In December 2013, Target Corporation, a discount retailer, announced that the company suffered a data breach. The hackers who orchestrated the crime obtained the confidential credit and debit card information of more than 40 million customers. As investigations ensued, Target continued to adjust its estimate of the number of records accessed, ultimately reporting that hackers captured the personal data of as many as 110 million customers. In 2014, in a data breach involving a similar method of deception, hackers invaded home improvement retailer Home Depot’s records and acquired 56 million customers’ credit and debit account information and 53 million customers’ email addresses.
Shocking examples of cybersecurity breaches at financial institutions have also occurred. In 2013, hackers penetrated both Citigroup and JP Morgan Chase banks’ networks. Consequently, hackers accessed the data related to tens of thousands of customer accounts.
In late 2013, the Carbanak cybergang unleashed a cyberattack on more than 100 financial institutions across thirty different countries. Over a period of several months, Chinese and European hackers remotely programmed automatic teller machines (ATMs) to dispense cash and transfer millions of dollars in funds from customers’ accounts in Europe, the United States, and Japan. Hackers gained control over the internal operational systems of the individual financial institutions by baiting bank employees with e‐mails that appeared to be from colleagues, urging the employees to download malicious software (malware). For nearly two years, the hackers monitored employees’ daily routines, captured videos and screenshots, and reviewed and recorded video feeds. Hackers later used the intelligence they gathered to access the banking institutions’ systems and impersonate employees while the malware remotely triggered ATMs to dispense cash and to transfer funds.
You are the Chief Risk Officer of a large bank. Draft a three page memo to the board of directors explaining the significance of cyber‐security breaches and outlining best practices that you suggest the board adopt to protect the bank from cyberattacks. Your proposal should include the following sections:
Risk Assessment – Identifying and Predicting Reasonably Foreseeable Internal and External Threats
Assessing the Sufficiency of Existing Policies and Procedures
Hiring an Outside Consultant to Conduct a Risk Assessment
Designing Security Controls
Development of a Response Program
Training Staff
Testing Controls
Monitoring Systems