
Cyber Security and Resiliency in the Financial Sector

August 2009. Cyber Security and Resiliency in the Financial Sector. Major Themes. Globalization of the Financial Services Sector Primary Dependencies on Telecommunications Infrastructure and Information Technology Cyber Threats and Vulnerabilities


Presentation Transcript


  1. August 2009 Cyber Security and Resiliency in the Financial Sector

  2. Major Themes
     • Globalization of the Financial Services Sector
     • Primary Dependencies on Telecommunications Infrastructure and Information Technology
     • Cyber Threats and Vulnerabilities
     • U.S. Financial Sector Public/Private Partnerships
     • Federal Government Initiatives
     • FBIIC & FSSCC Cyber Security Committee Activities
     • Emerging Challenges

  3. Globalization of Financial Sector
     • Information is one of a financial institution’s most important assets.
     • Financial market operations are increasingly becoming electronically connected and interdependent around the world. A major U.S. bank operates in more than 100 countries.
     • The financial services industry plays a key role in protecting a nation’s financial services infrastructure.
     • Increasing globalization provides expanded market opportunities and efficiencies and poses new challenges.

  4. Globalization of Financial Sector (cont.)
     • The international Basel II Accord identifies for the first time operations risk. Like traditional credit and market risk, operations risk must be managed and capital must be held against potential losses.
     • Operations risks from cyber/operational incidents in a globalized sector may include:
        • cascading impacts that cannot be contained regionally;
        • jurisdictions may have to work together to address the impacts and restore operations; and
        • the international framework to address global financial disruptions relies on arrangements among Central Banks, Financial Market Authorities and Treasuries.

  5. Globalization of Financial Sector (cont.)
     • Global information infrastructure and the data that reside within these systems are critical to the economies of countries.
     • Cyber exploitation has grown more sophisticated, targeted, and serious over the past several years and we expect the trend to continue.
     • Nation-states and criminals target government and private sector information networks to gain competitive advantage in the commercial sector.

  6. Critical Dependencies

  7. An Example of How Information Technology is Utilized in a Commercial Bank
     [Diagram: IT systems and internal data flows supporting the lending process in a commercial bank. Systems and parties shown include: online links and external links to financial services firms, payment systems and utilities; security monitoring company; environmental systems; security and vault control systems; branch platform and teller systems; phone switches and voice response systems; correspondent and clearing systems (correspondent banks, clearing houses, etc.); financial markets (NYSE, CME, NASDAQ, CBT, etc.); backup data centers; trading systems; call centers; home and telephone banking systems; payments systems (Fedwire, SWIFT, CHIPS, ACH, etc.); computer and communications systems; ATM, credit and debit card networks and systems; treasury, money market and trade finance systems; management information systems (reports for executives, risk management, boards of directors, etc.); back office systems (DDA, loans, CIS, general ledger, MIS, etc.); regulatory reporting; currency sorters; payroll service bureau; item processing, check sorters and image systems; external information providers (Dun & Bradstreet, credit bureaus, etc.); software libraries; trust services; records systems; LAN; loan funding, loan servicer, loan underwriting and review, loan documentation, loan administration; retail, wholesale and company customers; regulatory agencies; external service providers.]
     Note: FBO transactions are often performed on IT systems located in home countries.
     Source: Steve Malphrus, Chair, Financial Sector Group, President’s Council on Year 2000 Conversion

  8. Cyber Threats and Vulnerabilities
     • Widely publicized events include:
        • Denial of Service
        • Phishing and other social engineering attacks
        • Identity theft
        • Telecom congestion issues
        • People within institutions who commit fraud or steal information for personal financial gain
     • The overall impact is growing both in terms of the amount of money lost as well as an erosion in public confidence in online financial services.

