Financial Services IT & Cybersecurity Risk...GRANT THORNTON BREAKFAST SEMINAR Supervisory...
© 2016 Grant Thornton Ireland. All rights reserved
Financial Services IT & Cybersecurity Risk
30 November 2016
Agenda
8.00am Setting the scene
Mike Harris, Grant Thornton
8.05am Guest Speaker
Mary-Elizabeth McMunn, Central Bank of Ireland
8.25am IT & Cybersecurity risk
Mike Harris, Grant Thornton
9.05am Q&A
Sli.do
• Simply enter sli.do into the address bar of your browser
• Sign in with event code #GTcyber
• Touch the ‘ask’ screen if you wish to put a question to a panellist – you can do so anonymously or sign your name to it.
GRANT THORNTON BREAKFAST SEMINAR
Supervisory Expectations on Management of IT & Cybersecurity Risks
Mary-Elizabeth McMunn, Head of Supervisory Risk Division, Policy & Risk Directorate
30 November 2016
Topics Covered in Presentation
• Introduction
• Supervisory Initiatives
• Publication of Cross Industry Guidance
• High Level Findings
• Key Messages for Industry on Cybersecurity
• Questions for Senior Leadership & Concluding Remarks
IT is intrinsic to the provision of financial services
(Figure: IT at the centre of strategy, innovation, data, customer relations, critical operations and digitisation.)
Sources: Gemalto, IBM/Ponemon 2015, Microsoft Advanced Threat Analytics, Verizon DBIR 2016.
What firms are saying…
Top 10 Global Business Risks for 2016
1. Business interruption
2. Market developments
3. Cyber incidents
4. Natural catastrophes
5. Changes in legislation/regulation
6. Macroeconomic developments
7. Reputational or brand damage
8. Fire, explosion
9. Political risks
10. Theft, fraud and corruption
Source: Allianz Risk Barometer: Top Business Risks Survey 2016
What is preventing firms from being better prepared against cyber risks?
1. Lack of understanding
2. Financial implications not fully analysed
3. Budget constraints
Supervisory Initiatives
• Key IT/cyber risk initiatives through 2015-16 include:
– IT risk inspection team in Banking Supervision established
– Themed review of operational risk around cybersecurity in investment firms
– Auditors review in certain firms on governance around cybercrime
– Dear CEO letter to investment firms on cyber fraud
– Dedicated operational risk policy team established
– Publication of Cross Industry Guidance
Publication of Cross Industry Guidance
Key Objectives
• Emphasis on Board and SM responsibility
• Raise standards of governance and management of IT related risks across supervised sectors
• Drive actions to strengthen firms’ resilience to IT failures and cybersecurity incidents
(Figure: operational resilience, consumer protection, financial stability.)
• Impetus: Consolidate findings and articulate clear expectations to industry
Introduction to the Guidance
Who
• All Central Bank regulated firms
How
• Firms should use it to inform future development of their IT governance and risk management frameworks.
• Principle of proportionality applies.
What
• Key supervisory findings
• Expectations informed by generally accepted good practices in:
– IT Governance
– IT Risk Management
– Cybersecurity
– Outsourcing of IT Systems and Services
High Level Findings
1. IT and cyber risks not sufficiently prioritised by Senior Leadership
2. Insufficient alignment of the business & IT strategies
3. Inadequate security awareness training of staff
4. IT risk assessment and identification processes are insufficiently robust
5. Poor data management practices
6. Incident response capabilities vary greatly among firms
7. Weaknesses in the management of IT outsourcing arrangements
Recent Events
• 134,000 customer records (unauthorised use of employee credentials)
• £2.5m cash stolen from 9,000 accounts (unknown)
• 500m records breached, potential impact on Verizon merger (2014 hack, disclosed 2016)
• FriendFinder Network – 412m customer records breached (hack)
• Madison Square Garden Co. payments processing (malware)
Key Messages for Industry (cybersecurity)
• Cyber risk should be among the Board’s top priorities
• Identify your ‘crown jewels’ and adequately safeguard
• Prepare for the worst
• Participate in cyber information sharing networks
• Address the human factor
Human Error
Some Questions for Senior Leadership
• What are the key IT and cybersecurity risks facing your firm?
