The document outlines 11 critical areas of cybersecurity focus for financial institutions based on a cybersecurity roundtable discussion held in February 2015. The areas include: 1) corporate governance; 2) management of cybersecurity issues; 3) security and risk management resources; 4) shared infrastructure risks; 5) intrusion protection; 6) security testing and monitoring; 7) incident detection and response; 8) ongoing training; 9) management of third-party service providers; 10) business continuity and disaster recovery; and 11) cybersecurity insurance. The document emphasizes that cybersecurity should be viewed as an integral part of overall risk management rather than just an IT issue, and financial institutions should conduct thorough evaluations of their unique cyber threat profiles.

1. 11 CRITICAL AREAS OF
CYBERSECURITY FOCUS FOR
FINANCIAL INSTITUTIONS
I N T E L L I S E C P A R T N E R S P R E S E N T :
C Y B E R S E C U R I T Y R O U N D TA B L E / F E B 2 0 1 5

2. A G E N D A
• Cybersecurity Role in Risk
Management
• New Regulatory Guidance
• 11 Areas of Focus
• Next Steps

3. N Y S D E PA R T M E N T O F F I N A N C I A L S E R V I C E S :
“ T H E D E PA R T M E N T E N C O U R A G E S A L L I N S T I T U T I O N S T O
V I E W C Y B E R S E C U R I T Y A S A N I N T E G R A L A S P E C T O F T H E I R
O V E R A L L R I S K M A N A G E M E N T S T R AT E G Y, R AT H E R T H A N
S O L E LY A S A S U B S E T O F I N F O R M AT I O N T E C H N O L O G Y. ”

4. N E W F O C U S
• Frequency and sophistication
of cyberattacks continue to
grow
• Increased focus on
cybersecurity by Federal and
State regulators
• Cybersecurity should be a
top-of-mind strategic concern
• Potential ramifications too
serious to ignore

5. 1 1 C R I T I C A L A R E A S O F
C Y B E R S E C U R I T Y F O C U S

6. 1 . C O R P O R AT E G O V E R N A N C E
Tone At The Top Matters
Cybersecurity No Exception
Cybersecurity Not Just An IT Issue

7. 2 . M A N A G E M E N T O F C Y B E R S E C U R I T Y
I S S U E S
Interaction Between Information Security & Core
Business Functions
Written Information Security Policies & Procedures
Periodic Re-Evaluation

8. 3 . S E C U R I T Y & R I S K M A N A G E M E N T
R E S O U R C E S
The Right People
The Right Processes
The Right Technology

9. 4 . S H A R E D I N F R A S T R U C T U R E R I S K S
Think “Least Privilege”
Segregate Critical Data
Focused Due Diligence

10. 5 . I N T R U S I O N P R O T E C T I O N
Multi-Factor Authentication
Server & Database Configurations
Focus On Critical Data, Not Transaction Type

11. 6 . S E C U R I T Y T E S T I N G & M O N I T O R I N G
Penetration Testing
Annual Tests May Not Longer Be Sufficient
Focus On Critical Data

12. 7 . I N C I D E N T D E T E C T I O N A N D
R E S P O N S E
Sufficient Monitoring
Detection Of Attacks
Speed Of Response

13. 8 . O N G O I N G T R A I N I N G
Cybersecurity Training
For All Staff
Specialized Training

14. 9 . M A N A G E M E N T O F T H I R D - PA RT Y
S E RV I C E P R O V I D E R S
Extended Cybersecurity Boundaries
Identify Risks & Controls
Confirm “Chain Of Trust”

15. 1 0 . B U S I N E S S C O N T I N U I T Y A N D
D I S A S T E R R E C O V E RY
Integrate With Cybersecurity
Policies & Procedures
Testing & Verification

16. 1 1 . C Y B E R S E C U R I T Y I N S U R A N C E
Part Of Risk Control Strategy
Note Exclusions
Evaluate Periodically

17. N E X T S T E P S
• List not exhaustive
• Your cyber threat profile is
unique
• Thorough and proactive
evaluation of cyber risks
necessary

18. W E C A N H E L P
INTELLISECPARTNERS.COM
602.341.3435