Cyber Security From The Front Lines

(1)

Glenn A Siriano

October 2015

Cyber Security From The Front Lines

(2)

Agenda

Setting the Context

Business Considerations

The Path Forward

(3)

Cyber Security

Context

(4)

July 2013 – Hackers use malware over several year period to steal more than 160 million credit card numbers.

Cyber attackers from Russia and Ukraine collaborated in a scheme to target major corporate networks including NASDAQ, Dow Jones, and Heartland Payment Systems and were able to steal more than 160 million credit card numbers between 2005 and 2012. In total, the separate and devious operations spanned the globe, resulting in at least $300 million in losses to companies and individuals.

Source: NY Daily News

June 2011 – Electronic transaction processing company target of Cyber attack.

Global Payments reported that its servers housing personal information collected from merchants were attacked impacting between 1.5 million and 7 million customers.

The company confirmed that expenses associated with the breach totaled more than $92 million including professional services fees, credit monitoring, identity protection insurance, fraud charges, and fines.

Source: Bank Info Security

January 2015 – Anthem breach thought to impact between 69 – 80 million customer records.

The second-largest health-insurer reported that hackers compromised its network using a stolen password to access a database containing personal information from current and former customers. Initial estimates indicate the breach could result in more than $100 million in financial consequences.

Source: C-Net

Cyber Has Become a Boardroom Conversation

(5)

Cyber Risk “Perfect Storm”

Growing Threat Level

’Bad Actors’ have evolved; Retail is the 5th worst sector and 75% of data loss incidents in Retail are hacking related (2012)*

Changing Technology Landscape

Consumerization of IT, Cloud and ‘eroding perimeter’

Compliance Pressure

Compliant does not necessarily mean sustainably (cyber) resilient

(6)

TOP CYBER RISKS IN 2015

Our top security risk: misallocation of scarce resources – both time and money.

Heightened Media Coverage: Drumbeat of fear, uncertainty, and doubt – especially about embedded systems / industrial control systems.

Evolving Threat Actors: Smarter attackers with more resources, better tooling, and advanced goals.

Changing IT Delivery Models: New IT capabilities – from BYOD to cloud to big data – have serious impact on the security controls we need and can use.

Incredible Vendor Claims: Total information security spending is expected to reach $76.9bn in 2015 (source: Gartner). Marketing departments have taken note.

Every day increasingly sophisticated and intelligent attackers are targeting the crown jewel information assets of organizations. Business impacts include lost revenues, operational disruption, remediation costs, claims and fines.

(7)

2015 Cyber by the Numbers: Audit Committee Research and KPMG

AC Focus Area

55% of Audit Committee respondents feel that they should devote “more time” or “significantly more time” on Cyber for their agenda

Cyber Oversight

50% of Boards have assigned Cyber oversight responsibilities to the Full Board or Audit Committee

(Organizations with structured leadership and strategy reduce average per record cost of a breach by $6.59/record lost)

Brand Damage

• Loss of customer data can result in reputational risk and organizational brand damage

(Companies average $3.32 million in brand damage per breach)

Training & Awareness

• Organizations must invest in Cyber training and awareness for All employees, including C-Level Executives. It only takes One employee opening an email attachment to open the door for cyber criminals

(8)

Improving Oversight of Cyber is No Longer Leading Practice…It’s Required

Over recent years many global organizations have been victims of cybercrime. Investors, governments, and global regulators are increasingly challenging board members to actively demonstrate diligence in this area. Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks.

Potential impacts and possible implications for the board

Intellectual property losses, including patented and trademarked material, client lists and commercially sensitive data

Time lost due to investigating the losses, keeping shareholders advised and supporting regulatory authorities (financial, fiscal, and legal)

Property losses of stock or information leading to delays or failure to deliver

Penalties, which may be legal or regulatory fines, such as regulatory fines, e.g., for data privacy breaches, and customer and contractual compensation for delays

Administrative resource to correct the impact, such as restoring client confidence, communications to authorities, replacing property, and restoring the organization business to its previous levels

Reputational losses causing your market value to decline; loss of goodwill and confidence by customers and suppliers

(9)

Typical Key Drivers of Cyber

Third party management

Complex regulatory requirements

Big Data

Mergers and acquisitions

Consumer trust and brand protection

Launch of new services

(10)

Cyber Defined

Confusion in the Market… …Complexity

KPMG Cyber Services… …A streamlined approach to accessible, protected Information

Risk-based protection of information in alignment with its value to the organization

Information that is available to the business in the right way, at the right time, and to the right people

Strategic Cyber Security and Information Protection Services

Breach Response & Investigation Services

Privacy

Cybersecurity

Business Resilience

Forensic

[Word cloud: Business Issue, Security, Board-Level Issue, Information, Financial Loss, Top of Mind, Complexity, Risk, People, Evolving, Data, Transformation, Theft, Data Loss, Breach, Global, Technology, Approach, Personal, Reporting & Metrics, Governance, Vulnerability, Criticality, Disaster, Challenge, Threats, Value, Process, Compliance, Confidentiality, Availability, Integrity, Dynamic, Competitive Advantage, Insecurity, Threat Intelligence]

(11)

Business

(12)

Top Industry Issues/Challenges

Market trends

Continued increase in regulations and regulatory enforcement (with greater global cooperation) across all industries.

Increased expectations of technology and offshore resources to increase the efficiency and effectiveness of delivery.

Cost pressures coupled with regulatory pressure to standardize technology and processes across disparate parts of the organization.

The rising external threat is demanding a proactive intelligence based approach to anticipating and reacting to the external threat.

Regulator focus and recent media attention on insider based incidents have increased attention on insider threat.

Regulators and Boards have demanded accountability across all lines of defense with the need for centralized ownership of Cyber within the second line of defense.

The explosion of data across the organization, especially in unstructured data stores, has demanded a refined approach to identification and protection of critical data across the enterprise.

Managing identity across the enterprise continues to be a common regulatory and audit finding. Risk is increased with the influx of temporary and contingent work-force, some with elevated or privileged levels of access.

(13)

Emerging Cyber Risks

Insider Threats: Data loss caused by negligent or malicious actions of authorized internal users.

Data security incidents can be caused by employees or contingent workers with data access, as a result of negligent behavior or malicious acts. Additionally, given the transient nature of the contingent workforce, it also presents challenges to help ensure the data stays within the organization upon an individual’s departure.

New & Emerging Technology: Adopting new technology introduces potential vulnerabilities.

As more business is conducted online to improve customer experience, and IT plans to leverage cloud services, mobile technologies and technology outsourcing to provide services that offer flexibility, scalability, and cost savings, these initiatives can lead to new risks to the organization’s overall information security posture.

Cyber Attacks & Malware: Business operations and connectivity open infrastructure to risks.

As the business seeks to provide customers with more timely and accurate data, expanded offerings and programs, more interfaces, and more opportunities for access to information, perimeter and access control standards should be in line with the level of data criticality and confidentiality.

As we have seen in most financial services institutions, unstructured data represents a large percentage of the total data within the environment. Because of the heavy business reliance on data analytics and the mobilization of data across various devices and platforms, multiple copies of data are being generated. Since there are limited options to control unstructured data access, unstructured data represents serious risks to data confidentiality, integrity, and availability.

(14)

Regulatory Developments and Priorities

Increasing Supervision by the Office of the Comptroller of the Currency (OCC)

Comptroller of the Currency Thomas J. Curry recently referred to cyber threats as “the foremost risk facing banks today” and “one of the major, if not the major, risk facing businesses of all sorts.”1

In the OCC’s 2015 Semiannual Risk Perspective, cyber threats and operational risk (i.e., information security, data protection, and third-party risk management) were listed as top supervisory priorities for community and midsize banks over the next 12 months.

Payment Card Industry (PCI) Standard Updates

In April 2015, the PCI Security Standards Council released v3.1 of its Data Security Standard (DSS) in response to several high-profile vulnerabilities related to the Secure Sockets Layer (SSL) protocol (i.e., POODLE, Heartbleed, BERserk, FREAK, Logjam, RC4, etc.).

As a result, SSL and early versions of the Transport Layer Security (TLS) protocol are no longer considered to be strong cryptography and cannot be used as a security control after June 30, 2016.

1 Remarks by Thomas J. Curry, Comptroller of the Currency, Before the New England Council, Boston, Massachusetts, July 24, 2015
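The PCI DSS v3.1 point above (SSL and early TLS no longer count as strong cryptography) turns into a concrete check on the wire: the version a server actually negotiates sits in the first bytes of its ServerHello. The following Python is an added example written for this page, not KPMG's code or anything from the PCI Council; it parses a captured ServerHello record, names the negotiated version, and flags it against the standard. The set of versions treated as "early TLS" (TLS 1.0 and 1.1) is an assumption made here for illustration; the standard's own definition governs. The sample records are constructed in the block itself, so nothing is sent to a real server.

```python
import struct

# Wire encodings of the protocol version field (TLS record header and ServerHello).
VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",
    0x0304: "TLSv1.3",
}

# Assumption for this example: PCI DSS v3.1 "SSL and early TLS" read as
# SSLv2/SSLv3 plus TLS 1.0 and 1.1. Adjust to the assessor's reading.
PCI_WEAK = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

HANDSHAKE = 0x16      # TLS record content type: handshake
SERVER_HELLO = 0x02   # handshake message type: ServerHello


def negotiated_version(record: bytes) -> str:
    """Return the server_version named in a ServerHello carried by one TLS record.

    Caveat: a TLS 1.3 server also writes 0x0303 here and signals 1.3 in the
    supported_versions extension, which this parser does not read, so a 1.3
    server reports as TLSv1.2 (still acceptable under PCI DSS v3.1).
    """
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, _record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + record_len]
    if len(body) < 6:
        raise ValueError("truncated handshake message")
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    # body[1:4] is the 24-bit handshake length; server_version follows it.
    server_version = struct.unpack("!H", body[4:6])[0]
    return VERSION_NAMES.get(server_version, f"unknown(0x{server_version:04x})")


def pci_dss_31_acceptable(version_name: str) -> bool:
    """True when the negotiated version is not SSL or early TLS."""
    return version_name not in PCI_WEAK


def make_server_hello(version: int, cipher_suite: int = 0xC02F) -> bytes:
    """Build a minimal, constructed ServerHello record for offline testing."""
    random32 = bytes(range(32))                      # placeholder server random
    hello = (struct.pack("!H", version) + random32
             + b"\x00"                               # session_id length 0
             + struct.pack("!H", cipher_suite)       # chosen cipher suite
             + b"\x00")                              # compression: null
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    # Record-layer version is often 0x0301 regardless of negotiated version.
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def audit(records):
    """Classify each captured ServerHello as (version name, acceptable?)."""
    results = []
    for rec in records:
        name = negotiated_version(rec)
        results.append((name, pci_dss_31_acceptable(name)))
    return results


if __name__ == "__main__":
    # Constructed captures: one legacy server still negotiating TLS 1.0, one on 1.2.
    captured = [make_server_hello(0x0301), make_server_hello(0x0303)]
    for name, ok in audit(captured):
        print(f"{name}: {'acceptable' if ok else 'NOT acceptable under PCI DSS v3.1'}")
```

In practice the records would come from a packet capture or a TLS-terminating proxy's handshake log; the parser only needs the first handshake record of each session, and the same classification can drive an alert in a SIEM when a cardholder-data system is seen negotiating a flagged version.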

Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment

In the summer of 2014, the FFIEC piloted a cybersecurity examination work program that focused on cybersecurity inherent risk and preparedness and emphasized the need for information sharing.

Drawing on the results of this pilot, the FFIEC released a Cybersecurity Assessment Tool in June 2015 to help banks evaluate their cybersecurity inherent risk profile and determine their level of cybersecurity maturity.

(15)

Regulatory Focus Areas and Industry Activities

Regulatory Focus Areas

■ Evaluation of Cybersecurity Inherent Risk
■ Enterprise Risk Management and Oversight
■ Threat Intelligence and Collaboration
■ Data Classification and Risk-Based Controls
■ External Dependency and Vendor Risk Management
■ Cyber Incident Management and Resilience (BCP/DR)
■ Data and Network Protection Practices
■ Payment System and Data Hardening
■ Information Sharing
■ Cloud Security
■ Social Engineering and Insider Threats
■ Application Security
■ Data Loss Prevention (DLP)
■ Privileged Access Management
■ Change Management

Industry Activities

■ Top-Down Enterprise Risk Assessments
■ Cybersecurity Assessments and Benchmarking
■ Refresh Information Governance Model
■ Revamp Identity Management and Access Control
■ Review Impact of Emerging Technology (Cloud, Social Media, etc.) and Products
■ Enhance Application Security/SDLC Integration
■ Enhance Data & Information Protection
■ Improve Security Monitoring and Incident Management
■ Participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
■ Infrastructure Obsolescence Management
■ Develop and Revise Policy & Standards
■ Maintain an Effective End-User Awareness Program
■ Improve Third-Party Vendor Security Assessment Program

(16)
(17)

Cyber as Cost-Efficient Risk Management

Information Risk becomes Business Advantage

Security as an IT Cost

• Technology platform centric
• Bottom-line focused
• Driven by IT
• Automation focused
• Success measured by timely deployment of technology
• Technology is always the answer
• Poor ROI from many programs
• Starts with data (report on what I have, not what I need)

Security as a Business Investment

• Target operating model–centric
• Strategically aligned with business objectives
• Business led
• Process focused
• Value added service delivery
• Success measured by achieving business value
• Technology is one enabler of transformation
• Considers the security needs within the larger technology portfolio
• Analytics enabled
• Reduce time to value

At the heart of KPMG’s approach to Cyber Security is the objective of helping clients maximize the value of their cyber security investment.

(18)

Six Key Aspects of Cyber

Cyber maturity addresses the following:

Legal and Compliance Layer

Meeting regulatory and compliance obligations as relevant.

People Layer

Describes the level and integration of a security culture that empowers and helps ensure the right people, skills, culture, and knowledge.

Business Continuity Layer

Describes preparations for a security event and ability to prevent or lessen the impact through successful crisis and stakeholder management.

Operations and Technology Layer

The level of control measures implemented to address identified risks and reduce the impact of compromise.

Information Risk Management Layer

Details the approach to achieve thorough and effective risk management of information throughout the organization and its delivery and supply partners.

Leadership and Governance Layer

Describes how Boards and Executive Management demonstrate due diligence, ownership, and effective management of risk.

Comprehensive View to Cyber Maturity

(19)

The Result – End-to-End Cyber Protection

• The approach is designed to be simple and effective, and most importantly, aligned with business needs. KPMG has aligned how we deliver our core cyber services accordingly:

Aligned with business priorities and compliance needs

PREVENT (Strategy and Governance)

Helps the company understand how to align their cyber agenda with their dynamic business and compliance priorities.

Attributes:
• Prevention
• Comprehensive in breadth (Target Operating Model)
• Benefits driven from strategy through execution
• Information driven approach

DETECT (Cyber Defense)

Helps the business maintain their cyber agenda as business and technology programs evolve, providing greater visibility and understanding of changing risks.

Attributes:
• Detection
• End-to-end configuration
• Security Operations and Monitoring
• Security analytics

RESPOND (Digital Response Services)

Helps the company effectively and efficiently respond to cyber incidents and conduct forensic analysis and detailed investigations.

Attributes:
• Response
• Digital evidence preservation and cyber investigations services
• Post-Breach analysis and mitigation

IMPROVE

Helps the company build and improve their programs and processes, supported by the right organization and technology, to improve their cyber agenda.

Attributes:
• Improvement
• Informed by technology strategy
• Long-term engagement delivery
• Business Outcome Focused

(20)

High-level board oversight questions

Based on our board outreach and education programs, these are the three most common questions at the executive management and board levels today:

1. What are the new cybersecurity threats and risks and how do they affect our organization?

2. Is our organization’s cybersecurity program ready to meet the challenges of today’s (and tomorrow’s) cyber threat landscape?

3. What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area?

KPMG’s Global Cyber Maturity Framework Domains

We designed a Global Cyber Maturity Framework specifically to assist organizations in addressing these critical questions by combining the most relevant aspects of international cybersecurity frameworks (e.g., NIST, ISO, AU35, ANSI, SANS, etc.).

Board Engagement

(21)

Cyber risk management

A framework for exercising oversight responsibility

LEGAL AND COMPLIANCE

Regulatory and international certification standards as relevant

OPERATIONS AND TECHNOLOGY

The level of control measures implemented to address identified risks and reduce the impact of compromise

BUSINESS CONTINUITY AND CRISIS MANAGEMENT

Preparations for a security event and ability to prevent or reduce the impact through successful crisis and stakeholder management

INFORMATION RISK MANAGEMENT

The approach to achieve thorough and effective risk management of information throughout the organization and its delivery and supply partners

HUMAN FACTORS

The level and integration of a security culture that empowers and helps to ensure the right people, skills, culture, and knowledge

LEADERSHIP AND GOVERNANCE

Management demonstrating due diligence, ownership, and effective management of risk

Board Engagement

(22)

Board oversight and engagement summary – Key performance indicators

Leadership and Governance

Board engagement:
• Understand governance structure and meet team
• Review output of capability assessment
• Review and approve strategy and funding
• Participate in general board education
• Request periodic updates of program

Key performance indicators:
• Security spend as a percent of overall IT budget
• Capability maturity review output
• Certifications within key leadership positions
• Number of board education sessions (frequency)

Human Factors

Board engagement:
• Set the tone for the culture
• Review patterns/trends of personnel issues
• Understand training & awareness protocols

Key performance indicators:
• Percentage of employee/contractors attending training
• Trends related to cyber from whistleblower or ethics

Information Risk Management

Board engagement:
• Understand risk management approach and risk
• Review and approve risk tolerance
• Understand third-party supplier program
• Review and question program metrics

Key performance indicators:
• Risk Assessment output / linkage to ERM program
• Risk tolerance measures and metrics
• Number of “high risk” third-party suppliers and review
• Review metric output (see other sections)

(23)

Board oversight and engagement summary – Key performance indicators

Business Continuity

Board engagement:
• Understand current response capability
• Review status of overall plan maturity
• Meet with communications personnel
• Participate in table-top exercises

Key performance indicators:
• Number of mission critical business processes with
• Number of table top exercises (frequency) and results

Operations & Technology

Board engagement:
• Understand current maturity of control
• Review relevancy of selected control
• Review relevant incident trend metrics
• Meet with CIO or equivalent to understand and information technology trends

Key performance indicators:
• Percentage of “crown-jewel” assets included in
• Risk rating of security vulnerabilities (considering asset
• Cyber incident trends metrics

Legal & Compliance

Board engagement:
• Understand regulatory landscape impacting
• Clarify audit committee requirements for
• Review litigating inventory trends
• Review and approve cyber insurance

Key performance indicators:
• Open regulatory and/or litigation matters
• Cyber insurance policy benchmarking with peer

(24)

Thank you

• Presentation by Glenn Siriano

• KPMG LLP

[email protected]

(25)

• © 2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

• The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
