Cyber Security for the future of financial services
Thio Tse Gan
May 2016
1 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd
Global trends & outlook
Cyber-attacks are on the rise
$400B+ is the annual cost to the global economy from cybercrime [1]
50% of recipients open emails and click on phishing links within the first hour of receiving them [2]
90% chance that at least one person will fall prey to a phishing campaign with just 10 emails [2]
229 is the average number of days attackers maintained presence after infiltration and before detection [3]
99.9% of the exploited vulnerabilities were compromised more than a year after the CVE* was published [2]
27.5% increase in the data breaches in various industries from 2013 [5]
15% of incidents still take days to discover [2]
55% of incidents involve abuse of privileged access [2]
Per capita cost of data breach was highest in the US in 2015, at $217 [4] (chart values: $154, $201, $217; chart labels: Global Average, 2014, 2015)
Industry-wise breakup of 2014 data breach incidents (chart categories: Healthcare, Financial Services, Educational, Government; chart values: 63%, 8%, 11%, 18%)
[1] Net Losses: Estimating the Global Cost of Cybercrime, Center for Strategic and International Studies; [2] Verizon 2015 Data Breach Investigations Report; [3] Mandiant M-Trends 2014: Beyond the Breach, published April 10, 2014; [4] Ponemon 2015 Cost of Data Breach Study: Global Analysis; [5] ITRC Breach Statistics 2005-2014.
* CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures: http://cve.mitre.org
Rampant cyber attacks observed around the world in 2015 and 2016
80 million records exposed in attack launched on Anthem Inc.
19.7 million people's personal details stolen in attack launched on U.S. Office of Personnel Management
National pension system hacked in Japan and 1.25 million people's personal data was exposed
10.4 million records exposed in 3 attacks launched on TalkTalk Group
5 million personal details leaked in data breach in VTech
$81 million stolen from Central Bank of Bangladesh in a bank heist
U.S. IRS hacked: 100,000 personal details stolen and used to generate PINs for Social Security numbers in 2 separate attacks
Complex regulatory requirements created to curb rise of cyber crime
European Union: EU Data Protection Directive 1995, EU Privacy and Electronic Communications Directive (as amended in 2011), Data Retention Directive 2006. Member states implement Directives as their own national laws. Regulation of Investigatory Powers Act 2000
Russia: Federal Law No. 152-FZ on personal data 2006
Switzerland: Federal Data Protection Act 1992 on personal data 2006
Japan: Personal Information Protection Act 2003
China: Decision on strengthening Internet information protection, guideline for personal information protection
South Africa: Electronic Communications Act
Dubai: Data Protection Act 2007
Singapore: Personal Data Protection Act 2013
Philippines: Data Privacy Act 2011
New Zealand: Privacy Act 1993
Australia: Australian Federal Privacy Act 1988, Anti-Spam Act 2004
Argentina: Protection of Personal Data Law 2001
Costa Rica: Law No. 7975 Undisclosed Information Law, Law No. 8968 Protection in the Handling of the Personal Data of Individuals
Mexico: Federal Law on the Protection of Personal Data Held by Private Parties 2010
California: California Online Privacy Protection Act 2003, Security Breach Notice (Civil Code 1798, formerly SB 1386) 2003
US Federal: HIPAA 1996, GLBA 1999, COPPA 1998, CAN-SPAM 2003, Do Not Call Improvement Act 2007, Safe Harbor Principles 2000, FCRA (as amended in 2003), Patriot Act 2001
Canada: PIPEDA 2004, Privacy Act 1988 and provincial privacy laws
Financial Services technology regulatory landscape
Singapore
Personal Data and Privacy Act 2013
MAS Notice 644 on Technology Risk Management 2013
SRD TR 01/2014 System vulnerability assessments and penetration testing
SRD TR 02/2014 IT security risk posed by personal mobile devices
SRD TR 01/2015 Early detection of cyber intrusions
SRD TR 03/2015 Technology risk and cyber security training for Board
MAS Notice 634 Banking Secrecy Conditions for Outsourcing 2004
Guidelines on Outsourcing 2004
Consultation Paper on Notice on Outsourcing 2014
Consultation Paper on Guidelines on Outsourcing 2014
Business Continuity Management guidelines 2013
SRD TR 01/2011 Information technology outsourcing
Vietnam
Circular no. 01/2011/TT-NHNN Safety, secrecy guidelines of the information technology systems in banking operation
Circular no. 12/2011/TT-NHNN Management and utilization of digital signatures, digital certificates and SBV digital signature verification services
Circular no. 29/2011/TT-NHNN Security and secrecy of internet banking services
Thailand
BOT Notification No. 1953-2548 Guideline for the Preparation of IT Contingency Plan 2008
BOT Notification No. SorNorSor. 26/2552 Guidelines for Development of IT Contingency Plan 2008
BOT Notification No. SorNorSor.6/2557 Supervisory Guidelines on IT Outsourcing 2014
BOT Notification No. SorNorSor. 26/551 Supervisory Guidelines for Security of E-Banking Services 2008
Malaysia
BNM Guidelines on Data Management and Management Information Systems 2011
Guidelines on Management of IT Environment (GPIS 1) 2004
Indonesia
Law of The Republic of Indonesia No. 11 of 2008 Concerning Electronic Information and Transactions
OJK No. 1/POJK.05/2015 Risk Management in Non-Bank Financial Services
No. 9/15/PBI/2007 Implementation of Risk Management in the Use of Information Technology by Commercial Banks
Organizations are spending more money and paying more attention than they ever have, but for many the problem seems to be getting worse.
Organizations spent $75.4 billion on information security in 2015, according to Gartner.
Moving into digitization
World Economic Forum report: Glimpsing the future
The Future of Financial Services: How disruptive innovations are reshaping the way financial services are structured, provisioned and consumed. An Industry Project of the Financial Services Community | Prepared in collaboration with Deloitte
Is cyber security a consideration in your plans to innovate?
What's the deal?
Failures & challenges
Failure & challenges
Failure to include security as part of the design principles: businesses demand features, function and time to market.
Addressing the incident and failing to detect the campaigns: perpetrators strategise and take a longer-term view. Don't miss the forest for the trees.
Shortage of competent cyber security professionals: demand is outstripping supply. Willingness to accept non-security IT professionals as replacements.
Ineffective threat analytics: use of technology with limited data sets and arcane rule sets. Limited value owing to the rush to implement and lacking integration.
Cyber Security 3.0
Are controls in place to guard against known and emerging threats?
Can we detect malicious or unauthorized activity, including the unknown?
Can we act and recover quickly to minimize impact?
Building a resilient cyber security organization
This means having the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents.
Cyber governance
Cyber threat mitigation