Fraud and Cybersecurity: Top Issues for the CPA

Publication Date: November 2019


Copyright © 2019 by DELTACPE LLC

All rights reserved. No part of this course may be reproduced in any form or by any means, without permission in writing from the publisher.

The author is not engaged by this text or any accompanying lecture or electronic media in the rendering of legal, tax, accounting, or similar professional services. While the legal, tax and accounting issues discussed in this material have been reviewed with sources believed to be reliable, concepts discussed can be affected by changes in the law or in the interpretation of such laws since this text was printed. For that reason, the accuracy and completeness of this information and the author's opinions based thereon cannot be guaranteed. In addition, state or local tax laws and procedural rules may have a material impact on the general discussion. As a result, the strategies suggested may not be suitable for every individual. Before taking any action, all references and citations should be checked and updated accordingly.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert advice is required, the services of a competent professional person should be sought.

—From a Declaration of Principles jointly adopted by a committee of the American Bar Association and a Committee of Publishers and Associations.

Course Description

Cybercrime continues to escalate, ranking as one of the most reported economic crimes. The interconnectivity of people, devices and organizations in today’s digital world opens up a whole new playing field of vulnerabilities and access points where cybercriminals can get in. Cyberattacks are becoming more destructive globally. In today’s cybercrime environment, the issue is not whether a business will be compromised, but rather how successful an attack will be.

This course covers digital technology as it continues to transform and disrupt the world of business, exposing organizations to both opportunities and threats. Key elements of effective cybersecurity risk management include awareness of threats and vulnerabilities, understanding of cyber risks, implementation of an effective framework, and the detection of and response to cyberattacks. Challenges such as leadership engagement and the approach to managing cyber risks are discussed, along with the government’s efforts to address potential cybersecurity risks threatening the nation, businesses, and individuals.

Field of Study: Auditing – Fraud

Level of Knowledge: Overview

Prerequisite: None

Advanced Preparation: None

Table of Contents

Learning Objectives ................................................................................................................ 1

Course Introduction ................................................................................................................ 2

I. The Basis of Fraud ............................................................................................................ 4

Definition of Fraud ............................................................................................................................ 4

Conditions of Fraud ........................................................................................................................... 5

The Fraud Triangle ......................................................................................................................................5

The Fraud Diamond .................................................................................................................................. 10

Computer and Internet Fraud .......................................................................................................... 11

Overview ................................................................................................................................................. 11

The Concept of the Cyber World ............................................................................................................... 12

Types of Cyber Fraud ................................................................................................................................ 16

Impact of Security Breaches ...................................................................................................................... 29

Review Questions - Section 1 .......................................................................................................... 34

II. Trends in the Cyber World ......................................................................................... 35

The Internet of Things ..................................................................................................................... 35

Cybersecurity Framework Adoption ................................................................................................ 37

The Adaption to the New Reality .............................................................................................................. 37

New Approaches for a Changing Business Environment ............................................................................. 38

The Rising Threats of Corporate Cybercrime .................................................................................... 40

III. Challenges in the Cyber World ............................................................................... 45

Overview ........................................................................................................................................ 45

Engagement of Leadership .............................................................................................................. 46

Managing Cyber Risks ..................................................................................................................... 48

Internet of Things - Security Concerns ............................................................................................. 50

IV. Government Acts to Enhance Cybersecurity ..................................................... 52

An Overview of Key Legislations ...................................................................................................... 52

Cybersecurity Strategy and Implementation Plan ............................................................................ 54

Executive Order - Critical Infrastructure Cybersecurity ..................................................................... 55

Background .............................................................................................................................................. 55

Summary of the Key Provisions ................................................................................................................. 56

Cybersecurity Systems and Risk Reporting Act ................................................................................. 58

V. Cybersecurity Standards ............................................................................................. 62

ISO/IEC 27001:2013......................................................................................................................... 62

NIST Cybersecurity Framework ........................................................................................................ 64

CIS Critical Security Controls ............................................................................................................ 64

ETSI − ICT Standards ........................................................................................................................ 65

Review Questions - Section 2 .......................................................................................................... 67

VI. SEC Enforcement Action ........................................................................................... 68

SEC Cybersecurity Initiative ............................................................................................................. 69

Background .............................................................................................................................................. 69

Cybersecurity Examination Sweep Summary ............................................................................................. 70

Areas of Focus for Cybersecurity Examinations .......................................................................................... 72

Cybersecurity Guidance No. 2015-02 ............................................................................................... 74

Risk Mitigation ......................................................................................................................................... 74

Prevention, Detection, and Response to Threats ....................................................................................... 75

Policies and Procedures and Training ........................................................................................................ 75

Cybersecurity Disclosure Obligations ............................................................................................... 76

Background .............................................................................................................................................. 76

An Overview of CF Disclosure Guidance − Topic No. 2................................................................................ 76

Review Questions - Section 3 .......................................................................................................... 81

VII. Cybersecurity Risk Management........................................................................... 82

Recognize Threats and Vulnerabilities ............................................................................................. 83

The Cyber Criminal Profile ........................................................................................................................ 83

The Cybersecurity Threats ........................................................................................................................ 89

Understand Cyber Risks .................................................................................................................. 92

Review Questions - Section 4 .......................................................................................................... 94

Define Cyber Risk Roles and Responsibilities ................................................................................... 95

Detect and Respond to Cyberattacks ............................................................................................... 95

Detection ................................................................................................................................................. 95

Response ................................................................................................................................................. 98

Recover from Cyberattacks ............................................................................................................. 99

Review Questions - Section 5 ........................................................................................................ 103

VIII. Changes to Internal Audit ...................................................................................... 104

Maximize the Internal Audit Values ............................................................................................... 104

Identify IIA Standards Related to Cybersecurity ............................................................................. 107

Review Questions - Section 6 ........................................................................................................ 111

Appendix A: Disclosing Risk Factors ............................................................................ 112

Appendix B: Data Breach Disclosure ............................................................................ 114

Appendix C: Financial Statement Disclosure ............................................................. 115

Appendix D: Forward Looking Statements Disclosure .......................................... 117

Glossary .................................................................................................................................. 118

Index ........................................................................................................................................ 120

Solutions to Review Questions ....................................................................................... 122

Section 1 ....................................................................................................................................... 122

Section 2 ....................................................................................................................................... 124

Section 3 ....................................................................................................................................... 125

Section 4 ....................................................................................................................................... 127

Section 5 ....................................................................................................................................... 129

Section 6 ....................................................................................................................................... 130


Learning Objectives

Upon completion of this course, students will be able to:

• Recognize concepts used in the cybersecurity world

• Identify trends such as cyber threats and their evolution

• Identify cyber challenges, including issues related to cyber engagement

• Recognize government acts to address potential cybersecurity risks threatening the nation, businesses, and individuals

• Recognize cybersecurity standards, including ISO/IEC 27001 and other standards

• Identify SEC regulatory cybersecurity expectations, including public companies’ disclosure requirements

• Recognize elements of effective cybersecurity risk management, such as threats and vulnerability awareness, and the understanding of cyber risks

• Identify the leading practices in the fight against cyber threats

• Recognize the evolution of the internal audit function


Course Introduction

This course includes the following sections:

I. The Basis of Fraud

II. Trends in the Cyber World

III. Challenges in the Cyber World

IV. Government Acts to Enhance Cybersecurity

V. Cybersecurity Standards

VI. SEC Enforcement Action

VII. Cybersecurity Risk Management

VIII. Change to Internal Audit

Cybercrime continues to escalate, ranking as one of the most reported economic crimes in the U.S. The interconnectivity of people, devices and organizations in today’s digital world opens up a whole new playing field of vulnerabilities and access points where cybercriminals can enter. The actual and potential threats organizations consider in their risk analyses are generally only a subset of the risks that can impact them. All too often events occur that come from completely unexpected and unforeseen threat factors, which can have a significant effect. The origin of the word “cyber”, the meaning of a cyber environment, and the impact of increased connectivity are discussed in the “The Basis of Fraud” section.

Industry 4.0 is no longer a “future” trend - for many companies, it is now at the heart of their strategic and research agenda. Companies are combining advanced connectivity and automation, cloud computing, sensors, and 3D printing, connected capability, computer-powered processes, intelligent algorithms, and services to transform their businesses. Digital technology continues to transform and disrupt the world of business, exposing organizations to both opportunities and threats. Cyber trends, such as the Internet of Things, the cybersecurity framework adoption, the cybersecurity job market, and the evolution of threats, are discussed in the “Trends in the Cyber World” section.

Cyberattacks are becoming more destructive globally. In today’s cybercrime environment, the issue is not whether a business will be compromised, but rather how successful an attack will be. According to International Data Group’s (IDG’s) 2017 US State of Cybercrime Survey, over half (61%) of all company boards view cybersecurity as an IT risk, while 43% see cybersecurity through the lens of corporate governance. Too many organizations have assigned the responsibility for first response to cyberattacks to their IT teams, ignoring the need for adequate support from senior management and other key players. However, even with so much at risk, C-level executives and boards are still reluctant to tackle cybersecurity issues. Cybersecurity has graduated from an IT risk to a strategic business risk. As such, it should be addressed regularly by organizations’ boards of directors. Boards and audit committees must, therefore, be kept up to date on the state of technologies used in their organizations. Related challenges, such as promoting effective leadership engagement and the approach to managing cyber risks, are discussed in the “Challenges in the Cyber World” section.

The nation increasingly relies on the internet to conduct business with all levels of government, from applying for student loans to running systems that provide power to homes and ensuring that water is safe to drink. The security of the nation’s critical infrastructures has become a top priority for the government. Cybersecurity legislation has been a topic of interest on Capitol Hill for a number of years, as Congress has spent the last decade addressing our nation’s cybersecurity posture. Examples of government’s efforts to address potential cybersecurity risks threatening the nation, businesses, and individuals are discussed in the “Government Acts to Enhance Cybersecurity” section.

Cybersecurity standards are published materials that attempt to protect the operating environment of a user or organization by reducing risk and preventing or mitigating cyberattacks. The published materials consist of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, and technologies. Highlights of widely recognized cybersecurity standards, such as ISO/IEC 27001:2013, NIST Framework, and Critical Security Controls, are discussed in the “Cybersecurity Standards” section.

As the financial industry is increasingly targeted by cyberattacks, the ability to prevent, detect, respond and recover from cyberattacks has become a growing concern to consumers and regulators. The Securities and Exchange Commission (SEC) demonstrated an escalating focus on cybersecurity issues by releasing cybersecurity guidelines, enforcing public companies’ disclosure obligations, conducting a series of examinations of broker-dealers and investment advisers, and placing cybersecurity as the top concern on its examination priorities list. Companies must disclose the risks associated with cyberattacks that may have a material effect on their financials in their public filings. Critical areas to meet SEC’s expectations as well as an overview of SEC cybersecurity guidance are discussed in the “SEC Enforcement Action” section.

Cyber risks must be identified, understood, quantified and planned for in the same way as any other potential business threat or disruption. They should be viewed as one might view a natural disaster, with a response plan, roles and responsibilities, monitoring, and scenario planning. Key elements of an effective cybersecurity risk management strategy, including threats and vulnerabilities awareness, understanding of cyber risks, implementation of an effective framework, and detection of and response to cyberattacks, are discussed in the “Cybersecurity Risk Management” section.

An effective internal audit function has an enterprise-wide perspective to help businesses anticipate, withstand, and recover from a cyberattack. It also functions as an independent assurance provider, analyzing and testing to identify the organization’s cybersecurity strengths and weaknesses and improve capabilities. Therefore, a knowledgeable and effective internal audit function is critical to address the risks associated with digital transformation, mobile technology, and ongoing regulatory changes. An overview of internal audit’s evolution is included in the “Change to Internal Audit” section.


I. The Basis of Fraud

Definition of Fraud

Fraud is a broad term that refers to a variety of offenses involving dishonest or fraudulent acts. The purpose of fraud may be monetary or other gain. Consequently, fraud includes any intentional or deliberate act to deprive another of property or money by deception or other unfair means. Many professional organizations have defined fraud (see examples below). It is important to adopt the most appropriate definition when performing a fraud risk assessment.

Definitions of Fraud by Source

Source: Generally Accepted Government Auditing Standards (GAGAS)
Description: Fraud involves obtaining something of value through willful misrepresentation. (Whether an act is in fact fraud is a determination to be made through the judicial or other adjudicative system and is beyond an auditor’s professional responsibility.)

Source: Generally Accepted Auditing Standards (GAAS)
Description:
• Fraud: An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception that results in a material misstatement in financial statements that are the subject of an audit.
o Fraud Risk Factors: Events or conditions that indicate an incentive or pressure to perpetrate fraud, provide an opportunity to commit fraud, or indicate attitudes or rationalizations to justify a fraudulent action.

Source: The Association of Certified Fraud Examiners (ACFE)
Description:
• Fraud: Any intentional act or omission designed to deceive others and resulting in the victim suffering a loss and/or the perpetrator achieving a gain.
• Occupational Fraud: The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.

Source: International Professional Practices Framework (IPPF)
Description: Any illegal acts characterized by deceit, concealment, or violation of trust. These acts are not dependent on the threat of violence or physical force. Fraud is perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure a personal or business advantage.


Conditions of Fraud

The Fraud Triangle

In 1950, Donald R. Cressey, a criminologist, examined why people commit fraud. This resulted in the development of the ‘Fraud Triangle’, which is the most widely accepted model used to explain why people commit fraud. For fraud to occur, three elements must be present, according to Cressey: opportunity, pressure, and rationalization. Although organizations have limited control over a fraudster’s pressure and rationalization, proactive steps can be taken to significantly reduce the opportunities to commit fraud.

According to the PricewaterhouseCoopers (PwC) Global Economic Crime Survey 2018, nearly six in ten organizations believe that ‘opportunity’ is the main driver of internal economic crime. This far outweighs ‘pressure to perform’ and ‘rationalization to justify the crime’. The survey also indicated that a large majority favor stronger control environments as a means of reducing the opportunity.

[Chart: What makes an employee commit fraud? Responses for rationalization to justify the crime, pressure to perform, and opportunity/ability to commit the crime, 2018 versus 2016. Source: PwC Global Economic Crime and Fraud Survey 2018]

[Figure: The Fraud Triangle, developed by Donald R. Cressey. Pressure/Incentive: the motive to commit fraud. Opportunity: the ability to commit fraud. Rationalization: the justification to commit fraud.]


Each element is discussed in the following sections.

Pressure (Incentive)

Pressure (incentive) is what causes a person to commit fraud. In simpler terms, motivation is typically based on greed or need. Although many people are faced with the opportunity to commit fraud, only a minority of greedy or needy individuals seize this opportunity. According to the Chartered Institute of Management Accountants (CIMA), greed is the number one cause of fraud, along with problems with debt and gambling. Personality and temperament, including the tendency to be risk-averse, also influence people’s decisions. In some cases, honest individuals fall into negative behavior patterns and develop expensive tastes, which in turn tempt them to commit fraud. Others are motivated when faced with personal and/or professional obstacles. The Association of Certified Fraud Examiners (ACFE) lists the following examples of pressures that commonly lead to fraud:

• Living beyond one’s means

• High bills or personal debt

• Personal financial losses

• Family or peer pressure

• Unexpected financial needs

• Substance abuse or addictions

• Need to meet productivity targets at work

The Public Company Accounting Oversight Board (PCAOB) specifies that an individual may have incentives to manipulate earnings when any of the following four conditions occur:

1. Financial stability or profitability is threatened by economic, industry, or company operating conditions (e.g. high degree of competition, operating losses, and significant declines in demand)

2. Excessive pressure exists for management to meet the requirements or expectations of third parties (e.g. shareholders, analysts)

3. The information available indicates that management or the board of directors' personal financial situation is threatened by the company’s financial performance

4. There is excessive pressure on management or operating personnel to meet financial targets set up by the board of directors or management, including sales or profitability incentive goals

Opportunity

Opportunity is the ability to commit fraud or to conceal it. Thus, fraud is more likely in an organization where the following factors are present:

1. Weak internal controls;

2. Poor security over assets;

3. Weak ethical culture;

4. Little fear of exposure and likelihood of detection;

5. Lack of consequences for perpetrators;

6. Ineffective anti-fraud programs;

7. Poor supervision and lack of training;

8. Unclear policies regarding acceptable behavior;

9. Lack of financial expertise (e.g. insufficient knowledge or lack of ability).

Various surveys conclude that a deficiency in internal control is usually a significant factor for organizations victimized by fraud. A failure to establish adequate controls to detect fraudulent activity will increase the opportunities for, and the likelihood of, fraud. As demonstrated by KPMG International’s Global Profiles of the Fraudster 2016, a weak internal control system is a significant issue for organizations victimized by fraud. Compared to 2013, 2016 showed a large increase (from 18% to 27%) in the number of fraudsters who committed their acts because an opportunity presented itself due to lacking or weak controls. Specifically, the majority (62%) of fraudsters surveyed by KPMG indicated that weak internal controls were a contributing factor in allowing the fraud to occur and go undetected. The 2018 PwC Global Economic Crime Survey is consistent with KPMG’s findings, indicating that opportunity or ability to commit fraud is the factor that contributed the most (at a rate of 59%) to economic crime in public sector entities.

[Chart: Factors contributing to the facilitation of the fraud: weak internal controls 62%; reckless dishonesty regardless of controls 22%; collusion circumventing good controls 11%; other 5%. Source: KPMG International Global Profiles of the Fraudster 2016]

Although it is often a challenge to spot, opportunity is fairly easy to control through improvements to internal controls and adequate changes to policies and procedures. It is essential that organizations establish processes, procedures, and controls that do not give employees access that allows them to commit fraud. For example, an employee may see an opportunity to write a check payable to himself/herself if he/she has access to blank checks. However, the fraudulent check would likely be identified during the bank statement reconciliation process, resulting in the employee being caught. If the control environment is weak, and adequate segregation of duties is not in place (e.g. the same employee has access to blank checks and reconciles the company’s bank statements), the employee has an increased opportunity to commit fraud.

Although financial audits serve a key role in corporate governance, the Association of Certified Fraud Examiners (ACFE) advises that “they should not be relied upon as organizations’ primary anti-fraud mechanism.” Many people mistakenly assume that their annual financial statement audits provide sufficient coverage to detect and deter fraud among their employees. It is important to understand that opportunity often occurs when the fraudster knows the timing, nature, and extent of the auditor’s procedures. For example, if an employee knows that the auditor always tests large transactions occurring in June, he/she can commit fraud on smaller transactions in other months. By comparison, a surprise audit more closely examines the company’s internal controls that are intended to prevent and detect fraud. According to the ACFE study, data monitoring and analysis and surprise audits were correlated with the most significant reductions in fraud duration, and these two controls were also associated with some of the largest loss reductions.

Rationalization

Rationalization is the process of justifying a crime in order to make the crime acceptable. It must occur before the crime takes place. Rationalization is usually detected by observing the fraudster’s comments or attitudes. In general, people rationalize fraudulent actions as:

• Necessary − especially when it is done for the business

• Harmless − because the victim is large enough to absorb the impact

• Justified − because the victim deserved it or because the perpetrator or someone they knew was mistreated

According to the Naval Sea Systems Command Office of Inspector General, there are two aspects of rationalization:

1. The fraudster concludes that the gain to be realized from fraudulent activities outweighs the possibility of detection, and

2. The fraudster needs to justify committing the fraud. Justification usually relates to job dissatisfaction or perceived entitlement or saving one’s family, possessions, or status.

The ACFE identified the following common excuses given by fraudsters to explain their corrupt conduct:

• Everyone else does it.

• We have always done it.

• It was the only way we could compete.

• We thought our anti-corruption programs were sufficient, so it must have been OK.

• We did not know the conduct would be considered a bribe.

• It was not a bribe; it was part of conducting business.

• Bribery is part of the culture in the country.

The PCAOB identifies the following risk factors related to attitudes and rationalization that justify fraudulent

behavior:

• Inappropriate ethical standards

• Excessive participation by nonfinancial management in the selection of accounting standards

• A history of legal and regulatory violations by management on board members

• Obsessive attention to the stock price or earnings trend

• Aggressive commitments to third parties

• Failure to correct known compliance problems

• Minimizing earnings inappropriately for tax reporting


• Continued use of materiality to justify inappropriate accounting

• A strained relationship with the current or previous auditor

However, management may reduce rationalization through its actions by implementing fair work and pay

practices, as well as equitable and consistent treatment of employees, and the right tone at the top.

The following case studies from the Department of Defense (DoD) highlight the presence of motivation,

opportunity, and rationalization in each fraud scheme.

Case Study

Case Study #1: Disclosure of Information

Case Facts − A DoD employee responsible for assisting the contracting officer with funding, performance, and technical issues relating to a DoD program admitted to Federal investigators that he disclosed contractor bid and source selection information to a company bidding on a new contract. The employee gave the company this information so they would have a competitive advantage during contract bidding.

Motivation − In exchange for the information, the company provided the employee with a new car.

Opportunity − The contracting officer was overwhelmed with his workload and paid little attention to contract awards less than $3 million.

Rationalization − The employee had been passed over for promotion several times and believed he was mistreated and not valued by DoD.

Outcome − The employee was prosecuted in Federal court and received a maximum sentence of 20 years in prison and a fine of $250,000.

Case Study #2: Trafficking Counterfeit Parts and Money Laundering

Case Facts − During a 5-year period, a DoD parts supplier purchased counterfeit semiconductors from sources in Hong Kong and China. The individual went to great lengths to conceal the true origin of the parts and sold them as legitimate and reliable components for use in submarines and other complex machinery.

Motivation − The supplier was motivated by money. Through the sale of about 14,000 counterfeit parts, they were paid several million dollars.

Opportunity − Counterfeit parts are difficult to detect once they enter the DoD supply chain. Globalization of the supply chain has resulted in many suppliers receiving goods from second- and third-tier suppliers. Quality assurance tests may not detect all counterfeit parts because manufacturers are skilled at making parts appear authentic.

Rationalization − Because the scheme was successful over time, the fraudsters believed their chances of getting caught were minimal or nonexistent.

Outcome − The fraudsters were indicted on eight counts that included conspiring to traffic in counterfeit military goods, trafficking in counterfeit goods, and conspiring to commit wire fraud and money laundering. When convicted, they were sentenced to 75 years in federal prison.

Source: Department of Defense Inspector General − Approach for Establishing Fraud Risk Assessment Programs and Conducting Fraud Audit Risk Assessment within the Department of Defense


The Fraud Diamond

Although Cressey’s classic Fraud Triangle applies to most fraud cases, it does not explain all situations. There have

been significant social changes since Cressey’s study in the 1950s. For example, corporations have evolved to rely

heavily on global partnerships and outsourcing. The corporate ladder structure, common in the 1950s, has been

replaced with matrix organizations where individuals have the authority across the organization. CFOs are under

more pressure to deliver fast and reliable reporting to management and stakeholders. This shift might have

prompted the CFOs and their financial teams to use aggressive accounting and reporting practices.

Social Changes: Then & Now

1950s | 2000s
Straight-line reporting authority | Matrixed organizations
Manual processes | Automation
Dual responsibility | Autonomous authority
Single suppliers | Multiple vendors and global trading partners
Local or regional service area | Global reach
Step-up salary structure | Performance-based pay

Source: Crowe Horwath LLP

Inevitably, the Fraud Triangle had to be enhanced to help organizations better understand and respond to fraud

risks. Many anti-fraud experts have changed it by incorporating the element of “capability” because personal traits

and abilities play a major role in whether fraud will actually occur. This fourth element transforms Cressey’s model

from a triangle into a diamond:

[Figure: The Fraud Diamond, developed by Wolfe and Hermanson. Four elements: Pressure/Incentive, Opportunity, Capability, Rationalization.]

According to David Wolfe and Dana Hermanson, The Fraud Diamond: Considering the Four Elements of Fraud, “Opportunity opens the doorway to fraud, and incentive and rationalization can draw the person toward it. But the person must have the capability to recognize the open doorway as an opportunity and to take advantage of it by walking through, not just once, but time and time again. Accordingly, the critical question is, who could turn an opportunity for fraud into reality?” Wolfe and Hermanson observed the following six common traits of people who commit fraud, especially frauds that involve large sums of money or last a long time:

Common Traits Associated with the Capability Element

Trait | Description
Functional Authority within the Organization | The person’s position or function might provide the ability to create or exploit an opportunity to commit fraud. For example, a person in a position of authority has more influence over particular situations and has greater capability to commit fraud.
Sufficient Intelligence to Understand and Exploit a Situation | The person has the capacity to understand and exploit control weaknesses and to use position or authorized access to their greatest advantage.
Strong Ego and Personal Confidence | The person is confident that he will not be caught or believes that if he is caught, he can talk his way out of trouble. Common personality types include someone who is driven to succeed at all costs, self-absorbed, and often narcissistic. According to the Diagnostic and Statistical Manual of Mental Disorders, people with such personality disorders believe they are superior or unique and are likely to have inflated views of their own accomplishments and abilities.
Strong Coercive Skills | The person is persuasive and can coerce others to commit or conceal fraud. An individual with a persuasive personality can successfully convince others to go along with the fraud or look the other way.
Effective at Being Deceptive | Successful fraud requires effective and consistent lies. The individual must be able to lie convincingly and keep track of the story in order to avoid detection.
High Tolerance for Stress | The person is good at dealing with the stress that comes from committing fraudulent acts.

Computer and Internet Fraud

Overview

Criminal activity involving the perpetration of fraud through the use of computers or the internet can take many

different forms. One common form includes hacking, in which a perpetrator uses sophisticated technological

tools to remotely access a secure computer or internet location. A second common criminal activity involves

illegally intercepting an electronic transmission not intended for the interceptor. This may result in the capture

of private information such as passwords, credit card information, or other types of so-called identity theft.

Federal law defines computer fraud as “the use of a computer to create a dishonest misrepresentation of fact as

an attempt to induce another to do or refrain from doing something which causes loss.” There are a number of

ways that criminals create fraudulent misrepresentation:

• Alter computer input in an unauthorized way. For example, employees may embezzle company funds by

altering/manipulating input data.

• Alter or delete stored data.

• Rewrite software code and upload it into a bank’s main system to steal its users’ identities. The criminals can use this information to make unauthorized credit card purchases.

Violators may be prosecuted under:

✓ 18 U.S.C. § 506: No Electronic Theft Act

✓ 18 U.S.C. § 1028: Identity Theft and Assumption Deterrence Act of 1998

✓ 18 U.S.C. § 1029: Fraud and Related Activity in Connection with Computers

✓ 18 U.S.C. § 1343: Wire Fraud

✓ 18 U.S.C. § 1362: Communication Lines, Stations, or Systems

✓ 18 U.S.C. § 2511: Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited

✓ 18 U.S.C. § 2701: Unlawful Access to Stored Communications

✓ 18 U.S.C. § 2702: Disclosure of Contents

✓ 18 U.S.C. § 2703: Requirements for Government Access

The Concept of the Cyber World

Cyberspace, the globally interconnected digital information and communications infrastructure, supports almost every facet of modern society and provides critical support for the economy, civil infrastructure, public safety, and national security. The evolution of technology has transformed the global economy and connected people in ways never imagined. Meanwhile, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st century.

The word cyber is a prefix used to describe a person, thing, or idea as part of the computer and information age. It originates from the Greek verb “kybereo”, which means to steer, guide, and control. It was first used in cybernetics by Norbert Wiener, an American mathematician, to describe computerized control systems in 1948. Cyber can mean “computer”, “computer network”, or “virtual reality”, and by extension expresses a vision of the future. The prefix cyber is often seen in conjunction with computers and robots. Some of the most common words that use the cyber prefix include cybercrime, cyber fraud, cybersecurity, and cyberattack. Each word is defined in the following table.

The Cyber World

Term | Description
Cyberattack | Any type of offensive maneuver employed by individuals or whole organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts. It usually originates from an anonymous source that either steals, alters, or destroys a specified target by hacking into a susceptible system.
Cybercrime | Involves any criminal act dealing with computers and networks, and traditional crimes conducted through the internet, such as hate crimes, telemarketing and internet fraud, and identity theft.
Cyber Forensics | A branch of digital forensic science that pertains to evidence found in computers and digital storage media in order to provide a conclusive description of cybercrime.
Cyber Fraud | When credit and financial information is stolen online by a hacker and used in a criminal manner.
Cyberlaw | A term that encapsulates the legal issues related to the use of the internet and computer offenses, especially fraud or copyright infringement.
Cybersecurity | The body of technologies, processes, and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Cyberspace | The interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors as well as controllers in critical industries. Common usage of the term also refers to the virtual environment of information and the digital interactions between people.
Cyber Threat | The possibility of a malicious attempt to damage or disrupt a computer network or system.

The cyber environment includes users themselves, networks, devices, software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

[Figure: Cyber Environment. Components shown: Users, Networks, Devices, Software, Processes, Information in Storage or Transit, Applications, Services, Systems.]

Cyberspace touches practically everything and everyone. It includes users, networks, devices, software, processes, data in storage or in transit, applications, services, and systems that can be connected directly or indirectly to networks. Information and communication technologies are universal. The trend towards digitization is growing, and virtually all modern services depend on the use of information technologies, including the electrical grid, transportation, infrastructure, military services, and logistics. Advances in technology and rapid digitization are fundamentally transforming societies, economies, and individuals’ lifestyles. For example, emails have displaced traditional letters, online web representation has become more important for businesses than printed publicity materials, and internet-based communication and phone services are growing faster than landline communications.

Exhibit A highlights the market forces, the changing threat landscape, and the impact of growing connected

technology in cyberspace.

Exhibit A: Cyber World at a Glance

Market Forces

➢ According to Statista, worldwide mobile payment revenue will reach $1 trillion in 2019

➢ By the year 2020, 85% of business relationships will be managed without human interaction

➢ By the year 2020, 44 zettabytes of data will be created by 7 billion people and more than 50 billion devices

will be connected to the internet

➢ Mobile phones will be used for 80% of all internet access in 2019, as reported by Zenith, a media agency

➢ The cyber insurance market is currently estimated to be worth around $2 billion in premiums worldwide,

with US business accounting for approximately 90%. The cyber insurance market is expected to grow by

double-digit figures year-on-year and could reach more than $20 billion in the next 10 years

The Ever-Changing Threat Landscape

➢ The increasing interconnectivity (e.g., the Internet of Things) and “commercialization” of cybercrime drive greater frequency and severity of incidents, including data breaches

➢ The pressure to disclose breaches and threat responses in a timely manner will intensify

➢ Business interruption, intellectual property theft, cyber extortion attacks, and ransomware attempts will increase

➢ Organizations are putting more data in the cloud and with third parties, which is attractive but dangerous given the loss of control, increased threats, and unexpected connectivity

The Impact of Widespread Use of Connected Technology

➢ Any system’s security almost certainly will be breached, and attention is shifting to the issue of how to recover from the intrusion and limit both the financial fallout and reputation damage that follow

➢ A recent study indicates that almost three in ten organizations are unlikely to detect a sophisticated cyberattack

➢ Cybersecurity Ventures projected that cybercrime is expected to cause damage of over $6 trillion annually by 2021

➢ Data protection legislation will toughen globally. More notifications and significant fines for data breaches in the future can be expected

➢ BYOD (Bring Your Own Device), the practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes, is having a fundamental impact on IT security frameworks

➢ Organizations must adopt a cybersecurity framework either as a best-practices initiative or to fulfill a contractual or regulatory requirement

➢ The evolution of internal audit functions is critical to address the risks associated with digital transformation, mobile technology, and ongoing regulatory changes


Types of Cyber Fraud

Instances of cyber fraud have become a real threat in modern society because they can be single-handedly

committed and do not require the physical presence of the criminals. These instances of fraud can be committed

from a remote location, and the criminals may not worry about the law enforcement agencies in the country

where they are committing the crimes. Wherever the rate of return on investment is high and the risk is low, we

can always find people willing to take advantage of the situation. This is exactly what happens with cyber fraud.

Catching cybercriminals is difficult. As a result, cyber fraud across the world has continued to rise. The most

common types of cyber fraud are explained below:

Business Email Compromise

The evolving nature of cybercrime presents a unique set of challenges because crimes often overlap jurisdictional

boundaries and perpetrators can attack from anywhere. Business email compromise (BEC) is a sophisticated scam

targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer

payments. BEC involves taking over an email account or spoofing an email address in order to initiate theft via

unauthorized ACH or wire transfers. In 2018, the FBI received 20,373 BEC/E-mail Account Compromise (EAC)

complaints with adjusted losses of about $1.3 billion. EAC is a sophisticated scam targeting individuals performing

wire transfer payments. The following table summarizes crime types by victim loss reported to the FBI in 2018.

2018 Crime Types by Victim Loss

Crime Type | Loss
BEC/EAC | $1,297,803,489
Confidence Fraud/Romance | $362,500,761
Investment | $252,955,320
Non-Payment/Non-Delivery | $183,826,809
Real Estate/Rental | $149,458,114
Personal Data Breach | $148,892,403
Corporate Data Breach | $117,711,989
Identity Theft | $100,429,691
Advanced Fee | $92,271,682
Credit Card Fraud | $88,991,436
Extortion | $83,357,901
Spoofing | $70,000,248
Government Impersonation | $64,211,765
Other | $63,126,929
Lottery/Sweepstakes | $60,214,814
Overpayment | $53,225,507
Phishing/Vishing/Smishing/Pharming | $48,241,748
Employment | $45,487,120
Tech Support | $38,697,026
Harassment/Threats of Violence | $21,903,829
Misrepresentation | $20,000,713
IPR/Copyright and Counterfeit | $15,802,011
Civil Matter | $15,172,692
Malware/Scareware/Virus | $7,411,651
Health Care Related | $4,474,792
Ransomware | $3,621,857
Denial of Service/TDoS | $2,052,340
Re-Shipping | $1,684,179
Charity | $1,006,379
Gambling | $926,953
Crimes Against Children | $265,996
Hacktivist | $77,612
Terrorism | $10,193
No Lead Value | $0.00

Source: FBI - 2018 Internet Crime Report

BEC scams usually target a company’s senior executives and senior employees who are authorized to transfer

payments. The scam is carried out to conduct unauthorized transfers of funds. Common BEC methods include

spoofed emails to employees, allegedly from senior executives (e.g. CEO, CFO) or a vendor, that:

• Request an emergency wire transfer

• Refer to a “confidential deal” and direct the employee to contact an outside “attorney” for further instruction

• Request a change to the vendor’s address and payment information in the system

Attackers often research their target’s schedule, waiting until the target is traveling or otherwise unavailable for

immediate verification. Someone from the accounting team recognizes the CFO’s email address and carries out

the wire instructions, unaware that the email did not legitimately come from the CFO. The funds are then received

by an account under the control of the hacker. Despite the large impact of BEC schemes, recognizing many of the

attacks is fairly easy. For example, the email subjects used in BEC schemes are simple and vague, at times

composed only of one word such as:

• Request For

• Transfer

• Request

• Urgent

• Transfer Request

BEC continues to evolve. Victims have reported being contacted by subjects posing as lawyers or law firms

instructing them to make secret or time-sensitive wire transfers. Public and private companies of all sizes have

been affected by this type of scam. Companies with international business dealings are frequently targeted

because transfers to overseas banks would not be out of the ordinary. The scam is carried out by compromising

legitimate business email accounts through social engineering or computer intrusion techniques to conduct

unauthorized transfers of funds. These fraudulent transfers have gone through accounts in many countries, with

a large majority traveling through Asia.

Prevention is critical since recouping stolen cash is rare. Once funds have been wired, recovering the stolen funds

may be possible if the scam is detected within the first 24 to 48 hours, but only with the help of law enforcement.

However, the following controls can help stop these scams:

1. IT controls can prevent and detect fraudulent activities by keeping the scammer out of the system

2. Treasury controls that require multiple approvals of wire transfers

3. Purchasing controls to validate the setup of vendor accounts and changes in vendor payment information

It is critical to have a culture that encourages a questioning mindset, especially when it comes to unusual or

unexpected requests from executives. Encouraging or requiring the recipient of a wire transfer request to confirm

its validity via phone can go a long way toward protecting the company’s assets. Therefore, promoting employee

security awareness can prevent an organization from being a victim of such crime. Employees should be trained

to:


• Be wary of irregular email requests from C-suite executives because they are frequently used to trick

employees into acting with urgency.

• Always examine email headers, domain names in the “from” field of the email, and the “reply-to” field of

emails. For more suspicious emails, employees should request help from the IT department.

• Do not open links within the email right away. Examine the links by hovering over the link with the mouse

cursor to expose the web address. If a suspicious address is revealed, further investigation/authentication

must be conducted before initiating the wire transfer.

• Question strange payment requests received via email. Examples of such anomalies include requests received at odd hours, international wires, or unusual payment amounts. Companies should require telephone callbacks to confirm the authenticity of higher-risk transactions. Always use known, familiar phone numbers rather than the number provided in the email request.

• Report the incident immediately to the appropriate level of management and law enforcement if you

suspect that you are being targeted by a BEC email.

The FBI issued the following tips for BEC victims:

1. Contact the originating Financial Institution as soon as fraud is recognized to request a recall or reversal

as well as a Hold Harmless Letter or Letter of Indemnity.

2. File a detailed complaint with www.ic3.gov. It is vital the complaint contains all required data in provided

fields, including banking information.

3. Visit www.ic3.gov for updated public service announcements (PSAs) regarding BEC trends as well as other

fraud schemes targeting specific populations (real estate, pre-paid cards, W-2, etc.).

4. Never make any payment changes without verifying with the intended recipient; verify email addresses

are accurate when checking mail on a cell phone or other mobile device.

Real-World Case: Infront Consulting Group Inc.

The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016.

The chief financial officer for Infront Consulting Group Inc., based in Toronto and Las Vegas, received an email

that appeared to come from the company’s chief executive, instructing her to “process a payment of $169,705.00

USD.” Attached wire transfer instructions directed that payment be made to an investment brokerage in Naples,

Florida.

The scheme failed only because the Infront CEO, by coincidence, called the CFO as she was reviewing the request.

When she asked what the money was for, the CEO said he knew nothing about it. Further scrutiny revealed that

the email was sent from an address similar to the company’s, but that lacked the letter “I” in “consulting.”
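The header and subject checks in the training points above (examine the “from” domain and the “reply-to” field, treat one-word subjects such as “Urgent” or “Transfer Request” as suspect, confirm wires by phone) and the lookalike domain in the Infront case can be automated as a first-pass triage of incoming payment requests. The Python script below is an added example written for this course text; it is not code from the course, the FBI, or IIROC. The organization’s own domain, the sample messages, and the urgency keywords are constructed assumptions, and the edit-distance threshold of 2 is a choice to be tuned against real mail.

```python
"""Triage red flags in wire-transfer request emails.

Checks implemented (defender-side, read-only on message text):
  1. Reply-To domain differs from the From domain.
  2. From domain is a lookalike of our own domain (edit distance <= 2,
     e.g. one dropped letter, as in the Infront case).
  3. Subject is one of the vague one- or two-word subjects used in BEC lures.
  4. Body asks for a wire with an urgency cue (a prompt to confirm by phone).
Sample messages and OUR_DOMAIN are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's legitimate mail domain (placeholder).
OUR_DOMAIN = "example-consulting.com"

# Subjects listed in the course text as typical of BEC emails.
VAGUE_SUBJECTS = {"request for", "transfer", "request", "urgent", "transfer request"}

# Assumption: urgency words worth a phone callback when paired with "wire".
URGENCY_RE = re.compile(r"\b(urgent|asap|today|immediately)\b", re.I)
WIRE_RE = re.compile(r"\bwire\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between a sender domain and
    OUR_DOMAIN means a dropped, added or swapped character (a lookalike)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from an address header, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> list:
    """Return the list of red-flag descriptions found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    subject = (msg.get("Subject") or "").strip().lower()

    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from from-domain {from_dom}")
    if from_dom and from_dom != OUR_DOMAIN and edit_distance(from_dom, OUR_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain {from_dom} (resembles {OUR_DOMAIN})")
    if subject in VAGUE_SUBJECTS:
        flags.append(f"vague subject '{subject}'")

    body = msg.get_payload()  # a str for the single-part samples used here
    if isinstance(body, str) and WIRE_RE.search(body) and URGENCY_RE.search(body):
        flags.append("wire request with urgency cue: confirm by phone on a known number")
    return flags


# Constructed sample messages (not real mail): a lookalike domain, a
# reply-to redirect, and a benign vendor invoice for comparison.
SAMPLES = {
    "lookalike": (
        "From: CEO <ceo@example-consuting.com>\n"
        "To: cfo@example-consulting.com\n"
        "Subject: Urgent\n\n"
        "Please process a wire of $150,000.00 today. Instructions attached.\n"
    ),
    "reply_to": (
        "From: CEO <ceo@example-consulting.com>\n"
        "Reply-To: ceo.office@mail-example.net\n"
        "Subject: Transfer Request\n\n"
        "Need a wire sent asap for a confidential deal. Do not discuss.\n"
    ),
    "benign": (
        "From: Vendor Billing <billing@supplier.example>\n"
        "To: ap@example-consulting.com\n"
        "Subject: Invoice 4471 for March\n\n"
        "Please find the invoice attached. Payment per the usual terms.\n"
    ),
}


def triage_all() -> dict:
    """Run triage over every sample; maps sample name to its red flags."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in triage_all().items():
        print(f"{name}: {flags or 'no red flags'}")
```

A flag from this script is a reason to pause and call the requester on a known number, not a verdict; the benign sample shows that ordinary vendor mail produces no flags, while either a lookalike domain or a mismatched Reply-To is enough on its own to hold the payment.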


Identity Theft

Identity theft is one of the most common types of cyber fraud. The term “Identity Theft” is used when a person

purports to be someone else, with an intention to act fraudulently for financial gain. It is also called Online Identity

Theft. The most common sources of identity theft are data breaches affecting governmental or federal websites.

Data breaches also occur at e-commerce websites containing sensitive and important information, such as credit

card information, addresses, email IDs, etc.

The second most common technique for stealing identity information is phishing. Most people will ignore emails

that ask for personal information. However, some phishing attacks, such as the one referred to as the Nigerian

Phishing Scam, do succeed in stealing personal or financial data by preying on naive or unsuspecting people who

fall into criminals’ traps.

Another maneuver is social engineering. This is where the criminals befriend victims in person or over the phone,

email or social media. Once they become “friends”, the criminals can easily get the information needed to

impersonate the victims. According to the Identity Theft Resource Center, there are four main types of Identity

Theft:

Types of Identity Theft

Criminal Identity Theft

A criminal will impersonate someone else, whose details he/she secured via data breaches, phishing or social engineering.

Governmental ID Theft

This is mainly related to income tax issues. The criminal (in this case, it is usually an illegal immigrant) may be working somewhere under another person’s name and identity, and he/she would not file income tax returns. However, the W-2’s are being reported to the IRS, leaving the true person open to IRS inquiries about the additional income that was not reported on the tax return.

Financial Identity Theft

This is related to ID thieves taking out loans or credit cards using a victim’s information. The victim may receive a lender’s letter to find out that he/she has not repaid a loan that he/she did not take.

Medical ID Theft

This refers to ID thieves using victim’s medical benefits at hospitals and pharmacies.

Although criminals target various types of information, the most relevant data are social security and passport

numbers, date of birth, addresses and phone numbers, and passwords. In the U.S., the social security number

(SSN) can be used to open financial accounts, take over existing financial accounts, and obtain credit or run up

debt. Date of birth, addresses, and phone numbers can be used to commit identity theft if they are combined with

other information such as the SSN. Such information is available on a large scale on the internet - either published

voluntarily in one of the various profile settings or stored for other reasons on websites.

Identity theft is a very serious issue. Losses may not only be financial; they may also include damage to reputations.

The actual incidence of identity theft is likely to far exceed the number of reported cases because many victims

do not report such crimes and financial institutions often do not wish to receive negative press.


The Federal Trade Commission revealed that up to 9 million Americans have their identities stolen each year, and

at least 534 million personal records have been compromised since 2005 through attacks on the databases of

businesses, governments, institutions, and organizations. Webroot suggests the following seven steps to

preventing identity theft online:

1. Protect your computer and smartphone with strong, up-to-date security software

2. Learn to spot spam and scams

3. Use strong passwords

4. Monitor and review credit scores

5. Place a security freeze on your credit

6. Use only reputable websites when making purchases

Following is the Federal Trade Commission’s Identity Theft Recovery Plan that can be used in the event of an

identity theft:

Identity Theft: A Recovery Plan

Federal Trade Commission, www.identitytheft.gov

What To Do Right Away

Step 1: Call The Companies Where You Know Fraud Occurred.

☐ Call the fraud department. Explain that someone stole your identity.

☐ Ask them to close or freeze the accounts. Then, no one can add new charges unless you agree.

☐ Change logins, passwords, and PINs for your accounts.

You might have to contact these companies again after you have an Identity Theft Report.

Step 2: Place A Fraud Alert And Get Your Credit Reports.

☐ To place a free fraud alert, contact one of the three credit bureaus. That company must tell the other two.

• Experian.com/help 888-EXPERIAN (888-397-3742)

• TransUnion.com/credit-help 888-909-8872

• Equifax.com/personal/credit-report-services 1-800-685-1111

Get updates at IdentityTheft.gov/creditbureaucontacts

A fraud alert lasts one year. It will make it harder for someone to open new accounts in your name. You'll get a letter from each credit bureau. It will confirm that they placed a fraud alert on your file.

☐ Get your free credit reports from Equifax, Experian, and TransUnion. Go to annualcreditreport.com or call 1-877-322-8228.


Did you already order your free annual reports this year? If so, you can pay to get your report immediately. Or follow the instructions in the fraud alert confirmation letter from each credit bureau to get a free report. That might take longer.

☐ Review your reports. Make note of any account or transaction you don't recognize. This will help you report the theft to the Federal Trade Commission (FTC) and the police.

Step 3: Report Identity Theft To The FTC.

☐ Go to IdentityTheft.gov or call 1-877-438-4338. Include as many details as possible. Based on the information you enter, IdentityTheft.gov will create your Identity Theft Report and recovery plan.

• If you create an account, we'll walk you through each recovery step, update your plan as needed, track your progress, and pre-fill forms and letters for you.

• If you don't create an account, you must print and save your Identity Theft Report and recovery plan right away. Once you leave the page, you won't be able to access or update them.

Your Identity Theft Report is important because it guarantees you certain rights.

What To Do Next

Take a deep breath and begin to repair the damage.

Close New Accounts Opened In Your Name.

☐ Now that you have an Identity Theft Report, call the fraud department of each business where an account was opened.

• Explain that someone stole your identity.

• Ask the business to close the account.

• Ask the business to send you a letter confirming that:

  • the fraudulent account isn't yours

  • you aren't liable for it

  • it was removed from your credit report

• Keep this letter. Use it if the account appears on your credit report later on.

The business may require you to send them a copy of your Identity Theft Report or complete a special dispute form.

☐ Write down who you contacted and when.

Remove Bogus Charges From Your Accounts.

☐ Call the fraud department of each business.
• Explain that someone stole your identity.
• Tell them which charges are fraudulent. Ask the business to remove the charges.
• Ask the business to send you a letter confirming they removed the fraudulent charges.
• Keep this letter. Use it if this account appears on your credit report later on.

The business may require you to send them a copy of your Identity Theft Report or complete a special dispute form.

☐ Write down who you contacted and when.


Correct Your Credit Report.

☐ Write to each of the three credit bureaus.
• Include a copy of your Identity Theft Report and proof of your identity, like a copy of your driver's license or state ID.
• Explain which information on your report is fraudulent.
• Ask them to block that information.

Mail your letters to:
• TransUnion Fraud Victim Assistance Department, P.O. Box 2000, Chester, PA 19022-2000
• Equifax, P.O. Box 105069, Atlanta, GA 30348-5069
• Experian, P.O. Box 9554, Allen, TX 75013

If someone steals your identity, you have the right to remove fraudulent information from your credit report. This is called blocking. Once the information is blocked, it won't show up on your credit report, and companies can't try to collect the debt from you. If you have an Identity Theft Report, credit bureaus must honor your request to block fraudulent information.

If you don't have an Identity Theft Report, you still can dispute incorrect information in your credit file. It can take longer, and there's no guarantee that the credit bureaus will remove the information. To dispute information without an Identity Theft Report, contact each credit bureau online or by phone.

Consider Adding An Extended Fraud Alert Or Credit Freeze.

Extended fraud alerts and credit freezes can help prevent further misuse of your personal information. There are important differences. This chart can help you decide which might be right for you.

An Extended Fraud Alert:
• Lets you have access to your credit report as long as companies take steps to verify your identity
• Free to place and remove. Available if someone stole your identity.
• Lasts for seven years
• Set it by contacting each of the three credit bureaus:
  • Report that someone stole your identity
  • Request an extended fraud alert
  • Complete any necessary forms and send a copy of your Identity Theft Report

A Credit Freeze:
• Stops all access to your credit report unless you lift or remove the freeze
• Free to place and remove. Available to anyone.
• Lasts until you lift or remove it
• Set it by contacting each of the three credit bureaus.


Hacking

Hacking is a type of fraud where a person’s computer is broken into so that personal or sensitive information can be accessed. In the U.S., hacking is classified as a felony and is punishable as such. In hacking, the criminal uses a variety of software and techniques to secretly access a person’s computer, and as a result the person may not be aware that his/her computer is being accessed from a remote location. All organizations are vulnerable to attack and no security system is infallible. Famous targets of hacking attacks include NASA, the US Air Force, the Pentagon, Yahoo, Google, eBay, and the German government.

Hackers take advantage of basic security vulnerabilities in computer systems. These vulnerabilities and weaknesses allow an intruder to execute commands, access unauthorized data, and conduct denial-of-service attacks. Examples of vulnerabilities and weaknesses include:

• Unpatched software (e.g., Adobe, Microsoft, and Oracle)

• Unprotected ports

• Poor physical security

• Weak passwords

• Insufficient backup and recovery

• Improper destruction (e.g., discarded electronic devices, portable drives processing and storing sensitive data)

• Poor security policy

• Outdated infrastructure

• Lack of end-user education

In general, organizations that do not scan for vulnerabilities and proactively address information system weaknesses face an increased likelihood of having their systems compromised. Best practices to reduce the risk of being a cyber target suggest that organizations should implement the following procedures:

• Develop automated vulnerability assessment tools for all systems on the network

• Ensure that the scanning tools are regularly updated and contain the latest security information

• Communicate prioritized lists of the most critical vulnerabilities to responsible system administrators

• Ensure that software/applications are updated with security patches regularly

• Subscribe to vulnerability intelligence services in order to stay aware of emerging threats and exposures

Real-World Case: Mega Metals Inc.

The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016.

Mega Metals Inc., a 30-year-old scrap processor, was defrauded in 2015 when the email account used by an Italian-based third party broker was compromised. Mega Metals had wired $100,000 to a German vendor to pay for a 40,000-pound container load of titanium shavings. Following the transaction, the vendor complained that it had not received payment. An investigation revealed that malicious software implanted on the Italian broker’s computer systems allowed criminals to collect passwords that provided access to the broker’s email system. They then sent falsified wire-transfer instructions to Mega Metals for a legitimate purchase.


DDoS

A Denial of Service (DoS) message is the error message that a computer user receives when trying to access an unavailable website, either because the system is completely down or because the website is bogged down with an excessive amount of Internet traffic. A “DoS attack” typically uses one computer and one Internet connection to flood a targeted system or resource, thereby reducing or eliminating access to the system. A DoS attack is different from a DDoS attack. A DDoS (Distributed Denial of Service) attack is when multiple compromised systems, often infected with a Trojan Horse virus, are used to target a single system, causing a Denial of Service (DoS) problem.

The DDoS attack can use multiple computers and internet connections around the world to essentially disable the targeted resources. Cloud service providers must have solutions in place to protect their infrastructure as DDoS attacks continue to evolve.

In a DDoS attack, the incoming traffic flooding the victim originates from many different sources, potentially hundreds of thousands or more. Therefore, it is impossible to stop the attack simply by blocking a single IP address. The attacking software may have lain dormant on the computers for months, or longer, and then ‘woken up’ at a specific time to launch the attack. In addition, it is very difficult to distinguish legitimate user traffic from attack traffic because it is spread across so many points of origin.

There are many types of DDoS attacks. Common attacks include the following:

Types of DDoS Attacks

Traffic Attacks

Traffic flooding attacks send a huge volume of different data packets to the target. Legitimate requests get lost and these attacks may be accompanied by malware exploitation.

Bandwidth Attacks

This DDoS attack overloads the target with massive amounts of junk data. This results in a loss of network bandwidth and equipment resources and can lead to a complete denial of service.

Application Attacks

Application-layer data messages can deplete resources in the application layer, leaving the target’s system services unavailable.

Botnets

DDoS attacks are often global attacks distributed via botnets. Botnets, derived from “robot network”, are networks of compromised computers controlled by remote attackers in order to perform illicit tasks such as sending spam or attacking other computers, without the owners’ knowledge and consent.

There are two methods for detecting bots: Static Analysis, which checks a computer’s characteristics against a list of known threats, and Behavioral Analysis, which monitors communications in a network for behaviors that are known to be exhibited by botnets. If it is discovered that an organization’s network has been infected, it is the organization’s responsibility to notify stakeholders about a potential compromise of all data residing on the network. Therefore, cleanup efforts resulting from a botnet infestation can be costly and damaging to an organization’s reputation.
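The Behavioral Analysis approach described above can be made concrete with a small added example; it is not part of the course text or of any vendor product. One behavior botnets commonly exhibit is a regular "check-in" from an infected host to its controller at a near-constant interval. The script below parses a constructed connection log (timestamp, internal source, external destination), computes the gaps between successive connections for each source/destination pair, and flags pairs whose gaps are almost identical. The log lines, the addresses (RFC 5737 documentation ranges), and the thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample log, one connection per line: "<epoch_seconds> <src_ip> <dst_ip>".
# 10.0.0.5 contacts 203.0.113.7 exactly every 300 s (beacon-like);
# 10.0.0.8 contacts 198.51.100.2 at irregular, human-looking times.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.7
1700000300 10.0.0.5 203.0.113.7
1700000600 10.0.0.5 203.0.113.7
1700000900 10.0.0.5 203.0.113.7
1700001200 10.0.0.5 203.0.113.7
1700001500 10.0.0.5 203.0.113.7
1700000010 10.0.0.8 198.51.100.2
1700000025 10.0.0.8 198.51.100.2
1700000400 10.0.0.8 198.51.100.2
1700000415 10.0.0.8 198.51.100.2
1700001900 10.0.0.8 198.51.100.2
1700001950 10.0.0.8 198.51.100.2
"""

Flow = Tuple[str, str]


def parse_log(text: str) -> Dict[Flow, List[int]]:
    """Group connection timestamps by (source, destination) pair."""
    flows: Dict[Flow, List[int]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def find_beacons(flows: Dict[Flow, List[int]], min_events: int = 5,
                 max_cv: float = 0.1) -> Dict[Flow, dict]:
    """Flag pairs whose inter-connection gaps are nearly constant.

    The coefficient of variation (std dev / mean) of the gaps is close to 0 for
    a timer-driven beacon and large for interactive traffic. Real implants add
    jitter, so production tooling tunes max_cv rather than demanding exactly 0.
    """
    suspicious: Dict[Flow, dict] = {}
    for key, times in flows.items():
        if len(times) < min_events:
            continue  # too few observations to judge regularity
        ordered = sorted(times)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all events at the same second; not a periodic pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspicious[key] = {"events": len(times),
                               "mean_interval_s": avg,
                               "cv": round(cv, 3)}
    return suspicious


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} {info}")
```

A hit from this check is a lead for investigation, not proof of infection: scheduled tasks, monitoring agents and software updaters also poll on fixed timers, so the destination's reputation and the process owning the connection should be examined before anyone is notified.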


Spam

Spam is a very common form of cyber fraud, and it is difficult to control. “Spam” is named after Spam luncheon meat by way of a Monty Python sketch that suggests Spam is unwanted and unavoidable. Email is the most common form of spam. Although many email spam messages are commercial in nature, they may also contain disguised links leading to phishing web sites or sites that host malware. Spam emails can also contain malware as scripts or other executable file attachments.

Spam emails are highly profitable. The senders have no operating costs beyond the management of the mailing lists, servers, IP ranges, and domain names. For example, a Dutch spammer reported a profit of around $50,000 by sending out at least 9 billion spam emails.

Most email providers have reacted to rising levels of spam by installing anti-spam filter technology. This technology identifies spam using keyword filters or blacklists of spammers’ IP addresses. To ensure that spam reaches its intended audience, spammers are increasingly using tactics to avoid detection. According to Cisco Security Research, snowshoe spam, which involves sending low volumes of spam from a large set of IP addresses to avoid detection, is an emerging threat.
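Why snowshoe spam slips past an IP-based blacklist, and how a gateway can still see it, is shown in the following added example (not code from the course or from Cisco). It builds a constructed mail-gateway log, applies a conventional per-address volume rule, and then applies an aggregate rule that groups messages by sending domain and looks for many source addresses each carrying only a few messages. The domains, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions for the illustration.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple


def build_sample_log() -> List[str]:
    """Constructed gateway log: one accepted message per line, '<sender_ip> <sender_domain>'."""
    lines: List[str] = []
    # Snowshoe pattern: 40 messages spread over 20 addresses, 2 per address.
    for i in range(20):
        lines += [f"192.0.2.{i + 1} bulk-offer.example"] * 2
    # High-volume sender using a single address: a per-IP rule notices this one.
    lines += ["198.51.100.5 list.example"] * 40
    # Ordinary low-volume correspondent.
    lines += ["203.0.113.9 partner.example"] * 3
    return lines


def parse_log(lines: List[str]) -> Dict[str, Counter]:
    """Map sender domain -> Counter of messages per source address."""
    per_domain: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        ip, domain = line.split()
        per_domain[domain][ip] += 1
    return per_domain


def per_ip_volume_rule(per_domain: Dict[str, Counter],
                       max_per_ip: int = 20) -> List[Tuple[str, str]]:
    """Conventional check: flag any single address that sends more than max_per_ip."""
    noisy = []
    for domain, ips in per_domain.items():
        for ip, count in ips.items():
            if count >= max_per_ip:
                noisy.append((ip, domain))
    return noisy


def snowshoe_rule(per_domain: Dict[str, Counter], min_ips: int = 10,
                  min_total: int = 30, max_mean_per_ip: float = 5.0) -> Dict[str, dict]:
    """Aggregate by domain: many addresses, few messages each, large total volume."""
    flagged: Dict[str, dict] = {}
    for domain, ips in per_domain.items():
        total = sum(ips.values())
        if (len(ips) >= min_ips and total >= min_total
                and total / len(ips) <= max_mean_per_ip):
            flagged[domain] = {"source_ips": len(ips), "messages": total}
    return flagged


if __name__ == "__main__":
    per_domain = parse_log(build_sample_log())
    print("per-IP rule flags:", per_ip_volume_rule(per_domain))
    print("snowshoe rule flags:", snowshoe_rule(per_domain))
```

On the sample data the per-IP rule catches only the single busy address and misses the snowshoe campaign entirely, while the domain-level rule catches the campaign without touching the other two senders. In practice the grouping key would be whatever the sender cannot cheaply vary (the authenticated domain from SPF/DKIM results, or the URL hosts in the message body) rather than the bare envelope domain.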

Phishing

Phishing is a method where cyber criminals bait the victim into giving out sensitive information. The bait can be in the form of a business proposal, the announcement of a lottery to which the victim never subscribed, or anything that promises the victim money for nothing or a small favor. Or it may be a false email requesting a profile update at a bank or other website. Phishing attacks are growing in both frequency and sophistication. For example, the majority of phishing cases feature phishing as a means to install persistent malware. The main perpetrators of phishing attacks are organized crime syndicates and state-sponsored actors.

Spear phishing is a type of targeted phishing that is directed towards a specific individual or group of individuals. It usually has the following characteristics:

• A high level of targeting sophistication; it appears to come from an acquaintance (e.g. an associate, client, friend)
• Contextually relevant to the target’s position, job, or interests
• Contains graphics to make the email look legitimate or familiar

The U.S. Cybercrime Center warns people not to enter into any kind of agreement that promises something that seems too good to be true. It is critical that organizations promote security-conscious behavior by employees. A cybersecurity chain is only as strong as its weakest link, and organizations should be careful when disclosing commercially sensitive data to their suppliers and advisors, including accountants, lawyers, and financiers.


Simple Steps for Internet Safety from the FBI

http://www.fbi.gov October 11, 2016

In today’s digital world, online safety should be of paramount concern for all individuals and organizations because the threats posed by cybercriminals can’t be ignored. And to counteract these threats, there are steps you can take to minimize the risks associated with doing any kind of business online, surfing the Internet, and/or sharing information on social media sites.

The first step to greater Internet safety is a basic yet vital one—change online passwords several times a year. Use different passwords for each online account and make them unique but not easily guessed.

Additional levels of cybersecurity, like two-factor authentication (TFA), can provide even greater protection for your information. TFA is a technology that increases security by incorporating requirements beyond a password, like a particular physical trait, a dynamic PIN, or the location or time of a login attempt. Many e-mail service providers and social media platforms offer TFA as a free service—most require a strong password and supply a PIN that changes periodically. Users can receive these PINs easily via mobile applications or text messages.

In terms of social media, remember that once personal or organizational information has been posted to a social networking site, that information can no longer be considered private and can be—and sometimes is—used for criminal purposes. The highest security settings on an Internet account may not be enough to prevent a leak of sensitive data—for example, cybercriminals often can obtain personal passwords regardless of their complexity. In doing so, they can gain access to banking credentials and credit card numbers, get hold of social security information, download malware to a computer, or hijack a device to perpetrate further crimes. So be careful—post as little personal information as possible, use two-factor authentication and beware of embedded links that—if clicked on—may lead to scam webpages and malware being downloaded to your computer or mobile device.

Another level of online security involves protecting your mobile devices from cyber intruders in public places. Not all Wi-Fi hotspots at coffee shops, airports, or hotels have strong security protections. Persons in close proximity may be able to access that open network and collect your login information and the content of your online browsing. Securing your phone or tablet is as simple as avoiding sensitive sites that require a login, so try to avoid signing into bank accounts, e-mail, or social media accounts while on a public Wi-Fi hotspot. But if you have to, use a reliable personal virtual private network (VPN) service provider. A VPN enables data encryption and adds a layer of security to communications, making it more difficult for cybercriminals to spy on you.

An out-of-band backup is another useful cybersecurity technique. This involves backing up your data to a virtual, cloud environment or storing hard copies of digital data at a physical location elsewhere. Using this method is ideal in combating ransomware, a type of malware which restricts access to files or threatens their destruction unless a ransom is paid to the cyber-based criminal.

Kids too can learn steps to Internet safety through the FBI’s Safe Online Surfing (SOS) program. SOS is a nationwide initiative designed to educate children from grades 3 to 8 about the dangers faced when surfing the web. SOS promotes good cyber citizenship among students by engaging them in a fun, age-appropriate, competitive online program where they learn how to safely and responsibly use the Internet.

Though myriad methods and tools exist to protect the public and organizations from the risks of cybercrime, your best defense is understanding and implementing strong security practices and maintaining them regularly. Doing so can raise a perpetual firewall against cybercriminals and keep your sensitive data safe.


Ransomware

Ransomware, one of the most reprehensible malware-based attacks, is a form of malware that targets both human and technical weaknesses. The goal is to deny access to critical data and/or systems, in both business and home networks.

Recently, ransomware has gained notoriety in the field of cybersecurity due to the growth in the number of victims and the significant profits that cybercriminals can obtain from this type of malicious campaign. In May 2017, a worldwide ransomware attack was performed, relying on vulnerabilities found in outdated software. Due to their failure to update their systems regularly, some major health systems, such as the UK’s National Health System, were attacked and held to ransom.

In 2019, the FBI’s Internet Crime Complaint Center received 1,493 complaints identified as ransomware with losses of over $3.6 million. This number does not include estimates of lost business, time, wages, files, equipment, or any third-party remediation services acquired by a victim. In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low ransomware loss rate. The FBI expects that this type of attack will continue to rise.

Ransomware is usually delivered through spear-phishing emails to end-users. Once the email recipient clicks on a malware file, the malware will rapidly encrypt sensitive files or all of the files on a network. However, in newer instances of ransomware, cybercriminals may not use emails at all. They can bypass the need for an individual to click on a link by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers. As a result, the computer could get infected with ransomware when the user clicks on a malicious link in an email, an instant message, a social networking site or a compromised website, or if the user downloads and opens a malicious email attachment.

After the victim organization determines that it is no longer able to access its data, the cybercriminal demands the payment of a ransom, typically in virtual currency such as Bitcoin. The encrypted files can be damaged beyond repair, creating a fatal outcome if the user fails to comply with the malware author’s request. After payment of the ransom, the cybercriminal will supposedly provide a way for the victim to decrypt their data.

Real-World Case: Mahone Bay and Bridgewater

The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016.

Mahone Bay and Bridgewater, small towns in Nova Scotia, reported infections in municipal computers that occurred in June 2015. The virus, known as CryptoWall 3.0, attacked non-networked directories either through a spear-phishing email sent to a system user, or perhaps an infected website visited by a town employee. Once the link was clicked, the systems were infected with CryptoWall 3.0 and a second virus called CryptoLocker, meant to encrypt files on the targeted system. Once activated, the viruses delivered an automated message to the user requesting payment of roughly $900 in return for unlocking the infected files; it is virtually impossible to decrypt the files unless the ransom is paid. The virus is thought to have originated with criminal groups in Russia. The use of CryptoLocker techniques is widespread. The U.S. Justice Department estimated that CryptoLocker attacks infected more than 234,000 machines, resulting in $27 million in ransom payments, in just its first two months of attacks.


Ransomware has become a serious security problem. However, there are certain preventive measures against ransomware encryption, such as:

• Use fully updated modern operating systems and good antivirus software or an Internet Security Suite, including an updated secure browser and email client
• Take regular backups to minimize the damage caused in the case of the computer getting infected
• Never click on unknown links or download attachments from unknown sources
• Disable files running from AppData/Local folders
• Promote security awareness and provide training to all employees
• Patch commonly exploited third-party software such as Java, Flash, and Adobe
• Restrict administrative rights
• Scan to identify exploitable vulnerabilities
• Review service providers’ security policies

Ransomware - Warning from the FBI

Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them. The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation. Home computers are just as susceptible to ransomware and the loss of access to personal and often irreplaceable items—including family photos, videos, and other data—can be devastating for individuals as well.

In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.

Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.

Ransomware attacks are not only proliferating, but they’re also becoming more sophisticated. Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cybercriminals turned to spear phishing e-mails targeting specific individuals. And in newer instances of ransomware, some cybercriminals aren’t using e-mails at all—they can bypass the need for an individual to click on a link by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.


The FBI doesn’t support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee an organization that it will get its data back—there have been cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cybercriminals to target more organizations, but it also offers an incentive for other criminals to get involved in this type of illegal activity. And by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.

So what does the FBI recommend? As ransomware techniques and malware continue to evolve—and because it’s difficult to detect a ransomware compromise before it’s too late—organizations, in particular, should focus on two main areas:

• Prevention efforts—both in terms of awareness training for employees and robust technical prevention controls; and
• The creation of a solid business continuity plan in the event of a ransomware attack.

Here are some tips for dealing with ransomware (primarily aimed at organizations and their employees, but some are also applicable to individual users):

• Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
• Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
• Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
• Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
• Configure access controls, including file, directory, and network share permissions appropriately. If users only need to read specific information, they don’t need write-access to those files or directories.
• Disable macro scripts from office files transmitted over e-mail.
• Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
• Back up data regularly and verify the integrity of those backups regularly.
• Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
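The last two tips, and the "take regular backups" item in the earlier prevention list, both rest on the backup being verifiably intact, since ransomware that reaches a connected backup drive encrypts it too. The following added example (written for this course, not taken from the FBI) shows the minimal mechanism: record a SHA-256 manifest when the backup is taken, keep that manifest with the offline copy, and later compare the stored files against it. The demo scenario, file names and contents are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative path, POSIX separators) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_backup(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the on-disk copy against the manifest recorded when the backup was taken.

    'modified' means the bytes changed (what an encryptor produces), 'missing' means
    a recorded file is gone, 'unexpected' means a file appeared that was never backed up
    (ransom notes and renamed encrypted files show up here).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a two-file backup is taken, then the copy is tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (root / "notes").mkdir()
        (root / "notes" / "q3.txt").write_text("quarterly close complete\n")
        manifest = build_manifest(root)          # stored separately in a real deployment

        # Simulate ransomware reaching the backup copy: one file rewritten with
        # unreadable bytes, one deleted, and a renamed encrypted copy left behind.
        (root / "ledger.csv").write_bytes(b"\x00\xff" * 16)
        (root / "notes" / "q3.txt").unlink()
        (root / "ledger.csv.locked").write_bytes(b"not the original content")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The manifest is only trustworthy if it is stored where the malware cannot rewrite it alongside the files, which is the same reason the FBI tip says the backup itself must be disconnected from the systems it protects; a periodic restore test of a sample of files closes the remaining gap, because a hash match proves the bytes are unchanged but not that the backup job captured everything it should have.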

Impact of Security Breaches

The Target data breach in 2014 was one of the largest in history. The personal details of some 70 million people may have been compromised. Although Target had invested over $100 million in cybersecurity measures, it had failed to establish end-to-end monitoring and response capabilities and could not respond quickly enough when hackers targeted its point of sale (PoS) system during an intensely busy period. The security breach damaged its reputation and created a loss of business, and was followed by the company’s chief executive leaving the position. Details of the impact of the cybersecurity incident on Target’s financial statements are addressed in “Appendix C: Financial Statement Disclosure - Target Corporation 2015 Quarterly Report”.

According to an annual research report published by the Ponemon Institute and IBM:


• In 2018, the average cost of a data breach increased by 6% to $3.8 million.
• The mean time to identify a data breach was 197 days, and the mean time to contain it was 69 days.
• The average cost per stolen record worldwide increased to $154 in 2018.

The scope and severity of the impact of a security breach will depend on the nature of the attack and the organization’s ability to react and minimize its effect. Examples of the business effect of a cyberattack include:

1. Loss of personal data, such as customer contact or bank details, or sensitive personal data

2. Inability to operate and conduct business, such as a DDoS attack that overwhelms the email servers

3. Loss of customers and business with reductions in customer satisfaction and retention

4. Damage to the value of the organization leading to a stock price drop

Deloitte identified the domino effect following a security breach:

In general, the costs of cybercrime presented below relate both to dealing with cybercrime, as the internal cost (e.g. detection, recovery, and incident response), and to the consequences of the cyberattack, as the external consequences (e.g. business interruption and revenue loss). The Ponemon Institute identified the following cost framework for cybercrime.

Internal Cost Activity Centers:
• Detection
• Investigation & Escalation
• Containment
• Recovery
• Ex-post Response

External Consequences & Costs:
• Information Loss or Theft
• Business Interruption
• Equipment Damage
• Revenue Loss

Based on an Experian study, Security as Business Risk: How Data Breaches Impact Bottom Lines, the management of data breaches should be assessed from a traditional business risk perspective. Risk management typically weighs the business uncertainties within the following key categories:

[Figure: Deloitte’s domino effect following a security breach. The stages shown, in the order they appear in the chart:]
• Security incident occurs
• Negative social media coverage
• Staff unable to access systems
• Extreme pressure on operations
• Forensic investigation
• Negative local/national press
• Cost of notifying customers
• Contractual breach
• Regulatory investigation/fine
• Remediation costs
• Loss of customers
• Lost sales
• Loss of jobs
• Loss of organization/business


Reputation Damage

Security breaches not only impact a company’s bottom line, but also its reputation, brand, and intellectual property. A recent study revealed that reputational damage is considered the most significant impact of a security breach, followed closely by legal, investment and/or enforcement costs. The risk to a company’s reputation can cause more long-term damage than any other type of risk. Damaged reputations shrink shareholder value and involve negative publicity, loss of clients or key employees and decreased revenue. Reputation risk has become so critical that a number of online tools have emerged which use social media to track how corporate reputations are impacted during a crisis.

According to the Reputation Impact of a Data Breach study conducted by the Ponemon Institute, in terms of reputation impact, not all data breaches are equal. Some breaches are more devastating than others to an organization’s reputation and brand image. The following are the most meaningful findings in instances when three different types of information assets are lost or stolen as a result of data breaches:

1. When records containing confidential customer information are lost or stolen: the study asked respondents to evaluate the consequences to an organization that had a data breach involving the loss or theft of more than 100,000 confidential consumer records. About 81% of respondents said it would affect the economic value of their organization’s reputation as well as its brand image. According to respondents, the average diminished value of the brand as a direct result of the incident is 21%. To restore the organization’s reputation would take on average about one year (11.8 months).

2. When records containing confidential employee information are lost or stolen: the study asked respondents to evaluate the consequences to an organization that had a data breach involving the loss or theft of more than 100,000 confidential employee records. About half (51%) of respondents said this would affect the economic value of their organization’s reputation and brand image. According to these respondents, the average diminished value of the brand as a direct result of the incident is 12%. To restore the organization’s reputation would take an average of about 8 months.

3. When records containing confidential business information are lost or stolen: the study asked respondents to evaluate the consequences to an organization that had a data breach involving the loss or theft of trade secrets, new product designs, source code or strategic plans. The breach involved a small number of extremely sensitive files. About 80% of respondents said this would affect the economic value of their organization’s reputation and brand image. According to these respondents, the value of the company’s brand was diminished on average by 18% as a direct result of the incident. To restore the organization’s reputation would take on average about 8 months.

A Risk to Brand and Shareholder Value

Brand value is what a company’s actual name means to a customer. According to an Experian study, higher brand equity translates into customer loyalty, premium pricing, and higher stock values. Brand risk constitutes anything that detracts from that equity. High brand risk and low brand equity mean lower customer trust, loss of sales and higher marketing costs to rebuild equity. As an example, the American automobile industry suffered from a large quality perception gap during the 1980s, and its brand equity suffered as global competitors grabbed market share and customer base at the expense of these U.S. companies.

As shareholders maintain an equity position in a company, any risks they face become risks to equity value. A large

loss of customers during a crisis may lower equity value which could result in more expensive credit, curtailing of

research and development as well as changes in corporate leadership. This type of risk is tactical in nature,

although it expresses itself in a very public manner. Most data breaches result in some loss of equity value in the

short-term.

Compliance

Compliance risks stem from the application, or lack thereof, of laws and regulations instituted by a wide range of countries, such as the privacy laws of the European Union, India, and Japan. In the U.S., regulations also exist for specific market verticals, such as for companies accepting credit card payments (PCI) or holding patient health information (HIPAA).

Real-World Example: Sony

Corporate Overview

Sony is a highly respected multinational conglomerate based in Japan, with FY 2011 earnings of $86 billion. While the company has many distinct business units, Sony is best known for producing high-quality electronics.

Sustained Breaches

Sony’s challenges began in April 2011 with a massive breach of its PlayStation Network, later followed by additional breaches, including one directed against its online entertainment division. These breaches resulted in the loss of 100 million customer records and the shutdown of business operations for several Sony units over a period of weeks.

Sony Response

Sony’s major challenge in responding to these data breaches was to deftly manage its image. In this respect, Sony failed miserably. The company received tremendously negative media attention for its perceived delay in notifying customers of the breach. This became such an issue that the CEO himself, Howard Stringer, was forced to address the onslaught of media questions. However, Stringer’s defense of Sony’s one-week delay fell on disbelieving ears and only worsened the public reaction.

When considering the public apology offered, it’s important to remember that Sony is based in Japan, where an apology of this sort would simply be accepted and the matter closed. Suffice it to say, this broader cultural context was lost amidst the firestorm of damaging publicity. From a security professional’s perspective, Sony was technically prudent and responsive. From a consumer’s perspective, however, the perception of Sony’s misguided response created a backlash.

While meant to be a positive development, the May 2011 announcement that Sony was creating a Global CISO role raised more concerns than it settled. Given the wide range of systems breached and business units affected, the belated creation of this role raises the question of why Sony did not have a CISO in place before these breaches. The perception is that security was an afterthought not taken seriously by Sony and that individual business units were left to handle security on their own. Little else can explain the breakdown of Sony’s cyber defenses.


Sony’s initial customer responses included offering credit-monitoring services to affected customers, enhanced customer support, creation of welcome back programs and implementation of new security systems. Direct costs to date are approximately $171 million, but given its legal fees and other potential lost revenues, Sony’s total cost estimates from these breaches range from $13 billion to $20 billion over the long term.

Victimology

Sony’s breaches invite an examination of victimology. Initial reports suggest that the personal information of 75 million PlayStation users was compromised by these breaches. One might imagine these PlayStation users to be teenaged and young adult gamers. The reality is that many of these gamers don’t own credit cards. Instead, it is their parents or legal guardians whose information was lost. The real loss, however, is one of trust. Sony’s damaged reputation might plant the following question in the minds of millions of consumers: If this company doesn’t care enough to secure my information, do they really create the kind of reliable high-end appliances my family needs in the future?

Source: Experian - Security as Business Risk: How Data Breaches Impact Bottom Lines


Review Questions - Section 1

1. An employee made a false claim for reimbursement of inflated business expenses. He believes that his behavior was harmless because the financial loss to the agency was immaterial. Which of the fraud triangle elements best explains his action?

A. Opportunity

B. Capability

C. Rationalization

D. Pressure

2. An individual steals online credit and financial information and uses them in a criminal manner. What term describes this behavior?

A. Financial Statement Fraud

B. Business Email Compromise

C. Cyber Fraud

D. Email Account Compromise

3. What type of cyber fraud sends a victim an enticement in the hopes that the victim will provide confidential information?

A. Ransomware

B. Hacking

C. Phishing

D. Spam

4. What is the most effective technique to reduce the risk of being a business email compromise victim?

A. Requiring two-factor authentication for all remote access sessions

B. Conducting vulnerability assessment scans of the wireless network

C. Implementing secure backup and recovery processes

D. Promoting employee security awareness behavior

5. Which of the following offenses involves criminals taking out loans or credit cards using a victim’s information?

A. Payment card skimmers

B. Exploits

C. Financial Identity theft

D. Business email compromise

6. Hundreds of thousands of computers are part of some network being used for performing malicious actions, such as sending spam and launching denial of service attacks. Which of the following terms describes this type of threat?

A. Payment card skimmers

B. Point-of-Sale Intrusions

C. Zero-day attacks

D. Botnets


II. Trends in the Cyber World

Industry 4.0, the current trend of automation and data exchange in manufacturing technologies, includes cyber-physical systems, the Internet of Things, and cloud computing. On entering Industry 4.0, the fourth industrial revolution, organizations will need to overcome hurdles caused by digitization and integration of vertical value chains (i.e., from product development and purchasing through manufacturing, logistics, and services) and horizontal value chains (i.e., from suppliers to customers and all key partners).

Industry 4.0 is no longer a “future” trend. For many companies, it is now at the heart of their strategic and research agenda. Companies are combining advanced connectivity and automation, cloud computing, sensors, 3D printing, connected capability, computer-powered processes, intelligent algorithms and Internet of Things services to transform their businesses. According to PwC’s Global Digital Operations Study 2018, digitization and smart automation are expected to contribute as much as 14% to global GDP gains by 2030, equivalent to about US$15 trillion in today’s value.

The Internet of Things

According to Gartner Inc., the Internet of Things (IoT) is the network of physical objects that contain embedded technologies to communicate with and interact with the external environment. Some common examples of IoT products include:

• Smart thermostats that interact with a smartphone application

• Smart refrigerators that alert consumers when certain food items run low

• Smart lighting systems and outlets

• Security systems that are accessible remotely

• Health monitors that family members and doctors can access

• Connected cars as well as car and truck tracking devices

• Wearables such as Fitbit health monitors, Apple Watch, etc.

• Amazon Echo and Google Home

• Smart payment systems using smartphones to increase convenience and reduce transaction costs

• Inventory-tracking sensors and devices used in warehouses as well as during shipments

• Automatic toll tracking and payment systems, as well as smart parking lots

With billions of people connected to the internet today and the number of connected devices expected to exceed 50 billion by the year 2020, IoT represents a major transformation in the digital world. It has the potential to affect every individual and business. It also encompasses technologies such as smart grids, smart homes, intelligent transportation, and smart cities, as well as all the necessary computing infrastructure to make widespread communication between those devices possible.

[Figure: the four industrial revolutions. 1st: Mechanization, Water Power, Steam Power. 2nd: Mass Production, Assembly Line, Electricity. 3rd: Computer and Automation. 4th: Cyber Physical Systems.]

IoT is fast becoming the must-have element of business technology as it offers opportunities such as cost

reductions and improved decision-making with real-time updates and more accurate fact-finding. However, new

technologies also create new vulnerabilities as cybercriminals can exploit the resulting increase in

interconnectivity. This is especially concerning as businesses become more reliant upon real-time data. Any

interruption in the process chain - even for a minute - could cause a severe business interruption, thus impacting

the balance sheet and income statement. In addition, as technology evolves, older devices that remain in use also

create vulnerabilities. This also applies to outdated operating systems and unsupported software.
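The paragraph above warns that devices left in service past vendor support, and outdated operating systems, become vulnerabilities. The following Python script is an added example, not code from this course or from any vendor: it checks a constructed device inventory against a constructed end-of-support table and reports which assets are unsupported, about to lose support, or missing from the lifecycle table entirely. The platform names, versions and end-of-support dates are invented for the example.

```python
"""Flag inventory entries whose OS or firmware has passed vendor end-of-support.

Added example for this course section; it is not code from the course or from
any vendor. Platform names, versions and end-of-support dates below are
constructed sample data, not real product lifecycles.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str       # e.g. "thermostat", "ip-camera", "workstation"
    platform: str   # OS or firmware family reported by the device
    version: str    # version string as reported, e.g. "2.4.1"


# Constructed end-of-support table keyed by (platform, major version).
END_OF_SUPPORT = {
    ("ExampleOS", "7"): date(2020, 1, 14),
    ("ExampleOS", "10"): date(2025, 10, 14),
    ("CamFirmware", "1"): date(2018, 6, 30),
    ("CamFirmware", "2"): date(2023, 12, 31),
    ("ThermoFW", "3"): date(2026, 3, 31),
}

# Assets whose support ends within this window are reported as "expiring".
WARNING_WINDOW = timedelta(days=180)


def major_version(version: str) -> str:
    """'2.4.1' -> '2'; tolerates a bare '7' and build tags such as '7-rc1'."""
    return version.split(".")[0].split("-")[0]


def support_status(asset: Asset, today: date) -> str:
    """Return 'unsupported', 'expiring', 'supported' or 'unknown' for one asset."""
    eos = END_OF_SUPPORT.get((asset.platform, major_version(asset.version)))
    if eos is None:
        # Not in the lifecycle table: report it for manual review rather than
        # silently treating an untracked device as safe.
        return "unknown"
    if eos < today:
        return "unsupported"
    if eos - today <= WARNING_WINDOW:
        return "expiring"
    return "supported"


def audit_inventory(assets, today_iso: str) -> dict:
    """Map each asset_id to its support status as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {a.asset_id: support_status(a, today) for a in assets}


def summarize(statuses: dict) -> dict:
    """Count assets per status so the findings can go into a risk report."""
    counts = {"unsupported": 0, "expiring": 0, "supported": 0, "unknown": 0}
    for status in statuses.values():
        counts[status] += 1
    return counts


# Constructed sample inventory (asset ids and versions are invented).
SAMPLE_ASSETS = [
    Asset("ws-001", "workstation", "ExampleOS", "7.1"),
    Asset("ws-002", "workstation", "ExampleOS", "10.0"),
    Asset("cam-01", "ip-camera", "CamFirmware", "1.9.3"),
    Asset("cam-02", "ip-camera", "CamFirmware", "2.0.0"),
    Asset("therm-1", "thermostat", "ThermoFW", "3.2"),
    Asset("gw-01", "gateway", "VendorXGW", "5.0"),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_ASSETS, "2023-09-01")
    for asset_id, status in sorted(results.items()):
        print(f"{asset_id:10} {status}")
    print(summarize(results))
```

The "unknown" status is deliberate: a device whose platform is not in the lifecycle table is a gap in the inventory, and an audit that only reports what it can match would hide exactly the forgotten devices the paragraph describes.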

IoT will increasingly rely on cloud computing and smart devices with built-in sensors, along with thousands (if not

millions) of applications to support them. The use of outsourced services and storage such as cloud computing

also presents many risks. Cloud computing was originally developed to address cost, convenience, and reduced

complexity. However, cloud computing needs serious improvement in terms of security because safeguards for

protecting integrated environments are severely lacking.

A single problem at a major cloud provider can result in data breach losses for many customers. An HP study reveals that 70% of the most commonly used IoT devices contain vulnerabilities. According to a Business Insider Intelligence Survey, 39% of the respondents said that security is the biggest concern in adopting IoT technology. IoT also suffers from platform fragmentation and a lack of technical standards. The variety of IoT devices, in terms of both hardware variations and differences in the software running on them, makes the task of developing applications difficult.

Customers will be hesitant to bet their IoT future on proprietary software or hardware devices using proprietary protocols that may diminish or become difficult to customize and interconnect.

Since many opportunities for connected devices will develop through technological integration and collaboration, security risks to IoT are growing and changing rapidly. According to EY, the increased use of the internet and mobile devices shows that the “responsibility boundary” is disappearing. As a result, the risk landscape becomes more muddied. As such, who is responsible when a 3-year old Wi-Fi-connected outlet in the home is targeted by overseas hackers in order to cause a power surge in the New York area? Is it the homeowner, the device manufacturer, the Wi-Fi router developer, or the utility company?

In a company, a cybersecurity system must also include the organization’s broader network, including clients, customers, suppliers/vendors, collaborators, business partners, and even alumni. Together, they constitute the entire “business ecosystem.” A standard approach to risk management assumes that the trust boundary is already defined. However, the definition of “risk” must be expanded and enhanced to address the new security concerns that arise as new technologies are implemented to handle new functions, processes, devices, policies, and structures.

[Figure: Risk Landscape. Elements: Data & Apps; Physical Environment; Change Mgt.; Third-Party Suppliers & Vendors; Internal Employees; Security & Privacy; Infrastructure; Legal & Regulatory.]

Cybersecurity Framework Adoption

The Adaption to the New Reality

An information security framework is a series of documented processes that are used to define policies and

procedures around the implementation and ongoing management of information security controls in an

enterprise environment.

The technology revolution has dramatically changed the way organizations conduct business. Traditional

boundaries have shifted as organizations operate in a dynamic environment that is increasingly interconnected,

integrated, and interdependent. The ecosystem includes not only employees, partners, and customers but other

participants such as law firms, investment banks, service providers, government agencies, regulators, industry

affiliations, and competitors. An organization’s data constantly flows in and out and is distributed and dispersed throughout the ecosystem. This expands the domain that organizations need to protect. As a result, the integrity and stability of an organization’s business are now, more than ever, dependent on other entities in the ecosystem.

The exposure and impact on the business can significantly increase when attackers actively target the

vulnerabilities throughout the ecosystem. For example, a law firm may be targeted in order to obtain the strategic

documents related to a business deal at one of its clients. A Fortune 500 company can be hacked through a

phishing attack at the weakest link in their supply chain. As cybersecurity risks dramatically evolve, and

cyberattacks accelerate at an unprecedented rate, an organization’s approach to cybersecurity must keep pace.

The following table lists highlights of how businesses should adapt to the new reality.

The Reality: Scope of the Challenge

Historical IT security perspective: Limited to your “four walls” and the extended enterprise.

Today’s leading cybersecurity insight: It spans the entire interconnected global business ecosystem.

The Reality: Ownership and Accountability

Historical IT security perspective: IT-led and operated.

Today’s leading cybersecurity insight: Businesses must be aligned; CEO and board must be accountable.

The Reality: Attackers’ Characteristics

Historical IT security perspective: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain.

Today’s leading cybersecurity insight: Organized, funded, and targeted; motivated by economic, monetary, and political gain.

The Reality: Information Asset Protection

Historical IT security perspective: One-size-fits-all approach.

Today’s leading cybersecurity insight: Prioritize and protect your “crown jewels”, which are those information assets or processes that, if stolen, compromised, or used inappropriately would render significant hardship to the business.

The Reality: Defense Posture

Historical IT security perspective: Protect the perimeter; respond if attacked.

Today’s leading cybersecurity insight: Know you will be attacked. Plan, monitor, and rapidly respond when attacked.

The Reality: Security Intelligence & Information Sharing

Historical IT security perspective: Keep to yourself.

Today’s leading cybersecurity insight: Public/private partnerships; collaboration with industry working groups.

Source: PwC - 10 Minutes on the Stark Realities of Cybersecurity

New Approaches for a Changing Business Environment

As IT security becomes a top priority for all modern organizations, a wide range of security frameworks are available to guide companies in their efforts to protect their critical systems and data. Dimensional Research conducted a 2016 survey sponsored by Tenable Network Security to identify trends in the adoption of security frameworks. IT and security professionals were asked which security frameworks they had adopted, their motives for adopting them, and how fully the frameworks were implemented. Many security frameworks have a strong reputation in specific areas. The following table lists the security framework acronyms used in the survey, with a brief description of each.

Security Framework Acronyms Description

ISO = ISO/IEC 27001/27002

ISO is international. ISO/IEC 27001 is a robust framework that helps organizations protect information such as financial data, intellectual property or sensitive customer information. The key requirements are discussed in the “ISO/IEC 27000:2013” chapter.

CIS = CIS Critical Security Controls

The CIS controls are a set of internationally recognized measures developed, refined, and validated by leading security experts from around the world. The key controls are discussed in the “Critical Security Controls” chapter.

CSF = NIST Framework for Improving Critical Infrastructure Cybersecurity

CSF is an initiative of the U.S. federal government from 2013 Executive Order 13636, which calls for the development of a voluntary cybersecurity framework. Details of CSF are discussed in the “Executive Order − Critical Infrastructure Cybersecurity” and “Cybersecurity Framework Best Practice: The NIST Framework” chapters.

PCI = Payment Card Industry Data Security Council Standard

The PCI is a proprietary information security standard for organizations handling branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

Adoption of Security Frameworks as Common Practice

Based on survey results, the adoption of a security framework is a common practice. 84% of organizations are

leveraging a security framework. The adoption of security frameworks is the norm in banking and financing (88%),

information technology (87%), government (86%), and manufacturing (83%). All these industries boast security


framework adoption rates above 80%. Education and healthcare are only slightly behind at 77% and 61%

respectively.

A lack of data protection has played a critical part in the high-profile hacking stories of the past few years, such as

those concerning the Office of Personnel Management, Sony and Target. All organizations are at risk - it really

doesn’t matter if a company is a public or a private organization, a big or a small firm, a for-profit or a not-for-

profit organization. The sensitive information that a company processes, archives or transmits requires extensive

protection measures.

Organizations adopt security frameworks and standards to protect data and/or to fulfill a contractual or regulatory requirement. Measures may be established on the company’s own initiative, or they may be mandated by other parties, such as suppliers, partners, clients or the government. A smart company knows that the implementation of, and compliance with, new security standards is necessary in order for the organization to remain competitive and achieve its long-term objectives.

Adoption of Wide Range of Security Frameworks as a Norm

Although there is no single security framework being used by the majority of companies, the security frameworks

most commonly used are PCI (47%), ISO (35%), CIS (32%), and CSF-NIST (29%). It is also common for organizations

to adopt multiple security frameworks, as 15% of companies are using three or more of these.

Currently, PCI is slightly more common than the other frameworks. However, when considering the current adoption of each security framework combined with the plans for adoption, as seen in the following chart, it is expected that CSF-NIST (43%), CIS (44%), and ISO (44%) will have equivalent levels of adoption, moving closer to that of PCI (55%).

[Chart: Security Framework Adoption, showing Have Adopted, Plan to Adopt, and Total by the End of 2016 for CSF - NIST Framework, CIS Critical Security Controls, ISO 27001/27002, and PCI; vertical axis 0% to 60%.]

Source: Dimensional Research - Trends in Security Framework Adoption 2016

Increased Adoption of the NIST Framework as Best Practices

The National Institute of Standards and Technology (NIST) Framework, an initiative stemming from Executive Order 13636, is a U.S. federal risk-based framework that serves as a foundation for organizations. However, the survey shows that security frameworks are not limited to specific industries. For example, there is a broad range of industries in addition to governments using CSF - NIST Framework, including banking (19%), information technology (17%), healthcare (12%), manufacturing (11%), education (5%), and more. Although the vast majority of organizations already leverage a security framework, many of them plan to adopt additional frameworks in the coming years, with CSF - NIST Framework at the top of the list, followed by CIS and ISO.

Companies implement security frameworks in order to comply with the requirements of a business relationship, government, or a certification mandate. The survey results below show that the most common reason for adopting CSF - NIST Framework was alignment with cybersecurity best practices (70%), followed by business partner requirements (29%), federal contract requirements (28%), and the contract requirements of non-federal organizations (20%).

[Chart: Key Motivations for the Adoption of CSF - NIST Framework. Aligning with Cybersecurity Best Practices 70%; Business Partner Requirements 29%; Federal Contract Requirements 28%; Non-Federal Organizations Contract Requirements 20%.]

Source: Dimensional Research - Trends in Security Framework Adoption 2016

The Rising Threats of Corporate Cybercrime

The technology revolution has dramatically changed the way organizations conduct business. Traditional boundaries have shifted, and organizations operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent. The ecosystem includes not only employees, partners, and customers but other participants such as law firms, investment banks, service providers, government agencies, regulators, industry affiliations, and competitors. Consequently, it expands the domain that organizations need to protect.

Companies are increasingly vulnerable to incoming cybersecurity threats from new directions and adversaries. IT assets that are commonly compromised and used during attacks include, but are not limited to, servers, network components, user devices, storage media, people, network and system design specifications, and VPN configurations. Attacks in various forms, such as hacktivism, corporate espionage, insider, and criminal activity, can cost an organization time, resources, and irreparable harm to its reputation.

Cybercrimes can be committed from a remote location, outside the jurisdiction of local law enforcement agencies, which makes catching such criminals difficult and has contributed to a rise in cybercrime across all industries. In a recent McAfee Labs publication, The Hidden Data Economy, the following prices were identified as average selling prices for stolen cards:

Average selling prices for a Payment Card Number with Card Verification Value (CVV2) and related data, by region:

Data Type                    United States  United Kingdom  Canada   Australia  European Union

Payment Card Information     $5-$8          $20-$25         $20-$25  $21-$25    $25-$30

Personal Health Information  $15            $25             $25      $25        $30

Personal Data                $15            $30             $30      $30        $35

Non-Card Financial           $30            $35             $40      $40        $45

Source: McAfee, The Hidden Data Economy

Cyber attackers are continuously changing tactics, increasing their persistence and expanding their capabilities.

Threat actors in the 21st century are highly trained and incorporate sophisticated attack techniques.

The threats exist across all industries, and organized crime is becoming increasingly sophisticated in its use of

technology to commit crimes. These threat actors may target PoS systems or customer databases to gather user

credentials, stored financial data, and stored personal information. The Verizon 2019 Data Breach Investigations

Report revealed that:

• External actors have long been the primary culprits behind confirmed data breaches

• Financial gain is the most common motive behind data breaches

• Phishing and the use of stolen credentials (a hacking action variety) are prominent fixtures

• Ransomware is still a major issue for organizations

• DoS attacks are at the top of action varieties associated with security incidents

• When the method of malware installation was known, email was the most common point of entry

• Workstations, web applications, and mail servers are in the top group of assets affected in data breaches

The report analyzed the following nine classification patterns to help companies prioritize their efforts in

addressing breach possibilities.

Web App Attacks

Description: Any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms.

Key Findings: Over one-half of breaches in this pattern are associated with unauthorized access to cloud-based email servers.

Point-of-Sale Intrusions (PoS)

Description: Remote attacks against the environments where card-present retail transactions are conducted. POS terminals and POS controllers are the targeted assets.

Key Findings: The Accommodation industry is still the most common victim within this pattern, although breaches were less common this year.

Insider and Privilege Misuse

Description: All incidents tagged with the action category of Misuse—any unapproved or malicious use of organizational resources—fall within this pattern.

Key Findings: This is mainly insider misuse, but former and collusive employees, as well as partners, are present in the data set.

Miscellaneous Errors

Description: Incidents in which unintentional actions directly compromised a security attribute of an asset.

Key Findings: Misdelivery of sensitive data, publishing data to unintended audiences, and misconfigured servers account for 85% of this pattern.

Physical Theft and Loss

Description: Any incident where an information asset went missing, whether through misplacement or malice.

Key Findings: The top two assets found in Physical Theft and Loss breaches are paper documents and laptops. When recorded, the most common location of theft was at the victim work area, or from employee-owned vehicles.

Crimeware

Description: All instances involving malware that did not fit into a more specific pattern. The majority of incidents that comprise this pattern are opportunistic in nature and are financially motivated.

Key Findings: Command and control (C2) is the most common functionality (47%) in incidents, followed by Ransomware (28%).

Payment Card Skimmers

Description: All incidents in which a skimming device was physically implanted (tampering) on an asset that reads magnetic stripe data from a payment card (e.g. ATMs, gas pumps, POS terminals, etc.).

Key Findings: Physical tampering of ATMs and gas pumps has decreased from last year. This may be attributable to EMV and disruption of card-present fraud capabilities.

Cyber-espionage

Description: Incidents in this pattern include unauthorized network or system access linked to state-affiliated Actors and/or exhibiting the motive of espionage.

Key Findings: Threat actors attributed to state-affiliated groups or nation-states combine to make up 96% of breaches, with former employees, competitors, and organized criminal groups representing the rest. Phishing was present in 78% of Cyber-espionage incidents.

Denial-of-Service Attacks

Description: Any attack intended to compromise the availability of networks and systems. This includes both network and application attacks designed to overwhelm systems, resulting in performance degradation or interruption of service.

Key Findings: This pattern is based on the specific hacking action variety of DoS. The victims in our data set are large organizations over 99 percent of the time.

Source: Verizon, 2019 Data Breach Investigations Report

To understand the cyber threats relevant to an organization, it is critical to determine what information would be valuable to outsiders or what information would cause significant disruption if unavailable or corrupted. For example, retailers set a top priority on protecting customer data. R&D organizations are usually focused on protecting intellectual property. Manufacturers need reliability of production, quality of products and supply chain systems.


The following table highlights security breaches by industry based on the Verizon Data Breach Investigations

Report:

Accommodation and Food Services

Top 3 Data Breach Patterns: Point of Sale intrusions, Web applications and Crimeware patterns represent 93% of all data breaches

Threat Actors: External (95%), Internal (5%)

Actor Motives: Financial (100%)

Data Compromised: Payment (77%), Credentials (25%), Internal (19%)

Educational Services

Top 3 Data Breach Patterns: Miscellaneous Errors, Web Application Attacks, and Everything Else represent 80% of breaches

Threat Actors: External (57%), Internal (45%), Multiple parties (2%) (breaches)

Actor Motives: Financial (80%), Espionage (11%), Fun (4%), Grudge (2%), Ideology (2%)

Data Compromised: Personal (55%), Credentials (53%), and Internal (35%)

Financial and Insurance

Top 3 Data Breach Patterns: Web Applications, Privilege Misuse, and Miscellaneous Errors represent 72% of breaches

Threat Actors: External (72%), Internal (36%), Multiple parties (10%), Partner (2%)

Actor Motives: Financial (88%), Espionage (10%)

Data Compromised: Personal (43%), Credentials (38%), Internal (38%)

Healthcare

Top 3 Data Breach Patterns: Miscellaneous Errors, Privilege Misuse and Web Applications represent 81% of incidents

Threat Actors: Internal (59%), External (42%), Partner (4%), and Multiple parties (3%)

Actor Motives: Financial (83%), Fun (6%), Convenience (3%), Grudge (3%), and Espionage (2%)

Data Compromised: Medical (72%), Personal (34%), Credentials (25%)

Information

Top 3 Data Breach Patterns: Miscellaneous Errors, Web Applications, and Cyber-Espionage represent 83% of breaches

Threat Actors: External (56%), Internal (44%), Partner (2%)

Actor Motives: Financial (67%), Espionage (29%)

Data Compromised: Personal (47%), Credentials (34%), Secrets (22%)

Manufacturing

Top 3 Data Breach Patterns: Cyber-Espionage, Web Applications, and Privilege Misuse represent 71% of breaches

Threat Actors: External (75%), Internal (30%), Multiple parties (6%), Partner (1%)

Actor Motives: Financial (68%), Espionage (27%), Grudge (3%), Fun (2%)

Data Compromised: Credentials (49%), Internal (41%), Secrets (36%)

Professional, Technical and Scientific Services

Top 3 Data Breach Patterns: Web Applications, Everything Else, and Miscellaneous Errors represent 81% of breaches

Threat Actors: External (77%), Internal (21%), Partner (5%), Multiple parties (3%)

Actor Motives: Financial (88%), Espionage (14%), Convenience (2%)

Data Compromised: Credentials (50%), Internal (50%), Personal (46%)

Retail

Top 3 Data Breach Patterns: Web Applications, Privilege Misuse, and Miscellaneous Errors represent 81% of breaches

Threat Actors: External (81%), Internal (19%)

Actor Motives: Financial (97%), Fun (2%), Espionage (2%)

Data Compromised: Payment (64%), Credentials (20%), Personal (16%)

Source: Verizon, 2019 Data Breach Investigations Report

Finally, according to Kaspersky Lab, Evolution of Cyber Threats in the Corporate Sector, the targeted attacks on

business have evolved as follows:


• Financial organizations such as banks, funds and exchange-related companies, including cryptocurrency

exchanges, have been subjected to attacks by cybercriminals.

• The attacks are meticulously planned. For example, the cybercriminals study the interests of potential

victims (e.g. employees at the targeted company), and identify the websites they are most likely to visit;

they examine the targeted company’s contacts, equipment and service providers.

• The information collected at the preparation stage is put to use. The attackers hack the legitimate websites that have been identified and the business contact accounts of the targeted company’s employees. The sites and accounts are used for several hours to distribute malicious code, after which the infection is deactivated. This means that the cybercriminals can re-use the compromised resources later.

• Signed files and legitimate software are used to collect information from the attacked network.

• Attackers often use malicious files signed with valid digital certificates.

• Attackers use legitimate programs in attacks, allowing the attackers to go undetected for longer periods.

• Attacks are diversifying to include small and medium-sized businesses.

Real-World Case: TJX Companies Inc.

The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016

Hackers who stole 45 million customer records, including millions of credit card numbers, from The TJX Companies Inc. did so by breaking into the retail company’s wireless local area network (LAN).

TJX had secured its wireless network using Wired Equivalent Privacy (WEP), one of the weakest forms of security for wireless LANs. According to The Wall Street Journal, hackers cracked the WEP encryption used to transmit data between price-checking devices, cash registers, and computers at a store in Minnesota. The intruders then collected information submitted by employees logging on to the company’s central database in Massachusetts, stealing usernames and passwords. With that information, the hackers set up their own accounts on TJX’s system. Over an 18-month period, their software collected transaction data, including credit card numbers, into approximately 100 large files. Analysts estimated that the breach would cost the company approximately $1 billion, excluding any litigation costs.

WEP’s weaknesses were public well before the intrusion: the IEEE deprecated it in the 802.11i amendment of 2004 in favor of WPA2, and the PCI Data Security Standard later barred new WEP deployments after March 31, 2009 and required existing ones to be removed by June 30, 2010. An auditor reviewing a retailer’s cardholder environment should treat any remaining WEP network as a finding, not a legacy exception.
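The weakness the TJX case turns on can be shown in a few lines. The following Python is an added example written for this edition, not code from the IIROC guide or from the course. It implements the real RC4 cipher and a WEP-style frame (24-bit IV sent in the clear, RC4 keyed with IV || secret; the CRC-32 integrity value is left out), then shows two things: that two frames encrypted under the same IV leak the XOR of their plaintexts, and that randomly chosen 24-bit IVs start repeating after only a few thousand frames. The secret key, the frame contents and the IV values are constructed for the demonstration.

```python
"""Added example (not from the course or the IIROC guide): why WEP fails.

WEP keys RC4 with a 24-bit IV, sent in the clear, concatenated with a shared
secret that never changes. Two frames carrying the same IV therefore use the
same RC4 keystream, and XORing their ciphertexts cancels the keystream and
exposes the XOR of the two plaintexts. RC4 below is the genuine algorithm;
the secret key, the frame contents and the IV values are constructed here."""
import random
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm, then the generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: int, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in the clear, then RC4(IV || secret) XOR plaintext.
    The CRC-32 integrity value of a real frame is omitted; it does not affect keystream reuse."""
    iv_bytes = iv.to_bytes(3, "big")
    keystream = rc4_keystream(iv_bytes + secret, len(plaintext))
    return iv_bytes + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes,
                          known_plaintext_a: bytes) -> Optional[bytes]:
    """Given two captured frames with the same IV and the plaintext of the first
    (a predictable header is enough), return the plaintext of the second over the
    overlapping length. Returns None if the IVs differ (no keystream reuse)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    body_a, body_b = frame_a[3:], frame_b[3:]
    n = min(len(body_a), len(body_b), len(known_plaintext_a))
    # C_a XOR C_b == P_a XOR P_b, so XORing in P_a yields P_b
    return xor_bytes(xor_bytes(body_a[:n], body_b[:n]), known_plaintext_a[:n])


def first_iv_collision(num_frames: int, seed: int = 1) -> Optional[int]:
    """Simulate an access point drawing random 24-bit IVs and return the index of
    the first frame whose IV repeats an earlier one. With 2^24 possible IVs the
    birthday bound puts the first repeat at roughly five thousand frames, well
    within a single day of traffic on a store network."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    seen = set()
    for index in range(num_frames):
        iv = rng.getrandbits(24)
        if iv in seen:
            return index
        seen.add(iv)
    return None


if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP key
    # LLC/SNAP header plus IPv4 EtherType: the same bytes start almost every data
    # frame, which is why "known plaintext" is easy to come by on a WEP network.
    header = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
    plain_1 = header + b"price-check terminal -> store server"
    plain_2 = header + b"user=clerk01;pass=hunter2;register=7"
    frame_1 = wep_encrypt(secret, 0x123456, plain_1)
    frame_2 = wep_encrypt(secret, 0x123456, plain_2)  # same IV: the flaw
    print("leaked:", recover_from_iv_reuse(frame_1, frame_2, plain_1))
    print("first IV repeat after frame", first_iv_collision(50_000))
```

The known-plaintext argument is what makes the XOR useful; on real 802.11 data frames the LLC/SNAP header shown above is fixed, so an attacker rarely has to guess it. IV reuse is only the simplest of WEP’s problems (the related-key attacks on RC4’s key schedule recover the shared secret itself), but it is enough to show why "encrypted" did not mean "protected" for TJX.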


III. Challenges in the Cyber World

Overview

Cyberattacks are becoming more destructive globally. In today’s cybercrime environment, the issue is not whether a business will be compromised, but rather how successful or damaging an attack will be. The accelerating pace of technological change accelerates cyber threats, and many organizations are suffering cyber losses because they did not get the basics right. From insufficient board involvement (or readiness and awareness) to poor system configurations and inadequate controls over third parties with access to their network, companies are often leaving the cyber door wide open for intruders. As cybercriminals become more sophisticated in their efforts to target their victims, organizations must also grow their capabilities to successfully combat and defeat them.

In a 2017 survey, CEOs at Fortune 500 companies revealed that their top two threats and challenges are the pace of technological change and cybersecurity. Cyber threats create a great cost and resource drain. According to the Gemalto Breach Level Index, over 2.6 billion data records were compromised globally in 2017. Fortune Magazine estimated that cyberattacks cost businesses $400 billion every year. In addition, there will be an estimated shortfall of 1.5 million professionals in the global information security workforce within five years.

It is vital that executives accept more responsibility for managing and mitigating cybercrime risks and set an

appropriate tone at the top. Management must instill a cyber risk-aware culture and ensure that all departments

are aligned in the fight against fraud. This is key to succeeding in today’s environment. Yet with so much at risk, C-level executives and boards are still reluctant to tackle cybersecurity issues. Although reasons vary by organization, EY identified the following most significant obstacles:

Cybersecurity Obstacles for Executives & Boards

➢ A crowded agenda

Cybersecurity is just one of many pressing issues demanding board-level engagement, particularly

in a time of ongoing economic volatility.

➢ The IT silo

Cybersecurity has traditionally been thought of as an IT issue that focuses on protecting the IT

systems that process and store information, rather than on the strategic value of the information

itself.

➢ “Not our problem”


Cybersecurity has been seen as a significant problem only in select sectors such as the military or

financial services. But if your sector relies on digital data to operate and compete, your information

and IT systems are worthy of appropriate risk management.

➢ Difficult to gauge

Unlike many types of organizational risk, cyber threats are hard to predict, making the risks and

potential impact difficult to gauge. Senior leaders may feel they lack the expertise necessary to

make enterprise-wide decisions or may be wary of being pulled too deeply into technical processes.

➢ Invisible pay-off

In the face of competing demands for scarce resources, it can be hard for executive leadership to

invest money, people and time in the unknown and unpredictable rather than in shareholder

deliverables or more obvious needs.

➢ Wrong priorities

Organizations have overinvested in preventive controls at the expense of detection and response capability.

Source: EY - Cyber Program Management: Identifying ways to get ahead of cybercrime, 2014

Engagement of Leadership

The responsibility for addressing cyber vulnerabilities starts at the top. The CEO and boards are responsible for

ensuring the company designs and implements an effective cybersecurity program. However, many boards are

not sufficiently proactive regarding cyber threats. According to PwC, almost half of all boards still view

cybersecurity as an IT matter, rather than as an enterprise-wide risk issue. The survey responses were from more

than 500 executives in U.S. businesses, law enforcement services, and government agencies. 30% of respondents

said their senior security executive makes quarterly security presentations. However, one in five (20%)

respondents stated their Chief Information Security Officer (CISO) or Chief Security Officer (CSO) makes a security

presentation to the board only once a year. Even worse, 29% of respondents said their security leaders make no

presentation at all.

The National Association of Corporate Directors recommends that risk oversight be a function of the full board

because the crucial link between strategy and risks needs a full commitment. Therefore, it was troubling to

note that 30% of respondents said no board members are engaged in cyber risks. Only 15% of respondents said

the audit committee is engaged in cyber risks, which is surprisingly low considering that cybersecurity has become

one of the hot topics on the audit committee’s agenda in the past several years. One explanation for the

comparatively weak engagement of the audit committee members may be that they lack a deep knowledge of

technical issues. The audit committee often oversees risk management activities and monitors management’s

policies and procedures. It plays a significant strategic role in coordinating cyber risk initiatives and policies and

confirming their efficiency. Thus, the audit committee should be aware of cybersecurity trends, regulatory

requirements, and major threats to the organization. The audit committee must ask questions about the state of


specific security programs to determine an organization’s tolerance for risk and to evaluate the decisions made by management. Examples of questions the audit committee needs to ask management include:

• Has the company experienced an increase in the number of security breaches?

• Who are the company’s likely threat actors?

• Has the company assessed the insider threat (e.g. BYOD, supply-chain threats)?

• Does the company have a security framework to guard against known and emerging threats?

• Can we detect malicious or unauthorized activities, and can we act and recover quickly to minimize the

impact?

• Does the company have cyber insurance? If yes, does it provide adequate coverage?

• How does the company know what data is leaving the company and what monitoring controls are in

place?

• How does the company detect malicious or unauthorized activities?

• Is there an ongoing, company-wide awareness and training program established around cybersecurity?

As noted, compounding the problem is the fact that many boards and management still perceive cybersecurity as

strictly an IT issue. Not only does this perception increase an organization’s potential exposure to attack, but it

also widens the communications gap between those charged with protecting the enterprise and those whose

obligations are to ensure a return to investors and shareholders, while maintaining strong corporate governance.

The CEO and the board should take ultimate ownership of the cybersecurity program. It is critical that cybercrime

rank high on the agenda items discussed with the CEO and the board on a regular basis. Research statistics indicate

that the most senior people within organizations are not placing enough emphasis on the importance of managing

the real threats that cybercrime presents to their organizations. PwC also identified the following reasons why

boards should actively oversee cybersecurity issues:

• Incidents can impact an organization’s global operations as the effect of cybersecurity is systemic.

• The financial impact can be significant and can include costly class-action lawsuits, which may reflect on

boards’ fiduciary responsibility to preserve corporate financial value.

• As regulations evolve, compliance is becoming more challenging and increasingly costly. For example, when PwC wrote, the European Union’s proposed data protection reform included fines of up to 5% of a company’s global revenue; the General Data Protection Regulation that replaced the Data Protection Directive in May 2018 set the maximum at 4% of worldwide annual turnover or EUR 20 million, whichever is higher.

• The IoT has brought new threats, including compromise of industrial controls and smart building systems

that can cause extreme risks and tremendous physical damage.

• Cybersecurity insurance should be considered as a regulatory hedge against cyber risks.

• Adversaries such as nation-states and organized crime are working together to attack organizations for

economic sabotage, theft of trade secrets, money laundering, terrorism, and military and intelligence

operations.

• Cyberattacks can result in substantial financial losses and damaged brand reputation by disrupting an

organization’s strategic objectives, such as a planned merger or acquisition, the launch of a new product,

or a business deal with a potential customer.


Managing Cyber Risks

Cybersecurity should be treated as a corporate risk issue rather than just an IT risk. However, a recent EY study

suggests that many board members generally do not understand their organization’s digital footprint well enough

to properly assess the risks. Although technology officers are able to provide relevant data, such as the number

of attempted breaches, it can be difficult to convert the data into meaningful information that could help boards

better understand the possible risks facing the organizations. In addition, board members may not know how to

evaluate the quality of the information received or ask the right questions. A lack of deep knowledge of technical

issues can lead to hesitation and inaction, which can damage the company’s brand and reputation, disrupt

business continuity, and lead to financial and legal ramifications.

Executives and boards must get up to speed in understanding and appropriately managing cybersecurity activities

and related obligations. Best practices suggest that a comprehensive oversight program can help companies

streamline board reporting, integrate the multi-department activities required to mitigate operational cyber risks

and demonstrate that reasonable security protocols and procedures are in place. EY suggested that the board

should consider asking the following key questions:

• Where does our risk appetite collide with current and anticipated regulations?

• How do we compare to others?

• What gains in efficiency have been made?

• What are the succession plans for key cybersecurity talent?

• What is the cyber risk impact of strategic decision X that is being considered?

Organizations that treat cybersecurity as a matter of enterprise-wide risk demonstrate to external stakeholders

that they understand their security and risk obligations and intend to be a good corporate citizen. Only after

cybersecurity is incorporated into the organization’s overall risk management structure can executive leadership

have confidence that their single most important business asset - information - is sufficiently protected against

the threats of today and tomorrow.

Areas of Focus for an Organization’s Cybersecurity

✓ Architecture

✓ Asset management

✓ Awareness

✓ Business continuity management

✓ Data infrastructure

✓ Data protection

✓ Governance and organization

✓ Host security

✓ Identity and access management

✓ Incident management

✓ Metrics and reporting

✓ Network security

✓ Operations

✓ Policy and standards framework

✓ Privacy

✓ Security monitoring

✓ Software security

✓ Strategy

✓ Third-party management

✓ Threat and vulnerability management

Source: EY - Cyber Program Management: Identifying ways to get ahead of cybercrime, 2014


The 2016-2017 NACD Public Company Governance Survey revealed the following top 10 cyber-risk oversight

practices being performed by the boards over the previous 12 months:

1. Reviewed the company’s current approach to protecting its most critical data assets

2. Reviewed the technology infrastructure used to protect the company’s most critical data assets

3. Communicated with management about the types of cyber-risk information the board requires

4. Reviewed the company’s response plan in the case of a breach

5. Assessed risks associated with third-party vendors or suppliers

6. Assessed risks associated with employee negligence or misconduct

7. Assigned clearly defined roles to its standing committees with regard to cyber risk oversight

8. Leveraged internal advisors, such as internal auditors or the general counsel, for in-depth briefings

9. Discussed the legal implications of a breach

10. Reviewed the scope of cyber coverage in the case of an incident

EY further indicated that business leaders should consider whether the organization’s cybersecurity framework

could respond to the following issues:

What business leaders are asking about their cybersecurity readiness

➢ Regulatory risk

How will governments and regulators respond to the increasing threat of information risk?

➢ Geopolitical shocks

What is our organization’s exposure to these shocks? How responsive is our IT organization?

➢ Reputation risk

How would a cyberattack affect our reputation and brand?

➢ Control failures

Could gaps or weaknesses in our IT controls and security be contributing factors?

➢ Information risk

How will our organization address the key risk areas of security, resilience and data leakage?

➢ Expansion in emerging markets

Does increasing our company’s footprint add to the challenge of business continuity?

➢ Reshaping the business

How much would our information risk profile change?

➢ Shared service centers

Would using third parties or shared service centers increase risks to our security and IT sourcing?

➢ IP and data security

Is our organization covered against data leakage, loss, and rogue employees?

➢ Acquisitions and integration


How successful are our organization’s investments if we’re unable to integrate the information

belonging to an acquired company?

➢ Hitting the headlines

Hacktivists are ideological by nature. How might issues such as tax policy, pay and environmental

management result in our company becoming a cyber target?

Source: EY - Cyber Program Management: Identifying ways to get ahead of cybercrime, 2014

Real-World Case: Office of Personnel Management

In June 2015, the US Office of Personnel Management (OPM) announced that it had been the target of a data

breach targeting the records of as many as four million people. The FBI later determined the number of individuals

targeted was expected to reach 18 million. The data breach, which started in March 2014 (or earlier), was noted

by the OPM in April 2015. It has been described by federal officials as being among the largest breaches of

government data in the history of the U.S.

The OPM had been warned multiple times of security vulnerabilities and failings. A March 2015 OPM Office of

the Inspector General’s semi-annual report to Congress warned of “persistent deficiencies in OPM’s information

system security program,” including “incomplete security authorization packages, weaknesses in the testing of

information security controls, and inaccurate Plans of Action and Milestones.”

Information targeted in the breach included personally identifiable information such as Social Security numbers,

as well as names, dates, and places of birth, and addresses. The hack went deeper than initially believed and likely

involved the theft of detailed security clearance-related background information. As of July 9, 2015, the estimate

of the number of stolen records had increased to 21.5 million. This included records of people who had undergone

background checks but were not necessarily current or former government employees. The stolen data included

5.6 million sets of fingerprints.

Soon after, Katherine Archuleta, the director of OPM, and former National Political Director for Barack Obama’s

2012 reelection campaign resigned. A July 22nd, 2015 memo by Inspector General Patrick McFarland said that

OPM’s Chief Information Officer Donna Seymour was slowing her investigation into the breach, leading him to

wonder whether or not she was acting in good faith. In February 2016, Donna Seymour resigned, just two days

before she was scheduled to testify before a House panel that is continuing to investigate the data breach.

Internet of Things - Security Concerns

Everything from refrigerators to baby monitors to sprinkler systems are interconnected, and while these devices

have made life easier, they have also created new attack targets for hackers. According to Cloud Security Alliance,

Security Guidance for Early Adopters of the Internet of Things, traditional enterprise security solutions do not

sufficiently address the IoT security concerns and challenges, including:

• Increased privacy concerns that are often confusing

• Platform security limitations that make basic security controls challenging


• Ubiquitous mobility that makes tracking and asset management a challenge

• Mass quantities that make routine update and maintenance operations a challenge

• Cloud-based operations that make perimeter security less effective

According to a Business Insider Intelligence Survey, 39% of the respondents said that security is the biggest concern

in adopting IoT technology. IoT also suffers from platform fragmentation and a lack of technical standards. The

variety of IoT devices, in terms of both hardware variations and differences in the software running on them,

makes the task of developing applications difficult.


IV. Government Acts to Enhance Cybersecurity

An Overview of Key Legislations

Cybersecurity is one of the most serious economic and national security challenges facing the U.S. and the world

today. As cyber threats have become more sophisticated, and attacks have increased each year, the public is

increasingly aware of the gaping threats facing our nation’s critical infrastructure, national defense, and financial

system in the digital realm. Expanding internet access opens up vulnerabilities that allow our adversaries

to potentially cause catastrophic economic and physical harm to our country. Cybersecurity legislation has been

a topic of interest on Capitol Hill for a number of years. Congress has introduced hundreds of bills and held many

hearings examining cybersecurity challenges and vulnerabilities to governments, businesses, and our international

partners. Some significant laws that Congress has passed to address cybersecurity include:

➢ The Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, which prohibits various attacks

on federal computer systems and on those used by banks and in interstate and foreign commerce.

➢ The Electronic Communications Privacy Act of 1986, which prohibits unauthorized electronic eavesdropping.

➢ The Computer Security Act of 1987, which gave the National Institute of Standards and Technology (NIST)

responsibility for developing security standards for federal computer systems, except the national security

systems that are used for defense and intelligence missions, and gave responsibility to the Secretary of

Commerce for promulgating security standards.

➢ The Paperwork Reduction Act of 1995, which gave the Office of Management and Budget (OMB) responsibility

for developing cybersecurity policies.

➢ The Clinger-Cohen Act of 1996, which made agency heads responsible for ensuring the adequacy of agency

information security policies and procedures, established the chief information officer (CIO) position in

agencies and gave the Secretary of Commerce authority to make promulgated security standards mandatory.

➢ The Homeland Security Act of 2002 (HSA), which gave the Department of Homeland Security (DHS) some

cybersecurity responsibilities in addition to those implied by its general responsibilities for homeland security

and critical infrastructure.

➢ The Cyber Security Research and Development Act, also enacted in 2002, which established research

responsibilities in cybersecurity for the National Science Foundation (NSF) and NIST.

➢ The E-Government Act of 2002, which serves as the primary legislative vehicle to guide federal information

technology (IT) management and initiatives to make information and services available online, and includes

various cybersecurity requirements.

➢ The Federal Information Security Management Act of 2002 (FISMA), which clarified and strengthened NIST

and agency cybersecurity responsibilities, established a central federal incident center and made OMB, rather

than the Secretary of Commerce, responsible for promulgating federal cybersecurity standards.

➢ The Cybersecurity Information Sharing Act of 2015, which is intended to encourage and facilitate the sharing

of security threat and defensive measure information with government agencies and other companies, in

order to strengthen the country’s overall cybersecurity protections. The Act, arguably the most significant

piece of federal cyber-related legislation enacted to date, establishes a mechanism for cybersecurity


information sharing among private-sector and federal government entities. It also provides safe harbors from

liability for private entities that share cybersecurity information in accordance with certain procedures, and it

authorizes various entities, including outside the federal government, to monitor certain information systems

and operate defensive measures for cybersecurity purposes.

According to Congressional Research Services, legislation introduced since the 111th Congress has addressed 10

key areas and proposed changes to current laws:

Legislation Addressed Key Areas Related to Cybersecurity

1. National strategy and the role of government;

2. Reform of FISMA;

3. Protection of critical infrastructure (including the electricity grid and the chemical industry);

4. Information sharing and cross-sector coordination;

5. Breaches resulting in theft or exposure of personal data such as financial information;

6. Cybercrime;

7. Privacy in the context of electronic commerce;

8. International efforts;

9. Research and development, and

10. The cybersecurity workforce

Source: Congressional Research Services - Cybersecurity: Authoritative Reports and Resources

The government has also directed a series of actions to continue strengthening cybersecurity and modernizing agencies’ technology infrastructure in response to the increasing severity of cyber threats. These efforts are highlighted in the following key events described on the White House website:

➢ Make cybersecurity one of the Administration’s first cross-agency priority management goals, which is

“Improve cybersecurity performance through ongoing awareness of information security, vulnerabilities, and

threats impacting the operating information environment, ensuring that only authorized users have access to

resources and information; and the implementation of technologies and processes that reduce the risk of

malware”;

➢ Spur information sharing through the President’s executive order to encourage the development of

Information Sharing and Analysis Organizations to serve as the hubs for sharing critical cybersecurity

information and promoting collaboration for analyzing this information within and across industry sectors;

➢ The Federal Chief Information Officer initiated a 30-day Cybersecurity Sprint on June 12, 2015. The

Cybersecurity Sprint Team (Sprint Team), led by the Office of Management and Budget, was comprised of

representatives from the National Security Council, the Department of Homeland Security, the Department

of Defense, and other Federal civilian and defense agencies. The Cybersecurity Strategy and Implementation

Plan (CSIP) is the result of a comprehensive review of the Federal Government’s cybersecurity policies,

procedures, and practices by the Sprint Team.

➢ In early 2015 the Federal Chief Information Officers Council and the Chief Acquisition Officers Council created

a working group to review current contract clauses and information technology acquisition policies and

practices around contractor and subcontractor information system security. As a result of the review,

proposed guidance was released. The intent of the proposed guidance is to take major steps toward

implementing strengthened cybersecurity protections in Federal acquisitions and therefore mitigating the risk

of potential incidents in the future; and


➢ The Cybersecurity Information Sharing Act, passed by the Senate in October 2015 and signed into law in December 2015 as part of the Consolidated Appropriations Act, 2016, is a US federal law designed to improve cybersecurity in the US through enhanced sharing of information about cybersecurity threats. Specifically, the law allows the sharing of internet traffic information between the US government and private technology and manufacturing companies. The main provisions make it easier for companies to share personal information with the government, especially in cases of cybersecurity threats, creating a system for federal agencies to receive threat information from private companies.

Cybersecurity Strategy and Implementation Plan

To strengthen the cybersecurity of federal networks, systems, and data, the Federal Chief Information Officer

(FCIO) initiated a 30-day Cybersecurity Sprint in 2015. The Cybersecurity Sprint Team (Sprint Team), led by the

Office of Management and Budget (OMB), was comprised of representatives from the National Security Council

(NSC), the Department of Homeland Security (DHS), the Department of Defense (DoD), and other Federal civilian

and defense agencies. The initial Sprint memo instructed agencies to implement a number of immediate high-

priority actions to enhance the cybersecurity of Federal information and assets. The Cybersecurity Strategy and

Implementation Plan (CSIP) is the result of the Cybersecurity Sprint, and it incorporates progress-reporting and

corrective actions that are ongoing.

The CSIP consisted of a comprehensive review of the Federal Government’s cybersecurity policies, procedures,

and practices by the Sprint Team. The goal was to identify and address critical cybersecurity gaps and emerging

priorities and make specific recommendations to address these gaps and priorities. The CSIP sought to strengthen

Federal civilian cybersecurity through the following five objectives:

1. Prioritized Identification and Protection of high-value information and assets;

2. Timely Detection of and Rapid Response to cyber incidents;

3. Rapid Incident Recovery and Accelerated Adoption of lessons learned from the Sprint assessment;

4. Recruitment and Retention of the most highly-qualified Cybersecurity Workforce by the Federal

Government, and

5. Efficient and Effective Acquisition and Deployment of Existing and Emerging Technology.

Specifically, the CSIP’s key actions included:

➢ All agencies will continue to identify their high-value assets (HVAs) and critical system architecture in order to

understand the potential impact on those assets from a cybersecurity incident and ensure robust physical and

cybersecurity protections are in place. The identification of HVAs will be an ongoing activity due to the

dynamic nature of cybersecurity risks.

➢ DHS will accelerate the deployment of Continuous Diagnostics and Mitigation (CDM) and EINSTEIN capabilities

to all participating Federal agencies to enhance the detection of cyber vulnerabilities and protection from

cyber threats.

➢ All agencies will improve the identity and access management of user accounts on Federal information

systems to drastically reduce vulnerabilities and successful intrusions.


➢ OMB, in coordination with NSC and DHS, will issue incident response best practices for use by Federal

agencies, incorporating lessons learned from past cybersecurity incidents to ensure future incidents are

mitigated in a consistent and timely manner. The best practices will serve as a living document to be

continuously updated.

➢ The National Institute of Standards and Technology (NIST) will provide updated guidance to agencies on how

to recover from cyber events.

➢ The Office of Personnel Management (OPM) and OMB will initiate several new efforts to improve Federal

cybersecurity workforce recruitment, hiring, and training and ensure a pipeline for future talent is put in place.

➢ The Chief Information Officer (CIO) Council will create an Emerging Technology Sub-Committee to facilitate

efforts to rapidly deploy emerging technologies at Federal agencies.

➢ The President’s Management Council (PMC) will oversee the implementation of the CSIP in recognition of the

key role Deputy Secretaries play in managing cybersecurity within their agencies.

➢ CIOs and Chief Information Security Officers will also have direct responsibility and accountability for the

implementation of the CSIP, consistent with their role of ensuring the identification and protection of their

agency’s critical systems and information.

Executive Order - Critical Infrastructure Cybersecurity

Background

Cybersecurity threats have exploited the increased complexity and connectivity of critical infrastructure systems,

placing the nation’s security, economy, and public safety and health at risk. Like financial and reputational risks, cybersecurity risk affects a company’s bottom line: it can drive up costs, reduce revenue, and harm an organization’s ability to innovate and to gain and keep customers.

To address these risks, in February 2013, the Obama Administration issued Executive Order 13636 (EO 13636),

Improving Critical Infrastructure Cybersecurity. EO 13636 directs the Executive Branch to:

• Develop a technology-neutral voluntary cybersecurity framework

• Promote and incentivize the adoption of cybersecurity practices

• Increase the volume, timeliness, and quality of cyber threat information sharing

• Incorporate strong privacy and civil liberties protections into every initiative to secure critical

infrastructure

• Explore the use of existing regulations to promote cybersecurity

EO 13636 defined critical infrastructure as:

“The vital systems and assets in the US such that the incapacity or destruction of such systems and assets would

have a debilitating impact on society, national economic security, national public health or safety, or any

combination of those matters.”

The critical infrastructure sectors include both public and private owners and operators. Members of each critical infrastructure sector perform functions that are supported by information technology (IT) and industrial control systems (ICS). This reliance on technology, communication, and the interconnectivity of IT and ICS has changed and expanded the potential vulnerabilities and increased the potential risk to operations.

US Critical Infrastructure

1. Chemicals
2. Commercial facilities
3. Communications
4. Critical manufacturing
5. Dams
6. Defense industrial base
7. Emergency services
8. Energy
9. Financial services
10. Food & agriculture
11. Government facilities
12. Healthcare & public health
13. Information technology
14. Nuclear reactors, materials, & waste
15. Transportation systems
16. Water & wastewater systems

Source: Department of Homeland Security - Critical Infrastructure Sector

EO 13636 directed the National Institute of Standards and Technology (NIST) to work with stakeholders in developing a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure. As a result, in February 2014, NIST released Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, commonly known as the Cybersecurity Framework (the Framework). The Framework is risk-based and serves as a foundation for organizations and for future cybersecurity regulations. It was created through collaboration between government and the private sector and uses a common language to address and manage cybersecurity risk cost-effectively, based on business needs. Moreover, it leverages and integrates industry-leading cybersecurity practices developed by organizations such as NIST and the International Organization for Standardization (ISO).

Summary of the Key Provisions

Baseline Framework to Reduce Cyber Risk to Critical Infrastructure

A central requirement of the EO was the establishment of a voluntary Cybersecurity Framework (the Framework) for reducing cyber risks to critical infrastructure entities. The EO directed NIST to lead the development of a Framework that would include a set of standards, methodologies, procedures, and processes that align with policy, business, and technological approaches to address cyber risks. To enable critical infrastructure entities to benefit from a robust, competitive market for cyber services and products, the Framework itself must be “technology-neutral.” In addition, to be consistent with the EO, the resulting Framework must also:

• Identify potential opportunities for improvement through future collaboration with particular critical infrastructure sectors and standards-making organizations;

• Provide guidance for measuring the performance of an entity implementing the voluntary Framework, and

• Include methodologies to identify and mitigate the impact of the Framework’s recommended cybersecurity measures or controls on business confidentiality and individual privacy and civil liberty concerns.

Although NIST is the designated lead for the development of the Framework, NIST engages extensively with other stakeholders and interested parties to ensure the process is collaborative. NIST summarized key stakeholder inputs shaping the development of the Framework, including:

• The language of the Framework and how it is communicated is critical to success;

• The fact that the Framework must reflect the characteristics of people, processes, and technologies;

• The fact that the Framework must be inclusive and not disruptive of good cyber practices currently in use;

• The fact that the Framework must include fundamental aspects;

• The fact that the determination of risk tolerance for critical infrastructure entities must be informed by national interests, and

• The fact that the threat information that is shared must inform the Framework implementation.

It is important to know that the Framework complements, and does not replace, an organization’s risk management and cybersecurity program. An organization can use its current processes to leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. In February 2014, NIST issued the Framework for Improving Critical Infrastructure Cybersecurity Version 1.0. Details of the Framework are discussed later in the “Cybersecurity Framework Best Practice: The NIST Framework” chapter.

The EO expressly requires NIST, consistent with its statutory responsibilities, to review and update the Cybersecurity Framework and related guidance “as necessary, taking into consideration technological changes, changes in cyber risks, operational feedback from owners and operators of critical infrastructure, experience from the implementation of the Framework, and any other relevant factors.”

Cybersecurity Information Sharing

The EO encouraged a renewed commitment to exchange information between critical infrastructure entities and the government. The goal was to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities. The EO delegated to DHS and the Director of National Intelligence the responsibility to develop the Enhanced Cybersecurity Services program. The goal here is to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity, and to establish processes for rapidly sharing those reports with the targeted entity. The program is a voluntary sharing program that permits critical infrastructure entities to exchange information with the government related to cyber threats.

DHS’s goal is to use the program to disseminate a broad range of sensitive and classified cyber threat information through DHS’s network of intra-government cybersecurity organizations. The information would be distributed to qualified Commercial Service Providers who are authorized to receive classified information, in order to help protect their customers.

However, cyber threat information exchange programs are facing the following challenges:

Challenges of Cyber Threat Information Exchange Programs

Reporting Liabilities: Although most of the programs include procedures to protect the anonymity of reporting companies, participants remain concerned about potential reporting liabilities. For example, companies are wary of the potential improper disclosure of sensitive or proprietary company information to other industry competitors, as well as the disclosure of threat or breach information in a manner that could cause reputational harm.

Exposure to Tort-Related Claims: Where incident reporting involves potential gaps or vulnerabilities in a third party’s hardware or software application (e.g., vulnerabilities in a server architecture or malware detection program), companies are highly concerned about the exposure to tort-related claims by the third-party manufacturer or developer.

Personal Privacy: Personal privacy risks also loom large in any discussion of voluntary disclosure programs, as threat disclosures often entail sharing consumer information and personal data with the Government.

Limitations to Share Classified Information: There are practical limitations on DHS’s and DoD’s ability to share classified intelligence with industry participants. Classification levels limit the audience’s capability to receive classified threat information and slow the process of disseminating the information.

The Limited Scope of Information Sharing: Whether the scope of the EO’s information-sharing program, which is limited to critical infrastructure entities, is too narrow and could unintentionally shift the frontline of the cyber battleground to smaller companies, where vendors and support contractors who do not fall under the protections of the EO could become unwitting “back doors” to the critical systems they serve.

Source: The Cybersecurity Executive Orders: Implementation Efforts in the First 250 Days

Cybersecurity Systems and Risk Reporting Act

HR 5069, Cybersecurity Systems and Risks Reporting Act, was introduced in the House in April 2016. The bill would have amended the Sarbanes-Oxley Act of 2002 (SOX) so that it applied to cybersecurity systems and cybersecurity systems officers. In general, requirements for “the principal financial officer or officers” would be extended to the “cybersecurity systems officer or officers”. The bill defines cybersecurity systems as:

“A set of activities or state, involving people, processes, data or technology, whereby the protection of an information system of the issuer is secured from, or defended against, damage, unauthorized use or modification, misdirection, disruption or exploitation.”

Here is what the bill proposed:

➢ The definition of an audit is changed by adding information systems to financial statements, i.e. auditing information systems and financial statements.

➢ The audit committee would be responsible for reviewing financial and cybersecurity systems reporting processes.

➢ The definition of professional standards would be modified to add cybersecurity systems standards and practices.

➢ Three new terms are defined: information systems, cybersecurity systems, and cybersecurity risk.

➢ Information systems are defined as a set of activities involving people, processes, data or technology which enable the user to obtain, generate, use and communicate information.

➢ Responsibility for information systems is added to the existing responsibility for financial reports.

➢ The same requirement is added for the principal cybersecurity systems officer.

➢ The assessment of information system controls is added to the assessment of other internal controls, requiring adequate internal control and cybersecurity systems structures and procedures for financial and information systems reporting.

➢ Disclosure of cybersecurity systems experts on the audit committee is required.

➢ The SEC is required to define “cybersecurity expert”.

➢ The SEC is required to review an issuer’s information systems and cybersecurity systems statements.

Although the bill did not pass in 2016, it is clear that the board and management need to be held accountable for managing cyber risk just as they are responsible for managing existing financial risks. Cyber risk is just another form of risk, which should be part of the financial audit process, especially when a cyber breach has a significant impact on the financial statements.

Real-World Case: Ukraine Power Grid Attack

The following case is extracted from the United Kingdom 2016 National Security Strategy.

A cyberattack on western Ukrainian electricity distribution companies Prykarpattya Oblenergo and Kyiv Oblenergo on December 23, 2015, caused a major power outage, with disruption to over 50 substations on the distribution networks. The region reportedly experienced a blackout for several hours and many other customers and areas sustained lesser disruptions to their power supplies, affecting more than 220,000 consumers.

The use of the BlackEnergy3 malware has been blamed by some for the attack after samples were identified on the network. At least six months before the attack, attackers had sent phishing emails to the offices of power utility companies in Ukraine containing malicious Microsoft Office documents. However, the malware was not likely to have been responsible for opening the circuit breakers which resulted in the outage. It is probable that the malware enabled the attackers to gather credentials that allowed them to gain direct remote control of aspects of the network, which would subsequently enable them to trigger the outage.

This Ukraine incident is the first confirmed instance of a disruptive cyberattack on an electricity network.

A Byte Out of History - $10 Million Hack, 1994-Style

www.fbi.gov Stories January 21, 2014

It was hardly the opening salvo in a new era of virtual crime, but it was certainly a shot across the bow.

Two decades ago, a group of enterprising criminals on multiple continents—led by a young computer programmer in St. Petersburg, Russia—hacked into the electronic systems of a major U.S. bank and secretly started stealing money. No mask, no note, no gun—this was bank robbery for the technological age.

Our case began in July 1994, when several corporate bank customers discovered that a total of $400,000 was missing from their accounts. Once bank officials realized the problem, they immediately contacted the FBI.

Hackers had apparently targeted the institution’s cash management computer system—which allowed corporate clients to move funds from their own accounts into other banks around the world. The criminals gained access by exploiting the telecommunications network and compromising valid user IDs and passwords.

Working with the bank, we began monitoring the accounts for more illegal transfers. We eventually identified approximately 40 illegal transactions from late June through October, mostly going to overseas bank accounts and ultimately adding up to more than $10 million. Meanwhile, the bank was able to get the overseas accounts frozen so no additional money could be withdrawn.

The only location where money was actually transferred within the U.S. was San Francisco. Investigators pinpointed the bank accounts there and identified the owners as a Russian couple who had previously lived in the country. When the wife flew into San Francisco and attempted to withdraw funds from one of the accounts, the FBI arrested her and, soon after, her husband. Both cooperated in the investigation, telling us that the hacking operation was based inside a St. Petersburg computer firm and that they were working for a Russian named Vladimir Levin. (See the sidebar for more on the San Francisco angle of the case from one of the agents who worked it.)

We teamed up with Russian authorities—who provided outstanding cooperation just days after a new FBI legal attaché office had been opened in Moscow—to gather evidence against Levin, including proof that he was accessing the bank’s computer from his own laptop. We also worked with other law enforcement partners to arrest two co-conspirators attempting to withdraw cash from overseas accounts; both were Russian nationals who had been recruited as couriers and paid to take the stolen funds that had been transferred to their personal accounts.

In March 1995, Levin was lured to London, where he was arrested and later extradited back to the United States. He pled guilty in January 1998.

Believed to be the first online bank robbery, the virtual theft and ensuing investigation were a needed wakeup call for the financial industry…and for law enforcement. The victim bank put corrective measures in place to shore up its network security. Though the hack didn’t involve the Internet, the case did generate media coverage that got the attention of web security experts. The FBI, for its part, began expanding its cybercrime capabilities and global footprint, steadily building an arsenal of tools and techniques that help us lead the national effort to investigate high-tech crimes today.

Reflections of a Case Investigator

Special Agent Andrew Black, who back in 1994 was part of a white-collar crime squad in the FBI’s San Francisco Office, recalled that he became involved in the New York-based investigation when it was discovered that some of the money moved out of the bank by the hacker ended up in several San Francisco bank accounts.

“At the time,” Black said, “we didn’t have a cybercrime team in the office, so the white-collar crime route seemed the most logical way to go.” He remembered that in August 1994, after identifying the owners of the bank accounts as Russian nationals Evygeny and Ekaterina Korlokova—who had an apartment in San Francisco—Ekaterina attempted to withdraw funds from one of the accounts. “Because the account had been frozen, she wasn’t able to get the money,” he said. Ekaterina went back to her apartment and started packing her bags. Black said when he and an FBI interpreter went to her residence to arrest her, her suitcases were in the hallway and she had a one-way ticket to Russia.

And where was her husband? Black said Evygeny had flown back to Russia, “leaving his young wife alone in the U.S. to withdraw the illegal funds from their bank accounts.” But Ekaterina, who agreed to cooperate in the investigation, managed to convince him to return—according to Black, she “read him the riot act over the phone…in Russian, of course.” He returned, was arrested, and agreed to cooperate as well.

Black remembered that the case garnered a great deal of attention at the time, “which was good because it resulted in a lot more focus on network security.” And after it ended, he gave presentations on it to raise general awareness of an emerging criminal threat. “There was a particularly high demand for the presentation from the banking industry,” he added. And in 1995, Black was asked to become a part of the San Francisco FBI’s newly formed computer intrusion squad…one of the Bureau’s first.

V. Cybersecurity Standards

Cybersecurity standards have existed for several decades. Users and providers of these standards have collaborated in many domestic and international forums. The standards are techniques or technologies that attempt to protect the cyber environment by reducing risks, including around the prevention or mitigation of cyberattacks. They may include tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, and technologies. Highlights of widely recognized cybersecurity standards are discussed in the following sections.

ISO/IEC 27001:2013

An information security management system (ISMS) preserves the confidentiality, integrity and availability of information by applying a risk management process. It provides confidence to interested parties that risks are adequately managed. The establishment and implementation of an organization’s ISMS are influenced by the organization’s needs and objectives, security requirements, the processes employed and the size and structure of the organization. All of these influencing factors are expected to change over time. Therefore, it is important that information security is considered in the design of an organization’s processes, information systems, and controls.

In October 2013, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the specialized system for worldwide standardization, published the latest version of ISO/IEC 27001:2013. The official title of the standard is Information technology − Security techniques − Information security management systems − Requirements, and it is part of the growing ISO/IEC 27000 family of standards.

• This latest version of ISO/IEC 27001 puts more emphasis on measuring and evaluating how well an organization’s ISMS is performing.

• There is also a new section on outsourcing, which reflects the fact that many organizations rely on third parties to provide some aspects of IT.

• In general, the latest version is relevant to the challenges of modern-day business. It is based on a high-level structure, which is a common framework for all revised and future ISO management system standards.

Mandatory Clauses and Controls

Clause 4: Context of the Organization (8 controls)

• Identify all external and internal issues relevant to the organization and its information, or information that is entrusted to it by third parties;

• Establish all interested parties and stakeholders and how they are relevant to the information;

• Identify requirements of interested parties, which could include legal, regulatory and/or contractual obligations;

• Define the scope of the ISMS, linked with the strategic direction of the organization, its core objectives and the requirements of interested parties, and

• Demonstrate to the organization how to establish, implement, maintain and continually improve the ISMS in relation to the standard.

Clause 5: Leadership (19 controls)

Top management demonstrates leadership and commitment by:

• Establishing the ISMS and information security policy, and

• Ensuring that the information security policy is compatible with the strategic direction of the organization and that these are made available, communicated, maintained and understood by all parties.

Clause 6: Planning (39 controls)

This clause:

• Outlines how an organization plans actions to address risks to information;

• Focuses on how an organization deals with information security risk, which needs to be proportionate to the potential impact the risks have, and

• Discusses the need to establish information security objectives; the standard defines the properties that information security objectives must have.

Clause 7: Support (28 controls)

This clause focuses on getting the right resources and the right infrastructure in place:

• All personnel should be aware of the information security policy, how they contribute to its effectiveness and the implications of not conforming;

• Internal and external communications relevant to information security and the ISMS are appropriately communicated, and

• Determine the level of documented information necessary to control the ISMS.

Clause 8: Operation (9 controls)

This clause is all about the execution of the plans and processes that are the subject of the previous clauses, such as:

• Dealing with the execution of the actions determined and the achievement of the information security objectives;

• Identifying and controlling outsourced processes and functions, and

• Dealing with the performance of information security risk assessments at planned intervals.

Clause 9: Performance Evaluation (29 controls)

This clause is all about monitoring, measuring, analyzing and evaluating the ISMS to ensure that it is effective and remains so.

Clause 10: Improvement (16 controls)

• How the organization reacts to nonconformities, takes action, corrects them, and deals with the consequences;

• How the organization will eliminate the causes of such nonconformities so they do not occur elsewhere, and

• Demonstrate continual improvement of the ISMS.

Total control points: 148

Since the publication of the 2005 version and its update in 2013, the number of ISO/IEC 27001 certificates granted has grown every year. For example, based on the annual ISO Survey of Management System Standard Certifications 2017, a total of 39,501 ISO 27001 certificates were issued, representing an increase of 19% from the previous year. There is a clear trend towards an increasing number of certifications, not only around the world but also in the U.S.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework (Framework) is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. Version 1.0 of the Framework, issued in February 2014, was prepared by the National Institute of Standards and Technology (NIST) with extensive private sector input. More than 3,000 people from diverse parts of industry, academia, and government participated in workshops and webinars around the country and helped to develop the Framework. The Framework was developed in response to Executive Order 13636, which outlines responsibilities for Federal Departments and Agencies to aid in Improving Critical Infrastructure Cybersecurity.

CIS Critical Security Controls

The Center for Internet Security (CIS) is dedicated to enhancing the cybersecurity readiness and response of public and private sector entities. Led by CIS, the CIS Critical Security Controls (CIS Controls), aimed at IT users worldwide, are a prioritized set of cyber practices created to stop today's most pervasive and dangerous cyberattacks. These include attacks like credit card breaches, identity theft, ransomware, theft of intellectual property, loss of privacy, and denial of service. The Controls align with and map to all of the major frameworks, such as the NIST Cybersecurity Framework, and regulations, and are validated by a community of leading global experts. According to CIS, organizations that apply just the first five CIS Critical Security Controls can reduce their risk of cyberattack by around 85%. Implementing all 20 CIS Controls increases the risk reduction to around 94%.

Top 5 CIS Controls

CSC 1: Inventory of Authorized & Unauthorized Devices

1.1 Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization’s public and private networks.

1.2 If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory.

1.3 Ensure that all equipment acquisitions automatically update the inventory system as new and approved devices are connected to the network.

CSC 2: Inventory of Authorized & Unauthorized Software

2.1 Devise a list of authorized software and versions that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses.

2.2 Deploy application whitelisting technology that allows systems to run software only if it is included in the whitelist and prevents execution of all other software on the system.

2.3 Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops.

CSC 3: Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations & Servers

3.1 Establish standard secure configurations of the organization’s operating systems and software applications.

3.2 Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise.

3.3 Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the image are possible.

CSC 4: Continuous Vulnerability Assessment and Remediation

4.1 Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risks.

4.2 Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results.

CSC 5: Controlled Use of Administrative Privileges

5.1 Minimize administrative privileges and only use administrative accounts when they are required.

5.2 Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.

Source: Center for Internet Security - The Critical Security Controls
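As an added illustration of CSC 1.2 (not from the course or from CIS), the script below reads DHCP server log lines, reconciles the leased MAC addresses against an authorized-device inventory, and reports devices that are not in the inventory or that present a hostname the inventory does not expect. The log format assumed is ISC dhcpd's syslog DHCPACK line; the sample log and the inventory are constructed.

```python
"""Reconcile DHCP server logs against an authorized-device inventory (CIS CSC 1.1/1.2).

Added example, not part of the course text. The log format follows ISC dhcpd's
syslog DHCPACK lines; the sample log and the inventory below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# ISC dhcpd DHCPACK line, e.g.:
#   Mar  3 08:01:13 dhcp1 dhcpd[2210]: DHCPACK on 10.0.1.20 to 00:1a:2b:3c:4d:5e (fin-laptop-07) via eth0
# The "(hostname)" part is only present when the client sent one.
DHCPACK_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd\[\d+\]: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$",
    re.IGNORECASE,
)

# Constructed sample log: one DISCOVER (ignored), five ACKs, one with no hostname.
SAMPLE_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd[2210]: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
Mar  3 08:01:13 dhcp1 dhcpd[2210]: DHCPACK on 10.0.1.20 to 00:1a:2b:3c:4d:5e (fin-laptop-07) via eth0
Mar  3 08:02:40 dhcp1 dhcpd[2210]: DHCPACK on 10.0.1.21 to 00:1a:2b:3c:4d:5f (hr-desktop-03) via eth0
Mar  3 08:05:02 dhcp1 dhcpd[2210]: DHCPACK on 10.0.1.55 to 7c:2e:bd:11:22:33 (android-9f3a) via eth0
Mar  3 09:15:31 dhcp1 dhcpd[2210]: DHCPACK on 10.0.1.22 to 00:1A:2B:3C:4D:5F (guest-pc) via eth0
Mar  3 09:20:00 dhcp1 dhcpd[2210]: DHCPACK on 10.0.1.60 to 00:1a:2b:3c:4d:60 via eth0
"""

# Constructed authorized inventory: MAC address -> expected hostname ("" if not recorded).
AUTHORIZED: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "fin-laptop-07",
    "00:1a:2b:3c:4d:5f": "hr-desktop-03",
    "00:1a:2b:3c:4d:60": "printer-02",
    "00:1a:2b:3c:4d:61": "nas-01",
}


@dataclass
class Lease:
    ts: str
    ip: str
    mac: str
    host: str
    iface: str


@dataclass
class Finding:
    mac: str
    ips: List[str]
    hosts: List[str]
    first_seen: str
    reason: str


def parse_dhcp_log(lines) -> List[Lease]:
    """Extract DHCPACK events; other dhcpd messages (DISCOVER, OFFER, ...) are ignored.
    MACs are lower-cased so that differently cased log entries group together."""
    leases = []
    for line in lines:
        m = DHCPACK_RE.match(line.strip())
        if m:
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases


def reconcile(leases: List[Lease], inventory: Dict[str, str]) -> List[Finding]:
    """Flag MACs absent from the inventory, and inventoried MACs that presented a hostname
    other than the recorded one (a re-imaged device, or someone reusing a known MAC)."""
    by_mac: Dict[str, List[Lease]] = {}
    for lease in leases:
        by_mac.setdefault(lease.mac, []).append(lease)
    findings = []
    for mac, ls in by_mac.items():
        ips = sorted({l.ip for l in ls})
        hosts = sorted({l.host for l in ls if l.host})
        if mac not in inventory:
            findings.append(Finding(mac, ips, hosts, ls[0].ts, "MAC not in authorized inventory"))
            continue
        expected = inventory[mac]
        unexpected = [h for h in hosts if expected and h != expected]
        if unexpected:
            reason = f"hostname {unexpected} differs from inventory ({expected})"
            findings.append(Finding(mac, ips, hosts, ls[0].ts, reason))
    return findings


def unobserved(leases: List[Lease], inventory: Dict[str, str]) -> List[str]:
    """Inventoried MACs with no lease in the log window: a stale inventory entry or an offline device."""
    seen = {l.mac for l in leases}
    return sorted(mac for mac in inventory if mac not in seen)


def run_sample() -> List[Finding]:
    return reconcile(parse_dhcp_log(SAMPLE_LOG.splitlines()), AUTHORIZED)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.mac}  first seen {f.first_seen}  ips={f.ips}  hosts={f.hosts}  -> {f.reason}")
    print("inventoried but not observed:", unobserved(parse_dhcp_log(SAMPLE_LOG.splitlines()), AUTHORIZED))
```

In production the log lines would come from the DHCP server's syslog feed and the inventory from the asset database referenced in CSC 1.1; devices reported as unauthorized are candidates for network quarantine and inventory follow-up rather than automatic blocking.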

ETSI − ICT Standards

ETSI, the European Telecommunications Standards Institute, produces globally applicable standards for Information and Communications Technologies (ICT), including fixed, mobile, radio, converged, broadcast and internet technologies. ETSI is officially recognized by the European Union as a European Standards Organization. Although ETSI was initially founded to serve European needs, it has become highly respected as a producer of technical standards for worldwide use. ETSI has more than 800 member organizations drawn from 66 countries. Members include the world’s leading companies and innovative R&D organizations. Examples of leading companies from the U.S. include Oracle Corporation, BROADCOM CORPORATION, SPRINT Corporation, and MITRE Corporation.

Growing dependence on networked digital systems has brought with it an increase in both the variety and quantity of cyber threats. The different methods governing secure transactions in various countries make it difficult to assess their respective risks and ensure adequate security. In 2014, ETSI set up a technical committee on cybersecurity, known as TC CYBER, to address the growing demand for standards in this field. TC CYBER is responsible for the international standardization of cybersecurity. The activities of TC CYBER include the development of standards in the following areas:

• Cybersecurity;

• Security of infrastructures, devices, services, and protocols;

• Security advice, guidance and operational security requirements to users; and

• Security tools and techniques to ensure security.

ETSI produces the following specifications, standards, and guides, each with its own particular purpose:

Different Types of ETSI Standards

European Standard: Used when the document is intended to meet needs specific to Europe and requires transposition into national standards, or when the drafting of the document is required under a mandate from the European Commission / European Free Trade Association.

ETSI Standard: Used when the document contains technical requirements.

ETSI Guide: Used for guidance to ETSI in general on the handling of specific technical standardization activities.

ETSI Technical Specification: Used when the document contains technical requirements and it is important that it is available for use quickly.

Source: www.etsi.org/standards/different-types-of-etsi-standards

Review Questions - Section 2

7. Which of the following standards is primarily used by organizations that handle branded credit cards, such as

Visa, MasterCard, and American Express?

A. NIST Framework

B. The Standard of Good Practice

C. Payment Card Industry Data Security Council Standard

D. ISO/IEC 27001:2013

8. All of the following are TRUE related to security framework adoption EXCEPT:

A. Security frameworks are used by a broad range of industries

B. Most organizations use a single security framework in their security program

C. Best practice drives the NIST Framework adoption

D. Many organizations plan to adopt additional frameworks with the NIST Framework heading the list

9. Which of the following is NOT one of the top five CIS Critical Security Controls?

A. Perform an inventory of all devices

B. Perform an inventory of all software

C. Establish security configuration

D. Email and Web browser protection

VI. SEC Enforcement Action

As a result of increasing cyberattacks on SEC registrants, the SEC has dramatically increased its focus on the adoption and implementation of cybersecurity policies and procedures. Since 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has developed a series of actions to address rising concerns about cybersecurity threats. OCIE has published two Risk Alerts on cybersecurity. The SEC has published a guidance update on cybersecurity and also hosts a Cybersecurity Roundtable. In September 2015, OCIE announced its plan to conduct another cybersecurity analysis to collect information on how widely firms have implemented cybersecurity procedures and controls. The SEC has also signaled an intent to expand its efforts beyond financial institutions subject to extensive SEC oversight (such as broker-dealers and investment advisers) to all publicly traded companies. In addition, cybersecurity remains a top concern on the SEC’s examination priority list, especially with regard to internal security program assessment and evaluation. The following section discusses the SEC’s focus on how financial firms address cybersecurity risks and its 2016 examination priorities list.

The SEC’s Focus on Cybersecurity

SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies & Procedures

As companies increasingly depend on digital technologies to conduct their operations, the risks associated with cybersecurity have also increased, resulting in more frequent and severe cyber incidents.

The SEC has become more active on cybersecurity issues in recent years. It visibly entered the cybersecurity enforcement arena in 2011, in the wake of several high-profile data security breaches, in response to concerns that public companies may not have been providing adequate disclosures about cyber incidents.

In September 2015, the SEC issued a cease-and-desist order (the “Order”) and settled charges against R.T. Jones Capital Equities Management (“R.T. Jones”) for failing to establish required policies and procedures to safeguard customer information in violation of Rule 30(a) of Regulation S-P (“Rule 30(a)”) under the Securities Act of 1993. Rule 30(a) requires:

“Every broker, dealer, investment company and registered investment adviser to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and to protect customer information from anticipated threats or unauthorized access.”

According to the Order, from September 2009 to July 2013, R.T. Jones stored personal information of its clients and other persons on its third-party-hosted web server without adopting such written policies and procedures. In July 2013, a hacker gained access to the data on R.T. Jones’ web server, rendering the personal information of more than 100,000 individuals vulnerable to theft. The Order specifically notes that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt customer information stored on its server, or maintain a response plan for cybersecurity incidents.

The Order’s emphasis on cybersecurity highlights the SEC’s heightened focus on the adoption and implementation of cybersecurity policies and procedures by registered investment advisers.

Source: SEC Press Release - SEC Charges Investment Adviser with Failing to Adopt Proper Cybersecurity Policies & Procedures


SEC Cybersecurity Initiative

Background

In March 2014, the SEC sponsored and invited industry representatives to a Cybersecurity Roundtable to underscore the importance of cybersecurity. Chair Mary Jo White emphasized the “compelling need for stronger partnerships between the government and private sector to address cyber threats.” In April 2014, OCIE published a Risk Alert, OCIE Cybersecurity Initiative, announcing a series of examinations of more than 50 registered broker-dealers and investment advisers. The OCIE examinations were designed to:

1. Identify cybersecurity risks;
2. Assess cybersecurity preparedness; and
3. Obtain information about the industry’s recent experience with certain types of cyber threats.

The examinations were focused on the following areas:

✓ The Entity’s Cybersecurity Governance;

✓ Identification and Assessment of Cybersecurity Risks;

✓ Protection of Networks and Information;

✓ Risks Associated with Remote Customer Access and Funds Transfer Requests;

✓ Risks Associated with Vendors and other Third Parties;

✓ Detection of Unauthorized Activity, and

✓ Experiences with Certain Cybersecurity Threats

In February 2015, OCIE published summary observations of the findings from these examinations, Cybersecurity Examination Sweep Summary, reflecting the legal, regulatory and compliance issues relating to cybersecurity in the securities industry. In September 2015, the SEC issued a Risk Alert, OCIE’s 2015 Cybersecurity Examination Initiative, announcing that OCIE would be conducting a new Cybersecurity Examination Initiative focused on key topics such as:

• Governance and Risk Assessment;
• Access Rights and Controls;
• Data Loss Prevention;
• Vendor Management;
• Training; and
• Incident Response.

The following sections highlight the observations of the examinations resulting from the Cybersecurity Examination Initiative and the targeted areas for its second round of cybersecurity examinations.


Cybersecurity Examination Sweep Summary

To better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity (the Cybersecurity Examination Initiative), OCIE’s National Examination Program staff (the staff) examined 57 registered broker-dealers and 49 registered investment advisers in 2014. Through these examinations, the staff collected and analyzed information from the selected firms relating to their practices around:

Cybersecurity Examination Scope

• Identifying risks related to cybersecurity;

• Establishing cybersecurity governance, including policies, procedures, and oversight processes;

• Protecting firm networks and information;

• Identifying and addressing risks associated with remote access to client information and funds transfer requests;
• Identifying and addressing risks associated with vendors and other third parties; and
• Detecting unauthorized activity.

Source: National Exam Program Risk Alert Volume IV Issue 4, February 3, 2015

In addition to reviewing the related documents, the staff interviewed key personnel at each firm regarding its:

✓ Business and operations;

✓ Detection and impact of cyberattacks;

✓ Preparedness for cyberattacks;

✓ Training and policies relevant to cybersecurity, and

✓ Protocol for reporting cyber breaches

In 2015, OCIE published the following observations from the examinations conducted under the Cybersecurity Examination Initiative:


Summary Examination Observations

➢ The vast majority of examined broker-dealers (93%) and advisers (83%) have adopted written information security policies. Most of the broker-dealers (89%) and the majority of the advisers (57%) conduct periodic audits to determine compliance with these information security policies and procedures.

o Written policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents. The policies and procedures of only a small number of the broker-dealers (30%) and the advisers (13%) contain such provisions, and even fewer of the broker-dealers (15%) and the advisers (9%) offered security guarantees to protect their clients against cyber-related losses.

o Many firms are utilizing external standards and other resources to model their information security architecture and processes. Most of the broker-dealers (88%) and many of the advisers (53%) reference published cybersecurity risk management standards, such as those published by NIST, ISO, and the Federal Financial Institutions Examination Council (FFIEC).

➢ The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. These broker-dealers (93%) and advisers (79%) reported considering such risk assessments in establishing their cybersecurity policies and procedures.

o Fewer firms apply these requirements to their vendors. A majority of the broker-dealers (84%) and approximately a third of the advisers (32%) require cybersecurity risk assessments of vendors with access to their firms’ networks.

➢ Most of the examined firms reported that they have been the subject of a cyber-related incident. A majority of the broker-dealers (88%) and the advisers (74%) stated that they have experienced cyberattacks directly or through one or more of their vendors. The majority of the cyber-related incidents are related to malware and fraudulent emails.

➢ Many examined firms identify best practices through information-sharing networks. Almost half of the broker-dealers (47%) were members of industry groups, associations, or organizations (both formal and informal) that exist for the purpose of sharing information regarding cybersecurity attacks and identifying effective controls to mitigate harm.

➢ The vast majority of examined firms report conducting firm-wide inventorying, cataloging, or mapping of their technology resources.

➢ Almost all the examined broker-dealers (98%) and advisers (91%) make use of encryption in some form.

Source: National Exam Program Risk Alert Volume IV Issue 4, February 3, 2015


Areas of Focus for Cybersecurity Examinations

In light of recent cybersecurity breaches and continuing cybersecurity threats against financial services firms, the second round of the Cybersecurity Examination Initiative will focus on the following areas:

Cybersecurity Examination Initiative Targeted Areas

Governance & Risk Assessment. Examiners may:
✓ Assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below;
✓ Assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business; and
✓ Review the level of communication to and involvement of senior management and boards of directors.

Access Rights and Controls. Examiners may review how firms control access to various systems and data via the management of user credentials, authentication, and authorization methods. This may include a review of controls associated with:
✓ Remote access;
✓ Customer logins;
✓ Passwords;
✓ Firm protocols to address customer login problems; and
✓ Network segmentation and tiered access.

Data Loss Prevention. Examiners may assess how firms:
✓ Monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads; and
✓ Monitor for potentially unauthorized data transfers. Examiners may also review how firms verify the authenticity of a customer request to transfer funds.

Vendor Management. Examiners may:
✓ Focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms; and
✓ Assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process, as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.

Training. Examiners may:
✓ Focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior; and
✓ Review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.

Incident Response. Examiners may assess whether firms have:
✓ Established policies;
✓ Assigned roles;
✓ Assessed system vulnerabilities; and
✓ Developed plans to address possible future events.

Source: National Exam Program Risk Alert Volume IV Issue 8, September 15, 2015


In sharing the key focus areas for the Cybersecurity Examination Initiative, the National Exam Program hoped to encourage registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity.

According to the SEC’s 2019 Examination Priorities, examinations will focus on, among other things, proper configuration of network storage devices, information security governance generally, and policies and procedures related to retail trading information security. Specific to investment advisers, OCIE will emphasize cybersecurity practices at investment advisers with multiple branch offices, including those that have recently merged with other investment advisers, and will continue to focus on, among other areas, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.



Cybersecurity Guidance No. 2015-02

Both registered investment companies (funds) and registered investment advisers (advisers) increasingly use technology to conduct their business activities. Due to the rapidly changing nature of the business environment and cyber threats, the SEC Division of Investment Management continues to focus on cybersecurity and monitor events in this area. In April 2015, the Division issued IM Guidance Update No. 2015-02 (the Guidance) to highlight the importance of the cybersecurity issues faced by funds and advisers. The Guidance stated that funds and advisers need to actively manage their cybersecurity risks and be prepared to respond in the event of a cyberattack.

In the Division’s view, failure to mitigate exposure to compliance risk associated with cyber threats through compliance policies and procedures could constitute a violation of the rules under the U.S. Investment Advisers Act of 1940. The U.S. Investment Company Act of 1940 requires funds and advisers to adopt and maintain written policies and procedures designed to assure compliance with federal securities laws. These rules also require annual reviews to ensure that the policies and procedures are effectively implemented. Similarly, the Guidance states that failure to mitigate harm from cyberattacks that expose personal identification information, or that prevent investors from exercising their legal rights, could be a violation of the SEC’s identity theft red flag rules or Section 22(3) of the Investment Company Act. The Guidance also states that funds and advisers need to protect confidential and sensitive information related to these activities from third parties, including information concerning fund investors and advisory clients. In conclusion, the Guidance reinforced a regulatory trend: cybersecurity standards once viewed as best practices now carry the force of law.

The following section discusses the key measures, including risk mitigation; prevention, detection and response to threats; and written policies/procedures and training, that funds and advisers may consider when managing cybersecurity risks.

Risk Mitigation

The Guidance indicated that an effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk. Funds and advisers should therefore conduct a periodic assessment of the following factors:

• The nature, sensitivity, and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
• Internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
• Security controls and processes currently in place;


• The impact should the information or technology systems become compromised, and

• The effectiveness of the governance structure for the management of cybersecurity risk

Prevention, Detection, and Response to Threats

In addition to mitigating risks, the Guidance indicated that funds and advisers should create a strategy designed to prevent, detect and respond to cybersecurity threats. Such a strategy should address the following matters:

1. Controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening;
2. Data encryption;
3. Protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
4. Data backup and retrieval; and
5. The development of an incident response plan.

A firm’s obligations do not stop at the front door. Nearly all funds and advisers rely on third-party vendors and service providers to carry out their daily operations, and a cyberattack on one of those third parties may have the same impact as an attack on the firm itself. Therefore, the Guidance highlighted the importance of assessing third-party vendors’ cybersecurity policies and procedures, including the use of contractual provisions to ensure a minimum level of compliance.

Policies and Procedures and Training

To ensure that fund officers and employees understand cybersecurity risks and how to respond to related incidents, firms should implement policies and procedures and conduct regular training. Firms should also consider how to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.


Cybersecurity Disclosure Obligations

Background

The federal securities laws are in part designed to encourage the disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. The SEC has made clear that material cybersecurity risks and incidents should be disclosed to investors. Companies must disclose in their public filings the risks associated with cyberattacks as well as any potential material effect on their financial statements. However, the determination of what is material, as well as when and how to disclose it, is less clear. As a result, the SEC Division of Corporation Finance issued guidance in October 2011 on how disclosures about cybersecurity matters should be tailored to each registrant’s specific facts and circumstances. This chapter discusses the SEC’s focus on public companies’ disclosure obligations regarding cybersecurity risks and cyber incidents.

An Overview of CF Disclosure Guidance − Topic No. 2

In October 2011, prompted by recent high-profile data security breaches in the public and private sectors, the SEC Division of Corporation Finance issued disclosure guidance on cybersecurity risks and cyber incidents as part of its Corporation Finance Disclosure Guidance series (CF Guidelines). The following sections provide an overview of specific disclosure obligations.

On February 21, 2018, in response to the increasing significance of cybersecurity incidents, the SEC issued much-anticipated interpretive guidance on cybersecurity disclosure. The guidance affirms and expands upon the 2011 cybersecurity disclosure guidance issued by the staff of the Division of Corporation Finance. The new guidance also notably addresses the importance of the board’s role in overseeing the management of cybersecurity risks, the need for corporate cybersecurity policies and procedures, considerations concerning potential insider trading prohibitions for companies investigating potential breaches, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.

Risk Factors

In determining whether the disclosure of risk factors is required, registrants are expected to evaluate their cybersecurity risks and take into account all available relevant information, including:

• The occurrence of prior cybersecurity incidents, including their severity and frequency;

• The probability of the occurrence and potential magnitude of cybersecurity incidents;


• The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
• The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
• The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
• The potential for reputational harm;
• Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
• Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

Cybersecurity risk disclosure must adequately describe the nature of the material risks and specify how each risk affects the registrant, consistent with Regulation S-K Item 503(c). Registrants should avoid generic risk factor disclosure. Appropriate disclosure may include the following information:

1. Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences
2. Description of outsourced functions with material risks and how those risks are addressed
3. Description of material cybersecurity incidents experienced in the aggregate or individually, as well as their costs and consequences
4. Risks related to cybersecurity incidents that may remain undetected for an extended period
5. Description of relevant insurance coverage

A registrant may need to disclose specific cybersecurity incidents in order to put its risk disclosure in context. For example, if a registrant experienced a material cyberattack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences. If a breach is deemed non-material by a company, the company may still receive a comment from the SEC asking for an explanation of why it was not considered material. Examples of common SEC comments include:

• “Please include appropriate risk factor disclosure regarding the online nature of your business, with particular attention to the cyber-security issues and web server maintenance.”
• “Please expand your risk factor disclosure to describe the cybersecurity risks that you face or tell us why you believe such disclosure is unnecessary.”
• “We note your disclosure regarding [a security breach]. In future filings please disclose in this section and in the ‘Liquidity and Capital Resources’ section”

Registrants may consider the following best practices regarding risk factor disclosure:

1. Disclosing any specific/material cybersecurity breaches that have occurred

2. Explaining how the company has dealt with the breaches


3. Listing the specific types of cybersecurity risks (e.g. viruses, intruders, operational disruption)

4. Including cybersecurity risks under their own separate and stand-alone category heading

5. Providing the specific reason(s) why cybersecurity risk could be material

6. Including the potential consequences from a cybersecurity breach

7. Indicating whether the company has taken steps to handle cybersecurity breaches (e.g. insurance coverage)

Appendix A demonstrates how companies disclose the risk factors.

It is important to know that the federal securities laws do NOT require disclosure that itself would compromise a registrant’s cybersecurity. Instead, registrants should provide sufficient information to allow investors to understand the nature of the risks faced by the registrant, without exposing specific weaknesses.

MD&A

Registrants should address cybersecurity risks and cyber incidents in the MD&A section of their Form 10-K and Form 10-Q if the costs or other consequences represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s operations, liquidity, or financial condition. For example, if material intellectual property is stolen in a cyberattack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition, and whether the attack would cause reported financial information not to be indicative of future operating results. If it is reasonably likely that the attack will lead to reduced revenues or to an increase in cybersecurity protection costs, including litigation costs, the registrant should discuss these possible outcomes, including the amount and duration of the expected costs, if material.

Appendix B demonstrates how a company disclosed a data breach that represented a material event.

Description of Business

A registrant should provide adequate disclosure in Item 101 of Regulation S-K if one or more cyber incidents materially affect the registrant’s products, services, relationships with customers or suppliers, or competitive conditions. In determining whether to include a related disclosure, registrants should consider the impact on each of their reportable segments. For example, if a registrant has a new product in development and learns of a cyber incident that could materially impair its future viability, the registrant should discuss the incident and the potential impact to the extent it would be material.

Legal Proceedings

A registrant may need to disclose information regarding litigation in Item 103 of Regulation S-K if a material pending legal proceeding, to which the registrant or any of its subsidiaries is a party, involves a cyber incident. For example, if a significant amount of customer information is stolen, resulting in material litigation, the registrant should disclose the name of the court in which the proceedings are pending, the date instituted, the principal parties, a description of the factual basis alleged to underlie the litigation, and the relief sought.


Financial Statement Disclosures

Cybersecurity risks and cybersecurity incidents may have a broad impact on the financial statements, depending on the nature and severity of the potential or actual incident. In general, financial statement disclosures include:

1. Costs incurred to prevent cybersecurity incidents

2. Costs incurred to mitigate damages from a cybersecurity incident

3. Losses from asserted and unasserted claims

4. Diminished future cash flows

5. Impairment of assets

This section summarizes the registrants’ obligations regarding cybersecurity incidents for financial statement disclosure.

Prior to a Cybersecurity Incident

Registrants may incur substantial costs to prevent cybersecurity incidents. Accounting for the capitalization of these costs is addressed by Accounting Standards Codification (ASC) 350-40, Internal-Use Software, to the extent that such costs are related to internal-use software.

During and After a Cybersecurity Incident

Registrants may seek to mitigate damages from a cybersecurity incident by providing customers with incentives to maintain the business relationship. Registrants should consider ASC 606-10, Revenue from Contracts with Customers, to ensure appropriate recognition, measurement, and classification of these incentives.

Cybersecurity incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts. Registrants should refer to ASC 450-20, Loss Contingencies, to determine when to recognize a liability if those losses are probable and reasonably estimable.

Cybersecurity incidents may also diminish future cash flows, requiring consideration of impairment of certain assets, including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory. Registrants may not immediately know the impact of a cybersecurity incident and may be required to develop estimates to account for the various financial implications. Examples of estimates that may be affected by cybersecurity incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue.

Appendix C demonstrates how a company disclosed the impact of a cybersecurity incident on financial statements.

Disclosure Controls and Procedures

Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To

the extent cybersecurity incidents pose a risk to registrant’s ability to record, process, summarize, and report

information that is required to be disclosed in Commission filings, management should also consider whether


there are any deficiencies in its disclosure controls and procedures that would render them ineffective. If a

cybersecurity breach occurs or new risks arise in between periodic reporting requirements, companies should

consider whether disclosing such information on a Form 8-K is appropriate. Companies should disclose this

information if the cybersecurity incident or newly presented cybersecurity risk affects the accuracy and

completeness of previous filings.


Appendix D demonstrates how a company disclosed its cybersecurity incident in between periodic reporting

requirements.


Review Questions - Section 3

10. Which of the following measures ensures that employees understand cybersecurity risks and know how to

respond to incidents, in accordance with the SEC Division of Investment Management Guidance Update No.

2015-02?

A. Prevention, Detection, and Response

B. Policies, Procedure, and Training

C. Adequate Infrastructure Funding

D. Risk Mitigation

11. Which of the following is NOT a key aspect of the SEC Division of Investment Management Guidance Update

No. 2015-02?

A. Prevention, Detection, and Response

B. Policies, Procedure, and Training

C. Adequate Infrastructure Funding

D. Risk Mitigation

12. Depending on the circumstances, disclosures of cyber risks and cybersecurity incidents may be required for

public companies in all of the discussions EXCEPT?

A. Risk factors

B. Description of business

C. Proceedings

D. Design of secure system configurations

13. Which of the following forms is used for disclosure of a cyber incident that materially affects the company’s

relationships with customers?

A. Form 10-K

B. Form 8-K

C. Form 10-Q

D. Regulation S-K


VII. Cybersecurity Risk Management

Cyber risks must be identified, understood, quantified, and planned for in the same way as any other potential

business threat or disruption, such as a natural disaster, with a response plan, roles and responsibilities,

monitoring and scenario planning. Too many organizations are taking an ad hoc approach to managing their risks

and vulnerabilities, and it exposes them to greater threats. Company leaders and boards can no longer afford to

view cybersecurity as a technology problem because the likelihood of a cyberattack is an enterprise risk

management issue.

According to the World Economic Forum Global Risk Landscape 2018, cyberattacks were rated the 7th most likely

global risk to occur out of 50 potential risks. Key elements of effective cybersecurity risk management are

discussed in the following sections, including threats and vulnerabilities awareness, understanding cyber risks,

implementation of an effective framework, detection of and response to cyberattacks, and establishment of cyber

risk roles and responsibilities.

Top 10 World Economic Forum Global Risk

1. Unemployment or underemployment

2. Fiscal crises

3. Failure of national governance

4. Energy price shock

5. Profound social instability

6. Failure of financial mechanism or institution

7. Cyberattacks

8. Interstate conflict

9. Terrorist attacks

10. Unmanageable inflation

Source: World Economic Forum Global Risk Landscape 2018

Figure: Cybersecurity Risk Management. Elements: Recognize Threats & Vulnerabilities; Understand Cyber Risks;

Implement an Effective Framework; Detect & Respond to Cyberattacks; Define Cyber Risk Roles & Responsibilities.


Recognize Threats and Vulnerabilities

The Cyber Criminal Profile

Cyber attackers are continuously changing tactics, increasing their persistence and expanding their capabilities,

and the nature of the cyber threats has evolved from unsophisticated attacks to state-sponsored attacks. Attacks

in the form of hacktivism, corporate espionage, insider and nation-states threats, terrorism, and criminal activity

can cost an organization time, resources, and irreparable harm to its reputation. The ongoing evolution of

cybersecurity threats from script kiddies to sponsored attacks is demonstrated by the following table.

Unsophisticated attackers (Script Kiddies)

Experimentation: You are attacked because you are on the internet and have a vulnerability.

Sophisticated attackers (Hackers)

Monetization: You are attacked because you are on the internet and have information of value.

Corporate espionage (Insiders)

Your current or former employee seeks financial gain from selling your intellectual property.

State-sponsored attacks (Advanced Persistent Threats), hacktivism, identity thefts

- You are targeted because of who you are, what you do, or the value of your intellectual property.

- Cyberattacks to promote political ends, such as hacktivism. The theft of personally identifiable information

(PII) is increasing.

Source: EY - Cyber Program Management: Identifying ways to get ahead of cybercrime, 2014

Today, organizations are exposed to ultra-sophisticated attackers who deploy increasingly targeted malware

against systems in multistage attacks. These attacks are the work of Advanced Persistent Threat (APT) actors, the

most significant and challenging threats, who aim to support their own businesses by providing them with

innovative technology or a competitive edge over their competition. McAfee describes APTs as:

“More insidious and occur largely without public disclosures. They present a far greater threat to companies and

governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is

that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the

immediate financial gratification that drives much of cybercrime, another serious but more manageable threat”

APTs conduct activity largely supported, directly or indirectly, by a nation-state. APTs target carefully selected,

high-value data in every industry, from aerospace to wholesalers, education to finance. These threat actors may

further seek to understand supply chains, manufacturing processes, and programmatic business details to

replicate these processes or identify weaknesses.

(Timeline shown along the evolution table above: 1980s/1990s, 1980s/1990s, 20xx)

The following table lists the profiles of threat actors, including their motives, targets, and impact.


Profiles of Threat Actors (Actors, Motives, Target, Impact)

Nation States

Motives:
➢ Economic, political, and/or military advantage
➢ Espionage and ideological

Target:
• Trade secrets
• Sensitive business information
• Emerging technologies
• Critical infrastructure

Impact:
− Loss of competitive advantage
− Disruption to critical infrastructure

Organized Crime

Motives:
➢ Immediate financial gain
➢ Collect information for future financial gains

Target:
• Financial/Payment systems
• Personally identifiable information
• Payment card information
• Protected health information

Impact:
− Costly regulatory inquiries and penalties
− Consumer and shareholder lawsuits
− Loss of consumer confidence

Hacktivists

Motives:
➢ Influence political and/or social change
➢ Pressure business to change their practices

Target:
• Corporate secrets
• Sensitive business information
• Information related to key executives, employees, customers and business partners

Impact:
− Disruption of business activities
− Brand and reputation
− Loss of consumer confidence

Insiders

Motives:
➢ Personal advantage, monetary gain
➢ Professional revenge
➢ Patriotism

Target:
• Sales, deals, market strategies
• Corporate secrets, IP, R&D
• Business operations
• Personnel information

Impact:
− Trade secret disclosure
− Operational disruption
− Brand and reputation
− National security impact

Source: PwC, Answering Your Cybersecurity Questions, 2014

To focus resources and maximize security, organizations should first identify the most likely sources of attack:

internal and external. Details are discussed in the following sections.


Internal Threats

Internal threats to information run from the inadvertent (simple user error, loss of mobile devices) to the malicious

(internal fraud, data theft). In general, internal intruders are users with privileges or authorized access to a system

with an account on a server or with physical access to the network. The Internet Security Glossary describes “Inside

Attack” as an attack initiated by an entity inside the security perimeter. An insider threat may come from a current

or former employee, contractor, or other business partner who has or had authorized access to an organization’s

network, system, or data, and intentionally misused that access in a manner that negatively affected the

confidentiality, integrity, or availability of the organization’s information or computer systems.

Malicious Insiders

Insider threats can be difficult to defend against because the perpetrators misuse the access privileges they

obtained for legitimate business functions. Employees, contractors, advisers and those in the supply chain are

often within the security firewalls of organizations, with authority to access technology and use and distribute

data. Recent statistics reveal that privilege abuse is the leading cause of data leakage by malicious insiders.

Malicious insiders are trusted employees of an organization who have access to critical systems and data. Insiders

usually include system administrators, end-users, executives and managers, each with different objectives. For

example, system administrators abuse access privileges and smuggle exfiltrated data out on unapproved devices,

while end-users are often involved in accidental data loss. Together they pose the greatest threat. A Ponemon study

revealed that it takes the most amount of time, on average, to resolve attacks from malicious insiders, malicious

code and web-based attackers. Malware, viruses, and botnets on average are resolved relatively quickly. The time

it takes to resolve the consequences of the attack increases the cost of cybercrime.

Source: Ponemon Institute, 2015 Cost of Cyber Crime Study

Figure: Average Days to Resolve Cyberattacks (bar chart; values in days)

Malicious insiders: 54.4
Malicious code: 47.5
Web-based attacks: 27.7
Phishing & social engineering: 21.9
Denial of service: 19.3
Stolen devices: 12.3
Malware: 5.8
Viruses, worms, trojans: 2.4
Botnets: 2.2

Malicious insiders can cause financial and reputational damage through the theft of sensitive data and intellectual

property. They can also pose a destructive cyber threat if they use their privileged knowledge, or access, to

facilitate, or launch, an attack to disrupt or degrade critical services on the network. The CERT Insider Threat

Center suggests that the following employees pose the greatest insider threat risk:

• Disgruntled employees who feel disrespected and are seeking revenge;

• Profit-seeking employees who believe that they can make more money by selling stolen intellectual

property;

• Employees moving to a competitor or starting a business who, for example, steal customer lists or

business plans to give themselves a competitive advantage, and

• Employees who believe they own the intellectual property that they helped develop. As a result, they take

the intellectual property with them when they leave the organization.

Real-World Case: South Korean Credit Bureau

The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016

The personal data of at least 20 million bank and credit card users in South Korea was stolen from three credit

card firms by a temporary consultant working with the personal credit ratings firm Korean Credit Bureau (KCB).

The stolen data, which was sold to phone marketing companies, included customers' names, social security

numbers, phone numbers, credit card numbers, and expiration dates. In the fallout over the theft, dozens of top

executives tendered their resignations, regulators launched investigations into security measures at the affected

firms, and the companies were held liable for full financial losses if customers fell victim to scams related to the

data theft.

Careless Employees

According to EY, careless or unaware employees are the top vulnerability perceived by organizations based on its

Global Information Security Survey results. Those insiders or employees accidentally cause cyber harm through

inadvertent clicking on a phishing email, plugging an infected USB stick into a computer, or ignoring security

procedures and downloading unsafe content from the internet. A significant number of data losses and security

breaches still occur from unintentional events (e.g. innocent mistakes, poor internal security practice), such as

laptops and storage mediums (e.g. thumb drives, flash drives, CDs, DVDs) being inadvertently lost or

compromised, wrong files being attached to emails, or emails inadvertently sent to the wrong recipients. In

addition, cases of lost or stolen laptops holding sensitive data are reported almost daily.

External Threats

External perpetrators, well-funded, persistent and sophisticated, are people who do not belong to the network

domain. Increasingly, people and processes are as much of a target as technology. Cybercriminals are motivated

to evolve as quickly as possible, and responses must be equally agile to keep pace. Public and social media websites

are the most common places where users can be deceived by hackers. An organization’s constant connectivity to

the internet exposes it to a hostile environment of rapidly evolving threats. Moreover, operating systems used on

laptops, PCs, and mobile phones have common and known vulnerabilities exploitable by attackers.

Government agencies are responsible for security-sensitive data that is growing more exposed to public access.

The existence of this information presents an opportunity for cybercriminals to use it for identity theft and fraud

purposes. And financial institutions remain a constant target for cybercriminals because the organizations rely on

online tools to help them communicate with stakeholders.


As discussed next, individuals, businesses, government bodies, institutions, and organizations face threats mainly

from nation-states, criminal gangs, and hacktivists.

Nation States

Nation-states, motivated by nationalism, are established and well organized to carry out the most sophisticated

threat in cyberspace. Some cyberattack campaigns may bear the hallmarks of both state and non-state actors,

making positive attribution almost impossible. For instance, a nation-state may develop and use a sophisticated

Trojan horse against another state. Later, after its own counter-Trojan defenses are in place, it may sell the Trojan

horse to cybercriminals on the black market, obfuscating the origin of the original attack.

Nation-states interests include political, economic, military, and financial targets and they usually have specific

tasks such as:

• Gaining intelligence

• Stealing industrial secrets and intellectual property

• Sabotaging critical infrastructures and utilities for political and economic ends

• Listening in on policy discussions

• Conducting propaganda

Each country has a unique political system, history, and culture, and state-sponsored attacks also have distinctive

characteristics - everything from motivation to target to the type of attack. FireEye describes the unique

characteristics of cyber attack campaigns waged by governments in Asia-Pacific, Russia/Eastern Europe, Middle

East, and the U.S.

Characteristics of Cyberattack Campaigns Waged by Governments

China: China employs brute force attacks that are often the most inexpensive way to accomplish its objectives. The attacks succeed due to the sheer volume of attacks, the prevalence, and the persistence of vulnerabilities in modern networks.

Russia/Eastern Europe: These cyberattacks are more technically advanced and highly effective at evading detection. Russia’s attacks are the most complex and advanced. There is more focus on zero-day exploits.

Middle East: These hackers are dynamic, often using creativity, deception, and social engineering to trick users into compromising their own computers.

U.S.: The most complex, targeted, and rigorously engineered cyberattack campaigns to date. The attacks require a high level of financial investment, technical sophistication, and legal oversight.

Source: FireEye, World War C: Understanding Nation-State Motives Beyond Today’s Advanced Cyber Attacks


Organized Crime

Driven by profit and personal gain, organized crime is becoming increasingly sophisticated in its use of technology

to commit fraud and steal funds and valuable information. Criminal groups have been a rapidly growing problem

with international collaboration creating a global marketplace for cybercrime tools. For example, in 2013,

JPMorgan Chase warned 465,000 holders of prepaid cash cards that their personal information may have been

accessed by a global cybercrime ring. Eventually, they stole $45 million from banks by hacking into credit card

processing firms and withdrawing money from automated teller machines in 27 countries.

According to UNODC, upwards of 80% of cybercrime acts are estimated to originate in some form of organized

activity, with cybercrime black markets established on a cycle of malware creation, computer infection, botnet

management, harvesting of personal and financial data, data sale, and ‘cashing out’ of financial information.

Online connectivity and peer-learning are central to the engagement of organized criminal groups in cyber

criminality. Carding, the trafficking of credit card, bank account and other personal information online, is one such

example. Modern carding sites have been described as full-service commercial entities and may provide services

including laundering techniques, phishing kits, malware, and spam lists.

Hacktivists

Hacktivists, whose objectives are to disrupt and embarrass an organization, are usually a disparate group made up

of a wide variety of ideologically oriented groups and individuals. Thus, hacktivists usually wish to attack

companies for political or ideological motives. They promote a form of civil disobedience in cyberspace by hacking

into computer systems for political or social purposes to bring attention to an issue, rather than for personal or

monetary gain. For example, in November 2013, hackers claiming links to a group called Anonymous defaced

dozens of websites belonging to Australian businesses and Philippine government agencies in response to spying

allegations.

Real-World Case: Ashley Madison

The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016

Canadian company Ashley Madison was targeted by hackers in July 2015. Calling themselves the Impact Team,

the hackers took issue with the company’s business model of providing a forum to facilitate marital infidelity. The

aim of the hackers was to force the company to cease its operations.

In August 2015, the hackers released some 39 million customer profiles, including user profiles, names, and email

addresses. Lawyers representing Canadian victims launched a class-action lawsuit seeking $760 million in

damages. The parent company, Avid Life Media, has indefinitely postponed Ashley Madison’s upcoming initial

public offering, where the company had hoped to raise $200 million.


The Cybersecurity Threats

According to the PwC Global Economic Crime Survey 2018, cybercrimes climbed to the 2nd most reported economic

crime, affecting 31% of the responding organizations. Over half of the respondents see an increased risk of cyber

threats as more and more organizations see a higher use of social networks, cloud computing and personal mobile

devices at work. Consequently, these vulnerabilities and also careless employees, outdated information security

controls, and unauthorized access, have increased an organization’s risk exposure.

The interconnectivity of people, devices and organizations in

today’s digital world opens up a new field of vulnerabilities.

Finding loopholes to enter any network is easier than ever for

cybercriminals because there are so many access points and

ways to attack. For example, traditionally closed operating

systems have increasingly been given IP addresses that can be

accessed remotely, so that cyber threats are making their way

into critical infrastructures, such as power generation and

transportation systems and other automation systems. The

growth and spread of connected digital technology not only

motivates criminals to evolve as quickly as possible but also

changes the overall risk landscape of organizations. The actual

and potential threats often come from completely unexpected

places. Each factor is discussed in the following sections.

A Network of Networks

It is anticipated that up to 50 billion devices will be connected to the internet by the year 2020; however, the

awareness of threats seems to be low, and poor user behavior is the main risk associated with mobile devices.

The use of the internet via smartphones and tablets (in combination with bring your own device (BYOD) strategies

by employers) has made an organization’s data accessible everywhere and at any time. Consequently, one

vulnerable device can lead to other vulnerable devices, and it is almost impossible to patch all the vulnerabilities

for all devices.

The BYOD concept has been a growing trend in business. It refers to the policy that allows employees to bring

personal devices including laptops, smartphones, and tablets to their workplace and to use those devices to access

the company’s applications and data. According to EY, while real business benefits can be derived from BYOD in

the workplace, it does carry the following significant risks:

• The employee may lose a personal device that contains business information.

• The employee may unintentionally install applications that are malicious in nature.

• The employee may unintentionally disclose business information, for example, by allowing family

members or friends to use a laptop containing sensitive business information.

• The BYOD implementation, itself, may be in breach of applicable laws and regulations because it may be

in violation of data privacy laws and regulations.

Figure: Risk Landscape Changed by: A Network of Networks; Cloud Computing; Application Risk; Privacy & Data Protection.


The increased use of BYOD by employees is often unsupported by the organization or not protected within an

organization’s network security architecture. Threats introduced by mobile can be grouped into the following

three categories:

Threats Introduced by Mobile Devices

Device-based threat

Mobile devices enable end-users to perform business-related tasks (e.g. receiving email and accessing, editing, and sharing corporate content). As a result, mobile devices store a significant amount of sensitive data.

Data can be compromised in a variety of ways due to:

• Always-on connectivity which could allow unauthorized parties to access business data

• Software vulnerabilities that allow “jailbreak” or “rooting” of devices, compromising data security

• Portable form-factor making the devices susceptible to theft and misplacement

Network-based threat

The always-on model requires mobile devices to be constantly connected to the internet.

End-users might often rely on untrusted public networks enabling malicious parties to access and intercept transmitted data using:

• Rogue access points

• Wi-Fi sniffing tools

• Sophisticated Man-in-the-Middle (MitM) attacks

User-based threat

Mobile devices empower end-users. While this is great for user-choice, well-meaning end-users often indulge in risky behaviors that could compromise business data.

Examples of risky behaviors include:

• Using unapproved cloud-based apps to share and sync data

• Using unapproved productivity apps that maintain copies of corporate data

• Jailbreaking/ rooting devices to bypass security controls

• Using malicious apps from unapproved app-stores

• Exposing business data with malicious intent

Source: MobileIron, Mobile Security: Threats and Countermeasures

Cloud Computing

As more and more organizations put mission-critical data in the cloud and lose direct control over it, the threats

and attacks will increase. Cloud computing is in need of serious improvement, especially in terms of security.

Moreover, most cloud vendors currently either do not have a privacy policy or have non-transparent policies.

Many organizations are often discovering too late that their cloud provider’s standards of security may not

correspond to their own. The recent events of “CelebGate” and Amazon’s IAAS compromise are live examples of

such issues. When the vendor hosts sensitive organization data, the Institute of Internal Auditors (IIA) suggests

management should implement defined oversight programs such as:

• Active monitoring of service level agreements (SLAs)

• Information security configuration changes

• Independent cybersecurity examination engagements

• Service organization controls (SOC) reports


• Vulnerability assessments and penetration tests

• Escalation procedures with vendor management

• Baseline assessments performed to inspect key security controls

• Ongoing evaluations that analyze the technical architecture and controls in place to protect the

organization’s data

Application Risk

There have already been over 200 million apps downloaded and the number of apps downloaded is expected to

reach 260 million by 2022. Mobile devices are fully integrated within daily lives, and apps have been a major

catalyst, including mapping apps, social networking, and productivity tools. However, downloaded apps may

present security risks. According to the EY Global Information Security 2018 survey, the top two threats today

are phishing and malware:

1. Phishing (22%)

2. Malware (20%)

3. Cyberattacks (to disrupt) (13%)

4. Cyberattacks (to steal money) (12%)

5. Fraud (10%)

6. Cyberattacks (to steal IP) (8%)

7. Spam (6%)

8. Internal attacks (5%)

9. Natural disasters (2%)

10. Espionage (2%)

Most successful cyber breaches contain “phishing and/or malware” as starting points. Approximately 550 million

phishing emails were sent out by a single campaign during the first quarter of 2018. About 22% see phishing as the

biggest threat. In addition, most employees now own their mobile devices, and organizations have been letting

their employees use their own personal mobile devices to conduct work. Many organizations are reaching out to

corporate IT to support this alternative. However, the support and adoption of BYOD devices in a corporate

environment increases security risks, including malware and app vulnerabilities.

Malicious Apps (Malware)

• The increase in the number of apps on the device increases the likelihood that some may contain malicious code or security holes.

App Vulnerabilities

• Apps developed or deployed by the organization to enable access to corporate data may contain security weaknesses.

Privacy and Data Protection

Since all smart devices hold confidential information from consumers and businesses, data privacy and data

protection have become key cyber risks. Legislation for data protection has already become much tougher in the

U.S., Hong Kong, Singapore, and Australia, while the European Union is looking to agree on European data

protection rules. As a result, tougher guidelines on a country-by-country basis are expected.

Organizations increasingly focus on and allocate more resources to data infrastructure and protection because

theft of sensitive data can be crippling to a company and costly to shareholders. According to OWASP (Open

Web Application Security Project), some top privacy risks also include web application vulnerabilities,

operator-side data leakage, insufficient data breach response, data sharing with third parties, and insecure data

transfer.

It is important to note that one of the main objectives of data protection and privacy laws is that aggregated

customer data should not allow illegal or discriminatory uses. Organizations should always justify the collection

of personal information and restrict its use to the minimum necessary for business purposes. According to

established regulations, data should be retained for as short a time as possible, and strictly used to support

business operations.

Finally, with the IoT, a large number of sensor-enabled devices are designed to collect data about the users and

their environment. This data presumably provides a benefit to the device’s owner, the device’s manufacturer, and

the supplier. However, the IoT data collection and use can turn into a privacy issue when the individuals who are

observed by IoT devices have different privacy perspectives about the scope and use of that data than those of

the data collector. As a result, privacy is often cited as one of the most significant issues in large-scale IoT

deployment. Respect for privacy rights is integral to ensuring trust in the internet.

Understand Cyber Risks

In light of the increased prevalence of cybercrime, organizations must take a proactive approach to address cyber

risks, such as performing early risk identification. According to the Protiviti Internal Audit Capabilities and Needs

2016 survey results from various departments (e.g., Internal Audit, Audit Committee, IT Audit), the most

significant levels of cybersecurity risk to organizations include brand/reputation damage, data leakage, and data

security. The following are the top 10 cybersecurity risks to organizations:

Top 10 Cybersecurity Risks to Organizations

1. Brand/reputational damage

2. Data leakage (employee personal information)

3. Data security (company information)

4. Interrupted business continuity

5. Financial loss

6. Regulatory and compliance violations

7. Viruses and malware

8. Loss of employee productivity

9. Loss of intellectual property

10. Employee defamation

Source: Protiviti Internal Audit Capabilities and Needs Survey 2016


As businesses change quickly in today's world, new product launches, mergers, acquisitions, market expansion, and introductions of new technology are all on the rise. Each of these complicates an organization's cybersecurity posture and its ability to keep pace with technological advances. For example, as technology becomes more pervasive, changing business models and growing volumes of data (such as customers', employees', and suppliers' information) require protection from threats stemming from various sources and motives. Deloitte Development LLC identified four key cyber risk drivers: technology expansion, evolving business models, data growth, and motivated attackers.

Key Cyber Risk Drivers

Technology Expansion

• Internet, cloud, mobile, and social are mainstream platforms inherently oriented toward sharing

• Employees want continuous, real-time access to their information

Evolving Business Models

• Service models have evolved: outsourcing, offshoring, contracting, and a remote workforce

Data Growth

• Increased volume of customers' personal, account, and credit card data, employees' personally identifiable information, and company trade secrets

• Need to comply with privacy requirements across a wide array of jurisdictions

Motivated Attackers

• Hackers working for nation states

• Continuously innovating and subverting common controls

• Often beyond the reach of a country's law enforcement

Source: Deloitte Development LLC - Cybersecurity: The Role of Internal Audit, 2015

As organizations become more digitally connected, they increasingly face new exposures, including first- and third-party damage, business interruption, and regulatory consequences. Organizations that understand good overall risk management principles should apply the same concepts to managing their cyber risk. EY maps five general risk management principles to their cyber counterparts:

Key Risk Management Principles Applied to Cyber Risk

1. Focus on what matters most: the program must align to the unique business and risk culture.
   Applied to cyber risk: know the critical information assets; identify the critical business assets most vulnerable to attack.

2. Measure and report: include qualitative statements and quantitative measures.
   Applied to cyber risk: make cyber risk more tangible; clearly define cyber risk and its underlying metrics.

3. Comprehensive in nature: cover all risk types, current and forward-looking.
   Applied to cyber risk: align with existing risk frameworks (financial, operational, regulatory, customer, reputation).

4. Allocation of risk appetite: allocate appetite to business units and risk types.
   Applied to cyber risk: make cyber risk relevant to the business; link organizational-level risks to individual business units and information assets.

5. Integrate with business planning: regulators are increasingly looking for evidence of this.
   Applied to cyber risk: embed risk appetite in investment decisions; prioritize investment where critical, and empower the business to make informed local decisions.

Source: EY - Global Information Security Survey 2015

Review Questions - Section 4

14. Which of the following threat actors would have the most interest in financial/payment systems?

A. Disgruntled insiders

B. Nation-states

C. Organized crime groups

D. Hacktivists

15. The most complex and targeted attacks require a high level of financial investment and legal oversight. This type of state-sponsored threat actor is usually employed by which of the following governments?

A. Middle East

B. Europe

C. China

D. United States

16. What is the primary motivation of hacktivists?

A. Espionage

B. Identity theft

C. Embarrassment of an organization

D. Black market activities

17. Which of the following has NOT increased the overall risk landscape of organizations?

A. A Network of Networks

B. Cloud Computing

C. Privacy and Data Protection

D. User education


Define Cyber Risk Roles and Responsibilities

Cyber attackers are finding new and better ways to take advantage of the rapid expansion of digitization and the increasing connectivity of businesses. Cybersecurity is more than a technology issue, and it cannot remain solely in the IT domain because it affects every level of a business. Therefore, it is critical to implement a multi-layered risk defense, such as the three lines of defense model suggested by Deloitte Development LLC:

Three Lines of Defense Model

1st Line of Defense: Business & IT Functions

• Incorporate risk-informed decision making into day-to-day operations and fully integrate risk management into operational processes

• Define risk appetite and escalate risks outside of tolerance

• Mitigate risks, as appropriate

2nd Line of Defense: Information & Technology Risk Management Function

• Establish governance and oversight

• Set risk baselines, policies, and standards

• Implement tools and processes

• Monitor and call for action, as appropriate

• Provide oversight, consultation, checks and balances, and enterprise-level policies and standards

3rd Line of Defense: Internal Audit

• Independently review program effectiveness

• Provide confirmation to the board on risk management effectiveness

• Meet the requirements of SEC disclosure obligations focused on cybersecurity risks

In general, the chief executive officer (CEO) and the board set the tone for enhancing security and are responsible for ensuring that the company designs and implements an effective cybersecurity program. However, cyber threats and their mitigation are the responsibility of the entire enterprise, and every member has a part to play. A wide range of individual responsibilities must be documented and detailed throughout the organization.

Detect and Respond to Cyberattacks

Detection

No organization can protect itself without understanding what it is protecting itself from. The first activity any organization should undertake is developing an understanding of the specific cyber threats it faces. Cyber fraud is increasingly common and affects all sectors of the economy, from retail and financial services to health care and education. Cyberattacks are also becoming more destructive and more public. Although prevention (controlling access with firewalls, passwords, and similar measures) remains crucial, the focus is shifting from prevention alone toward how to respond to intrusions and limit the damage they cause. Cybercriminals often display behaviors or leave traces that can serve as warning signs or red flags. It is critical that attacks be reported to the relevant parties so that they can take timely and appropriate action. EY lists the following indicators of potential cyber fraud activity:

Indicators of Potential Cyber Fraud Activities

• Very visible attacks without an obvious purpose: e.g., DDoS; details stolen but with no obvious use to them

• Unexpected share price movements

• New products launched by competitors that are uncannily similar to your R&D and IP and reach the market just before yours — indicating IP theft and knowledge of your growth strategy and timings

• Mergers and acquisition (M&A) activities disrupted: rival bids that show similarities and may demonstrate awareness of confidential plans; M&A targets suffering cyber incidents (e.g., their IP stolen)

• Unusual customer or joint venture behavior: remember that these may not always be genuine customers or partners since cybercriminals can join organizations to gain easier access to your systems and data

• Unusual employee behavior: managers of staff need to be more aware of changes in behavior, especially when those staff work in more sensitive areas

• Operational disruption but without a clear cause

• Oddities in the payment processing or ordering systems

• Customer or user databases showing inconsistent information

Source: EY Global Information Security Survey 2015

A proactive incident response plan starts with a breach detection process built on logging and monitoring across the environment. Most environments contain numerous devices and applications that log various types of activity. For example, firewall and application logs record who logs in, who changes data, what records they view, and other information; detection depends on those logs being collected centrally and compared against defined thresholds.

The FFIEC Cybersecurity Assessment Tool (2015) identifies the following examples of key detective controls:

• Independent penetration testing of network boundary and critical Web-facing applications is performed

routinely to identify security control gaps

• Independent penetration testing is performed on Internet-facing applications or systems before they are

launched or undergo significant change

• Antivirus and anti-malware tools are updated automatically

• Firewall rules are updated routinely and are audited or verified at least quarterly

• Vulnerability scanning is conducted and analyzed before the deployment/redeployment of new/existing

devices

• Processes are in place to monitor potential insider activity that could lead to data theft or destruction

• Audit or risk management resources review the penetration testing scope and results to help determine

the need for rotating companies based on the quality of the work.


• E-mails and attachments are automatically scanned to detect malware and are blocked when malware is

present.

• Online customer transactions are actively monitored for anomalous behavior

• Tools to detect unauthorized data mining are used

• Security logs are reviewed regularly

• Logs provide traceability for all system access by individual users

• Thresholds have been established to determine activity within logs that would warrant management

response

• Weekly vulnerability scanning is rotated among environments to scan all environments throughout the

year.

• Penetration tests include cyberattack simulations and/or real-world tactics and techniques such as red

team testing to detect control gaps in employee behavior, security defenses, policies, and resources.

• Automated tool(s) proactively identifies high-risk behavior signaling an employee who may pose an insider

threat.

• An automated tool triggers system and/or fraud alerts when customer logins occur within a short period

of time but from physically distant IP locations.

• External transfers from customer accounts generate alerts and require review and authorization if

anomalous behavior is detected.

• A system is in place to monitor and analyze employee behavior (network use patterns, work hours, and

known devices) to alert on anomalous activities.

• An automated tool(s) is in place to detect and prevent data mining by insider threats.

• Tags on fictitious confidential data or files are used to provide advanced alerts of potential malicious

activity when the data is accessed.

• The institution is leading efforts to develop event detection systems that will correlate in real-time when

events are about to occur.

• The institution is leading the development effort to design new technologies that will detect potential

insider threats and block activity in real-time.
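Two of the FFIEC controls above (alerts when a customer's logins occur within a short period but from physically distant IP locations, and thresholds that determine which log activity warrants a response) can be implemented as an "impossible travel" rule over login logs. The following is an added example and not code from the course or from the FFIEC; the log format, the IP-to-coordinate table and the 1,000 km/h threshold are constructed assumptions for the illustration (a real deployment would look addresses up in a GeoIP database and tune the threshold to its user population).

```python
"""Impossible-travel detection over constructed login records.

Added example (not from the course or the FFIEC): flags successive
successful logins by the same user from two locations whose distance
could not have been covered in the elapsed time. The log format, the
IP-to-coordinate table and the speed threshold are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# Constructed geolocation table (assumption). A real deployment would query a
# GeoIP database; these are approximate city-centre coordinates.
GEO: Dict[str, Tuple[float, float]] = {
    "203.0.113.7": (40.71, -74.01),    # New York
    "198.51.100.3": (40.73, -73.99),   # New York, different ISP
    "192.0.2.44": (35.68, 139.69),     # Tokyo
    "192.0.2.91": (51.51, -0.13),      # London
}

# Threshold (assumption): a little faster than a commercial flight, so a
# transatlantic login nine hours apart is allowed but twenty minutes apart is not.
MAX_SPEED_KMH = 1000.0

# Constructed sample log: "<UTC timestamp> login user=<u> ip=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2019-11-04T09:00:00Z login user=alice ip=203.0.113.7 result=ok
2019-11-04T09:45:00Z login user=alice ip=198.51.100.3 result=ok
2019-11-04T10:10:00Z login user=alice ip=192.0.2.44 result=ok
2019-11-04T09:30:00Z login user=bob ip=192.0.2.91 result=ok
2019-11-04T18:30:00Z login user=bob ip=203.0.113.7 result=ok
2019-11-04T11:00:00Z login user=carol ip=192.0.2.91 result=fail
2019-11-04T11:05:00Z login user=carol ip=203.0.113.7 result=ok
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse_log(text: str) -> List[Login]:
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    out: List[Login] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "login":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if not all(k in fields for k in ("user", "ip", "result")):
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        out.append(Login(ts.replace(tzinfo=timezone.utc), fields["user"],
                         fields["ip"], fields["result"] == "ok"))
    return out


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(logins: List[Login], max_speed_kmh: float = MAX_SPEED_KMH):
    """Return one tuple (user, earlier_ip, later_ip, km, hours, km/h) for each
    consecutive pair of successful logins that implies travel faster than
    max_speed_kmh. Failed logins and IPs with no known location are ignored,
    so a single failed attempt from abroad does not by itself raise this alert."""
    alerts = []
    last: Dict[str, Login] = {}
    for ev in sorted(logins, key=lambda e: e.ts):
        if not ev.ok or ev.ip not in GEO:
            continue
        prev: Optional[Login] = last.get(ev.user)
        if prev is not None and prev.ip != ev.ip:
            km = haversine_km(GEO[prev.ip], GEO[ev.ip])
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            # Two locations in the same second: treat the implied speed as infinite.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                shown = speed if speed == float("inf") else round(speed)
                alerts.append((ev.user, prev.ip, ev.ip, round(km), round(hours, 2), shown))
        last[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_log(SAMPLE_LOG)):
        print("ALERT impossible travel:", alert)
```

On the constructed log, alice's two New York logins 45 minutes apart are accepted, her Tokyo login 25 minutes later is flagged (roughly 10,850 km at over 26,000 km/h), and bob's London-to-New York pair nine hours apart stays under the threshold. The rule only considers successful logins, so it should be paired with a separate threshold on failed attempts per source address.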

Moreover, the victim organization should also take immediate steps to preserve relevant existing logs. According to the U.S. Department of Justice, Computer Crime & Intellectual Property Section, Criminal Division, Cybersecurity Unit, the types of information the victim organization should retain include:

1. A description of all incident-related events, including dates and times;

2. Information about incident-related phone calls, emails, and other contacts;

3. The identity of persons working on tasks related to the intrusion, including a description of the work, the amount of time spent, and the approximate hourly rate for those persons' work;

4. The identity of the systems, accounts, services, data, and networks affected by the incident and a description of how these network components were affected;

5. Information relating to the amount and type of damage inflicted by the incident, which can be important in civil actions by the organization and in criminal cases;

6. Information regarding network topology;

7. The type and version of software being run on the network; and

8. Any peculiarities in the organization's network architecture, such as proprietary hardware or software.

Response

After detection comes the response. How does the organization recover from an incident? How does it limit the

damage and stop any illicit activities still occurring in the network? These questions uncover critical elements of a

cybersecurity incident response plan, which also encompasses a communication plan for informing parties directly

affected, other stakeholders, such as board members, vendors, and customers, as well as the outside world. A

cybersecurity incident response plan should reflect the organization’s industry, size, and other factors such as the

overall cybersecurity framework, considering no single model fits all situations. Typically, an incident response

plan outline consists of the following fundamental steps suggested by Crowe Horwath LLP:

1. Inventory and understand the data to be protected.

2. Inventory and classify incidents.

3. Understand known threats and monitor new ones.

4. Identify the stakeholders and incident response team – corporate communications, legal, compliance,

lines of business, IT, and external forensics partners.

5. Set up a command center.

6. Develop and implement a containment and investigation strategy.

7. Develop and implement an evidence preservation strategy.

8. Develop and implement a communication plan for customers, media, regulators, and other stakeholders.

9. Conduct a post-mortem, and apply lessons learned.
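Both the DOJ guidance on preserving existing logs and step 7 of the outline above (an evidence preservation strategy) come down to the same practical check: being able to show later that the collected files are the ones that existed at collection time. The following is an added example and not code from the course, the DOJ or Crowe Horwath. It builds a SHA-256 manifest of a collection directory, fingerprints the manifest itself, and re-verifies the collection so that any file altered, deleted or added since collection is reported. The directory layout, file contents, collector name and ticket reference in demo() are constructed for the illustration; in practice the manifest hash is recorded in the chain-of-custody log and the collection copied to write-once or offline media.

```python
"""Hash manifest for preserving incident logs and other evidence.

Added example (not code from the course, the DOJ or Crowe Horwath). Builds a
SHA-256 manifest of every file under a collection directory, fingerprints the
manifest, and re-verifies the collection later. Paths, contents, collector
name and ticket reference in demo() are constructed for the illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # hash large log files 1 MiB at a time


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str, collector: str, note: str = "") -> Tuple[Dict, str]:
    """Hash every regular file under root and return (manifest, manifest_sha256).
    The second value fingerprints the canonical JSON form of the manifest; it is
    the value to record in the chain-of-custody log and on offline media."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip sockets, fifos, broken links
                continue
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    entries.sort(key=lambda e: e["path"])
    manifest = {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
        "files": entries,
    }
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return manifest, hashlib.sha256(canonical).hexdigest()


def verify_manifest(root: str, manifest: Dict) -> List[Tuple[str, str]]:
    """Re-hash root against manifest. Returns (path, problem) pairs for files
    that are missing, whose content changed, or that were not present at
    collection time; an empty list means the evidence set is intact."""
    problems = []
    expected = {e["path"]: e["sha256"] for e in manifest["files"]}
    for rel, digest in expected.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            problems.append((rel, "missing"))
        elif sha256_file(path) != digest:
            problems.append((rel, "hash mismatch"))
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in expected:
                problems.append((rel, "not in manifest"))
    return sorted(problems)


def demo() -> Tuple[Dict, str, List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed scenario: preserve two logs, then overwrite one and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "fw"))
        with open(os.path.join(root, "fw", "firewall.log"), "w") as f:
            f.write("2019-11-04T10:10:00Z DENY 192.0.2.44 -> 10.0.0.5:445\n")
        with open(os.path.join(root, "app.log"), "w") as f:
            f.write("2019-11-04T10:10:02Z user=alice action=export records=50000\n")
        manifest, manifest_hash = build_manifest(root, "ir-team", "constructed ticket IR-0001")
        clean = verify_manifest(root, manifest)
        # Someone "tidies up" the application log after collection.
        with open(os.path.join(root, "app.log"), "w") as f:
            f.write("2019-11-04T10:10:02Z user=alice action=login\n")
        tampered = verify_manifest(root, manifest)
    return manifest, manifest_hash, clean, tampered


if __name__ == "__main__":
    m, h, clean, tampered = demo()
    print("manifest sha256:", h)
    print("verify before tampering:", clean or "intact")
    print("verify after tampering:", tampered)
```

Hashing alone proves integrity relative to the manifest, not the manifest's own authenticity; that is why the manifest hash is written to a separate record (ticket, custody log, printed form) at collection time, and why collection should happen before any remediation that rewrites or rotates logs.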

According to Hewlett-Packard, Executive breach response playbook: How to successfully navigate the enterprise

through a serious data breach 2015, there are four classes of responses required for a cybersecurity incident:

Technical Response. It is designed to focus on the actions the technical staff takes to analyze and resolve an event

or incident. Technical staff includes the IT groups required to assist with remediation of the event or incident. This

phase can involve several groups or departments within the IT organization to coordinate and provide technical

actions to contain, resolve, or mitigate incidents, as well as providing the actions needed to repair and recover.

Management Response. The management response includes activities that require management intervention,

notification, interaction, escalation, or approval as part of any response. It may also include coordinating with

corporate communications as it relates to any human resources, public relations, financial accounting, audits, and

compliance issues.

Communication Response. These are activities that require some measure of communications to the corporation

and internal and external constituents. Corporate communications should always be consulted prior to any

communications being released. In many cases, management will direct the release of breach information.

[Figure: the four classes of response - Technical Response, Management Response, Communication Response, Legal Response]

Legal Response. The legal response, if required, would work with outside regulators, third parties, and other

parties. In addition, legal input would be required for any external communications, to ensure that such

communication is in accordance with company policy and supports any statutory or regulatory requirements.

Responding to cyber incidents usually consists of five stages (each stage is listed with examples of its activities):

Key Activities of Responding to Cyber Incidents

Response Planning

• The response plan is executed during or after an event

Communications

• Personnel know their roles and order of operations when a response is needed

• Events are reported consistent with established criteria

• Information is shared consistent with response plans

• Coordination with stakeholders occurs consistent with response plans

• Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

Analysis

• Notifications from detection systems are investigated

• The impact of the incident is understood

• Forensics are performed

• Incidents are categorized consistent with the response plan

Mitigation

• Incidents are contained

• Incidents are mitigated

• Newly identified vulnerabilities are mitigated or documented as accepted risks

Improvement

• Response plans incorporate lessons learned

• Response strategies are updated

Source: NIST - Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, 2014

Recover from Cyberattacks

Much of the planning and documentation for recovering from a cybersecurity event needs to be in place before

the event occurs. Therefore, it is critical to have guidance and playbooks that support asset prioritizations and

recovery objectives. The NIST defines a recovery plan as:

“Providing a method to document and maintain specific strategies and decisions regarding the approved means

for implementing and conducting business recovery processes.”

The organization must develop a playbook for recovering from a data breach. The NIST Guide for Cybersecurity Event Recovery identifies the following elements of such a playbook:

1. A description of the set of formal recovery processes to use if the organization experiences a data breach.

2. A list of the critical people, facilities, technical components, and external services required to achieve the organization's mission(s). The playbook enumerates the data breach recovery team personnel, including the incident response team; the IT operational team (application owners, managers, and administrators, and system and network administrators); security and privacy officers; general counsel; public relations; law enforcement organizations; information sharing organizations; and external service providers as required.

3. A current set of functional and security dependency maps focused on the systems that process and store organizational information, in particular the key assets. These maps give the recovery team the context it needs to select the order of restoration priority.

4. Metrics and other factors used to plan restoration priority, which may include:

• Legal costs

• Hardware, software, and labor costs

• Amount of lost revenue due to business downtime, including loss of existing and future business opportunities

• Instantiation of new services to restore customers' trust

• Gaps identified in the playbook

• Satisfaction of internal users, external business partners, and customers

• Service level agreements with internal business teams

• Confidence level in the quality of the backups

• Quality of the overall recovery plan and of the process used to develop the data breach playbook

5. A set of authorized resources and tested tools that have been used in exercises.

6. A comprehensive recovery communications plan with fully integrated internal and external communications considerations. It specifies the content to be communicated to the management team (including the board), general counsel, public relations, law enforcement organizations, the IT team, employees, and external service providers.

7. Periodic training and exercises, defined and carried out, that validate the restoration of the components identified in the dependency maps (in particular key assets such as infrastructure components, critical data stores, and IT security functions) from known good states, so as to ensure timely recovery team coordination and restoration of the capabilities or services affected by a data breach event.

In summary, a typical recovery plan should include the following elements:

Key Elements of a Recovery Plan

Service level agreement

Relevant service/operational/organization level agreement details: information about existing written commitments to provide a particular level of service (e.g., availability percentage, maximum allowable downtime, guaranteed bandwidth provision). This may include pre-established external engagement contract support that can assist and augment the organization's recovery team in the event of a major cyber event.

Authority

Documented name and point of contact information for two or more management staff members who may activate the plan.

Recovery team membership

Point of contact information for designated members of the team who have reviewed, exercised, and are prepared to implement the plan.

Specific recovery details and procedures

Documented system details that apply to the given information system, with diagrams where applicable. These details may prescribe specific recovery activities that should be performed by the recovery team, including application restoration details or methods to activate alternate means of processing (e.g., backup servers, failover site).

Out-of-band communications

Ability to communicate with the critical business, IT, and IT security stakeholders, including external parties such as incident response and recovery teams, without using existing production systems, which are frequently monitored by advanced adversaries.

Communication plan

Any specific notification and/or escalation procedures that apply to this information system. As an example, some systems impact users outside of the organization, and legal, public relations, and human resources personnel may need to be engaged to manage expectations and information disclosure about the incident and recovery progress.

Off-site storage details

Details regarding any arrangement for storing specific records or media at an offline or offsite location. This is particularly critical given the credible threat of ransomware that encrypts data and holds the decryption key hostage for payment.

Operational workarounds

Approved workaround procedures if the information system cannot be restored within the recovery time objective (RTO).

Facility recovery details

Information relevant to the resilience of a physical facility such as an office location or a data center. Such details might include personnel notification processes, alternate location information, and communications circuit details.

Infrastructure, hardware, and software

Details regarding access to the infrastructure, hardware, and software that provide intermediary services used during the recovery process. Examples include an identity management system, a recovery network, a messaging system, and a staging system to validate the integrity of data recovered from backups and restore the system in order to re-establish trust in the infrastructure.

Source: NIST, Guide for Cybersecurity Event Recovery (NIST Special Publication 800-184)

Cyber Criminal Forum Taken Down

Members Arrested in 20 Countries

Source: www.fbi.gov Stories July 15, 2015

It was, in effect, a one-stop, high-volume shopping venue for some of the world’s most prolific cybercriminals. Called Darkode,

this underground, password-protected, online forum was a meeting place for those interested in buying, selling, and trading

malware, botnets, stolen personally identifiable information, credit card information, hacked server credentials, and other

pieces of data and software that facilitated complex cybercrimes all over the globe.

Unbeknownst to the operators of this invitation-only, English-speaking criminal forum, the FBI had infiltrated this

communication platform at the highest levels and began collecting evidence and intelligence on Darkode members.


Today, the Department of Justice and the FBI—with the assistance of our partners in 19 countries around the world—

announced the results of Operation Shrouded Horizon, a multi-agency investigation into the Darkode forum. Among the

results obtained were charges, arrests, and searches involving 70 Darkode members and associates around the world. There

also were U.S. indictments against 12 individuals associated with the forum, including its administrator, several U.S. search

warrants, as well as the Bureau’s seizure of Darkode’s domain and servers.

Said FBI Deputy Director Mark Giuliano, “Cybercriminals should not have a safe haven to shop for the tools of their trade, and

Operation Shrouded Horizon shows we will do all we can to disrupt their unlawful activities.”

During the investigation, the Bureau focused primarily on the Darkode members responsible for developing, distributing,

facilitating, and supporting the most egregious and complex cybercriminal schemes targeting victims and financial systems

around the world, including in the United States.

The Darkode forum, which included between 250 and 300 members, operated very carefully. Ever fearful of compromise by

law enforcement, Darkode administrators made sure prospective members were heavily vetted and that not just anyone

could join.

Similar to practices used by the Mafia, a potential candidate for forum membership had to be sponsored by an existing

member and sent a formal invitation to join. In response, the candidate had to post an online introduction—basically, a

resume—highlighting the individual’s past criminal activity, particular cyber skills, and potential contributions to the forum.

The forum’s active members then decided whether to approve applications or reject them.

Once in the forum, members—in addition to buying and selling cybercriminal products and services—used it to exchange

ideas, knowledge, and advice on any number of cyber-related fraud schemes and other illegal activities. It was almost like a

think tank for cybercriminals.

What’s the significance of this case, believed to be the largest-ever coordinated law enforcement effort directed at an online

cybercriminal forum? In addition to shutting down a major resource for cybercriminals, law enforcement infiltrated a closed

criminal forum to obtain the intelligence and evidence needed to identify and prosecute these criminals. This action paid off

with a treasure trove of information that ultimately led to the dismantlement of the forum and law enforcement actions

against dozens of its worst criminal members around the world.

The case was led by the FBI’s Pittsburgh Field Office, with assistance from our offices in Washington, San Diego, and a number

of others around the country. Yet it wouldn’t have happened without the support of Europol and other partners in 19

countries. In addition to the FBI obtaining enough evidence for search warrants and indictments in the U.S., we shared

information with our foreign partners to help them make their own cases against the Darkode perpetrators residing in their

jurisdictions.

Operation Shrouded Horizon is a prime example of why the most effective way to combat cybercrime—which operates

globally—is a law enforcement response that also transcends national borders.


Review Questions - Section 5

18. According to the Three Lines of Defense model, which of the following controls is part of the first line of

defense’s responsibilities?

A. Independently reviewing cybersecurity program effectiveness

B. Defining risk appetite and escalating risks outside of tolerance

C. Establishing governance and oversight

D. Meeting compliance requirements related to cybersecurity risks

19. According to the Three Lines of Defense model, which of the following controls usually serves as the third line

of defense providing independent assurance?

A. Providing confirmation to the board on risk management effectiveness

B. Classifying data and designing least-privilege access roles

C. Implementing vulnerability management with internal and external scans

D. Deploying intrusion detection systems and conducting penetration testing

20. Which of the following documents provides specific notification and/or escalation procedures that apply to

the particular information system?

A. Service level agreement

B. Operational workarounds

C. Specific recovery details and procedures

D. Communication plan


VIII. Changes to Internal Audit

Maximize the Value of Internal Audit

Board members and management rely heavily on their internal audit functions for assurance and compliance-related activities. Amid ongoing business transformation, stakeholders increasingly seek more input from their internal audit groups, not only on the risks tied to long-term strategy but also on the strength of cybersecurity measures and the risks associated with digital transformation and mobile technology.

According to Protiviti's Internal Audit Capabilities and Needs Survey 2019, there are substantial year-over-year increases in the number of organizations that now include cybersecurity risks in their annual audit plans. Nearly three out of four organizations evaluate cybersecurity risk as a key part of the annual audit plan. This indicates heightened interest and concern among organizations about the cyber threats they now encounter daily. In addition, many organizations are likely being influenced by their external auditors, who place increased scrutiny on management's cybersecurity program. That scrutiny is driven by the current cyber threat environment along with SEC disclosure obligations. The details of disclosure obligations relating to cybersecurity risks and cyber incidents are discussed in the "SEC Cybersecurity Disclosure Obligations" section.

An internal audit function provides a holistic approach to identifying where an organization may be vulnerable, from testing BYOD (bring your own device) policies to reviewing third-party contracts for compliance with security protocols. Internal audit can also provide assurance on the effectiveness of IT governance. As technology issues dominate the priority list for internal auditors, internal audit continues to incorporate data analytics and other technology in its work. According to the IIA, cybersecurity is rightfully rated a high risk, and internal audit leaders have placed the right emphasis on its ever-increasing importance; the top reasons for auditing cybersecurity are:

• Minimizing the costly consequences of data breaches (e.g., legal fines, remediation efforts, coverage of customer losses, and potential loss of business)

• Avoiding reputational damage to the organization, especially from the loss of customer data

• Averting non-compliance with regulatory requirements (e.g., the General Data Protection Regulation)

• Preventing the loss of intellectual property and other proprietary information

According to Protiviti Internal Audit Capabilities and Needs 2019 survey, cybersecurity risk/threat and enterprise

risk management are at the top of the priority list. As Chief Audit Executives (CAEs) recognize the importance of

providing clarity around IT risks, they understand the need for internal audit to leverage this information as part

of its auditing activities for the organization. The following are the items on CAEs’ priority list:

1. Cybersecurity risk/threat

2. Enterprise risk management

3. Fraud risk management

4. Vendor/third-party risk management

5. COSO Internal Control − Integrated Framework


6. Revenue Recognition Standard (ASU 2014-09)

7. AICPA’s Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program

8. Lease Accounting Standard (ASU 2016-02)

9. Evaluating SOC reports

10. Cloud computing

An evolving internal audit provides a holistic approach to identifying where an organization may be vulnerable

from testing BYOD policies to reviewing third-party contracts for compliance with security protocols. Based on

the IIA’s global survey results, internal audit departments that audit cybersecurity are starting to provide a wide

range of valuable services to their organizations. The most frequent services include:

• Assessing controls on addressing internet-connected systems process, store, and/or transport data

• Reviewing the business continuity plan

• Evaluating the cybersecurity risk assessment process

• Assessing cybersecurity prevention procedures

• Evaluating the incident response plan

• Reviewing the crisis management plan

• Providing guidance to cybersecurity plans and performance

When properly resourced and supported, internal audit functions will develop the skills and perspective needed

to provide review and assurance services in cybersecurity. There are six crucial key areas of cyber preparedness.

Here is how internal audit can contribute to each one:

How Internal Audit Can Help with Cyber Preparedness

Scope: Governance & Processes
Objective: Identify gaps in the policies and procedures implemented in the organization pertaining to information security and IT infrastructure, as well as the associated risks
Areas covered:
• Review of cybersecurity policies, procedures, guidelines and strategies
• Testing of security operations effectiveness
• Security operations such as log analysis, event monitoring, antivirus management
• End-user security awareness and training

Scope: Network Architecture & Security Review & Behavioral Analysis
Objective: Evaluate whether the security architecture supports the organization's thresholds for risk, while still supporting key business objectives
Areas covered:
• Review of security architecture and devices
• Network topology and zoning
• Log-in procedures and authentication requirements
• Behavioral analysis of the existing network infrastructure
• Assessment of vulnerabilities pertaining to protocols

Scope: Proactive Advanced Persistent Threat Review
Objective: Mitigate the risk of information leakage and eavesdropping and foresee the expected attacks and threats that the network might be subject to
Areas covered:
• Root cause analysis
• Deep packet inspection
• Malware identification
• Code-based malware analysis
• Behavioral analysis

Scope: Baseline Security Review
Objective: Identify security risks in the network
Areas covered:
• Redundancy testing for security-related network components
• Vulnerability analytics
• Conduct of penetration tests of the network and servers from internal and external networks
• Review of security patch upgrades on all end-user and server systems
• Review of licenses and inventory of all vendor-specific applications
• Review of baseline configuration of all OS and DB deployed

Scope: Cyberattack Identification & Response
Objective: Evaluate procedures and processes enabling discovery and reporting of cyberattack incidents
Areas covered:
• Response team
• Reporting
• Investigation
• Recovery and follow-up
• Law enforcement

Scope: Vulnerability Identification & Mitigation
Objective: Help discover the vulnerability exploited by cybercriminals and the associated application(s) so that the appropriate fix can be applied to the infected part and stringent steps can be taken to strengthen the capability to combat such attacks
Areas covered:
• Identification of exploited vulnerability using analysis of captured malware
• Identification of exploited applications
• Deployment of security fixes, patches, and updates for the exploited vulnerability
• Antivirus signature preparation against the captured malware

Source: EY - Cybersecurity and Internal Audit, 2014

In addition to protection and detection, internal audit plays a central role in helping the audit committee oversee cybersecurity. For example, the regular assessments conducted by internal audit play an important part in providing the audit committee with a comprehensive appraisal of the organization's strengths and weaknesses. CAEs are in a unique position to educate board and audit committee members about an organization's diverse efforts to battle cyber threats.

Identify IIA Standards Related to Cybersecurity

The IIA identifies the following selections from the IIA's International Standards for the Professional Practice of Internal Auditing (Standards) that are relevant to cybersecurity.

Standard 1210 – Proficiency

Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

Standard 2050 – Coordination

The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

Standard 2110 – Governance

The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization;

• Ensuring effective organizational performance management and accountability;

• Communicating risk and control information to appropriate areas of the organization; and

• Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

Standard 2120 – Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Cyber Criminal Charged in Scheme to Steal More Than $1.5 Million from a U.S. Financial Institution

Defendant Allegedly Conducted Unauthorized Intrusion into a Government Website

www.justice.gov Press Release, Oct 27, 2016

Yesterday, a complaint was unsealed charging Dwayne C. Hans, a United States citizen, with wire fraud, computer fraud, and money laundering. According to the complaint, between April 2016 and July 2016, the defendant masterminded a series of fraudulent activities against a U.S. financial institution in which he masqueraded as an authorized representative of that institution. Using this ruse, he transferred funds from the financial institution's corporate bank accounts for his own use. The defendant also accessed a website run by the U.S. General Services Administration without authorization and then redirected money intended for the financial institution to his own bank account.

The defendant's initial appearance was held yesterday before United States District Judge Thomas O. Rice at the U.S. Courthouse in Spokane, Washington. The court scheduled a detention hearing for Monday, October 31, to determine whether the defendant will be held in custody pending his removal to the Eastern District of New York for further proceedings.

The charges were announced by Robert L. Capers, United States Attorney for the Eastern District of New York, and William F. Sweeney, Jr., Assistant Director in Charge, Federal Bureau of Investigation, New York Field Office (FBI).

As alleged in the complaint, the defendant stole $134,000 from the financial institution and attempted to steal approximately $1.5 million more. Posing as someone authorized to conduct financial transactions for the financial institution, the defendant misappropriated money from corporate bank accounts to buy shares of stock in publicly traded companies, invest in a real estate property in Brooklyn, New York, and benefit his family members. He also conducted an unauthorized intrusion into the website SAM.gov, which stores information about companies that provide services to the federal government. During this unauthorized website intrusion, the defendant changed the information in entries pertaining to the financial institution, including by replacing the bank account information for the financial institution with the defendant's personal bank account information. As a result, the Pension Benefit Guarantee Corporation sent more than $1.5 million to the defendant instead of the financial institution. These fraudulent wire transfers were reversed once they were detected.

The defendant was arrested in Richland, Washington, on October 26, 2016, pursuant to a criminal complaint issued in the Eastern District of New York.

"Cybercriminals scour the internet for information they can use to steal with impunity," stated United States Attorney Capers. "They threaten to undermine our confidence in the internet and in the cyber world, on which we rely each and every day. The arrest announced today sends all would-be cybercriminals a message – we will find you, and we will bring you to justice."

"Criminals who exploit the internet to commit crimes think they can hide behind the virtual veil of a computer screen. Yet just as today's charges remind us that everyone is at risk of becoming a victim of cybercrime, so too should the public be reminded that the FBI will continue to be a major force in confronting those who think they can evade the law," stated FBI Assistant Director in Charge Sweeney.

The charges in the complaint are allegations, and the defendant is presumed innocent unless and until proven guilty.

Going Dark (from the FBI)

Source: www.fbi.gov, Operational Technology

Law enforcement at all levels has the authority to intercept and access communications and information pursuant to court orders, but it often lacks the technical ability to carry out these orders because of a fundamental shift in communication services and technologies. This scenario is often called the "Going Dark" problem.

Law enforcement faces two distinct "Going Dark" challenges. The first concerns real-time court-ordered interception of data in motion, such as phone calls, e-mail, text messages, and chat sessions. The second challenge concerns "data at rest", or court-ordered access to data stored on devices, like e-mail, text messages, photos, and videos. Both real-time communications and stored data are increasingly difficult for law enforcement to obtain with a court order or warrant. This is eroding law enforcement's ability to quickly obtain valuable information that may be used to identify and save victims, reveal evidence to convict perpetrators, or exonerate the innocent.

It's important to note that the FBI supports strong encryption systems. We also know first-hand the damage that can be caused by vulnerable and insecure systems. As such, the Department of Justice, the FBI, and other law enforcement agencies are on the front lines of the fight against cybercrime. The government uses strong encryption to secure its own electronic information and encourages the private sector and members of the public to do the same.

However, the challenges faced by law enforcement to lawfully and quickly obtain valuable information are worsening. The Communications Assistance for Law Enforcement Act (CALEA) was enacted in 1994 and applies only to traditional telecommunications carriers, providers of interconnected voice over internet protocol (VoIP) services, and providers of broadband access services. Currently, thousands of companies provide some form of communication service, and most are not required by CALEA to develop lawful intercept capabilities for law enforcement. As a result, many of today's communication services are developed and deployed without consideration of law enforcement's lawful intercept and evidence collection needs.

When changes in technology hinder law enforcement's ability to exercise investigative tools and follow critical leads, we may not be able to root out the child predators hiding in the shadows of the Internet or find and arrest violent criminals targeting our neighborhoods. We may not be able to identify and stop terrorists who are using social media to recruit, plan, and execute an attack in our country. We may not be able to recover critical information from a device that belongs to a victim who cannot provide us with the password, especially when time is of the essence. These are not just theoretical concerns.

We continue to identify individuals who seek to join the ranks of foreign fighters traveling in support of the Islamic State of Iraq and the Levant, commonly known as ISIL, and also homegrown violent extremists who may aspire to attack the United States from within. These threats remain among the highest priorities for the FBI and the United States government as a whole.

Of course, encryption is not the only technology terrorists and criminals use to further their ends. Terrorist groups, such as ISIL, use the Internet to great effect. With the widespread horizontal distribution of social media, terrorists can spot, assess, recruit, and radicalize vulnerable individuals of all ages in the United States either to travel or to conduct a homeland attack. As a result, foreign terrorist organizations now have direct access to the United States like never before. Some of these conversations occur in publicly accessed social networking sites, but others take place via private messaging platforms. These encrypted direct messaging platforms are tremendously problematic when used by terrorist plotters.

Of the Going Dark problem, Director James Comey has said, "Armed with lawful authority, we increasingly find ourselves simply unable to do that which the courts have authorized us to do, and that is to collect information being transmitted by terrorists, by criminals, by pedophiles, by bad people of all sorts." As for the perceived conflict of interest between keeping people safe and protecting their privacy, "it isn't a question of conflict," according to Comey. "We must care deeply about protecting liberty through due process of law, while also safeguarding the citizens we serve—in every investigation", he says.

To help address the challenges posed by advancing communications services and technologies, the Department of Justice's National Domestic Communications Assistance Center (NDCAC) leverages and shares the law enforcement community's collective technical knowledge, solutions, and resources. NDCAC also works on behalf of federal, state, local, and tribal law enforcement agencies to strengthen law enforcement's relationships with the communications industry.

Review Questions - Section 6

21. Which of the following audits helps an organization identify gaps in the policies and procedures implemented

in the organization pertaining to IT infrastructure?

A. Governance & Processes Review

B. Cyberattack Identification & Response Review

C. Baseline Security Review

D. Proactive Advanced Persistent Threat Review

22. How can Internal Audit contribute to an organization’s cybersecurity preparedness?

A. Integrate risk management into operational processes

B. Monitor decisions made by regulators in response to cyber incidents

C. Implement the user security awareness program

D. Review security architecture and devices


Appendix A: Disclosing Risk Factors

Example 1: Comcast Corporation 2015 Annual Report

Risk Factors

We rely on network and information systems and other technologies, as well as key properties, and a disruption, cyberattack, failure or destruction of such networks, systems, technologies or properties may disrupt our businesses.

Network and information systems and other technologies, including those related to our network management, customer service operations and programming delivery, are critical to our business activities. Network and information systems-related events, including those caused by us or by third parties, such as computer hackings, cyberattacks, computer viruses, worms or other destructive or disruptive software, process breakdowns, denial of service attacks, malicious social engineering or other malicious activities, or any combination of the foregoing, or power outages, natural disasters, terrorist attacks or other similar events, could result in a degradation or disruption of our services, excessive call volume to call centers or damage to our equipment, data, and properties. These events also could result in large expenditures to repair or replace the damaged properties, networks or information systems or to protect them from similar events in the future, and any such events could have an adverse effect on our results of operations.

In addition, we may obtain certain confidential, proprietary and personal information about our customers, personnel and vendors, and may provide this information to third parties, in connection with our business. While we obtain assurances that these third parties will protect this information, there is a risk that this information may be compromised. Any security breaches, such as misappropriation, misuse, leakage, falsification or accidental release or loss of information maintained in our information technology systems, including customer, personnel and vendor data, could damage our reputation and require us to expend significant capital and other resources to remedy any such security breach, and could cause regulators to impose fines or other remedies for failure to comply with relevant customer privacy rules.

The risk of these systems-related events and security breaches occurring continues to intensify in many lines of business, and our lines of business may be at a disproportionately heightened risk of these events occurring, due to the nature of our businesses and the fact that we maintain certain information necessary to conduct our business in digital form stored on cloud servers. In the ordinary course of our business, there are frequent attempts to cause such systems-related events and security breaches, and we have experienced a few minor systems-related events that, to date, have not resulted in any significant degradation or disruption to our network or information systems or our services or operations. While we develop and maintain systems, and operate a comprehensive security program, seeking to prevent systems-related events and security breaches from occurring, the development, maintenance and operation of these systems and programs is costly and requires ongoing monitoring and updating as technologies change and efforts to overcome security measures become more sophisticated. Despite efforts to prevent these events and security breaches, there can be no assurance that they will not occur in the future or will not have an adverse effect on our businesses. Moreover, the amount and scope of insurance we maintain against losses resulting from any such events or security breaches likely would not be sufficient to cover our losses or otherwise adequately compensate us for any disruptions to our business that may result, and the occurrence of any such events or security breaches could have an adverse effect on our business.

Example 2: Hertz Global Holdings 2014 Annual Report

Risk Factors

The misuse or theft of information we possess, including as a result of cybersecurity breaches, could harm our brand, reputation or competitive position and give rise to material liabilities.

We regularly possess, store and handle non-public information about millions of individuals and businesses, including both credit and debit card information and other sensitive and confidential personal information. In addition, our customers regularly transmit confidential information to us via the internet and through other electronic means. Despite the security measures we currently have in place, our facilities and systems and those of our third-party service providers may contain defects in design or manufacture or other problems that could unexpectedly compromise information security. Unauthorized parties may also attempt to gain access to our systems or facilities, or those of third parties with whom we do business, through fraud, trickery, or other forms of deception of our employees or contractors. Many of the techniques used to obtain unauthorized access, including viruses, worms, and other malicious software programs, are difficult to anticipate until launched against a target and we may be unable to implement adequate preventative measures. Our failure to maintain the security of that data, whether as the result of our own error or the malfeasance or errors of others, could harm our reputation, interrupt our operations, result in governmental investigations and give rise to a host of civil or criminal liabilities. Any such failure could lead to lower revenues, increased remediation, prevention, and other costs and other material adverse effects on our results of operations.

Appendix B: Data Breach Disclosure

Representing a Material Event − Target Corporation 2015 Quarterly Report

For the quarterly period ended August 1, 2015

Item 2. Management's Discussion and Analysis of Financial Condition and Results of Operations

Other Performance Factors

Consolidated Selling, General and Administrative Expenses

In addition to segment selling, general and administrative expenses, we recorded certain other expenses. For the three and six months ended August 1, 2015, these expenses included $11 million and $114 million, respectively, of restructuring costs and $9 million and $12 million, respectively, of Data Breach-related costs. For the three and six months ended August 2, 2014, these expenses included $111 million and $129 million, respectively, of Data Breach-related costs (net of expected insurance proceeds), $16 million of impairments, and $13 million of costs related to plans to convert existing co-branded REDcards to MasterCard co-branded chip-and-PIN cards in 2015 to support the accelerated transition to chip-and-PIN-enabled REDcards.

Appendix C: Financial Statement Disclosure – Target Corporation 2015 Quarterly Report

For the quarterly period ended August 1, 2015

Notes to Consolidated Financial Statements (unaudited)

Data Breach

In the fourth quarter of 2013, we experienced a data breach in which an intruder stole certain payment card and other guest information from our network (the Data Breach). Based on our investigation, we believe that the intruder installed malware on our point-of-sale system in our U.S. stores and stole payment card data from up to approximately 40 million credit and debit card accounts of guests who shopped at our U.S. stores between November 27 and December 17, 2013. In addition, the intruder stole certain guest information, including names, mailing addresses, phone numbers or email addresses, for up to 70 million individuals.

Data Breach Related Accruals

Each of the four major payment card networks has made a written claim against us regarding the Data Breach, either directly or through our acquiring banks. In August 2015, we entered into a settlement agreement with Visa under which we will pay up to $67 million to eligible Visa card issuers worldwide that issued cards that Visa claimed to have been affected by the Data Breach. Our previously recorded accrual for estimated probable losses related to Visa is consistent with the settlement. We expect to dispute the remaining unsettled claims regarding the Data Breach that have been or may be made against us by the payment card networks. With respect to the three major payment card networks other than Visa, we think it is probable that our disputes would lead to settlement negotiations. We believe such negotiations would affect a combined settlement of the payment card networks' counterfeit fraud loss allegations and their non-ordinary course operating expense allegations.

In addition, more than 100 actions were filed in courts in many states on behalf of guests, payment card-issuing banks, and shareholders, seeking damages or other related relief allegedly arising out of the Data Breach. The federal court actions (the MDL Actions) have been consolidated in the U.S. District Court for the District of Minnesota (MDL Court) pursuant to the rules governing multidistrict litigation and one remaining state court action has been stayed. In March 2015, Target entered into a Settlement Agreement that, upon approval of the MDL Court, will resolve and dismiss the claims asserted in the MDL Actions on behalf of a class of guests whose information was compromised in the Data Breach. Pursuant to the Settlement Agreement, Target has agreed to pay $10 million to class member guests, certain administrative costs associated with the settlement, and attorneys' fees and expenses to class counsel as the Court may award. The claims asserted by payment card issuing banks and shareholders in the MDL Actions remain pending. One action was filed in Canada relating to the Data Breach. That action was dismissed but is being appealed. State and federal agencies, including State Attorneys General, and the Federal Trade Commission are investigating events related to the Data Breach, including how it occurred, its consequences and our responses. The SEC's Enforcement Division concluded its investigation during the second quarter of 2015 and does not intend to recommend an enforcement action against us.

Our accrual for estimated probable losses for what we believe to be the vast majority of actual and potential Data Breach related claims is based on the expectation of reaching negotiated settlements, and not on any determination that it is probable we would be found liable for the losses we have accrued were these claims to be litigated. Given the varying stages of claims and related proceedings, and the inherent uncertainty surrounding them, our estimates involve significant judgment and are based on currently available information, historical precedents and an assessment of the validity of certain claims. Our estimates may change as new information becomes available, and although we do not believe it is probable, it is reasonably possible that we may incur a material loss in excess of the amount accrued. We are not able to estimate the amount of such reasonably possible excess loss exposure at this time because many of the matters are in the early stages, alleged damages have not been specified, and there are significant factual and legal issues to be resolved.

Expenses Incurred and Amounts Accrued

We recorded $9 million and $12 million of pretax Data Breach-related expenses during the three and six months ended August 1, 2015, respectively, primarily for legal and other professional services. We recorded $148 million and $175 million of pretax Data Breach-related expenses during the three and six months ended August 2, 2014, respectively, partially offset by expected insurance recoveries of $38 million and $46 million, respectively. Along with legal and other professional services, these expenses included an increase to the accrual for estimated probable losses for what we believe to be the vast majority of actual and potential breach-related claims, including claims by the payment card networks. These expenses were included in our Consolidated Statements of Operations as SG&A, but were not part of our segment results. Since the Data Breach, we have incurred $264 million of cumulative expenses, partially offset by expected insurance recoveries of $90 million, for net cumulative expenses of $174 million.

Insurance Coverage

To limit our exposure to losses relating to Data Breach and other claims, we maintained $100 million of network-security insurance coverage during the period that the Data Breach occurred, above a $10 million deductible and with a $50 million sublimit for settlements with the payment card networks. This coverage, and certain other customary business-insurance coverage, has reduced our exposure related to the Data Breach. We will pursue recoveries to the maximum extent available under the policies. Since the Data Breach, we have received $35 million from our network-security insurance carriers of the $90 million accrued.

Data Breach Balance Sheet Rollforward

(millions)                                              Liabilities   Insurance Receivable
Balance at February 1, 2014                                    $61                   $44
Expenses incurred/insurance receivable recorded (a)            175                    46
Payments made/received                                         (54)                  (20)
Balance at August 2, 2014                                     $182                   $70

Balance at January 31, 2015                                   $171                   $60
Expenses incurred/insurance receivable recorded (a)             12                     -
Payments made/received                                         (15)                   (5)
Balance at August 2, 2015                                     $168                   $55

(a) Includes expenditures and accruals for Data Breach-related costs and expected insurance recoveries as discussed below.

Appendix D: Forward-Looking Statements

Disclosure – Concho Resources Inc. 8-K Filing

September 13, 2017 Form 8-K

Forward-Looking Statements and Cautionary Statements

Forward-looking statements are not guarantees of performance. Although the Company believes the expectations reflected in its forward-looking statements are reasonable and are based on reasonable assumptions, no assurance can be given that these assumptions are accurate or that any of these expectations will be achieved (in full or at all) or will prove to have been correct. Moreover, such statements are subject to a number of assumptions, risks, and uncertainties, many of which are beyond the control of the Company, which may cause actual results to differ materially from those implied or expressed by the forward-looking statements. These risks include, without limitation, the risk factors discussed or referenced in the Company's most recent Annual Report on Form 10-K and in the Company's Quarterly Report on Form 10-Q for the quarter ended March 31, 2017……………; risks and liabilities associated with acquired properties or businesses; uncertainties about the Company's ability to successfully execute its business and financial plans and strategies; the adequacy of the Company's capital resources and liquidity including, but not limited to, access to additional borrowing capacity under the Company's credit facility; the impact of potential changes in the Company's credit ratings; cybersecurity risks, such as those involving unauthorized access, malicious software, data privacy breaches by employees or others with authorized access, cyber or phishing-attacks, ransomware and other security issues……………..

Glossary

Botnets: Networks of compromised computers, controlled by remote attackers in order to perform such illicit tasks as sending spam or attacking other computers.

Bring Your Own Device: Bring Your Own Device (BYOD) is the practice of allowing employees of an organization to use their own computers, smartphones, or other devices for work purposes.

Business Email Compromise: A scam carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Critical Infrastructure: Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters.

Cyberattack: Any type of offensive maneuver employed by individuals or whole organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts, usually originating from an anonymous source, that either steals, alters, or destroys a specified target by hacking into a susceptible system.

Cybercrime: Involves any criminal act dealing with computers and networks, and traditional crimes conducted through the internet, such as hate crimes, telemarketing and internet fraud, and identity theft.

Cyber Forensics: A branch of digital forensic science pertaining to evidence found in computers and digital storage media in order to provide a conclusive description of cybercrime.

Cybersecurity: The process of protecting information by preventing, detecting, and responding to attacks.

Cyberspace: The interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people.


Cybersecurity Event: A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).

Cyber Threat: The possibility of a malicious attempt to damage or disrupt a computer network or system.

Industry 4.0: The current trend of automation and data exchange in manufacturing technologies, including cyber-physical systems, the Internet of Things, and cloud computing.

Internet of Things (IoT): The network of physical objects that contain embedded technologies to communicate and sense or interact with their internal states or the external environment.

Malware: Using malicious software, criminals gain access to computer systems and gather sensitive personal information such as Social Security numbers, account numbers, passwords, and more.

Phishing: Criminals attempt to acquire sensitive personal information via email.

Ransomware: A scam frequently delivered through spear-phishing emails to end users, resulting in the rapid encryption of sensitive files on a corporate network. When the victim organization determines that it is no longer able to access its data, the cyber actor demands the payment of a ransom.

Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (1) the adverse impacts that would arise if the circumstance or event occurs; and (2) the likelihood of occurrence.

Risk Management: The process of identifying, assessing, and responding to risk.

Social Engineering: Via social media and other electronic media, criminals gain the trust of victims over time, manipulating them into divulging confidential information.


Index

A

Advanced Persistent Threat, 83

Application Risk, 91

B

Botnets, 24

Business Email Compromise, 16

C

Critical Security Controls, 3, 38, 64

Cyber Fraud, 12

Cyber Threat, 13

Cyberattack, 12

Cybercrime, 12

Cyber-espionage, 42

Cybersecurity, 13

Cybersecurity Examination Initiative, 69, 70, 72, 73

F

Financial Statement Disclosures, 79

FISMA, 52

Form 10-K, 78, 81, 126, 127

Form 10-Q, 78, 81, 126, 127

Form 8-K, 80, 81, 126, 127

H

Hacktivists, 88


I

IM Guidance Update No. 2015-12, 74

Information and Communications Technologies, 65

Internet of Things, 35

ISO/IEC 27000, 38, 62

M

Malware, 92

N

Nation states, 87

NIST Framework, 2, 3, 38, 39, 40, 57, 67, 124, 125

P

Payment Card Industry Data Security Council Standard, 38, 67, 124

Payment card skimmers, 42

Phishing, 119

Point-of-Sale Intrusions, 41

R

Ransomware, 64

Regulation S-K, 77, 78, 81, 127

S

SEC Disclosure Obligations, 76

W

Wire transfer, 16


Solutions to Review Questions

Section 1

1. An employee made a false claim for reimbursement of inflated business expenses. He believes that his behavior was harmless because the financial loss to the agency was immaterial. Which of the fraud triangle elements best explains his action?

A. Incorrect. Opportunity is the ability to commit fraud or to conceal it. Examples of opportunities include weak internal control, poor supervision, and lack of training. None of these situations is identified in this case.

B. Incorrect. Capability is not an element in the fraud triangle. It is an element in the fraud diamond.

C. Correct. Rationalization is a person's ability to justify a fraud by reconciling his/her behavior, such as stealing, with some common excuse. In this case, the employee justified stealing by using the excuse that the financial loss to the agency was minimal, so that his action was harmless.

D. Incorrect. Pressure indicates a need that an individual attempts to satisfy by committing fraud, such as living beyond one’s means, high personal debt, and peer pressure. None of these factors is identified in this case.

2. An individual steals online credit and financial information and uses it in a criminal manner. What term describes this behavior?

A. Incorrect. Financial statement fraud is committed by an employee who intentionally causes a misstatement or omission of material information in the entity’s financial reports.

B. Incorrect. Business email compromise (BEC) is defined as a scam targeting businesses and carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

C. Correct. Cyber fraud is defined as credit and financial information stolen online by a hacker and used in a criminal manner.

D. Incorrect. Email account compromise (EAC) is a sister scam to BEC. EAC differs from BEC in that it targets individuals or individual professionals instead of businesses.

3. What type of cyber fraud sends a victim an enticement in the hope that the victim will provide confidential information?

A. Incorrect. Ransomware involves encrypting a victim’s computer and demanding payment for the decryption key.

B. Incorrect. Hacking involves breaking into a victim’s computer in order to get sensitive information.


C. Correct. Phishing uses contests or legitimate-looking emails to get sensitive or confidential information. For instance, the email could appear to be from a victim’s financial institution, health provider, or even the IRS.

D. Incorrect. Spam is the delivery of high volumes of unwanted email solicitations, frequently with virus-infected links.

4. What is the most effective technique to reduce the risk of being a business email compromise victim?

A. Incorrect. Although requiring two-factor authentication for all remote access sessions can effectively reduce the risk of unauthorized access, such a control does not directly address the risk of being a business email compromise victim.

B. Incorrect. An organization should regularly scan systems within the environment to ensure that vulnerabilities are identified, categorized (e.g., critical, major, moderate), and addressed. However, vulnerability assessment does not necessarily reduce the risk of being a business email compromise victim.

C. Incorrect. Maintaining backup operations, developing an emergency response, and establishing post-disaster recovery are all critical elements of the contingency planning process. However, these procedures do not reduce the risk of being a business email compromise victim.

D. Correct. While detecting fraud once it occurs is essential to any company, it is obviously best to prevent it before it happens. Promoting employee security awareness, a preventive control, is considered the most effective way to reduce the risk of being a fraud victim.

5. Which of the following offenses involves criminals taking out loans or credit cards using a victim’s information?

A. Incorrect. Payment card skimmers refer to incidents in which a skimming device was physically implanted on an asset that reads magnetic stripe data from a payment card (e.g., ATMs, gas pumps, POS terminals).

B. Incorrect. Exploits are pieces of code designed to take advantage of software vulnerabilities to deliver a payload (malware) that otherwise would be prevented by system restrictions.

C. Correct. Financial identity theft is related to ID thieves taking out loans or credit cards using a victim’s information. The victim often receives a lender’s letter stating that he/she has not repaid a loan that he/she did not take.

D. Incorrect. Business email compromise involves taking over an email account or spoofing an email address in order to initiate theft via unauthorized ACH or wire transfers.


6. Hundreds of thousands of computers are part of a network being used to perform malicious actions, such as sending spam and launching Denial of Service attacks. Which of the following terms describes this type of threat?

A. Incorrect. Payment card skimmers refer to all incidents in which a skimming device was physically implanted (tampering) on an asset that reads magnetic stripe data from a payment card (e.g., ATMs, gas pumps, POS terminals).

B. Incorrect. Point-of-Sale (POS) Intrusions are remote attacks against the environments where card-present retail transactions are conducted. POS terminals and POS controllers are the targeted assets.

C. Incorrect. A zero-day attack is a threat aimed at exploiting a software application vulnerability before the application vendor becomes aware of it and before the vulnerability becomes widely known to the internet security community.

D. Correct. Zombie computer networks, also known as botnets, have for several years been the most important infrastructural component in the world of cybercrime actors. Their role in the world of cybercrime is central, within a model where the purchase and sale of services, information theft, or campaigns spreading ransomware are facilitated by botnets. In other words, they are used to launch automated attacks such as DDoS against business and government websites and networks.

Section 2

7. Which of the following standards is primarily used by organizations that handle branded credit cards, such as Visa, MasterCard, and American Express?

A. Incorrect. The NIST Framework was developed in response to Executive Order 13636, which outlines responsibilities for Federal Departments and Agencies to aid in Improving Critical Infrastructure Cybersecurity.

B. Incorrect. The Standard of Good Practice, published by the Information Security Forum, is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.

C. Correct. The Payment Card Industry Data Security Council Standard is the global data security standard adopted by payment card brands, such as Visa, MasterCard, and American Express, that process, store, or transmit cardholder data.

D. Incorrect. ISO/IEC 27001:2013 focuses on information security management systems to help organizations protect information such as financial data, intellectual property, or sensitive customer information.


8. All of the following are TRUE related to security framework adoption EXCEPT:

A. Incorrect. According to Dimensional Research, adoption of frameworks is the norm: banking and finance (88%), information technology (87%), government (86%), and manufacturing (83%) all have security framework adoption rates above 80%. Education and healthcare are only slightly behind at 77% and 61% respectively.

B. Correct. Security teams are searching for guidance, and in many cases they are getting it from multiple places. Close to half of organizations (44%) report that they are using multiple frameworks in their security program, including 15% that are using three or more, based on the survey from Dimensional Research.

C. Incorrect. According to Dimensional Research, the most common reason for adopting the NIST Framework was best practice (70%). This reason for adopting the NIST Framework was far ahead of any requirement by a business partner (29%), federal contract (28%), or other organizations (20%).

D. Incorrect. Many organizations are planning to adopt additional frameworks in the coming year, with the NIST Framework heading the list (14%), followed by CIS (12%) and ISO (9%).

9. Which of the following is NOT one of the top 5 CIS Critical Security Controls?

A. Incorrect. The number 1 priority of the Critical Security Controls is to inventory all authorized and unauthorized devices.

B. Incorrect. Creating an inventory of all authorized AND unauthorized software is the number 2 priority.

C. Incorrect. The third-priority control is to create secure configurations for hardware and software on mobile devices, laptops, workstations, and servers.

D. Correct. Although email and web browser protections are very important, they are number 7 on the priority list for controls.

Section 3

10. Which of the following measures ensures that employees understand cybersecurity risks and know how to respond to incidents, in accordance with the SEC Division of Investment Management Guidance Update No. 2015-02?

A. Incorrect. Funds and advisers should create a strategy to help prevent, detect, and respond to cybersecurity risks. Such a strategy often addresses the matters of controlling access, data encryption, protection against the loss of sensitive data, data backup and retrieval, and the development of an incident response plan.

B. Correct. To ensure that employees understand cybersecurity risks and know how to respond to incidents, firms should implement policies and procedures, and conduct regular training. Firms should also consider how to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.


C. Incorrect. Funding was not addressed in the latest guidance update, and it will be up to the firm to determine how best to fund the implementation of the other measures.

D. Incorrect. An effective assessment will help the firm identify potential cybersecurity threats and vulnerabilities to better prioritize and mitigate risk.

11. Which of the following is NOT a key aspect of the SEC Division of Investment Management Guidance Update No. 2015-02?

A. Incorrect. Funds and advisers should create a strategy to help prevent, detect, and respond to cybersecurity risks.

B. Incorrect. Proper education and policies are critical to the firm, the investors, and their clients.

C. Correct. Funding was not addressed in the latest guidance update, and it will be up to the firm to determine how best to fund the implementation of the other measures.

D. Incorrect. An effective assessment will help identify potential cybersecurity threats and vulnerabilities to better prioritize and mitigate risk.

12. Depending on the circumstances, disclosures of cyber risks and cybersecurity incidents may be required for public companies in all of the following discussions EXCEPT?

A. Incorrect. In determining whether risk factor disclosure is required, a public company is expected to evaluate its cybersecurity risks and take into account all available relevant information, such as (1) prior cybersecurity incidents and the severity and frequency of those incidents; (2) the probability of cybersecurity incidents occurring; (3) the quantitative and qualitative magnitude of the risks; and (4) potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data, or operational disruption.

B. Incorrect. A public company should provide disclosure in Item 101 of Regulation S-K if one or more cybersecurity incidents materially affect the registrant’s products, services, relationships with customers or suppliers, or competitive conditions. In determining whether to include disclosure, registrants should consider the impact on each of their reportable segments.

C. Incorrect. A public company may need to disclose information regarding the litigation in Item 103 of Regulation S-K if a material pending legal proceeding to which the registrant or any of its subsidiaries is a party involves a cybersecurity incident.

D. Correct. The main purpose of designing a secure system configuration is to protect sensitive information. Secure configurations should remain confidential, as their disclosure may reveal vulnerabilities in a server architecture or malware detection program that could be exploited by cybercriminals.


13. Which of the following forms is used for disclosure of a cyber incident that materially affects the company’s relationships with customers?

A. Incorrect. Registrants should address cybersecurity risks and cyber incidents in the MD&A section of their Form 10-K and Form 10-Q if the costs or other consequences represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s operations, liquidity, or financial condition.

B. Incorrect. If a cybersecurity breach occurs or new risks arise in between periodic reporting requirements, companies should consider whether disclosing such information on a Form 8-K is appropriate.

C. Incorrect. Registrants should address cybersecurity risks and cyber incidents in the MD&A section of their Form 10-K and Form 10-Q if the costs or other consequences represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s operations, liquidity, or financial condition.

D. Correct. A registrant should provide disclosure in Item 101 of Regulation S-K if one or more cyber incidents materially affect the registrant’s products, services, relationships with customers or suppliers, or competitive conditions.

Section 4

14. Which of the following threat actors would have the most interest in financial/payment systems?

A. Incorrect. Disgruntled insiders usually use their privileged knowledge, or access, to facilitate or launch an attack to disrupt or degrade critical services on the network of their organizations. They often target market strategies, corporate secrets, R&D, business operations, and personnel information.

B. Incorrect. Nation-states are the most capable actors in the cyber domain. Their interests include political, economic, military, and financial targets, and they will usually target trade secrets, sensitive business information, emerging technologies, and critical infrastructure.

C. Correct. Driven by profit and personal gain, organized crime is becoming increasingly sophisticated in its use of technology to commit fraud and steal funds and valuable information, focused on financial/payment systems, personal identification information, payment card information, and protected health information.

D. Incorrect. Hacktivists, whose objectives may be to disrupt and embarrass an organization, usually refer to a disparate group that contains a wide variety of ideologically oriented groups and individuals. In general, hacktivists wish to attack companies for political or ideological motives. They promote a form of civil disobedience in cyberspace, targeting corporate secrets, sensitive business information, and information related to key executives, employees, customers, and business partners.

15. The most complex and targeted attacks require a high level of financial investment and legal oversight. State-sponsored threat actors of this type are usually employed by which of the following governments?

A. Incorrect. Middle East hackers are dynamic, often using creativity, deception, and social engineering to trick users into compromising their own computers. In other words, Middle East attacks may be calculated less in the technology, and more in the clever ways in which malware is delivered and installed on a target network. They do not necessarily require a high level of financial investment and legal oversight.

B. Incorrect. FireEye indicated that no prominent examples have been discovered of the European Union (EU) or the North Atlantic Treaty Organization (NATO) conducting their own offensive cyberattacks. On the contrary, many examples reveal European networks getting hacked from other parts of the world, particularly China and Russia.

C. Incorrect. Since China is home to 1.35 billion people, or more than four times the population of the United States, China often has the ability to overwhelm cyber defenses with quantity over quality. According to FireEye researchers, Chinese malware is not the most advanced or creative. China employs brute force attacks that are often the most inexpensive way to accomplish its objectives. The attacks succeed due to the sheer volume of attacks and the prevalence and persistence of vulnerabilities in modern networks.

D. Correct. The United States has conducted the most complex, targeted, and rigorously engineered cyberattack campaigns to date. The attacks often require a high level of financial investment, technical sophistication, and legal oversight.

16. What is the primary motivation of hacktivists?

A. Incorrect. Nation-states, motivated by nationalism, are established and well organized, and carry out the most sophisticated threats in cyberspace, motivated by espionage and/or ideology. For example, they usually focus on credentials, internal organizational data, trade secrets, and system information.

B. Incorrect. Driven by profit and personal gain, organized crime groups usually steal credit card numbers, bank information, and social media and email account information to sell them on the black market.

C. Correct. Hacktivists, whose objectives may be to disrupt and embarrass an organization, usually refer to a disparate group that contains a wide variety of ideologically oriented groups and individuals. Thus, hacktivists wish to attack companies for political or ideological motives.

D. Incorrect. Hacktivists are individuals or groups who perform cyberattacks on targets for political-ideological reasons. Black market activities are usually the focus of organized crime groups motivated by financial gain.

17. Which of the following has NOT increased the overall risk landscape of organizations?

A. Incorrect. A network of networks is one of the factors that change the overall risk landscape of organizations. Research predicts that 30 billion devices will be connected to the internet by the year 2020.

B. Incorrect. As more and more organizations put mission-critical data in the cloud and with third parties, with the resulting loss of control and unexpected connectivity, the threats and attacks increase. Therefore, cloud computing is one of the factors that change the overall risk landscape of organizations.

C. Incorrect. Privacy and data protection are factors that change the overall risk landscape of organizations. Smart devices hold information ranging from confidential consumer data to operational and financial data, and therefore data privacy and protection become key cyber risks.


D. Correct. User education is one of the most cost-effective ways for organizations to help drive down the risk of cyber fraud.

Section 5

18. According to the Three Lines of Defense model, which of the following controls is part of the first line of defense’s responsibilities?

A. Incorrect. Internal audit acts as the third line of defense by conducting an independent review of the cybersecurity program and providing confirmation to the board on risk management effectiveness.

B. Correct. IT management, which incorporates risk-informed decision making into daily operations, such as defining risk appetite and mitigating risks, serves as the first line of defense for data privacy and security.

C. Incorrect. Information and technology risk management, which establishes governance and oversight, serves as the second line of defense by setting the risk baseline, policies, and standards.

D. Incorrect. Internal audit, which helps management meet compliance requirements related to cybersecurity risks, is the third line of defense for data privacy and security.

19. According to the Three Lines of Defense model, which of the following controls usually serves as the third line of defense providing independent assurance?

A. Correct. As the third line of defense, the internal audit activity provides senior management and the board with independent and objective assurance on governance, risk management, and controls.

B. Incorrect. The second line of defense is often composed of IT risk management and IT compliance functions. Therefore, classifying data and designing least-privilege access roles are considered second-line-of-defense activities.

C. Incorrect. The first line of defense consists of the operational managers that own and manage risks and controls. Thus, implementing vulnerability management with internal and external scans is one of the common first-line-of-defense activities.

D. Incorrect. Deploying intrusion detection systems and conducting penetration testing are examples of first-line-of-defense activities.

20. Which of the following documents provides specific notification and/or escalation procedures that apply to a particular information system?

A. Incorrect. A service level agreement provides information about existing written commitments to provide a particular level of service. This may include pre-established external engagement contract support that can assist and augment the organization’s recovery team in the event of a major cyber event.

B. Incorrect. Operational workarounds refer to approved workaround procedures to be used if the information system cannot be restored within the recovery time objective (RTO).


C. Incorrect. Specific recovery details and procedures provide the specific recovery activities to be performed by the recovery team, including application restoration details or methods to activate alternate means of processing (e.g., backup servers, failover site).

D. Correct. The communication plan provides specific notification and/or escalation procedures that apply to a particular information system. As an example, some systems impact users outside of the organization, and legal, public relations, and human resources personnel may need to be engaged to manage expectations and information disclosure about the incident and recovery progress.

Section 6

21. Which of the following audits helps an organization identify gaps in the policies and procedures implemented in the organization pertaining to IT infrastructure?

A. Correct. The objective of a governance & processes review is to identify gaps in the policies and procedures implemented in the organization pertaining to IT infrastructure. During the review, internal auditors may review the cybersecurity policies, procedures, and strategies. They may also test operating effectiveness in accordance with the policies and procedures established.

B. Incorrect. The objective of the cyberattack identification & response review is to evaluate procedures and processes that enable the discovery and reporting of cyberattack incidents.

C. Incorrect. A baseline security review identifies security risks in the network.

D. Incorrect. The objective of a proactive advanced persistent threat review is to mitigate the risk of information leakage and eavesdropping and to foresee the expected attacks and threats that the network might be subject to.

22. How can Internal Audit contribute to an organization’s cybersecurity preparedness?

A. Incorrect. Business and IT functions incorporate risk-informed decision making into daily operations and integrate risk management into operational processes.

B. Incorrect. Legal is normally responsible for monitoring decisions made by regulators in response to cyber incidents.

C. Incorrect. Executive-level management is responsible for implementing user security awareness programs.

D. Correct. Internal Audit performs independent reviews of cybersecurity program effectiveness by evaluating whether the security architecture supports the organization’s thresholds for risk, while still supporting key business objectives.