JPMorgan and Chase Crisis Plan - WordPress.com · 1. Initiate the Crisis Communications Plan within...

Alexandria Hawkey
April 17th, 2016

Crisis Communications Plan for an Online Database Hack Involving JPMorgan Chase and Co.


-Table of Contents-

Premortem
Statement from Management to Employees
Acknowledgment
Purpose and Objectives
Key Publics
Crisis Team Directory
Emergency Personnel
Equipment, Supplies, and Information Needed
Glossary of Terms
Fill in the Blanks News Release
Key Messages


-Premortem-

When dealing with banks, there are many potential crises that could come up at any time. A few of them, ranked from least likely to most likely, are:

1. Hackers getting into our databases.

a. In this day and age, hackers are becoming more and more skilled and are able to break through firewalls and access information from databases. In an ideal world, our Internet security would be strong enough to prevent this from happening. In the event that it isn’t, our bank members could have their identities stolen, credit/debit cards could be copied, company emails could be released, and any other sensitive information about our bank members or company could be exposed. We would need to be able to reassure the bank members and stakeholders that we are working our hardest to fix the problem and that their account safety is our number one priority.

2. CEO is found to be embezzling money from the company through fraudulent loans or other means.

a. While we hope that Jamie Dimon would not embezzle money or commit other types of fraud through the company, there is a possibility that he could. We need to be prepared to handle that situation if it arises. If it were to happen that Dimon committed some sort of fraud, we would need to gather all of the facts about the situation before making any statements. We would also need talking points sent out to everyone in the corporation as soon as possible to hopefully prevent anyone from saying something that could potentially harm our reputation further.


3. A false merger rumor.

a. A false merger rumor could put stakeholders on edge and possibly cause them to take their stock out of the company. When false rumors circulate and the stakeholders don’t think they are being included with possible changes to the company, they can feel betrayed and no longer trust the company. If this were to happen, it would be very important for our crisis team to set the record straight as quickly as possible. They can keep track of it by monitoring what members on the board are saying in interviews, or other forms of communication such as social media.

4. A robbery at one of the banks.

a. While it may seem far-fetched today, bank robberies are still very possible. This crisis is hard to predict, but it is important to have a crisis team ready in case it were to happen. In the event of a robbery, there is the potential for a person or people coming in with guns and other weapons. This could quickly turn into a hostage situation and would be all over the local and national news. While it may seem unlikely, with hundreds of banks across America alone, it is important to have a plan in case it happens.

5. An economic recession.

a. When an economic recession occurs, interest rates tend to fall because inflation is lower and banks wish to try and stimulate the economy. Also, stock markets usually fall because firms make less profit. This usually occurs because banks have created too much money through loans and the debts for those loans become unpayable. If this were to occur, more than likely our company will have had a hand in it and it is crucial to reassure bank members and stockholders that their money is safe with us.


-Statement from Management to Employees-

As one of the largest banks in the world, we have to take every threat seriously. In our database, we have millions of account holders’ identities, including their account information and personal information. If our system were to be hacked into, their identities would be at stake. With new ways to hack into systems being developed every day, we need to be prepared in the event that our security is breached. We have employed the best people we can to ensure that it doesn’t happen, and they are the first people we’ll call to fix the problem.

It would not be the first time something like this has occurred. Recently, in March of 2016, Bangladesh’s central bank was hacked into through the use of malware installed on one of their computers. It only took one installation to allow the hackers access to $80 million. At our own company in 2014, we were hacked into. 76 million households’ and 7 million small businesses’ information was not secured. Online crime is very real, and is taken very seriously at JPMorgan Chase. We value our account holders and their security. Therefore, in the event that this were to happen, it is crucial that our employees across the world are prepared to deal with the media and public quickly and efficiently.

If this plan is not followed in the event of a crisis, not only will there be damage to our company’s reputation but to the trust of our account holders as well. This loss of trust could result in holders pulling out their accounts and stockholders selling their stocks. That would be detrimental to our company. It is imperative to maintain our reputation as a bank that people can trust. We trust that you will all keep up your outstanding work at our company and will continue to in the event of a cyber attack.


-Acknowledgment-

By signing this statement, I verify that I have read this plan and am prepared to put it into effect.

Jamie Dimon, Chairman and Chief Executive Officer _______________________________

Matthew E. Zames, Chief Operating Officer _____________________________________

Marianne Lake, Chief Financial Officer _____________________________________

Douglas B. Petno, Commercial Banking CEO _____________________________________

Daniel E. Pinto, Corporate & Investment Bank CEO _____________________________________

Gordon A. Smith, Consumer & Community Banking CEO _____________________________________

Mary Callahan Erdoes, Asset Management CEO _____________________________________

Ashley Bacon, Chief Risk Officer _____________________________________

John L. Donnelly, Head of Human Resources _____________________________________

Stacey Friedman, General Counsel _____________________________________


-Purpose-

In the event of a cyber attack in which our database is hacked into, we must take immediate action to inform our publics of the situation and the measures they need to take. It is imperative that we remain open and honest about the situation so that our publics will continue to trust us as a company. Corporate responsibility always has been central to how we do business, starting with operating with integrity in all we do and extending to all the ways we help our clients and communities navigate a complex global economy.

