Financial services
Security deficits in an interconnected world
Key findings from The Global State of Information Security® Survey 2015

Contents
Introduction
Incidents and costs mount
Support from the top
Regulators tighten rules
Rising third-party risks
Inside jobs increase
Technology is not enough
Linking security and risk

Introduction

It will come as no surprise to most financial services executives that information security incidents are continuing to rise, as are the costs of these intrusions.

In the past two years, sophisticated cyber adversaries around the world have launched powerful distributed denial of service (DDoS) attacks against banks, siphoned off billions of dollars from deposit accounts, stolen millions of payment card records, and infiltrated many national stock exchanges.

Despite these attacks, many global financial services companies have not implemented the right processes and technologies to prevent, detect, and respond to security risks. In particular, many do not adequately address threats from third parties and “insiders” like employees and partners with trusted access.

Others disregard essential governance, operational processes, and people capabilities that enable rapid detection and response to compromises.

As regulators around the world move to tighten compliance requirements for financial services organizations, improvements in these security practices will become increasingly essential to safeguard data as well as ensure compliance with global regulatory bodies.

“International financial services firms are at greater risk than ever, and by all estimates those threats will only increase,” says Joe Nocera, a Principal in PwC’s Cybersecurity Practice. “That’s why global organizations should prioritize their investments based upon risk, focusing on the most critical business assets. Then they can strategically invest in the right combination of security processes, technologies, and awareness and training programs. In today’s world, it’s not a matter of if an incident will happen but rather when, and firms must be prepared to respond.”


In other words, it’s no longer possible to protect all data, networks, and applications at the highest level, but a proactive cybersecurity program will enable financial services firms to prioritize protection and more quickly react to incidents that are all but inevitable.

Incidents and costs mount
Yet security spending has not kept pace, particularly among smaller businesses.

Detected incidents have maintained a steady upward momentum.

The Global State of Information Security® Survey 2015 (GSISS) shows that, among 758 global financial services respondents, the number of detected incidents—we define a security incident as any adverse incident that threatens some aspect of computer security—increased 8% this year over 2013.

The costs of security incidents jumped 24%, with big losses leading the way.

The number of financial firms reporting losses of $10 million to $19.9 million increased by a head-turning 141% over last year.

Figure: GSISS 2015: Financial services results at a glance (Incidents)
Average number of detected incidents: 2013: 4,628; 2014: 4,978
Estimated total financial losses: 2013: $2.7M; 2014: $3.4M

Figure: GSISS 2015: Financial services results at a glance (Sources of incidents, percentage of respondents citing each source)
Current employees: 2013: 33%; 2014: 44%
Former employees: 2013: 25%; 2014: 28%
Hackers: 2013: 36%; 2014: 26%
Competitors: 2013: 11%; 2014: 20%

Figure: GSISS 2015: Financial services results at a glance (Security spending)
Average annual information security (IS) budget
Small organizations (revenues less than $100M): 2013: $1.0M; 2014: $0.6M
Medium organizations (revenues $100M–$1B): 2013: $2.2M; 2014: $2.6M
Large organizations (revenues more than $1B): 2013: $10.7M; 2014: $11.3M
IS spend as a percentage of the IT budget
Small organizations: 2013: 15.4%; 2014: 14.7%
Medium organizations: 2013: 3.6%; 2014: 3.3%
Large organizations: 2013: 3.3%; 2014: 3.7%

While security events and costs continue to escalate, security spending has not kept pace, particularly among smaller businesses.

Globally, investments in information security inched up 3% over the year before. And while financial firms invested more heavily in recent years, security spending has been stalled at less than 4% of the total IT budget for the past seven years.

Due to a lack of investment, many financial firms are falling behind in implementing up-to-date processes and tools to detect and respond to today’s evolving security threats. Year-over-year, we saw a lack of progress—and in many cases, significant attrition—in the use of secure access controls, risk and vulnerability assessments, threat monitoring and analysis, third-party security safeguards, and employee awareness and training programs, to name a few.

Security breaches not only impact a financial institution’s bottom line, but also its reputation, brand, and intellectual property.

“Executive teams and boards can no longer afford to view cyber security as merely a technology problem,” says Stephen Russell, Managing Director at PwC. “The cost of defending against cyber threats has risen sharply and regulators are focusing on how well financial institutions are defending themselves against these threats.”

In analyzing this year’s GSISS responses, we identified five critical areas that financial services firms should consider:

» New regulatory requirements
» Executive and Board support for security
» Insider incidents
» Third-party risks
» Over-reliance on technology

Addressing these issues can help financial firms better detect and defend against threats and increase their cyber resiliency.

