Cybersecurity Regulation for Thai Capital Market
The First NIDA Business Analytics and Data Sciences Contest/Conference, 1-2 September 2016 (B.E. 2559), Navamindradhiraj Building, National Institute of Development Administration
https://businessanalyticsnida.wordpress.com
https://www.facebook.com/BusinessAnalyticsNIDA/
Dr. Kumpol Sontanarat, M.Sc. (NIDA), Ph.D., Director of the Information Technology Department
Office of the Securities and Exchange Commission, Thailand
Room Navamindradhiraj 4002, 1 September 2016 (B.E. 2559), 10:15-11:15
Cybersecurity Regulation for Thai Capital Market
Kumpol Sontanarat (กำพล ศรธนะรัตน์)
ICT Department Director, Thailand SEC
Board Member of Electronic Transaction Commission
Chairman of CIO16 Association
Chairman of Thailand IT Architect Association
IT GRC Framework
Time Line
• AUG 2014: Initial (IT, Intermediaries Policy and Development Dept, Investment Management Supervision and Inspection Dept, Market Supervision Dept, Broker-Dealer Supervision and Inspection Dept)
• MAR 2015: Conduct 1st public hearing on website
• MAR 2015: Conduct public hearing: 1st focus group -> Intermediaries, SET
• Publish FAQ
• JUN 2016: Conduct GAP survey: Governance, Security and Fintech issues
• SEP 2016: Issue new regulation with 1 year grace period
• Q3 2016: Develop guideline for examiners
• AUG 2017: Conduct audit program through RBA
Knowledge Background
• Risk Framework and IT Best Practices
• IOSCO Principles
• Lessons Learned
Knowledge Background
Risk Framework and IT Best Practices
Current IT Risk Framework
• Time to review?
Current IT Risk Framework
• Integrity risk: all risks associated with authorization, completeness and accuracy of transactions
• Access risk: risks associated with data restriction, both overly restrictive and not adequately restricted
• Infrastructure risk: the risk that an SI does not have the IT infrastructure to run its business efficiently or in a cost-effective fashion
• Availability risk: unavailability of important information when needed threatens the continuity of the SI's critical operations
IT Risk : Turning Business Threats into Competitive Advantage
• Analysis of 134 surveys
• Empirical study
• IT risk pyramid
IT Risk Pyramid
(Figure: the four A's stacked top to bottom: Agility, Accuracy, Access, Availability. The upper layers represent future capability and are hard to quantify; the lower layers represent present capability and are easy to quantify.)
Source: IT Risk – Turning Business Threats into Competitive Advantage – George Westerman, Richard Hunter, Harvard Business School Press
IT Risk Pyramid (Cont.)
Agility
• Poor IT-business relations
• Poor project delivery
Accuracy
• Applications do not meet business requirements
• Manual data integration required
• Significant implementation under way or recently completed
Access
• Data not compartmentalized
• Applications need standardization
• Lack of internal controls in applications
• Network not reliable at all locations
Availability
• High IT staff turnover
• Poor backup/recovery
• Infrastructure not standardized
• Poorly understood processes and applications
IT Risk: View of IT Risk in Business Terms + GRC
• Emphasis on core principles
– Well-structured (Technology)
– Well-designed (Process)
– Risk-aware culture (People)
(Figure: the 4A pyramid – Agility, Accuracy, Access, Availability – under Governance of Enterprise IT)
Governance of Enterprise IT: having an integrated view of IT risks in business terms
What part is missing?
Current framework: Integrity, Infrastructure, Access, Availability
4A framework: Agility, Accuracy, Access, Availability
Intended Outcome
Change from the current IT Risk Framework (focus on IT risk): Access, Availability, Integrity, Infrastructure
To the 4A's IT Risk Framework (focus more on Business-IT alignment): Access, Availability, Accuracy, Agility
Next Step
- Develop audit checklist for SEC's auditors
- Build up sector-based Incident Response Plan
- Industry-wide cyberdrill test
IT Best Practices Adoption
» COBIT 5: Control Objectives for Information and Related Technology, mainly contributed by:
• ITIL – Information Technology Infrastructure Library
• ISO/IEC 27001 (major contributor to our new regulation)
Knowledge Background (Cont.)
• IOSCO Principles
(Figure) Regulator: require risk control from ourselves. Regulated entity: require risk control from the regulated entity. POC.
Sources for the SEC framework:
• Law & Regulation
• IT governance tool: COBIT (IT GRC)
• IT best practice: ITIL (service), ISO 27001 (security), ...
