Digital Age Fraud and Crime
Nadia Brannon, CFE
Executive Director, Fraud Investigation & Dispute Services
Ernst and Young
415-894-8297
[email protected]
October 2014
The views expressed in the following material are the
author’s and do not necessarily represent the views of
the Global Association of Risk Professionals (GARP),
its Membership or its Management.
Cost of Cyber Crime
A real and present threat to credibility, operations and profitability

Some sobering cyber crime statistics for 2014
• $12.7 Million - Average cost of cyber crime per company
• $3.5 Million - Average cost of a data breach event
• $145 - Cost paid per lost or stolen record
• $213,542 - Average cost of a data breach incident caused by malicious insider attacks
• $639,462 and 31 days - Cost and duration of a typical attack in 2014

Cyber crime is on the rise
• 15% - Increase in cost of a data breach event since 2013
• 6% - Increase in cost paid per lost or stolen record with sensitive information since 2013
• 95% - Increase in cost of hacks since 2010
• 4 days (96 hours) - Increase in duration of attack since 2013
• 25% ($129,797) - Increase in cost incurred due to a cyber attack since 2013
3 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
$60.5 Million - Most expensive data breach in 2014 to date…
Annualized Costs of Cybercrime in the United States in 2013 by Industry
(average annualized cost in million U.S. dollars)

Financial services        23.6
Defense                   23.2
Utilities and Energy      21.0
Technology                10.8
Communications            10.2
Education and Research     9.9
Transportation             7.8
Services                   7.8
Industrial                 7.6
Public sector              7.4
Healthcare                 6.8
Consumer products          5.9
Retail                     4.5
Current Trends

INTERNATIONAL CYBER CRIMINALS
• A large market in selling corporate data on the dark web
• Information trading has led to the formation of what is known as the “cyber mafia”, a world-spanning network that strikes from multiple locations
• High profits with low risk of detection and capture

SOCIAL MEDIA
• Increased reliance on social media as a driver of business creates opportunity to exploit vulnerabilities and target attacks

POINT-OF-SALE SYSTEMS
• Recent incidents at Target and Home Depot highlight the associated risk

ADVANCED PERSISTENT THREAT
• Attacks that steal data, but do not destroy the data
• Can take a long time to detect, so overall monetary damages can be very high
• Non-detection can allow hackers to infiltrate a company’s systems for longer periods of time
Common Forms of Cyber Attacks

Phishing
• Watering Hole
• Pharming and Credit Card Redirection

Malware-based attacks
• Man in the Browser
• Mobile Exploits

DDoS attacks
• Volume-based attack: Saturate the bandwidth by flooding it with a huge quantity of data
• Protocol attack: Saturate the target by exploiting network protocol flaws
• Application-layer attack: Saturate resources by targeting specific web applications, flooding them with HTTP requests

Zero-day exploits
• Attack that exploits a previously unknown vulnerability in the system
• Harder to defend against
Recent Cyber Crime Incidents

INCIDENT TYPE: DATA BREACH | DATE: OCTOBER 2014
• 76 million people affected
• Information compromised: names, addresses, phone numbers, email addresses
• JPMC plans to spend $250 million on digital security annually

INCIDENT TYPE: POINT OF SALE ATTACK | DATE: DECEMBER 2013
• 110 million people affected
• Information compromised: credit and debit cards; customer details (name, address, etc.)
• Data breach cost Target $148 million
Recent Cyber Crime Incidents

INCIDENT TYPE: POINT OF SALE ATTACK | DATE: SEPTEMBER 2014
• 56 million credit and debit cards stolen
• Malware used to raid the computer system
• Company struggling with high turnover among information security personnel

INCIDENT TYPE: MALWARE ATTACK | DATE: JULY 2014
• Scamming customers’ accounts to steal large sums of money
• Funds transfers are affecting 34 institutions
• Crimes trace back to Romania and Russia
• Amount of money stolen is in the millions
Combating Cyber Attacks Requires Leadership and Accountability

Organizations are making good progress in improving how they manage the risks they already know, but they need to place more emphasis on:
• Improving employee awareness
• Increasing IS budgets
• Devoting more resources to innovating security solutions
• Threat Intelligence: Collect intelligence that is relevant to the business in order to establish a threat level and drive appropriate strategic and tactical countermeasures
• Vulnerability Identification: Assess the organization’s vulnerability to cybersecurity attacks
• Remediation: Track, validate and provide metrics on the remediation of vulnerabilities
• Detect: Monitor the environment for threat indicators to identify attacks before critical company services are disrupted or high-value/sensitive assets are compromised
• Respond: Lead organized investigations to determine the cause and scope of security incidents, and drive containment and recovery activities
• Countermeasure Planning: Design countermeasures to mitigate identified risks, inclusive of business, compliance or other security requirements
Sources
• 2013 EY Cyber Security Survey - http://www.ey.com/Publication/vwLUAssets/EY__2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf
• 2013 Internet Crime Report, Federal Bureau of Investigation - http://www.ic3.gov/media/annualreport/2013_IC3Report.pdf
• 2013 Online Fraud Report, Cybersource - http://forms.cybersource.com/forms/fraudreport2013?cid=1-51697651&lsr=vanity
• 2014 Global Report on the Cost of Cyber Crime, Ponemon Institute - http://www.ponemon.org/
• 2014 Global Report on the Cost of Data Breaches, Ponemon Institute - http://www.ponemon.org/
Quantification Methods for Operational Risk Losses
Sonia Jarvis
Financial Economist, Risk Analysis Division
Office of the Comptroller of the Currency
October 2014
The views expressed in the following material are the author’s and do not necessarily represent the views of the Office of the Comptroller of the Currency (OCC) or Global Association of Risk Professionals (GARP), its Membership or its Management.
Key Challenges to Cyber Crime Loss Quantification

Timing
• When events occur
• How long events last

Identify root cause(s)
• Key drivers of loss: internal, external, or combination?

Impact projection
• Lines of business
• Internal operations vs. external fallout
• Regulatory actions

Limited experience
• Little, if any, historical experience
• External losses may or may not be relevant
Quantification Methods: RCSAs and BEICFs (Qualitative Assessment)

People
• Subject matter experts
• Key stakeholders and management
• Risk officers
• Modelers

Process
• Assess risk drivers or exposures
• Quantify potential losses based on expert judgment or experience

Pros and Cons
• Easy to understand
• Involve many or few participants
• Quantification by humans (subjective)
Quantification Methods: Scenario Analysis (Qualitative Assessment)

People
• Subject matter experts
• Key stakeholders and management
• Risk officers
• Modelers

Process
• Identify candidate scenarios
• Identify involvement of interested and relevant parties
• Identify quantification methodology(ies)
• Updates

Pros and Cons
• Easy to understand
• Involve many or few participants
• Limited to risk drivers identified
• Quantification by humans (subjective)
Quantification Methods: Loss Distribution Approach (LDA) (Quantitative Assessment)

Data
• Internal
• External
• Qualitative

Process
• Determine severity distribution
• Determine frequency distribution
• Select relevant percentiles and compute aggregate loss

Pros and Cons
• No risk driver identification needed
• Objective method with subjective overlay
• Reliable and consistent models can be difficult to generate
• Highly dependent on data choices
• Not intuitive
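The three LDA process steps (severity distribution, frequency distribution, aggregate loss at chosen percentiles) carried through end to end as a worked example. This is added code, not from the presentation or the OCC. It assumes a Poisson frequency and a lognormal severity, which are common choices but not the only ones, and simulates the compound annual loss by Monte Carlo; the parameters (about five events a year, median event of roughly $22k, heavy right tail) are constructed and not calibrated to any real institution.

```python
import math
import random
import statistics
from typing import Dict, List


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Draw one annual event count from Poisson(lam) using Knuth's multiplication method."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(lam: float, mu: float, sigma: float,
                           n_years: int, seed: int = 2014) -> List[float]:
    """Aggregate loss for each simulated year.

    Frequency: number of loss events in a year ~ Poisson(lam).
    Severity: size of each event ~ lognormal(mu, sigma).
    The annual total is the sum of that many independent severities, i.e. the
    compound distribution the LDA works with.
    """
    rng = random.Random(seed)  # fixed seed so a reviewer can reproduce the run exactly
    totals = []
    for _ in range(n_years):
        n_events = sample_poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return totals


def empirical_quantile(values: List[float], q: float) -> float:
    """Nearest-rank quantile: smallest sample value with at least a fraction q of the sample at or below it."""
    if not 0 < q <= 1:
        raise ValueError("q must lie in (0, 1]")
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def theoretical_expected_loss(lam: float, mu: float, sigma: float) -> float:
    """E[annual loss] = E[N] * E[X] = lam * exp(mu + sigma^2 / 2) for Poisson frequency, lognormal severity."""
    return lam * math.exp(mu + sigma ** 2 / 2)


def lda_summary(lam: float, mu: float, sigma: float,
                n_years: int = 20000, seed: int = 2014) -> Dict[str, float]:
    """Expected annual loss plus the 95th and 99.9th percentile annual losses from the simulation."""
    totals = simulate_annual_losses(lam, mu, sigma, n_years, seed)
    return {
        "expected_loss": statistics.fmean(totals),
        "loss_95": empirical_quantile(totals, 0.95),
        "loss_999": empirical_quantile(totals, 0.999),
    }


if __name__ == "__main__":
    # Constructed parameters, not real loss data: lam = 5 events/year,
    # median event exp(10) (about $22k), sigma = 1 gives a heavy right tail.
    summary = lda_summary(lam=5.0, mu=10.0, sigma=1.0)
    print(f"theoretical expected loss: {theoretical_expected_loss(5.0, 10.0, 1.0):,.0f}")
    for name, value in summary.items():
        print(f"{name:>14}: {value:,.0f}")
```

The simulated mean should sit close to the closed-form expected loss; the gap between the 95th and 99.9th percentiles is where the slide's "highly dependent on data choices" caveat bites, because the tail of the severity distribution (here, sigma) is exactly the parameter that sparse internal data pins down least well.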
Quantification Methods: Factor-based Approaches (Quantitative Assessment)

Data
• Internal
• External
• Qualitative

Process
• Determine key risk drivers
• Determine mathematical relationship between losses and risk drivers
• Compute aggregate loss based on projected risk driver levels

Pros and Cons
• Intuitive methodology
• Similar to quantification in other financial risk areas (credit or market risk)
• Subjective mathematical models
• Limited to risk drivers identified (quantified)
• Highly dependent on data choices

Relationship between losses (y) and risk drivers (x):
  y = a + b·x₁ + c·x₂ + d·x₃ + ⋯
  y = e^(−(a + b·xᵢ)/(a + b·xⱼ))
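The factor-based process (fit the relationship between losses and risk drivers, then compute the loss implied by projected driver levels) as a worked example of the linear form y = a + b·x₁ + c·x₂. This is added code, not from the presentation or the OCC; it fits the coefficients by ordinary least squares through the normal equations, with no dependency beyond the standard library. The driver data is constructed to follow an exact linear relationship so the fit can be checked; real loss data carries noise, and the fitted coefficients would then only approximate any underlying relationship.

```python
from typing import List, Sequence


def solve_linear_system(matrix: List[List[float]], rhs: List[float]) -> List[float]:
    """Solve A x = b by Gaussian elimination with partial pivoting (A small and square)."""
    n = len(rhs)
    a = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]  # augmented matrix
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("risk drivers are collinear; the model is not identifiable")
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(col + 1, n):
            factor = a[r][col] / a[col][col]
            for c in range(col, n + 1):
                a[r][c] -= factor * a[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (a[r][n] - sum(a[r][c] * x[c] for c in range(r + 1, n))) / a[r][r]
    return x


def fit_linear_factor_model(drivers: Sequence[Sequence[float]],
                            losses: Sequence[float]) -> List[float]:
    """OLS coefficients [a, b, c, ...] for y = a + b*x1 + c*x2 + ... via (X'X) beta = X'y."""
    if not drivers or len(drivers) != len(losses):
        raise ValueError("need exactly one loss observation per row of driver values")
    design = [[1.0, *row] for row in drivers]  # leading column of ones carries the intercept a
    p = len(design[0])
    xtx = [[sum(r[i] * r[j] for r in design) for j in range(p)] for i in range(p)]
    xty = [sum(r[i] * y for r, y in zip(design, losses)) for i in range(p)]
    return solve_linear_system(xtx, xty)


def project_loss(coefficients: Sequence[float], projected_drivers: Sequence[float]) -> float:
    """Aggregate loss implied by projected driver levels: a + b*x1 + c*x2 + ..."""
    if len(projected_drivers) != len(coefficients) - 1:
        raise ValueError("one projected level is needed per driver")
    return coefficients[0] + sum(b * x for b, x in zip(coefficients[1:], projected_drivers))


def r_squared(coefficients: Sequence[float], drivers: Sequence[Sequence[float]],
              losses: Sequence[float]) -> float:
    """Share of loss variance the fitted drivers explain; a low value is a warning that key drivers are missing."""
    mean_y = sum(losses) / len(losses)
    ss_tot = sum((y - mean_y) ** 2 for y in losses)
    ss_res = sum((y - project_loss(coefficients, x)) ** 2 for x, y in zip(drivers, losses))
    return 1.0 - ss_res / ss_tot


# Constructed sample, not real data: eight quarters of x1 = transaction volume (millions)
# and x2 = externally facing applications, against operational loss y (thousands of dollars).
# Generated exactly from y = 2 + 3*x1 + 0.5*x2 so the fit can be checked.
DRIVERS = [[10, 5], [12, 8], [15, 6], [9, 4], [20, 9], [18, 12], [14, 7], [11, 6]]
LOSSES = [34.5, 42.0, 50.0, 31.0, 66.5, 62.0, 47.5, 38.0]

if __name__ == "__main__":
    coefs = fit_linear_factor_model(DRIVERS, LOSSES)
    print("fitted a, b, c:", [round(c, 4) for c in coefs])
    print("R^2:", round(r_squared(coefs, DRIVERS, LOSSES), 6))
    # Projected driver levels for next quarter (constructed): volume 16, 10 applications.
    print("projected loss:", round(project_loss(coefs, [16, 10]), 2))
```

The collinearity check in the solver is the code-level face of the slide's "limited to risk drivers identified" caveat: two drivers that move together cannot be separated by the data, and the model should refuse rather than report arbitrary coefficients.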
Quantification Methods: LDA-FB Mixture Approaches (Quantitative Assessment)

Data
• Internal
• External
• Qualitative

Process
• Determine key risk drivers
• Determine loss distributions
• Determine mathematical relationship between losses and risk drivers
• Compute aggregate loss based on projected risk driver levels and quantiles of the loss distribution

Pros and Cons
• Combines subjective and objective methodologies
• Retains elements similar to other financial risk areas
• Highly dependent on data choices

Relationship between losses (y) and risk drivers (x):
  y = a + b·x₁ + c·x₂ + d·x₃ + ⋯
  y = e^(−(a + b·xᵢ)/(a + b·xⱼ))
Best Practices

Transparent
• Clear, concise documentation
• All processes and modeling decisions recorded
• Minimize “black boxes”

Credible
• Qualified participants
• Reasonable, validated results
• Reflective of actual risks and exposures
• Reflective of current situations (periodic refresh)

Verifiable
• Benchmarks or backtesting
• Reasonable results

Systematic
• Repeatable process
• Reduce or eliminate key-man risk
Creating a culture of risk awareness®

Global Association of Risk Professionals
111 Town Square Place, 14th Floor, Jersey City, New Jersey 07310, U.S.A. | +1 201.719.7210
2nd Floor, Bengal Wing, 9A Devonshire Square, London, EC2M 4YN, U.K. | +44 (0) 20 7397 9630
www.garp.org

About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies, academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM®) and the Energy Risk Professional (ERP®) Exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for professionals of all levels. www.garp.org.