
Protecting Financial Data: Cyber & Fraud Risk Identification

Learn about effective methods to protect financial data through cyber and fraud risk identification. Gain insights from experts in enterprise risk management.





Presentation Transcript


  1. Session #28: Protecting Financial Data through Cyber and Fraud Risk Identification
Dr. Michael Dean, Dr. Linda Wilbanks, and Ms. Linda Hall, U.S. Department of Education
2018 FSA Training Conference for Financial Aid Professionals, November 2018

  2. Presenters
Dr. Michael Dean is Chief Enterprise Risk Officer and Senior Executive Head of Enterprise Portfolio, Risk & Data at the U.S. Department of Education, Federal Student Aid (FSA). Dr. Dean is responsible for an operation overseeing the management of enterprise-wide risks, including FSA's $1.5 trillion portfolio, major operating units, cybersecurity, fraud, and transformation, and for leading a transformative effort to deliver commercial, best-in-business practices in portfolio management to achieve the best possible results for students and taxpayers. Dr. Dean has a passion for driving innovation and change in higher education finance and has over 25 years of experience in leadership positions at public and private universities, financial services, and financial technology enterprises. He received his BS in Accounting, MBA in Enterprise Systems and Brand Management, and PhD in Educational Administration and Higher Education with emphasis in quantitative research methods from Southern Illinois University Carbondale. He has completed Harvard University's graduate program in Management and Leadership in Education.
Dr. Linda Wilbanks serves as the Senior Cyber Risk Management Advisor at Federal Student Aid within the Department of Education. She is responsible for the cyber risk appetite and risk portfolio, ensuring all cyber security risks are identified and mitigations are developed and implemented. Prior to this position she served as the FSA Chief Information Security Officer (CISO). Dr. Wilbanks has also served as the Command Information Officer (CIO) at the Naval Criminal Investigative Service (NCIS), the CIO at the National Nuclear Security Administration (NNSA), and the Chief Information Officer (CIO) at NASA Goddard Space Flight Center (GSFC). Prior to joining federal service, Dr. Wilbanks was a professor of mathematics and computer science. Dr. Wilbanks holds a Bachelor's degree in mathematics and secondary education, a Master of Engineering Science, and a Doctorate in Computer Science. She has published over 125 articles in refereed journals on software metrics, quality assurance, cyber security, and risk management.

  3. Presenters
Ms. Linda Hall serves as the Senior Fraud Risk Advisor in the Enterprise Risk Management Office of Federal Student Aid (FSA). She is responsible for ensuring compliance with federal statutes and directives governing management of enterprise-wide fraud risk activities. She also ensures the integrity of FSA programs by identifying fraud risks and mitigation processes. As a member of the Senior Executive Service at the Department of Education (ED), Ms. Hall has served in a variety of managerial roles. Prior to this position, Ms. Hall was FSA's Internal Review Officer, responsible for the analytical and advisory work supporting audits and internal reviews. She has served as ED's Director of Rural Outreach and Executive Director of the former Rural Education Task Force. A former White House Fellow, Ms. Hall holds a Bachelor of Science in Commerce from the McIntire School of Commerce of the University of Virginia and a Master of Business Administration from the Wharton Graduate Division of the University of Pennsylvania. She is a certified Project Management Professional (PMP) and a certified mediator.

  4. Agenda
1. Objectives
2. Introduction to Enterprise Risk Management and Institutional Leadership Context
3. Cyber Security Risk Management
4. Fraud Risk Management

  5. Objectives
• To introduce Enterprise Risk Management and the increasing complexity of institutional leadership
• To improve cybersecurity risk knowledge and discuss management of cybersecurity risks
• To improve fraud risk knowledge and discuss management of fraud risks

  6. Enterprise Risk Management and Institutional Leadership Context
Complexity and the Presidential Role
College presidents find themselves in a setting that is unprecedented in its complexity. American Council on Education (2018)
[Chart: complexity, accountability, and visibility of the presidential role, 1995 vs. 2018]

  7. Enterprise Risk Management and Institutional Leadership Context
Complexity and the Presidential Role
As the complexity, accountability, and visibility of institutional leadership have grown, so has the urgency to proactively manage risks across the enterprise.

  8. Enterprise Risk Management and Institutional Leadership Context
Seven Critical Issues Facing Higher Education, Risk and Insurance (2018)
• Fiscal solvency
• Athletic concussion injury
• Sexual assault
• Gender equality issues
• Erosion of public trust in higher education
• Campus crisis readiness
• Cybersecurity
"Rising college costs and stagnant or declining pecuniary benefits have led more persons to ask: 'is college worth it?' or, 'do I get a good return on my college investment?'" Forbes Magazine (2017)

  9. Enterprise Risk Management and Institutional Leadership Context
Seven Challenges Facing Higher Education, Forbes Magazine (2017)
• Cost is turning off potential customers and alienating the public
• Increase in federal financial aid linked to increase in regulation
• Less expensive approaches to certifying competence; disruption of traditional higher education
• Traditional role of colleges as a place for divergent ideas continually under attack
• Slow economic growth and an aging population reducing resources
• The value of a college degree as a device to signal knowledge, intelligence, and skills is fraying
• At large campuses, intercollegiate athletics has become too costly and exploitive, and has heightened public awareness of scandals

  10. Enterprise Risk Management and Institutional Leadership Context Critical risks across the institution have interdependencies and cannot be managed effectively in silos.

  11. Enterprise Risk Management and Institutional Leadership Context
Risk: The possibility that events will occur and affect the achievement of strategy and business objectives.
Risk Management: A series of coordinated activities to direct and control challenges or threats to achieving an organization's goals.
Enterprise Risk Management: The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
What does ERM seek to do? An organization-wide approach to addressing the full spectrum of the organization's significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos.

  12. Enterprise Risk Management and Institutional Leadership Context
Types of Risk: Financial, Regulatory, Strategic, Cyber, Reputation
• Compromise of networks allowing unauthorized access to information
• Failure to protect personally identifiable information from unauthorized disclosure
• Inaccurate, unreliable, and/or incomplete financial statements and/or records
• Inadequate, ineffective, and/or inappropriate internal controls
• Inconsistent, inaccurate, and/or inefficient administration, disbursement, and servicing of student aid
• Ineffective oversight and monitoring of Title IV programs and participants
• Failure to adhere to and/or implement requirements associated with Title IX/Clery Act
• Failure to resolve key control deficiencies identified during the audit process
• Failure to achieve program targets
• Failure to achieve enrollment and retention targets
• Inability to perform significant academic or scientific research

  13. Enterprise Risk Management and Institutional Leadership Context
5 Questions CEOs/Presidents Should Ask About Cyber Risks
Executives are responsible for managing and overseeing enterprise risk management. Cyber oversight activities include the regular evaluation of cybersecurity budgets, IT acquisition plans, IT outsourcing, cloud services, incident reports, risk assessment results, and top-level policies.
• What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
• How is our executive leadership informed about the current level and business impact of cyber risks to our company?
• How does our cybersecurity program apply industry standards and best practices?
• How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
• How comprehensive is our cyber incident response plan? How often is the plan tested?
Source: Cyber Risk Management Primer for CEOs, Department of Homeland Security (2017)

  14. Enterprise Risk Management and Institutional Leadership Context
Constructive Elements of Enterprise Risk Management
[Diagram: Investment; Strategic Plan; Board & Executive Level Focus; Organization Wide; Enterprise Cyber Risk]

  15. Moving Your Institution Forward with ERM
Leading ERM and Strategy Realization: Questions for Consideration
While the Board of Trustees and President have ultimate accountability for managing risks and for achieving strategic objectives, risk management is everyone's responsibility.
• Does your institution have an ERM program?
• Do you focus on solving issues or managing critical risks?
• Are your key executives engaged in conversations about their units' risks and interdependencies?
• Are you engaged in risk conversations with your senior administrators, and do those conversations involve risks tied to strategic objectives?
• Does your institution provide tools and training for risk management?
• Does your unit have a risk register and/or risk portfolio that feeds an institution-wide process?
• Has your institution assigned responsibility to a key executive to drive your institution-wide risk management process?
• Do you involve your entire organization in disciplined risk management?

  16. Cyber Security Risk Management Dr. Linda Wilbanks

  17. IT / Cyber Security Risk
• The risk associated with computers, e-commerce, and online technology: applications, systems, data
• Cyber security risk exposes schools to exploitation of vulnerabilities that compromise the confidentiality, integrity, or availability of information processed, stored, or transmitted.
• Cyber security risks cannot be managed effectively in a silo; the entire enterprise must participate!

  18. Cyber Risk – Are You Prepared?
Are your financial networks and data secure?
[Map: Virginia, North Carolina, Texas, California]

  19. Are Your Networks Secure? Where will your school's financial networks and data transfer to in the event of a natural disaster?

  20. Are You Addressing Your Cyber Risks? Is your financial data protected?

  21. Who is Responsible for Cyber Risk?
[Diagram: Cyber Risk Management, IT Operations, Enterprise Risk Officer; answer: EVERYONE]

  22. Cyber Risk + IT Operations = Partners
Cyber Risk Team:
• Provides the strategic basis by identifying risks
• Works with IT Operations on risk mitigations
• Validates that mitigations have reduced the risks
IT Operations Team:
• Works with Cyber Risk on mitigations
• Implements mitigations
• Continuously monitors mitigations
REQUIRED PARTNERSHIP FOR SUCCESSFUL CYBER RISK MANAGEMENT

  23. Cyber Risk Management Framework: YOU have a role in cyber risk management.

  24. Who is Responsible for Cyber Risk?
• School: administration, financial aid, teachers
• Students
• Parents
EVERYONE!

  25. Cyber Risks to Financial Data are Everywhere
• Internal / external
• Natural or man-made
• Intentional or accidental
Do YOU have mitigations in place to protect financial data? Everyone has a role in ENTERPRISE Risk Management!

  26. There's No Such Thing as Worthless Data
RISK: the bad guys gather seemingly worthless bits of data to launch social engineering attacks, or use a small piece of information to complete the attack puzzle.
Student financial data needs to be protected. YOU need to ensure enterprise risk mitigations are in place!

  27. Identifying Risks and Protection Standards is Critical
Recent survey: 64% of users do not want elaborate passwords (16 characters, mix of numbers, letters, and symbols). However, data needs to be protected to the appropriate level! Identify your cyber risks and work with IT to mitigate them.

  28. Conclusion
• Cyber security risk management strategy and implementation come from the leaders, especially FINANCIAL leadership!
• Cyber risks need to be identified and mitigations developed in coordination with IT Operations
• Student data is currency to hackers; it has value, and the associated risks need to be identified and mitigated
• Verify that disaster and contingency risks are identified and mitigated to ensure continuity of operations in the event of an emergency
• EVERY SCHOOL NEEDS TO HAVE AN ENTERPRISE CYBER RISK TEAM

  29. Fraud Risk Management Linda Hall

  30. Benjamin Franklin: "There is no kind of dishonesty into which otherwise good people more easily and frequently fall than that of defrauding the government."

  31. Is Fraud Risk Management required?
34 CFR 668.16 - Standards of administrative capability.
(g) Refers to the Office of Inspector General of the Department of Education for investigation –
(1) After conducting the review of an application provided for under paragraph (f) of this section, any credible information indicating that an applicant for Title IV, HEA program assistance may have engaged in fraud or other criminal misconduct in connection with his or her application. The type of information that an institution must refer is that which is relevant to the eligibility of the applicant for Title IV, HEA program assistance, or the amount of the assistance. Examples of this type of information are -
  (i) False claims of independent student status;
  (ii) False claims of citizenship;
  (iii) Use of false identities;
  (iv) Forgery of signatures or certifications; and
  (v) False statements of income; and
(2) Any credible information indicating that any employee, third-party servicer, or other agent of the institution that acts in a capacity that involves the administration of the Title IV, HEA programs, or the receipt of funds under those programs, may have engaged in fraud, misrepresentation, conversion or breach of fiduciary responsibility, or other illegal conduct involving the Title IV, HEA programs. The type of information that an institution must refer is that which is relevant to the eligibility and funding of the institution and its students through the Title IV, HEA programs;

  32. WHAT RISK FACTORS MAY LEAD TO FRAUD? THE FRAUD TRIANGLE
OPPORTUNITY
• Weak or ineffective controls
• Little or no oversight
• Lax rules
• Management override
MOTIVATION / PRESSURE
• Personal financial obligations/debt
• Addictions
• Expectations of third parties/status
• Greed
RATIONALIZATION / ATTITUDE
• Changes in lifestyle
• "Everyone does it"
• "I was only borrowing the money"
• "I was underpaid and deserve it"

  33. Where are your Fraud Risks? • School Employees, Officials, Financial Managers, and Instructors • Lenders and Lender Servicers • Guarantee Agencies • Award Recipients • Contractors • Students • Others

  34. What is Fraud Risk Management? PREVENTION – Controls designed to keep fraud and abuse from occurring in the first place. DETECTION – Controls designed to detect fraud and abuse that may have occurred.

  35. Fraud Risk Management Program
• Internal controls are a strong deterrent
• What is an internal control? A process effected by management to ensure:
  • Financial reporting is reliable
  • Operations are effective and efficient
  • Compliance with laws and regulations

  36. What indicators may lead to (potential) Fraud Risk? • One person in control • No separation of duties • Lack of internal controls/ignoring controls • No prior audits • High turnover of personnel • Unexplained entries in records • Unusually large amounts of payments for cash

  37. What indicators may lead to (potential) Fraud Risk? • Inadequate or missing documentation • Altered records • Non-serial number transactions • Inventories and financial records not reconciled • Unauthorized transactions • Related Party Transaction • Repeat audit findings

  38. Tips for FAAs (Financial Aid Administrators)
Use your experience and common sense. Look for things that jump out at you…
• FWS students turning in timecards that seem to exceed their "free time"
• Documentation from questionable sources, or many documents from the same source
• "Students" being coached on what to say
• Inability to respond quickly to challenge questions
• Limited classroom activity
• Plagiarized and/or meaningless academic effort
• Just enough academic activity to generate a refund
• Multiple students with the same:
  • Physical and/or email address
  • Street and/or neighborhood/zip code
  • Home and/or cell phone number
  • IP address
  • Similar FAFSA/ISIR information
  • Address change prior to disbursement
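The last group of indicators on this slide (several students sharing a street address, ZIP code, phone number, or IP address, or changing address shortly before disbursement) can be checked mechanically across a term's applicant file rather than by eye. The following Python is an added example written for this page, not code from FSA or the presenters; the applicant records, the field names, and the 14-day address-change window are constructed assumptions.

```python
"""Flag applicant records that share identifiers or change address just before
disbursement (fraud-ring indicators). Added example; records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Applicant:
    student_id: str
    email: str
    street: str
    zip_code: str
    phone: str
    ip_address: str                  # address the FAFSA/portal session came from
    address_changed: Optional[date]  # most recent address change, if any
    disbursement: date


# Constructed records (hypothetical): S001, S003 and S004 share a street, ZIP,
# phone and IP, and S003/S004 changed address days before disbursement.
APPLICANTS = [
    Applicant("S001", "a.smith@example.edu", "12 Elm St", "22030", "703-555-0101",
              "203.0.113.7", None, date(2018, 9, 10)),
    Applicant("S002", "b.jones@example.edu", "45 Oak Ave", "22031", "703-555-0102",
              "198.51.100.4", None, date(2018, 9, 10)),
    Applicant("S003", "c.lee@example.net", "12 Elm St.", "22030", "703-555-0101",
              "203.0.113.7", date(2018, 9, 8), date(2018, 9, 10)),
    Applicant("S004", "d.kim@example.net", "12 elm st", "22030", "(703) 555-0101",
              "203.0.113.7", date(2018, 9, 9), date(2018, 9, 10)),
    Applicant("S005", "e.ortiz@example.org", "9 Pine Rd", "20001", "202-555-0199",
              "192.0.2.88", date(2018, 6, 1), date(2018, 9, 10)),
]


def _alnum(value: str) -> str:
    return "".join(ch for ch in value.lower() if ch.isalnum())


# Per-field normalisers so cosmetic differences ("12 Elm St." vs "12 elm st",
# "(703) 555-0101" vs "703-555-0101") do not hide a match.
NORMALIZERS = {
    "email": lambda v: v.strip().lower(),
    "street": _alnum,
    "zip_code": lambda v: v.strip()[:5],
    "phone": lambda v: "".join(ch for ch in v if ch.isdigit()),
    "ip_address": lambda v: str(ipaddress.ip_address(v.strip())),
}


def shared_identifier_groups(applicants: List[Applicant], min_size: int = 2
                             ) -> Dict[Tuple[str, str], List[str]]:
    """Map (field, normalised value) -> student IDs for values shared by >= min_size applicants."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for a in applicants:
        for field, norm in NORMALIZERS.items():
            groups[(field, norm(getattr(a, field)))].append(a.student_id)
    return {key: ids for key, ids in groups.items() if len(ids) >= min_size}


def address_change_before_disbursement(applicants: List[Applicant],
                                       window_days: int = 14) -> List[str]:
    """Student IDs whose address changed within window_days before disbursement."""
    return [a.student_id for a in applicants
            if a.address_changed is not None
            and 0 <= (a.disbursement - a.address_changed).days <= window_days]


def score_applicants(applicants: List[Applicant]) -> Dict[str, int]:
    """One point per shared-identifier group an applicant belongs to, plus one for
    a late address change. Applicants with no indicators are omitted."""
    score: Dict[str, int] = defaultdict(int)
    for ids in shared_identifier_groups(applicants).values():
        for sid in ids:
            score[sid] += 1
    for sid in address_change_before_disbursement(applicants):
        score[sid] += 1
    return dict(score)


if __name__ == "__main__":
    ranked = sorted(score_applicants(APPLICANTS).items(), key=lambda kv: -kv[1])
    for sid, points in ranked:
        print(f"{sid}: {points} indicator(s) - review before disbursement")
```

On the constructed file this ranks S003 and S004 highest (shared street, ZIP, phone and IP plus a late address change), then S001, and leaves S002 and S005 unflagged. A score is a prompt for the document review on the following slides, not a finding: a shared ZIP code or a shared campus NAT address is weak evidence on its own, which is why each field is counted separately and can be dropped from NORMALIZERS where it generates noise.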

  39. What can you do to detect or prevent Fraud? • Properly handle documents • Shred sensitive information • Use key identifiers instead of the SSN • Password protect sensitive information • Audit access • Review access privileges • Verify who you are talking to • Ensure staff receive necessary training
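The "use key identifiers instead of the SSN" item can be implemented as a keyed pseudonym: an HMAC of the SSN under a key held outside the data, so worksheets and spreadsheets still link a student's records without carrying the SSN itself. The following Python is an added example written for this page, not FSA code; the token format (`stu_` plus 16 hex characters), the key source (an `SSN_PSEUDONYM_KEY` environment variable), and the sample SSNs are assumptions. It also shows why an unkeyed hash is not an adequate substitute.

```python
"""Replace the SSN with a keyed surrogate identifier on working documents.
Added example; the key handling is an assumed deployment, not FSA practice."""
import hashlib
import hmac
import os
import re
import secrets
from typing import Iterable, Optional

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def canonical_ssn(ssn: str) -> str:
    """Return the nine digits, rejecting anything that is not SSN-shaped."""
    match = SSN_RE.match(ssn.strip())
    if not match:
        raise ValueError("not a well-formed SSN")
    return "".join(match.groups())


def surrogate_id(ssn: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Same SSN + same key -> same token, so records
    still link; without the key the token cannot be mapped back to the SSN."""
    if len(key) < 32:
        raise ValueError("use at least a 256-bit key")
    digest = hmac.new(key, canonical_ssn(ssn).encode(), hashlib.sha256).hexdigest()
    return "stu_" + digest[:16]  # 64 bits: collision-free for any one institution


def masked_ssn(ssn: str) -> str:
    """Display form for documents that must show something: last four digits only."""
    return "***-**-" + canonical_ssn(ssn)[-4:]


def unkeyed_id(ssn: str) -> str:
    """The weak alternative: a plain SHA-256 of the SSN, no secret involved."""
    return hashlib.sha256(canonical_ssn(ssn).encode()).hexdigest()


def recover_from_unkeyed(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Why unkeyed hashing is not pseudonymisation: there are only about 10^9
    possible SSNs, so an attacker hashes them all and looks the token up. The
    candidate list stands in for that full enumeration so the demo runs instantly."""
    for candidate in candidates:
        if unkeyed_id(candidate) == token:
            return canonical_ssn(candidate)
    return None


def load_key() -> bytes:
    """Assumed deployment: the key lives in an environment variable or secrets
    manager, never alongside the pseudonymised records. The random fallback is
    only so this file runs stand-alone; production code should fail closed."""
    hex_key = os.environ.get("SSN_PSEUDONYM_KEY")
    return bytes.fromhex(hex_key) if hex_key else secrets.token_bytes(32)


if __name__ == "__main__":
    key = load_key()
    sample = "123-45-6789"  # constructed, not a real SSN
    print(surrogate_id(sample, key), masked_ssn(sample))
```

A plain hash fails because the SSN space is small enough to enumerate; the key is what makes the mapping one-way for anyone who does not hold it, so the key must be stored and access-controlled separately from the pseudonymised records, which ties in with the "audit access" and "review access privileges" items above. Anyone who can call the service that mints tokens can still test a guessed SSN against a token, so that service needs the same access review as the SSN itself.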

  40. How Can You Help?
• Ensure that staff receive necessary Title IV training
• Review documents thoroughly
• Question documents and verify their authenticity
• Request additional information from students or their parents
• Compare information on different documents
• Contact the OIG if you suspect fraud
• Cooperate with the OIG in connection with an audit or investigation

  41. What happens when you detect fraud?
Call the professionals!! Anyone suspecting fraud, waste, or abuse involving Department of Education funds or programs should call or write the Inspector General's Hotline.
• 1.800.MIS.USED
• www.ed.gov/misused
• Office of Inspector General, U.S. Department of Education, 400 Maryland Avenue, SW, Washington, DC 20202-1510

  42. Differences Between OIG's Investigation Services and FSA's Program Compliance and Enforcement Offices
OIG INVESTIGATION SERVICES
• Investigates any fraud impacting ED programs or operations
• Works with federal and state prosecutors to take criminal and civil actions
• Criminal investigators have statutory law enforcement authority to carry firearms and execute search and arrest warrants
• Is independent of ED in exercising its investigative authority
FSA (PROGRAM COMPLIANCE AND ENFORCEMENT)
• Conducts compliance reviews and administrative investigations of violations of the HEA
• Takes administrative actions authorized by the HEA and program regulations
• Reviewers and investigators have administrative authority only
• Has program operating responsibilities
• Is required to send allegations of fraud to OIG

  43. Moving Your Institution Forward with ERM: Contact Us
• Dr. Michael Dean, michael.dean@ed.gov, Chief Enterprise Risk Officer, Senior Executive Head of Enterprise Portfolio, Risk & Data
• Dr. Linda Wilbanks, linda.wilbanks@ed.gov, Senior Cyber Security Risk Advisor
• Linda Hall, linda.hall@ed.gov, Senior Advisor for Fraud Risk

  44. Questions and Answers
