Cyber & Data Security In the SBA Lending Marketplace

Western Pennsylvania Association of Guaranteed SBA Lenders March 14, 2019 Quality Circle Seven Springs Resort. Cyber & Data Security In the SBA Lending Marketplace. Our Age of Insecurity. Couple steals millions from USC church Treasury specialist steals 13M from Pgh Co.

iveys

Presentation Transcript


  1. Western Pennsylvania Association of Guaranteed SBA Lenders March 14, 2019 Quality Circle Seven Springs Resort Cyber & Data Security In the SBA Lending Marketplace

  2. Our Age of Insecurity
  • Couple steals millions from USC church
  • Treasury specialist steals 13M from Pgh Co.
  • Beaver County based health system attacked in worldwide attack
  • Western PA gas pipeline system attacked by malicious software via vendor
  • Target data breach from SWPA vendor
  • Fancy Bear hacking team targeted Pgh based Westinghouse Electric Company
  Risk Advisory Services

  3. Why are We Here Today When We Have Anti-Virus?
  • Because it looks good
  • Because I already have SBA loan basics down
  • Where else can I go?
  • Because more likely than not my borrower represents the best opportunity for a hacker to gain entry into a larger business
  • Those stories about the theft from western PA businesses have me scared
  • Feds or not, our bank has the most skin in the game
  ANSWER: All of the above
  • America’s small businesses create about 66% of all new jobs.
  • More than 50% of Americans either own or work for a small business.
  • Small businesses play a key role in the economy and in the nation’s supply chain, and they are increasingly reliant on information technology to store, process and communicate data.
  • Protecting this information against increasing cyberthreats is critical.
  Source

  4. Cybersecurity for GSBA Lenders
  • What is cyber security?
  • Why does it matter to you?
  • When does it matter?
  • What can you and your clients do?
  • How do you act upon what should be done?
  • Where do we begin?
  • Who is in charge?
  • What are the consequences of failure?

  5. What is Cybersecurity?
  The Pennsylvania Department of Banking defines Cybersecurity as the:
  I. Body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
  • See here: https://www.dobs.pa.gov/Businesses/cybersecurity/Pages/default.aspx

  6. NIST Cybersecurity Framework

  7. It’s about the “Data”
  • Structured data
  • Unstructured data
  • Data storage
  • Data access
  • Data format
  • Data sharing
  • Data hosting
  • Data infiltration

  8. Neither Need Apply: Eternal Optimist, Eternal Pessimist

  9. Let’s Get Real

  10. Navigating Uncharted Territory

  11. Where to Go? What to Do? Which to Follow?
  • Laws, regulations and suggested best practices
  • Laws: NYDFS, CCPA, Ohio Cybersecurity Law, HIPAA
  • Regulations
  • Best practices: HHS, DOS, FTC, etc.
  The bevy of rules, regulations, best practices and policies confuses most. The key is to identify your industry guides.

  12. Start with Basic Blocking and Tackling

  13. Common Denominators for Cyber and Data Standards, Regulations and Rules
  • Create a cybersecurity policy
  • Third-party security: safe cyber partners
  • Post-breach notification
  • CISO
  • Incident response plan
  • Insurance terms and conditions
  • Endpoint detection
  • Right to be forgotten****

  14. Cybersecurity: Recent Examples
  • Mergers and acquisitions
  • The Marriott breach
  • Seek assurance that the target company has taken appropriate measures to protect its data and electronic assets:
  • Data management risk
  • Technical risk
  • Corporate risk
  • Employee risk
  • Track record

  15. Sobering Stats for Small Businesses
  • Hackers and criminal insiders cause the most data breaches.
  • 48% of breaches in this year’s study were caused by malicious or criminal attacks.
  • Average cost per record to resolve an attack is $157; system glitches cost $131 per record and human error or negligence $128 per record.
  Ponemon Institute 2017 Cost of Cyber Crime Study
  • Create strong cybersecurity foundations: invest in the basics while innovating to stay ahead of the hackers.
  • Undertake extreme pressure testing: don’t rely on compliance alone.
  • Invest in breakthrough innovation: balance spend on new technologies, such as analytics and artificial intelligence, to scale value.

  16. Cybersecurity - Focus on These Practices
  • Focus on cybersecurity and risk management
  • Incident response program development: given enough time, effort, and resources, attackers will always find a way to break into a system. Your clients must be able to systematically identify, protect, detect, respond, and recover from these incidents.
  • Protecting your clients, colleagues, and assets

  17. CalOhYorkEuSetts

  18. Reality (Recovery) Tends to Be More Harsh for Small Businesses
  • The loss of customer trust has serious financial consequences.
  • PCWorld in August 2013 reported that of the small businesses who suffered a breach, roughly 60 percent go out of business within six months after the attack.

