Cyber Security Trends


  • Cyber Security for the future of financial services

    Thio Tse Gan

    May 2016

    1 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd

  • Global trends & outlook


  • Cyber-attacks are on the rise

    27.5% increase in data breaches in various industries from 2013 [5]

    15% of incidents still take days to discover [2]

    [figure missing] number of ... presence after ... and before detection [3]

    [figure missing] chance that at least one person will fall prey to a phishing campaign with just 10 emails [2]

    [figure missing] recipients open emails and click on phishing links within the first hour of receiving them [2]

    Per capita cost of data breach was highest in US in 2015 [4]

    [figure missing] of the exploited vulnerabilities were compromised more than a year after CVE* was published [2]

    [figure missing] is the annual cost to the global economy from cybercrime [1]

    55% of incidents involve abuse of privileged access [2]

    Numbers denote industry-wise breakup of 2014 data breach incidents: Healthcare, Financial Services, Educational, Government [figures missing]

    Sources: [1] Net Losses: Estimating the Global Cost of Cybercrime, Center for Strategic and International Studies; [2] Verizon 2015 Data Breach Investigations Report; [3] Mandiant, Trends 2014: Beyond the Breach, published April 10, 2014; [4] Ponemon 2015 Cost of Data Breach Study: Global Analysis; [5] ITRC Breach Statistics 2005-2014. * CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures.

  • Rampant cyber attacks observed around the world in 2015 and 2016

    80 million records exposed in attack launched on Anthem Inc.

    19.7 million people's personal details stolen in attack launched on U.S. Office of Personnel Management

    National pension system hacked in Japan and 1.25 million people's personal data was

    10.4 million records exposed in 3 attacks launched on TalkTalk Group

    5 million personal details leaked in data breach in VTech

    $81 million stolen from Central Bank of Bangladesh in a bank heist

    U.S. IRS hacked: 100,000 personal details stolen and used to generate PINs for Social Security numbers in 2 separate attacks

  • Complex regulatory requirements created to curb rise of cyber crime

    European Union: EU Data Protection Directive 1995, EU Privacy and Electronic Communications Directive (as amended in 2011), Data Retention Directive 2006. Member states implement Directives as their own national laws. Regulation of Investigatory Powers Act 2000

    Federal Law No. 152-FZ on personal data 2006

    Federal Data Protection Act 1992 on personal data 2006

    Personal Information Protection Act 2003

    Decision on strengthening Internet information protection, guideline for personal information protection

    South Africa: Communications Act

    Data Protection Act 2007

    Personal Data Protection Act

    Data Privacy Act 2011

    New Zealand: Privacy Act

    Australian Federal Privacy Act 1988. Anti-Spam Act 2004

    Protection of Personal Data Law 2001

    Costa Rica: Law No. 7975 Undisclosed Information Law. Law No. 8968 Protection in the Handling of the Personal Data of Individuals

    Federal Law on the Protection of Personal Data Held by Private Parties 2010

    California Online Privacy Protection Act 2003, Security Breach Notice (Civil Code 1798, formerly SB 1386) 2003

    US Federal: HIPAA 1996, GLBA 1999, COPPA 1998, CAN-SPAM 2003. Do Not Call Improvement Act 2007, Safe Harbor Principles 2000, FCRA (as amended in 2003), Patriot Act 2001

    Canada: PIPEDA 2004. Privacy Act 1988 and Provincial privacy laws

  • Financial Services: Technology regulatory landscape

    Personal Data and Privacy Act - 2013
    MAS Notice 644 on Technology Risk Management - 2013
    SRD TR 01/2014 System vulnerability assessments and penetration testing
    SRD TR 02/2014 IT security risk posed by personal mobile devices
    SRD TR 01/2015 Early detection of cyber intrusions
    SRD TR 03/2015 Technology risk and cyber security training for Board
    MAS Notice 634 Banking Secrecy Conditions for Outsourcing - 2004
    Guidelines on Outsourcing - 2004
    Consultation Paper on Notice on Outsourcing - 2014
    Consultation Paper on Guidelines on Outsourcing 2014
    Business Continuity Management guidelines 2013
    SRD TR 01/2011 Information technology outsourcing

    Circular no. 01/2011/TT-NHNN Safety, secrecy guidelines of the information technology systems in banking operation
    Circular no. 12/2011/TT-NHNN Management and utilization of digital signatures, digital certificates and SBV digital signature verification services
    Circular no. 29/2011/TT-NHNN Security and Secrecy of internet banking services

    BOT Notification No. 1953-2548 Guideline for the Preparation of IT Contingency Plan 2008
    BOT Notification No. SorNorSor. 26/2552 Guidelines for Development of IT Contingency Plan 2008
    BOT Notification No. SorNorSor.6/2557 Supervisory Guidelines on IT Outsourcing - 2014
    BOT Notification No. SorNorSor. 26/551 Supervisory Guidelines for Security of E-Banking Services 2008

    BNM Guidelines on Data Management and Management Information Systems 2011
    Guidelines on management of IT Environment (GPIS 1)

    Law of The Republic of Indonesia No. 11 of 2008 Concerning Electronic Information And Transactions
    OJK No. 1/POJK.05/2015 Risk Management in Non-Bank Financial Services
    No. 9/15/PBI/2007 Implementation of Risk Management in the Use of Information Technology by Commercial

  • Organizations are spending more money and paying more attention than they ever have, but for many the problem seems to be getting worse.

    $75.4 billion: Organizations spent on information security in 2015, according to Gartner

  • Moving into digitization

  • World Economic Forum report: Glimpsing the future

    The Future of Financial Services: How disruptive innovations are reshaping the way financial services are structured, provisioned and consumed

    An Industry Project of the Financial Services Community | Prepared in collaboration with Deloitte

  • Is cyber security a consideration in your plans?

    What's the deal?

  • Failures & challenges


  • Failure & challenges


    Failure to include security as part of the design principles: Businesses demand features, function and time to market.

    Addressing the incident and failing to detect the campaigns: Perpetrators strategise and take a longer term view. Don't miss the forest for the trees.

    Shortage of competent cyber security professionals: Demand is outstripping supply. Willingness to accept non-security IT professionals as replacements.

    Ineffective threat analytics: Use of technology with limited data sets and arcade rule sets. Limited value owing to the rush to implement and lacking integration.

  • Cyber Security 3.0

  • Are controls in place to guard against known and emerging

    Can we detect malicious or unauthorized activity, including the unknown?

    Can we act and recover quickly to minimize impact?

    Building a resilient cyber security organization

    This means having the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents.

    Cyber governance

    Cyber threat mitigation