  9. Financial Sector Framework for Security and Resilience
     • The Financial Sector framework for security and resiliency is based on a foundation of strong public/private sector partnerships.
     • Participation is voluntary.
     • Represents all facets of the sector – credit, debt and equity, exchange-traded derivatives, and insurance.
     • Seen as the model for public/private partnerships in other sectors.
     • Built on the foundation of Y2K efforts.

  10. US Financial Sector Public/Private Partnership: Financial and Banking Information Infrastructure Committee (FBIIC)
     • Established in 2002 by the President’s Working Group on Financial Markets. The President’s Working Group and the U.K. Tripartite have worked closely together on many issues.
     • Chaired by the U.S. Department of the Treasury
     • Brings together federal and state financial authorities
     • Improves coordination and communication among financial regulators
     • Promotes the public/private partnerships

  11. FBIIC Members
     • U.S. Department of the Treasury (chair)
     • Federal Reserve Board
     • American Council of State Savings Supervisors
     • Farm Credit Administration
     • Federal Deposit Insurance Corporation
     • Federal Housing Finance Agency
     • Federal Reserve Bank of New York
     • National Association of Insurance Commissioners
     • National Association of State Credit Union Supervisors
     • National Credit Union Administration
     • North American Securities Administrators Association
     • Securities & Exchange Commission
     • Commodity Futures Trading Commission
     • Office of the Comptroller of the Currency
     • Office of Thrift Supervision
     • Securities Investor Protection Corporation

  12. Current FBIIC Activities
     • Assess and prioritize sector vulnerabilities
        • Including identifying and analyzing emerging risks
     • Encourage participation in the public/private partnerships
        • Including membership in the Financial Services Sector Coordinating Council (FSSCC), the Financial Sector – Information Sharing and Analysis Center (FS-ISAC) and both initiating new coalitions or joining existing regional coalitions
     • Sponsor exercises with public and private partners
        • Including financial sector participants, regulatory authorities, homeland security officials and members of the law enforcement and intelligence communities. Example: last year’s marketwide pandemic exercise and this year’s Cyber Fire Exercise scheduled for mid-September 2009.
     • Manage and update the sector’s crisis response
        • Test and validate emergency protocols for both resource needs/requests and situational awareness across the region(s)
     • Identify and lead projects to improve sector-wide risk management, crisis response, and resilience
     • Meets formally on a quarterly basis and includes many ongoing workstreams.

  13. US Financial Sector Public/Private Partnership: Financial Services Sector Coordinating Council (FSSCC)
     • Established in 2002 as the private sector arm for the Banking and Finance Sector
     • Brings together the largest financial institutions, exchanges, core clearing & settlement organizations, and trade associations

  14. FSSCC Members
     • State Street Global Advisors (Chair)
     • Morgan Stanley (Vice Chair)
     • American Bankers Association
     • American Council of Life Insurers
     • American Insurance Association
     • American Society for Industrial Security (ASIS)
     • Bank Administration Institute
     • Bank of America
     • Bank of New York Mellon
     • Barclays
     • BITS/The Financial Services Roundtable
     • ChicagoFIRST
     • Citigroup
     • Continuous Linked Settlement Bank (Foreign Exchange)
     • Consumer Bankers Association
     • Credit Union National Association
     • Depository Trust & Clearing Corporation
     • Fannie Mae
     • Financial Industry Regulatory Authority
     • Financial Information Forum
     • FS-ISAC
     • Goldman Sachs
     • ICE Futures
     • Independent Community Bankers of America
     • Investment Company Institute
     • JP Morgan Chase
     • Managed Funds Association
     • NACHA – The Electronic Payments Association
     • National Armored Car Association
     • National Association of Federal Credit Unions
     • Navy Federal Credit Union
     • NASDAQ
     • NYSE
     • Options Clearing Corporation
     • Securities Industry Automation Corporation
     • Securities Industry and Financial Markets Association
     • State Farm Insurance Company
     • Travelers
     • The New York Clearing House
     • VISA USA Inc.

