1. Will the next systemic crisis be cyber?
Arrow Institute conference, 25th September 2014
Laure Molinier, Yannic Dulieu
2. Agenda
• Why could a cyber attack cause the next systemic crisis?
• How can Operational Risk management cover cyber risks?
► Enterprise Risk Management (ERM) framework and cyber risks management
► Risks identification
► Assessment and reporting
► Monitoring
► Response strategies
• Main learnings and conclusions
3. A constantly evolving threat landscape
Threat categories: Cyber « Hacktivism », Cyber War (governments, army), Cyber Espionage, “Script kiddies”, Cyber Crime.
Threat actors: script kiddies, criminals, activists / hacktivists, disgruntled employees.
Script kiddies are sometimes portrayed in media as bored, lonely teenagers seeking recognition from their peers.
4. Cyber threats are diverse and continually evolving…
• Cyber-protests, or “hacktivism”, have become popular and continue to grow in frequency.
► Anonymous group, Operation Payback
► End-users with limited technical know-how
► Distributed denial of service (DDoS) attacks or spam campaigns on selected companies and/or organisations
• Social engineers obtain confidential information by manipulation or deceit.
• Advanced Persistent Threats: sophisticated and clandestine means to gain continual intelligence/data on an individual, or group of individuals, companies or governments.
• Highly targeted, thoroughly researched, amply funded, and tailored to a particular organisation, using multiple attack vectors and “low and slow” techniques to evade detection.
5. Companies are evolving…
• Less control on the provider (no penetration test allowed, …);
• Centralisation of data from multiple companies;
• Privacy & commercial issues (Patriot Act, …);
• Business continuity concerns…
6. How much does it cost? We don’t know exactly, but…
Costs of cyber-crime to society are substantial.
Some studies cite figures as high as $400 billion or $1 trillion!
[Chart: “Impact on society”, 2011 to 2014, axis 0 to 1000, annotated “?”, “x10”, “x10”; based on reported impacts only…]
7. How can Operational Risk manage cyber risks?
• Euroclear case study
• Enterprise Risk Management (ERM) framework and cyber risks management
► Risks identification
► Assessment and reporting
► Monitoring
► Response strategies
8. A growingly interconnected world
• Euroclear is the world’s largest provider of settlement and related services for domestic and cross-border financial transactions.
• Settles over 170 million transactions a year in 53 currencies.
• We have links with 44 markets across the globe.
• > € 780 billion of collateral outstanding every day
• > € 573 trillion transactions settled
• > 2,000 financial institution clients from 90 countries
• Holds client assets valued at €24 trillion.
• 3,300 employees in 12 locations worldwide.
9. Market infrastructure: multicurrency settlement and asset servicing
Central Securities Depository (CSD) – Euroclear UK & Ireland, France, Netherlands, Belgium, Nordics – national securities. Settlement of a trade:
– local buyer and local seller
– in a domestic security
– payment in the domestic currency
International CSD – Euroclear Bank – international securities. Settlement of a trade (e.g. Belgian buyer, Japanese seller):
– wherever the counterparties are present
– in any international security
– payment in any currency
10. Enterprise Risk Management (ERM)
What is the goal? Organise the chaos to ensure continuity.
External drivers: regulation, competition, industry, Eurozone, new products, technology evolution, staff, natural threats, client demand, technology issues, crisis, …
Risk categories: credit, liquidity, operational, market, business, strategic.
11. Enterprise Risk Management – key principles
The Euroclear Enterprise Risk Management (ERM) framework covers these areas of focus and ensures:
• the right ownership and governance
• a holistic approach
• a dynamic approach
• alignment with established market standards and regulations
• coverage of business-as-usual and crisis management up to recovery and disaster
12. Enterprise Risk Management in practice – how does it apply to cyber threats?
Identify & assess:
• What are the relevant potential threats?
• Horizon scanning
• Business engagement
• Risk and scenario-based assessments on cyber
• Government and peer information sharing fora
• Post-mortem assessment
Measure & report:
• How effective are our controls?
• What is our maturity level?
• Report Group Risk Profile and entity risk reports
Respond:
• Security programmes
• Incident responses and crisis management
• Simulation exercises
13. Governance framework – risk management, governance & strategy
Governance chain: Board → Management Committee → Group Risk Committee → Local MC / Division Heads / Risk Mgt.
Four security domains: Business Continuity, Personnel Security, Physical Security, Logical Security, each with a Group Domain Security Manager and Local Domain Security Managers.
First line of defence: employees and line management, supported by policies, procedures, control frameworks, tools and expert advice. Second and third lines of defence: control functions, Audit and Compliance.
• Chief Security Officer oversees the implementation of the Security framework covering the 4 security domains and ensures:
► Clarity of accountability
► Same level of control across the group
• Risk specialists provide:
► Support to first line of defence (framework and tools)
► Assurance to senior management on adequacy and effectiveness of controls.
14. Culture: awareness is key…
• Global security awareness programme
• « One Minute Security Managers »
• E-learning modules and tests:
► Phishing, smishing, vishing…
► Mobile devices, working outside of the office
► Social engineering…
15. Identify & assess: understanding the cyber threats
• Information Security risks (reporting in Risk Management – Risk Universe)
• Logical security risks (reported via the Corporate Risk analysis)
• “Cyber” related risks (Cyber Risk analysis)
16. Identify & assess: finding your way through many information sources…
Establishing a cyber threat list. The reference source for mitigation factors is the SANS TOP 20 critical controls for effective cyber defence.
