Page 1: Cyber Security Trends

Cyber Security for the future of financial services

Thio Tse Gan

May 2016

© 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd

Page 2: Cyber Security Trends

Global trends & outlook


Page 3: Cyber Security Trends

Cyber-attacks are on the rise

• $400B+ is the annual cost to the global economy from cybercrime [1]

• 27.5% increase in data breaches in various industries from 2013 [5]

• Industry-wise breakup of 2014 data breach incidents across Healthcare, Financial Services, Educational and Government: 63%, 8%, 11%, 18% (chart labels; the transcript does not preserve which percentage belongs to which sector)

• 15% of incidents still take days to discover [2]

• 229 days: average number of days attackers maintained presence after infiltration and before detection [3]

• 90% chance that at least one person will fall prey to a phishing campaign with just 10 emails [2]

• 50% of recipients open emails and click on phishing links within the first hour of receiving them [2]

• 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE* was published [2]

• 55% of incidents involve abuse of privileged access [2]

• Per capita cost of a data breach was highest in the US in 2015 [4]: $154 global average; $201 (2014) and $217 (2015) in the US

[1] Net Losses: Estimating the Global Cost of Cybercrime, Center for Strategic and International Studies; [2] Verizon 2015 Data Breach Investigations Report; [3] Mandiant M-Trends® 2014: Beyond the Breach, published April 10, 2014; [4] Ponemon 2015 Cost of Data Breach Study: Global Analysis; [5] ITRC Breach Statistics 2005-2014; * CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures - http://cve.mitre.org

Page 4: Cyber Security Trends


Page 5: Cyber Security Trends

Rampant cyber attacks observed around the world in 2015 and 2016

• 80 million records exposed in attack launched on Anthem Inc.

• 19.7 million people’s personal details stolen in attack launched on U.S. Office of Personnel Management

• National pension system hacked in Japan and 1.25 million people’s personal data was exposed

• 10.4 million records exposed in 3 attacks launched on TalkTalk Group

• 5 million personal details leaked in data breach in VTech

• $81 million stolen from Central Bank of Bangladesh in a bank heist

• U.S. IRS hacked: 100,000 personal details stolen and used to generate PINs for Social Security numbers in 2 separate attacks

Page 6: Cyber Security Trends

Complex regulatory requirements created to curb rise of cyber crime

European Union: EU Data Protection Directive 1995, EU Privacy and Electronic Communications Directive (as amended in 2011), Data Retention Directive 2006. Member states implement Directives as their own national laws. Regulation of Investigatory Powers Act 2000

Russia: Federal Law No. 152-FZ on personal data 2006

Switzerland: Federal Data Protection Act 1992 on personal data 2006

Japan: Personal Information Protection Act 2003

China: Decision on strengthening Internet information protection, guideline for personal information protection

South Africa: Electronic Communications Act

Dubai: Data Protection Act 2007

Singapore: Personal Data Protection Act 2013

Philippines: Data Privacy Act 2011

New Zealand: Privacy Act 1993

Australia: Australian Federal Privacy Act 1988. Anti-Spam Act 2004

Argentina: Protection of Personal Data Law 2001

Costa Rica: Law No. 7975 – Undisclosed Information Law. Law No. 8968 – Protection in the Handling of the Personal Data of Individuals

Mexico: Federal Law on the Protection of Personal Data Held by Private Parties 2010

California: California Online Privacy Protection Act 2003, Security Breach Notice (Civil Code 1798, formerly SB 1386) 2003

US Federal: HIPAA 1996, GLBA 1999, COPPA 1998, CAN-SPAM 2003. Do Not Call Improvement Act 2007, Safe Harbor Principles 2000, FCRA (as amended in 2003), Patriot Act 2001

Canada: PIPEDA 2004. Privacy Act 1988 and Provincial privacy Laws

Page 7: Cyber Security Trends

Financial Services Technology regulatory landscape

Singapore

• Personal Data and Privacy Act - 2013

• MAS Notice 644 on Technology Risk Management - 2013

• SRD TR 01/2014 – System vulnerability assessments and penetration testing

• SRD TR 02/2014 – IT security risk posed by personal mobile devices

• SRD TR 01/2015 – Early detection of cyber intrusions

• SRD TR 03/2015 – Technology risk and cyber security training for Board

• MAS Notice 634 Banking Secrecy – Conditions for Outsourcing - 2004

• Guidelines on Outsourcing - 2004

• Consultation Paper on Notice on Outsourcing - 2014

• Consultation Paper on Guidelines on Outsourcing – 2014

• Business Continuity Management guidelines – 2013

• SRD TR 01/2011 – Information technology outsourcing

Vietnam

• Circular no. 01/2011/TT-NHNN Safety, secrecy guidelines of the information technology systems in banking operation

• Circular no. 12/2011/TT-NHNN Management and utilization of digital signatures, digital certificates and SBV digital signature verification services

• Circular no. 29/2011/TT-NHNN Security and Secrecy of internet banking services

Thailand

• BOT Notification No. 1953-2548 Guideline for the Preparation of IT Contingency Plan – 2008

