Western Pennsylvania Association of Guaranteed SBA Lenders
March 14, 2019 Quality Circle, Seven Springs Resort
Cyber & Data Security in the SBA Lending Marketplace
Our Age of Insecurity
• Couple steals millions from USC church
• Treasury specialist steals 13M from Pgh Co.
• Beaver County based health system attacked in worldwide attack
• Western PA gas pipeline system attacked by malicious software via vendor
• Target data breach from SWPA vendor
• Fancy Bear hacking team targeted Pgh based Westinghouse Electric Company
Risk Advisory Services
Why are We Here Today When We Have Anti-Virus?
• Because it looks good
• Because I already have SBA loan basics down
• Where else can I go?
• Because more likely than not my borrower represents the best opportunity for a hacker to gain entry into a larger business
• Those stories about the theft from western PA businesses have me scared
• Feds or not, our bank has the most skin in the game
ANSWER: All of the above
• America’s small businesses create about 66% of all new jobs
• More than 50% of Americans either own or work for a small business.
• Small businesses play a key role in the economy and in the nation’s supply chain, and they are increasingly reliant on information technology to store, process and communicate data.
• Protecting this information against increasing cyberthreats is critical.
Source
Cybersecurity for GSBA Lenders
• What is cyber security?
• Why does it matter to you?
• When does it matter?
• What can you and your clients do?
• How do you act upon what should be done?
• Where do we begin?
• Who is in charge?
• What are the consequences of failure?
What is Cybersecurity?
The Pennsylvania Department of Banking defines Cybersecurity as the:
I. Body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
• See here: https://www.dobs.pa.gov/Businesses/cybersecurity/Pages/default.aspx
NIST Cybersecurity Framework
It’s about the “Data”
• Structured data
• Unstructured data
• Data storage
• Data access
• Data format
• Data sharing
• Data hosting
• Data infiltration
Neither Need Apply: Eternal Optimist, Eternal Pessimist
Let’s Get Real
Navigating Uncharted Territory
Where to Go? What to Do? Which to Follow?
• Laws, regulations and suggested best practices
• Laws: NYDFS, CCPA, Ohio Cybersecurity Law, HIPAA
• Regulations
• Best practices: HHS, DOS, FTC, etc.
The bevy of rules, regulations, best practices and policies confuses most. The key is to identify your industry guides.
Start with Basic Blocking and Tackling
Common Denominators for Cyber and Data Standards, Regulations and Rules
• Create a cybersecurity policy
• Third party security: safe cyber partners
• Post-breach notification
• CISO
• Incident response plan
• Insurance terms and conditions
• Endpoint detection
• Right to be forgotten
Cybersecurity: Recent Examples
• Mergers and acquisitions
• The Marriott breach
• Seek assurance that the target company has taken appropriate measures to protect its data and electronic assets:
  • Data management risk
  • Technical risk
  • Corporate risk
  • Employee risk
  • Track record
Sobering Stats for Small Businesses
• Hackers and criminal insiders cause the most data breaches.
• 48% of breaches in this year’s study were caused by malicious or criminal attacks.
• Average cost per record to resolve an attack is $157: system glitches cost $131 per record and human error or negligence is $128 per record.
Source: Ponemon Institute 2017 Cost of Cyber Crime Study
• Create strong cybersecurity foundations: invest in the basics while innovating to stay ahead of the hackers.
• Undertake extreme pressure testing: don’t rely on compliance alone.
• Invest in breakthrough innovation: balance spend on new technologies, such as analytics and artificial intelligence, to scale value.
Cybersecurity - Focus on These Practices
• Focus on cybersecurity and risk management
• Incident response program development: given enough time, effort, and resources, attackers will always find a way to break into a system. Your clients must be able to systematically identify, protect, detect, respond, and recover from these incidents.
• Protecting your clients, colleagues, and assets
CalOhYorkEuSetts
Reality (Recovery) Tends to Be More Harsh for Small Businesses
• The loss of customer trust has serious financial consequences.
• PCWorld in August 2013 reported that of the small businesses who suffered a breach, roughly 60 percent go out of business within six months after the attack.
