Financial Services IT & Cybersecurity Risk
Grant Thornton Breakfast Seminar: Supervisory Expectations on Management of IT & Cybersecurity Risks

© 2016 Grant Thornton Ireland. All rights reserved.

Page 1

Financial Services IT & Cybersecurity Risk

30 November 2016

Page 2

Agenda

8.00am Setting the scene

Mike Harris, Grant Thornton

8.05am Guest Speaker

Mary-Elizabeth McMunn, Central Bank of Ireland

8.25am IT & Cybersecurity risk

Mike Harris, Grant Thornton

9.05am Q&A

Page 3

Sli.do

• Simply enter sli.do into the address bar of your browser
• Sign in with event code #GTcyber
• Touch the ‘ask’ screen if you wish to put a question to a panellist – you can do so anonymously or sign your name to it.

Page 4

GRANT THORNTON BREAKFAST SEMINAR

Supervisory Expectations on Management of IT & Cybersecurity Risks

Mary-Elizabeth McMunn, Head of Supervisory Risk Division, Policy & Risk Directorate, 30 November 2016

Page 5

Topics Covered in Presentation

• Introduction

• Supervisory Initiatives

• Publication of Cross Industry Guidance

• High Level Findings

• Key Messages for Industry on Cybersecurity

• Questions for Senior Leadership & Concluding Remarks


Page 6

IT is intrinsic to the provision of financial services

Sources: Gemalto, IBM/Ponemon 2015, Microsoft Advanced Threat Analytics, Verizon DBIR 2016.

Diagram: IT at the centre of Strategy, Innovation, Data, Customer relations, Critical operations and Digitisation.

Page 7

What firms are saying…

Top 10 Global Business Risks for 2016
1. Business interruption
2. Market developments
3. Cyber incidents
4. Natural catastrophes
5. Changes in legislation/regulation
6. Macroeconomic developments
7. Reputational or brand damage
8. Fire, explosion
9. Political risks
10. Theft, fraud and corruption
Source: Allianz Risk Barometer: Top Business Risks Survey 2016

What is preventing firms from being better prepared against cyber risks?
1. Lack of understanding
2. Financial implications not fully analysed
3. Budget constraints

Page 8

Supervisory Initiatives

• Key IT/cyber risk initiatives through 2015-16 include:

IT risk inspection team in Banking Supervision established

Themed review of operational risk around cybersecurity in investment firms

Auditors review in certain firms on governance around cybercrime

Dear CEO letter to investment firms on cyber fraud

Dedicated operational risk policy team established

Publication of Cross Industry Guidance


Page 9

Publication of Cross Industry Guidance

Key Objectives
– Emphasis on Board and SM responsibility
– Raise standards of governance and management of IT related risks across supervised sectors
– Drive actions to strengthen firms’ resilience to IT failures and cybersecurity incidents

Operational resilience, Consumer Protection, Financial Stability

• Impetus: Consolidate findings and articulate clear expectations to industry

Page 10

Introduction to the Guidance

Who
• All Central Bank regulated firms

How
• Firms should use it to inform future development of their IT governance and risk management frameworks.
• Principle of proportionality applies.

What
• Key supervisory findings
• Expectations informed by generally accepted good practices in:
– IT Governance
– IT Risk Management
– Cybersecurity
– Outsourcing of IT Systems and Services

Page 11

High Level Findings

1. IT and cyber risks not sufficiently prioritised by Senior Leadership
2. Insufficient alignment of the business & IT strategies
3. Inadequate security awareness training of staff
4. IT risk assessment and identification processes are insufficiently robust
5. Poor data management practices
6. Incident response capabilities vary greatly among firms
7. Weaknesses in the management of IT outsourcing arrangements

Page 12

Recent Events

134,000 customer records (unauthorised use of employee credentials)

£2.5m cash stolen from 9,000 accounts (unknown)

500m records breached, potential impact on Verizon merger (2014 hack, disclosed 2016)

FriendFinder Network – 412m customer records breached (hack)

Madison Square Garden Co. payments processing (malware)


Page 13

Key Messages for Industry (cybersecurity)

• Cyber risk should be among the Board’s top priorities

• Identify your ‘crown jewels’ and adequately safeguard

• Prepare for the worst

• Participate in cyber information sharing networks

• Address the human factor


Page 14

Human Error


Page 15

Some Questions for Senior Leadership

• What are the key IT and cybersecurity risks facing your firm?
• Do you know what your critical IT and data assets are and how they are being safeguarded?
• How does the firm assure itself that IT risk controls are being implemented effectively?
• Does the firm consider cyber event scenarios in its business continuity and disaster recovery planning?
• When considering your strategic priorities, IT infrastructure, risk management and culture, outsourcing arrangements and cyber situational awareness: are you comfortable with the level of IT risk your firm is taking?

