An (Outsider’s) View · from Inside the Beltway Denyette DePierro Vice President & Senior...
An (Outsider’s) View
from Inside the Beltway
Denyette DePierro, Vice President & Senior Counsel, Cybersecurity, Office of Advocacy and Innovation, American Bankers Association
• Embattled White House under investigation
• Midterm Elections
• What happens when things go wrong?
aba.com 1-800-BANKERS
FFIEC IT Handbook 2018 Updates
• Business Continuity Management
• Operations, Infrastructure, and Architecture
• Development and Acquisition
• Outsourcing Technology Services
• Payments
FFIEC Agency Priorities – IT Exams
1. “Fundamental” Internal Controls
2. Cyber hygiene
3. IT asset inventory and reporting
4. Patching
5. Ongoing Staff Education and Training
6. Threat intel and vulnerability management
7. Third party risk: interconnectedness
8. Third party risk: cybersecurity
QUESTIONS?
www.fsscc.org/files/galleries/FSSCC_Cyber_Insurance_Purchasers_Guide_FINAL-TLP_White.pdf
2016 Information Security Exam Tool: http://www.aba.com/Tools/Function/Technology/Documents/IT-Examination-Toolkit.pdf
Incident Response Guide: https://www.aba.com/Tools/Function/Cyber/Pages/IncidentResponseGuide.aspx
Incident Response: Natural Disasters
Harvey: https://www.aba.com/Tools/Function/Fraud/Pages/hurricane-harvey.aspx
Irma: https://www.aba.com/Tools/Function/Fraud/Pages/hurricane-irma.aspx
• Department of Homeland Security
• Department of Energy
• FEMA
• Banking Agencies
• FS-ISAC
An Executive Summary: The Issue the Profile Addresses, Its Development as a Solution, Its Benefits, and Support
The Issue: Domestic and international regulatory agencies ask the same question in many different ways, stretching already scarce cybersecurity talent.
The Profile as a Solution: The Profile, Version 1.0, is a common, standardized approach that can act as a baseline for examination and future cyber regulation: fill out once per exam cycle, report out many.
Voluntary with Many Benefits, Including:
• Provides more consistent and efficient processing of examination material by both firms and regulators.
• Allows Regulators and Firms to focus on what’s important.
• Establishes an Industry best practice beyond regulatory use.
Supporting Associations:
Benefits Explored - Efficiencies Gained
73% Reduction for Community Institution Assessment Questions. For the least complex and interconnected institutions, it is expected that they would answer a total of 145 questions (9 tiering questions + 136 Diagnostic Statement questions). As compared to another widely-used assessment tool’s 533 questions, this represents a 73% reduction.
49% Reduction in Assessment Questions for the Largest Institutions. For the most complex and interconnected institutions, the reduction also is significant. With the Profile, it is expected that such institutions would answer 279 questions (2 tiering questions + 277 Diagnostic Statement questions) as compared to the other widely-used assessment’s 533, a 49% reduction.
Regulatory Redundancy & Complexity
To assess compliance with a requirement defined in multiple sources, each regulator asks for information in a different way, to which a financial institution provides a different response.
EXAMPLE 1
Requirement that the organization will have a formal third party due diligence and monitoring program.
Sources: OCC 2013-29, FRSR 13-19, ANPR/4, NYDFS/500.11, FFIEC/4, COBIT 5, ISA 62443-2-1:2009, ISA 62443-3-3:2013, ISO/IEC 27001:2013, NIST SP 800-53
OCC: “Provide a description of outsourced application development arrangements.”
A listing of approved application development suppliers
FRB: “Provide documentation on third party relationship lifecycle”
Third Party Oversight Policy, Standards, other materials
NFA: “Provide documentation on due diligence on critical service providers”
Overview of Firmwide Critical Supplier function
FINRA: “Provide information on ongoing due diligence on existing vendors”
Overview of Third Party Oversight function
NFA: “Provide information on measures to conduct due diligence on third party providers with access to the firm’s data or information systems.”
Overview of Third Party Control Assessment process
EXAMPLE 2
Requirement that the organization will conduct risk assessment to define, implement and monitor controls to address the risks presented by each third party.
Sources: OCC 2013-29, FRSR 13-19, ANPR/4, NYDFS/500.11, FFIEC/4
OCC: “Provide a detail of Third party Risk Assessment process”
Overview of Inherent Risk Rating, Control Assessment Questionnaire, Contracting process
FINRA: “Provide understanding of vendor relationships, outsourced systems and processes as part of the firm’s risk assessment process”
Overview of Third Party Oversight function and control assessment process
CFTC: “Provide cybersecurity risk assessments of vendors and business partners”
Overview of Third Party Oversight function and risk assessments
OCC: “Provide the most recently completed supplier risk assessment”
Supplier risk and control assessment results for specified suppliers
NFA: “Describe how the bank assesses threats posed through any third party”
Overview of Third Party Oversight function, Inherent Risk Rating and Control Assessments
EXAMPLE 3
Requirement that the organization has established policies, plans and procedures to identify and manage risks associated with third parties.
