
JPMorgan Chase & Co. -Risk Assessment Report


Page 1: JPMorgan Chase & Co. -Risk Assessment Report

JPMorgan Chase & Co.

Risk Assessment Report

Based on the 2014 Data Breach

University of Washington

IMT 552

(For educational purposes only)

Team Members:

Akshay Ajgaonkar

Daniel Kapellmann

Divya Kothari

Dustin Chiang

Manasa Chitiprolu

Sandeep T. Maregowda


Table of Contents

I. Executive Summary

II. Information Security in the Financial Industry

III. JPMorgan Chase Data Breach

IV. Stakeholders

V. Identification of Main Assets

VI. Risks Identification

VII. Risk Assessment

VIII. Risk Normalization

IX. Control Planning and Risk Treatment

X. Recovery and Incident Response

XI. Communication and Monitoring

XII. Strategic Recommendations

XIII. Annexes

XIV. References


Executive Summary

The summer of 2014 saw the biggest data breach in American banking history, which resulted in the loss of 83 million records from one of the leading banks in the world, JPMorgan Chase. In the light of this cyberattack, we, as part of a special assessment team guided by the Chief Cyber Security Officer, performed an overall assessment. The objective of this assessment was to identify, assess and evaluate potential risks in order to provide senior management with recommendations for actions to prevent similar breaches in the future. The exercise, based on the ISO 31000 framework, started with the categorization of the overall risks into four clusters: Operational, Strategic, Financial and Legal Risk. Then, the six main risks were assessed, normalized and provided with consistent mitigation strategies. Finally, controls were planned and strategic recommendations were written to involve senior management in the effective handling of the firm's information assets going forward. Through this paper we have evaluated and assessed this large-scale data breach and made recommendations to ensure the safety of the bank's data.

(Please note that for the purposes of this assignment various assumptions have been made wherever data was not available.)


Information Security in the Financial Industry

Information security is currently one of the main challenges faced by firms in the financial sector, due to the significant losses that any breach may cause. Establishing a secure environment for information assets is a topic of the utmost relevance, yet a highly convoluted one when considering the diversity of the threats and actors involved and the difficulty of staying one step ahead of new potential scenarios.

According to the Cost of Data Breach Study: Global Analysis by the Ponemon Institute, the average cost of an incident in 2015 reached $3.8 million, an increase of 23% over just the last two years. This sum corresponds to an average of $145 to $154 for each stolen record (Ponemon Institute, 2015).

In the financial industry, the constant increase in the frequency of breaches and their negative impacts over the last few years has led to the creation of the largest non-government cybersecurity market. Its overall estimated value reached $9.5 billion in 2015, with the highest estimated growth rate for the 2015-2020 period. In 2014, PwC calculated that financial organizations had collectively spent $4.1 billion on cybersecurity and would spend another $2 billion during the next two years (Morgan, 2015).

JPMorgan Chase Data Breach

The 2014 cyberattack on the biggest bank in the USA, JPMorgan Chase & Co., was by far the most serious intrusion in the history of American corporations. The breach resulted in JPMorgan Chase & Co. losing data associated with approximately 83 million accounts (CNBC, 2015). The stolen records consisted primarily of the names, addresses, phone numbers and email addresses of account holders, which were compromised by unknown hackers (Kurane & Wills, 2014). Fortunately for the bank, the hackers were not able to retrieve more sensitive personal information about customers, such as social security numbers or account balances. As a consequence, the firm did not suffer any irreparable harm.

According to The New York Times, the bank's weak spot was a rather basic one. The breach could have been stopped had the bank enabled a second authentication measure on one of the servers in its vast network. It was found that some Eastern European Internet addresses were used for the attack, but the bank refused to share any further details on the incident (Perlroth, 2014). Bearing in mind the significant amount of money that giant firms such as JPMorgan invest in security, the breach represented an enormous danger for the company in terms of reputation, economic losses and customer trust.

To make matters worse, the bank discovered the breach somewhat accidentally. In July, security employees of the bank learned that the website for the JPMorgan Corporate Challenge, a charitable race organized by the bank, had been hacked and compromised. The website, which was run by an outside vendor, pointed back to a bigger problem within the bank's own network (Goldstein, 2015). Had this not been discovered, the compromise of 90 of the bank's servers would have gone unnoticed for another extended period of time.

Right after the news of the breach was made public, JPMorgan shares went down by 0.4% in after-hours trading (Sam Ro, 2014). A few months later, in June 2015, the executive who had been in charge of protecting JPMorgan Chase's computer network from hackers was reassigned. Instead of the hundreds of personnel he managed in the cyber-security unit, he has now been asked to build relationships with the government, law enforcement and the remaining big U.S. banks in order to mitigate the possibility of future risks (Robertson & Riley, 2015). A detailed assessment of this case is attached in Annex # 2.

It is also pertinent to note that, although the immediate assumption would be that this data was captured for financial fraud or identity theft, the Manhattan court has observed that the breach may have been carried out by Russian gangs. As alleged by a United States attorney, “The defendants manipulated trading in U.S. securities from overseas, using fake identities to funnel millions of dollars in unlawful proceeds through a web of international shell companies. Using false and misleading spam emails sent to millions of people, these defendants allegedly directed their pump-and-dump scheme from their computers halfway around the world” (Goldstein, 2015). This may be a key factor in determining the true perpetrator, given that JPMorgan, as one of the largest US banks, has played a major role in implementing the sanctions imposed against Russian institutions and officials as a result of the conflict in Ukraine (Robertson & Riley, 2015).

Based on the various sources of information available and further risk/security assumptions, this paper seeks to identify, assess and evaluate further data breach risks following the risk management framework provided by ISO 31000. The framework also encourages us to identify solutions and recommendations for future prevention and recovery. It is important to mention that the text will mostly analyze the protection of information assets and will rely on publicly available information.

Stakeholders

The main stakeholders related to the JPMorgan Chase breach are divided into two categories: internal and external. The first group consists of parties that either collaborate in the risk assessment process or must become acquainted with it in order to make related decisions. The second involves parties that are not affiliated with the company but are ultimately interested in the security of the organization's information assets.

Internal

According to JPMorgan Chase's corporate site, the Chief Risk Officer is mainly held accountable for elaborating detailed assessments. With the support of the Chief Cybersecurity Officer, this executive eventually presents his findings to the Risk Policy Committee, a group organized to evaluate the findings, make decisions and ultimately collaborate with other parties such as the Audit and Corporate Governance Committees (JPMorgan Chase & Co., 2015). It is important to recall that, besides performing an accurate assessment, communication plays a primary role in the process, enabling the different stakeholders to correctly perform their duties. The accountability model is shown in the following diagram.

Internal Accountability Model

External

Additional stakeholders that may be considered are the government of the United States of America and the customers. In the first place, the public sector has supported powerful financial institutions in recovering from breaches and other crises because of their importance to the overall economy. Besides, it is in the nation's best interest to keep attracting customers by maintaining a good reputation for the security and good practices of its private institutions.

External Stakeholder Matrix

In the second place, customers are interested in being able to trust the institution in order to safely invest or save money without being harmed by security breaches. Other possible interpretations may consider other banks or competitors trying to learn from the breach and probably even emphasizing security as their competitive advantage. Finally, external service providers hired by the bank should also be considered potential stakeholders with high influence on and interest in the bank's security performance.


Identification of Main Assets

As a first step of the assessment, the primary assets of the organization that could either be in danger or play a role in data breaches were grouped into four categories:

● Physical Assets - Infrastructure and technology used to share, analyze or produce information. Some examples are servers, networks, computers and other technology devices, either organizational or personal.

● Informational Assets - Software and information stored in different formats. Some examples are databases, customer sensitive information such as Personally Identifiable Information, and further financial data.

● Human Assets - Personnel and human factors involved in the processes implemented by the organization, as well as external users and stakeholders. Some examples are vendors, managers/employees and customers.

● Reputational Assets - Those factors that allow JPMorgan Chase & Co. to maintain or increase its brand presence as well as the goodwill and demand of external parties. Some examples are the share value, customer trust and credibility.

Assets Categorization Diagram

The above diagram shows the four categories that enclose the organization's main assets that maintain a direct or indirect relationship with data breaches. Even though this assessment is mostly centered on protecting the informational assets from data breaches, it is important to recall that the four categories are deeply interrelated in the different processes and procedures implemented by the institution. For this reason, the protection of informational assets will also have an impact on the safety of the other categories.

Risk Identification

The current exercise is mostly focused on the protection of informational assets in order to ensure the safety of the other primary physical, human and reputational factors. Based on this premise and on public data related to the 2014 JPMorgan Chase breach, the following main risks were identified and categorized:

Operational

1) Inadequate controls and procedures (such as not implementing double authentication on servers or not implementing secure network configurations) may lead to the exposure of restricted data and systems to external malicious parties.

2) Failure to contemplate the potential impact of human error when utilizing the informational assets of the company could generate unintended disclosure of data and circumvent currently implemented security controls.

3) Lack of substantial training for employees on protecting the informational assets of the company may generate unintended disclosure of data and lower the effectiveness of currently implemented security measures.

4) Failure to implement correct software flags that inform when an unauthorized party is attempting to access the system may lead to a lack of adequate and timely incident response against attacks.

5) Failure to implement adequate physical protection of the company's infrastructure may enable direct intrusions by external malicious entities.

6) Carelessness of employees may affect the company by enabling external access to its information assets through lost or stolen equipment, devices or credentials.

7) Inability to separate the protection of internal networks from that of the external providers hosting the company's websites may lead to further data breaches and external intrusion into the main systems of the organization.

8) Lack of regular monitoring of customer information databases slows the bank's actions to respond to attacks and to find and fix vulnerabilities, thus enabling intrusions to last for long periods of time.

Strategic

1) Failure to protect the bank's information systems may lead to the disclosure of private data of users and customers, damaging the reputation of the institution and its overall financial performance.

2) Slow adaptation to the technological advances of potential malicious actors leaves the company vulnerable to diverse external threats from different origins.

3) Failure to protect sensitive information of the bank may lead to the disclosure of confidential data about its customers and employees, thus enhancing the competition's appeal in the market.

4) Inability to efficiently integrate the members of the security team may lead to cultural conflict, generating a potential loss of productivity.

5) Failure to protect the information of customers and employees (such as contact details, home addresses and further private information) may cause the company to lose the trust and support of its human factors.

6) Inefficient communication strategies for including security in the overall culture of the firm could increase the probability of threats impacting the informational assets of the company.

Financial

1) Failure to implement efficient organizational policies to correctly manage information may open the door to further attacks or even encourage unintended disclosure, generating financial and reputational losses for the company.

2) Failure to protect the personal information of customers may lead to theft and misuse of their resources through impersonation and other malicious methods.

3) Losing reputation as a consequence of poor information security affects the company by decreasing user demand and leading prospective customers to consider competing organizations instead.

Legal/Compliance

1) Failure to comply with government regulation related to data protection and unauthorized disclosure could generate lawsuits against the bank and even strengthen government intervention.

2) Lack of regular and thorough auditing may lead the company to experience further breaches and/or become involved in legal disputes.

3) Failure to correctly protect the information of customers and employees affects the company by engaging it in legal disputes, with further possible negative financial and reputational impacts.

4) Lack of awareness among employees leading to the destruction or deletion of documents related to data breaches affects the company by exposing it to further legal disputes.

The following diagram summarizes the identified risks and categorizes them according to their nature:


ERM Risk Universe


Risk Assessment and Mitigation

Based on the list of risks identified in the former section, the following assessment covers the six most relevant findings as well as an analysis of their probability and potential impact. At the same time, risk drivers and mitigation strategies are defined for each of them. Probability and impact are rated as L (low), M (medium) or H (high):

Risk #1: Inadequate controls and procedures may lead to the exposure of restricted data and systems to external malicious parties.
Risk Dimension: Operational

Risk Driver / Contributing Factor: Overlooking security controls for SDLC processes on data systems.
Probability: L | Impact: H
Current and Planned Mitigations:
- Quarterly monitoring of the implementation of security controls.
- Implementing the use of flags to alert the department lead executives of system breaches and/or non-compliance with main security processes.

Risk Driver / Contributing Factor: Lack of communication with third-party service providers on compliance with risk mitigation controls.
Probability: M | Impact: H
Current and Planned Mitigations:
- Establishment of regular meetings to coordinate security measures with third-party service providers.
- Shared training sessions to exchange information about compliance procedures between both organizations.

Risk Driver / Contributing Factor: Lack of sufficient education and training on controls and procedures for restricting data and systems usage.
Probability: M | Impact: M
Current and Planned Mitigations:
- Regular training sessions to make all employees aware of the controls and policies in place in the organization.
- Elaboration of the Data Management and Control Procedures Manual to foster uniform practices between different departments.

Risk #2: Lack of periodic monitoring of customer information slows the bank's actions to respond to attacks and to find and fix vulnerabilities, thus enabling intrusions to last for long periods of time.
Risk Dimension: Operational

Risk Driver / Contributing Factor: Insufficient robustness of the AAA (Authentication, Authorization, and Auditing) process for customers.
Probability: M | Impact: H
Current and Planned Mitigations:
- Implementation of robust AAA processes for customer data, reviewed by the Risk Management and Audit Committees.
- Quarterly AAA functional reports to verify the efficiency and efficacy of currently implemented mechanisms.

Risk Driver / Contributing Factor: Reports on vulnerabilities are processed slowly.
Probability: L | Impact: M
Current and Planned Mitigations:
- Formation of a sub-unit within the Risk Management Team to perform regular and planned processing of vulnerability reports.

Risk Driver / Contributing Factor: Exceptions to systematic security warnings are consistently made.
Probability: L | Impact: M
Current and Planned Mitigations:
- Strengthen the mechanisms required to validate exceptions so that they take place only under critical necessity.
- Case-by-case assessment of security exceptions to supervise the correct management of this resource.

Risk #3: Slow adaptation to the technological advances of potential malicious actors leaves the company vulnerable to diverse external threats from different origins.
Risk Dimension: Strategic

Risk Driver / Contributing Factor: The cost of migrating data to new technology can deter adaptation.
Probability: H | Impact: M
Current and Planned Mitigations:
- Promote the adoption of interoperable systems that allow data to be moved easily from one location to another.
- Hiring external agencies or consultancies that can assist in migrating to new technologies.

Risk Driver / Contributing Factor: Technology adoption is delegated to external consultants rather than in-house experts.
Probability: M | Impact: M
Current and Planned Mitigations:
- Hiring in-house experts who can supervise and collaborate with external parties in order to manage information.
- Promoting internal management of information whenever possible.

Risk Driver / Contributing Factor: Company culture may not encourage effective adaptation to technology.
Probability: M | Impact: L
Current and Planned Mitigations:
- Implement communication mechanisms to embed technology adoption into the company's culture.

Risk #4: Inefficient communication strategies for including security in the overall culture of the firm could increase the probability of threats impacting the informational assets of the company.
Risk Dimension: Strategic

Risk Driver / Contributing Factor: Lack of efficient senior leadership in security.
Probability: L | Impact: H
Current and Planned Mitigations:
- Foster and reward efficient leaders in security positions, promoting long-lasting working relationships with expert managers.
- Hiring an expert for the role of Chief Information Security Officer can be highly useful.

Risk Driver / Contributing Factor: Marginalization of senior leadership in security.
Probability: M | Impact: H
Current and Planned Mitigations:
- Incorporate senior security leadership in general meetings with high executives.
- Promote strong security communication strategies to get high executives involved in the overall information risk management process.

Risk Driver / Contributing Factor: The risk assessment team may not be fully funded and supported by senior leadership.
Probability: M | Impact: M
Current and Planned Mitigations:
- Enable transparency mechanisms between the risk assessment team and senior leadership by means of regular meetings or presentations.
- Enforce minimum security budget requirements for senior leadership.

Risk #5: Failure to comply with government regulation related to data protection and unauthorized disclosure could generate lawsuits against the bank and even strengthen government intervention.
Risk Dimension: Legal

Risk Driver / Contributing Factor: Non-compliance with audit requirements due to time or funding.
Probability: M | Impact: M
Current and Planned Mitigations:
- Enforce internal auditing mechanisms to ensure adequate compliance.
- Establish minimum time and budget requirements to comply with external audits.

Risk Driver / Contributing Factor: Reliance on external audit relationships rather than an internal auditing team.
Probability: L | Impact: H
Current and Planned Mitigations:
- Formation of an internal audit team that performs quarterly, half-yearly and yearly assessments.
- Promote coordination between internal and external auditing teams.

Risk Driver / Contributing Factor: Internal processes and audits do not align well with government regulation.
Probability: L | Impact: M
Current and Planned Mitigations:
- Collaboration between the legal department and internal audit teams to ensure compliance with government regulation.

Risk #6: Failure to implement efficient organizational policies to correctly manage information may open the door to further attacks or even encourage unintended disclosure, generating financial and reputational losses for the company.
Risk Dimension: Financial

Risk Driver / Contributing Factor: Organizational policies do not align well with business objectives.
Probability: L | Impact: H
Current and Planned Mitigations:
- Coordinate organizational policies and business objectives by analyzing them through the lens of information security and risk management.
- Establish strong monitoring mechanisms to keep organizational security policies aligned with the main business objectives.

Risk Driver / Contributing Factor: Organizational policies hinder employee performance in everyday tasks.
Probability: M | Impact: M
Current and Planned Mitigations:
- Elaborate a report based on employee consultation regarding the flow of organizational policies and how they facilitate or complicate daily tasks.
- Increase awareness of the necessity of following organizational policies for the good functioning of the firm.

Risk Driver / Contributing Factor: Insufficient performance tracking and management for organizational policies.
Probability: M | Impact: H
Current and Planned Mitigations:
- Keep track of the performance of organizational policies, where they fail and how to make them better.
- Maintain constant communication with employees to understand the impact of organizational policies on their daily jobs and how they follow these procedures.


Risk Normalization

After meeting with the main stakeholders and analyzing their interests, the following chart was prepared. Based on the assessment, each of the risks below is rated by the likelihood of the threat occurring and by the impact of the threat.

Main Risks Evaluation

ID | Risk | Stakeholders Involved | Impact | Likelihood
1 | Inadequate controls and procedures | Business Team, Government Regulatory Body, IT Team | 5 | 2.7
2 | Lack of periodic monitoring | External and Internal Audit Committee, Governance Committee | 4.8 | 2.5
3 | Slow adaptation to technology | IT Team, Business | 2.6 | 4.1
4 | Inefficient communication strategies | CEO, Key business stakeholders, External Vendors | 4 | 2.2
5 | Failure to implement organizational policies | Key Business Stakeholders, IT Team | 3.9 | 1.7
6 | Non-compliance with government regulation | Legal Team, Technical Team, External Vendors, Government | 4.7 | 2


As part of the risk normalization process, the above impact and likelihood ratings have been accepted by the stakeholders, and a heat map visualizing this information is presented.

Risk Heat Map
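Since the heat map figure itself is not reproduced in the text, the following Python snippet (an added example, not a tool from the original report) places the six risks from the Main Risks Evaluation table on a 5x5 impact/likelihood grid and applies the treatment split used in the Control Planning section. The half-up rounding of scores to grid cells, the colour bands and the impact cut-off of 4.5 that separates prioritized from tolerated risks are assumptions, since the report does not state its rule.

```python
"""Heat-map placement for the six normalized risks (added example; not the report's own tool)."""
from dataclasses import dataclass

GRID = 5             # impact and likelihood are scored on a 1-5 scale in the report
IMPACT_CUTOFF = 4.5  # assumption: the report keeps the most impactful risks despite low likelihood


@dataclass(frozen=True)
class Risk:
    rid: int
    title: str
    impact: float      # 1-5, from the Main Risks Evaluation table
    likelihood: float  # 1-5, from the Main Risks Evaluation table


# Scores copied from the report's Main Risks Evaluation table.
RISKS = [
    Risk(1, "Inadequate controls and procedures", 5.0, 2.7),
    Risk(2, "Lack of periodic monitoring", 4.8, 2.5),
    Risk(3, "Slow adaptation to technology", 2.6, 4.1),
    Risk(4, "Inefficient communication strategies", 4.0, 2.2),
    Risk(5, "Failure to implement organizational policies", 3.9, 1.7),
    Risk(6, "Non-compliance with government regulation", 4.7, 2.0),
]


def to_cell(score: float) -> int:
    """Round a 1-5 score half-up to its grid cell (Python's round() would send 2.5 to 2)."""
    return max(1, min(GRID, int(score + 0.5)))


def cell_of(risk: Risk) -> tuple[int, int]:
    """(impact_cell, likelihood_cell) for a risk."""
    return to_cell(risk.impact), to_cell(risk.likelihood)


def band(impact_cell: int, likelihood_cell: int) -> str:
    """Colour band of a cell (assumed thresholds on the impact x likelihood product)."""
    product = impact_cell * likelihood_cell
    if product >= 15:
        return "red"
    if product >= 8:
        return "amber"
    return "green"


def treatment(risk: Risk) -> str:
    """Treatment decision: prioritize the highest-impact risks, tolerate the rest."""
    return "prioritize" if risk.impact >= IMPACT_CUTOFF else "tolerate"


def prioritized_ids(risks=RISKS) -> list[int]:
    """IDs of the risks that get immediate controls under the assumed cut-off."""
    return sorted(r.rid for r in risks if treatment(r) == "prioritize")


def render_heat_map(risks=RISKS) -> str:
    """ASCII grid: rows are impact (5 at the top), columns are likelihood (1-5)."""
    cells: dict[tuple[int, int], list[int]] = {}
    for r in risks:
        cells.setdefault(cell_of(r), []).append(r.rid)
    lines = ["Impact \\ Likelihood  " + "  ".join(f"{c:^5}" for c in range(1, GRID + 1))]
    for impact in range(GRID, 0, -1):
        row = []
        for likelihood in range(1, GRID + 1):
            ids = cells.get((impact, likelihood), [])
            label = ",".join(map(str, ids)) if ids else "."
            row.append(f"{label:^5}")
        lines.append(f"{impact:^19}  " + "  ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_heat_map())
    for r in RISKS:
        ic, lc = cell_of(r)
        print(f"Risk {r.rid}: cell ({ic},{lc}) {band(ic, lc):5} -> {treatment(r)}")
```

With these assumptions risks 1 and 2 share the top red cell, risk 6 sits just below it, and the split reproduces the report's choice of risks 1, 2 and 6 for immediate treatment.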


Control Planning and Risk Treatment

According to the results of the risk normalization process, risks 3, 4 and 5 may be tolerated and managed by the team on a regular basis. In order to address them, the cybersecurity and risk managers will be informed so that better communication, alignment with business objectives and faster adaptation to technology can be addressed over the medium term.

However, risks 1, 2 and 6 must be prioritized and immediately addressed, since the probability-impact matrix shows that the stakes are high enough to require the implementation of immediate controls. The following activities will be implemented to resolve each of these problems:

Risk Title: Inadequate controls and procedures
Risk Description: Failure to implement efficient controls and procedures to protect customer and bank information
Associated Business Objectives: Customer trust and support, Information assurance, Adaptation to changes in the industry
Risk Type: Operational
Risk Category: Information Security, Policies and Procedures, Incident Response
Impact Rating: 5
Likelihood Rating: 2.7
Management Activities and Controls:
1. Implementation of alert flags to inform department lead executives about system breaches and/or non-compliance with main security processes
2. Quarterly monitoring of security controls and regular meetings to coordinate with internal and external service providers
3. Shared compliance and policy training sessions involving main internal stakeholders and external service providers
4. Elaboration of the Data Management and Control Procedures Manual (DMCP) to foster uniform practices between different departments
Suggested Owners: Chief Risk Officer, Chief Cybersecurity Officer, Audit Committee
Metrics: Number and duration of successful minor/major data breaches; Number of employees with access to and approved evaluation in the DMCP Manual; Quarterly monitoring reports; Number of employees attending training sessions; Number of alert flags informing of non-compliance with security processes


Risk Title: Lack of periodic monitoring
Risk Description: Thorough evaluation and periodic monitoring of security policies, controls and procedures
Associated Business Objectives: Information Assurance, Operational Optimization, Risk Mitigation and Critical Assets Management
Risk Type: Operational
Risk Category: Information Security, Audit and Monitoring
Impact Rating: 4.8
Likelihood Rating: 2.5
Management Activities and Controls:
1. Implementation and revision of robust AAA processes and procedures to protect customer data
2. Formation of a separate monitoring sub-unit to produce regular reports on control efficiency and effectiveness as well as to track, report and fix vulnerabilities
3. Strengthen the requirements to validate exceptions and assess petitions case by case in order to supervise the correct management of this resource
Suggested Owners: Chief Cybersecurity Officer, Audit Committee
Metrics: Half-yearly AAA processes and procedures revision report; Formation of the security monitoring sub-unit and derived performance metrics; Number of approved exceptions; Number of petitions to perform exceptions


Risk Title: Non-compliance with government regulation
Risk Description: Failure to enforce compliance with government regulation while performing daily processes and procedures
Associated Business Objectives: Operational Compliance, Business Continuity, Information Assurance and Critical Assets Protection
Risk Type: Legal/Compliance
Risk Category: Regulatory and Legal, Information Assurance, Policy and Compliance
Impact Rating: 4.7
Likelihood Rating: 2.0
Management Activities and Controls:
1. Evaluating the complementarity between business objectives and risk/security organizational policies, and establishing monitoring mechanisms to keep them aligned
2. Elaborate yearly reports based on employee consultation regarding the flow of security policies and how they influence daily tasks
3. Keep track of the performance of security organizational policies and implement mechanisms to integrate them into the main business processes
Suggested Owners: Policy and Compliance Department, Chief Risk Officer, Chief Cybersecurity Officer
Metrics: Yearly security operations report; Business Objectives and Security Assessment; Security policies' performance monitoring; Increase in time consumed to comply with security procedures

The most impactful risks were selected in spite of their low probability. As proven by the 2014 data breach, it is of the utmost importance to be prepared for this sort of event, which is related not only to daily tasks but rather to unexpected crises. For further information about the impact and probability metrics, refer to Annex 2.


Incident Response and Recovery

Incident management and recovery is a critical part of business continuity planning. In order to effectively respond to the data breach at hand, we assume/propose the following key steps to combat it:

● Perform disaster recovery and root cause analysis
● Segregate internal networks into separate segments to prevent further intrusion
● Restrict access to critical assets by applying least-privilege controls
● Quarantine the system that was breached
● Communicate internally to create awareness
● Implement proper training for cyber security personnel

Communication and Monitoring

As suggested by the ISO 31000 framework, the former analysis must be continuously accompanied by a robust communication and monitoring strategy that evaluates the process and increases awareness among the stakeholders. The previous risk assessment based on the 2014 data breach shows that it is of significant importance to strengthen monitoring activities and enhance the training of key employees in order to increase the security of the organization's informational assets. These two actions will also play an important role in engaging lead managers to invest efforts and resources in further protecting the information of the institution.

However, internal communication should not be the only concern. Considering that the 2014 data breach was covered by diverse media channels, the reputation of the bank was damaged, and it is now important to reinforce the perception that strong security actions have been implemented to protect the information held by the organization. It is expected that by enhancing the security-oriented image of the bank, there will be less government intervention and trust will increase among both corporate and individual customers.


The main components of the communication plan should be:

Objective: Increase customers’ demand for the organization’s services
Audience: Customers
Strategy: Increase trust in the organization’s safety standards and promote JPMorgan Chase & Co. as a security champion institution
Evaluation criteria: Number of corporate customers; number of individual customers; customers’ security perception

Objective: Educate employees to effectively follow security-related policies and procedures
Audience: Employees
Strategy: Promote greater security awareness among employees through communication campaigns and training that show them the impact of information security on their daily lives
Evaluation criteria: Reported incidents caused by unintended employee actions; average time increase in procedures due to non-compliance with procedures and human error

Objective: Engage lead managers in the information security process
Audience: Lead managers
Strategy: Offer lead managers clear and regular reporting mechanisms in order to increase awareness and increase the resources and effort they devote to securing informational assets
Evaluation criteria: Total expenditure on information security by department; number of hired employees dedicated to information assurance; yearly survey of information security practices

Objective: Gain the authorities’ goodwill and support by sharing the company’s achievements in protecting its informational assets
Audience: Official authorities
Strategy: Inform key government stakeholders about the success of the bank’s information security measures
Evaluation criteria: Number of key government stakeholders addressed; collaborative workshops, events and initiatives organized

The communication plan will address different stakeholders using diverse methods. While government institutions will be invited to learn more about information security achievements, customers will only be told about the bank’s leading position as a safe institution. It must be taken into consideration that the tone of the campaign must show that resources are being allocated to protect information; however, it should not show excessive confidence that may invite outsiders to attempt a breach of the institution’s data assets as a challenge. Employees and risk managers will both receive awareness campaigns and training, and the only differentiation will be in the sort of sensitive information that each of them may receive.

In general terms, the plan will be launched with the support of an initial campaign that shares the message: “JPMorgan Chase & Co. cares about data security and has learned from previous lessons. For this reason the company is now preparing to become a leader in mechanisms and procedures for enhancing information assurance. Information stored in the bank’s servers will now be more secure than ever before.” In order to fully live up to this message, success stories and good practices will be shared among the stakeholders, thus promoting general awareness about the relevance of the field.

Besides the communication strategy, it will be of utmost importance to continue implementing the continuous monitoring initiatives defined by the risk management and security teams. Both of these activities should closely watch over the entire risk management process in order to allow JPMorgan Chase & Co. to be sure of the efficiency of its policies and to enhance the impact among the most relevant stakeholders.

Strategic Recommendations

Considering the expected increase of cybersecurity spending to $500 million in 2016, JPMorgan Chase is preparing to address further information security challenges. Planning how the money can be appropriately distributed across the most important security challenges is another issue. In the context of the aforementioned analysis, there are three clusters of strategic improvements that can serve as the basis for recommendations that JPMorgan Chase can move forward with: improvements to controls and procedures for technology adaptation, communication strategies for external groups, and alignment between corporate and government policies for effective risk compliance.

Throughout our analysis, evidence suggests that technology adaptation is relatively slow throughout JPMorgan Chase’s business operations. Three key risk drivers affecting this process could be forced haste in proposing and implementing IT projects while leaving out crucial monitoring functions, ineffective change management for the organization on new technologies, and reliance on external consultancy without sustained internal experts. Based on these drivers, there are three top recommendations for JPMorgan Chase to consider when improving streamlined technology adaptation with effective controls and procedures:

1. Increase monitoring and detection of unauthorized access in information systems holding sensitive data.

2. Provide consistent IT training sessions on technology use throughout JPMorgan Chase internally and with third-party providers on risk areas such as policies and compliance.

3. Promote internal information management by developing and enhancing in-house experts’ proficiency with processing data and information systems.


In addition to ineffective technology adaptation, communication strategies with external groups throughout JPMorgan Chase’s business operations may have affected the company’s response to data breaches. Three key risk drivers affecting this process could be isolating senior leadership from external affairs, having inadequate processing and response measures for external groups, and leaving loopholes in external access to information. Based on these drivers, the top three recommendations to improve communication strategies with external groups are:

1. Encourage the inclusion of senior security leadership in the organization’s discussions of security issues with external groups.

2. Promote better transparency towards external groups about JPMorgan Chase’s data and information usage.

3. Re-evaluate and develop the policies enforced against unauthorized access to data, and bolster the robustness of case-by-case evaluations.

Finally, evidence also suggests that JPMorgan Chase’s corporate policies for risk assessment and compliance may not have been fully aligned with government policies to protect stakeholder and customer data. Three key risk drivers affecting this process could be constraints on the time and money available to handle auditing internally, insufficient performance management for organizational policies, and organizational policies that hinder day-to-day operations for individual branches. Based on these drivers, the top three recommendations to target these risk drivers could be:

1. Establish a comprehensive and inclusive internal auditing program through the auditing and legal teams at individual company branches.

2. Establish a program encouraging cyclical compliance with, and feedback on, organizational policies and their changes.

3. Re-evaluate policies on balancing data and information access against security for employees such as associates and managers.


Annex # 1

Main survey questions:

1. What controls were in place before the breach, and what controls are currently in place at JPMorgan Chase?

2. How often are your webpages and systems monitored in order to be sure that no security breaches are taking place? Which mechanisms do you use for this?

3. Which are the most valuable assets that you would deem necessary to protect from information security breaches?

4. According to publicly available information, the breach happened because of the lack of a second authentication step on one of the servers. How are the rest of the servers protected? Has anything been done yet to address this vulnerability? How is relevant user data protected?

5. Are there any other potential vulnerabilities you would like to point out before we start our external assessment?

6. Has there been any history of non-adherence to any information security related compliance requirements (such as PCI)?


Annex # 2


Annex # 3

1. Impact Rating Criteria


2. Likelihood/Probability Rating Criteria


References

JPMorgan Chase & Co. (2015, March). Risk Policy Committee. Retrieved from: https://www.jpmorganchase.com/corporate/About-JPMC/ab-risk-committee.htm

Kurane, S., & Wills, K. (2014, December 22). JPMorgan data breach entry point identified: NYT. Retrieved from Reuters: http://www.reuters.com/article/us-jpmorgan-cybersecurity-idUSKBN0K105R20141223

Morgan, Steven C. (2015). Cybersecurity for Banks Report. Retrieved from Cybersecurity Ventures: http://cybersecurityventures.com/cybersecurity-for-banks-report-q3-2015/

Three charged for largest-ever bank data breach. (2015, November 10). Retrieved from CBS News: http://www.cbsnews.com/news/three-charged-for-jpmorgan-data-breach-the-largest-ever/

Perlroth, M. G. (2014, October 31). Luck Played Role in Discovery of Data Breach at JPMorgan Affecting Millions. Retrieved from DealBook: http://dealbook.nytimes.com/2014/10/31/discovery-of-jpmorgan-cyberattack-aided-by-company-that-runs-race-website-for-bank/?_r=0

Ponemon Institute. (2015, May 17). Ponemon Institute’s 2015 Global Cost of Data Breach Study Reveals Average Cost of Data Breach Reaches Record Levels. Retrieved from IBM: https://www-03.ibm.com/press/us/en/pressrelease/47022.wss

Goldstein, M. (2015, July). Arrested in schemes said to be tied to JPMorgan Chase Breach. Retrieved from CNBC: http://www.cnbc.com/2015/07/22/4-arrested-in-schemes-said-to-be-tied-to-jpmorgan-chase-breach.html

Ro, S. (2014, October). JPMorgan Reveals Gigantic Data Breach Possibly Affecting 76 Million Households. Retrieved from Business Insider: http://www.businessinsider.com/jp-morgan-data-breach-2014-10

Robertson, J., & Riley, M. (2015, June 30). JPMorgan Reassigns Security Team Leader a Year After Data Breach. Retrieved from Bloomberg Business: http://www.bloomberg.com/news/articles/2015-06-30/jpmorgan-reassigns-security-team-leader-a-year-after-data-breach

Airmic, Alarm, & IRM. A Structured Approach to Enterprise Risk Management and the Requirements of ISO 31000. Retrieved from: https://www.theirm.org/media/886062/ISO3100_doc.pdf