IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW
Cyber Risks: A Practical Guide and Update for Financial Professionals
Session 602
Not If… but When???
Recent Headlines
“Millions of Children Exposed to ID Theft Through Anthem Breach”
“Target hit with breach of 70-110 million customers”
“JP Morgan says 76 million client accounts hacked”
“SONY hacking scandal expands”
“Home Depot reports 56 million accounts compromised”
US National Security Mandate
“No foreign nation, no hacker, should be able to shut down
our networks, steal our trade secrets or invade the privacy of
American families, especially our kids.”
President Barack Obama, 2015 State of the Union address
New Cybersecurity Legislation
Cybersecurity Enhancement Act of 2014
Signed into law December 18, 2014, this act provides for ongoing, voluntary
public-private partnership to improve cybersecurity and strengthen research and
development, workforce development, education, public awareness and
preparedness.
National Cybersecurity Protection Act of 2014
Signed into law December 18, 2014, this act codifies an existing DHS cybersecurity
operations center (the National Cybersecurity and Communications Integration Center).
Cybersecurity Workforce Assessment Act
Signed into law December 18, 2014, the act directs the Secretary of Homeland
Security, within 180 days and annually thereafter, to conduct an assessment of
the cybersecurity workforce of the Department of Homeland Security (DHS).
SEC Alerts
Office of Compliance Inspections and Examinations – February 2015 Alert
Addressing Brokerage and Advisory Firms
Examined 57 broker-dealers and 49 registered investment advisers
Most have been the subject of a cyber attack
Majority have adopted written information security policies
Majority conduct periodic risk assessments
Office of Investor Education and Advocacy – Security Tips
Pick a “strong” password
Use two-step verification
Different passwords for different accounts
Avoid using public computers
Caution with wireless connections
Be careful clicking links sent to you
Secure mobile devices
Check account statements and trade confirmations
Cybersecurity for Insurance Industry
New York State Department of Financial Services:
Report on Cybersecurity for Insurance
Cyber attacks against financial services institutions, including insurance
companies, are becoming increasingly frequent and sophisticated.
Insurance firms often possess large amounts of personally identifiable
information (“PII”) and protected health information (“PHI”).
Safeguarding such information in digital format is technologically challenging
and expensive.
PII and PHI are becoming more valuable on the black market, which increases
incentives for cyber attacks.
Anthem Health Insurance
Cyber-thieves gained access to the addresses, employment information and
Social Security numbers of 80 million customers and employees.
Encryption of such data at rest is currently not required by law. However, experts say
that even if the data had been encrypted, the breach could still have occurred: an
attacker who holds a legitimate user's credentials reads the data through the same path
that decrypts it for that user.
A data set containing health information can fetch $40 to $50 per record on the
black market.
Cybersecurity as critical component of Enterprise Risk Management (ERM)
Need to understand and approach cybersecurity as an enterprise-wide risk management
issue, not just an IT issue
Sarbanes-Oxley compliance provides little assurance of an effective security
program to manage cyber threats.
Companies must provide an annual “health check” report of the organization’s
cybersecurity program.
This comprehensive report must cover all domains of the cybersecurity program and be
prepared by either the internal audit staff or an outside vendor that specializes in
cybersecurity.
Board Responsibility
Less than 15% of Internal Audit Executives surveyed said their boards are actively involved in cybersecurity preparedness
Source: IIA Audit Executive Center Pulse of the Profession - 2014
Is Target a case of Fiduciary Failure?
Target Data Breach
Did Target’s board breach its fiduciary duty by failing to maintain proper
internal controls related to data security?
Proxy adviser ISS recommended the ouster of 7 of 10 board members for failing to
provide sufficient risk oversight.
However, Glass Lewis found insufficient evidence of director oversight failure, and
the board members were reelected; boards should nonetheless take notice and treat
cybersecurity risk seriously.
Emerging Technology
Technology Trends
Data Analytics
Social Media
Collaborative Applications
In Memory Computing
Mobile Devices
Cloud Computing
ERM & Cybersecurity
Effective ERM leveraging Cybersecurity Principles
Understand and approach cybersecurity as an enterprise-wide risk
management issue, not just an IT issue.
Boards should have adequate access to cybersecurity expertise, and discussions about
cyber-risk management should be given regular and adequate time on the board agenda.
Directors should set the expectation that management will establish an
enterprise-wide risk management framework with adequate staffing and budget.
Ensure that cyber risk discussions include identification of which risks to avoid,
accept, mitigate, or transfer through insurance, and the plans associated with each
approach.
Source: National Association of Corporate Directors (NACD)
ERM Framework
Leverage a Security Risk Management Framework
ISO 27005 provides guidelines for information security risk management.
Part of the ISO/IEC 27000 series, it is designed to support the implementation of
information security based on a risk management approach.
Organizations can align their internal security policies to ISO 27005 and map IT
risks at the business process level.
It specifies a structured, systematic and rigorous process from analyzing risks
through to creating a risk treatment plan.
Risk Based Approach
Develop a security strategy focused on business drivers and protecting high-value data
Identify the real risks:
Define the organization’s overall risk appetite
Identify the most important information and applications, where they reside and who has/needs access
Assess the threat landscape and your security program maturity – model your real exposures
Protect what matters most:
Assume breaches will occur – improve processes that complicate, detect and respond
Balance the fundamentals with emerging threat and vulnerability management
Establish and rationalize access control models for applications and information
Protect key identities and roles because they have access to the crown jewels
Sustain your security program:
Get governance right – security is a board-level priority
Allow good security to drive compliance – not vice versa
Measure leading indicators to catch problems while they are still small
Accept manageable risks that improve performance
Know your weaknesses – and address them!
Embed security in the business:
Make security everyone's responsibility — it's a business problem, not just an IT problem
Align all aspects of security (information, privacy, physical and business continuity) with the business
Spend wisely in controls and technology – invest more in people and process
Selectively consider outsourcing or co-sourcing operational security program areas
Cybersecurity Framework
Foundational Components
Component: Executive buy-in
What are the issues?
• Leadership on cybersecurity strategy, plan and execution comes from lower organizational levels or is seen as an IT issue.
• There is no consistent threat management system in place; threats are not regularly discussed in the boardroom.
Implications
• Organizations need to involve senior leadership in cybersecurity.
• Lack of executive buy-in opens the door to mistakes and cyber criminals; cybersecurity will miss the necessary direction and investment.
Component: Resources
What are the issues?
• Cybersecurity tasks are not adequately resourced and/or are not performed by skilled people.
• Cybersecurity teams do not have visibility into, or knowledge about, attacks.
Implications
• Cyber threats are overlooked or the response comes too late.
• Successful phishing by cyber criminals is a result of a lack of security awareness.
Component: Performance
What are the issues?
• Many organizations are spread too thin: they maintain too many cyber capabilities and, as a result, run them with only moderate effectiveness.
• The effectiveness of cybersecurity is not measured.
Implications
• Foundational cybersecurity processes are not working properly, leaving a broad range of options open to those carrying out an advanced persistent threat (APT).
Component: Access to data
What are the issues?
• Employees are a risk to cybersecurity, and the organization's Identity and Access Management (IAM) program is weak.
• Excessive manual processing and irregular reviews or reports make it too easy for employees to hold inappropriate access to data.
• Movers, leavers and joiners are a key cyber risk area.
Implications
• Employees are a major threat to cybersecurity; while organizations are looking for hackers coming in from the outside, fraud is already happening from the inside.
Component: Cost vs. value
What are the issues?
• Too many organizations view the cost of cybersecurity as considerable.
• Organizations do not appreciate the benefits of the measures they already have.
• Organizations significantly underestimate the potential cost of a cyber attack.
Implications
• Organizations must understand that they are under daily attack, that the attackers show no signs of giving up, and that they are getting smarter and more targeted. The next breach could be fatal.
Incident Response Process Flow
Phases: Preparation; Monitoring & Detection; Breach Investigation; Data Flow Containment; Notification & Remediation; Lessons Learned
• Prep: Process Definition, Data Classification, Table Top Exercise
• Detect: Receive Notification from Business Unit, IT
• Investigate: Determine if a Data Breach has Occurred
• Contain: Ensure that Data Leakage is Stopped
• Remediate: External Notifications & Remediation
• Learn: Varies with Incident
* Program phases are based on the SANS security incident handling model
Cybersecurity Checkup
Management needs to ask the following questions
1. Does your organization use a security framework?
2. What are the top 5 organizational risks related to cybersecurity that your
company is faced with?
3. How are your employees made aware of their role related to cybersecurity?
4. Are external and internal threats considered when planning your
cybersecurity program?
5. How is security governance managed within your organization?
6. In the event of a serious breach, has management developed an effective
response protocol and educated your organization?
Do you know this guy?
F_L_U_F_F_Y
Yes! – I’m in…
Internal Controls
Control employee access to systems and information
Terminations – Majority of data breaches occur immediately after employees leave the
company. Maintaining strong control over access rights is critical to enterprise
security; access should be revoked at the time of termination, not at the next
periodic review.
Segregation of Duties – Many companies grant employees access to perform their job
functions but fail to review and remove that access when they move to a new role or
function.
Governance – Rotate IT and data security personnel, and assign oversight of these roles
and individuals to an independent IT governance entity.
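The access checks this slide calls for can be run as a reconciliation job rather than a periodic manual review. The following is an added example, not code from the deck or from either presenter's firm: it compares a constructed HR roster against a constructed account export and reports leavers whose accounts are still enabled, movers still holding their previous role's groups, enabled accounts with no HR owner, and toxic entitlement combinations. The role-to-group model, the segregation-of-duties pairs and every record in it are assumptions made for the demonstration.

```python
"""Joiner/mover/leaver and segregation-of-duties reconciliation.

Added example, not from the slide deck or any vendor: it compares an HR
roster against an account export to find the control gaps the slide names.
All records, role names and group names below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HRRecord:
    emp_id: str
    status: str                     # "active" or "terminated"
    role: str                       # current role per HR (the "should have" side)
    term_date: Optional[date] = None


@dataclass
class Account:
    emp_id: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)   # entitlements actually held


# Hypothetical role-to-entitlement model: what each role is supposed to hold.
ROLE_GROUPS: Dict[str, Set[str]] = {
    "claims_adjuster": {"claims_rw", "policy_ro"},
    "claims_payer":    {"payments_rw", "policy_ro"},
    "underwriter":     {"policy_rw", "rating_rw"},
}

# Hypothetical toxic combinations one person must never hold at the same time.
SOD_CONFLICTS: List[Tuple[Set[str], str]] = [
    ({"claims_rw", "payments_rw"}, "adjust a claim and pay it"),
]

# Constructed HR roster and account export for the demonstration.
HR = [
    HRRecord("e100", "active", "claims_adjuster"),
    HRRecord("e101", "terminated", "claims_payer", date(2015, 5, 1)),
    HRRecord("e102", "active", "claims_payer"),      # moved from adjuster to payer
    HRRecord("e103", "active", "underwriter"),
]
ACCOUNTS = [
    Account("e100", True, {"claims_rw", "policy_ro"}),
    Account("e101", True, {"payments_rw", "policy_ro"}),               # left, still enabled
    Account("e102", True, {"payments_rw", "policy_ro", "claims_rw"}),  # old role's group kept
    Account("e103", False, {"policy_rw", "rating_rw"}),
    Account("svc_batch", True, {"payments_rw"}),                       # no HR record at all
]


def leavers_with_access(hr, accounts, as_of):
    """Terminated employees whose account is still enabled, with days since termination."""
    by_id = {a.emp_id: a for a in accounts}
    found = []
    for h in hr:
        a = by_id.get(h.emp_id)
        if h.status == "terminated" and a is not None and a.enabled:
            lag = (as_of - h.term_date).days if h.term_date else None
            found.append((h.emp_id, lag))
    return sorted(found)


def movers_with_stale_access(hr, accounts, role_groups):
    """Active employees holding groups outside their current role (not removed on move)."""
    by_id = {a.emp_id: a for a in accounts}
    stale = {}
    for h in hr:
        a = by_id.get(h.emp_id)
        if h.status != "active" or a is None or not a.enabled:
            continue
        extra = a.groups - role_groups.get(h.role, set())
        if extra:
            stale[h.emp_id] = sorted(extra)
    return stale


def orphan_accounts(hr, accounts):
    """Enabled accounts with no HR owner: service, shared or forgotten accounts."""
    known = {h.emp_id for h in hr}
    return sorted(a.emp_id for a in accounts if a.enabled and a.emp_id not in known)


def sod_violations(accounts, conflicts):
    """Enabled accounts that hold every group of a toxic combination."""
    hits = []
    for a in accounts:
        if not a.enabled:
            continue
        for toxic, why in conflicts:
            if toxic <= a.groups:
                hits.append((a.emp_id, why))
    return sorted(hits)


if __name__ == "__main__":
    today = date(2015, 6, 1)
    print("leavers still enabled:", leavers_with_access(HR, ACCOUNTS, today))
    print("movers with stale groups:", movers_with_stale_access(HR, ACCOUNTS, ROLE_GROUPS))
    print("orphan accounts:", orphan_accounts(HR, ACCOUNTS))
    print("SoD violations:", sod_violations(ACCOUNTS, SOD_CONFLICTS))
```

In practice the roster would be pulled from the HR system and the account export from each directory or application on a schedule; the leaver check in particular should run at least daily, since the slide's point is the window immediately after termination. The orphan check catches the accounts that no role-based review ever sees because nobody owns them.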
Vendor Risk Management
Control vendor access to systems and information
Clients, vendors and business partners (e.g. outsourcing providers) have various
reasons for needing access to systems and information.
Protect information assets by assigning IT security to specifically monitor their
activities when they access the network and hardware (e.g. hard drives).
Consider having an IT Risk Assessment performed that evaluates the controls
and safeguards the vendor has in place to ensure that information assets are
protected from unauthorized access.
Tech-Enabled Framework
ERM Framework
Predictive Analytics
Streaming Social Media
ERM Software
Risk Dashboards
Leveraging Data Analytics
Data analytics can be used to…
Identify the risks that have resulted from the exponential growth of technology
and the internet, and our increasing reliance on both.
Provide a comprehensive view of internal and external risks by alerting decision
makers about potential fraud, unusual network traffic patterns, hardware
failures, and security breaches.
Convert data into actionable information, helping businesses move their
cybersecurity measures from a reactive state to a proactive state.
Insurance Fraud
Organizations lost an average of 5% of their
revenues to fraud. That computes to a loss
of over $3.5 trillion per year.
The U.S. insurance industry estimated cost
of fraud is approximately $30 billion a year.
Most of this expense is absorbed by policy holders in the form of higher
insurance premiums, to the tune of about $300 a year per family.
Source: National Insurance Crime Bureau.
Fighting Fraud with Data Analytics
Transactions can be analyzed to detect data anomalies that may be
indicative of a fraud.
[Figure (source: SAP): fraud management flow from claim notification to claim closure. Stages: Prevention, Detection, Investigation, Monitoring. Components: Alert Notification; Fraud Pattern Analysis; Claim Process & Settlement; Inquire & Analyze Investigation; Evaluation & Decision; Rules & Predictive Analysis; Fraud Detection Strategy; Calibration & Simulation; Online Detection; Mass Detection; Fraud Monitoring & Performance Optimization; underlying Integration, Configuration and Platform layers.]
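The data-analytics slide and this fraud slide rest on the same idea: define what an anomalous transaction looks like, then run every claim through those definitions and surface the ones that match. The following is an added example, not code from the deck or from SAP: it applies five illustrative indicators to constructed claim records (exact duplicates, amounts shaped to sit just under an approval threshold, one payee account collecting for many claimants, filing velocity, and robust statistical outliers) and rolls the hits up per claim so an investigator sees every rule a claim tripped. The thresholds, window sizes, account identifiers and claim data are all assumptions.

```python
"""Rule-based anomaly detection over insurance claim transactions.

Added example, not from the slide deck or from SAP: it runs a handful of
fraud-indicator rules over constructed claim records. All claims, account
numbers, thresholds and window sizes are illustrative assumptions.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed claims: (claim_id, claimant, loss_date, amount, payee_account)
CLAIMS = [
    ("C1",  "alice", date(2015, 1, 10),  1200.00, "ACCT-A"),
    ("C2",  "bob",   date(2015, 1, 12),  4950.00, "ACCT-B"),  # just under review threshold
    ("C3",  "carol", date(2015, 2, 3),    800.00, "ACCT-Z"),
    ("C4",  "dave",  date(2015, 2, 5),    950.00, "ACCT-Z"),
    ("C5",  "erin",  date(2015, 2, 9),   1100.00, "ACCT-Z"),  # third claimant paid to ACCT-Z
    ("C6",  "alice", date(2015, 1, 10),  1200.00, "ACCT-A"),  # exact duplicate of C1
    ("C7",  "frank", date(2015, 3, 1),   1500.00, "ACCT-F"),
    ("C8",  "frank", date(2015, 3, 20),  1400.00, "ACCT-F"),
    ("C9",  "frank", date(2015, 4, 2),   1600.00, "ACCT-F"),  # three claims in 32 days
    ("C10", "gina",  date(2015, 3, 15), 48000.00, "ACCT-G"),  # far outside the normal range
]

# Hypothetical tuning parameters.
REVIEW_THRESHOLD = 5000.00     # claims at or above this need a second approver
NEAR_THRESHOLD_PCT = 0.02      # flag amounts within 2% below the threshold
SHARED_PAYEE_MIN = 3           # distinct claimants paid to one account
VELOCITY_MAX = 3               # claims per claimant ...
VELOCITY_WINDOW_DAYS = 90      # ... within this many days
OUTLIER_MAD_MULT = 5.0         # robust z-score cut-off (median absolute deviation)


def duplicate_claims(claims):
    """Same claimant, loss date and amount submitted twice: (later_id, first_id)."""
    first_seen = {}
    dups = []
    for cid, who, loss, amt, _ in claims:
        key = (who, loss, amt)
        if key in first_seen:
            dups.append((cid, first_seen[key]))
        else:
            first_seen[key] = cid
    return dups


def near_threshold(claims, threshold=REVIEW_THRESHOLD, pct=NEAR_THRESHOLD_PCT):
    """Amounts shaped to stay just below the approval threshold."""
    low = threshold * (1 - pct)
    return [cid for cid, _, _, amt, _ in claims if low <= amt < threshold]


def shared_payees(claims, min_claimants=SHARED_PAYEE_MIN):
    """One payee account collecting for many different claimants."""
    claimants = defaultdict(set)
    for _, who, _, _, acct in claims:
        claimants[acct].add(who)
    return sorted(a for a, s in claimants.items() if len(s) >= min_claimants)


def high_velocity(claims, max_claims=VELOCITY_MAX, window=VELOCITY_WINDOW_DAYS):
    """Claimants filing max_claims or more within a sliding window of days."""
    dates = defaultdict(list)
    for _, who, loss, _, _ in claims:
        dates[who].append(loss)
    flagged = []
    for who, ds in dates.items():
        ds.sort()
        for i in range(len(ds) - max_claims + 1):
            if (ds[i + max_claims - 1] - ds[i]).days <= window:
                flagged.append(who)
                break
    return sorted(flagged)


def amount_outliers(claims, mult=OUTLIER_MAD_MULT):
    """Amounts far from the median, measured in median absolute deviations."""
    amounts = [amt for _, _, _, amt, _ in claims]
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    if mad == 0:          # most claims identical: the rule has no spread to work with
        return []
    return [cid for cid, _, _, amt, _ in claims if abs(amt - med) > mult * mad]


def flag_all(claims):
    """Map each flagged claim to the sorted list of rules it tripped."""
    reasons = defaultdict(list)
    for cid, original in duplicate_claims(claims):
        reasons[cid].append("duplicate_of:" + original)
    for cid in near_threshold(claims):
        reasons[cid].append("near_threshold")
    for cid in amount_outliers(claims):
        reasons[cid].append("amount_outlier")
    hot_payees = set(shared_payees(claims))
    fast_filers = set(high_velocity(claims))
    for cid, who, _, _, acct in claims:
        if acct in hot_payees:
            reasons[cid].append("shared_payee")
        if who in fast_filers:
            reasons[cid].append("high_velocity")
    return {cid: sorted(r) for cid, r in reasons.items()}


if __name__ == "__main__":
    for cid, why in sorted(flag_all(CLAIMS).items()):
        print(cid, ", ".join(why))
```

Rolling hits up per claim matters: in the sample, one claim trips both the near-threshold and the outlier rule, and a claim that trips two independent indicators deserves an investigator before one that trips a single noisy rule. The median/MAD test is used instead of mean and standard deviation because one very large claim would otherwise inflate the standard deviation and hide itself; when the MAD is zero the rule is skipped rather than flagging every claim.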
Board Responsibility
• Target
• ISS recommended the ouster of 7 of 10 board members for failing
to provide sufficient risk oversight.
• Glass Lewis took a different stance, concluding there was
insufficient evidence of director oversight failure.
• The board members were reelected, but boards are on notice to
treat cybersecurity risk more seriously.
• A shareholder derivative lawsuit alleged that Target’s board breached its
fiduciary duty by failing to maintain proper internal controls related to data
security.
EisnerAmper Risk Survey
• 2014 Board of Directors Survey – Concerns About Risks Confronting Boards
• Opinions of Directors of more than 250 publicly traded, private, not-for-profit,
and private equity owned companies
• Findings
• Reputation remains leading concern; cybersecurity is growing
• Board admits lack of understanding of new media and cyber issues
• Most companies feel they are addressing risk very well, but less than 40% of
respondents have an ERM program fully implemented, 22% don’t have one
• Why is cybersecurity important?
• “IT/Cybersecurity is also tough to understand — but could cause severe damage.”
• “IT because much of the vital…work the org does depends on reliability and security of IT”
Three Lines of Defense Drives Governance Structure
Clarity of Roles and Responsibilities Structured into “Three Lines of Defense”
Board of Directors / Audit Committee
Senior Management
1st Line of Defense (operational management): Administration Controls; Internal Control Measures
2nd Line of Defense (oversight functions): Financial Control; Security; Risk Management; Quality; Compliance; Legal
3rd Line of Defense (independent assurance): Assurance & Validation – Internal Audit
External Auditor / Regulator (outside the three internal lines)
Where Internal Audit Can Help in Cyber-Security
Internal audit is equipped to do much of the work
necessary for companies to grasp their cyber-risks.
• 80 percent process-based
• A business process issue as much as an IT issue
Cyber-risk assessments need to be a top-down exercise
• Align risks to the business, strategy, and objectives:
• what type of information the company produces and what the company wants to
protect.
Internal audit can play a role in validating a company’s
response plan
Thank You!
Greg Fritsky, Director
Redwood Software
10 Denise Drive
Allentown, NJ 08501
(609) 468-6994
www.redwood.com
Jerry Ravi, Partner
Eisner Amper LLP
111 Wood Avenue South
Iselin, NJ 08830
(732) 243-7590
www.eisneramper.com
Please Complete the Session Evaluation Form on the Conference App