Cyber Security and Resiliency in the Financial Sector

August 2009

Presentation Transcript
Major Themes
  • Globalization of the Financial Services Sector
  • Primary Dependencies on Telecommunications Infrastructure and Information Technology
  • Cyber Threats and Vulnerabilities
  • U.S. Financial Sector Public/Private Partnerships
  • Federal Government Initiatives
  • FBIIC & FSSCC Cyber Security Committee Activities
  • Emerging Challenges
Globalization of Financial Sector
  • Information is one of a financial institution’s most important assets
  • Financial market operations are increasingly becoming electronically connected and interdependent around the world. A major U.S. bank operates in more than 100 countries.
  • The financial services industry plays a key role in protecting a nation’s financial services infrastructure.
  • Increasing globalization provides expanded market opportunities and efficiencies and poses new challenges.
Globalization of Financial Sector (cont)
  • International Basel II Accord identifies for the first time operations risk. Like traditional credit and market risk, operations risk must be managed and capital must be held against potential losses.
  • Operations risks from cyber/operational incidents in a globalized sector may include:
    • cascading impacts that cannot be contained regionally
    • jurisdictions may have to work together to address the impacts and restore operations, and
    • the international framework to address global financial disruptions relies on arrangements among Central Banks, Financial Market Authorities and Treasuries.
Globalization of Financial Sector (cont)
  • Global information infrastructure and the data that reside within these systems are critical to the economies of countries
  • Cyber exploitation has grown more sophisticated, targeted, and serious over the past several years and we expect the trend to continue.
  • Nation-states and criminals target government and private sector information networks to gain competitive advantage in the commercial sector.
An Example of How Information Technology is Utilized in a Commercial Bank

[Diagram: a commercial bank's IT systems and their online links to outside parties. Labeled elements:]

  • External Links to Financial Services Firms, Payment Systems & Utilities
  • Security Monitoring Company
  • Customers
  • Environmental Systems
  • Branch Platform and Teller Systems
  • Phone Switches and Voice Response Systems
  • Security, and Vault Control Systems
  • Correspondent and Clearing Systems
  • Correspondent Banks, Clearing Houses, etc.
  • Financial Markets: NYSE, CME, NASDAQ, CBT, etc.
  • Backup Data Centers
  • Trading Systems
  • Call Centers
  • Home & Telephone Banking Systems
  • Retail Customers
  • Fedwire, SWIFT, CHIPS, ACH, etc.
  • Payments Systems
  • Computer & Communications Systems
  • Wholesale Customers
  • ATM, Credit & Debit Card Networks
  • Treasury, Money Market & Trade Fin. Systems, etc.
  • ATM & Credit Card Systems
  • Management Information Systems: reports for executives, risk mgt., boards of directors, etc.
  • Regulatory Agencies
  • DDA, Loans, CIS, General Ledger, MIS, etc.
  • External Service Providers
  • Back Office Systems
  • Regulatory Reporting
  • Currency Sorters
  • Payroll Service Bureau
  • Item Processing, Check Sorters & Image Systems
  • External Information Providers: Dun & Bradstreet, Credit Bureaus, etc.
  • Software Libraries
  • Trust Services Company
  • Example of IT systems and internal data flows supporting the lending process: Records Systems, LAN, Loan Funding, Loan Servicer, Loan Underwriting and Review, Loan Documentation, Loan Administration

Note: FBO transactions are often performed on IT Systems located in home countries

Source: Steve Malphrus, Chair, Financial Sector Group, President’s Council on Year 2000 Conversion


