Digital Age Fraud and Crime Nadia Brannon, CFE

Digital Age Fraud
and Crime
Nadia Brannon, CFE
Executive Director
Fraud Investigation & Dispute Services
Ernst and Young
415-894-8297
Nadia.Brannon@ey.com
October 2014
The views expressed in the following material are the
author’s and do not necessarily represent the views of
the Global Association of Risk Professionals (GARP),
its Membership or its Management.
2
Cost of Cyber Crime
A real and present threat to credibility, operations and profitability
Some sobering cyber crime statistics for 2014
 $12.7 Million - Average cost of cyber crime per company
 $3.5 Million - Average cost of a data breach event.
 $145 - Cost paid per lost of stolen record
 $213,542 - Average cost of a data breach incident caused due to
malicious insider attacks
 $639,462 and 31 days - Duration and cost of a typical attack in
2014
Cyber crime is on the rise
 15% - Increase in cost of a data breach event from 2013
 6% - Increase in cost paid of lost or stolen record with sensitive
information since 2013
 95% - Increase in cost of hacks since 2010
 4 days (96 hours) - Increase in duration of attack since 2013
 25% ($129,797) - Increase in cost incurred due to a cyber attack
since 2013
3 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
$ 60.5 Million
Most Expensive
Data Breach in
2014 to date…
Annualized Costs of Cybercrime in the United States in
2013 by Industry
Financial services
23.6
Defense
23.2
Utilities and Energy
21
Technology
10.8
Communications
10.2
Education and Research
9.9
Transportation
7.8
Services
7.8
Industrial
7.6
Public sector
7.4
Healthcare
6.8
Consumer products
5.9
Retail
4.5
0
5
10
15
Average annualized costs in million U.S. dollars
4 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
20
25
Current Trends

A large market in selling
corporate data / dark web

Information trading has led to
the formation of what is know
as the “cyber mafia” – a world
spanning network that strikes
from multiple locations
INTERNATIONAL
CYBER CRIMINALS

Increased reliance
on social media as
a driver of
business creates
opportunity to
exploit
vulnerabilities and
target attacks.

High profits with
low risk of
detection and
capture

Recent incidents
at Target and
Home Depot
highlight
associated risk
SOCIAL MEDIA

Attacks that steal data, but do
not destroy the data

Can take a long time to detect
so overall monetary damages
can be very high
ADVANCED

PERSISTENT THREAT
Non-detection can allow
hackers to infiltrate a
company’s system for longer
periods of time
5 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
POINT-OF-SALE
SYSTEMS
Common Forms of Cyber Attacks
Phishing
•Watering Hole
•Pharming and Credit Card Redirection
Malware
based
attacks
•Man in the Browser
•Mobile Exploits
DDoS
Attacks
•Volume Based Attack : Saturate the bandwidth by flooding it with a huge quantity of data
•Protocol Attacks : Saturate the target by exploiting network protocol flaws
•Application Layer Attack : Saturate resources by target specific web applications, flooding
them with HTTP requests
Zero Day
Exploits
•Attack that exploits a previously unknown vulnerability in the system
•Harder to defend against
6 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
Recent Cyber Crime Incidents
 76 million people affected
 Information compromised
INCIDENT TYPE: DATA BREACH
DATE: OCTOBER 2014