Page 16

Concluding Remarks

• Continued focus by Central Bank
• Guidance should inform existing and future development of IT RMF
• Supervisors/Inspectors will be reviewing progress
• Ongoing dialogue to inform policy development

Page 17

Thank you


Page 18

Financial Services IT & Cybersecurity Risk

30 November 2016

Mike Harris, Partner, Grant Thornton Ireland

Page 19

Agenda

• introduction
• practical considerations
– IT governance
– IT risk
– cybersecurity
– outsourcing
• conclusions

Page 20

Introduction

Page 21

Attacks continue and escalate

Page 22

Corporate risk management


NYSE Survey Cybersecurity in the Boardroom

Presenter notes: Waiting for parliament to adopt FRS 105 into legislation.
Page 23

Corporate risk management


NYSE Survey Cybersecurity in the Boardroom

Presenter notes: Waiting for parliament to adopt FRS 105 into legislation.
Page 24

Attacks continue and escalate

Page 25

Cyber & IT governance & risk

Page 26

Focus

• IT governance
• IT risk management
• outsourcing

Page 27

Cyber security

Page 28

The board

• senior manager with accountability for information security

• or a board member with appropriate training

• board satisfaction that:

– policies and procedures are robust and can comprehensively facilitate the firm’s cyber-security needs

Presenter notes: Firms should assume that they will be subject to a successful cyber-attack or business interruption. For this reason, the incident management approach needs to deal with cybersecurity threats and resilience to reduce both the probability of occurrence and the impact when it does occur. With that in mind, IT related risk management must be comprehensive and robust, addressing key risk areas such as business strategy alignment, outsourcing, change management, cybersecurity, disaster recovery and business continuity.
Page 29

The board

• Cyber-security as a standing agenda item at board meetings

• an understanding at board level of the assets and information of most value to the firm

• a clear reporting line to the board for cyber-security incidents

Page 30

Cyber strategy

Cyber security strategy focusing on what needs to be protected

Everyone should be aware of the role that they have to play in making their firm cyber-secure

Identify priorities for protection starting with a risk assessment and gap analysis

Effective policies embed cyber-security within the business

Page 31

Cyber strategy

Page 32

Cyber frameworks

Prepare
• cyber security risk and threat assessment
• security process or technical assessments
• security policy development
• third party cyber security assurance

Protect
• security architecture
• security technology implementation eg SIEM (outsourcing!)
• security process design and implementation
• identity and access management
• privacy and data protection
• data classification
• enterprise application integrity
• business continuity and disaster recovery
• penetration testing

React
• security operations and monitoring
• security and data breach incident response

Change
• security program strategy and planning
• security governance
• security awareness

Page 33

Cyber strategy

Chart: maturity level of each function (1 Initial or Ad-hoc, 2 Repeatable, 3 Managed & Measurable, 4 Optimised) plotted against the Critical CE Capability, with the Capability Gap between them.

Identify: Asset Management, Governance, Risk Assessment, Risk Management Strategy
Protect: Access Control, Awareness Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology
Detect: Anomalies and events, Security Continuous Monitoring, Detection Processes
Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
Recover: Recovery Planning, Improvements, Communication

Page 34

Dealing with incidents

• established procedures to deal with a successful attack

• contingency plans in the event of a systems breach or data compromise

• report any substantial attack/ successful breach of systems to the Central Bank

Presenter notes: When the firm becomes aware of an IT incident that could have a material impact on consumers or on the firm’s ability to provide services, minimising customer detriment, the resumption of critical business operations and timely customer communications should be key components of any incident management plan.
Page 35

Dealing with incidents

Page 36

Ability to withstand a significant cyber attack

Presenter notes:
– Identify critical assets, then put adequate controls in place to protect those assets, e.g. information classification / DLP
– Segregate critical databases and use encryption technologies wherever possible
– Segregate web services into a DMZ, and segregate Wi-Fi networks
– Dual-layer firewalls
– IDS/IPS controls, good signature management
– Ensure adequate log management: poor logging and monitoring = inability to detect
– Updated anti-virus solution
– Vulnerability management (patching updates for both the OS and application layers)
Page 37

Staff training and awareness

• training for staff with periodic testing of responses to cyber attack scenarios

Page 38

Third parties

• third party cyber-security standards

• minimise impact should the third party be subject to cyber attack

Page 39

Other

• payment processes

• protection of mobile devices

• regular IT audit & penetration tests

• keeping up to date on current cybersecurity threats

Page 40

And finally

• If an entity relies on the IT infrastructure of their parent/group, formal sign-off of a localised version of the policies is recommended to ensure that they are appropriate for the local firm

Page 41

Conclusions

Page 42

Conclusions

• standards based approach is best

• structure & risk assessment

• however not a compliance exercise

• need a structured Cyber strategy

• with formal project management

Page 43

Questions

Page 44

Feedback form

Page 45

Thank you!