©2013 Aite Group LLC.
Cybersecurity and Compliance
How to Keep Pace with Cyber Threats
Presented by Julie Conroy, Aite Group
Dena Hamilton, BAE Systems AI
ACFCS Webinar April 17, 2014
Julie Conroy, Research Director, Aite Group, Lansing, MI
Dena Hamilton, Executive Manager, Business Solutions Group, BAE Systems Applied Intelligence, Boston, MA
Certification, Training, Networking, News, Guidance
The Mark of Financial Crime Knowledge and Skill
Agenda
• Threat environment
• Compliance implications
  – FFIEC Online Fraud guidance
  – FFIEC guidance for DDoS
• Impact
Hacking
Malware
DDoS
Phishing
Social engineering
The malware “zoo” continues its robust growth curve
Number of Unique New Online Malware Strains Released Per Year (Millions)
Year    Strains (millions)
2011     24.7
2012     35.6
e2013    58.4
e2014    81.8
e2015   106.3
e2016   138.2
e2017   165.8
Source: McAfee Labs, Aite Group
Trojans represent the bulk of the new strains
Type of Malware Deployed, Q1 2013
Trojans   74.5%
Viruses   12.7%
Worms     11.8%
Other      1.0%
Source: Panda Security
Many capitalize on the unique properties of mobile
The criminals’ efforts are paying off
Global Corporate Account Takeover Losses, 2011 to e2016 (In US$ millions)
Year    Losses (US$ millions)
2011    $409.4
e2012   $454.8
e2013   $523
e2014   $627
e2015   $721.8
e2016   $794
Source: Aite Group, 2013
Congress is jumping on the bandwagon
Bill | Date introduced | Senate sponsors
Data Security and Breach Notification Act of 2013 | June 20, 2013 | Toomey, R-Pa.; King, I-Maine; Thune, R-S.D.
Personal Data Privacy and Security Act | Jan. 8, 2014 | Leahy, D-Vt.; Franken, D-Minn.; Schumer, D-N.Y.; Blumenthal, D-Conn.
Data Security Act of 2014 | Jan. 15, 2014 | Carper, D-Del.; Blunt, R-Mo.
Data Security and Breach Notification Act of 2014 | Jan. 30, 2014 | Rockefeller, D-W.V.; Feinstein, D-Ca.; Pryor, D-Ark.
Source: Aite Group, 2014
Agenda
• Threat environment
• Compliance implications
  – FFIEC Online Fraud guidance
  – FFIEC statements regarding DDoS and ATM cashouts
• Impact
June 2011 FFIEC guidance
• Supplemental guidance released June 28, 2011 emphasizes:
  – Need for layered security
  – Periodic risk assessments and adjustments
  – In wholesale banking, requirement for layered security for both login and electronic transaction initiation
• Highlights value of behavior analytics in preventing fraud
• Requirement of enhanced controls for users with admin rights
  – Simple device authentication and challenge questions are not sufficient.
• Regulators began assessing FIs using new guidance in January 2012
  – While not explicitly mentioned within the guidance, consider mobile “within scope”
April 2014 FFIEC statement: ATM cash-out
• Conduct ongoing information security risk assessments;
• Perform security monitoring, prevention and risk mitigation;
• Protect against unauthorized access;
• Implement and test controls around critical systems regularly;
• Conduct information security awareness and training programs;
• Test incident response plans;
• Participate in industry information sharing forums.
April 2014 FFIEC statement: DDoS
• Maintain an ongoing program to assess information security risk that identifies, prioritizes and assesses the risk to critical systems, including threats to external websites and online accounts;
• Monitor Internet traffic to the FI’s websites to detect attacks;
• Activate incident response plans and notify service providers as appropriate if the institution suspects that a DDoS attack is occurring;
• Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers that can assist in managing the Internet-based traffic flow;
• Share information about the attack with FS-ISAC and law enforcement;
• Evaluate any gaps in the response following attacks and in ongoing risk assessments.
Agenda
• Threat environment
• Compliance implications
  – FFIEC Online Fraud guidance
  – FFIEC statements regarding DDoS and ATM cashouts
• Impact
Cybersecurity and compliance: Impact
• Periodic risk assessments
• DDoS and cashouts
• BSA
• Increased internal and external collaboration
Assume the bad guys will get in
Construct your defenses and compliance programs accordingly
Aite Group: Partner, Advisor, Catalyst
Aite Group (pronounced eye-tay) is an independent research and advisory firm focused on business, technology and regulatory issues and their impact on the financial services industry.
Julie Conroy, Research Director, [email protected], +1.617.398.5045
Copyright © 2014 BAE Systems. All Rights Reserved. BAE Systems is a trade mark of BAE Systems plc
CYBER SECURITY AND AML: HOW YOU CAN STAY AHEAD OF THEIR GAME
DENA HAMILTON, EXECUTIVE MANAGER, TECHNICAL SALES
THEY ARE GETTING BETTER, FASTER AND BROADER
$45M Global Cyber Theft Bank Heist*: 8 charged
• $2.8 million from New York banks in two separate attacks
• Pulled off in a matter of hours
• The ring used prepaid MasterCard debit cards
• The thieves hacked into the banks' systems to drastically increase the amount available on the cards, and then used the information about the cards to withdraw money at banks around the world
KNOW WHO YOUR CUSTOMERS ARE
• DUE DILIGENCE
• INFORMATION AT ACCOUNT OPENING
• APPLY APPROPRIATE RISK SCORE
• CREATE RIGOROUS PROCESS
KNOW HOW YOUR PRODUCTS CAN BE PROLIFERATED
• Risk assess all products
• Understand fully how those products can be manipulated (e.g. e-Cash)
• Careful with mobile transactions – they may not be subject to jurisdictional restrictions
Remember … funds gained by illicit means are considered money laundering
REPORT CYBERCRIME INCIDENTS
Globally, the Financial Action Task Force (FATF) has not yet addressed money laundering and terrorist financing resulting from cybercrimes.
WHAT CAN YOU DO TO PROTECT YOUR CUSTOMER
• Automatically trigger real-time monitoring for unusual transactions
• Block payments that have not passed due diligence
• Create a process that does proactive customer notification
WE CAN HELP
XCelent Award - 2013 Breadth of Functionality Watchlist and Sanctions Solutions
Global Managed Security Services Award - 2013
Cyber Security Solution of the Year - 2013
Fraud and Financial Crime Software Award - 2013
Certified, GCHQ & CPNI - 2012 Quality-assured cyber incident response
AML Category leader - 2012 RiskTech Quadrant™, Chartis Research
Most Innovative Information Security Company - 2012
“Best-in-class”, AML Technology - 2013 Detection Tools and Enterprise Support
Best Financial Crime Product or Service - 2013 Reader’s Choice
THANK YOU.
© BAE Systems 2014, unpublished, copyright BAE Systems all rights reserved. Proprietary: no use, disclosure or reproduction without the written permission of BAE Systems plc.