  15. Current FSSCC Activities
     • Encourage participation in the public/private partnerships
        • Major expansion took place in 2008 to include more of the largest financial institutions and insurance providers
     • Work with other private sector coordinating councils and the Partnership for Critical Infrastructure Security (PCIS)
        • Focus on interdependencies
     • Participate in the development of exercises with public and private partners
        • Including financial sector participants, regulatory authorities, homeland security officials and members of the law enforcement and intelligence communities
     • Manage and update the sector’s crisis response
        • Organize sector calls and participate in DHS Infrastructure Protection calls to provide updates on sector needs and response
     • Identify and lead projects to improve sector-wide risk management, crisis response, and resilience
     • Meets formally on a quarterly basis and includes many ongoing workstreams.

  16. FBIIC/FSSCC Cyber Security Mission
     Work with the financial services sector to strengthen cyber security and resilience of the sector’s current and future IT operations.

  17. FBIIC/FSSCC Cyber Security Objectives
     • Understand the current level of resilience within the sector, and develop recommendations for policy, education, best practices, and exercises to strengthen the sector’s resiliency to cyber threats
     • Develop a common operating perspective by improving the sector’s awareness of potential cyber threats and vulnerabilities
     • Strengthen the public/private partnerships on cyber security issues
     • Develop a single voice within the sector to interact with and respond to government and to other sectors’ requests, inquiries, projects and overall policy efforts (this would not include lobbying or compliance and regulatory matters)

  18. Cyber Security Committee Working Group: Research and Development
     Objective: Identify top priorities for research, promote development initiatives
     • Advance the state of the art in designing and testing secure applications
     • Develop more secure and resilient financial transaction systems
     • Improve enrollment and identity credential management to make it less susceptible to social engineering attacks
     • Understand the human insider threat by developing deterrence and detection solutions to reduce risks posed by insiders
     • Develop data-centric protection strategies to better classify and protect sensitive information
     • Develop better measures of the value of security investments
     • Develop practical standards to reduce risk and enhance resiliency

  19. Cyber Security Committee Working Group: Long Range Vision
     Project: The proposed objective of the WG is to produce a “Long Range Vision” document that will identify:
     • Global business drivers for future sector growth
     • New technology principles & processes that must be in place for the sector to operate in a fully globalized marketplace in 5 years
     • Geopolitical and IT vulnerabilities that will arise or be exacerbated because of this new paradigm

  20. Cyber Security Committee Working Group: International Issues
     Objectives:
     • Risk mitigation related to foreign travel & operations
        • Broadly raise awareness and provide practical guidance to counter increased vulnerabilities and threats
     • Undersea cables
        • Improve international undersea cable communications resilience practices and capabilities for critical financial services functions by working collectively as an industry with appropriate telecommunications services providers
     • Supply chain management
        • From both a tactical & strategic perspective, identify the most critical service providers to the financial services sector (and individual financial organizations)
        • Conduct sector surveys to aid in developing best practices
     • International cyber security coordination

  21. Cyber Security Committee Working Group: Exercise & Planning
     Projects:
     • Conducted a cyber security exercise for members of the FBIIC, the FSSCC, and the FSSCC/FBIIC cyber security committees in early Fall ’08
     • Update the Financial Services Sector Specific Plan (SSP) to include the current and future cyber security initiatives
     • Currently planning a week-long cyber security exercise in September 2009
        • Allow participants to test crisis management and incident response protocols
        • Conduct via e-mail
        • Voluntary, no-charge, and maintain the anonymity of the participants

  22. Cyber Security Committee Working Group: Information Sharing
     Projects:
     • National security clearances for people within the financial services sector
        • Need for the “right” people to be cleared
     • Develop a roadmap for improved info sharing across the financial services sector that addresses:
        • Common operating picture of cyber threats
        • Info sharing by intelligence & law enforcement
        • Talent issues in the public sector
        • Leverages FS-ISAC operational capabilities
        • Improves info sharing with IT & telecom sectors

