Tailored Cyber Risk Solutions for Community Banks


  1. Tailored Cyber Risk Solutions for Community Banks

     As a community financial institution, your cyber risks and regulatory expectations are growing faster than your resources to deal with them. Unfortunately, a single public cybersecurity or data breach can pose an existential threat to a community bank.

     CyberFortis™ was formed to address community banks’ need for high quality cybersecurity services at a price they can afford. Leveraging a decade of experience supporting the federal government and insurance industry, CyberFortis™ helps community banks prevent and detect cyber threats and correct and recover from cyber intrusions. CyberFortis™ also ensures your institution meets and exceeds all regulatory requirements, all through a variety of reasonably priced tiered solutions.

     Prepare for New Regulatory Focus on Third-Party Risks

     Outsourced third-party service providers have always been subject to regulatory scrutiny. Now, regulatory expectations regarding the cyber readiness of your vendors are even greater. Secure Halo™ is a user-friendly, online tool that enables your institution to assess your vendors’ cybersecurity risks and readiness.

     With Secure Halo, you can look at third-party risks and readiness either in aggregate or take a deeper dive by vendor or risk domain. Secure Halo also allows you to track remediation efforts by your vendors.

     SECURE HALO™ ASSESSMENT IMPROVES EFFICIENCY
     » Easily distribute assessment to vendors, supply chain, acquisition targets and track completion
     » View immediate results and prioritized recommendations in convenient dashboard
     » Inform C-suite and Board with Executive Summary
     » Take deeper dive into each report by drilling down into domains and subcategories
     » Make faster and better-informed decisions on security investments, risk transfer, compliance readiness
     » Scalable to business size and need

     www.cyberfortis.com

  2. CyberFortis™ Focuses on Community Banks

     To date, community banks have been forced to rely on general “check the box” products which lack sufficient detail, or turn to high-priced consulting firms that may or may not have the skills necessary to effectively support them. Unlike other service providers who offer cybersecurity “add-on” modules, CyberFortis™ is solely focused on assessing and remediating your cyber risks.

     While the FFIEC Cybersecurity Assessment Tool (CAT) is a good starting place, it is not enough to combat ever evolving cyber risks. Furthermore, as regulatory expectations continue to ratchet up, the need for high-quality partners with experience in cybersecurity becomes even more important. CyberFortis™ provides a suite of services to assess your institution’s risks and readiness with detailed findings and recommendations, as well as executive summaries that allow your officers and board to make informed decisions.

     Enterprise Solutions for All Sizes

     We can provide support to large, complex organizations or become an extension of the team for smaller companies and banks with fewer resources. Within our comprehensive suite of capabilities, we offer:
     • Secure Halo™ enterprise security assessments mapped to NIST and international standards to improve cyber posture, mitigate vendor risk, and qualify for cyber insurance
     • Advisory services including compliance readiness, security program development, and training
     • Professional and Managed Security Services utilizing leading vulnerability management products

     Meet Increased Regulatory and Cybersecurity Demands
     » Prepare for compliance and improve security posture
       » PCI DSS
       » FISMA
       » SEC
       » FFIEC
       » GLBA
       » DFS
     » Measure effectiveness of security programs across third-party service providers
     » Reveal vulnerability gaps
     » Make better-informed security investments
     » Establish or improve cyber risk governance

     To learn more about CyberFortis™, visit www.cyberfortis.com

     CONTACTS
     David Cotney, 617-429-1755, dcotney@cyberfortis.com
     Will Durkee, 301-304-1700, wdurkee@tscadvantage.com

  3. CYBERSECURITY: A Call to Action for Bank Management and Investors

  4. Today’s Panelists
     • Scott Arnold: Advisor, CyberFortis; Board Member, McHenry Savings Bank
     • Chris Marinac: Director of Research, FIG Partners
     • David Cotney: Regulatory Dir, CyberFortis; Fmr. Mass. Banking Commissioner

  5. Agenda
     • Cyber Risks for 2019
     • Enterprise Risk Management Approach
     • NY DFS Regulations as a Template for Best Practices
     • Third Party Vendor Risk

  6. Cyber Risks for 2019
     • OCC Supervisory Focus: Cybersecurity and operational resiliency are literally top of the list.
     • Threats Increasing: “Banks have seen an uptick in attempted cyberattacks in recent weeks.” “Federal officials are stepping up warnings to banks about cyberthreats.”
     • Remediation Costs Rising: “…firms spent an average of $2.92 for every dollar of fraud or theft stemming from a digital attack” – an increase of 9% from a year earlier.

