detect, and recover from cyber incidents.

Secure Halo™ Assessment Improves Efficiency

» View immediate results and prioritized recommendations in convenient dashboard
» Easily distribute assessment to clients or vendors, and track completion
» Make faster and better-informed decisions
» Scalable to business size and need

SLIDE 17

Cyber Risk Assessment Tailored to Your Needs

How it Works

1) Once you subscribe to Secure Halo™, you’ll be given a login to set up your account
2) Fill out the assessment questionnaire
3) Submit assessment and view report

What You Get

  • Overall Client Risk Profile Score
  • Domain Maturity Level Scores with detailed subcategories by domain
  • Resilience Score that exceeds compliance obligations (HIPAA, PCI-DSS, SEC)
  • Top-30 Prioritized Recommendations to achieve “quick wins” based on the security impact and level of effort to remediate

Other CyberFortis™ Services

» Cybersecurity Assessments
» Compliance Readiness
» Third-Party Cyber Risk Management
» Managed Security Services
» Security Programs & Strategic Planning
» Training & Education Programs