Many external information sources:
• US Department of Homeland Security (DHS)
• Deloitte cyber threats list
• Australian DoD
• Information Security Forum (ISF)
• SANS TOP 20 (controls)
• ENISA cyber threats list
• Febelfin threat list regarding mobile computing (used by the NBB)
• BSI threat catalogue (German Gov.)
17. Identify & assess: building a manageable threat list
About 100 cyber threats grouped in 10 families:
1. Threats to building infrastructure (including SCADA) & personnel
2. Threats to IT networks
3. Threats to IT systems / servers
4. Threats to fixed end-points (such as workstations & thin clients)
5. Threats related to mobile computing (corporate laptops/iPads, mobiles, BYOD, ...)
6. Threats to electronic communications / data in transit
7. Threats to business applications
8. Social media & social engineering threats
9. Threats related to removable media
10. Threats related to web hosting, together with SaaS
18. Identify & assess: perform the risk assessment
• Measure coverage and effectiveness of controls
• Determine maturity levels
• Combine self assessment (HSA, RCSA) with second / third lines
• Identify gaps and potential improvements
[Matrix: the 10 cyber threat families (1 to 10) crossed with assets (1 to N); for each cell an inherent risk rating (H, M, L), the mitigation controls* that apply (referenced by control number, e.g. 2,3,6,8,16 or 2,8,14 or 3,12,18 or 1,7,20) and the resulting residual risk (H, M, L). Output: identified gaps and potential improvements.]
* SANS TOP 20 Controls for effective cyber defence, Internal Control framework, ISO 27002, etc.
19. Identify & assess: complement with scenario based analysis
Developing realistic scenarios around key business services and measuring readiness.
Scenario types: data theft or copying; data corruption / manipulation; denial of service attack; malware impacting services availability.
Each scenario is mapped against the key business services (1 to 5) and against attacker motives: financial gain, intelligence, markets destabilisation, business disruption, make a point.
Impact analysis → results (reflected in framework and response plans).
20. Measure & report
• Merge results from both approaches (technical assessment + scenarios)
• Measure company’s readiness to cyber attacks
• Report Group Risk Profile and entity risk reports
Inputs: residual risks; identified control gaps & potential improvements; results from scenario based analysis.
Outputs: risk based priorities; exception based reporting; security programmes.
[Chart: progress of security programmes (DDoS protection, awareness, zoning) by quarter, 1st to 4th Qtr, scale 0 to 90]
Security programmes:
• Prevention: IPS, patching, zoning, data leakage prevention, awareness
• Detection: IPS, ..
• Response: incident response, DDoS protection, testing
23. Respond: corporate response plans
• Company’s corporate response plans covering
► Situation assessment
► Strategic intent!
► Technical response and
► Business response
► Communication to all audiences & stakeholders (clients, business counterparties, internal staff, regulators, board, press)
• Security incidents simulation and testing
Cyber response plan (extract) – tasks:
Monitoring and incident management
Assess criticality, escalate and appoint coordinator
Convene X-Silver or local Silver Team and inform GOLD
Activate the crisis meeting (follow CM guidelines)
- Assign chair / review team composition.
- Start log of actions.
Perform situation briefing
INITIAL IMPACT ASSESSMENT
Get initial situational appraisal from IT:
• (1) What has happened?
• (2) Where? What are the entities / business services (potentially) impacted?
• (3) When was it discovered?
• (4) What is the impact? Will it get worse and how?
• (5) What have we done to deal with it? Who is involved?
• (6) What decisions / actions need to be taken?
• Reference: crisis report format
• Dependent on initial appraisal, what is the strategic intent: “Take such actions as to protect staff, business operations and safeguard our reputation”
• Assess (potential) business impact: services unavailability, …
• Identify upcoming deadlines
• What are the available BCPs?
• Notify the insurer? Emergency number of the ‘CyberEdge’ policy
• Activate X-Silver team (if not yet done) and ensure that other local Silver teams are activated
24. A few challenges
• Monitoring the threats to adapt strategies to their rapid evolution:
► Finding your way through multiple information sources
► Prioritising investments (defensive vs reactive)
• Capturing potential impacts and activating responses in time
• Adapting business continuity & recovery plans to manage conflicting objectives:
► Demanding Recovery Time Objectives (restart as soon as possible) are sometimes in contradiction with the technical response and the time needed to resolve a cyber incident
► Minimising the business impact will potentially conflict with the objective to protect the company’s business and reputation (e.g. isolating, closing communication channels)
► Maintaining channels of communication with key stakeholders
• Finally, cyber threats also present many challenges for national and international regulators (adapting their framework, legislation, cross border cooperation…)
25. Conclusions
• The risk framework needs to be adapted to better capture and report on cyber related risks (threats, controls and measurement).
• Operational Risk Managers have an important role to play in cyber risks management.
• Business engagement is essential!
► To understand the business impact of the threats and prioritise your security investments
► To support your awareness campaign (tone from the top)
• Monitor threats as they are constantly moving, and re-assess your protection and your business continuity strategy regularly.
• Your turn will come whatever the strength of your defences, so getting ready and testing is crucial.