Capacity-Building Tool Box for Cybersecurity and Financial Organizations
Tim Maurer and Kathryn Taylor

© 2019 Carnegie Endowment for International Peace. All rights reserved.

Carnegie does not take institutional positions on public policy issues; the views represented herein are the authors' own and do not necessarily reflect the views of Carnegie, its staff, or its trustees.

No part of this publication may be reproduced or transmitted in any form or by any means without permission in writing from the Carnegie Endowment for International Peace. Please direct inquiries to:

Carnegie Endowment for International Peace
Publications Department
1779 Massachusetts Avenue NW
Washington, DC 20036
P: +1 202 483 7600
F: +1 202 483 1840
CarnegieEndowment.org

This publication can be downloaded at no cost at CarnegieEndowment.org.

CONTENTS

About the Authors
Acknowledgments
Glossary
Executive Summary
Project's Approach and Methodology
Tool Box: Overview
Supplementary Report Overview
One Pager 1: Board-Level Guide: Cybersecurity Leadership
One Pager 2: CEO-Level Guide: Cybersecurity Leadership
One Pager 3: CISO-Level Guide: Protecting Your Organization
One Pager 4: CISO-Level Guide: Protecting Your Customers
One Pager 5: CISO-Level Guide: Protecting Connections to Third Parties
One Pager 6: Incident Response Guide
Board Checklist: Cybersecurity Leadership
CEO Checklist: Cybersecurity Leadership
CISO Checklist: Protecting Your Organization
CISO Checklist: Protecting Your Customers
CISO Checklist: Protecting Connections To Third Parties
Incident Response Checklist
Supplementary Report
1. In Detail: "Board-Level Guide: Cybersecurity Leadership"
2. In Detail: "CEO-Level Guide: Cybersecurity Leadership"
3. In Detail: "CISO-Level Guide: Protecting the Organization"
4. In Detail: "CISO-Level Guide: Protecting Customers"
5. In Detail: "CISO-Level Guide: Protecting Connections to Third Parties"
6. In Detail: "Incident Response Guide"
Appendix
References
Notes

About the Authors

Tim Maurer is co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace and author of the book Cyber Mercenaries: The State, Hackers, and Power, published by Cambridge University Press in 2018. He is an internationally recognized expert on cybersecurity and geopolitics in the digital age and leads Carnegie's FinCyber project dedicated to cybersecurity and the financial system.

Kathryn Taylor is a nonresident expert with the Cyber Policy Initiative at the Carnegie Endowment for International Peace, where she focuses on capacity-building measures to improve cyber resiliency in the financial sector. She is a graduate of Emory University with degrees in computer science and international studies.

Acknowledgments

A priority throughout this project was the integration of an iterative feedback loop.
We are therefore particularly grateful to the several dozen experts in central banks, ministries of finance, cybersecurity agencies, international bodies, and industry that provided input during the early stages as well as feedback on advanced drafts of this work, namely Anil Kuril, Union Bank of India; Asadullah Fayzi, Afghanistan International Bank; Boston Banda, Reserve Bank of Malawi; Curtis Dukes and Tony Sager, CIS (Center for Internet Security); Juan Carlos Crisanto, Denise Garcia Ocampo, and Johannes Ehrentraud at the Bank for International Settlements; Petra Hielkema and Raymond Kleijmeer, De Nederlandsche Bank; Phil Venables; Aimée Larsen Kirkpatrick and Alejandro Fernández-Cernuda, Global Cyber Alliance; Shafique Ibrahim, Al Fardan Group; Silvia Baur-Yazbeck and David Medine, Consultative Group to Assist the Poor; the experts at the FS-ISAC; the experts at the UK Financial Conduct Authority; the experts at the IMF; and the experts at the SWIFT Institute. Several experts from other institutions who shared feedback preferred to remain anonymous.

Official Partners: Carnegie Endowment for International Peace, SWIFT Institute, Global Cyber Alliance, FS-ISAC, Standard Chartered.

Glossary

CPMI-IOSCO: Committee on Payments and Market Infrastructures and International Organization of Securities Commissions
EU: European Union
FCC: U.S. Federal Communications Commission
FFIEC: U.S. Federal Financial Institutions Examination Council
FSB: Financial Stability Board
FS-ISAC: Financial Services Information Sharing and Analysis Center
FTC: U.S. Federal Trade Commission
GDPR: EU General Data Protection Regulation
IMF: International Monetary Fund
NCSC: UK National Cyber Security Centre
NIS Directive: EU Directive on the security of network and information systems
NIST: U.S. National Institute of Standards and Technology
SWIFT: Society for Worldwide Interbank Financial Telecommunication

Executive Summary

The global financial system is facing growing cyber threats and increased risk. In 2017, the G20 Finance Ministers and Central Bank Governors warned that "[t]he malicious use of Information and Communication Technologies could ... undermine security and confidence and endanger financial stability." These concerns have led to a flurry of regulatory and policy activity in recent years at both the international and national levels, from the Financial Stability Board to the IMF, CPMI, and IOSCO as well as the EU, India, China, Singapore, and the U.S. and, on the industry side, from SWIFT's Customer Security Program to FS-ISAC and Sheltered Harbor.

There is a clear need for financial institutions to be vigilant to avoid potentially large losses or reputational damage. In fact, the year 2016 was a wake-up call for the financial sector when malicious hackers tried to steal $1 billion from the Bank of Bangladesh. They ultimately succeeded at stealing $81 million by sending fraudulent instructions and exploiting multiple systemic vulnerabilities. The incident's headlines became an urgent warning of systemic risk, and financial organizations worldwide sprang into action.

Less cyber-mature and smaller financial organizations deserve special attention but have been neglected so far. Many of the latter are particularly vulnerable, constrained by fewer resources, smaller staff, and often less experience.
In 2018, 58 percent of overall victims of cyberattacks were small businesses. Some reports suggest credit unions and banks with less than $35 million in assets account for the majority of hacking and malware breaches in the financial sector. Moreover, incidents dating back to 2016 suggest that some threat actors specifically target financial organizations in the Global South and low-income countries.

Minimizing overall cyber risk to the financial sector depends upon the protection and participation of smaller organizations such as credit unions, savings banks, building societies, trust companies, account servicers, and even end customers. A system's cybersecurity is only as strong as its weakest links. In addition, smaller financial organizations are more likely to serve more vulnerable, low-income communities and thus are often key providers of financial inclusion programs. Cyber incidents involving smaller financial organizations could therefore hamper efforts to enhance financial inclusion, undermine consumer trust, and curb the use of needed financial resources.

To enhance the cybersecurity of less cyber-mature and smaller financial institutions, this project offers a package of easy-to-use, action-oriented, practical one-page guides detailing how institutions can enhance their own security as well as that of their customers and third parties; information about cyber incidents; and a comprehensive, supplementary report.

Project's Approach and Methodology

Governments, businesses, and international bodies have been increasing their efforts to improve the cybersecurity of financial institutions. For example, starting in 2016, central banks around the world established new units dedicated to cybersecurity, which simply did not exist before. Even the G7 countries decided to launch a new process as a catalyst to tackle this growing risk. Unsurprisingly, these efforts have been uneven and remain nascent.
Therefore, capacity-building efforts focusing on low-income countries and less cyber-mature and smaller organizations across the world remain in their infancy. Guidance on basic cyber hygiene and best practices that form a baseline for cybersecurity generally has yet to reach these organizations.

Theory of Change: If proper information and quality security practices are promulgated in actionable forms, as this project seeks to achieve, financial organizations can quickly improve their basic cyber hygiene. Smaller financial institutions, in particular, can use their size to their advantage in terms of ease and speed of adoption of cybersecurity measures. With fewer staff members and less institutional red tape, they can approve, implement, and streamline policies and practices with agility. Along the way, crucial support and guidance can be found through digestible guidance, collaboration and exchanges with industry partners, regulators, and supervisors, and public and private cybersecurity organizations.

Our Tool Box Contains:
• Board-Level Guide: Cybersecurity Leadership
• CEO-Level Guide: Cybersecurity Leadership
• CISO-Level Guides:
  • Protecting Your Organization
  • Protecting Your Customers
  • Protecting Connections to Third Parties
• Incident Response Guide

Building on Existing Best Practices: This report presents a new tailored approach with best practices that have been carefully curated to meet the most pressing cybersecurity needs of less cyber-mature and smaller financial organizations while remaining achievable within their resources and capabilities. What is contained herein is not a new invention, though. Seeking to build on existing best practices, we began the development process with substantial desk research into the two areas of existing guidance: first, cybersecurity guidance for small businesses generally (not focused on financial institutions) and, second, cybersecurity guidance for financial institutions (usually not focused on small entities).
Together, they provide highly valuable frameworks with risk-based approaches, recommendations for widely achievable cyber hygiene improvements, and measures tailored to small businesses and specific sectors.

Multiple Feedback Loops: Upon reviewing existing material, we shared drafts with experts from a variety of national and international institutions to gauge the relative utility and practicability of the various strategies and measures. Engaging with experts from several central banks and commercial banks as well as other institutions including the IMF, FS-ISAC, and SWIFT enabled us to synthesize the patchwork of existing guidance into a package of targeted, high-yield recommendations for less cyber-mature and smaller financial organizations.

Key Findings: Taking inspiration from a guide for small businesses created by the UK's NCSC (see Appendix), we have presented the best practices as groups of tangible activities aimed at building capacity and protecting against specific threats. Yet, as this research progressed, it became clear that effective cybersecurity guidance must inform behavior not only at the technical level but at many other decision points, from executive strategy to employee awareness to third party interactions. This led us to develop mutually reinforcing sets of best practices for CEOs and chief information security officers (CISOs) that, altogether, cover governance, IT measures, employee training and behavior, customer data security, vendor management, and organization-wide incident response.

Figure 1: Goal - Developing Practical and Actionable One-Page Guides with Best Practices

What's in the Package: Our series of six one-page guides starts at the board and executive levels to ensure comprehensive risk management, organized governance, and continuous organizational thinking on cybersecurity.
From there, it outlines practical measures for CISOs and other personnel to follow to protect critical assets, customers, and connections and to handle incident response. Many of the measures are organization-wide and actionable on an individual level and as such can be made part of employee training and general cybersecurity culture. An additional resource worth highlighting is the GCA Cybersecurity Toolkit for Small Business published by the Global Cyber Alliance in the spring of 2019. This Toolkit offers additional resources complementing the guides and is therefore specifically referenced in the footnotes of this report as well as in hyperlinks embedded in the one-page guides and checklists.

Living Documents: These guides, the report, and the best practices detailed therein must be viewed as living documents and regularly reviewed and updated. The technology continues to evolve and so must these guides when necessary. Any users of this document should feel free to expand, revise, discuss, and share the recommendations to ensure that they continue to meet their needs in the face of new information and challenges.

Dissemination: A final and crucial consideration is to ensure that these recommendations reach their intended audience of less cyber-mature and smaller financial organizations across the world. For this reason, the guides are now available in seven languages: English, French, Spanish, Portuguese, Arabic, Dutch, and Russian. In addition, based on engagements that have developed throughout this project, we will leverage existing networks of industry groups, governments, and other organizations to make this work as widely publicly available as possible, especially in developing countries. We welcome any additional support to help disseminate these resources and to help maximize their impact.

The following sections briefly describe the guidance put forth in this report.
Also, if you would like to translate the material into an additional language, please do not hesitate to contact us. Contact details: Tim Maurer, tmaurer@ceip.org.

Tool Box: Overview

Guidance for Boards and CEOs: Cybersecurity Leadership

An organization's cybersecurity begins and ends with its highest level of management. When a cyber incident occurs — whether money is lost, data is compromised, consumer trust is damaged, or something else happens — the CEO and board are on the front lines dealing with the fallout, both publicly and privately. As such, executives must be involved in developing awareness of their organizations' cyber risk, setting organizational priorities and policies to deal with that risk, and acting as the head of their organization's body of cybersecurity personnel, in particular by having clear and regular communication with technical staff such as their CISO. They also set the tone for the organization writ large and can ensure that the mindset of all employees is focused on identifying and mitigating potential risks, including through continuous education and training.

ONE-PAGER #1: Board-Level Guide

The board of directors finds itself at the top of its organization's pyramid of accountability for cyber preparedness and response. Its level of savviness, engagement, and visible leadership are therefore critical to the organization's cyber resilience. This section offers recommendations for boards to take an active role in their organizations' cybersecurity, to gain the up-to-date information they need to do so, and to self-reflect on their leadership:

• Fundamentals of Cyber Risk Governance — Providing a list of questions from a report by TheCityUK and Marsh for boards to ask themselves to gauge whether they are meeting essential cybersecurity baselines.
• Oversight — Outlining the core leadership functions boards must undertake to effectively govern their organizations' cybersecurity policies and practices.
• Staying Informed — Advising boards on how they can ensure individual members and the group as a whole are appropriately knowledgeable about both internal and external cybersecurity trends and challenges.
• Setting the Tone — Helping boards understand what it means to lead their organizations' cybersecurity by example, including promoting appropriate risk culture and setting staff expectations.

ONE-PAGER #2: CEO-Level Guide

CEOs play a crucial leadership role when it comes to cybersecurity, simultaneously advising the board and external stakeholders and managing internal personnel and policies. To navigate these dual skillsets and responsibilities, this section offers recommendations for CEOs in the following categories:

• Governance — Positioning executives as the leaders of their organizations' cybersecurity by advising them to appoint and articulate roles and responsibilities for cybersecurity staff and to direct efforts to establish organization-wide cybersecurity policies and practices applicable to every member of staff.
• Risk Assessment and Management — Directing executives to call for and oversee cyber risk assessment, to digest the results and operationalize them in organizational decision-making, and to ensure ongoing monitoring of cyber risk.
• Organizational Culture — Advising executives to include cybersecurity considerations in overall organizational thinking and decision-making and to foster an organization-wide culture of cybersecurity by instituting regular trainings and reviews and making cybersecurity a normal part of communication at all levels.

Guidance for CISOs and Other Personnel: Technical Improvements

At first glance, it may appear that a CISO should only focus on protecting his/her financial institution itself.
However, an important lesson learned in recent years has been that a CISO must ensure cybersecurity across the institution's ecosystem and therefore focus not only on (a) the institution itself but also (b) its customers and (c) its third parties.

The remainder of the recommendations in this report therefore outlines best practices for CISOs or other technical personnel to protect their organization, as well as essential cyber hygiene practices that all staff and customers should follow. These tips have been extracted from existing cybersecurity guidance — for the financial sector, for small businesses, and for others more generally — and adapted to be as practical and valuable as possible for less cyber-mature and smaller financial organizations specifically. They are broken down into categories covering the key areas for cybersecurity consideration and protection in the financial sector.

ONE-PAGER #3: CISO-Level Guide: Protecting the Organization

These recommendations are the core building blocks of cybersecurity for organizations and individual employees — practices to secure networks, monitor accounts and activity, protect data, and prevent attacks. This section begins with foundational guidance for CISOs or equivalent technical personnel to build a risk-based information security program for their organization if they have not yet established one. This information can also be used to review an existing program for all necessary components. Next, the organization-level guidance identifies important categories of best practices to improve cybersecurity, then describes numerous action steps for each. The categories are:

• Preventing Malware Damage — Describing essential cybersecurity practices that CISOs should engage in to secure their organizations' systems such as using firewalls, antivirus software, pen-testing, red-teaming, and physical security measures.
• Training Employees — Advising CISOs to make regular, comprehensive staff cybersecurity education a key priority.
• Protecting Data — Advising CISOs to keep updated and segmented backups and to take other data protection measures.
• Securing Devices — Advising CISOs on how to configure, secure, and handle the life cycle of their organizations' computers, laptops, mobile phones, and other devices.
• Using Passwords — Detailing how CISOs should set up password use across their organization and advise employees on how to use secure authentication.
• Controlling Permissions — Advising CISOs on how to manage administrative and general employee privileges on their organizations' systems and data.
• Securing Wi-Fi — Advising CISOs on how to securely configure their organizations' wireless Internet networks.
• Avoiding Phishing Attacks — Identifying the most common indicators of phishing, advising CISOs on preventive steps to take, and advising all employees to stay alert.

ONE-PAGER #4: CISO-Level Guide: Protecting Customers

Customer data is one of the most crucial assets for which financial institutions are responsible. Alongside monetary gain, stealing information about customers' identities, financial accounts, and other personal details is a top motivator for cyber criminals to target financial institutions. When such data is breached, it can harm customers through fraud, theft, and privacy violation. Banks and other organizations in the financial ecosystem are not just keepers and movers of money but also data stewards and as such must make customer information security a key priority and core competency. This report recommends improving customer security in the following areas:

• Administering Accounts — Advising CISOs on how to create and manage customer accounts so that a high level of security is offered by default.
• Protecting Data — Advising CISOs to securely handle and store customer information with strong data policies and measures such as encryption.
• Securing Public Web Applications — Providing steps for CISOs to take to secure all public-facing channels with which customers may interact and provide data.
• Training Employees — Advising CISOs to train employees to handle customer data carefully and responsibly.
• Notifying Customers — Describing how CISOs should handle customer notification as part of incident response.

Securing the "long tail" in the financial sector reaches beyond organization-level practices all the way down to the security practices of individual employees and customers. No matter how robust an organization's practices, compromises may still occur if these individuals fail to follow cyber hygiene practices and unwittingly surrender account credentials or other sensitive data to cyber criminals. In light of this, in addition to the above organization-level best practices for protecting customer data, this section recommends tips that organizations should give to customers and use to train employees so they can improve their cyber hygiene, protect sensitive data, and avoid falling victim to common attacks such as phishing.

ONE-PAGER #5: CISO-Level Guide: Protecting Connections to Third Parties

A key characteristic of financial organizations is their interconnectivity. The financial system works through transactions and flows of financial and personal data among a network of connected institutions. Further, financial organizations depend on vendors and third-party technologies to deliver their services in an increasingly digital world. Such pervasive dependency opens sensitive new cyber threat vectors that often prove difficult to identify and secure. Setting and maintaining an organizational standard of cybersecurity cannot succeed if sensitive data or other assets are exposed to third parties that do not adhere to the same level of security.
A good start is to develop awareness across financial organizations that their cyber risk assessment and management must always consider their relationships to vendors and third parties and that their contracting and acquisition processes must always consider cybersecurity. To guide this process, this section makes recommendations in the following categories:

• Choosing Vendors — Providing CISOs with a list of questions to use to evaluate potential vendors according to their data and cybersecurity practices.
• Identifying Risk Through Third Parties — Advising CISOs to maintain up-to-date understanding of their exposure to risk through their third-party relationships.
• Managing Third Party Security — Advising CISOs on how to approach cybersecurity as part of service level agreements, technology acquisitions, and other third party relationships, ensuring responsibilities and liabilities are clearly defined.
• Sharing Information — Encouraging CISOs to both share and solicit information about the security of their vendor and third party ecosystems.

ONE-PAGER #6: Incident Response Guide

An organization's cybersecurity is tested when incidents actually occur and their preparation must turn into action. Studies show that many firms do not invest sufficiently in response and recovery. Organizations should be prepared that an incident will occur eventually and need to have a plan for response and recovery. Unfortunately, the question is not one of "if" but of "when" such an incident will occur. Having holistic, well-documented incident response plans in place is therefore so crucial to cybersecurity in practice that it merits its own section in this report. It is helpful to understand incident response through the pillars of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover (see Appendix).
These pillars describe the lifecycle of incident response and have informed the organization of best practices in this section, which focus on:

• Preparing — Providing recommendations for CISOs to develop an incident response plan that will allow their organization to respond to and recover from cyber incidents.
• Exercising — Advising organizations to actively prepare and improve incident response by organizing and/or participating in practice exercises.
• Responding — Focusing specifically on the crucial steps that must be taken to deal swiftly and responsibly with cyber incidents, from executing damage control to communicating to recording information.
• Recovering — Advising CISOs on how to restore systems using backups.
• Reviewing — Highlighting that incident response is an iterative process in which each occurrence should be carefully reviewed so that it can be an opportunity to improve cybersecurity procedures and awareness.

Supplementary Report Overview

The supplementary comprehensive report consists of five chapters each beginning with brief guides outlining cybersecurity best practices for less cyber-mature and smaller financial organizations in the categories described above. Following each guide are descriptions, elaborations, and resources to clarify concepts that are mentioned in the guides and to provide information to ease implementation. Each recommendation is heavily footnoted for the purpose of directly linking to additional processes that cannot be fully described here. Many references are made to an organization's CISO and their responsibilities — however, the guides were developed with an understanding that not all organizations may have such an officer and as such contain measures (and implementation details and tips) to allow other IT or operational personnel to carry out those responsibilities.

Board-Level Guide: Cybersecurity Leadership

Fundamentals of Cyber Risk Governance

Confirm that you can affirmatively answer the following questions:

1. Has your organization met relevant statutory and regulatory requirements?
2. Has your organization quantified its cyber exposures and tested its financial resilience?
3. Does your organization have an improvement plan in place to ensure exposures are within your agreed-upon risk appetite?
4. Does the board regularly discuss concise, clear, and actionable information regarding the organization's cyber resilience supplied by management?
5. Does your organization have incident response plans in place that have been recently dry-run exercised, including at board level?
6. Are the roles of key people responsible for managing cyber risk clear and aligned with the three lines of defense?
7. Have you obtained independent validation and assurance of your organization's cyber risk posture?

Oversight

As the highest level of your organization's leadership, the board assumes ultimate accountability for governing cyber risk and therefore must oversee the organization's strategy, policies, and activities in this area. Specifically, the board should:

• Take ultimate responsibility for oversight of cyber risk and resilience, whether as the full board or through delegation of oversight to a specific board committee.
• Assign one corporate officer, usually the CISO, to be accountable for reporting on your organization's capability to manage cyber resilience and progress in implementing cyber resilience goals. Ensure that this officer has regular board access, sufficient authority, command of the subject matter, experience, and resources to fulfill these duties.
• Annually define your organization's risk tolerance; ensure consistency with your corporate strategy and risk appetite.
• Ensure that a formal, independent cyber resilience review of your organization is carried out annually.
• Oversee the creation, implementation, testing, and ongoing improvement of cyber resilience plans, ensuring alignment across your organization and that your CISO or other accountable officer regularly reports on them to the board.
• Integrate cyber resilience and risk assessment into your organization's overall business strategy, risk management, budgeting, and resource allocation, with the goal of fully integrating cyber risk into overall operational risk.
• Periodically review your performance of the above and consider independent advice for continuous improvement.

Staying Informed

The board's effective cyber risk oversight depends on members' command of the subject and up-to-date information.

• Ensure that all individuals joining the board have appropriate and up-to-date skills and knowledge to understand and manage the risks posed by cyber threats.
• Solicit regular advice from management on your organization's current and future risk exposure, relevant regulatory requirements, and industry and societal benchmarks for risk appetite. Further, engage in regular briefings on latest developments with respect to the threat landscape and regulatory environment, joint planning and visits to best practice peers and leaders in cybersecurity, and board-level exchanges on governance and reporting.
• Hold management accountable for reporting a quantified and understandable assessment of cyber risks, threats, and events as a standing agenda item during board meetings.
• Maintain awareness of ongoing systemic challenges such as supply chain vulnerabilities, common dependencies, and the gap in information sharing between boards on cyber risk governance.

Setting the Tone

Alongside senior management, the board must set and exemplify your organization's core values, risk culture, and expectations with regard to cyber resilience.

• Promote a culture in which staff at all levels recognize their important responsibilities in ensuring your organization's cyber resilience. Lead by example.
• Oversee management's role in fostering and maintaining your organization's risk culture. Promote, monitor, and assess the risk culture, considering the impact of culture on safety and soundness and making changes where necessary.
• Make clear that you expect all staff to act with integrity and to promptly escalate observed non-compliance within or outside your organization.

CEO-Level Guide: Cybersecurity Leadership

Governance

Your organization's cybersecurity starts and ends at the highest level of management. The CEO together with the board must maintain understanding of the risks and assume ultimate accountability and responsibility for the organization's cybersecurity activities and personnel. You should:

• Hire a chief information security officer (CISO) if none exists or, if resources are too limited, appoint somebody within your organization to fulfill the function of a CISO.
• Work with the CISO or other technical personnel to establish and maintain a cybersecurity strategy and framework tailored to the organization's specific cyber risks using international, national, and industry standards and guidelines.
• Articulate clear roles and responsibilities for personnel implementing and managing the organization's cybersecurity.
• Work with the CISO to identify proper cybersecurity roles and access rights for all levels of staff.
• Oversee communication and collaboration to ensure that cybersecurity management is holistic, especially if cybersecurity responsibilities are shared by multiple personnel or divisions within the organization (such as having separate information security, risk, and technology verticals).
• Ensure that the CISO has a clear, direct line of communication to relate threats in a timely manner to you and to the board.
• Invite the CISO or other technical personnel to routinely brief senior management.
• Ensure that the organization's security policies, standards, enforcement mechanisms, and procedures are uniform across all teams and lines of business.

Risk Assessment and Management

Ensuring strong cybersecurity awareness and preparedness depends on continuous risk-based analysis. To improve your organization's cybersecurity:
- Establish cybersecurity risk assessment and management as a priority within your organization's broader risk management and governance processes. Work with your CISO or other technical personnel on a plan to conduct a risk assessment that involves:
  - Describing your organization's assets and their various levels of technology dependency,
  - Assessing your organization's maturity and the inherent risks associated with its assets' technology dependencies,
  - Determining your organization's desired state of maturity,
  - Understanding where cybersecurity threats sit in your organization's risk priority list,
  - Identifying gaps between your current state of cybersecurity and the desired target state,
  - Implementing plans to attain and sustain maturity,
  - Continuously reevaluating your organization's cybersecurity maturity, risks, and goals,
  - Considering using third-party penetration testing or red teaming, and
  - Considering protective measures such as buying cyber insurance.
- Lead employee efforts during the risk assessment process to facilitate timely responses from across the institution.
- Analyze and present the results of the risk assessment for executive oversight, including key stakeholders and the board.
- Oversee any changes to maintain or increase your organization's desired cybersecurity preparedness, ensuring that any steps taken to improve cybersecurity are proportionate to risks and affordable for your organization.
- Oversee the performance of ongoing monitoring to remain nimble and agile in addressing evolving cyber risk.

Organizational Culture
Your organization's cybersecurity is not a one-time process or the job of a few employees: it is a factor to consider in all business decisions and operations and a practice that must be maintained by all employees. To encourage continuous, holistic cybersecurity within your organization:
- Begin cybersecurity discussions with the leadership team and communicate regularly with the personnel accountable for managing cyber risks.
- Make cybersecurity training a part of all employee onboarding, ensuring that all staff are up to date on, and have signed documents agreeing to adhere to, your organization's cybersecurity policies and that your IT department or other technical personnel have briefed them on best practices.
- Institute recurring cybersecurity training for all staff with regard to their short- and long-term security responsibilities.
- Ensure that cybersecurity is always considered when your organization evaluates potential vendors and shares data with third parties.
- Annually review your organization's cybersecurity policies.
- Encourage voluntary information sharing about cybersecurity threats and incidents within your organization and with trusted counterparts.

CISO-Level Guide: Protecting Your Organization

Developing a Risk-Based Information Security Program
1. Identify the types of information your business stores and uses
- List all of the types of information your business stores or uses (e.g. customer names and email).
2. Define the value of your information
- Ask key questions for each information type:
  - What would happen if this information was made public?
  - What would happen to my business if this information was incorrect, e.g. the integrity of the data had been manipulated?
  - What would happen to my business if I or my customers couldn't access this information?
3. Develop an inventory
- Identify what technology comes into contact with the information you have identified. This can include hardware (e.g. computers) and software applications (e.g. browser, email). Include the make, model, serial numbers, and other identifiers. Track where each product is located. For software, identify what machine(s) the software has been loaded onto.
- Where applicable, include technologies outside of your business (e.g. "the cloud") and any protection technologies you have in place such as firewalls.
4. Understand your threats and vulnerabilities
- Regularly review what threats and vulnerabilities the finance sector may face and estimate the likelihood that you will be affected. (Information can be found via your national CERT, FS-ISAC, and other local and regional groups.)
- Conduct a vulnerability scan or analysis at least once a year.
5. Create a cybersecurity policy
- Work with your organization's senior management to establish and maintain a cybersecurity strategy that is tailored to the above risks and informed by international, national, and industry standards and guidelines. Guidelines such as the NIST Framework, the FFIEC's Cybersecurity Assessment Tool, and ISO 27001 provide foundations for such policies.
- Train all employees on the details of the policy and have them sign documents acknowledging their role in continuously upholding your organization's cybersecurity by adhering to the policy.

Protecting Your Data

Preventing Malware Damage
- Activate your firewall and set access control lists (ACLs) to create a buffer zone between your network and the Internet. Restrict access by using a whitelisting (default-deny) setting rather than by blacklisting certain IP addresses.
- Use antivirus software and antispyware on all computers and laptops.
- Patch all software and firmware by promptly applying the latest software updates provided by manufacturers and vendors. "Automatically update" where available.
- Restrict installation of new programs to IT staff with admin rights.
- Maintain and monitor activity logs generated by protection/detection hardware or software. Protect logs with password protection and encryption, and forward them to a system the monitored hosts cannot write to, so that an attacker who compromises a host cannot erase its own trail.
- Keep all host clocks synchronized (e.g. via NTP against a trusted time source). If your organization's devices have inconsistent clock settings, event correlation will be much more difficult when incidents occur.
- Control access to removable media such as SD cards and USB sticks. Encourage staff to transfer files via email or cloud storage instead. Educate staff on the risks of using USBs from external sources or handing over their own USBs to others.
- Set up email security and spam filters on your email services.
- Protect all pages on your public-facing websites with encryption and other available tools.
- Consider hiring a penetration testing service to assess the security of your assets and systems.

Training Employees
- Run mandatory cybersecurity trainings during new employee onboarding and at regular intervals for all current employees, at least once annually. Require employees to:
  - Use strong passwords on all professional devices and accounts, and encourage them to do the same for personal devices and to use a password manager,
  - Keep all operating systems, software, and applications up to date across all devices,
  - Use two-factor authentication on all accounts,
  - Keep account details and access cards secure and lock devices when unattended,
  - Refrain from sharing account details or other sensitive data via unencrypted email or other open communications,
  - Avoid immediately opening attachments or clicking links in unsolicited or suspicious emails,
  - Verify the validity of a suspicious-looking email or a pop-up box before providing personal information, and pay close attention to the email address, and
  - Report any potential internal or external security incidents, threats, or mishandling of data or devices to your organization's technical personnel and/or higher management.
- Regularly test employee awareness through simulated issues, such as by sending phishing-style emails from fake accounts. Use any failures as opportunities for learning rather than punishment.
- Take regular backups of your important data (e.g. documents, email, calendars) and test that they can be restored. Consider backing up to the cloud.
- Ensure the device containing your backup is not permanently connected to the device holding the original copy, neither physically nor over a local network.
- Install surge protectors, use generators, and ensure all of your computers and critical network devices are plugged into uninterruptible power supplies.
- Use a mobile device management (MDM) solution.
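The guidance above on synchronized host clocks and retained logs is easy to state and easy to underestimate. The following Python example, added here and not part of the tool box, shows the failure concretely: three constructed log sources record one incident, one workstation's clock runs six minutes slow, and a simple time-window correlation links the workstation to the IDS alert only after a measured per-host clock offset is applied. The hostnames, log lines, offsets and the 60-second window are all assumptions for illustration.

```python
"""Why synchronized clocks matter for event correlation.

Added example, not part of the tool box. Log lines, hostnames, the clock
offsets and the correlation window are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed logs from three sources that all saw one incident. The gateway
# and the IDS are NTP-synced; workstation ws-17 runs six minutes slow.
SAMPLE_LOGS = [
    "2019-03-04T10:15:02Z gateway ALLOW 10.0.5.17 -> 203.0.113.9:443",
    "2019-03-04T10:15:03Z ids ALERT suspicious TLS SNI from 10.0.5.17",
    "2019-03-04T10:09:01Z ws-17 EXEC powershell.exe -enc <base64 blob>",
    "2019-03-04T10:09:04Z ws-17 NET connect 203.0.113.9:443",
    "2019-03-04T11:40:10Z gateway ALLOW 10.0.5.22 -> 198.51.100.4:443",
]

# Per-host clock error in seconds (host clock minus true time), assumed to
# have been measured against the NTP reference when the logs were collected.
CLOCK_OFFSETS = {"gateway": 0, "ids": 0, "ws-17": -360}


def parse_line(line):
    """Split '<iso-timestamp> <host> <action> <detail>' into a dict."""
    ts, host, action, detail = line.split(None, 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "action": action, "detail": detail}


def normalize(events, offsets):
    """Shift each event to true time by removing its host's clock error."""
    return [dict(e, ts=e["ts"] - timedelta(seconds=offsets.get(e["host"], 0)))
            for e in events]


def correlate(events, window_seconds=60):
    """Cluster events so each one is within the window of the previous event."""
    clusters = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if clusters and (e["ts"] - clusters[-1][-1]["ts"]).total_seconds() <= window_seconds:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def hosts_linked_to_alert(clusters, action="ALERT"):
    """Hosts whose events land in the same cluster as an IDS alert."""
    linked = set()
    for cluster in clusters:
        if any(e["action"] == action for e in cluster):
            linked.update(e["host"] for e in cluster)
    return linked


def incident_clusters(lines, offsets, window_seconds=60):
    """Parse, correct clocks, then correlate."""
    return correlate(normalize([parse_line(l) for l in lines], offsets), window_seconds)


if __name__ == "__main__":
    raw = [parse_line(l) for l in SAMPLE_LOGS]
    print("trusting the clocks:", sorted(hosts_linked_to_alert(correlate(raw))))
    print("after offset correction:",
          sorted(hosts_linked_to_alert(incident_clusters(SAMPLE_LOGS, CLOCK_OFFSETS))))
```

Taken at face value, the workstation's EXEC and NET events sit six minutes before the gateway and IDS entries and form their own cluster, so the analyst never sees that ws-17 is the source of the flagged connection. Measuring the offset after the fact is possible, as here, but it is far cheaper to keep every host on NTP so the timestamps agree when they are written.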
Keeping Your Devices Safe
- Switch on PIN and password protection for mobile devices. Configure devices so that when lost or stolen they can be tracked, remotely wiped, or remotely locked.
- Keep your devices (and all installed apps) up to date, using the "automatically update" option if available.
- When sending sensitive data, don't connect to public Wi-Fi hotspots. Use cellular connections (including tethering and wireless dongles) or use VPNs.
- Replace devices that are no longer supported by manufacturers with up-to-date alternatives.
- Set reporting procedures for lost or stolen equipment.

Using Passwords
- Make sure all computers use encryption products that require a password to boot (full-disk encryption with pre-boot authentication). Switch on password or PIN protection for mobile devices.
- Use strong passwords, avoiding predictable passwords (like passw0rd) and personal identifiers (such as family and pet names). Instruct all employees to do the same.
- Use two-factor authentication (2FA) wherever possible.
- Change the manufacturer-issued default passwords on all devices, including network and IoT devices, before they are distributed to staff.
- Ensure staff can reset their own passwords easily. You may also want to require staff to change their password at regular intervals (e.g. quarterly, half-yearly, or annually). Note that NIST SP 800-63B now advises against forced periodic rotation unless there is evidence of compromise, because it pushes users toward weaker, patterned passwords; screening new passwords against lists of known-breached passwords is the stronger control.
- Consider using a password manager. If you do use one, make sure that the master password (that provides access to all your other passwords) is a strong one.

Controlling Permissions
- Ensure that all personnel have uniquely identifiable accounts that are authenticated each time they access your systems.
- Only give administrative privileges to trusted IT staff and key personnel, and revoke administrative privileges on workstations for standard users.
- Only give employees access to the specific data systems that they need for their jobs, and ensure they cannot install any software without permission.
- Control physical access to your computers and create user accounts for each employee.

Securing Your Wi-Fi Networks and Devices
- Make sure your workplace Wi-Fi is secure and encrypted with WPA2 (or WPA3 where your equipment supports it). Routers often come with encryption turned off, so make sure to turn it on. Password-protect access to the router and make sure that the password is updated from the pre-set default. Turn off any "remote management" features.
- Set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID).
- Limit access to your Wi-Fi network by only allowing devices with certain media access control (MAC) addresses. If customers need Wi-Fi, set up a separate public network. Treat SSID hiding and MAC filtering as housekeeping rather than security controls: both are trivially bypassed by anyone capturing wireless traffic (the SSID is still visible in association frames and MAC addresses are easily spoofed), so they do not substitute for strong encryption with a strong passphrase or per-user credentials.
- Enable Dynamic Host Configuration Protocol (DHCP) logging on your networking devices to allow for easy tracking of all devices that have been on your network.
- Log out as administrator after you have set up the router.
- Keep your router's software up to date. Hear about updates by registering your router with the manufacturer and signing up to get updates.

Avoiding Phishing Attacks
- Ensure staff don't browse the web or check emails on servers or from an account with administrator privileges.
- Set up web and email filters. Consider blocking employees from visiting websites commonly associated with cybersecurity threats.
- Teach employees to check for obvious signs of phishing (e.g. poor spelling, grammar, or low-quality versions of logos). Does the sender's email address look legitimate?
- Scan for malware and change passwords as soon as possible if you suspect an attack has occurred. Don't punish staff if they become the victim of a phishing attack (it discourages people from reporting in the future).
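Several of the checks above ("does the sender's email address look legitimate?") can be automated at the mail gateway rather than left to each reader. The following Python example, added here and not part of the tool box, parses a constructed phishing message with the standard library and flags the sender-side tells: a From domain that imitates a trusted one (digit-for-letter swaps, the brand name used as a label inside another domain, near-miss spellings), an address hidden in the display name, a Reply-To that points elsewhere, and links whose host imitates the trusted domain. TRUSTED_DOMAINS, the homoglyph table and both messages are assumptions you would tailor to your own domains.

```python
"""Automating the sender-address checks employees are taught to make.

Added example, not part of the tool box. The messages, TRUSTED_DOMAINS and the
homoglyph table are constructed assumptions; tailor them to your own domains.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplebank.com"}

# Digits attackers substitute for letters; extend for the letters in your brand.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed lure: spoofed display name, lookalike From, stray Reply-To, bad link.
SAMPLE_PHISH = """\
From: "ExampleBank Security alerts@examplebank.com" <alerts@examp1ebank.com>
Reply-To: recovery@mail-examplebank.net
To: jane@smallcreditunion.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/plain; charset=utf-8

Your account has been locked. Confirm your login at
https://examplebank.com.account-verify.net/login within 24 hours.
"""

# Constructed genuine notice from a real subdomain, for comparison.
SAMPLE_LEGIT = """\
From: ExampleBank <alerts@mail.examplebank.com>
To: jane@smallcreditunion.example
Subject: Your March statement is available
Content-Type: text/plain; charset=utf-8

Your statement is ready at https://www.examplebank.com/statements
"""


def canonical(domain):
    """Normalize a domain so common lookalike tricks collapse onto the real name."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings of the whole domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None if genuine or unrelated."""
    domain = domain.lower()
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None                        # the real domain or a genuine subdomain of it
    cd = canonical(domain)
    for t in trusted:
        ct = canonical(t)
        brand = ct.split(".")[0]
        # brand used as a label elsewhere (examplebank.com.evil.net, mail-examplebank.net)
        # or a near-miss spelling of the whole domain (examplebonk.com)
        if brand in re.split(r"[.-]", cd) or edit_distance(cd, ct) <= max_distance:
            return t
    return None


def _domain(address):
    return address.rpartition("@")[2].lower()


def _text_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw, trusted=TRUSTED_DOMAINS):
    """Return (code, detail) findings for the sender-side signs of phishing."""
    msg = message_from_string(raw)
    findings = []
    name, sender = parseaddr(msg.get("From", ""))
    from_domain = _domain(sender)
    imitated = lookalike_of(from_domain, trusted)
    if imitated:
        findings.append(("lookalike-from", f"{from_domain} imitates {imitated}"))
    if "@" in name:                        # visible name carries a reassuring address
        findings.append(("address-in-display-name", name))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {_domain(reply)}"))
    for host in re.findall(r"https?://([^/\s\"'<>]+)", _text_body(msg)):
        imitated = lookalike_of(host.split(":")[0], trusted)
        if imitated:
            findings.append(("lookalike-link", f"{host} imitates {imitated}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_message(SAMPLE_PHISH):
        print(f"{code}: {detail}")
    print("legit message findings:", check_message(SAMPLE_LEGIT))
```

These header checks complement, rather than replace, SPF, DKIM and DMARC evaluation at the gateway: a lookalike domain can carry perfectly valid SPF and DKIM records of its own, which is exactly why the brand-name and edit-distance comparisons against your trusted domains are needed.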
CISO-Level Guide: Protecting Your Customers

Individual Advice for Customers and Employees to Protect Financial Data
Advise your employees and your customers to follow the below cybersecurity guidelines in their personal behavior to increase their preparedness and protect their financial data against cyber threats.
1. Implement basic cyber hygiene practices across your devices.
- Use strong passwords on all personal and professional devices, and consider using a password manager.
- Keep operating systems and other software and applications up to date on your computers and mobile devices.
- Install anti-virus, anti-malware, and anti-ransomware software that prevents, detects, and removes malicious programs.
- Use a firewall program to prevent unauthorized access to your computer.
- Only use security products from reputable companies. Read reviews from computer and consumer publications and consider consulting with the manufacturer of your computer or operating system.
2. Be careful with sensitive information.
- Do not send bank account passwords or other sensitive financial account data over unencrypted email.
- Be smart about where and how you connect to the internet for banking or other communications involving sensitive personal information. Public Wi-Fi networks and computers at places such as libraries or hotel business centers can be risky.
3. Resist phishing.
- Don't immediately open email attachments or click on links in unsolicited or suspicious-looking emails. Stop. Think. Click.
- Be suspicious if someone contacts you unexpectedly online or via telephone and asks for your personal information. Even when communicating with known addresses, minimize sharing of personal information via email.
- Remember that no financial institution will email or call you and request confidential information they already have about you.
- Assume that a request for information from a bank where you have never opened an account is a scam.
- Verify the validity of a suspicious-looking email or a pop-up box before providing personal information. Pay close attention to the email address.

Administering Accounts
- Require that customers use strong user IDs and passwords to log into your services. Advise them not to use the same password as they do for other accounts.
- Use instant verification, real-time verification, trial deposit verification, identity verification, and/or out-of-wallet questions to validate real customers and reduce the opportunity for fraud.
- Offer, and ideally require, two-factor authentication for customers to log into your services.
- Regularly check user accounts for signs of fraud.

Protecting Data
- Consider which customer data your organization must collect to perform its services, and be wary of collecting any customer data that goes beyond that.
- Set and distribute data retention policies. Dispose of customer data when no longer needed.
- Encrypt customer data in transit and at rest.
- Put in place data security policies to make clear which data transfer methods are approved versus restricted and to specify what is acceptable for all employees when dealing with customer data. Ensure that these policies are documented, communicated, enforced across all employees, and periodically reviewed and updated.

Securing Public Web Applications
- Implement HTTPS on your organization's public-facing web application(s) and redirect all HTTP traffic to HTTPS. Send an HTTP Strict-Transport-Security (HSTS) header so that returning browsers never attempt plain HTTP at all.
- Set a content security policy (CSP) on your website(s) to prevent cross-site scripting attacks, clickjacking, and other code injection attacks.
- Enable public key pinning on your website(s) to prevent man-in-the-middle attacks. Be aware that major browsers have withdrawn support for the HTTP Public-Key-Pins header, because a mistaken or expired pin locks every user out of the site; for a website the practical substitutes are HSTS and monitoring Certificate Transparency logs for certificates you did not request, while pinning remains effective inside your own mobile apps, where you control the client.
- Ensure that your public-facing web application(s) never use cookies to store highly sensitive or critical customer information (such as passwords), follow conservative expiration dates for cookies (sooner rather than later), and consider encrypting the information stored in the cookies you use. Mark session cookies with the Secure, HttpOnly and SameSite attributes so that they are not sent over plain HTTP, cannot be read by injected script, and are not attached to cross-site requests.
- Consider hiring a penetration testing service to assess the security of your public-facing web application(s) at least once a year.
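The Securing Public Web Applications items above translate directly into response headers and cookie attributes. The following Python example, added here and not part of the tool box, is framework-neutral: it builds the HTTPS redirect, a default Content-Security-Policy and HSTS header set, and a session cookie that stores only an opaque random identifier with the Secure, HttpOnly and SameSite attributes, and it includes audit functions you can run against your own responses to find the omissions that matter. The specific header values are assumptions to tune per application.

```python
"""Hardening a public web application's responses: HTTPS redirect, security
headers and cookie attributes.

Added example, not code from the tool box. Framework-neutral: functions return
headers as dicts and strings so they can be wired into whatever server you run.
The header values are a reasonable default policy and are assumptions to tune.
"""
import secrets
from urllib.parse import urlsplit


def https_redirect(request_url):
    """Return the HTTPS URL to redirect a plain-HTTP request to, or None if already HTTPS."""
    parts = urlsplit(request_url)
    if parts.scheme == "https":
        return None
    host = parts.hostname or ""            # drop any non-standard port of the HTTP listener
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{host}{parts.path or '/'}{query}"


def security_headers(script_sources=("'self'",), hsts_max_age=31536000):
    """Headers every response on the public application should carry."""
    csp = (
        "default-src 'self'; "
        f"script-src {' '.join(script_sources)}; "
        "object-src 'none'; base-uri 'self'; "
        "frame-ancestors 'none'"           # blocks clickjacking; supersedes X-Frame-Options
    )
    return {
        "Strict-Transport-Security": f"max-age={hsts_max_age}; includeSubDomains",
        "Content-Security-Policy": csp,
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",         # for older browsers without frame-ancestors support
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }


def session_cookie(name="session", max_age=900):
    """Return (token, Set-Cookie value) for an opaque session id; no data lives client-side."""
    token = secrets.token_urlsafe(32)      # the server looks the session up by this random id
    header = (f"{name}={token}; Path=/; Max-Age={max_age}; "
              "Secure; HttpOnly; SameSite=Strict")
    return token, header


def audit_set_cookie(header):
    """Return the protective attributes missing from a Set-Cookie header value."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in header.split(";")[1:]}
    missing = [flag for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]
    if "max-age" not in attrs and "expires" not in attrs:
        missing.append("Max-Age/Expires")  # no explicit expiry: lifetime is left to the browser
    return missing


def audit_headers(headers):
    """Return problems with a response's security headers (empty list means none found)."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    for required in ("strict-transport-security", "content-security-policy",
                     "x-content-type-options"):
        if required not in h:
            problems.append(f"missing {required}")
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        problems.append("CSP permits inline or eval script, which defeats its XSS protection")
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        problems.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")
    return problems


if __name__ == "__main__":
    print(https_redirect("http://bank.example/login?next=1"))
    print(audit_headers(security_headers()))
    token, cookie = session_cookie()
    print(cookie)
    print("weak cookie is missing:", audit_set_cookie("session=abc; Path=/"))
```

Run `audit_headers` and `audit_set_cookie` against the real responses of your login and account pages (for example the headers captured by a penetration test) rather than only against the generated defaults; the common failures in practice are an HSTS header present on the home page but not on an API host, and a CSP weakened with 'unsafe-inline' to keep a legacy script working.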
Training Employees
- Teach your employees accountability and strategies to minimize human error that could expose customer data. This means advising them to:
  - Minimize their access to and transmission of customer data to only what is necessary to perform their job functions,
  - Maintain strong security practices on all devices and accounts that deal with customer data by using strong passwords, enabling two-factor authentication, keeping software updated, and not clicking on suspicious links, and
  - Report any potential internal or external security incidents, threats, or mishandling of data to your organization's technical personnel and/or higher management.
- Ensure your employees understand and have signed documents to adhere to your organization's data protection and security policies so that they do not violate them, so they are fluent when dealing with customers, and so they do not communicate with customers in an unprotected manner.

Notifying Customers
- Understand your organization's regulatory environment when it comes to handling customer data breaches to ensure you are prepared to comply when incidents do occur.
- When your organization becomes aware of an incident of unauthorized access to sensitive customer information, investigate to promptly determine the likelihood that the information has been or will be misused. Follow notification best practices and notify the affected customer(s) accordingly as soon as possible with:
  - A general description of the incident and the information that was breached,
  - A telephone number for further information and assistance,
  - A reminder to remain vigilant over the next 12 to 24 months,
  - A recommendation that incidents of suspected identity theft be reported promptly,
  - A general description of the steps taken by the financial institution to protect the information from further unauthorized access or use,
  - Contact information for credit reporting agencies, and
  - Any other information that is required by regulations with which your organization must comply.

CISO-Level Guide: Protecting Connections to Third Parties

How to Choose Vendors With Cybersecurity in Mind
Ask the following questions of potential vendors to gauge their cyber preparedness and awareness and, consequently, the impact they would have on your organization's risk profile:
1. What experience do they have? Find out about the vendor's history serving clients. Have they served clients similar to your organization before?
2. Have they documented their compliance with known cybersecurity standards such as the NIST Framework or ISO 27001, or can they provide a SOC 2 report?
3. Which of your data and/or assets will they need to access to perform their services? Are they requesting any apparently unnecessary access?
4. How do they plan to protect your organization's assets and data that are in their possession?
5. How do they manage their own third-party cyber risk? Can they provide information about their supply chain?
6. What is their plan for disaster recovery and business continuity in case of an incident impacting your organization's assets and/or data?
7. How will they keep your organization updated? What is their plan for communicating trends, threats, and changes within their organization?

Identifying Risk Through Third Parties
- Create and keep an updated list of all vendor relationships and the assets and data exposed in each.
- Review the data that each vendor or third party has access to. Ensure that this level of access adheres to the principle of least privilege.
- Rank your vendor and third-party relationships (low, medium, high) based on the impact that a breach of their systems would have on your organization.
- Starting with the highest-risk vendors, evaluate each provider's cybersecurity capabilities. Compliance with relevant standards is a good starting point. Develop a plan for regular security evaluation. You may want to occasionally conduct on-site assessments of vendors with the highest risk and/or greatest access to customer data.

Managing Third-Party Security
- Perform thorough due diligence. Establish cybersecurity expectations in your organization's requests for proposals, contracts, business continuity, incident response, and service level agreements with vendors. Agree on responsibilities and liabilities in case of a cyber incident.
- Inquire about the cybersecurity practices of other third parties, such as financial organizations with which you transact or share data. Any cybersecurity requirements to which your organization must adhere should also be followed by your vendors and any other organizations you share data with or expose assets to.
- Use established and agreed-upon measures to monitor your vendors' compliance with cybersecurity standards.
- Check with your vendors that handle sensitive data to see if they offer two-factor authentication, encryption, or other security measures for any accounts you have with them.
- Ensure that all third-party software and hardware you install support a verified ("secure") boot process, in which firmware and boot code are checked against a cryptographic signature before running and will not execute if the signature is not recognized.
- If you encounter vendor products that are either counterfeit or do not match specifications, work to negotiate a resolution or else an exit strategy.
- Annually evaluate vendor contracts and ensure that they continue to meet your strategic direction and regulatory data security requirements. Upon contract termination, include stipulations about getting your assets or data back and verifying that the assets or data are completely erased on the vendor's side, and disable any access to your systems or servers.

Sharing Information
- Ensure that you have clear communication channels and points of contact to communicate about security issues with your organization's vendors and counterparts.
- Engage in timely sharing of reliable, actionable cybersecurity information with internal and external stakeholders (including entities and public authorities within and outside the financial sector).
- Track relevant updates about what other organizations are experiencing with their third parties in terms of threats, vulnerabilities, incidents, and responses to enhance your organization's defenses, increase situational awareness, and broaden learning. Being part of information-sharing organizations, for example the FS-ISAC, will facilitate being up to date.

Incident Response Guide

Preparing
- Work with your organization's senior leadership and other relevant personnel to develop an incident response and business continuity plan based on the most pressing risks that have been identified in your organization's cyber risk assessment.
  - Develop threat scenarios for the kinds of incidents that relate to your organization's highest-priority cyber risks. Focus on building capacity to respond to those scenarios.
  - Identify, record, and make available within your organization a list of points of contact for incident response.
  - Identify and record contact information for relevant local and federal law enforcement agencies and offices.
  - Establish provisions specifying which kinds of incidents must be reported, when they must be reported, and to whom.
  - Establish written guidelines that outline how quickly personnel must respond to an incident and what actions should be performed, based on relevant factors such as the functional and information impact of the incident and the likely recoverability from the incident.
  - Inform all employees to contact your technical team (most commonly this will be IT personnel and/or the CISO, CIO, or other comparable manager) when an incident occurs.
  - Deploy solutions to monitor employee actions and to enable identification of insider threats and incidents.
  - Include business continuity plans to coordinate how your organization will work with suppliers and primary customers during a business emergency, including how you would conduct manual or alternative business operations if required. Include written procedures for emergency system shutdown and restart. Develop and test methods for retrieving and restoring backup data; periodically test backup data to verify its validity.
  - Have established agreements and procedures for conducting business operations in an alternate facility or site.
  - Have in place a clear dissemination channel to all customers.

Exercising
- Organize small tabletop exercises with all staff or representatives from all levels of staff, including the organization's executives, PR/communications personnel, and legal and compliance teams.
- Identify and ideally participate in industry-wide tabletop exercises relevant for your organization.
- Establish a process to ensure lessons learned from exercises are incorporated and addressed in your company's cybersecurity strategy.

Responding
- Implement incident response plan actions to minimize the impact, including with respect to reputational damage.
- Identify impacted or compromised systems and assess the damage.
- Reduce damage by removing (disconnecting) affected assets. Where the plan allows, isolate at the network rather than powering the machine off, since memory contents and active connections, which are often the best evidence of what the attacker was doing, are lost on shutdown.
- Start recording all information as soon as the team suspects that an incident has occurred. Attempt to preserve evidence of the incident while disconnecting or segregating the affected identified assets, e.g. collect the system configuration, network, and intrusion detection logs from the affected assets.
- Notify appropriate internal parties, third-party vendors, and authorities, and request assistance if necessary.
- Initiate customer notification and assistance activities consistent with laws, regulations, and inter-agency guidance.
- Use threat sharing platforms such as FS-ISAC or MISP to notify the industry about the threat.
- Document all steps that were taken during the incident to review later.

Recovering
- Restore recovered assets to periodic "recovery points" if available and use backup data to restore systems to last known "good" status.
- Create updated "clean" backups from restored assets and ensure all backups of critical assets are stored in a physically and environmentally secured location.
- Test and verify that infected systems are fully restored. Confirm that affected systems are functioning normally.

Reviewing
- Conduct a "lessons learned" discussion after the incident has occurred: meet with senior staff, trusted advisors, and the computer support vendor(s) to review possible vulnerabilities or recommend new steps to be implemented.
- If possible, identify the vulnerabilities (whether in software, hardware, business operations, or personnel behavior) that led to the incident and develop a plan to mitigate them.
- Develop a plan for monitoring to detect similar or further incidents related to the issues identified.
- Share lessons learned and information about the incident on threat sharing platforms such as FS-ISAC.
- Integrate lessons learned into your organization's incident response protocols.

CYBERSECURITY FOR SMALLER FINANCIAL ORGANIZATIONS
BOARD CHECKLIST: CYBERSECURITY LEADERSHIP

FUNDAMENTALS OF CYBER RISK GOVERNANCE
- As a group, periodically assess whether the board can affirmatively answer the following questions:
  - Has your organization met relevant statutory and regulatory requirements, for example, GDPR?
  - Has your organization quantified its cyber exposures and tested its financial resilience?
  - Does your organization have an improvement plan in place to ensure exposures are within your agreed-upon risk appetite?
  - Does the board regularly discuss concise, clear, and actionable information regarding the organization's cyber resilience supplied by management?
  - Does your organization have incident response plans in place that have been recently dry-run exercised, including at board level?
  - Are the roles of key people responsible for managing cyber risk clear and aligned with the three lines of defense?
  - Have you obtained independent validation and assurance of your organization's cyber risk posture, for example, via testing, certification, or insurance?
- If you cannot affirmatively answer one or more of the above, work with your CEO, CISO, relevant organization personnel, and/or external resources to correct the issue.

OVERSIGHT
- Ensure that the board is aware of its role as the ultimate responsibility-holder for your organization's cyber risk and resilience. Delegate oversight to a specific board committee if deemed necessary.
- Assign one corporate officer, usually designated the chief information security officer (CISO), to be accountable for reporting on your organization's capability to manage cyber resilience and progress in implementing cyber resilience goals.
- Ensure that this officer has regular board access, sufficient authority, command of the subject matter, experience, and resources to fulfil these duties.
- Annually define your organization's risk tolerance, ensuring it is consistent with your corporate strategy and risk appetite.
- Ensure that a formal, independent cyber resilience review of your organization is carried out annually.
- Work to integrate cyber resilience and risk assessment into your organization's overall business strategy, risk management, budgeting, and resource allocation.
- Oversee the creation, implementation, testing, and ongoing improvement of cyber resilience plans, ensuring they are harmonized across your organization and that your CISO or other accountable officer regularly reports on them to the board.
- Periodically review your performance of the above and consider seeking independent advice for continuous improvement.

STAYING INFORMED
- When an individual joins the board, ensure that they have appropriate and up-to-date skills and knowledge to understand and manage the risks posed by cyber threats.
- Solicit regular advice from management on your organization's current and future risk exposure, relevant regulatory requirements, and industry and societal benchmarks for risk appetite. Plan to engage in:
  - Regular briefings on duties created by new regulations and legislation,
  - Board and executive committee joint planning and visits to best-practice peers and leaders in cybersecurity,
  - Security briefings on the threat environment, and
  - Board-level exchanges of information on governance and reporting.
- Make clear to management that they are accountable for reporting a quantified and understandable assessment of cyber risks, threats, and events as a standing agenda item during board meetings.
- Regularly check in with management and other relevant personnel about developments related to ongoing systemic challenges such as supply chain vulnerabilities, common dependencies, and the gap in information sharing between boards on cyber risk governance.

SETTING THE TONE
- Ensure that staff at all levels recognize that they each have important responsibilities to ensure your organization's cyber resilience.
- Oversee management's role in fostering and maintaining your organization's risk culture.
- Regularly assess the effectiveness of your organization's risk culture, considering the impact of culture on safety and soundness and making changes where necessary.
- Make clear that you expect all staff to act with integrity and to promptly escalate observed non-compliance within or outside your organization.

CEO CHECKLIST: CYBERSECURITY LEADERSHIP

GOVERNANCE
- Appoint a chief information security officer (CISO) if none exists.
- Establish and maintain an organization-wide cybersecurity policy that is risk-based and informed by international, national, and industry standards and guidelines.
- Define roles and responsibilities for all personnel involved in cybersecurity.
- Work with your CISO to identify proper cybersecurity roles and access rights for all levels of staff.
- Establish or identify clear communication channels between any separate units or personnel that deal with different aspects of cybersecurity.
- Ensure your CISO has a clear, direct line of communication to relate threats in a timely manner to you and to the board.
- Maintain a regular invitation for your CISO or other technical personnel to brief senior management.
- Check that cybersecurity policies, standards, and mechanisms are uniform across the entire organization.

RISK ASSESSMENT AND MANAGEMENT
- Conduct a cybersecurity risk assessment in collaboration with your CISO or other technical personnel, which should include:
  - Describing your organization's assets and their various levels of technology dependency,
  - Assessing your organization's maturity and the inherent risks associated with its assets' technology dependencies,
  - Determining your organization's desired state of maturity,
  - Understanding where cybersecurity threats sit in your organization's risk priority list,
  - Identifying gaps between your current state of cybersecurity and the desired target state,
  - Implementing plans to attain and sustain maturity,
  - Continuously reevaluating your organization's cybersecurity maturity, risks, and goals, and
  - Considering protective measures such as buying cyber insurance.
- Analyze and present results to key stakeholders and the board.
- Plan to oversee any steps to increase cyber preparedness and monitor progress.

ORGANIZATIONAL CULTURE
- Regularly discuss cyber risk and security at the leadership level.
- Ensure that cybersecurity training is part of all employee onboarding and have all employees sign documents agreeing to adhere to the organization's cybersecurity policies.
- Establish recurring cybersecurity training for all staff.
- Ensure that cybersecurity is always considered when the organization evaluates potential vendors and shares data with third parties.
- Institute an annual review of the organization's cybersecurity policies.
- Encourage technical personnel to engage in voluntary information sharing about cybersecurity threats and incidents.
oo oa Di BLM rsasac Sunes SS aminmtinmess, Ge see nYBERSECURITY FOR SMALLER FINANCIAL ORGANIZATIONS CISO CHECKLIST: PROTECTING YOUR ORGANIZATION DEVELOPING A RISK-BASED INFORMATION SECURITY PROGRAM C_dentify and list all the types of information your business stores and uses (e.g. customer names and G_ Ask and record answers for each information type: ‘© What would happen if this information was made public? © What would happen to my business if this information was incorrect? © What would happen to my business if limy customers couldn't access this information? G_ Record what technology comes into contact with the information you have identified. This can include hardware (e.g. computers) and software applications (e.g. browser email). ‘© Where applicable, include technologies outside of your business (e.g. “the cloud”) and any protection technologies you have in place such as firewalls. © Include the make, model, serial numbers, and other identifiers. © Track where each product is located. For software, identify what machine(s) the software has been loaded onto. Regularly review information from your national CERT, FS-ISAC, your local InfraGard chapter, and others about what threats and vulnerabilities the financial sector may face and estimate the likelihood you will be affected. Conduct a vuinerability scan or analysis at least once a year. Create a cybersecurity policy for your organization. Train all employees on the details of the policy and have them sign documents acknowledging their role in continuously upholding your organization's cybersecurity by adhering to the policy. ooo PREVENTING MALWARE DAMAGE Cl Activate your firewall and set access control lists (ACLs. Restrict access by using a whitelisting setting, © Use antivirus software and antispyware on all computers and laptops. C._Apply the latest software updates provided by manufacturers and vendors. ‘Automatically update’ where available. 
C_ Restrict installation of new programs to IT staff with admin rights. Maintain and monitor activity logs generated by protection / detection hardware or software. Protect logs with password protection and encryption. Ensure all host clocks are synchronized. © Control access to removable media such as SD cards and USB sticks. Encourage staff to transfer files via email or cloud storage instead. Educate staff on the risks of using USBs from external sources or handing over their USBs to others. Setup email security and spam filers on your email services. Protect all pages on your public-facing websites with encryption and other available tools. Consider hiring a penetration testing service to assess the security your organization's assets and systems,
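The first three steps of "Developing a Risk-Based Information Security Program" (list your information types, answer the three impact questions for each, then record which technology touches each one) can be kept as a small structured inventory rather than a spreadsheet of free text. The following is an added example written for this page; it is not code from the Carnegie/FS-ISAC tool box. The rating scale, the field names and all of the sample information types, assets and serial numbers are constructed assumptions. It ranks each asset by the worst-case impact of the data it handles and flags external (cloud) systems that hold high-impact data with no recorded protection, which is exactly the kind of gap the checklist asks a CISO to find.

```python
# Added example, not part of the original checklist. Sample data is constructed.
from dataclasses import dataclass, field

# Assumed three-level scale; use whatever scale your risk assessment adopts.
IMPACT = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class InfoType:
    """One kind of information the business stores, with the checklist's three answers."""
    name: str
    if_public: str       # "What would happen if this information were made public?"
    if_incorrect: str    # "What would happen to my business if it were incorrect?"
    if_unavailable: str  # "What if I or my customers couldn't access it?"

    def worst_impact(self) -> int:
        return max(IMPACT[self.if_public], IMPACT[self.if_incorrect],
                   IMPACT[self.if_unavailable])


@dataclass
class Asset:
    """Hardware, software or external service that comes into contact with information."""
    identifier: str   # make/model/serial, or software name plus the host it runs on
    kind: str         # "hardware", "software" or "external"
    location: str     # physical location, or the machine the software is loaded on
    handles: list     # names of the InfoType entries this asset processes
    protections: list = field(default_factory=list)  # e.g. firewall, disk encryption


def validate(info_types, assets):
    """Inventory gaps: information nobody tracks a system for, and systems that
    reference information types that were never assessed."""
    known = {i.name for i in info_types}
    referenced = {n for a in assets for n in a.handles}
    return {"untracked_info": sorted(known - referenced),
            "unassessed_info": sorted(referenced - known)}


def rank_assets(info_types, assets):
    """Rank assets by the highest-impact information type they touch.
    Returns (identifier, score, driving info type, needs_attention), highest first.
    An external asset holding high-impact data with no recorded protection is
    flagged, because it sits outside the firm's direct control."""
    by_name = {i.name: i for i in info_types}
    ranked = []
    for a in assets:
        scored = [(by_name[n].worst_impact(), n) for n in a.handles if n in by_name]
        score, driver = max(scored) if scored else (0, None)
        flag = a.kind == "external" and score == IMPACT["high"] and not a.protections
        ranked.append((a.identifier, score, driver, flag))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory (names, serial numbers and ratings are made up).
SAMPLE_INFO = [
    InfoType("customer account records", "high", "high", "high"),
    InfoType("marketing brochure text", "low", "low", "low"),
    InfoType("payroll", "high", "moderate", "moderate"),
    InfoType("branch opening hours", "low", "moderate", "low"),
]
SAMPLE_ASSETS = [
    Asset("Dell OptiPlex 7070 / SN 7XK2Q13", "hardware", "Teller desk 2",
          ["customer account records"], ["disk encryption", "firewall"]),
    Asset("Core banking client v4.2 on TELLER-02", "software", "TELLER-02",
          ["customer account records"]),
    Asset("Public website CMS", "software", "hosting provider",
          ["marketing brochure text", "branch opening hours"]),
    Asset("Cloud payroll service", "external", "vendor cloud", ["payroll"]),
]

if __name__ == "__main__":
    print(validate(SAMPLE_INFO, SAMPLE_ASSETS))
    for identifier, score, driver, flag in rank_assets(SAMPLE_INFO, SAMPLE_ASSETS):
        print(f"{score}  {'!!' if flag else '  '}  {identifier}  (driven by: {driver})")
```

Running it lists the cloud payroll service first with a flag, because it holds high-impact data outside the business with no protection recorded, while the public website ranks lowest even though it is the most exposed system; that ordering is what should drive where the annual vulnerability scan and any penetration test spend their time.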

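"Protect logs" in the malware-prevention list is mostly about integrity: an intruder with admin rights on a host will try to edit or delete the log lines that record the intrusion, and encryption alone does not stop that. One way to make a log tamper-evident is a hash chain with a key that evolves after every entry. The following is an added example written for this page, not code from the tool box or from any logging product. The initial key, the timestamps and the log messages are constructed; the design assumes the initial key is kept off the host (for instance on the log collector the checklist recommends forwarding to), so that a later compromise of the host does not expose the keys used for earlier entries.

```python
# Added example, not part of the original checklist. Sample log lines are constructed.
import hashlib
import hmac

ANCHOR = b"\x00" * 32  # chain value before the first entry


def _next_key(key: bytes) -> bytes:
    """Evolve the key one step; the logger discards the previous key, so an
    attacker who reads memory later cannot re-sign earlier entries."""
    return hashlib.sha256(b"evolve" + key).digest()


def _tag(key: bytes, prev_tag: bytes, seq: int, ts: str, msg: str) -> str:
    data = prev_tag + seq.to_bytes(8, "big") + ts.encode() + b"\x00" + msg.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only log; each line is 'seq<TAB>timestamp<TAB>message<TAB>tag'."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._prev = ANCHOR
        self.entries = []

    def append(self, ts: str, msg: str) -> str:
        msg = msg.replace("\t", " ").replace("\n", " ")  # keep one entry per line
        seq = len(self.entries)
        tag = _tag(self._key, self._prev, seq, ts, msg)
        line = f"{seq}\t{ts}\t{msg}\t{tag}"
        self.entries.append(line)
        self._prev = bytes.fromhex(tag)
        self._key = _next_key(self._key)
        return line


def verify(initial_key: bytes, lines, expected_count=None):
    """Return (ok, first_bad_index). Catches edits, deletions, insertions and
    reordering anywhere in the chain. Truncation at the tail is only detected
    when the verifier knows how many entries to expect (expected_count), e.g.
    from the count reported by the forwarding agent."""
    key, prev = initial_key, ANCHOR
    for i, line in enumerate(lines):
        parts = line.split("\t")
        if len(parts) != 4:
            return False, i
        seq_s, ts, msg, tag = parts
        if not seq_s.isdigit() or int(seq_s) != i:
            return False, i
        if not hmac.compare_digest(tag, _tag(key, prev, i, ts, msg)):
            return False, i
        prev = bytes.fromhex(tag)
        key = _next_key(key)
    if expected_count is not None and len(lines) != expected_count:
        return False, len(lines)
    return True, None


# Constructed demo key; in practice generate it randomly and keep it off the host.
DEMO_KEY = b"demo-initial-key-kept-on-the-collector"


def demo_lines():
    """Write three constructed events and return the log lines."""
    log = ChainedLog(DEMO_KEY)
    log.append("2019-06-03T09:14:02Z", "firewall: DROP 203.0.113.7 -> 10.0.0.5:445")
    log.append("2019-06-03T09:14:09Z", "auth: login ok user=teller2 src=10.0.0.12")
    log.append("2019-06-03T09:20:41Z", "av: quarantined C:\\Users\\teller2\\Downloads\\invoice.exe")
    return log.entries


if __name__ == "__main__":
    lines = demo_lines()
    print(verify(DEMO_KEY, lines))                       # intact chain
    lines[1] = lines[1].replace("login ok", "login failed")
    print(verify(DEMO_KEY, lines))                       # edit detected at index 1
```

Synchronized clocks (the next item in the same checklist entry) matter here too: the timestamp is covered by the tag, so once an entry is chained its time cannot be quietly rewritten, but only if the host wrote a correct time in the first place.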