Global Risk Institute
Cyber Security for Financial Institutions
Including “You’ve Been Hacked!” Case Study
Our Mission
GRI is the premier risk management institute that defines thought leadership in risk management for financial institutions globally. It brings together leaders from industry, academia and government to draw actionable insights on emerging risks globally.
GRI Member Institutions – as of March 2017
The current risk landscape: what are the top risks? Perspective from the World Economic Forum
Global Risk Institute
Cyber Security – Case Study
“You’ve Been Hacked!”
Cybersecurity – Case Study: “You’ve Been Hacked”
Set Up
For the balance of this session we will be in business case mode, with all of us having a role:
• As Audience Participants, you will all assume the role of Board Members of the State Teachers Pension Plan (STPP)
• Rob Bauer will play the role of chairman of the board and moderate your discussion
• Alex LaPlante will play the role of our CRO, and will provide us with periodic updates as the case unfolds
• …and I will play the role of your CEO (i.e. the fall guy)
Background
State Teachers Pension Plan (STPP; fictitious) is a large, public, defined benefit pension plan with 250,000 active and retired members.
The Pension Plan has over $200bn in assets.
Once a year the Chief Technology Officer attends the Board meeting to review their technology strategy, including their approach to cybersecurity.
Background
At the most recent Board update, the CTO outlined the key aspects of STPP’s cybersecurity framework, which includes:
• Segregation of duties within the technology group
• Employee and member usernames and passwords
• Encryption of critical data
• Firewalls, intrusion detection software
We also have an Israel-based cyber security firm on retainer to help monitor / test our systems.
We are assembled today to review our most recent financial results.
• As we are about to start the review of the financial results we are interrupted by our Chief Risk Officer:
The internet is trending rumors of a significant system hack into a major Pension Plan; our name is on the list of possible victims and we are starting to get calls from our members.
• The rumor is that both personal and financial information of plan members has been stolen and is about to be released unless a ransom is paid
• We have no evidence that we have been hacked or that any information has been stolen from us / we have not been contacted and are not convinced we are the target
• We have an up-to-date, state-of-the-art cyber security framework and technology tools
• Our malware and detection tools show no evidence of intrusion, and the security firm we retain sees no signs of intrusion, although they know of recent sophisticated attacks that have gone undetected for weeks
• And while we normally see hundreds of attempted attacks every day, last night we were bombarded with thousands of attacks; we believe we repelled them
Discuss in your breakout groups:
• What 3 questions do you have for management?
• What 3 recommendations do you have for management?
The most recent internal audit review of STPP’s cybersecurity practices included the following highlights:
• Basic cybersecurity procedures are in place, but:
  • The role of the CISO is not formalized and is not widely understood across the firm
  • Some components of our cyber defences are past due for upgrade
  • There were three incidents in the last year of employees sharing usernames and passwords in order to complete their work more efficiently
  • The cybersecurity framework requires significant upgrade, and must be formalized (including approval by the board of directors)
  • The definition of “critical data” needs to be updated and formalized
  • Communication to employees is sporadic and rules-based – no formal communication / training program
• While there were ongoing/numerous attacks, our current defenses were able to block them.
Update: The CRO has established a crisis management team including the CISO, business leaders, human resources and corporate communications
• The team will work 24/7 until the problem is resolved
• The CISO has also just concluded a cross-industry conference call with 30 participants from across the industry and regulators (these calls are now being held every 4 hours)
  • There is significant concern and confusion across the industry
  • 2 firms have detected unusual threats in the last 24 hours, but both have been repelled; they appear to be denial of service attacks launched from abroad
The CRO also informs the Board that we encrypt all member and employee financial data
• Unlikely that the encryption can be broken, but…
• An employee could mistakenly provide access to an attacker, or a rogue employee could grab / sell unencrypted data in small increments
• One of our employees who had been involved in the password sharing incident noted by Internal Audit called in sick this morning and we have not been able to reach him
• Also, a mid-level technology employee resigned last week / not likely related to this incident but we are following up
Return to your breakout groups:
• Internal audit is recommending a formal Enterprise Cyber Risk Management Framework:
  • Identify 3 benefits of a more formal framework
• Ransomware attacks sometimes go on for weeks
  • What do you think of the crisis management team that has been assembled – any concerns or suggestions?
Update:
• The CRO has good news – we are not the victim
• A municipal pension fund has been identified as the victim
• Significant member personal and financial information was stolen and members are reporting significant levels of fraudulent transactions
• The hackers were supported by a rogue employee in the technology group who was able to point them to unencrypted data
Can we all rest easy now?
Global Risk Institute
Appendix: Answer Guide
“You’ve Been Hacked!”
What Questions should the Board ask of Management?
• Do we have communication obligations to members, employees or regulatory / law enforcement authorities?
• Do we have communication policies and templates to follow?
• Do we have legal advice to guide us?
• Do we have a technology back-up site / can we seamlessly cross over to that site?
• Have we activated a call tree and have we been able to contact all employees?
• Have we maintained regular training and communication to our employees so that they always remain “cyber aware”?
• Do we have a cybersecurity framework, complete with:
  • A cyber risk appetite statement, established key risk indicator metrics, a thorough cyber risk assessment and ongoing reporting?
What Questions should the Board ask of Management?
• Do we have an approved response protocol?
• Do we war game out scenarios to test how we would respond to various hack scenarios?
• Do we participate in industry forums?
  • Share threat information?
  • Share cyber defense responses?
  • Support cross-industry communication, research and development?
What Recommendations do you have for Management?
• Near Term: Consider shutting down the network immediately, until we have clarity
  • Send a communication to employees and members, being clear that we are taking this step as a precaution as we await clarity on the situation
  • Ask all members and employees to immediately change their passwords (include direction on strong password protocols)
  • Reach out to the regulators proactively and make them aware of the situation and the precautionary steps we are taking as the situation unfolds
What Recommendations do you have for Management?
• Longer term: Post the crisis, do a complete review and formalization of your cybersecurity framework, and present the revised framework to the Board for approval
  • The Board will task (or establish) a sub-committee as the lead on cybersecurity
  • The revised framework must include a cyber risk appetite statement, a complete assessment of the firm’s cyber risks, an articulation of our most “at risk” assets and the potential cost of a cyber breach under various scenarios, preventative and mitigating tools and processes that are in place, and a commitment to an annual third-party review of the framework and practices to ensure we remain at best practice
• Develop a response protocol
  • including specific communication template recommendations that the Senior Executive Team and Legal Counsel agree are appropriate and fulfil our legal / regulatory requirements
• Establish a cross-industry forum for regular discussions and information sharing
Global Risk Institute
Appendix: Additional Slides
The current risk landscape: what are the top risks? Perspective from Annual GRI Survey of Members
Top Risks for Canadian Financial System (Annual GRI Survey of Members; bar chart values, highest to lowest):
• Cyber Risk – 17.1%
• Housing Market – 14.4%
• Consumer Debt – 13.8%
• Geopolitical – 11.6%
• Interest rates – 11.6%
• Oil prices – 6.6%
• Regulatory Risk – 4.4%
• Weakening Global Trade – 3.9%
• Operational Risk – 2.8%
• Gvmt spending & taxing – 2.2%
Cyberattacks
• As organizations are increasingly “networked” they are increasingly hackable
• Working assumptions should include:
  • Threats to your network are persistent, and
  • …you will be hacked
• Threats are from numerous players of varying sophistication across the globe
  • Organized crime, state sponsorship, social activists, individuals, insiders
• There are increasing numbers of ransomware (for bribes) or denial of service attacks
• Damage goes beyond financial – includes reputation impact and brand damage
• GRI member firms consistently identify cybersecurity amongst their very top concerns
• Firms require continuous monitoring and investment to fight back against cyber threats:
  • User account controls
  • Increasingly using advanced authentication
  • Cryptography – very effective when used appropriately
  • Intrusion detection software
  • Firewalls – filtering and blocking
• Still, cyber breaches continue to grow at an alarming rate
Examples of serious breaches in recent years:
• Yahoo!
  • Announced both the largest (1 million clients) and second largest (500,000 clients) breaches in history, 2–3 years after the breaches occurred
• Panama Papers
  • Hacktivists stole 11.5 million files, totalling 2.6 terabytes (it would take 2,600 pickup trucks to carry books containing that much information)
• Canadian Ministries
  • Hackers described as “child’s play” their efforts to shut down a number of Canadian Federal government ministries’ websites
• Goldcorp Inc.
  • 15 gigabytes of company information, including payroll information and bank account data
• Democratic National Committee
• Dyn
  • Botnets are one of the fastest growing threats
  • A zombie network of 100,000 household computers/devices brought Dyn (and therefore much of the internet across the U.S.) down
• Operation “Aurora”
  • See next page
Operation “Aurora”
• Operation Aurora was a major attack in 2009 on companies including Google and Adobe
• Defense-industry style of attack
  • Game changer for attacks on commercial businesses
  • Most likely state sponsored – China
• Utilized malware, encryption technology, stealth programming and zero-day vulnerabilities in Internet Explorer
  • Entered corporate networks via employee computers and devices, after they visited a malicious site
  • Employees’ devices became a “beachhead” for the attackers into the company’s network
• Brought attention to the threats of the widening network, and requirements for broader security measures
Examples of serious breaches in the Financial Services Industry:
• Japan Pension Services (2015; 1.25 million members)
• JP Morgan (2014; 83 million customers)
• Central Bank of Bangladesh (2016; $81mm)
  • See following slide for details
Central Bank of Bangladesh
• Hackers stalked the central bank for two weeks before striking
• Likely organized crime / very sophisticated (similar to state sponsored)
• Infiltrated and utilized malware to cover tracks, allow multiple re-entry points, and orchestrate a series of transactions
• Attempted to transfer $1bn:
  • $20 million to Sri Lanka accounts – blocked / returned
  • $850 million blocked by Federal Reserve Bank of New York
  • $81 million to the Philippines got through / unaccounted for
• Director of the Central Bank was forced to resign
Cybersecurity – Role of the Board and Senior Executives
Board Members and Senior Executives need to make sure their respective organizations are adequately prepared for cyberattacks
• Don’t need to be technology experts on firewalls and encryption, but…
• …should be strategically aware of the cybersecurity program
It is often the CEO and Board Members who are held accountable following a material cyberattack
Cybersecurity – Role of the Board and Senior Executives cont.
Questions that should be asked:
• Do we have a formal cybersecurity framework? Based on COBIT / NIST?
• What are the top 5 cyber risks we face?
• How often are we attacked?
• How are employees made aware / trained for their role?
• Are roles and responsibilities clear?
  • The business leaders
  • The Chief Information Security Officer
  • Internal Audit
• Do we have a response protocol in the event of an attack?
World Economic Forum Research Paper: “Advancing Cyber Resilience”
• Published Feb 2017 – in collaboration with Boston Consulting and Hewlett Packard
• Continued technology adoption creates an urgency
• Calls on Boards to focus on Cyber Resiliency – bringing together cyber strategy and cyber security
• The goal is to ensure a durable network as the economy becomes more digitized
• Key components include:
  • 10 Board Principles for cyber resilience – including Risk Appetite, Assessment, Reporting, independent third-party reviews
  • Board Cyber Risk Framework – brings together cyber impact and probability, across a number of cyber threats and vulnerabilities
World Economic Forum: Board Cyber Risk Assessment Framework
Cyber Risk = Cyber Incident Probability × Cyber Incident Impact

Cyber Incident Probability = Vulnerabilities × Threats
• Vulnerabilities:
  • People / Culture
  • Process and Organization
  • Technology and Infrastructure
• Threats:
  • Disgruntled Customers
  • Human Error
  • Supply chain / Partner Errors
  • Insider Action
  • Hacktivism
  • Crime
  • Sabotage
  • Corporate Espionage
  • Terrorism
  • State Action
  • Force Majeure

Cyber Incident Impact = Assets at Risk × Loss of…
• Assets at Risk:
  • Intangible Assets – IP, Reputation, Compliance
  • Tangible Assets – Financial, Physical, Production Systems, Infrastructure
  • Greater Good – Safety of Life / Health, Civil Liberties, Individual privacy
• Loss of…:
  • Confidentiality
  • Integrity / Accountability
  • Availability
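The multiplicative structure of the framework above can be turned into a small scoring model for a board-level risk register, which is one way to answer the earlier question “what are the top 5 cyber risks we face?”. The following is an added example, not code from the GRI deck or from the WEF paper: the 1..5 rating scales, the rule that the weakest vulnerability domain drives probability, the function names and the sample scenarios are all assumptions made here for illustration.

```python
"""Scoring a board-level cyber risk register with the WEF decomposition.

Added example (not the GRI deck's or the WEF paper's code). It reads the
framework literally as a multiplicative scoring model:
    Cyber Risk  = Probability x Impact
    Probability = Vulnerabilities x Threats
    Impact      = Assets at Risk x Loss of (Confidentiality/Integrity/Availability)
The 1..5 scales, the weakest-domain rule and the register are assumptions.
"""
from dataclasses import dataclass

# Taxonomy as it appears in the Board Cyber Risk Framework on the slide.
ASSET_CLASSES = {"intangible", "tangible", "greater_good"}
LOSS_TYPES = {"confidentiality", "integrity", "availability"}
VULNERABILITY_DOMAINS = {"people", "process", "technology"}
THREATS = {
    "disgruntled_customers", "human_error", "supply_chain", "insider",
    "hacktivism", "crime", "sabotage", "espionage", "terrorism",
    "state_action", "force_majeure",
}
RATING_MIN, RATING_MAX = 1, 5  # assumed ordinal scale for every factor


@dataclass
class Scenario:
    """One line of the risk register, expressed in the framework's terms."""
    name: str
    asset_class: str
    loss_type: str
    asset_value: int        # worth of the asset at risk (1..5)
    loss_severity: int      # how bad losing that property would be (1..5)
    vulnerability: dict     # domain -> exposure rating (1..5)
    threat: str
    threat_level: int       # capability and intent of the actor (1..5)

    def __post_init__(self):
        # Reject entries outside the framework's vocabulary so the register
        # cannot silently drift into ad-hoc categories.
        if self.asset_class not in ASSET_CLASSES:
            raise ValueError(f"unknown asset class: {self.asset_class}")
        if self.loss_type not in LOSS_TYPES:
            raise ValueError(f"unknown loss type: {self.loss_type}")
        if self.threat not in THREATS:
            raise ValueError(f"unknown threat: {self.threat}")
        if set(self.vulnerability) - VULNERABILITY_DOMAINS:
            raise ValueError("unknown vulnerability domain")
        ratings = [self.asset_value, self.loss_severity, self.threat_level,
                   *self.vulnerability.values()]
        if not all(RATING_MIN <= r <= RATING_MAX for r in ratings):
            raise ValueError("ratings must be within 1..5")


def incident_impact(s: Scenario) -> int:
    """Impact = Assets at Risk x Loss of..."""
    return s.asset_value * s.loss_severity


def incident_probability(s: Scenario) -> int:
    """Probability = Vulnerabilities x Threats.

    Assumption: the weakest (highest-rated) vulnerability domain drives the
    likelihood, because an attacker only needs one way in.
    """
    return max(s.vulnerability.values()) * s.threat_level


def cyber_risk(s: Scenario) -> int:
    """Cyber Risk = Probability x Impact (1..625 on 1..5 scales)."""
    return incident_probability(s) * incident_impact(s)


def rank_register(register, top_n=5):
    """Answer the board's 'what are our top N cyber risks?' question."""
    return sorted(register, key=cyber_risk, reverse=True)[:top_n]


def threat_totals(register):
    """Aggregate risk by threat actor, one input to a risk appetite discussion."""
    totals = {}
    for s in register:
        totals[s.threat] = totals.get(s.threat, 0) + cyber_risk(s)
    return totals


# Constructed sample register, loosely modelled on the STPP case study above.
SAMPLE_REGISTER = [
    Scenario("Rogue insider points attackers to unencrypted member data",
             "tangible", "confidentiality", 5, 5,
             {"people": 4, "process": 3, "technology": 2}, "insider", 3),
    Scenario("Denial of service against the member portal",
             "tangible", "availability", 3, 3,
             {"people": 1, "process": 2, "technology": 4}, "crime", 4),
    Scenario("Shared employee credentials misused to alter payment instructions",
             "tangible", "integrity", 4, 4,
             {"people": 5, "process": 3, "technology": 2}, "crime", 4),
    Scenario("Data centre outage",
             "tangible", "availability", 4, 4,
             {"people": 1, "process": 2, "technology": 3}, "force_majeure", 2),
]

if __name__ == "__main__":
    for s in rank_register(SAMPLE_REGISTER):
        print(f"{cyber_risk(s):4d}  P={incident_probability(s):2d} "
              f"I={incident_impact(s):2d}  {s.name}")
```

With the sample register, the credential-sharing scenario ranks first (probability 20 × impact 16 = 320) ahead of the insider scenario (12 × 25 = 300), which is the kind of result the internal audit findings about shared passwords would lead a board to expect; the `threat_totals` view then shows organized crime as the dominant actor. The validation in `__post_init__` is the part worth keeping in any real register: the framework only helps if every entry is forced into its vocabulary.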
Wrap Up – GRI Areas of Focus
• GRI has published a number of articles on cyber risk over the past year
  • Introduction to Quantum Computing / Implications for cyber security
  • Canada’s policy approach to cybersecurity (compared to market leaders; need to evolve)
• Board Education Programs
  • Role of the Board
  • “You’ve been Hacked” Business Simulation
• GRI Annual Conference
• Funding Ongoing Research
  • University of Waterloo / Quantum Cybersecurity