B12 Glen Siriano - Continuity Insights

Cyber Security From The Front Lines
Glenn A Siriano
October 2015
Agenda
Setting the Context
Business Considerations
The Path Forward
Q&A
Cyber Security Context
Cyber Has Become a Boardroom Conversation
June 2011 – Electronic transaction processing company target of cyber attack.
Global Payments reported that its servers housing personal information collected from merchants were attacked, impacting between 1.5 million and 7 million customers. The company confirmed that expenses associated with the breach totaled more than $92 million, including professional services fees, credit monitoring, identity protection insurance, fraud charges, and fines.
Source: Bank Info Security
July 2013 – Hackers use malware over a several-year period to steal more than 160 million credit card numbers.
Cyber attackers from Russia and Ukraine collaborated in a scheme to target major corporate networks including NASDAQ, Dow Jones, and Heartland Payment Systems and were able to steal more than 160 million credit card numbers between 2005 and 2012. In total, the separate and devious operations spanned the globe, resulting in at least $300 million in losses to companies and individuals.
Source: NY Daily News
January 2015 – Anthem breach thought to impact between 69 and 80 million customer records.
The second-largest health insurer reported that hackers compromised its network using a stolen password to access a database containing personal information from current and former customers. Initial estimates indicate the breach could result in more than $100 million in financial consequences.
Source: C-Net
Cyber Risk “Perfect Storm”
Growing Threat Level: ‘Bad Actors’ have evolved; Retail is the 5th worst sector and 75% of data loss incidents in Retail are hacking related (2012)*
Changing Technology Landscape: Consumerization of IT, Cloud and ‘eroding perimeter’
Compliance Pressure: Compliant does not necessarily mean sustainably (cyber) resilient
* KPMG’s 2012 Data Loss Barometer; a global insight into lost and stolen information.
Major market forces for Cyber in 2015 and Beyond
Every day increasingly sophisticated and intelligent attackers are targeting the crown jewel information assets of organizations. Business impacts include lost revenues, operational disruption, remediation costs, claims and fines.
EVOLVING THREAT ACTORS: Smarter attackers with more resources, better tooling, and advanced goals.
HEIGHTENED MEDIA COVERAGE: Drumbeat of fear, uncertainty, and doubt – especially about embedded systems / industrial control systems.
INCREDIBLE VENDOR CLAIMS: Total information security spending is expected to reach $76.9bn in 2015 (source: Gartner). Marketing departments have taken note.
CHANGING IT DELIVERY MODELS: New IT capabilities – from BYOD to cloud to big data – have serious impact on the security controls we need and can use.
TOP CYBER RISKS IN 2015: Our top security risk: misallocation of scarce resources – both time and money.
2015 Cyber by the Numbers: Audit Committee Research and KPMG
AC Focus Area
■ 55% of Audit Committee respondents feel that they should devote “more time” or “significantly more time” on Cyber for their agenda
■ 50% of Boards have assigned Cyber oversight responsibilities to the Full Board or Audit Committee
■ Organizations with structured leadership and strategy reduce the average per-record cost of a breach by $6.59 per record lost
Brand Damage
■ Loss of customer data can result in reputational risk and organizational brand damage (companies average $3.32 million in brand damage per breach)
Training & Awareness
■ Organizations must invest in Cyber training and awareness for all employees, including C-Level Executives. It only takes one employee opening an email attachment to open the door for cyber criminals.
Cyber Oversight
Improving Oversight of Cyber is No Longer Leading Practice…It’s Required
Over recent years many global organizations have been victims of cybercrime. Investors, governments, and global regulators are increasingly challenging board members to actively demonstrate diligence in this area. Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks.
Potential impacts and possible implications for the board
■ Intellectual property losses, including patented and trademarked material, client lists and commercially sensitive data
■ Reputational losses causing your market value to decline; loss of goodwill and confidence by customers and suppliers
■ Penalties, which may be legal or regulatory fines, e.g., for data privacy breaches, and customer and contractual compensation for delays
■ Time lost due to investigating the losses, keeping shareholders advised and supporting regulatory authorities (financial, fiscal, and legal)
■ Property losses of stock or information leading to delays or failure to deliver
■ Administrative resource to correct the impact, such as restoring client confidence, communications to authorities, replacing property, and restoring the organization’s business to its previous levels
Typical Key Drivers of Cyber
Mergers and acquisitions
Launch of new services
Complex regulatory requirements
Big Data
Technology automation
Consumer trust and brand protection
Third party management
Cyber Defined
Confusion in the Market…
Business Issue, Data, People, Theft, Criticality, Threats, Board-Level Issue, Compliance, Security, Insecurity, Reporting & Metrics, Confidentiality, Global, Competitive Advantage, Transformation, Technology, Availability, Top of Mind, Security, Information, Financial Loss, Integrity, Data Loss, Approach, Complexity, Value, Breach, Dynamic, Process, Disaster, Threat Intelligence, Governance, Forensic, Privacy Challenge, Evolving, Compliance, Personal, Technology
KPMG Cyber Services…
Risk-based protection of information in alignment with its value to the organization.
Information that is available to the business in the right way, at the right time, and to the right people.
Risk / Business Resilience / Cybersecurity
…Complexity
Strategic Cyber Security and Information Protection Services
Breach Response & Investigation Services
Vulnerability
…A streamlined approach to accessible, protected Information
Business Considerations
Top Industry Issues/Challenges
Market trends
■ Continued increase in regulations and regulatory enforcement (with greater global cooperation) across all industries
■ Increased expectations of technology and offshore resources to increase the efficiency and effectiveness of delivery
■ Cost pressures coupled with regulatory pressure to standardize technology and processes across disparate parts of the organization
■ The rising external threat demands a proactive, intelligence-based approach to anticipating and reacting to it
■ Regulator focus and recent media attention on insider-based incidents have increased attention on insider threat
■ Regulators and Boards have demanded accountability across all lines of defense, with the need for centralized ownership of Cyber within the second line of defense
■ The explosion of data across the organization, especially in unstructured data stores, has demanded a refined approach to identification and protection of critical data across the enterprise
■ Managing identity across the enterprise continues to be a common regulatory and audit finding. Risk is increased with the influx of a temporary and contingent workforce, some with elevated or privileged levels of access
Emerging Cyber Risks
Insider Threats: Data loss caused by negligent or malicious actions of authorized internal users.
Data security incidents can be caused by employees or contingent workers with data access as a result of negligent behavior or malicious acts. Additionally, given the transient nature of the contingent workforce, it also presents challenges to help ensure the data stays within the organization upon an individual’s departure.
Data Proliferation: An expanding data footprint increases the risk of data loss or disclosure.
As we have seen in most financial services institutions, unstructured data represents a large percentage of the total data within the environment. Because of the heavy business reliance on data analytics and the mobilization of data across various devices and platforms, multiple copies of data are being generated. Since there are limited options to control unstructured data access, unstructured data represents serious risks to data confidentiality, integrity, and availability.
New & Emerging Technology: Adopting new technology introduces potential vulnerabilities.
As more business is conducted online to improve customer experience, and IT plans to leverage cloud services, mobile technologies and technology outsourcing to provide services that offer flexibility, scalability, and cost savings, these initiatives can lead to new risks to the organization’s overall information security posture.
Cyber Attacks & Malware: Business operations and connectivity open infrastructure to risks.
As the business seeks to provide customers with more timely and accurate data, expanded offerings and programs, more interfaces, and more opportunities for access to information, perimeter and access control standards should be in line with the level of data criticality and confidentiality.
Regulatory Developments and Priorities
Payment Card Industry (PCI) Standard Updates
■ In April 2015, the PCI Security Standards Council released v3.1 of its Data Security Standard (DSS) in response to several high-profile vulnerabilities related to the Secure Sockets Layer (SSL) protocol (e.g., POODLE, Heartbleed, BERserk, FREAK, Logjam, RC4, etc.).
■ As a result, SSL and early versions of the Transport Layer Security (TLS) protocol are no longer considered to be strong cryptography and cannot be used as a security control after June 30, 2016.
Increasing Supervision by the Office of the Comptroller of the Currency (OCC)
■ Comptroller of the Currency Thomas J. Curry recently referred to cyber threats as “the foremost risk facing banks today” and “one of the major, if not the major, risk facing businesses of all sorts.”¹
■ In the OCC’s 2015 Semiannual Risk Perspective, cyber threats and operational risk (i.e., information security, data protection, and third-party risk management) were listed as top supervisory priorities for community and midsize banks over the next 12 months.
Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment
■ In the summer of 2014, the FFIEC piloted a cybersecurity examination work program that focused on cybersecurity inherent risk and preparedness and emphasized the need for information sharing.
■ Drawing on the results of this pilot, the FFIEC released a Cybersecurity Assessment Tool in June 2015 to help banks evaluate their cybersecurity inherent risk profile and determine their level of cybersecurity maturity.
¹ Remarks by Thomas J. Curry, Comptroller of the Currency, Before the New England Council, Boston, Massachusetts, July 24, 2015
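The PCI DSS v3.1 cutoff described above, as an added example that is not part of the original presentation: a Python check that flags SSL and early-TLS versions a scanner reports as still enabled on a server, next to a client SSLContext with the weak setting and the corrected one. Counting TLS 1.1 alongside TLS 1.0 as "early TLS" is an assumption made here, and the version labels are constructed.

```python
import ssl

# Protocol versions PCI DSS v3.1 no longer treats as strong cryptography after
# June 30, 2016: every SSL version plus "early TLS". Treating TLS 1.1 as early
# TLS alongside TLS 1.0 is an assumption made for this example.
WEAK_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"})


def noncompliant_protocols(enabled):
    """Given the protocol versions a server was observed to accept (labels as
    a typical TLS scanner reports them; constructed here), return those the
    PCI DSS v3.1 cutoff forbids, in the order they were reported."""
    return [proto for proto in enabled if proto in WEAK_PROTOCOLS]


def legacy_client_context():
    """The weak setting: a client context that will negotiate whatever the
    local OpenSSL build still allows, including SSLv3/TLS 1.0 if compiled in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context():
    """The corrected setting: refuse anything below TLS 1.2 and require a
    verified certificate, so SSL and early TLS can never be negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_meets_pci_cutoff(ctx):
    """True when the context cannot fall back to SSL or early TLS."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    # Constructed scan result for a server that still accepts old versions.
    observed = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
    print("Non-compliant versions:", noncompliant_protocols(observed))
    print("Legacy context compliant:", context_meets_pci_cutoff(legacy_client_context()))
    print("Hardened context compliant:", context_meets_pci_cutoff(hardened_client_context()))
```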
Regulatory Focus Areas and Industry Activities
Regulatory Focus Areas
■ Evaluation of Cybersecurity Inherent Risk
■ Enterprise Risk Management and Oversight
■ Threat Intelligence and Collaboration
■ Data Classification and Risk-Based Controls
■ External Dependency and Vendor Risk Management
■ Cyber Incident Management and Resilience (BCP/DR)
■ Data and Network Protection Practices
■ Payment System and Data Hardening
■ Information Sharing
■ Cloud Security
■ Social Engineering and Insider Threats
■ Application Security
■ Data Loss Prevention (DLP)
■ Privileged Access Management
■ Change Management
Industry Activities
■ Top-Down Enterprise Risk Assessments
■ Cybersecurity Assessments and Benchmarking
■ Refresh Information Governance Model
■ Revamp Identity Management and Access Control
■ Review Impact of Emerging Technology (Cloud, Social Media, etc.) and Products
■ Enhance Application Security/SDLC Integration
■ Enhance Data & Information Protection
■ Improve Security Monitoring and Incident Management
■ Participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
■ Infrastructure Obsolescence Management
■ Develop and Revise Policy & Standards
■ Maintain an Effective End-User Awareness Program
■ Improve Third-Party Vendor Security Assessment Program
The Path Forward
Cyber as Cost-Efficient Risk Management
At the heart of KPMG’s approach to Cyber Security is the objective of helping clients maximize the value of their cyber security investment.
Information Risk becomes Business Advantage
Security as an IT Cost
■ Technology platform centric
■ Bottom-line focused
■ Driven by IT
■ Automation focused
■ Success measured by timely deployment of technology
■ Technology is always the answer
■ Poor ROI from many programs
■ Starts with data (report on what I have, not what I need)
Security as a Business Investment
■ Target operating model–centric
■ Strategically aligned with business objectives
■ Business led
■ Process focused
■ Value added service delivery
■ Success measured by achieving business value
■ Technology is one enabler of transformation
■ Considers the security needs within the larger technology portfolio
■ Analytics enabled
■ Reduce time to value
Six Key Aspects of Cyber
Key domain layers
Leadership and Governance Layer: Describes how Boards and Executive Management demonstrate due diligence, ownership, and effective management of risk.
People Layer: Describes the level and integration of a security culture that empowers and helps ensure the right people, skills, culture, and knowledge.
Business Continuity Layer: Describes preparations for a security event and the ability to prevent or lessen the impact through successful crisis and stakeholder management.
Operations and Technology Layer: The level of control measures implemented to address identified risks and reduce the impact of compromise.
Information Risk Management Layer: Details the approach to achieve thorough and effective risk management of information throughout the organization and its delivery and supply partners.
Legal and Compliance Layer: Meeting regulatory and compliance obligations as relevant.
Comprehensive View to Cyber Maturity
Cyber maturity addresses the following:
The Result – End-to-End Cyber Protection
PREVENT • DETECT • RESPOND • IMPROVE
The approach is designed to be simple and effective, and most importantly, aligned with business needs. KPMG has aligned how we deliver our core cyber services accordingly:
STRATEGY AND GOVERNANCE (Prevent): Helps the company understand how to align their cyber agenda with their dynamic business and compliance priorities.
Attributes: Prevention; Comprehensive in breadth (Target Operating Model); Benefits driven from strategy through execution; Information driven approach
CYBER DEFENSE (Detect): Helps the business maintain their cyber agenda as business and technology programs evolve, providing greater visibility and understanding of changing risks.
Attributes: Detection; End-to-end configuration; Security Operations and Monitoring; Security analytics
DIGITAL RESPONSE SERVICES (Respond): Helps the company effectively and efficiently respond to cyber incidents and conduct forensic analysis and detailed investigations.
Attributes: Response; Digital evidence preservation and cyber investigations services; Post-Breach analysis and mitigation
TRANSFORMATION (Improve): Helps the company build and improve their programs and processes, supported by the right organization and technology, to improve their cyber agenda.
Attributes: Improvement; Informed by technology strategy; Long-term engagement delivery; Business Outcome Focused
Aligned with business priorities and compliance needs
High-level board oversight questions
Based on our board outreach and education programs, these are the three most common questions at the executive management and board levels today:
1. What are the new cybersecurity threats and risks and how do they affect our organization?
2. Is our organization’s cybersecurity program ready to meet the challenges of today’s (and tomorrow’s) cyber threat landscape?
3. What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area?
We designed a Global Cyber Maturity Framework specifically to assist organizations in addressing these critical questions by combining the most relevant aspects of international cybersecurity frameworks (e.g., NIST, ISO, AU35, ANSI, SANS, etc.).
(Figure: KPMG’s Global Cyber Maturity Framework Domains, with Board Engagement & Oversight at the center)
Cyber risk management
A framework for exercising oversight responsibility
Board Engagement & Oversight sits at the center of six domains:
LEGAL AND COMPLIANCE: Regulatory and international certification standards as relevant
LEADERSHIP AND GOVERNANCE: Management demonstrating due diligence, ownership, and effective management of risk
OPERATIONS AND TECHNOLOGY: The level of control measures implemented to address identified risks and reduce the impact of compromise
HUMAN FACTORS: The level and integration of a security culture that empowers and helps to ensure the right people, skills, culture, and knowledge
BUSINESS CONTINUITY AND CRISIS MANAGEMENT: Preparations for a security event and ability to prevent or reduce the impact through successful crisis and stakeholder management
INFORMATION RISK MANAGEMENT: The approach to achieve thorough and effective risk management of information throughout the organization and its delivery and supply partners
Board oversight and engagement summary – Key performance indicators
Leadership and Governance
How Should the Board Engage?
■ Understand governance structure and meet team
■ Review output of capability assessment
■ Review and approve strategy and funding
■ Participate in general board education
■ Request periodic updates of program
How Does the Board Gain Comfort? (Key Performance Indicators)
■ Security spend as a percent of overall IT budget
■ Capability maturity review output
■ Certifications within key leadership positions
■ Number of board education sessions (frequency)
Human Factors
How Should the Board Engage?
■ Set the tone for the culture
■ Review patterns/trends of personnel issues
■ Understand training & awareness protocols
How Does the Board Gain Comfort? (Key Performance Indicators)
■ Percentage of employee/contractors attending training
■ Trends related to cyber from whistleblower or ethics
Information Risk Mgmt
How Should the Board Engage?
■ Understand risk management approach and risk
■ Review and approve risk tolerance
■ Understand third-party supplier program
■ Review and question program metrics
How Does the Board Gain Comfort? (Key Performance Indicators)
■ Risk Assessment output / linkage to ERM program
■ Risk tolerance measures and metrics
■ Number of “high risk” third-party suppliers and review
■ Review metric output (see other sections)
Board oversight and engagement summary – Key performance indicators
Business Continuity
How Should the Board Engage?
■ Understand current response capability
■ Review status of overall plan maturity
■ Meet with communications personnel
■ Participate in table-top exercises
How Does the Board Gain Comfort? (Key Performance Indicators)
■ Number of mission critical business processes with
■ Number of table top exercises (frequency) and results
Operations & Technology
How Should the Board Engage?
■ Understand current maturity of control
■ Review relevancy of selected control
■ Review relevant incident trend metrics
■ Meet with CIO or equivalent to understand
and information technology trends
How Does the Board Gain Comfort? (Key Performance Indicators)
■ Percentage of “crown-jewel” assets included in
■ Risk rating of security vulnerabilities (considering asset
■ Cyber incident trends metrics
Legal & Compliance
How Should the Board Engage?
■ Understand regulatory landscape impacting
■ Clarify audit committee requirements for
■ Review litigating inventory trends
■ Review and approve cyber insurance
How Does the Board Gain Comfort? (Key Performance Indicators)
■ Open regulatory and/or litigation matters
■ Cyber insurance policy benchmarking with peer
Thank you
Presentation by Glenn Siriano
KPMG LLP
[email protected]
203-521-8129
© 2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.