  19. Hot Areas of Cybersecurity
  • Mergers and acquisitions
  • Supply chain
  • Governmental agency contracts
  • Employee data
  • Trade secrets
  • Financial information
  • Trade secrets and business practices

  20. Cybersecurity Creed Data is our most treasured commodity. Storage, transfer, manipulation and massaging of data makes cyber theft the easiest way to steal. Cybersecurity best practices are an integrated combination of software, control systems, data access, data use and data storage best practices. We pledge that Cybersecurity is a top down commitment to the protection and integrity of data. We promise to react quickly and responsibly to attacks and restore business as quickly and safely as possible. We value the concerns of our customers and business partners and we realize that no business is immune nor impenetrable. We will assure our business partners that our constant vigilance provides the safest environment for data protection and we vow vigilance in adhering to safe cyber practices.

  21. 3rd Parties Want Assurances of Cybersecurity, Not Empty Promises
  • The SOC 1 report focuses on a service organization’s controls that are relevant to an audit of a user entity’s (customer’s) financial statements. A SOC 1 Type I report focuses on a description of a service organization’s controls and the suitability of how those controls are designed to achieve the control objectives. A SOC 1 Type II report is identical to a Type I, and additionally opines on the operating effectiveness of the controls in achieving the related control objectives throughout a specified period. SOC 1 audit reports are restricted to the management of the service organization, user entities and user auditors.
  • The SOC 2 report addresses an organization’s controls relating to operations and compliance in relation to availability, security, processing integrity, confidentiality and privacy. A SOC 2 report includes a detailed description of the service auditor’s tests of controls and results, and use of this report is generally restricted. The SOC 2 report was created because of the rise in cloud computing and the outsourcing by businesses of core services.

  22. History of CPA Involvement in Auditing IT Controls

  23. AICPA Framework Application
  ADVISORY
  • Design and implement a cybersecurity program
  • Conduct a readiness assessment/gap analysis
  ATTESTATION
  • Perform an examination to assess the cybersecurity program’s design and operating effectiveness

  24. AICPA Framework Application
  ADVISORY
  • Design and implement a cybersecurity program
  • Common criteria
  • Scalable
  • Flexible
  • Evolving
  • Conduct a readiness assessment/gap analysis
  • Identify gaps
  • Remediate through corrective action plans

  25. AICPA Framework Application
  ATTESTATION
  • Ensuring the controls continue to operate effectively and promoting accountability
  • Maintaining and updating those controls, and ensuring they meet best practices
  • Communicating your cybersecurity proficiency to stakeholders

  26. Introduction…
  • What is a SOC Report?
  • A third-party attestation report demonstrating that the organization’s internal control environment is:
  • Suitably designed
  • Operating effectively
  • What purpose do they serve?
  • Provide assurance to internal and external stakeholders…
  • Vendor risk management!

  27. Utility of Attestation

  28. Utility of Attestation

  29. Value Proposition
  • Save time, save money…
  • Reducing audits of your organization and of your customers
  • Meet demands of the marketplace
  • Increasing scrutiny of service providers and vendors
  • Comply with industry best practices, regulations, and contracting obligations
  • Enhance marketability
  • Convey confidence and trust to business partners and customers
  • Distinguish yourself in the marketplace

  30. Value Proposition: Security Framework Comparison

  31. Achieving Attestation
  • Define system or service for attestation
  • Select control criteria
  • Identify applicable controls and map to matrices
  • Identify gaps or insufficiencies
  • Remediate identified gaps or insufficiencies
  • Test controls (Type 1 vs. Type 2)
  • Issue report

  32. Scoping
  • Attestation over system, service, or organization-wide
  • Selection of Trust Service Criteria:
  • Security (Required): Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information.
  • Availability: The system is available for operation and use as committed or agreed upon.
  • Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Privacy: Personal information is collected, used, retained, and disclosed in conformance with commitments.

  33. Subservice Organizations
  • Must identify and examine for reporting.
  • Controls are likely to be necessary to meet the objectives or criteria.
  • Example: data center
  • Subservice organizations with SOC attestation can be “carved out” (the service auditor relies on the work of the other service auditor).

  34. Timeline to Attestation
  Type 1: Report on the suitability of the design of the controls.
  Type 2: Report on the suitability of the design of the controls AND the operating effectiveness of the controls throughout the reporting period.

  35. Composition of the Attestation Report

  36. Risk Advisory Services

  37. Contact Us
  Steven Franckhauser, JD, 614-228-4000, sfranckhauser@hbkcpa.com
  Matthew Schiavone, CPA, CISA, 724-934-5300, mschiavone@hbkcpa.com