cyber security tips and resources for financial institutions
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
JOIN. ENGAGE. LEAD.
CYBER SECURITY TIPS AND RESOURCES FOR FINANCIAL INSTITUTIONS
Managing Risk
CYBER SECURITY RISK
• Both preparing for and responding to cyber attacks increase the cost of doing business.
• Attacks are increasingly sophisticated.
CYBER SECURITY RISK (CONT.)
• Risks come directly through banking operations and through third-party providers, and affect both the individual bank and the entire payments system.
• Attacks come from criminals, politically hostile sources, and insiders.
• Data risks are difficult to control (legacy systems and manual points in any process compound the difficulty of countering threats).
• Smaller institutions are at most risk.
MANAGING CYBER SECURITY RISKS
• Governance
• Vendor management
• Threat intelligence
• Incident response
MANAGING CYBER SECURITY RISK: GOVERNANCE
GOVERNANCE
Policies, Procedures, & Controls
• Assess risks
• Identify gaps
• Update
• Test
MANAGING CYBER SECURITY RISK: VENDOR MANAGEMENT
COMPLIANCE RESPONSIBILITY
Even if your vendor is responsible for day-to-day management of certain products or services, the responsibility for all compliance requirements resides with your institution.
MONITOR YOUR VENDORS
Monitor your vendors’ performance to help ensure that your company meets its long-term strategic goals.
MULTIPLE FACETS
Be aware that vendor risk management is part of many operational risk activities, including:
• Scenario analysis.
• Risk control self-assessments (RCSAs).
• Key risk indicators (KRIs).
• Information security.
• Business continuity planning.
ACCOUNTABILITY
Regulators have consistently advised banks to oversee vendors just as they would any division of the bank and will hold the bank accountable for any vendor-related risk management lapses.
MANAGING CYBER SECURITY RISK: THREAT INTELLIGENCE
SOURCES OF INTELLIGENCE
• Audit reports.
• Fraud detection analysis tools.
• BSA/AML monitoring tools.
• Cyber security services.
• U.S. Treasury, Office of Foreign Assets Control.
• Financial Services Information Sharing and Analysis Center (FS-ISAC).
• InfraGard (a partnership between the FBI and the private sector).
• United States Secret Service: Electronic Crimes Task Forces.
MANAGING CYBER SECURITY RISK: INCIDENT RESPONSE
INCIDENT RESPONSE: PLAN, PREPARE, AND TEST
Plan & Prepare
• Response policy and plan prior to incident.
• Quick response guides for likely incidents.
• Response team leader:
– Designate an executive as plan and response point person and ensure redundancy.
• Response team:
– Escalates internally.
– Notifies externally.
Test
• Train.
• Run simulations routinely.
• Include key stakeholders.
• Fine-tune response capabilities.
MANAGING CYBER SECURITY RISK: IT RESOURCES
IT RESOURCES
• FFIEC IT Examination Handbook InfoBase
• Introduction to the FFIEC’s Cybersecurity Assessment
• Framework for Improving Critical Infrastructure
LEARN MORE
Learn more about cyber security through RMA’s premier publication, The RMA Journal: http://ebiz.rmahq.org/eBusPPRO/CustomerProfile/RMAJournalArticleSearch/tabid/393/Default.aspx
Subscribe to The RMA Journal today!
SHARE THIS PRESENTATION
Visit http://www.rmahq.org for information on risk management.
Visit our blog at http://rmablog.rmahq.org/
RMA is a member-driven professional association whose sole purpose is to advance sound risk principles in the financial services industry.
RMA helps its members use sound risk principles to improve institutional performance and financial stability, and enhance the risk competency of individuals through information, education, peer sharing, and networking.
Become a member today.