
Risk Management Chat: Cyber Security in a Globally Integrated World

Jay Dulski, David Hendler

May 27, 2015

Viola Risk Advisors recently had the opportunity to attend the 33rd Annual Monetary and Trade Conference hosted by the Global Interdependence Center (GIC). GIC is a Philadelphia-based non-profit which aims to foster dialogue related to global macroeconomic and monetary policy, social and political themes, and free trade. Held at the LeBow College of Business at Drexel University in Philadelphia, the event drew a diverse set of GIC regulars from across the consulting and financial sector, some from the asset management community, Drexel academics, and a contingent from the macroeconomic research field as well. No representatives from GSIB banks attended, nor from sell-side or buy-side companies.

Entitled “Cyber Security in a Globally Integrated World,” the event hosted a powerful speaker lineup, including: IBM’s data security and privacy consultant, Joe Ingemi; a legal faculty member of Princeton and Stanford University, Dr. Andrea Matwyshyn; Drexel University Associate Professor of Criminology and Justice Studies, Dr. Rob D’Ovidio; North Atlantic Treaty Organization (NATO) United States Cyber Defense Advisor, Curtis Levinson; and law firm Shulman Rogers Chairman of the Telecommunications Dept. and Entertainment Practice, Allen Tilles.

A link to GIC’s main website may be found here, and copies of presentations, full speaker bios, and video of the event have been made available on GIC’s resources page.

Summary of Cyber Security Expert Remarks

In his opening remarks George Tsekos, former dean of Drexel’s LeBow College of Business and a member of the GIC advisory board, spoke about the enormous costs surrounding the cyber security situation. He cited figures that roughly $5 billion is spent annually on cyber security innovations, a meaningful $50 billion is spent by U.S. corporations on protection (doubled from 2004), and a staggering $500 billion is the estimated cost of cyber breaches.

Joe Ingemi, a consultant for IBM, provided an overview of the cyber security world, stressing the overlap of traditional geopolitics with the geographic locations of the worst cyber offenders. He also provided a framework for assessing the origin of threats, whether they were integrity violations (such as disgruntled employees), profit motivations, or physical damage, and highlighted some of the vulnerabilities of public and corporate infrastructure. He stressed the importance of tech suitability and of second- and third-degree know-your-vendor procedures.

Dr. Matwyshyn echoed the importance of tech suitability, and focused on the importance of companies establishing reporting procedures, which double as a remedy and a deterrent for cyber risk. She also discussed some of the nuances of the legal framework, both regarding intellectual-property protection of computer code limiting security reviews and determining the correct penalties for different cybercrimes.

Dr. D’Ovidio discussed his recent research, which focuses on the variation and effectiveness of various state data breach disclosure laws. Due to the lack of an overriding federal statute, states have created a patchwork of data breach notification laws, and some are much more stringent than others on what has to be disclosed, how consumers are informed, and in what timeframe. He said a federal solution would do a lot to assist consumers, but it has to be stringent. Many pushes in Congress are focusing on liability reduction for companies rather than breach notification standards.

Curtis Levinson, cyber advisor to NATO, gave a provocative presentation, stressing that the days of perimeter firewalls are long gone, and that every network should be assumed compromised all of the time. He also discussed geopolitical realities, and though quantifying cyber risk is a tough nut to crack for investment analysts, he did highlight some best practices which can be helpful. These included following NIST standards (the “National Institute of Standards and Technology,” which publishes a cybersecurity framework), using carved-up networks and internal firewalls to limit breaches, and employing universal end-to-end encryption of data. He also directed attendees to sector-specific ISACs (“Information Sharing and Analysis Centers,” organized under the National Council of ISACs). ISACs are run through the US Department of Homeland Security via the National Infrastructure Coordinating Center (NICC). See www.isaccouncil.org and the sector-specific Financial Services ISAC. The International Organization for Standardization (“ISO”) also publishes guidance on cyber security, but exists outside of the DHS framework.

Finally, Allen Tilles of Shulman Rogers focused on liability issues for businesses, discussing some of the nuances of carrying dedicated cyber insurance instead of relying solely on general liability insurance, calling cyber insurance the “wild west” of the insurance world and a very challenging, rapidly evolving space. He also discussed the importance of some best-practice “dumb” security measures, such as stripping administrative privileges from non-senior employees. Echoing many themes from Dr. D’Ovidio’s presentation regarding the disparity in legal structure across states and the compliance nightmares this creates, he highlighted WISP protocols (Written Information Security Protocol) as something to look for when evaluating a company’s infrastructure. He also stressed that in the case of a breach, legal advice needs to be your first call, as when a lawyer acts as the mediator with IT you are protected by privilege.

Viola Risk Advisor View

In the five months since we launched Viola Risk Advisors, we have written many articles highlighting the top-of-mind concerns that the banking industry has regarding cyber security threats. In our ongoing Risk Management Chat series we noted various cyber security concerns from different audiences, whether FMUs and exchanges (see: Risk Management Chat: FMUs & Systemic Risk Controls), senior counterparty credit officers of GSIB banks/G-SIFI companies (see: Risk Management Chat: CRM Panel – Lions & Tigers & Bears, Oh My!), or regulators (see: Risk Management Chat: “Risk” Culture Club’s Karma Chameleon).

In our annual review of the U.S. GSIBs, we incorporated the DTCC’s Systemic Risk Checklist, which lists cyber security among the most harmful threats to the global financial system. Our eight “10K Take” reports reviewed the 13 systemic risks highlighted by the DTCC, a list that usually starts with cyber security threats. Most of the banks we reviewed discussed cyber security threats, some admitted to intrusions, and some noted how they had committees and working groups monitoring and implementing programs. Still, there has not been much information from the banks, whether in their SEC filings or other panel discussions, on how to measure this risk from the outside as investors and counterparty risk managers. While this recent GIC program related various channels of intrusion and best practices, the banking industry is still rather silent on these issues. We would hope that over time some type of metrics, with updates on monitoring practices, would become more detailed so that third-party investors and risk managers could rank the likelihood of major cyber threats more accurately across their coverage lists.

IBM Consultant’s View: Motives & Degree of Destructiveness

The first presentation was an overview, “lay-of-the-land” orientation by Joe Ingemi, who works as an independent consultant for IBM. His first point was that, in the post-9/11 world, the simple truth is that even though hackers can be anywhere, they still have to be somewhere, and the question becomes whether the post-9/11 philosophy stated by then-President George W. Bush, that any nation which harbors terrorists is hostile to the United States, applies to the electronic realm. The IBM consultant defined a “cyber attack” as “any attempt to steal from, defraud, disrupt, or destroy personal or enterprise level data via network systems.” He said that we are halfway along the development arc of cyber security, as just a few years ago some of the crucial technology was just beginning, such as smartphones, enterprise computing, and outsourcing. Now that those technologies have matured, their security gaps and vulnerabilities are being identified, and there will be an iterative process of new security innovations followed by new security threats.

But he also posed some pertinent questions that must be asked when considering cyber threats. Why would someone exploit the vulnerability? What is the attacker’s intent? And what is the type of data/information involved? The speaker offered the following framework around the different kinds of cyber security scenarios. The first motivation is an integrity violation. These types of attacks may stem from politics or emotional distress, and can include everything from a disgruntled employee to the recent high-profile Sony hack, which is largely believed to have been retaliation by North Korea in response to Sony’s production of The Interview, a movie considered insulting to the North Korean leader.

A second motivation is of course profit. This includes piracy and theft of intellectual property or strategy, as well as other possibilities. As an example, he offered that the Syrian Electronic Army hacked the Associated Press and leaked a fake news story that President Obama had been shot. Though quickly debunked, the intervening timeframe saw the U.S. stock market decline substantially. This also encompasses recent thefts of medical records. The IBM consultant made an interesting side-point that a big reason China is interested in hacking U.S. medical records is to jump start their own domestic life sciences industry. This espionage may be due to China lacking the necessary historical troves of sample data to develop, choose, and approve new treatments, data which takes decades to compile. Such data may be developed organically of course, but if it is stolen from someone else, this could lead to significant developmental advantages.

The third and final motivation is physical damage. This encompasses destruction of property and infrastructure, terrorism breaching of defense contractors, espionage, and the inflicting of casualties either directly or indirectly.

The IBM representative identified a few hot concepts that are developing rapidly within the cybersecurity space. These concepts include: 1) IaaS (infrastructure-as-a-service, aka cloud computing), 2) PaaS (platform-as-a-service, which includes the big customer relationship management (CRM) platforms like Salesforce), 3) the vast universe of apps, 4) public-private hybrid systems and questions of where data is physically stored, 5) limiting access (e.g., granting an office system administrator full rights is unwise), and 6) making sure that the security solution fits the tasks at hand.

Regarding the IoT (internet-of-things), this touches on the security of mobile devices, sensors, UAVs (drones), and especially controllers. Industrial controllers are the programs which run complicated devices, everything from medical devices to power plants. If those controllers can be copied or breached, the assets may be reverse engineered or adversely compromised. In the emerging world of ultra-connected devices, everything becomes a potential security risk. For example, if your toaster and your coffee maker are internet-enabled, how much security attention are they getting, and are they open doors to your internal network?

Also discussed was 3D printing as a disruptive manufacturing technology that has the potential to drastically reduce inventories and redefine supply chains. The side effect of this new mode of production could be that intellectual property becomes even more important than physical goods, and the need to secure it grows accordingly.

IBM Consultant’s View: Geography of Cyber Threats

The IBM consultant then moved on to an overview of the geography of cyber threats, as at the end of the day, a cyber attack still needs to be executed by someone somewhere sitting at a computer. He noted that among foreign players, Russia is #1, with a cyber command almost equal to the US. Cases in point illustrating Russia’s cyber reach are that it recently compromised the energy grids of the Baltic states, has compromised the Ukrainian Prime Minister’s data, and even hacked into President Obama’s personal emails. In addition to the state-sponsored side, Russian organized crime is also extremely active. Estimates are that Russian organized crime has stolen 1.2 billion passwords.

China is next on the list, with the People’s Liberation Army spearheading a very active cyber apparatus. PLA “Unit 61398” was established in 2006 (even though China denies its existence) and functions in strategic alignment with the Chinese government, advancing its strategic and economic goals. Another unofficial government entity is “Little Panda.” It is speculated that Chinese cyber units orchestrated the medical record thefts of Anthem BCBS and US Community Health. Chinese cyber units are also actively monitoring internet communications in the ASEAN countries.

Following China and Russia is the Islamic Republic of Iran. Iran is in the midst of a cyber push, and is suspected of having carried out attacks on Saudi Aramco and U.S. financial institutions. The speaker noted that a cyber arms race is developing in the Middle East between Israel and Iran, and there has been some speculation that if Iran actually diverts resources from its nuclear program due to ongoing negotiations with the West, it could increase its cyber capacity.

North Korea is also a player in the cyber warfare space, and from 2009-2011 carried out several attacks on South Korean government and military targets. Major cyber units include army units 121, 91, 35, and Lab 110, all of which have different specialties.

ISIS is also a cyber concern; however, information is very fluid on its sophistication. No one knows how organized the group is or what kinds of sympathizers with expertise it may have in Western countries. So far it has been focusing on social media, with high-profile events such as the recent US CENTCOM Twitter feed hack. So far, damage has been minimal.

Lastly is Syria. Though very much in flux due to the roiling civil war, the Syrian Electronic Army has been a player on the global stage. Largely acting in defense of the Assad regime, they orchestrated attacks on news organizations and have also attacked the Sands Casino in Las Vegas (due to billionaire owner Sheldon Adelson’s support for Israel).

IBM’s Ingemi said that the similarities among the different hacker geographies are that the countries have high levels of internet surveillance, high corruption, no civil society, and anti-liberal values, are hostile to the West, and have state-sponsored cyber entities. The key takeaway is that cyber attacks are low-cost attacks, but even in this new paradigm old power structures, regimes, and countries are important. Trade relationships alone are not enough to overcome rivalries, and cannot solve security on their own.

IBM Consultant’s View: Actionable Recommendations – Infrastructure Size & Know Your Vendor

As actionable recommendations, he stressed a few points. First was making sure that cyber risk infrastructure is appropriate to the size and type of the business at hand. Many companies waste money on sophistication they don’t need, and sometimes “dumb” measures, like removing administrative privileges from non-senior workers, go further than a fancy technological platform. He also stressed knowing your vendor relationships, and the second- and third-degree relationships, both on a macro level and on a business level. If the US trades/shares info with India, what if China hacks India instead of the US as the softer target? Or, if you know your vendor, who is their vendor, and are they a security risk?

He also advocated for state and local governments to take the lead in working with businesses to foster information sharing and education. This extends to local law enforcement as well, so that they have the tools to perform forensic electronic investigation. On a federal level, the IBM consultant advocated for a common regulatory regime, as well as rating nations based on their cyber activities. He also referenced the currently proposed Trans-Pacific Partnership (TPP). If the U.S. begins sharing intellectual property with trading partners in Asia, protecting that intellectual property in those other countries becomes a serious concern. He believes there should be a cyber defense umbrella and cooperation just like with traditional military defense.

Legal Scholar View: In-House Procedures, The Law & Congress

The second presentation was by Dr. Andrea Matwyshyn, who is currently the Microsoft Visiting Professor at the Center for Information Technology Policy at Princeton University, and focused more on the legal and public policy issues surrounding cyber security. She opened by criticizing the term “cyber security” as inadequate, saying that “information security” would be more appropriate, as you must consider human elements as well, and noted that information security must be viewed through a dynamic rather than static lens. An extremely important question is whether management and legal are set up to handle information security in the long term.

Dr. Matwyshyn’s first discussion was a prudent one, discussing tech suitability. The “shiniest, newest” security platform will not be the best fit for every business, and she echoed the IBM consultant’s view that the shoe has to fit the foot. She also discussed the dark side of the drive towards an ultraconnected IoT world. One example she offered is that nuclear power plants do not need to be online. They have functioned safely for half a century as “dumb,” unconnected, resilient and much safer systems. An engineer being able to control fuel rods from an iPad on his couch is probably a poor idea. She also discussed the consumer push towards IoT goods, as companies follow market preferences and march towards more and more connectivity. She noted as another example that there are now internet-enabled toasters, and that if the marketplace becomes such that you cannot even buy a conventional toaster, this presents long-term security problems.

Dr. Matwyshyn also spent a good deal of time discussing the importance of reporting policies for information security within companies. Information sharing among businesses is key, and having a clearly visible “front door” option (such as a bright box on a company website) to report potential breaches is often a deterrent in and of itself. She noted two reporting standards, ISO 30111 and ISO 29147, which are useful starting points.

From a regulatory perspective, Dr. Matwyshyn drew on her recent experience acting as an advisor to the US Federal Trade Commission (FTC) and noted that “security-by-design” is a major theme of where regulators are headed. Security-by-design refers to building in security frameworks from step one and avoiding “reverse-fit” problems, in other words trying to shoehorn security onto already existing infrastructure.

Another key component of regulatory focus is on the legal side regarding the penalties for cyber offenses. There is a push in Congress to legislate harsher penalties for cyber crimes; however, Dr. Matwyshyn noted that this must be balanced with finding constructive punishments that do not eviscerate the future generation of IT professionals. Citing the relevant law, the Computer Fraud and Abuse Act, she noted that by today’s standards, Bill Gates, Steve Jobs, and Mark Zuckerberg could all have been jailed as felons for what they did in their early years. She opined that the recent push to remove misdemeanor computer intrusion is unwise, as it leaves no legal option for low-level or juvenile offenders other than more serious charges.

Another relevant trend on Capitol Hill has been data breach harmonization via standardizing reporting and filing procedures; however, Dr. Matwyshyn noted that many recent pushes have revolved around decreasing company liability in the event of data breaches. From a public policy perspective, this may be undesirable, as it places the burden of a breach solely on consumers.

Finally, she referenced the Digital Millennium Copyright Act. Designed to protect intellectual property, it had a serious unintended side effect in the security realm. The act mandates that only limited portions of the computer code of software, firmware, or industrial controllers may be made available for third-party security review, the balance, as much as 40%, being protected as intellectual property. However, in the information security field, the number of experts is very small and disparate relative to the need, and if products can only be partially reviewed for security flaws, the academic research and security communities are prevented from doing their jobs. There is current discussion about adding a testing exemption, but if the act is not amended, Dr. Matwyshyn warned that a black market could develop around identifying and peddling vulnerabilities.

She noted that the FTC is involved on the market-facing, consumer side via Section 5 of the FTCA, and the SEC is involved with respect to public companies. She also noted that the SEC issued guidance in October 2011, and is not satisfied with the breach disclosure requirements of companies.

Drexel U. View: Size & Scope of Breaches

The next presentation focused on data breach notification laws, and was presented by Dr. Robert D’Ovidio, Associate Professor of Criminology and Justice Studies and Associate Dean for Humanities and Social Science Research at the College of Arts and Sciences at Drexel University. Dr. D’Ovidio opened by framing just how many people can be affected by data breaches, highlighting that the Connecticut Anthem breach alone affected 1.7 million people. This has been a trend over the last several years. ID theft used to be a waiter stealing your credit card; now it’s organized crime stealing millions of SSNs at once. Dr. D’Ovidio repeatedly highlighted that corporations simply must disclose breaches to customers, as customers bear all of the detrimental effects of data breaches and rely on disclosure. He noted that in 2008, 2009, and 2010, respectively 25%, 35%, and 27.5% of data breaches were reported to law enforcement. Direct reporting was worse, with less than 20% of breaches being reported to consumers. Because of this dismal reporting, over the last several years state governments have stepped into a guardian role with breach notification laws. California passed the first state-level law in 2002, and now 47 states and the territories have some kind of data breach notification law on the books. Alabama, New Mexico, and South Dakota are the only states that lack disclosure laws.

Dr. D’Ovidio then spent a few minutes discussing the results of some of his research, which includes creating a statute index to rank the different state laws on an apples-to-apples basis. The index looks at six qualifiers, among them: definition of data breach, types of data covered, details of notification (what companies have to tell customers), contact methods, and penalties for noncompliance. On this scale, 25 states were classified as weak, 22 were classified as moderate (including PA, NJ, and DC), and MT, IN, MD, and NC were classified as strong, with NC classified as the strongest. The takeaway is that state governments can and should act in a guardian role to protect consumers via notification laws. However, this patchwork of state law makes it very difficult from a compliance perspective. Companies that do business in different states (like national banks) must be compliant in every state, so it becomes a very complex exercise for some companies.

In the Q&A session, Dr. D’Ovidio noted that he believes a federal data breach notification law is required to standardize the various state laws; however, he criticized bills currently making their way through Congress as being light on index standards and focusing mainly on commercial liability reduction, which does not help to protect consumers. In response to a question, he also noted that software providers, such as Microsoft, are often indemnified via their licensing agreements. Therefore, the company whose Microsoft servers are breached bears the responsibility, whereas Microsoft is shielded. He also noted that the business of brokering data makes liability and disclosure very difficult.

In response to a question regarding central repositories of breaches, he noted that there are ID theft clearinghouses, and that some large companies like Verizon publish breach reports. Dr. D’Ovidio noted that the next stage of his research will focus on why some states have such strong notification laws, including looking at the statehouse testimony while the laws were being drafted. He feels that we are a few rounds away from federal legislation.

NATO Advisor View: No Walls to Man - The New Cyber Security Paradigm

The fourth presentation, entitled “Vulnerability Assessment: A New Paradigm,” was presented by Curtis K. S. Levinson, US Cyber Defense Advisor to NATO. Mr. Levinson’s presentation was the most provocative, opening with the unequivocal statement that “we are at war.” Stating that cyber adversaries are “here, among us, behind us, in our systems and already attacking,” he noted that they are stealing the United States’ most precious asset, that is, information. He stated that this is not simply an “us-vs-them” situation. Mr. Levinson stated that he assumes 100% infection of every network, all of the time, public and private, foreign and domestic, friendly and hostile, and that this multiverse of connections is the global unifying theme; the good guys are in the bad guys’ systems, the bad guys are in the good guys’ systems. And this is the “new paradigm” he presented: that the days of perimeter defense and firewalls, of keeping intruders out, are over. It’s not that the perimeter has been breached, he stated. Rather, there is no perimeter. In the cyber realm, there are no consistent good guys and bad guys, there are no treaties, there are no negotiations. Everything is in flux all of the time.

Mr. Levinson noted that you simply cannot eliminate the many threats, so the question becomes whether you understand the threats and whether you can successfully work around them. Noting that China’s PLA and Russia’s SVR (CIA counterpart) are the largest bad actors in the cyber realm, he gave the example of how to deal with the Chinese equipment manufacturer Huawei. Many Western governments are concerned about Huawei, a very large discount electronics and wireless equipment manufacturer subsidized by the Chinese government (manufacturer ZTE is also a concern). Although the U.S. and its allies have yet to find any detectable security bugs in Huawei equipment, speculation is that some hardware is probably intentionally designed to breach Western networks.

The Australian government has made the decision to ban Huawei equipment, but this is probably not an option for the U.S. and may not be effective anyway. Using the words “boycott” or “ban” in international trade is difficult, especially when it’s directed at your largest trading partner and a large holder of your sovereign debt. Besides, “banning Huawei” doesn’t get around the problem of network security. Example: Verizon and AT&T have worldwide service. Do they own cell towers or operate directly everywhere on Earth? Of course not; they work with local partners, and those local partners buy Huawei; therefore their networks will always be vulnerable even if they “ban” the devices. He also made the comment that the Chinese probably know more about our infrastructure and telephone poles than we do.

Mr. Levinson then discussed network trends. IT covers computers, servers, virtualization (cloud), and brick-and-mortar infrastructure including routers and switches. He noted that the distributed computing model of the 1980s is moving back toward the original mainframe model of the 1960s, as mainframes are much stronger than dispersed networks, and also noted that nothing “on the cloud” can ever be removed, as it is backed up and spread across multiple networks multiple times. What if you change providers? The only real protection is strong cryptography from the beginning. In other words, you cannot keep someone from stealing your safe with all of your data inside, but you can keep them from opening it.

Mr. Levinson also discussed the vulnerability of often-overlooked “operational tech”, mainly industrial systems, everything from HVACs to elevators to medical devices. Discussing the industrial controllers which Joe Ingemi discussed in the opening presentation, he gave an illustrative example. Mr. Levinson is a frequent attendee of the Defcon conference, a world-renowned “hacker” conference. A few years ago it was held in Las Vegas. Conference attendees, to prove a point, turned off the elevators of the 50-story Vegas strip resort for one hour, causing the entire building to grind to a halt before switching them back on at will. They then proceeded to disable the hotel’s front desk systems, causing all check-ins and check-outs to stop, causing bedlam; after one hour the front desk systems were restored. The hotel had been expecting some kind of hijinks and warned the conference goers that the HVAC systems were off limits (due to the extreme summer Las Vegas temperatures) as well as any gambling systems (“people still die from stealing from Las Vegas casinos”). Those crucial systems remained untouched, but the point was clear.

Mr. Levinson also discussed “personal tech,” which included things like tablets, smartphones, wearables, medical devices, and also law enforcement devices. He noted that whenever local police set up a mobile command center, it’s “wifi heaven” for hackers, as very few municipalities encrypt their radios, computers, and police equipment, leaving a gaping vulnerability into municipal, state, and federal networks. As an illustrative example, he shared the story of an investment banker friend who did all of his personal banking and trading from his smartphone. He advised him this was incredibly stupid, and to just wait until he got home, where he could use his PC behind his hardware firewall.

Mr. Levinson advised that security as a whole is moving to end-to-end encryption and dual-firewalled, carved-up networks (internal “air pockets,” like watertight compartments, to contain breaches). He also noted that CrowdStrike is one U.S. firm at the forefront of offensive cyber capability, and that U.S. Cyber Command is based at Fort Meade. He quipped that there is no MAD (mutually assured destruction) in cyber space.

We asked about FMUs, and any collaboration with the defense space. He outlined a few things in response, and noted that ISACs are sector-specific and run through the Department of Homeland Security. NCCIC is the umbrella. As previously noted, see www.isaccouncil.org and the sector-specific Financial Services ISAC. New frontiers are in trying to move to STIX™ (“Structured Threat Information eXpression”) protocols and TAXII™ (“Trusted Automated eXchange of Indicator Information”), basically initiatives that enable common threat sharing. More information on them may be found on the website of US-CERT, the DHS Computer Emergency Readiness Team.
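The STIX/TAXII sharing the NATO advisor pointed to only pays off if the receiving side can actually consume what a feed delivers and turn it into detections. As an added example (not code from the page, the GIC speakers, or any vendor), the Python below parses a constructed STIX 2.1 bundle of the kind a TAXII collection returns, pulls atomic indicators out of the simple OR-joined equality patterns, skips revoked indicators, and checks the values against constructed log lines. The bundle, identifiers, addresses, hash and logs are all made up for illustration, and STIX 2.1 JSON is assumed rather than the XML-based STIX 1 that was current in 2015.

```python
"""Minimal STIX 2.1 indicator consumer (added example, not the page's code)."""
import json
import re
from typing import List, Tuple

# Constructed STIX 2.1 bundle, shaped like a TAXII collection response.
# Identifiers follow the "type--UUID" form the spec requires; the UUIDs,
# the IP (TEST-NET-2), the domain (.test) and the hash are placeholders.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--22222222-2222-4222-8222-222222222222",
            "created": "2015-05-27T00:00:00.000Z",
            "modified": "2015-05-27T00:00:00.000Z",
            "name": "Constructed C2 address",
            "pattern": "[ipv4-addr:value = '198.51.100.7']",
            "pattern_type": "stix", "valid_from": "2015-05-27T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--33333333-3333-4333-8333-333333333333",
            "created": "2015-05-27T00:00:00.000Z",
            "modified": "2015-05-27T00:00:00.000Z",
            "name": "Constructed phishing domain and dropper hash",
            "pattern": ("[domain-name:value = 'update.example.test' OR "
                        "file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
            "pattern_type": "stix", "valid_from": "2015-05-27T00:00:00Z",
        },
        {   # A feed retracts a bad indicator by setting revoked=true;
            # a consumer that ignores the flag keeps alerting on it.
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--44444444-4444-4444-8444-444444444444",
            "created": "2015-05-27T00:00:00.000Z",
            "modified": "2015-05-27T00:00:00.000Z",
            "name": "Constructed false positive, since revoked",
            "pattern": "[domain-name:value = 'www.example.com']",
            "pattern_type": "stix", "valid_from": "2015-05-27T00:00:00Z",
            "revoked": True,
        },
    ],
})

# Constructed log lines (firewall, DNS, AV) to run the indicators over.
LOGS = [
    "2015-05-27T10:01:02Z fw DENY src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2015-05-27T10:01:05Z dns query=update.example.test client=10.0.0.9",
    "2015-05-27T10:01:09Z fw ALLOW src=10.0.0.5 dst=198.51.100.70 dport=443",
    "2015-05-27T10:02:00Z av file=invoice.exe sha256=" + "ab" * 32,
    "2015-05-27T10:03:00Z dns query=www.example.com client=10.0.0.9",
]

# One comparison inside a STIX pattern: object-type:path = 'literal'.
# Only equality comparisons joined by OR are handled, which covers the
# common atomic indicators (addresses, domains, hashes).
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def load_indicators(bundle_json: str) -> List[Tuple[str, str, str]]:
    """Return (indicator_id, object_path, literal) triples from a bundle.

    Consumes only 'indicator' objects with pattern_type 'stix' and skips
    anything marked revoked.
    """
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    out = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("revoked", False):
            continue
        for path, literal in _COMPARISON.findall(obj["pattern"]):
            out.append((obj["id"], path, literal))
    return out


def match_logs(indicators, lines) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_id, literal) for each line that contains
    an indicator value as a whole token.

    The lookarounds stop 198.51.100.7 from matching inside 198.51.100.70;
    a plain substring search would raise that false positive.
    """
    compiled = [
        (ind_id, lit, re.compile(r"(?<![\w.])" + re.escape(lit) + r"(?![\w.])", re.I))
        for ind_id, _path, lit in indicators
    ]
    hits = []
    for n, line in enumerate(lines):
        for ind_id, lit, rx in compiled:
            if rx.search(line):
                hits.append((n, ind_id, lit))
    return hits


if __name__ == "__main__":
    for n, ind_id, lit in match_logs(load_indicators(STIX_BUNDLE), LOGS):
        print(f"line {n}: {lit} ({ind_id})")
```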

Allen Tilles: A Lawyer’s Perspective

In a very informative concluding presentation, Allen Tilles of Shulman Rogers tied together the themes of the previous speakers, discussing data breach notification laws, infrastructure vulnerabilities, insurance nuances, and what to do in the case of a breach. After asking the audience to contemplate the scary what-if scenario of all of the traffic lights around a Super Bowl game turning green due to unencrypted, vulnerable sensors, he highlighted social engineering (scamming human workers into inadvertently compromising a system) as the largest threat for businesses. For example, someone could go into a bank branch, ask their loan officer for a glass of water, and drop a USB drive into their desktop, immediately infiltrating the intranet before the loan officer returns. He stressed that from a legal perspective, proving compliance with applicable law is paramount, and highlighted some potential laws to focus on: COPPA (Children’s Online Privacy Protection Act), CFAA (Computer Fraud and Abuse Act), FACTA (Fair and Accurate Credit Transactions Act), and HIPAA (Health Insurance Portability and Accountability Act). He also stressed the need for legal advice to be involved immediately in any data breach scenario, as only then may the conversations be protected by privilege. He also highlighted the existence of WISP protocols as an indicator of whether a company is seriously monitoring its cyber risk.

Disclaimer
Viola Risk Advisors, LLC was recently formed and has a limited operating history. The information and opinions presented herein are provided to you for information purposes only and are not to be used or considered as an offer or solicitation of an offer to buy or sell securities or other financial instruments. Our advice is intended to assist institutions with their risk management requirements. We are not providing any investment advice. For example, we have not taken any steps to ensure that the securities referred to above are suitable for any particular investor and nothing herein constitutes investment, legal, accounting or tax advice. This material includes general information that does not take into account your individual circumstance, financial situation or needs, nor does it represent a personal recommendation to you. Information and opinions presented herein have been obtained or derived from sources believed by us to be reliable, but we make no representation as to their accuracy, authority, usefulness, reliability, timeliness or completeness. We accept no liability for loss arising from the use of the information and we make no warranty as to results that may be obtained from the information presented. Past performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Information and opinions contained herein reflect a judgment at its original date of publication by us and are subject to change without notice. We may have and may in the future update this material with information that is inconsistent with, and reach different conclusions from, the information presented herein.

Reports and information are intended for distribution to professional and institutional investor customers only. Recipients who are not professionals or institutional investors should seek the advice of their independent financial advisor prior to making any investment decision or for any necessary explanation of its contents. None of the contents, nor any copy of it, may be altered in any way, copied, or distributed or transmitted to any other party without our prior express written consent.

©2015 Viola Risk Advisors.  All rights reserved.