5. Vendor Risk Management Presentation · Cyber-Security FAS Annual Conference, September 12, 2014


Page 1: 5. Vendor Risk Management Presentation · Cyber-Security, FAS Annual Conference, September 12, 2014. Maysar Al-Samadi, Vice President, Professional Standards, IIROC.

Cyber-Security

FAS Annual Conference, September 12, 2014

Page 2

Maysar Al-Samadi, Vice President, Professional Standards

IIROC

Page 3

Cyber-Security

IIROC Rule 17.16 BCP

The regulatory landscape

Canadian Government policy

The Canadian financial sector

The US regulatory response

Cyber-insurance

Page 4

Cybersecurity Risk Factors and Concerns

David Mussington, PhD, CISSP, Senior VP Cybersecurity

Juno Risk Solutions

Page 5

Agenda

Background – David Mussington

How severe are cyber-security risks?

Who are the actors of concern?

What protection approaches are available?

Conclusions and Principal Takeaways

Questions

Page 6

How serious are cybersecurity risks, and what exactly is the threat?

Financial Services are the most highly targeted of critical infrastructures by cyber criminals

Cyberspace allows for low probability of detection/high payoff illicit activity

Evolution in attack capabilities and speed is outstripping defensive measures

Recent occurrences (most notably the Snowden revelations) have pointed out the potential damage that flows from insiders

Page 7

Who are the actors of concern, and what do they want?

Page 8

What protection approaches are available, and what are some best practices?

Best practice approaches based on proven standards (e.g., NIST, ISO, CBEST, CCS-20 (SANS))

Industry offerings – MSSP and commercial anti-virus software and cybersecurity service vendors

Assistance from Financial Services Sector peers

Government support – CCIRC (Public Safety Canada), RCMP

Other Support Possibilities: not for profit groups, academia

Page 9

Conclusions and Principal “Takeaways …”

• The cybersecurity challenge is escalating

• Defense/Protection capabilities are falling behind

• Information sharing within and across industries and with government is the best way to improve defenses and risk awareness

• Systemic risks can be transmitted from those with weak cybersecurity protections to those with stronger programs – “weakest link” problems are endemic

• Best practice solutions exist, but require a systematic and strategic effort to produce meaningful risk mitigation impact

Page 10

Richard Livesley

Director, Strategy and Planning, Global Information and Technology Risk Management

Information Security Perspectives

Page 11

Risk to BMO = Threat x Vulnerability x Consequence of a breach

Threat is bigger

• Three types

– Espionage – stealing our stuff

– Disruptive – hurting the network we have become reliant on

– Destructive – emerging threat that could target critical infrastructure and be catastrophic

• Lots of attackers

– Nation States – China is the largest

– Criminal Gangs – Russia has the most

– Hacktivists – Less sophisticated but still a nuisance

Vulnerability is larger

• We are increasing the ‘attack surface’: Social, Mobile, Analytics, Cloud

• The ‘cyber domain’ is still new with little governance by any legal authority

• The Internet design is flawed – designed to communicate between trusted partners, not those with malicious intent

Consequences of a breach have severely harmed companies

• Customer trust

• Financial consequences

Page 12

Protecting the Bank involves the entire Bank

There are two major planks to the program that cover the range of capabilities we are building

Together as a Company

• Crisis Management

• Customer Authentication and Awareness Training

• Employee Access Management and Awareness Training

• Supplier Risk Assessments

• Industry & Regulatory Requirements such as GLBA, FFIEC, PCI DSS

Within Technology

• Application Software Security

• Data Security

• Network Security

• Vulnerability Management

• Threat Monitoring & Management

• Security Incident Response

• Risk Management Functions

Page 13

However, the challenge to create safe cyberspace will not be resolved within a single company’s eco-system

Priority / What we need to do / Why

Priority: Improving cross-sector sharing

What we need to do:

• Automated sharing of actionable intelligence

• A common framework to enable discussion (NIST cybersecurity framework?)

• Stronger partnerships between energy, telcos and financial institutions

Why: The threats are immediate and one sector’s weakness impacts others. The knowledge of each sector strengthens the others.

Priority: Stronger private and public partnerships

What we need to do:

• Faster and more effective sharing of information

• Legislative clarity on rights and accountabilities, e.g. privacy

• Stronger governance of the internet

Why: Ensures regulatory and legislative actions focus on the right areas.

Priority: A more cyber-aware culture with personal accountability

What we need to do:

• A more educated population who understand how best to protect themselves AND who recognize that a weakness on their device threatens others – not just themselves

Why: The health of cyberspace cannot be isolated to individual companies.