Too Big To Breach? The cybersecurity posture of the financial sector is an important factor in its overall health and stability.


Too Big To Breach? Examining the Cybersecurity Risk of the Largest US Banks and Thrifts

November 2015

The cybersecurity posture of the financial sector is an important factor in its overall health and stability.

Summary

Financial institutions are under a constant barrage of cyber attacks. Most of them have been able to operate effectively in the face of these constant threats, although there hasn't been a shortage of large data breaches in this sector. Within this context, we observe that organizations are often better at utilizing short-term solutions than adopting a longer-term and more strategic view of their cybersecurity posture: How well is an organization performing? Are things improving or getting worse? What is a good yardstick by which to measure one's cybersecurity posture?

In order to manage the risks that organizations face, it is necessary to be able to measure those risks. Using large-scale data collection and advanced analytics, we have developed proven predictive models that enable us to not only determine the probability of a cyber breach for a given organization, but also identify measurable key cybersecurity risk indicators that map directly to policies and practices that organizations can manage, thereby making it possible for organizations to observably and measurably reduce and manage their cyber risk effectively.

This report contains an examination of the cybersecurity risk faced by U.S. banks and thrifts with assets greater than $25 billion, as identified by American Banker. Our study, conducted in October 2015, looked at the network assets of these banks, their subsidiaries and in some cases their international parents, and examined the cybersecurity risk profiles of these institutions. This allows us to rank these institutions on the basis of the magnitude of their cybersecurity risk profiles. While we do not include the risk due to vendors and partners in the reported risk profile for a given organization, we did examine one of the most common vendors in this sector, who turns out to have a fairly high probability of experiencing a breach. For obvious reasons we do not disclose organizations with higher cybersecurity risks; we do however list those with the best risk profiles.

Some of the important results of our analysis are summarized below:

All institutions face some degree of cyber risk.

Signature Bank (New York) was the top rated bank with the lowest cyber risk profile.

The average probability of a security incident over the next 12 months for the profiled banks is 39.94% with a median of 34.06%.

The worst 10% of institutions profiled have an average of 86.37% probability of a security incident within the next year compared to the 8.92% at the top.

There is no correlation between the size of an organization's Internet footprint or its financial assets and the risk of breach.

Third party or vendor risk is a concern for financial institutions as it creates systemic underlying risk.

Quantifying Cybersecurity Risk

All financial institutions are subject to some risk simply because of the nature of their business profile. However, not all banks represent an equal amount of cybersecurity risk. Risk is both a function of the threats an organization faces and, the part we focus on here, the preparedness or security posture of the organization. Using a consistent measurement methodology, it is possible to perform a comparative study to identify organizations that are at higher risk. The key is to look for telltale behaviors over time, rather than specific vulnerabilities, many of which come and go.

Examining the Cybersecurity Risk Posture of the Largest Banks and Thrifts QuadMetrics, Inc.

Methodology

QuadMetrics uses large-scale Internet measurements and advanced machine learning techniques to develop predictive models of data breaches and cybersecurity incidents. This peer-reviewed and patent-pending technology has a demonstrated accuracy of greater than 90% when forecasting historical cybersecurity incidents, and is built upon research from the University of Michigan in partnership with the U.S. Department of Homeland Security. The risk models look at many factors, ranging from the quality of the visible infrastructure of an organization to malicious botnet activity and compromised hosts.

All banks based in the United States with over $25B in overall assets were profiled for their cybersecurity posture.

Although our models apply to all organizations with some Internet presence, for the purposes of this report we focus on the largest financial institutions in the US (with assets greater than $25 billion). According to data published by American Banker in August 2015, 58 banks met this criterion. As might be expected, almost all of these were household names. Conventional wisdom would indicate that we might expect these to have the best cybersecurity posture on the basis of their ability to invest in the policies, the people, and the technology required to build an effective cybersecurity program. It is interesting to note that this is not always the case.

For each organization, we construct profiles that are evaluated against our trained models. It is important to highlight that our models do not rely on discovering vulnerabilities at an institution; instead we look for cybersecurity characteristics and organizational behaviors that share similarities with organizations that have historically reported incidents. In order to profile these institutions, our models first determine the global Internet assets that belong to each organization, including their subsidiaries and parent companies. By analyzing these assets, profiles were developed that capture both the current and past security posture of each organization. This information is then used to compute a security posture score known as the QuadMetrics Security Rating (QMSR), as well as a Security Breach Prediction Index (SBPI), an estimated probability of a cybersecurity incident within the next year. A higher SBPI would indicate a higher probability of a data breach, on the basis of shared characteristics with other organizations that have historically experienced data breaches.

