FusionX Global Strategy & Governance

Cyber Security An Essential Part of the Risk Management Program

Protecting the Financial Industry

Focusing on the MENA Region

Cyber Security Targets Interconnected Banking & Financial Institutions

As financial institutions become more interconnected, their vulnerabilities to cyber risk increase

It is management’s duty to protect the bank and it’s clients from known sources of probable risk

Cyber security is becoming one of the primary concerns within multinational corporations and governments. The BIS underlined that this category of risk should be considered as a strategic management issue as well as IT.

A major concern for multinationals – These risks

are now a determining factor for the continued

sustainability and competitiveness of

interconnected businesses.

Financial institutions in particular are

increasingly faced with threats surrounding:

• Theft of banks’ & clients’ money

• Destruction of information

• Disruption of operations

• Espionage

Targeting the Middle East and North Africa

(MENA)

The MENA region is particularly susceptible to

these threats due to a lack of solid regulation

and immature information security structures,

as well as being the targets of politically

motivated attacks.

Additionally, we have witnessed sophisticated

organized criminals from other parts of the

world migrate their attacks away from western

banks and toward the MENA region, as they

present a “softer” target for not having adequate

security controls in place.

Managing Cyber Risk

Effective information security requires an

enterprise-specific design of solutions that

consider and tackle the ever evolving cyber

security risks. Since cyber security is also a

strategic risk management issue, an appropriate

corporate governance structure is required that

would serve to uphold such an investment as

part of the Board of Director’s duties towards

Risk Management.

MENA is particularly vulnerable to the lack of a preventative strategy

MENA financial institutions are becoming the primary targets of information-related criminal activities

Recent Events in the MENA region highlight the fact that protecting banking information is an immensely positive risk-management strategy.

Because North American financial institutions

and banks have hardened their computer

systems, there is an increasing trend for large,

transnational organized criminal groups

targeting MENA banks and financial centers.

This has led to the loss of large amounts of funds

from Middle Eastern banks to these organized

crime groups. In addition, hostile countries in

the region are using State-sponsored offensive

computer attacks to damage and destroy the

computer systems of rival country Central

Banks and financial centers.

Arab banks under attack

It was described as "a massive 21st-century

bank heist”. Two banks in the Middle East (one

in the United Arab Emirates and another in

Oman) were targets of a gang of cybercriminals

in the United States. In a span of 10 hours, USD

45 million was stolen by hacking into a database

of prepaid credit cards and withdrawal of

customer money from ATMs in 27 countries.

Banks in the kingdom of Saudi Arabia have also

been victims of many cyber security crimes.

Ensuring Cyber-security leads to diminishing risk exposures

Dimensions of Cyber Risk

The majority of data gathered and compiled by financial institutions and banks is done electronically. The failure to secure the organization from evolving threats can further expose them to even greater risks.

Three key cyber risks affecting banks include:

Scope of the Threat

The rate by which cyber-attacks evolve and

diversify is very high.

Industry Interconnection

The interconnection of banks and the financial

industry, which is crucial to the financial

system's functioning, is also an area of

vulnerability when it comes to cybersecurity.

Moreover, many banks, especially small and

medium sized institutions, contract with third-

party vendors and service providers to expand

their offerings and improve efficiency.

Rising Costs

Banks are paying more to strengthen their

cybersecurity protections as the risks to their

institutions grow. At the same time, launching

an attack on the industry is getting cheaper.

Technical Proposal to Banks & Financial institutions

To mitigate your bank’s cyber risks and enhance its management of them, we replicate the exact cyber-attacks that your enemies will carry out against your computer systems and network. We will then identify the vulnerabilities of your computer system and plug those holes making the system impervious to attack, thus saving your institution millions of dollars in probable losses. Specifically, we can provide the highest quality services and products in the following areas:

Periodic vulnerability assessment and tactical

penetration testing (“red cell scenarios”) of the

client’s computer network mimicking actual

cyber-attack methods of the client’s main

threats (whether national governments,

criminal groups, or terrorist groups) to ensure

the network is secure and to identify and

quickly resolve any network vulnerabilities.

