Cyber Security and Resiliency in the Financial Sector August 2009.


Major Themes
- Globalization of the Financial Services Sector
- Primary Dependencies on Telecommunications Infrastructure and Information Technology
- Cyber Threats and Vulnerabilities
- U.S. Financial Sector Public/Private Partnerships
- Federal Government Initiatives
- FBIIC & FSSCC Cyber Security Committee Activities
- Emerging Challenges

Globalization of Financial Sector
- Information is one of a financial institution’s most important assets.
- Financial market operations are increasingly becoming electronically connected and interdependent around the world.
- A major U.S. bank operates in more than 100 countries.
- The financial services industry plays a key role in protecting a nation’s financial services infrastructure.
- Increasing globalization provides expanded market opportunities and efficiencies and poses new challenges.

Globalization of Financial Sector (cont)
- International Basel II Accord identifies for the first time operations risk. Like traditional credit and market risk, operations risk must be managed and capital must be held against potential losses.
- Operations risks from cyber/operational incidents in a globalized sector may include:
  1) cascading impacts that cannot be contained regionally
  2) jurisdictions may have to work together to address the impacts and restore operations, and
  3) the international framework to address global financial disruptions relies on arrangements among Central Banks, Financial Market Authorities and Treasuries.

Globalization of Financial Sector (cont)
- Global information infrastructure and the data that reside within these systems are critical to the economies of countries.
- Cyber exploitation has grown more sophisticated, targeted, and serious over the past several years and we expect the trend to continue.
- Nation-states and criminals target government and private sector information networks to gain competitive advantage in the commercial sector.

Critical Dependencies

[Diagram: An Example of How Information Technology is Utilized in a Commercial Bank. Labeled elements include trading systems; payments systems (Fedwire, SWIFT, CHIPS, ACH, etc.); ATM, credit and debit card networks; financial markets (NYSE, CME, NASDAQ, CBT, etc.); correspondent and clearing systems (correspondent banks, clearing houses, etc.); back office systems; branch platform and teller systems; home and telephone banking systems; call centers; management information systems; backup data centers; external service providers and external information providers (Dun & Bradstreet, credit bureaus, etc.); regulatory reporting and regulatory agencies; and an inset example of IT systems and internal data flows supporting the lending process. Note: FBO transactions are often performed on IT systems located in home countries. Source: Steve Malphrus, Chair, Financial Sector Group, President's Council on Year 2000 Conversion]

Cyber Threats and Vulnerabilities
- Widely publicized events include:
  o Denial of Service
  o Phishing and other social engineering attacks
  o Identity theft
  o Telecom congestion issues
  o People within institutions who commit fraud or steal information for personal financial gain
- The overall impact is growing both in terms of the amount of money lost as well as an erosion in public confidence in online financial services.

Financial Sector Framework for Security and Resilience
- The Financial Sector framework for security and resiliency is based on a foundation of strong public/private sector partnerships
- Participation is voluntary
- Represents all facets of the sector – credit, debt and equity, exchange-traded derivatives, and insurance
- Seen as the model for public/private partnerships in other sectors
- Built on the foundation of Y2K efforts

US Financial Sector Public/Private Partnership
Financial and Banking Information Infrastructure Committee (FBIIC)
- Established in 2002 by the President’s Working Group on Financial Markets. The President’s Working Group and the U.K. Tripartite have worked closely together on many issues.
- Chaired by the U.S. Department of the Treasury
- Brings together federal and state financial authorities
- Improves coordination and communication among financial regulators
- Promotes the public/private partnerships

FBIIC Members
- U.S. Department of the Treasury (chair)
- Federal Reserve Board
- American Council of State Savings Supervisors
- Farm Credit Administration
- Federal Deposit Insurance Corporation
- Federal Housing Finance Agency
- Federal Reserve Bank of New York
- National Association of Insurance Commissioners
- National Association of State Credit Union Supervisors
- National Credit Union Administration
- North American Securities Administrators Association
- Securities & Exchange Commission
- Commodity Futures Trading Commission
- Office of the Comptroller of the Currency
- Office of Thrift Supervision
- Securities Investor Protection Corporation

Current FBIIC Activities
- Assess and prioritize sector vulnerabilities
  o Including identifying and analyzing emerging risks
- Encourage participation in the public/private partnerships
  o Including membership in the Financial Services Sector Coordinating Council (FSSCC) and the Financial Sector – Information Sharing and Analysis Center (FS ISAC), and either initiating new coalitions or joining existing regional coalitions
- Sponsor exercises with public and private partners
  o Including financial sector participants, regulatory authorities, homeland security officials and members of the law enforcement and intelligence communities. For example, last year’s marketwide pandemic exercise and this year’s Cyber Fire Exercise scheduled for mid-September
- Manage and update the sector’s crisis response
  o Test and validate emergency protocols for both resource needs/requests and situational awareness across the region(s)
  o Identify and lead projects to improve sector-wide risk management, crisis response, and resilience
- Meets formally on a quarterly basis and includes many ongoing workstreams.

