Will the next systemic crisis be cyber?

Published 2014 by Laure Molinier (Euroclear)
Arrow Institute conferences, http://conferences-institute.eu/


  1. Will the next systemic crisis be cyber? Arrow Institute conference, 25th September 2014. Laure Molinier, Yannic Dulieu.
  2. Agenda
     • Why could a cyber attack cause the next systemic crisis?
     • How can Operational Risk management cover cyber risks?
       ► Enterprise Risk Management (ERM) framework and cyber risks management
       ► Risks identification
       ► Assessment and reporting
       ► Monitoring
       ► Response strategies
     • Main learnings and conclusions
  3. A constantly evolving threat landscape
     Threat categories: Cyber « Hacktivism », Cyber War (governments, army), Cyber Espionage, Cyber Crime.
     Actors: “script kiddies”, criminals, activists / hacktivists, disgruntled employees.
     Note: script kiddies are sometimes portrayed in the media as bored, lonely teenagers seeking recognition from their peers.
  4. Cyber threats are diverse and continually evolving…
     • Cyber-protests, or “hacktivism”, have become popular and continue to grow in frequency.
       ► Anonymous group, Operation Payback
       ► End-users with limited technical know-how
       ► Distributed denial of service (DDoS) attacks or spam campaigns against selected companies and/or organisations
     • Social engineers obtain confidential information by manipulation or deceit.
     • Advanced Persistent Threats: sophisticated and clandestine means to gain continual intelligence/data on an individual or group of individuals, companies or governments.
       ► Highly targeted, thoroughly researched, amply funded, and tailored to a particular organisation, using multiple attack vectors and “low and slow” techniques to evade detection.
  5. Companies are evolving…
     • Less control over the provider (no penetration test allowed, …)
     • Centralisation of data from multiple companies
     • Privacy and commercial issues (Patriot Act, …)
     • Business continuity concerns…
  6. How much does it cost? We don’t know exactly, but… costs of cyber-crime to society are substantial. Some studies cite figures as high as $400 billion or $1 trillion!
     [Chart: impact on society by year, 2011–2014, vertical scale 0–1000; annotated “Based on reported impacts only…” and “? x10 x10”]
  7. How can Operational Risk manage cyber risks?
     • Euroclear case study
     • Enterprise Risk Management (ERM) framework and cyber risks management
       ► Risks identification
       ► Assessment and reporting
       ► Monitoring
       ► Response strategies
  8. An increasingly interconnected world
     • Euroclear is the world’s largest provider of settlement and related services for domestic and cross-border financial transactions.
     • Settles over 170 million transactions a year in 53 currencies.
     • Links with 44 markets across the globe.
     • > €780 billion of collateral outstanding every day.
     • > €573 trillion of transactions settled.
     • > 2,000 financial institution clients from 90 countries.
     • Holds client assets valued at €24 trillion.
     • 3,300 employees in 12 locations worldwide.
  9. Market infrastructure: multicurrency settlement and asset servicing
     • Central Securities Depository (CSD): Euroclear UK & Ireland, France, Netherlands, Belgium, Nordics (national securities). Settlement of a trade between a local buyer and a local seller, in a domestic security, with payment in the domestic currency.
     • International CSD: Euroclear Bank (international securities). Settlement of a trade wherever the counterparties are present (e.g. a Belgian buyer and a Japanese seller), in any international security, with payment in any currency.
  10. Enterprise Risk Management (ERM): what is the goal? Organise the chaos to ensure continuity.
     [Diagram: drivers (regulation, competition, industry, Eurozone, new products, technology evolution, staff, natural threats, client demand, technology issues, crisis, …) mapped onto the risk categories credit, liquidity, operational, market, business and strategic]
  11. Enterprise Risk Management key principles. The Euroclear ERM framework covers these areas of focus and ensures:
     • the right ownership and governance
     • a holistic approach
     • a dynamic approach
     • alignment with established market standards and regulations
     • coverage of business-as-usual and crisis management up to recovery and disaster
  12. Enterprise Risk Management in practice: how does it apply to cyber threats?
     • What are the relevant potential threats?
       ► Horizon scanning
       ► Business engagement
       ► Risk and scenario-based assessments on cyber
       ► Government and peer information sharing fora
       ► Post-mortem assessment
     • How effective are our controls? What is our maturity level?
     • Report Group Risk Profile and entity risk reports
     • Security programmes
     • Incident responses and crisis management
     • Simulation exercises
  13. Governance framework (risk management, governance & strategy)
     [Organisation chart: Board → Management Committee → Group Risk Committee → local Management Committees / Division Heads / Risk Management; four security domains (Business Continuity, Personnel Security, Physical Security, Logical Security), each with a Group Domain Security Manager and Local Domain Security Managers; employees and line management form the first line of defence, supported by control functions in the second and third lines of defence (Audit and Compliance) and by policies, procedures, control frameworks, tools and expert advice]
     • The Chief Security Officer oversees the implementation of the security framework covering the four security domains and ensures:
       ► Clarity of accountability
       ► The same level of control across the group
     • Risk specialists provide:
       ► Support to the first line of defence (framework and tools)
       ► Assurance to senior management on the adequacy and effectiveness of controls
  14. Awareness is key… (Culture)
     • Global security awareness programme
     • « One Minute Security Managers »
     • E-learning modules and tests:
       ► Phishing, smishing, vishing…
       ► Mobile devices, working outside of the office
       ► Social engineering…
  15. Understanding the cyber threats (Identify & assess)
     [Diagram of three scopes: Information Security risks (reported in Risk Management, the risk universe); Logical security risks (reported via the Corporate Risk analysis); “Cyber” related risks (Cyber Risk analysis)]
  16. Finding your way through many information sources… Establishing a cyber threat list (Identify & assess)
     Many external information sources:
     • US Department of Homeland Security (DHS)
     • Deloitte cyber threats list
     • Australian DoD
     • Information Security Forum (ISF)
     • SANS TOP 20 (controls)
     • ENISA cyber threats list
     • Febelfin threat list regarding mobile computing (used by the NBB)
     • BSI threat catalogue (German Gov.)
     Mitigation factors reference source: the SANS TOP 20 critical controls for effective cyber defence.
  17. Building a manageable threat list (Identify & assess). About 100 cyber threats grouped in 10 families:
     1. Threats to building infrastructure (including SCADA) & personnel
     2. Threats to IT networks
     3. Threats to IT systems / servers
     4. Threats to fixed end-points (such as workstations & thin clients)
     5. Threats related to mobile computing (corporate laptops/iPads, mobiles, BYOD, …)
     6. Threats to electronic communications / data in transit
     7. Threats to business applications
     8. Social media & social engineering threats
     9. Threats related to removable media
     10. Threats related to web hosting, together with SaaS
  18. Perform the risk assessment (Identify & assess)
     • Measure coverage and effectiveness of controls
     • Determine maturity levels
     • Combine self-assessment (HSA, RCSA) with second / third lines
     • Identify gaps and potential improvements
     Risk register (one row per cyber threat family 1–10 and asset 1–N):
       Cyber threat | Asset | Inherent risk | Mitigation controls* | Residual risk (H, M, L) | Identified gaps and potential improvements
       1            | …     | H             | 2,3,6,8,16           | …                       | …
       2            | …     | H             | 2,8,14               | …                       | …
       3            | …     | H             | 3,12,18              | …                       | …
       4            | …     | M             | 1,7,20               | …                       | …
       5 … 10       | … N   | L, M, H, …    | …                    | …                       | …
     * SANS TOP 20 Controls for effective cyber defence, internal control framework, ISO 27002, etc.
  19. Complement with scenario-based analysis (Identify & assess). Developing realistic scenarios around key business services and measuring readiness.
     • Scenarios: data theft or copying; data corruption / manipulation; denial of service attack; malware impacting service availability.
     • Attacker motivations: financial gain; intelligence; markets destabilisation; business disruption; making a point.
     • Impact analysis across key business services 1–5, with results reflected in the framework and response plans.
  20. Measure & report
     • Merge results from both approaches (technical assessment + scenarios): residual risks, identified control gaps & potential improvements, results from scenario-based analysis
     • Measure the company’s readiness for cyber attacks
     • Report Group Risk Profile and entity risk reports: risk-based priorities, exception-based reporting
     [Chart: security programme progress by quarter (1st–4th Qtr, scale 0–90) for DDoS protection, Awareness and Zoning]
     Security programmes:
     • Prevention: IPS, patching, zoning, data leakage prevention, awareness
     • Detection: IPS, …
     • Response: incident response, DDoS protection, testing
  21. Security incident response (Respond)
     • Escalation structure integrated into crisis management
     • Managing « potential » risks
  22. Integration into the company’s crisis management structure (Respond)
  23. Corporate response plans (Respond)
     • The company’s corporate response plans cover:
       ► Situation assessment
       ► Strategic intent!
       ► Technical response and
       ► Business response
       ► Communication to all audiences & stakeholders (clients, business counterparties, internal staff, regulators, board, press)
     • Security incident simulation and testing
     Cyber response plan (extract), tasks in order:
     • Monitoring and incident management
     • Assess criticality, escalate and appoint a coordinator
     • Convene the X-Silver or local Silver team and inform GOLD
     • Activate the crisis meeting (follow CM guidelines): assign chair / review team composition; start a log of actions; perform a situation briefing
     • Initial impact assessment: get the initial situational appraisal from IT:
       (1) What has happened?
       (2) Where? What are the entities / business services (potentially) impacted?
       (3) When was it discovered?
       (4) What is the impact? Will it get worse, and how?
       (5) What have we done to deal with it? Who is involved?
       (6) What decisions / actions need to be taken?
       Reference: crisis report format
     • Depending on the initial appraisal, what is the strategic intent: “Take such actions as to protect staff, business operations and safeguard our reputation”
     • Assess (potential) business impact: service unavailability, …
     • Identify upcoming deadlines
     • What are the available BCPs?
     • Notify the insurer? Emergency number of the ‘CyberEdge’ policy
     • Activate the X-Silver team (if not yet done) and ensure that other local Silver teams are activated
  24. A few challenges
     • Monitoring the threats to adapt strategies to their rapid evolution:
       ► Finding your way through multiple information sources
       ► Prioritising investments (defensive vs reactive)
     • Capturing potential impacts and activating responses in time
     • Adapting business continuity & recovery plans to manage conflicting objectives:
       ► Demanding Recovery Time Objectives (restart as soon as possible) are sometimes in contradiction with the technical response and the time needed to resolve a cyber incident
       ► Minimising the business impact potentially conflicts with the objective of protecting the company’s business and reputation (e.g. isolating systems, closing communication channels)
       ► Maintaining channels of communication with key stakeholders
     • Finally, cyber threats also present many challenges for national and international regulators (adapting their framework, legislation, cross-border cooperation…)
  25. Conclusions
     • The risk framework needs to be adapted to better capture and report on cyber-related risks (threats, controls and measurement).
     • Operational Risk Managers have an important role to play in cyber risk management.
     • Business engagement is essential!
       ► To understand the business impact of the threats and prioritise your security investments
       ► To support your awareness campaign (tone from the top)
     • Monitor threats, as they are constantly moving, and regularly re-assess your protection and your business continuity strategy.
     • Your turn will come whatever the strength of your defences, so getting ready and testing is crucial.
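A worked version of the slide 18 risk register, added here as an illustration and not part of the deck or of Euroclear's own tooling: it maps threat families to SANS Top 20 control numbers, derives a residual risk from control maturity, lists the control gaps, and checks which of the 20 controls no family references. The 0–4 maturity scale, the level-reduction rule, the gap threshold and the sample scores are all assumptions constructed for the example.

```python
"""Cyber risk register in the style of slide 18 (added example, not Euroclear's tool).
Assumptions: control maturity is scored 0-4; residual risk drops one level
(H -> M -> L) per two full points of average maturity across the mapped
controls; a mapped control scoring below GAP_THRESHOLD is a control gap."""
from dataclasses import dataclass

LEVELS = ["L", "M", "H"]       # ordered low to high
GAP_THRESHOLD = 2              # assumed: maturity below this is a gap

@dataclass
class Threat:
    family: str
    inherent: str              # "H", "M" or "L"
    controls: list[int]        # SANS Top 20 control numbers mapped to it

def residual_risk(inherent: str, maturities: list[int]) -> str:
    """Reduce the inherent level by the average maturity of the mapped controls."""
    if inherent not in LEVELS:
        raise ValueError(f"unknown risk level {inherent!r}")
    if not maturities:         # nothing mapped, so nothing mitigates it
        return inherent
    steps = int((sum(maturities) / len(maturities)) // 2)   # 0, 1 or 2 levels
    return LEVELS[max(0, LEVELS.index(inherent) - steps)]

def assess(threats: list[Threat], maturity: dict[int, int]) -> list[dict]:
    """One register row per threat family; an unscored control counts as 0."""
    return [{"family": t.family, "inherent": t.inherent, "controls": t.controls,
             "residual": residual_risk(t.inherent, [maturity.get(c, 0) for c in t.controls])}
            for t in threats]

def control_gaps(threats: list[Threat], maturity: dict[int, int]) -> list[tuple[str, int]]:
    """(family, control) pairs where a mapped control scores below the threshold."""
    return [(t.family, c) for t in threats for c in t.controls
            if maturity.get(c, 0) < GAP_THRESHOLD]

def unmapped_controls(threats: list[Threat], total: int = 20) -> list[int]:
    """Coverage check: SANS Top 20 controls that no threat family references."""
    used = {c for t in threats for c in t.controls}
    return sorted(set(range(1, total + 1)) - used)

# Constructed sample: families from slide 17, control mappings as on slide 18,
# maturity scores invented for illustration.
THREATS = [
    Threat("1. Building infrastructure (incl. SCADA) & personnel", "H", [2, 3, 6, 8, 16]),
    Threat("2. IT networks", "H", [2, 8, 14]),
    Threat("3. IT systems / servers", "H", [3, 12, 18]),
    Threat("4. Fixed end-points", "M", [1, 7, 20]),
    Threat("9. Removable media", "L", []),
]
MATURITY = {1: 4, 2: 3, 3: 1, 6: 3, 7: 4, 8: 2, 12: 2, 14: 4, 16: 3, 18: 1, 20: 4}
```

Families 1 and 2 drop to M on average maturity, family 3 stays H because two of its controls are immature, and family 9 keeps its inherent level since nothing is mapped to it, which is exactly the "identified gaps" column the slide asks for.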