It is vital that we openly transfer the information the Federal Reserve and Federal Bureau of Investigation need. If we are honest and open, the crisis can be more smoothly resolved and actions can be taken to ensure that our account holders’ identities are safe and that it won’t happen again.

-Objectives-

At JPMorgan Chase, we will make every effort to:

1. Initiate the Crisis Communications Plan within 3 hours.

2. Inform the Federal Reserve and Federal Bureau of Investigation as soon as possible.

3. Inform all of the branch owners and managers within 3 hours of the attack.

4. Inform the media and account holders within 4 hours of the outbreak.

5. Keep the media and all publics regularly informed of the measures being taken to counterattack the hack.

6. Inform the account holders of how they can help protect their identities.

7. Maintain honesty with the media and all publics.

8. Stop the attack as soon as possible.

9. Distribute our results to the media and all publics.

10. Develop new ways to secure our network and implement changes as soon as possible.


-Key Publics-

Local Newspaper Personnel

Newspaper | Address | Phone/Fax | When/Frequency
The Wall Street Journal | 1211 Avenue of the Americas, New York, NY 10036 | 555-555-5555 | A.M., Daily
The New York Times | 620 Eighth Avenue, New York, NY 10018 | 212-556-3622 | A.M., Daily
Daily News | 4 New York Plaza, New York, NY 10004 | 212-210-2100 | A.M., Daily
New York Post | 1211 Avenue of the Americas, New York, NY 10036 | 212-930-8288 | A.M., Daily
Newsday | 235 Pinelawn Road, Melville, NY 11747 | 631-843-2700 | A.M., Daily

Local Newswire Personnel

Name | Address | Editor | Phone/Fax
Times Wire | 620 Eighth Avenue, New York, NY 10018 | Andrew Rosenthal | 800-591-9233
PR Newswire | 350 Hudson Street, New York, NY 10014-4504 | Jenny Scruggs | 800-826-3133
NYCity NewsService | 219 W. 40th Street, New York, NY 10018 | Jere Hester | 646-758-7736


Local TV Stations

Station/Channel | Address | News Director | Phone
WABC-TV | 149 Columbus Ave, New York, NY 10023 | Camille Edwards | 212-456-7777
WNBC-TV | 350 5th Ave., New York, NY 10118 | Dan Foreman | 212-736-5459
NY1-News | 75 9th Ave., New York, NY 10011 | Steve Paulus | 212-691-6397
WNET | 825 8th Ave., New York, NY 10019 | Scott Davis | 212-560-1313

Local News Radio Stations

Station/Channel | Address | News Director | Phone Number
WINS-AM/1010 WINS | 345 Hudson St, New York, NY 10014 | Ben Mevorach | 555-555-5555
WCBS-AM/WCBS Newsradio 880 | 524 W. 57th St., New York, NY 10019 | Rachel Ferguson | 212-975-7675
WABC-AM/77 WABC Radio | One Penn Plaza, New York, NY 10121 | Evelyn del Cerro | 212-615-3200
WOR-AM/WOR Radio 710 | 32 Avenue of the Americas, New York, NY 10013 | Tom Cuddy | 212-377-7900


-Crisis Team Directory-

Title | Employee | Cell Phone | Email
Crisis Comm. Mgr. | Alexandria Hawkey | 847-254-6116 | [email protected]
Backup Crisis Comm. Mgr. | Joseph M. Evangelisti | 555-555-5555 | [email protected]
Crisis Control Room Coord. | Andrew Gray | 555-555-5555 | [email protected]
Spokesperson | Alexandria Hawkey | 847-254-6116 | [email protected]
Media Contact | Jennifer Kim | 555-555-5555 | [email protected]
Expert | Steve O’Halloran | 555-555-5555 | [email protected]
Legal Advisor | Linda Bammann | 555-555-5555 | [email protected]


-Emergency Personnel-

Federal Reserve Bank of New York
33 Liberty St.
New York, NY 10045
(212) 720-6130

Federal Investigation Bureau
23rd, 26 Federal Plaza
New York, NY 10278
(212) 384-1000

NYPD
1 Police Plaza Path
New York, NY 10007
(646) 610-5000


-Equipment, Supplies, and Information Needed-

The following should be on file in the event of a cyber attack:

1. Biographies of executives

2. Preventative information for account holders

3. Cyber attack fact sheets

4. Fill-in-the-blank news releases

5. Identity protection fact sheets

6. Backup security for the database

7. Glossary of terms

8. Internet Sources

9. Information on the FBI’s investigation

10. Information on the Federal Reserve Bank’s investigation

11. A hotline for account holders to call with their questions

12. Reports of the online security team’s findings


-Glossary of Hacking Terms-

Adware: Adware can mean the software that automatically generates advertisements in a program that is otherwise free, such as an online video game. But in this context it more commonly means a kind of spyware that tracks your browsing habits covertly to generate those ads.

