cybersecurity
the process of protecting information by preventing, detecting, and responding to attacks
cybersecurity attackers
countries
terrorists
criminals
insiders
cybersecurity motivations
espionage
money
disruption/destruction
political/social statement
notoriety
cybersecurity disruption
ransomware - kidnapping information for a ransom
zero day exploit - hacker exploits a weakness on the day it is discovered and before it is resolved; the hacker can be told by an insider or by the FI itself.
goal of disruption = disrupt the business of the FI, s
cybersecurity degradation
still allow the FI to operate, but at a slower pace
distributed denial of service - to allow the hacker to upload the virus that they want to
malware - virus/trojan/freeze frame/ erase info
cybersecurity unauthorized alterations
man in the middle - hacker intermediates to get information, e.g. keystrokes
phishing - hacker pretends to be the FI information system
corporate account takeover - steal the cash from a corporation, from one account in the FI
atm cash out - hack the ATM, th
cybersecurity insiders (unauthorized, authorized access)
stolen cash or other financial assets, stolen intellectual property
ex: you don't always change your PIN/password
G-7 Fundamental Elements for Cybersecurity
Cybersecurity Strategy and Framework
Governance
Risk and Control Assessment
Monitoring
Cybersecurity Incident and Response
Recovery
Information Sharing
Continuous Learning
Cybersecurity Strategy and Framework
how the CS risk management will be implemented
proportional to nature of activities, size of entity, complexity of risk and operations, risk profile, and organizational culture
tailor CS to the specific FI, ex: Capital One is an online bank, so they need
CS Governance
policies and documented risk management strategies
specifies roles of Board and Management, Internal and External Audit and Risk Management Functions
CS Risk and Control Assessment
enterprise-wide CS risk management must be applied to organizational functions, activities, products and services
evaluate contagion effect on the rest of the system
concentration risk = risk happens in one area, but can have effect on the entire system
CS Monitoring
establish monitoring systems to timely detect cyber incidents
evaluate effectiveness of networks by monitoring, conducting exercises, independent testing and audits
maintain IT records, help detect unusual activities
CS Incident Response
assess the nature, scope, and impact of an incident
contain the incident and prevent further impact
report the incident as needed
CS Recovery
resume operations while continuing remediation
remove residual vulnerabilities
implement measures to prevent incident recurrence
communicate recovery efforts to stakeholders as needed
CS information sharing
information on threats, vulnerabilities, incidents, and responses should be shared to create awareness, enhance learning, limit damage, and strengthen defenses
too much sharing can create bank panic, but we are lacking in this department because banks ar
CS Continuous learning
review and update the CS strategy and framework periodically or as the need arises
FFIEC
Federal Financial Institutions Examination Council
FFIEC Inherent Cybersecurity Risk Rating
Least Inherent Risk
Minimal Inherent Risk
Moderate Inherent Risk
Significant Inherent Risk
Most Inherent Risk
Least Inherent Risk
limited use of tech
few computers, applications, systems, and no connections
small geographic footprint and few employees
common category for community banks
Minimal Inherent Risk
uses established tech
major systems are outsourced
few connections to customers and third parties
Auburn University Credit Union
Moderate Inherent Risk
uses somewhat complex tech
major systems outsourced and internal support provided
products and services are offered through diverse channels
Significant Inherent Risk
uses complex tech
offers high risk products and services including emerging tech
allows the use of personal devices
hosts connections with customers and third parties
Most Inherent Risk
uses extremely complex tech
offers many high risk products and services
delivery channels use new and emerging tech
maintain connections to transfer data with customers and third parties
Banking Channels
less risky to most risky:
branches
ATM/POS
telebanking
online banking
mobile banking app
FFIEC Maturity of CS Framework Levels
Baseline - minimum expectations required by law
Evolving
Intermediate
Advanced
Innovative - driving innovation, everyone involved in CS, test the strength of the system
FFIEC CS Risk Matrix
proportionality: more risky activities should have more controls
most inherent risk and innovative maturity
maturity and inherent risk levels should match up, otherwise the institution is exposed to significant CS risk
Tools to Minimize CS Risk
workforce and consumer education
CS risk and vulnerability assessments
penetration testing
multifactor authentication systems
antimalware software
cyber insurance
CS resource development
Stress Testing Components
capital risk - does the FI hold enough capital to absorb losses that could stem from its risk exposures
liquidity risk - does the FI hold enough liquid assets to meet its obligations
capital risk is the most important risk to an FI
Prompt Corrective Action (PCA) Categories
Well capitalized
adequately capitalized
undercapitalized
significantly undercapitalized
critically undercapitalized
Which risk is the only risk in law?
