Cyber Security - nact.org · Cyber Security: Top Risks and Trends for Protecting Your Assets NACT...

Cyber Security: Top Risks and Trends for Protecting Your Assets

NACT Presentation, Thursday, June 18th, 2015

Helping You Make Smarter Business Decisions

© 2015 Greenwich Associates, LLC. Javelin Strategy & Research is a division of Greenwich Associates. All rights reserved. No portion of these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise.


Today’s Presenters

• Marc Harrison, Principal, Banking

• Al Pascual, Director, Fraud & Security

• Maribeth Farley, Relationship Manager, Moderator

Agenda

• About Greenwich Associates

• Treasury Department Priorities and Plans

• Who’s Being Targeted, Why, and to What Effect?

• Attack Vectors

• Threat Remediation

• Summary

About Greenwich Associates

Greenwich Associates provides authoritative market data, insights and consulting solutions to senior financial professionals worldwide.

We help our customers:

• Make smarter business decisions

• Gain a significant competitive advantage

• Improve customer experience

• Transform research into behavioral change

• Deliver actionable insights & identify implementable action steps

• Drive cultural change

• Link financial performance to customer experience

Firm Facts

• Founded in 1972

• Privately held

• Headquartered in Stamford, CT

• Fourth largest interview facility in North America


Treasury Department Priorities

What Finance Departments Will Focus on in the Coming Year

• Supply Chain Interruption Risk: 46% High Priority, 38% Low Priority, 16% Not a Priority

• Economic Risks: 47% High Priority, 45% Low Priority, 8% Not a Priority

• Financing Risks: 56% High Priority, 33% Low Priority, 11% Not a Priority

• Business Interruption: 66% High Priority, 29% Low Priority, 5% Not a Priority

• Efficient Management of Working Capital: 66% High Priority, 29% Low Priority, 6% Not a Priority

• Regulatory/Compliance Issues: 74% High Priority, 24% Low Priority, 2% Not a Priority

• Cost Management: 74% High Priority, 24% Low Priority, 3% Not a Priority

• Information (IT) Security: 78% High Priority, 20% Low Priority, 2% Not a Priority

Source: 2014 U.S. Large Corporate Banking Study – Above $2BB. Question: Using a 3-point scale from 1 = Not a Priority to 3 = High Priority, how focused is your company on each of the following: (A) Business Interruption (B) Supply Chain Interruption Risk (C) Economic Risks (D) Financing Risks (E) Information Security (F) Regulatory/Compliance Issues (G) Cost Management (H) Efficient Management of working capital


Treasury Department Plans

What Treasury Departments Will Do Over the Next 12 Months to Ensure Operational Efficiency

• Outsource More Functions: 18%

• Bring More Functions In-House: 22%

• Reduce Staff: 10%

• Add Staff: 31%

• Take More Risk in Short-Term Investing: 11%

• Increase Technology Spending: 63%

Source: 2014 U.S. Large Corporate Cash Management Study – Above $2BB Note: Respondents may offer multiple responses Question: In the next 12 months, is your treasury department planning to: (1) increase technology spending, (2) reduce staff, (3) add staff, (4) take more risk in short-term investing, (5) outsource more functions, and/or (6) bring more functions in house? What are 2 or 3 top priorities of your finance department in the coming year?


Cash Management Priorities

“The first is regulatory compliance requirements. IT and security issues seem to be coming up quite a bit as well.” – Fortune 200-300

“Definitely consolidation and IT in the sense that we are secured in information reporting. And reducing risks.” – Fortune 100-200

“We are reviewing our banking relationships, fees, and how to improve and streamline our banks. We are also looking at how we can automate more of the banks' processes and how we can reduce the number of bank accounts.” – Fortune 100

“Reducing our bank fees. Every single year we have pressure to reduce our costs. So we're implementing this treasury system, but we're also going to implement a new upgrade. We're upgrading our BRM, which is what we use to analyze the bank fees.” – Fortune 100

“Allocation of cash. Specifically improving returns on cash and re-evaluation of banking relationships and bank accounts” – Fortune 300-400

“We're putting in a new treasury workstation. We recently expanded into the international space, so we're trying to bring everything up from a cash management perspective to have that for currency and international capabilities on the system.” – Fortune 100

• Regulatory Compliance

• Information Technology & Security

• Relationship Management

• Treasury Management Systems

• Market Trends

• Capital Structure and Allocation

• Cost/Bank Fee Reduction

Source: 2014 U.S. Large Corporate Cash Management Study – Above $2BB Question: What are the 2 or 3 cash management challenges you foresee in the next 12-18 months?


All Industries Are Vulnerable to Breaches

It’s the Data That Matters

In 2015, Year-to-Date: Nearly 440 Disclosed Breaches

Which represents: Millions of Records at Risk

According to Data Loss DB, June 10th, 2015


Whose Data Is It? And Then What?

Different Parties, Different Data, Different Business Complications

Consumer: “High Profile Breaches”

• Data: Wide variety of PII is being targeted

• Complication: Compliance and Customer Avoidance

Internal: “High Value Targets”

• Data: IP, Trade Secrets, Financial Info, and Business ID

• Complication: Unfair Competition and Fraud

Partner: “The Worst of Both Worlds”

• Data: Any of the above

• Complications: Lost Profits All Around


When Personally Identifiable Information Leaves, So Do Customers

[Figure: Consumer rate of post-breach avoidance, by business type. Vertical axis: Percent of consumers. Horizontal axis: Type of organization where data breach occurred. *Caution: Low base.]

