15 July 2016© KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. 1
Cybersecurity – A Regional Perspective
Daryl Pereira, Partner, Cybersecurity, KPMG
Drivers for Enhancing Your Cybersecurity & IT Risk Management Practices
Three major trends affecting the Financial Sector have led to a tightening of IT regulations to maintain Asia’s status as a financial hub:
• Rise of cyberwarfare and an increased number of sophisticated attacks through internet / mobile channels / ATM / online systems
• Recent high-profile outages have increased the regulator’s focus on business and technology resilience
• Increased off-shoring of business processes, use of cloud computing, and consolidation of local platforms onto global platforms
Global/Regional Financial Hubs: Singapore, Hong Kong, Japan, Australia, ASEAN
APAC Regulators lead the way with new IT & Cybersecurity Regs
List of Singapore regulatory guidelines and circulars applicable:
• Guidelines on Outsourcing, 2005
• MAS Notice 634 on Banking Secrecy Outsourcing Conditions
• IT Outsourcing Circular 2011, updated 2014
• Business Continuity Management Guidelines, 2005
• Further Guidance on Business Continuity Management, 2008
• Preparedness for Avian Influenza Pandemic and Security Threats
• Personal Data Protection Act (PDPA), 2012
• Guidelines for Technology Risk Management, June 2013
• Notice on Technology Risk Management, June 2013
• Consultation Paper – MAS Outsourcing Notice, Oct 2014
• Consultation Paper – MAS Outsourcing Guidelines, Oct 2014
• Circular – BYOD, 2014
• Circular – Vulnerability Assessment & Penetration Testing, 2014
• Circular – Cybersecurity for Board, Nov 2015
List of Australia regulatory guidelines and circulars applicable:
• Prudential Practice Guide PPG 234 – Management of security risk in information and information technology
• Prudential Practice Guide PPG 231 – Outsourcing
• Prudential Standard CPS 231 – Outsourcing
• Prudential Standard APS 232 – Business Continuity Management
• Prudential Standard CPS 232 – Business Continuity Management
• Prudential Practice Guide PPG 233 – Pandemic Planning and Risk Management
• Prudential Standard SPS 220 – Risk Management
• Guidance Note AGN 232.1 – Risk Assessment and Business Continuity Management
List of Taiwan regulatory guidelines and circulars applicable:
• FSC – Act Governing Issuance of Electronic Stored Value Cards
• FSC – Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation
• FSC – Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries
• Central Bank – Regulations Governing the Clearinghouse’s Plan of Security Measures for Personal Information Files
• FSC – Regulations Governing Maintenance of Personal Information Files by the Non-government Institutions as Designated by the Financial Supervisory Commission, Nov 2013
• Taiwan Personal Information Protection Act (PIPA), 2012
• FSC – Standard of Personal Data Files Safety and Maintenance Plan for Financial Industry (SPPDF)
List of Hong Kong regulatory guidelines and circulars:
• HKMA – TM-G-1 – General Principles for Technology Risk Management
• HKMA – Supervisory Policy Manual – Reputation Risk Management
• HKMA – Supervisory Policy Manual – Supervision of E-banking
• HKMA – OR-1 – Operational Risk Management
• HKMA – Supervisory Policy Manual – Business Continuity Planning
• HKMA – Strengthening Security Controls for Internet Banking Services
• HKMA – SA-1 – Outsourcing
• HKMA – Customer Data Protection, Oct 2014
• Privacy Commissioner – “Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry”, Oct 2014
List of Malaysia regulatory guidelines and circulars:
• GPIS 1 – Guidelines on Management
• Malaysia Personal Data Protection Act (PDPA), 2010
• BNM/RH/GL_018_1 – Guidelines on Data Management and MIS Framework
• Risk Management Guidelines on Risk Governance
• BNM/RH/GL/013-3 – Guidelines on Business Continuity Management
• Payment Systems Act 2003
• Digital Signatures Act 1997
• Computer Crimes Act 1997
• Electronic Commerce Act 2006
• BNM Minimum Guidelines on the Provision of Internet Banking, Cap. 2a
List of China regulatory guidelines and circulars:
• Guidelines for the Security Assessment of Electronic Banks
• CBRC – Notice on Improving Risk Management and Services for Internet Banking Business
• Guidelines on the Risk Management of Commercial Banks’ Information Technology
• Measures for the Administration of Electronic Banking
• Emergency Management of Banking Important Information Systems (for Trial Implementation)
• Public Security Bureau – Financial Institution Computer Information System Security Protection Regulation
• CBRC – Guidelines on the Management of Outsourcing Risks of Banking Financial Institutions
• CBRC – Guidelines for the Supervision of Information Technology Outsourcing Risks of Banking Financial Institutions
• National Standard – Global Privacy & Data Security
The Board & Senior Management’s Role: Technology Risk and Cyber Security
Board & Senior Management oversight of cyber is no longer leading practice… it’s required
Investors, governments, global regulators and customers are increasingly challenging Board members and C-level Executives to actively demonstrate diligence in this area. Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks.
Potential impacts and possible implications for the Board & Senior Management:
• Intellectual property losses, including patented and trademarked material, client lists and commercially sensitive data
• Time lost due to investigating the losses, keeping shareholders advised and supporting regulatory authorities (financial, fiscal, and legal)
• Property losses of stock or information, leading to delays or failure to deliver
• Penalties, such as legal or regulatory fines, for data breaches and privacy breaches
• Administrative resource to correct the impact, such as restoring client confidence, communications to authorities, replacing property, and restoring the organisation’s business to its previous levels
• Reputational losses causing your market value to decline; loss of goodwill and confidence by customers and suppliers
Business Disruption is the Costliest Consequence of Cyber Attacks
• HSBC suffers online banking cyber-attack, 29 January 2016
• Sony says the November 2014 cyber attack will cost them $15m to remediate (direct cost), and an unquantifiable cost in reputational damage (indirect cost)
• The World Economic Forum (WEF) has estimated that failure to defend against cyber-attacks will have an aggregate impact on the global economy of around US$3 trillion by 2020. (Risk Nexus report from the Atlantic Council, 2015)
Nature of technology risk & the cyber threat
Cybersecurity is now the World’s 3rd Corporate-Risk Priority Overall
Lloyd’s City Risk Index 2015-2025 analyses the potential impact on the economic output (GDP@Risk) of 301 of the world’s major cities from 18 manmade and natural threats.
• A total of $294bn of 301 cities’ projected GDP is at risk from cyber attack
• Cyber attack presents a greater risk to economic performance than terrorism or sovereign default combined
*Source: Lloyd’s City Risk Index 2015-2025
Nature of technology risk & the cyber threat
KPMG CIO SURVEY: Major cyber attacks in last 2 years by country (% of cyber attacks experienced; global average 28%)
Below global average: Greece 13%, Canada 16%, Finland 19%, Luxembourg 21%, Norway 21%, Switzerland 21%, United States 22%, Belgium 26%
Global average: United Kingdom 28%
Above global average: Australia 29%, Italy 30%, China 30%, Japan 30%, Germany 31%, Hong Kong 31%, Singapore 32%, India 33%, Ireland 34%, New Zealand 35%, Sweden 36%, Poland 36%, Vietnam 39%, France 50%, Spain 53%
Source: KPMG CIO survey 2016
The five most common cybersecurity mistakes
Mistake #1: “We have to achieve 100 percent security.”
Reality: 100 percent security is neither feasible nor the appropriate goal.
Mistake #2: “When we invest in best-in-class technical tools, we are safe.”
Reality: Effective cybersecurity is less dependent on technology than you think.
Mistake #3: “Our weapons have to be better than those of our attackers.”
Reality: The security policy should primarily be determined by your goals, not those of your attackers.
Mistake #4: “Cybersecurity compliance is all about effective monitoring.”
Reality: The ability to learn is just as important as the ability to monitor.
Mistake #5: “We need to recruit the best IT security professionals to defend ourselves against cybercrime.”
Reality: Cybersecurity is not a department, but an attitude.
Nature of Technology Risk & the Cyber Threat
The Challenges Faced by Today’s Organisations
1. External threats: organised crime, nation-states, cyber espionage, hacktivism, insider threats
2. Change in the way business is conducted: cloud computing, big data, social media, consumerisation, BYOD, mobile banking
3. Rapid technology change: critical national infrastructure, smart metering, internet of all things
4. Changing market and client need: strategic shift, situational awareness, intelligence sharing, cyber response
5. Regulatory compliance: data loss, privacy, records management
Nature of technology risk & the cyber threat
New “vectors” of threats are accelerating the concern
Yesterday…
• Bad “actors”: isolated criminals, “script kiddies”
• Targets: identity theft, self-promotion opportunities, theft of services
• “Target of opportunity”
Today…
• Bad “actors”: organised criminals, nation states, hacktivists, insiders
• Targets: intellectual property, financial information, strategic advantage, espionage, sabotage
• “Target of choice”
Recent cybersecurity incidents
Financial Services sector: Central Bank of Bangladesh, 2016 – one of the largest electronic cash thefts publicly acknowledged
Impact and observations:
• Loss of US$ 81 million
• Transfer and payout in the Philippines points to a sophisticated, global cybercriminal gang
• Custom malware showed a high level of knowledge of SWIFT Alliance Access software, its functionality and its deployment in banks
• SWIFT released software and guidance on April 25 to help spot and block related attacks, including altered database records
• The malware and attack tools used in this attack remain a threat for all SWIFT customers
Recent cybersecurity incidents
Energy sector: Ukrainian Energy Provider, 2015 – world’s first publicly acknowledged power outage caused by cyber attack
Impact and observations:
• Approximately 225,000 homes affected by the massive power outage, which lasted for several hours in the Ivano-Frankivsk region of Western Ukraine
• Highly destructive malware infected at least 3 Ukrainian regional electric power distribution companies
• Attackers infiltrated the power companies using SCADA hijacking techniques
• Though power has been restored, control centres are still not fully operational more than 2 months after the attack
• Rising concerns over Critical Infrastructure being the next targets – e.g. Industrial Control Systems (ICS) / Supervisory Control and Data Acquisition (SCADA) infrastructure
Recent cybersecurity incidents
Government sector: Office of Personnel Management, US Government, 2015 – possibly the worst government data breaches
Impact and observations:
• Affected an estimated total of 21.5 million current, former and prospective federal employees
• Stolen records included personally identifiable information such as Social Security numbers, names, dates and places of birth, pay history, addresses and information about friends and family
• Theft of detailed security-clearance-related background information
• Fingerprints of 5.6 million people were stolen, and intelligence officers’ true identities may have been compromised
• Possibly the largest cyber breach of government data in the history of the United States, tracing back to 2014
Recent cybersecurity incidents
Insurance sector: Anthem, 2015 – biggest data theft in the healthcare industry
Impact and observations:
• Personal data (PII) of 80 million customers and clients was stolen, including Social Security Numbers
• Reputational loss for Anthem regarding IT security
• Targeted attack (APT) by a cyber espionage group
• Malicious look-alike WellPoint / Anthem infrastructure was set up on the Internet
• The same infrastructure and malware were also used for an attack on a US Defense contractor
Recent cybersecurity incidents
Pharmaceutical sector: Pharmaceutical Industry Leaders, 2014 – senior pharmaceutical and healthcare executives targeted for inside information
Impact and observations:
• IDs and passwords of senior executives at 100+ firms were compromised and used to read business correspondence
• 60 publicly traded companies operating worldwide were targeted
• FIN4 hackers crafted sophisticated spear phishing emails targeting senior executives with knowledge of M&A and market-moving data
• Focus on deal makers, using well-crafted, personal and relevant emails and documents
• Stolen data was all revenue-related: key insider information for future stock price
Recent cybersecurity incidents
Entertainment sector: Sony Pictures, 2014 – biggest data theft of a company to date
Impact and observations:
• Sensitive personal and corporate data were leaked, including emails, salaries and unreleased movies
• Company’s inner workings completely exposed
• Massive impact to Sony Pictures, its employees and clients
• When the breach was discovered, Sony had been infiltrated for one year
• North Korea is blamed for the attack
A framework for managing technology risk and cybersecurity
Managing technology risk and cyber security: High-level board oversight questions
Based on KPMG’s annual Board survey of the world’s largest companies, these are the three most common questions at the C-level Executive Management and Board levels today:
1. What are the new cybersecurity threats and risks and how do they affect our organisation?
2. Is my organisation’s cybersecurity program ready to meet the challenges of today’s (and tomorrow’s) cyber threat landscape?
3. What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area?
Figure labels: KPMG’s Global Cyber Maturity Framework Domains; Threat Intelligence
Managing technology risk and cyber security: Strategic Lever 1: A Strategic and Holistic Organisation-wide Approach is needed
• LEGAL AND COMPLIANCE – Regulatory and international certification standards as relevant
• OPERATIONS AND TECHNOLOGY – The level of control measures implemented to address identified risks and minimise the impact of compromise
• BUSINESS CONTINUITY AND CRISIS MANAGEMENT – Preparations for a security event and ability to prevent or minimise the impact through successful crisis and stakeholder management
• INFORMATION RISK MANAGEMENT – The approach to achieve comprehensive and effective risk management of information throughout the organisation and its delivery and supply partners
• HUMAN FACTORS – The level and integration of a security culture that empowers and ensures the right people, skills, culture, and knowledge
• LEADERSHIP AND GOVERNANCE – Management demonstrating due diligence, ownership, and effective management of risk
Managing technology risk and cyber security: Strategic Lever 2: Actionable Threat Intelligence is the Key to Managing Cyber Threats
Prevention will ultimately fail. Actionable threat intelligence combined with detection and response capability is the key to managing cyber risks.
THREAT INTELLIGENCE
• Acquiring external threat information
• Keep up to date on current and future threats
• Connect with external intelligence sources, share information with other banks, and cooperate with police and law enforcement
PREVENT
• Protecting customers and your own infrastructure requires measures on the people, process and technology layers
DETECT
• Real-time detection of incidents and fraudulent transactions requires correlation of information from various data sources (data analytics)
• Monitor customer behaviour, transactions and log files from applications and systems
• Robust incident detection requires processes and trained people
RESPOND
• Incident response capability is built by drafting playbooks, performing regular incident response exercises and doing red team testing
• The capability to delay transactions for fraud investigations, and having trained call centre employees, are most important in being able to counter modern online banking attacks
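The DETECT lever above says that real-time detection of fraudulent transactions depends on correlating several data sources (customer behaviour, transactions, application log files), and the RESPOND lever names the ability to delay a transaction for fraud investigation. As an added example, not part of the KPMG deck, the following Python joins constructed login-log lines and transaction records per customer, scores each transfer against that customer's baseline, and returns the transfers that should be held for review. The log format, the 30-minute look-back window, the rule weights and the hold threshold are all assumptions chosen for illustration; a real deployment would tune them against its own false-positive rate.

```python
"""Correlate login events with transactions to flag transfers for review (added example)."""
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(minutes=30)  # look-back from each transaction (assumption)
HOLD_THRESHOLD = 3              # score at which a transfer is held for review (assumption)

# Constructed sample data, not real customer records. Timestamps are UTC.
LOGIN_LOG = [
    "2016-07-15T09:00:12Z login user=alice src_country=SG device=known",
    "2016-07-15T09:41:03Z login user=bob src_country=SG device=known",
    "2016-07-15T10:02:55Z login user=alice src_country=RO device=new",
    "2016-07-15T10:10:30Z profile_change user=alice field=phone",
]
# (timestamp, user, amount, beneficiary never paid before?)
TRANSACTIONS = [
    ("2016-07-15T09:05:00Z", "alice", 120.0, False),
    ("2016-07-15T09:45:00Z", "bob", 4000.0, False),
    ("2016-07-15T10:12:40Z", "alice", 9800.0, True),
]
# Each user's recent transfer amounts, used as the behavioural baseline.
HISTORY = {"alice": [90.0, 150.0, 110.0, 130.0], "bob": [3500.0, 4200.0, 3900.0]}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(lines):
    """Turn 'TIMESTAMP EVENT key=value ...' lines into dicts."""
    events = []
    for line in lines:
        ts, kind, *pairs = line.split()
        event = {"time": parse_ts(ts), "event": kind}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return events


def usual_country(events, user):
    """Most frequent country on the user's known-device logins (the baseline)."""
    seen = [e["src_country"] for e in events
            if e["event"] == "login" and e["user"] == user and e.get("device") == "known"]
    return max(set(seen), key=seen.count) if seen else None


def score_transaction(events, history, txn):
    """Score one transfer; higher means more reasons to hold it for investigation."""
    ts, user, amount, new_beneficiary = txn
    when = parse_ts(ts)
    recent = [e for e in events if e["user"] == user and when - WINDOW <= e["time"] <= when]
    logins = [e for e in recent if e["event"] == "login"]
    score, reasons = 0, []
    if any(e.get("device") == "new" for e in logins):
        score += 2
        reasons.append("login from new device in window")
    baseline = usual_country(events, user)
    if baseline and any(e.get("src_country") != baseline for e in logins):
        score += 1
        reasons.append("login country differs from baseline")
    if any(e["event"] == "profile_change" for e in recent):
        score += 1
        reasons.append("profile change in window")
    past = history.get(user, [])
    if past and amount > 5 * median(past):
        score += 1
        reasons.append("amount far above user's median")
    if new_beneficiary:
        score += 1
        reasons.append("new beneficiary")
    return score, reasons


def review_queue(login_lines, transactions, history):
    """Return the transfers whose score reaches HOLD_THRESHOLD, with their reasons."""
    events = parse_events(login_lines)
    held = []
    for txn in transactions:
        score, reasons = score_transaction(events, history, txn)
        if score >= HOLD_THRESHOLD:
            held.append({"user": txn[1], "amount": txn[2], "score": score, "reasons": reasons})
    return held


if __name__ == "__main__":
    for item in review_queue(LOGIN_LOG, TRANSACTIONS, HISTORY):
        print(f"HOLD {item['user']} {item['amount']:.2f} score={item['score']}: {', '.join(item['reasons'])}")
```

Each rule on its own is noisy (customers travel, change phones, pay new payees); the point of the lever is that the combination across sources is what separates the 9,800 transfer after a new-device login and a phone change from the same customer's routine payment a few hours earlier. The held item is what a trained fraud or call-centre team would then act on.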
In Summary
Action Points to do NOW!
1. Accountability for technology risk and cyber security – Ensure accountabilities at staff and management levels are clear. Ownership of the cybersecurity strategy must start at the Board and C-level Executive level.
2. Managing cyber risk holistically across the enterprise – Business units must own and embrace cyber security as a priority.
3. Conduct a Cybersecurity Maturity Assessment – To identify gaps in the way cyber risks are managed. Focus on protecting critical information & systems, reduce human factors risk, and build capability to detect and respond to persistent cyber attacks.
4. Remember: technical solutions are only one piece of managing the risk – Take a joint business and IT approach that looks at people, process, and tools.
Conclusion
• Cyber Security Readiness: Cybersecurity Maturity Assessment
• Lever 1: Strategic, Organisation-wide approach
• Lever 2: Actionable Threat Intelligence
• Cybersecurity & Technology Risk Frameworks: ISO 27000 series, Cyber Security, MAS/HKMA TRM Guidelines, NIST, COBIT, Others
kpmg.com/socialmedia kpmg.com/app
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Contact Details
Daryl Pereira
Partner, Cybersecurity, KPMG Management Consulting
+65 6411 [email protected]