PRMIA Intelligent Risk - May, 2017


INTELLIGENT RISK knowledge for the PRMIA community

May 2017 ©2017 - All Rights Reserved Professional Risk Managers’ International Association


PROFESSIONAL RISK MANAGERS' INTERNATIONAL ASSOCIATION

CONTENT EDITOR: Steve Lindo, Principal, SRL Advisory Services and Lecturer at Columbia University

INSIDE THIS ISSUE

SPECIAL THANKS Thanks to our sponsors, the exclusive content of Intelligent Risk is freely distributed worldwide. If you would like more information about sponsorship opportunities contact cheryl.buck@prmia.org.

At S&P Global Market Intelligence, we integrate financial and industry data, research and news into tools that help track performance, generate alpha, identify investment ideas, understand competitive and industry dynamics, perform valuation and assess credit risk. S&P Global Market Intelligence helps clients manage the full spectrum of their credit risk exposure, meet regulatory requirements, and make informed decisions through the use of end-to-end solutions, including risk data products, analytical models, research and services. S&P Global Market Intelligence is a division of S&P Global (NYSE: SPGI), which provides essential intelligence for individuals, companies and governments to make decisions with confidence. For more information, visit www.spglobal.com/marketintelligence.

FIND US ON: prmia.org/irisk | @prmia | prmia

003 A letter from leadership
005 Editor's introduction - by Steve Lindo
006 Technical (r)evolution: Managing the risk/reward balance of innovation - by Marc Barrachin
008 Closing the cyber security risk door - by Mark Trembacki
012 Data science for cyber risk management - by Scott Mongeau
017 Cyber risk prevention: A three pillar approach - by Vivek Seth
020 Sanitize for cyber security sanity - by Alex Woda
024 Simplifying cyber risk management - by Doug Blakey
027 Chapter profile - PRMIA Poland
028 A study of the PRM™ Designation Program - by Mary Rehm
030 Meet the PRMIA education committee
032 Clicker happy syndrome - by Cecilia Anastos
036 Careers in risk panel event
037 PRMIA member profile - Mariya Toryniak - by Adam Lindquist
040 Transatlantic collaboration - A unique CRO opportunity
042 Calendar of events


a letter from leadership

Justin M. McCarthy Chair, PRMIA

Kraig Conrad CEO, PRMIA

Your Board of Directors recently met as part of the strategy process for our mission-focused, member-driven PRMIA, and we are delighted by our progress toward our shared goals. This work flows up from and down to all our members via our various committees and chapters, so thank you to all members for your tremendous dedication and passion for our success.

PRMIA risk management challenge

Congratulations to Team CLPS from McGill University, Montreal, the winning team in this year's Risk Management Challenge case competition. The champions took home $10,000 in prize money for the team, along with a PRM™ Scholarship and a PRMIA Sustaining membership for each team member. After the local, regional, and international rounds of competition they were selected as the top team among 104 teams from nine PRMIA chapters around the world. The Risk Management Challenge continues to grow in size and success, and we invite you to tell your contacts, be they teaching or learning, about this great opportunity we have each year.

learning & development in our global network

PRMIA has a full selection of learning and development programs scheduled for the next several months, culminating with four regional events taking place in October and November in London, Montreal, Atlanta, and Washington DC. The 2nd Annual PRMIA EMEA Risk Leader Summit will be held November 13-14 in London. Event Co-Chairs Kathryn Kerle, Head of Enterprise Risk Reporting, RBS, and Sven Ludwig, Managing Director, FIS, along with Oleg Lebedev, Managing Director, Ten Diffusions Limited, are hard at work building on the tremendous success of the 2016 event. This will be a practitioner-focused event designed for risk leaders.

Intelligent Risk - May 2017

003


The agenda will focus on developing talent, current practice, and on-the-horizon risks. We are pleased to welcome keynote speaker Dr. Marcus Chromik, Member of the Board of Managing Directors, Commerzbank AG. Other confirmed speakers include:
• Kanwardeep Ahluwalia - Head of EMEA Markets Risk & Deputy CRO for EMEA, Bank of America Merrill Lynch
• Barbara Frohn - Director of Risk & Compliance Oversight Division, Financial Conduct Authority
• Christine Palmer - Chief Risk Officer, Aldermore Bank PLC
• Petra van Hoeken - CRO, Rabobank

The Canadian Risk Forum will be held November 13-15 in Montreal. The development committee consists of representatives from PRMIA Chapters across Canada and is led by Montreal Regional Director Kabil Jaa, Senior Analyst, Credit and Liquidity Risk, PSP Investments. The program will focus on emerging risks. Watch the PRMIA website for more detailed information on the agenda and speaker list as it develops. Watch your email for more information on the Atlanta and Washington DC events.

View our schedule of training courses, webinars, and self-study programs by selecting the "Learning" tab at www.prmia.org. And be sure to check the schedule of events at our 45 Chapters around the world. Visit prmia.org/chapters to learn more and join practitioners in your local community.

As we do with each edition of iRisk, we invite you to join us on our journey to serve the global risk profession. You are why the organization exists. Please raise your hand to volunteer, if you are not already serving, to add your voice to the dialogue on the future of PRMIA. And finally, a special thank you to Steve Lindo for his editorial direction for this issue.

Justin McCarthy, Chair, PRMIA

Kraig Conrad, Chief Executive Officer, PRMIA


editor’s introduction

Steve Lindo Editor, PRMIA

It’s been my privilege to edit the articles submitted by PRMIA members for publication in this issue of Intelligent Risk, on the topic of cyber risk. Like PRMIA members as a whole, the six authors have differing backgrounds and areas of expertise, in this case representing data science, systems security, criminal intelligence, computer science, private banking, consulting and academia. In spite of this diversity, there are several common themes among the articles which are noteworthy. The first is that the adoption of advanced technology in many areas of business and government, for the purposes of improving speed, cost and/or data analytics, has far outstripped the implementation of equivalent measures to prevent data theft and protect system continuity. The second is that criminals are capitalizing on these same technological advances to devise increasingly sophisticated methods of attack and disruption. The third is that the vulnerability of advanced computational methods and systems to cyberattack can be significantly reduced by good, old-fashioned, work-force education. The fourth is that cyber risk is far more dynamic than traditional categories of risk, demanding not just continuous activity monitoring, but also constant attention to new and mutating threat vectors. As I suspect many of you have already observed, cyber risk does not fall neatly into any traditional risk management discipline. It therefore requires adaptive treatment within established risk frameworks, something which comes most easily to companies with agile and forward-looking ERM programs. I hope you enjoy and learn from these thoughtful articles by your peers.

Steve Lindo Editor, PRMIA



technical (r)evolution: managing the risk/reward balance of innovation

by Marc Barrachin

It's difficult nowadays to avoid the subject of rapid technical (r)evolution. Innovation affects consumers and companies (financial and non-financial) alike. Buzzwords like "fintech", "insurtech" and "regtech" have become part of our common language. The way consumers and businesses interact is evolving fast: mobile is the new communication tool (both touch and voice), blockchain offers many long-term promises, robo-advisors are changing how one saves for retirement, and alternative lending is challenging traditional methods. This trend of constant technological innovation and changing human interaction is unlikely to slow down. Long-term demographic trends also affect how businesses operate. The combination of an aging workforce and millennials, each with very different technological sophistication, presents an interesting challenge for businesses, both in managing their workforce and in interacting with customers.

With these new opportunities come new risks. It's personal (who knows about your personal digital identity?). It's business (what is the impact on my business if it gets hacked, or if my clients or suppliers are?). It's political. It's global. Regulators are paying attention. Many of them, including CPMI-IOSCO (the Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions), the Office of Financial Research, and the New York Department of Financial Services, have identified technology and cyber risks in particular as key threats to financial markets, with potentially systemic consequences. This means that the role of risk management in financial institutions is evolving and becoming ever more complex. No longer is risk management focused only on market and credit risk. It includes monitoring and managing global macro risks and, of course, technology risk (which introduces 'unknown unknowns').

Technology risk, although understood by technology teams, extends beyond the IT structure of the business: to the risks of service providers, as outsourcing of non-core tasks becomes more prevalent; to potential investments (what would happen if a company one has invested in suffers losses from a cyber-attack?); and to suppliers (is their technology up to date?). With an ever-increasing number of potential disruptors, companies are caught between the anvil of doing nothing and the hammer of adopting untested technologies.



This implies an evolution of the risk culture that recognizes the interplay between different types of risk. It requires a clear framework, with coordination among stakeholders, clear accountability, education, and communication. One should systematically run extreme but plausible scenario analyses, not just about market movements, but about technology and macro risks: what would happen if my cloud provider went down? Do I know how many of my third-party services or customers rely on that same cloud provider?

Technology is moving faster than ever. It brings significant advantages but also risks that should be identified and managed proactively. How confident are you that your risk framework takes into account ever-changing technology risks?

author Marc Barrachin

Marc Barrachin, CFA, is Head of Product Research and Innovation within the Risk Services team of S&P Global Market Intelligence. Marc's responsibilities include strategy and partnerships, exploring new trends and their potential impact on the business, and looking for collaboration opportunities across the different S&P Global divisions. Prior to S&P Global Market Intelligence, Marc was Managing Director at IHS Markit, where he ran the index business and oversaw the rapid evolution of the credit business through the credit crisis and the subsequent evolution of the CDS market; he was also at Interactive Data in a variety of roles, from managing relationships with significant third-party partners to fixed income product development. He holds the CFA Charter, an MSF from Boston College, and a Bachelor's degree from Northeastern University.

Copyright © 2017 by S&P Global Market Intelligence, a division of S&P Global Inc. These materials have been prepared solely for information purposes based upon information generally available to the public and from sources believed to be reliable. S&P Global Market Intelligence, its affiliates, and third party providers (together, “S&P Global”) do not guarantee the accuracy, completeness or timeliness of any content provided, including model, software or application, and are not responsible for errors or omissions, or for results obtained in connection with use of content. S&P Global disclaims all express or implied warranties, including (but not limited to) any warranties of merchantability or fitness for a particular purpose or use. S&P Global Market Intelligence’s opinions, quotes and credit-related and other analyses are statements of opinion as of the date they are expressed and not statements of fact or a recommendation to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P Global keeps certain activities of its divisions separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain divisions of S&P Global may have information that is not available to other S&P Global divisions. S&P Global Ratings does not contribute to or participate in the creation of credit scores generated by S&P Global Market Intelligence. Lowercase nomenclature is used to differentiate S&P Global Market Intelligence PD credit model scores from the credit ratings issued by S&P Global Ratings. S&P Global provides a wide range of services to, or relating to, many organizations. It may receive fees or other economic benefits from organizations whose securities or services it may recommend, analyze, rate, include in model portfolios, evaluate, price or otherwise address.



closing the cyber security risk door

by Mark Trembacki

Many current approaches to managing cyber security risk embody the idiom, "shutting the barn door after the horses are gone." The implications of such short-sighted practices are significant: an estimated 60% of small companies are unable to sustain their business within six months of a cyber-attack,1 and one forecast predicts that a Fortune 1000 company will fail in 2017 as a result of a cyber breach.2 This article describes three practical steps to close the cyber security risk door before it is too late.

1. Heed the basics to avoid cyber incidents, by deploying existing tools and proven practices.
2. Build resilience as well as prevention, for a swift response and successful recovery.
3. Leverage enterprise risk management practices to enhance cyber security management.

This three-fold approach is not intended to shortchange the need for a strong technological defense, which is essential to combat the ever-increasing sophistication of threats. However, technology alone is not the answer.

heed the basics


The Commission on Enhancing National Cybersecurity, formed by executive order of President Obama in 2016, recently reported: "Many organizations and individuals still fail to do the basics. Malicious actors continue to benefit from organizations' and individuals' reluctance to prioritize basic cybersecurity activities ... these failures to mitigate risk ... allow malicious actors of any skill level to exploit some systems at will." 3

Training employees, managing vendor environments, and securing physical assets figure prominently among implementation basics to achieve strong cybersecurity practices.

1 / House Small Business Subcommittee on Health and Technology March 2013 Hearing. 2 / Forrester 2017 Predictions October 2016 Report. 3 / Commission on Enhancing National Cybersecurity December 2016 Report.



Engaging employees: the first line of defense

Wombat Security Technologies and the Aberdeen Group found that "an investment in user awareness and training effectively changes behavior and quantifiably reduces security-related risks by 45% to 70%."4 Employee education topics should include authentication (passwords), e-mail practices, social media, social engineering and phishing, network connections, and restricting user installation of applications.

Managing vendors and external partners

Companies manage hundreds of vendors, third-party service providers, and outsourcing arrangements. These external partners are a primary source of incremental risk, because each creates an entry point into a company's technology environment. Through widespread use of vendors, data management is no longer fully under the organization's control, adding complexity and risk. Legal and other practical measures should be used to partition and mitigate the risk, but a strong third-party vendor management program is essential to manage cyber security risk. Beyond strengthening cyber security risk management, a robust program helps achieve core business objectives by supporting spending decisions, contracting strategies, service levels, and other critical operational activities.

Securing the physical world

Stolen laptops remain an issue. Bitglass, a data protection company, noted that an organization is more likely to be robbed than hacked.5 Company policies and employee training should cover physical protection of mobile devices (laptops and smartphones), USB drives and other portable storage devices, as well as device access. Physical security should also be incorporated into policies and employee awareness building. Limiting and monitoring access (particularly to high-risk areas), discouraging tailgating, securing desktop computers, and implementing clean-desk practices all enhance data security.

building resilience and prevention

The detection and prevention of a cyber attack remains a critical and ever-present activity. However, resiliency, the ability to anticipate, prepare for, and recover from a cyber attack, should also be a point of focus. Many believe a cyber incident is a matter of "when" not "if". Planning for a wide variety of threats and outcomes will support faster recovery from cyber incidents.

4 / Wombat Security Technologies and the Aberdeen Group January 2015 Report. 5 / Bitglass 2014 Healthcare Breach Report.



Compared to other risks, cyber risk can be instantaneous, impact a large number of users, be highly visible and difficult to remediate. Social media and instant news feeds accelerate the spread of the news, increasing the need for quicker response times. Establishing relationships with external experts and firms can also support a more decisive response to a data breach.

leveraging enterprise risk management practices

The use of digital technology, and therefore the vulnerability to cyber disruption, is present in most business activities. Utilizing existing practices to assess, manage, and oversee cyber security risk will be more effective than implementing standalone processes solely designed to cover cyber security risk. Organizational processes that should be reviewed for cyber awareness include: strategic planning, M&A, product development, capital allocation and budgeting, vendor management, business continuity planning, and talent management. Incorporating a "cyber filter" into organizational processes enhances cultural awareness and facilitates a cross-functional, enterprise-wide approach that yields a holistic, "bird's-eye" view of this highly complex risk.

conclusion

Creating value means taking risk. The classic risk and return paradigm applies to cyber security risk, notwithstanding its unique characteristics and pervasive nature. Cyber security risk can't be avoided, but it can be managed. Developing a cost-effective strategy based on a consistent and comprehensive information security framework will go a long way to support a company's security, resilience, and overall cyber security confidence.

references

1. Bitglass. 2014. "Healthcare Breach Report."
2. Commission on Enhancing National Cybersecurity. December 2016. "Report on Securing and Growing the Digital Economy."
3. Forrester. October 2016. "2017 Predictions." Forrester.com.
4. House Small Business Subcommittee on Health and Technology. March 2013 Hearing. "Protecting Small Businesses Against Emerging and Complex Cyber-Attacks." Hearing Findings, Washington, D.C.
5. Wombat Security Technologies and the Aberdeen Group. January 2015. "The Last Mile in IT Security: Changing User Behavior."



author Mark Trembacki

Mark Trembacki teaches Enterprise Risk Management in the Master of Finance program at the University of Illinois, Urbana-Champaign. In 2015 he founded Risk Management Levers, Inc., a consulting firm focused on risk management (including cybersecurity, enterprise risk management and reputation risk) and acquisition integration. Mark previously enjoyed a diverse career at BMO Financial Group, holding a variety of executive risk management and business leadership roles. Mark graduated from the University of Illinois, earned an MBA in Finance from The University of Chicago Booth School of Business, and is a CPA. He is currently earning his Cyber Security Management Graduate Certificate from the University of Virginia and was recently recognized as a National Association of Corporate Directors (NACD) Governance Fellow.



data science for cyber risk management

The challenge of unknown unknowns

by Scott Mongeau

Cyber threat actors exploit increasingly interconnected networks to infiltrate infrastructure and compromise digital assets. While prolific networks and digitization drive interactivity, thereby opening new opportunities for collaboration, open channels also increase the scope and scale of potential cyber risks. Beyond compromised intellectual property and regulatory strictures, reputational damage can result in customer and partner attrition, as well as credit and equity losses. Risk management and cyber security professionals struggle to manage unknown unknowns, both unseen vulnerabilities and the threat of complex, evolving cyberattacks. As a result, data and system stewards are burdened with a persistent unease that their network has already been compromised. In order to stay a step ahead of potential intruders, data science brings powerful tools and methods with which to reclaim the informational advantage. Data science empowers the discovery of hidden patterns and the detection of evolving threats. Forward-thinking risk and cyber professionals therefore need to understand the basics of cyber data science: the virtuous cycle of data-driven discovery and detection.

digital agility: a double-edged sword

Organizations are under mounting pressure to pursue digital innovation. Pursuing competitive agility and a 'rapidity over stability' mindset leads to the precarious circumstance in which network and cyber security professionals lose track not only of where sensitive data and assets are stored, but also of basic knowledge of who generates and owns digital assets, and how those assets are being used. With the proliferation of bring-your-own devices and smart devices, many IT security professionals face the reality of not being certain what or who is on their network at any given time. In addition, the growth of big data, cloud computing, SSAS1, and virtualization is creating environments in which it is difficult to identify clearly where and how key informational assets are stored and managed. From the perspective of risk management, opportunities create risks and vice versa. Digital agility and innovation have a tangible opportunity value, which offsets the associated risks. This principle implies an optimal inflection point, beyond which agility and access assume outsized risks. The challenge in an environment rife with unknown unknowns is that this inflection point is difficult to identify. Data science, as a discipline dedicated to transforming unknowns into knowns, brings new hope to this dilemma.

1 / SQL Server Analysis Services




Cyber data science: reclaiming the informational advantage

Data science offers a set of established methods to quantify the key elements associated with digital infrastructure and assets, in order to establish appropriate cyber risk management practices. These methods provide approaches not only to identify when too much cyber risk has been assumed, but also to dial back the agility-versus-risk threshold, by providing a foundation for improved protection.

Data analytics methods

Data science is a fast-emerging practitioner discipline which applies statistical and analytics methods, processes, and technologies to gain value-creating insights from data. This discipline offers a rich and growing toolkit to gain insights from an increasingly prolific resource: data, particularly in the form of 'big data', data in large volumes and varieties, streaming at velocity. The advent of data science for cyber security creates opportunities to gain focused insights, to identify cyber intrusions in near-real-time, and potentially to predict which users, systems, and assets are most at risk.



the analytics process: discovery and detection

For practical purposes, it is useful to consider cyber data science as operating in two main modes: discovery and detection, self-reinforcing in a virtuous cycle. Value-creating insights for cyber security start with the discovery of users, network, devices, and digital assets, in particular where key network devices and resources are located.

Cyber analytics process

Data science methods can be applied to discover patterns in network assets and usage, including the nature of hidden assets, and to profile patterns in associated user behavior. By establishing a baseline for categories of assets and user behavior, a foundation is set for anomaly detection: when asset access, device behavior and/or user behavior fall outside their categorized ranges, anomalies indicative of potential incursions, misuse, or abuse become apparent.

Discovery approaches are useful when an analyst has no idea how to categorize a sample (e.g. customers, users, devices, assets) in relation to a phenomenon of interest (e.g. utilization, vulnerability). A discovery method such as cluster analysis is a good first step to see how the elements in a dataset relate to one another in distinct groups. Such techniques are used regularly in marketing analysis to extract meaningful categories of customers, which can then be targeted independently for engagement. The same techniques can be used to segment at-risk users and/or devices on a network. As the map of the network, devices, interactions, digital assets, and user behavior becomes clearer, uncertainty is reduced. Establishing statistically supportable segments is the first step to tracking and quantifying these categories.

The next step is for a data scientist to apply detection techniques. Ideally, where there is a record of known compromises, a data scientist can build an automated detection model trained on those labeled cases. However, given the rarity and the evolving nature of such attacks, a data scientist can also bootstrap an understanding of anomalies from the statistical baselines identified during the discovery phase.



With a set of observed patterns substantiated through diagnostics, an analytics anomaly detection model with demonstrable predictive power can act as an initial foundation. The resulting model allows for targeted alerts when anomalous signals suggest at-risk users and assets are potentially being compromised. Over time, the underlying anomaly detection model can be refined and improved, as cases are confirmed or rejected through subsequent investigation.

The virtuous cycle: self-improving cyber risk analytics

The combination of analytics-based discovery and detection techniques iterates in a cyclical fashion, allowing a progressive understanding to be developed which leads to optimized actions. Pattern discovery is refined over time, incorporating feedback from earlier cycles which improves the detection models. As evolving attacks and intrusions are detected through anomaly alerts, they will suggest new types of data and measures indicative of related occurrences. The understanding of the likelihood of cyber intrusion can be steadily improved for each category, along with details concerning optimal proactive security treatments. For categories which evidence a high level of risk, an organization can pilot a different approach and experimentally measure whether the observed response reduces expected levels of intrusion. Continuing to follow this experimental process over multiple cycles, an "optimized" strategy emerges in which each segment is targeted with the prescribed treatment (e.g. increased monitoring, proactive patches, outreach on risks, thresholds for risk alerts) most likely to yield positive results within that category.
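The discovery, detection and feedback steps described above, as an added example that is not code from the article or from SAS: a pure-Python toy that clusters constructed per-user activity records into behavioural segments (discovery), derives a robust median/MAD baseline per segment, scores new records against their user's segment and alerts above a threshold (detection), and re-tunes that threshold from analyst verdicts on the alerts (the virtuous cycle). The feature set (logins, failed logins, outbound megabytes, distinct hosts), the record layout, the sample records, the MAD floor of 1.0 and the default threshold of 3.5 are assumptions of this example, not values from the article; k-means and a robust z-score are generic techniques standing in for whatever tooling the author has in mind.

```python
"""Toy discovery -> detection -> feedback cycle, pure Python (stdlib only).

Constructed per-user daily activity records are segmented with k-means (discovery),
each segment gets a robust per-feature baseline (median and MAD), new records are
scored against their user's segment (detection), and analyst verdicts on alerts
re-tune the alert threshold (the feedback loop). The feature set, record layout,
the MAD floor of 1.0 and the default threshold of 3.5 are assumptions of this example.
"""
import math
from statistics import median

FEATURES = ("logins", "failed_logins", "bytes_out_mb", "distinct_hosts")

# Constructed history: one (user, logins, failed_logins, bytes_out_mb, distinct_hosts) per day.
HISTORY = [
    ("alice", 8, 0, 20, 3), ("alice", 9, 1, 25, 4), ("alice", 7, 0, 18, 3),      # back office
    ("bob", 10, 1, 30, 4), ("bob", 8, 0, 22, 3), ("bob", 9, 0, 28, 5),
    ("carol", 7, 0, 15, 2), ("carol", 8, 1, 21, 3), ("carol", 9, 0, 24, 4),
    ("dave", 30, 2, 400, 40), ("dave", 28, 1, 350, 35), ("dave", 32, 3, 450, 45),  # platform eng.
    ("erin", 25, 1, 300, 30), ("erin", 27, 2, 380, 38), ("erin", 29, 2, 420, 42),
]


def _dist(a, b):
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))


def _scaler(rows):
    """Min-max scale each feature to [0, 1] so the byte counts do not dominate distances."""
    lo = [min(col) for col in zip(*rows)]
    hi = [max(col) for col in zip(*rows)]
    return lambda r: [(v - l) / ((h - l) or 1) for v, l, h in zip(r, lo, hi)]


def kmeans(points, k, max_iter=100):
    """Deterministic k-means: seed with the first point, then farthest-point seeding."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        centroids.append(list(max(points, key=lambda p: min(_dist(p, c) for c in centroids))))
    labels = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: _dist(p, centroids[j])) for p in points]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:
                centroids[j] = [sum(col) / len(col) for col in zip(*members)]
    return labels, centroids


def robust_baseline(values):
    """(median, 1.4826*MAD); the spread is floored at 1.0 unit if the feature never varied."""
    med = median(values)
    return med, (1.4826 * median(abs(v - med) for v in values) or 1.0)


def discover(history, k=2):
    """Discovery: segment users by behaviour and derive one baseline per segment."""
    scale = _scaler([r[1:] for r in history])
    labels, centroids = kmeans([scale(r[1:]) for r in history], k)
    segments = {}
    for j in range(k):
        members = [r[1:] for r, l in zip(history, labels) if l == j]
        segments[j] = {"centroid": centroids[j],
                       "baseline": [robust_baseline(col) for col in zip(*members)]}
    return {"scale": scale, "segments": segments,
            "user_segment": {r[0]: l for r, l in zip(history, labels)}}


def segment_of(model, record):
    """Known users keep their discovered segment; unknown users go to the nearest centroid."""
    if record[0] in model["user_segment"]:
        return model["user_segment"][record[0]]
    p = model["scale"](record[1:])
    return min(model["segments"], key=lambda j: _dist(p, model["segments"][j]["centroid"]))


def score(model, record):
    """Detection: the largest robust z-score of any feature against the segment baseline."""
    base = model["segments"][segment_of(model, record)]["baseline"]
    return max(abs(v - med) / sigma for v, (med, sigma) in zip(record[1:], base))


def detect(model, records, threshold=3.5):
    """Return (record, score) for every record whose score reaches the alert threshold."""
    scored = [(r, score(model, r)) for r in records]
    return [(r, s) for r, s in scored if s >= threshold]


def tune_threshold(feedback):
    """Feedback loop over (score, confirmed) verdicts: pick the candidate threshold that
    maximises confirmed-minus-rejected alerts; ties go to the lower threshold (favour recall)."""
    def net(t):
        return sum(1 if ok else -1 for s, ok in feedback if s >= t)
    return min({s for s, _ in feedback}, key=lambda t: (-net(t), t))


if __name__ == "__main__":
    model = discover(HISTORY)
    today = [("alice", 8, 0, 22, 3), ("bob", 9, 14, 900, 40), ("dave", 31, 2, 430, 41),
             ("erin", 26, 4, 330, 33), ("carol", 8, 4, 21, 3), ("frank", 9, 0, 20, 3)]
    for rec, s in detect(model, today):
        print(f"ALERT {rec[0]}: score {s:.1f}")
    # Analyst verdicts: bob confirmed, carol rejected (password reset), and erin, below
    # threshold today, confirmed as a miss during the bob investigation.
    verdicts = [(score(model, today[1]), True), (score(model, today[4]), False),
                (score(model, today[3]), True)]
    print(f"re-tuned threshold: {tune_threshold(verdicts):.2f}")
```

Run as a script, the detection pass alerts on bob (a burst of failed logins followed by a bulk transfer to many hosts) and on carol (failed logins after a password reset, which the analyst rejects). Feeding those verdicts, plus erin's case that only surfaced during the bob investigation, through tune_threshold lowers the threshold so erin's pattern alerts next cycle, at the price of keeping carol's false positive. Making that trade-off explicit on every iteration is what the feedback loop in the article buys you; in production the same loop would also revisit the segments and features, not just the cut-off.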



bringing it all together: cyber risk analytics as a program and platform

Whether insourcing or outsourcing a cyber data science initiative, framing goals in terms of optimal outcomes is crucial. It is also essential to ensure a platform for conducting data science investigations is in place. This means both access to the required data and the availability of data analytics tools. Taken together, the foundation for a successful cyber data science initiative is a program that brings together people, methods, and technology, with data as the key raw material. A good starting point is to conduct a maturity assessment, to identify what gaps exist and how they can be addressed. From there, resourcing and developing a roadmap can lead an organization towards the virtuous cycle of cyber data science discovery and detection. When implemented successfully, unknown unknowns are resolved into quantifiable phenomena, allowing the point at which digital opportunity and risk are optimized to be accurately pinpointed and advanced.

author Scott Mongeau

Scott Mongeau is a Data Scientist in the Cybersecurity group at SAS Institute. Scott has more than 20 years of data analytics experience in a range of industries, including financial services, insurance, management consulting, IT, bio-pharma, materials, law enforcement and start-ups. Scott is a PhD (ABD) researcher on analytics model management at Nyenrode Business University and an INFORMS Certified Analytics Professional. He holds an MBA and a Masters in Financial Management from Erasmus Rotterdam School of Management. He also has a Master in Communication Technology (MA) from the University of Texas at Austin and a Graduate Degree (GD) in Applied Information Systems Management from the Royal Melbourne Institute of Technology (RMIT).



cyber risk prevention: a three pillar approach

by Vivek Seth

exposed to cyber threats

Cyberattacks against industrial corporations or institutions can be motivated not only by a desire for immediate financial gain, but also by a desire to access sensitive company and customer information, which can be used for further attacks. Additionally, perpetrators may intend to damage their target's reputation and brand, increase its litigation exposure, and weaken customer confidence and trust. In an age of increasing digitalization, all sectors of the economy are exposed to cyber threats, whether financial, retail, manufacturing, or less-expected sectors such as education, politics and defense. Cybercriminals are often anonymous attackers, hiding behind internet veils and located in a different and remote jurisdiction with weaker regulation.

A recent case which illustrates the need for both public and private sectors to stay constantly vigilant is the February 2016 cyberattack on Bangladesh's central bank1. The thieves used stolen credentials to issue SWIFT transfer requests amounting to about USD 1 billion, and succeeded in transferring about USD 80 million, which ended up in accounts in Sri Lanka and the Philippines. Bangladesh's central bank has started proceedings to recover the funds. Unfortunately, this is not an isolated incident, and many similar cyber attacks continue to be reported worldwide across different sectors. Against this background, the author proposes a Three Pillar Approach to Cyber Risk Prevention as an effective cyber risk management strategy. The three components which comprise these pillars essential to fighting cybercrime are described below.

1. Heed the basics to avoid cyber incidents, by deploying existing tools and proven practices

Police and law enforcement agencies play a crucial role in minimizing cyber threats. Institutions located in jurisdictions whose regulatory frameworks are known for high ethical standards and transparency, and which are influential in the global fight against cybercrime, present a much stronger deterrent to cybercriminals. Governments in these jurisdictions support the development of cyber defenses through research and innovation. For example, Singapore has a dedicated Cyber Security Agency to oversee cyber security strategy and conduct cyber security outreach [2].

1 / Source: BBC News, “Bangladesh bank hackers fail in bid to net $1bn”, 10 March 2016 (link).
2 / Source: Cyber Security Agency Singapore (link).



Having a robust regulatory and supervisory regime ensures that cybercrimes perpetrated have a high likelihood of being subjected to disciplinary action. Taking another example from Singapore, PDPC Singapore implements personal data protection policies and advisory guidelines, thus creating a sturdy environment for protection against cyber risk [3].

2. Robust IT infrastructure

Organizations that embed cyber risk management in their operations and technology platforms are much better prepared against cyber ambushes. This involves ongoing investment in IT infrastructure, both in-house and outsourced, ensuring that adequate safety nets are in place to protect firms against DDoS attacks, data sabotage, corporate extortion hacks and intellectual property theft, as well as hacks with physical impacts. Yahoo, once one of the biggest names on the internet, announced in 2016 that more than one billion user accounts were affected in a hacking attack dating back to 2013 [4]. This incident evidently had an impact on the negotiation process for the sale of Yahoo’s core business. Establishments that don’t update their IT infrastructure in a timely manner, or that adopt newer technology without proper risk impact assessments, are vulnerable to attack by cybercriminals, who do evolve their technology in a timely fashion.

3. Effective controls against insider threat

It is crucial for corporations to have adequate checks against cyberattacks perpetrated by internal staff, as technology alone can’t address such risks. In an age where job retrenchments and reorganizations have become standard workplace phenomena, and with the presence of newer technology such as small flash drives, smartphones etc., the risk of a disgruntled employee deliberately compromising the institution has become more probable than ever. A recent news bulletin of an insider cyberattack detected too late concerned HSBC Swiss Private Bank, where a former IT employee downloaded the details of about 130,000 holders of secret Swiss accounts [5]. The information was handed to French investigators in December 2008, in breach of Swiss secrecy laws. Employees who have authorized access to a company’s information systems and electronic and physical assets can pose serious financial and reputational risks to institutions.

bringing it all together: cyber risk analytics as a program and platform

Combating cyber threats is akin to guerrilla warfare, where hidden enemies, operating behind the scenes, are extraordinarily difficult to detect and may have allies inside the organization. Overcoming cyber risk involves a three-pronged approach: operating in a robust regulatory and supervisory framework, investing in strong IT infrastructure and having sound controls on insider threats. With this Three Pillar Approach, corporations and institutions can be well prepared to win the battle against cybercriminals.

3 / Source: Personal Data Protection Commission Singapore (link).
4 / Source: BBC News, “‘One billion’ affected by Yahoo hack”, 15 December 2016 (link).
5 / Source: The Guardian, “HSBC whistleblower given five years’ jail over biggest leak in banking history”, 27 November 2015 (link).



author Vivek Seth

Vivek Seth is a Singapore citizen who has been working primarily in the risk management area for about 13 years. He currently works as Risk Manager in the Singapore office of a Swiss private bank. His work experience extends across Singapore, Australia and India, along with business assignments carried out in Hong Kong and Switzerland. He holds an M.B.A. and also the PRM and CAMS professional certifications. This article is written as part of the author’s pursuit in the literary field.



sanitize for cyber security sanity

by Alex Woda

increasing vulnerability of personal computers

A colleague of mine once told me that he uses three separate personal computers to do client work and access the Internet. One computer is dedicated to work on client material, one to his online banking and financial management, and one to email and browsing the Web. I said, “Wow, do you think that gives you better security?” His reply was a smile and a nod of the head.

We cannot be too casual about security when we access important systems, check our email and browse the Internet. Cyber risks are increasing, and the methods used by criminals to penetrate an organization or a personal domain are increasingly sophisticated. Phishing is still the most popular “bulk” method of getting malware installed on a personal computer. Thousands of emails are sent to harvested email addresses with URL links that, when clicked, direct the user to a site containing malicious code. Spear phishing is a technique that targets specific users and tends to focus on business accounts. Attackers will research their subjects carefully through social media sites and LinkedIn profiles, then customize email messages to entice the user to click. Once the user has clicked on the malicious link, malware is downloaded to their business computer.

corporate defense techniques

Organizations have been trying for years to reduce the risk of malware infection on company computers used by employees. Techniques such as whitelisting approved web sites, URL restrictions and content inspection are good, but they can be expensive and cumbersome, and may cause employee frustration. For those of you not familiar with these techniques, the following is an explanation of how they function and what benefits they bring.

Whitelisting is a security technique which explicitly lists the web sites that an employee can visit from his or her work computer. This technique can work for a small percentage of employees who are restricted to only industry-type approved sites, and it’s typically difficult to circumvent.

URL restriction is a technique similar to whitelisting, but it uses a blacklist method to control access. Wildcard characters such as ‘*’ can block domains such as Yahoo, or adult and gambling sites. This is quite a popular technique for placing controls on what types of sites employees can visit.
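The difference between the two techniques explained above, as an added example that is not part of the original article: a default-deny whitelist and a default-allow wildcard blacklist evaluated on the same constructed set of URLs. Every hostname and pattern below is made up for illustration.

```python
"""Added example (not from the original article): whitelist vs. wildcard
blacklist decisions on the same requests. All hosts/patterns are constructed."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Whitelist: only these hosts may be visited; anything else is denied.
WHITELIST = {"intranet.example.net", "regulator.example.gov"}

# Blacklist: wildcard patterns of the kind the article mentions ('*').
BLACKLIST = ["yahoo.com", "*.yahoo.com", "*casino*", "*.adult-site.example"]


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def whitelist_permits(url: str) -> bool:
    """Default deny: permitted only when the host is explicitly listed."""
    return host_of(url) in WHITELIST


def blacklist_permits(url: str) -> bool:
    """Default allow: permitted unless the host matches a blocked pattern."""
    host = host_of(url)
    return not any(fnmatchcase(host, pattern) for pattern in BLACKLIST)


def compare(urls):
    """Map each URL to (whitelist_permits, blacklist_permits)."""
    return {u: (whitelist_permits(u), blacklist_permits(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample requests. The last one is a host nobody has listed
    # yet: the blacklist lets it through, the whitelist does not.
    sample = [
        "https://intranet.example.net/portal",
        "https://mail.yahoo.com/inbox",
        "https://online-casino.example/play",
        "https://brand-new-lure.example/login",
    ]
    for url, (wl, bl) in compare(sample).items():
        print(f"{url:45} whitelist={wl!s:5} blacklist={bl}")
```

Note that the whitelist still permits `regulator.example.gov`; as the article goes on to say, a listed site that has itself been compromised is not stopped by either list.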



Content filtering is a more effective method of restricting access, since it involves installing an application that inspects the content that the user is browsing or downloading. Even if the user is using a secure TLS session, the application can decrypt the session and inspect the payload.

Do these methods work? Not always. For example, there are industry reports that banking regulator web sites have been attacked and compromised, and malicious code installed on the regulators’ web sites. The malware is then downloaded to your computer when you visit the site, and the malware is specifically designed to attack wire payment systems!

Dedicated systems, used for different tasks according to their sensitivity, are another available technique. Accessing and administering cryptographic equipment, such as hardware security modules and payment system terminals, has always required the use of a dedicated and sanitized personal computer that is locked under dual control, inspected and regularly tested for surveillance equipment, malicious code or other methods that could compromise the confidentiality of secret encryption keys. These sanitized devices are never used for email or to browse the Internet. Any updates are strictly controlled through administrator accounts that enable the USB ports. These devices are locked away when not in use. However, it is not practical to have multiple desktop computers for each employee.

Virtual desktop infrastructure (VDI) is virtualization technology that hosts a desktop operating system on a centralized server in a data center. There is a separate customized desktop for each user. The user is able to access the VDI from their own personal computer, tablet or mobile device. The VDI creates a desktop for a specific business function that is freshly built and has up-to-date security patches. The virtual environment is torn down when the user logs off. This method is gaining popularity, not just for its security benefits but also for enterprise cost savings, which are realized through a reduction in system administration and patching. Technical support is much easier, since there are standard operating system and application images, and upgrades to desktops do not have to be done as often. Users can bring their own devices.

Security benefits include centralized data storage and data leak protection, a reduction in malware risk since the user’s own desktop does not integrate with the VDI desktop, and special-purpose desktops that can be built to customize what software is loaded and what security tools are installed. The VDI can be sanitized and provides more resistance to malware attacks. Since all computing activity occurs in the data center and not at the end point, email messages entering the organization can be inspected and tested before the message is allowed to be opened. Malicious web sites can be blacklisted through cloud threat intelligence methods, and monitoring for unusual behaviour, such as an infected desktop calling the mother ship, is much easier to implement and control if it’s all in the data center.



no silver bullet

Of course, there is no silver bullet for total cyber security. Nevertheless, we have to start thinking about how to keep up with user demands for online access to everything and still have the security hygiene to protect our sanity. Dedicated and customized desktops in an organization are trends that definitely merit a closer look.

author Alex Woda

Alex Woda is an independent information security expert, specializing in architecture, security and audit for payment systems, VISA PIN security, enterprise architecture and risk management. Alex’s career includes positions at Toronto Dominion, Rogers Communications, the City of Toronto, Avient Solutions Group and Dyntek Canada. He has also provided information security services for PWC, KPMG and Canadian Tire Corporation. Alex has a bachelor’s degree in Computer Science from York University, an MBA from the Schulich School of Business, and is a Certified Information Systems Auditor.





simplifying cyber risk management

How Canadian organizations are implementing a practical international standard for more effective cyber risk management.

by Doug Blakey

introduction

Cyber breaches continue to garner much media attention. They involve companies from every business sector and do not play favorites in terms of business size. Clearly every business is now a target. Even though breaches are constantly being reported in the media, amid the information overload this misunderstood business risk is being taken too lightly. In the race to do more with less in an ever more competitive global economy, companies are unnecessarily leaving themselves exposed to even the most basic of cyber risks. In response to this growing problem, the Cyber Essentials standard was developed.

what is cyber essentials?

In mid-2015, the U.K. government introduced a certification program based on a practical set of cybersecurity controls applicable to, and attainable by, every business, large and small. They called this new standard Cyber Essentials.

“Cyber Essentials defines a set of controls which, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threats coming from the Internet. In particular, it focuses on threats which require low levels of attacker skill, and which are widely available online.” [1]

The Cyber Essentials standards address security in five critical technology control areas (boundary firewalls, secure configuration, access control, malware protection, and patch management). These are foundational components which every organization using the public Internet must address, in order to maintain effective control over all personal and confidential information in its custody.

1 / Cyber Essentials Scheme, page 3, PDF



In addition, Cyber Essentials involves two implementation levels, self-assessed (CE) and independently audited (CE+). The self-assessed CE level involves an internal review of the technical control areas, the completion of an online attestation, submission of supporting documentation such as copies of security policies, and concludes with a formal sign-off by an authorized executive of the organization. CE+ involves the same level of rigor as CE, but is formally audited by an independent, accredited Certification Body. Besides the U.K. and Canada, a form of Cyber Essentials has also been formally endorsed in Australia.

how is the cyber essentials standard being adopted in Canada?

Large, well-known Canadian companies, well-respected Canadian non-profit organizations, and Canadian government entities have joined forces to bring the program to Canada. The organization overseeing the implementation and application of the standard is called an Accreditation Body (AB). This role has been undertaken by CyberNB, a province of New Brunswick government institution based in Fredericton. CyberNB accredits Certification Bodies (CBs) across Canada. These CBs, once formally audited and accredited by the AB, are essentially cyber risk auditors that have been granted the authority to review submissions for CE certification on behalf of CyberNB. CyberNB also ensures that the Canadian application of the Cyber Essentials standard meets the international standard set by the U.K. government.

A second organization, Cyber Fundamentals, was also established to implement and maintain the online portal used by all organizations to manage and then submit their applications for CE certification. Cyber Fundamentals has, among other things, ensured that both official Canadian languages, French and English, are properly implemented. The resulting online portal, which requires two-factor authentication to access, is called the Cyber Highway. This tool also finds its roots in the U.K.

how will cyber essentials simplify cyber risk management practices in Canada?

The CE initiative brings two significant benefits to Canadian companies. Firstly, the Cyber Essentials program has considered best practices from well-known international industry standards, then established an achievable baseline cybersecurity program which every Canadian company can readily achieve. By requiring companies to state how they are currently implementing five critical cybersecurity controls, following clear, step-by-step instructions and guidance provided by the Cyber Highway portal, and leveraging CyberNB’s call centre, organizations now have a practical and consistent path to a stronger security posture and formal CE certification.

Secondly, by embracing this concise international standard, the insurance industry in Canada is seizing the opportunity to leverage a practical baseline standard which can be applied to commercial applications for cybersecurity insurance. Thus, by asking whether a Canadian company is CE certified, the insurer can underwrite the applicant’s cyber risk from a clear understanding of its present security posture.



Consequently, there is a greater level of confidence that effective cyber risk due diligence is being practiced by the company. This means better risk underwriting is readily accomplished, using a much easier to complete insurance application, since critical aspects of technology risk are addressed by a basic Yes/No question: Is the applicant Cyber Essentials certified?

which companies have the most to gain by implementing the CE standard?

Small and medium-sized organizations with limited resources have a tremendous amount to gain from the implementation of Cyber Essentials. They use the same public Internet as large enterprises, and thus are exposed to the same risks. However, most do not know where or how best to start the process, at least until now. On the other hand, large enterprises also have a lot to gain by both implementing Cyber Essentials themselves and introducing their value-chain suppliers to the standard. By requesting or requiring business partners to verify that they are implementing reasonable baseline cybersecurity measures, both business partners and large enterprises win.

conclusion

Cybersecurity risk exposures continue to grow incessantly, thus complicating and delaying the appropriate protective action every business must take. Recent developments surrounding this problem have taken shape in the U.K. and are now being refined and adopted in Canada. Cyber Essentials was developed with the small to mid-sized company in mind. It is practical and is directed at the heart of five critical control areas every organization must address. Industry and government have joined forces to introduce to Canada a baseline cybersecurity certification program suitable for any size or type of organization. A formal cybersecurity risk auditing program is now readily available to all Canadian companies. Companies are now able to show all stakeholders that they are following basic cyber security and privacy protection mechanisms, something Canadians are now expecting from their leaders.

author Doug Blakey

Doug Blakey is President of Watsec Cyber Risk Management. Doug has more than 25 years’ experience in the IT industry. Currently, he specializes in improving organizational cyber security posture, combining cyber risk assessment and cyber risk insurance to help organizations invest in complete cyber risk protection. At C3RM, a not-for-profit organization, he champions cyber risk awareness for Canadians and the organizations they rely on. During his career, which includes positions with IBM and Prudential Assurance, he has worked with Fortune 500 companies in banking, insurance and public utilities. He holds a Bachelor’s Degree in Mathematics with a double major in Computer Science and Psychology from the University of Waterloo.



Chapter profile - PRMIA Poland

Since the fall of 2016 the Poland Chapter of PRMIA has hosted six events, some focused on risk management in general and others dedicated to a specific subject. The audience was drawn from a cross-section of members working in the finance industry.

The lecture presented in 2016 by Dr. hab. Marcin Łupiński, PRM, from National Polish Bank was about the role of the central bank in prudential supervisory activity. The process of evolving the role of central banks, and alternative ways of organizing micro- and macro-prudential supervision in developing and developed economies seeking to adapt to the post-crisis “new normality”, was presented to the audience.

On June 9, 2017 PRMIA Poland, along with UBS, will host a one-day conference, the industry event for quant professionals in risk management. The conference will bring together speakers from industry and academia, including Dr. Manfred Plank - Risk COO at UBS, Dr. Andrzej S. Kulik, CFA, PRM - Head of Internal Audit at mBank, Dr. hab. Łukasz Delong - Associate Professor, Warsaw School of Economics, and Dr. Diana Kapsa - Head of Credit Methodology Retail, UBS. The idea of the event is to create a space that promotes the activity of specialists and the exchange of knowledge and experience between business and academia. However, Quants Connect is much more than just lectures. It is also a great opportunity to step outside the professional zone and meet world-class specialists and enthusiasts of the quant world in a more relaxed atmosphere. Our goal will be achieved through a poster session and a panel discussion with experts. For registration and event details please visit the PRMIA website.

Regional Directors

• Izabela Rutkowska, Coordinator of Credit Risk Management, SKOK Stefczyka
• Jadwiga Żarna, Deputy Head of Risk Manager Department, CAN-PACK S.A.

Steering Committee

• Andrzej Kulik, Head of BKF, BRE Bank
• Krzysztof Jajuga, Professor, Wroclaw University of Economics
• Artur Mojecki, Country Manager, Finalyse Poland
• Elżbieta Perlińska, Risk Expert, Sygnity
• Jakub Bochynski, Manager, Accenture
• Romana Kawiak, Director of the Internal Audit Department, BOŚ Bank

2016 began with a meeting led by Mr. Wieslaw Thor, the former Vice President of mBank and currently a member of the Supervisory Board at mBank. The lecture titled “Reflections on Risk Management” led to an interesting discussion about trends in risk management and the potential of big data analysis. The events led by speakers from Finalyse were focused on regulatory changes in financial services, including banking, insurance, asset management and other businesses. Regulations in the process of legislation and those under preparation were discussed during the meetings. The presentations covered a regulatory overview as well as practical aspects of threats and possible gains.



a study of the PRM™ Designation Program

by Mary Rehm, PRMIA Director of Learning and Development

The top reason PRM™ Designation holders seek the credential is to enhance their professional image [1]. For many members, the top reason for seeking the certification or one of the PRMIA certificates is to improve their credibility or heighten their recognition among their peers in the profession [2]. PRM Holders can be found in 113 countries around the world and are recognized leaders in implementing risk management best practices and standards for their organizations. PRMIA has long recognized the value that Members and Holders place in the PRM Designation and works diligently to remain one of the most recognized professional-level certifications around the globe. In 2016, the PRMIA Board of Directors placed even more value in the PRM Designation credentialing program by devoting resources to conduct a job analysis study for the PRM program.

why a job analysis study?

The job analysis study is a formal study that focuses on the validation of the current framework of the PRM program while ensuring that any new content that is included in the syllabus is relevant and important for all professional risk managers. The job analysis study will form the basis for setting a consistent performance standard for all PRM Holders. This process has already begun by using the input from those who responded to the pre-survey administered in January 2017. The Education Committee’s Review Function analyzed the input to craft a full job analysis survey. The survey will ask PRM Holders to share the importance and frequency of application of each topic in the current syllabus as they relate to the risk manager role, as well as new topics that have become more relevant in the last few years. This data, cross-analyzed with specific demographic data, will help the PRMIA Education Committee and its sub-committees to study the framework of the PRM, and recommend updates to its syllabus and the initial and maintenance requirements.

what does the job analysis study mean to me, the PRM Designation Holder?

While the development process PRMIA has employed over the years for the PRM has a proven track record for keeping the PRM syllabus valid and relevant, the study will ensure that a rigorous standard of performance is maintained for those in your field.

1 / Based on the results from the 2017 PRM Job Analysis Study Pre-Survey, administered to all PRM Holders in January 2017.
2 / Based on the results from the 2015 PRMIA Member Survey, administered to all PRMIA Members in September 2015.



This means you will continue to stand out among your peers as a PRM Designation holder, and employers will have more reason to seek out PRM certified professionals to fill key roles within their organization.

what impact can current PRM Designation candidates expect for their path to certification?

Your Education Committee Leadership thanks PRM™ holders for their input and the Committee for their dedication to advance our mission.

Those of you currently working to achieve certification should continue. Any revisions to the PRM Designation program resulting from this study will be announced once any updates are approved. There will be a transition plan to bridge any gap between the current program and any version of the future program. PRMIA will not allow those currently on their certification paths to experience any disruption in that process.

Ron D’Vari Chair, Education Committee CEO and Co-Founder New Oak Capital, LLC

what comes next?

If you are a current PRM Designation Holder, you will be invited to respond to the job analysis survey. I encourage you to take the time to respond to the survey and provide the thoughtful and important input into the program that will help it remain the gold standard in the industry. After the job analysis study is complete, the PRMIA Learning and Development team will work closely with the Education Committee to implement updated test content, a process that will take until 2018 to complete.

Kalyan Sunderam, CRM Vice-Chair, Education Committee Oversight Leader: Review Subcommittee Advisor to the CEO, Executive Management First Energy Bank

The outcomes from this job analysis study and the activities that follow will be a PRM Designation that continues to be transportable and a global standard for professionals in risk management. This is a very important aspect for the professional who seeks new opportunities, and for the employer who seeks risk management leaders who are competent and well respected. We look forward to receiving your input into the PRM Designation certification program.

Sanjay Sharma Board representative Founder and Chairman GreenPoint Global



meet the PRMIA education committee

The Professional Risk Manager (PRM™) Certification program and the PRMIA Certificate programs are supported by the PRMIA Education Committee and its various sub-functions. PRMIA is committed to investing in and developing these programs to ensure that the PRM Designation is always a world-class and globally recognized credential and the certificates continue to help professionals gain new skills. The following members of the 2017 PRMIA Education Committee are devoted to continuing this investment:

• Elena Goldman, Associate Professor of Finance and Economics, Lubin School of Business, Pace University
• Gurundham Alampalli (PRM), Head of Risk Data and Reporting, TD Securities
• John Paul Broussard (PRM), Oversight Leader: Curriculum Development Subcommittee, Associate Professor, Rutgers School of Business Camden
• *Jonathan Howitt, Head of Operational Risk, HSBC Asia Pacific
• *Kalyan Sunderam (PRM), Vice-Chair, Oversight Leader: Review Subcommittee, Advisor to the CEO, Executive Management, First Energy Bank
• Leonce Komguem (PRM), Professor of Mathematics and Physics, University of Ontario Institute of Technology / Durham College
• Lourenco Miranda, Managing Director – Head of Comprehensive Capital Assessment and Review, Societe Generale – Corporate and Investment Banking (SGCIB)
• *Marc Groz, Managing Member, Right Risk LLC
• Penny Cagan, Executive Director, Ernst & Young
• Robert McDonough, Senior Consulting Manager, Angel Oak Companies
• *Ron D’Vari, Chair, CEO and Co-Founder, New Oak Capital, LLC
• Sanjay Sharma, Founder and Chairman, GreenPoint Global
• *Scott Warner (PRM), Oversight Leader: Exam Certification Subcommittee, Managing Consultant, Avantage Reply Limited
• Stefan Loesch, CEO, Oditorium

In support of the Education Committee’s mission to drive the integration of practice and theory through its learning and development offerings, members of the following sub-committees will assist in carrying out.



Review Function: govern, advocate for, and promote the PRMIA global training and certification programs.

• Josephine Woo, Associate Director, KPMG Financial Risk Management
• Megah Santio, Internal Audit, INPEX Australia
• Dr. Ramamurthy, CEO, Jaagruti Consulting Services
• *Rodrigo de Barros Nabholz (PRM), Senior Manager, Accenture do Brasil
• Yousef Padganeh (PRM), Head-Enterprise Risk Management, Commercial Bank International

Curriculum Development Function: ensure the curriculum for all of the PRMIA training and certification programs and products is current and relevant.

• Phil Ohana, Risk COO for the Americas, Societe Generale SGCIB
• Saurav Mukherjee, Sr Consultant-Banking and Financial Services, Cognizant Business Consulting
• Vinay Mahajan, Co-Founder and CEO, NXTMOV

Exam-Certification Development Function: ensure the content of the PRMIA certification exams is continuously aligned with and reflects the current global practice of risk management.

• David Shen (PRM), Visiting Scholar, Shanghai University of Finance and Economics
• Fazrihan Bin Mohamed Duriat, Manager, Shariah Risk Management / Operational Risk Management, Maybank
• *Petr Chovanec, Director, Business Modeling and Forecasting, UBS Bank USA

*C-Suite and Sustaining Members



clicker happy syndrome

by Cecilia Anastos

95 percent of all cyber intrusions take place because someone clicked on a link that was in an email or a text. The most widely-publicized cyber intrusions, such as the Democratic National Convention (DNC), Sony, Target and China’s robbery of the F-35 plans, have one single common denominator: phishing! This article describes some common phishing techniques, and the steps you can take to avoid becoming one of their victims.

what is phishing?

Phishing is a fraudulent way of fishing for information, and the consequences stink like rotten sardines! This fraudulent practice consists of sending emails purporting to be from reputable companies or government organizations, asking individuals to reveal personal information, such as passwords or credit card numbers. The emails most often look very legitimate. The photo to the right shows a phishing email that the customers of the National Australian Bank received. The bank lost $1.8 million before they realized the scam was going around.

who can get phished?

Everybody can get phished. The goal is to obtain information that can be used to access intellectual property, bank accounts, credit cards, medical records… anything that can then be sold on the black market. There is a belief that only important people get phished. That’s not at all true. You could be the newest employee hired to watch people go in and out of the building. If the criminal can access your personal information and from there crawl his or her way to the most protected data in the company or government organization, then you are a good candidate for a phishing target.



In December 2016, Ben DiPietro, writing for The Wall Street Journal, reported on a survey conducted by the cybersecurity firm RedSeal which concluded that 80% of CEOs operate with such ignorance of these types of cyber threats that they make their companies cyberattack targets.

how do you escape a phishing attack?

You might think that if phish stinks like rotten sardines, then maybe a powerful room deodorizer will protect you against cyber intrusions. Not with this type of phish. The ONLY way to avoid falling victim to a phish is to NEVER click on a link sent to you via email or text. If you receive an email from Google asking you to check something on your account (as was the case in the DNC hack), do not click on the link in that email to go to Google. Open your browser and type the domain of the website you need to access directly into it. If you receive an email from anyone you know well or trust, your boss, the Pope, the Dalai Lama, and that email has a link (URL) that will send you to a website, DO NOT click on the link. Copy the link and paste it into the Google search bar (not into the URL bar but into the search bar). This way, if the link has a cyber mine, Google will in most cases let you know that you are about to step on it.

Most people check the news on their phones. The same rules apply. As the images below demonstrate, when you copy a link and bring it to your browser’s search field instead of clicking on it in the email message, it gets pasted into the Incognito URL bar of Google Chrome, which does not have a search field separate from the URL bar.

The same principle applies to links received by text.



how can you read the source or header of an email?

When you look at the header of any email, you can see the return path. This means you can see to whom the email will be sent when you click reply. This is a good thing to look at in emails where the sender is asking you to reply with some personal information. Not all phishing emails have a link; some phishers ask you to type information into the body of the email as you send your reply. In Gmail, you can access the “view source” option by selecting the arrow to the right of the reply button. Below are examples of a phishing scam and its return path address. This is how the email looks in my inbox:

Note the Click Here button. It has a short URL, http://bit.ly/2lJ2q6z, which will take you to http://bizprofits.go2cloud.org/aff_c?offer_id=1739&aff_id=11903&aff_sub4=6&aff_sub2=402244;1b-402244-37070410373-0-0;;;&aff_sub5=147900367

Now let’s take a look at the header of the email and the return path, which shows where your email will go if you click reply.
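The two checks this section describes, reading where a reply would go from the headers and looking at where a “Click Here” link really points, as an added Python example that is not part of the article: it parses a constructed message (the bit.ly short URL is the one quoted above; every other address and domain is made up) and flags a Reply-To or Return-Path on a different domain than the From address, plus links that use a public URL shortener or whose visible text is a URL on a different host than the real target.

```python
"""Triage a suspicious email offline: where a reply would actually go
(Reply-To, and the Return-Path bounce address, compared with From) and
whether the body's links are shortened or disguised."""
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Constructed sample message: the bit.ly address is the one quoted in the
# article; every other address and domain here is made up for the example.
SAMPLE_EMAIL = """\
From: "Account Services" <support@example-bank.test>
Reply-To: collect@mailbox-harvest.test
Return-Path: <bounce@mailbox-harvest.test>
To: victim@example.test
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<html><body><p>Please verify your account.</p>
<a href="http://bit.ly/2lJ2q6z">Click Here</a>
<a href="http://login.example-bank.test.attacker.test/">https://www.example-bank.test/login</a>
</body></html>
"""

SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}  # public URL shorteners

def domain_of(addr):
    """Domain part of an address header such as '"Name" <user@host>'."""
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""

def reply_destinations(msg):
    """Domains of From and, when present, of the headers that decide where a
    reply (Reply-To) or a bounce (Return-Path) ends up."""
    return {h: domain_of(msg[h]) for h in ("From", "Reply-To", "Return-Path") if msg[h]}

def link_findings(html):
    """Flag anchors whose host is a URL shortener, and anchors whose visible
    text is itself a URL pointing at a different host than the real href."""
    findings = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        host = (urlsplit(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(("shortened", text.strip(), href))
        shown = urlsplit(text.strip()).hostname  # None unless the text is a URL
        if shown and shown.lower() != host:
            findings.append(("text_host_mismatch", shown.lower(), host))
    return findings

def triage(raw):
    """Parse a raw message and report reply-destination and link findings."""
    msg = message_from_string(raw, policy=policy.default)
    dests = reply_destinations(msg)
    sender = dests.get("From", "")
    mismatch = any(d != sender for h, d in dests.items() if h != "From")
    html = msg.get_body(preferencelist=("html",)).get_content()
    return {"reply_mismatch": mismatch, "destinations": dests, "links": link_findings(html)}
```

Running `triage(SAMPLE_EMAIL)` on the constructed message reports the reply-domain mismatch, the bit.ly short link behind the button and the second link whose displayed URL does not match its real host.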



conclusion

No company can insulate itself 100% from phishing. Those that aspire to the greatest level of protection from this insidious form of cybercrime actively promote employee awareness, training and individual responsibility.

author

Cecilia Anastos is President of Meta Intelligence LLC. She holds a Master’s Degree in Strategic Intelligence with a specialty in Middle East Issues, a Graduate Certificate in Cybercrime, and a B.A. in Criminal Justice with a specialty in Psychology. In 2005, Ms. Anastos founded Meta Intelligence LLC, where she works as Chief Intel Analyst for OSINT (Open Source Information Collection and Analysis) and Cybercrime, and as an Instructor. Ms. Anastos lectures on the topics of OSINT and cyber security at Michigan State and San Diego State Universities and has designed cyber security programs currently used by the US Navy Special Operations Forces, many police departments, and the private sector.



careers in risk panel event

On May 15th PRMIA has organized an event in New York called “Careers in Risk”, with the aim of providing a forum for discussion on risk management career guidance. The event is kindly being hosted by PricewaterhouseCoopers LLP at their offices at 300 Madison Avenue. PRMIA has organized a panel of risk practice leaders from executive search firms who will talk about trends in the market and what their clients are looking for in terms of skills and competencies in today’s risk managers. Panelists include:
• Lisa Zonino, Partner, Financial Services Practice Group, Egon Zehnder
• Robert M. Iommazzo, Managing Partner, SEBA International
• Bryant Yao, Vice President, Quant and Risk Recruitment, GQR Global Markets

The discussion will be moderated by Michael Alix, Financial Services Advisory Risk Leader, PricewaterhouseCoopers LLP. The event begins with a reception at 5:30 p.m. and will be of special interest to anyone interested in risk management as a career, whether considering this profession from university or already working in risk management and looking for advice on how to further your career. PRMIA hopes to organize a similar event in London later in the month. “Careers in Risk” is open to anyone who is interested in attending. Entrance is free for all PRMIA C-Suite, Sustaining, and Contributing Members, but pre-registration online is required. Affiliate members and nonmembers are invited to register for a fee of $25, which must be paid at the time of registration. Register now.




PRMIA member profile - Mariya Toryniak

by Adam Lindquist, Director of Membership, PRMIA

As risk becomes more visible, shaping the future of the profession requires identifying new talent with fresh perspectives. Mariya Toryanik, PRM™, is an active PRMIA member and volunteer who chairs the Membership Working Group. In this role, she is leading the charge to help define and deliver our membership value to our 50,000 member network. As a PRM holder, Mariya understands the importance of professional development. Her insights, along with those of other PRM Holders, are essential in helping PRMIA continue to support those coming into the profession and further defining the PRM’s role in the industry. I asked Mariya about her experience and volunteering.

Adam: How did you decide on a career in the risk profession?

Mariya: I started my career in assurance services with a broad range of experiences, from validation of environmental figures in sustainability reports to participation in audits of financial statements. However, it was always interesting for me how different clients manage their environmental, reputational and financial risks within such complex business processes and supply chains, so I decided to consolidate my prior experience in this demanding profession.

Adam: How long have you been in the risk profession, and what have you done professionally that energized you?

Mariya: Four years ago I took a position as a business risk & control manager in a globally operating bank. I was in charge of internal controls for a subsidiary funds investment company. On behalf of the business, I elaborated risk scenarios and coordinated risk assessment workshops. What energizes me the most are the constant interactions with all of the different functions within the organization. Building trusting relationships with department heads gave me an opportunity to work with the subject matter experts regarding urgent issues and effectively streamline certain key processes, putting an emphasis on adherence to internal and external guidelines, strict segregation of duties, and efficient data management and security within the organization. In addition, during these years I also instructed up to 100 employees on current operational risk and compliance topics.



Adam: What made you decide to pursue the PRM designation?

Mariya: From the beginning, I worked hand in hand with market risk and investment compliance monitoring teams. As I learned about their day-to-day operations, I understood that in order to succeed in my role, I needed to have common ground with quantitative specialists and be able to interact with overlay managers as well as operational risk generalists. I saw an advantage in the PRM designation over local educational programs in its wider curriculum. Specifically, I valued that the PRM designation had a focus on self-education and higher flexibility concerning exam dates, so that I didn’t expose myself to additional stress meeting work deadlines while at the same time ensuring I was prepared for the exams.

Adam: What advantages do you feel you have professionally because you possess the PRM?

Mariya: Possessing the PRM allows me to have much more confidence when I work with outstanding risk professionals with different backgrounds. I think the PRM designation proves that you can develop your career in different dimensions, from a quantitative specialist to a bank-wide manager who can keep complex concepts understandable for other engaged parties.

Adam: You are currently volunteering as the Chairman of the Membership Working Group. What made you want to volunteer?

Mariya: Since my engagement with sustainability issues, I have seen in volunteering a way to show leadership and passion about my profession as well as about the values that I stand for. Moreover, I’m convinced that “next” generation banking needs people who are led not only by rules but also by ethics, who are mature enough to take the initiative and responsibility necessary to manage the modernization and globalization that the industry faces. So, this volunteer position felt like the right one for me. Also, I only recently relocated from Germany to the US and currently am still open to new professional challenges. In this situation, volunteering provided a great opportunity to stay connected with my peers.

Adam: What have you learned from your volunteering experience?

Mariya: It is another chance to view the risk management profession from different perspectives, to understand the growing demands of the risk community worldwide, and to learn how to organize virtual teams. Not to forget to mention, Adam, I constantly learn management and networking skills from you. Therefore, I can only encourage my colleagues to join volunteer groups to support PRMIA in this dynamic year.

Adam: What recommendation would you give to someone new to the profession?

Mariya: Warren Buffett phrased it nearly perfectly when he said, “Risk comes from not knowing what you’re doing.” One can add that risk is still present when you are feeling too comfortable with something you believe you know and stop challenging the status quo.

For young professionals who will be in charge of keeping the industry from reaching the next tipping point, I recommend constantly educating yourself to be good enough to understand, challenge, and improve already existing models, concepts and processes, be attentive to details, learn from the past and stay connected with the risk community in order to have an independent, unbiased view on current risk issues.

Adam: What do you feel are essential skills to succeed in the risk profession?

Mariya: I believe there is not a universal roadmap. It is the right mix of analytical and soft skills, critical thinking and problem solving abilities which definitely contribute to your professional growth.

member Mariya Toryniak



transatlantic collaboration – a unique CRO opportunity

In March PRMIA partnered with S&P Global Market Intelligence and the European Risk Management Council (ERMC) in London to deliver a unique C-Suite initiative, “Tech Risk and Cyber Risk - Seeing the Unseen,” a virtual roundtable conference discussion with CROs from London and New York. As operational risk undergoes a significant maturation phase, with specific risks such as tech risk and cyber now attracting singular focus from boards and regulators alike, this topic commanded great interest from the CRO population. The interplay between cyber and tech risk, and the need for senior risk practitioners to have greater sight of these new risks and approaches, were the underlying themes of the discussion. This innovative event was moderated simultaneously in London by Michael Imeson, Senior Content Editor, Financial Times Live, and in New York by Marc Barrachin, Managing Director, Product Research and Innovation, Risk Services, S&P Global Market Intelligence. Ten CROs in London and ten in New York were invited to the 90-minute event. These guests represented a cross section of the financial services sector on both sides of the Atlantic, from banks to insurance companies, from asset managers to challenger institutions.



During the conference introduction, Evgueni Ivanstov, Chair of the ERMC, shared the startling results of a recent Economist survey of 500 crises, indicating that 57% of them were related to cyber-attack. Moreover, the World Economic Forum’s annual report on risks for 2017 now has data fraud and theft in its top 5 global risks.

The meeting continued with comments from Dr. Alastair MacWillson, a Senior Advisor on Cyber Security at Parker Fitzgerald. Based on his work with the Bank of England’s CBEST framework and the US government’s Cyber Storm program, Dr. MacWillson was able to give a transatlantic overview and comparison of where each regulator stands in its cyber oversight of financial institutions. CBEST (cybersecurity best practices), for example, is now used by the 40 most important banks and financial institutions in the UK to test their cyber resilience. The US does not currently have such a framework in place. Dr. MacWillson continued with recent report findings showing that there is an infinite variety of what can go wrong in this technology space, so CROs cannot predict where failures will occur. This is largely due to the massive scale and complexity of IT systems in each bank and the processes that link them. It is also a function of the speed at which this threat changes. Cyber is a mutating threat that constantly morphs into the unexpected. How does a CRO measure this uncertainty, let alone manage it?

Further discussion among the CROs focused on the challenge of managing cyber risks while maintaining your institution’s technological competitive advantage. How does a CRO influence the balance of innovation and protection? Does outsourcing technology increase the risk or reduce it? How do we ensure we are meeting our clients’ technology needs without overreaching on our safeguards? After much discussion, the group concluded the following:

1. Cyber risk and technology risks are mutating risks, making issues difficult to identify, anticipate or measure.
2. They mutate at speed, globally, and through our networks, making their management very difficult.
3. History provides no real guidelines for predicting what can go wrong. We must run scenarios on what really might go wrong that would seriously impair or kill the business.
4. One CRO challenge is that he or she does not have or own all the data. The CIO or other business areas may own some of it.
5. About 30% of a CRO’s time is currently spent on cyber and tech risk issues.
6. When looking at the enormity of the task of cyber security, it is vital to understand where your organization’s “crown jewels” reside.
7. Just like bank robbers, cyber criminals will go after the money, so payments are the prime target, followed by customer data.
8. In order to protect your most valuable assets, focus on: i) assurance, and ii) defensibility.



calendar of events

Please join us for an upcoming training course or chapter event, offered in locations around the world or virtually for your convenience.

ARTIFICIAL INTELLIGENCE (AI) IN BANKING – A MODEL FOR THE FUTURE? May 11 in Budapest

OPERATIONAL RISK MANAGEMENT ONLINE SERIES May 12 - June 30, Fridays This series helps participants prepare for the Operational Risk Manager exam

CAREERS IN RISK May 15 in New York

HOW DO PENSION FUNDS MANAGE RISK AND KEEP CONTROL OVER THEIR ASSET UNDER MANAGEMENT IN TODAY’S CONTINUOUSLY CHANGING ENVIRONMENT? May 16 in Montreal

SEMINAR: MODERN VIEWS OF CREDIT RISK May 17 in Boston

PRMIA CALGARY LUNCH AND LEARN: THE STATE OF BLOCKCHAIN IN 2017 May 17 in Calgary

MARKET, LIQUIDITY, AND ASSET LIABILITY RISK MANAGER CERTIFICATE ONLINE SERIES May 24 - June 21, Wednesdays This series helps participants prepare for the MLARM exam



BCBS 239 – PRINCIPLES OF EFFECTIVE RISK DATA AGGREGATION AND RISK REPORTING – VIRTUAL TRAINING June 1

QUANTS CONNECT June 9 in Krakow

PRM™ SCHEDULING AND TESTING WINDOW March 18 – June 16
