Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015.

Page 1:

Cyber Risk Management Solutions

Fall 2015

Thomas Compliance Associates, Inc. 2015

Page 2:

Cyber Risk Management

Examiners are raising the bar on cyber security compliance

Result of the rapidly changing technological environment

IT exams are getting tougher because there is more technology risk than ever before

The agencies' independent authority conducts audits of the examiners' audit programs

The agencies are making many changes to their exam procedures pursuant to its recommendations

Page 3:

Cyber Risk Management

The FFIEC realizes most banks rely on independent vendors for all or part of their cyber risk management efforts

Not all third party vendors are regulated

Not all vendors are the same in terms of appropriate security controls

Agencies see advantages in standardizing expectations for Cyber Risk Management

Page 4:

Cybersecurity Assessment Tool

Released by the FFIEC on June 30, 2015

The expectation is that the Board of Directors will use this tool to assess cybersecurity risk

The Board is responsible for recognizing the cyber risks you are accepting and what mitigating controls are in place.

The Assessment Tool has two parts:
o Part 1 - Inherent Risk Profile
o Part 2 - Cybersecurity Maturity (mitigating controls)

Page 5:

Cybersecurity Assessment Tool

Part 1 - Inherent Risk Profile

Relies greatly on your ability to identify where sensitive customer data resides throughout your organization.

Early stages indicate examiners will “take your word for it” provided you have documented that you have made a reasonable effort.

Software is now available which can identify all NCI (nonpublic Customer Information) wherever it resides on your various systems.

Page 6:

Cybersecurity Assessment Tool

Part 1 - Inherent Risk Profile

Examiners will quickly evolve and require you to be able to demonstrate, not guess, that you know the location of sensitive data.

Also expect that when you get hacked (not if you get hacked) you know what information was stolen.
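The Part 1 demand on pages 5 and 6, that a bank demonstrate rather than guess where nonpublic customer information resides, is what data-discovery tooling automates. The following is an added example written for this edit, not code from TCA, InfoGPS or any product named in the deck: a small Python scanner that walks a directory tree, flags SSN and payment-card patterns, validates each candidate structurally (SSN area and group rules, Luhn checksum) so that ticket numbers and transaction ids do not pollute the inventory, and returns a per-file count of what was found. The sample documents, paths and numbers in SAMPLE_DOCUMENTS are constructed for the example; 4111 1111 1111 1111 is the standard Visa test number.

```python
"""NPI discovery scanner (added example, not a product from the deck).

Walks a directory tree, flags SSN and payment-card patterns, validates each
candidate structurally to reduce false positives, and returns a per-file
inventory of where nonpublic customer information resides.
"""
import os
import re
from collections import Counter

# Candidate patterns. Word boundaries stop matches inside longer digit runs
# (a 20-digit transaction id will not yield a "card" hit).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators


def valid_ssn(area, group, serial):
    """Structural SSN rules: area 000, 666 and 900-999 are never issued;
    group and serial are never all zeros."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; digits is a string of 0-9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_npi(text):
    """Return [(kind, matched_text), ...] for validated NPI candidates in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


def build_inventory(documents):
    """documents maps path -> text. Returns {path: Counter(kind -> count)}
    containing only the files that hold validated NPI."""
    inventory = {}
    for path, text in documents.items():
        hits = find_npi(text)
        if hits:
            inventory[path] = Counter(kind for kind, _ in hits)
    return inventory


def scan_tree(root, max_bytes=5_000_000):
    """Read every regular file under root as text (undecodable bytes dropped)
    and build the inventory. Oversized or unreadable files are skipped."""
    documents = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    documents[path] = fh.read()
            except OSError:
                continue
    return build_inventory(documents)


# Constructed sample "files": synthetic names and numbers. 4111 1111 1111 1111
# is the standard Visa test number; 000-12-3456 is structurally not an SSN and
# 1234567890123 fails the Luhn check, so neither should appear in the inventory.
SAMPLE_DOCUMENTS = {
    "shares/loans/app_2015-09-14.txt":
        "Applicant: J. Doe  SSN 219-09-9999  Card 4111 1111 1111 1111",
    "shares/marketing/newsletter.txt":
        "Call 1-800-934-REGS. Ticket 000-12-3456 is not an SSN.",
    "shares/ops/export.csv":
        "id,amount\n1234567890123,19.95\n",
}

if __name__ == "__main__":
    # Run on the constructed sample; call scan_tree("/path/to/share") instead
    # to inventory a real file share.
    for path, counts in build_inventory(SAMPLE_DOCUMENTS).items():
        print(path, dict(counts))
```

The structural checks are what make the output defensible in front of an examiner: a regex alone would report the marketing newsletter and the CSV export as holding customer data, and a bank that cannot tell those from the loan application cannot say what was stolen after a breach. A production scanner would also need to open Office and PDF containers, scan database columns, and record the owner and classification of each hit, which this example leaves out.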

Page 7:

Cybersecurity Assessment Tool

Part 2 - Cybersecurity Maturity

Analyzes several factors to determine the controls and risk mitigating practices that are already in place

Cybersecurity Preparedness includes:
o Risk Management and Oversight
o Threat Intelligence and Collaboration
o Cybersecurity Controls
o External Dependency Management
o Cyber Incident Management and Resilience

Page 8:

Cybersecurity Preparedness

Risk Management and Oversight: governance, allocation of resources, and training and awareness of employees

Threat Intelligence and Collaboration: gathering, monitoring, analyzing and sharing information from multiple sources on cyber threats and vulnerabilities

Page 9:

Cybersecurity Preparedness

Cybersecurity Controls: a combination of preventative, detective and corrective controls

External Dependency Management: includes connectivity to third party providers, business partners, customers or others, and your institution's expectations and practices to oversee these relationships

Cyber Incident Management and Resilience: detection, response, mitigation, escalation, reporting and resilience

Page 10:

Cybersecurity – Preparing for the Next IT Examination

Board should be prepared to answer questions about information security during next IT exam

Document the Board’s participation in training; use available FFIEC resources

Page 11:

Cybersecurity – Preparing for the Next IT Examination

Be able to exhibit that the Board and Management understand supervisory expectations and have a high awareness of cybersecurity risks (threats and vulnerabilities) and how that risk is mitigated

IT Officer should have completed the Cybersecurity Assessment Tool

A documented, reasonable approach: InfoGPS puts you half a step ahead of your examiners

Page 12:

Cybersecurity and My Bank

Are you plugged into the Cloud?

Page 13:

Cybersecurity and My Bank

Are you plugged into the Cloud?

Google, Bing, Yahoo Search

Social Media

LexisNexis

FinCEN

Core Vendor Services

Local IT Outsourcing

Page 14:

Cybersecurity and My Bank

Are you plugged into the Cloud? So are the Cyber Criminals

Mark Wilson
Page 15:

Cybersecurity and My Bank

Are you plugged into the Cloud? So are the Cyber Criminals

How do Banks Address this Risk ?

Page 16:

Cybersecurity and My Bank

TCA addresses Cybersecurity in its IT Audit Program

IT Audit is a Method of Measuring and Managing Risk

Page 17:

IT Audit

Fundamental Components

Risk Assessments

Asset Management

Confidential Data

Page 18:

IT Audit

Examiners Now View the Enterprise Through a Cybersecurity Lens

Page 19:

Examiner IT Audit Requirements

Show me your IT Risk Assessment

Show me your Enterprise Assets

Show me where your Sensitive Information Resides

Page 20:

Show me your IT Risk Assessment

Show me your Enterprise Assets

Show me where your Sensitive Information Resides

Can Your Bank Respond to These Examiner Requirements?

Page 21:

Completes much of your IT Risk Assessment and Cybersecurity Assessment Tool

Inventories your Enterprise Assets (HW, SW, Applications)

Identifies where your Customer Information Resides

Monitors and Reports on the Creation and Movement of Sensitive Data

There is a Product that Addresses these Compliance Mandates!

Page 22:

Back to the Future, an Old Requirement

Gramm-Leach-Bliley Act 1999 (GLBA)

Joint Release "Safeguarding of Customer Information"

FFIEC IT Handbook:

Institutions may establish an information data classification program to identify and rank data, systems, and applications in order of importance. Classifying data allows the institution to ensure consistent protection of information and other critical data throughout the system. Classifying systems allows the institution to focus its controls and efforts in an efficient and structured manner.

Page 23:

2015 Cybersecurity Assessment Requirement

Cybersecurity Assessment Tool, page 22: IT Asset Management - Baseline

• An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.

• Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value.

Page 24:

Cybersecurity Assessment Tool Underscores Fundamentals.

Cyber Incident Management and Resilience

External Dependency Management

Cybersecurity Controls

Threat Intelligence and Collaboration

Risk Management and Oversight

Page 28:

Do the Fundamentals First: Know your IS Assets

An accurate knowledge of your IS Assets, specifically your data assets, is critical to perform ALL of the following:

• Compliance & Audit
• IS Risk Assessment
• Craft the Information Security Program
• Prepare for Business Resiliency
• Prepare for Incident Response
• Obtain favorably priced Cyber Security Insurance
• Properly educate your Board
• Properly apply controls to protect your Data

Page 34:

Cybersecurity Summary

FIs are critically dependent on IT to conduct business operations – there is increasing interconnectedness between different business sectors.

Cyber threats are evolving very rapidly, and it is no longer a matter of those who have been hacked and those who haven't

Page 35:

Cybersecurity Summary

Examiners now acknowledge all FIs have been or will be hacked – let that sink in for a minute!

The difference will be between those who know what data was compromised and those who do not

Those who do not will be required to devote significant resources to determine what was lost, who was affected, and how to resolve enforcement actions and manage significant reputation risks. As a result you will see examiners establishing new standards for identification and management of Nonpublic Personal Information

Page 36:

Cybersecurity Summary

Bottom Line: The OCC (and all of the regulatory agencies) are reviewing and updating current guidance and examination procedures to align with changing cybersecurity risk

Your choice of vendor for IT Audit is critical, and you must ensure the vendor is adjusting its audit approach to be consistent with the significant changes being made by examiners

Your next IT examination will be tougher than any IT examination before it – your ability to exhibit an understanding of your risk and how you manage it is paramount

Page 37:

Questions?

Please use the Chat feature to submit questions now!

Page 38:

TCA, Inc.
1-800-934-REGS
www.tcaregs.com

©2015 TCA, INC.