Comptroller of the Currency Administrator of National Banks E-Security Risk Mitigation: A Supervisor’s Perspective Global Dialogue World Bank Group September.


1 Comptroller of the Currency Administrator of National Banks
E-Security Risk Mitigation: A Supervisor’s Perspective
Global Dialogue
World Bank Group
September 10, 2003
Hugh Kelly
Special Advisor for Global Banking
Office of the Comptroller of the Currency

2 What is Electronic Security?
• Any tool, technique, or process that protects a system’s information assets from threats to confidentiality, integrity, or availability
• E-security is composed of:
  ◦ Soft infrastructure – policies, procedures, processes & protocols that protect the system & data from compromise
  ◦ Hard infrastructure – hardware & software used to protect the system & data from threats to security from inside & outside

3 Why is E-Security Important?
• Greater reliance on technology increases potential for & likely impact of e-security threats
• By 2005, online banking will be over 50% in industrial countries & 10% in emerging markets
• Growing global connectivity through distributed networks, broadband & wireless connections
• Most types of e-crimes are not new
• New dimensions of security threats due to networks & e-banking

4 Changing Nature of E-Threats
• External:
  ◦ Speed & sophistication of cyber-attacks
  ◦ Hackers are smarter & better organized
  ◦ Blended threats & hybrid attacks
  ◦ Critical infrastructure reliance on Internet
  ◦ Cross-border nature of cyber-attacks
• Internal:
  ◦ Security not well understood by Board & management nor a high priority
  ◦ Misconfigured or outdated systems, mail programs or web sites lead to vulnerabilities
  ◦ Security holes in mobile & wireless networks
  ◦ Use of generic off-the-shelf software
  ◦ Just one naïve user with easy-to-guess password increases risk

5

6 Possible Effects of a Cyber Attack
• Denial-of-service
• Unauthorized use or misuse of computing systems
• Loss/alteration/compromise of data or software
• Monetary/financial loss
• Loss or endangerment of human life
• Loss of trust in computer/network system
• Loss of public confidence

7 Proactive & Multi-Layered Risk Mitigation Framework
• Need for broader adoption of proactive e-security risk mitigation processes
• Help identify & manage threats
• Meet business & customer expectations
• Preserve public trust
• Caveat -- E-security framework must be multi-layered & dynamic
• Changing risk profiles
• People, processes & technology issues

8 E-Security Risk Control Program
• Need awareness at Boardroom level
• Direct business impact
• Linkage to standards demanded by regulators, shareholders & customers
• Apply Basel EBG e-banking risk management principles:
• Active oversight by Board & management
• Robust e-security risk control policy/program
• Authentication & authorization
• Data access controls, encryption & recovery
• Intrusion detection, integrity checking & incident response procedures
• Consider operational risk impact

9 Supervisory Actions
• Need more focus globally on enhancing e-security supervision & examination
• Many individual bank supervisors are developing:
  ◦ Modern e-security risk management standards for their banks
  ◦ Integrated IT/safety & soundness examination procedures
  ◦ Better incident reporting & analysis
  ◦ Business continuity/disaster recovery plans (public/private sector scope)

10 Conclusion: What Can We Do Together?
• Enhance global supervisory cooperation on e-security issues
• Promote e-security risk management principles & best practices
• Information exchange on incidents, threat vulnerability assessments & risk mitigation needs
• Supervisory policy development, including examination approaches to cyber & IT risks
• Examiner training
• Public alerts & education

