1. Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc. 2015

2. Cyber Risk Management  Examiners are raising the bar on Cyber Security compliance  Result of the rapidly changing technological environment  IT exams getting tougher because there is more technology risk than ever before  Agencies independent authority conducts audits of examiner’s audit programs  Agencies making many changes to its exam procedures pursuant to recommendations

3. Cyber Risk Management  The FFIEC realizes most banks rely on independent vendors for all or part of cyber risk management efforts  Not all third party vendors are regulated  All vendors are not the same in terms of appropriate security controls  Agencies see advantages in standardizing expectations for Cyber Risk Management

4. Cybersecurity Assessment Tool  Released by the FFIEC on June 30, 2015  Expectations are the Board of Directors will use this tool to assess cybersecurity risk  The Board is responsible for recognizing the cyber risks you are accepting and what mitigating controls are in place.  Assessment Tool has two parts o Part 1 - Inherent Risk Profile o Part 2 - Cybersecurity Maturity (mitigating controls)

5. Cybersecurity Assessment Tool Part 1 - Inherent Risk Profile  Relies greatly on your ability to identify where sensitive customer data resides throughout your organization.  Early stages indicate examiners will “take your word for it” provided you have documented that you have made a reasonable effort.  Software is now available which can identify all NCI (nonpublic Customer Information) wherever it resides on your various systems.

6. Cybersecurity Assessment Tool Part 1 - Inherent Risk Profile  Examiners will quickly evolve and require you to be able to demonstrate, not guess, that you know the location of sensitive data.  Also expect that when you get hacked (not if you get hacked) you know what information was stolen.

7. Cybersecurity Assessment Tool Part 2 - Cybersecurity Maturity Analyzes several factors to determine the controls and risk mitigating practices that are already being practiced Cybersecurity Preparedness includes:  Risk Management and Oversight  Threat Intelligence and Collaboration  Cybersecurity controls  External dependency management  Cyber incident management and resilience

8. Cybersecurity Preparedness Risk Management and Oversight  Governance, allocation off resources and training and awareness of employees Threat Intelligence and Collaboration  Gathering, monitoring, analyzing and sharing information from multiple sources on cyber threats and vulnerabilities

9. Cybersecurity Preparedness Cybersecurity controls  A combination of preventive, detective or preventative External dependency management  Includes connectivity to third party providers, business partners, customers or others and your institution’s expectations and practices to oversee these relationships Cyber incident management and resilience  Detection, response, mitigation, escalation, reporting and resilience

10. Cybersecurity – Preparing for the Next IT Examination  Board should be prepared to answer questions about information security during next IT exam  Document the Board’s participation in training; use available FFIEC resources

11. Cybersecurity – Preparing for the Next IT Examination  Be able to exhibit that the Board and Management understand supervisory expectations and have a high awareness of cybersecurity risks (threats and vulnerabilities) and how that risk is mitigated  IT Officer should have completed Cybersecurity Assessment Tool  Documented, reasonable approach  InfoGPS puts you half a step ahead of your examiners

12. Cybersecurity and My Bank Are you plugged into the Cloud?

13.  Google, Bing, Yahoo Search  Social Media  Lexis Nexus  FinCEN  Core Vendor Services  Local IT Outsourcing

14. Cybersecurity and My Bank Are you plugged into the Cloud? So are the Cyber Criminals

15. How do Banks Address this Risk ?

16. Cybersecurity and My Bank TCA addresses Cybersecurity in its IT Audit Program IT Audit is a Method of Measuring and Managing Risk

17. IT Audit Fundamental Components  Risk Assessments  Asset Management  Confidential Data

18. IT Audit Examiners Now View the Enterprise Through a Cybersecurity Lens

19. Examiner IT Audit Requirements  Show me your IT Risk Assessment  Show me your Enterprise Assets  Show me where your Sensitive Information Resides

20.  Show me your IT Risk Assessment  Show me your Enterprise Assets  Show me where your Sensitive Information Resides Can Your Bank Respond to These Examiner Requirements?

21.  Completes much of your IT Risk Assessment Cyber- security Assessment Tool  Inventories your Enterprise Assets (HW, SW, Applications)  Identifies where your Customer Information Reside  Monitors and Reports on the Creation and Movement of Sensitive Data There is a Product that Addresses these Compliance Mandates!!!

22. Back to the Future, an Old Requirement Gramm Leach Bliley Act 1999 (GLBA) Joint Release “Safeguarding of Customer Information” FFIEC IT Handbook Institutions may establish an information data classification program to identify and rank data, systems, and applications in order of importance. Classifying data allows the institution to ensure consistent protection of information and other critical data throughout the system. Classifying systems allows the institution to focus its controls and efforts in an efficient and structured manner.

23. 2015 Cybersecurity Assessment Requirement Page 22: IT Asset Management - Baseline An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained. Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value.

24. Cybersecurity Assessment Tool Underscores Fundamentals. Cyber incident management and resilience External dependency management Cybersecurity controls Threat Intelligence and Collaboration Risk Management and Oversight

28. Do the Fundamental First: Know your IS Assets An accurate knowledge of your IS Assets, specifically your data assets, is critical to perform ALL of the following: Compliance & Audit IS Risk Assessment Craft the Information Security Program Prepare for Business Resiliency Prepare for Incident Response Obtain favorably priced Cyber Security Insurance Properly educate your board Properly apply controls to protect your Data.

34. Cybersecurity Summary FI’s are critically dependent on IT to conduct business operations – There is increasing interconnectedness between different business sectors. Cyber threats are very rapidly evolving and it is no longer a matter of those who have been hacked and those who haven’t

35. Cybersecurity Summary  Examiners now acknowledge all FI’s have been or will be hacked – let that sink in for a minute!  The difference will be those who know what data was compromised and those who do not  Those who do not will be required to devote significant resources to determine what was lost, who was affected and how to resolve enforcement actions and manage significant reputation risks. As a result you will see examiners establishing new standards for identification and management of Non Public Personal Information

36. Cybersecurity Summary Bottom Line  The OCC (and all of the Regulatory Agencies) are reviewing and updating current guidance and examination procedures to align with changing cybersecurity risk  Your choice of vendor for IT Audit is critical and you must ensure the vendor is adjusting their audit approach to be consistent with the significant changes being made by examiners  Your next IT examination will be tougher than any IT examination before it – your ability to exhibit an understanding of your risk and how you manage it is paramount

37. Questions? Please use the Chat feature to submit questions now!

38. TCA, Inc. 1-800-934-REGS www.tcaregs.com ©2015 TCA, INC.