
Cyber Security for the future of financial services

Thio Tse Gan, May 2016

© 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd

Global trends & outlook

Cyber-attacks are on the rise

• 55% of incidents involve abuse of privileged access [2]
• 15% of incidents still take days to discover [2]
• $400B+ is the annual cost to the global economy from cybercrime [1]

[Chart: industry-wise breakup of 2014 incidents; legend: Healthcare, Financial Services, Educational, Government; values shown: 18%, 11%, 63%, 8%]

• 50% of recipients open emails and click on phishing links within the first hour of receiving them [2]
• 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE* was published [2]
• 27.5% average increase in the number of data breaches in various industries from 2013 [5]
• 229 days: attackers maintained presence after infiltration and before detection [3]
• 90% chance that at least one person will fall prey to a phishing campaign with just 10 emails [2]
• Cost of data breach per record was highest in the US in 2015 [4]: Global average $154; US $201 (2014), $217 (2015)

Sources: [1] Net Losses: Estimating the Global Cost of Cybercrime, Center for Strategic and International Studies; [2] Verizon 2015 Data Breach Investigations Report; [3] Mandiant M-Trends® 2014: Beyond the Breach, published April 10, 2014; [4] Ponemon 2015 Cost of Data Breach Study: Global Analysis; [5] ITRC Breach Statistics 2005-2014.
* CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known vulnerabilities and exposures - http://cve.mitre.org

Rampant cyber attacks observed around the world in 2015 and 2016

• 80 million personal records exposed in data breach at Anthem Inc.
• 5 million personal details leaked in attack launched on VTech
• 19.7 million people’s personal details stolen in attack launched on U.S. Office of Personnel Management
• National pension system hacked in Japan and 1.25 million people’s personal data was exposed
• 10.4 million records exposed in 3 attacks launched on TalkTalk Group
• U.S. IRS hacked: 100,000 personal details stolen and used to generate PINs for Social Security numbers in 2 separate attacks
• $81 million stolen from Central Bank of Bangladesh in a bank heist

Complex regulatory requirements created to curb rise of cyber crime

• US Federal: HIPAA 1996, GLBA 1999, COPPA 1998, CAN-SPAM 2003, Do Not Call Improvement Act 2007, Safe Harbor Principles 2000, FCRA (as amended in 2003), Patriot Act 2001
• California: California Online Privacy Protection Act 2003; Security Breach Notice (Civil Code 1798, formerly SB 1386) 2003
• Canada: PIPEDA 2004; Privacy Act 1988 and Provincial privacy laws
• Mexico: Federal Law on the Protection of Personal Data Held by Private Parties 2010
• Costa Rica: Law No. 7975 – Undisclosed Information Law; Law No. 8968 – Protection in the Handling of the Personal Data of Individuals
• Argentina: Protection of Personal Data Law 2001
• European Union: EU Data Protection Directive 1995; Privacy and Electronic Communications Directive (as amended in 2011); Data Retention Directive 2006. Member states implement Directives as their own national laws.
• United Kingdom: Regulation of Investigatory Powers Act 2000
• Switzerland: Federal Data Protection Act 1992
• Russia: Federal Law No. 152-FZ on personal data 2006
• South Africa: Electronic Communications Act; Personal Data Protection Act 2013
• Dubai: Data Protection Act 2007
• Japan: Personal Information Protection Act 2003
• China: Decision on strengthening Internet information protection; guideline for personal information protection
• Philippines: Data Privacy Act 2011
• Australia: Australian Federal Privacy Act 1988; Anti-Spam Act 2004
• New Zealand: Privacy Act 1993

Technology regulatory landscape: Financial Services

Vietnam
• Circular no. 01/2011/TT-NHNN Safety, secrecy guidelines of the information technology systems in banking operation
• Circular no. 12/2011/TT-NHNN Management and utilization of digital signatures, digital certificates and SBV digital signature verification services
• Circular no. 29/2011/TT-NHNN Security and Secrecy of internet banking services

Thailand
• BOT Notification No. 1953-2548 Guideline for the Preparation of IT Contingency Plan – 2008
• BOT Notification No. SorNorSor. 26/2552 Guidelines for Development of IT Contingency Plan – 2008
• BOT Notification No. SorNorSor. 6/2557 Supervisory Guidelines on IT – 2014
• BOT Notification No. SorNorSor. 26/551 Supervisory Guidelines for Security of E-Banking Services – 2008

