Cyber
The need for speed
MeetFinTechDay - 26th May, 2016
Dennis van Ham, Director, KPMG Cyber
cyber.kpmg.com
Cyber crime trends in FS

Threats:
Traditional Organised Crime
Crime as a Service – Black Economy
Commoditised Attack Methods

Counters:
Law Enforcement Disruption Operations
Greater co-operation – banks, police and internet economy
Improved Transaction Fraud Control, EMV & 2FA Security

Short term outcome:
Decline in Retail Banking Trojans
Reduction in fraud levels on e-banking to below 1 bps
Beginning to close out channels for credit card fraud (e.g. POS)

Criminals respond:
Extortion attacks against individuals
Bulk compromises of personal data
Shift to targeting corporate accounts & UHNWIs
Direct attacks on bank and payment systems
Greater creativity and use of inside knowledge
Targeting of e-retailers for card not present fraud
Growth in ransomware and commodity DDoS
More sophisticated social engineering
CEO and Business Email Compromise Frauds
CARBANAK style compromises
Secondary market manipulation (e.g. front running)
Banking Trojans repurposed to attack retailers
Where are you on the journey?
Immature Developing Investing Advanced Leading
Cyber security isn’t an issue for us… It’s all hype anyway
I am worried… but not sure what to do
I have robust policies/defences…
And… a strong second line compliance function
I don’t understand how we were breached…
There is no absolute security, we need to manage risk
We can’t do this alone – we are part of the community
We need a more agile approach to match the threat
Security Capability
Limited awareness
Reliance on basic security technology
No controls or compliance process
Seen as a technology issue
Discussion of what it means for firm
Reaching out for support/advice
Policies in place and basic security processes
Often driven by regulatory concerns
Investing to improve
Still adopting point technical solutions
Strengthening policies and compliance
Initial security architecture
Education and awareness campaigns begin
Boards demand better risk discussion and MI
Move towards structured security programmes
Build out security operations and TVM
Ramp up testing
Early stage supply chain security initiatives
Lead as part of the community
Build a cyber ecosystem with clients/suppliers
Intelligence led approach linked to business
Cyber resilience
Risk quantification and mitigation strategy
Technology enabled and data driven
Here
Here
Or Here!
How your priorities change…
Connecting the issues
Operational Transformation: Help embed a cyber security culture into your organisation going forward, driving security transformation
Financial Crime: Use the latest Cyber tools and techniques to help you prevent, detect, and respond to the increased complexity of financial crime and fraud threats
Financial Risk Management: Linking cyber security into your operational and financial risk management systems. Helping you quantify and assess risk
Regulatory: Advise on the impact and requirements of forthcoming Cyber Security regulations from the EU General Data Protection Regulation, to the latest New York regulatory scene
Mergers and Acquisitions: Ensure that cyber security is considered during due diligence – avoiding potential exposures and compromises
Data Analytics: Helping you get the most from your auditing, logging and monitoring systems – optimising your investment in technology and cyber threat intelligence
Audit: Ensure cyber security is considered during the audit process, from rapid maturity assessments to in-depth control reviews and testing
Technology Strategy & Implementation: Embedding cyber security into the design and implementation of your technology systems and digital channels
Sneak preview – results annual report analysis
Sneak preview – awareness and privacy
Tools analysis paralysis – what this means for security startups
Eating our own dog food
Thank you
© 2016 KPMG Advisory N.V. All rights reserved. Printed in the Netherlands.