Cyber Security Trends

Cyber Security for the future of financial services
Thio Tse Gan, May 2016
© 2016 Deloitte & Touche Enterprise Risk Services Pte Ltd

Global trends & outlook

Cyber-attacks are on the rise
• $400B+ is the annual cost to the global economy from cybercrime [1]
• 15% and 55% of incidents (two figures from [2]): incidents that involve abuse of privileged access, and incidents that still take days to discover
• Industry-wise breakup of 2014 data breach incidents: Healthcare, Financial Services, Educational, Government (chart values 63%, 18%, 11%, 8%)
• 50% of recipients open emails and click on phishing links within the first hour of receiving them [2]
• 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE* was published [2]
• 27.5% average increase in the number of data breaches in various industries from 2013 [5]
• 229 days: attackers maintained presence after infiltration and before detection [3]
• 90% chance that at least one person will fall prey to a phishing campaign with just 10 emails [2]
• Per capita cost of a data breach was highest in the US in 2015 [4]: global average $154; $201 in 2014 rising to $217 in 2015

Sources: [1] Net Losses: Estimating the Global Cost of Cybercrime, Center for Strategic and International Studies; [2] Verizon 2015 Data Breach Investigations Report; [3] Mandiant M-Trends 2014: Beyond the Breach, published April 10, 2014; [4] Ponemon 2015 Cost of Data Breach Study: Global Analysis; [5] ITRC Breach Statistics 2005-2014.
* CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures - http://cve.mitre.org

Rampant cyber attacks observed around the world in 2015 and 2016
• Anthem Inc.: 80 million personal records exposed in data breach
• VTech: 5 million details leaked in attack launched on VTech
• U.S. Office of Personnel Management: 19.7 million people's personal details stolen in attack
• Japan: National pension system hacked and 1.25 million people's personal data was exposed
• TalkTalk Group: 10.4 million records exposed in 3 attacks
• U.S. IRS hacked: 100,000 personal details stolen and used to generate PINs for Social Security numbers in 2 separate attacks
• Central Bank of Bangladesh: $81 million stolen in a bank heist

Complex regulatory requirements created to curb rise of cyber crime
• US Federal: HIPAA 1996, GLBA 1999, COPPA 1998, CAN-SPAM 2003, Do Not Call Improvement Act 2007, Safe Harbor Principles 2000, FCRA (as amended in 2003), Patriot Act 2001
• California: California Online Privacy Protection Act 2003, Security Breach Notice (Civil Code 1798, formerly SB 1386) 2003
• Canada: PIPEDA 2004, Privacy Act 1988 and Provincial privacy laws
• Mexico: Federal Law on the Protection of Personal Data Held by Private Parties 2010
• Costa Rica: Law No. 7975 – Undisclosed Information Law; Law No. 8968 – Protection in the Handling of the Personal Data of Individuals
• Argentina: Protection of Personal Data Law 2001
• European Union: EU Data Protection Directive 1995, Privacy and Electronic Communications Directive (as amended in 2011), Data Retention Directive 2006. Member states implement Directives as their own national laws.
• United Kingdom: Regulation of Investigatory Powers Act 2000
• Switzerland: Federal Data Protection Act 1992
• Russia: Federal Law No. 152-FZ on personal data 2006
• South Africa: Electronic Communications Act
• Dubai: Data Protection Act 2007
• China: Decision on strengthening Internet information protection; guideline for personal information protection
• Japan: Personal Information Protection Act 2003
• Philippines: Data Privacy Act 2011
• Singapore: Personal Data Protection Act 2013
• Australia: Australian Federal Privacy Act 1988, Anti-Spam Act 2004
• New Zealand: Privacy Act 1993

