© 2016 BlackBerry. All Rights Reserved.

File Sharing Use Cases in Financial Services


Jeff Holleran

Vice President, Corporate Strategy

July, 2017


Agenda

Secure File Sharing in Financial Services

Financial Services Use Cases

Next Steps


Secure File Sharing in Financial Services


Financial Services: Key File Security Drivers

Regulations - Multiple Requirements:

• Data Security and Encryption
• Strong Authentication and User Management
• Protection of Customer Data
• Chain of Custody and Compliance Reporting
• DLP Support

Intellectual Property Protection:

• Internal Technology and Systems
• Management and Maintenance of Client IP

Corporate Governance and Confidentiality:

• Mergers and Acquisitions
• Executive-Level Communications
• Maintenance of Mandated Internal Business Firewalls

Threat Intelligence Sharing


Regulatory Requirements

Columns: NYDFS 500 | GLBA/FFIEC | PCI DSS | GDPR

Protection of Customer Info X X X X

Encryption X X X X

Access Controls X X X X

Compliance Logging and Reporting X X X X

Oversight of External Users X X X X

Incident Monitoring and Reporting X X X

Section 500.15 Encryption of Nonpublic Information.

(a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.


Best-Practices Security Standards

Financial Services firms and their technology partners should conform to the following standards:

• ISO/IEC 27001 Certification: ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."
• SOC2 Type 2 external audits against AICPA auditing standards: A SOC 2 report helps to address third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the security of a system at a service organization.
• FIPS 140-2: U.S. government (NIST) computer security standard used to approve cryptographic modules.

The following standards provide best-practices security benchmarks for technology providers:

• US DoD ITAR & DFARS Compliance (NIST 800-53 and NIST 800-171)
• US HIPAA compliance and reporting
• UK Cyber Essentials Standards


File Sharing Throughout the FS Enterprise

[Diagram: functions and parties that share files across a financial services enterprise]

Functions and parties shown (the diagram labels one group EXTERNAL): CEO; Board of Directors; CIO / CTO; Investment Banking; Human Resources; CFO; Market Research; Legal; Real Estate Services; Business Partners; Investors; Banking Customers; M&A Parties; Banking Services; Regulators; Outsourced Operations; Industry Groups; Outside Attorneys; Risk Assessment Sharing

Document types shown:

• SEC filings
• Tax/audit filings
• SOX reports
• Placements
• Board reports

• Compliance reports: GLBA, SOX, PCI, etc.
• Contracts
• Proprietary systems
• Compensation
• Bonus data
• Employee equity grants

• Contracts
• Corp dev/M&A
• eDiscovery
• Outside counsel

• Board documents
• Strategy plans

• Buy-side research
• Sell-side research
• Advisory Services
• M&A deal materials
• Mortgage documents
• Ecological assessment documents
• Property debt documents
• Loans, Letter of Credit
• Performance report
• Wealth Management / Investment fund performance data


File Sharing Today: Major Risk Factors

The average organization has 13 file sync applications in use – most not approved or managed by IT

13

76% of organizations send traffic to Dropbox (2GB/mo. on average)

76%

Of non-sanctioned cloud services used in FS firms are cloud storage and webmail apps

40%

Of cloud DLP violations at FS Firms involve Webmail, Cloud Storage or Collaboration Apps

72%

Source: Netskope, Palo Alto Networks, Gartner


Secure Enterprise File Sharing Requirements

Security & Compliance

File Encryption
• Encryption at rest, in transit and in use
• FIPS 140-2 certified crypto-modules

File Access and Usage Controls
• Only Authorized Users May Access Data and Files
• Restrict File Redistribution
• DRM, watermarking and online-only mode

Administrative Controls
• Fine-Grained User and Policy Management
• Ability to Revoke or Change Access Automatically or Manually

Logging and Auditing
• All Data Access Events Must Be Captured and Logged
• Flexible Compliance Reporting
• DLP Integration and Support

Productivity

Collaborative Workspaces
• Accessible via browser and apps

Cross-Platform Support
• Platform Agnostic
• Secure Access, Productivity and Synchronization

Extend and Secure Existing Repositories
• “Protect-in-Place”
• Provide Access and Sharing W/O File Migration

