Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Management Program
- 1. Information Classification: Public COMPLIANCE AND SECURITY: BUILDING A CYBERSECURITY RISK MANAGEMENT PROGRAM Central Ohio Infosec Summit - 2016 Jason Harrell Corporate Senior Information Risk Officer (CSIRO) Investment Management BNY Mellon March 30, 2016
- 2. Information Classification: Public AUDIENCE QUESTIONS • How many of you are Chief Information Security Officers or Chief Information Risk Officers for your organization? • How many of you have regularly scheduled meetings with your Chief Compliance Officers on cybersecurity regulations? • How many of you have regularly scheduled meetings with your Legal Counsel (internal and/or external)? • How many of you have regularly scheduled meeting with your Chief Operating Officer or equivalent? • How many of you subscribe to industry publications for the industry for which you work? • How many of you brief your Board of Directors on cybersecurity risks for your organization? 2
- 3. Information Classification: Public KEY TAKEAWAYS • As a Chief Information Security Officer (CISO) and Chief Information Risk Officer (CIRO), you will be required to understand and articulate the business impacts for cybersecurity risk failures that resonates with your audience • As executives, we will need to balance our compliance obligations for cybersecurity controls with our business’ operational cybersecurity risks to prioritize our risk management efforts (EXHAUSTIVE MEDIOCRITY) • Cybersecurity controls must be embedded into the business processes to be effective (i.e., the business must be involved with the execution of cybersecurity controls) • As an executive, you need to understand your risk posture/maturity relative to your peer group • How your organization responds to a cyber incident is equally as important as the preventative measures taken to prevent an incident 3
- 4. Information Classification: Public WHAT IS CYBERSECURITY RISK MANAGEMENT? THE MANAGEMENT OF THE BUSINESS’ LEGAL, REGULATORY, OPERATIONAL, AND CLIENT RISKS THAT MAY RESULT FROM ITS USE OF INFORMATION, TECHNOLOGY, OR ASSOCIATED BUSINESS PROCESSES IN ORDER TO ALIGN WITH THE BUSINESS’ RISK APPETITE. CYBERSECURITY RISKS EXTEND BEYOND TECHNOLOGY. THE CONTROLS MUST BE EMBEDDED INTO THE BUSINESS PROCESS TO BE EFFECTIVE! 4
- 5. Information Classification: Public CYBERSECURITY RISK MANAGEMENT EXPECTATIONS In general, regulatory authorities want to provide businesses with a principles based risk approach to provide flexibility. Common guidance from the regulatory authorities (financial) is that controls should be appropriate based on The size and complexity of business operations The makeup of the customers and counterparties serviced The products and markets traded Access to trading venues and other industry participants (i.e., market interconnectedness) Depending on your sector and regional presence, your business may have more prescriptive requirements for cybersecurity controls (e.g., OCC Third Party Risk Management) The NIST Framework is recommended by different regulatory authorities but is not a silver bullet. Every organization must understand the risks relative to its business operations and the controls that are used to manage these risks 5
- 6. Information Classification: Public BOARD AND EXECUTIVE MANAGEMENT QUESTIONS • When do I know when I have spent enough on cybersecurity controls? (i.e., When have I spent too much on cybersecurity?) • How does our cybersecurity program stack up against our peers? • Is our business in compliance with our regulatory obligations for managing cybersecurity risks? • What are the legal / client / fiduciary / regulatory impacts for cybersecurity failures AND do we understand those impacts on business operations? • Could an event like Target / Sony / Anthem / Home Depot happen at our organization? • How do we know that we haven’t been hacked already? • Are we prepared to manage a cybersecurity incident and, if not, how long will it take for us to be appropriately prepared? 6
- 7. Information Classification: Public ARE WE SPEAKING THE SAME LANGUAGE AS THOSE WE NEED TO INFLUENCE? 7
- 8. Information Classification: Public LEGAL / REGULATORY OBLIGATIONS Every regulatory agency has a rule requiring the adoption and implementation of written policies and procedures reasonably designed to prevent violation of federal security laws As the CISO or CIRO, do you know the compliance rules relative to internal control requirements for your business? Client Contracts and Addendums As the CISO or CIRO, do you have visibility into client agreements being entered into by your business areas? Enforcement Actions As the CISO or CIRO, do you understand how fines and enforcement actions are being levied in your sector? Regulatory Focus There are a number of areas relative to cybersecurity risk management. Do you know where there regulatory focus is on the required controls? 8
- 9. Information Classification: Public OPERATIONAL IMPACTS Numerous cybersecurity risks are realized due to (1) the lack of demarcation of the business and technology responsibility for controls (2) inappropriate business processes to managing changing risk environment How does your business ensure that cybersecurity controls extend and are embedded into associated business processes? While many business have a technology incident response plan, they do not have an appropriate business incident response plan or crisis communication plan. Does your business have a crisis communication plan that includes engagement of external counsel, regulatory reporting, law enforcement engagement, media relations, client communications? The lack of understanding of how the business operates causes may lead to arduous and/or ineffective implementation of controls How do you train the individuals in your organization to look outside of the technology controls to those controls that are part of the business process? The maturity of your peer’s cybersecurity risk management program will contribute to your definition of reasonable and adequate controls. Do you know where the cybersecurity risk management program stacks up relative to your peer group? 9
- 10. Information Classification: Public Communicating cybersecurity risks and associated impacts through a common vernacular as the individuals you are trying to influence will increase your success with gaining the support required for your cybersecurity risk management program. 11
- 11. Information Classification: Public IMPORTANT POINTS Remember that you are competing for a limited pool of resources (e.g., money, personnel) with other risk and control organizations as well as the business revenue-generating programs You can’t fix everything at once! As an executive, you need to define and defend those risk gaps that you are addressing and demonstrate that you understand those areas that will also need additional focus Technology controls without business adoption will not decrease your business risks. These controls must be embedded into the business operational processes Understanding where your program is relative to your peer group will assist you with gaining executive program support and changes in the risk management posture within your industry 12
- 13. 14 CYBERSECURITY RULES/RULES INTERPRETATION AND GUIDANCE – INVESTMENT ADVISERS REGULATORY LANDSCAPE
- 14. Information Classification: Public Cybersecurity Rules / Rule Interpretations / Guidance Regulation S-P (including Safeguards Rule) Regulation S-ID (Identity Theft Red Flags) IAA Rule 206(4) – 7 and ICA Rule 38a-1 (Compliance Rules) IAA Rule 204-2(g) and ICA Rule 31a-2(f) (Electronic Recordkeeping Rules) ICA Rule 30a-3 (Internal Controls) CFTC Regulations, Part 160.30 FTC enforcement of Section 5 of FTCA OCC Bulletin 2013 – 29 Third Party Risk Management Guidance NFA Compliance Rules 2-9, 2-36 and 2-49 Interpretive Notice 15