capital risk
How? Through maintaining PCA benchmarks
benefits of stress testing
early warning system to assess the likely impact of an unexpected adverse scenario
exposes the readiness of the FI to withstand the effects of an adverse scenario
shows whether the FI has adequate capital and liquidity in the event of an adverse scenario
Stress Testing Framework
1. scenario development and approval
- an adverse plausible scenario supported by assumptions and limitations
- low probability of occurrence
2. model development and validation
-estimate impact on borrowers, creditors, on capital and liquidity risk
3. report, re
Types of Stress Tests
regulatory ST
- CCAR
- Dodd Frank Act Stress Test DFAST
internal
- ICAAP
CCAR
Comprehensive Capital Analysis and Review
only for large BHC, 34 of them with assets > 100 B
purpose = to ensure enough capital in tough times, to ensure capital is risk based and forward looking
conducted annually by Fed, considers 3 scenarios, baseline,
DFAST
supports the CCAR
Banks cannot fail
Hypothetical Stress Scenario
Severe global recession (28 variables)
stress on corporate debt markets
stress on commercial real estate
pressure on leverage loans and collateralized loan obligations
unemployment increases to 10 percent
GDP
interest rates
stock market prices
Capital Plan
assessment of the uses and sources of capital
estimates of revenues, losses, capital levels, and capital ratios under baseline and supervisory stress scenarios
how the BHC will maintain all minimum regulatory capital under baseline and stressed scenarios
Stress Stimulants NOT considered under the regulatory ST
competition (FINTECH)
Third party service providers
climate change (physical risk and transitional risk)
ICAAP may take these into consideration if the FI considers them to be material
Stress Testing Principles
ST framework should be clearly articulated and formally adopted
ST framework should include an effective governance structure
STF should be used as a risk management tool
STF should capture material and relevant risk
STF should have adequate resources
STF
credit loss
difference (or cash shortfalls) between all contractual cash flows due to the entity in accordance with the contract, and all the cash flows that the entity actually receives
expected credit loss
difference (or cash shortfalls) between all contractual cash flows due to the entity in accordance with the contract, and the cash flows that the entity expects to receive
CECL considerations
past events
current conditions
future economic conditions (which are reasonable and supportable)
from acquisition/origination to disposal/expiration
Accounting Standards Update 2016-13, Financial Instruments - Credit Losses
on balance sheet credit exposures (loans held for investment, debt securities held to maturity)
off balance sheet credit exposures (loan commitments, standby letters of credit, financial guarantees)
CECL Estimation methods
WARM - weighted average remaining maturity
Discounted cash flows
PD/LGD
backtesting
comparing what we predicted to what we actually realized, then making adjustments to the model as needed
facilitates the conduct of various analyses: estimate vs actual (confidence intervals)
the variance is explained by renewing model assumptions and mod
backtesting requirements
conducted frequently (at least annually)
does not require independence (versus validation) to perform
allows for tracking model performance
CECL Model Management Override
justified: must be well documented and justified, and subject to approval
frequency: override frequency must be documented and evaluated by the supervisor
impact: determine the likely impact on model output
CECL Model Validation Process
assumptions
inputs
design
output
CECL Model Management
Qualitative: documentation, methodologies, governance, data intensity and quality, model assumptions, inputs, designs, and controls
Quantitative: output and model statistics measure model performance
other: regulation and validation, independent validatio
CECL Technical Capacity
diversity of knowledge
competent and well trained
Principle 9: CRM Assessment
Credit Risk management assessment
banking supervisors should periodically evaluate the effectiveness of a bank's credit risk practices
robustness of the credit risk review function
quality of CRM system
ECL includes current and FLI
CRM process and ECL allo
Principle 10: ECL Measurement Assessment
banking supervisors should be satisfied that the methods employed by a bank to determine accounting allowances lead to an appropriate measurement of expected credit losses in accordance with the applicable accounting framework
robustness and timeliness o
Principle 11: Capital Adequacy Assessment
Banking supervisors should consider a bank's credit risk practices when assessing a bank's capital adequacy
robustness of the ECL measurement framework and methodology
supervisory actions: ratings, capital requirements
Which of the following is not a component of managing CS risk?
