JPMorgan Chase & Co. Risk Assessment Report Based on the 2014 Data Breach
University of Washington IMT 552 (For educational purposes only)
Team Members: Akshay Ajgaonkar, Daniel Kapellmann, Divya Kothari, Dustin Chiang, Manasa Chitiprolu, Sandeep T. Maregowda
Table of Contents
I. Executive Summary
II. Information Security in the Financial Industry
III. JPMorgan Chase Data Breach
IV. Stakeholders
V. Identification of Main Assets
VI. Risks Identification
VII. Risk Assessment
VIII. Risk Normalization
IX. Control Planning and Risk Treatment
X. Recovery and Incident Response
XI. Communication and Monitoring
XII. Strategic Recommendations
XIII. Annexes
XIV. References
Executive Summary
The summer of 2014 saw the biggest data breach in American banking history, which resulted in the loss of 83 million records from one of the leading banks in the world, JPMorgan Chase. In the light of this cyberattack, we, as part of a special assessment team guided by the Chief Cyber Security Officer, performed an overall assessment. The objective of this assessment was to identify, assess and evaluate potential risks in order to provide senior management with recommendations for actions to prevent similar breaches in the future. The exercise, based on the ISO 31000 framework, started with the categorization of the overall risks into four clusters: Operational, Strategic, Financial and Legal Risk. Then, the six main risks were assessed, normalized and provided with consistent mitigation strategies. Finally, controls were planned and strategic recommendations were written to engage senior management in effectively managing the institution’s information assets. Through this paper we have evaluated and assessed this large scale data breach and made effective recommendations to ensure the safety of the bank’s data. (Please note that for the purposes of this assignment various assumptions have been made wherever data was not available.)
Information Security in the Financial Industry
Information security is currently one of the main challenges faced by firms in the financial sector because of the significant losses that any breach may cause. Establishing a secure environment for information assets is a topic of utmost relevance, yet a highly convoluted one when considering the diversity of the threats, the actors involved and the difficulty of staying one step ahead of new potential scenarios.
According to the Cost of Data Breach Study: Global Analysis by the Ponemon Institute, the average cost of an incident in 2015 reached $3.8 million, an increase of 23% over the preceding two years alone. This sum corresponds to an average of $145 to $154 for each stolen record. (Ponemon Institute, 2015)
In the case of the financial industry, the constant increase in the frequency of breaches and their negative impacts over the last few years has led to the creation of the largest non-government cybersecurity market. Its overall estimated value reached $9.5 billion in 2015, with the highest estimated growth rate for the 2015-2020 period. In 2014, PwC calculated that financial organizations collectively spent $4.1 billion on cybersecurity and would spend another $2 billion during the next two years. (Morgan, 2015)
JPMorgan Chase Data Breach
The 2014 cyberattack on the biggest bank in the USA, JPMorgan Chase & Co., was by far the most serious intrusion in the history of American corporations. This breach resulted in JPMorgan Chase & Co. losing data associated with approximately 83 million accounts (CNBC, 2015). The stolen records consisted primarily of the names, addresses, phone numbers and email addresses of account holders, compromised by unknown hackers (Kurane & Wills, 2014). Fortunately for the bank, the hackers were not able to retrieve more sensitive personal information about customers, such as social security numbers or account balances. As a consequence, the firm did not suffer any irreparable harm.
According to The New York Times, the bank’s weak spot was a rather basic one. The breach could have been stopped had the bank enabled a second authentication factor on one of the servers in its vast network. It was found that some Eastern European Internet addresses were used for the attack, but the bank refused to share any further details on the incident (Perlroth, 2014). Bearing in mind the significant amount of money that giant firms such as JPMorgan invest in security, the breach represented an enormous danger for the company in terms of reputation, economic losses and customer trust.
To make matters worse, the breach was discovered by the bank somewhat accidentally. In the month of July, security employees of the bank learned that the website for the JPMorgan Corporate Challenge, a charitable race organized by the bank, had been hacked and compromised. Although the website was run by an outside vendor, the intrusion pointed back to a bigger problem in the bank's own network. (Goldstein, 2015) Had this not been discovered, the compromise of 90 of the bank’s servers would have gone unnoticed for another extended period of time.
Right after the news of the breach was made public, JPMorgan shares went down by 0.4% during after-hours trading (Sam Ro, 2014). A few months later, in June 2015, the executive who was in charge of protecting JPMorgan Chase’s computer network from hackers was reassigned. Instead of managing the hundreds of personnel in the cybersecurity unit, he has now been asked to build relationships with the government, law enforcement and the remaining big U.S. banks to mitigate the possibility of future risks. (Robertson & Riley, 2015) A detailed assessment of this case is attached in Annex 2.
It may also be pertinent to note that, although the immediate assumption would be that the data was captured for financial fraud or identity theft, the Manhattan court has observed that the breach may have been carried out by Russian gangs. As alleged by a United States attorney: “The defendants manipulated trading in U.S. securities from overseas, using fake identities to funnel millions of dollars in unlawful proceeds through a web of international shell companies. Using false and misleading spam emails sent to millions of people, these defendants allegedly directed their pump-and-dump scheme from their computers halfway around the world” (Goldstein, 2015). This may be a key factor in determining the true perpetrator, given that, as one of the largest US banks, JPMorgan has played a major role in implementing the sanctions imposed against Russian institutions and officials as a result of the conflict in Ukraine. (Robertson & Riley, 2015)
Based on the various sources of information available and further risk/security assumptions, this paper will seek to identify, assess and evaluate further data breach risks following the risk management framework provided by ISO 31000. The framework also encourages us to identify solutions and recommendations for future prevention and recovery. It is important to mention that the text will mostly analyze the protection of information assets and draws only on publicly available information.
Stakeholders
The main stakeholders related to the JPMorgan Chase breach will be divided into two categories: internal and external. The first group consists of parties that either collaborate in the risk assessment process or must become acquainted with it in order to make further related decisions. The second involves parties that are not affiliated with the company, but are ultimately interested in the security of the organization’s information assets.
According to JPMorgan Chase’s corporate site, the Chief Risk Officer is mainly held accountable for elaborating detailed assessments. With the support of the Chief Cybersecurity Officer, this executive has to eventually present his findings to the Risk Policy Committee, a group organized to evaluate the findings, make decisions and ultimately collaborate with other parties such as the Audit and Corporate Governance Committees. (JPMorgan Chase & Co., 2015) It is important to recall that, besides performing an accurate assessment, communication plays a primary role in the process, since it enables the different stakeholders to correctly perform their duties. The accountability model is shown in the following diagram.
Internal Accountability Model
Some additional stakeholders that may be considered are the government of the United States of America and the customers. In the first place, the public sector has supported powerful financial institutions in recovering from breaches and other crises because of their importance for the overall economy. Besides, it is in the nation’s best interest to keep attracting customers by maintaining a good reputation for the security and good practices of private institutions.
External Stakeholder Matrix
In the second place, the customers are interested in being able to trust the institution in order to safely invest or save money without being harmed by security breaches. Other possible interpretations may consider other banks or competitors trying to learn from the breach and probably even emphasizing security as their competitive advantage. Finally, external service providers hired by the bank should also be considered potential stakeholders with high influence and interest in the bank’s security performance.
Identification of Main Assets
As a first step for the assessment, the primary assets of the organization that could either be in danger or play a role in data breaches were grouped into four different categories:
● Physical Assets - Infrastructure and technology used to share, analyze or produce information. Some examples are servers, networks, computers and other technology devices, either organizational or personal.
● Informational Assets - Refers to software and information stored in different formats. Some examples are databases, Customer Sensitive Information such as Personally Identifiable Information, and further financial data.
● Human Assets - Personnel and human factors involved in the processes implemented by the organization, as well as external users and stakeholders. Some examples are vendors, managers/employees and customers.
● Reputational Assets - Those factors that allow JPMorgan Chase & Co. to maintain or increase its brand presence as well as the goodwill and demand of external parties. Some examples are the share price, customer trust and credibility.
Assets Categorization Diagram
The above diagram shows the four categories that enclose the organization’s main assets with a direct or indirect relationship to data breaches. Even though this assessment is mostly centered on protecting the informational assets from data breaches, it is important to recall that the four categories are deeply interrelated across the different processes and procedures implemented by the institution. For this reason, protection of informational assets also affects the safety of the other three categories.
Risks Identification
The current exercise is mostly focused on the protection of informational assets in order to ensure the safety of the related primary physical, human and reputational factors. Based on this premise and on public data related to the 2014 JPMorgan Chase breach, the following main risks were identified and categorized:
Operational Risks
1) Inadequate controls and procedures (such as not implementing two-factor authentication on servers or not implementing secure network configurations) may lead to the exposure of restricted data and systems to external malicious parties.
2) Failure to contemplate the potential impact of human error when utilizing the informational assets of the company could generate unintended disclosure of data and evade currently implemented security controls.
3) Lack of substantial training for employees to protect the informational assets of the company may generate unintended disclosure of data and lower the effectiveness of currently implemented security measures.
4) Failure to implement correct software flags to report when an unauthorized party is attempting to access the system may lead to a lack of adequate and timely incident response against attacks.
5) Failure to implement adequate physical protection of the infrastructure of the company may enable direct intrusions by external malicious entities.
6) Carelessness of employees may affect the company by enabling external access to its information assets through lost or stolen equipment, devices or credentials.
7) Inability to separate the protection of internal networks from that of external providers hosting the websites of the company may lead to further data breaches and external intrusion into the main systems of the organization.
8) Lack of regular monitoring of customer information databases slows the bank’s actions to respond against attacks and to find and fix vulnerabilities, thus enabling intrusions to last for long periods of time.
Strategic Risks
1) Failure to protect the bank’s information systems may generate the disclosure of private data from users and customers, thus damaging the reputation of the institution and its overall financial performance.
2) Slow adaptation to technology advances by potential malicious actors leaves the company vulnerable to diverse external threats from different origins.
3) Failure to protect sensitive information of the bank may lead to the disclosure of confidential data about its customers and employees, thus enhancing the competition’s appeal in the market.
4) Inability to efficiently integrate the members of the security team may lead to cultural conflict, thus generating potential loss of productivity.
5) Failure to protect the information of customers and employees (such as contact details, home addresses and further private information) may affect the company by losing the trust and support of its human factors.
6) Inefficient communication strategies to include security in the overall culture of the firm could increase the probability of threats impacting the informational assets of the company.
Financial Risks
1) Failure to implement efficient organizational policies to correctly manage information may open the door to further attacks or even encourage unintended disclosure, thus generating financial and reputational losses for the company.
2) Failure to protect the personal information of customers may lead to theft and misuse of their resources through impersonation and other malicious methods.
3) Losing reputation as a consequence of information insecurity affects the company by decreasing the demand of users and inviting new entrants to reconsider working with competing organizations.
Legal Risks
1) Failure to comply with government regulation related to data protection and unauthorized disclosure could generate lawsuits against the bank and even strengthen government intervention.
2) Lack of regular and thorough auditing may lead the company to experience further breaches and/or get involved in legal disputes.
3) Failure to correctly protect the information of customers and employees affects the company by engaging it in legal disputes with further possible financial and reputational negative impacts.
4) Lack of awareness among employees leading to the destruction or deletion of documents related to data breaches affects the company by exposing it to further legal disputes.
The following diagram summarizes the identified risks and categorizes them according to their nature:
ERM Risk Universe
Risk Assessment and Mitigation
Based on the list of risks identified in the former section, the following assessment will include the six most relevant findings as well as an analysis of their probability and potential impact. At the same time, risk drivers and mitigation strategies will be defined for each one of them:
Risk # 1: Inadequate controls and procedures may lead to the exposure of restricted data and systems to external malicious parties.
Risk Dimension: Operational
(Probability and impact are rated L = low, M = medium, H = high.)

Risk Driver/Contributing Factor: Overlooking security controls for SDLC processes on data systems. Probability: L. Impact: H.
Current and Planned Mitigations:
- Implementation of quarterly monitoring of security controls.
- Implementing the use of flags to alert the department lead executives of system breaches and/or non-compliance with main security processes.

Risk Driver/Contributing Factor: Lack of communication with third party service providers on compliance with risk mitigation controls. Probability: M. Impact: H.
Current and Planned Mitigations:
- Establishment of regular meetings to coordinate security measures with third party service providers.
- Provide shared training sessions to share information about compliance procedures between both organizations.

Risk Driver/Contributing Factor: Lack of sufficient education and training on controls and procedures for restricting data and systems usage. Probability: M. Impact: M.
Current and Planned Mitigations:
- Regular training sessions are required to make all employees aware of the controls and policies in place in the organization.
- Elaboration of the Data Management and Control Procedures Manual to foster equal practices between different departments.
Risk # 2: Lack of periodic monitoring of customer information slows the bank’s actions to respond against attacks and to find and fix vulnerabilities, thus enabling intrusions to last for long periods of time.
Risk Dimension: Operational

Risk Driver/Contributing Factor: Insufficient robustness of the AAA (Authentication, Authorization, and Auditing) process for customers. Probability: M. Impact: H.
Current and Planned Mitigations:
- Implementation of robust AAA processes for customer data, reviewed by the Risk Management and Audit Committees.
- AAA quarterly functional reports to ensure the efficiency and efficacy of currently implemented mechanisms.

Risk Driver/Contributing Factor: Reports on vulnerabilities are slowly processed. Probability: L. Impact: M.
Current and Planned Mitigations:
- Forming a sub-unit within the Risk Management Team to perform regular and planned processing of vulnerability reports.

Risk Driver/Contributing Factor: Exceptions against systematic security warnings are consistently made. Probability: L. Impact: M.
Current and Planned Mitigations:
- Strengthen the mechanisms required to validate exceptions so that they take place only under critical necessity.
- Case by case assessment of security exceptions to supervise the correct management of this resource.
Risk # 3: Slow adaptation to technology advances by potential malicious actors leaves the company vulnerable to diverse external threats from different origins.
Risk Dimension: Strategic

Risk Driver/Contributing Factor: Costs of migrating data to new technology can deter adaptation. Probability: H. Impact: M.
Current and Planned Mitigations:
- Promote the adoption of interoperable systems that allow easily moving data from one location to another.
- Hiring external agencies or consultancies that can assist in migrating to new technologies.

Risk Driver/Contributing Factor: Technology adoption is delegated to external consultants rather than in-house experts. Probability: M. Impact: M.
Current and Planned Mitigations:
- Hiring in-house experts that may supervise and collaborate with external parties in order to manage information.
- Promoting internal management of information whenever it is possible.

Risk Driver/Contributing Factor: Company culture may not encourage effective adaptation to technology. Probability: M. Impact: L.
Current and Planned Mitigations:
- Implement communication mechanisms to embed technology adoption into the company’s culture.
Risk # 4: Inefficient communication strategies to include security in the overall culture of the firm could increase the probability of threats impacting the informational assets of the company.
Risk Dimension: Strategic

Risk Driver/Contributing Factor: Lack of efficient senior leadership in security. Probability: L. Impact: H.
Current and Planned Mitigations:
- Foster and reward efficient leaders in security positions, thus promoting long lasting work relations with expert managers.
- Hiring an expert for the role of chief information security officer can be highly useful.

Risk Driver/Contributing Factor: Marginalization of senior leadership in security. Probability: M. Impact: H.
Current and Planned Mitigations:
- Incorporate senior security leadership in general meetings with high executives.
- Promote strong security communication strategies to get high executives involved in the overall information risk management process.

Risk Driver/Contributing Factor: Risk assessment team may not be fully funded and supported by senior leadership. Probability: M. Impact: M.
Current and Planned Mitigations:
- Enable transparency mechanisms between the risk assessment team and senior leadership by means of regular meetings or presentations.
- Enforce minimum security budget requirements for senior leadership.
Risk # 5: Failure to comply with government regulation related to data protection and unauthorized disclosure could generate lawsuits against the bank and even strengthen government intervention.
Risk Dimension: Legal

Risk Driver/Contributing Factor: Noncompliance with audit requirements due to time or funding. Probability: M. Impact: M.
Current and Planned Mitigations:
- Enforce internal auditing mechanisms to ensure adequate compliance.
- Establish minimum time and budget requirements to comply with external audits.

Risk Driver/Contributing Factor: Reliance on external audit relationships rather than an internal auditing team. Probability: L. Impact: H.
Current and Planned Mitigations:
- Forming an internal audit team that performs quarterly, half yearly and yearly assessments.
- Promote coordination between internal and external auditing teams.

Risk Driver/Contributing Factor: Internal processes and audits do not align well with government regulation. Probability: L. Impact: M.
Current and Planned Mitigations:
- Collaboration between the legal department and internal audit teams to ensure compliance with government regulation.
Risk # 6: Failure to implement efficient organizational policies to correctly manage information may open the door to further attacks or even encourage unintended disclosure, thus generating financial and reputational losses for the company.
Risk Dimension: Financial

Risk Driver/Contributing Factor: Organizational policies do not align well with business objectives. Probability: L. Impact: H.
Current and Planned Mitigations:
- Coordinating organizational policies and business objectives by analyzing them through the lens of information security and risk management.
- Establish strong monitoring mechanisms to keep organizational security policies aligned with the main business objectives.

Risk Driver/Contributing Factor: Organizational policies hinder employee performance in everyday tasks. Probability: M. Impact: M.
Current and Planned Mitigations:
- Elaborate a report based on employee consultation regarding the flow of organizational policies and how they facilitate or complicate their daily tasks.
- Increase awareness about the necessity of following organizational policies for the good functioning of the firm.

Risk Driver/Contributing Factor: Insufficient performance tracking and management for organizational policies. Probability: M. Impact: H.
Current and Planned Mitigations:
- Keep track of the performance of organizational policies, where they fail and how to make them better.
- Maintain constant communication with employees to understand the impact of organizational policies on their daily jobs and how they follow these procedures.
Risk Normalization
After meeting with the main stakeholders and analyzing their interests, the following chart was prepared. Based on the assessment, each risk below is rated by the likelihood of the threat occurring and by its impact.
Main Risks Evaluation
ID | Risk | Stakeholders Involved | Impact | Likelihood
1 | Inadequate controls and procedures | Business Team, Government Regulatory Body, IT Team | 5 | 2.7
2 | Lack of periodic monitoring | External and Internal Audit Committee, Governance Committee | 4.8 | 2.5
3 | Slow adaptation to technology | IT Team, Business | 2.6 | 4.1
4 | Inefficient communication strategies | CEO, Key business stakeholders, External Vendors | 4 | 2.2
5 | Failure to implement organizational policies | Key Business Stakeholders, IT Team | 3.9 | 1.7
6 | Non-compliance with government regulation | Legal Team, Technical Team, External Vendors, Government | 4.7 | 2
As part of the risk normalization process, the impact and likelihood ratings above were accepted by the stakeholders, and the following heat map visualizes them.
Risk Heat Map
Control Planning and Risk Treatment
According to the results of the risk normalization process, risks 3, 4 and 5 may be tolerated and managed by the team on a regular basis. In order to address them, the cybersecurity and risk managers will be informed so that better communication, alignment with business objectives and faster adaptation to technology are addressed in the immediate future.
However, risks 1, 2 and 6 must be prioritized and immediately addressed, since the probability-impact matrix shows that the stakes are high enough to require the implementation of immediate controls. The following activities will be implemented to resolve each of these problems:
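The normalization and treatment decision above, worked through as an added example that is not part of the original report: it takes the impact and likelihood ratings from the Main Risks Evaluation table, ranks the six risks both by the conventional impact x likelihood score and by impact alone, and reproduces the report's split into prioritized risks (1, 2, 6) and tolerated risks (3, 4, 5). Rounding fractional ratings up to the next grid cell is an assumption, since the report does not publish its heat map cut-offs.

```python
"""Risk normalization with the impact and likelihood ratings accepted by the
stakeholders (1-5 scale, taken from the Main Risks Evaluation table)."""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Risk:
    rid: int
    title: str
    impact: float       # 1 = negligible .. 5 = severe
    likelihood: float   # 1 = rare .. 5 = almost certain


# Ratings exactly as listed in the report's evaluation table.
RISKS = [
    Risk(1, "Inadequate controls and procedures", 5.0, 2.7),
    Risk(2, "Lack of periodic monitoring", 4.8, 2.5),
    Risk(3, "Slow adaptation to technology", 2.6, 4.1),
    Risk(4, "Inefficient communication strategies", 4.0, 2.2),
    Risk(5, "Failure to implement organizational policies", 3.9, 1.7),
    Risk(6, "Non-compliance with government regulation", 4.7, 2.0),
]


def exposure(risk):
    """Conventional exposure score: impact x likelihood."""
    return risk.impact * risk.likelihood


def rank_by_exposure(risks):
    """IDs ordered by impact x likelihood, highest first."""
    return [r.rid for r in sorted(risks, key=exposure, reverse=True)]


def rank_by_impact(risks):
    """IDs ordered by impact alone, highest first (the rule the report applies:
    the most impactful risks are selected in spite of low probability)."""
    return [r.rid for r in sorted(risks, key=lambda r: r.impact, reverse=True)]


def treatment_plan(risks, top_n=3):
    """Split risks the way the report does: the top_n by impact get immediate
    controls regardless of likelihood; the rest are tolerated and managed on a
    regular basis. Note that ranking by exposure instead would promote risk 3
    (high likelihood, low impact) ahead of risk 6."""
    ordered = rank_by_impact(risks)
    return {"prioritize": sorted(ordered[:top_n]),
            "tolerate": sorted(ordered[top_n:])}


def heat_map_cells(risks):
    """Place each risk in a 5x5 grid cell keyed (impact row, likelihood column).
    Fractional ratings are rounded up to the next cell (assumption)."""
    cells = {}
    for r in risks:
        key = (min(5, ceil(r.impact)), min(5, ceil(r.likelihood)))
        cells.setdefault(key, []).append(r.rid)
    return cells


def render_heat_map(risks):
    """Text rendering: impact 5 at the top, likelihood 1..5 left to right."""
    cells = heat_map_cells(risks)
    label = "impact \\ likelihood"
    lines = [f"{label:<19}" + "".join(f"{lik:<6}" for lik in range(1, 6))]
    for imp in range(5, 0, -1):
        row = f"{imp:<19}"
        for lik in range(1, 6):
            ids = ",".join(str(i) for i in cells.get((imp, lik), []))
            row += f"{ids:<6}"
        lines.append(row)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_heat_map(RISKS))
    print("by exposure:", rank_by_exposure(RISKS))
    print("by impact:  ", rank_by_impact(RISKS))
    print("treatment:  ", treatment_plan(RISKS))
```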
Risk Title: Inadequate controls and procedures
Risk Description: Failure to implement efficient controls and procedures to protect customer and bank’s information
Associated Business Objectives: Customer trust and support, Information assurance, Adaptation to changes in the industry
Risk Type: Operational
Risk Category: Information Security, Policies and Procedures, Incident Response
Impact Rating: 5
Likelihood Rating: 2.7
Management Activity and Controls Rating:
1. Implementation of alert flags to inform department lead executives about system breaches and/or non-compliance with main security processes
2. Quarterly monitoring of security controls and regular meetings to coordinate with internal and external service providers
3. Shared compliance and policy training sessions involving main internal stakeholders and external service providers
4. Elaboration of the Data Management and Control Procedures Manual (DMCP) to foster equal practices between different departments
Suggested Owners: Chief Risk Officer, Chief Cybersecurity Officer, Audit Committee
Metrics: Amount and duration of successful minor/major data breaches; number of employees with access to and approved evaluation in the DMCP Manual; quarterly monitoring reports; number of employees attending training sessions; number of alert flags informing of non-compliance with security processes
Risk Title: Lack of periodic monitoring
Risk Description: Thorough evaluation and periodic monitoring of security policies, controls and procedures
Associated Business Objectives: Information Assurance, Operational Optimization, Risk Mitigation and Critical Assets Management
Risk Type: Operational
Risk Category: Information Security, Audit and Monitoring
Impact Rating: 4.8
Likelihood Rating: 2.5
Management Activity and Controls Rating:
1. Implementation and revision of robust AAA processes and procedures to protect customer data
2. Formation of a separate monitoring sub-unit to produce regular reports on control efficiency and effectiveness, as well as to track, report and fix vulnerabilities
3. Strengthen requirements to validate exceptions and assess petitions case by case in order to supervise correct management of this resource
Suggested Owners: Chief Cybersecurity Officer, Audit Committee
Metrics: Half yearly AAA processes and procedures revision report; formation of the security monitoring sub-unit and derived performance metrics; number of approved exceptions; number of petitions to perform exceptions
Risk Title: Non-compliance with government regulation
Risk Description: Failure to enforce compliance with government regulation while performing daily processes and procedures
Associated Business Objectives: Operational Compliance, Business Continuity, Information Assurance and Critical Assets Protection
Risk Type: Legal/Compliance
Risk Category: Regulatory and Legal, Information Assurance, Policy and Compliance
Impact Rating: 4.7
Likelihood Rating: 2.0
Management Activity and Controls Rating:
1. Evaluating the complementarity between business objectives and risk/security organizational policies, and establishing monitoring mechanisms to keep them aligned
2. Elaborate yearly reports based on employee consultation regarding the flow of security policies and how they influence their daily tasks
3. Keep track of the performance of security organizational policies and implement mechanisms to integrate them into the main business processes
Suggested Owners: Policy and Compliance Department, Chief Risk Officer, Chief Cybersecurity Officer
Metrics: Yearly security operations report; Business Objectives and Security Assessment; security policies’ performance monitoring; increase in time consumption to comply with security procedures
The most impactful risks were selected in spite of their low probability. As proven by the 2014 data breach, it is of utmost importance to be prepared for events of this sort, which relate not only to daily tasks but also to unexpected crises. For further information about the impact and probability metrics, refer to Annex 2.
Incident Response and Recovery
Incident management and recovery is a critical part of business continuity planning. In order to effectively respond to the data breach at hand, we propose (under the stated assumptions) the following key steps to address it:
● Perform disaster recovery and root cause analysis
● Segregate internal networks into separate segments to contain further intrusion
● Restrict access to critical assets through least-privilege controls
● Quarantine the systems that were breached
● Internal communication to create awareness
● Implement proper training for cyber security personnel
Communication and Monitoring
As suggested by the ISO 31000 framework, the preceding analysis must be continuously accompanied by a robust strategy of communication and monitoring that evaluates the process and increases awareness among the stakeholders. The risk assessment based on the 2014 data breach shows that it is of significant importance to strengthen monitoring activities and enhance the training of key employees in order to increase the security of the organization’s informational assets. These two actions will also play an important role in engaging lead managers in investing effort and resources to further protect the information of the institution.
However, internal communication should not be the only concern. Considering that the 2014 data breach was covered by diverse media channels, the reputation of the bank was damaged, and it is now important to reinforce the perception that strong security measures have been implemented to protect the information held by the organization. It is expected that by enhancing the security-oriented image of the bank, less government intervention will occur and trust will increase among both corporate and individual customers.
The main components of the communication plan should be:
Objective: Increase customers’ demand for the organization’s services
Audience: Customers
Strategy: Increasing trust in the organization’s safety standards and promoting JPMorgan Chase & Co. as a security champion institution
Evaluation Criteria:
- Number of corporate customers
- Number of individual customers
- Customers’ security perception

Objective: Educate employees to effectively follow security related policies and procedures
Audience: Employees
Strategy: Promote major security awareness among employees by generating communication campaigns and training that show them the impact of information security in their daily lives
Evaluation Criteria:
- Reported incidents caused by unintended employees’ actions
- Average time increase in procedures due to non-compliance with procedures and human error

Objective: Engage lead managers in the information security process
Audience: Lead Managers
Strategy: Offer lead managers clear and regular reporting mechanisms in order to increase awareness and enhance the amount of resources/efforts they utilize to secure informational assets
Evaluation Criteria:
- Total expenditure destined to information security by department
- Amount of hired employees dedicated to information assurance
- Information security practices yearly survey

Objective: Gain authorities’ goodwill and support by sharing the company’s information security achievements
Audience: Official Authorities
Strategy: Inform key government stakeholders about the success of the bank’s measures related to the protection of their informational assets
Evaluation Criteria:
- Number of addressed key government stakeholders
- Elaboration of collaborative workshops, events and initiatives
The communication plan will address different stakeholders using diverse methods. While government institutions will be invited to learn more about information security achievements, customers will only be told about the bank's leading position as a safe institution. The tone of the campaign must show that resources are being allocated to protect information; however, it should not display excessive confidence that may invite outsiders to try to breach the institution's data assets as a challenge. Employees and risk managers will both receive awareness campaigns and training, and the only differentiation will be in the sort of sensitive information that each of them may receive.
In general terms, the plan will be launched with the support of an initial campaign that shares the message: "JPMorgan Chase & Co. cares about data security and has learned from previous lessons. For this reason the company is now preparing to become a leader in mechanisms and procedures for enhancing information assurance. Information stored in the bank's servers will now be more secure than ever before." To fully live up to this message, success stories and good practices will be shared among the stakeholders, thus promoting general awareness of the relevance of the field.
Besides the communication strategy, it will be of utmost importance to continue implementing the continuous monitoring initiatives defined by the risk management and security teams. Both teams should closely watch over the entire risk management process so that JPMorgan Chase & Co. can be sure of the efficiency of its policies and enhance the impact among the most relevant stakeholders.
Considering the expected increase of cybersecurity spending to $500 million in 2016, JPMorgan Chase is preparing to address further information security challenges. Planning how this money can be appropriately distributed among the most important security challenges is another issue. In the context of the preceding analysis, there are three clusters of strategic improvements that can serve as the basis for recommendations JPMorgan Chase can move forward with: controls and procedures for technology adaptation, communication strategies for external groups, and alignment between corporate and government policies for effective risk compliance.
Throughout our analysis, evidence suggests that technology adaptation is relatively slow across JPMorgan Chase's business operations. Three key risk drivers affecting this process could be haste in proposing and implementing IT projects while leaving out crucial monitoring functions, ineffective change management for the organization on new technologies, and reliance on external consultancy without sustained internal experts. Based on these drivers, the top three recommendations for JPMorgan Chase to consider when improving streamlined technology adaptation with effective controls and procedures are:
1. Increase monitoring and detection of unauthorized access in information systems holding sensitive data.
2. Provide consistent IT training sessions on technology use throughout JPMorgan Chase internally and with third party providers on risk areas such as policies and compliance.
3. Promote internal information management through developing and enhancing in-house experts' proficiency with processing data and information systems.
In addition to ineffective technology adaptation, communication strategies with external groups throughout JPMorgan Chase's business operations may have affected the company's response to data breaches. Three key risk drivers affecting this process could be the isolation of senior leadership from external affairs, inadequate processing and response measures for external groups, and loopholes in external access to information. Based on these drivers, the top three recommendations to improve communication strategies with external groups are:
1. Encourage inclusiveness of senior security leadership in the organization to discuss security issues with external groups.
2. Promote better transparency of data and information usage by JPMorgan Chase for external groups.
3. Re-evaluate and develop policies enforced against unauthorized access to data, and bolster the robustness of case-by-case evaluations.
Finally, evidence also suggests that JPMorgan Chase's corporate policies for risk assessment and compliance may not have fully aligned with government policies to protect stakeholder and customer data. Three key risk drivers affecting this process could be constraints on time and money to handle auditing internally, insufficient performance management for organizational policies, and organizational policies that hinder day-to-day operations for individual branches. Based on these drivers, the top three recommendations to target these risk drivers could be:
1. Have a comprehensive and inclusive internal auditing program through auditing and legal teams at individual company branches.
2. Have a program for encouraging cyclical compliance and feedback on organizational policies and their changes.
3. Re-evaluate policies on balancing data and information access and security with employees such as associates and managers.
Annex # 1
Main survey questions:
1. What controls were in place before the breach, and what controls are currently in place at JPMorgan Chase?
2. How often are your webpages/systems monitored in order to be sure that no security breaches are taking place? Which mechanisms do you use for this?
3. What are the most valuable assets that you would deem necessary to protect from information security breaches?
4. According to publicly available information, the breach happened because of the lack of a second authentication step on one of the servers. How are the rest of the servers protected? Has anything been done yet to address this vulnerability? How is relevant user data protected?
5. Are there any other potential vulnerabilities you would like to point out before we start our external assessment?
6. Has there been any history of non-adherence to any sort of information security related compliance requirements (such as PCI)?