Cyber Security and Vendor Management Examinations from the Regulators' and Auditors' Perspective
Rory Guenther, CISA, Senior Examiner, Operational Risk Specialist, Federal Reserve Bank of Mpls
Brent Siegel, CSOP, CRFS, MBA, eBC, Strategic Executive Consultant, Broken Sales Consulting
THIRD PARTY SERVICE PROVIDERS
Vendor Management
What is a Third-Party?
“Third Party” is broadly defined to include “all entities that have entered into a business relationship with the institution…”
Third Party Vendor Management as a Priority
FI must establish and maintain a compliant vendor management program
Examiners are giving more attention to vendor management
Bank’s exposure to violations committed by a third party service provider
Civil money penalties
Civil Money Penalties
Bank assessed $7,800,000 in part due to Bank’s oversight of affiliate and third-party service providers.
Bank required to refund approximately $140 million to customers and pay $25 million penalty for deceptive marketing tactics used by their vendors.
Bank pays $175 million to settle accusation that its independent brokers discriminated against black and Hispanic borrowers.
Focus of settlement was failure to police the behavior of independent loan brokers.
Civil Money Penalties, cont.
Bank assessed $21 million for insufficient oversight which allowed bank loan officers and outside brokers to adjust rates and fees without regard to borrower risk which resulted in brokers extracting larger overpayments. (Fair Lending)
Bank assessed $112.5 million for insufficient oversight of affiliate and third party service providers. (UDAP)
Bank assessed $200 million for insufficient oversight of third party telemarketers (Deceptive Marketing)
Bank assessed $11.2 million for insufficient oversight and control of TPSP system integration challenges and insufficient due diligence to note prior consumer complaints against TP. (UDAP)
Bank assessed $210 million for insufficient oversight of third parties to ensure they followed the bank-provided scripts. (Unfair and deceptive sale of credit card add-on product.)
What Is the Guidance?
Consists of SR 13-19/CA 13-21 letter (Guidance on Managing Outsourcing Risk) and an attached policy statement on managing outsourcing risk
Supplements existing guidance for technology service providers
Refer to the FFIEC Outsourcing Technology Services Booklet (June 2004) at http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx
Applies to all financial institutions supervised by the Federal Reserve but other regulators have issued similar guidance
What’s New?
Applicability of guidance to outsourced activities beyond core bank processing and information technology-related services
Enhanced risk management that institutions should have for better oversight and management of outsourcing risk
Additional guidance pertaining to key aspects (attributes, governance, and operational effectiveness) of an institution’s service provider risk management program
Areas of Emphasis
Types of risk exposure
Board of directors and senior management responsibilities
Service provider risk management programs
Additional risk considerations
Third Party Risk Types
Strategic: Adverse business impact (includes sales agents)
Reputation: Negative public opinion
Operational: Failed internal processes, people or systems
Transactional: Problems with service or product delivery
Financial: Unable to meet contractual arrangements
Compliance: Violations of laws, regulations or internal policies
Foreign: Country, culture, or geopolitical
Board and Senior Management Responsibilities
Ensuring outsourced activities are conducted in a safe and sound manner and in compliance with appropriate laws and regulations
Approving institution-wide vendor management policies that mitigate outsourcing risk
Reporting to the board of directors on adherence to policies governing outsourcing arrangements
Elements of the Service Provider Risk Management Program
Risk assessment
Due diligence for the selection of service providers
Contract provisions and considerations
Incentive compensation review
Oversight and monitoring of service providers
Business continuity and contingency plans
What Constitutes Significant TP Relationship?
Relationship is new, or involves new FI activities
Has material effect on FI’s revenues or expenses
TP performs critical functions
TP stores, accesses, transmits, or performs transactions with sensitive customer information
Increases FI’s geographic market
Performs a service involving lending or card payment transactions
Poses risks that could affect earnings, capital, or reputation
Provides product or service that covers a large number of consumers
Provides product or service that implicates higher-risk consumer protection regulations
Involves deposit-taking arrangements
Markets products directly to FI customers that could pose risk of financial loss to individuals
Risk Tiers Based on Inherent Risk
Define Risk Severity Levels
Inherent Risk is a function of Organizational and Profile risk
Customer Facing?
TIER 1: Highly integrated; high reliance; interruption leads to significant operational impact; high transition cost/effort
TIER 2: Some integration; some reliance; interruption leads to moderate operational impact; high transition cost/effort
TIER 3: No integration; cost & performance drives relationship; interruption leads to limited operational impact; moderate transition cost/effort
TIER 4: No integration; cost & performance drives relationship; interruption has no operational impact; minimal transition cost/effort
TOP 10 REGULATOR EXPECTATIONS
© 2014 EastPay. All Rights Reserved
1. Due Diligence Prior to Vendor Selection
Review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls
1. Due Diligence Prior to Vendor Selection (cont’d)
Evaluation of a third party may include the following items:
Audited financial statements, annual reports, SEC filings, and other available financial indicators
Significance of the proposed contract on the third party's financial condition
Experience and ability in implementing and monitoring proposed activity
Business reputation
1. Due Diligence Prior to Vendor Selection (cont’d)
Qualifications and experience of the company's principals
Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies
Existence of any significant complaints or litigation, or regulatory actions against the company
Ability to perform the proposed functions using current systems or the need to make additional investment
1. Due Diligence Prior to Vendor Selection (cont’d)
Use of other parties or subcontractors by the third party
Scope of internal controls, systems and data security, privacy protections, and audit coverage
Business resumption strategy and contingency plans
Knowledge of relevant consumer protection and civil rights laws and regulations
Adequacy of management information systems
Insurance coverage
2. Vendor Selection
Audit Requirements
Identify regulation requirements of FI
Resources and Technology
Support System
Policies, procedures, and service organization control reports
Disaster recovery plan
Reputation
3. Contract Negotiation
Audit rights, self assessments, monthly compliance reviews, obtain vendor’s annual SOC report on its control compliance
Service level agreements and financial penalties
4. Contract Scope
Timeframe covered by the contract
Frequency, format, and specifications of the service or product to be provided
Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service
4. Contract Scope (cont’d)
Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance
Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations
4. Contract Scope (cont’d)
Identification of which party will be responsible for delivering any required customer disclosures
Insurance coverage to be maintained by the third party
Terms relating to any use of bank premises, equipment, or employees
4. Contract Scope (cont’d)
Permissibility/prohibition of the third party to subcontract or use another party to meet its obligations with respect to the contract, and any notice/approval requirements
Authorization for the institution to monitor and periodically review the third party for compliance with its agreement
Indemnification
5. Implementation
Access management
Review system access reports at least monthly to ensure users of outsourced service are authorized
Transaction monitoring
Change management
FI should approve any changes made by vendor
System backup
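The monthly access-report review above can be automated as a reconciliation of the vendor's exported user list against the FI's approved roster. This is an added example, not code from the presentation or from EastPay; the report columns, the sample users and the 90-day staleness threshold are assumptions.

```python
"""Reconcile a vendor's system access report against the FI's authorized-user
roster: flag accounts the FI never approved, role drift, and stale accounts."""
import csv
import io
from datetime import date, timedelta

# Constructed sample: access report as exported by the outsourced service.
# Column names are an assumption; real exports vary by provider.
ACCESS_REPORT = """\
user_id,role,last_login
jdoe,operator,2014-05-28
asmith,admin,2014-03-02
tvendor-svc,admin,2014-06-01
rjones,operator,2014-05-30
"""

# Constructed sample: the FI's approved roster (user -> approved role).
AUTHORIZED = {"jdoe": "operator", "asmith": "operator", "rjones": "operator"}

AS_OF = date(2014, 6, 15)   # review date used for the stale-account check
STALE_DAYS = 90             # assumption: accounts idle longer than this are flagged


def reconcile(report_text, authorized, as_of, stale_days=STALE_DAYS):
    """Return findings keyed by type: unauthorized, role_mismatch, stale, missing."""
    findings = {"unauthorized": [], "role_mismatch": [], "stale": [], "missing": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(report_text)):
        uid = row["user_id"]
        seen.add(uid)
        if uid not in authorized:
            findings["unauthorized"].append(uid)   # account the FI never approved
            continue
        if row["role"] != authorized[uid]:
            findings["role_mismatch"].append((uid, row["role"], authorized[uid]))
        last = date.fromisoformat(row["last_login"])
        if as_of - last > timedelta(days=stale_days):
            findings["stale"].append(uid)
    # Approved users absent from the report: roster out of date or access already revoked
    findings["missing"] = sorted(set(authorized) - seen)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(ACCESS_REPORT, AUTHORIZED, AS_OF).items():
        print(f"{kind}: {items}")
```

Each finding type maps to a follow-up with the vendor: removal, role correction, or disablement of the idle account.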
6. Monitoring
Audits
Service Organization Control (SOC) Reports – Vendor’s compliance with their own policies
IT Controls
Statement on Standards for Attestation Engagements No. 16 (SSAE 16), formerly known as Statement on Auditing Standards No. 70 (SAS 70)
7. Ensure Proposed Relationship is Consistent with FI’s Strategic Plan and Overall Strategy
Step one in the Risk Assessment Process
Management should analyze benefits, costs, legal aspects, and potential risks associated with Third-Party
Expanded analysis should be conducted if product or service is new for FI
FI personnel conducting analysis should have appropriate knowledge and skills to conduct
8. Ensure vendor management program risk-ranks vendors based on:
Access to other confidential (i.e. proprietary) information?
Criticality of the product/service they provide?
Complexity of the product/service?
9. Adherence to Service Level Agreements and Contract Provisions
Formal Policy that defines SLA program
SLA monitoring process
Recourse process for non-performance
Escalation process
Dispute resolution process
Termination process
10. File Bank Service Company Act when Required
Section 7 of Bank Service Company Act (12 U.S.C. 1867) requires insured financial institutions to notify their appropriate federal banking agency in writing of contracts or relationships with third parties that provide certain services to the institution
10. File Bank Service Company Act when Required (cont’d)
Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party "shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first."
10. File Bank Service Company Act when Required (cont’d)
As defined in Section 3 of the Act, these services include "check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution."
Cybercrime & Cybersecurity
DDoS, Account Takeover, Fraud!
Cybersecurity
The process for managing cyber threats and vulnerabilities and for protecting information and information systems by identifying, defending against, responding to, and recovering from attacks.
Cybersecurity Conundrum
“You have to be right all of the time, those exploiting you only have to be right once.”
- Ancient cybersecurity proverb
Cybercrime – Where & Why?
Where do cyber attacks come from?
What is the Motivation?
Ideology – making a political statement
Extortion – demand for payment to avoid website attack
Competition – disrupt a competitors online services
Fraud – used as a tool to aid in unauthorized financial gain
Trends
How do Cyber Criminals gain Access?
Deception via DDoS
Spam
Phishing Attempts
Spoofed Web Pages
Popup Ads & Warnings
Malware (Trojans, worms, etc.)
Theft (Laptops, thumb drives, etc.)
Email Attachments
Downloads
Social media
What is a denial of service attack?
Objective(s):
Render a service unavailable
Cripple the infrastructure
Typical targets:
Bank
Credit card payment servicers
Mode of attack: Saturate the target with external requests for connectivity or communication
Distributed DoS (DDoS)
A DDoS attack is performed when hundreds, or possibly thousands, of computers simultaneously request services or bandwidth from the same target computer.
The attack is executed with networks of computers which are controlled by malicious software which has been installed on a user’s computer.
The antivirus detection rate for botnet malware is less than 40 percent. For additional information, visit: https://zeustracker.abuse.ch/index.php.
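The saturation pattern described above (many requests, from many sources, in the same instant) is also what a monitoring team looks for in its own web logs when answering "what is normal?". This is an added example, not code from the presentation or from EastPay; the log lines are constructed and the per-second baseline thresholds are assumptions that a real site would derive from its own traffic history.

```python
"""Flag per-second windows in a web access log whose request volume exceeds
the site's baseline, and label whether the load came from many sources."""
import re
from collections import defaultdict

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample: two seconds of ordinary traffic, then one second in which
# 24 distinct sources request the front page at once.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2014:10:00:01 +0000] "GET /login HTTP/1.1" 200 1042',
    '192.0.2.11 - - [15/Jun/2014:10:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 512',
    '192.0.2.10 - - [15/Jun/2014:10:00:02 +0000] "POST /login HTTP/1.1" 302 0',
] + [f'198.51.100.{i} - - [15/Jun/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 512'
     for i in range(1, 25)]

# Assumed baseline for this site; tune from observed normal traffic.
MAX_REQ_PER_SEC = 10
MIN_DISTINCT_SOURCES = 8   # many sources in one window points to distributed load


def bucket_by_second(lines):
    """Group parsed requests into per-second windows: timestamp -> list of source IPs."""
    windows = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # skip malformed lines rather than abort the review
        ts = m.group("ts").split(" ")[0]   # drop the timezone offset
        windows[ts].append(m.group("ip"))
    return windows


def find_floods(lines, max_req=MAX_REQ_PER_SEC, min_sources=MIN_DISTINCT_SOURCES):
    """Return (window, request_count, distinct_sources, label) for abnormal windows."""
    alerts = []
    for ts, ips in sorted(bucket_by_second(lines).items()):
        if len(ips) <= max_req:
            continue
        distinct = len(set(ips))
        label = "distributed" if distinct >= min_sources else "single-source"
        alerts.append((ts, len(ips), distinct, label))
    return alerts


if __name__ == "__main__":
    for alert in find_floods(SAMPLE_LOG):
        print(alert)
```

A single-source spike is often a misbehaving client or scanner that can be rate-limited locally, whereas a distributed one is what the scrubbing providers named below are engaged for.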
Financial Institution Mitigating Actions
Targeted banks have been very successful in employing numerous means of thwarting the DDoS attacks.
There has been unprecedented sharing of information amongst the targeted banks as well as with their regulators and other government agencies.
Banks are working with service providers to address the problems and to scrub/reduce the attack volumes.
Leading DDoS protection providers (Prolexic, VeriSign, Akamai, etc.)
Internet Service Providers - AT&T, Verizon, etc.
Adhere to these best practices
Don’t assign all resources to DDoS mitigation.
Dedicate at least some staff to watching entry systems during attacks.
Make sure everything is patched.
Keep your security up to date.
Have dedicated DDoS protection.
Scrambling to find a solution in the midst of an emergency only adds to the chaos—and any intended diversion.
Technology Enabling Fraud
As payments have evolved significantly, largely due to technological advancements, so has the sophistication of EFT fraud. Expertly crafted emails, malicious links on legitimate websites (such as social networking sites), and other methods are used to place malware within the networks of corporate customers. The malware then harvests security information, including login credentials, subsequently allowing the criminals to initiate electronic payments through hijacked accounts.
WHO
Law enforcement agencies are reporting a significant increase in funds transfer fraud involving the exploitation of valid online banking credentials belonging to small and medium sized businesses.
Eastern European organized crime groups are believed to be predominantly responsible for the activities, and are also employing witting and unwitting accomplices in the United States (money mules) to receive, cash and forward payments from thousands to millions of dollars to overseas locations via popular money and wire transfer services.
The FFIEC Guidance Supplement
Effective 1/1/2012:
On June 28th, 2011 the Federal Financial Institutions Examination Council (FFIEC) released a supplement to the 2005 “Authentication in an Internet Banking Environment” guidance that describes the measures financial institutions should take to protect Internet banking customers from online fraud.
Three Primary Requirements
Risk Assessments
Layered Security
Customer Education & Awareness
Fundamentals of Cyber Security Risk Management
Senior Management Buy-in/Corporate Governance
Defense-in-Depth (Gap Analysis and
External Resources/Relationships, Feeds, and Awareness
Robust Monitoring/Oversight
Respond
Test Monitoring and Incident Response Plans
Note
Similar to the 2005 guidance, the June 2011 supplement applies to all electronic banking delivery channels, including the mobile banking channel.
Whether financial institutions provide all or part of their electronic banking activities to customers through in-house systems or outsourced, service-provider arrangements, the institutions are responsible and accountable for conformance with the 2005 guidance and the 2011 supplement. (VENDOR MANAGEMENT)
IT/Cybersecurity Controls Cheat sheet
Where is your data?
What is normal?
How do you know?
Questions?
Contact The Presenter(s)
Rory Guenther, CISA, Senior Examiner, Operational Risk Specialist
Brent Siegel, Vice [email protected], x216
Pam Rodriguez, AAP, CIA, CISA, EVP, Risk Management & [email protected], ext 305