• Do you know what your critical IT and data assets are and how they are being safeguarded?
• How does the firm assure itself that IT risk controls are being implemented effectively?
• Does the firm consider cyber event scenarios in its business continuity and disaster recovery planning?
• When considering your strategic priorities, IT infrastructure, risk management and culture, outsourcing arrangements and cyber situational awareness: are you comfortable with the level of IT risk your firm is taking?
Concluding Remarks
• Continued focus by Central Bank
• Guidance should inform existing and future development of IT RMF
• Supervisors/Inspectors will be reviewing progress
• Ongoing dialogue to inform policy development
Thank you
Financial Services IT & Cybersecurity Risk
30 November 2016
Mike Harris, Partner, Grant Thornton Ireland
Agenda
• introduction
• practical considerations
– IT governance
– IT risk
– cybersecurity
– outsourcing
• conclusions
Introduction
Attacks continue and escalate
Corporate risk management
NYSE Survey Cybersecurity in the Boardroom
Attacks continue and escalate
Cyber & IT governance & risk
Focus
• IT governance
• IT risk management
• outsourcing
Cyber security
The board
• senior manager with accountability for information security
• or a board member with appropriate training
• board satisfaction that:
– policies and procedures are robust and can comprehensively facilitate the firm’s cyber-security needs
The board
• Cyber-security as a standing agenda item at board meetings
• an understanding at board level of the assets and information of most value to the firm
• a clear reporting line to the board for cyber-security incidents
Cyber strategy
• Cyber security strategy focusing on what needs to be protected
• Everyone should be aware of the role that they have to play in making their firm cyber-secure
• Identify priorities for protection starting with a risk assessment and gap analysis
• Effective policies embed cyber-security within the business
Cyber frameworks
Prepare
• cyber security risk and threat assessment
• security process or technical assessments
• security policy development
• third party cyber security assurance
Protect
• security architecture
• security technology implementation eg SIEM (outsourcing!)
• security process design and implementation
• identity and access management
• privacy and data protection
• data classification
• enterprise application integrity
• business continuity and disaster recovery
• penetration testing
React
• security operations and monitoring
• security and data breach incident response
Change
• security program strategy and planning
• security governance
• security awareness
Cyber strategy
(Figure: capability maturity assessment across the five functions, plotting critical CE capability against the capability gap at each level.)
Maturity levels: 1 Initial or Ad-hoc; 2 Repeatable; 3 Managed & Measurable; 4 Optimised
• Identify – Asset Management, Governance, Risk Assessment, Risk Management Strategy
• Protect – Access Control, Awareness Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology
• Detect – Anomalies and events, Security Continuous Monitoring, Detection Processes
• Respond – Response Planning, Communications, Analysis, Mitigation, Improvements
• Recover – Recovery Planning, Improvements, Communication
Dealing with incidents
• established procedures to deal with a successful attack
• contingency plans in the event of a systems breach or data compromise
• report any substantial attack/ successful breach of systems to the Central Bank
Ability to withstand a significant cyber attack
Staff training and awareness
• training for staff with periodic testing of responses to cyber attack scenarios
Third parties
• third party cyber-security standards
• minimise impact should the third party be subject to cyber attack
Other
• payment processes
• protection of mobile devices
• regular IT audit & penetration tests
• keeping up to date on current cybersecurity threats
And finally
• If an entity relies on the IT infrastructure of their parent/group, formal sign-off of a localised version of the policies is recommended to ensure that they are appropriate for the local firm
Conclusions
Conclusions
• a standards-based approach is best
• structure & risk assessment
• however, not a compliance exercise
• need a structured cyber strategy
• with formal project management
Questions
Feedback form
Thank you!