JPMorgan Chase & Co.
Risk Assessment Report
Based on the 2014 Data Breach
University of Washington
IMT 552
(For educational purposes only)
Team Members:
Akshay Ajgaonkar
Daniel Kapellmann
Divya Kothari
Dustin Chiang
Manasa Chitiprolu
Sandeep T. Maregowda
Table of Contents
I. Executive Summary
II. Information Security in the Financial Industry
III. JPMorgan Chase Data Breach
IV. Stakeholders
V. Identification of Main Assets
VI. Risks Identification
VII. Risk Assessment
VIII. Risk Normalization
IX. Control Planning and Risk Treatment
X. Recovery and Incident Response
XI. Communication and Monitoring
XII. Strategic Recommendations
XIII. Annexes
XIV. References
Executive Summary
The summer of 2014 saw the biggest data breach in American banking history, which resulted in the loss of 83 million records from one of the leading banks in the world, JPMorgan Chase. In light of this cyberattack, we, as part of a special assessment team guided by the Chief Cyber Security Officer, performed an overall assessment. Its objective was to identify, assess and evaluate potential risks in order to provide senior management with recommendations for actions that prevent similar breaches in the future. The exercise, based on the ISO 31000 framework, started with the categorization of the overall risks into four clusters: Operational, Strategic, Financial and Legal Risk. The six main risks were then assessed, normalized and provided with consistent mitigation strategies. Finally, controls were planned and strategic recommendations were written to engage senior management in effectively managing the bank's information assets in the future. Through this paper we have evaluated and assessed this large-scale data breach and made recommendations to ensure the safety of the bank's data.
(Please note that, for the purposes of this assignment, assumptions have been made wherever data was not available.)
Information Security in the Financial Industry
Information security is currently one of the main challenges faced by firms in the financial sector because of the significant losses that any breach may cause. Establishing a secure environment for information assets is a topic of utmost relevance, yet a highly convoluted one considering the diversity of threats, the actors involved and the difficulty of staying one step ahead of new potential scenarios.
According to the Cost of Data Breach Study: Global Analysis by the Ponemon Institute, the average cost of an incident in 2015 reached $3.8 million, an increase of 23% in only the last two years. This sum corresponds to an average of $145 to $154 per stolen record. (Ponemon Institute, 2015)
In the case of the financial industry, the constant increase in the frequency of breaches and in their negative impact over the last few years has led to the creation of the largest non-government cybersecurity market. Its overall estimated value reached $9.5 billion in 2015, with the highest estimated growth rate for the 2015-2020 period. In 2014, PwC calculated that financial organizations collectively spent $4.1 billion on cybersecurity and would spend another $2 billion during the next two years. (Morgan, 2015)
JPMorgan Chase Data Breach
The 2014 cyberattack on the biggest bank in the USA, JPMorgan Chase & Co., was by far the most serious intrusion in the history of American corporations. The breach resulted in JPMorgan Chase & Co. losing data associated with approximately 83 million accounts (CNBC, 2015). The stolen records consisted primarily of account holders' names, addresses, phone numbers and email addresses, which were compromised by unknown hackers (Kurane & Wills, 2014). Fortunately for the bank, the hackers were not able to retrieve sensitive personal information about customers, such as social security numbers or account balances. As a consequence, the firm did not suffer any irreparable harm.
According to The New York Times, the bank's weak spot was a rather basic one. The breach could have been stopped had the bank installed a second authentication measure on one of the servers in its vast network. Some Eastern European Internet addresses were found to have been used for the attack, but the bank refused to share any further details on the incident (Perlroth, 2014). Bearing in mind the significant amount of money that giant firms such as JPMorgan invest in security, the breach represented an enormous danger for the company in terms of reputation, economic losses and customer trust.
To make matters worse, the bank discovered the breach somewhat accidentally. In July, security employees of the bank learned that the website for the JPMorgan Corporate Challenge, a charitable race organized by the bank, had been hacked and compromised. The website, run by an outside vendor, pointed back to a bigger problem with the bank's own network (Goldstein, 2015). Had this not been discovered, the compromise of 90 of the bank's servers would have gone unnoticed for another extended period of time.
Right after news of the breach was made public, JPMorgan shares went down by 0.4% in after-hours trading (Sam Ro, 2014). A few months later, in June 2015, the executive in charge of protecting JPMorgan Chase's computer network from hackers was reassigned. Instead of the hundreds of personnel he managed in the cyber-security unit, he has now been asked to build relationships with the government, law enforcement and the remaining big U.S. banks to mitigate the possibility of future risks (Robertson & Riley, 2015). A detailed assessment of this case is attached in Annex 2.
It may also be pertinent to note that, although the immediate assumption was that the data had been captured for financial fraud or identity theft, the Manhattan court has observed that the breach may have been the work of Russian gangs. As alleged by a United States attorney, "The defendants manipulated trading in U.S. securities from overseas, using fake identities to funnel millions of dollars in unlawful proceeds through a web of international shell companies. Using false and misleading spam emails sent to millions of people, these defendants allegedly directed their pump-and-dump scheme from their computers halfway around the world" (Goldstein, 2015). This may be a key factor in determining the true perpetrator, given that JPMorgan, as one of the largest US banks, has played a major role in implementing the sanctions imposed against Russian institutions and officials as a result of the conflict in Ukraine (Robertson & Riley, 2015).
Based on the various sources of information available and further risk/security assumptions, this paper seeks to identify, assess and evaluate further data breach risks following the Risk Management framework provided by ISO 31000. The framework also encourages us to recognize solutions and recommendations for future prevention and recovery. It is important to mention that the text will mostly analyze the protection of information assets and will rely on publicly available information.
Stakeholders
The main stakeholders related to the JPMorgan Chase breach are divided into two categories: internal and external. The first group consists of parties that either collaborate in the risk assessment process or must become acquainted with it in order to make related decisions. The second group involves parties that are not affiliated with the company but are ultimately interested in the security of the organization's information assets.
Internal
According to JPMorgan Chase's corporate site, the Chief Risk Officer is mainly held accountable for elaborating detailed assessments. With the support of the Chief Cybersecurity Officer, this executive eventually presents his findings to the Risk Policy Committee, a group organized to evaluate the findings, make decisions and ultimately collaborate with other parties such as the Audit and Corporate Governance Committees (JPMorgan Chase & Co., 2015). It is important to recall that, besides performing an accurate assessment, communication plays a primary role in the process, enabling the different stakeholders to correctly perform their duties. The accountability model is shown in the following diagram.
[Figure: Internal Accountability Model]
External
Additional stakeholders that may be considered are the government of the United States of America and the customers. In the first place, the public sector has supported powerful financial institutions in recovering from breaches and other crises because of their importance for the overall economy. Besides, it is in the nation's best interest to keep attracting customers by maintaining a good reputation for the security and good practices of its private institutions.
[Figure: External Stakeholder Matrix]
In the second place, customers are interested in being able to trust the institution in order to safely invest or save money without being harmed by security breaches. Other interpretations may consider other banks or competitors trying to learn from the breach and probably even emphasizing security as their competitive advantage. Finally, external service providers hired by the bank should also be considered potential stakeholders with high influence on and interest in the bank's security performance.
Identification of Main Assets
As a first step of the assessment, the primary assets of the organization that could either be in danger or play a role in data breaches were grouped into four categories:
● Physical Assets - Infrastructure and technology used to share, analyze or produce information. Examples are servers, networks, computers and other technology devices, either organizational or personal.
● Informational Assets - Software and information stored in different formats. Examples are databases, Customer Sensitive Information such as Personally Identifiable Information, and further financial data.
● Human Assets - Personnel and human factors involved in the processes implemented by the organization, as well as external users and stakeholders. Examples are vendors, managers/employees and customers.
● Reputational Assets - The factors that allow JPMorgan Chase & Co. to maintain or increase its brand presence as well as the goodwill and demand of external parties. Examples are the share value, customer trust and credibility.
[Figure: Assets Categorization Diagram]
The diagram above shows the four categories that enclose the organization's main assets with a direct or indirect relationship to data breaches. Even though this assessment is mostly centered on protecting the informational assets from data breaches, it is important to recall that the four categories are deeply interrelated in the different processes and procedures implemented by the institution. For this reason, protecting informational assets also affects the safety of the other three categories.
Risk Identification
The current exercise is mostly focused on the protection of informational assets in order to ensure the safety of the primary physical, human and reputational factors as well. Based on this premise and on public data related to the 2014 JPMorgan Chase breach, the following main risks were identified and categorized:
Operational
1) Inadequate controls and procedures (such as not implementing two-factor authentication on servers or not implementing secure network configurations) may lead to the exposure of restricted data and systems to external malicious parties.
2) Failure to contemplate the potential impact of human error when utilizing the informational assets of the company could generate unintended disclosure of data and circumvent currently implemented security controls.
3) Lack of substantial training for employees on protecting the informational assets of the company may generate unintended disclosure of data and lower the effectiveness of currently implemented security measures.
4) Failure to implement correct software flags that inform when an unauthorized party is attempting to access the system may lead to a lack of adequate and timely incident response against attacks.
5) Failure to implement adequate physical protection of the company's infrastructure may enable direct intrusions from external malicious entities.
6) Carelessness of employees may affect the company by enabling external access to its information assets through lost or stolen equipment, devices or credentials.
7) Inability to separate the protection of internal networks from that of external providers hosting the company's websites may lead to further data breaches and external intrusion into the main systems of the organization.
8) Lack of regular monitoring of customer information databases slows the bank's actions to respond to attacks and to find and fix vulnerabilities, thus enabling intrusions to last for long periods of time.
Strategic
1) Failure to protect the bank's information systems may generate the disclosure of private data of users and customers, damaging the reputation of the institution and its overall financial performance.
2) Slow adaptation to the technological advances of potential malicious actors leaves the company vulnerable to diverse external threats from different origins.
3) Failure to protect the bank's sensitive information may lead to the disclosure of confidential data about its customers and employees, enhancing the competition's appeal in the market.
4) Inability to efficiently integrate the members of the security team may lead to cultural conflict, generating potential loss of productivity.
5) Failure to protect the information of customers and employees (such as contact details, home addresses and other private information) may cause the company to lose the trust and support of its human factors.
6) Inefficient communication strategies for including security in the overall culture of the firm could increase the probability of threats impacting the informational assets of the company.
Financial
1) Failure to implement efficient organizational policies to correctly manage information may open the door to further attacks or even encourage unintended disclosure, generating financial and reputational losses for the company.
2) Failure to protect the personal information of customers may lead to theft and misuse of their resources through impersonation and other malicious methods.
3) Losing reputation as a consequence of information insecurity affects the company by decreasing user demand and leading new entrants to consider working with competing organizations instead.
Legal/Compliance
1) Failure to comply with government regulation related to data protection and unauthorized disclosure could generate lawsuits against the bank and even strengthen government intervention.
2) Lack of regular and thorough auditing may lead the company to experience further breaches and/or become involved in legal disputes.
3) Failure to correctly protect the information of customers and employees affects the company by engaging it in legal disputes with further possible negative financial and reputational impacts.
4) Lack of employee awareness leading to the destruction or deletion of documents related to data breaches affects the company by exposing it to further legal disputes.
The following diagram summarizes the identified risks and categorizes them according to their nature:
[Figure: ERM Risk Universe]
Risk Assessment and Mitigation
Based on the list of risks identified in the former section, the following assessment will include the
six most relevant findings as well as an analysis of their probability and potential impact. At the
same time, risk drivers and mitigation strategies will be defined for each one of them:
Risk #1: Inadequate controls and procedures may lead to the exposure of restricted data and systems to external malicious parties.
Risk Dimension: Operational

Risk Driver / Contributing Factor: Overlooking security controls for SDLC processes on data systems.
Probability: L | Impact: H
Current and Planned Mitigations:
- Quarterly monitoring of the implementation of security controls.
- Implementing the use of flags to alert department lead executives of system breaches and/or non-compliance with main security processes.

Risk Driver / Contributing Factor: Lack of communication with third-party service providers on compliance with risk mitigation controls.
Probability: M | Impact: H
Current and Planned Mitigations:
- Establishment of regular meetings to coordinate security measures with third-party service providers.
- Shared training sessions to exchange information about compliance procedures between both organizations.

Risk Driver / Contributing Factor: Lack of sufficient education and training on controls and procedures for restricting data and systems usage.
Probability: M | Impact: M
Current and Planned Mitigations:
- Regular training sessions are required to make all employees aware of the controls and policies in place in the organization.
- Elaboration of the Data Management and Control Procedures Manual to foster equal practices between different departments.
Risk #2: Lack of periodic monitoring of customer information slows the bank's actions to respond to attacks and to find and fix vulnerabilities, thus enabling intrusions to last for long periods of time.
Risk Dimension: Operational

Risk Driver / Contributing Factor: Insufficient robustness of the AAA (Authentication, Authorization, and Auditing) process for customers.
Probability: M | Impact: H
Current and Planned Mitigations:
- Implementation of robust AAA processes for customer data, reviewed by the Risk Management and Audit Committees.
- Quarterly AAA functional reports to ensure the efficiency and efficacy of currently implemented mechanisms.

Risk Driver / Contributing Factor: Reports on vulnerabilities are slowly processed.
Probability: L | Impact: M
Current and Planned Mitigations:
- Forming a sub-unit within the Risk Management Team to perform regular and planned processing of vulnerability reports.

Risk Driver / Contributing Factor: Exceptions to systematic security warnings are consistently made.
Probability: L | Impact: M
Current and Planned Mitigations:
- Strengthen the mechanisms required to validate exceptions so that they take place only under critical necessity.
- Case-by-case assessment of security exceptions to supervise the correct management of this resource.
Risk #3: Slow adaptation to the technological advances of potential malicious actors leaves the company vulnerable to diverse external threats from different origins.
Risk Dimension: Strategic

Risk Driver / Contributing Factor: Costs of migrating data to new technology can deter adaptation.
Probability: H | Impact: M
Current and Planned Mitigations:
- Promote the adoption of interoperable systems that allow data to be moved easily from one location to another.
- Hiring external agencies or consultancies that can assist in migrating to new technologies.

Risk Driver / Contributing Factor: Technology adoption is delegated to external consultants rather than in-house experts.
Probability: M | Impact: M
Current and Planned Mitigations:
- Hiring in-house experts who may supervise and collaborate with external parties in order to manage information.
- Promoting internal management of information whenever possible.

Risk Driver / Contributing Factor: Company culture may not encourage effective adaptation to technology.
Probability: M | Impact: L
Current and Planned Mitigations:
- Implement communication mechanisms to embed technology adoption into the company's culture.
Risk #4: Inefficient communication strategies for including security in the overall culture of the firm could increase the probability of threats impacting the informational assets of the company.
Risk Dimension: Strategic

Risk Driver / Contributing Factor: Lack of efficient senior leadership in security.
Probability: L | Impact: H
Current and Planned Mitigations:
- Foster and reward efficient leaders in security positions, promoting long-lasting working relationships with expert managers.
- Hiring an expert for the role of Chief Information Security Officer can be highly useful.

Risk Driver / Contributing Factor: Marginalization of senior leadership in security.
Probability: M | Impact: H
Current and Planned Mitigations:
- Incorporate senior security leadership in general meetings with high executives.
- Promote strong security communication strategies to get high executives involved in the overall information risk management process.

Risk Driver / Contributing Factor: The risk assessment team may not be fully funded and supported by senior leadership.
Probability: M | Impact: M
Current and Planned Mitigations:
- Enable transparency mechanisms between the risk assessment team and senior leadership by means of regular meetings or presentations.
- Enforce minimum security budget requirements for senior leadership.
Risk #5: Failure to comply with government regulation related to data protection and unauthorized disclosure could generate lawsuits against the bank and even strengthen government intervention.
Risk Dimension: Legal

Risk Driver / Contributing Factor: Noncompliance with audit requirements due to time or funding.
Probability: M | Impact: M
Current and Planned Mitigations:
- Enforce internal auditing mechanisms to ensure adequate compliance.
- Establish minimum time and budget requirements to comply with external audits.

Risk Driver / Contributing Factor: Reliance on external audit relationships rather than an internal auditing team.
Probability: L | Impact: H
Current and Planned Mitigations:
- Forming an internal audit team that performs quarterly, half-yearly and yearly assessments.
- Promote coordination between internal and external auditing teams.

Risk Driver / Contributing Factor: Internal processes and audits do not align well with government regulation.
Probability: L | Impact: M
Current and Planned Mitigations:
- Collaboration between the legal department and internal audit teams to ensure compliance with government regulation.
Risk #6: Failure to implement efficient organizational policies to correctly manage information may open the door to further attacks or even encourage unintended disclosure, generating financial and reputational losses for the company.
Risk Dimension: Financial

Risk Driver / Contributing Factor: Organizational policies do not align well with business objectives.
Probability: L | Impact: H
Current and Planned Mitigations:
- Coordinating organizational policies and business objectives by analyzing them through the lens of information security and risk management.
- Establish strong monitoring mechanisms to keep organizational security policies aligned with the main business objectives.

Risk Driver / Contributing Factor: Organizational policies hinder employee performance in everyday tasks.
Probability: M | Impact: M
Current and Planned Mitigations:
- Elaborate a report based on employee consultation regarding the flow of organizational policies and how they facilitate or complicate their daily tasks.
- Increase awareness about the necessity of following organizational policies for the good functioning of the firm.

Risk Driver / Contributing Factor: Insufficient performance tracking and management for organizational policies.
Probability: M | Impact: H
Current and Planned Mitigations:
- Keep track of the performance of organizational policies, where they fail and how to make them better.
- Maintain constant communication with employees to understand the impact of organizational policies on their daily jobs and how they follow these procedures.
Risk Normalization
After meeting with the main stakeholders and analyzing their interests, the following chart was prepared. Based on the assessment, each of the risks below is identified with the likelihood of the threat occurring and the impact of the threat.
Main Risks Evaluation
ID | Risk | Stakeholders Involved | Impact | Likelihood
1 | Inadequate controls and procedures | Business Team, Government Regulatory Body, IT Team | 5 | 2.7
2 | Lack of periodic monitoring | External and Internal Audit Committee, Governance Committee | 4.8 | 2.5
3 | Slow adaptation to technology | IT Team, Business | 2.6 | 4.1
4 | Inefficient communication strategies | CEO, Key business stakeholders, External Vendors | 4 | 2.2
5 | Failure to implement organizational policies | Key Business Stakeholders, IT Team | 3.9 | 1.7
6 | Non-compliance with government regulation | Legal Team, Technical Team, External Vendors, Government | 4.7 | 2
As part of the Risk Normalization process, the above impact and likelihood ratings have been accepted by the stakeholders, and a heat map visualizing this information is presented.
[Figure: Risk Heat Map]
Control Planning and Risk Treatment
According to the results of the risk normalization process, risks 3, 4 and 5 may be tolerated and managed by the team on a regular basis. In order to address them, the cybersecurity and risk managers will be informed so that better communication, alignment with business objectives and fast adaptation to technology can be addressed in the immediate future.
However, risks 1, 2 and 6 must be prioritized and immediately addressed, since the probability-impact matrix shows that the stakes are high enough to require the implementation of immediate controls. The following activities will be implemented to resolve each of these problems:
Risk Title: Inadequate controls and procedures
Risk Description: Failure to implement efficient controls and procedures to protect customer and bank information
Associated Business Objectives: Customer trust and support, Information assurance, Adaptation to changes in the industry
Risk Type: Operational
Risk Category: Information Security, Policies and Procedures, Incident Response
Impact Rating: 5
Likelihood Rating: 2.7
Management Activity and Controls Rating:
1. Implementation of alert flags to inform department lead executives about system breaches and/or non-compliance with main security processes
2. Quarterly monitoring of security controls and regular meetings to coordinate with internal and external service providers
3. Shared compliance and policy training sessions involving main internal stakeholders and external service providers
4. Elaboration of the Data Management and Control Procedures Manual (DMCP) to foster equal practices between different departments
Suggested Owners: Chief Risk Officer, Chief Cybersecurity Officer, Audit Committee
Metrics: Number and duration of successful minor/major data breaches; Number of employees with access to and approved evaluation in the DMCP Manual; Quarterly monitoring reports; Number of employees attending training sessions; Number of alert flags informing of non-compliance with security processes
Risk Title: Lack of periodic monitoring
Risk Description: Thorough evaluation and periodic monitoring of security policies, controls and procedures
Associated Business Objectives: Information Assurance, Operational Optimization, Risk Mitigation and Critical Assets Management
Risk Type: Operational
Risk Category: Information Security, Audit and Monitoring
Impact Rating: 4.8
Likelihood Rating: 2.5
Management Activity and Controls Rating:
1. Implementation and revision of robust AAA processes and procedures to protect customer data
2. Formation of a separate monitoring sub-unit to produce regular reports on control efficiency and effectiveness as well as to track, report and fix vulnerabilities
3. Strengthen requirements to validate exceptions and assess petitions case by case in order to supervise correct management of this resource
Suggested Owners: Chief Cybersecurity Officer, Audit Committee
Metrics: Half-yearly AAA processes and procedures revision report; Formation of the security monitoring sub-unit and derived performance metrics; Number of approved exceptions; Number of petitions to perform exceptions
Risk Title: Non-compliance with government regulation
Risk Description: Failure to enforce compliance with government regulation while performing daily processes and procedures
Associated Business Objectives: Operational Compliance, Business Continuity, Information Assurance and Critical Assets Protection
Risk Type: Legal/Compliance
Risk Category: Regulatory and Legal, Information Assurance, Policy and Compliance
Impact Rating: 4.7
Likelihood Rating: 2.0
Management Activity and Controls Rating:
1. Evaluating the complementarity between business objectives and risk/security organizational policies and establishing monitoring mechanisms to keep them aligned
2. Elaborate yearly reports based on employee consultation regarding the flow of security policies and how they influence their daily tasks
3. Keep track of the performance of security organizational policies and implement mechanisms to integrate them into main business processes
Suggested Owners: Policy and Compliance Department, Chief Risk Officer, Chief Cybersecurity Officer
Metrics: Yearly security operations report; Business Objectives and Security Assessment; Security policies' performance monitoring; Increase in time consumption to comply with security procedures
The most impactful risks were selected despite their low probability. As the 2014 data breach proved, it is of utmost importance to be prepared for events of this sort, which relate not only to daily tasks but also to unexpected crises. For further information about the impact and probability metrics, refer to Annex 2.
Incident Response and Recovery
Incident management and recovery is a critical part of business continuity planning. In order to effectively respond to the data breach at hand, we propose the following key steps, based in part on our assumptions about the incident:
● Perform disaster recovery and root cause analysis
● Segregate internal networks into separate segments to prevent further intrusion
● Restrict access to critical assets through least-privilege controls
● Quarantine the system that was breached
● Communicate internally to create awareness
● Provide proper training to cyber security personnel
Communication and Monitoring
As suggested by the ISO 31000 framework, the preceding analysis must be accompanied by a robust strategy of communication and monitoring that evaluates the process and increases awareness among the stakeholders. The risk assessment based on the 2014 data breach shows that it is of significant importance to strengthen monitoring activities and enhance the training of key employees in order to increase the security of the organization's informational assets. These two actions will also play an important role in engaging lead managers in investing efforts and resources to further protect the information of the institution.
However, internal communication should not be the only concern. Considering that the 2014 data breach was covered by diverse media channels, the reputation of the bank was damaged, and it is now important to reinforce the perception that strong security actions have been implemented to protect the information held by the organization. It is expected that by enhancing the security-oriented image of the bank, less government intervention will occur and trust will increase among both corporate and individual customers.
The main components of the communication plan should be:

Objective: Increase customers' demand for the organization's services
Audience: Customers
Strategy: Increasing trust in the organization's safety standards and promoting JPMorgan Chase & Co. as a security champion institution
Evaluation Criteria:
- Number of corporate customers
- Number of individual customers
- Customers' security perception

Objective: Educate employees to effectively follow security-related policies and procedures
Audience: Employees
Strategy: Promote greater security awareness among employees by generating communication campaigns and training that show them the impact of information security on their daily lives
Evaluation Criteria:
- Reported incidents caused by unintended employee actions
- Average time increase in procedures due to non-compliance with procedures and human error

Objective: Engage lead managers in the information security process
Audience: Lead Managers
Strategy: Offer lead managers clear and regular reporting mechanisms in order to increase awareness and enhance the amount of resources/efforts they utilize to secure informational assets
Evaluation Criteria:
- Total expenditure destined to information security by department
- Number of hired employees dedicated to information assurance
- Yearly information security practices survey

Objective: Gain the authorities' goodwill and support by sharing the company's achievements related to the protection of informational assets
Audience: Official Authorities
Strategy: Inform key government stakeholders about the success of the bank's information security measures
Evaluation Criteria:
- Number of key government stakeholders addressed
- Elaboration of collaborative workshops, events and initiatives
The communication plan will address different stakeholders using different methods. While
government institutions will be invited to learn more about information security achievements,
customers will only be told about the bank's leading position as a safe institution. The tone of the
campaign must show that resources are being allocated to protect information; however, it should
not display excessive confidence that might invite outsiders to treat breaching the institution's
data assets as a challenge. Employees and lead managers will both receive awareness campaigns
and training, the only difference being the kind of sensitive information that each group may
receive.
In general terms, the plan will be launched with the support of an initial campaign that shares the
message: “JPMorgan Chase & Co. cares about data security and has learned from previous
lessons. For this reason the company is now preparing to become a leader in mechanisms and
procedures for enhancing information assurance. Information stored in the bank's servers will now
be more secure than ever before.” To back up this message, success stories and good practices
will be shared among the stakeholders, promoting general awareness of the relevance of the field.
Beyond the communication strategy, it is essential to continue the continuous monitoring initiatives
defined by the risk management and security teams. Both teams should watch over the entire risk
management process so that JPMorgan Chase & Co. can verify the effectiveness of its policies and
enhance their impact on the most relevant stakeholders.
Strategic Recommendations
Considering the expected increase of its cybersecurity spending to $500 million in 2016,
JPMorgan Chase is preparing to address further information security challenges. Planning how
that money should be distributed across the most important security challenges is a further issue.
In the context of the preceding analysis, there are three clusters of strategic improvements that
can serve as the basis for recommendations JPMorgan Chase can move forward with: controls
and procedures for technology adoption, communication strategies for external groups, and
alignment between corporate and government policies for effective risk compliance.
Throughout our analysis, evidence suggests that technology adoption is relatively slow across
JPMorgan Chase's business operations. Three key risk drivers affecting this process could be
haste in proposing and implementing IT projects while leaving out crucial monitoring functions,
ineffective organizational change management for new technologies, and reliance on external
consultancy without sustained internal expertise. Based on these drivers, the top three
recommendations for JPMorgan Chase to consider when streamlining technology adoption with
effective controls and procedures are:
1. Increase monitoring and detection of unauthorized access in information systems holding
sensitive data.
2. Provide consistent IT training sessions on technology use throughout JPMorgan Chase,
internally and with third-party providers, on risk areas such as policies and compliance.
3. Promote internal information management by developing and enhancing in-house experts'
proficiency with data processing and information systems.
In addition to ineffective technology adoption, communication strategies with external groups
across JPMorgan Chase's business operations may have affected the company's response to
data breaches. Three key risk drivers affecting this process could be isolating senior leadership
from external affairs, having inadequate processing and response measures for external groups,
and tolerating loopholes in external access to information. Based on these drivers, the top three
recommendations to improve communication strategies with external groups are:
1. Encourage the inclusion of senior security leadership in the organization's discussions of
security issues with external groups.
2. Promote greater transparency toward external groups about how JPMorgan Chase uses data
and information.
3. Re-evaluate and strengthen policies that prevent unauthorized access to data, and make
case-by-case access evaluations more robust.
Finally, evidence also suggests that JPMorgan Chase's corporate policies for risk assessment
and compliance may not have been fully aligned with government policies for protecting
stakeholder and customer data. Three key risk drivers affecting this process could be constraints
on the time and money available for internal auditing, insufficient performance management for
organizational policies, and organizational policies that hinder day-to-day operations at individual
branches. Based on these drivers, the top three recommendations to target these risk drivers are:
1. Establish a comprehensive and inclusive internal auditing program run by the auditing and
legal teams at individual company branches.
2. Establish a program encouraging cyclical compliance reviews and feedback on organizational
policies and their changes.
3. Re-evaluate policies that balance data and information access against security for employees
such as associates and managers.
Annex # 1
Main survey questions:
1. What controls were in place before the breach, and which are currently in place at
JPMorgan Chase?
2. How often are your web pages and systems monitored to make sure that no security breaches
are taking place? Which mechanisms do you use for this?
3. Which are the most valuable assets that you deem necessary to protect from information
security breaches?
4. According to publicly available information, the breach happened because of the lack of a
second authentication step (two-factor authentication) on one of the servers. How are the rest
of the servers protected? Has anything been done yet to address this vulnerability? How is
relevant user data protected?
5. Are there any other potential vulnerabilities you would like to point out before we start our
external assessment?
6. Has there been any history of non-adherence to information security compliance
requirements (such as PCI DSS)?
Annex # 2
Annex # 3
1. Impact Rating Criteria
2. Likelihood/Probability Rating Criteria
References
JPMorgan Chase & Co. (2015, March). Risk Policy Committee. Retrieved from
https://www.jpmorganchase.com/corporate/About-JPMC/ab-risk-committee.htm
Kurane, S., & Wills, K. (2014, December 22). JPMorgan data breach entry point identified: NYT.
Reuters. Retrieved from
http://www.reuters.com/article/us-jpmorgan-cybersecurity-idUSKBN0K105R20141223
Morgan, S. C. (2015). Cybersecurity for Banks Report. Cybersecurity Ventures. Retrieved from
http://cybersecurityventures.com/cybersecurity-for-banks-report-q3-2015/
CBS News. (2015, November 10). Three charged for largest-ever bank data breach. Retrieved
from http://www.cbsnews.com/news/three-charged-for-jpmorgan-data-breach-the-largest-ever/
Perlroth, M. G. (2014, October 31). Luck Played Role in Discovery of Data Breach at JPMorgan
Affecting Millions. DealBook, The New York Times. Retrieved from
http://dealbook.nytimes.com/2014/10/31/discovery-of-jpmorgan-cyberattack-aided-by-company-that-runs-race-website-for-bank/?_r=0
Ponemon Institute. (2015, May 17). Ponemon Institute's 2015 Global Cost of Data Breach Study
Reveals Average Cost of Data Breach Reaches Record Levels. IBM. Retrieved from
https://www-03.ibm.com/press/us/en/pressrelease/47022.wss
Robertson, J., & Riley, M. (2015, June 30). JPMorgan Reassigns Security Team Leader a Year
After Data Breach. Bloomberg. Retrieved from
http://www.bloomberg.com/news/articles/2015-06-30/jpmorgan-reassigns-security-team-leader-a-year-after-data-breach
Goldstein, M. (2015, July 22). 4 Arrested in Schemes Said to Be Tied to JPMorgan Chase Breach.
CNBC. Retrieved from
http://www.cnbc.com/2015/07/22/4-arrested-in-schemes-said-to-be-tied-to-jpmorgan-chase-breach.html
Ro, S. (2014, October). JPMorgan Reveals Gigantic Data Breach Possibly Affecting 76 Million
Households. Business Insider. Retrieved from
http://www.businessinsider.com/jp-morgan-data-breach-2014-10
Airmic, Alarm, & IRM. A Structured Approach to Enterprise Risk Management and the
Requirements of ISO 31000. Retrieved from https://www.theirm.org/media/886062/ISO3100_doc.pdf

More Related Content

What's hot

Lehman brothers
Lehman brothersLehman brothers
Lehman brotherskunalavs
 
Cyber security and Cyber Crime
Cyber security and Cyber CrimeCyber security and Cyber Crime
Cyber security and Cyber CrimeDeepak Kumar
 
Bangladesh bank heist case study!
Bangladesh bank heist case study!Bangladesh bank heist case study!
Bangladesh bank heist case study!Mohammed Jaseem Tp
 
Credit Risk Management Presentation
Credit Risk Management PresentationCredit Risk Management Presentation
Credit Risk Management PresentationSumant Palwankar
 
Introduction to cyber security
Introduction to cyber security Introduction to cyber security
Introduction to cyber security RaviPrashant5
 
JP Morgan & Chase: IT Strategy and Key Success factors
JP Morgan & Chase: IT Strategy and Key Success factorsJP Morgan & Chase: IT Strategy and Key Success factors
JP Morgan & Chase: IT Strategy and Key Success factorsAbhiJeet Singh
 
Data breach presentation
Data breach presentationData breach presentation
Data breach presentationBradford Bach
 
phishing-awareness-powerpoint.pptx
phishing-awareness-powerpoint.pptxphishing-awareness-powerpoint.pptx
phishing-awareness-powerpoint.pptxvdgtkhdh
 
Risk mangement
Risk mangementRisk mangement
Risk mangementcollege
 
SVB collapse F1.pptx
SVB collapse F1.pptxSVB collapse F1.pptx
SVB collapse F1.pptxkritiprasad5
 
Phishing Attacks
Phishing AttacksPhishing Attacks
Phishing AttacksJagan Mohan
 
Types of Risks and its Management in Banking
Types of Risks and its Management in BankingTypes of Risks and its Management in Banking
Types of Risks and its Management in BankingMohit Chhabra
 
Global financial crisis
Global financial crisisGlobal financial crisis
Global financial crisisnabila km
 

What's hot (20)

Lehman brothers
Lehman brothersLehman brothers
Lehman brothers
 
Cyber security and Cyber Crime
Cyber security and Cyber CrimeCyber security and Cyber Crime
Cyber security and Cyber Crime
 
Banks and cybersecurity v2
Banks and cybersecurity v2Banks and cybersecurity v2
Banks and cybersecurity v2
 
Bangladesh bank heist case study!
Bangladesh bank heist case study!Bangladesh bank heist case study!
Bangladesh bank heist case study!
 
Cyber fraud in banks
Cyber fraud in banksCyber fraud in banks
Cyber fraud in banks
 
Credit Risk Management Presentation
Credit Risk Management PresentationCredit Risk Management Presentation
Credit Risk Management Presentation
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)
 
Aml & kyc
Aml & kyc Aml & kyc
Aml & kyc
 
Introduction to cyber security
Introduction to cyber security Introduction to cyber security
Introduction to cyber security
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
JP Morgan & Chase: IT Strategy and Key Success factors
JP Morgan & Chase: IT Strategy and Key Success factorsJP Morgan & Chase: IT Strategy and Key Success factors
JP Morgan & Chase: IT Strategy and Key Success factors
 
Data breach presentation
Data breach presentationData breach presentation
Data breach presentation
 
phishing-awareness-powerpoint.pptx
phishing-awareness-powerpoint.pptxphishing-awareness-powerpoint.pptx
phishing-awareness-powerpoint.pptx
 
Risk mangement
Risk mangementRisk mangement
Risk mangement
 
Report on Hacking
Report on HackingReport on Hacking
Report on Hacking
 
SVB collapse F1.pptx
SVB collapse F1.pptxSVB collapse F1.pptx
SVB collapse F1.pptx
 
Phishing Attacks
Phishing AttacksPhishing Attacks
Phishing Attacks
 
Types of Risks and its Management in Banking
Types of Risks and its Management in BankingTypes of Risks and its Management in Banking
Types of Risks and its Management in Banking
 
Global financial crisis
Global financial crisisGlobal financial crisis
Global financial crisis
 
Risk Assessment Report
Risk Assessment ReportRisk Assessment Report
Risk Assessment Report
 

Viewers also liked

J.P Morgan Chase & Company Case study
J.P Morgan Chase & Company Case studyJ.P Morgan Chase & Company Case study
J.P Morgan Chase & Company Case studyAnnapurna Sinha
 
Jp Morgan Case Study Final
Jp Morgan Case Study   FinalJp Morgan Case Study   Final
Jp Morgan Case Study FinalBERHMANI Samuel
 
J. p morgan project PPT
J. p morgan  project PPTJ. p morgan  project PPT
J. p morgan project PPTVijay Mehta
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security AssessmentFaheem Ul Hasan
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30timmcguinness
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentationmmagario
 
Powerpoint Risk Assessment
Powerpoint Risk AssessmentPowerpoint Risk Assessment
Powerpoint Risk AssessmentSteve Bishop
 
A strategy framework for the risk assessment and mitigation for large e-Gover...
A strategy framework for the risk assessment and mitigation for large e-Gover...A strategy framework for the risk assessment and mitigation for large e-Gover...
A strategy framework for the risk assessment and mitigation for large e-Gover...Arab Federation for Digital Economy
 
Area wide risk assessment – a best practice example in the Province of the Tyrol
Area wide risk assessment – a best practice example in the Province of the TyrolArea wide risk assessment – a best practice example in the Province of the Tyrol
Area wide risk assessment – a best practice example in the Province of the TyrolGlobal Risk Forum GRFDavos
 
Blending risk analysis with executive protection
Blending risk analysis with executive protectionBlending risk analysis with executive protection
Blending risk analysis with executive protectionDavid Sweigert
 
Adult jokes 6 may
Adult jokes  6 mayAdult jokes  6 may
Adult jokes 6 mayMaahi Behl
 
Nickel Background EU Risk Assessment Report March 2008 Final Draft
Nickel Background EU Risk Assessment Report March 2008 Final DraftNickel Background EU Risk Assessment Report March 2008 Final Draft
Nickel Background EU Risk Assessment Report March 2008 Final DraftNo to mining in Palawan
 
Brm swr- risk assessment report (michael mazogi)
Brm    swr- risk assessment report (michael mazogi)Brm    swr- risk assessment report (michael mazogi)
Brm swr- risk assessment report (michael mazogi)Michael Mazogi
 
Uspto – us patent cases weekly update - april 2nd - april 9th, 2013
Uspto – us patent cases   weekly update - april 2nd - april 9th, 2013Uspto – us patent cases   weekly update - april 2nd - april 9th, 2013
Uspto – us patent cases weekly update - april 2nd - april 9th, 2013InvnTree IP Services Pvt. Ltd.
 
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...Shawn Tuma
 
Example security risk assessment tool july 2010
Example security risk assessment tool july 2010Example security risk assessment tool july 2010
Example security risk assessment tool july 2010WarrenGreen
 
Design Advisory Service (Canada)
Design Advisory Service (Canada)Design Advisory Service (Canada)
Design Advisory Service (Canada)DUCO
 

Viewers also liked (20)

Case study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoCase study on JP Morgan Chase & Co
Case study on JP Morgan Chase & Co
 
J.P Morgan Chase & Company Case study
J.P Morgan Chase & Company Case studyJ.P Morgan Chase & Company Case study
J.P Morgan Chase & Company Case study
 
Jp Morgan Case Study Final
Jp Morgan Case Study   FinalJp Morgan Case Study   Final
Jp Morgan Case Study Final
 
Jp morgan final ppt
Jp morgan final pptJp morgan final ppt
Jp morgan final ppt
 
J. p morgan project PPT
J. p morgan  project PPTJ. p morgan  project PPT
J. p morgan project PPT
 
Jp morgan chase
Jp morgan chaseJp morgan chase
Jp morgan chase
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security Assessment
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30
 
Risk assessment presentation
Risk assessment presentationRisk assessment presentation
Risk assessment presentation
 
Powerpoint Risk Assessment
Powerpoint Risk AssessmentPowerpoint Risk Assessment
Powerpoint Risk Assessment
 
A strategy framework for the risk assessment and mitigation for large e-Gover...
A strategy framework for the risk assessment and mitigation for large e-Gover...A strategy framework for the risk assessment and mitigation for large e-Gover...
A strategy framework for the risk assessment and mitigation for large e-Gover...
 
Area wide risk assessment – a best practice example in the Province of the Tyrol
Area wide risk assessment – a best practice example in the Province of the TyrolArea wide risk assessment – a best practice example in the Province of the Tyrol
Area wide risk assessment – a best practice example in the Province of the Tyrol
 
Blending risk analysis with executive protection
Blending risk analysis with executive protectionBlending risk analysis with executive protection
Blending risk analysis with executive protection
 
Adult jokes 6 may
Adult jokes  6 mayAdult jokes  6 may
Adult jokes 6 may
 
Nickel Background EU Risk Assessment Report March 2008 Final Draft
Nickel Background EU Risk Assessment Report March 2008 Final DraftNickel Background EU Risk Assessment Report March 2008 Final Draft
Nickel Background EU Risk Assessment Report March 2008 Final Draft
 
Brm swr- risk assessment report (michael mazogi)
Brm    swr- risk assessment report (michael mazogi)Brm    swr- risk assessment report (michael mazogi)
Brm swr- risk assessment report (michael mazogi)
 
Uspto – us patent cases weekly update - april 2nd - april 9th, 2013
Uspto – us patent cases   weekly update - april 2nd - april 9th, 2013Uspto – us patent cases   weekly update - april 2nd - april 9th, 2013
Uspto – us patent cases weekly update - april 2nd - april 9th, 2013
 
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...
 
Example security risk assessment tool july 2010
Example security risk assessment tool july 2010Example security risk assessment tool july 2010
Example security risk assessment tool july 2010
 
Design Advisory Service (Canada)
Design Advisory Service (Canada)Design Advisory Service (Canada)
Design Advisory Service (Canada)
 

Similar to JPMorgan Chase & Co. -Risk Assessment Report

Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)PwC France
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015James Sheehan
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterPatricia M Watson
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityPaul Ferrillo
 
www.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docxwww.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docxericbrooks84875
 
Not Prepared for Hacks .docx
                 Not Prepared for Hacks    .docx                 Not Prepared for Hacks    .docx
Not Prepared for Hacks .docxhallettfaustina
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industryNumaan Huq
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-dataNumaan Huq
 
Whitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_enWhitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_enBankir_Ru
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionThe Economist Media Businesses
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdframsetl
 
Top Internal Audit Priorities for Financial Services Organizations, 2016
Top Internal Audit Priorities for Financial Services Organizations, 2016Top Internal Audit Priorities for Financial Services Organizations, 2016
Top Internal Audit Priorities for Financial Services Organizations, 2016jennyhollingworth
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaLizbethQuinonez813
 
IBM X-Force Threat Intelligence Report 2016
IBM X-Force Threat Intelligence Report 2016IBM X-Force Threat Intelligence Report 2016
IBM X-Force Threat Intelligence Report 2016thinkASG
 

Similar to JPMorgan Chase & Co. -Risk Assessment Report (20)

Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
Etude PwC/CIO/CSO sur la sécurité de l'information (2014)
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise Chapter
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurity
 
www.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docxwww.pwc.comgsiss2015Managing cyber risks in an intercon.docx
www.pwc.comgsiss2015Managing cyber risks in an intercon.docx
 
Accounting
AccountingAccounting
Accounting
 
Get Prepared
Get PreparedGet Prepared
Get Prepared
 
Not Prepared for Hacks .docx
                 Not Prepared for Hacks    .docx                 Not Prepared for Hacks    .docx
Not Prepared for Hacks .docx
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
 
2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
 
Whitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_enWhitepaper 2015 industry_drilldown_finance_en
Whitepaper 2015 industry_drilldown_finance_en
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the Boardroom
 
Sel03129 usen
Sel03129 usenSel03129 usen
Sel03129 usen
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimension
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
 
Top Internal Audit Priorities for Financial Services Organizations, 2016
Top Internal Audit Priorities for Financial Services Organizations, 2016Top Internal Audit Priorities for Financial Services Organizations, 2016
Top Internal Audit Priorities for Financial Services Organizations, 2016
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expa
 
IBM X-Force Threat Intelligence Report 2016
IBM X-Force Threat Intelligence Report 2016IBM X-Force Threat Intelligence Report 2016
IBM X-Force Threat Intelligence Report 2016
 
2015 cost of data breach study
2015 cost of data breach study2015 cost of data breach study
2015 cost of data breach study
 

More from Divya Kothari

The American Health Care System - Long Paper
The American Health Care System - Long PaperThe American Health Care System - Long Paper
The American Health Care System - Long PaperDivya Kothari
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkDivya Kothari
 
Effect of Multitasking on GPA - Research Paper
Effect of Multitasking on GPA - Research PaperEffect of Multitasking on GPA - Research Paper
Effect of Multitasking on GPA - Research PaperDivya Kothari
 
Intelligence Intelligence (Uber)
Intelligence Intelligence (Uber)Intelligence Intelligence (Uber)
Intelligence Intelligence (Uber)Divya Kothari
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliantDivya Kothari
 
Homer Pithawala_Referral
Homer Pithawala_ReferralHomer Pithawala_Referral
Homer Pithawala_ReferralDivya Kothari
 
Umesh Aswar_Referral
Umesh Aswar_ReferralUmesh Aswar_Referral
Umesh Aswar_ReferralDivya Kothari
 
1986_Chernobyl_Meltdown.pptx
1986_Chernobyl_Meltdown.pptx1986_Chernobyl_Meltdown.pptx
1986_Chernobyl_Meltdown.pptxDivya Kothari
 

More from Divya Kothari (11)

The American Health Care System - Long Paper
The American Health Care System - Long PaperThe American Health Care System - Long Paper
The American Health Care System - Long Paper
 
Security Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. FrameworkSecurity Compliance Models- Checklist v. Framework
Security Compliance Models- Checklist v. Framework
 
Effect of Multitasking on GPA - Research Paper
Effect of Multitasking on GPA - Research PaperEffect of Multitasking on GPA - Research Paper
Effect of Multitasking on GPA - Research Paper
 
Intelligence Intelligence (Uber)
Intelligence Intelligence (Uber)Intelligence Intelligence (Uber)
Intelligence Intelligence (Uber)
 
Incident Response
Incident ResponseIncident Response
Incident Response
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliant
 
Homer Pithawala_Referral
Homer Pithawala_ReferralHomer Pithawala_Referral
Homer Pithawala_Referral
 
Umesh Aswar_Referral
Umesh Aswar_ReferralUmesh Aswar_Referral
Umesh Aswar_Referral
 
Recognition_Letter
Recognition_LetterRecognition_Letter
Recognition_Letter
 
The Vyapam Case
The Vyapam CaseThe Vyapam Case
The Vyapam Case
 
1986_Chernobyl_Meltdown.pptx
1986_Chernobyl_Meltdown.pptx1986_Chernobyl_Meltdown.pptx
1986_Chernobyl_Meltdown.pptx
 

JPMorgan Chase & Co. -Risk Assessment Report

  • 1. JPMorgan Chase & Co. Risk Assessment Report Based on the 2014 Data Breach University of Washington IMT 552 (For educational purposes only) Team Members: Akshay Ajgaonkar Daniel Kapellmann Divya Kothari Dustin Chiang Manasa Chitiprolu Sandeep T. Maregowda
  • 2. Table of Content I. Executive Summary II. Information Security in the Financial Industry III. JPMorgan Chase Data Breach IV. Stakeholders V. Identification of Main Assets VI. Risks Identification VII. Risk Assessment VIII. Risk Normalization IX. Control Planning and Risk Treatment X. Recovery and Incident Response XI. Communication and Monitoring XII. Strategic Recommendations XIII. Annexes XIV. References
  • 3. Executive Summary The summer of 2014 saw the biggest data breach in American banking history which resulted in the loss of 83 million records from one of the leading banks in the world, JPMorgan Chase. In the light of this cyberattack, we as a part of this special assessment team guided by the Chief Cyber Security Officer, performed an overall assessment. The objective of this assessment was to identify, assess and evaluate potential risks in order to provide the senior management with recommendations for actions to prevent future similar breaches. The exercise, based on the ISO 31000 framework, started with the categorization of the overall risks in four clusters: Operational, Strategic, Financial and Legal Risk. Then, the main six risks were assessed, normalized and provided with consistent mitigation strategies. Finally, controls were planned and strategic recommendations were written to involve the senior management into effectively handling future management of information assets. Through this paper we have evaluated and assessed this large scale data breach and made effective recommendations to ensure the safety of bank’s data. (Please not that for purposes of this assignment various assumptions have been taken into consideration wherever data was not available.)
Information Security in the Financial Industry

Information security is currently one of the main challenges faced by firms in the financial sector because of the significant losses that any breach may cause. Establishing a secure environment for information assets is a topic of utmost relevance, yet a highly convoluted one when considering the diversity of threats, the actors involved and the difficulty of staying one step ahead of new potential scenarios. According to the Cost of Data Breach Study: Global Analysis by the Ponemon Institute, the average cost of an incident in 2015 reached $3.8 million, an increase of 23% over the last two years alone. This sum accounts for an average of $145 to $154 for each stolen record. (Ponemon Institute, 2015)

In the case of the financial industry, the constant increase in the frequency and negative impact of breaches over the last few years has led to the creation of the largest non-government cybersecurity market. Its overall estimated value reached $9.5 billion in 2015, with the highest estimated growth rate for the 2015-2020 period. In 2014, PwC calculated that financial organizations collectively spent $4.1 billion on cybersecurity and would spend another $2 billion during the next two years. (Morgan, 2015)

JPMorgan Chase Data Breach

The 2014 cyberattack on the biggest bank in the USA, JPMorgan Chase & Co., was by far the most serious intrusion in the history of American corporations. The breach resulted in JPMorgan Chase & Co. losing data associated with approximately 83 million accounts (CNBC, 2015). The stolen records consisted primarily of the names of account holders, addresses, phone numbers and email addresses, which were compromised by unknown hackers (Kurane & Wills, 2014). Fortunately for the bank, the hackers were not able to retrieve sensitive personal information about customers, such as social security numbers or account balances. As a consequence, the firm did not suffer any irreparable harm.

According to The New York Times, the bank's weak spot was a rather basic one: the breach could have been stopped had the bank installed a second authentication factor on one of the servers in its vast network. It was found that some Eastern European Internet addresses were used for the attack, but the bank refused to share any further details on the incident (Perlroth, 2014). Bearing in mind the significant amount of money that giant firms such as JPMorgan invest in security, the breach represented an enormous danger for the company in terms of reputation, economic losses and customer trust.

To make matters worse, the breach was discovered by the bank somewhat accidentally. In July, security employees of the bank learned that the website for the JPMorgan Corporate Challenge, a charitable race organized by the bank, had been hacked and compromised. The website, run by an outside vendor, pointed back to a bigger problem with the bank's own network. (Goldstein, 2015) Had this not been discovered, the compromise of 90 of the bank's servers would have gone unnoticed for another extended period of time. Right after the news of the breach was made public, JPMorgan shares went down by 0.4% in after-hours trading (Sam Ro, 2014). A few months later, in June 2015, the executive who had been in charge of protecting JPMorgan Chase's computer network from hackers was reassigned. Instead of the hundreds of personnel that he managed in the cybersecurity unit, he has now been asked to build relationships with the government, law enforcement and the remaining big U.S. banks to mitigate the possibility of future risks. (Robertson & Riley, 2015) A detailed assessment of this case is attached in Annex # 2.

It may also be pertinent to note that, despite the immediate assumption that the data was captured for financial fraud or identity theft, the Manhattan court has observed that the breach may have been carried out by Russian gangs. As alleged by a United States attorney, "The defendants manipulated trading in U.S. securities from overseas, using fake identities to funnel millions of dollars in unlawful proceeds through a web of international shell companies. Using false and misleading spam emails sent to millions of people, these defendants allegedly directed their pump-and-dump scheme from their computers halfway around the world" (Goldstein, 2015). This may be a key factor in determining the true perpetrator given that, as one of the largest US banks, JPMorgan has played a major role in implementing the sanctions imposed against Russian institutions and officials as a result of the conflict in Ukraine. (Robertson & Riley, 2015)

Based on the various sources of information available and further risk/security assumptions, this paper will seek to identify, assess and evaluate further data breach risks following the risk management framework provided by ISO 31000. The framework also encourages us to recognize solutions and recommendations for future prevention and recovery. It is important to mention that the text will mostly analyze the protection of information assets and will rely on publicly available information.

Stakeholders

The main stakeholders related to the JPMorgan Chase breach are divided into two categories: internal and external. The first group consists of parties that either collaborate in the risk assessment process or must become acquainted with it in order to make further related decisions. The second involves parties that are not affiliated with the company but are ultimately interested in the security of the organization's information assets.

Internal

According to JPMorgan Chase's corporate site, the Chief Risk Officer is mainly held accountable for elaborating detailed assessments. With the support of the Chief Cybersecurity Officer, this executive eventually presents his findings to the Risk Policy Committee, a group organized to evaluate the findings, make decisions and ultimately collaborate with other parties such as the Audit and Corporate Governance Committees. (JPMorgan Chase & Co., 2015) It is important to recall that, besides performing an accurate assessment, communication plays a primary role in the process, enabling the different stakeholders to correctly perform their duties. The accountability model is shown in the following diagram.

Internal Accountability Model

External

Some additional stakeholders that may be considered are both the government of the United States of America and the customers. In the first place, the public sector has supported powerful financial institutions in recovering from breaches and other crises because of their importance for the overall economy. Besides, it is in the nation's best interest to keep attracting customers by maintaining a good reputation for the security and good practices of private institutions.

External Stakeholder Matrix

In the second place, the customers are interested in being able to trust the institution in order to safely invest or save money without being harmed by security breaches. Other possible interpretations may consider other banks or competitors trying to learn from the breach and perhaps even emphasizing security as their competitive advantage. Finally, external service providers hired by the bank should also be considered potential stakeholders with high influence and interest in the bank's security performance.
Identification of Main Assets

As a first step for the assessment, the primary assets of the organization that could either be in danger or play a role in data breaches were grouped into four categories:

● Physical Assets - Infrastructure and technology used to share, analyze or produce information. Some examples are servers, networks, computers and other technology devices, either organizational or personal.
● Informational Assets - Software and information stored in different formats. Some examples are databases, customer sensitive information such as Personally Identifiable Information and further financial data.
● Human Assets - Personnel and human factors involved in the processes implemented by the organization, as well as external users and stakeholders. Some examples are vendors, managers/employees and customers.
● Reputational Assets - Those factors that allow JPMorgan Chase & Co. to maintain or increase its brand presence as well as the goodwill and demand of external parties. Some examples are the share value, customer trust and credibility.

Assets Categorization Diagram

The above diagram shows the four categories that enclose the organization's main assets with a direct or indirect relationship to data breaches. Even though this assessment is mostly centered on protecting the informational assets from data breaches, it is important to recall that the four categories are deeply interrelated in the different processes and procedures implemented by the institution. For this reason, protection of informational assets will generate an impact on the safety of the other categories.

Risk Identification

The current exercise is mostly focused on the protection of informational assets in order to ensure the safety of the other primary physical, human and reputational factors. Based on this premise and on public data related to the 2014 JPMorgan Chase breach, the following main risks were identified and categorized:

Operational

1) Inadequate controls and procedures (such as not implementing two-factor authentication on servers or not implementing secure network configurations) may lead to the exposure of restricted data and systems to external malicious parties.
2) Failure to contemplate the potential impact of human error when utilizing the informational assets of the company could generate unintended disclosure of data and elude currently implemented security controls.
3) Lack of substantial training for employees to protect the informational assets of the company may generate unintended disclosure of data and lower the effectiveness of currently implemented security measures.
4) Failure to implement correct software flags to inform when an unauthorized party is attempting to access the system may lead to a lack of adequate and timely incident response against attacks.
5) Failure to implement adequate physical protection of the infrastructure of the company may enable direct intrusions by external malicious entities.
6) Carelessness of employees may affect the company by enabling external access to its information assets through lost or stolen equipment, devices or credentials.
7) Failure to separate the protection of internal networks from that of external providers hosting the websites of the company may lead to further data breaches and external intrusion into the main systems of the organization.
8) Lack of regular monitoring of customer information databases slows the bank's actions to respond to attacks and to find and fix vulnerabilities, thus enabling intrusions to last for long periods of time.

Strategic

1) Failure to protect the bank's information systems may generate the disclosure of private data from users and customers, thus damaging the reputation of the institution and its overall financial performance.
2) Slow adaptation to technology advances by potential malicious actors leaves the company vulnerable to diverse external threats from different origins.
3) Failure to protect sensitive information of the bank may lead to the disclosure of confidential data about its customers and employees, thus enhancing the competition's appeal in the market.
4) Inability to efficiently integrate the members of the security team may lead to cultural conflict, thus generating potential loss of productivity.
5) Failure to protect the information of customers and employees (such as contact details, home addresses and further private information) may affect the company by losing the trust and support of its human factors.
6) Inefficient communication strategies to include security in the overall culture of the firm could increase the probability of threats impacting the informational assets of the company.

Financial

1) Failure to implement efficient organizational policies to correctly manage information may open the doors for further attacks or even encourage unintended disclosure, thus generating financial and reputational losses for the company.
2) Failure to protect the personal information of customers may lead to theft and incorrect use of their resources through impersonation and other malicious methods.
3) Losing reputation as a consequence of information insecurity affects the company by decreasing the demand of users and inviting new entrants to reconsider working with competing organizations.

Legal/Compliance

1) Failure to comply with government regulation related to data protection and unauthorized disclosure could generate lawsuits against the bank and even strengthen government intervention.
2) Lack of regular and thorough auditing may lead the company to experience further breaches and/or get involved in legal disputes.
3) Failure to correctly protect the information of customers and employees affects the company by engaging it in legal disputes with further possible financial and reputational negative impacts.
4) Lack of awareness of employees driving the destruction or deletion of documents related to data breaches affects the company by exposing it to further legal discussions.

The following diagram summarizes the identified risks and categorizes them according to their nature:
Risk Assessment and Mitigation

Based on the list of risks identified in the former section, the following assessment includes the six most relevant findings as well as an analysis of their probability and potential impact (rated L = low, M = medium, H = high). At the same time, risk drivers and mitigation strategies are defined for each of them.

Risk # 1 (Risk Dimension: Operational): Inadequate controls and procedures may lead to the exposure of restricted data and systems to external malicious parties.

Risk Drivers / Contributing Factors, with Probability and Impact, and Current and Planned Mitigations:

Overlooking security controls for SDLC processes on data systems. (Probability: L, Impact: H)
- Implementation of quarterly monitoring of security controls.
- Implementing the use of flags to alert department lead executives of system breaches and/or non-compliance with main security processes.

Lack of communication with third party service providers on compliance with risk mitigation controls. (Probability: M, Impact: H)
- Establishment of regular meetings to coordinate security measures with third party service providers.
- Provide shared training sessions to exchange information about compliance procedures between both organizations.

Lack of sufficient education and training on controls and procedures for restricting data and systems usage. (Probability: M, Impact: M)
- Regular training sessions must be conducted to make all employees aware of the controls and policies in place in the organization.
- Elaboration of the Data Management and Control Procedures Manual to foster equal practices between different departments.

Risk # 2 (Risk Dimension: Operational): Lack of periodic monitoring of customer information slows the bank's actions to respond to attacks and to find and fix vulnerabilities, thus enabling intrusions to last for long periods of time.

Risk Drivers / Contributing Factors, with Probability and Impact, and Current and Planned Mitigations:

Insufficient robustness of the AAA (Authentication, Authorization, and Auditing) process for customers. (Probability: M, Impact: H)
- Implementation of robust AAA processes for customer data, reviewed by the Risk Management and Audit Committees.
- Quarterly AAA functional reports to ensure the efficiency and efficacy of currently implemented mechanisms.

Reports on vulnerabilities are slowly processed. (Probability: L, Impact: M)
- Forming a sub-unit within the Risk Management Team to perform regular and planned processing of vulnerability reports.

Exceptions against systematic security warnings are consistently made. (Probability: L, Impact: M)
- Strengthen the mechanisms required to validate exceptions so that they take place only under critical necessity.
- Case-by-case assessment of security exceptions to supervise the correct management of this resource.

Risk # 3 (Risk Dimension: Strategic): Slow adaptation to technology advances by potential malicious actors leaves the company vulnerable to diverse external threats from different origins.

Risk Drivers / Contributing Factors, with Probability and Impact, and Current and Planned Mitigations:

Costs of migrating data to new technology can deter adaptation. (Probability: H, Impact: M)
- Promote the adoption of interoperable systems that allow data to be moved easily from one location to another.
- Hiring external agencies or consultancies that can assist in migrating to new technologies.

Technology adaptation is delegated to external consultants rather than in-house experts. (Probability: M, Impact: M)
- Hiring in-house experts who may supervise and collaborate with external parties in order to manage information.
- Promoting internal management of information whenever possible.

Company culture may not encourage effective adaptation to technology. (Probability: M, Impact: L)
- Implement communication mechanisms to embed technology adoption into the company's culture.

Risk # 4 (Risk Dimension: Strategic): Inefficient communication strategies to include security in the overall culture of the firm could increase the probability of threats impacting the informational assets of the company.

Risk Drivers / Contributing Factors, with Probability and Impact, and Current and Planned Mitigations:

Lack of efficient senior leadership in security. (Probability: L, Impact: H)
- Foster and reward efficient leaders in security positions, thus promoting long-lasting working relationships with expert managers.
- Hiring an expert for the role of chief information security officer can be highly useful.

Marginalization of senior leadership in security. (Probability: M, Impact: H)
- Incorporate senior security leadership in general meetings with high executives.
- Promote strong security communication strategies to get high executives involved in the overall information risk management process.

Risk assessment team may not be fully funded and supported by senior leadership. (Probability: M, Impact: M)
- Enable transparency mechanisms between the risk assessment team and senior leadership by means of regular meetings or presentations.
- Enforce minimum security budget requirements for senior leadership.

Risk # 5 (Risk Dimension: Legal): Failure to comply with government regulation related to data protection and unauthorized disclosure could generate lawsuits against the bank and even strengthen government intervention.

Risk Drivers / Contributing Factors, with Probability and Impact, and Current and Planned Mitigations:

Noncompliance with audit requirements due to time or funding. (Probability: M, Impact: M)
- Enforce internal auditing mechanisms to ensure adequate compliance.
- Establish minimum time and budget requirements to comply with external audits.

Reliance on external audit relationships rather than an internal auditing team. (Probability: L, Impact: H)
- Forming an internal audit team that performs quarterly, half-yearly and yearly assessments.
- Promote coordination between internal and external auditing teams.

Internal processes and audits do not align well with government regulation. (Probability: L, Impact: M)
- Collaboration between the legal department and internal audit teams to ensure compliance with government regulation.

Risk # 6 (Risk Dimension: Financial): Failure to implement efficient organizational policies to correctly manage information may open the doors for further attacks or even encourage unintended disclosure, thus generating financial and reputational losses for the company.

Risk Drivers / Contributing Factors, with Probability and Impact, and Current and Planned Mitigations:

Organizational policies do not align well with business objectives. (Probability: L, Impact: H)
- Coordinating organizational policies and business objectives by analyzing them through the lens of information security and risk management.
- Establish strong monitoring mechanisms to keep organizational security policies aligned with the main business objectives.

Organizational policies hinder employee performance in everyday tasks. (Probability: M, Impact: M)
- Elaborate a report based on employee consultation regarding the flow of organizational policies and how they facilitate or complicate their daily tasks.
- Increase awareness of the necessity of following organizational policies for the good functioning of the firm.

Insufficient performance tracking and management for organizational policies. (Probability: M, Impact: H)
- Keep track of the performance of organizational policies, where they fail and how to improve them.
- Maintain constant communication with employees to understand the impact of organizational policies on their daily jobs and how they follow these procedures.
Risks Normalization

After meeting with the main stakeholders and analyzing their interests, the following chart was prepared. Based on the assessment, each of the risks below is identified with the likelihood of the threat occurring and the impact of the threat.

Main Risks Evaluation

ID | Risk | Stakeholders Involved | Impact | Likelihood
1 | Inadequate controls and procedures | Business Team, Government Regulatory Body, IT Team | 5 | 2.7
2 | Lack of periodic monitoring | External and Internal Audit Committee, Governance Committee | 4.8 | 2.5
3 | Slow adaptation to technology | IT Team, Business | 2.6 | 4.1
4 | Inefficient Communication Strategies | CEO, Key business stakeholders, External Vendors | 4 | 2.2
5 | Failure to implement organizational policies | Key Business Stakeholders, IT Team | 3.9 | 1.7
6 | Non-compliance with government regulation | Legal Team, Technical Team, External Vendors, Government | 4.7 | 2

As part of the Risk Normalization process, the impact and likelihood values above have been accepted by the stakeholders, and a heat map visualizing this information is presented.

Risk Heat Map
Control Planning and Risk Treatment

According to the results of the risk normalization process, risks 3, 4 and 5 may be tolerated and managed by the team on a regular basis. In order to address them, the cybersecurity and risk managers will be informed so that better communication, alignment with business objectives and fast adaptation to technology are addressed in the near future. However, risks 1, 2 and 6 must be prioritized and immediately addressed, since the probability-impact matrix shows that the stakes are high enough to require the implementation of immediate controls. The following activities will be implemented to resolve each of these problems:

Risk Title: Inadequate controls and procedures
Risk Description: Failure to implement efficient controls and procedures to protect customer and bank information
Associated Business Objectives: Customer trust and support, Information assurance, Adaptation to changes in the industry
Risk Type: Operational
Risk Category: Information Security, Policies and Procedures, Incident Response
Impact Rating: 5
Likelihood Rating: 2.7
Management Activity and Controls Rating:
1. Implementation of alert flags to inform department lead executives about system breaches and/or non-compliance with main security processes
2. Quarterly monitoring of security controls and regular meetings to coordinate with internal and external service providers
3. Shared compliance and policy training sessions involving main internal stakeholders and external service providers
4. Elaboration of the Data Management and Control Procedures Manual (DMCP) to foster equal practices between different departments
Suggested Owners: Chief Risk Officer, Chief Cybersecurity Officer, Audit Committee
Metrics: Number and duration of successful minor/major data breaches, Number of employees with access to and approved evaluation in the DMCP Manual, Quarterly monitoring reports, Number of employees attending training sessions, Number of alert flags reporting non-compliance with security processes

Risk Title: Lack of periodic monitoring
Risk Description: Thorough evaluation and periodic monitoring of security policies, controls and procedures
Associated Business Objectives: Information Assurance, Operational Optimization, Risk Mitigation and Critical Assets Management
Risk Type: Operational
Risk Category: Information Security, Audit and Monitoring
Impact Rating: 4.8
Likelihood Rating: 2.5
Management Activity and Controls Rating:
1. Implementation and revision of robust AAA processes and procedures to protect customer data
2. Formation of a separate monitoring sub-unit to produce regular reports on control efficiency and effectiveness as well as to track, report and fix vulnerabilities
3. Strengthen the requirements to validate exceptions and assess petitions case by case in order to supervise correct management of this resource
Suggested Owners: Chief Cybersecurity Officer, Audit Committee
Metrics: Half-yearly AAA processes and procedures revision report, Formation of the security monitoring sub-unit and derived performance metrics, Number of approved exceptions, Number of petitions to perform exceptions

Risk Title: Non-compliance with government regulation
Risk Description: Failure to enforce compliance with government regulation while performing daily processes and procedures
Associated Business Objectives: Operational Compliance, Business Continuity, Information Assurance and Critical Assets Protection
Risk Type: Legal/Compliance
Risk Category: Regulatory and Legal, Information Assurance, Policy and Compliance
Impact Rating: 4.7
Likelihood Rating: 2.0
Management Activity and Controls Rating:
1. Evaluating the complementarity between business objectives and risk/security organizational policies, and establishing monitoring mechanisms to keep them aligned
2. Elaborate yearly reports based on employee consultation regarding the flow of security policies and how they influence their daily tasks
3. Keep track of the performance of security organizational policies and implement mechanisms to integrate them into main business processes
Suggested Owners: Policy and Compliance Department, Chief Risk Officer, Chief Cybersecurity Officer
Metrics: Yearly security operations report, Business Objectives and Security Assessment, Security policies' performance monitoring, Increase in time consumption to comply with security procedures

The most impactful risks were selected in spite of their low probability. As proven by the 2014 data breach, it is of utmost importance to be prepared for this sort of event, which is related not only to daily tasks but rather to unexpected crises. For further information about the impact and probability metrics, refer to Annex # 2.
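The following Python script is an added worked example, not part of the original report: it takes the impact and likelihood values from the Main Risks Evaluation table, computes the usual impact x likelihood score, and compares that ranking with an impact-first ranking to show which rule reproduces the treatment decision above (risks 1, 2 and 6 prioritized, 3, 4 and 5 tolerated). The rounding of ratings into integer heat-map bands is an assumption of this example.

```python
"""Worked example (added; not part of the original report): score the six
normalized risks and check which prioritisation rule reproduces the
report's treatment decision."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Risk:
    rid: int
    title: str
    impact: float       # 1-5 rating from the report's table
    likelihood: float   # 1-5 rating from the report's table

    @property
    def score(self) -> float:
        """Conventional heat-map score: impact multiplied by likelihood."""
        return round(self.impact * self.likelihood, 2)


# Values copied from the report's Main Risks Evaluation table.
RISKS: List[Risk] = [
    Risk(1, "Inadequate controls and procedures", 5.0, 2.7),
    Risk(2, "Lack of periodic monitoring", 4.8, 2.5),
    Risk(3, "Slow adaptation to technology", 2.6, 4.1),
    Risk(4, "Inefficient communication strategies", 4.0, 2.2),
    Risk(5, "Failure to implement organizational policies", 3.9, 1.7),
    Risk(6, "Non-compliance with government regulation", 4.7, 2.0),
]

RankRule = Callable[[List[Risk]], List[int]]


def rank_by_score(risks: List[Risk]) -> List[int]:
    """Risk IDs ordered by impact x likelihood, highest first."""
    return [r.rid for r in sorted(risks, key=lambda r: r.score, reverse=True)]


def rank_impact_first(risks: List[Risk]) -> List[int]:
    """Risk IDs ordered by impact, with likelihood only as a tie-breaker.

    This is the rule implied by the report's remark that the most impactful
    risks were selected in spite of their low probability."""
    return [r.rid for r in
            sorted(risks, key=lambda r: (r.impact, r.likelihood), reverse=True)]


def treatment(risks: List[Risk], rule: RankRule,
              n_priority: int = 3) -> Dict[str, List[int]]:
    """Split risks into those needing immediate controls (top n under the
    rule) and those that can be tolerated and managed routinely."""
    order = rule(risks)
    return {"immediate": sorted(order[:n_priority]),
            "tolerate": sorted(order[n_priority:])}


def _band(value: float, size: int) -> int:
    """Map a 1-5 rating to an integer heat-map band; .5 rounds up.
    Banding is an assumption of this example, not the report's method."""
    return min(size, max(1, int(value + 0.5)))


def heat_map_cells(risks: List[Risk], size: int = 5) -> List[List[List[int]]]:
    """Grid of risk IDs: rows are impact bands (highest impact in row 0),
    columns are likelihood bands (lowest likelihood in column 0)."""
    grid: List[List[List[int]]] = [[[] for _ in range(size)] for _ in range(size)]
    for r in risks:
        row = size - _band(r.impact, size)
        col = _band(r.likelihood, size) - 1
        grid[row][col].append(r.rid)
    return grid


def render_heat_map(risks: List[Risk], size: int = 5) -> str:
    """Text rendering of the heat map, one line per impact band."""
    header = "impact\\likelihood " + " ".join(f"{c:>5}" for c in range(1, size + 1))
    lines = [header]
    for i, row in enumerate(heat_map_cells(risks, size)):
        cells = [",".join(str(rid) for rid in cell) or "." for cell in row]
        label = f"impact {size - i}"
        lines.append(f"{label:<18} " + " ".join(f"{c:>5}" for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.rid}  {r.title:<45} impact={r.impact} "
              f"likelihood={r.likelihood} score={r.score}")
    print("by score:    ", treatment(RISKS, rank_by_score))
    print("impact first:", treatment(RISKS, rank_impact_first))
    print(render_heat_map(RISKS))
```

Under a pure impact x likelihood score, risk 3 (10.66) would outrank risk 6 (9.4); only the impact-first rule yields the report's 1, 2, 6 selection, which is what the remark about choosing the most impactful risks despite low probability describes.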
Incident Response and Recovery

Incident management and recovery is a critical part of business continuity planning. In order to effectively respond to the data breach at hand, we assume/propose the following key steps:

● Perform disaster recovery and root cause analysis
● Segregate internal networks into separate segments to contain further intrusion
● Restrict access to critical assets through least-privilege controls
● Quarantine the systems that were breached
● Internal communication to create awareness
● Implement proper training for cybersecurity personnel

Communication and Monitoring

As suggested by the ISO 31000 framework, the former analysis must continuously work alongside a robust strategy of communication and monitoring that evaluates the process and increases awareness among the stakeholders. The previous risk assessment based on the 2014 data breach shows that it is of significant importance to strengthen monitoring activities and enhance the training of key employees in order to increase the security of the organization's informational assets. These two actions will also play an important role in engaging lead managers in investing efforts and resources to further protect the information of the institution.

However, internal communication should not be the only concern. Considering that the 2014 data breach was covered through diverse media channels, the reputation of the bank was damaged and it is now important to reinforce the perception of strong security actions implemented to protect the information held by the organization. It is expected that by enhancing the security-oriented image of the bank, less government intervention will occur and trust will increase among both corporate and individual customers.

The main components of the communication plan should be:

Objective: Increase customers' demand for the organization's services
Audience: Customers
Strategy: Increasing trust in the organization's safety standards and promoting JPMorgan Chase & Co. as a security champion institution
Evaluation Criteria:
- Number of corporate customers
- Number of individual customers
- Customers' security perception

Objective: Educate employees to effectively follow security-related policies and procedures
Audience: Employees
Strategy: Promote greater security awareness among employees through communication campaigns and training that show them the impact of information security in their daily lives
Evaluation Criteria:
- Reported incidents caused by unintended employee actions
- Average time increase in procedures due to non-compliance with procedures and human error

Objective: Engage lead managers in the information security process
Audience: Lead Managers
Strategy: Offer lead managers clear and regular reporting mechanisms in order to increase awareness and enhance the amount of resources/efforts they devote to securing informational assets
Evaluation Criteria:
- Total expenditure on information security by department
- Number of hired employees dedicated to information assurance
- Yearly information security practices survey

Objective: Gain the authorities' goodwill and support by sharing the company's achievements related to the protection of its informational assets
Audience: Official Authorities
Strategy: Inform key government stakeholders about the success of the bank's information security measures
Evaluation Criteria:
- Number of key government stakeholders addressed
- Elaboration of collaborative workshops, events and initiatives

The communication plan will address different stakeholders using diverse methods. While government institutions will be invited to learn more about information security achievements, the customers will only be told about the bank's leading position as a safe institution. It must be taken into consideration that the tone of the campaign must show that resources are being allocated to protect information; however, it should not show excessive confidence that may invite outsiders to try to breach the institution's data assets as a challenge. Employees and risk managers will both receive awareness campaigns and training, and the only differentiation will be related to the sort of sensitive information that each of them may receive.

In general terms, the former plan will be launched with the support of an initial campaign that shares the message: "JPMorgan Chase & Co. cares about data security and has learned from previous lessons. For this reason the company is now preparing to become a leader in mechanisms and procedures for enhancing information assurance. Information stored in the bank's servers will now be more secure than ever before." In order to fully live up to the message, success stories and good practices will be shared among the stakeholders, thus promoting general awareness of the relevance of the field.

Besides the communication strategy, it will be of utmost importance to continue implementing the continuous monitoring initiatives defined by the risk management and security teams. Both of these actions should closely watch over the entire process of managing risks in order to allow JPMorgan Chase & Co. to be sure of the efficiency of its policies and to enhance the impact among the most relevant stakeholders.

Strategic Recommendations

Considering the expected increase of cybersecurity spending to $500 million in 2016, JPMorgan Chase is preparing to address further information security challenges. Planning how the money can be appropriately distributed among the most important security challenges is another issue. In the context of the aforementioned analysis, there are three clusters of strategic improvements that can serve as the basis for recommendations that JPMorgan Chase can move forward with: improvements to controls and procedures for technology adaptation, communication strategies for external groups, and alignment between corporate and government policies for effective risk compliance.
Throughout our analysis, evidence suggests that technology adaptation is relatively slow across JPMorgan Chase's business operations. Three key risk drivers affecting this process could be forced haste in proposing and implementing IT projects while leaving out crucial monitoring functions, ineffective change management for the organization on new technologies, and reliance on external consultancy without sustained internal experts. Based on these drivers, there are three top recommendations for JPMorgan Chase to consider when improving streamlined technology adaptation with effective controls and procedures:

1. Increase monitoring and detection of unauthorized access in information systems holding sensitive data.
2. Provide consistent IT training sessions on technology use throughout JPMorgan Chase internally and with third party providers on risk areas such as policies and compliance.
3. Promote internal information management by developing and enhancing in-house experts' proficiency in processing data and information systems.

In addition to ineffective technology adaptation, communication strategies with external groups throughout JPMorgan Chase's business operations may have affected the company's response to data breaches. Three key risk drivers affecting this process could be the isolation of senior leadership from external affairs, inadequate processing and response measures for external groups, and tolerating loopholes in external access to information. Based on these drivers, the top three recommendations to improve communication strategies with external groups are:

1. Encourage the inclusion of senior security leadership in the organization's discussions of security issues with external groups.
2. Promote better transparency of data and information usage by JPMorgan Chase for external groups.
3. Re-evaluate and develop policies enforcing controls against unauthorized access to data, and bolster the robustness of case-by-case evaluations.

Finally, evidence also suggests that JPMorgan Chase's corporate policies for risk assessment and compliance may not have fully aligned with government policies to protect stakeholder and customer data. Three key risk drivers affecting this process could be constraints on time and money to handle auditing internally, insufficient performance management for organizational policies, and organizational policies that hinder day-to-day operations for individual branches. Based on these drivers, the top three recommendations to target these risk drivers are:

1. Have a comprehensive and inclusive internal auditing program through auditing and legal teams at individual company branches.
2. Have a program for encouraging cyclical compliance and feedback on organizational policies and their changes.
3. Re-evaluate policies on balancing data and information access and security with employees such as associates and managers.
Annex # 1

Main survey questions:
1. What controls were in place before the breach, and which are currently in place at JPMorgan Chase?
2. How often are your webpages/systems monitored to be sure that no security breaches are taking place? Which mechanisms do you use for this?
3. Which are the most valuable assets that you would deem necessary to protect from information security breaches?
4. According to publicly available information, the breach happened because of the lack of a second authentication step on one of the servers. How are the rest of the servers protected? Has anything been done yet to address this vulnerability? How is relevant data from the users protected?
5. Are there any other potential vulnerabilities you would like to point out before we start our external assessment?
6. Has there been any history of non-adherence to any sort of information security related compliance requirements (such as PCI)?
Annex # 3

1. Impact Rating Criteria
References

JPMorgan Chase & Co. (2015, March). Risk Policy Committee. Retrieved from: https://www.jpmorganchase.com/corporate/About-JPMC/ab-risk-committee.htm

Kurane, S., & Wills, K. (2014, December 22). JPMorgan data breach entry point identified: NYT. Retrieved from Reuters: http://www.reuters.com/article/us-jpmorgan-cybersecurity-idUSKBN0K105R20141223

Morgan, Steven C. (2015). Cybersecurity for Banks Report. Retrieved from Cybersecurity Ventures: http://cybersecurityventures.com/cybersecurity-for-banks-report-q3-2015/

Three charged for largest-ever bank data breach. (2015, November 10). Retrieved from CBS News: http://www.cbsnews.com/news/three-charged-for-jpmorgan-data-breach-the-largest-ever/

Perlroth, M. G. (2014, October 31). Luck Played Role in Discovery of Data Breach at JPMorgan Affecting Millions. Retrieved from DealBook: http://dealbook.nytimes.com/2014/10/31/discovery-of-jpmorgan-cyberattack-aided-by-company-that-runs-race-website-for-bank/?_r=0

Ponemon Institute. (2015, May 17). Ponemon Institute’s 2015 Global Cost of Data Breach Study Reveals Average Cost of Data Breach Reaches Record Levels. Retrieved from IBM: https://www-03.ibm.com/press/us/en/pressrelease/47022.wss

Robertson, J., & Riley, M. (2015, June 30). JPMorgan Reassigns Security Team Leader a Year After Data Breach. Retrieved from Bloomberg Business: http://www.bloomberg.com/news/articles/2015-06-30/jpmorgan-reassigns-security-team-leader-a-year-after-data-breach

Goldstein, M. (2015, July). Arrested in schemes said to be tied to JPMorgan Chase Breach. Retrieved from CNBC: http://www.cnbc.com/2015/07/22/4-arrested-in-schemes-said-to-be-tied-to-jpmorgan-chase-breach.html

Ro, S. (2014, October). JPMorgan Reveals Gigantic Data Breach Possibly Affecting 76 Million Households. Retrieved from Business Insider: http://www.businessinsider.com/jp-morgan-data-breach-2014-10

Airmic, Alarm, & IRM. A Structured Approach to Enterprise Risk Management and the Requirements of ISO 31000. Retrieved from: https://www.theirm.org/media/886062/ISO3100_doc.pdf