Corporate Treasurers Focus on Cyber Security

© 2014 Greenwich Associates, LLC. Javelin Strategy & Research is a division of Greenwich Associates. All rights reserved. No portion of these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise. Cyber Security Top Risks and Trends for U.S. Large Corporates December 2014


Cyber Security

Top Risks and Trends for U.S. Large Corporates

December 2014

We help our customers:

• Make smarter business decisions

• Gain a significant competitive advantage

• Improve customer experience

• Transform research into behavioral change

• Deliver actionable insights & identify implementable action steps

• Drive cultural change

• Link financial performance to customer experience

About Greenwich Associates

Greenwich Associates provides authoritative market data, insights and consulting solutions to senior financial professionals worldwide.

Firm Facts

• Founded in 1972

• Privately held

• Headquartered in Stamford, CT

• Fourth largest interview facility in North America

Treasury Department Priorities

Share of respondents rating each area High Priority / Low Priority / Not a Priority:

• Supply Chain Interruption Risk: 46% / 38% / 16%

• Economic Risks: 47% / 45% / 8%

• Financing Risks: 56% / 33% / 11%

• Business Interruption: 66% / 29% / 5%

• Efficient Management of Working Capital: 66% / 29% / 6%

• Regulatory/Compliance Issues: 74% / 24% / 2%

• Cost Management: 74% / 24% / 3%

• Information (IT) Security: 78% / 20% / 2%

Source: 2014 U.S. Large Corporate Banking Study – Above $2BB. Question: Using a 3-point scale from 1 = Not a Priority to 3 = High Priority, how focused is your company on each of the following: (A) Business Interruption (B) Supply Chain Interruption Risk (C) Economic Risks (D) Financing Risks (E) Information Security (F) Regulatory/Compliance Issues (G) Cost Management (H) Efficient Management of working capital

What Finance Departments Will Focus on in the coming year


Treasury Department Plans

• Outsource More Functions: 18%

• Bring More Functions In-House: 22%

• Reduce Staff: 10%

• Add Staff: 31%

• Take More Risk in Short-Term Investing: 11%

• Increase Technology Spending: 63%

Source: 2014 U.S. Large Corporate Cash Management Study – Above $2BB Note: Respondents may offer multiple responses Question: In the next 12 months, is your treasury department planning to: (1) increase technology spending, (2) reduce staff, (3) add staff, (4) take more risk in short-term investing, (5) outsource more functions, and/or (6) bring more functions in house? What are 2 or 3 top priorities of your finance department in the coming year?

What Treasury Departments Will Do Over the Next 12 Months to Ensure Operational Efficiency

“The first is regulatory compliance requirements. IT and security issues seem to be coming up quite a bit as well.” – Fortune 200-300

“Definitely consolidation and IT in the sense that we are secured in information reporting. And reducing risks.” – Fortune 100-200

“We are reviewing our banking relationships, fees, and how to improve and streamline our banks. We are also looking at how we can automate more of the banks' processes and how we can reduce the number of bank accounts.” – Fortune 100

“Reducing our bank fees. Every single year we have pressure to reduce our costs. So we're implementing this treasury system, but we're also going to implement a new upgrade. We're upgrading our BRM, which is what we use to analyze the bank fees.” – Fortune 100

“Allocation of cash. Specifically improving returns on cash and re-evaluation of banking relationships and bank accounts” – Fortune 300-400

“We're putting in a new treasury workstation. We recently expanded into the international space, so we're trying to bring everything up from a cash management perspective to have that for currency and international capabilities on the system.” – Fortune 100

Themes cited:

• Regulatory Compliance

• Information Technology & Security

• Relationship Management

• Treasury Management Systems

• Market Trends

• Capital Structure and Allocation

• Cost/Bank Fee Reduction

Source: 2014 U.S. Large Corporate Cash Management Study – Above $2BB Question: What are the 2 or 3 cash management challenges you foresee in the next 12-18 months?

Cash Management Priorities


All Industries Are Vulnerable to Breaches: It’s the Data That Matters

In 2014, Year-to-Date: Nearly 200 Disclosed Breaches in the U.S. (excluding Government and Education), which represents 280 Million+ Records at Risk

According to Privacy Rights Clearinghouse, October 21st, 2014

Whose Data Is It? And Then What?