  23. President’s Cyber Initiative
     • In response to this growing threat to the United States’ information infrastructure, President George W. Bush approved National Security Presidential Directive 54 / Homeland Security Presidential Directive 23, establishing the National Cyber Security Initiative in January 2008.
     • The President’s directive established U.S. policy, strategy and guidelines to secure federal government systems, as well as provided an approach that anticipates future cyber threats and technologies and requires that the Federal Government integrate many of its technical and organizational capabilities in order to better address sophisticated threats and vulnerabilities.

  24. The 60 Day Cyber Review
     Discussions throughout the development of the 60 day review were focused on:
     • Public/Private partnerships and their differing degrees of success
     • How critical sectors are currently regulated or not regulated
     • Legal concerns over cyber monitoring
     • Agencies’ jurisdictions and authorities
     • Congressional jurisdiction
     • Efforts to secure Federal government systems
     • Coordination of efforts across public and private sectors
     • Privacy and Civil Liberties
     • Information sharing (current efforts and barriers)
     • Monetizing risk
     • Education of future generations, businesses, and consumers
     • International coordination and development of standards
     • Research and Development – “leap ahead technologies” and incentives for innovation
     • Identity management

  25. Federal Government Priority Services
     • Government Emergency Telecommunications Service (GETS)
     • Wireless Priority Service (WPS)
     • Telecommunications Service Priority (TSP)

  26. Congestion at one of many points can block a call!
     [Diagram: a call path crossing mobile switches, carrier networks (AT&T, Verizon, Qwest) and local exchange networks; congestion at any one of these points can block the call.]
     • Government Emergency Telecommunications Service addresses wireline congestion
     • Wireless Priority Service addresses wireless congestion at call origination and call termination

  27. Emerging Challenges
     • Financial firms will continue to expand global operations.
     • To realize global market and operational goals, financial firms will increasingly rely on information technology and telecommunications infrastructure throughout the world.
     • The incoming workforce and next generation of consumers will use information technology and telecommunications in ways we have not yet predicted.
     • Interest in exploiting this increased reliance on information technology and telecommunications will continue to grow.

  28. Questions?

  29. Websites
     • Federal Financial Institutions Examination Council: www.ffiec.gov
     • Financial and Banking Information Infrastructure Committee: www.fbiic.gov
     • Financial Services Sector Coordinating Council: www.fsscc.org
     • Financial Services – Information Sharing and Analysis Center: www.fsisac.com

  30. Overview of the U.S. Financial System
     [Diagram: the U.S. financial system laid out as components, participants, and instruments; private-sector controls and trade groups; and applicable laws and regulations, with transactions flowing between the groups.]
     • Components: credit, debt & equity, exchange-traded derivatives, and insurance
     • Financial markets: securities, bonds, futures markets, etc.
     • Financial instruments: loans, securities, futures, annuities, CP, FX, etc.
     • Borrowers/Issuers: individuals, firms, government
     • Lenders/Investors: individuals, firms, government
     • Financial intermediaries: banks, savings institutions, broker/dealers, FCMs, insurance companies, etc.
     • Financial utilities: payment, clearing & settlement
     • Service providers
     • Private-sector controls: audit, public disclosure, rating agencies, etc.
     • Associations: FSRoundtable/BITS, ABA, ICBA, ACB, SIA, FIA, etc.
     • Supervision: Fed, SEC, FDIC, OCC, CFTC, OTS, OFHEO, NCUA, SROs, State authorities, etc.
     • Central bank and Treasury functions (Federal Reserve and the Department of the Treasury)
     • Critical public utilities and services: telecommunications, power, transportation, public safety, insurance companies as recovery agents
     Source: Steve Malphrus, Chair, Financial Sector Vulnerability Assessment Task Force, President’s Working Group on Financial Markets