identifying cyber attacks
responding to cyber incidents
developing new cyber attacks
preventing cyber incidents
all of the above are components of managing CS risk
developing new cyber attacks
Which of the following tools will allow a financial institution to minimize its CS risk?
shredding documents instead of burning them
requiring all documents to be placed under lock and key
requiring employee IDs to have a special code to identify which em
encrypting every confidential document before it is transmitted electronically
Which of the following would be considered a CS breach?
An individual electronically altering his online FI account to inflate the balance
an employee who alters the FI payroll database to see how much his manager is being paid
An employee who steals conf
an individual electronically altering his online FI account to inflate the balance
Which of the following cyber incidents involves a hacker disguising itself as a legitimate website so as to steal confidential information that users provide?
Man in the middle exploit
ATM cash out
Ransomware
phishing
distributed denial of service
phishing
Which of the following can FIs impose on their customers to assist in minimizing the institutions' CS risk exposures?
I. setting maximum password length
II. requiring passwords to be alphanumeric with special characters
III. limiting the number of log in
II, III, IV
Which of the following cyber incidents will limit user access to the services offered by an FI?
Man in the middle exploit
ATM cash out
ransomware
phishing
distributed denial of service
distributed denial of service
Which of the following is not a fundamental element of CS for FI?
a recovery plan for a cyber incident
CS governance framework
Risk assessment of cyber incidents
employment of ethical hackers to test CS systems
documents CS framework
employment of ethical hackers to test CS systems
Which of the following is a major obstacle limiting the progression of CS?
scarce tech expertise in CS
limited information sharing among FI
hackers are always a step ahead of FI
not every bank has an online presence
cyber insurance is way too expensive fo
limited information sharing among FI
Which of the following CS tools is reactive rather than preventative?
cyber insurance
penetration testing
anti malware software
multi factor authentication systems
consumer education
cyber insurance
Which of the following stress tests is an FI unlikely to fail?
ICAAP
CCAR
DFAST
ILAAP
SSAR
DFAST
Which of the following set of scenarios is considered for stress testing FI?
baseline, stress, and severely adverse scenarios
Stress testing FI is primarily concerned with their risk exposure to
interest rate and capital risks
capital and liquidity risks
credit risk and liquidity risks
interest rate and credit risks
operational risk and credit risk
capital and liquidity risks
A financial institution that conducts its own company-run stress test is engaged in an
ICAAP
A FI's CCAR is conducted by the Federal Reserve on a _______ basis.
annual
semi-annual
quarterly
monthly
weekly
annual
Which of the following must be included in a Capital Plan submitted to the Federal Reserve?
a capital policy
a description of how the FI assesses capital adequacy
A description of how changes in the FI's business plan may affect its capital
a description
all of the above must be included in a capital plan
Which of the following statements is incorrect regarding a FI's stress testing framework?
ST must be included as a part of the FI's risk management framework
The Board does not need to approve the FI's stress testing framework
The FI's stress testing fram
The board does not need to approve the FI's stress testing framework
Which of the following is NOT a PCA category?
significantly undercapitalized
critically undercapitalized
adversely undercapitalized
adequately capitalized
well capitalized
adversely undercapitalized
Why should FI engage in stress testing?
to ensure their employees do not suffer from high blood pressure on the job
to ensure they have enough assets to pay their creditors when due
to ensure they can generate profits to pay dividends to shareholders
to e
to ensure they have enough capital during economically stressful times
Which stress test uses a standard capital plan?
DFAST