Rebuilding confidence in financial services through robust cyber security strategies
By Tim Elliott and Yemi Saka

To reignite growth and rebuild customer trust, many financial services institutions are putting a greater emphasis on digital channels such as mobile banking. Success with these channels requires not just a user-friendly interface but also airtight security that customers can depend on.

With many transactions now conducted over the Internet, and many automated tools available to hackers, financial services companies are more vulnerable to cyber intruders. Given the recent conditions of the financial markets and the tarnished reputation of the financial services industry generally, security threats have become an executive management issue, not just a technical problem, as they affect operational continuity and can undermine the confidence of customers and business partners.

This paper offers six steps to guide financial services executives in mounting a proactive, high-performance approach to cyber security.

A complex equation

What portion of your customer base already interacts with your business online, and how fast are those segments growing?
What new delivery channels are you considering for your financial services products?
How will regulatory activity, acquisitions, or divestitures affect your security strategy?
How many of your teams are using a cloud-based application to share documents with a customer or vendor?
Which of your software developers has recently used his credit card to provision a server on a cloud service?
Are you certain of your ability to recover when a key data center suffers a cyber attack?
Do you know which of your employees have run up a crushing load of debt or have another reason to turn rogue in your environment?

Banks, credit card companies, insurance firms, and other financial services institutions have invested heavily in information technology over the past decade to improve competitiveness and productivity. Most of these organizations have become highly dependent on the Internet for conducting transactions with their customers. The use of Internet services among customers and employees has become more pervasive through a myriad of wired and wireless devices used in the office, at home, in cars and cafes – often bypassing the standard corporate security controls and policy when connected to unsecure environments. Users are also requiring financial business applications to work seamlessly across multiple environments and devices including smart phones, tablet computers, and kiosks.

Customers want multiple access points and connectivity between them. In banking, for instance, customers show no desire to give up using branches, but at the same time they show increased usage of direct channels; the growth in use of mobile banking applications barely lags behind that of smart phone usage. In emerging economies, mobile banking has even leapfrogged traditional banking channels.

Tremendous benefits can accrue from open, distributed computing systems and the rich services offered by Google, Amazon, and others. And digital channels offer potentially greater personalization at radically lower cost – as long as customers trust the system’s security. Accenture’s 2009 Global Consumer Behavior Study asked customers to identify the dominant factors in their relationships with businesses. The top two factors cited were “easy to do business with” and “trustworthy”.1 That’s the security challenge in a nutshell.

Unfortunately, the Internet has limitations on the level of security that it can provide when sharing information, and thus may become an easy target for malevolent use. Open systems, interfaces, and commonly used document formats can propagate vulnerabilities if appropriate security controls are not applied and enforced. Many IT solutions are built and released without the robust functionality now required for enterprise-wide data protection and privacy, particularly when projects focus on delivery speed rather than security.

Additional risks extend from incubating technologies, from the marriage of interoperable technologies that support cloud-based services, and from the new frontier of social media platforms (see sidebar, “Porous perimeters of social networking websites.”)

Porous perimeters of social networking websites

Figure 1. Much of the growing traffic of online social networking
[Figure residue: left panel, “2009 Visitor Trend to Facebook.com, MySpace Sites, Twitter.com”, total unique visitors (000) from Dec 08 to Dec 09; right panel, “Percent composition of visitors to Facebook.com by demographic segment” (Persons: 24 & under, 25-34, 35-49, 50+) for Dec 08 and Dec 09. Source: comScore Media Metrix (U.S.)]

Consider both the astonishing spread and the particular challenges of social networking sites. Nearly four out of five Internet users visited such a site in December 2009, and the activity now accounts for 11 percent of all time spent online in the United States, making it one of the most engaging activities across the Internet, according to comScore.2

Since the premise of social networking sites is to more easily and efficiently share personal information, site users tend to lower their guard. These sites thus become attractive locations for illegal data mining and malware insertion. One , , has targeted Microsoft Windows users of Facebook, MySpace, Friendster, Twitter, and similar sites to gather sensitive information such as credit card numbers. Although social networking companies have become more conscious of these threats, staying ahead of new attacks is a major challenge.

In another recent case, a hacker named Kirllos has been selling Facebook user names and passwords. Researchers at VeriSign estimate Kirllos has sold almost 700,000 of the 1.5 million accounts he or she is offering. The asking price: $25 to $45 per 1,000 accounts, depending on the number of contacts each user has.3

Other forms of tap users’ “100 things about me” postings to mine data that is typically used to answer password-reset questions such as “What was your first pet’s name?”

Once the security of an employee’s laptop is breached through a social networking site, the company’s systems and infrastructure become susceptible to cyber attacks. Yet blocking access to sites may not fully address the problem. For one thing, employees can often access the sites through their own smart phones – on which they may also check their corporate email. Moreover, many companies are themselves engaged in marketing and customer contact activities through these sites.

Another concern for financial institutions is how easily this type of information could be used to steal identities of employees and customers. Once an employee identity is compromised, intruders can take control of the employee’s computer and slip inside the network, as occurred last year at one major financial firm.4

The most effective solution for the near term will consist of several elements: employee and customer education about safe online behavior; security controls such as Policy Enforcement Agents or Network Access Controls on the end user’s device; and monitoring techniques that give an early alert on legitimate breaches versus mounds of false positives hiding these attacks.

Many of these applications deliver business benefits relatively quickly, but they often fall short of standard IT security policies and procedures. Even networked photocopiers or fax machines have their own Internet Protocol addresses that tend not to be secured in the same way as a computer desktop, giving cyber attackers a path into the company. So the attack surface has gotten much broader, from many more sources at home and abroad.

With greater dependence on web-based applications comes a far more serious consequence of infrastructure compromises and disrupted operations through data breaches, data loss, and non-compliance with government regulations or important industry standards – along with the potential erosion of customer confidence.

In the United States alone, more than 346 million records containing sensitive personal information have been involved in security breaches since January 2005.5 Such breaches can have serious implications for the enterprises involved, resulting in fines, increased costs for remediation, or temporary stock price drops. The threat is particularly acute for financial services firms, given that the storage and exchange of money forms the core of the business. A few heart-stopping data points:

• A May 2009 survey by Actimize found that 81 percent of financial services organizations expect an increase over the next year in ATM/debit card fraud.6

• Computer hackers stole more sensitive records in 2009 than in the previous four years combined, with ATM cards and PIN information growing in popularity, a Verizon study found. Organized criminal groups orchestrated nine in ten of the most successful attacks, with 93 percent of the records exposed coming from the financial sector.7

• and Clampi, which steal online account credentials with a focus on bank accounts, have gained in size and strength in recent months. Cheap ($700) and easy-to-use toolkits that hackers can purchase to control botnets are widely available online.8

Customer information of all kinds is also at risk as online shopping and point-of-sale capture have become widespread, forcing various industries to adjust as a result. Every merchant that accepts credit card payments has already experienced the considerable cost and expense to strengthen protection against identity theft and the resulting financial losses.

The industrialization of cyber crime

Make no mistake; the adversaries have become smarter, better organized, and more persistent. Earlier this year, a crew of hackers was sentenced to prison for breaking into systems belonging to Heartland Payment Systems, a processor of credit card transactions. The crew sold millions of credit card numbers to Russian criminals and used some of the data to make unauthorized ATM withdrawals. Cyber criminals are also now targeting hotels to steal credit-card data from guests. The common weakness at hotels is the security surrounding point-of-sale software, which hotels use to process credit-card transactions.9

The proliferation of attacks and threats has pushed cyber risk management from primarily a technical problem to a high priority business problem meriting attention at the highest levels of the financial services organization. The increased breadth and depth of government regulation is forcing enterprises to invest more, to remediate legacy weaknesses, and to prepare for the minefields ahead.

Figure 2. Top 10 largest reported data breaches

Organization | Estimated number of people or accounts affected | Financial impact
Zurich Insurance | 46,000 customer records | $3.6 million fine
Heartland Payment Systems | 100 million transactions, 175,000 merchants | $41 million settlement
TJX Companies | 45 million customer records | $20 million in investigative costs
U.S. Dept. of Veterans Affairs | 76 million veterans’ medical records | Not available
Card Systems (2005) | 40 million credit card accounts | Not available
U.S. Dept. of Veterans Affairs | 17.5 million veterans | Laptop recovered, no financial impact
BoNY/Mellon | 12.5 million | Not available
Certegy Check Services | 8.5 million | $975,000 settlement
TD Ameritrade | 6.3 million | Not available
CheckFree | Up to 5 million | Not available
Hannaford Bros. | 4.2 million | Not available

Source: Privacy Rights Clearinghouse, reported at www.abcnews.com, June 14, 2010; Zurich fine: http://www.silicon.com/technology/security/2010/08/25/zurich-insurance-fined-2m-over-data-breach-39746267/

Core cyber principles for an uncertain world

As senior executives weigh their next moves in cyber security, we advocate a proactive approach: Anticipate what new threats may challenge the enterprise and which security elements can help to improve performance; then weave the right security features into the enterprise’s infrastructure and digital assets.

Getting ahead of the threats is not easy, to be sure. The measures taken in most financial services enterprises have been largely reactive, designed to defend against a repeat occurrence of an attack that has already occurred. Reactive capabilities are still useful, to reduce response times to and reporting of incidents, but a reactive mode is not sufficient. Few enterprises have sufficiently implemented the controls necessary to protect themselves.

Effective cyber security should be incorporated into processes throughout an enterprise, not just on the perimeter. As financial services firms build, acquire, or source the right combination of capabilities, the experiences of leading cyber security professionals offer up a set of six principles that have proven quite effective in guiding the development of a comprehensive cyber security strategy.

The key principles of cyber security
1. Identify and secure the IT assets themselves, not just the perimeter.
2. Build a hard-nosed “culture of security.”
3. Pay closer attention to application security.
4. Check and double-check user identity.
5. Get smart about mobile device security.
6. Develop acute situational awareness.

The Key Principles of Cyber Security

1. Identify and secure the IT assets themselves, not just the perimeter.

Because of the complexity of their business model, many financial services firms don’t know the channels through which all of their information assets are accessed or where they’re specifically located (in vendor applications, mobile devices, partner networks, or elsewhere). Effective cyber security starts by knowing what data and technology are essential to serving one’s customers, ensuring the information is protected, and making sure business continuity programs are clearly established. There should be a detailed plan to protect these assets and capabilities from being compromised, including a robust test of the plan to make sure that it’s viable.

While organizations typically focus on securing the IT perimeter, that’s no longer sufficient. It’s more effective to secure the data or asset itself, wherever it travels and wherever it lives. Financial services firms should embed cyber resilience and defensive capabilities throughout the organization, not just individual components.

This is not always a straightforward task, as it requires navigating a maze of regulatory, compliance, privacy, and business demands. Current and pending compliance frameworks differ by country, by industry, and by activity within a company. An organization must be agile enough to keep pace with changes in demand and in the nature of cyber threats. Most initiatives thus will benefit from an end-to-end approach, from problem analysis to monitoring the controls that follow implementation of the solution.

2. Build a hard-nosed “culture of security.”

Financial services firms do not always clearly define cyber security governance structures, including specific oversight responsibilities. They may also find that the management responsibility and accountability can be dispersed and fragmented, with the Chief Information Officer, Chief Security Officer, Chief Privacy Officer, or the legal function all having some involvement. For instance, the CIO could be responsible for maintaining IT and data security, the CPO for setting policies and procedures, and the general counsel for ensuring the organization is complying with regulations. As a result, it’s not clear where the buck stops on information security. That’s one reason for the big gaps in IT security policies among financial services institutions. As

Figure 3. Large holes in IT security policies
CIOs’ response to “What portion of your organization do you believe is following your security policy related to:”

Policy area | Financial Services | Overall
Disabling security software (anti-virus) | 85% | 76%
Accessing sensitive data with non-approved computer equipment | 65% | 56%
Using , text messaging, personal email | 60% | 38%
Downloading non-approved third party business apps | 55% | 35%
Using external social network sites | 43% | 36%
Using encryption for sensitive data | 36% | 24%
Using personal mobile devices | 36% | 30%
Reporting suspected breaches | 40% | 30%
Requesting exceptions | 36% | 35%
Employees’ responsibility for protecting sensitive data | 40% | 27%
Data classification and protection | 39% | 21%

Source: Survey of 226 CIOs, part of Accenture’s “High Performance in IT Research, 2010”

shown in Figure 3, CIOs in financial services estimate that only about 40-60 percent of their workforce is following most policies, according to the new Accenture High Performance in IT Research, 2010.

By contrast, organizations that exhibit a culture of security do make responsibilities and accountabilities explicit. They go beyond the leadership levels and focus on employee awareness and accountability. Looking at examples from other industries, Sun Microsystems, General Electric, and Intel all have formally extended the remit of their privacy officer’s role to information governance and/or data security to ensure a holistic approach to information management and protection.

Some financial services organizations, such as Bank of America, have hired cyber security “czars” who have specific responsibility for cyber security strategy.10 These executives lead such activities as the coordination of industry-wide exercises like the Cyber Attack against Payment Processes Exercise conducted recently by the Financial Services Information Sharing and Analysis Center.

Such organizations tend to view themselves as stewards, not owners, of personal data and take actions to protect data entrusted to them. Accenture’s recent survey of business executives in 19 countries confirms that organizations with clear responsibilities and strong policies are less likely to experience security breaches, as shown in Figure 4.

The first step to building this culture is to put in place an IT governance program that integrates the people, processes, and technology needed to manage data effectively and efficiently. Effective governance programs typically start by defining roles and responsibilities for data owners and stewards. In some cases, it may make sense to establish a privacy and protection council, composed of stakeholders from across the business, which is responsible for overseeing how sensitive data is managed and used, as well as for continuous improvements of the organization’s security posture.

Any data protection framework should address protection in a unified manner and avoid addressing regulatory compliance in separate silos of country, business process, or type of data. Organizations should create a common set of data privacy and protection standards that can be applied consistently from country to country to minimize complexity, cost of compliance, and chances for breaches while at the same time enabling responsible data sharing and global data flows.

Figure 4. Data protection policies matter (percent of business executives responding)

Practice | Two or more breaches | No breaches
Ensure data collected and used is accurate, not false or misleading (Accuracy) | 51 | 59
Limit data collection to only that which is needed to fulfill legitimate business needs (Minimalization) | 43 | 53
Give consumers or customers the ability to view and edit information collected about them (Access) | 48 | 55
Have a policy about their privacy practices (Disclosure) | 49 | 56
Regularly monitor privacy and data protection regulatory-compliance requirements | 59 | 71
Know where personal information on customers and employees resides within the organization's IT enterprise | 66 | 75

Source: Accenture survey, 2009

3. Pay closer attention to applications.

Many serious breaches result from application-level weaknesses. Most applications were not engineered with security in mind, because developers assumed they would sit behind a secure perimeter. As that assumption is no longer valid, legacy applications will eventually have to be reengineered, and new applications need to be developed under a new security paradigm.

Nor is protecting the perimeter around applications enough of a defense, because firewalls or anti-virus solutions may not be comprehensive enough. Most financial institutions should extend security to the device level as well as to the application layer.

Trusted applications development and delivery thus is a critical component of a cyber security initiative. Financial services firms need to be able to measure an application’s resistance to attack and its ability to process and handle sensitive information regardless of who builds or maintains it. The system should undergo stringent testing to help confirm that mission-critical applications can be run with reduced risk.

There are two key issues here. First, designing consistently defined security services into applications as part of the system development lifecycle is a significant evolutionary step for an organization. The second, to test and remediate the existing applications to the same standard – whether they were built in house or purchased and installed or deployed at a vendor location – is another critical step in ensuring secure applications and the data they contain.

4. Check and double-check user identity.

Identity management has become a top security priority with the convergence of several trends: sharp increases in identity theft; risks associated with having an extended enterprise of customers, suppliers, and contractors with access to enterprise applications; and greater use of mobile devices that adds another interface to secure.

For many digital systems, the traditional paradigm of identity authentication is based on knowing phrases or numbers that once were considered secret or at least protected – such as one’s Social Security number or mother’s maiden name. Now much of that information may be commonly available or at least discoverable, undermining the premise of conventional authentication.

Mastering the ability to determine whether customers, suppliers or employees are who they claim to be when they access enterprise systems and facilities is crucial to enterprise performance. Yet with IT budgets under increased scrutiny, many CIOs are


charged with reducing risks and threats while also improving the administrative and cost efficiency of managing user identities and access to information.

Effective identity and access management programs should create value by embedding pervasive security without sacrificing functionality and ease of use. Aspects such as single sign-on, immediate access revocation when needed, self-service functionality, and real-time analysis to support audits are key components that will both support the business needs while also managing risk appropriately. Open-source protocols such as OpenID, which allow users to log on to different services with the same digital identity, are starting to catch on as a means of creating strong authentication combined with ease of use.

Financial services firms can take advantage of improving price-performance characteristics of other authentication technologies, such as biometrics (fingerprint or retinal scans) and smart cards, to speed the time to value and increase the return on investment of identity management initiatives. These trends are putting cutting-edge solutions in reach, even for organizations operating under fiscal constraints. Non-biometric, two-factor authentication is also useful for managing access and is more appropriate for some environments.

By combining stronger identity management methods with biometric technologies, companies can redefine how they do business. Larger retailers are already using “pay by touch” systems to verify the identity of customers who cash checks for payment of items. This helps simplify the check authorization process and reduce fraud.

5. Get smart about mobile device security.

Overall, mobile banking is expected to reach 400 million people in the next three years.11 It has already become commonplace in Japan, many parts of Europe, and in some developing countries that leapfrogged older communications technologies to support their nascent micropayment systems. Whether through SMS-based payments, direct mobile billing, mobile web payments, or stored value cards, the technologies are starting to take hold in the United States as well. Other financial institutions are looking to mobile devices and are proliferating applications to take advantage of this channel. For example, JPMorgan Chase & Co. is offering a mobile remote capture application that customers can use to electronically deposit checks with their phones. USAA Federal Savings Bank, which serves members of the military and their families, introduced a similar service last year.12

Many of the underlying technologies are similar to standard Internet banking. But for U.S. financial services institutions, several considerations come into play. First, there are new devices and new operating systems to consider – iPhone, Android, Windows mobile, BlackBerry, and others. Each of these has its own way of addressing security, which has implications for the development teams that need to compensate for security flaws across multiple services.

A related consideration is that mobile devices are easily lost or stolen. Most come with removable media such as a SIM card that may store a huge amount of personal data including account numbers and passwords, and can be breached relatively easily by a talented hacker. While consumers will turn first to their wireless telecommunications carriers for help with a stolen device, banks and other financial services firms cannot afford to sit on the sidelines.

A third issue is that many U.S. consumers have not yet grown accustomed to mobile financial services. Despite the spread of online banking and shopping through personal computers, consumers may not completely trust in the security of mobile payments when it’s introduced. Unless consumers believe the system is safe and their personal data is secure, banks may face resistance to adoption of the new technology, or at least less cooperation by consumers in exploiting its potential.

Financial institutions should be preparing now for a sustained effort in consumer education and communications about mobile device security – good password protocol, how to erase data remotely if a device is stolen, and so on. The situation is similar to what banks had to do when they first introduced ATMs and more broadly when the Internet took hold. It may make sense to coordinate with telecom carriers in this regard, but banks should not wait for the telecom industry to take the lead.

6. Develop acute situational awareness.

Keeping ahead of risks means, first of all, understanding exactly which key risks the organization is facing – across the whole risk landscape, including employees and the business partner network, not just compliance status. Be aware of a risk’s potential impact on the organization’s overall performance, have a clear view of which risks might emerge, and have appropriate measurements in place to manage or mitigate these risks.

Addressing security in the business network is a sensitive and complicated challenge because of all the players involved, but requires the same diligence as dealing with the internal organization. Organizations should collaborate with business partners that take equal or greater care with data, and rigorously assess

Figure 5. A situational awareness capability map
[Figure residue: capability boxes shown include Governance, Risk and Compliance; Security Operation Center; Cyber Situational Awareness; Security Information and Event Management; Incident Management; Threat Analysis; Malware Analysis; Data Forensics; Vulnerability Scan; Penetration Analysis; Attack Simulation / Cyber Range; Surveillance; Community Intelligence; Identity/Access Management; Policy and Compliance Management; Network Profiling; Data Logging and Data Searching.]

partners’ knowledge, practices, and experience in managing sensitive data across organizational and national boundaries in accordance with local privacy laws and industry regulations.

Hackers and malicious entities search for vulnerabilities. For example, the day a merger of two financial institutions is announced, a wave of phishing emails typically goes out to the merging banks’ customers. The goal is to use this trigger event to gather personal information from one institution in the name of the acquirer, and thereby gain access to accounts. Another tactic is to exploit misaligned or lax processes and protocols between, say, a retail call center and the web channel for another line of business. After all, customer service agents want to help a caller and are paid to get them off the phone quickly, so they may be prone to giving valuable information away to a cyber attacker.

Banks and other financial services institutions therefore need to get more serious about monitoring suspect activity. It does no good to run a Security Information and Event Management (SIEM) system that generates 60,000 log line items every day if the log file is ignored and dumped at the end of the day. Security will fall short if a bank emphasizes cross-selling yet cannot correlate SIEM data across various lines of business. Moreover, if financial services organizations only react to suspicious activity, a recorded incident, onset of an attack, or a malware outbreak, it may be too late. They must also actively gather cyber intelligence and watch downstream activities in order to:

• Recognize back doors and vulnerabilities unseen by point compliance and checklist efforts
• Recognize complex and chained patterns that indicate the initiation of an attack
• Expand the scope of vulnerability assessment or penetration tests
• Harness external sources of threat intelligence to understand and train for zero-day exploits
• Detect reconnaissance activity by a terminated employee or a hacker forum

Application vulnerability scanner results, rules, SIEM reports, chatter on blogs and forums as well as software vulnerabilities are readily available sources of threat intelligence. Layering and fusing these multiple sources of information helps to form an operating picture where the sum is greater than its parts (Figure 5).
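The paper argues that SIEM data is only useful when it is correlated across lines of business and fused with other sources. The following is an added example, not code from the paper or from Accenture, that does this on a small scale: it joins a constructed HR termination feed with constructed authentication log lines from two channels and raises two of the alerts listed above, a login by a terminated account and a chained pattern of repeated failures followed by a success from an address the account has never used. The log format, user names, addresses and thresholds are all assumptions.

```python
"""Added example (not from the paper): fusing an HR termination feed with
authentication logs from two lines of business to surface (a) activity by a
terminated employee and (b) a chained pattern that signals the start of an
attack. All data, names, addresses and the log format are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR feed: user id -> time the account should have been disabled.
TERMINATIONS = {
    "jdoe": datetime(2010, 6, 14, 17, 0),
}

# Constructed auth log lines from two channels (retail web, call center).
# Assumed format: "<date> <time> <channel> user=<id> src=<ip> result=<ok|fail>"
AUTH_LOG = """\
2010-06-14 16:45:00 retail-web user=jdoe src=10.1.1.5 result=ok
2010-06-15 02:10:00 callcenter user=jdoe src=203.0.113.9 result=ok
2010-06-15 03:00:00 retail-web user=asmith src=198.51.100.7 result=fail
2010-06-15 03:00:20 retail-web user=asmith src=198.51.100.7 result=fail
2010-06-15 03:00:40 callcenter user=asmith src=198.51.100.7 result=fail
2010-06-15 03:01:05 retail-web user=asmith src=198.51.100.7 result=ok
2010-06-15 09:00:00 retail-web user=asmith src=10.1.2.8 result=ok
2010-06-15 09:30:00 retail-web user=bwong src=10.1.3.3 result=fail
2010-06-15 09:31:00 retail-web user=bwong src=10.1.3.3 result=ok
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[3:])
        return {"ts": ts, "channel": parts[2], "user": fields["user"],
                "src": fields["src"], "result": fields["result"]}
    except (ValueError, KeyError):
        return None


def correlate(log_text, terminations, fail_threshold=3, window=timedelta(minutes=5)):
    """Return a list of (alert_type, user, detail) tuples.

    terminated_login: a successful login after the account's HR termination time.
    chained_pattern : at least fail_threshold failures within `window`, counted
                      across all channels, followed by a success from an address
                      the account has not previously succeeded from.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])          # fuse channels into one timeline
    alerts = []
    recent_fails = defaultdict(list)             # user -> timestamps of failures
    known_good = defaultdict(set)                # user -> addresses seen succeeding
    for e in events:
        user = e["user"]
        if e["result"] == "fail":
            keep = [t for t in recent_fails[user] if e["ts"] - t <= window]
            recent_fails[user] = keep + [e["ts"]]
            continue
        # Successful login: check it against the HR feed first.
        term_at = terminations.get(user)
        if term_at is not None and e["ts"] > term_at:
            alerts.append(("terminated_login", user,
                           f"{e['channel']} from {e['src']} at {e['ts']:%Y-%m-%d %H:%M}"))
        # Then check for the failure burst -> success-from-new-address chain.
        fails = [t for t in recent_fails[user] if e["ts"] - t <= window]
        if len(fails) >= fail_threshold and e["src"] not in known_good[user]:
            alerts.append(("chained_pattern", user,
                           f"{len(fails)} failures then success from new address {e['src']}"))
        recent_fails[user] = []
        known_good[user].add(e["src"])
    return alerts


if __name__ == "__main__":
    for kind, user, detail in correlate(AUTH_LOG, TERMINATIONS):
        print(f"{kind:17} {user:8} {detail}")
```

Run as-is it reports jdoe's post-termination call-center login and asmith's burst of failures followed by a success from a new address, while bwong's single failure and asmith's later office login produce nothing.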

Figure 6. Internal issues are frequent causes of security breaches (percent of business executives responding)

Cause | Percent
System or technical glitches | 35
Negligent or incompetent employees | 24
Business-process failures | 22
Cyber crime | 18
Malicious employees | 13
Negligent or incompetent temporary employees or contractors | 11

Source: Accenture survey, 2009

Staying current with evolving threats will entail keeping staff educated and trained in cyber security. In a recent Accenture survey of business leaders and individuals, internal issues – employees (48 percent) and business or system failure (57 percent) – were cited most often as the source of the breaches (Figure 6).

Beyond negligent employee behavior, insider fraud plagues financial institutions perhaps more than other industries. The problem could be an angry employee, or one overwhelmed by debt, who sells information about call center protocol to organized criminals. Or it might be a contractor dismissed for poor performance who programs a logic bomb before he leaves.

Pattern analysis tools, similar to customer relationship management tools, can help to flag anomalies in employee behavior as it occurs. Some financial institutions are also trying to be more predictive about insider fraud. They might require periodic urine testing, pull employee credit ratings frequently, or use similar techniques to anticipate which employees might turn rogue. Such activities may be opposed by some executives on grounds that they demonstrate a lack of trust, but most employees will accept these measures if the “trust, but verify” approach is communicated effectively.

Calibrating risk with cost when funds are tight

With each advance in technology that enhances connectivity and communication, the traditional corporate perimeter, with clearly identifiable boundaries, diminishes. In its place, a network with limitless potential is rising—one where financial institutions, their customers, and their partners demand access to information whenever and wherever they need it. Customers and partners will increasingly consider how the custodian of their data is going to protect sensitive information before embarking on a long-term relationship.

As a result, high-performing financial services players will take a more proactive and holistic approach to cyber security. Since attacks can be multipronged—via email, the web, and the network—the ability to view traffic across protocols and networks can improve an organization’s ability to detect and block these attacks.

Cost and risk are the trade-offs in any security agenda. Some elements of a cyber security solution can be expensive, with the ROI difficult to quantify. It’s not fun and it rarely adds to the bottom line – but the risk of a serious, highly publicized breach is equally hard to quantify and potentially catastrophic. As the pace of technology accelerates, an enterprise will have to calibrate its tolerance for risk in accordance with business requirements.

We also urge more pan-industry collaboration on cyber security issues, through groups such as the Financial Services Roundtable. An attack on one institution should be quickly communicated to others, so that they can better prepare. Even direct competitors can benefit from building a security community, without revealing their secrets.

Financial services leaders must take bold steps to ensure that their security approaches and solutions are agile enough to adapt to rapid technological change today, while forging the right risk management program to support business growth and high performance.

Questions for executives

• Does each manager know what his or her responsibilities are with regard to information security?
• Do we assign ownership of and accountability for information security through a data governance program?
• Have we provided them with the appropriate guidance and training for how to handle sensitive data and create secure passwords?
• Are we proactive about spotting patterns that can signal internal fraud?
• Does our information strategy allow us to identify, track, and control how data flows across all our systems and processes?
• Have we evaluated our privacy and protection technologies to confirm they are providing the necessary level of protection?
• Have we built a consistent level of awareness among employees?
• Are we choosing business partners with care regarding their own security posture?
• Do we have a security strategy for mobile payments and mobile banking?
• Are we coordinating that strategy with the major wireless telecom carriers?

How Accenture can help

We address clients’ information security priorities along the full spectrum of activities from strategy to implementation to operations. We understand the importance of working side by side with clients to build the requisite security capabilities in their own organizations. However, we can also partner with clients over extended periods to run key security processes on an outsourced basis.

The challenges we address

There is a pressing need to transform the security and risk functions and move beyond pure compliance to value creation. We help financial services clients make better decisions and align risk and reward in the pursuit of business advantage on several fronts:

• Enhancing security capabilities and embedding a culture of security and risk management throughout the organization
• Proactively positioning the enterprise for potential stress situations and reacting quickly to fast-moving events
• Increasing cost efficiency despite mounting cyber threats and regulatory burdens such as Sarbanes-Oxley, the Patriot Act, and the Dodd-Frank Act
• Integrating technology solutions for transaction profiling across all types of fraud, including improved money laundering monitoring capabilities

Best-of-breed information security solutions

Accenture offers a full spectrum of security capabilities including these core solutions:

• Identity and Access Management Services
• Application and Infrastructure Security Services
• Information Protection Services
• Security as a managed service


About Accenture

Accenture is a global management consulting, technology services and outsourcing company, with approximately 204,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world’s most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$21.6 billion for the fiscal year ended Aug. 31, 2010. Its home page is www.accenture.com.

Copyright © 2010 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

For more information on using security to achieve high performance in financial institutions please contact:

Tim Elliott
[email protected]
+1 404.680.6333

Yemi Saka
[email protected]
+1 678-657-4735

For more information about delivering high performance IT in an economic downturn please contact Michael Nieves at:

[email protected]
+1-313-887-2636