October 2013, n varies 44 to 415. Base: Data breach victims in the past 12 months

©2014 Javelin Strategy & Research


Financial Account Info and Credentials

Fuel for Account Takeover Fraud

Frequency of reported account takeovers:

• 2.11 per 1,000 commercial customers

Of all reported account takeovers:

• 65% did not involve monetary transactions

• 9% resulted in funds leaving the institution

For takeovers where monetary transactions were created:

• 76% involved wire transfers (with 4% ACH and 18% check writing and other)

Where funds were fraudulently transferred from the financial institution:

• 82% involved wire transfers (with 14% ACH and 4% check writing and other)

• 39% of losses involved wire transfers (with 52% ACH and 9% check writing and other)

Business Financial Accounts are High-Value Targets for Criminals

Source: FS-ISAC Commercial Account Takeover Survey Press Release, January 9th, 2013


Using Internal Communications Against You

Business Email Compromise (a.k.a. “Masquerading”)

$1 billion in total losses projected by year end, according to FBI

Rather than compromise a commercial account directly:

• Cybercriminals compromise the email of a C-suite executive

• Read weeks of emails to understand how employees interact and recent business activity

• Alter contact information in email signatures (i.e., phone numbers)

• Instruct AP staff via email to initiate a wire to an account under their control using a legitimate-sounding premise


Zero-Days Need Not Apply

Common Threats by Type

[Diagram: Company Data, labelled with Employees, Remote Access, Suppliers, Website, Workstations and Servers, and with the threat types Social Engineering, Weak Authentication, Compromised Vendors, Web Injection, Malware and Unpatched Vulnerabilities]

Criminals rely on tried-and-true methods for compromise, long before they resort to more sophisticated measures such as “zero-day” attacks


Everyday Threats Compromising Businesses and Their Customers

• Weak Authentication: Non-complex passwords without additional authentication factors are easily bypassed (guessed, stolen, etc.)

• Unpatched Vulnerabilities: Hackers rely on known vulnerabilities in operating systems and other common software to gain entry and glean data

• Malware: Trojans and other forms of malware can exfiltrate data, be used to access financial accounts, or create “bots”

• Compromised Vendors: Vendors are targeted for their access to clients’ systems, either directly or through products they provide

• Social Engineering: Employees throughout the organization are at risk, as hackers utilize seemingly legitimate communications

• Web Injection: Public-facing websites are compromised and misused to glean customer data or to deliver malware


When All Else Fails…

And Hackers Absolutely Have to Have it…

What are they?

Zero-day exploits rely on previously unknown vulnerabilities to compromise systems, and typically target common software platforms, including operating systems, browser software, productivity software, and various plug-ins.

Who creates them?

Zero-day exploits are most commonly in use and development by nation states, such as China, Russia, and the U.S.; independent security firms now offer zero-day exploits on the open market. Cybercrime has created a market for “near zero-day exploits” to be packaged together into kits available for purchase on underground markets.

How much do they cost?

According to RAND: “Zero-day prices range from a few thousand dollars to $200,000–$300,000, depending on the severity of the vulnerability, complexity of the exploit, how long the vulnerability remains undisclosed, the vendor product involved, and the buyer.”

Once the purview of nation states, “zero-days” have become accessible for top-tier cybercrime groups, or are repurposed into exploit kits later in their lifecycle


Nation States’ Cyberattacks are Changing

Targets change, but China’s motivation remains the same

• China remains focused on nationalistic goals, including bolstering domestic industries and espionage

• Healthcare organizations = learnings to bolster national healthcare infrastructure

• Federal employee data = PII to compromise other systems or support blackmail

Russia has less to lose and is actively supporting cybercrime

• Since its incursion into Ukraine and the subsequent response from the West, Russia has become a more belligerent cyberactor

• Anecdotal evidence suggests that Russian state services are actively supporting the efforts of cybercriminal organizations, supplying technical expertise


Seven Steps for Mitigating Threats

From the Everyday to the Zero-day

1. Secure buy-in from senior leadership

2. Educate employees

3. Upgrade authentication inside and out

4. Harden externally facing web properties

5. Monitor network traffic for anomalous activity

6. Update software promptly and thoroughly

7. Prepare for the worst case scenario


Summary

Treasurers recognize that business profitability is at risk because of cyber threats.


Corporations can reduce their risk by:

• Becoming aware of the threats they currently face

• Creating a culture of cyber-awareness throughout their organization

• Adjusting security policies and procedures to address current threats

• Understanding and planning for the risks they face from counterparties

• Partnering with their financial service providers to constantly improve the security of their accounts


Thank You

© 2015 Greenwich Associates, LLC. Javelin Strategy & Research is a division of Greenwich Associates. All rights reserved. No portion of these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of Greenwich Associates, LLC. Greenwich Associates®, Competitive Challenges®, Greenwich Quality Index®, Greenwich ACCESS™, Greenwich AIM™, and Greenwich Reports® are registered marks of Greenwich Associates, LLC. Greenwich Associates may also have rights in certain other marks used in these materials.

Greenwich Associates provides authoritative market data, insights and consulting solutions to senior financial professionals worldwide.

Thank you for taking the time to attend our discussion today.

For additional information or questions, contact:

Maribeth Farley +1 203.625.4314

[email protected]