Figure: Falling behind in security safeguards (percentage of respondents with each safeguard in place, 2014 vs. 2013)
Secure access-control measures: 2014: 66%; 2013: 73%
Threat assessments: 2014: 61%; 2013: 64%
Active monitoring/analysis of information security intelligence: 2014: 59%; 2013: 74%
Require third parties to comply with our privacy policies: 2014: 59%; 2013: 67%
Penetration testing: 2014: 59%; 2013: 63%
Vulnerability assessments: 2014: 58%; 2013: 65%
Risk assessments on internal systems: 2014: 58%; 2013: 67%
Intrusion-detection tools: 2014: 58%; 2013: 71%
Employee awareness and training program: 2014: 57%; 2013: 66%
Security audits: 2014: 57%; 2013: 71%
Incident response process to report and handle breaches to third parties that handle data: 2014: 57%; 2013: 63%
Risk assessments on third-party vendors: 2014: 56%; 2013: 60%

Support from the top
Cybersecurity is no longer simply an IT concern. Today, it is a critical business issue that demands the attention—and the active stewardship—of the Chief Executive Officer and the Board of Directors.

To be effective, cybersecurity should be integrated into the firm’s overall enterprise risk-management framework, and the CEO and Board should “own” the responsibility for managing cyber resiliency.

“We consider institutions to be cyber-resilient when they have a comprehensive, well-crafted, cyber-risk management program in place—with management held accountable for the program’s performance and results,” says Stephen Russell, Managing Director at PwC.

Senior executives should establish a strong culture of security and cyber resilience by setting an affirmative “tone at the top.” Doing so will demand that executives proactively communicate the importance of security across the enterprise, a practice that 71% of financial services respondents say they have implemented. Beyond that, executive leaders should engage the Board in the discussion and management of cybersecurity risks.

Most firms have not done so. We know because we asked survey respondents to detail how their Boards participate in cybersecurity initiatives. The responses are telling: only one-third (33%) of respondents say their Board is involved in the review of security and privacy risks, a number that is particularly low given the criticality of enterprise-wide cyber-risk awareness.

Figure: How Boards participate in security (percentage of respondents)
Overall security strategy: 50%
Security budget: 44%
Security policies: 37%
Review of security and privacy risks: 33%
Security technologies: 26%
Review roles and responsibilities of security organization: 23%
Review of security and privacy testing: 20%

Board participation is essential to reaching an appropriate decision on the level of cyber risk an organization will accept and to building responses around those parameters. It also can be a key factor in ensuring that security practices are adequately funded—an approach that most financial firms do not pursue. Only 44% of respondents say their Boards are involved in setting security budgets.

Beyond the Board, risk-based cybersecurity will require cross-functional cooperation between leaders from IT, security, legal counsel, risk management, finance, and human resources. This team should meet regularly to coordinate and communicate information security issues, a practice that 56% of financial services respondents say they have implemented.

Regulators tighten rules
Recent actions by industry regulators in the US and Europe have signaled they may require proof that financial services firms have implemented a robust security program.

These types of regulatory guidance and requirements will very likely intensify in the future.

Consider, for instance, the European Union General Data Protection Regulation, which is on track to be finalized in 2015. The regulation is expected to add new requirements for breach notification to individuals, require organizations that handle personal data to conduct risk assessments and audits, and increase fines for compromised businesses [1]. Other regulatory bodies have announced intentions to assess financial institutions for risk vulnerability and risk-mitigation policies and procedures [2].

Figure: What it may take to pass a security exam (percentage of respondents with each capability in place)
Incident-management response process: 71%
Business continuity/disaster recovery plans: 66%
Secure access-control measures: 66%
Threat assessments: 61%
Privileged user access: 60%
Patch-management tools: 58%
Security-event correlation tools: 57%
Have cyber insurance: 57%
Employee security awareness training program: 57%
Encryption of smartphones: 51%

[1] Vormetric Data Security, Security measures to go under spotlight as new Data Protection Directive approaches, July 8, 2014
[2] PwC, Understanding and preparing for OCIE cybersecurity exams, May 2014

Guidance from the US Securities and Exchange Commission (SEC) suggests that US financial services firms should seriously consider investing in cyber insurance. In fact, the Commission included cyber insurance on its list of possible factors that may be used in examinations. What’s more, the SEC goes so far as to indicate that financial services firms should be prepared to undergo examinations to actually prove their preparedness. In other words, traditional check-the-box regulatory compliance is no longer sufficient.

Firms must become more strategic because, in the near future, regulators may dictate a robust framework for cybersecurity.