Cyber Threats and Vulnerabilities
  • Widely publicized events include:
    • Denial of Service
    • Phishing and other social engineering attacks
    • Identity theft
    • Telecom congestion issues
    • People within institutions who commit fraud or steal information for personal financial gain
  • The overall impact is growing both in terms of the amount of money lost as well as an erosion in public confidence in online financial services.
Financial Sector Framework for Security and Resilience
  • The Financial Sector framework for security and resiliency is based on a foundation of strong public/private sector partnerships
  • Participation is voluntary
  • Represents all facets of the sector – credit, debt and equity, exchange-traded derivatives, and insurance
  • Seen as the model for public/private partnerships in other sectors
  • Built on the foundation of Y2K efforts
US Financial Sector Public/Private Partnership

Financial and Banking Information Infrastructure Committee (FBIIC)

  • Established in 2002 by the President’s Working Group on Financial Markets. The President’s Working Group and the U.K. Tripartite have worked closely together on many issues.
  • Chaired by the U.S. Department of the Treasury
  • Brings together federal and state financial authorities
  • Improves coordination and communication among financial regulators
  • Promotes the public/private partnerships
FBIIC Members
  • U.S. Department of the Treasury (chair)
  • Federal Reserve Board
  • American Council of State Savings Supervisors
  • Farm Credit Administration
  • Federal Deposit Insurance Corporation
  • Federal Housing Finance Agency
  • Federal Reserve Bank of New York
  • National Association of Insurance Commissioners
  • National Association of State Credit Union Supervisors
  • National Credit Union Administration
  • North American Securities Administrators Association
  • Securities & Exchange Commission
  • Commodity Futures Trading Commission
  • Office of the Comptroller of the Currency
  • Office of Thrift Supervision
  • Securities Investor Protection Corporation
Current FBIIC Activities
  • Assess and prioritize sector vulnerabilities
    • Including identifying and analyzing emerging risks
  • Encourage participation in the public/private partnerships
    • Including membership in the Financial Services Sector Coordinating Council (FSSCC) and the Financial Sector – Information Sharing and Analysis Center (FS-ISAC), and either initiating new coalitions or joining existing regional coalitions
  • Sponsor exercises with public and private partners
    • Including financial sector participants, regulatory authorities, homeland security officials and members of the law enforcement and intelligence communities. Examples: last year’s market-wide pandemic exercise and this year’s Cyber Fire Exercise, scheduled for mid-September 2009.
  • Manage and update the sector’s crisis response
    • Test and validate emergency protocols for both resource needs/requests and situational awareness across the region(s)
    • Identify and lead projects to improve sector-wide risk management, crisis response, and resilience
  • Meets formally on a quarterly basis and includes many ongoing workstreams.
US Financial Sector Public/Private Partnership

Financial Services Sector Coordinating Council (FSSCC)

  • Established in 2002 as the private sector arm for the Banking and Finance Sector
  • Brings together the largest financial institutions, exchanges, core clearing & settlement organizations, and trade associations
FSSCC Members
  • State Street Global Advisors (Chair)
  • Morgan Stanley (Vice Chair)
  • American Bankers Association
  • American Council of Life Insurers
  • American Insurance Association
  • American Society for Industrial Security (ASIS)
  • Bank Administration Institute
  • Bank of America
  • Bank of New York Mellon
  • Barclays
  • BITS/The Financial Services Roundtable
  • ChicagoFIRST
  • Citigroup
  • Continuous Linked Settlement Bank (Foreign Exchange)
  • Consumer Bankers Association
  • Credit Union National Association
  • Depository Trust & Clearing Corporation
  • Fannie Mae
  • Financial Industry Regulatory Authority
  • Financial Information Forum
  • FS-ISAC
  • Goldman Sachs
  • ICE Futures
  • Independent Community Bankers of America
  • Investment Company Institute
  • JP Morgan Chase
  • Managed Funds Association
  • NACHA – The Electronic Payments Association
  • National Armored Car Association
  • National Association of Federal Credit Unions
  • Navy Federal Credit Union
  • NASDAQ
  • NYSE
  • Options Clearing Corporation
  • Securities Industry Automation Corporation
  • Securities Industry and Financial Markets Association
  • State Farm Insurance Company
  • Travelers
  • The New York Clearing House
  • VISA USA Inc.
Current FSSCC Activities
  • Encourage participation in the public/private partnerships
    • Major expansion took place in 2008 to include more of the largest financial institutions and insurance providers
  • Work with other private sector coordinating councils and the Partnership for Critical Infrastructure Security (PCIS)
    • Focus on interdependencies
  • Participate in the development of exercises with public and private partners
    • Including financial sector participants, regulatory authorities, homeland security officials and members of the law enforcement and intelligence communities
  • Manage and update the sector’s crisis response
    • Organize sector calls and participate in DHS Infrastructure Protection calls to provide updates on sector needs and response
  • Identify and lead projects to improve sector-wide risk management, crisis response, and resilience
  • Meets formally on a quarterly basis and includes many ongoing workstreams.
FBIIC/FSSCC Cyber Security Mission