The profiled institutions are ranked first by their SBPI and then by their QMSR. An SBPI of 51% or greater indicates a network that is more likely than not to have a security incident. Additionally, our risk models indicate that this is the case for only the worst 5% of all organizations globally. Unfortunately, over 30% of the institutions examined for this report fell into this category.

Results and Discussion

Even though all financial institutions face some risk, we are able to clearly identify specific organizations that are better positioned from a cybersecurity perspective than others. The average SBPI for the profiled banks was 39.94%, with a median of 34.06%. The worst 10% of institutions profiled had an average SBPI of 86.37%, compared to an average SBPI of 8.92% for the best 10%. There was no clear correlation between the cybersecurity risk and either the size of the bank's network assets or the financial assets.

The graph below shows the distribution of the SBPI across our entire set of organizations. As can be seen, while the majority of the organizations studied exhibit a relatively low level of cyber risk, the graph also shows that nearly a third of these financial institutions had an SBPI of 50% or greater, and three had SBPIs greater than 90%, which places them at an extremely high risk of a security incident in the next 12 months. The QMSR ratings for these organizations were also considerably lower than that for the top 10 organizations, indicating a significant and recurring pattern of oversight in the maintenance of their public infrastructure.

All organizations toward the bottom (higher risk portion) of our list exhibited a wide range of measurable issues, such as misconfiguration of their infrastructure, malware activity, and even misconfigured software services and SSL certificates. The best-rated organizations by contrast showed very few negative data elements in our observations. These organizations have succeeded in minimizing their Internet footprint and therefore their external threat surface.

One important aspect of our profiles is that we measure risk using a comprehensive network asset view of each organization. Even for the best-rated organizations there were often specific small segments of their public-facing network footprint that represented a markedly higher risk than others. Therefore, by the weakest link principle, even these organizations have the potential of a significant cybersecurity incident. This is in spite of the fact that the overall healthy security posture indicates an organization that is generally well positioned to handle such incidents effectively.

As networks strive to become more secure, going through a third party has emerged as an easier path into a network. Some of the most prominent breaches have been the result of third parties. Unfortunately, this situation will only worsen with the growth in cloud computing and cloud storage, as well as the outsourcing of specialized IT functions. Therefore it is increasingly important for organizations to examine and monitor the cybersecurity risk of their vendors.

While our reported risk for each organization shown earlier did not explicitly take into account the condition of their vendors or partners and was only based on an organization's own infrastructure and assets, we did examine one vendor who stood out in our analysis of the financial sector. This vendor is a provider of key services used by a large number of institutions, and is one of the most common vendors for a wide array of banking solutions. It has an SBPI of 65.18%, which indicates high exposure to cyber risk. Risks such as this imposed by the underlying shared service vendors in turn pose systemic risk to the financial sector and therefore deserve heightened attention.

Third party or vendor risk is a serious concern for financial institutions due to its potential in inducing widespread systemic risk.

Our analysis and technology utilize observations that signal the extent to which an organization is vigilant against all network-based threats to its IT infrastructure and services. A well-managed cybersecurity posture requires constant awareness and careful management of the very minute and often mundane aspects of an organization's IT systems. QuadMetrics risk assessment tools help organizations of all sizes, from large financial institutions, such as the ones in this report, to small and medium enterprises, to more clearly understand their security posture and the risks their network and IT infrastructure face. Our systems require no training, no installed hardware or software, and do not require the redirection of logs, while delivering the visibility and research-backed, patent-pending risk predictions needed to secure a network in minutes. Contact QuadMetrics for more information.