Anonymous: A non-hierarchical hacktivist collective, Anonymous uses hacking (and arguably cracking) techniques to register political protest in campaigns known as “#ops.” Best known for their distributed denial of services (DDoS) attacks, past activities have included attacks against the Church of Scientology; Visa, Paypal, and others who withdrew their services from WikiLeaks’ Julian Assange after that group began releasing war documents; #OpTunisia and others purporting to support the Arab Spring; and a campaign that brought down the website of the Westboro Baptist Church. #Ops are usually marked with the release of a video of a reader in a Guy Fawkes mask using a computer generated voice. Offshoot groups include AntiSec and LulzSec.

Back door: A back door, or trap door, is a hidden entry to a computing device or software that bypasses security measures, such as logins and password protections. Some have alleged that manufacturers have worked with government intelligence to build backdoors into their products. Malware is often designed to exploit back doors.

Black hat: Black hat hackers are those who engage in hacking for illegal purposes, often for financial gain, though also for notoriety. Their hacks (and cracks) result in inconvenience and loss for both the owners of the system they hack and the users.


Bot: A program that automates a usually simple action so that it can be done repeatedly at a much higher rate for a more sustained period than a human operator could do it. Like most things in the world of hacking, bots are, in themselves, benign and used for a host of legitimate purposes, like online content delivery. However, they are often used in conjunction with cracking, and that’s where their public notoriety comes from. Bots can be used, for instance, to make the content calls that make up denial of service attacks. Bot is also a term used to refer to the individual hijacked computers that make up a botnet.

Botnet: A botnet is a group of computers controlled without their owners’ knowledge and used to send spam or make denial of service attacks. Malware is used to hijack the individual computers, also known as “zombies,” and send directions through them. They are best known in terms of large spam networks, frequently based in the former Soviet Union.

Brute force attack: Also known as an exhaustive key search, a brute force attack is an automated search for every possible password to a system. It is an inefficient method of hacking compared to others like phishing. It’s usually used when there is no alternative. The process can be made shorter by focusing the attack on password elements likely to be used by a specific system.

Clone phishing: Clone phishing is the modification of an existing, legitimate email with a false link to trick the recipient into providing personal information.

Code: Code is the machine-readable, usually text-based instructions that govern a device or program. Changing the code can change the behavior of the device or program.


Compiler: A compiler is a program that translates high-level language (source code in a programming language) into executable machine language. Compilers are sometimes rewritten to create a back door without changing a program’s source code.

Cookie: Cookies are text files sent from your Web browser to a server, usually to customize information from a website.

Cracking: To break into a secure computer system, frequently to do damage or gain financially, though sometimes in political protest.

Denial of service attack (DoS): DoS is used against a website or computer network to make it temporarily unresponsive. This is often achieved by sending so many content requests to the site that the server overloads. Content requests are the instructions sent, for instance, from your browser to a website that enable you to see the website in question. Some have described such attacks as the Internet equivalent of street protests, and some groups, such as Anonymous, frequently use it as a protest tool.

Distributed denial of service attack (DDoS): A DoS using a number of separate machines. This can be accomplished by seeding machines with a Trojan and creating a botnet or, as is the case with a number of Anonymous attacks, by using the machines of volunteers.

Doxing: Discovering and publishing the identity of an otherwise anonymous Internet user by tracing their online publicly available accounts, metadata, and documents like email accounts, as well as by hacking, stalking, and harassing.

Firewall: A system using hardware, software, or both to prevent unauthorized access to a system or machine.


Hacking: Hacking is the creative manipulation of code, distinguished, albeit amorphously, from programming by focusing on the manipulation of already written code in the devices or software for which that code was already written. Metaphorically it extends to social engineering in its manipulation of social code to effect change. Many prefer to use the term cracking to describe hacking into a machine or program without permission. Hackers are sometimes divided into white hat, black hat, and gray hat hackers.

Hacktivist: A hacker whose goals are social or political. Examples range from reporting online anonymously from a country that attacks free speech to launching a DDoS campaign against a company whose CEO has issued objectionable statements. Not to be confused with slacktivism, which refers to push-button activism in which a supporter of a social or political campaign’s goals does nothing but register their support online, for instance by “liking” a Facebook page.