• BOT Notification No. SorNorSor. 26/2552 Guidelines for Development of IT Contingency Plan – 2008

• BOT Notification No. SorNorSor.6/2557 Supervisory Guidelines on IT Outsourcing - 2014

• BOT Notification No. SorNorSor. 26/551 Supervisory Guidelines for Security of E-Banking Services – 2008

Malaysia

• BNM Guidelines on Data Management and Management Information Systems – 2011

• Guidelines on management of IT Environment (GPIS 1) – 2004

Indonesia

• Law of The Republic of Indonesia No. 11 of 2008 Concerning Electronic Information And Transactions

• OJK No. 1/POJK.05/2015 Risk Management in Non-Bank Financial Services

• No. 9/15/PBI/2007 Implementation of Risk Management in the Use of Information Technology by Commercial Banks

Page 8: Cyber Security Trends

Organizations are spending more money and paying more attention than they ever have … but for many the problem seems to be getting worse.

Organizations spent $75.4 billion on information security in 2015, according to Gartner.

Page 9: Cyber Security Trends

Moving into digitization

Page 10: Cyber Security Trends

World Economic Forum report: Glimpsing the future

The Future of Financial Services: How disruptive innovations are reshaping the way financial services are structured, provisioned and consumed

An Industry Project of the Financial Services Community | Prepared in collaboration with Deloitte

Page 11: Cyber Security Trends

Is cyber security a consideration in your plans to innovate?

What’s the deal?

Page 12: Cyber Security Trends

Failures & challenges


Page 13: Cyber Security Trends

Failure & challenges

Failure to include security as part of the design principles: Businesses demand features, function and time to market.

Addressing the incident and failing to detect the campaigns: Perpetrators strategise and take a longer term view. Don’t miss the forest for the trees.

Shortage of competent cyber security professionals: Demand is outstripping supply. Willingness to accept non-security IT professionals as ‘replacements’.

Ineffective threat analytics: Use of technology with limited data sets and arcane rule sets. Limited value owing to the rush to implement and lacking integration.

Page 14: Cyber Security Trends

Cyber Security 3.0


Page 15: Cyber Security Trends

Building a resilient cyber security organization

Secure: Are controls in place to guard against known and emerging threats?

Vigilant: Can we detect malicious or unauthorized activity, including the unknown?

Resilient: Can we act and recover quickly to minimize impact?

This means having the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents.

Cyber governance • Cyber threat mitigation • Cyber threat intelligence • Cyber incident response

Page 16: Cyber Security Trends

Cyber security design: 5 design principles

里应外合 (coordinating from inside and outside) – Combating the issue together: Internal cyber security, external cyber security providers, vendors.

Revamp information sharing: Perpetrators share intelligence to effectively compromise organisations. Why aren’t organisations sharing information about perpetrators? There is a need for situational awareness.

Automation: what and how: The shortage will continue. Tools and automation exist to create accuracy.

Design principles: everything is a potential threat: Build the requirement of security as a core.

Actionable intelligence: threat-centric defense: Correlation and inductive technique required. Look beyond just security data.

Page 17: Cyber Security Trends

Cyber Security Trends

Disruptive Technology Risks: Recognising that new technologies like wearables, 3D printing and in-memory computing all have security implications, and planning for this.

The Integrity Conundrum: Integrity is the forgotten security domain. Maintaining the integrity of data, business process, and people is going to be increasingly critical.

Business Security: Establishing security researchers across the business units that handle sensitive data (seen in big Tech companies to increase agility).

People Are Key: Embedding the psychology of security in the business and finding the right SecOps analysts will be key for on-going management of cyber risk.

Collaborative Security: Recognising that “cyber” can’t be solved alone, and developing and promoting a collaborative security environment across the business.

Live-Fire Exercises: Conducting sophisticated APT-style attacks, emulation and cyber range testing against critical systems and people assets.

Defining Normal: Establishing accurate baselines in order to identify anomalous activity and behaviour for investigation.

Real-Time Security Ops: Developing the next generation of SOC and reducing the time taken to detect and respond to an ever increasing threat landscape.

Auto-Corrective Security: Automating security processes and tools using the latest security technology to free up people and time.

Page 18: Cyber Security Trends

No such thing as hacker-proof … if you build it they will come

Page 19: Cyber Security Trends

Deloitte principles: Cyber Security 3.0

Cyber Security 3.0 Model: Secure • Vigilant • Resilient

Design principles: Design security into core IT infrastructure

Actionable intelligence: Develop a threat-centric defence

Intelligence sharing: Create situational awareness

Automation: Increase accuracy in operational security

Integration: Eliminate vulnerabilities by working together

Secure: Are controls in place to guard against known and emerging threats?

Vigilant: Can we detect malicious or unauthorized activity, including the unknown?

Resilient: Can we act and recover quickly to minimize impact?

Cyber Governance

Page 20: Cyber Security Trends

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/sg/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 225,000 professionals are committed to making an impact that matters. Deloitte serves 4 out of 5 Fortune Global 500® companies.

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.