IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW (2015)

Cyber Risks: A Practical Guide and Update for Financial Professionals

Session 602

Not If… but When???

Recent Headlines

“Millions of Children Exposed to ID Theft Through Anthem Breach”

“Target hit with breach of 70-110 million customers”

“JP Morgan says 76 million client accounts hacked”

“SONY hacking scandal expands”

“Home Depot reports 56 million accounts compromised”

US National Security Mandate

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids.”

President Barack Obama, 2015 State of the Union address

New Cybersecurity Legislation

Cybersecurity Enhancement Act of 2014

Signed into law December 18, 2014, this act provides for an ongoing, voluntary public-private partnership to improve cybersecurity and to strengthen research and development, workforce development, education, public awareness and preparedness.

National Cybersecurity Protection Act of 2014

Signed into law December 18, 2014, this act codifies an existing DHS operations center for cybersecurity, the National Cybersecurity and Communications Integration Center (NCCIC).

Cybersecurity Workforce Assessment Act

Signed into law December 18, 2014, the act directs the Secretary of Homeland Security, within 180 days and annually thereafter, to conduct an assessment of the cybersecurity workforce of the Department of Homeland Security (DHS).

SEC Alerts

Office of Compliance Inspections and Examinations – February 2015 Risk Alert addressing brokerage and advisory firms

Examined 57 broker-dealers and 49 registered investment advisers

Most had been the subject of a cyber attack

Majority have adopted written information security policies

Majority conduct periodic risk assessments

Office of Investor Education and Advocacy – Security Tips for investors

Pick a “strong” password

Use two-step verification

Different passwords for different accounts

Avoid using public computers

Caution with wireless connections

Be careful clicking links sent to you

Secure mobile devices

Check account statements and trade confirmations

Cybersecurity for Insurance Industry

New York State Department of Financial Services:

Report on Cybersecurity for Insurance

Cyber attacks against financial services institutions, including insurance companies, are becoming increasingly frequent and sophisticated.

Insurance firms often possess large amounts of personally identifiable information (“PII”) and protected health information (“PHI”).

Safeguarding such information in digital format is technologically challenging and expensive.

PII and PHI are becoming more valuable on the black market, which increases incentives for cyber attacks.

Anthem Health Insurance

Cyber-thieves gained access to the addresses, employment information and Social Security numbers of 80 million customers and employees.

Encryption of stored data is currently not required by law. However, experts say that even if the data had been encrypted, the breach could still have occurred: the attackers used stolen credentials of authorized users, and data is decrypted for any query made with valid credentials. Encryption at rest protects against stolen disks and backups, not against a compromised account.

A data set containing health information can fetch $40 to $50 per record on the black market.

Cybersecurity as critical component of Enterprise Risk Management (ERM)

Need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

Sarbanes-Oxley compliance provides little assurance of an effective security program to manage cyber threats: SOX controls are scoped to the integrity of financial reporting, not to the confidentiality or availability of customer and operational data.

Companies must provide an annual “health check” report of the organization’s cybersecurity program.

This comprehensive report must cover all domains of the cybersecurity program and be conducted by either the internal audit staff or an outside vendor that specializes in cybersecurity.

Board Responsibility

Less than 15% of Internal Audit Executives surveyed said their boards are actively involved in cybersecurity preparedness

Source: IIA Audit Executive Center Pulse of the Profession - 2014

Is Target a case of Fiduciary Failure?

Target Data Breach

Did Target’s board breach its fiduciary duty by failing to maintain proper internal controls related to data security?

A proxy advisor recommended the ouster of 7 of 10 board members for failing to provide sufficient risk oversight.

However, due to insufficient evidence of director oversight failure, the board members were reelected; boards should nonetheless take notice and treat cybersecurity risk seriously.

Emerging Technology

Technology Trends

Data Analytics

Social Media

Collaborative Applications

In Memory Computing

Mobile Devices

Cloud Computing

ERM & Cybersecurity

Effective ERM leveraging Cybersecurity Principles

Understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

Ensure adequate access to cybersecurity expertise, and give discussions about cyber-risk management regular and adequate time on the board agenda.

Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.

Ensure that cyber-risk discussions include identification of which risks to avoid, accept, mitigate, or transfer through insurance, and plans associated with each approach.

Source: National Association of Corporate Directors (NACD)

ERM Framework

Leverage a Security Risk Management Framework

ISO/IEC 27005 provides guidelines for information security risk management.

Part of the ISO/IEC 27000 series, it is designed to support the implementation of information security (as required by ISO/IEC 27001) based on a risk management approach.

Organizations can align their internal security policies to ISO/IEC 27005 and map IT risks at the business process level.

It specifies a structured, systematic and rigorous process: context establishment, risk assessment (identification, analysis and evaluation), risk treatment planning, risk acceptance, and ongoing risk communication, monitoring and review.

Risk Based Approach

Develop a security strategy focused on business drivers and protecting high-value data

Identify the real risks:

Define the organization’s overall risk appetite

Identify the most important information and applications, where they reside and who has/needs access

Assess the threat landscape and your security program maturity – model your real exposures

Protect what matters most:

Assume breaches will occur – improve processes that complicate, detect and respond

Balance the fundamentals with emerging threat and vulnerability management

Establish and rationalize access control models for applications and information

Protect key identities and roles because they have access to the crown jewels

Sustain your security program:

Get governance right – security is a board-level priority

Allow good security to drive compliance – not vice versa

Measure leading indicators to catch problems while they are still small

Accept manageable risks that improve performance

Know your weaknesses – and address them!

Embed security in the business:

Make security everyone's responsibility — it's a business problem, not just an IT problem

Align all aspects of security (information, privacy, physical and business continuity) with the business

Spend wisely in controls and technology – invest more in people and process

Selectively consider outsourcing or co-sourcing operational security program areas

Cybersecurity Framework

Foundational Components

Component: Executive buy-in

What are the issues?

• Leadership on cybersecurity strategy, plan and execution comes from lower organizational levels or is seen as an IT issue.

• There is not a consistent threat management system in place; threats are not regularly discussed in the boardroom.

Implications

• Organizations need to involve senior leadership in cybersecurity.

• Lack of executive buy-in opens the doors to mistakes and cyber criminals; cybersecurity will miss the necessary direction and investments.

Component: Resources

What are the issues?

• Cybersecurity tasks are not adequately resourced and/or performed by skilled people.

• Cybersecurity teams do not have visibility and knowledge about attacks.

Implications

• Cyber threats are overlooked or the response is too late.

• Cyber criminals succeed with phishing as a result of a lack of security awareness.

Component: Performance

What are the issues?

• Many organizations are spread too thin: they maintain too many cyber capabilities and, as a result, run them with only moderate effectiveness.

• The effectiveness of cybersecurity is not measured.

Implications

• Foundational cybersecurity processes are not working properly, leaving a broad range of options for those performing an advanced persistent threat (APT).

Component: Access to data

What are the issues?

• Employees are a risk to cybersecurity, and the Identity and Access Management (IAM) program is weak.

• Excessive manual processing and irregular reviews or reports make it too easy for employees to have inappropriate access to data.

• Movers, leavers and joiners are a key cyber risk area.

Implications

• Employees are a huge threat to cybersecurity; while organizations are looking for hackers coming in from the outside, fraud is already happening from the inside.

Component: Cost vs. value

What are the issues?

• Too many organizations view the costs of cybersecurity as considerable.

• Organizations do not appreciate the benefits of the measures they already have.

• Organizations significantly underestimate the potential cost of a cyber attack.

Implications

• Organizations must understand they are under daily attack; the attackers show no signs of giving up, and they are getting smarter and more targeted. The next breach could be fatal.

Incident Response Process Flow

Preparation

Monitoring & Detection

Breach Investigation

Data Flow Containment

Notification & Remediation

Lessons Learned

• Prep: Process Definition, Data Classification, Table Top Exercise

• Detect: Receive Notification from Business Unit, IT

• Investigate: Determine if a Data Breach has Occurred

• Contain: Ensure that Data Leakage is Stopped

• Remediate: External Notifications & Remediation

• Learn: Varies with Incident

* Program phases are based on the SANS security incident handling model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned); eradication and recovery activities are folded into the Remediate phase here.

Cybersecurity Checkup

Management needs to ask the following questions

1. Does your organization use a security framework?

2. What are the top 5 organizational risks related to cybersecurity that your company is faced with?

3. How are your employees made aware of their role related to cybersecurity?

4. Are external and internal threats considered when planning your cybersecurity program?

5. How is security governance managed within your organization?

6. In the event of a serious breach, has management developed an effective response protocol and educated your organization?

Do you know this guy?

F_L_U_F_F_Y

Yes! – I’m in…

Internal Controls

Control employee access to systems and information

Terminations – The majority of data breaches occur immediately after employees leave the company. Maintaining strong control over access rights is critical to enterprise security: disable accounts and revoke credentials, tokens and remote access on the day of departure, not at the next periodic review.

Segregation of Duties – Many companies provide access to employees to perform job functions but fail to review / remove access when they move to new roles / functions, so entitlements accumulate over a career and conflicting duties end up with one person.

Governance – Rotate IT and data security individuals and assign oversight of these roles and individuals to an independent IT governance entity.
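The following is an added example (not code from the presentation) of how the joiner/mover/leaver review that this slide and the “Access to data” row of the Foundational Components table describe can be run as a reconciliation: an HR roster is compared against an application’s account export to find enabled accounts of leavers, entitlements movers kept from a previous role, and segregation-of-duties conflicts. The roster, accounts, role model and toxic pair are constructed assumptions.

```python
"""Joiner/mover/leaver (JML) access review.

Added example for the "Internal Controls" slide and the "Access to data" row of
the Foundational Components table; it is not code from the presentation.
It reconciles an HR roster against an application's account/entitlement
export and reports the three conditions the slides call out: accounts still
enabled after termination, entitlements kept from a previous role, and
segregation-of-duties conflicts. All names, roles and dates are constructed.
"""

# Constructed HR roster: employee id -> (current role, termination date as an
# ISO string or None). ISO dates compare correctly as plain strings.
HR_ROSTER = {
    "e1001": ("claims_adjuster", None),
    "e1002": ("claims_adjuster", "2015-03-31"),  # leaver
    "e1003": ("payments_clerk", None),           # mover: used to be an adjuster
    "e1004": ("it_admin", None),
}

# Constructed account export: username -> (employee id, enabled, entitlements).
ACCOUNTS = {
    "jdoe":   ("e1001", True,  {"claims_view", "claims_approve"}),
    "asmith": ("e1002", True,  {"claims_view", "claims_approve"}),       # still enabled
    "bkim":   ("e1003", True,  {"claims_approve", "payments_release"}),  # kept old role
    "svc_bk": (None,    True,  {"db_backup"}),                           # no owner in HR
    "rlee":   ("e1004", False, {"db_admin"}),                            # disabled
}

# Assumed access-control model: entitlements each role may hold.
ROLE_MODEL = {
    "claims_adjuster": {"claims_view", "claims_approve"},
    "payments_clerk":  {"payments_release"},
    "it_admin":        {"db_admin", "db_backup"},
}

# Assumed toxic pairs: one person must not hold both (segregation of duties).
TOXIC_PAIRS = [("claims_approve", "payments_release")]


def orphaned_accounts(hr=HR_ROSTER, accounts=ACCOUNTS, as_of="2015-06-01"):
    """Enabled accounts whose owner has left or is unknown to HR (leavers)."""
    findings = []
    for user, (emp, enabled, _) in accounts.items():
        if not enabled:
            continue
        if emp not in hr:
            findings.append((user, "no HR owner"))
            continue
        term = hr[emp][1]
        if term is not None and term <= as_of:
            findings.append((user, "owner terminated " + term))
    return sorted(findings)


def role_drift(hr=HR_ROSTER, accounts=ACCOUNTS, model=ROLE_MODEL):
    """Entitlements an enabled account holds beyond its owner's current role (movers)."""
    findings = []
    for user, (emp, enabled, ents) in accounts.items():
        if not enabled or emp not in hr:
            continue
        # A role missing from the model allows nothing, so every entitlement is flagged.
        allowed = model.get(hr[emp][0], set())
        extra = ents - allowed
        if extra:
            findings.append((user, sorted(extra)))
    return sorted(findings)


def sod_conflicts(accounts=ACCOUNTS, pairs=TOXIC_PAIRS):
    """Enabled accounts holding both halves of a toxic entitlement pair."""
    findings = []
    for user, (_, enabled, ents) in accounts.items():
        if not enabled:
            continue
        for a, b in pairs:
            if a in ents and b in ents:
                findings.append((user, (a, b)))
    return sorted(findings)


if __name__ == "__main__":
    for title, rows in (("Orphaned accounts", orphaned_accounts()),
                        ("Role drift", role_drift()),
                        ("Segregation-of-duties conflicts", sod_conflicts())):
        print(title)
        for row in rows:
            print("  ", row)
```

Run the same three functions against real exports on a schedule and on every termination event, not only at the periodic review. Every finding is something to disable or re-certify, and a role with no entry in the role model is itself a finding, since the script treats it as allowing nothing.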

Vendor Risk Management

Control vendor access to systems and information

Clients, vendors and business partners (e.g. outsourcing) have various reasons for access to systems and information.

Protect information assets by assigning IT security to specifically monitor their activities when accessing the network and hardware (e.g. hard drives), and scope that access to the systems the engagement actually requires.

Consider having an IT risk assessment performed that evaluates the controls and safeguards the vendor has in place to ensure that information assets are protected from unauthorized access.

Tech-Enabled Framework

ERM Framework

Predictive Analytics

Streaming Social Media

ERM Software

Risk Dashboards

Leveraging Data Analytics

Data analytics can be used to…

Identify the risks that have resulted from the exponential growth of technology and the internet, and our increasing reliance on both.

Provide a comprehensive view of internal and external risks by alerting decision makers about potential fraud, unusual network traffic patterns, hardware failures, and security breaches.

Convert data into actionable information, helping businesses move their cybersecurity measures from a reactive state to a proactive state.

Insurance Fraud

Organizations lost an average of 5% of their revenues to fraud. That computes to a loss of over $3.5 trillion per year.

The U.S. insurance industry’s estimated cost of fraud is approximately $30 billion a year.

Most of this expense is absorbed by policy holders in the form of higher insurance premiums, to the tune of about $300 a year per family.

Source: National Insurance Crime Bureau.

Fighting Fraud with Data Analytics

Transactions can be analyzed to detect data anomalies that may be indicative of a fraud.

[Figure: SAP fraud management flow, “From Claim Notification to Claim Closure”. Stages: Prevention, Detection, Investigation. Components: Monitoring, Alert, Notification; Fraud Pattern Analysis; Claim Process & Settlement; Inquire & Analyze; Evaluation & Decision; Rules & Predictive Analysis; Fraud Detection Strategy; Calibration & Simulation; Online Detection; Mass Detection; Integration / Configuration / Platform; Fraud Monitoring & Performance Optimization.]

Source: SAP
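As an added example for the two analytics slides above (“Leveraging Data Analytics” and “Fighting Fraud with Data Analytics”), and not code from the presentation or from SAP, the block below runs two anomaly checks over a constructed batch of claim payments: a per-adjuster robust outlier test (median and median absolute deviation rather than mean and standard deviation, so a large payment cannot hide itself by inflating the baseline) and a payee check for one bank account collecting for several unrelated claimants. The records, the 3.5 cut-off and the account naming are assumptions.

```python
"""Transaction anomaly screening for claim payments.

Added example for the "Leveraging Data Analytics" and "Fighting Fraud with Data
Analytics" slides; it is not code from the presentation or from SAP. It runs
two checks over a constructed batch of claim payments: a per-adjuster robust
outlier test on amounts, and a payee check that finds one bank account
collecting for several unrelated claimants. Records and thresholds are
illustrative assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed claim-payment records (not real data).
CLAIMS = [
    {"id": "C1",  "adjuster": "A", "claimant": "P1",  "payee": "ACCT-01", "amount": 1200.0},
    {"id": "C2",  "adjuster": "A", "claimant": "P2",  "payee": "ACCT-02", "amount": 1350.0},
    {"id": "C3",  "adjuster": "A", "claimant": "P3",  "payee": "ACCT-03", "amount": 1100.0},
    {"id": "C4",  "adjuster": "A", "claimant": "P4",  "payee": "ACCT-04", "amount": 1275.0},
    {"id": "C5",  "adjuster": "A", "claimant": "P5",  "payee": "ACCT-77", "amount": 1300.0},
    {"id": "C6",  "adjuster": "A", "claimant": "P6",  "payee": "ACCT-06", "amount": 9800.0},
    {"id": "C7",  "adjuster": "B", "claimant": "P7",  "payee": "ACCT-07", "amount": 2000.0},
    {"id": "C8",  "adjuster": "B", "claimant": "P8",  "payee": "ACCT-08", "amount": 2100.0},
    {"id": "C9",  "adjuster": "B", "claimant": "P9",  "payee": "ACCT-77", "amount": 1950.0},
    {"id": "C10", "adjuster": "B", "claimant": "P10", "payee": "ACCT-10", "amount": 2050.0},
]


def modified_z_scores(values):
    """Modified z-score per Iglewicz and Hoaglin: 0.6745 * (x - median) / MAD.

    Median and median absolute deviation are used instead of mean and standard
    deviation because a single large payment would otherwise inflate the
    baseline and hide itself. Returns None for every value when MAD is zero
    (all payments identical), since the score is undefined there.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return [None] * len(values)
    return [0.6745 * (v - med) / mad for v in values]


def amount_outliers(claims=CLAIMS, threshold=3.5):
    """Payments far outside the adjuster's own baseline; 3.5 is the usual cut-off."""
    by_adjuster = defaultdict(list)
    for c in claims:
        by_adjuster[c["adjuster"]].append(c)
    flagged = []
    for adjuster, rows in by_adjuster.items():
        scores = modified_z_scores([r["amount"] for r in rows])
        for row, z in zip(rows, scores):
            if z is not None and abs(z) > threshold:
                flagged.append((row["id"], adjuster, round(z, 1)))
    return sorted(flagged)


def shared_payees(claims=CLAIMS, min_claimants=2):
    """Payee accounts that collect for at least min_claimants distinct claimants."""
    claimants = defaultdict(set)
    for c in claims:
        claimants[c["payee"]].add(c["claimant"])
    return sorted((acct, sorted(p)) for acct, p in claimants.items()
                  if len(p) >= min_claimants)


if __name__ == "__main__":
    print("Amount outliers (claim, adjuster, modified z):", amount_outliers())
    print("Shared payee accounts:", shared_payees())
```

Both checks are screening rules that produce leads for the Investigation stage, not verdicts: a shared payee may be a legitimate repair shop, and a large payment may be a genuine total loss. The per-adjuster baseline matters because adjusters handle different lines of business; a single global threshold would flag every large-loss adjuster’s normal work.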

Board Responsibility

• Target

• ISS recommended the ouster of 7 of 10 board members for failing to provide sufficient risk oversight.

• Glass Lewis took a different stance, concluding there was insufficient evidence of director oversight failure.

• The board members were reelected, but boards are on notice to treat cybersecurity risk more seriously.

• A shareholder derivative lawsuit alleged that Target’s board breached its fiduciary duty by failing to maintain proper internal controls related to data security.

EisnerAmper Risk Survey

• 2014 Board of Directors Survey – Concerns About Risks Confronting Boards

• Opinions of directors of more than 250 publicly traded, private, not-for-profit, and private equity owned companies

• Findings

• Reputation remains the leading concern; cybersecurity is growing

• Boards admit a lack of understanding of new media and cyber issues

• Most companies feel they are addressing risk very well, but less than 40% of respondents have an ERM program fully implemented, and 22% don’t have one

• Why is cybersecurity important? Respondents said:

• “IT/Cybersecurity is also tough to understand — but could cause severe damage.”

• “IT because much of the vital…work the org does depends on reliability and security of IT”

EisnerAmper Risk Survey

Three Lines of Defense Drives Governance Structure

Clarity of Roles and Responsibilities Structured into “Three Lines of Defense”

Board of Directors / Audit Committee

Senior Management

1st Line of Defense: Administration Controls; Internal Control Measures

2nd Line of Defense: Financial Control; Security; Risk Management; Quality; Compliance; Legal

3rd Line of Defense: Internal Audit (Assurance & Validation)

External Auditor / Regulator (shown alongside the three lines)

Where Internal Audit Can Help in Cyber-Security

Internal audit is equipped to do much of the work necessary for companies to grasp their cyber-risks.

• Cyber-risk is about 80 percent process-based

• It is a business process issue as much as it is an IT issue

Cyber-risk assessments need to be a top-down exercise

• Align risks to the business, strategy, and objectives: what type of information the company produces and what the company wants to protect.

Internal audit can play a role in validating a company’s response plan

Thank You!

Greg Fritsky, Director

Redwood Software

10 Denise Drive

Allentown, NJ 08501

[email protected]

(609) 468-6994

www.redwood.com

Jerry Ravi, Partner

Eisner Amper LLP

111 Wood Avenue South

Iselin, NJ 08830

[email protected]

(732) 243-7590

www.eisneramper.com

Please Complete the Session Evaluation Form on the Conference App