The Shield Newsletter from U.S. Bank
Transcription
Spring 2016

The Shield
A security newsletter for businesses

In this issue:
• How U.S. Bank collects and safeguards your information
• Combatting destructive malware
• Five tips to help safeguard your organization
• Cybersecurity from an executive perspective

How U.S. Bank collects and safeguards your information

Since the events of September 11, 2001, banks and regulators have focused more closely on limiting the potential for financing terrorist and drug-related activities through the financial system. As a result, banks have increased their efforts to prevent money laundering and terrorist financing and to comply with anti-money laundering (AML) regulations. These efforts are, in turn, a driving factor in determining which information is currently required from customers in order to process their transactions.

In August 2014, the U.S. government issued a Notice of Proposed Rulemaking entitled “Customer Due Diligence Requirements for Financial Institutions.” When final, the rule will require banks to verify the identities of “beneficial owners” of most legal entity customers, including corporations, LLCs, partnerships, unincorporated non-profits and statutory trusts. “Beneficial owner” is defined as “the natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted.” The term also covers any individual with an ultimate ownership stake of 25% or more of the equity interest, and any individual who exercises significant authority to control the legal entity customer’s affairs.

As a result of the enhanced due diligence requirements, U.S. Bank may request the following information and documentation from beneficial owners and authorized signers of new and existing legal entity customers:
• Full legal name
• Date of birth
• Current residential address
• Social Security number, or other government-issued ID number for non-U.S. citizens

U.S. Bank, in some instances, may also request documentary evidence (e.g., a driver’s license) to verify the information provided.

Information collected from beneficial owners or authorized signers is not shared outside of U.S. Bank, its subsidiaries or affiliates. Sharing this data within the bank occurs only for purposes of complying with anti-money laundering laws and regulations, and access to the collected information is limited to users on a need-to-know basis.

U.S. Bank ranked first in the Ponemon Institute 2015 “Privacy Trust Study for Retail Banking” and has ranked first for the past nine years. We have a legal and ethical responsibility to ensure information is secure and accurately maintained. U.S. Bank is committed to protecting the confidentiality, integrity, availability and privacy of our customers’ data. Our reputation rests, in part, upon securely maintaining our customers’ information assets.

Combatting destructive malware

Destructive malware continues to be a real, dynamic threat to businesses nationwide. It can compromise the confidentiality, integrity and availability of data and systems, disrupt business operations and harm brand reputation. Two high-profile cybersecurity incidents at large corporations illustrate these effects. In the first, an entertainment company paid an estimated $8 million in legal settlement fees to employees whose personal data was breached. In the second, a company spent $40 million in recovery costs. Neither figure includes the revenue lost to reputation damage.

At U.S. Bank, we encourage our customers to be aware of the ever-evolving cybersecurity landscape and to evaluate the risk to their businesses. The Financial Services Information Sharing and Analysis Center (FS-ISAC) recently held a working group, with participation from U.S. Bank, to explore the growing risk of destructive malware. Based on its findings, we recommend you incorporate the following best practices into your organization’s risk management strategy to prepare for and combat a destructive malware attack:

Business recovery
Develop, test and update a crisis response and business recovery plan. Designate response and recovery team members, and include more than just the technology team: involve legal counsel, a communications team, corporate management and the board of directors. Plan how your response team will engage with regulators and law enforcement.

Malware detection
Early detection can help prevent long-term damage. Use a combination of risk-, signature- and behavior-based detection techniques, working from network baselines so that deviations from normal traffic stand out. If a destructive malware attack is detected, a quick response is crucial and should include both containment and forensic analysis.

Bare metal rebuild
In the event of a cataclysmic destructive malware attack, consider a bare metal rebuild (BMR) when recovering systems and bringing networks back online. A BMR differs from repairing an existing installation: the server is rebuilt from scratch on wiped hardware from a complete system image, which brings back the settings and configurations captured in that image, eliminates some human error and lifts the administrative burden of manual reinstallation. A BMR can restore from any earlier available backup point, so it can also bring back machines that may have been infected for a long time, provided the restore point chosen predates the infection.

Lessons learned
Once it is safe to reconnect to the network, incorporate any lessons learned immediately at both the technical and policy levels. Share threat indicators with partners, and include as much information as possible.

Limit administrative access
Most users do not need the ability to modify user accounts or install software on computers that IT teams are trying to manage for them. Removing administrative access from standard users can dramatically reduce the impact malware is able to make.

Employee education
Educate personnel on how to spot and avoid phishing and social engineering techniques. Training should be ongoing and include reporting procedures.

Backup solutions
Emphasize backup solutions, particularly offline backups, to facilitate a quick data restoration and maintain integrity.

IBM Trusteer Rapport
Consider installing IBM Trusteer Rapport for financial malware protection, which is made available to all U.S. Bank SinglePoint® clients at no cost. Visit http://www.trusteer.com/landing-page/usbank-business for more information.

If you believe that computers used to process financial transactions have been infected with malware, contact your U.S. Bank representative to secure your accounts.

Five tips to help safeguard your organization

Business Email Compromise (BEC) scams targeting domestic and foreign businesses that regularly perform wire transfers continue to be the number one threat to our customers’ financial assets. The FBI estimates the total loss from this global threat to be in excess of $1.2 billion.* Based on several recent high-profile incidents, that number is sure to increase, emphasizing the need for heightened awareness and vigilance in executing key internal controls.

To help shield your organization from fraud, there are various internal control enhancements and security practices to consider. While no single control or set of controls will offer absolute assurance, we suggest the following five tips:

1. Confirm and verify email requests for fund transfers. Contact the requestor by phone using an independently obtained phone number or one that you already have on file, never a number supplied in the request itself. Pay special scrutiny to transfers requested to new or recently updated accounts. Nearly all BEC scams can be stopped in their tracks if organizations adopt this basic control.

2. Use dual control for money movement activities. This provides two levels of scrutiny and authorization to help stem the risk of illegitimate funds transfers.

3. Use multi-factor authentication for web-based email accounts. Fraudsters are known to use the real accounts of executives, logging in with email credentials pilfered through spear phishing campaigns. Multi-factor authentication adds another layer of control to deter cyber crooks from accessing employee accounts.

4. Communicate quickly when fraud or security events occur. Notify your key banking partners and information security staff immediately. If appropriate, contact law enforcement and file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

5. Create awareness within your organization. Evaluate staff compliance with internal controls by using real-world security awareness testing.

*Source: FBI Public Service Announcement of 8/27/2015, compiling data from October 2013 through August 2015.
Links:
http://www.ic3.gov/default.aspx
http://www.ic3.gov/media/2015/150827-1.aspx

Cybersecurity from an executive perspective

In preparation for the annual Executive Leadership Forum last fall, U.S. Bank administered a survey to determine the primary drivers of business decisions and cybersecurity risk oversight for executives. The survey was sent to forum registrants to provide forum speakers with a basis for their content; nearly 60 percent of the registrants participated. Focused on trending issues, opportunities and disruptions, responses to the survey emphasized the significance of cybersecurity in the current risk landscape and the importance of education on all lines of defense. Key cyber security results from the survey were:

Threats
Cybersecurity attacks on U.S. commercial and government networks, and the cybersecurity vulnerability of U.S. infrastructure and services, ranked highest on the survey.

Chart: Top national security challenges (share of respondents ranking each among the top challenges)
• Cybersecurity attacks on U.S. commercial and government networks: 71%
• Cybersecurity vulnerabilities of U.S. infrastructure and services: 56%
• Domestic terrorism: 42%
• Russia’s activism in Europe: 40%
• Renewed advances of nuclear weapons in countries such as Russia, China, Iran and North Korea: 36%
• Pan-national terrorist organizations: 27%
• Large scale population movements due to political and civil unrest abroad: 22%
• High sovereign debt levels and weak economies in countries such as Greece: 15%
• China’s military ambitions: 11%
• Cross-border movements of weapons (value not recoverable from the transcription)

TOP NATIONAL SECURITY CHALLENGES
Asked to rank a list of top national security challenges, three stand out: cybersecurity and cyberattacks on U.S. government and commercial networks, cybersecurity vulnerabilities of U.S. infrastructure and services, and domestic terrorism. Other national security challenges listed in the survey draw much lower rankings. They generally include issues involving notorious political aggressors and known geo-political issues that are covered almost daily by the media. For example, at a time when Russia is visibly increasing its military presence in the Middle East (Syria) and Europe (Ukraine), and NATO is reviewing its defense strategy in Eastern Europe, Russia’s military activism in Europe ranks only fourth on the list.

Secureness
Chart: Perceived security of systems (Not secure versus Very secure or secure) for Banking & financial systems, Data networks, Internal corporate networks, Natural gas supply lines, Electric power supply and Mobile communications networks (individual percentages not recoverable from the transcription). Banking and financial systems, data networks and internal corporate networks were considered the most secure. Natural gas supply lines, electric power supplies and mobile communication networks were ranked lowest.

INTERNAL UNDERSTANDING OF CYBERTHREATS
Survey respondents rate the board, the C-suite, and company executives as having a strong understanding of the nature of cyberthreats and the actions needed to protect their companies. However, the respondents see considerable gaps in understanding among mid-level managers and front line personnel in this regard. As many as one-third of the respondents say lower-ranking company personnel do not understand, or at least do not understand very well, the nature of cyberthreats and how to head them off.

While cybersecurity is among the top concerns of CEOs and other executives today, the survey’s findings indicate that more training would be in order to educate front line personnel and mid-level managers about the nature of cyberthreats and how to address them.

Awareness
Survey participants perceived that within their companies, top management and those responsible for oversight have a keen understanding of cybersecurity risks. Mid-level managers and front line personnel were perceived as considerably less aware.

Chart: Internal understanding of cyberthreats, by level (The board; C-suite; Executive (VP and above); Mid-level managers; Front line personnel), rated Extremely Well / Well / Somewhat / Not Very Well or Not at All (individual percentages not recoverable from the transcription).

Although the results of the survey are not unexpected, they reinforce the risks of doing business in a highly connected and changing technology environment. The results stress the importance of protecting your organization, employees and customers. Here is how this can be accomplished:
• Estimate current cyber security risks and trends on an ongoing basis and take adequate precautions against them.
• Maintain an employee awareness program on social engineering attack prevention.
• Assess your organization’s current level of awareness at each business layer.
• Implement a social engineering campaign with additional training and/or conduct periodic assessments.
• Evaluate the efficacy of your current detection software and internal controls. Determine whether they are adequate to defend your organization against a cyber attack.

U.S. Bank and SinglePoint are registered trademarks of U.S. Bank National Association. ©2016 U.S. Bank. 7973 MMWR-86414 (04/16)
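The "Malware detection" guidance in the destructive malware section pairs signature matching with behavior-based detection run against a network baseline. The Python below is an added example and not code from the newsletter or from U.S. Bank: it builds a per-host outbound-volume baseline from five days of constructed flow records, flags day-six hosts that exceed that baseline (or that have no baseline at all), and separately matches destinations against a hypothetical indicator list. The host names, destinations, byte counts, the indicator list and the 3-sigma / 2x thresholds are all assumptions made for the example.

```python
"""Baseline-plus-signature detection over constructed netflow-style records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (not real traffic): (day, source host, destination, KB out).
# Days 1-5 are the baseline window; day 6 is the day under review.
FLOWS = [
    # ws-01: steady ~120 KB/day
    (1, "ws-01", "mail.example.com", 120), (2, "ws-01", "mail.example.com", 130),
    (3, "ws-01", "mail.example.com", 110), (4, "ws-01", "mail.example.com", 125),
    (5, "ws-01", "mail.example.com", 115),
    # ws-02: steady ~80 KB/day
    (1, "ws-02", "crm.example.com", 80), (2, "ws-02", "crm.example.com", 90),
    (3, "ws-02", "crm.example.com", 85), (4, "ws-02", "crm.example.com", 75),
    (5, "ws-02", "crm.example.com", 70),
    # srv-db: exactly 500 KB/day to the backup host (zero variance)
    *[(d, "srv-db", "backup.example.com", 500) for d in range(1, 6)],
    # day 6, the day under review
    (6, "ws-01", "mail.example.com", 125),
    (6, "ws-01", "update-check.badhost.example", 10),   # small flow to a listed indicator
    (6, "ws-02", "crm.example.com", 80),
    (6, "ws-02", "203.0.113.50", 900),                   # large burst to an unlisted host
    (6, "srv-db", "backup.example.com", 505),
    (6, "ws-09", "crm.example.com", 50),                 # host never seen in the baseline
]

# Hypothetical indicator list standing in for a threat-intel feed (assumed for the example).
INDICATORS = {"update-check.badhost.example"}
BASELINE_DAYS = set(range(1, 6))


def daily_totals(flows, days):
    """host -> {day -> KB out} restricted to the given days."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dest, kb in flows:
        if day in days:
            totals[host][day] += kb
    return totals


def build_baseline(flows, baseline_days, z=3.0, min_ratio=2.0):
    """Per-host alert threshold on daily KB out.

    Threshold is max(mean + z*stdev, min_ratio*mean) so a host with a perfectly
    flat history (stdev 0) still needs a real jump, not a single extra byte, to alert.
    """
    baseline = {}
    for host, per_day in daily_totals(flows, baseline_days).items():
        series = [per_day.get(d, 0) for d in sorted(baseline_days)]
        m, s = mean(series), pstdev(series)
        baseline[host] = max(m + z * s, min_ratio * m)
    return baseline


def behavior_alerts(flows, baseline, day):
    """Hosts whose outbound volume on `day` exceeds their baseline, or that have none."""
    alerts = {}
    for host, per_day in daily_totals(flows, {day}).items():
        total = per_day[day]
        if host not in baseline:
            alerts[host] = f"no baseline for host (first seen), {total} KB out"
        elif total > baseline[host]:
            alerts[host] = f"{total} KB out exceeds baseline threshold {baseline[host]:.0f} KB"
    return alerts


def signature_alerts(flows, indicators, day):
    """Hosts that contacted a listed indicator on `day`, regardless of volume."""
    alerts = defaultdict(list)
    for d, host, dest, _kb in flows:
        if d == day and dest in indicators:
            alerts[host].append(f"connection to listed indicator {dest}")
    return dict(alerts)


def detect(flows, indicators, baseline_days, day):
    """Merge both passes into host -> [reasons]; each pass catches what the other misses."""
    baseline = build_baseline(flows, baseline_days)
    findings = defaultdict(list)
    for host, reason in behavior_alerts(flows, baseline, day).items():
        findings[host].append(reason)
    for host, reasons in signature_alerts(flows, indicators, day).items():
        findings[host].extend(reasons)
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in sorted(detect(FLOWS, INDICATORS, BASELINE_DAYS, 6).items()):
        print(host, "->", "; ".join(reasons))
```

In the constructed data the two passes are complementary: ws-02 sends 980 KB to an address that appears on no indicator list and is caught only by the baseline; ws-01's volume looks normal and is caught only by the indicator match; srv-db's 505 KB day stays under its ratio floor even though its history has zero variance; ws-09 surfaces simply because it has no history at all, which is often worth a look after an incident.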
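Tips 1 and 2 of "Five tips to help safeguard your organization" (verify by callback to an independently obtained number, scrutinize new or recently updated accounts, and use dual control) translate directly into release rules a payments team can enforce before a wire goes out. The Python below is an added example, not code from the newsletter or from U.S. Bank: it models a wire request with its beneficiary record, callback record and approver, returns every reason the release must be blocked, and runs a constructed BEC-pattern request (new account, self-approval, callback to a number that was not on file) beside a constructed routine one. The 30-day "recently updated" window, the staff names, phone numbers and account identifiers are all assumptions.

```python
"""Release checks for an outbound wire, encoding the 'verify' and 'dual control' tips."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed policy window for treating a beneficiary as "new or recently updated".
RECENT_CHANGE_WINDOW = timedelta(days=30)


@dataclass
class Beneficiary:
    account: str
    last_changed: date              # when the account details were added or last updated


@dataclass
class Callback:
    number_dialed: str
    number_on_file: Optional[str]   # from prior records / vendor master; None if none existed
    request_confirmed: bool         # requestor confirmed the transfer itself
    account_confirmed: bool         # requestor confirmed the beneficiary account details


@dataclass
class WireRequest:
    amount: float
    beneficiary: Beneficiary
    initiator: str                  # staff member who keyed the wire
    approver: Optional[str]         # second staff member who released it
    callback: Optional[Callback]


def release_blockers(req: WireRequest, today: date) -> List[str]:
    """Return the reasons a wire must NOT be released; an empty list means it may go."""
    blockers = []
    # Tip 2: dual control means two different people, not one person clicking twice.
    if req.approver is None:
        blockers.append("dual control: no second approver")
    elif req.approver == req.initiator:
        blockers.append("dual control: approver is the initiator")
    # Tip 1: callback on an independently obtained number. A number taken from the
    # request itself proves nothing, since the attacker wrote the request.
    cb = req.callback
    if cb is None:
        blockers.append("verification: no callback recorded")
    else:
        if cb.number_on_file is None or cb.number_dialed != cb.number_on_file:
            blockers.append("verification: callback did not use the number on file")
        if not cb.request_confirmed:
            blockers.append("verification: requestor did not confirm the request")
    # Tip 1, special scrutiny: a new or recently changed account also needs its
    # details read back and confirmed on that callback.
    recent = today - req.beneficiary.last_changed <= RECENT_CHANGE_WINDOW
    if recent and not (cb and cb.account_confirmed):
        blockers.append("beneficiary changed within window and details not confirmed on callback")
    return blockers


TODAY = date(2016, 4, 15)   # constructed review date

# Constructed BEC pattern: an email posing as the CFO asks for an urgent wire to an
# account added yesterday and helpfully supplies a phone number to "confirm" on.
BEC_REQUEST = WireRequest(
    amount=48_500.00,
    beneficiary=Beneficiary("ACME-9921", last_changed=date(2016, 4, 14)),
    initiator="ap.clerk",
    approver="ap.clerk",
    callback=Callback(number_dialed="555-0199", number_on_file=None,
                      request_confirmed=True, account_confirmed=True),
)

# Constructed routine request: long-standing vendor account, callback to the number
# on file, released by a different person than the one who keyed it.
ROUTINE_REQUEST = WireRequest(
    amount=12_000.00,
    beneficiary=Beneficiary("ACME-1001", last_changed=date(2014, 2, 1)),
    initiator="ap.clerk",
    approver="ap.supervisor",
    callback=Callback("555-0100", "555-0100", request_confirmed=True, account_confirmed=False),
)

if __name__ == "__main__":
    for label, req in (("BEC pattern", BEC_REQUEST), ("routine", ROUTINE_REQUEST)):
        print(label, "->", release_blockers(req, TODAY) or ["release permitted"])
```

The BEC-pattern request is blocked twice even though the caller "confirmed" everything: the confirmation came from a number the request supplied, and the same clerk both keyed and approved the wire. The routine request clears because the vendor account is years old, so the extra account-details confirmation is not demanded of it.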