Names
Addresses
Phone numbers
Email addresses
 JPMC plans to spend $250 million on
digital security annually
 110 million people affected
 Information compromised
 Credit and debit cards
 Customer details – Name, Address, etc.
 Data breach cost Target $148 million
INCIDENT TYPE: POINT OF SALE
ATTACK
DATE: DECEMBER 2013
7 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
Recent Cyber Crime Incidents
 56 million credit and debit cards stolen
 Malware used to raid computer system
 Company struggling with high turnover
among information security personnel
INCIDENT TYPE: POINT OF SALE
ATTACK
DATE: SEPTEMBER 2014
INCIDENT TYPE: MALWARE
ATTACK
DATE: JULY 2014
8 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
 Scamming customers accounts to
steal large sums of money
 Funds transfers are affecting 34
institutions
 Crimes trace back to Romania and
Russia
 Amount of money stolen is in the
millions
Combating Cyber Attacks Requires Leadership and
Accountability
Organizations are making good progress in improving how they manage the risks they
already know, but they need to place more emphasis on:
 Improving employee awareness
 Increasing IS budgets
 Devoting more resources to innovating security solutions
 Threat Intelligence: Collect intelligence information that is relevant to the
business in order to establish a threat level and drive appropriate strategic and
tactical countermeasures
 Vulnerability Identification: Assess the organization’s vulnerability to cybersecurity attacks
 Remediation: Track, validate and provide metrics on the remediation of
vulnerabilities
 Detect: Monitor environment for threat indicators to identify attacks before critical
company services are disrupted or high value/sensitive assets are compromised
 Respond: Lead organized investigations to determine cause and scope of security
incidents, drive containment and recovery activities
 Countermeasure Planning: Design countermeasures to mitigate identified risks
inclusive of business, compliance or other security requirements mediation of
vulnerabilities
9 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
Sources
2013 EY Cyber Security Survey
http://www.ey.com/Publication/vwLUAssets/EY__2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf
2013 Internet Crime Report from the Federal Bureau of Investigation
http://www.ic3.gov/media/annualreport/2013_IC3Report.pdf
2013 Online Fraud Report – Cybersource
http://forms.cybersource.com/forms/fraudreport2013?cid=1-51697651&lsr=vanity
2014 Global Report on the Cost of Cyber Crime - Ponemon Institute
http://www.ponemon.org/
2014 Global Report on the Cost of Data Breaches - Ponemon Institute
http://www.ponemon.org/
10 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
Quantification Methods for Operational
Risk Losses
Sonia Jarvis
Financial Economist
Risk Analysis Division
Office of the Comptroller of the Currency
October 2014
The views expressed in the following material are the
author’s and do not necessarily represent the views of
the Office of the Comptroller of the Currency (OCC) or
Global Association of Risk Professionals (GARP), its
Membership or its Management.
12
Key Challenges to Cyber Crime Loss Quantification
Timing
•When events occur
•How long events last
Identify
Root
Cause(s)
•Key drivers of loss: internal, external, or combination?
Impact
Projection
•Lines of Business
•Internal operations vs. external fallout
•Regulatory actions
Limited
Experience
•Little, if any, historical experience
•External losses may or may not be relevant
13 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
Quantification Methods: RCSAs and BEICFs
(Qualitative Assessment)
People
 Subject matter experts
 Key stakeholders and management
 Risk Officers
 Modelers
Process
 Assess risk drivers or exposures
 Quantify potential losses based on expert judgment or experience
Pros and Cons
 Easy to understand
 Involve many or few participants
 Quantification by humans (subjective)
14 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
Quantification Methods: Scenario Analysis
(Qualitative Assessment)
People
 Subject matter experts
 Key stakeholders and management
 Risk Officers
 Modelers
Process
 Identify candidate scenarios
 Identify involvement of interested and relevant parties
 Identify quantification methodology(ies)
 Updates
Pros and Cons
 Easy to understand
 Involve many or few participants
 Limited to risk drivers identified
 Quantification by humans (subjective)
15 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
Quantification Methods: Loss Distribution Approach (LDA)
(Quantitative Assessment)
Data
 Internal
 External
 Qualitative
Process
 Determine severity distribution
 Determine frequency distribution
 Select relevant percentiles and compute aggregate loss
Pros and Cons
 No risk driver identification needed
 Objective method with subjective overlay
 Reliable and consistent models can be difficult to generate
 Highly dependent on data choices
 Not intuitive
16 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
Quantification Methods: Factor-based Approaches
(Quantitative Assessment)
Data
 Internal
 External
 Qualitative
Process
 Determine key risk drivers
 Determine mathematical relationship between losses and risk drivers
 Compute aggregate loss based on projected risk driver levels
Pros and Cons
 Intuitive methodology
 Similar to quantification in other financial risk areas (credit or market risk)
 Subjective mathematical models
 Limited to risk drivers identified (quantified)
 Highly dependent on data choices
𝒚 = 𝒂 + 𝒃𝒙𝟏 + 𝒄𝒙𝟐 + 𝒅𝒙𝟑 + ⋯
𝒚=𝒆
17 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
−
𝒂+𝒃𝒙𝒊
𝒂+𝒃𝒙𝒋
Quantification Methods: LDA-FB Mixture Approaches
(Quantitative Assessment)
Data
 Internal
 External
 Qualitative
Process
 Determine key risk drivers
 Determine loss distributions
 Determine mathematical relationship between losses and risk drivers
 Compute aggregate loss based on projected risk driver levels and quantiles of loss distribution
Pros and Cons
 Combines subjective and objective methodologies
 Retain elements similar to other financial risk areas
 Highly dependent on data choices
18 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
𝒚 = 𝒂 + 𝒃𝒙𝟏 + 𝒄𝒙𝟐 + 𝒅𝒙𝟑 + ⋯
−
𝒚=𝒆
𝒂+𝒃𝒙𝒊
𝒂+𝒃𝒙𝒋
Best Practices
Transparent
•Clear, concise documentation
•All processes and modeling decisions recorded
•Minimize “black boxes”
Credible
•Qualified participants
•Reasonable, validated results
•Reflective of actual risks and exposures
•Reflective of current situations (periodic refresh)
Verifiable
•Benchmarks or backtesting
•Reasonable results
Systematic
•Repeatable process
•Reduce or eliminate key-man risk
19 | 
© 2014 Global Association of Risk Professionals. All rights reserved.
C r e a t i n g a c u l t u r e
r i s k a w a r e n e s s ®
o f
Global Association of
Risk Professionals
111 Town Square Place
14th Floor
Jersey City, New Jersey 07310
U.S.A.
+ 1 201.719.7210
2nd Floor
Bengal Wing
9A Devonshire Square
London, EC2M 4YN
U.K.
+ 44 (0) 20 7397 9630
www.garp.org
About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make
better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies,
academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM®) and the Energy Risk Professional (ERP®)
Exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for
professionals of all levels. www.garp.org.
20 | 
© 2014 Global Association of Risk Professionals. All rights reserved.