Sources: OCC 2013-29, FRSR 13-19, ANPR/4, NYDFS/500.02, FFIEC/4
Taiwan Financial Supervisory Commission: “Please describe the review process for Third Party Risk Management Policy”
Overview of Policy review process and frequency
Reserve Bank of India: “Describe outsourcing and vendor management process controls”
Third Party Oversight Policy, Standards, assessment process, Minimum Control Requirements for suppliers
Central Bank of Philippines (BSP): “Describe how the bank considers strategic and business objectives prior to outsourcing”
Overview of Third Party Oversight function, including engagement initiation and approvals requirements
Documented Agency Statements of Support
FFIEC: “The Federal Financial Institutions Examination Council (FFIEC) is commemorating the 15th annual National Cybersecurity Awareness Month, an initiative to raise awareness about the importance of cybersecurity, by publishing a Cybersecurity Resource Guide … These resources are actionable and help financial institutions manage cybersecurity risk regardless of whether they use the FFIEC Cybersecurity Assessment Tool, NIST Cybersecurity Framework, Financial Services Sector Specific Cybersecurity Profile, or any other methodology to assess their cybersecurity preparedness.” (Statement made in an FFIEC October 30th email to financial institutions and trade associations).
NIST: “…[O]ne of the more detailed Cybersecurity Framework-based, sector regulatory harmonization approaches to-date.” (Statement from NIST’s Oct 18th letter to the FSSCC).
Documented Agency Statements of Support (Cont.)
Federal Reserve: “While we're not going to mandate the use of the profile, we'll welcome any financial institution to provide information to us using the structure and taxonomy of the profile, we see that as a boon for harmonization.” (Statement made at Oct 25th Profile Launch Event).
OCC: “If the industry moves to use this cybersecurity profile, that is what we will base our assessments on….” (Statement made at Oct 25th Profile Launch Event).
FDIC: “That was one of the things, at the FDIC, that we were most interested in is looking at the tiering…I think we need some time with it, our examiners need to get out there and see how institutions are using and applying it.” (Statement made at Oct 25th Profile Launch Event).
SEC: “We've seen vacancies in cybersecurity [jobs] go up to 3 million, so to the extent that we can rationalize and cut down on that duplication, allowing those scarce resources to start driving toward protecting the enterprise, I think we're in a good space.” (Statement made at Oct 25th Profile Launch Event).
Scaling by Impact
Tier 1: National/Super-National Impact
• Designated most critical by one or more US or North American regulatory agencies and/or bodies (e.g., GSIB designation; Executive Order 13636, Section 9 designation).
• Implies the gross cyber risk exposure of an organization or service categorized as Level 1 has the most potential adverse impact to the overall stability of the North American economy and potentially beyond.
Tier 2: Subnational Impact
• Providers of mission critical services.
• Providers of a high number of services to end-consumers with customer counts rising into the millions (over 5M).
• Though not designated as Level 1, implies the gross cyber risk exposure of an organization or service categorized as Level 2 has substantial potential adverse impact to the financial services sector and regions of a nation, but has not risen to the level of most concern.
Tier 3: Sector Impact
• Institutions with a high degree of interconnectedness, with certain institutions acting as key nodes within and for the sector.
• Processor of data for between 1-5 million customers.
• The nature of services that these firms provide to others in the sector plays a significant role in determining those firms’ criticality.
Tier 4: Localized Impact
• Organizations which typically serve a relatively small number of customers.
• Institutions at this level have a limited impact on the Financial Services Sector.
• Typical characteristics include: (a) Institutions with a localized presence (e.g., community banks, state banks); and (b) Providers of services which do not impact the ability of other institutions to provide services that would warrant higher tier designations.
[Figure: Diagnostic Statement counts by Impact Tier, from most to least complex: 277 Diagnostics, 262 Diagnostics, 188 Diagnostics, 136 Diagnostics.]
Each “Impact Tier” is defined based on specific characteristics. The Questionnaire will “off-ramp” firms based on their responses to questions.
Three Year Plan: Four Areas of Focus
(1) Financial Institution Implementation
Rationale: Supervisory agencies are appropriately calibrating their examiner training efforts based on financial institution usage (agencies have requested implementers’ names).
Activities to Support Goal: (1) Implementation workshops; (2) targeted conference presentations; (3) site visits with key firms and personnel to collect lessons learned; (4) examination walk-throughs at key firms to address exam challenges.
Associated Expenditures: Travel, development of implementation guidance, workshop associated costs.
(2) Examiner Education & Training
Rationale: As leading agencies such as the Federal Reserve, OCC, and NYDFS become comfortable with the Profile during the examination process, other agencies and implementing firms, in turn, will as well.
Activities to Support Goal: (1) Agency by agency walk-throughs of the Profile; (2) targeted conference presentations; (3) examination site visits with key firms and agencies to collect lessons learned and make tool adjustments as needed.