Media Inquiries: For more information: 1327 Jones Drive, Suite 106 Ann Arbor, MI

Institutions Examined: Ally Financial Inc., American Express Co., Associated Banc-Corp, BancWest Corp., Bank of America Corp., Bank of New York Mellon Corp., Barclays Delaware Holdings LLC, BB&T Corp., BBVA Compass Bancshares Inc., BMO Financial Corp., BOK Financial Corp., Capital One Financial Corp., Charles Schwab Corp., CIT Group Inc., Citigroup Inc., Citizens Financial Group Inc., City National Corp., Comerica Inc., Cullen/Frost Bankers Inc., Deutsche Bank Trust Corp., Discover Financial Services, E-Trade Financial Corp., East West Bancorp Inc., Fifth Third Bancorp, First Citizens BancShares Inc., First Horizon National Corp., First Niagara Financial Group Inc., First Republic Bank, FirstMerit Corp., General Electric Capital Corp., Goldman Sachs Group Inc., HSBC North America Holdings Inc., Huntington Bancshares Inc., John Deere Capital Corp., JPMorgan Chase & Co., KeyCorp, M&T Bank Corp./Hudson City Bank Corp., Morgan Stanley, MUFG Americas Holdings Corp., New York Community Bancorp Inc., Northern Trust Corp., People's United Financial Inc., PNC Financial Services Group Inc., Popular Inc., Regions Financial Corp., Santander Holdings USA Inc., Signature Bank, State Street Corp., SunTrust Banks Inc., SVB Financial Group, Synovus Financial Corp., TD Bank US Holding Co., U.S. Bancorp, UBS Bank USA, United Services Automobile Association, Utrecht-America Holdings Inc., Wells Fargo & Co., Zions Bancorp.

QuadMetrics is a large-scale Internet measurement and cyber risk analysis company. QuadMetrics has developed predictive analytics that help organizations measure their cyber risk, identify and understand their cyber security posture and track its evolution over time. These metrics are used by enterprises for understanding their own security posture and their exposure due to third parties (partners and vendors); they are also used in underwriting cyber-insurance policies.

The Importance of Data Quality to Compliance with the Dodd-Frank Act William Henley Senior Vice President, Regulation

The Importance of Data Quality to Compliance with the Dodd-Frank Act William Henley Senior Vice President, Regulation The Importance of Data Quality to Compliance with the Dodd-Frank Act William Henley Senior Vice President, Regulation Data Governance and Quality Why the focus now? Has always been an important pre-requisite

More information

Commercial lines dominate at Top 10 Banks in Insurance

Commercial lines dominate at Top 10 Banks in Insurance RELEASE: CONTACT: Immediate Bank Insurance Market Research Group 914-381-7475 a.singer@singerpubs.com Commercial lines dominate at Top 10 Banks in Insurance MAMARONECK, NY-October 31, 2005: Commercial

More information

Bank Loan Portfolios Grew by 7% Last Year

Bank Loan Portfolios Grew by 7% Last Year Bank Loan Portfolios Grew by 7% Last Year Big U.S. banks increased their holdings of commercial real estate loans at a stepped-up but still moderate rate last year. The banking companies with the 100 largest

More information

A report from. April 2014. Checks and Balances. 2014 Update

A report from. April 2014. Checks and Balances. 2014 Update A report from Checks and Balances 2014 Update April 2014 The Pew Charitable Trusts Susan K. Urahn, executive vice president Travis Plunkett, senior director Team members Andrew Blevins, associate Clinton

More information

A report from May 2015. Checks And Balances. 2015 update

A report from May 2015. Checks And Balances. 2015 update A report from May 215 Checks And Balances 215 update The Pew Charitable Trusts Susan K. Urahn, executive vice president Travis Plunkett, senior director Team members Andrew Blevins, associate Joy Hackenbracht,

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

Are the Federal Reserve s Stress Test Results Predictable?

Are the Federal Reserve s Stress Test Results Predictable? -2 March 3, 2 Are the Federal Reserve s Stress Test Results Predictable? Paul Glasserman Office of Financial Research and Columbia University* paul.glasserman@treasury.gov Gowtham Tangirala Columbia University

More information

Information Technology Solutions

Information Technology Solutions THE THREAT Organizations are making large investment in cyber defense, but are still in the dark in terms of how they would fare up against one of the simplest attacks that Cyber-criminals use to take

More information

Estimating Commercial Real Estate (CRE) Stressed Loss Measures Under Federal Reserve 2015 Comprehensive Capital Analysis and Review (CCAR) Scenarios

Estimating Commercial Real Estate (CRE) Stressed Loss Measures Under Federal Reserve 2015 Comprehensive Capital Analysis and Review (CCAR) Scenarios DECEMBER 2014 QUANTITATIVE RESEARCH GROUP MODELING METHODOLOGY Estimating Commercial Real Estate (CRE) Stressed Loss Measures Under Federal Reserve 2015 Comprehensive Capital Analysis and Review (CCAR)

