Cyber Security Tips and Resources for Financial Institutions

Date post: 18-Jul-2015
Upload: colleen-beck-domanico
Transcript

Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending

JOIN. ENGAGE. LEAD.

CYBER SECURITY TIPS AND RESOURCES FOR FINANCIAL INSTITUTIONS Managing Risk

CYBER SECURITY RISK

• Both preparing for and responding to cyber attacks increase the cost of doing business.

• Attacks are increasingly sophisticated.

CYBER SECURITY RISK (CONT.)

Cyber Threats

• Risks come directly through banking operations and through third-party providers. Impacts individual bank and entire payments system.

• Attacks come from criminals, politically hostile sources, and insiders.

• Data risks are difficult to control (legacy systems and manual points in any process compound the difficulty of threats).

• Smaller institutions at most risk.

MANAGING CYBER SECURITY RISKS

Governance

Vendor management

Threat intelligence

Incident response

MANAGING CYBER SECURITY RISK: GOVERNANCE

GOVERNANCE

Policies, Procedures, & Controls

Assess risks

Identify gaps

Update

Test

MANAGING CYBER SECURITY RISK: VENDOR MANAGEMENT

COMPLIANCE RESPONSIBILITY

Even if your vendor is responsible for day-to-day management of certain products or services, the responsibility for all compliance requirements resides with your institution.

MONITOR YOUR VENDORS

Monitor your vendors’ performance to help ensure that your company meets its long-term strategic goals.

MULTIPLE FACETS

Be aware that vendor risk management is part of many operational risk activities, including:

Scenario analysis.

Risk control self-assessments (RCSAs).

Key risk indicators (KRIs).

Information security.

Business continuity planning.

ACCOUNTABILITY

Regulators have consistently advised banks to oversee vendors just as they would any division of the bank and will hold the bank accountable for any vendor-related risk management lapses.

MANAGING CYBER SECURITY RISK: THREAT INTELLIGENCE

SOURCES OF INTELLIGENCE

Audit reports.

Fraud detection analysis tools.

BSA/AML monitoring tools.

Cyber security services.

U.S. Treasury, Office of Foreign Assets Control.

Financial Services Information and Sharing Analysis Center (FS-ISAC).

InfraGard (a partnership between the FBI and the private sector).

United States Secret Service: Electronic Crimes Task Forces.

MANAGING CYBER SECURITY RISK: INCIDENT RESPONSE

INCIDENT RESPONSE: PLAN, PREPARE, AND TEST

Plan & Prepare

• Response policy and plan prior to incident.

• Quick response guides for likely incidents.

• Response team leader:

– Designate executive as plan and response point person and ensure redundancy.

• Response team:

– Escalates internally

– Notifies externally.

Test

• Train.

• Run simulations routinely.

• Include key stakeholders.

• Fine-tune response capabilities.

MANAGING CYBER SECURITY RISK: IT RESOURCES

IT RESOURCES

FFIEC IT Examination Handbook InfoBase

Introduction to the FFIEC’s Cybersecurity Assessment

Framework for Improving Critical Infrastructure

LEARN MORE

Learn more about cyber security through RMA’s premier publication, The RMA Journal: http://ebiz.rmahq.org/eBusPPRO/CustomerProfile/RMAJournalArticleSearch/tabid/393/Default.aspx

Subscribe to The RMA Journal today!

SHARE THIS PRESENTATION

Visit http://www.rmahq.org for information on risk management.

Visit our blog at http://rmablog.rmahq.org/

RMA is a member-driven professional association whose sole purpose is to advance sound risk principles in the financial services industry.

RMA helps its members use sound risk principles to improve institutional performance and financial stability, and enhance the risk competency of individuals through information, education, peer sharing, and networking.

Become a member today.

