2017 NMLS Cybersecurity Panel

9th Annual Conference & Training | Austin, TX

Tom Bayer, Chief Information Officer, CSBS
David Tallman, Partner, Mayer Brown
Josh Weinberg, EVP, First Choice Loan Services Inc.
John Haring, Dir. Compliance Enablement, Ellie Mae Inc.

Cybersecurity Assessment

Regulatory Framework

• US generally has sector-specific privacy regimes (e.g., financial services, healthcare, and education).

• State laws fill gaps or raise standards (e.g., breach notification and data security).

• These federal and state laws establish frameworks that financial institutions may be required to comply with, or best practices they may be encouraged to implement. These include:

  • State Data Breach Notification and Data Security Laws (e.g., Massachusetts security law and pending NYSDFS cybersecurity regulations);

  • Federal Agency Guidance (e.g., FFIEC IT Handbook and SEC/FINRA guidance); and

  • Other Data Security Obligations (e.g., NIST and PCI DSS).

Gramm-Leach-Bliley Act

• GLBA imposes “affirmative and continuing obligations” on financial institutions to protect the “security and confidentiality” of their customers’ nonpublic personal information.

• GLBA establishes compulsory standards to protect customers against unauthorized access to or use of such information which could result in substantial harm.

• The FTC, SEC, federal banking regulators, and other regulators have promulgated regulations implementing this requirement.

• Federal banking regulators have used authority to require consumer notices in the event of unauthorized access to personal data.

FTC Act

• Section 5 of the FTC Act, codified at 15 U.S.C. § 45, empowers the Commission to prevent all “unfair or deceptive acts or practices in or affecting commerce.”

• Since 2005, the FTC has used its authority to bring regulatory actions against companies “with allegedly deficient cybersecurity that failed to protect consumer data against hackers.” FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 240 (3d Cir. 2015).

• Banks and insurance companies are outside the scope of FTC authority.

State Data Breach and Security Laws

• Forty-seven states, the District of Columbia, and multiple U.S. territories have data breach notification laws covering unauthorized access to certain personal information.

• Common features of these laws include:

  • Required notice to consumers and/or the state regulators;

  • Delayed notice obligation for law enforcement or remediation purposes; and

  • Exceptions from notice for encrypted data.

• Some states also impose data security requirements on companies handling personal information about their residents.

• Compliance with these state laws is generally enforced by the state’s attorney general.

State Law: Massachusetts

• The Standards for the Protection of Personal Information of Residents of the Commonwealth “establishes minimum standards to be met in connection with the safeguarding of personal information.” These standards include:

  • A comprehensive written information security program;

  • Requirements for all third-party vendors;

  • Encryption of all transmitted files containing personal information or files stored on laptops or portable devices; and

  • Reasonable monitoring of systems for unauthorized use.

Potential State Regulation: New York

• The New York Department of Financial Services (DFS) proposed cybersecurity regulations affecting banks, insurers, and other financial services firms licensed, registered, or otherwise subject to DFS authority on September 13, 2016 (revised December 2016).

• DFS contemplates the proposed regulation becoming effective on March 1, 2017, with a 180-day transition period for most provisions.

• New York’s proposed rule is detailed and prescriptive. It would impose significant requirements including:

  • Written policies and procedures (e.g. information security plan, incident response plan);

  • Appointment of a Chief Information Security Officer, who provides annual reports to the covered entity’s board;

  • Annual certification by the Board or a senior officer of compliance with the regulations, with materials supporting the certification kept available for five years;

  • Annual penetration tests and bi-annual vulnerability assessments, along with an annual risk assessment;

  • Directing the covered entity to push equivalent requirements down to third-party providers;

  • Notification to DFS within 72 hours of any breach with a “reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity”; and

  • Technical controls including encryption and multi-factor authentication (or equivalent compensating controls).

Industry Standards: NIST

• In February 2013, President Obama issued Executive Order 13636, which called for the development of a voluntary, risk-based Cybersecurity Framework.

• The resulting document, released in February 2014 by the National Institute of Standards and Technology, “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs” without creating new regulatory requirements.

• According to the Director of NIST, the Framework “provides a consensus description of what's needed for a comprehensive cybersecurity program.”

• In December 2015, NIST called for comments on using the Framework to improve cybersecurity risk management, sharing best practices, and long-term governance of the Framework, and hosted a workshop in April 2016 to discuss ways to update the Framework.

Industry Standards: PCI / ISO

• PCI Data Security Standard (DSS): The PCI Security Standards Council is a global forum dedicated to designing security standards for the financial services industry. The PCI DSS “provides an actionable framework for developing a robust payment card data security process—including prevention, detection and appropriate reaction to security incidents.”

• ISO/IEC 27001:2013: This standard developed by the International Organization for Standardization delineates best practices for information security management and also includes standards for evaluating organization-specific information security risks.

FFIEC IT Handbook

• The Federal Financial Institutions Examination Council (FFIEC) released an updated Management section of the IT Handbook used by federal bank examiners.

• These revisions reflect the development and incorporation of cybersecurity concepts as part of information security.

• The Handbook outlines principles for sound IT governance and explains how IT risk management (ITRM) relates to enterprise-wide risk management and governance.

• In addition, the Handbook:

  • Emphasizes FFIEC’s view that appropriate IT governance structures and processes are essential to a financial institution and assigns responsibility for IT management to the board, senior management, and line managers; and

  • Outlines the ITRM process as: (i) risk identification; (ii) risk measurement; (iii) risk mitigation; and (iv) risk monitoring and reporting.

• The examination procedures include an evaluation of: (i) the institution’s cybersecurity risk and remediation activities, and (ii) the board’s and executive management’s involvement in IT activities and risk management.