Hot Areas of Cybersecurity
• Mergers and acquisitions
• Supply chain
• Governmental agency contracts
• Employee data
• Trade secrets
• Financial information
• Trade secrets and business practices
Cybersecurity Creed
Data is our most treasured commodity. Storage, transfer, manipulation and massaging of data makes cyber theft the easiest way to steal. Cybersecurity best practices are an integrated combination of software, control systems, data access, data use and data storage best practices. We pledge that cybersecurity is a top-down commitment to the protection and integrity of data. We promise to react quickly and responsibly to attacks and restore business as quickly and safely as possible. We value the concerns of our customers and business partners and we realize that no business is immune nor impenetrable. We will assure our business partners that our constant vigilance provides the safest environment for data protection and we vow vigilance in adhering to safe cyber practices.
3rd Parties Want Assurances of Cybersecurity, Not Empty Promises
• The SOC 1 report focuses on a service organization’s controls that are relevant to an audit of a user entity’s (customer’s) financial statements. A SOC 1 Type I report focuses on a description of a service organization’s controls and the suitability of how those controls are designed to achieve the control objectives. A SOC 1 Type II report is identical to a Type I, and additionally opines on the operating effectiveness of the controls in achieving the related control objectives throughout a specified period. SOC 1 audit reports are restricted to the management of the service organization, user entities and user auditors.
• The SOC 2 report addresses an organization’s controls relating to operations and compliance in relation to availability, security, processing integrity, confidentiality and privacy. A SOC 2 report includes a detailed description of the service auditor’s tests of controls and their results, and use of this report is generally restricted. The SOC 2 report was created because of the rise in cloud computing and the outsourcing of core services by businesses.
History of CPA Involvement in Auditing IT Controls
AICPA Framework Application
ADVISORY
• Design and implement a cybersecurity program
• Conduct a readiness assessment / gap analysis
ATTESTATION
• Perform an examination to assess the cybersecurity program’s design and operating effectiveness
AICPA Framework Application
ADVISORY
• Design and implement a cybersecurity program
  • Common criteria
  • Scalable
  • Flexible
  • Evolving
• Conduct a readiness assessment / gap analysis
  • Identify gaps
  • Remediate through corrective action plans
AICPA Framework Application
ATTESTATION
• Ensuring the controls continue to operate effectively and promoting accountability
• Maintaining and updating those controls, ensuring they meet best practices
• Communicating your cybersecurity proficiency to stakeholders
Introduction…
• What is a SOC report?
  • A third-party attestation report demonstrating that the organization’s internal control environment is:
    • Suitably designed
    • Operating effectively
• What purpose do they serve?
  • Provide assurance to internal and external stakeholders…
  • Vendor risk management!
Utility of Attestation
Value Proposition
• Save time, save money…
  • Reducing audits of your organization and of your customers
• Meet demands of the marketplace
  • Increasing scrutiny of service providers and vendors
  • Comply with industry best practices, regulations, and contracting obligations
• Enhance marketability
  • Convey confidence and trust to business partners and customers
  • Distinguish yourself in the marketplace
Value Proposition: Security Framework Comparison
Achieving Attestation
• Define the system or service for attestation
• Select control criteria
• Identify applicable controls and map them to matrices
• Identify gaps or insufficiencies
• Remediate identified gaps or insufficiencies
• Test controls (Type 1 vs. Type 2)
• Issue report
Scoping
• Attestation over system, service, or organization-wide
• Selection of Trust Service Criteria:
  • Security (required): information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information.
  • Availability: the system is available for operation and use as committed or agreed upon.
  • Confidentiality: information designated as confidential is protected to meet the entity's objectives.
  • Processing integrity: system processing is complete, accurate, timely, and authorized.
  • Privacy: personal information is collected, used, retained, and disclosed in conformance with commitments.
Subservice Organizations
• Must be identified and examined for reporting.
• Their controls are likely to be necessary to meet the objectives or criteria.
• Example: data center
• Subservice organizations with a SOC attestation can be “carved out” (the service auditor relies on the work of the other service auditor).
Timeline to Attestation
• Type 1: report on the suitability of the design of the controls.
• Type 2: report on the suitability of the design of the controls AND the operating effectiveness of the controls throughout the reporting period.
Composition of the Attestation Report
Contact Us
Steven Franckhauser, JD, 614-228-4000, sfranckhauser@hbkcpa.com
Matthew Schiavone, CPA, CISA, 724-934-5300, mschiavone@hbkcpa.com