Cyber and Technology Risk Management Forum, Park City, UT
This is the student handbook for the September 10-13, 2018 Cyber and Technology Risk Management Forum held in Park City, UT.
Cyber & Technology Risk Management Forum Park City, UT

Monday 9/10
11:00am – 1:00pm  Registration
1:00pm – 1:15pm   Welcome Remarks: G. Edward Leary, Commissioner of Financial Institutions, Utah Department of Financial Institutions; Mary Beth Quist, Senior Vice President, Supervisory Processes, Conference of State Bank Supervisors; Tom McVey, Director of Learning Services, Conference of State Bank Supervisors
1:15pm – 2:45pm   Cyber Threat Landscape: David Thompson, Resident Agent in Charge – Salt Lake City, US Secret Service
2:45pm – 3:00pm   Break
3:00pm – 4:30pm   Federal Technology Update – Federal Deposit Insurance Corporation: Aaron Demory, BA Section Chief, Federal Deposit Insurance Corporation
5:30pm – 7:30pm   Networking Reception

Tuesday 9/11
8:30 – 9:30    CSBS Technology Roadmap & More: Tom Bayer, Chief Information Officer; Todd Scharf, Chief Information Security Officer; Charles Hill, IT Security Engineering & Operations Senior Director, Conference of State Bank Supervisors
9:30 – 9:45    Break
9:45 – 10:30   CSBS Technology Roadmap (continued), Conference of State Bank Supervisors
10:30 – 12:00  State of State Information Technology: Doug Robinson, Director, National Association of State CIOs
12:00 – 1:15   Lunch – on your own
1:15 – 2:00    Accelerating Threats & The Future of State IT Supervision: Phillip Hinkle, Director of IT Examinations, Texas Department of Banking
2:15 – 2:30    Break
2:30 – 3:30    State Examination System Platform Demo & Update: Kyle Thomas, Vice President, Supervisory Processes & Accreditation, Conference of State Bank Supervisors
3:30 – 3:45    Break
3:45 – 4:30    State Examination System Platform Demo & Update (continued): Kyle Thomas
4:30pm – 5:30pm Technology Committee Meeting (Committee members only)

Wednesday 9/12 (concurrent morning sessions in Prospector 4 and Prospector 1-2)
8:30 – 10:00   Cybersecurity Metrics: Mary Siero, MIS Training Institute
8:30 – 10:00   Data – Strategy & Structure: Tom Bayer, Chief Information Officer, Conference of State Bank Supervisors
10:00 – 10:15  Break
10:15 – 11:45  Cybersecurity Metrics (continued)
10:15 – 11:45  Sheltered Harbor Overview: Trey Maust, CEO, Sheltered Harbor; Executive Vice Chairman, Lewis & Clark Bank
11:45 – 1:00   Lunch – on your own
1:00 – 2:00    Federal Technology Update – Federal Reserve: Dustyn DeSpain, Manager, Business Solutions Delivery, Federal Reserve Bank of Kansas City; Brandon Howell, Supervisory Financial Analyst, Federal Reserve Board
2:00 – 2:15    Break
2:15 – 3:45    Cloud Services Foundational Overview & More: Dave Dadoun, Global Head of Legal and Regulatory Affairs - Financial Services Industry; Jeffrey Gallucci, Principal PM Manager; Susan Linnstaedter, Lead US Attorney for Financial Services, Microsoft Corporation
3:45 – 5:00    The Game of Click - Phishing Risks: Lauren Lamp, Professional Services, COFENSE
5:00           Adjourn

Thursday 9/13
8:30 – 10:00   Strengthening Our Defenses Against Ransomware: Chad Knutson, President / Co-founder, SBS CyberSecurity
10:00 – 10:15  Break
10:15 – 11:30  ETS Update & More: Tim Rayborn, Alabama State Banking Department; Jami Flynn, Director, Supervisory Processes, Conference of State Bank Supervisors
11:30 – 11:45  Wrap up & Adjourn
Cyber and Technology Risk Management Forum Park City, Utah September 10 ‐ 13, 2018
Attendees

Arkansas State Bank Department
Darren Barry, dbarry@banking.state.ar.us, 501-324-9019
Jeffrey Cameron, jcameron@banking.state.ar.us, 501-324-9019
Donna Dodge, ddodge@banking.state.ar.us, 501-324-9019
Michael Green, mgreen@banking.state.ar.us, 501-324-9019
John Householder, jhouseholder@banking.state.ar.us, 501-324-9019

California Department of Business Oversight
Rafael Dominguez, rafael.dominguez@dbo.ca.gov, 619-952-2030
Phatthason Manisouk, phatthason.manisouk@dbo.ca.gov, 619-952-0926

Delaware Office of the State Bank Commissioner
Carrie Garey, carrie.garey@state.de.us, 302-744-2102

Federal Deposit Insurance Corporation
Jane Slattery, jaslattery@fdic.gov, 972-761-8696

Georgia Department of Banking and Finance
David Baranko, dbaranko@dbf.state.ga.us, 770-986-1633
Casey Cook, ccook@dbf.state.ga.us, 770-986-1633
Hersha Herndon, hherndon@dbf.state.ga.us, 770-986-1633
Billy Houston, bhouston@dbf.state.ga.us, 770-986-1633
Jack Jackson, jjackson@dbf.state.ga.us, 770-986-1633
Justin McElheney, jmcelheney@dbf.state.ga.us, 770-986-1633
Spencer Mosley, smosley@dbf.state.ga.us, 770-986-1633
Theon Sturrup, tsturrup@dbf.state.ga.us, 770-986-1633
Stan Tan, stan@dbf.state.ga.us, 770-986-1633
Chris Ward, cward@dbf.state.ga.us, 770-986-1633
Josh Werner, jwerner@dbf.state.ga.us, 770-986-1633

Hawaii Division of Financial Institutions
Marjorie Bragado, mbragado@dcca.hawaii.gov, 808-586-2820
Joanne Hara, dfi@dcca.hawaii.gov, 808-586-2820

Idaho Department of Finance
Blake Wickham, blake.wickham@finance.idaho.gov, 208-332-8026

Iowa Division of Banking
Gretchen Chamberlain, gretchen.chamberlain@idob.state.ia.us, 515-281-4014

Kansas Office of the State Bank Commissioner
Amy Baccus, amy.baccus@osbckansas.org, 785-296-1687
Elizabeth Haase, elizabeth.haase@osbckansas.org, 785-296-1687
Matt Hodges, matt.hodges@osbckansas.org, 785-296-1884
Matt Jones, matt.jones@osbckansas.org, 785-296-1871
Joe Tosh, joe.tosh@osbckansas.org, 785-296-1880

Kentucky Department of Financial Institutions
Benjamin Grawe, benjamina.grawe@ky.gov, 502-514-6498
Brad Johnson, bradley.johnson@ky.gov, 502-545-2755

Louisiana Office of Financial Institutions
Danny Ragan, dragan@ofi.la.gov, 225-925-4308

Michigan Department of Insurance and Financial Services
Eric Faust, fauste1@michigan.gov, 517-284-8834

Mississippi Department of Banking & Consumer Finance
Paul Parrish, paul.parrish@dbcf.ms.gov, 601-321-6940
Erik Smith, erik.smith@dbcf.ms.gov, 601-321-6901

Missouri Division of Finance
Rob Fritchey, rob.fritchey@dof.mo.gov, 573-751-3395

Nebraska Department of Banking and Finance
Mike Fabry, mike.fabry@nebraska.gov, 402-430-8905
Rachel Newell, rachel.newell@nebraska.gov, 308-708-9162

New Jersey Department of Banking and Insurance
Vijay Sukheja, vijay.sukheja@dobi.nj.gov, 609-292-7272

North Carolina Office of Commissioner of Banks
Kenneth Biser, kbiser@nccob.gov, 919-733-3016
Stephen Snively, ssnively@nccob.gov, 919-733-3016

North Dakota Department of Financial Institutions
Doug Hoselton, dghoselton@nd.gov, 701-746-9493

Oklahoma State Banking Department
Deron Brubaker, deron.brubaker@banking.ok.gov, 405-521-2782
Kenneth Fisher, kenneth.fisher@banking.ok.gov, 405-521-2782
Mike Kellum, mike.kellum@banking.ok.gov, 405-521-2782
Carter Mathews,
 carter.mathews@banking.ok.gov, 405-521-2782
Ashley Wilson, ashley.wilson@banking.ok.gov, 405-521-2782

Pennsylvania Department of Banking and Securities
Mark Goffredo, mgoffredo@pa.gov, 717-579-6766
Charles Jones, chajones@pa.gov, 717-783-4242
Charles Martier, cmartier@pa.gov, 717-783-4242
Will Otto, wotto@pa.gov, 717-783-8241

Tennessee Department of Financial Institutions
Josh Robertson, josh.robertson@tn.gov, 865-806-7615

Texas Department of Banking
Mario Crosthwait, mario.crosthwait@dob.texas.gov, 512-475-1300
Michelle Hodge, michelle.hodge@dob.texas.gov, 512-475-1300
Brett Howard, brett.howard@dob.texas.gov, 512-475-1300
Michelle Wilson, michelle.wilson@dob.texas.gov, 512-475-1300
Kevin Wu, kevin.wu@dob.texas.gov, 512-475-1300

Utah Department of Financial Institutions
Daniel Gardiner, dgardiner@utah.gov, 801-538-8830
Donald Oldroyd, doldroyd@utah.gov, 801-538-8830
Bruce Stewart, bstewart@utah.gov, 801-538-8830
Lonny Stillman, lstillman@utah.gov, 801-538-8830

Virginia Bureau of Financial Institutions
Ronald Prillaman, ron.prillaman@scc.virginia.gov, 804-371-9704
Mark Trenor, mark.trenor@scc.virginia, 804-371-9704

West Virginia Division of Financial Institutions
John France, jfrance@wvdob.org, 304-558-2294
Martin Grimm, mgrimm@wvdob.org, 304-558-2294
Dawn Holstein, dholstein@wvdob.org, 304-558-2294

Speakers

Alabama State Banking Department: Tim Rayborn, timothy.rayborn@banking.alabama.gov
COFENSE: Lauren Lamp, lauren.lamp@cofense.com
Federal Deposit Insurance Corporation: Aaron Demory, ademory@fdic.gov
Federal Reserve Bank of Kansas City: Dustyn DeSpain, dustyn.despain@kc.frb.org
Federal Reserve Board: Brandon Howell, brandon.r.howell@frb.gov
Microsoft Corporation: Susan Linnstaedter, susan.linnstaedter@microsoft.com; Jeffrey Gallucci, jeffrey.gallucci@microsoft.com; Dave Dadoun, ddadoun@microsoft.com
MIS Training Institute: Mary Siero, msiero@iitconsulting.org
National Association of State CIOs: Doug Robinson, drobinson@nascio.org
SBS CyberSecurity, LLC: Chad Knutson, chad.knutson@sbscyber.com
Sheltered Harbor: Trey Maust, tmaust@lewisandclarkbank.com
Texas Department of Banking: Phillip Hinkle, phillip.hinkle@dob.texas.gov
U.S. Secret Service: David Thompson, david.thompson@usss.dhs.gov
Utah Department of Financial Institutions: G. Edward Leary, eleary@utah.gov

CSBS Staff
Tom Bayer, tbayer@csbs.org, 202-306-6161
Jami Flynn, jflynn@csbs.org, 202-728-5718
Charles Hill, chill@csbs.org, 304-919-6875
Tom McVey, tmcvey@csbs.org, 304-549-9584
Mary Beth Quist, mbquist@csbs.org, 202-728-5722
Todd Scharf, tscharf@csbs.org, 304-620-5716
Michael Stevens, mstevens@csbs.org, 202-728-5701
Kyle Thomas, kthomas@csbs.org, 202-407-7131
Accelerating Threats …and The Future of State IT Supervision?
Phillip Hinkle – Texas Department of Banking

• Threat Sources
• Accelerating Technology & Threats
• Status of Cybersecurity
• Regulator Gap: Federal vs State
• Risk to States & Banking Departments
• Steps to Consider for State IT Supervision
• Options for State IT Supervision
• Summary Action Items
Categories of Threat Actors
• Organized crime: theft of money
• Nation-states: disruption and theft of secrets
• Hacktivists: DDoS attacks
• Insiders: stolen customer databases and secrets
Accelerating Technology (timeline figure, 1980 to 2015, contrasting the first "25 years" with the last "10 Years")
Milestones shown: Internet of Things; iPhone 2007; Internet Commercialized; “Internet” Banking 2006 – '09; Cloud Computing; Virtual Servers; Widespread Use of ATMs; Mobile Payments; Search Engines Mature; Mobile Banking; Internet Birth (TCP/IP); AI
United Nations Office on Drugs and Crime: “By the year 2020, the number of networked devices (the ‘Internet of Things’ … IoT) will outnumber the people by six to one...”
Accelerating Threats (timeline figure, 1980 to 2017, again contrasting "25 years" with "10 Years")
Events shown: CryptoLocker Ransomware; 2009 DDoS Attacks; Ping-Pong (Bouncing Ball); Mirai Botnet; Love Bug; SWIFT Thefts; Stuxnet; Robbery while ATM is loaded; Zeus; ATM Blackbox; Melissa
From Mischievous to Criminal
Prior to 2007, viruses were primarily written for mischief.
• Destructive Malware 2014
• Large Dollar Thefts 2015
• ATM Cash Out Thefts 2016
• DDoS - IoT Attack 2016
• Global Ransomware 2017
• ATM Jackpotting 2017
• Cosmos Bank, Pune, India 2018
• SPEI - Large Dollar Thefts 2018

From Mischievous to Criminal (cont.)
Merge Databases for Whaling Attacks
• 21.5 Million Records
• 80 million accounts
• 145 million accounts
Accelerating Threats …and The Future of State IT Supervision?
Status of Cybersecurity (Our Communities are the Target)
• The persistent threat of attacks is a societal issue
• The national dialog needs to increase
• Bankers are community leaders
• Action Items:
  • Speak up to your managers with new ideas
  • Encourage bankers to speak on cyber threats
  • Encourage promotion of Cyber Security Awareness Month (October)
Status of Cybersecurity (Cont.)
• Cyber threats continue to advance (Mirai botnet, Ransomware, ATM Jackpotting, SWIFT thefts).
• Cyber initiatives have stalled: no significant FFIEC initiative since the CAT in June 2015.
• Banks, especially smaller ones, have reverted to compliance thinking.
• State bank regulators, with a few exceptions, are focused on credit quality.

Regulator Gap: Federal vs State
• The OCC called for the creation of the CCIWG.
• The OCC led development of the CAT.
• The FDIC led the revamping of IT exam procedures.
• The federal agencies lead the FFIEC IT Examination Handbooks.
• The FRB Chicago operated a technology training program.
• The federal agencies have formal IT training programs (for both commercial and IT SMEs, and IT Specialists).
• Most states have IT generalists or no one trained for IT risks. But there are exceptions.

Risk to States & Banking Departments
• As threats accelerate, banks' protective measures must change faster.
• Adversaries may attack a dozen smaller banks rather than attempt breaching a mega-bank.
• Potential media coverage of a dozen community banks could have a devastating impact on community banking.
• A loss of confidence in community banks could result in a large shift to mega-banks.

• Examinations: to protect the banking system
• Community banking: crucial to the economy
• As threats accelerate, banks must change faster than they have historically

• More bank failures due to IT risks will occur.
• SWIFT thefts should be a wake-up call.
• Waiting for a failure is a poor approach to managing risk.
• Will commissioners be called before state congressional panels or the governor's office after a major breach / bank failure?
• Are you prepared to explain your efforts to protect local economies?
• Are you evaluating if a bank is safe and sound, or only if it is making good loans?

Steps SBDs Should Consider
Transformational change needed due to accelerating risks
• Add cyber talking points to every speaking event. Shift thinking from compliance.
• Require the EIC to discuss cyber at each intro and exit meeting.
• Strengthen IT training – include all non-IT examiners.
• Share the “Best Practice” documents with every bank's CEO.
• Review/strengthen the state's IT/cyber examination procedures.
• Ask for additional resources – or reallocate resources to cyber.
Steps SBDs Should Consider (Cont.)
• Action Items:
  • Evaluate if your banking department has the right focus on cyber.
  • Put cyber in every kick-off and board meeting.
  • Talk to bankers about security thinking (NIST - use CSBS Cybersecurity 101).
  • Direct bankers to the CIS Top 20 (fka SANS Top 20).
  • Share the Bankers ECTF Best Practices.
Equifax Multi-State Examination
NIST Cybersecurity Framework
• Identify: identify what to protect and the threats to them
• Protect: how do you protect those assets
• Detect: how do you monitor for attacks in progress
• Respond: what actions do you take during an attack
• Recover: how do you return to normal operations
( http://www.csbs.org/CyberSecurity/Pages/default.aspx )
The Critical Security Controls (www.cisecurity.org)
1: Inventory and Control of Hardware Assets
2: Inventory and Control of Software Assets
3: Continuous Vulnerability Management
4: Controlled Use of Administrative Privileges
5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
6: Maintenance, Monitoring, and Analysis of Audit Logs
• FFIEC IT Handbooks
• InTREx
• FFIEC CAT
• Bankers ECTF Best Practices

Most Common Cyber Threats (new fraud patterns will evolve as technology evolves)
• Business Email Compromise (BEC)
• Corporate Account Takeover (CATO) attacks

Best Practices of Bankers ECTF
1. Large Funds-Transfers (SWIFT-like thefts, but through non-SWIFT networks)
2. Ransomware
3. DDoS
4. ATM Jackpotting
ABA and ICBA have the Best Practices on the secure / private sections of their websites.
High Risk Task Force
• Community bank CEOs identified four threats of concern
• Developed mitigation practices to share

• Orrstown Bank, Shippensburg, Penn.
• Berkshire Bank, Pittsfield, Mass.
• PeoplesBank, Holyoke, Mass.
• First Savings Bank, Clarksville, Ind.
• Bank of Oak Ridge, Oak Ridge, N.C.
• Texas Bank & Trust, Longview, Texas
• Happy State Bank, Happy, Texas
• First Northern Bank, Dixon, Calif.
• Bank of Utah, Ogden, Utah
• Mainstreet Bank, Cook, Neb.
• RCB Bank, Claremore, Okla.
• Lewis & Clark Bank, Oregon City, Ore.
• Farmers Bank & Trust Company, Magnolia, Ark.
• Community Bancshares of Mississippi, Brandon, Miss.
• The Commercial and Savings Bank of Millersburg, Ohio
Large Funds-Transfer (SWIFT-Like) Thefts
• $81 million - Bangladesh central bank - Feb 2016. Community banks don't use SWIFT, but…
• SWIFT-like thefts through non-SWIFT networks: FedWire, CHIPS, and regional correspondents can become targets.
• FBI Fraud Alert - Sept 2012: the thefts were basically CATOs.
… to the attackers in order to decrypt and recover their files.

FBI Fraud Alert – Target Small FIs
Options for State IT Supervision
• Option 1 – Fullest Commitment – InTREx – 1 Examiner – 4 Weeks
• Option 2 – Implementation of InTREx “Lite” – 1 Examiner – 2 Weeks (a scaled-down version of Option 1 (InTREx) used at smaller / lower-risk institutions)
• Option 3 – Review of FFIEC CAT (completed by the Bank) – 1 Examiner – 2 days
• Option 4 – Discuss Bankers ECTF Best Practices – 1 Examiner – 1 day

Supplemental Options (NIST, CIS Critical Security Controls)

Summary Action Items
• Put cyber in every kick-off and board meeting
• Talk about security thinking (NIST)
• Encourage bankers to speak on cyber threats
• Encourage promotion of Cybersecurity Awareness Month (October)
• Direct them to the CIS Top 20 (fka SANS Top 20)
• Direct them to the Bankers ECTF High Risk Threats
• Promote the need to evaluate if your banking department has the right focus on cyber
Questions
THE ART OF CYBERSECURITY METRICS
Mary G. Siero, CISSP, CISM, CRISC
MIS Training Institute, Inc. / iiT Consulting (ITGZ)
Copyright
Copyright 2018 iiT Consulting. Reprinted by MIS Training Institute, Inc. with permission of owner.
All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted by electronic, mechanical, or any other means without the prior written permission of MIS Training Institute and the respective owner of the copyright.
Trademarked product and company names mentioned in this publication are the property of their respective owners.
MIS Training Institute Holdings, Inc.: Diane Tobin, Vice President, In-House Training. E-mail: dtobin@misti.com
How to Get More Out of This Seminar
About the Instructor - Mary G. Siero
Mary Siero is a Senior Instructor for MISTI. She is an executive-level Information Technology Consultant and the President of Innovative IT, a leading North Carolina-based information technology consulting firm that specializes in IT operational, compliance and security consulting. Ms. Siero's career includes ten years in healthcare as a Chief Information Officer and five years in the gaming industry as Vice President of IT Operations, both heavily regulated industries. She has over … years' … Safeguarding Your Organization's Data: A Call to Action. She is a Charter Member of the FBI Citizen's Academy Alumni Association in Las Vegas and is a member in good standing of the International Information Systems Security Certification Consortium (ISC)², the Information Systems Security Association (ISSA), the Information Systems Audit and Control Association (ISACA) and the North Carolina Technology Association. She is a graduate of the University of Detroit with a Master's Degree in Polymer Chemistry and a graduate of Michigan State University, where she obtained her Bachelor's Degree in Chemistry.

Seminar Logistics
• … minute break at … am
• Finish at noon
• Restroom location
• Questions … anytime

Table of Contents
• Cybersecurity in the Boardroom
• Value of Metrics
• Developing Metrics
• Cybersecurity Metrics: Audit or Compliance; Operational; Management

CYBERSECURITY IN THE BOARDROOM

“It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.” Warren Buffett

Breaches Are Now “White Noise”

Wake-up Call: Target …
• Lawsuits and settlements revealed the scale of financial impact
• Highlighted the fiduciary responsibility of Boards with respect to cyber security
• Courts now holding businesses accountable for implementing appropriate security practices

Lessons from Target

Target Data Breach Costs
• Final cost close to $… million
• $… million class action judgement survived appeals and was re-affirmed June …
• $… million paid to Mastercard, April …
• $… million paid to Visa, August …
• $… million paid to banks and credit unions for losses and costs related to the breach, December … settlement
• $… million settlement with … states' attorneys general
• Losses: …M, …M, …M

Target … The Aftermath
• CEO and CIO departed the company
• First consumer class action lawsuit
• Required actions: required to adopt advanced measures to secure information; hire a qualified third party to conduct a comprehensive security assessment and “encrypt or otherwise protect information”; others

Target: Change in Emphasis
… Annual Report: “If our efforts to protect the security information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation, and our sales and reputation could suffer.”
… Annual Report: “We have recorded significant expenses related to the Data Breach. Our losses could exceed the amounts we have recorded by material amounts, and these matters could have a material adverse impact on our results of operations.” “As of January …, we have incurred $… million of cumulative Data Breach-related expenses, partially offset by $… million of expected insurance recoveries, for net cumulative expenses of $… million.” “The data breach we experienced in … has resulted in government inquiries and private litigation, and if our efforts to protect the security information about our guests and team members are unsuccessful, future issues may result in additional costly government enforcement actions and private litigation, and our sales and reputation could suffer.”

Target Perspective
• Reportedly Target only recovered $… of the $… million of expected insurance dollars
• At the time of the breach its systems were non-compliant with the terms of some of the insurance
• Target increased its computer hardware and software asset base by $…M from … to …

Reliance on Cyber Insurance: Cost of a Data Breach
• Average cost in US: $…M
• Most costly are malicious or criminal attack breaches
• Notification costs are the highest in the US: $…M
• The US spends the most on post-data-breach response: $…M (…% of all)
Source: … Global Cost of a Data Breach, Ponemon Institute

Cost of a Data Breach
• Average cost per record of breach: globally $…; US $…
• Factors that increase cost per record: 3rd party involvement; extensive cloud migration
• Factors that decrease cost per record: IR teams; extensive use of encryption
Source: … Global Cost of a Data Breach, Ponemon Institute

Cost by Root Cause
Source: … Global Cost of a Data Breach, Ponemon Institute

Verizon 2018 Data Breach Investigations Report (DBIR)

Cyber Liability Claims
Source: … Cyber Claims Study

Average Claims Payout

Cyber Security Oversight in the Boardroom
• Nearly …% of audit committees in the US have primary oversight for cyber security risk
• …% of audit committees report they receive good quality information about cyber security
• What is it they need to know?
Source: KPMG … Survey, Connecting the Dots

Headline: “Six days after a ransomware cyberattack, Atlanta officials are filling out forms by hand” (CNN)

Board Responsibility
• Preparedness for data-related issues: cost of incidents; business disruption; loss of customer trust
• Needs to effectively manage these situations
• Hackers aren't responsible for everything: accidental major systems outages; loss of sensitive data by an employee
• …% of business leaders feel fully prepared for an incident
Source: Economist Intelligence Unit Survey …

Role of Internal Audit in Cyber Security

Official Response…On Cue
“It was a very sophisticated attack conducted by Chinese hackers”
Or… is it just a poorly designed, unmanaged, unmonitored security program???

NYSE Governance Series 2015 Survey: Cybersecurity in the Boardroom

What Must the Board Consider?
• Do we have the resources we need committed to cyber security issues? Staff, skills, funds
• Are we prepared to respond to an incident?
• What tools do we need to better understand our cyber security posture?
• What are our gaps and risks today? Do we have a plan in place to address those?

NYSE Governance Series 2015 Survey: Cybersecurity in the Boardroom

National Association of Corporate Directors (NACD) Survey
• …% of respondents not satisfied with the quality of information received on cyber security and IT risk
• Considerations for effectiveness of communication: a framework to “close the loop” on effective communication; asking the “right” questions; sharing the “right” information; reliable information flow; reports; transparency with stakeholders

Assurance Over Readiness and Response

Cyber Security on the Boardroom Agenda
NACD: …% of directors believe the Board's … (National Association of Corporate Directors (NACD) Study)

Where Should Audit Executives Focus Efforts?

Obstacles That Impact IA's Ability to Deal with Cyber Risk

Verizon 2018 Data Breach Investigations Report (DBIR)

Ideal vs. Actual Level of Effort Concerning Cyber Security

Internal Audit Role
• Provide assurance over readiness and response
• Communicate to the board and executive management: level of risk; efforts to address risks
• Work collaboratively with IT and other parties to build effective defenses and responses
• Ensure communication and coordination

Steps Internal Audit Can Take

Internal Audit Focus Areas

Why is Cyber Security Not Prioritized by Senior Management?
• Lack of perceived imminent threat
• Cost
• Belief that organizational information is not of value
• Not regulated
• Lack of understanding
• Other business more important

Today's Environment
• Leadership can no longer claim “we didn't know”

Why Do We Need Metrics?

Metrics - Purposes
• Communication: a method to turn “data” into information
• Improvements: drive strategy and direction; drive performance; provide focus; help make decisions
• Produce “public” relations

Examples of Good Business Metrics
• Sales
• Customer loyalty and retention
• Cost of customer acquisition
• Gross margin

Discover Qualitatively…Prove Quantitatively
• Qualitative: unstructured, anecdotal, subjective, hard to aggregate
• vs. Quantitative: numbers, statistics, factual

Meaningful?
• Vanity: doesn't change how you act; makes you feel good
• vs. Actionable: changes behavior; helps pick a direction

Example of Vanity Metric - My Own PC

Looking or Knowing?
• Exploratory: looking for insights; speculative; tries to find the unexpected
• vs. Reporting: predictable; keeps current with day-to-day operations; based on business goals

Reporting or Making the News?
• Lagging: a historical metric; shows how you're doing; reports the news (start here)
• vs. Leading: a number today that shows a metric tomorrow; makes the news (helps change outcomes)
• Does what you're tracking help you make better decisions sooner?

Coincidence or Related?
• Correlated: two variables that change in similar ways; lets you predict the future
• vs. Causal: an independent factor that directly impacts a dependent one; lets you change the future

DEVELOPING METRICS

Metrics – Keep Them Simple

Steps
• Define SMART metrics: Specific, Measurable, Achievable, Relevant, Time-based
• Buy-in
• Understand what data is needed and how to collect it
• Measure and share results
• Continuously improve

Metrics Lifecycle (a cycle): ID critical processes; identify metrics; set thresholds; collect / measure; report; analyze / improve

Developing Metrics
• Audience
• Goals
• Information (input)
• Output

Types of Metrics
• Benchmarking
• Audit or Compliance
• Operational
• Management

Important Considerations
• Just because you “can” collect something… doesn't mean you “should”
• Not knowing what normal is can cause you to make bad decisions
• Good security metrics will: support the business; be something you can control; be something you will act upon to effect improvements; be quantitative; be “easy” to collect; be “trend-able”
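The metrics lifecycle, the lagging-versus-leading distinction and the “good security metrics” checklist above are easier to judge against a concrete computation. The Python below is an added worked example written for this handbook page; it is not code from the slides or from MIS Training Institute or iiT Consulting. It takes constructed vulnerability-remediation records for a small bank (the asset names, dates, the SLA days per severity and the green/amber/red thresholds are all assumptions) and derives one lagging metric (median days to close, by severity), one thresholded compliance metric with a trend against the prior quarter, and one leading metric (open findings already past SLA, plus those that will breach within a week unless someone acts), which is the “number today that shows a metric tomorrow” the deck describes.

```python
# Added worked example (not from the slides): security metrics from constructed
# vulnerability-remediation records. SLA table, thresholds and samples are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

# Assumed remediation SLAs in days, by severity (a policy input, not a slide value).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}
# Assumed green/amber/red thresholds for "% closed within SLA" (the Set Thresholds step).
GREEN_AT, AMBER_AT = 90.0, 75.0


@dataclass
class Finding:
    asset: str
    severity: str
    opened: date
    closed: date = None  # None means still open

    def sla_deadline(self):
        return self.opened + timedelta(days=SLA_DAYS[self.severity])

    def days_to_close(self):
        return (self.closed - self.opened).days


def closed_in(findings, period):
    # Findings closed inside the (start, end) period, both ends inclusive.
    start, end = period
    return [f for f in findings if f.closed is not None and start <= f.closed <= end]


def median_days_to_close(findings, period):
    """Lagging metric: median open-to-close days by severity; median so one stale finding cannot mask the rest."""
    closed = closed_in(findings, period)
    out = {}
    for sev in SLA_DAYS:
        days = [f.days_to_close() for f in closed if f.severity == sev]
        out[sev] = median(days) if days else None
    return out


def pct_closed_within_sla(findings, period):
    """Compliance metric: share of findings closed in the period that met their SLA."""
    closed = closed_in(findings, period)
    if not closed:
        return None
    return round(100.0 * sum(f.closed <= f.sla_deadline() for f in closed) / len(closed), 1)


def rag_status(pct):
    """Map the compliance metric onto the assumed thresholds."""
    if pct is None:
        return "no data"
    return "green" if pct >= GREEN_AT else "amber" if pct >= AMBER_AT else "red"


def trend(prior, current):
    """Direction against the prior period; this is what makes the metric trend-able."""
    if prior is None or current is None:
        return "n/a"
    return "flat" if current == prior else "improving" if current > prior else "worsening"


def sla_exposure(findings, today, horizon_days=7):
    """Leading metric: open findings past SLA, and those that breach within horizon_days unless acted on."""
    open_findings = [f for f in findings if f.closed is None]
    horizon_end = today + timedelta(days=horizon_days)
    return {
        "open": len(open_findings),
        "breached": sum(f.sla_deadline() < today for f in open_findings),
        "breaching_within_horizon": sum(today <= f.sla_deadline() <= horizon_end for f in open_findings),
    }


def board_report(findings, prior, current, today):
    # One view combining the lagging, thresholded-with-trend and leading metrics.
    prior_pct = pct_closed_within_sla(findings, prior)
    curr_pct = pct_closed_within_sla(findings, current)
    return {
        "median_days_to_close": median_days_to_close(findings, current),
        "pct_closed_within_sla": curr_pct,
        "prior_pct_closed_within_sla": prior_pct,
        "status": rag_status(curr_pct),
        "trend_vs_prior": trend(prior_pct, curr_pct),
        "leading": sla_exposure(findings, today),
    }


# Constructed sample records (made-up asset names and dates, not real bank data).
TODAY = date(2018, 9, 1)
PRIOR_PERIOD = (date(2018, 4, 1), date(2018, 6, 30))
CURRENT_PERIOD = (date(2018, 7, 1), TODAY)
SAMPLE_FINDINGS = [
    Finding("core-banking-db", "critical", date(2018, 4, 1), date(2018, 4, 10)),
    Finding("teller-ws-07", "high", date(2018, 4, 5), date(2018, 5, 20)),     # missed SLA
    Finding("vpn-gateway", "critical", date(2018, 5, 1), date(2018, 5, 30)),  # missed SLA
    Finding("hr-portal", "medium", date(2018, 4, 10), date(2018, 6, 15)),
    Finding("core-banking-db", "critical", date(2018, 7, 2), date(2018, 7, 12)),
    Finding("atm-switch", "critical", date(2018, 7, 20), date(2018, 8, 1)),
    Finding("teller-ws-12", "high", date(2018, 7, 5), date(2018, 8, 10)),     # missed SLA
    Finding("wire-room-ws", "high", date(2018, 7, 15), date(2018, 8, 5)),
    Finding("intranet", "medium", date(2018, 6, 1), date(2018, 8, 20)),
    Finding("online-banking-api", "critical", date(2018, 8, 10)),             # open, past SLA
    Finding("mail-gateway", "high", date(2018, 8, 5)),                        # open, SLA ends 2018-09-04
    Finding("file-server", "medium", date(2018, 8, 20)),                      # open, inside SLA
    Finding("teller-ws-03", "high", date(2018, 8, 30)),                       # open, inside SLA
]


def example_report():
    return board_report(SAMPLE_FINDINGS, PRIOR_PERIOD, CURRENT_PERIOD, TODAY)


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

Run it directly to print the report for the sample records. The leading figures are the ones to put at the top of a board page: the breached count reports the news, while the breaching-within-horizon count can still be changed this week, which is the distinction the Lagging versus Leading slide draws. The thresholds should come from policy and be revisited as the baseline moves, since, as the deck warns, not knowing what normal is leads to bad decisions.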