MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS © 2011 Wolf & Company, P.C.
What is Management Responsible For?
About Wolf & Company, P.C.
• Regional firm established in 1911
• Provide Audit, Tax, Business Consulting & Risk Management services
• PCAOB Registered & Inspected
• Member of AICPA Center for Audit Quality
• Member of PKF North America
• 200 Professionals
• Offices located in:
– Boston, Massachusetts
– Springfield, Massachusetts
– Albany, NY
– Livingston, NJ
Financial Institution Expertise
• Provide services to over 250 financial institutions
– Approximately 50 FIs with assets > $1 billion
– Approximately 30 publicly traded FIs
– Constant regulatory review of our deliverables
• Provide Risk Management Services in 27 states and 2 U.S. territories
– IT Assurance Services Group
– Internal Audit Services Group
– Regulatory Compliance Services Group
– WolfPAC® Solutions Group
Definitions – Per NIST
• Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks.
• Cyberspace: A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
• Information Security (1): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
In the News
What do we worry about?
Incident Frequency by Industry (chart from the 2015 Verizon Data Breach Investigations Report)
What Banks Need to Know
1. Hackers increasingly have more than one motive and method of attack.
2. The use of memory scraping in data breaches has increased.
3. More cyber threat information is being shared, but there is a need for faster sharing.
4. Too many people still fall for phishing attacks.
5. Old software vulnerabilities are going unpatched.
6. Mobile malware is not statistically significant yet, but it's still a concern.
7. Ongoing Web app attacks point to a need for two-factor authentication.
American Banker Bank Technology News: April 16, 2015
The Regulators…
FFIEC Wants Banks…
• Setting the tone from the top and building a security culture
• Identifying, measuring, mitigating, and monitoring risks
• Developing risk management processes commensurate with the risks and complexity of the institutions
• Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed both now and in the future
• Creating a governance process to ensure ongoing awareness and accountability
• Ensuring timely reports to senior management that include meaningful information addressing the institution’s vulnerability to cyber risks
Current Guidance Available
• FFIEC IT Booklets
• NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)
• FFIEC Cybersecurity Assessment Tool
Cybersecurity Preparedness
• Risk management and oversight
• Threat intelligence and collaboration
• Cybersecurity connection types
• Cybersecurity controls
• Enhancements to Vendor and BCP programs
Risk Management and Oversight
• Governance
– More frequent Board and Senior management education
– Define roles and responsibilities that assign accountability regarding cyber risks
– Reporting structure of CISO/ISO
– Management of cyber security issues (interaction between information security and core business functions)
• Allocation of resources
– Time and energy
• Training and awareness of employees
– Onboarding and ongoing training
– More frequent and relevant training
– Training for information security professionals
– Test training effectiveness
Threat Intelligence
• External sources of threat intelligence
– Media reports
– Third party service providers
– Financial Services Information Sharing and Analysis Center (FS-ISAC)
– InfraGard
– Secret Service
– US-CERT
• Internal sources of threat intelligence
– Fraud detection tools
– Anti-Money Laundering/Office of Foreign Assets Control/Bank Secrecy
– Security information and event management (SIEM)
• Sharing information with law enforcement
Connections…
• Connection types
– From mobile devices (BYOD)
– VPNs
– Internet portal sites, web-based applications, telnet, FTP
– Wireless networks
– Direct connections to other networks or ISPs
• Products and services
– Attackers target a specific product or service (e.g. Business Online Banking, Wire Transfer system)
• Technologies used
– Each type of technology introduces its own set of vulnerabilities
Cybersecurity Controls
• Preventive controls
– Identity and access management systems (includes multifactor authentication)
– Restricting access (e.g. network segmentation, ACLs, web filtering)
– CISO or ISO reporting lines
– Data classification
– Patch management program
– Secure software development life cycle
– Encryption
• Detective controls
– Increased security testing and monitoring, penetration testing
– Incident detection and monitoring
• Corrective controls
– Incident response
– Cyber security insurance
– BCP/DRP (incorporate security into the plan)
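To make the "detective controls" bullet concrete, here is an added example (not part of the Wolf & Company deck) of the kind of rule a SIEM or log-monitoring tool runs: it scans authentication events for a burst of failed logins on one account within a short window and raises the severity if a successful login follows, which is the pattern a web-app credential attack leaves behind. The log line format, the field names, the thresholds and every sample log line are constructed assumptions for illustration.

```python
"""Added example: a minimal SIEM-style detective control over authentication
logs. Log format, sample data and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed (constructed) log format: "<ISO timestamp> <user> <src_ip> <LOGIN_OK|LOGIN_FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

# Constructed sample log lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2015-04-16T09:00:01 alice 10.1.1.5 LOGIN_OK
2015-04-16T09:01:10 bob 203.0.113.7 LOGIN_FAIL
2015-04-16T09:01:12 bob 203.0.113.7 LOGIN_FAIL
2015-04-16T09:01:15 bob 203.0.113.7 LOGIN_FAIL
2015-04-16T09:01:18 bob 203.0.113.7 LOGIN_FAIL
2015-04-16T09:01:21 bob 203.0.113.7 LOGIN_FAIL
2015-04-16T09:01:30 bob 203.0.113.7 LOGIN_OK
2015-04-16T09:15:00 carol 10.1.1.9 LOGIN_FAIL
2015-04-16T09:45:00 carol 10.1.1.9 LOGIN_OK
2015-04-16T10:00:00 dave 198.51.100.3 LOGIN_FAIL
2015-04-16T10:00:01 dave 198.51.100.4 LOGIN_FAIL
2015-04-16T10:00:02 dave 198.51.100.5 LOGIN_FAIL
2015-04-16T10:00:03 dave 198.51.100.6 LOGIN_FAIL
2015-04-16T10:00:04 dave 198.51.100.7 LOGIN_FAIL
"""


def parse_log(text):
    """Parse log text into (timestamp, user, ip, outcome) tuples, oldest first.
    Malformed lines are skipped rather than aborting the whole scan."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per account that accumulates `threshold` failures inside `window`.
    A later success on that account while failures are still in the window is
    recorded as success_after=True and the alert is escalated to high severity,
    since the account may have been compromised rather than merely attacked."""
    recent_fails = defaultdict(list)  # user -> [(ts, ip)] failures still inside the window
    alerts = {}                        # user -> alert dict (one alert per account)
    for ts, user, ip, outcome in events:
        # Drop failures that have aged out of the sliding window.
        recent_fails[user] = [(t, i) for t, i in recent_fails[user] if ts - t <= window]
        if outcome == "LOGIN_FAIL":
            recent_fails[user].append((ts, ip))
            if len(recent_fails[user]) >= threshold and user not in alerts:
                alerts[user] = {
                    "user": user,
                    "first_seen": recent_fails[user][0][0].isoformat(),
                    "failures": len(recent_fails[user]),
                    "source_ips": sorted({i for _, i in recent_fails[user]}),
                    "success_after": False,
                    "severity": "medium",
                }
        else:  # LOGIN_OK
            if user in alerts and recent_fails[user]:
                alerts[user]["success_after"] = True
                alerts[user]["severity"] = "high"
            recent_fails[user] = []  # a success resets the failure streak
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as a script, it reports two alerts: one for the account whose failure burst is followed by a success (high severity, a candidate for the incident response step under corrective controls) and one for the account hit from several source addresses in a row (medium severity). The single failed login by the third account stays below the threshold and produces nothing, which is the point of the window and threshold: the rule should surface the pattern, not every typo.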
Changes to other programs…
• Key Indicators of Compromise
• Vendor Management
• BCP
• Enterprise Risk Management
Important Resources
FFIEC Cybersecurity guidance – http://www.ffiec.gov/cybersecurity.htm
NIST Cybersecurity Framework – http://www.nist.gov/cyberframework/
Executive Order 13636 – http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
FBI InfraGard – https://www.infragard.org/
U.S. Computer Emergency Readiness Team – https://www.us-cert.gov/
U.S. Secret Service Electronic Crimes Task Force – http://www.secretservice.gov/ectf.shtml
Department of Homeland Security – http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program
NY State Department of Financial Services Memo – https://www.njbankers.com/WCM/njbadocs/Operations%20Technology%20Committee/NY%20Cyber%20Security%20Exam%20Process.pdf