Support Existing Workflows & Systems
• Robust Integration Architecture
• Development APIs and SDKs


Financial Services Case Studies


Common Financial Services Requirements

SHARING TO AGENTS / MERCHANTS

Remote access / mobile productivity

• Control sensitive / regulated information shared to agents
• Capture data from remote locations on mobile devices
• Securely synced folders

EXTERNAL AUDIT REPORTING

Regulated, non-public information

• Share confidential, non-public documents with outside auditors
• Compliance regulations

M&A / COMMERCIAL TRANSACTIONS

Securely collaborate with 3rd parties

• Sharing spreadsheets, models, numbers, etc.
• Control how files are used, who is accessing them, when and where
• Revoke access to documents after deal

LOAN / CREDIT INFORMATION

Protecting customer statements (PII)

• Collaborating on loan / credit information throughout lifecycle
• Providing regulated statements, capital calls, tax documents

LITIGATION / TRIAL CASES

Sharing to outside counsel

• Simple and secure sharing of files (some large – 10 GB)
• Prevent forwarding of information and revoke access after trial


Case Study: PCI DSS Compliance - Protecting Customer Personal Data

Payment Card Industry Data Security Standard (PCI DSS)

Customer Overview

American financial services company operating in business banking, retail banking and wealth management

BUSINESS NEED

Requirement 3.4: All credit card data needs to be encrypted or rendered unreadable.

• PCI certification on portfolio basis
• Already adopted for secure collaboration; easy to apply to PCI

USERS

• Executives (SVP / VP)
• Managers
• Customer representatives
• Anyone who touches customer credit card information

BENEFITS

• Persistent AES-256 encryption
• Encryption and controls travel with the file
• All file activities are fully tracked for auditability


Case Study: Agent Network Regulatory Audit

Customer Overview

Global provider of insurance, annuities and employee benefit programs, serving 90 million customers.

BUSINESS NEED

• Each of the 2,500 agencies must undergo regulatory audit every 18 months
• Requires collection of policies from 10-20 customers, approx. 20 documents per customer
• No secure standard process for sharing files

USERS

• Auditors (India)
• Audit Manager
• Regional Sales Manager
• Independent Agency

BENEFITS

• Minimize security risk by standardizing the process.
• Control who has access, how long, what they can do with the file, etc.
• Track activity for access to sensitive data. Export audit logs for records.


Case Study: Securing Investor Relations

Customer Overview

One of the world’s largest private equity firms.

BUSINESS NEED

Need to protect business documents for transactions.

• Replace Intralinks with a mobile-friendly solution
• Globally accessible by 1,000 internal users and 15,000 limited partners

USERS

• Board members
• Internal employees and contractors: Sales, PR, Legal
• Limited partners

BENEFITS

• Rolled out globally
• Easily integrated with existing portal with APIs – no change to user experience
• Added security controls on business documents


Case Study: Wealth Management Advisors

Customer Overview

Large European bank, operating in more than 50 countries globally.

BUSINESS NEED

Establish a mobility strategy

• Securely share and work on mobile devices
• WMAs spent hours printing & shredding files
• Must be easy enough to use for senior executives and board members

USERS

• Wealth Management Advisors (WMA)
• Clients
• Senior executives and board members

BENEFITS

• Reduce the amount of paper used, resulting in $440K worth of carbon credits
• Save time to spend with clients, doing more value-added work


What Next?


Perform a Security Audit and Review

BlackBerry Shield Security Audit and Review Program

Option One: Online Self-Assessment

Option Two: 90-Minute Detailed Personal Review

For more information:

https://us.blackberry.com/enterprise/security/mobile-security-best-practices

Technical Controls

• Device security policy management
• Security administrator controls
• OS integrity and malware controls
• Encryption (at rest, in transit)
• Authentication
• Data leak prevention
• Secure communications and content protection
• Application security
• Availability

Administrative Controls

• Mobile Device Lifecycle Management
• Application security
• Organizational security structure
• Security configuration change management
• Risk assessment
• Security incident and response
• Governance/HR and Legal
• Security awareness training

BlackBerry Offers a FREE Security Audit


Thank You…

Questions?