FFIEC Cybersecurity Guidance

• Regulators increasingly expect financial institutions to ensure they evaluate their readiness to identify, mitigate, and respond to cyber threats.

  • FFIEC’s assessment tool may not be appropriate for large, complex institutions, which will need to develop their own processes and programs.

• Regulators expect financial institutions to more closely monitor their relationships with third-party service providers.

  • FFIEC recently issued guidance entitled Strengthening the Resilience of Outsourced Technology Services that addresses service provider risk management and incorporates emerging issues, such as cyber resilience.

FFIEC Cybersecurity Guidance

• FFIEC also has recently issued guidance addressing how financial institutions should prepare for and respond to cybersecurity incidents involving extortion, malware, or compromised credentials.

  • June 2016 guidance on risks associated with attacks on interbank messaging and wholesale payment networks

  • November 2015 guidance on risks associated with attacks involving extortion (i.e., ransomware)

  • June 2015 Cybersecurity Self-Assessment Tool

  • March 2015 guidance on response to destructive software attacks (i.e., malware)

  • March 2015 guidance on response to attacks that compromise user credentials

  • April 2014 guidance on risks associated with attacks on ATMs and card authorization systems

  • April 2014 guidance on risks associated with distributed denial-of-service (DDoS) attacks on public websites

  • July 2012 guidance on approaching risks associated with outsourced cloud computing solutions

Two Types of Businesses

“Those that have been hacked and know it

Those that have been hacked and don’t!”

Richard Clarke

This is not the most effective way to plan!

Why IT Matters

• The law(s) require IT

  • NIST, FFIEC, GLBA, FCRA, State Laws

• CA AG: “The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

• IT’s necessary to run our companies

  • Networks and Infrastructure, Vendor Management, Outsourcing

• Our companies are better because of IT

  • Secure companies are Trusted, trade secrets stay Protected, Business is Uninterrupted

The Basics

• Cyber Security is in the headlines and top of mind for Regulators and the public.

  • What’s important to your regulator should be important to you!

• Risk should be identified and balanced by controls.

  • The more complex the products and environment, the greater the need for heightened scrutiny and frequent review.

• Technology investment is expensive and not a one-time event.

  • Not doing it costs way more!

  • End of life for Windows XP support is a data security risk.

• IT and Data Security are connected, but not the same.

• Business Continuity Plans are critical and must include Privacy, Data Security, IT and DR.

• Hope for the best, prepare for the worst.

  • Outside influences will eventually have a dramatic impact on your business.

Minimum Considerations

• Resources vs. Requirements

  • Size matters!

  • Balance between cost and support

• Future State Vision and Business Plan

  • Infrastructure needs to support today and tomorrow.

  • The only way to get there is by planning for the future now.

• Vendor Management and Outsourcing

  • Networks, Servers, and Hosting

  • Loan Process functions – Docs, PPE, Compliance Review tools, AMCs, Sub-Servicing

  • Ps & Ps

Being in business carries risk

Successful companies are able to tolerate risk while minimizing exposure and liability.

• The only way to be 100% compliant is to do no business.

• Manage Risk – Controls and Policies:

  • Physical/Branch security (Remote Employees)

  • Prevent Credential Sharing

  • BYOD

  • Employee Separation/Termination

Best Practices and Recommendations

• Be Prepared:

  • BCP, DR, Breach, Notification Testing

• Have a Plan:

  • Know what data is where, who owns it, and how it can be restored.

• Routine Audit:

  • You don’t know what you don’t know, but that’s what you need to know most!

Resources

• DOJ Cybersecurity Unit – “Best Practices for Victim Response and Reporting of Cyber Incidents”

  • https://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents2.pdf

• FFIEC Appendix J – “Strengthening the Resilience of Outsourced Technology Services”

  • http://www.fdic.gov/news/news/financial/2015/fil15009.html

• DHS/NCSAM – “Stop, Think, Connect”

  • https://www.dhs.gov/national-cyber-security-awareness-month?utm_source=govdelivery

• FinCEN – Advisory on Email Compromise Fraud Schemes

  • www.fincen.gov/sites/default/files/advisory/2016-09-09/FIN-2016-A003.pdf

• Treasury and US Intelligence – Protecting Your Networks from Ransomware

  • http://csbs.informz.net/csbs/data/images/How%20to%20Protect%20Your%20Networks%20from%20Ransomware_%20Technical%20Guidance%20Documen.pdf

“Everyone’s a potential target. Like any other business or industry these days, the mortgage industry is a target for cyber-attacks from adversaries that can range from hacktivists, to organized criminals, to nation-states. These groups’ attack methods are constantly evolving and becoming more advanced. As a result, lenders need adaptive, rapidly evolving and comprehensive security solutions in order to protect themselves from these emerging threats.”

– Dr. Selim Aissi, Chief Security Officer, Ellie Mae

Five functions of a sound cybersecurity program

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

Source: National Institute of Standards and Technology (NIST)

Five Pillars of Protection

1. Endpoint Defense – Desktops, laptops, etc. are the first point of attack and network vulnerability.

2. Perimeter Defense – To get the broadest protection, start where systems interface with the rest of the world.

3. Access Control Defense – Protect access to critical information assets in order to protect against malicious actors trying to perform credential harvesting or lateral movement.

4. Data Control Defense – Protect customer data where it is stored (data-at-rest) as the last resort to protect critical assets when all other security controls fail.

5. Assurance Defense – Policies and Procedures need to be in place (e.g. governance, risk, compliance, patch management, certificate management, penetration and red team testing, security awareness) for the other four pillars to be effective.

Critical Components of an Effective Cybersecurity Program

Questions?

Thank You!