CONFIDENTIAL
WASHINGTON, D.C. ATLANTA BRUSSELS DENVER
DUBAI HONG KONG LONDON MILAN NEW YORK PARIS SAN FRANCISCO SINGAPORE SYDNEY TOKYO TORONTO
How Cyber Threats Are Changing
The Risk Profiles of Banks
AIBA Quarterly Meeting
December 5, 2013
© 2013 Promontory Financial Group, LLC. All rights reserved.
Changing risk profiles
I. Interesting trends
II. Possible solutions
I. Interesting trends
Interesting trends
New technology has changed how consumers approach banking.
• “Banking is something I do, not a place I go.”
• Selecting a bank based on usability, not on products and services
Risks:
o Keeping up with technology: the “Red queen” problem
o A steady stream of new technology constantly introduces risks
Interesting trends, continued
Regulators, firms and courts are shifting risk around.
• Regulators have pushed third-party risk back to banks
o New OCC third-party guidelines
• Courts have pushed customer risk to banks
o Patco Construction v. Ocean Bank
• Entrepreneurs have developed a “cyber insurance” market
[Figure: “Cyber Risk” surrounded by the labels Regulators?, Cyber Insurers?, Banks?, Consumers]
Interesting trends, continued
Cyber attackers have new motives.
New reasons to target banks:
• Grievances against an entire industry, e.g. Occupy
• Grievances with specific banks, e.g. OP Avenge Assange DDoS
o PayPal, Visa and MasterCard targeted for blocking payments to Wikileaks.org
New reasons to use banks to gain access to other targets:
• Media attention, e.g. OPUSA DDoS
• Customer data
o Offshore tax-haven leaks
II. Possible solutions
Possible Solutions
Banks need industry-wide cooperation and sharing.
• Common set of standards
• Pressure for vendors and banks to meet best practices
o Do not wait for regulators
• Effective information sharing
o Threats, responses and outcomes
Possible Solutions
IT/IS strategies must shift from reaction to anticipation.
– Increase focus on predicting threats
• Fighting fires is still important, but leads to burnout, for staff and customers
• Encourage IT/IS staff to look further afield
What is the bank’s response when:
o A competitor gets hit
o The bank receives negative press
o The bank’s name shows up in Pastebin, or another hacker-friendly space
Alex Muentz, principal
Prior to joining Promontory, Alex was a senior associate at Picciotti and Schoenberg,
where he facilitated internal and external investigations by assessing physical security,
networks, systems, computers, smartphones, and other technologies for medium to large
companies. Alex frequently advises in litigation matters relating to the information
security community, including teaching about computer crime at the Temple University
Department of Criminal Justice, where he is an adjunct professor.
As an experienced network and system engineer, and white-hat hacker, he is an expert at
reverse engineering, penetration testing, electronic discovery, and network intrusion.
Alex previously was a contract attorney and team lead at several Philadelphia law firms,
where his work included investigations, due diligence, database and connection
diagnostics, and review of privilege logs in relation to litigations and subpoenas.
Prior to his career in law, Alex was a senior technician at Springboard Media, where he
collaborated with customers to perform technical support and design IT solutions. Prior
to working at Springboard Media, Alex tested systems for information security and
reliability at Vertex Pharmaceuticals where he specialized in data breaches and audits.
Alex earned a J.D. at Temple University and a B.S. in economics at Northeastern
University.