Associated Expenditures: Travel, development of implementation guidance.
(3) Integration of Global Cyber Regulatory Regimes
Rationale: In order to gain international acceptance and stave off similar supervisory requirements in areas such as operational risk, it will be necessary to integrate between 3-4 international regulations per year.
Activities to Support Goal: Identify priority regimes based on discussions with non-US trade associations (IIB/IIF), international and US supervisory bodies.
Associated Expenditures: International travel, and consulting fees for mapping and recalibration of Profile components.
(4) Tool Automation & Enhanced Functionality
Rationale: In order to maintain regulatory acceptance of the Profile, a baseline, free Profile is required. However, in order to increase use, enhanced functionality is required.
Activities to Support Goal: (1) Source developer with a high premium on interface design, security, modularity, and ability to auto-ingest supervisory issuances and correlate with the existing Profile; (2) Focus group sessions to assess requirements and gain feedback on mock-ups.
Associated Expenditures: Travel for focus groups, and tool development fees.
Websites
• https://www.fsscc.org/Financial-Sector-Cybersecurity-Profile
• https://www.fsscc.org/The-Profile-FAQs
• https://www.fsscc.org/files/galleries/NIST_Letter_of_Support_re_FSSCC_Financial_Services_Sector_Cybersecurity_Profile.pdf
What is GDPR?
Regulation (EU) 2016/679, General Data Protection Regulation (GDPR)
Regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU.
Effective: May 25, 2018
Penalties: up to 20M Euros or 4% of global annual revenues
What is GDPR?
GDPR does not apply to:
• Personal data of deceased persons, or of legal entities.
• Data used by an individual for purely personal applications (e.g., sending party invite to friends in EU)
• Crime exemption: information sharing between organizations for the purpose of security, and preventing unauthorized access to systems and cyber crime.
What is GDPR User Data?
• Definition is broad and may vary.
• Includes:
– Online identifiers
– Email address
– IP address
– ‘Cookies’
…but not anonymized data.
Does GDPR Apply to You?
GDPR applies to any company that chooses to do business:
1) In the EU
OR
2) With a person in the EU
Does GDPR Apply to Me?
Example #2: When GDPR does not apply to Non-EU Companies
• Your company is a service provider based outside the EU.
• It provides services to customers outside the EU.
• Your clients can use your services when they travel to other countries, including within the EU.
Conclusion:
Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
GDPR and Banking Activities
• International Foreign Exchange
• International Wires
• Remittances
• Wealth Management and Trust Services
• Payments
#3 Do you own or lease office space or employ personnel or technology in the EU to conduct business in the EU?
#4 Do you have vendor relationships to access EU markets or to process the personal data of EU citizens or residents?
#6 Do you specifically market products or services through your bank’s website to people in the EU in one of the 24 EU languages and/or in an EU currency?
#7 Do you allow media marketing partners such as Facebook, Google, Yahoo, to use EU-based search engines for retargeting and analytics, or does your banking website use cookies and track IP addresses and users from the EU?
#8 Do you envisage doing business with people in the EU by directing marketing efforts towards the EU or directly and intentionally facilitating access for potential EU customers to your products and services?
If you answered “no” to these nine questions, it is likely that GDPR does not apply to your institution.
GDPR Response Plan
DO A DATA SELF ASSESSMENT!
Consider your corporate family tree.
Identify customers in the EU.
Review policies and procedures.
Develop GDPR memo.
Retain legal counsel or consultant.
The New Risk Approach
Relationships
• Build deep relationships across first and second lines.
• Easily connect product with the people who have answers.
Clarity
• Translate banking jargon.
• Communicate in clearly understandable and actionable language.
Risk Ranking
• Prioritization of identified risks and next steps.
Action-Oriented
• Manage beyond the checklist.
• Understand the risks and what is needed to mitigate/close risks.
Right-Sized
• Understand the details.
• Work with your experts to identify risk.
• Tailor the risk anxiety to the scope and intent of the project or product.
CapOne. 2018.
About the Speaker
Denyette DePierro, Vice President & Senior Counsel, American Bankers Association
Denyette DePierro joined the American Bankers Association in March 2008. Prior to joining ABA, Denyette was Legislative Counsel at the Independent Community Bankers of America (ICBA) in Washington, D.C. and the California Independent Bankers in Newport Beach, California. Denyette received her J.D. and M.DR from the Pepperdine School of Law, where she was a fellow at the Straus Institute for Dispute Resolution. She received a B.A. from the University of California, Santa Barbara, and was a European Union Fellow at the University of Padua in Padua, Italy in Developmental Economics. At ABA, Denyette focuses on the state, federal, and international regulation of technology, cybersecurity, privacy, data security and emerging trends in banking, including fintech, blockchain, internet of things (IOT), artificial intelligence, and social media.
Email: [email protected] · 202.663.5333 · Twitter: @DenyetteD · LinkedIn: linkedin.com/in/depierro