In a two hour live webcast, a panel of thought leaders and practitioners assembled by The Knowledge Group will discuss the significant and latest issues with respect to Hot Topics in Dealing with Banking Cyber Security.
Key topics include:
Digital Crime
Threat Overload
Case Studies
Heightened Regulatory Oversight
Threat Detection
Cyber-Attack Triage
Recent regulatory issues and updates
To view the webcast go to this link: http://youtu.be/Igr7zAcKndE
To learn more about the webcast please visit our website: http://theknowledgegroup.org
Hot Topics in Dealing with Banking Cyber Security LIVE Webcast
1. Speaker Firms and Organization:
United States Department of Homeland Security
Carlos P. Kizzee
Deputy Director, Stakeholder Engagement & Cyber Infrastructure Resilience
Thank you for logging into today’s event. Please note we are in standby mode. All Microphones will be muted until the event
starts. We will be back with speaker instructions @ 11:55am. Any Questions? Please email: Info@knowledgecongress.org
Group Registration Policy
Please note ALL participants must be registered or they will not be able to access the event.
If you have more than one person from your company attending, you must fill out the group registration form.
We reserve the right to disconnect any unauthorized users from this event and to deny violators admission to future events.
To obtain a group registration please send a note to info@knowledgecongress.org or call 646.202.9344.
Presented By:
June 19, 2014
1
Partner Firms:
Kane Russell Coleman & Logan PC
Kenneth Johnston
Shareholder
BAE Systems
Paul Henninger
Global Product Director
Bryan Cave LLP
Maria Z. Vathis
Of Counsel
United States Department of Homeland Security
2.
Follow us on Twitter, that’s @Know_Group to receive updates for this event as well as other news and pertinent info.
If you experience any technical difficulties during today’s WebEx session, please contact our Technical Support @ 866-779-3239.
You may ask a question at anytime throughout the presentation today via the chat window on the lower right hand side of your
screen. Questions will be aggregated and addressed during the Q&A segment.
Please note, this call is being recorded for playback purposes.
If anyone was unable to log in to the online webcast and needs to download a copy of the PowerPoint presentation for today’s
event, please send an email to: info@knowledgecongress.org. If you’re already logged in to the online webcast, we will post a link
to download the files shortly.
If you are listening on a laptop, you may need to use headphones as some laptops speakers are not sufficiently amplified enough to
hear the presentations. If you do not have headphones and cannot hear the webcast send an email to info@knowledgecongress.org
and we will send you the dial in phone number.
3.
About an hour or so after the event, you'll be sent a survey via email asking you for your feedback on your experience with this event
today - it's designed to take less than two minutes to complete, and it helps us to understand how to wisely invest your time in future
events. Your feedback is greatly appreciated. If you are applying for continuing education credit, completions of the surveys are
mandatory as per your state boards and bars. 6 secret words (3 for each credit hour) will be given throughout the presentation. We
will ask you to fill these words into the survey as proof of your attendance. Please stay tuned for the secret word.
Speakers, I will be giving out the secret words at randomly selected times. I may have to break into your presentation briefly to read
the secret word. Pardon the interruption.
4.
Welcome to the Knowledge Group Unlimited Subscription Programs. We have Two Options Available for You:
FREE UNLIMITED: This program is free of charge with no further costs or obligations. It includes:
Unlimited access to over 15,000 pages of course material from all Knowledge Group Webcasts.
Subscribers to this program can download any slides, white papers, or supplemental material covered during all live webcasts.
50% discount for purchase of all Live webcasts and downloaded recordings.
PAID UNLIMITED: Our most comprehensive and cost-effective plan, for a one-time fee:
Access to all LIVE Webcasts (Normally $199 to $349 for each event without a subscription). Including: Bring-a-Friend – Invite a
client or associate outside your firm to attend for FREE. Sign up for as many webcasts as you wish.
Access to all of Recorded/Archived Events & Course Material includes 1,500+ hours of audio material (Normally $299 for each
event without a subscription).
Free CLE/CPE/CE Processing (Normally $49 Per Course without a subscription).
Access to over 15,000 pages of course material from Knowledge Group Webcasts.
Ability to invite a guest of your choice to attend any live webcast Free of charge (Exclusive benefit only available for PAID
UNLIMITED subscribers).
6 Month Subscription is $299 with No Additional Fees Other options are available.
Special Offer: Sign up today and add 2 of your colleagues to your plan for free Check the “Triple Play” box on the sign-up
sheet contained in the link below.
https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
5.
Knowledge Group UNLIMITED PAID Subscription Programs Pricing:
Individual Subscription Fees: (2 Options)
Semi-Annual: $299 one-time fee for a 6 month subscription with unlimited access to all webcasts, recordings, and materials.
Annual: $499 one-time fee for a 12 month unlimited subscription with unlimited access to all webcasts, recordings, and materials.
Group plans are available. See the registration form for details.
Best ways to sign up:
1. Fill out the sign up form attached to the post conference survey email.
2. Sign up online by clicking the link contained in the post conference survey email.
3. Click the link below or the one we just posted in the chat window to the right.
https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
Discounts:
Enroll today and you will be eligible for the “Triple Play” program and 3% off if you pay by credit card. Also we will waive the $49
CLE/CPE processing fee for today’s conference. See the form attached to the post conference survey email for details.
Questions: Send an email to: info@knowledgecongress.org with “Unlimited” in the subject.
6. Partner Firms:
BAE Systems Applied Intelligence delivers solutions, which help
clients to protect and enhance their critical assets in the intelligence age.
Its intelligent protection solutions combine large-scale data exploitation,
‘intelligence-grade’ security and complex services and solutions
integration. The company operates in four key domains of expertise:
cyber security, financial crime, communications intelligence and digital
transformation.
Leading enterprises and government departments use the solutions to
protect and enhance physical infrastructure, mission-critical systems,
valuable intellectual property, corporate information, reputation and
customer relationships, competitive advantage and financial success.
For more information, please visit www.baesystems.com/ai.
United States Department of Homeland Security
7. Partner Firms:
Kane Russell Coleman & Logan PC is a full service law firm with
offices in Dallas and Houston. Formed in 1992 with five lawyers, today
KRCL has more than 80 attorneys. The firm provides professional
services for clients ranging from Fortune 500 companies to medium-
sized public and private companies to entrepreneurs. KRCL handles
transactional, litigation and bankruptcy matters throughout the U.S. and
China.
8. Brief Speaker Bios:
Carlos P. Kizzee
Carlos P. Kizzee is the Deputy Director of the Department of Homeland Security’s Stakeholder Engagement
and Cyber Infrastructure Resilience Division within the U.S. Department of Homeland Security’s Office of Cyber
Security and Communications. Mr. Kizzee has extensive experience in advising and conducting operational
coordination, information sharing, and collaboration among government and private sector. In his position as
Deputy Director, he oversees four branches of public-private cyber engagement encompassing Cyber
Education and Outreach Awareness, Federal and State Government Engagement, Industry Cyber
Engagement, and Critical Infrastructure Stakeholder Risk Assessments and Mitigations.
Paul Henninger
Paul has worked with a wide range of public sector, global financial and commercial institutions to manage the
fraud, compliance and security risks that have evolved rapidly over the last 10 years. He specializes in
practical, innovative approaches to building and using technology to solve the real challenges faced by these
organizations who are dealing with systematic attacks on their customers, data assets, and infrastructure. Paul
specializes in digital crime and financial crime threats and is a frequent media and analyst commentator on
digital criminality, security, technology and risk management. He advises financial institutions and government
agencies around the world.
9. Brief Speaker Bios:
► For more information about the speakers, you can visit: http://theknowledgegroup.org/event_name/hot-topics-in-dealing-with-banking-cyber-security-live-webcast/
Kenneth Johnston
Kenneth Johnston, a shareholder of Kane Russell Coleman & Logan PC, focuses his practice on class-action
and general commercial litigation with an emphasis on financial services, insolvency and creditor rights. He
routinely represents financial institutions in a variety of matters including data breach issues, general bank
operations, insolvency, material defensive litigation, and credit risk management. Kenneth was recently named
as one of the Best Lawyers in Dallas in Banking and Finance by D Magazine and has been ranked as one of
the top banking attorneys in Texas by Super Lawyers magazine since 2006.
Maria Z. Vathis
Maria Z. Vathis has a broad range of experience defending corporate clients in complex business litigation
matters, insurance coverage, and class actions involving alleged violations of federal statutes, including the
Telephone Consumer Protection Act. Ms. Vathis has represented financial institutions, loan servicers,
investment firms, law firms, brokers, attorneys and other professionals. She handles matters nationwide in
federal and state courts. Her practice also includes monitoring litigation for international insurers, advising on
risk management, evaluating existing insurance coverage, drafting insurance policy language and analyzing
insurance coverage under professional liability, cyber and first-party property insurance policies.
10. In a two hour live webcast, a panel of thought leaders and practitioners assembled by The Knowledge
Group will discuss the significant and latest issues with respect to Hot Topics in Dealing with Banking
Cyber Security.
Key topics include:
• Digital Crime
• Threat Overload
• Case Studies
• Heightened Regulatory Oversight
• Threat Detection
• Cyber-Attack Triage
• Recent regulatory issues and updates
11. Featured Speakers:
Paul Henninger
Global Product Director
BAE Systems Applied Intelligence
Kenneth Johnston
Shareholder
Kane Russell Coleman & Logan PC
Maria Z. Vathis
Of Counsel
Bryan Cave LLP
Carlos P. Kizzee
Deputy Director, Stakeholder Engagement & Cyber Infrastructure Resilience
United States Department of Homeland Security
12. Introduction
Paul has worked with a wide range of public sector, global financial and commercial institutions to manage
the fraud, compliance and security risks that have evolved rapidly over the last 10 years. He specializes in
practical, innovative approaches to building and using technology to solve the real challenges faced by
these organizations who are dealing with systematic attacks on their customers, data assets, and
infrastructure. Paul specializes in digital crime and financial crime threats and is a frequent media and
analyst commentator on digital criminality, security, technology and risk management. He advises financial
institutions and government agencies around the world.
Paul Henninger
Global Product Director
BAE Systems Applied Intelligence
13. Digital Crime Threats and Responses
Paul Henninger
Global Product Director
BAE Systems Applied Intelligence
14. Simple Digital Crime
15. Simple Digital Crime
Once installed
1) Configuration-driven – attacks different banks in different ways
2) Enables tailored attacks which are aware of withdrawal limits and other
factors
3) Can perform internal transfers and external payments
4) Downloadable mule IBAN – evade IBAN blacklists
5) Hijacks one-time tokens
6) Delay customer recognition of fraud – fake balance screens
16. The New Digital Crime
Fraud Challenge
• Definition: fraud attacks are attacks against a business process.
• Method: criminals seek to create or manipulate transactions.
Cyber Challenge
• Definition: cyber attacks are against information technology infrastructure.
• Method: criminals seek to steal data or control/disrupt systems.
Comms Challenge
• Definition: comms attacks are unauthorized or illegal use of communications technology.
• Method: criminals seek to use or manipulate comms systems to plan or facilitate crime.
Threat actor goals (across the three challenges):
• Financial Gain
• Information Theft
• Political / Economic Espionage
• Denial of Service / Sabotage
• Facilitate Crime
• Promote Ideology
• National Security Advantage
Paul Henninger
Global Product Director
BAE Systems Applied Intelligence
17. Common Defences
Common Defenses
Risk management and security can be enhanced by combining cyber, fraud and comms intelligence and correlating sources of threats to enable better detection and faster, more efficient investigation.
The same three layers apply to fraud defences, cyber defences and comms defences alike:
• Intel. sharing: shared intelligence on the threat
• X-function enrichment: augmentation with other risk sources
• Operations: integrated investigation tools
18.
19. Potential Impact – More Than Theft Of Funds
20. Organizational Impact of Digital Crime
• Detection level: automated integration of intelligence data; device reputation; endpoint hardening; detection systems integration
• Investigation level: information sharing; incident logging; multi-skilled operations teams
• Organisation level: org structure changes; risk management framework
21. Case Study: Retail Bank
Network penetration and surveillance
• Identify high value customer targets, profile their behaviour and formulate attack plan
• Surveillance - identify security procedures & protocols by attacking email accounts of staff who work in fraud, risk & security
• Attack the existing control systems e.g. change or remove limits on debit cards or for international funds transfer
• Exfiltration of account data to enable account compromise
Account Compromise
• Quietly compromise accounts – set up mules to receive transactions from compromised accounts
• Massive DDOS attack on website and phone systems - distraction
Cash Out
• Rapid movement of funds from target accounts to mule accounts
• Mule accounts move money offshore to multiple locations
• Funds withdrawn as cash at ATMs in multiple offshore locations
• Crypto/Ransomware left as threat to stop any legal pursuit / theft of sensitive data / blackmail of senior staff
22. Case Study: Insurance
Network penetration and surveillance
• Identify high value customer targets: long standing customers with no claims, high value vehicles, property
• Surveillance - identify security procedures & protocols by attacking email accounts of staff who work in fraud, risk & security
• Attack the existing control systems e.g. change or remove limits on payouts
• Exfiltration of policy holder data for account takeover
Account Compromise
• Massive DDOS attack on website and phone systems - distraction
Cash Out
• Claim against high value policies
• Funnel money through mule accounts to offshore locations and extract as ATM withdrawals
• Crypto/Ransomware left as threat to stop any legal pursuit / theft of sensitive data / blackmail of senior staff
23. Introduction
Carlos P. Kizzee is the Deputy Director of the Department of Homeland Security’s Stakeholder Engagement and
Cyber Infrastructure Resilience Division within the U.S. Department of Homeland Security’s Office of Cyber
Security and Communications. Mr. Kizzee has extensive experience in advising and conducting operational
coordination, information sharing, and collaboration among government and private sector. In his position as
Deputy Director, he oversees four branches of public-private cyber engagement encompassing Cyber Education
and Outreach Awareness, Federal and State Government Engagement, Industry Cyber Engagement, and Critical
Infrastructure Stakeholder Risk Assessments and Mitigations.
Mr. Kizzee also serves as the Program Manager of a Joint Program Office implementing key operational
information sharing and information sharing support program activities associated with Public-Private Threat
Information Sharing, Enhanced Cyber Security Services for Critical Infrastructure, and Implementing Trusted and
Secure Automation among public-private cyber data sharing. A graduate of the United States Naval Academy, Mr.
Kizzee has a Bachelor of Science degree in Mathematics, a Juris Doctor degree from the Georgetown University
Law Center, and a Master of Laws from the Judge Advocate General’s School of the Army at the University of
Virginia’s School of Law. In addition to being a retired Marine Corps Judge Advocate, Mr. Kizzee is a career
Federal civil servant with over ten years of Federal service.
Carlos P. Kizzee
Deputy Director, Stakeholder Engagement & Cyber Infrastructure Resilience
United States Department of Homeland Security
24. What is a “Best Case” Information Sharing Scenario?
The appropriate recipient timely receives actionable information of sufficient relevancy and in the most
optimal and manageable form and quantity of ingest required to inform their necessary decision or action;
with no resulting harm to the source, the recipient, or any reasonably foreseeable third party as a result of the
transaction.
Character of Data
• Relevant to Recipient interests
• No “noise”
• No redundancy
• Actionable by Recipient
• Informs/defines decision/action of value to the Recipient (including additional analysis)
• Timely transmitted to Recipient
• Recipient decision/action can be taken in time to be of maximum value to the Recipient
• Trustworthy
• Data and/or Source is of suitable credibility for decision/action
Nature of Impacts
• Recipient’s capture of data causes no harm to Source
Nature of transaction
• Transmission and capture involves minimal resource and delay (automated)
25. Common Barriers to “Best Case” Information Sharing
The appropriate recipient timely receives actionable information of sufficient relevancy and in the most
optimal and manageable form and quantity of ingest required to inform their necessary decision or
action; with no resulting harm to the source, the recipient, or any reasonably foreseeable third party as a
result of the transaction.
Data Insufficiency
• Insufficient data to inform decision/action
• Lack of awareness or appreciation of relevance of data
Poor data flow mapping
• Right data goes to the wrong Recipient
• Wrong data goes to the right Recipient
Trust
• Fear of harm chills Source sharing
• Recipient actions cause Source or others harm
“Threat Overload”
26. Threat Overload
Threat information timely shared in a volume that frustrates or impedes the Recipient’s ability to
successfully ingest, parse, and inform their necessary decision or action.
1. Too much data
2. Too much relevant data
27. Threat Overload
Threat information timely shared in a volume that frustrates or impedes the Recipient’s ability to
successfully ingest, parse, and inform their necessary decision or action.
Too much shared data
• “One-size” threat data does not “fit-all” of a non-uniform Recipient base
• Segmentation of recipients by their data requirements
• Map generated data against the relevant segmented requirements of recipients
• “I out source all of my IT.”
• “I conduct basic system administration of my network.”
• “I research, analyze, and develop mitigations for threats to my enterprise infrastructure.”
• “I develop and provide services and products to mitigate threats to networks and systems.”
• Data flow follows the map of generated data to the relevant recipient
• “Information Sharing” defined by recipient requirements segmentation and data flow mapping.
28. Threat Overload
Threat information timely shared in a volume that frustrates or impedes the Recipient’s ability to
successfully ingest, parse, and inform their necessary decision or action.
Too much relevant shared data
• A good problem to have is still a problem
• Enhance the quality of analysis
• Tools
• Tradecraft and skills
• Enhance capacity
• Analytical collaboration
• Tailored analytics
• Trust, credibility, and scoring of data and source
• Standard, structured data sharing profiles to enable auto ingest and parsing
• “Information Sharing” made scalable and sustainable by partnership, process, and coordination.
29. Threat Overload
The appropriate recipient timely receives actionable information of sufficient relevancy and in the most
optimal and manageable form and quantity of ingest required to inform their necessary decision or
action; with no resulting harm to the source, the recipient, or any reasonably foreseeable third party as a
result of the transaction.
• So what should I do differently?
• “Information Sharing” isn’t just sharing information, it is a data flow:
• defined by recipient requirements segmentation and data flow mapping, and
• made scalable and sustainable by partnership, processes, and coordination in the data flow.
Governance matters:
• What data is required?
• To whom?
• For what purpose(s)?
• Under what conditions?
• What uses will cause harm and are not permitted?
Information sharing arrangements and marriage?
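As an added example (not part of the deck or any DHS material), the following Python sketch implements the data flow the Threat Overload slides describe: recipients are segmented by the four self-descriptions quoted above, each shared record is mapped only onto segments that can act on it, and noise, redundancy, stale items, low-credibility sources and records whose handling conditions forbid an automated flow are filtered out with a stated reason. The segment names, the segment-to-data mapping, the handling field and every recipient and record value are constructed assumptions.

```python
"""Recipient-requirements segmentation and data-flow mapping for shared threat
information. Constructed example: segment names, the segment-to-data mapping
and all sample recipients/records are assumptions, not DHS data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Recipient segments, one per self-description quoted on the slide.
OUTSOURCED = "outsources_all_it"
SYSADMIN = "basic_sysadmin"
ANALYST = "threat_analyst"
VENDOR = "security_vendor"

# Which kinds of shared data each segment can actually act on (assumed mapping).
SEGMENT_NEEDS = {
    OUTSOURCED: {"advisory"},
    SYSADMIN: {"advisory", "patch", "indicator"},
    ANALYST: {"advisory", "patch", "indicator", "ttp", "sample_report"},
    VENDOR: {"indicator", "ttp", "sample_report"},
}


@dataclass
class ThreatRecord:
    record_id: str
    kind: str            # advisory | patch | indicator | ttp | sample_report
    sectors: set         # sectors the record is relevant to, or {"all"}
    credibility: float   # 0..1 scoring of data and source
    observed: datetime
    handling: str = "amber"   # "red" = must not flow through automated sharing
    dedup_key: str = ""       # stable key so a re-shared item is recognised


@dataclass
class Recipient:
    name: str
    segment: str
    sector: str
    min_credibility: float = 0.5
    seen: set = field(default_factory=set)   # keys already delivered


def route(record, recipients, now, max_age=timedelta(days=7)):
    """Map one record onto the recipients whose requirements it meets.

    Returns (delivered_names, {skipped_name: reason}). Each reason corresponds
    to one barrier from the slides: wrong recipient, noise, untrusted source,
    not timely, redundant, or a handling condition that forbids the flow."""
    delivered, skipped = [], {}
    key = record.dedup_key or record.record_id
    for r in recipients:
        if record.handling == "red":
            skipped[r.name] = "handling condition forbids automated flow"
        elif record.kind not in SEGMENT_NEEDS[r.segment]:
            skipped[r.name] = "not actionable by this segment"
        elif r.sector not in record.sectors and "all" not in record.sectors:
            skipped[r.name] = "noise: not relevant to recipient sector"
        elif record.credibility < r.min_credibility:
            skipped[r.name] = "below recipient credibility threshold"
        elif now - record.observed > max_age:
            skipped[r.name] = "stale: too late to inform a decision"
        elif key in r.seen:
            skipped[r.name] = "redundant: already delivered"
        else:
            r.seen.add(key)
            delivered.append(r.name)
    return delivered, skipped


NOW = datetime(2014, 6, 19, 12, 0, tzinfo=timezone.utc)


def make_recipients():
    """Constructed recipient base spanning the four segments."""
    return [
        Recipient("Community Bank A", OUTSOURCED, "banking"),
        Recipient("Regional Bank B", SYSADMIN, "banking"),
        Recipient("Bank C SOC", ANALYST, "banking", min_credibility=0.3),
        Recipient("Insurer D SOC", ANALYST, "insurance"),
        Recipient("Security Vendor E", VENDOR, "banking"),
    ]


SAMPLE_RECORDS = [  # constructed feed; the second item re-shares the first
    ThreatRecord("r1", "indicator", {"banking"}, 0.9, NOW - timedelta(hours=3), dedup_key="ioc-1"),
    ThreatRecord("r2", "indicator", {"banking"}, 0.9, NOW - timedelta(hours=1), dedup_key="ioc-1"),
    ThreatRecord("r3", "advisory", {"all"}, 0.4, NOW - timedelta(days=1)),
    ThreatRecord("r4", "ttp", {"banking"}, 0.8, NOW - timedelta(days=30)),
    ThreatRecord("r5", "indicator", {"insurance"}, 0.95, NOW, handling="red"),
]


def run_sample():
    """Route the constructed feed to a fresh recipient base; returns
    {record_id: [delivered recipient names]}."""
    recipients = make_recipients()
    return {rec.record_id: route(rec, recipients, NOW)[0] for rec in SAMPLE_RECORDS}


if __name__ == "__main__":
    for rid, names in run_sample().items():
        print(rid, "->", names or "(nobody)")
```

Only r1 reaches the three banking recipients that can act on an indicator; the re-share r2 is dropped everywhere as redundant, and the red-handling record r5 never enters the automated flow.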
30. Introduction
Kenneth Johnston, a shareholder of Kane Russell Coleman & Logan PC, focuses his practice on class-action and general
commercial litigation with an emphasis on financial services, insolvency and creditor rights. He routinely represents financial
institutions in a variety of matters including data breach issues, general bank operations, insolvency, material defensive
litigation, and credit risk management. Kenneth was recently named as one of the Best Lawyers in Dallas in Banking and
Finance by D Magazine and has been ranked as one of the top banking attorneys in Texas by Super Lawyers magazine
since 2006.
Kenneth Johnston
Shareholder
Kane Russell Coleman & Logan PC
31. The Feds are Watching
• OCC’s Semiannual Risk Perspective
• Cyber attacks are more frequent and more sophisticated
• Increasingly targeting smaller institutions
• Leads banks to implement new technologies, rely on third-party providers
• May adversely affect bank’s ability to identify and control risks
• Agencies have provided guidance focusing on corporate governance tools
32. The Feds are Watching
• FFIEC’s recent webinar: High Level Goals
• Set the tone and build a security culture
• Identify, measure, mitigate, and monitor risks
• Develop risk management processes scaled to risks and complexity of institution
• Align cybersecurity strategy with business strategy
• Create a governance process that ensures ongoing awareness and accountability
• Timely report cyber-vulnerabilities to senior management
• FFIEC will announce vulnerability and risk-mitigation assessments in late 2014
33. The Feds are Watching
• Federal Reserve guidance: managing outsourcing risk
• Outsourcing of processing, information technology services, and operational activities creates risk
• Carefully evaluate what information to provide to vendor: consider financial information, customer information, and CSI
• Ensure vendor compliance with privacy laws and regulations
34. The Feds are Watching
• Securities and Exchange Commission guidance
• 2011: SEC guidance requires disclosure of material information regarding cybersecurity risks
• SEC’s Recent Roundtable
• Cybersecurity is SEC’s “number one global threat”
• SEC says it must play a role, but the nature of that role is still emerging
35. The Feds are Watching
• Other Government actors:
• The White House 2013 Executive Order on cybersecurity encourages policy coordination and information sharing among federal agencies
• FBI says that resources devoted to cyber threats will soon eclipse resources devoted to terrorism
• FDIC statement: banks must be aware of threats and use government-sponsored resources
36. Detecting the Threats
• We will continue to see cyber threats and material data breaches.
37. Detecting the threats
• What will those threats look like in the financial services arena?
• An event that puts an individual’s name plus social security number, financial record, or debit card at risk—whether in digital or paper format
• An event that puts a company and its deposits at risk—wire fraud
• Data breaches may occur from malicious criminal attacks, system glitches, or human error
• Breaches may include atypical catastrophic or mega data breaches running into the millions of records—e.g., TJ MAXX or Target
• A breach may be more typical, ranging from as few as a single compromised record to 100,000 compromised records
38. Detecting the threats
• Who initiates cyber threats?
39. Detecting the threats
• Examples of threats
• Wrongdoers attack larger banks through Distributed Denial of Service (DDoS):
o These attacks interrupt the ability to do business
o Some allege that Iran took an active role in a recent DDoS attack
• Both large and small banks experience phishing and malware attacks targeting consumers
o Criminals install malware on a victim’s computer to access passwords and other critical information
o They drain deposit accounts
• Corporate accounts provide lucrative opportunities for phishing and malware attacks
o Deposits typically exceed consumer accounts
o Not so much a bank security issue as a customer security issue
o Criminals issue unauthorized wires (not uncommon to see six-figure problems)
• Hacktivists unlawfully access systems to make an example or to prove points
40. Detecting the threats
• Understand the evolution of the threat environment—either follow the technology or hunt the hunter
• 1950s and 60s saw an increase in paper check fraud that continues today (more reliance on machines)
• ATM Machines (increased access points)
• Internet Banking (increased access points and outsourcing)
• Mobile Banking (continuing to increase access points and tapping into the unbanked market)
• Mobile Payment Systems (uncharted territory)
41. Cyber-Attack Triage: Process Is Key
This is a fine metaphor, but it’s not the right way to think about cyber
attacks.
Fixing leaks is losing the battle.
42. Cyber-Attack Triage: Process Is Key
43. Cyber-Attack Triage: Process Is Key
• The First 24 Hours Checklist
Panicking won’t get you anywhere once you’ve discovered a data breach. Accept that it’s happened and
immediately contact your legal counsel for guidance on initiating these 10 critical steps:
1) Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin, i.e. when someone on the response team is alerted to the breach.
2) Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan.
3) Secure the premises around the area where the data breach occurred to help preserve evidence.
4) Stop additional data loss. Take affected machines offline but do not turn them off or start probing into the computer until your forensics team arrives.
5) Document everything known thus far about the breach: who discovered it, who reported it, to whom was it reported, who else knows about it, what type of breach occurred, what was stolen, how was it stolen, what systems are affected, what devices are missing, etc.
44. Cyber-Attack Triage: Process Is Key
• The First 24 Hours Checklist (continued)
6) Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation.
7) Review protocols regarding disseminating information about the breach for everyone involved in this early stage.
8) Assess priorities and risks based on what you know about the breach.
9) Bring in your forensics firm to begin an in-depth investigation.
10) Notify law enforcement, if needed, after consulting with legal counsel and upper management.
45. Cyber-Attack Triage: Process Is Key
• Notification: When and how should you notify?
• Certain state laws and federal regulations shrink the timeline to 30 or 45 days.
• Some states mandate specific content for you to include in customer notification letters. This can include toll-free numbers and addresses for the three major credit bureaus, the FTC and a state’s attorney general.
• Contact with law enforcement is important. Notification may be delayed if law enforcement believes it would interfere with an ongoing investigation.
• Multiple state laws may apply to one data breach.
• If some affected individuals live in a state that mandates notification and others live in a state that doesn’t, you may need to notify everyone.
• Some recipients will think the notification letter itself is a scam.
46. Cyber-Attack Triage: Process Is Key
What does the financial institution’s in-house legal team need to do before a breach occurs?
• Establish relationships with any necessary external counsel now – not after the breach.
• Review and stay up to date on state and federal laws governing data breaches in the financial institutions sector.
• Direct the creation of a concrete, written, and fully vetted response policy.
Then, when a breach occurs, counsel can quickly determine whether it is necessary
to notify affected individuals, the media, law enforcement, government agencies and
other third parties, such as card holder issuers.
47. Introduction
Maria Z. Vathis has a broad range of experience defending corporate clients in complex business litigation matters,
insurance coverage, and class actions involving alleged violations of federal statutes, including the Telephone Consumer
Protection Act.
Ms. Vathis has represented financial institutions, loan servicers, investment firms, law firms, brokers, attorneys and other
professionals. She handles matters nationwide in federal and state courts. Her practice also includes monitoring litigation
for international insurers, advising on risk management, evaluating existing insurance coverage, drafting insurance policy
language and analyzing insurance coverage under professional liability, cyber and first-party property insurance policies.
Phone: (312) 602-5127
Email: maria.vathis@bryancave.com
June 19, 2014
47
Maria Z. Vathis
Of Counsel
Bryan Cave LLP
48. Trends in Privacy & Security Class Actions
Shifting attack vectors, scanning for vulnerabilities and leveraging zero day exploits – these terms
describe the plaintiffs’ class action bar just as easily as they do hackers. This quarter’s analysis of the
types of complaints filed by the Plaintiffs’ bar, and the ways in which those complaints have been
structured, shows an increase in class action filing and an ongoing evolution by the plaintiffs’ bar to identify
the “right” strategy for obtaining damages or leveraging settlement value.
The following are key findings concerning data-related complaints filed by the plaintiffs’ bar over the most
recently reported quarter (2014 – Q1):
• A total of 178 data-related class action complaints were filed.
• Despite overwhelming media attention on payment card related data security breaches, the majority of
complaints (77%) involve data privacy (collection, use and sharing) as opposed to data security
(safeguarding and breach) (23%). As a result, while data security litigation is on the rise when
compared to the previous quarter, it remains a minority of overall litigation.
* Source: Shahin Rothermel and David Zetoony, “Shifting Trends: Privacy & Security Class Action
Litigation,” Bryan Cave Data Privacy & Security Bulletin, June 2014.
49. Additional Litigation Statistics
• Complaints against Target accounted for more than 50% of all data security-related filings.
• Telemarketing remained the most common primary legal theory alleged (64%).
• The U.S. District Court for the Central District of California (25%) replaced the Northern District of
Illinois (15%) as the most popular federal forum for filing.
• In terms of industry sectors, retail (21%), debt collection (16%), financial services (7%), and marketing
(7%) received the largest number of complaints.
• 96% of complaints filed in federal courts in the first quarter alleged putative national classes.
• Consumers’ mobile phone numbers were the leading type of data at issue (44%), followed by credit
and debit card information (18%) and fax numbers (17%).
• Over 100 plaintiffs’ firms were involved in data-related litigation. The vast majority of firms filed fewer
than four complaints.
50. Bryan Cave Data Breach Hotline
Hackers don't stop working at 5:00... and neither do we. Data breaches can and do occur at any time, day
or night. When a security breach occurs, preventing liability often means analyzing facts, identifying legal
obligations, and taking steps to prevent or mitigate harm within the first minutes and hours of becoming
aware of a breach.
That's why an attorney from our global Bryan Cave Data Privacy and Security Practice is on-call for clients
whenever and wherever a breach occurs: 24 hours a day, 7 days a week.
51. CLE PROCESSING
The Knowledge Group offers complete CLE processing solutions for your webcasts and land events. This comprehensive service
includes everything you need to offer CLE credit at your conference:
Complete end-to-end CLE credit Solutions
Setting up your marketing collateral properly.
Completing and filing all of the applications to the state bar.
Guidance on how to structure content to meet course material requirements for the state Bars.
Sign up forms to be used to check & confirm attendance at your event.
Issuing official Certificates of Attendance for credit to attendees.
Obtaining CLE credit varies from state to state and the rules can be complex. The Knowledge Group will help you navigate the
complexities via complete cost effective CLE solutions for your conferences.
Most CLE processing plans are just $499 plus filing fees and postage.
To learn more email us at info@knowledgecongress.org or CALL 646-202-9344
52. PRIVATE LABEL PROGRAM & INTERNAL TRAINING
The Knowledge Group provides complete private label webcasts and in-house training solutions. Developing and executing webcasts can
be a huge logistical nightmare. There are a lot of moving parts, and developing a program that is executed smoothly and cost effectively can
prove to be a significant challenge for companies that do not produce events on a regular basis. Live events require a high level of
proficiency to execute well. Our producers will plan and develop your webcast for you and our webcast technicians will
execute your live event with expert precision. We have produced over 1000 live webcasts. Put our vast expertise to work for you. Let us
develop a professional webcast for your firm that will impress all your clients and internal stakeholders.
Private Label Programs Include:
Complete Project Management
Topic Development
Recruitment of Speakers (Or you can use your own)
Marketing Material Design
PR Campaign
Marketing Campaign
Event Webpage Design
Slides: Design and Content Development
Speaker coordination: Arranging & Executing Calls, Coordinating Slides & Content
Attendee Registration
Complete LIVE Event Management for Speaker and Attendees including:
o Technical Support
o Event Moderator
o Running the Live event (All Aspects)
o Multiple Technical Back-ups & Redundancies to Ensure a Perfect Live Event
o Webcast Recording (MP3 Audio & MP4 Video)
o Post Webcast Performance Survey
CLE and CPE Processing
Private Label Programs Start at just $999
53. RESEARCH & BUSINESS PROCESS OUTSOURCING
The Knowledge Group specializes in highly focused and intelligent market and topic research. Outsource your research projects and business processes to our
team of experts. Normally we can run programs for less than 50% of what it would cost you to do it in-house.
Here are some ideal uses for our services:
Market Research and Production
o List Research (Prospects, Clients, Market Evaluation, Sales Lists, Surveys)
o Design of Electronic Marketing Collateral
o Executing Online Marketing Campaigns (Direct Email, PR Campaigns)
o Website Design
o Social Media
Analysis & Research
o Research Companies & Produce Reports
o Research for Cases
o Specialized Research Projects
eSales (Electronic Inside Sales – Email and Online)
o Sales Leads Development
o eSales Campaigns
Inside sales people will prospect for leads, contact them and coordinate with your sales team to follow up.
Our inside eSales reps specialize in developing leads for big-ticket enterprise level products and services.
o Electronic Database Building – Comprehensive service which includes development of sales leads, contacting clients, scoring leads, adding notes
and transferring the entire data set to you for your internal sales reps.
eCustomer Service (Electronic Inside Sales – Email and Online)
o Real-Time Customer Service for Your clients
Online Chat
Email
o Follow-Up Customer Service
Responds to emails
Conducts Research
Replies Back to Your Customer
Please note these are just a few ways our experts can help with your Business Process Outsourcing needs. If you have a project not specifically listed
above please contact us to see if we can help.
54. Q&A:
► You may ask a question at any time throughout the presentation today. Simply click on the question mark icon located on the floating tool bar on the bottom right side of your screen. Type
your question in the box that appears and click send.
► Questions will be answered in the order they are received.
Paul Henninger
Global Product Director
BAE Systems Applied Intelligence
paul.henninger@baesystems.com
Kenneth Johnston
Shareholder
Kane Russell Coleman & Logan PC
kjohnston@krcl.com
Maria Z. Vathis
Of Counsel
Bryan Cave LLP
maria.vathis@bryancave.com
Carlos P. Kizzee
Deputy Director, Stakeholder Engagement & Cyber Infrastructure
Resilience
United States Department of Homeland Security
carlos.kizzee@HQ.DHS.GOV
55. Welcome to the Knowledge Group Unlimited Subscription Programs. We have Two Options Available for You:
FREE UNLIMITED: This program is free of charge with no further costs or obligations. It includes:
Unlimited access to over 15,000 pages of course material from all Knowledge Group Webcasts.
Subscribers to this program can download any slides, white papers, or supplemental material covered during all live webcasts.
50% discount for purchase of all Live webcasts and downloaded recordings.
PAID UNLIMITED: Our most comprehensive and cost-effective plan, for a one-time fee:
Access to all LIVE Webcasts (Normally $199 to $349 for each event without a subscription). Including: Bring-a-Friend – Invite a
client or associate outside your firm to attend for FREE. Sign up for as many webcasts as you wish.
Access to all of Recorded/Archived Events & Course Material includes 1,500+ hours of audio material (Normally $299 for each
event without a subscription).
Free CLE/CPE/CE Processing (Normally $49 Per Course without a subscription).
Access to over 15,000 pages of course material from Knowledge Group Webcasts.
Ability to invite a guest of your choice to attend any live webcast Free of charge. (Exclusive benefit only available for PAID
UNLIMITED subscribers.)
6 Month Subscription is $299 with No Additional Fees. Other options are available.
Special Offer: Sign up today and add 2 of your colleagues to your plan for free. Check the “Triple Play” box on the sign-
up sheet contained in the link below.
https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
56. Knowledge Group UNLIMITED PAID Subscription Programs Pricing:
Individual Subscription Fees: (2 Options)
Semi-Annual: $299 one-time fee for a 6 month subscription with unlimited access to all webcasts, recordings, and materials.
Annual: $499 one-time fee for a 12 month unlimited subscription with unlimited access to all webcasts, recordings, and materials.
Group plans are available. See the registration form for details.
Best ways to sign up:
1. Fill out the sign up form attached to the post conference survey email.
2. Sign up online by clicking the link contained in the post conference survey email.
3. Click the link below or the one we just posted in the chat window to the right.
https://gkc.memberclicks.net/index.php?option=com_mc&view=mc&mcid=form_157964
Discounts:
Enroll today and you will be eligible for the “Triple Play” program and 3% off if you pay by credit card. Also we will waive the $49
CLE/CPE processing fee for today’s conference. See the form attached to the post conference survey email for details.
Questions: Send an email to: info@knowledgecongress.org with “Unlimited” in the subject.
57. ABOUT THE KNOWLEDGE GROUP, LLC.
The Knowledge Group, LLC is an organization that produces live webcasts which examine regulatory
changes and their impacts across a variety of industries. “We bring together the world's leading
authorities and industry participants through informative two-hour webcasts to study the impact of
changing regulations.”
If you would like to be informed of other upcoming events, please click here.
Disclaimer:
The Knowledge Group, LLC is producing this event for information purposes only. We do not intend to
provide or offer business advice.
The contents of this event are based upon the opinions of our speakers. The Knowledge Congress
does not warrant their accuracy and completeness. The statements made by them are based on their
independent opinions and do not necessarily reflect The Knowledge Congress' views.
In no event shall The Knowledge Congress be liable to any person or business entity for any special,
direct, indirect, punitive, incidental or consequential damages as a result of any information gathered
from this webcast.
Certain images and/or photos on this page are the copyrighted property of 123RF Limited, their
Contributors or Licensed Partners and are being used with permission under license. These images
and/or photos may not be copied or downloaded without permission from 123RF Limited