Singapore
• Personal Data and Privacy Act – 2013
• MAS Notice 644 on Technology Risk Management – 2013
• SRD TR 01/2014 – System vulnerability assessments and penetration testing
• SRD TR 02/2014 – IT security risk posed by personal mobile devices
• SRD TR 01/2015 – Early detection of cyber intrusions
• SRD TR 03/2015 – Technology risk and cyber security training for Board
• MAS Notice 634 Banking Secrecy – Conditions for Outsourcing – 2004
• Guidelines on Outsourcing – 2004
• Consultation Paper on Notice on Outsourcing – 2014
• Consultation Paper on Guidelines on Outsourcing – 2014
• Business Continuity Management guidelines – 2013
• SRD TR 01/2011 – Information technology outsourcing

Malaysia
• BNM Guidelines on Data Management and Management Information Systems – 2011
• Guidelines on management of IT Environment (GPIS 1) – 2004

Indonesia
• Law of The Republic of Indonesia No. 11 of 2008 Concerning Electronic Information And Transactions
• OJK No. 1/POJK.05/2015 Risk Management in Non-Bank Financial Services
• No. 9/15/PBI/2007 Implementation of Risk Management in the Use of Information Technology by Commercial Banks

Organizations are spending more money and paying more attention than they ever have … but for many the problem seems to be getting worse.

Organizations spent $75.4 billion on information security in 2015, according to

Moving into digitization

World Economic Forum report: Glimpsing the future

The Future of Financial Services: How disruptive innovations are reshaping the way financial services are structured, provisioned and consumed An Industry Project of the Financial Services Community | Prepared in collaboration with Deloitte

What’s the deal? Is cyber security a consideration in your plans to innovate?

Failures & challenges

Failures & challenges

Failure to include security as part of the design principles: Businesses demand features, function and time to market.

Addressing the incident and failing to detect the campaigns: Perpetrators strategise and take a longer-term view. Don’t miss the forest for the trees.

Shortage of competent cyber security professionals: Demand is outstripping supply. Willingness to accept non-security IT professionals as ‘replacements’.

Ineffective threat analytics: Use of technology with limited data sets and arcane rule sets. Limited value owing to the rush to implement and lack of integration.

Cyber Security 3.0

Building a resilient cyber security organization

This means having the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents.

Secure: Are controls in place to guard against known and emerging threats?
Vigilant: Can we detect malicious or unauthorized activity, including the unknown?
Resilient: Can we act and recover quickly to minimize impact?

Cyber governance

Cyber threat intelligence | Cyber threat mitigation | Cyber incident response

Cyber security design: 5 design principles

Design principles: everything is a potential threat. Build the requirement of security as a core.

Actionable intelligence: threat-centric defense. Correlation and inductive techniques required. Look beyond just security data.

Revamp information sharing: Perpetrators share intelligence to effectively compromise organisations. Why aren’t organisations sharing information about perpetrators? There is a need for situational awareness.

Automation: what and how. The shortage will continue. Tools and automation exist to create accuracy.

里应外合 (coordinating from inside and outside) – Combating the issue together: internal cyber security, external cyber security providers, vendors.

Cyber Security Trends

The Integrity Conundrum: Integrity is the forgotten security domain. Maintaining the integrity of data, business process, and people is going to be increasingly critical.

Business Security: Establishing security researchers across the business units that handle sensitive data (seen in big Tech companies to increase agility).

Live-Fire Exercises: Conducting sophisticated APT-style attacks, emulation and cyber range testing against critical systems and people assets.

People Are Key: Embedding the psychology of security in the business and finding the right SecOps analysts will be key for on-going management of cyber risk.

Defining Normal: Establishing accurate baselines in order to identify anomalous activity and behaviour for investigation.

Collaborative Security: Recognising that “cyber” can’t be solved alone and developing and promoting a collaborative security environment across the business.

Real-Time Security Ops: Developing the next generation of SOC and reducing the time taken to detect and respond to an ever-increasing threat landscape.

Auto-Corrective Security: Automating security processes and tools using the latest security technology to free up people and time.

Disruptive Technology Risks: Recognising that new technologies like wearables, 3D printing and in-memory computing all have security implications, and planning for this.

No such thing as -proof … if you build it, they will come

Cyber Security 3.0: Deloitte principles

Cyber Security 3.0 Model

Secure: Are controls in place to guard against known and emerging threats?
Vigilant: Can we detect malicious or unauthorized activity, including the unknown?
Resilient: Can we act and recover quickly to minimize impact?

Cyber Governance

• Design principles: Design security into core IT infrastructure
• Actionable intelligence: Develop a threat-centric defence
• Intelligence sharing: Create situational awareness
• Automation: Increase accuracy in operational security
• Integration: Eliminate vulnerabilities by working together

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/sg/about for a more detailed description of DTTL and its member firms.

Deloitte provides , consulting, financial advisory, risk management, and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 225,000 professionals are committed to making an impact that matters. Deloitte serves 4 out of 5 Fortune Global 500® companies.

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.