Hash: A hash is a number generated by an algorithm from a string of characters in a message or other string. In a communications system using hashes, the sender of a message or file can generate a hash, encrypt the hash, and send it with the message. On decryption, the recipient generates another hash. If the included and the generated hash are the same, the message or file has almost certainly not been tampered with.

IP: Internet protocol address. It’s the distinctive numerical fingerprint carried by each device that’s connected to a network using Internet Protocol. If you have a device’s IP you can often identify the person using it, track its activity, and discover its location.


IRC: Internet relay chat is a protocol used both by groups and for one-on-one conversations. Often utilized by hackers to communicate or share files. Because they are usually unencrypted, hackers sometimes use packet sniffers to steal personal information from them.

Keystroke logging: Keystroke logging is the tracking of which keys are pressed on a computer (and which touchscreen points are used). It is, simply, the map of a computer/human interface. It is used by gray and black hat hackers to record login IDs and passwords. Keyloggers are usually secreted onto a device using a Trojan delivered by a phishing email.

Logic bomb: A virus secreted into a system that triggers a malicious action when certain conditions are met. The most common version is the time bomb.

Malware: A software program designed to hijack, damage, or steal information from a device or system. Examples include spyware, adware, rootkits, viruses, keyloggers, and many more. The software can be delivered in a number of ways, from decoy websites and spam to USB drives.

Master: The computer in a botnet that controls, but is not controlled by, all the other devices in the network. It’s also the computer to which all other devices report, sending information, such as credit card numbers, to be processed. Control by the master of the bots is usually via IRC.

Payload: The cargo of a data transmission is called the payload. In black hat hacking, it refers to the part of the virus that accomplishes the action, such as destroying data, harvesting information, or hijacking the computer.


Rootkit: A rootkit is a set of software programs used to gain administrator-level access to a system and set up malware, while simultaneously camouflaging the takeover.

Spam: Unwanted and unsolicited email and other electronic messages that attempt to convince the receiver to either purchase a product or service, or use that prospect to defraud the recipient. The largest and most profitable spamming organizations often use botnets to increase the amount of spam they send (and therefore the amount of money they make).

Spyware: Spyware is a type of malware that is programmed to hide on a target computer or server and send back information to the master server, including login and password information, bank account information, and credit card numbers.

Time bomb: A virus whose payload is deployed at or after a certain time.

Trojan horse: A Trojan is a type of malware that masquerades as a desirable piece of software. Under this camouflage, it delivers its payload and usually installs a back door in the infected machine.

Virus: Self-replicating malware that injects copies of itself in the infected machine. A virus can destroy a hard drive, steal information, log keystrokes, and many other malicious activities.

Vulnerability: A weak spot hackers can exploit to gain access to a machine.

White hat: An ethical hacker who uses his skills in the service of social good. The term may also be applied to a hacker who helps a company or organization, or users in general, by exposing vulnerabilities before black hat hackers do.


Worm: Self-replicating, standalone malware. As a standalone it does not report back to a master, and unlike a virus it does not need to attach itself to an existing program. It often does no more than damage or ruin the computers it is transmitted to. But it’s sometimes equipped with a payload, usually one that installs back doors on infected machines to make a botnet.


-Fill in the Blanks News Release-

For Immediate Release

Date____________

JP Morgan Chase Working to Stop Cyber Attack on Online Database

It was discovered at JPMorgan Chase that an online hacker has hacked into our database containing the identities of our account holders. No personal information has been retrieved. As of right now, our online security team is working to secure our account holders’ identities and remove the hacker.

“We take these threats to security very seriously. We value our account holders and their safety as our top priority. We are working to stop the cyber attack and prevent any damages as quickly and efficiently as possible,” JPMorgan Chase CEO Jamie Dimon said.

JPMorgan and Chase has contacted local authorities, the Federal Reserve, and the FBI to assist in investigations. While their security is up to date, talented hackers develop numerous new ways to hack into systems frequently. It is unclear as to who is responsible or how they attacked.

We appreciate each one of our account holders and we understand that this can be a very confusing and scary situation. We are providing hotlines with experts on the line at (xxx) xxx-xxxx to answer any and all questions and concerns. We will be releasing information as it comes through.


-Key Messages-

In the event of a cyber attack where our database is hacked into, our account holders are our top priority. It is their information, which they trusted us to protect, that is at risk. It is important to our account holders that they know that we consider them our top priority and that we are doing everything we can to protect their identity.

The following key messages should be communicated in this order:

1. We value our account holders and are doing everything we can to ensure the safety of their identities.

2. At this time, only the security has been breached and we are doing everything we can to remove the hacker and secure our database.

3. Please do not be alarmed; cyber attacks happen frequently to large companies and we have our best team on it.

4. At this time, we do not know who has hacked into the system or why, but we will continue to provide updates as they come in.

5. We are in contact with the FBI and Federal Reserve.

5. We are in contact with the FBI and Federal Reserve.