Judged against leading industry frameworks such as ISO 27001 or the NIST Cybersecurity Framework, many survey respondents do not appear capable of “passing” security examinations. Doing so will require that financial firms build a thorough risk-based cybersecurity practice that includes the following capabilities:

» A culture of security led by the C-suite and Board

» An incident response plan that is regularly tested

» Assessment and monitoring of third-party partners for security risks

» Advanced threat intelligence and analysis to understand business-specific threats

» Assessment of the role of cyber insurance

» Basic security fundamentals such as strong organizational governance processes and ongoing employee awareness programs

Regulators may also expect financial services organizations to share threat intelligence and response tactics across the organization as well as with private and public-sector partners. Many financial firms around the world already participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), a global forum that was formed in 1999.


Such collaborations have indirectly led to new types of security preparedness, including industry-wide exercises that simulate cyber attacks on financial institutions and enable participants to work together and share response tactics. Reaching beyond enterprise boundaries to share threat intelligence and response insights is an effective way to advance security. It’s also an initiative that financial firms may be judged on in future security exams.

Among survey respondents, 62% say they collaborate with others to improve security, a considerable gain over last year (55%).

Rising third-party risks
Financial institutions are increasingly worried about their ability to combat threats that can arise from sharing networks and data with business partners, service providers, contractors, and suppliers.

As recent high-profile breaches so unequivocally proved, third-party partners with access to networks and data can generate serious negative publicity and reputational harm, not to mention crippling financial losses.

For threat actors, partners and supply chains represent a weak link through which they can gain access to a financial firm’s network and data for quick monetary payoff. More far-sighted adversaries may infiltrate an organization’s third-party partners as a means to gain a foothold on the financial services firm’s ecosystem for long-term exfiltration of business plans, financial documents, and trade secrets.

Figure: Key gaps in third-party security (percentage of respondents with each safeguard in place)
Established security baselines/standards for external partners/customers/suppliers/vendors: 62%
Require third parties (including outsourcing vendors) to comply with our privacy policies: 59%
Incident response process to report and handle breaches to third parties that handle data: 57%
Inventory of all third parties that handle personal data of employees and customers: 57%
Risk assessments on third-party vendors: 55%
Conduct compliance audits of third parties that handle personal data of customers and employees: 55%

Monitoring and detecting unauthorized activity by third parties and supply chains can be difficult because their employees often have trusted access to a financial firm’s facilities, systems, and data. The situation becomes particularly hazardous when the security capabilities of third parties do not meet the stringent requirements of the financial services firm.

It’s a risk that is familiar to many financial firms participating in our survey.

This year, 41% of respondents say they detected security incidents perpetrated by current and former service providers, contractors, consultants, and suppliers. While many financial services companies have detected third-party compromises, most have done very little to protect themselves.

Consider, for instance, that fewer than two-thirds (62%) of respondents have established security baselines and standards for external partners, suppliers, and vendors. Just 59% require business partners to comply with their privacy policies. In essence, these firms have not taken even the most basic steps to ensure third-party security.

Only 34% of financial services respondents say they have assessed the security of third-party outsourcers over the past 12 months. Roughly the same number (33%) report that they began monitoring fourth-party relationships over the past year.

If the security practices of third-party partners are lacking, those even farther down the chain may represent an even more dangerous unknown.

“Banks have sustained large losses—both in dollars and in public confidence—as a result of successful attacks on interrelated third parties, such as major retailers,” said Thomas J. Curry, US Comptroller of the Currency, at a recent Risk Management Association (RMA) conference. “I’ve been heavily focused on this particular type of operational risk because of the pace at which it is increasing and because of its potential to undermine confidence in our institutions.” [3]

We believe that increased investment in third-party security is critical to closing this security gap. Yet when we asked respondents to name their top security spending priorities for the coming year, only 43% said they would boost budgets for monitoring and testing of business partners and vendors. While this suggests that financial firms are starting to understand the importance of third-party security, it’s also worth noting that it represented the least-cited spending priority.

[3] Office of the Comptroller of the Currency, remarks by Thomas J. Curry, Comptroller of the Currency, May 8, 2014

Inside jobs increase
The number of incidents attributed to insiders—current and former employees, in particular—increased substantially this year, even as the readiness of financial firms to manage these risks diminished.

Almost half (44%) of respondents attribute security incidents to existing staff, making current employees the most cited source of incidents; the second most frequently mentioned perpetrator is former employees, at 28%.

The increase in insider incidents portends potentially serious implications.

In the 2014 US State of Cybercrime Survey, we found that almost one-third (32%) of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders [4]. In part, that’s because internal threat actors hold the advantage since they are more likely to know where valuable data is stored and what processes and technologies are in place to protect this information.

It’s not that financial services employees are overwhelmingly careless or malicious, however. Increasingly, external threat actors leverage social engineering to steal credentials of employees with privileged access to data and networks, then use that information to infiltrate the financial firm’s networks. More universal deployment of tools to monitor user access and activity would help organizations detect this type of compromise.

Insider cybercrimes get less attention in the press, and they also appear to be off the radar of financial services companies.

