2021 Cyber and Technology Risk Management Forum

This FlippingBook contains the presentations from the 2021 Cyber & Technology Risk Management Forum.

2021 Cyber & Technology Risk Management Forum October 13-14 , 2021

www.csbs.org | @csbsnews

CONFERENCE OF STATE BANK SUPERVISORS

1129 20th Street NW / 9th Floor / Washington, DC 20036 / (202) 296-2840

2021 Cyber & Technology Risk Management Forum, October 13-14, 2021 | All Times Eastern Standard | Virtual Meeting via Remo

Day 1 | Wednesday, October 13th

1:00PM  Welcome and Introduction - Sebastien Monnet, CSBS
1:05PM  Presentation: Current Cybersecurity Threat Landscape - Brian L. Sanders, Network Intrusion Forensic Analyst, US Secret Service
2:00PM  BREAK
2:15PM  Protecting CSBS Systems and Data for States - Todd Scharf, Chief Security Information Officer, CSBS
3:15PM  BREAK
3:30PM  Cloud Webservices & Auditing Techniques - Jason Claycomb, Senior Instructor, ACI Learning
4:30PM  Adjourn

Day 2 | Thursday, October 14th

1:00PM  Introduction and Day 1 Reflection - Sebastien Monnet, CSBS
1:05PM  The Future of State-Federal Collaboration - Mark Buethe, Supervisory Examiner, Banking Supervision & Regulation, Federal Reserve Bank of St. Louis; Christine Hutchinson, Senior IT Project Manager, Federal Reserve Bank of Kansas City; Jonathan Trunfio, Senior Financial Institution Policy Analyst, Federal Reserve Board; Angela Knight-Davis, Manager, CBS-Supervision Technology, Federal Reserve Board
2:00PM  BREAK
2:15PM  Continuous Monitoring of Cyber Vulnerabilities - Charlie Moskowitz and Lou Burgess, Security Scorecard
3:15PM  BREAK
3:30PM  CSBS & State Jam Session - Sebastien Monnet and Mary Beth Quist, CSBS
4:30PM  Adjourn

Business Electronic Compromise

U.S. Department of Homeland Security, United States Secret Service

U.S. Secret Service Mission

Protection
• President
• Vice-President
• Former Presidents
• Foreign Dignitaries
• Others as designated
• Large Events

Investigations
• Counterfeit Currency
• Treasury Obligations
• Financial Crimes and Electronic Crimes: Identity Crime, Mortgage Fraud, Access Device Fraud, Bank Fraud, Computer Crimes, Network Intrusions, Internet Fraud


Jurisdictional History

• 1865: U.S. Secret Service created to fight counterfeit currency
• 1901: Assigned Presidential Protection duties
• 1948: Title 18 USC Sections 470-474 (Counterfeiting and Forgery)
• 1984: Title 18 USC Section 1029 (Access Device Fraud)
• 1986: Title 18 USC Section 1030 (Computer Fraud)
• 1990: Title 18 USC Section 1344 (Bank Fraud)
• 1996: Title 18 USC Section 514 (Fictitious Obligations)
• 1998: Title 18 USC Section 1028 (Identity Theft)
• 2001: PATRIOT Act (Expanded Cyber Crime Responsibilities)


USA PATRIOT ACT OF 2001, HR-3162, 107th Congress, First Session, October 26, 2001, Public Law 107-56, Sec. 105: Expansion of National Electronic Crime Task Force Initiative

The Director of the United States Secret Service shall take appropriate actions to develop a national network of electronic crime task forces, based on the New York Electronic Crimes Task Force model, throughout the United States for the purpose of preventing, detecting, and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.


Secret Service Approach to Combat Electronic Crime and Identity Theft

• Electronic Crimes Special Agent Program (ECSAP)
• Network Intrusion Response (NITRO)
• Electronic Crimes Task Forces (ECTF)
• Financial Crimes Task Forces (FCTF)
• Cyber Fraud Task Force (CFTF)
• Cyber Intelligence Section (CIS)
• Secret Service Offices overseas
• Cell Phone Forensic Facility (Tulsa, OK)
• Computer Emergency Response Team (CERT)
• National Computer Forensic Institute (NCFI, Hoover, AL)


Globalization of Electronic Crimes

• Increased involvement of organized transnational criminal groups
• Proceeds from these crimes are being used to fund/engage in offenses including narcotics trafficking, extortion and additional electronic crimes
• Threatens the U.S./global critical and financial infrastructure
• Lessens confidence in the processing of everyday business transactions


Cyber Threat Landscape (slide figure; values not recoverable): number of forums in 2002, approximate number of criminal forums today, languages represented, Internet monikers, roles/specializations


Verizon DBIR 2019


Business Email Compromise (BEC) Statistics

• Source: Internet Crime Complaint Center (IC3), October 2013 – July 2019
• $10 Billion +
• Most common victims: Real Estate, Payroll
• ***No Malware Needed***


BEC Mitigation

• Employee Education
• Wire Transfer Policies
• Multi-factor authentication for wire authority
• Good relationships with banks
• Contact law enforcement ASAP if a fraudulent wire transfer has occurred


BEC – Financial Fraud Kill Chain

• FinCEN: Financial Crimes Enforcement Network (Treasury)
• Conditions:
  1. Wire must go overseas
  2. Wire must be $25,000 or more
  3. Wire must have been sent less than 72 hours prior


Ransomware


Ransomware Statistics/Info

• 50% RDP compromise from credentials/passwords
• 25% email phishing
• Ransom averages: 2017 - $5,000; 2019 - $288,000; 2021 - $570,000
• Baltimore - $18,000,000 +; New Orleans - $7,000,000 +
• 36% pay the ransom (average)
• Third-party negotiators; cyber insurance (risk transfer)

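The "50% RDP compromise from credentials/passwords" figure above is the case a detection engineer most often has to catch before the encryption starts. The following is an added example for this page, not code from the Secret Service deck: it runs a simple password-guessing rule over a handful of constructed Windows Security event records (Event ID 4625 failed logon, 4624 successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) and escalates a source that succeeds after a burst of failures. The record field names, the threshold of 5 failures and the 10-minute window are assumptions chosen for the example.

```python
"""Detect RDP password guessing in Windows Security log records.

Added example for this page, not code from the presentation. Each record
mirrors the fields of Windows Security events 4625 (failed logon) and
4624 (successful logon); LogonType 10 is RemoteInteractive, i.e. RDP.
Field names, threshold and window are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_RDP = 10

# Constructed sample records (not real log data); times are UTC, ISO 8601.
SAMPLE_EVENTS = [
    # 203.0.113.7 sprays three accounts over RDP, then gets into "backup"
    {"time": "2021-10-13T02:14:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2021-10-13T02:14:09", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2021-10-13T02:14:20", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2021-10-13T02:14:33", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2021-10-13T02:15:02", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2021-10-13T02:15:40", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2021-10-13T02:16:11", "id": 4624, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    # 198.51.100.20: a user mistypes twice, then logs in; below threshold
    {"time": "2021-10-13T09:00:00", "id": 4625, "logon_type": 10, "user": "jdoe", "src": "198.51.100.20"},
    {"time": "2021-10-13T09:00:30", "id": 4625, "logon_type": 10, "user": "jdoe", "src": "198.51.100.20"},
    {"time": "2021-10-13T09:01:00", "id": 4624, "logon_type": 10, "user": "jdoe", "src": "198.51.100.20"},
    # 10.0.0.5: console (LogonType 2) failures, not in scope for this rule
    {"time": "2021-10-13T09:05:00", "id": 4625, "logon_type": 2, "user": "svc_sql", "src": "10.0.0.5"},
    {"time": "2021-10-13T09:05:05", "id": 4625, "logon_type": 2, "user": "svc_sql", "src": "10.0.0.5"},
    {"time": "2021-10-13T09:05:10", "id": 4625, "logon_type": 2, "user": "svc_sql", "src": "10.0.0.5"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_rdp_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for every source whose failed RDP logons
    reach `threshold` inside any `window`; the finding is escalated when a
    successful RDP logon from the same source follows the failure burst."""
    by_src = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["logon_type"] == LOGON_TYPE_RDP:
            by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["id"] == EVENT_LOGON_FAILED]
        burst = None  # (count, end_time) of the first window that trips the threshold
        for i in range(len(fails)):
            j = i
            while j < len(fails) and _ts(fails[j]) - _ts(fails[i]) <= window:
                j += 1
            if j - i >= threshold:
                burst = (j - i, _ts(fails[j - 1]))
                break
        if burst is None:
            continue
        count, burst_end = burst
        later_success = [e for e in evs
                         if e["id"] == EVENT_LOGON_SUCCESS and _ts(e) > burst_end]
        findings[src] = {
            "failed_logons": count,
            "usernames_tried": sorted({e["user"] for e in fails}),
            "severity": "success_after_failures" if later_success else "brute_force_attempt",
            "compromised_account": later_success[0]["user"] if later_success else None,
        }
    return findings


if __name__ == "__main__":
    for src, finding in find_rdp_password_guessing(SAMPLE_EVENTS).items():
        print(src, finding)
```

Two design points worth carrying into a real rule: key on the source address rather than the account, because password spraying touches many accounts with one or two attempts each, and treat a 4624 that follows the burst as the alert that matters, since that is the moment the intruder has a foothold and the ransomware clock starts.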

Department of Treasury Announcement

• October 1, 2020: Office of Foreign Assets Control (OFAC)
• Bans payments to "Sanctioned Entities" or "Embargoed Regions"
• Civil penalties or fines
• Mitigating factors: report to and cooperate with law enforcement; prevention training; ransom risk analysis in the incident response plan
• https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf


Ransomware: Preventive Measures

• Incident Response Plan/Testing
• Protected Backups
• Employee Awareness and Training
• Approved Application List
• File Integrity Monitoring
• Block IP Addresses
• Network Segmentation
• Software Updates
• Scheduled AV/AM Scans
• Configure Access Control (Least Privilege)
• Disable/Configure Remote Access
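"File Integrity Monitoring" and "Protected Backups" in the list above are usually bought as products, but the mechanism is small enough to show in full. The following is an added example for this page, not code from the presentation: a monitor that baselines a directory tree with SHA-256, protects the stored baseline with an HMAC so an intruder who can write to the host cannot silently rewrite it to match the files they encrypted, and reports added, removed and modified files. The directory layout, file contents, HMAC key and the simulated ransomware changes in `demo()` are all constructed for the demonstration.

```python
"""File integrity monitoring with a tamper-evident baseline.

Added example for this page, not code from the presentation. Standard
library only. The monitored tree, its file contents, the HMAC key and the
simulated ransomware changes in demo() are all constructed for the demo.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a planted link cannot make the monitor hash
    something outside the tree."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}


def save_baseline(baseline, path, key):
    """Write the baseline with an HMAC-SHA256 tag; the key must live somewhere
    an intruder on the monitored host cannot read (the point of 'protected')."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, "sha256").hexdigest()
    Path(path).write_text(json.dumps({"baseline": baseline, "hmac": tag}))


def load_baseline(path, key):
    """Read a baseline back, refusing it if the HMAC does not verify."""
    doc = json.loads(Path(path).read_text())
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline file has been tampered with or wrong key")
    return doc["baseline"]


def compare(baseline, current):
    """Diff two baselines into sorted added / removed / modified path lists."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small share, simulate ransomware
    (file encrypted in place, ransom note dropped, one file deleted), report
    the drift, then show that an edited baseline file is rejected."""
    key = b"constructed-demo-key"  # real deployments: keep it off the host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "share"
        (root / "bin").mkdir(parents=True)
        (root / "docs").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "docs" / "q3.xlsx").write_bytes(b"PK\x03\x04 spreadsheet")
        (root / "docs" / "notes.txt").write_text("meeting notes")
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store, key)

        # Simulated ransomware activity
        (root / "docs" / "q3.xlsx").write_bytes(b"\x8f\x1c encrypted blob")
        (root / "docs" / "README_DECRYPT.txt").write_text("pay to decrypt")
        (root / "docs" / "notes.txt").unlink()
        report = compare(load_baseline(store, key), build_baseline(root))

        # Intruder rewrites the stored hash to hide the encrypted file
        doc = json.loads(store.read_text())
        doc["baseline"]["docs/q3.xlsx"] = sha256_file(root / "docs" / "q3.xlsx")
        store.write_text(json.dumps(doc))
        try:
            load_baseline(store, key)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same HMAC-over-manifest idea is what makes a backup "protected" in the sense the slide means: a hash list that lives on the host being backed up is only as trustworthy as that host, so the key (or the whole manifest) has to sit somewhere the domain-admin-level intruder ransomware operators typically reach cannot write.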


Ransomware: Business Continuity

• Back up data
• Secure backups
• Test the restoration process
• Annual penetration testing

What To Do If Infected

• Isolate infected computers immediately
• Power off computers not yet completely infected
• Secure backup data
• Contact law enforcement

Ransomware Guide: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf


Vendors/Contractors

• Same security policy as YOUR COMPANY USES
• Contracts
• Service Level Agreement (SLA)


IoT/BYOD*


N-TEC Task Force

• Email: Dallas.CFTF@usss.dhs.gov
• Quarterly meetings
• Regular advisories and informational publications
• Partners with FBI, US-CERT, HSI, among others


Useful Online Sites

• United States Secret Service / Electronic Crimes Task Force: www.secretservice.gov/investigation/#field
• Local Field Offices: www.secretservice.gov/contact/
• Mitigation: Department of Homeland Security, United States Computer Emergency Readiness Team (US-CERT): www.us-cert.gov
• NIST Cybersecurity Framework: http://www.nist.gov/cyberframework/

Useful Online Sites, cntd.

• Cybersecurity and Infrastructure Security Agency (CISA): cisa.gov
• NSA/IAD Top 10 Information Assurance Mitigation Strategies: https://www.iad.gov/
• International Organization for Standardization (ISO): www.iso.org/iso/home.html
• National Cybersecurity and Communications Integration Center (NCCIC): www.us-cert.gov/nccic


Questions? Brian Sanders brian.l.sanders@usss.dhs.gov 214-471-7645


CSBS Cyber Defense Practices Todd Scharf Chief Security Information Officer CSBS

Internal Use Only

CSBS Cyber Defenses Sharing Approach

Frameworks

Practices

Architecture

Questions

Frameworks

NIST CSF

• Designed for managing and reducing cyber risk in critical industries, the NIST Cybersecurity Framework (CSF) is the overarching guidance CSBS uses for all systems.
• Organized into five key Functions; flexible and can be adapted to accommodate more prescriptive frameworks, like FISMA, CJIS, and SOC.

Frameworks FISMA & CJIS

The Federal Information Security Modernization Act (FISMA) mandates following the current version of NIST SP 800-53, currently Rev 5, for Federal systems. FISMA is much more detailed and prescriptive than CSF and includes privacy-specific controls. It is applied by CSBS to NMLS, SES, and CRM. The Criminal Justice Information Services (CJIS) Security Policy is similar to FISMA in prescriptive controls but applies to Criminal History Record Information (CHRI) and is overseen by the FBI. CJIS is applicable to NMLS and the Background Check Automation System (BCAS) subsystem managed by Fieldprint.

Frameworks SOC for Cybersecurity

Created by the AICPA to provide a more information-security-risk-centric assessment for organizations that found the SOC 1/2/3 assessments unsuitable. It is an overall assessment of information security and risk management, focused on CSBS as an organization rather than on specific systems.

Flexible on Framework

Assessments & Audits

Our Practices

• Annual Penetration Testing
• Real-time Vulnerability and Compliance Monitoring
• Monthly Phishing Tests with Remedial Training
• Annual Classification, Security, and Privacy Training
• Quarterly Topical Awareness Training
• Security Integration into Development Lifecycle
• CIS Benchmarks
• AWS Config
• Multi-factor Authentication
• Mobile Device Management
• Policy Statement Library
• Security Reviews of Every Contract

The Team

• Cloud
• Risk Management
• Policy, Compliance & Training
• Operations & Engineering
  • Operations & Event Monitoring
  • Engineering


Questions

Audit and Security for Cloud-Based Services

Risks at provider

§ Physical / environmental
§ Networks
§ Firewalls?
§ IDS?
§ Hardware maintenance: CSP (networks)
  ♦ What about servers?
§ Change management
§ They go out of business
§ Change in ownership that impacts controls

ACI Learning | Slide 29 | ASN305011420 | © INARMA, Jason Claycomb

Platform as a Service PaaS


MIS Training Institute, Inc. © INARMA, Jason Claycomb



Platform Overview

§ Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones. (Techtarget.com)
§ Let internal IT focus on the business (applications).
§ Let the service provider handle the "commodity work".
§ Smallest market when compared to IaaS and SaaS (Gartner)


Application PaaS

§ Application platform as a service (aPaaS) is a form of PaaS that provides a platform to support application development, deployment and execution in the cloud. It is a suite of cloud services designed to meet the prevailing application design requirements of the time, and includes mobile, cloud, the Internet of Things (IoT) and big data analytics innovations. (Gartner Magic Quadrant for Enterprise Application Platform as a Service, Worldwide, March 2015)
§ aPaaS is often used by tech companies


Risks

§ Infrastructure owned by CSP
§ Who owns & manages the applications?


SaaS Providers


Why SaaS?

§ "Cloud is the new style of elastically scalable, self-service computing and both internal applications and external applications will be built on this new style." (Gartner)


Provider Does Everything

§ Data center
§ Networking & all infrastructure
§ Servers
§ IT operations
§ Application implementation & support
§ Change management
§ Patch management


User Does a Few Things

§ Configure the application
§ User administration
§ Use the application ;-)
  ♦ Input
  ♦ Output reconciliation
§ Perform vendor due diligence


Security as a Service


§ A managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-virus services. MSSPs use high-availability security operations centers (either in their own facilities or in other data center providers' facilities) to provide 24/7 services designed to reduce the number of operational security personnel an enterprise needs to hire, train and retain to maintain an acceptable security posture.

Source: Gartner


CASBs

§ Cloud access security brokers (CASBs) are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.


Services

§ Firewall / IDS / IPS
§ Distributed denial of service (DDoS) protection
§ Secure messaging / web gateways
§ Data loss prevention
§ Security information and event management (SIEM)
§ Managed vulnerability scanning of networks, servers, databases or applications
§ Security vulnerability or threat notification services
§ Incident response


Providers

§ IBM, Dell SecureWorks
§ Telecom: Verizon, AT&T, BT
§ A/V vendors: Symantec, McAfee, Trend
§ NTT
§ CSC
§ Trustwave
§ CenturyLink


Reference Materials

§ AICPA: http://www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/TRUSTSERVICES/Pages/default.aspx
§ PCI DSS Cloud Guidelines: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf
§ Cloud Security Alliance: https://cloudsecurityalliance.org/
§ ISO 27001: http://www.iso27001standard.com/blog/2014/10/13/how-to-define-the-isms-scope/


Reference Materials, cntd.

§ Data Centers: ANSI/TIA-942 Telecommunications Infrastructure Standard for Data Centers, http://www.ieee802.org/3/hssg/public/nov06/diminico_01_1106.pdf


Confidential – For Interagency Use Only

The Future of State-Federal Collaboration Federal Reserve System Supervision Technology

CSBS Cyber & Technology Risk Management Forum October 14, 2021 12:00 PM – 1:00 PM CT

Jonathan Trunfio Federal Reserve Board

Mark Buethe Federal Reserve Bank of St. Louis

Christine Hutchison Federal Reserve Bank of Kansas City

Angela Knight-Davis Federal Reserve Board


What is Supervision Central?

Supervision Central uses early-adopter cloud technology to create new intake, exchange, and collaboration capabilities that support examiners, bankers, and other agencies on examination events and ongoing supervision (continuous monitoring supporting LT100 supervision). The first release of Supervision Central focused on delivering foundational capabilities, while future releases will include new functionalities and value-oriented business enhancements.

Roadmap (slide graphic labels): Foundational Product (Community, Regional, Consumer); Future Phases; Expanded Banker and Agency Capabilities; Supervisory Events; Continuous Monitoring; Ad Hoc; Artificial Intelligence; Document Intake and Organization; External Sharing & Collaboration; Authentication & Authorization; End-to-End Processes; Record Retention & Archival; Advanced Search; Approval Workflow; Strategic Pivot: Low Code; Office 365 Experience

Replacing: CBO ExamSpace, RBO ExamSpace, RBO TeamSites, CA ExamSpace, Intralinks


Interagency Technology: Business Case for a Shared Solution

Shared Interagency Objectives
• "How can we reduce regulatory burden?"
• "How can we improve examination processes and simplify the technology landscape?"
• "How can we improve data accessibility, sharing, and transparency?"
• "How can we improve interagency collaboration?"
• "How can we reduce IT costs?"


Interagency Magic Quadrant: Commonality vs. Value

Assessing Business Value
• Where would shared technology relieve regulatory burden for supervised organizations and make it easier to work with other agencies on joint events?
• Where would shared technology improve the efficiency and effectiveness of processes for supervisory staff?
• Where would shared technology provide the greatest value for the largest number of stakeholders?

Assessing Commonality
• Hypothesis: CBO S&S supervision across the Fed, FDIC, and States is similar for 80% of business processes. Interagency efforts get bogged down in the 20% of differences.
• The team evaluated Processes, Activities and Steps across S&S supervision to look for commonalities. Conclusion: basic business processes across CBO supervision are fundamentally similar.
• WHAT we do is common, but HOW we do it is different.

(Quadrant label on slide: "All Other Processes")


Interagency Alignment: Guiding Principles

Interagency alignment is both practical and aspirational
• A single, shared platform is aspirational; however, it is not the only solution to achieve higher efficiency, effectiveness, and collaboration.
• Technology leaders will provide business leaders guidance on potential solutions.
• Parties will share best practices, leverage common coding, and strive to provide a consistent interface and experience for users.

Interagency alignment emphasizes joint decision making
• Each party is an equal partner, with ample representation during all alignment activities.
• Representatives should participate in conversations to the best of their ability.

Interagency alignment has a bias toward compromise
• Parties should work toward compromise whenever possible or be able to respectfully articulate clear business reasons for differences.

Current Workstreams
• Quadrant 2 Processes: As governance and technology solution recommendations are in process, the interagency Supervision Process Committee has initiated work to align quadrant 2 processes: Report of Exam and Issues Terminology.
• Technology Solution Strategy: A CIO-appointed workgroup is developing a recommendation for delivering shared technology, considering multiple options: interoperable and/or interconnected systems to be used across agencies; a shared infrastructure; and a common platform.
• Governance Structure: The business workgroup is to propose an inclusive and equitable governance structure.


SecurityScorecard (“SSC”) Partnership with State Regulators

HIGHLY CONFIDENTIAL

October 14, 2021

About SecurityScorecard

Mission: Make the World a Safer Place

● Global leader in security ratings (investors include Fitch and Moody's; a former S&P CEO is an advisor)
● 11+ million entities currently rated (20M by end of December)
● Operates one of the largest DNS malware sinkholes: 700M+ hits a day, 27B vulnerabilities per week
● Rates ("A" through "F") across 10 categories, such as: Network security, Patching cadence, Endpoint security, Web app security
● Overall "A" through "F" scores are correlated to breach: "C", "D" or "F" rated entities are statistically 4.3 to 7.7x more likely to be breached
● Scores new entities in 5 minutes or less

Multiple Regulatory/Oversight Use Cases

● 360 View: Regulators leverage SSC's data via an API pull for their own internal purposes, and SSC's platform will allow regulators to privately store examiners' notes.
● Historical Data: With 7 years of SSC's historical data, examiners (and investigators) can see a covered entity's security posture over time (e.g., SSC recently conducted a data analytic investigation of a major bank after a breach for 2018 and 2019).
● Self-Monitoring and Third-Party Risk Management: Working with regulatory agency CISOs to provide valuable data for the agency to monitor the safety of its own network and assist creation of its own third-party vendor risk management program.
● Cyber Intelligence: Powering regulators' Cyber Intelligence Units with intel collection and supplementing regulators' threat intelligence and threat hunting capability with SSC's threat intelligence group; briefing regulators on major breaches (including SolarWinds, MS Exchange, and Pulse Secure) and supporting regulators' investigations teams.
● Exam Scoping and Risk-Based Oversight: SSC continuously monitors covered entities at scale with ML and AI, helping regulators identify and properly scope examinations based on state cyber rules and regs. SSC allows examiners to take a risk-based approach to exams and audits (i.e., start with audits/exams of 'F' rated companies, move on to 'D' rated companies, etc.), raising the floor on cybersecurity for the entire industry.

Summary of SSC's Current Work with State Regulators

Exams
● Understanding that regulators cannot audit/investigate the thousands of covered entities they regulate every year, regulators use SSC to select and scope annual exams. SSC helps regulators identify entities falling behind and triage issues to focus on.
● SSC ratings are used to verify the accuracy of questionnaires and regulatory filings.
● SSC can provide historical data for specific research projects and analysis.
● SSC maps state compliance regimes to our data to provide continuous monitoring of regulatory compliance.

Additional Initiatives
● Weekly meetings with regulators to address questions, discuss exam-related issues, and review progress for ongoing work, spanning exam, intelligence, and investigation-related matters.
● SSC has conducted periodic intelligence briefings to provide further color on its originally published research.
● SSC provides training for audit and investigations staff.

SSC's Platform Is Highly Customized to Each Regulator's Portfolio of Regulated Entities

● Companies grouped according to the regulator's preferences
● All data is dynamic and updated daily
● Ability to map state regulatory regimes to SSC's 77 findings

(Platform screenshots on this slide are redacted.)

SSC's Partnership with Bank Regulators Is Responsive to Increased Attention on Greater Public/Private Information Sharing

● DHS Secretary Alejandro Mayorkas testified as follows on March 17, 2021 before the House Committee on Homeland Security: "The public/private partnership is especially important in enhancing our nation's cybersecurity."
● On its Critical Infrastructure Partnerships and Information Sharing webpage, CISA states that "[p]ublic-private partnerships are the foundation for effective critical infrastructure security and resilience strategies, and ... is essential to the security of the nation's critical infrastructure."

● In a February 2021 press release, CISA announced a formal partnership with Viasat, a private company, and wrote, “[t]his partnership …further improves CISA’s support to public and private sector partners.”

2021 Cyber & Technology Risk Management Forum CSBS Jam Session

Let’s talk about training

Poll Question

All things considered, what is your agency's biggest challenge for cyber/IT supervision?
• Training availability
• Staff capability
• Time limitations
• Capacity

Developing the Workforce of Tomorrow

Critical areas of focus:
• Cyber & IT
• Data analytics
• Leadership development

Cyber & IT Training

Inventory of current CSBS training resources
• On-demand
• Live virtual
• In-person

Cyber & IT Training

• Development of cyber and IT examiner learning pathways
• Training content gap analysis

Poll Question

All things considered, what is your preferred cyber/IT training delivery channel?
• On-demand
• Live virtual
• In-person
• Blended

Cyber & IT Training

What to expect for 2022 and beyond:
• IT Examiner Schools
• Cyber & Technology Risk Management Forum
• Day One Cyber/IT Examiner Training
• Partnerships

Poll Question

In 2022 and beyond, for this CyTech event, would you prefer?
• Just live virtual once a year
• Just in-person once a year
• Live virtual in the spring, in-person in the fall
• None of the above. I am out!

State Supervision of Cyber and IT Areas

Discussion topics:
• Aligning Bank and Nonbank
• What's next?
• Where is the Risk: Banks vs Nonbanks
• InTREX Updates Coming SOON
• Ransomware Self-Assessment Tool (R-SAT)

Poll Question

Has your agency issued the R-SAT to your supervised institutions?
• Yes
• No
• What's R-SAT?

Poll Question

Is your agency mandating completion of the R-SAT for your supervised institutions?
• Yes
• No
• Again, what's R-SAT?

Service Provider Supervision

How to get involved:
1. Agency Authority
2. Guiding Principles Document
3. Regional SPs: coordinated out of regions (FDIC/FRB/OCC)
4. Significant Service Providers: coordinated out of DC

Current State CPCs: NY (2), MO and CA

Word Cloud

What Keeps You Up at Night on the Cyber front? Type in one word to create a word cloud; you can submit up to three times.

Security Scorecard
• Are any of you already using it?
• Could this benefit your department?
• Could this tool benefit your examinations?

Comments & Questions?

Poll Results (Mentimeter)

All things considered, what is your agency's biggest challenge for cyber/IT supervision?
• Capacity: 19
• Training availability: 9
• Staff capability: 6
• Time limitations: 6

All things considered, what is your preferred cyber/IT training delivery channel?
• On-demand / Live virtual / Blended / In-person (vote counts not recoverable from the chart; one bar shows 16)

In 2022 and beyond, for this CyTech event, would you prefer?
• Just live virtual once a year: 23
• Just in-person once a year: 18
• Live virtual in the spring, in-person in the fall: 9
• None of the above. I am out!: 0

Has your agency issued the R-SAT to your supervised institutions?
• Yes: (count not recoverable from the chart)
• What's R-SAT: 6

Is your agency mandating completion of the R-SAT for your supervised institutions?
• Yes: 3
• Again, what's R-SAT?: 1

What Keeps You Up at Night on the Cyber front? (word cloud)
ransomware (several spellings), zero day exploits, human error, human element, phishing, data breach(es), federal overreach, losing the arms race, service provider attack, support from other examiners, lack of inventories, coverage, pushback, supervisor support, incident response, hackers, financial fraud, staff knowledge, IoT, user access, examiner staffing, bank failure, board buy-in, patch management, adequate time for exams, vulnerabilities, cybersecurity as a whole, identity theft