More information

RESPONSES TO THE REQUEST FOR ADDITIONAL INFORMATION. DATED NOVEMBER 24, 2014. FROM THE BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM

RESPONSES TO THE REQUEST FOR ADDITIONAL INFORMATION. DATED NOVEMBER 24, 2014. FROM THE BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM PUBLIC REDACTED VERSION. RESPONSES TO THE REQUEST FOR ADDITIONAL INFORMATION. DATED NOVEMBER 24, 2014. FROM THE BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM IN CONNECTION WITH THE APPLICATION TO THE

More information

Acquisition of Charter One

Acquisition of Charter One Acquisition of Charter One Acquisition of Charter One Strategic Rationale Slide 3 Second Largest Bank in New England 2000 Maine Michigan VT NH New York Boston MA RI CT Pennsylvania NJ New York New Hampshire

More information

Cybersecurity Awareness for Executives

Cybersecurity Awareness for Executives SESSION ID: SOP-R04 Cybersecurity Awareness for Executives Rob Sloan Head of Cyber Content and Data Dow Jones @_rob_sloan Session Overview Aim: Provide a high level overview of an effective cybersecurity

More information

DEVELOPING A KRI PROGRAM: GUIDANCE FOR THE OPERATIONAL RISK MANAGER SEPTEMBER 2004. Mayowa BabatolaMayowa BabatolaBITS 2004 September 2

DEVELOPING A KRI PROGRAM: GUIDANCE FOR THE OPERATIONAL RISK MANAGER SEPTEMBER 2004. Mayowa BabatolaMayowa BabatolaBITS 2004 September 2 DEVELOPING A KRI PROGRAM: GUIDANCE FOR THE OPERATIONAL RISK MANAGER SEPTEMBER 2004 Mayowa BabatolaMayowa BabatolaBITS 2004 September 2 DEVELOPING A KRI PROGRAM: GUIDANCE FOR THE OPERATIONAL RISK MANAGER

More information

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

Rating Action: Moody's concludes reviews on 63 US banks' ratings

Rating Action: Moody's concludes reviews on 63 US banks' ratings Rating Action: Moody's concludes reviews on 63 US banks' ratings Global Credit Research - 14 May 2015 Actions conclude methodology-related reviews New York, May 14, 2015 -- Moody's Investors Service has

More information

CDM Vulnerability Management (VUL) Capability

CDM Vulnerability Management (VUL) Capability CDM Vulnerability Management (VUL) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Vulnerability Management Continuous Diagnostics and Mitigation

More information

Building a Global Network Reputation System: Metrics, Data Analysis, and Risk Prediction

Building a Global Network Reputation System: Metrics, Data Analysis, and Risk Prediction Building a Global Network Reputation System: Metrics, Data Analysis, and Risk Prediction Manish Karir CTO QuadMetrics Background To what extent can we quantify and assess the security posture of a network/organization?

More information

The Bank Information Report by Sageworks U.S. banks seeing higher earnings, lending more, showing less risk

The Bank Information Report by Sageworks U.S. banks seeing higher earnings, lending more, showing less risk Sageworks Bank Information 5565 Centerview Drive Raleigh, NC 27606 P 919.851.7474 F 919.851.6718 www.sageworks.com The Bank Information Report by Sageworks U.S. banks seeing higher earnings, lending more,

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement Copyright Elevate Consult LLC. All Rights Reserved 1 Presenter Ray Guzman MBA, CISSP, CGEIT, CRISC, CISA Over 25

More information

Cybersecurity. Are you prepared?

Cybersecurity. Are you prepared? Cybersecurity Are you prepared? First Cash, then your customer, now YOU! What is Cybersecurity? The body of technologies, processes, practices designed to protect networks, computers, programs, and data

More information

J.D. Power Reports: Gen Z Has Arrived. Is Your Bank Ready? Overall Retail Banking Satisfaction is Up, Mobile and ATM Satisfaction Declines

J.D. Power Reports: Gen Z Has Arrived. Is Your Bank Ready? Overall Retail Banking Satisfaction is Up, Mobile and ATM Satisfaction Declines Reports: Gen Z Has Arrived. Is Your Bank Ready? Overall Retail Banking Satisfaction is Up, Mobile and ATM Satisfaction Declines WESTLAKE VILLAGE, Calif.: 30 April 2015 Gen Z, 1 which comprises about one-fourth

