CONFIDENTIAL

WASHINGTON, D.C. ATLANTA BRUSSELS DENVER DUBAI HONG KONG LONDON MILAN NEW YORK PARIS SAN FRANCISCO SINGAPORE SYDNEY TOKYO TORONTO

How Cyber Threats Are Changing The Risk Profiles of Banks
AIBA Quarterly Meeting
December 5, 2013

© 2013 Promontory Financial Group, LLC. All rights reserved.

Changing risk profiles
I. Interesting trends
II. Possible solutions

I. Interesting trends

Interesting trends
New technology has changed how consumers approach banking.
• “Banking is something I do, not a place I go.”
• Selecting a bank based on usability, not on products and services
Risks:
  o Keeping up with technology: the “Red queen” problem
  o Constant new technology constantly introduces risks

Interesting trends, continued
Regulators, firms and courts are shifting risk around.
• Regulators have pushed third-party risk back to banks
  o New OCC third-party guidelines
• Courts have pushed customer risk to banks
  o Patco Construction v Ocean Bank
• Entrepreneurs have developed a “cyber insurance” market
[Diagram labels: Cyber Risk; Regulators?; Cyber Insurers?; Banks?; Consumers]

Interesting trends, continued
Cyber attackers have new motives.
New reasons to target banks:
• Grievances against an entire industry, e.g. Occupy
• Grievances with specific banks, e.g. OP Avenge Assange DDoS
  o PayPal, Visa and MasterCard targeted for blocking payments to Wikileaks.org
New reasons to use banks to gain access to other targets:
• Media attention, e.g. OPUSA DDoS
• Customer data
  o Offshore tax-haven leaks

II. Possible solutions

Possible Solutions
Banks need industry-wide cooperation and sharing.
• Common set of standards
• Pressure for vendors and banks to meet best practices
  o Do not wait for regulators
• Effective information sharing
  o Threats, responses and outcomes

Possible Solutions
IT/IS strategies must shift from reaction to anticipation.
– Increase focus on predicting threats
• Fighting fires is still important, but leads to burnout, for staff and customers
• Encourage IT/IS staff to look further afield
What is the bank’s response when:
  o A competitor gets hit
  o The bank receives negative press
  o The bank’s name shows up on Pastebin, or another hacker-friendly space

Alex Muentz, principal
Prior to joining Promontory, Alex was a senior associate at Picciotti and Schoenberg, where he facilitated internal and external investigations by assessing physical security, networks, systems, computers, smartphones, and other technologies for medium to large companies. Alex frequently advises in litigation matters relating to the information security community, including teaching about computer crime at the Temple University Department of Criminal Justice, where he is an adjunct professor. As an experienced network and system engineer, and white-hat hacker, he is an expert at reverse engineering, penetration testing, electronic discovery, and network intrusion. Alex previously was a contract attorney and team lead at several Philadelphia law firms, where his work included investigations, due diligence, database and connection diagnostics, and review of privilege logs in relation to litigations and subpoenas. Prior to his career in law, Alex was a senior technician at Springboard Media, where he collaborated with customers to perform technical support and design IT solutions.
Prior to working at Springboard Media, Alex tested systems for information security and reliability at Vertex Pharmaceuticals where he specialized in data breaches and audits. Alex earned a J.D. at Temple University and a B.S. in economics at Northeastern University.