Work with the financial services sector to strengthen cyber security and resilience of the sector’s current and future IT operations

FBIIC/FSSCC Cyber Security Objectives
  • Understand the current level of resilience within the sector, and develop recommendations for policy, education, best practices, and exercises to strengthen the sector’s resiliency to cyber threats
  • Develop a common operating perspective by improving the sector’s awareness of potential cyber threats and vulnerabilities
  • Strengthen the public/private partnerships on cyber security issues
  • Develop a single voice within the sector to interact with and respond to government and to other sectors’ requests, inquiries, projects and overall policy efforts (This would not include lobbying or compliance and regulatory matters)
Cyber Security Committee Working Group: Research and Development

Objective:

Identify top priorities for research, promote development initiatives

  • Advance the State of the Art in Designing and Testing Secure Applications
  • Develop more Secure and Resilient Financial Transaction Systems
  • Improve Enrollment and Identity Credential Management to make it less susceptible to social engineering attacks
  • Understand the Human Insider Threat by developing deterrence and detection solutions to reduce risks posed by insiders
  • Develop Data Centric Protection Strategies to better classify and protect sensitive information
  • Develop better Measures of the Value of Security Investments
  • Develop Practical Standards to reduce risk and enhance resiliency
Cyber Security Committee Working Group: Long Range Vision

Project:

The proposed objective of the WG is to produce a “Long Range Vision” document that will identify:

  • Global business drivers for future sector growth
  • New technology principles & processes that must be in place for the sector to operate in a fully globalized marketplace in 5 years
  • Geopolitical and IT vulnerabilities that will arise or be exacerbated because of this new paradigm.
Cyber Security Committee Working Group: International Issues

Objectives:

  • Risk mitigation related to foreign travel & operations
    • Broadly raise awareness and provide practical guidance to counter increased vulnerabilities and threats.
  • Undersea cables
    • Improve international undersea cable communications resilience practices and capabilities for critical financial services functions by working collectively as an industry with appropriate telecommunications services providers.
  • Supply chain management
    • From both a tactical & strategic perspective, identify the most critical service providers to the financial services sector (and individual financial organizations)
    • Conduct sector surveys to aid in developing best practices
  • International cyber security coordination
Cyber Security Committee Working Group: Exercise & Planning

Projects:

  • Conducted a cyber security exercise for members of the FBIIC, the FSSCC, and the FSSCC/FBIIC cyber security committees in early Fall ’08.
  • Update the Financial Services Sector Specific Plan (SSP) to include the current and future cyber security initiatives.
  • Currently planning a week-long cyber security exercise in September 2009
    • Allow participants to test crisis management and incident response protocols
    • Conduct via e-mail
    • Voluntary, no-charge, and maintain the anonymity of the participants
Cyber Security Committee Working Group: Information Sharing

