© BITS 2009.

BITS and FSSCC R&D Efforts

John Carlson
Senior Vice President of BITS

Panel on Data Breaches in Payments Systems -- Roles and Best Practices for the Public and Private Sector Response

Emerging Retail Payments Risks Conference
Federal Reserve Bank of Atlanta

November 5, 2009

Agenda

BITS Efforts
  – Fraud
  – Security
  – Vendor Management & Shared Assessments
  – Regulation

FSSCC R&D Committee Efforts

Fraud

ACH Fraud Risk Information Sharing Calls (e.g., ACH fraud trends, implementation of IAT codes)

Credit Bust Out Project
  – Bust Out and Credit Abuse Activities (July 2009)
  – Development of USSS information sharing portal

Mortgage Fraud Reduction
  – White Paper: Residential Mortgage Fraud Prevention Strategies for Financial Institutions
  – Fraud Advisory: Servicing Frauds (June 2009)
  – Preparing and Presenting Your Mortgage Fraud Case to Law Enforcement (May 2009)

Payment Card Fraud Information Sharing Calls (e.g., pre-paid fraud trends, card data security)

Fraud

Remote Channel Fraud
  – Information Sharing Calls (e.g., attacks on commercial account customers, SMS attacks)
  – Recommendations for Detecting and Communicating with Customers whose Computers are Infected with Malware (October 2009)

Financial Exploitation of Elderly and Vulnerable
  – Updating 2005 paper on BITS Fraud Protection Guide: Protecting the Elderly and Vulnerable from Financial Fraud and Exploitation

Fraud Working Group Information Sharing Calls
  – Examples: employment scams, outsourcing fraud processes

Fraud

Third Party Payment System Access
  – Focusing on:
    − Information security and PCI
    − Registration, underwriting, and high risk

Developing recommendations for:
  – PCI Council
  – NACHA
  – Card networks
  – “Regional” EFT networks
  – Others

Security

Web-Business
  – ICANN and gTLD
  – Secure Web Browser Project

Email Security
  – Implementation of email authentication protocols
  – Collaboration with FS-ISAC on repository of key information
  – ISP outreach to build support for authenticated email

Authentication
  – Surveys on current practices of customer, employee and business partner authentication

Security

Software Assurance
  – Developing best practices for software development contract terms and vendor management
  – Working with FSTC’s Software Assurance Project to focus on secure development and metrics

Security Awareness & Education
  – Developing quarterly Security Awareness Newsletter
  – Planning 4th Annual Meeting

Future focus:
  – Cloud computing
  – Social networking

Vendor Management/Shared Assessments

Vendor Management
  – Updating “Ongoing Monitoring” section of BITS Framework
  – Surveys on oversight of line of business vendor managers
  – Other focus areas
    − Financial condition of service providers
    − Oversight of vendors for ID theft red flags rule and BCP

Shared Assessments
  – Promote adoption by US FIs and service providers
  – Explore synergies with industry organizations (e.g., IAPP, SIFMA)
  – Expand awareness/adoption by other sectors (e.g., healthcare)
  – Expand foreign outreach through NASSCOM
  – Enhancing privacy

Regulation

Two-way dialog with regulatory agencies and other government agencies

Comment letters
  – Example: ICANN governance

Monitoring legislative proposals
  – Example: Senate & House Homeland Security hearings on Heartland breach and Cybersecurity Act proposal

Studies
  – Example: Reducing the Delta Between New Regulations and Cost-Effective Practices Within the Financial Services Industry (with Deloitte)

FSSCC R&D

FSSCC R&D Committee Objectives:
  – Identify top priorities (and gaps) for research
    1. Application security
    2. More secure and resilient financial transaction systems
    3. ID management
    4. Understanding the human insider threat
    5. Data centric protection strategies
    6. Better measures of the value of security investments
    7. Best practices and standards
  – Engage stakeholders (including academic institutions, government agencies, Internet Corporation for Assigned Names and Numbers)
  – Promote development initiatives to improve the resiliency of the FS Sector
  – Manage Subject Matter Advisory Response Team (SMART) Program

FSSCC R&D

Outreach to academic, technology and government communities:
  – National Cyber Leap Year
  – Workshop on National Cyber Defense Initiative on Oct 28-29

SMART Program
  – Goal: assist R&D organizations by providing subject matter experts from financial institutions
  – Endorsed DECIDE Project:
    − Simulation model
    − Enables FIs and others to test the impact of disruptive events on the banking and finance sector (e.g., cyber attacks, natural disasters, policy decisions)
    − Funded by DHS via consortium of universities

FSSCC R&D

Identity Management Discussions
  – June: FSSCC meeting with new White House CTO
    − CTO asks FSSCC for top, “actionable” R&D priority that the Federal government should promote
    − FSSCC R&D Committee recommends identity management
  – July-Oct: Additional discussions with White House CTO and other government agencies:
    − Identity management aligns with Administration’s goals
    − CTO requests FSSCC issue RFP on identity management for government to leverage
    − FSSCC & FBIIC establishes ID management committee chaired by VISA exec and FDIC official

FSSCC R&D

Financial Communications and Authentication Pilot
  – August: Proposed to OSTP the idea to create a financial sub-net within a government-controlled domain to pilot:
    − Strong B2B and B2G authentication options
    − Recommendations to ICANN for financial domains
    − Harvest data and lessons-learned for industry, government, and academic use

Contact Info

John Carlson
Senior Vice President
BITS/Financial Services Roundtable
202.589.2442
[email protected]