Jack Henry & Associates, Inc.

Dealing with Risks in the Financial Industry

Tom Williams

June 15, 2016

© 2016 Jack Henry & Associates, Inc.®

Banking is a Risky Business

[Figure: Risk, split into Internal and External]

Risks impacting the Banking Industry

• Economic
• Financial Performance
• Natural Disasters
• Cyber Attacks
• Terrorism
• Vendor Management
• Internal Fraud
• Card Fraud
• Payments
• Skills


JHA Risk Forum Survey Results

1. Cyber Threats

2. Card Fraud

3. Disaster Recovery

4. Data Security

5. Vendor Management

6. Regulatory Scrutiny

7. Insider Fraud

What is Your FI’s Risk Profile for each Risk?

[Figure: each risk area (Disaster Recovery, Internal Fraud, Vendor Management, Cyber Security, Payments, Card Fraud) plotted on a scale from Low Risk through Moderate Risk to High Risk]

Each organization should continually strive to move toward the Low Risk area.

What is Your FI’s Risk Profile for each Risk?

[Figure: the risk areas (Disaster Recovery, Vendor Management, Cyber Security, Internal Fraud, Payments, Card Fraud) combined into a single Holistic Enterprise Risk]

What is Your FI’s Enterprise Risk Profile?

[Figure: Internal Fraud and the Holistic Enterprise Risk plotted on the same Low Risk / Moderate Risk / High Risk scale]

Triggers Causing Transformation

Payment Regulation [1]

• Durbin Amendment to Wall Street Reform and Consumer Protection Act
• Decline in free accounts from 76% in 2009 to 38% in 2013
• Higher bank charges, an effort to replace fee revenue; banks charged households $1-3 Billion
• Led to 1M customers pushed out of the formal financial system
• Durbin Cost - $6.6–8 Billion

EMV Requirements [2]

• Risk allocation to the merchant or bank that does not comply with EMV regulations
• EMV at POS, when fully implemented, has already begun to cause CNP fraud to increase dramatically

Faster Payments [3]

• Limited faster payments today; 95% of the largest FIs will offer same day ACH origination services by year end
• 100% to offer same-day payroll by year end
• 95% to offer same-day B2B payments plus expedited bill pay and P2P by year end
• Real time payment providers forming: The Clearing House, Early Warning/clearXchange, etc.

Rise of Mobile Payments [4]

• Weekly mobile banking usage (28% of consumers) has matched weekly branch visits (27% of consumers)
• Research in 2015 suggested more than half of mobile phone owners (119M adults) banked via mobile
• Mobile payment volume is growing faster than ever before

Millennial Growth [5]

• Student loans are increasing - more than 54% with a student loan say it impacts their ability to save
• Financial independence is delayed - delays in buying their own home, owning automobiles and making other large services
• Delayed experience in managing assets will lead to a need for FI assistance; $30T will be transferred from baby boomers during the next 20-30 years

Payment Triggers

• As of Dec. ’15, only 44% of U.S. merchants will be EMV-ready by the Oct. 1st liability shift
• EMV-readiness will not reach 90% until 2017

SOURCE: 1 - International Center for Law and Economics Paper, Electronic Payments Coalition; 2 - How Ready Are U.S. Merchants for EMV?, The Strawhecker Group (TSG); 3 - Nation's Financial Institutions On Target To Offer Same Day ACH Payments In 2016, NACHA; 4 - 2014 Mobile Banking Financial Institution Scorecard, Javelin, April 2014; 5 - BofA Better Money Habits Millennial Report, Fall 2015

Payment Innovations: Real Time Payments

What are the Risks or Issues of Real-Time Payments for Financial Institutions?

• Less time to detect and react to possible fraud – manual detection is not viable
• Authentication challenges in real-time payments
• Increased potential for fraud

FI Actions

• Real-time behavior analytics
– Enrollment
– Login
– Service-use (pattern and velocity checks)
– Device identity
• Multi-factor authentication
• Tokenization
• Operating rules: prevent pull debit transactions
• Individual FI policies: transaction ceiling
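The FI actions above, as an added worked example in Python that is not part of the original deck or of any JHA product: a rule screen that applies the pull-debit operating rule, a per-transaction ceiling, a device-identity check against devices bound at enrollment, and a sliding-window velocity check on service use to a burst of payments. The thresholds, account and device identifiers are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
TRANSACTION_CEILING = 2500.00   # individual FI policy: per-transaction ceiling (constructed value)
VELOCITY_WINDOW_SECS = 300      # service-use velocity check: look-back window (constructed value)
VELOCITY_MAX_COUNT = 3          # max payments per account inside the window (constructed value)
VELOCITY_MAX_TOTAL = 4000.00    # max summed amount per account inside the window (constructed value)

@dataclass
class Payment:
    ts: int            # event time, epoch seconds
    account: str
    device_id: str     # identifier presented by the customer's device
    direction: str     # "push" (payer-initiated credit) or "pull" (payee-initiated debit)
    amount: float

@dataclass
class RealTimeScreen:
    """Rules applied to each payment before release; history holds (ts, amount) per account."""
    enrolled_devices: dict          # account -> set of device ids bound at enrollment
    history: dict = field(default_factory=lambda: defaultdict(deque))

    def evaluate(self, p: Payment) -> list:
        """Return the names of the rules the payment trips; an empty list means release."""
        hits = []
        if p.direction == "pull":                       # operating rule: no pull debits
            hits.append("pull_debit_blocked")
        if p.amount > TRANSACTION_CEILING:              # FI policy: transaction ceiling
            hits.append("over_ceiling")
        if p.device_id not in self.enrolled_devices.get(p.account, set()):
            hits.append("unknown_device")               # device identity check
        window = self.history[p.account]
        while window and p.ts - window[0][0] > VELOCITY_WINDOW_SECS:
            window.popleft()                            # expire events outside the window
        total = sum(amount for _, amount in window) + p.amount
        if len(window) + 1 > VELOCITY_MAX_COUNT or total > VELOCITY_MAX_TOTAL:
            hits.append("velocity_exceeded")            # pattern/velocity check
        window.append((p.ts, p.amount))                 # held attempts still count toward velocity
        return hits

def screen_sample() -> list:
    """Run a constructed burst of payments for one account through the rules."""
    screen = RealTimeScreen(enrolled_devices={"acct-100": {"dev-A"}})
    events = [
        Payment(0, "acct-100", "dev-A", "push", 500.00),     # ordinary payment
        Payment(60, "acct-100", "dev-A", "push", 3000.00),   # above the ceiling
        Payment(120, "acct-100", "dev-Z", "push", 200.00),   # device not enrolled
        Payment(180, "acct-100", "dev-A", "push", 100.00),   # fourth payment inside 5 minutes
        Payment(700, "acct-100", "dev-A", "pull", 50.00),    # pull debit; earlier window has expired
    ]
    return [screen.evaluate(p) for p in events]
```

Each payment in the sample trips exactly one rule (or none), so the returned lists show which control would have held it; in production the hold decision, not the payment, is what has to complete inside the real-time clearing window.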

Enhancements in Payment Services

Dynamic CVV Coming to Fruition

80% of U.S. consumers would prefer to use a credit card with a dynamic CVV when shopping online.

SOURCE: Report: Consumers Prefer Dynamic CVV, CardNotPresent.com, March 2016


Cyber Security

Data Breaches Continue - Fraud Behavior Shifts to CNP and Application Fraud

                         2014    2015    Difference
CARDS
  Number of breaches      138     160    16%
  Number of records       64M     .8M    98%
SSNs
  Number of breaches      325     338    4%
  Number of records       16M    164M    148%

SOURCE: 2015 DATA BREACH FRAUD IMPACT REPORT, Javelin Strategy & Research, February 2016

2. Payment Warnings

Attack Vectors

• Phone Elicitation
• Physical
• Phishing
• Removable Drives

Making Security a Priority

Cyber security requires a multi-layered defense involving perimeter protection as well as effective internal protection against malware and data exfiltration, plus user education.

eSAT – Employee Security Awareness Training
– Web based training w/ quiz & reporting
– Content updated regularly
– Separate module for Board members
– Monthly Security Timely Tips email newsletter

Advanced Malware Protection
– Hosted DNS Anomaly Detection Service
– Effectively blocks malware downloads, unsafe web redirects, data exfiltration, command & control activity and malicious phishing links

Server Management - Host Intrusion Monitoring
– Event log monitoring
– Vulnerability security scanning

Intrusion Prevention
– Monitor all incoming and outgoing traffic
– Looking for virus and hacker signatures
– Provided by Cisco IDS, Fortinet, SonicWall, SourceFire

Firewall Monitoring & Management
– First layer of defense
– Protect ports of entry to the financial institution
– Raw traffic analysis

Cloud Services DDOS Mitigation

Risk & Fraud Protection - Digital Channels Space

• Login authentication
– (MFA, Tokens, Out-of-Band Challenges, Bio-Metrics / Touch ID)
• High Risk Transaction monitoring
– (ACH, Wires, External Transfers, Bill Payments)
• Real-time activity alerts
– (TXT, Native Push, Email)
• Self-service Debit Card controls
– (turn on/off, report lost or stolen, limits, location and transaction type rules)
• Malware & Phishing attack prevention

Gladiator Incident Alert (IA) – Powered by Lastline

• Superior Detection – Detects unknown threats (APTs, ATAs, zero-days, etc.)
– Including threats specifically designed to evade first-generation APT sandbox appliances
• Advanced Threat Intelligence – Contains active command and control (C&C) servers with zero-day exploits
– Toxic web sites
– Malware distribution points identified as having breach intent


Gladiator Incident Alert

Solutions must focus on behavior and threat intelligence

Incident Response Procedures

[Figure: incident response cycle, with the phases shown]
• Incident Documentation
• Incident Recovery
• Incident Eradication
• Incident Response & Containment
• Incident Assessment
• Incident Notification
• Incident Determination


FFIEC Cybersecurity Assessment Tool


Business Continuity / Disaster Recovery

For our discussion today: Your bank after the disaster event.

Comparison - Customer Expectations vs Executive Perception

[Figure: Service Level after Disaster – Recovery Timeline. Service level (No Service, Severely Delayed Service, Delayed Service, Slightly Delayed Service, Same as Normal Service) plotted against time since the event (1 Hour, 12 Hours, 24 Hours, 36 Hours, 48+ Hours) for Customer Expectations, the Executive’s Perceived Recovery Level and the Actual Recovery Level; the distance between them is the Recovery Gap]

The Gap: Customer Expectations vs Actual Recovery Time?

• Lack of an Enterprise Wide Business Continuity Plan that has been tested at multiple levels.
• The technology recovery strategy for systems and applications is not adequate to meet shorter Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
• Key personnel not available.
• Availability of skilled personnel.
• Plan out of date.
• Alternate work locations not identified and equipped.

The Four Major Components of Recovery

People
– Employees
– Customers
– BCP / DR Teams
– Vendors
– Support organizations
– Fire / Police
– Utilities
– Regulators

Facilities
– Alternate work areas
– Repaired facilities
– Recovery centers
– Hospitals
– Shelter areas
– Mobile Recovery Units
– Off-site storage facilities

Technology
– Systems
– Servers
– Applications
– Data
– Telecommunications
– Routers
– Firewalls

An Enterprise Wide Plan that ties the above components together

Four Possible Environments & JHA Solutions

Scenario 1
• Core: In House
• Servers: In House
JHA Solution
• Hosted High Availability (HHA)
• Enterprise Level Recovery (CELR)
• Colocation in Branson Mountain
• Hosted Network Service (HNS)

Scenario 2
• Core: In House
• Servers: Outsourced
JHA Solution
• Hosted High Availability (HHA)
• Enterprise Level Recovery (CELR)
• Colocation in Branson Mountain
• Hosted Network Service (HNS)

Scenario 3
• Core: Outsourced
• Servers: In House
JHA Solution
• Remote Data Entry (RDE)
• Enterprise Level Recovery (CELR)
• Colocation in Branson Mountain
• Hosted Network Service (HNS)

Scenario 4
• Core: Outsourced
• Servers: Outsourced
JHA Solution
• Remote Data Entry (RDE)
• Enterprise Level Recovery (CELR)
• Colocation in Branson Mountain

In-House Processing Considerations

• Responsible for the restoration of the following:
– Recovery of Core System
– Server / Network Recovery
  • Exchange Servers - Domain Controllers
  • JHA & 3rd Party Applications
– Telecommunications - Voice Recovery
– Equipment setup & Reconfiguration
– Facilities

Cost Vs. Level of Commitment - Technology Infrastructure

[Figure: recovery options ranked by cost (lower to higher) and recovery time (days, hours, minutes), grouped into Traditional Recovery, Multi-Site Failover / Fallback and Continuous Availability - Disaster Avoidance]

• Server/Workload/Network/Data SYSPLEX: RPO = near zero, RTO < 1 min, Automatic
• Server/Workload/Network/Data Automatic Site Switch: RPO = near zero, RTO < 1 hr to 4 hours, Automatic
• Disk or Tape Data Mirroring: RPO = near zero, RTO < 1 hr to 4 hours, Manual
• PiT or SW Data Replication: RPO > 15 min, RTO = 4+ hours, Manual
• Data Base Log Replication & Host Log Apply at Remote: RPO = 4+ hours, RTO = 8 to 24 hours, Manual
• Electronic Tape Vaulting: RPO < 24 hours, RTO = 8-24 hours
• Tape, HW ATOD Point-in-Time Backup to Tape / Disk: RPO > 24 hours, RTO = Days

High Availability Recovery Solution

[Diagram: Centurion Hosted High Availability for Core. The Customer Primary Site (Tape, Yellow Hammer, 4|Sight, Core, IVR, SAN, Switch, Riverbed) and the Branson DR Center (Switch, 4|Sight, SAN, IVR, Riverbed, Core, Network) are connected over MPLS, with Branch 1, 2, or 3 attached. RPO = Last Transaction; RTO = ~15 min. / ~30 min.]

High Availability Recovery Solution

[Diagram: Higher Availability for Core. The Customer Primary Site (Tape, Yellow Hammer, 4|Sight, Core, IVR, SAN, Switch, Riverbed) is replicated to the Branson DR Site (Switch, 4|Sight, SAN, IVR, Riverbed, Core, Network) over MPLS, with Branch 1, 2, or 3 attached. RPO = Last Transaction; RTO = ~15 min. / ~30 min.]


Benefits of Hosted Network Services (HNS)

Out-Sourced Processing Considerations

• Responsible for the restoration of the following:
– Connectivity back to the Core Processing Site
  • (jConnect Backup Router)
– Server / Network Recovery
  • Exchange Servers - Domain Controllers
  • JHA & 3rd Party Applications
– Telecommunications - Voice Recovery
– Equipment setup & Reconfiguration
– Facilities
• A plan to deal with a disaster that strikes the facility


Branson, MO – Mountain Host Site


The Disaster Avoidance Concept

Disaster Avoidance Concept

[Figure: timeline. A Potential Disaster Event opens the Disaster Avoidance Period, during which the Disaster Avoidance Decision is taken and processing is switched to the Secondary System before the Disaster occurs; recovery of technology (the RTO) is avoided, but recovery of the business is still required]

Data Replication

[Diagram: Outlink Processing Center Disaster Avoidance. Data processing sites DP 1 (Core Director), DP 2 (CIF 20/20) and DP 3 (SilverLake) replicate to Branson, labelled DP DR (disaster recovery) and DP DA (disaster avoidance)]


Centurion Suite of Services

Contact Information

• Tom Williams
– Business Continuity Strategy Manager
– Jack Henry & Associates
– Centurion Disaster Recovery® Services
– 800-299-4411
– [email protected]