An initial technical threat and vulnerability

assessment of existing computer network, both

software and hardware, with recommendations

and procurement of updated hardware and

software systems based on what the client

needs the network to meet them.

Implementation of new hardware and software

into the computer system fully integrated with

security packages, solutions and training to

ensure the computer system’s integrity and

security from all threats.

Cyber security policy, procedures and

awareness training for all personnel who will be

operating and maintaining the computer

system, and the development of an “in-house”

continuing training program.

On-demand incident response and threat

analysis support as well as access to subject

matter experts.

Evaluation of the corporate governance matrix

as far as cyber security is concerned. This

exercise will consider related reporting and

responses at all governance levels, including the

Board of Directors.

Providing a set of proposals to improve the

cyber risk governance at all levels so as to be in

line with best practices

Help the client in implementing its cyber risk

governance proposals in line with international

best practices.

A U.S. Company at the Forefront of Information Security

FusionX represents an innovative information security, technology, intelligence, and risk management

company that utilizes a unique approach providing holistic security solutions in complex environments to

counter the most advanced, ever evolving, and persistent cyber security threats.

Philosophy: FusionX’s philosophy is “we think like your adversaries and anticipate their next moves”. Its

methodology provides a flexible framework for addressing the full-spectrum of the client’s computer/cyber

security risk management issues drawing from established best practices, best-in-class technology

solutions, and unprecedented risk assessment expertise.

Specialization: FusionX specializes in the financial/banking sector, and currently has clients that are some

of the largest banks in the United States, some with over $10 trillion USD under custody. The FusionX team

regularly finds vulnerabilities that would be exploited by criminals and provides countermeasures and

mitigation strategies to prevent and deter costly cyber attacks.

The FusionX Team

Its computer/cyber security team has been working together for over 15 years to provide the highest

quality technical consulting services to international corporations and governments.

Collectively, its team has worked with hundreds of companies and government organizations (assessing

millions of systems) to address their information security concerns using comprehensive risk management

principles. They have worked with every critical infrastructure sector to provide enterprise-wide technical

vulnerability assessments including assessments of control systems (SCADA) and other critical networks

such as the government, transportation and financial services sectors.

FusionX team members come from companies like UUNET, WheelGroup, BTG, Network Solutions, Titan,

SAIC, CounterPane Internet Security, iDEFENSE, iSIGHT Partners, Security Design International, Technical

Defense, Total Intel, and Computer Sciences Corporation.

About Us

FusionX Senior Computer Expert

Specialization: He is an international security expert specializing in counterterrorism, critical infrastructure

protection, intelligence, risk management and cyber security issues.

Global Experience: He has previous computer and cyber security experience at the highest levels of several

other well-respected computer and information technology companies that operated in the U.S., China,

India, Europe and South America. This expert provided strategic consulting services to select foreign

governments and corporations on issues of information warfare and security, critical infrastructure

protection and cyber security.

Publications & Television: His research on cyber security and security lead to a widely published thesis

entitled, “National Security in the Information Age”, as well as having co-written or authored chapters for

several books, including “Cyber adversary Characterization”, “Threats in the Age of Obama”, Information

Warfare Volume 2”, and “Sun Tzu Art of War in Information Warfare”. In addition, he has appeared on

CNN, MSNBC, FOX News, NPR, CBS News, BBC Television, NWCN, Australian television and dozens of other

domestic and international radio and television programs as an expert on cyber security.

Lecturer: He is an adjunct professor at Georgetown University, and is the Founding Director of the Cyber

conflict Studies Association. Furthermore, he has lectured on the computer networks and cyber security to

the National Defense University, the Swedish, Australian, Japanese and New Zealand governments, and

various universities and colleges.

