An (Outsider's) View from Inside the Beltway
Washington Bankers Association 2018 Northwest Compliance Conference, Wednesday, October 3, 2018
Denyette DePierro, Vice President & Senior Counsel, Center for Payments and Cybersecurity, American Bankers Association
Rumors: What's happening in DC?
Trends: Technology, Cybersecurity, Privacy
What’s Happening in DC?
WHAT ABOUT TRUMP!?
• Embattled White House under investigation
• Midterm Elections
• What happens when things go wrong?
• Dodd Frank Reform
• Cannabis Banking
• Privacy & Data Breach
Regulatory and Legislative
Response?
Watch the headlines
Risk Culture is Shifting
Fintech = Third Party Risk Management
Watch the headlines
Dwolla Enforcement Action
Social Media Risk
Management
www.haveibeenpwned.com
Social Media
Social Engineering
Business Email Compromise
Operational Risk
Physical Security Risk
Build Network of “Trust”
Build a network of “trust”!!!
ZeroFox. 2016.
What is Social Media Risk?
1. Compliance & Legal Risk
2. Reputational Risk
3. Operational Risk
4. In Real Life (IRL) Risk
• Misuse of brand identity
• Reputation management
• Inadequate human resources
• Malware infections
• Data loss
• Breach of information security
• Breach of privacy
• Decreased employee productivity
• Legal liability
• Fraud/Scams
• Social Engineering
Real or Fake?
From: Emily Clark [mailto:[email protected]]
Sent: Thursday, November 24, 2016 12:25 AM
To: Webmaster <[email protected]>
Subject: Infographic for Cybersecurity/Fraud
Hi,
We recently just published a new animated infographic entitled 'The Online Shopper's Saga: In Search of a Secure Payment Solution' which I think you might be interested in reading and possibly sharing with your readers, here’s the link:
https://www.totalprocessing.com/blog/secure-payment-solution-infographic/
Let me know what you think, we have it as both the animated version (gifographic) you see here and a standard flat infographic if you like it, I’d be happy to write you a unique intro to go with it as well if you thought it was something worth sharing with your audience.
Keep up the good work!
Best regards,
Emily Clark
Impersonations
ZeroFOX, 2017
Media Risk
Social Media Security Checklist
Identify your organization's social media footprint: active and dormant accounts, key individuals.
Obtain 'Verified Accounts' for your company and brand on social media to provide assurance to customers that they are interacting with a legitimate account.
Enable two-factor authentication for social media accounts to deter hijacking.
Monitor for impersonation accounts, scams, fraud, and social media account hijacking, and, when malicious, arrange for takedown.
Initiate employee training on social media security hygiene.
Incorporate social media into your informational security policy and incident response plans.
Incorporate social media accounts in the IT password policy requirements.
Develop a multidisciplinary approach to information security.
Consider occasional third party reviews of your program.
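The checklist item on monitoring for impersonation accounts is the one that lends itself to automation. The following script is an added illustration, not material from the presentation or from ABA: it takes a bank's legitimate handles and flags candidate account names that collide with them after normalization (inserted separators, digit and symbol substitutions, non-ASCII lookalike letters, or an appended "support"/"help"-style token). The homoglyph table, the suffix list and every handle below are constructed sample data, not real accounts or a standard list.

```python
"""Lookalike-handle detector for social media impersonation monitoring.

Added example (not part of the presentation): screens a feed of candidate
account names against a bank's genuine handles and reports which ones are
near-duplicates worth a takedown request. All handles are constructed.
"""
import re
import unicodedata

# Characters commonly substituted for visually similar ones; applied after
# lower-casing. Two-character entries ("rn" -> "m") come last so the single
# character rules cannot disturb them. This table is an assumption.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "vv": "w", "rn": "m",
}

# Tokens impersonators commonly append to a brand name (assumed list).
SUFFIX_TOKENS = ("support", "help", "care", "official", "team", "service", "alerts")

# Short legitimate handles would match too many unrelated accounts at
# edit distance 1, so fuzzy matching is only used above this length.
MIN_FUZZY_LEN = 6


def normalize(handle: str) -> str:
    """Canonical form so that lookalikes collide with the genuine handle."""
    h = unicodedata.normalize("NFKD", handle).encode("ascii", "ignore").decode()
    h = h.lower().lstrip("@")
    h = re.sub(r"[._\-\s]", "", h)          # drop separators and spaces
    for src, dst in HOMOGLYPHS.items():
        h = h.replace(src, dst)
    return h


def strip_suffix_token(h: str) -> str:
    """Remove one trailing token such as 'support' from a normalized handle."""
    for tok in SUFFIX_TOKENS:
        if h.endswith(tok) and len(h) > len(tok):
            return h[: -len(tok)]
    return h


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legit_handles, max_distance: int = 1):
    """Return (verdict, matched_legit_handle).

    verdict is 'legit' (the bank's own account, case-insensitive match),
    'lookalike' (collides with a legitimate handle after normalization,
    suffix stripping, or a small edit), or 'unrelated'.
    """
    bare = candidate.lower().lstrip("@")
    for legit in legit_handles:
        if bare == legit.lower().lstrip("@"):
            return ("legit", legit)
    base = strip_suffix_token(normalize(candidate))
    for legit in legit_handles:
        norm_l = normalize(legit)
        if base == norm_l:
            return ("lookalike", legit)
        if len(norm_l) >= MIN_FUZZY_LEN and levenshtein(base, norm_l) <= max_distance:
            return ("lookalike", legit)
    return ("unrelated", None)


def scan(candidates, legit_handles):
    """Classify every candidate; returns a list of (candidate, verdict, match)."""
    return [(c, *classify(c, legit_handles)) for c in candidates]


# Constructed sample data: one genuine handle and a batch of names as a
# monitoring feed might surface them.
LEGIT_HANDLES = ["@FirstBankUSA"]
SAMPLE_FEED = [
    "@firstbankusa",                 # the bank itself, different case
    "@FirstBankUSA_Support",         # appended token
    "@First.Bank.USA",               # separators inserted
    "@F1rstBankUSA",                 # digit for letter
    "@F\u0456rstBankUSA",            # Cyrillic 'i' (U+0456) for Latin 'i'
    "@SecondCreditUnion",            # unrelated institution
]

if __name__ == "__main__":
    for handle, verdict, match in scan(SAMPLE_FEED, LEGIT_HANDLES):
        print(f"{handle!r:30} {verdict:10} {match or ''}")
```

Run it as a script to see the feed classified; in practice the candidate list would come from a platform search or a monitoring vendor's export, and the 'lookalike' rows are the ones to review before requesting takedown.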
Social Media Resources
aba.com 1-800-BANKERS
Checklist - Employee Use
Personal vs. professional use
Personal brand v. bank brand
Authorized spokespeople
Permissions level
Access during work day
Access on work v. personal devices
Access to bank’s wifi
Privacy settings
See something? Say something.
Checklist - Confidentiality & Content
What is prohibited proprietary and confidential information?
Customers' personal financial information and transactions
Bank operations
Employee routine and work habits
Personal routine, habits, and vacations
Checklist - Photographs and “Selfie” Risk
Locations
Employees
Technology
Customers
Events
Always Do a Background Check
Clean Desk Policy
No Selfie Zone
Checklist – Content and Monitoring
Customer complaints, comments, and compliments
Compliant language, links, and disclosures
Mention of bank name, directors, senior staff
Fraudulent accounts and mirror sites
Non-public details about bank operations
Details of routines, habits, vacation schedules
Employee Complaints
FFIEC Social Media Risk Management Guidance (2013)
FFIEC Social Media Risk Guidance
FFIEC Guidance: Social Media Risk Management (2013)
"A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media."
"The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing."
Reputation Risk – Fraud and Brand Identity:
"Risk may arise in many ways…spoofs of institution communications, and activities in which fraudsters masquerade as the institution…Financial institutions should have appropriate policies in place to monitor and address in a timely manner the fraudulent use of the financial institution's brand, such as through phishing or spoofing attacks."
Operational Risk:
"A financial institution should pay particular attention to the [FFIEC IT] booklets "Outsourcing Technology Services" and "Information Security" when using social media, and include social media in existing risk assessment and management programs."
"Social media is one of several platforms vulnerable to account takeover and the distribution of malware. A financial institution should ensure that the controls it implements to protect its systems and safeguard customer information from malicious software adequately address social media usage."
Incident Response:
"Financial institutions' incident response protocol regarding a security event, such as a data breach or account takeover, should include social media…."
FFIEC IT Handbook
Regulation of Social Media Risk
FFIEC Information Security Booklet (2016)
Objective 2: Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability, and adequate resources to support the program.
I.A. Security Culture (p. 3). The board and management should:
• Understand and support information security,
• Provide appropriate resources for developing, implementing, and maintaining the information security program, and
• Foster an information security program in which management and employees are committed to integrating the program into the institution's lines of business, support functions, and third-party management program.
Indicators of a mature InfoSec culture: integration of new initiatives. A stronger security culture generally integrates information security into new initiatives from the outset, and throughout the life cycle of services and applications.
Objective 4: As part of the information security program, determine whether management has established risk identification processes.
II.A. Risk Identification (p. 7) An information security program should have documented processes to identify threats and vulnerabilities continuously.
Threats can be a natural occurrence, a technology or physical failure, or a person with intent to harm or who unintentionally causes harm.
Information is available from:
• Public sources: news media, blogs, government publications and announcements, and websites.
• Private sources: information security vendors and information-sharing organizations.
Objective 6: Determine whether management effectively implements controls to mitigate identified risk.
II.C.7(e) Training (p. 17). Management should:
1. Educate users about their security roles and responsibilities and communicate them through acceptable use policies.
2. Hold all employees, officers, and contractors accountable for complying with security and acceptable use policies.
3. Ensure that the institution's information and other assets are protected.
4. Have the ability to impose sanctions for noncompliance.
Content:
• Training materials for most users focus on issues such as end-point security, log-in requirements, and password administration guidelines.
• Training programs should include scenarios capturing areas of significant and growing concern, such as phishing and social engineering attempts, loss of data through e-mail or removable media, or unintentional posting of confidential or proprietary information on social media.
• Training should change to reflect the risk environment.
• Employee training should be annual.
Cybersecurity
What’s the next vulnerability?
• Internet of Things
• Artificial Intelligence
• Big Data
• National Digital Infrastructure
• Social Media/Social Engineering
• Government Security and Data Protection
• Smart City/Interconnectedness
Regulatory and Legislative Response?
Watch the headlines
NIST IOT “Trust” Proposal
City as smartphone
"…Sidewalk thinks of smart cities as being rather like smartphones. It sees itself as a platform provider responsible for offering basic tools (from software that identifies available parking spots to location-based services monitoring the exact position of delivery robots)….Sidewalk plans to let third parties access the data and technologies, just as developers can use Google's and Apple's software tools to craft apps."
City as fintech
How do we protect what we don't control?
What's the next (smart city) vulnerability?
Cybersecurity & IT Exam Trends
FFIEC IT Handbook 2018 Updates
• Business Continuity Management
• Operations, Infrastructure, and Architecture
• Development and Acquisition
• Outsourcing Technology Services
• Payments
The Cultural Shift
FFIEC Agency Priorities – IT Exams
1. “Fundamental” Internal Controls
2. Cyber hygiene
3. IT asset inventory and reporting
4. Patching
5. Ongoing Staff Education and Training
6. Threat intel and vulnerability management
7. Third party risk: interconnectedness
8. Third party risk: cybersecurity
Was there anything weird?
QUESTIONS?
www.fsscc.org/files/galleries/FSSCC_Cyber_Insurance_Purchasers_Guide_FINAL-TLP_White.pdf
https://www.aba.com/Tools/Function/Cyber/Pages/IncidentResponseGuide.aspx
2016 Information Security Exam Tool: http://www.aba.com/Tools/Function/Technology/Documents/IT-Examination-Toolkit.pdf
THIS IS A SPECIAL ANNOUNCEMENT
DO YOU EU?
GDPR For the Rest of Us
A Risk-Based Approach to GDPR
HOW DID THIS HAPPEN?
DO YOU EU?
Do you really know your customer?
What’s your real global footprint?
What is GDPR?
Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR)
Regulates the processing, by an individual, a company or an organization, of personal data relating to individuals in the EU.
Effective: May 25, 2018
Penalties: up to €20 million or 4% of global annual revenues
What is GDPR?
GDPR does not apply to:
• Personal data of deceased persons, or of legal entities.
• Data used by an individual for purely personal applications (e.g., sending party invite to friends in EU)
• Crime exemption: information sharing between organizations for the purpose of security, and preventing unauthorized access to systems and cyber crime.
What is GDPR User Data?
• Definition is broad and may vary.
• Includes:
– Online identifiers
– Email address
– IP address
– ‘Cookies’
…but not anonymized data.
Does GDPR Apply to You?
GDPR applies to any company that chooses to do business:
1) In the EU
OR
2) With a person in the EU
Does GDPR Apply to Me?
Example #2: When GDPR does not apply to Non-EU Companies
• Your company is a service provider based outside the EU.
• It provides services to customers outside the EU.
• Your clients can use your services when they travel to other countries, including within the EU.
Conclusion:
Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
GDPR and Banking Activities
• International Foreign Exchange
• International Wires
• Remittances
• Wealth Management and Trust Services
• Payments
Do You EU?
Nine Questions
#1 Have you formed or do you own a controlling interest in a European Union legal entity?
#2 Do you have an EU business license or permission to conduct business in the EU?
#3 Do you own or lease office space or employ personnel or technology in the EU to conduct business in the EU?
#4 Do you have vendor relationships to access EU markets or to process the personal data of EU citizens or residents?
#5 Do you own or operate websites with EU top-level domains?
#6 Do you specifically market products or services through your bank's website to people in the EU in one of the 24 EU languages and/or in an EU currency?
#7 Do you allow media marketing partners such as Facebook, Google, Yahoo, to use EU-based search engines for retargeting and analytics, or does your banking website use cookies and track IP addresses and users from the EU?
#8 Do you envisage doing business with people in the EU by directing marketing efforts towards the EU or directly and intentionally facilitating access for potential EU customers to your products and services?
#9 Do you hold personal data that identifies an individual in the EU?
If you answered "no" to these nine questions, it is likely that GDPR does not apply to your institution.
GDPR Response Plan
DO A DATA SELF ASSESSMENT!
Consider your corporate family tree.
Identify customers in the EU.
Review policies and procedures.
Develop GDPR memo.
Retain legal counsel or consultant.
QUESTIONS?
About the Speaker
Denyette DePierro, Vice President & Senior Counsel, American Bankers Association
Denyette DePierro joined the American Bankers Association in March 2008. Prior to joining ABA, Denyette was Legislative Counsel at the Independent Community Bankers of America (ICBA) in Washington, D.C. and the California Independent Bankers in Newport Beach, California. Denyette received her J.D. and M.DR from the Pepperdine School of Law, where she was a fellow at the Straus Institute for Dispute Resolution. She received a B.A. from the University of California, Santa Barbara, and was a European Union Fellow at the University of Padua in Padua, Italy in Developmental Economics. At ABA, Denyette focuses on the state, federal, and international regulation of technology, cybersecurity, privacy, data security and emerging trends in banking, including fintech, blockchain, internet of things (IOT), artificial intelligence, and social media.
Email: [email protected] | 202.663.5333 | Twitter: @DenyetteD | LinkedIn: linkedin.com/in/depierro