Many firms do not have an insider-threat program in place, which leaves them unprepared to prevent, detect, and respond to insider threats.

Employees and managers are critical to an insider-threat management program because they are often in a position to notice suspicious behavior or risk indicators. Consequently, employee training forms the spine of an effective security program. So it’s a bit alarming that the percentage of respondents who say their organization has an employee training and awareness program dropped to 57%, from 66% the year before.

It’s good news, however, that almost half of respondents (49%) say they plan to increase their investment in employee awareness in the coming year.

[4] 2014 US State of Cybercrime Survey, co-sponsored by CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, March–April 2014

Figure: Tools to manage insider threats (percentage of respondents using each)
Data loss prevention (DLP) tools
Audit/monitor user compliance with security policy
Conduct personnel background checks
Unauthorized use/access-monitoring tools
Security strategy for employee use of personal devices on the enterprise
User-activity monitoring tools
Security technologies supporting Web 2.0 exchanges such as social networks, blogs
Security strategy for social media
Behavioral profiling and monitoring
Employee security awareness training program
Values shown in the figure: 63%, 60%, 60%, 59%, 57%, 57%, 56%, 53%, 53%, 48% (the figure labels are not individually recoverable here; the employee security awareness training program stands at 57%).

Page 14: Financial services Security deficits in an interconnected ... · Security deficits in an interconnected world // Key findings from The Global State of Information Security® Survey

Financial services

Security deficits in an interconnected world // Key findings from The Global State of Information Security® Survey 2015

Technology is not enough // 14

Technology is not enough

Contacts

Linking security and risk

Inside jobs increase

Rising third-party risks

Regulators tighten rules

Support from the top

Incidents and costs mount

Introduction

Many financial services firms view technology solutions as the best bet to protect their networks and data. Truth is, sophisticated cyber adversaries are often in the vanguard of innovation, and are constantly working to circumvent technologies as solutions vendors develop them.

That’s why financial services organizations should ensure that technology solutions are deployed on top of a foundation of sound governance, operational processes, and people skills. Consider, for instance, detection and analysis of cyber threats. Tools to identify and analyze threats are critical, but timely mitigation of incidents will also demand up-to-date response processes and properly trained personnel.

Acting upon alerts triggered by technology tools will require that key stakeholders receive immediate reports that enable them to respond proactively and quickly. An effective response will be best accomplished through the development of prepared responses, or playbooks, that provide step-by-step guidelines on roles, responsibilities, and actions. These playbooks should be tested frequently so that security and operational personnel are well prepared to mitigate incidents quickly.

In an era in which cyber compromise is virtually certain, a coordinated approach to incident response is critical to the bottom line, as well as to reputation and compliance. So it’s a bit surprising to find that 29% of survey respondents have no incident response process. It’s also worrisome that one-third say they have no business continuity/disaster recovery plans to ensure operations are quickly returned to normal with minimum disruption.

Figure: Essential governance and operational processes (percentage of respondents with each in place)

Classification of business value of data
Governance, risk, and compliance tools
Incident-management response process
Incident response process to report and handle breaches to third parties
Procedures dedicated to protecting intellectual property
Program to identify sensitive assets
Risk assessments on internal systems
Risk assessments on third-party vendors
Security audits

Values shown in the chart: 71%, 69%, 59%, 58%, 57%, 57%, 57%, 56%, 52%


Linking security and risk // 15


As incidents continue to proliferate, it’s becoming clear that cyber risks can never be completely eliminated. Protective measures remain important, of course, but processes and tools to detect, analyze, and respond to incidents are key to cyber resiliency and to the ongoing success of any financial services business.

To make this adjustment, financial services firms should reposition their security strategy by more closely linking technologies, processes, and tools with the firm’s broader risk-management activities. Doing so will result in a cyber-resilient program that can effectively manage risks based on the business’s tolerance for risk.

Five questions you should ask

1. How much revenue would we lose if our business processes were impacted by a cyber event?
2. Do we have capabilities to quickly respond to a cyber attack?
3. Have we identified our most critical business assets and do we understand their value to our adversaries?
4. Do we know where to invest to reduce cyber risks?
5. Is the business resilient enough to survive a cyber attack?


Contacts // 16


To have a deeper conversation about cybersecurity, please contact:

Financial services, United States

Shawn Connors, Principal, 646 471 [email protected]

Christopher Morris, Principal, 617 530 [email protected]

Joe Nocera, Principal, 312 298 [email protected]

Stephen Russell, Managing Director, 203 539 [email protected]

Andrew Toner, Principal, 646 471 [email protected]

Prakash Venkata, Managing Director, 617 530 [email protected]

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity

PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

The Global State of Information Security® is a registered trademark of International Data Group, Inc.