More information

Cloudy With a Chance of Breach Forecasting Cyber Security Incidents

Cloudy With a Chance of Breach Forecasting Cyber Security Incidents Cloudy With a Chance of Breach Forecasting Cyber Security Incidents Manish Karir Yang Liu, Armin Sarabi, Jing Zhang, Parinaz Nagzadeh, Michael Bailey, Mingyan Liu Background Reputation Matters Security

More information

Improving Cyber Security Risk Management through Collaboration

Improving Cyber Security Risk Management through Collaboration CTO Corner April 2014 Improving Cyber Security Risk Management through Collaboration Dan Schutzer, Senior Technology Consultant, BITS Back in March 2013, I wrote a CTO Corner on Operational and Cyber Risk

More information

DO MAINSTREAM BANKS AUGMENT CHILDREN'S CAPACITY TO SAVE?

DO MAINSTREAM BANKS AUGMENT CHILDREN'S CAPACITY TO SAVE? DO MAINSTREAM BANKS AUGMENT CHILDREN'S CAPACITY TO SAVE? Children as Potential Future Investors, Report III of III TERRI FRIEDLINE APRIL 2013 Children as Potential Future Investors is a three-part series

More information

Common Data Breach Threats Facing Financial Institutions

Common Data Breach Threats Facing Financial Institutions Last Updated: February 25, 2015 Common Data Breach Threats Facing Financial s Although exact figures are elusive, there is no question that the number of data security breaches both reported and unreported

More information

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector New York State Department of Financial Services Report on Cyber Security in the Insurance Sector February 2015 Report on Cyber Security in the Insurance Sector I. Introduction Cyber attacks against financial

More information

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response

More information

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...

More information

Finance Sector Background & User Needs

Finance Sector Background & User Needs Finance Sector Background & User Needs Brussels, October 2014 Finance European top 25 Ranking Bank Assets ( bn) Capital ( bn) 1 Deutsche Bank AG, Frankfurt am Main, Germany 2,052 2.43 2 BNP Paribas SA,

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst

Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: What do large enterprises need in order to address increasingly

More information

Cyber Security and the Board of Directors

Cyber Security and the Board of Directors Helping clients build operational capability in cyber security. A DELTA RISK VIEWPOINT Cyber Security and the Board of Directors An essential responsibility in financial services About Delta Risk is a

More information

GETTING IN GEAR 2014 SURVEY OF BANK REPUTATIONS >>>>> ENCOURAGING SIGNS ON THE LONG ROAD BACK TO REPUTATIONAL REDEMPTION

GETTING IN GEAR 2014 SURVEY OF BANK REPUTATIONS >>>>> ENCOURAGING SIGNS ON THE LONG ROAD BACK TO REPUTATIONAL REDEMPTION July 2014 AMERICAN BANKER/REPUTATION INSTITUTE 2014 SURVEY OF BANK REPUTATIONS GETTING IN GEAR >>>>> ENCOURAGING SIGNS ON THE LONG ROAD BACK TO REPUTATIONAL REDEMPTION >>> BY HEATHER LANDY WHEN WE BEGAN

More information

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance

More information

Best Practices for an Effective Onboarding Strategy

Best Practices for an Effective Onboarding Strategy Best Practices for an Effective Onboarding Strategy Tiffani Montez, Principal Analyst, Forrester Research Stephen Nikitas, Senior Market Strategist, Harland Clarke February 20, 2013 #HCOnboarding 2013

More information

2015 Mutual Fund Voting on Proxy Access Proposals

2015 Mutual Fund Voting on Proxy Access Proposals 2015 Mutual Fund Voting on Proxy Access Proposals An analysis of the voting records of top U.S. mutual funds The scorecard is issued by the Nathan Cummings Foundation, with data provided by Fund Votes

More information

2015 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE FOURTH ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE

2015 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE FOURTH ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE 2015 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE FOURTH ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE February 2015 2015 Network Security & Cyber Risk Management: The FOURTH

More information

CFO Changing the CFO Mindset on Cybersecurity

CFO Changing the CFO Mindset on Cybersecurity CFO Changing the CFO Mindset on Cybersecurity What CFOs don t know can hurt their bottom line Despite increasing cybersecurity involvement, too many CFOs still lack the cyber-savvy necessary to get ahead

More information

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent

More information

I D C A N A L Y S T C O N N E C T I O N

I D C A N A L Y S T C O N N E C T I O N I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

Logging In: Auditing Cybersecurity in an Unsecure World