Technology regulatory landscape – Financial Services
Vietnam
• Circular no. 01/2011/TT-NHNN Safety, secrecy guidelines of the information technology systems in banking operation
• Circular no. 12/2011/TT-NHNN Management and utilization of digital signatures, digital certificates and SBV digital signature verification services
• Circular no. 29/2011/TT-NHNN Security and Secrecy of internet banking services
Thailand
• BOT Notification No. 1953-2548 Guideline for the Preparation of IT Contingency Plan – 2008
• BOT Notification No. SorNorSor. 26/2552 Guidelines for Development of IT Contingency Plan – 2008
• BOT Notification No. SorNorSor.6/2557 Supervisory Guidelines on IT Outsourcing – 2014
• BOT Notification No. SorNorSor. 26/551 Supervisory Guidelines for Security of E-Banking Services – 2008
Singapore
• Personal Data and Privacy Act – 2013
• MAS Notice 644 on Technology Risk Management – 2013
• SRD TR 01/2014 – System vulnerability assessments and penetration testing
• SRD TR 02/2014 – IT security risk posed by personal mobile devices
• SRD TR 01/2015 – Early detection of cyber intrusions
• SRD TR 03/2015 – Technology risk and cyber security training for Board
• MAS Notice 634 Banking Secrecy – Conditions for Outsourcing – 2004
• Guidelines on Outsourcing – 2004
• Consultation Paper on Notice on Outsourcing – 2014
• Consultation Paper on Guidelines on Outsourcing – 2014
• SRD TR 01/2011 – Information technology outsourcing
Malaysia
• BNM Guidelines on Data Management and Management Information Systems – 2011
• Guidelines on management of IT Environment (GPIS 1) – 2004
• Business Continuity Management guidelines – 2013
Indonesia
• Law of The Republic of Indonesia No. 11 of 2008 Concerning Electronic Information And Transactions
• OJK No. 1/POJK.05/2015 Risk Management in Non-Bank Financial Services
• No. 9/15/PBI/2007 Implementation of Risk Management in the Use of Information Technology by Commercial Banks

Organizations are spending more money and paying more attention than they ever have… Organizations spent $75.4 billion on information security in 2015, according to Gartner … but for many the problem seems to be getting worse.

Moving into digitization
Glimpsing the future: World Economic Forum report, The Future of Financial Services: How disruptive innovations are reshaping the way financial services are structured, provisioned and consumed. An Industry Project of the Financial Services Community | Prepared in collaboration with Deloitte.

What's the deal? Is cyber security a consideration in your plans to innovate?

Failures & challenges
• Failure to include security as part of the design principles: Businesses demand features, function and time to market.
• Addressing the incident and failing to detect the campaigns: Perpetrators strategise and take a longer term view. Don't miss the forest for the trees.
• Shortage of competent cyber security professionals: Demand is outstripping supply. Willingness to accept non-security IT professionals as 'replacements'.
• Ineffective threat analytics: Use of technology with limited data sets and arcane rule sets. Limited value owing to the rush to implement and lacking integration.

Cyber Security 3.0

Building a resilient cyber security organization
This means having the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents.
• Secure: Are controls in place to guard against known and emerging threats?
• Vigilant: Can we detect malicious or unauthorized activity, including the unknown?
• Resilient: Can we act and recover quickly to minimize impact?
Underpinned by: Cyber governance, Cyber threat intelligence, Cyber threat mitigation, Cyber incident response.

Cyber security design – 5 design principles
• Design principles: everything is a potential threat. Build the requirement of security in as a core.
• Actionable intelligence: threat-centric defense. Correlation and inductive techniques are required. Look beyond just security data.
• Revamp information sharing: Perpetrators share intelligence to effectively compromise organisations. Why aren't organisations sharing information about perpetrators? There is a need for situational awareness.
• Automation: what and how. The shortage will continue. Tools and automation exist to create accuracy.
• Working together from inside and outside (里应外合) – Combating the issue together: internal cyber security, external cyber security providers, vendors.

Cyber Security Trends
• The Integrity Conundrum: Integrity is the forgotten security domain. Maintaining the integrity of data, business process, and people is going to be increasingly critical.
• Business Security: Establishing security researchers across the business units that handle sensitive data (seen in big Tech companies to increase agility).
• Live-Fire Exercises: Conducting sophisticated APT-style attacks, emulation and cyber range testing against critical systems and people assets.
• People Are Key: Embedding the psychology of security in the business and finding the right SecOps analysts will be key for on-going management of cyber risk.
• Defining Normal
• Collaborative Security: Establishing