Different Parties, Different Data, Different Business Complications

Consumer: “High Profile Breaches”

• Data: Wide variety of PII is being targeted

• Complication: Compliance and Customer Avoidance

Internal: “High Value Targets”

• Data: IP, Trade Secrets, Financial Info, and Business ID

• Complication: Unfair Competition and Fraud

Partner: “The Worst of Both Worlds”

• Data: Any of the above

• Complications: Lost Profits All Around

When Personally Identifiable Information Leaves, So Do Customers

Consumer rate of post-breach avoidance, by business type

[Bar chart: percent of consumers, by type of organization where data breach occurred. Bar labels are not present; values shown: 44%, 43%, 34%, 33%, 32%, 31%, 30%, 27%, 26%, 24%, 24%, 19%, 18%, 22%. *Caution: Low base]

October 2013, n varies 44 to 415. Base: Data breach victims in the past 12 months

©2014 Javelin Strategy & Research

Financial Account Info and Credentials Fuel for Account Takeover Fraud

Frequency of reported account takeovers:

• 2.11 per 1,000 commercial customers

Of all reported account takeovers:

• 65% did not involve monetary transactions

• 9% resulted in funds leaving the institution

For takeovers where monetary transactions were created:

• 76% involved wire transfers (with 4% ACH and 18% check writing and other)

Where funds were fraudulently transferred from the financial institution:

• 82% involved wire transfers (with 14% ACH and 4% check writing and other)

• 39% of losses involved wire transfers (with 52% ACH and 9% check writing and other)

Business Financial Accounts are High-Value Targets for Criminals

Source: FS-ISAC Commercial Account Takeover Survey Press Release, January 9th, 2013


Zero-Days Need Not Apply: Common Threats by Type

[Diagram: Company Data surrounded by Employees, Remote Access, Suppliers, Website, Workstations, and Servers, with the corresponding threats Social Engineering, Weak Authentication, Compromised Vendors, Web Injection, Malware, and Unpatched Vulnerability]

Criminals rely on tried-and-true methods for compromise, long before they resort to more sophisticated measures such as “zero-day” attacks.

Everyday Threats Compromising Businesses and Their Customers

• Weak Authentication: Non-complex passwords without additional authentication factors are easily bypassed (guessed, stolen, etc.)

• Unpatched Vulnerabilities: Hackers rely on known vulnerabilities in operating systems and other common software to gain entry and glean data

• Malware: Trojans and other forms of malware can exfiltrate data, be used to access financial accounts, or create “bots”

• Compromised Vendors: Vendors are targeted for their access to clients’ systems, either directly or through products they provide

• Social Engineering: Employees throughout the organization are at risk, as hackers utilize seemingly legitimate communications

• Web Injection: Public-facing websites are compromised and misused to glean customer data or to deliver malware

But When All Else Fails… And Hackers Absolutely Have to Have it…

Once the purview of nation states, “zero-days” have become accessible for top-tier cybercrime groups, or are repurposed into exploit kits later in their lifecycle.

What are they?

Zero-day exploits rely on previously unknown vulnerabilities to compromise systems, and typically target common software platforms, including operating systems, browser software, productivity software, and various plug-ins.

Who creates them?

Zero-day exploits are most commonly used and developed by nation states, such as China, Russia, and the U.S.; independent security firms now offer zero-day exploits on the open market. Cybercrime has created a market for “near zero-day exploits” to be packaged together into kits available for purchase on underground markets.

How much do they cost?

According to RAND: “Zero-day prices range from a few thousand dollars to $200,000–$300,000, depending on the severity of the vulnerability, complexity of the exploit, how long the vulnerability remains undisclosed, the vendor product involved, and the buyer.”

Seven Steps for Mitigating Threats From the Everyday to the Zero-day

1. Secure buy-in from senior leadership

2. Educate employees

3. Upgrade authentication inside and out

4. Harden externally facing web properties

5. Monitor network traffic for anomalous activity

6. Update software promptly and thoroughly

7. Prepare for the worst case scenario


Summary

Treasurers recognize that business profitability is at risk because of cyber threats.


Corporations can reduce their risk by:

• Becoming aware of the threats they currently face

• Creating a culture of cyber-awareness throughout their organization

• Adjusting security policies and procedures to address current threats

• Understanding and planning for the risks they face from counterparties

• Partnering with their financial service providers to constantly improve the security of their accounts