Projects

  • National security clearances for people within the financial services sector
    • Need for the “right” people to be cleared
    • Develop a roadmap for improved info sharing across the financial services sector that addresses
      • Common operating picture of cyber threats
      • Info sharing by intelligence & law enforcement
      • Talent issues in the public sector
      • Leverages FS-ISAC operational capabilities
      • Improves info sharing with IT & telecom sectors
President’s Cyber Initiative
  • In response to this growing threat to the United States’ information infrastructure, President George W. Bush approved the National Security Presidential Directive – 54 / Homeland Security Presidential Directive – 23, establishing the National Cyber Security Initiative in January 2008.
  • The President's directive established U.S. policy, strategy and guidelines to secure federal government systems, as well as provided an approach that anticipates future cyber threats and technologies and requires that the Federal Government integrate many of its technical and organizational capabilities in order to better address sophisticated threats and vulnerabilities.
The 60 Day Cyber Review

Discussions throughout the development of the 60 day review were focused on:

  • Public/Private partnerships and their differing degrees of success
  • How critical sectors are currently regulated or not regulated
  • Legal concerns over cyber monitoring
  • Agencies’ jurisdictions and authorities
  • Congressional jurisdiction
  • Efforts to secure Federal government systems
  • Coordination of efforts across public and private sectors
  • Privacy and Civil Liberties
  • Information sharing (current efforts and barriers)
  • Monetizing risk
  • Education of future generations, businesses, and consumers
  • International coordination and development of standards
  • Research and Development – “leap ahead technologies” and incentives for innovation
  • Identity management
Federal Government Priority Services
  • Government Emergency Telecommunications Service (GETS)
  • Wireless Priority Service (WPS)
  • Telecommunications Service Priority (TSP)
Congestion at one of many points can block a call!

[Diagram: call path across Mobile Switches, Local Exchange Networks, and the carriers AT&T, Verizon and Qwest.]

  • Government Emergency Telecommunications Service addresses wireline congestion
  • Wireless Priority Service addresses wireless congestion at call origination and call termination

Emerging Challenges
  • Financial firms will continue to expand global operations.
  • To realize global market and operational goals, financial firms will increasingly rely on information technology and telecommunications infrastructure throughout the world.
  • The incoming workforce and next generation of consumers will use information technology and telecommunications in ways we have not yet predicted.
  • Interest in exploiting this increased reliance on information technology and telecommunications will continue to grow.
Websites
  • Federal Financial Institutions Examination Council: www.ffiec.gov
  • Financial and Banking Information Infrastructure Committee: www.fbiic.gov
  • Financial Services Sector Coordinating Council: www.fsscc.org
  • Financial Services - Information Sharing and Analysis Center: www.fsisac.com

Overview of the U.S. Financial System

[Diagram: the U.S. financial system, with "transactions" flows linking participants, markets and intermediaries. Labeled elements:]

  • U.S. Financial System: components, participants, and instruments
  • Financial system: private-sector controls and trade groups
  • Financial system: applicable laws and regulations
  • Components: credit, debt & equity, exchange-traded derivatives, and insurance
  • Financial markets: securities, bonds, futures markets, etc.
  • Audit, public disclosure, rating agencies, etc.
  • Supervision: Fed, SEC, FDIC, OCC, CFTC, OTS, OFHEO, NCUA, SROs, State authorities, etc.
  • Financial instruments: loans, securities, futures, annuities, CP, FX, etc.
  • Borrowers/Issuers: individuals, firms, government
  • Lenders/Investors: individuals, firms, government
  • Associations: FSRoundtable/BITS, ABA, ICBA, ACB, SIA, FIA, etc.
  • Central bank and Treasury functions (Federal Reserve and the Department of the Treasury)
  • Financial intermediaries: banks, savings institutions, broker/dealers, FCMs, insurance companies, etc.
  • Financial utilities: payment, clearing & settlement
  • Service providers
  • Critical public utilities and services: telecommunications, power, transportation, public safety, insurance companies as recovery agents

Source: Steve Malphrus, Chair, Financial Sector Vulnerability Assessment Task Force, President’s Working Group on Financial Markets