Cyber Resilience Simon Onyons Financial Stability – Resilience Team.


What is Cyber Risk?

What are cyber risks? The risk of attacks carried out on firms' IT infrastructure to defraud or disrupt their operations through the exploitation of weaknesses and/or the transmission of viruses and malicious software (malware) via the internet or e-mail.

The majority of attacks target the external-facing technology infrastructure, which puts regulated entities' internet-facing IT systems at higher risk of cyber attack. There remains a significant risk from the 'insider attack'.

Background: the FCA recognises that the growing cyber risk presents a significant threat to our strategic and operational objectives, and we are working to leverage the work being undertaken in response to a recommendation from the UK Financial Policy Committee to discharge our own regulatory obligations.

Conduct Regulation and Cyber
- Consumer impact: service availability
- Market integrity: data corruption or manipulation
- Competition: theft of data (M&A, new products, personal data)

Cyber: Coordination with other bodies
- UK Government and cyber agencies: BIS, Cabinet Office, GCHQ, National Crime Agency, CERT UK, CPNI
- Government cyber initiatives: UK Cyber Strategy, BIS 10 Steps to Cyber Security, Cyber Essentials Scheme
- Recommendations: Her Majesty's Treasury (HMT); BoE FPC (Bank of England Financial Policy Committee); FCA MID; PRA; PSR
- Industry groups: CMORG* Directors Sub Group; Resilience and Cyber Sub Groups
* Cross Markets Operational Resilience Group

UK regulatory cyber work to date

"HM Treasury, working with the relevant Government agencies, the PRA, the Bank's financial market infrastructure supervisors and the FCA should work with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack."

36 in-scope firms identified as the "core of the UK financial system": predominantly Critical National Infrastructure, including retail banking, investment banking, insurance, exchanges and clearing houses.

Objectives:
- Enhance understanding of the finance sector threat
- Improve the sharing of information
- Strengthen work to assess the sector's current resilience to cyber attack
- Develop plans to test sector resilience

Develop Testing Plans: "CBEST"
- Diagnostic tool developed by the Bank of England, the FCA and wider industry to support the FPC's cyber recommendation
- CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests
- The tests replicate the behaviours of threat actors assessed by Government and commercial intelligence providers as posing a genuine threat to financial institutions
- Requires interaction with the regulators from the outset: it aims to provide a transparent testing and reporting mechanism so that regulators and regulated firms can collectively improve their understanding of the threats the system faces and the extent to which the UK financial sector is vulnerable to those threats
- CBEST is VOLUNTARY, not mandated. It is currently available only to the 36 firms in scope under the FPC recommendation

Develop Testing Plans: "CBEST"
- Leverage official-sector and commercial intelligence on the most likely systemic threats, e.g. state sponsored
- Go beyond the BIS 10 Steps to include sophisticated and persistent attack types
- Test cyber resilience in key firms and FMIs
- Provide a holistic assessment of people, process and technology
- Mimic the tactics, techniques and procedures of threat actors identified through intelligence gathering
- Deliver a sector-wide assessment of resilience (and vulnerability) in the face of these threats

Understanding the Threat

[Figure: threat matrix (source: Bank of England) plotting attack complexity (low, medium, high, very high) against defence maturity (neg-day, 0-day, BIS 10 Steps, FPC in scope, out of scope e.g. acts of war). Attack types shown: corporate staff information and PC compromise; data deletion, data corruption and system unavailability; network unavailability; online banking fraud; data exfiltration and espionage; application-layer volumetric attacks; data exfiltration; website defacement; volumetric network attacks. Threat actors shown: nation state / sponsored actor; nation state / espionage; nation state / hacktivists; organised crime; organised crime / hacktivists; espionage / organised crime / hacktivists; hacktivists. Impacts legend: customer impact; loss of IP; web services unavailable; disclosed staff credentials and data theft; operational disruption; market-sensitive data; system impact; loss of data; financial loss; lower confidence in accuracy of information; disclosure of customer data; brand impact.]

What have UK Authorities found?

High-level findings, following a comprehensive thematic assessment by the FCA and the Bank of England, are:
- Cyber undermines existing operational resilience arrangements.
- Testing of cyber for people, processes and technology is still immature.
- Business engagement and strategic planning and influencing for cyber vary widely.
- Firm scale and resources impact effective risk management.

What have UK Authorities found? (continued)
- Articulating target states of cyber maturity is a challenge.
- Cyber investment is technology-centric.
- There is generally a low capability to effectively detect cyber attacks and identify threats.
- Oversight of third-party suppliers and the supply chain is immature.
- Challenge from the third line of defence is limited.

What do the UK regulators want to see?
- Cyber governance arrangements (mission, vision, strategy, leadership)
- Understanding of dependence on technology systems and communication networks
- Identification, assessment and mitigation of relevant cyber-security risks
- Threat intelligence capabilities
- Cyber-security incident management capabilities
- Resilience measures to ensure availability of critical processes
- Measures to prevent, detect and minimise social engineering attacks
- Independent assurance to assess the adequacy of cyber-security measures

Lifecycle stages: LEAD, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER, LEARN

QUESTIONS?