• Enterprise risk management standard: COSO, Thai OAG, IOSCO Principles
• Peer Regulators / Organization
Conduct gap analysis in compliance with IOSCO Principles: SEC Framework vs. IOSCO / Other Regulators
List of IOSCO Principles
Principles for Intermediaries
• IOSCO : Report on securities activity on the internet III, Oct 2003
• IOSCO : High-level principles for business continuity, Aug, 2006
• IOSCO : Principles for direct electronic access to markets, Aug 2010
• IOSCO : Cyber-Crime, Securities Markets and Systemic Risk, Jul 2013
• IOSCO : Report on social media and automation of advice tools survey, Jul 2014
• IOSCO : Market intermediary business continuity and recovery planning, consultation paper, April, 2015
Principles for Exchange
• IOSCO : High-Level Principles for Business Continuity, Aug 2006
• IOSCO : Regulatory Issues Raised by the Impact of Technological Changes on Market Integrity and Efficiency, Oct 2011
• IOSCO : Principles of Securities Regulation, Aug 2013 (revised)
• IOSCO : Principles for Financial Market Infrastructures (PFMI), Apr 2012 + Guidance on Cyber Resilience for FMI (2015)
• IOSCO : Mechanisms for Trading Venues to Effectively Manage Electronic Trading Risks and Plans for Business Continuity, Apr 2015
Key themes: legally binding agreement; cyber governance
Samples: IOSCO Principles' gap assessment
Columns: Item; Regulators should do; Regulated entities should do
Principles for direct electronic access to markets, Aug 2010
Principle 1: Minimum customer standards. Regulated entities: securities companies should require customers who will use DEA services to meet minimum standards, with a sound financial position, together with processes to ensure that the customer has personnel who are experienced and familiar with market rules and who have sufficient knowledge to use the DEA system. Regulators: the market authority should have rules requiring securities companies to establish minimum customer standards.
Principle 2: Legally binding agreement. Regulated entities: there should be a contract between the securities company and the customer that sets out the terms of use of the service and passes responsibility from the securities company directly to the customer, so that the market authority can take action against the customer directly.
Principle 3: Intermediary's responsibility for trades. Regulated entities: the securities company retains full responsibility for every order that occurs (including where sub-delegation is permitted); it should require ultimate customers to comply with the standards it sets, as with its other customers, and should require DEA customers to enter into legally binding agreements with their ultimate customers as well.
Principle 4: Customer identification. Regulated entities: the securities company should disclose the identity of a customer to the market authority on request (to facilitate market surveillance), including in sub-delegation cases.
Principle 5: Pre- and post-trade information. Regulated entities: the securities company must be able to access pre- and post-trade information in real time so that it can use that information to monitor and control risk management adequately.
Samples: IOSCO Principles' gap assessment (cont.)
Columns: Item; Regulators should do; Regulated entities should do
Principles for direct electronic access to markets, Aug 2010
Principle 7: Intermediaries. Regulated entities: securities companies should establish controls, including automated pre-trade controls that can prevent customers from sending orders that significantly exceed existing positions / credit limits (especially algo or HFT customers).
Principle 8: Adequacy of systems. Regulated entities: securities companies and all market infrastructure should have the operational and technical capability to manage the risks that may arise from DEA, ensuring that everything works properly, has sufficient capacity and is scalable to volume. Regulators: the market authority may require securities companies to:
• provide capability estimates for automated order routing and execution / market information / trade comparison systems
• conduct capacity stress tests periodically in order to understand the pattern / behaviour of the systems under different conditions
• arrange an independent review of all systems to confirm that they perform adequately and are secure
• have a policy to hire or train staff with the necessary technical skills
Samples: IOSCO Principles' gap assessment (cont.)
