Ten Questions Your Board Should Be Asking about Cyber Security
Eric Wright, CPA, CITP
• Started my career with Schneider Downs in 1983.
• Responsible for all IT audit and system implementations services provided by the firm.
• I have had the fortune of supporting a wide variety of clients in all industries.
• Graduated from Waynesburg College, magna cum laude, with a BS in Mathematics and Computer Science.
• Chair the PICPA IT Assurance Committee.
• Member of the AICPA sub-committee on privacy.
Agenda
• Recent History
• Fun Facts
• Risks facing Financial Institutions
• 10 Questions your Board should be asking
• What can you do
2014 Year of the Mega Breach
• Sony – Shut down the company’s IT systems for 2 weeks
• Target – 40 million credit cards stolen
• JP Morgan Chase – 83 million customers’ data was stolen
• eBay – 145 million records compromised
• Home Depot – 56 million credit cards
Ponemon Security Study
• The average cost of a data breach has increased 15% to $3.5 million
• The average cost paid for each lost or stolen record that contained sensitive information increased more than 9%, from $136 to $145
Fun Facts
• 1 in 10 US citizens is subject to identity theft
• If you make more than $70K, you are 2x more likely to be targeted
• In 2013, 13.1 million consumers were victims of identity theft
• 52% of all fraud involved on-line transactions
[Charts: Breaches by Type, 2009 and 2013. Categories: Stolen Documents, Improper Disposal, Email Disclosure, Unknown, Web-Based Hacks, Stolen Computer, Social Engineering, Hacking. The percentage labels (3%, 4%, 6%, 12%, 13%, 14%, 16%, 33%) cannot be attributed to categories from the extracted text.]
The Black Market Value of Data We Process
• Health Care Record - $50
• Credit Card - $2 - $15
• Social Security No. - $5 when packaged with a name
• Name and password to Bank Account - $1,000
[Timeline: regulatory guidance releases, 1998 to 2015]
• Emerging e-Banking Technologies – 7/15/1998
• Technology Services Supplied by Outside Firms – 11/28/2000
• Revised e-Banking and (IT) Audit Guidance – 10/21/2004
• Business Continuity Planning Released – 3/19/2008
• Remote Deposit Capture Technology – 1/14/2009
Risks that Financial Institutions Face
• Financial
– Forensics
– Public Relations
– Credit Monitoring
– Penalties and Fines
– Loss of Customers/Revenue
– Lawsuits and Legal Cost
– Drop in Stock Price
• Reputational
Reputational Damage
• Front page news
• Notifying customers, employees, government agencies
• Public outcry
• Loss of customer trust
Question 1
So, What is the Industry Recommending?
• On June 30th, the FFIEC released their cyber security assessment tool
– Help institutions identify their risks and determine their cyber security maturity
– It is a repeatable and measurable process to keep management informed of their
Cyber Security Assessment Tool
• The tool has two components
– Inherent Risk Profile – fancy name for risk assessment
– Cyber Security Maturity Evaluation
• The adoption of the tool is strictly “voluntary” at this time
• The FFIEC has targeted June of 2016 as the timeline to include in their
Inherent Risk Profile Categories
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
Cyber Security Maturity Evaluation Domains
1. Cyber Risk Management & Oversight
• Governance
• Risk Management
• Resources
• Training and Culture
2. Threat Intelligence & Collaboration
• Intelligence Sourcing
• Monitoring and Analyzing
• Information Sharing
3. Cyber Security Controls
• Preventative Controls
• Detective Controls
• Corrective Controls
4. External Dependency Management
• Connections
• Relationship Management
5. Cyber Incident Management & Resilience
Question 2
Question 3
Where is our data?
• Which Servers and workstations
• Which Databases
• Which Applications
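Answering "where is our data?" usually means searching the servers, databases and application exports named above for the record types the deck prices on the black market (card numbers and Social Security numbers). The following is an added example, not material from the presentation: a small Python scanner that reports Luhn-valid card numbers and plausibly formatted SSNs per line. The SAMPLE text, the function names and the plausibility rules are assumptions made for this illustration; the Luhn check and the SSN area/group/serial exclusions are standard.

```python
import re

# Candidate 13-19 digit runs, allowing the spaces or dashes card numbers are
# typically typed with. The lookarounds stop us matching inside longer runs.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Hyphenated SSN form only (area-group-serial).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_sensitive(text: str):
    """Return (kind, value, line_number) for each card number or SSN found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):          # drops order IDs and other digit runs
                hits.append(("card", digits, lineno))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                hits.append(("ssn", m.group(), lineno))
    return hits


# Constructed sample (log lines and a CSV fragment); card numbers are the
# public test values 4111 1111 1111 1111 and 5500 0000 0000 0004.
SAMPLE = """\
2015-07-15 10:02:11 order=1234567890123456 customer=Jane Doe
2015-07-15 10:02:12 card=4111 1111 1111 1111 exp=09/17
applicant,ssn,phone
Smith,219-09-9999,412-555-0100
Jones,000-12-3456,412-555-0101
note: account 5500 0000 0000 0004 migrated
"""

if __name__ == "__main__":
    for kind, value, lineno in find_sensitive(SAMPLE):
        print(f"line {lineno}: {kind} {value[:4]}...{value[-4:]}")
```

The order number on line 1 is 16 digits but fails the Luhn check, and the SSN on line 5 has an invalid area number, so neither is reported; that filtering is what keeps a data-discovery sweep from drowning in false positives when run over real database dumps.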
Question 4
• Have we inventoried all of the third party vendors that have access to our systems and have we
Question 5
Annual Security Reviews
• External Vulnerability Scans
• External Penetration Testing
Question 6
• What procedures have we implemented to protect our sensitive information that is stored and
Question 7
Question 8
Cyber Insurance - Do I Need a Policy?
• Need to evaluate the information that you collect, process and store to determine the marketability of this data if it were to fall into the hands of thieves.
• Need to evaluate your social profile. Are you a target of social activists?
First Party Coverage
• Theft and fraud. Covers destruction or loss of the policyholder’s data as the result of a criminal or fraudulent cyber event, including theft and transfer of funds.
• Forensic investigation. Covers the legal, technical or forensic services necessary to assess whether a cyber attack has occurred, to assess the impact of the attack and to stop an attack.
• Business interruption. Covers lost income and related
First Party Coverage (continued)
• Extortion. Provides coverage for the costs associated with the investigation of threats to commit cyber attacks against the policyholder’s systems and for payments to extortionists who threaten to obtain and disclose sensitive information.
• Computer data loss and restoration. Covers physical
Third Party Coverage
• Litigation and regulatory. Covers the costs associated with civil lawsuits, judgments, settlements or penalties resulting from a cyber event.
• Regulatory response. Covers the legal, technical or forensic services necessary to assist the policyholder in responding to governmental inquiries relating to a cyber attack, and provides coverage for fines, penalties, investigations or other regulatory actions.
• Notification costs. Covers the costs to notify customers,
Third Party Coverage (continued)
• Crisis management. Covers crisis management and public relations expenses incurred to educate customers
concerning a cyber event and the policyholder’s response, including the cost of advertising for this purpose.
• Credit monitoring. Covers the costs of credit monitoring, fraud monitoring or other related services to customers or employees affected by a cyber event.
• Media liability. Provides coverage for media liability, including coverage for copyright, trademark or service mark infringement resulting from online publication by the insured.
What is Not Covered by Cyber Insurance?
• Reputational harm
• Loss of future revenue
• Cost to improve internal technology safe guards
• Lost value of intellectual property
Question 9
• Do we have a formal incident response
Question 10
What Actions Should I be Taking?
• Accept that security is an enterprise-wide risk, not just an IT issue. Create an awareness from the mailroom to the boardroom.
– Stakeholders include, but are not limited to, the Boardroom, HR, Audit, IT and Legal
• Establish awareness that controls and processes have been specifically designed to prevent attacks.
– New hire orientation
– Ongoing awareness and communication
What Actions Should I be Taking?
• Integrate cyber risk strategy into the organization’s strategic plan
• Have a team dedicated to managing cyber threats and your incident response plan
• Identify your organization’s most critical data assets
What Actions Should I be Taking?
• Implement a layered defense
• Assess your cyber security maturity
• Identify vendors used for business functions involving critical data assets
– Make sure you understand their security policies and procedures
Your Role in Combatting Threats
• Be diligent – Always Assume the Worst
• Understand and Follow Policies and Procedures
• Report Suspicious Activity
• Avoid Malicious Web Sites
• Don’t Click on Suspicious E-mails
• Ask for Identification
• Require Authorization for Access
• Safeguard Social Media Content
• Educate/Inform Customers