CyberThe needfor speedMeetFinTechDay - 26th May, 2016Dennis van Ham Director, KPMG Cybercyber.kpmg.com

Cyber crime trends in FSThreats

Counters

Short term outcome

Criminals respond

Traditional Organised Crime

Crime as a Service – Black Economy

Commoditised Attack Methods

Law Enforcement Disruption Operations

Greater co-operation – banks, police and internet economy

Improved Transaction Fraud Control, EMV & 2FA Security

Decline in Retail Banking Trojans

Reduction in fraud levels on e-banking to below 1 bps

Beginning to close out channels for credit card fraud (e.g. POS)

Extortion attacks against individuals

Bulk compromises of personal data

Shift to targeting corporate accounts & UHNWIs

Direct attacks on bank and payment systems

Greater creativity and use of inside knowledge

Targeting of e-retailers for card not present fraud

Growth in ransomware and commodity DDOS

More sophisticated social engineering

CEO and Business Email Compromise Frauds

CARBANAK style compromises

Secondary market manipulation (e.g. front running)

Banking Trojans repurposed to attack retailers

Where are you on the journey?

Immature Developing Investing Advanced Leading

Cyber security isn’t an issue for us.. It’s

all hype anyway

I am worried… but not sure what to do

I have robust policies /defences…

And… a strong second line compliance

function

I don’t understand how we were breached…

There is no absolute security, we need

to manage risk

We can’t do this alone – we are part

of the community

We need a more agile approach to match the threat

Sec

urity

Cap

abili

ty

Limited awareness

Reliance on basic security technology

No controls or compliance process

Seen as a technology issue

Discussion of what it means for firm

Reaching out for support/advice

Policies in place and basic security processes

Often driven by regulatory concerns

Investing to improve

Still adopting point technical solutions

Strengthening policies and compliance

Initial security architecture

Education and awareness campaigns begin

Boards demand better risk discussion and MI

Move towards structured security programmes

Build out security operations and TVM

Ramp up testing

Early stage supply chain security initiatives

Lead as part of the community

Build a cyber ecosystem with clients/suppliers

Intelligence led approach linked to business

Cyber resilience

Risk quantification and mitigation strategy

Technology enabled and data driven

Here

Here

Or Here!

How your priorities change…

Connecting the issues

Operational Transformation:Help embed a cyber security culture into your organisation going forward,

driving security transformation

Financial Crime:Use the latest Cyber tools and techniques to help you prevent, detect, and respond to the increased complexity of financial crime and

fraud threats

Financial Risk Management:Linking cyber security into your operational and financial risk management systems. Helping you quantify and assess risk

Regulatory:Advise on the impact and requirements of forthcoming Cyber Security regulations from the EU General Data Protection Regulation, to the latest New York regulatory scene

Mergers and Acquisitions:Ensure that cyber security is considered during due diligence – avoiding potential

exposures and compromises

Data Analytics:Helping you get the most from your auditing, logging and monitoring systems – optimising your investment in technology and cyber threat intelligence

Audit:Ensure cyber security is considered during the audit process, from rapid

maturity assessments to in depth control reviews and testing

Technology Strategy & Implementation

Embedding cyber security into the design and implementation of your

technology systems and digital channels

Sneak preview – results annual report analysis

Sneak preview – awareness and privacy

Tools analysis paralysis – what this means for security startups

Eating our own dog food

Thank you9

This proposal is made by KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, a member firm of the KPMG network of independent firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity, and is in all respects subject to the negotiation, agreement, and signing of a specific engagement letter or contract. This proposal is subject to the full and satisfactory completion of KPMG's customary evaluation of prospective engagements. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. The name KPMG and logo are registered trademarks of KPMG International.

© 2016 KPMG Advisory N.V. . All rights reserved. Printed in the Netherlands.