FusionX Top Computer Expert

Research & Publication: FusionX’s other expert has been recognized throughout the security industry for

his research in multiple areas including adversary profiling and software vulnerability research and

analysis.

Four books have been published by him on the topic of information security, including Cyber Adversary

Characterization – Auditing the Hacker Mind and is a contributor to the popular Stealing the Network

Series.

Lecturer & Speaker: He is a frequent speaker and subject matter expert at world-class computer and cyber

security conferences including Black Hat. In addition, he lectures at various colleges and universities on

computer issues.

Television: He is frequently called upon to provide his expert opinion to mass media organizations,

including BBC News, CNN, Reuters News, Wired and Business Week.

A Wealth of Experience In the Financial Industry, the MENA Region and Corporate Governance

Specialization: Global Strategy & Governance S.A. (GSG) provides advice on Global & Regional Strategic

Positioning, Risk Management Infrastructures, as well as Securing Strategic Corporate Governance

Principles for financial institutions and central banks.

Objective: One of its major objectives is to play a positive role in the global advancement of Risk

Management, Corporate Governance, and Corporate Social Responsibility. A special emphasis in these

fields is directed to the Arab region.

Its vision is to promote a positive socio-economic change in the Middle East and North Africa that can only

be secured through improved corporate strategic and governance rational.

The GSG Team

The GSG team consists of experienced executives, including former senior managers and regulators.

Thanks to an integrated and cohesive corporate culture, GSG helps financial institutions identify an adapted

and realistic strategic positioning.

About Us

GSG’s Leading Expert in Corporate Governance

He has directed GSG’s advisory as well as implementation client projects for various systematically

important MENA banks as well as central banks. These projects included Strategic Repositioning, Mergers

and Acquisitions.

CFO & Board Member Experience with plenty of firsts in the Arab World: Previously the CFO of one of the

top Arab bank groups in the region, he was successful in achieving several important, goals including:

• Raising the Group’s net income after tax from USD 228 million in 2003 to an estimated USD one billion

in 2008.

• The enhancement the Group’s equity from USD 2.9 billion in 2003 to an estimated USD 8 billion in 2008.

• Implementing Basel II and redesigning the Group’s related systems.

• Introducing several modern managerial tools including Asset/liability management and financial

planning concepts.

• Reorganizing the Group's operations in Europe.

• Restructuring of the operations of subsidiary and sister banks.

• Acquisitions of banking and financial institutions outside of the Group’s home country.

• Obtaining the Group an (A-) rating from the international rating agencies: Moody’s, S&P, and Fitch at

the time when the sovereign rating of the home country was (BB).

Publications: He has also published various articles focused on Corporate Governance, Risk Management,

Strategic Positioning, Sovereign Wealth funds, and Capital Adequacy.

Implementation Process Implementing integrated contemporary cyber risk management systems will enable financial institutions to enhance the profitability of existing businesses and achieve stronger control.

A brief visit to the organization (2-3 days) to

conduct a preliminary assessment surrounding

the capabilities and deficiencies of the

organizations’ technical and strategic risk

management infrastructures concerning their

cyber risks.

The client will be sent a proposal detailing the

current status of the institution regarding the

above and proposed plans of action, along with

a detailed pricing for implementation.

Implementation incorporates best-practices.

A gradual implementation of the strategy will be

agreed upon, specifying a clear list of tasks and

time planning. This should identify each

strategic objective, resources needed for its

implementation and the needed time frame to

accomplish it.

An appropriate and organizational

implementation task force will be formed that

will direct and oversee the implementation of

the proposal.

FusionX info@fusionx.com Reston – Arlington – Seattle – Kansas City United States t : + 1 888 7475 411 f : + 41 22 317 9659

Global Strategy & Governance S.A. info@gsgovernance.com P.O. Box 348 CH-1211 Geneva 3 Switzerland t : + 41 22 317 9650 f : + 41 22 317 9659

P.O. Box 212989 11121-Amman Jordan t : + 962 6 565 2642 f : + 962 6 567 6016