cyber security april 2016 presentation

Post on 22-Jan-2018


TRANSCRIPT

Cyber Security: Challenges for the Regulator
JFSC COO Mike Jeacock & JFSC Head of ICT Denis Philippe

› JFSC Chief Operating Officer Mike Jeacock

› An evolving Commission

› An agile & open regulator

› Technology
  › To fulfil international responsibilities
  › To protect & defend our systems

› An active Cyber Programme
  › Ownership of risks & obligations

› Introduction

› Subjected to approximately 3,800 network security attack attempts DAILY

› Process over 5,000 emails per day with up to 34% of inbound traffic being rejected due to identified threats

› Website screening prevents access to high risk content (< 0.1% traffic)

› What happens to the JFSC

› Executive

32% of Boards do not receive information security updates

45% of Boards do not believe it is important

› Fire Metaphor

FIRE
  › Opportunistic threat
  › Indiscriminate
  › Exploits vulnerability
  › Owns everything

› Human

› Vigilant

› More complex

› Vulnerable

50% of people take some form of confidential information with them when they leave an organisation

› Case Studies
  › Sleeper
  › Chinese restaurant
  › Starbucks
  › Me

› Human factors

› JFSC Head of ICT Denis Philippe

“Commission held information [1], in all its forms, written, recorded electronically or printed, will be protected from accidental or intentional unauthorized access, modification, or destruction throughout its life cycle”

[1] This includes all information created or owned by the Commission as well as information collected by or provided to the Commission by external parties for the execution of the Commission’s activities

› Cyber-Security Mission Statement

› Definitions of what we protect:

› Private & personal information
  › Legal definition versus what people actually value

› What?

(Diagram labels: Gap, Extended, Reputational Risk)

› Why?

› Mitigate Risk – “Data is a commodity of interest to many”

› Extensive investment in providing an interconnected, online mode of stakeholder engagement is being balanced with significant effort and investment in our security, to protect the systems and data we collect and hold

› How?

› The JFSC Gold Standard

› This blend of NIST and ISO allows us to speak to other regulators and registries in security terms they understand

5 Pillars based on a blend of NIST and ISO27001: Identify, Protect, Detect, Respond, Recover

› Governance and Landscape

› Governance: policy framework reduced from 125 to 12

› Understanding the landscape

› The JFSC holds diverse sets of information:

› Market sensitive information
  › Incorporations
  › Mergers and Acquisitions
  › Fund Products

› Beneficial ownership information

› Security Interest information

Manage the value equation: it is about delivering value. Cyber-security should be seen as a business benefit and not just a cost

› Protect

› Building new systems

› Building walls is not enough

› Flexibility and collaboration are key

› Improved intelligence will improve detection

› Understand the threat landscape

› Building an e-Enabled JFSC

› Developing a new platform environment with security baked in from the start

› Delivering joined up services

› Delivering new Registers from a common platform (SIR, JAR)

› Move to more services online

› Increased surface area requires a different approach to security

› Building new systems – changing risks

› Detect

› Behavioural analytics – not magic

› Real-time visibility

› 7.6 million network / data events per day at JFSC

› Detect

“If the product doesn't give you a why, it is only an illusion of security.” Amit Yoran – President, RSA

› Humanware

› Focus is turning to people

› Soft targets = weak link in the chain

› Cultural evolution through training and secure behaviours

› Understanding the landscape

Humanware 2.0: People, Skills, Knowledge

› 40% of daily actions are driven without thinking:
  › Changing gear
  › Tying shoe laces
  › Locking the front door

› Bad habits include:
  › Writing down passwords
  › Leaving screens unlocked
  › Clicking on emails and links without knowing what they are or where they go

› “Evidence has shown that a large number of cyber hygiene issues have become bad habits.” Bikash Barai

› Habits

› Two areas of the brain we are interested in:

› Goal directed part (pre-frontal cortex)
  › Responsible for conscious and deliberate activity
  › Slower functioning

› Habit part (basal ganglia)
  › Fast
  › Near automatic function
  › Does not require thought

› Habits

› Changing habits

Trigger → Routine → Reward

› Example 1: Stop writing down passwords

Trigger: Password expiry
Old Routine: Write down password
New Routine: Write down a clue
Reward: Feeling secure

Rehearse and repeat at least 20 times

› Example 2: Stop clicking on phishing links

Trigger: Legitimate entity asking for personal details
Old Routine: Share details
New Routine: Validate legitimacy of entity
Reward: Feeling secure

› Malicious
  › IP theft or sabotage for their own benefit or that of others
  › 50% of those who steal data do so in their last month of work
  › 70% of those who steal data do so two months before leaving
  › Have a training and awareness plan

Ref: Dawn Cappelli

› Island opportunity

› What about the local aspect?

› Is there a need to ensure that cyber-security is embedded as a pre-requisite to doing business?

› Is there a place for cyber in the regulatory framework?

› Who should set and monitor any local standards?

› Should the standards be scalable?

› Key discussion points

› An agreed cyber standard for the financial services sector

› Apply existing international standards

› Guidelines for consumers and industry

› The need for a minimum standard

› Build a collaborative environment to discuss real-time cyber incidents and issues

› Closing remarks

› Things to spend time on

Communicating through collaboration

Targeting resources where they are most effective

Patching people as well as systems, Humanware 2.0

Follow us at @JerseyFSC

Like us at Jersey Financial Services Commission

Follow us at Jersey Financial Services Commission

JFSC COO Mike Jeacock, M.Jeacock@jerseyfsc.org

Head of ICT Denis Philippe, D.Philippe@jerseyfsc.org