US Financial Sector Public/Private Partnership
Financial Services Sector Coordinating Council (FSSCC)
- Established in 2002 as the private sector arm for the Banking and Finance Sector
- Brings together the largest financial institutions, exchanges, core clearing & settlement organizations, and trade associations

FSSCC Members
- State Street Global Advisors (Chair)
- Morgan Stanley (Vice Chair)
- American Bankers Association
- American Council of Life Insurers
- American Insurance Association
- American Society for Industrial Security (ASIS)
- Bank Administration Institute
- Bank of America
- Bank of New York Mellon
- Barclays
- BITS/The Financial Services Roundtable
- ChicagoFIRST
- Citigroup
- Continuous Linked Settlement Bank (Foreign Exchange)
- Consumer Bankers Association
- Credit Union National Association
- Depository Trust & Clearing Corporation
- Fannie Mae
- Financial Industry Regulatory Authority
- Financial Information Forum
- FS-ISAC
- Goldman Sachs
- ICE Futures
- Independent Community Bankers of America
- Investment Company Institute
- JP Morgan Chase
- Managed Funds Association
- NACHA – The Electronic Payments Association
- National Armored Car Association
- National Association of Federal Credit Unions
- Navy Federal Credit Union
- NASDAQ
- NYSE
- Options Clearing Corporation
- Securities Industry Automation Corporation
- Securities Industry and Financial Markets Association
- State Farm Insurance Company
- Travelers
- The New York Clearing House
- VISA USA Inc.

Current FSSCC Activities
- Encourage participation in the public/private partnerships
  o Major expansion took place in 2008 to include more of the largest financial institutions and insurance providers
- Work with other private sector coordinating councils and the Partnership for Critical Infrastructure Security (PCIS)
  o Focus on interdependencies
- Participate in the development of exercises with public and private partners
  o Including financial sector participants, regulatory authorities, homeland security officials and members of the law enforcement and intelligence communities
- Manage and update the sector’s crisis response
  o Organize sector calls and participate in DHS Infrastructure Protection calls to provide updates on sector needs and response
- Identify and lead projects to improve sector-wide risk management, crisis response, and resilience
- Meets formally on a quarterly basis and includes many ongoing workstreams.

FBIIC/FSSCC Cyber Security Mission
Work with the financial services sector to strengthen cyber security and resilience of the sector’s current and future IT operations

FBIIC/FSSCC Cyber Security Objectives
- Understand the current level of resilience within the sector, and develop recommendations for policy, education, best practices, and exercises to strengthen the sector’s resiliency to cyber threats
- Develop a common operating perspective by improving the sector’s awareness of potential cyber threats and vulnerabilities
- Strengthen the public/private partnerships on cyber security issues
- Develop a single voice within the sector to interact with and respond to government and to other sectors’ requests, inquiries, projects and overall policy efforts (This would not include lobbying or compliance and regulatory matters)

Cyber Security Committee Working Group: Research and Development
Objective: Identify top priorities for research, promote development initiatives
1) Advance the State of the Art in Designing and Testing Secure Applications
2) Develop more Secure and Resilient Financial Transaction Systems
3) Improve Enrollment and Identity Credential Management to make it less susceptible to social engineering attacks
4) Understand the Human Insider Threat by developing deterrence and detection solutions to reduce risks posed by insiders
5) Develop Data Centric Protection Strategies to better classify and protect sensitive information
6) Develop better Measures of the Value of Security Investments
7) Develop Practical Standards to reduce risk and enhance resiliency

Cyber Security Committee Working Group: Long Range Vision
Project: The proposed objective of the WG is to produce a “Long Range Vision” document that will identify:
- Global business drivers for future sector growth
- New technology principles & processes that must be in place for the sector to operate in a fully globalized marketplace in 5 years
- Geopolitical and IT vulnerabilities that will arise or be exacerbated because of this new paradigm.

