DHG Financial Services Strategic Planning and Cybersecurity Presentation
1. 1
Plan for Your Institution’s
Strategic Growth
May 19, 2016
2. 2
Our Discussion Topics
1. Why Strategic Planning
2. A Process That Works
3. Walking Through That Process
4. Minimizing Execution Risk
3. 3
Converting Opportunities to Performance
External Factors: changes emerging in the external environment
Internal Factors: capabilities to execute the strategy
Strategic Options: What is the best path to long-term value?
Long-term value is driven by Growth (organic or acquired) and Profits; the levers shown are:
• Customer base
• Share of wallet
• Geographic footprint
• New customers
• New or better products
• Product mix
• Efficiency
• Invest to innovate
• Invest to reduce costs
4. 4
Strategic Planning Components
Component – Description
• Customers and Markets Understood – Has done a critical, data-driven evaluation of marketplace opportunities and needs
• Internal Capabilities Understood – Has done a critical, data-driven evaluation of internal capabilities
• Effective Linkages – Effectively links operating and capital budgets to strategy; strategic objectives with performance evaluation and rewards
• Progress is Known, Tangible – Has strong mechanism for monitoring results on strategic initiatives; actual performance versus expectations
• Agreed Upon, Shared Vision – Has done an effective job of involving key stakeholders (owners, directors, leadership, senior management)
• Clearly Communicated Future Direction – Strategy statement/document clearly delineates the future path and performance objectives; strategic initiatives to get there
5. 5
A Process That Works
Focus the organization on a course of action to achieve its objectives
1. Establish a Common Fact Base – Compile comprehensive information for planning sessions
2. Conduct Planning Sessions – Discuss performance, strategic options; drive to common understanding
3. Develop the Strategy – Agree and communicate the strategy, objectives, and road map
4. Execute the Strategy – Link to operating and capital budgets; management objectives, compensation
Simple Question Set
1. Where are we now?
2. Where do we want to be?
3. How do we get there?
4. How do we measure our progress?
Structured, logical path to build a well-thought-out and agreed-upon strategy
6. 6
Changes Emerging in External Environment
External Factors Analysis
• Economy – Prosperity trends, lackluster GDP growth trends, monetary policy, interest rates, capital market directional trends
• Political, Regulatory – National elections and business orientation, regulatory compliance and rising cost
• Technology – Internet of things, delivery channel evolution or revolution, cybersecurity − threats to information assets
• Customers – Emerging segments; changing preferences, habits, and attributes; brand loyalty
• Industry – Margin compression, increased capital requirements, lower returns to owners, acquire or be acquired
• Competition – Saturated markets, scale and cost advantages, new entrants
The ability of an organization to sense the changes emerging in its external environment and to develop decisions and actions to mitigate risks and take advantage of opportunities – and doing this better than the competition
7. 7
Business Segment Assessment
Fact base established at business segment level
• Operating Model – What are our major opportunities to improve operational performance?
• Internal Capabilities – What are the internal strengths and weaknesses of the business – people, process, and technology? How do they help or constrain the business?
• Opportunities & Strategy – What customer segments, products, and markets offer the greatest potential? What is the strategy to most profitably serve those customer segments and markets?
• Competitive Position – Who are the competitors? What is the basis of competition? How do we perform versus those companies?
9. 9
Strategy − Focus on Course of Action to Achieve Goals
Plan should capture and summarize
• Strategy statement
  – Characterizes the products-to-target markets and segments, channels to reach those targets; specifies explicit profit and performance objectives; states distinguishing operational philosophies
• Assumptions under which the plan was prepared
• Financial projections
• Desired future state
  – Primary Strategic Initiatives to reach that desired future state
  – Accountability, action steps and timelines, specific milestones, success clearly defined
10. 10
Top Performers Convert Opportunities Better Than Others
Winning Strategies in Community Banking (KPMG 1998)
Citizens Business Bank (CBB)
The segment: small to middle size businesses, de novo in 1975
• Top Performing Community Bank − $1.3 billion in assets
• Clear vision of strategy and market from beginning. Business and professional market is where CBB can make the difference and have the greatest competitive advantage.
• CBB put in place a customer-focused, sales-driven strategy with unparalleled customer service as a cornerstone. Sales is a top priority. “If you are good at sales, then good business will come to you,” per CEO D. Linn Wiley.
“Wiley believes strongly that today’s banking market demands a commitment to rigorous ‘professional management.’ He asserts, ‘We are a planning oriented company.’ The bank goes through an annual planning process in November formulating specific goals and plans for the coming year. Wiley then puts in place the structure and people to support the plan.”
Source: Winning Strategies in Community Banking, Project Excellence, 1998 KPMG Peat Marwick LLP
11. 11
Top Performers Convert Opportunities Better Than Others (continued)
Citizens Business Bank
The Best Bank in America (Forbes 2015)
155 Consecutive Quarters of Profitability; 105 of Paying Cash Dividends (2015)
• Top 5 Bank (Bank Director Magazine), SNL Top 100 $1 to $10B − $7.7 billion in assets
• Vision…Become premier financial services company...serving the comprehensive financial needs of successful small to medium-sized businesses and their owners.
• Mission…Achieve superior financial performance and rank in the top 10 percent of financial institutions in the nation in ROE and ROA…Will be achieved by delivering the finest in financial products and services through relationship banking commitments with businesses and professionals…
“Our team has worked hard to execute the long-term strategy of our bank which is to build and maintain relationships with the best small to middle size businesses and their owners in our geographic marketplace.”
– Chris Myers, CEO, 4th Quarter 2015 Analyst Briefing
Source: CVB Financial Corp. Annual Report 2015; 4th Quarter Analyst Briefing
12. 12
Minimizing Execution Risk
Five Acts of Unconventional Leadership
1. Commit to an identity – Differentiate and grow by being clear-minded about what you can do best
2. Translate the strategic into the everyday – Build and connect the cross-functional capabilities that deliver your strategic intent
3. Put your culture to work – Celebrate and leverage your cultural strengths
4. Cut costs to grow stronger – Prune what doesn’t matter to invest more in what does
5. Shape your future – Reimagine your capabilities, create demand, and realign your industry on your own terms
Source: How Winning Companies Close the Strategy-to-Execution Gap, Paul Leinwand and Cesare Mainardi, 2016 Harvard Business School Publishing
• Have the right people on board
• Have a clear strategy and path to execution
• Be agile in adapting to changing external factors, market circumstances
• Be very disciplined in plan development and execution
13. 13
Minimizing Execution Risk (continued)
• Planning Process: “There needs to be a great deal of intentional discipline – a standard process that is predictable and executed every year.
  – February – Executive management team looks out a couple of years; invite experts of various types to participate in dialog
  – May – Have extended meeting with board to look forward; discuss performance
  – July – Update the strategy; offsite with board and executive management team
  – September – Updated strategy reflected in the budgets
  – Monthly and quarterly – Assess how well we are doing.”
• Strategy Execution: “Key to execution is accountability.
  – Overall linkage is essential – strategic goals → budget goals → individual goals/incentive plans
  – Tie compensation to strategy. Some goals/aspects are easy since it’s meeting the numbers; some are more difficult to establish because they are more intangible – but they all need to be linked together.”
Source: Interview with CEO, Diversified Financial Services Company (Banking and Specialty Finance), 2016
14. 14
Closing Comments
With today’s external regulatory and competitive pressures and uncertain economic environment, building franchise value requires a well-thought-out and agreed-upon strategy.
• It is essential that:
  – Leadership has confidence in the strategy
  – The strategy is understood across the bank
  – The strategy can be or is being executed.
• Anything less makes dealing with headwinds extremely difficult.
• Q&A
15. 15
Bill Walton
Partner
DHG Financial Services
bill.walton@dhgllp.com
D 404.575.8902
Suzanne Donner
Director
DHG Financial Services
suzanne.donner@dhgllp.com
D 404.681.8224
17. 2
IT advisory
Why are we talking Cyber? The Numbers
• 4 trillion
• 5%
• 4 minutes
• 100%
18. 3
Agenda
• Brief Look at Data Breach Stats
• Data Breach Causes and Results
• Security Incidents – Common Scenarios
• How can we prepare?
24. 9
Recent Statistics
Breach Root Causes 2015
• Malicious or Criminal Attack – 47%
• System Glitch – 29%
• Human Error – 24%
Source: Ponemon Institute 2015 Cost of Data Breach Study
27. 12
Recent Known Breaches
Kardashian website
- Web application code deficiency
- 663,270 names and email addresses
Excellus Blue Cross Blue Shield - NY
- May have started 2 years ago
- 10 million records (names, DOB, SSN, credit cards)
University of Virginia
- Hack originating from China
www.privacyrights.org
28. 13
Recent Known Breaches
Ashley Madison
- Hack originating from China but possible inside job
- 37 million records (including names posted online)
UCLA Health System
- Did not take “basic” steps to encrypt data
- 4.5 million records (names, DOB, SS#, credit cards)
Office of Personnel Management – D.C.
- 21.5 million social security numbers
30. 15
Social Engineering
Attention User:
Your email quota is almost exceeded. Starting
from December 8th, we are migrating to new email
interface. So we are currently doing maintenance
on our server. Please visit page below to update
your account and avoid losing your inbox.
http://xxxxxxxxxxxx.com/data/allow.html
Thank you.
Technical Team
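The lure above carries several of the tell-tale signs a mail filter or an awareness program teaches people to look for: a generic greeting, quota-panic urgency, an "update your account" call to action, a link that points away from the institution's own domain over plain http, and an anonymous "Technical Team" signature. The following Python is an added example, not part of the DHG deck: it scores a message body against that short list of heuristics and reports which ones fired. The corporate domain bank.example, the indicator phrase lists, and both sample messages are constructed for illustration; the phishing sample reproduces the slide's text with its masked placeholder URL.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the lure shown on the slide. The URL is the
# slide's masked placeholder, not a real host.
SAMPLE_PHISH = """Attention User:
Your email quota is almost exceeded. Starting
from December 8th, we are migrating to new email
interface. So we are currently doing maintenance
on our server. Please visit page below to update
your account and avoid losing your inbox.
http://xxxxxxxxxxxx.com/data/allow.html
Thank you.
Technical Team
"""

# Constructed benign control message; bank.example is an assumed corporate domain.
SAMPLE_BENIGN = """Hi Dana,
The quarterly patching window is Saturday at 02:00. Change ticket and scope:
https://intranet.bank.example/change/1234
Thanks,
Sam Lee, Infrastructure Team
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Heuristic phrase lists (illustrative, not exhaustive). All matching is done
# on a lower-cased, whitespace-normalised copy of the body.
GENERIC_GREETINGS = ("attention user", "dear user", "dear customer", "valued customer")
URGENCY_PHRASES = ("almost exceeded", "avoid losing", "immediately",
                   "will be suspended", "within 24 hours", "final notice")
CREDENTIAL_LURES = ("update your account", "verify your account", "confirm your password",
                    "validate your login", "re-enter your credentials")
VAGUE_SIGNATURES = ("technical team", "it department", "help desk",
                    "support team", "mail administrator")


def normalise(body):
    """Lower-case the body and collapse line breaks so multi-line phrases match."""
    return " ".join(body.lower().split())


def extract_urls(text):
    """Return every http(s) URL that appears in the text."""
    return URL_RE.findall(text)


def is_trusted_host(host, trusted_domains):
    """True if host equals a trusted domain or is a subdomain of one.

    A plain endswith() check is deliberately avoided: bank.example.evil.test
    must not count as trusted.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def phishing_indicators(body, trusted_domains):
    """Return the list of indicator tags found in the message body.

    Each tag names the heuristic that fired; link-related tags carry the host
    so an analyst can see exactly where the lure points.
    """
    text = normalise(body)
    indicators = []

    if any(g in text for g in GENERIC_GREETINGS):
        indicators.append("generic_greeting")
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("urgency_language")
    if any(l in text for l in CREDENTIAL_LURES):
        indicators.append("credential_lure")
    if any(s in text for s in VAGUE_SIGNATURES):
        indicators.append("vague_signature")

    for url in extract_urls(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not is_trusted_host(host, trusted_domains):
            indicators.append(f"off_domain_link:{host}")
        if parsed.scheme.lower() == "http":
            indicators.append(f"plaintext_link:{host}")

    return indicators


def is_suspicious(body, trusted_domains, threshold=2):
    """Flag a message when at least `threshold` independent indicators fire."""
    return len(phishing_indicators(body, trusted_domains)) >= threshold


if __name__ == "__main__":
    trusted = {"bank.example"}
    for label, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        tags = phishing_indicators(msg, trusted)
        print(f"{label}: suspicious={is_suspicious(msg, trusted)} indicators={tags}")
```

Run against the two samples, the slide's lure trips all six heuristics while the internal change notice trips none. The threshold is deliberately set at two so that a single generic greeting or a lone external link does not by itself quarantine legitimate mail; in production the same tags would feed a mail gateway's scoring or a SIEM rule rather than a hard block.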
32. 17
Top 5 Assessment Findings - Technical
Internet Service Provider connections
Outdated security patches
Voice over IP (telephone) lack of encryption
Weak and default passwords
Weak secondary device configurations
33. 18
Top 5 Assessment Findings - Social
Weak physical site controls
Response to phishing email
- Provide logon credentials
- Click on a bad link or attachment
Response to vishing (accounting departments)
Response to fake website
34. 19
Social Engineering - Physical Site Scenario
- Printer vendor who is taking over toner cartridge supplies needs an inventory – behind teller line
- General contracting company who won the bid to fix anything visible to the public – got access to bank vault
- From AT&T looking at access issues
- Fake letter if challenged
35. 20
Social Engineering – Vishing Scenarios
- Known third party lender inquiring of the Accounting department for missing wire
- Fictitious company starting a grant program, has “had discussions with the CFO” and needing a last minute wire transfer
- Utility company on behalf of their customer regarding an “overdrafted account”
- Third party IT support vendor
36. 21
Security Incident vs Data Breach
Perception is Important
– People use “breach” too frequently
– You don’t want your customers or regulators to think
you are subject to numerous breaches
– “Breach” suggests something bad happened or is
going to happen
– “Breach” has legal significance
• Incident Response Team should use “Security
Incident” not “Breach” on internal communications
38. 23
Typical Security Incident Scenario
“Houston we have a problem …”
Ransomware message
Malware incident that escalates
Network performance
Increase in suspicious emails
Notification from employees’ banks of suspicious account login activity
39. 24
Typical Security Incident Scenario
“Time for action …”
Performs initial analysis and triage
Notifies IT service providers
Determines assistance is needed, scrambles to find an outside security specialist
“Tick, tock, tick, tock …” or “$, $, $, $...”
40. 25
Unanticipated Costs
• Investigation Costs
• Regulatory / Industry Fines or Penalties
• Remediation / Infrastructure Change Costs
• Mandatory Notification to Customers
• Brand Damage
42. 27
How Can We Prepare?
Question – If someone was trying to breach your systems today …
WHO WOULD BE THE FIRST TO NOTICE IT?
Reducing risk will require investment …
Skillsets / resources
Software / hardware solutions
Third party relationships for monitoring
User Awareness
43. 28
How Can We Prepare?
Assign Responsibility for Data Protection
• CISO, CPO, CRO
• Responsible for overseeing ongoing data protection program
• Must Maintain Awareness of New Technologies and Their Risks
44. 29
How Can We Prepare?
IT Risk Management
• Management should understand what data they process and store
• IT threats should be considered as part of the organizational risk management process
• Consider mitigation, transfer, or elimination of risks
45. 30
How Can We Prepare?
Strong Vendor Management Program
• Include Security as Part of Vendor Evaluation Procedures
• Conduct Ongoing Evaluation of Vendor Relationship
• Disgruntled Employees
• Remember Target’s Scenario
46. 31
How Can We Prepare?
Strong Incident Response Program
“Not if, but when …”
Roles and Responsibilities
Who owns the program?
Include PR and Legal Counsel as Part of Response Team
Ensure forensic skillset is available
Continued regulatory focus
47. 32
FFIEC Cybersecurity Assessment Tool (CAT)
• New guidance finalized earlier this year
  – www.ffiec.gov/cyberassessmenttool.htm
• “Repeatable and Measurable”
• Incorporates principles from the FFIEC IT Examination Handbook
• Two Parts:
  1. Inherent Risk Profile
  2. Cybersecurity Maturity
48. 33
FFIEC CAT – Role of Management & Board
• Develop the plan to conduct the Assessment
• Define the target state of cybersecurity preparedness
• Oversee performance of monitoring and risk mitigation
• Oversee changes to maintain or enhance targeted state of preparedness
49. 34
FFIEC CAT – 2. Cybersecurity Maturity
Maturity levels, lowest to highest: Baseline, Evolving, Intermediate, Advanced, Innovative
• 5 maturity levels are based upon sophistication, design, and effectiveness of controls
• Critical controls include detective, preventative, and responsive