Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective Rory Guenther, CISA Senior Examiner, Operational Risk Specialist, Federal Reserve Bank of Mpls Brent Siegel, CSOP, CRFS, MBA, eBC Strategic Executive Consultant, Broken Sales Consulting
Post on 15-Aug-2015

Page 1: 2015 WACHA Hot Regulatory Exam Issues 03202015

Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective

Rory Guenther, CISA, Senior Examiner, Operational Risk Specialist, Federal Reserve Bank of Mpls

Brent Siegel, CSOP, CRFS, MBA, eBC, Strategic Executive Consultant, Broken Sales Consulting

Page 2

THIRD PARTY SERVICE PROVIDERS

Vendor Management

Page 3

What is a Third-Party?

“‘Third Party’ is broadly defined to include all entities that have entered into a business relationship with the institution…”

Page 4

Third Party Vendor Management as a Priority

FI must establish and maintain a compliant vendor management program

Examiners are giving more attention to vendor management

Bank’s exposure to violations committed by a third party service provider

Civil money penalties

Page 5

Civil Money Penalties

Bank assessed $7,800,000 in part due to Bank’s oversight of affiliate and third-party service providers.

Bank required to refund approximately $140 million to customers and pay $25 million penalty for deceptive marketing tactics used by their vendors.

Bank pays $175 million to settle accusations that its independent brokers discriminated against black and Hispanic borrowers.

Focus of settlement was failure to police the behavior of independent loan brokers.

Page 6

Civil Money Penalties, cont.

Bank assessed $21 million for insufficient oversight which allowed bank loan officers and outside brokers to adjust rates and fees without regard to borrower risk, which resulted in brokers extracting larger overpayments. (Fair Lending)

Bank assessed $112.5 million for insufficient oversight of affiliate and third party service providers. (UDAP)

Bank assessed $200 million for insufficient oversight of third party telemarketers. (Deceptive Marketing)

Bank assessed $11.2 million for insufficient oversight and control of TPSP system integration challenges and insufficient due diligence to note prior consumer complaints against TP. (UDAP)

Bank assessed $210 million for insufficient oversight of third parties to ensure they followed the bank-provided scripts. (Unfair and deceptive sale of credit card add-on product.)

Page 7

What Is the Guidance?

Consists of SR 13-19/CA 13-21 letter (Guidance on Managing Outsourcing Risk) and an attached policy statement on managing outsourcing risk

Supplements existing guidance for technology service providers

Refer to the FFIEC Outsourcing Technology Services Booklet (June 2004) at http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx

Applies to all financial institutions supervised by the Federal Reserve, but other regulators have issued similar guidance

Page 8

What’s New?

Applicability of guidance to outsourced activities beyond core bank processing and information technology-related services

Enhanced risk management that institutions should have for better oversight and management of outsourcing risk

Additional guidance pertaining to key aspects (attributes, governance, and operational effectiveness) of an institution’s service provider risk management program

Page 9

Areas of Emphasis

Types of risk exposure

Board of directors and senior management responsibilities

Service provider risk management programs

Additional risk considerations

Page 10

Third Party Risk Types

Strategic: Adverse business impact (includes sales agents)

Reputation: Negative public opinion

Operational: Failed internal processes, people or systems

Transactional: Problems with service or product delivery

Financial: Unable to meet contractual arrangements

Compliance: Violations of laws, regulations or internal policies

Foreign: Country, culture, or geopolitical

Page 11

Board and Senior Management Responsibilities

Ensuring outsourced activities are conducted in a safe and sound manner and in compliance with appropriate laws and regulations

Approving institution-wide vendor management policies that mitigate outsourcing risk

Reporting to the board of directors on adherence to policies governing outsourcing arrangements

Page 12

Elements of the Service Provider Risk Management Program

Risk assessment

Due diligence for the selection of service providers

Contract provisions and considerations

Incentive compensation review

Oversight and monitoring of service providers

Business continuity and contingency plans

Page 13

What Constitutes Significant TP Relationship?

Relationship is new, or involves new FI activities

Has material effect on FI’s revenues or expenses

TP performs critical functions

TP stores, accesses, transmits, or performs transactions with sensitive customer information

Increases FI’s geographic market

Performs a service involving lending or card payment transactions

Poses risks that could affect earnings, capital, or reputation

Provides product or service that covers large number of consumers

Provides product or service that implicates higher risk consumer protection regulations

Involves deposit taking arrangements

Markets products directly to FI customers that could pose risk of financial loss to individual

Page 14

Risk Tiers Based on Inherent Risk

Define Risk Severity Levels

Inherent Risk is a function of Organizational and Profile risk

Customer Facing?

TIER 1: Highly integrated; high reliance; interruption leads to significant operational impact; high transition cost/effort

TIER 2: Some integration; some reliance; interruption leads to moderate operational impact; high transition cost/effort

TIER 3: No integration; cost & performance drives relationship; interruption leads to limited operational impact; moderate transition cost/effort

TIER 4: No integration; cost & performance drives relationship; interruption has no operational impact; minimal transition cost/effort

Page 15

TOP 10 REGULATOR EXPECTATIONS

© 2014 EastPay. All Rights Reserved

Page 16

1. Due Diligence Prior to Vendor Selection

Review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls

Page 17

1. Due Diligence Prior to Vendor Selection (cont’d)

Evaluation of a third party may include the following items:

Audited financial statements, annual reports, SEC filings, and other available financial indicators

Significance of the proposed contract on the third party's financial condition

Experience and ability in implementing and monitoring proposed activity

Business reputation

Page 18

1. Due Diligence Prior to Vendor Selection (cont’d)

Qualifications and experience of the company's principals

Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies

Existence of any significant complaints or litigation, or regulatory actions against the company

Ability to perform the proposed functions using current systems or the need to make additional investment

Page 19

1. Due Diligence Prior to Vendor Selection (cont’d)

Use of other parties or subcontractors by the third party

Scope of internal controls, systems and data security, privacy protections, and audit coverage

Business resumption strategy and contingency plans

Knowledge of relevant consumer protection and civil rights laws and regulations

Adequacy of management information systems

Insurance coverage

Page 20

2. Vendor Selection

Audit Requirements

Identify regulation requirements of FI

Resources and Technology

Support System

Policies, procedures, and service organization control reports

Disaster recovery plan

Reputation

Page 21

3. Contract Negotiation

Audit rights, self-assessments, monthly compliance reviews, obtain vendor’s annual SOC report on its control compliance

Service level agreements and financial penalties

Page 22

4. Contract Scope

Timeframe covered by the contract

Frequency, format, and specifications of the service or product to be provided

Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service

Page 23

4. Contract Scope (cont’d)

Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance

Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations

Page 24

4. Contract Scope (cont’d)

Identification of which party will be responsible for delivering any required customer disclosures

Insurance coverage to be maintained by the third party

Terms relating to any use of bank premises, equipment, or employees

Page 25

4. Contract Scope (cont’d)

Permissibility/prohibition of the third party to subcontract or use another party to meet its obligations with respect to the contract, and any notice/approval requirements

Authorization for the institution to monitor and periodically review the third party for compliance with its agreement

Indemnification

Page 26

5. Implementation

Access management

Review system access reports at least monthly to ensure users of outsourced service are authorized

Transaction monitoring

Change management

FI should approve any changes made by vendor

System backup
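The monthly access review on this slide, as an added example that is not part of the original deck: it reconciles a constructed vendor access report against the FI's roster of approved users and flags accounts nobody approved, accounts holding more privilege than approved, and accounts that have gone unused. The CSV columns, role names and the 90-day staleness window are assumptions made for the example.

```python
"""Monthly review of a vendor's system access report against the FI's
authorized-user roster (added example; not from the original slides).

Assumptions (constructed for illustration): the vendor exports a CSV
access report with columns user,role,last_login, and the FI keeps a
roster mapping each authorized user to the single role it approved.
"""
import csv
import io
from datetime import datetime

# Constructed sample access report, as a vendor might export it.
ACCESS_REPORT_CSV = """user,role,last_login
jdoe,operator,2015-03-10
asmith,admin,2015-02-28
vendor_support1,admin,2015-03-12
mjones,operator,2014-11-02
bwhite,operator,
"""

# Constructed roster of users the FI has authorized, with the approved role.
AUTHORIZED_ROSTER = {
    "jdoe": "operator",
    "asmith": "operator",   # approved as operator, not admin
    "mjones": "operator",
    "bwhite": "operator",
    "kgreen": "operator",   # authorized but absent from the vendor report
}

# Ordering used to detect privilege beyond what was approved; an unknown
# vendor-side role is treated as more privileged than anything approved.
ROLE_RANK = {"readonly": 0, "operator": 1, "admin": 2}


def review_access(report_csv, roster, review_date, stale_days=90):
    """Reconcile the vendor report with the roster and return findings.

    review_date is an ISO date string (YYYY-MM-DD). Returns a dict of lists:
      unauthorized     - accounts in the report that nobody at the FI approved
      excess_privilege - (user, approved_role, vendor_role) where vendor role
                         exceeds the approved role
      stale            - accounts with no login within stale_days, or never
      not_in_report    - approved users the vendor no longer lists (informational)
    """
    review = datetime.strptime(review_date, "%Y-%m-%d").date()
    findings = {"unauthorized": [], "excess_privilege": [],
                "stale": [], "not_in_report": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"].strip()
        role = row["role"].strip().lower()
        seen.add(user)
        if user not in roster:
            findings["unauthorized"].append(user)
            continue  # no point grading privilege on an unapproved account
        if ROLE_RANK.get(role, 99) > ROLE_RANK.get(roster[user], -1):
            findings["excess_privilege"].append((user, roster[user], role))
        last = row["last_login"].strip()
        if not last:
            findings["stale"].append(user)  # never logged in: candidate for removal
        elif (review - datetime.strptime(last, "%Y-%m-%d").date()).days > stale_days:
            findings["stale"].append(user)
    findings["not_in_report"] = sorted(set(roster) - seen)
    return findings


if __name__ == "__main__":
    for category, items in review_access(
            ACCESS_REPORT_CSV, AUTHORIZED_ROSTER, "2015-03-20").items():
        print(f"{category}: {items}")
```

Each non-empty list is something the FI should raise with the vendor and record as evidence of the review; the `not_in_report` list is mainly a check that the roster itself is kept current.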

Page 27

6. Monitoring

Audits

Service Organization Control (SOC) Reports – Vendor’s compliance with their own policies

IT Controls

Statement on Standards for Attestation Engagements No. 16 (SSAE 16), formerly known as Statement on Auditing Standards No. 70 (SAS 70)

Page 28

7. Ensure Proposed Relationship is consistent with FI’s Strategic Plan and Overall Strategy

Step one in Risk Assessment Process

Management should analyze benefits, costs, legal aspects, and potential risks associated with Third-Party

Expanded analysis should be conducted if product or service is new for FI

FI personnel conducting analysis should have appropriate knowledge and skills to conduct it

Page 29

8. Ensure vendor management program risk-ranks vendors based on:

Access to other confidential (i.e. proprietary) information?

Criticality of the product/service they provide?

Complexity of the product/service?

Page 30

9. Adherence to Service Level Agreements and Contract Provisions

Formal Policy that defines SLA program

SLA monitoring process

Recourse process for non-performance

Escalation process

Dispute resolution process

Termination process

Page 31

10. File Bank Service Company Act when Required

Section 7 of Bank Service Company Act (12 U.S.C. 1867) requires insured financial institutions to notify their appropriate federal banking agency in writing of contracts or relationships with third parties that provide certain services to the institution

Page 32

10. File Bank Service Company Act when Required (cont’d)

Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party "shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first."

Page 33

10. File Bank Service Company Act when Required (cont’d)

As defined in Section 3 of the Act, these services include "check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution."

Page 34

Cybercrime & Cybersecurity

DDoS, Account Takeover, Fraud!

Page 35

Cybersecurity

The process for managing cyber threats and vulnerabilities and for protecting information and information systems by identifying, defending against, responding to, and recovering from attacks.

Page 36

Cybersecurity Conundrum

“You have to be right all of the time, those exploiting you only have to be right once.”

- Ancient cybersecurity proverb

Page 37

Cybercrime – Where & Why?

Where do cyber attacks come from?

What is the Motivation?

Ideology – making a political statement

Extortion – demand for payment to avoid website attack

Competition – disrupt a competitor’s online services

Fraud – used as a tool to aid in unauthorized financial gain

Page 38

Trends

Page 39

How do Cyber Criminals gain Access?

Deception via DDoS

Spam

Phishing Attempts

Spoofed Web Pages

Popup Ads & Warnings

Malware (Trojans, worms, etc.)

Theft (Laptops, thumb drives, etc.)

Email Attachments

Downloads

Social media

Page 40

What is a denial of service attack?

Objective(s):

Render a service unavailable

Cripple the infrastructure

Typical targets:

Bank

Credit card payment servicers

Mode of attack: Saturate the target with external requests for connectivity or communication

Page 41

Distributed DoS (DDoS)

A DDoS attack is performed when hundreds, or possibly thousands, of computers simultaneously request services or bandwidth from the same target computer.

The attack is executed with networks of computers which are controlled by malicious software which has been installed on a user’s computer.

The antivirus detection rate for botnet malware is less than 40 percent. For additional information, visit: https://zeustracker.abuse.ch/index.php.

Page 42

Financial Institution Mitigating Actions

Targeted banks have been very successful in employing numerous means of thwarting the DDoS attacks.

There has been unprecedented sharing of information amongst the targeted banks as well as with their regulators and other government agencies.

Banks are working with service providers to address the problems and to scrub/reduce the attack volumes.

Leading DDoS protection providers (Prolexic, VeriSign, Akamai, etc.)

Internet Service Providers - AT&T, Verizon, etc.

Page 43

Adhere to these best practices

Don’t assign all resources to DDoS mitigation.

Dedicate at least some staff to watching entry systems during attacks.

Make sure everything is patched.

Keep your security up to date.

Have dedicated DDoS protection.

Scrambling to find a solution in the midst of an emergency only adds to the chaos—and any intended diversion.

Page 44

Technology Enabling Fraud

As payments have evolved significantly, largely due to technological advancements, so has the sophistication of EFT fraud. Expertly crafted emails, malicious links on legitimate websites (such as social networking sites), and other methods are used to place malware within the networks of corporate customers. The malware then harvests security information, including login credentials, subsequently allowing the criminals to initiate electronic payments through hijacked accounts.

Page 45

WHO

Law enforcement agencies are reporting a significant increase in funds transfer fraud involving the exploitation of valid online banking credentials belonging to small and medium-sized businesses.

Eastern European organized crime groups are believed to be predominantly responsible for the activities, and are also employing witting and unwitting accomplices in the United States (money mules) to receive, cash and forward payments from thousands to millions of dollars to overseas locations via popular money and wire transfer services.

Page 46

The FFIEC Guidance Supplement

Effective 1/1/2012:

On June 28th, 2011 the Federal Financial Institutions Examination Council (FFIEC) released a supplement to the 2005 “Authentication in an Internet Banking Environment” guidance that describes the measures financial institutions should take to protect Internet banking customers from online fraud.

Page 47

Three Primary Requirements

Risk Assessments

Layered Security

Customer Education & Awareness

Page 48

Fundamentals of Cyber Security Risk Management

Senior Management Buy-in/Corporate Governance

Defense-in-Depth (Gap Analysis and

External Resources/Relationships, Feeds, and Awareness

Robust Monitoring/Oversight

Respond

Test Monitoring and Incident Response Plans

Page 49

Note

Similar to the 2005 guidance, the June 2011 supplement applies to all electronic banking delivery channels, including the mobile banking channel.

Whether financial institutions provide all or part of their electronic banking activities to customers through in-house systems or outsourced, service-provider arrangements, the institutions are responsible and accountable for conformance with the 2005 guidance and the 2011 supplement. (VENDOR MANAGEMENT)

Page 50

IT/Cybersecurity Controls Cheat sheet

Where is your data?

What is normal?

How do you know?

Page 51

Questions?

Page 52

Contact The Presenter(s)

Rory Guenther, CISA, Senior Examiner, Operational Risk Specialist

[email protected]

Brent Siegel, Vice [email protected] x216

Pam Rodriguez, AAP, CIA, CISA, EVP, Risk Management & [email protected], ext 305