Columns: Item; Regulators should do; Regulated entities should do
Cyber-Crime, Securities Markets and Systemic Risk, Jul 2013
Regulators should do:
• Update / enforce rules on cyber crime in cooperation with other authorities (to prevent regulation gaps)
• Support an information-sharing network on these issues
• Act as a knowledge centre for the industry / answer queries / present best practices such as cyber security and resilience / collect cases that have occurred in order to analyse the industry's weak points
Summary Matrix for Conducting GAP Analysis from IOSCO Principles and Lessons Learned
Columns: IOSCO Principles; IT-related areas; Addressed by
• High-Level Principles for Business Continuity, Aug 2006
– Principles 1-7: issue notification about BCP
• Regulatory Issues Raised by the Impact of Technological Changes on Market Integrity and Efficiency, Oct 2011
– Recommendations 1-5: issue notification about IT security
• Principles for Financial Market Infrastructures (PFMI), Apr 2012 + Guidance on Cyber Resilience for FMI (2015)
– Principle 2: Governance; Principle 3: Managing Risk; Principle 8: Settlement; Principle 17: Operational risk; Principle 20: FMI Link
– Addressed by: add governance issues in new regulation; notification about BCP + IT Security
• Principles of Securities Regulation, Aug 2013 (revised)
– Principle 33: notification about BCP + IT Security
• Mechanisms for Trading Venues to Effectively Manage Electronic Trading Risks and Plans for Business Continuity, Apr 2015
– Recommendation for Managing Technology to Mitigate Risk; Recommendation for How to Plan for Disruptions: Business Continuity Plans
– Addressed by: add governance issues in new regulation; notification about BCP
Conduct Gap Analysis through COBIT
COBIT 5 domains: EDM (5 processes), APO (13 processes), BAI (10 processes), DSS (6 processes), MEA (3 processes)
Processes with room for improvement:
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimization
• EDM04 Ensure Resource Optimization
• EDM05 Ensure Stakeholder Transparency
• APO04 Manage Innovation
• BAI04 Manage Availability and Capacity
• BAI08 Manage Knowledge
• MEA01 Monitor, Evaluate and Assess Performance and Conformance
• MEA02 Monitor, Evaluate and Assess the System of Internal Control
Cybersecurity Regulation for Thai Capital Market
Contents of Regulation
• COBIT 5: Ensure Risk Optimisation, Ensure Resource Optimisation, Ensure Stakeholder Transparency, The System of Internal Control
• ISO 27001 + cloud
• Endorse Governance of Enterprise IT as regulation
Security Requirements in compliance with ISO/IEC 27001:2013
• 1. Information Security Policy and Compliance
• 2. Organization of Information Security
• 3. Human Resource Security
• 4. Asset Management
• 5. Access Control
• 6. Cryptographic Control
• 7. Physical and Environmental Security
• 8. Operations Security
• 9. Communications Security
• 10. System Acquisition, Development and Maintenance
• 11. Supplier Relationships
• 12. Information Security Incident Management
• 13. Information Security Aspects of BCM
Cloud Computing Regulation
• Cloud policy
• Cloud provider management
• Monitor and review cloud services
Cloud policy
• Risk assessment
• Define critical services/applications
• Define type of services: SaaS, PaaS, IaaS
• Conduct due diligence of the cloud provider, focusing on CIA (confidentiality, integrity, availability)
• Analyze qualifications of the provider: financial status, capability to serve
• Communicate the policy effectively with a signed letter
• Establish a data policy: data classification and how to manage each data category
• Define users' responsibilities and access policy, e.g. multi-factor authentication for administrators
• Regular audit requirement
Cloud Provider Management
• Data belongs to the service users (regulated entities)
• Define the cloud services to be adopted
• Define network security requirements, e.g.:
– Implement DDoS and APT protection
– Segregate network zones
– Data encryption
– Implement a defense-in-depth approach
– Hardening and access control
– Clear SLA and responsibilities of the provider
• Monitoring / reporting / incident handling, problem management, overall performance
• Backup and recovery policy
• RTO and RPO (recovery time objective and recovery point objective)
Cloud Provider Management (Cont.)
• Compensation when the provider fails to deliver
• Information leak prevention policy on the provider's side
• Provider has no authority to access or disclose information
• Provider is certified in compliance with the latest international standards
• Require a report from an external auditor at least once a year
Cloud Provider Management (Cont.)
• Exit plan: data retention and permanent destruction policy
• Define subcontracting of cloud services, with full obligation remaining on the main provider
As Users (regulated entities): Monitor and review cloud services
• Monitor to ensure the provider delivers qualified services per the agreement and in line with standards
• Assess and conduct provider capacity planning regularly
• Review the terms and conditions of the agreement when significant changes occur
• Review the service provider regularly: financial status, process, efficiency and capability to serve
Require more from Regulated Entity
• Apart from the security requirements, the new regulation also requires more on:
– Information security incident management
– Cyberdrill test / scenario-based testing
– Conduct BIA and report to board members
– Archive reports/logs for auditing
– Report to the regulator on system disruption, system compromise and harm to reputation
– Conduct Penetration Testing and Vulnerability Assessment
• 1 year grace period from September 2016 to August 2017
Require more from Regulator
• Initiate a Sector-based Incident Response Plan with peer regulators and critical infrastructure
– Information sharing
– Public announcement
• Conduct Industry-wide Cyberdrill Test
Discussion / Q&A
Thank You