     WSJ 10/1/2018; ABA 10/3/2018

     “Botnets increasingly prey on small banks and credit unions.” “Thirty billion malicious login attempts from Nov. 2016 to June 2017.” American Banker 9/20/2018

  7. Enterprise Risk Management
     • Adopting ERM Philosophy
     • Security vs. Compliance
     • Practical Steps
       • Critical Asset Inventory
       • Risk Assessment
       • Risk Management Plan

  8. NY Department of Financial Services Best Practices
     • Many financial services companies covered
       • Even if not regulated by NY DFS
     • Best practices that banks should look to adopt
       • Ownership by Board and C-Suite
       • Comprehensive Cyber Risk Assessment
       • Management of cyber risk of third party vendors
     • Influence of NY DFS cybersecurity regulation
       • October 2017 the NAIC adopted its Insurance Data Security Model Law (NAIC Model) which closely follows NY DFS concepts
       • Possibility of other jurisdictions looking to NY DFS regulation (or parts therein) as a model

  9. Must We Be Our Brothers’ Keeper?
     • Scottrade Bank’s breach underlines third-party vendor risk
     • Exposed nonpublic information of 20,000 consumer and business customers
     • Contained commercial loan application information for a B2B unit of the bank
     • Included 48,000 lessee credit profiles and 11,000 guarantor files
     • Social Security Numbers, names, addresses, phone numbers, passwords, credit report credentials
     • Third-party vendor’s cloud server did not have all security protocols in place
     • Information had no encryption
     • Breach happened in the midst of an acquisition of Scottrade by TD Ameritrade

     Sources: American Banker, CSO Online

  10. How Regulators View Third-Party Risk Management
      1. Increasing cyber risks related to third parties
      2. Regulators expect robust TPRM program, including establishing risk tolerance, independent reviews, AND active board involvement
      3. Recent OCC guidance encourages collaboration on TPRM to leverage resources and promote knowledge transfer

  11. Expectations of Banks

      Bank is ultimately responsible for making its own decisions:
      • Risk tolerance and risk controls
      • Mitigating controls and remediation
      • Whether to renew or terminate a contract

  12. What Else Regulators Are Thinking

      Have you ever said, “I’ve met FFIEC CAT baseline, so I’m OK”?
      • That’s a concern for regulators.
      • Threats are evolving
      • Banks’ products, services, and environments are changing
      • Achieving baseline is only good enough on the date it was completed

  13. What Can a Bank Do?

      First, don’t think of the CAT or other tools as a “check the box” annual exercise.

      Use your cybersecurity risk assessment to reexamine your inherent risk profile and maturity level before you introduce new products, services, or initiatives, including new third-party connections, M&A, etc.

      Finally, securing the assets of the bank and your customers requires moving from baseline (a compliance-driven approach) to higher maturity levels (an enterprise risk approach).

  14. Questions

  15. For More Information

      www.cyberfortis.com

      David J. Cotney, Regulatory Director, CyberFortis-TSC
      Cell 617.429.1755
      Email dcotney@cyberfortis.com

      Scott Arnold, Executive Vice President & Advisor, CyberFortis-TSC
      Cell 646.670.2603
      Email sarnold@cyberfortis.com

  16. Secure Halo™ Improves Understanding of Cyber Risk

      Companies need meaningful insight into how vulnerable they are to expanding and evolving digital risks. The Secure Halo™ platform provides a holistic view of cyber risk exposure, including from leading threat vectors like insider threat and third-party dependencies, to empower market-driven and threat-based decisions while also meeting regulatory requirements.

      Secure Halo™ is completed in a user-friendly, intuitive, online format that provides a holistic assessment of your enterprise security. The platform offers a prioritized list of recommendations, according to the responses given, based on the significance of impact and the level of effort needed to implement them, leading to consequential and efficient changes to security practices. Through in-depth analysis of individual security controls across multiple risk domains, Secure Halo™ helps determine an organization’s ability to protect, detect, and recover from cyber incidents.

      Secure Halo™ Assessment Improves Efficiency
      » View immediate results and prioritized recommendations in convenient dashboard
      » Easily distribute assessment to clients or vendors, and track completion
      » Make faster and better-informed decisions
      » Scalable to business size and need

      www.cyberfortis.com