Cyber Security Committee Working Group: International Issues
Objectives:
- Risk mitigation related to foreign travel & operations
  o Broadly raise awareness and provide practical guidance to counter increased vulnerabilities and threats.
- Undersea cables
  o Improve international undersea cable communications resilience practices and capabilities for critical financial services functions by working collectively as an industry with appropriate telecommunications services providers.
- Supply chain management
  o From both a tactical & strategic perspective, identify the most critical service providers to the financial services sector (and individual financial organizations)
  o Conduct sector surveys to aid in developing best practices
- International cyber security coordination

Cyber Security Committee Working Group: Exercise & Planning
Projects:
- Conducted a cyber security exercise for members of the FBIIC, the FSSCC, and the FSSCC/FBIIC cyber security committees in early Fall ’08.
- Update the Financial Services Sector Specific Plan (SSP) to include the current and future cyber security initiatives.
- Currently planning a week-long cyber security exercise in September 2009
  – Allow participants to test crisis management and incident response protocols
  – Conduct via
  – Voluntary, no-charge, and maintain the anonymity of the participants

Cyber Security Committee Working Group: Information Sharing
Projects
- National security clearances for people within the financial services sector
  o Need for the “right” people to be cleared;
  o Develop a roadmap for improved info sharing across the financial services sector that addresses
    1) Common operating picture of cyber threats
    2) Info sharing by intelligence & law enforcement
    3) Talent issues in the public sector
    4) Leverages FS-ISAC operational capabilities
    5) Improves info sharing with IT & telecom sectors

President’s Cyber Initiative
- In response to this growing threat to the United States’ information infrastructure, President George W. Bush approved the National Security Presidential Directive – 54 / Homeland Security Presidential Directive – 23, establishing the National Cyber Security Initiative in January
- The President's directive established U.S. policy, strategy and guidelines to secure federal government systems, as well as provided an approach that anticipates future cyber threats and technologies and requires that the Federal Government integrate many of its technical and organizational capabilities in order to better address sophisticated threats and vulnerabilities.

The 60 Day Cyber Review
Discussions throughout the development of the 60 day review were focused on:
- Public/Private partnerships and their differing degrees of success
- How critical sectors are currently regulated or not regulated
- Legal concerns over cyber monitoring
- Agencies’ jurisdictions and authorities
- Congressional jurisdiction
- Efforts to secure Federal government systems
- Coordination of efforts across public and private sectors
- Privacy and Civil Liberties
- Information sharing (current efforts and barriers)
- Monetizing risk
- Education of future generations, businesses, and consumers
- International coordination and development of standards
- Research and Development – “leap ahead technologies” and incentives for innovation
- Identity management

Federal Government Priority Services
- Government Emergency Telecommunications Service (GETS)
- Wireless Priority Service (WPS)
- Telecommunications Service Priority (TSP)

Congestion at one of many points can block a call!
[Diagram labels: Mobile Switch, Local Exchange Networks, AT&T, Verizon, Qwest]
- Wireless Priority Service addresses wireless congestion at call origination and call termination
- Government Emergency Telecommunications Service addresses wireline congestion

Emerging Challenges
- Financial firms will continue to expand global operations.
- To realize global market and operational goals, financial firms will increasingly rely on information technology and telecommunications infrastructure throughout the world.
- The incoming workforce and next generation of consumers will use information technology and telecommunications in ways we have not yet predicted.
- Interest in exploiting this increased reliance on information technology and telecommunications will continue to grow.

QUESTIONS?

Websites
- Federal Financial Institutions Examination Council
- Financial and Banking Information Infrastructure Committee
- Financial Services Sector Coordinating Council
- Financial Services - Information Sharing and Analysis Center

Overview of the U.S. Financial System
[Diagram: U.S. Financial System: components, participants, and instruments. Labeled elements:]
- Lenders/Investors: individuals, firms, government
- Borrowers/Issuers: individuals, firms, government
- Financial markets: securities, bonds, futures markets, etc.
- Financial intermediaries: banks, savings institutions, broker/dealers, FCMs, insurance companies, etc.
- Financial instruments: loans, securities, futures, annuities, CP, FX, etc.
- Supervision: Fed, SEC, FDIC, OCC, CFTC, OTS, OFHEO, NCUA, SROs, State authorities, etc.
- Financial utilities: payment, clearing & settlement
- Service providers
- Critical public utilities and services: telecommunications, power, transportation, public safety, insurance companies as recovery agents
- Financial system: private-sector controls and trade groups
  o Audit, public disclosure, rating agencies, etc.
  o Associations: FSRoundtable/BITS, ABA, ICBA, ACB, SIA, FIA, etc.
- Financial system: Applicable laws and regulations
- Central bank and Treasury functions (Federal Reserve and the Department of the Treasury)
- Components: credit, debt & equity, exchange-traded derivatives, and insurance
Source: Steve Malphrus, Chair, Financial Sector Vulnerability Assessment Task Force, President’s Working Group on Financial Markets