This document summarizes three cybersecurity incidents: 1) The theft of $81 million from Bangladesh's central bank account at the NY Federal Reserve due to weak security practices at SWIFT and the bank. 2) A mental health clinic preparing to implement an electronic medical records system was advised to have an outside expert test its security controls, but the board did not understand the reputational, financial, and legal risks. 3) Hackers breached servers at the NY State Psychiatric Institute, accessing information on 22,000 people including 13,000 coded records and 9,000 with personally identifiable information, highlighting the value of medical records data on the black market.

1. Boston Global Forum
Cybersecurity Incidents
September 23, 2016
Rodman K. Reef
Reef Karson Consulting, LLC
Rodman.Reef@ReefKarsonConsulting.com

2. • SWIFT
• Mental Health Clinic
• N.Y. State Psychiatric Institute
Agenda

3. SWIFT
• $81 million removed from Bangladesh Central Bank’s account at the
N.Y. Federal Reserve Bank
• Likely causes include:
• Leaving a door open
• Access to passwords
• Old and/or weak security equipment
• SWIFT responded by asking participants to:
• Install latest version of security software
• Adopt stronger processes for authenticating transactions
• Managing passwords
• SWIFT hardened its security processes but remained heavily dependent
on end-points’ (its participants’) security procedures

4. Mental Health Clinic
• Installing its first electronic medical records system
• Recommended to CEO and Board to be proactive in testing security
• Including having an outside expert test security controls (“ethical hack”)
• Board and senior management did not understand risks including
• Reputational
• Financial
• Legal
• Responded by asking the lawyer to add more security language to the
contract

5. N.Y. State Psychiatric Institute
• Servers with information about 22,000 people hacked
• 13,000 coded records
• 9,000 records with personally identifiable information (“PII”)
• Columbia’s Professor Eben Moglen: “Medical records are among the
most valuable forms of personal information in the market and are
therefore frequently stolen and heavily trafficked.”
• Professor Moglen continued: “Both the platform companies and we
ourselves become active agents in the creation of conditions which are
then exploited by criminals. But our refusal to take our own and others
privacy seriously – even when we have Hippocratic or legal duties to
avoid doing harm – enables the criminality.”