
The Shield: A security newsletter for businesses
Spring 2016

In this issue:

How U.S. Bank collects and safeguards your information
Combatting destructive malware
Five tips to help safeguard your organization
Cybersecurity from an executive perspective

How U.S. Bank collects and safeguards your information

Since the events of September 11, 2001, banks and regulators are more focused on limiting the potential for financing terrorist and drug-related activities through our financial system. As a result, banks have increased their efforts to prevent money laundering and terrorist financing, and to comply with anti-money laundering (AML) regulations. These efforts are, in turn, a driving factor in determining which information is currently required from customers in order to process their transactions.

In August 2014, the U.S. government issued an Advanced Notice of Proposed Rulemaking entitled “Customer Due Diligence Requirements for Financial Institutions.” When final, the rule will require banks to verify the identities of “beneficial owners” of most legal entity customers, including corporations, LLCs, partnerships, unincorporated non-profits and statutory trusts. “Beneficial owner” is defined as “the natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted.” Beneficial owner also pertains to an individual with an ultimate ownership stake of 25% or more of the equity interest, and an individual who exercises significant authority to control the legal entity customer’s affairs.

As a result of the enhanced due diligence requirements, U.S. Bank may request the following information and documentation from beneficial owners and authorized signers of new and existing legal entity customers:

• Full legal name
• Date of birth
• Current residential address
• Social Security number or other government-issued ID number for non-U.S. citizens

U.S. Bank, in some instances, may also request documentary evidence (e.g., driver’s license) to verify the information provided.


Information collected from beneficial owners or authorized signers is not shared outside of U.S. Bank, its subsidiaries or affiliates. Sharing this data within the bank only occurs for purposes of complying with anti-money laundering laws and regulations. Access to collected information is limited to users on a need-to-know basis.

U.S. Bank ranked first in the Ponemon Institute 2015 “Privacy Trust Study for Retail Banking” and has ranked first for the past nine years. We have a legal and ethical responsibility to ensure information is secure and accurately maintained.

U.S. Bank is committed to protecting the confidentiality, integrity, availability and privacy of our customers’ data. Our reputation rests, in part, upon securely maintaining our customers’ information assets.


Combatting destructive malware

Destructive malware continues to be a real, dynamic threat to businesses nationwide. It can compromise data and system confidentiality, availability and integrity. It can also disrupt business operations and harm brand reputation. Two high-profile cybersecurity incidents at large corporations help illustrate these negative effects. The first incident concerned an entertainment company that paid an estimated $8 million in legal settlement fees to employees whose personal data was breached. The second incident required a company to spend $40 million in recovery costs. Neither of these examples considers the amount of potential revenue lost to reputation damage.

At U.S. Bank, we encourage our customers to be aware of the ever-evolving cybersecurity landscape and to evaluate the risk to their businesses. The Financial Services Information Sharing and Analysis Center (FS-ISAC) recently held a working group, with participation from U.S. Bank, to explore the growing risk of destructive malware. Based on its findings, we recommend you incorporate the following best practices into your organization’s risk management strategy as a measure to prepare for and combat a destructive malware attack:

Business recovery
Develop, test, and update a crisis response and business recovery plan. Designate response and recovery team members, and include more than just the technology team. Involve legal counsel, a communications team, corporate management and the board of directors. Plan how your response team will engage with regulators and law enforcement.

Malware detection
Early detection can help prevent long-term damage. Use a combination of risk-, signature- and behavior-based detection techniques, working from network baselines. If a destructive malware attack is detected, a quick response is crucial and should include both containment and forensic analysis.

Bare metal rebuild
In the event of a cataclysmic destructive malware attack, consider a bare metal rebuild (BMR) when recovering systems and bringing networks back online. A BMR differs from restoring a computer in that it involves rebuilding the servers from scratch, eliminating some human error, retaining settings and configurations, and lifting the administrative burden. A BMR can restore from any earlier available point, effectively recovering machines that may have been infected for longer periods of time.


Lessons learned
Once it’s safe to reconnect to the network, incorporate any lessons learned immediately at both the technical and policy levels. Share threat indicators with partners, and include as much information as possible.

Employee education
Educate personnel on how to spot and avoid phishing and social engineering techniques. Training should be ongoing and include reporting procedures.

Backup solutions
Emphasize backup solutions, particularly offline backups, to facilitate a quick data restoration and maintain integrity.

Limit administrative access
Most users do not need the ability to modify user accounts or install software on computers IT teams are trying to manage for them. Removing administrative access from standard users can dramatically reduce the impact malware is able to make.

IBM Trusteer Rapport
Consider installing IBM Trusteer Rapport for financial malware protection, which is made available to all U.S. Bank SinglePoint® clients at no cost. Visit http://www.trusteer.com/landing-page/usbank-business for more information.

If you believe that computers used to process financial transactions have been infected with malware, contact your U.S. Bank representative to secure your accounts.


Five tips to help safeguard your organization

Business Email Compromise (BEC) scams targeting domestic and foreign businesses that regularly perform wire transfers continue to be the number one threat to our customers’ financial assets. Data from the FBI estimates the total loss of this global threat to be in excess of $1.2 billion.* Based on several recent high-profile incidents, that number is sure to increase, emphasizing the need for heightened awareness and vigilance in executing key internal controls.

To help shield your organization from fraud, there are various internal control enhancements and security practices to consider. While no single control or set of controls will offer absolute assurance, we suggest the following five tips:

1. Confirm and verify email requests for fund transfers. Contact the requestor by phone using an independently obtained phone number or one that you already have on file. Special scrutiny should be paid to transfers requested to new or recently updated accounts. Nearly all BEC scams can be stopped in their tracks if organizations adopt this basic control.

2. Use dual control for money movement activities. This allows for two levels of scrutiny and authorization to help stem the risk of illegitimate funds transfers.

3. Use multi-factor authentication for web-based email accounts. Fraudsters are known to leverage actual accounts of executives with email credentials pilfered from spear phishing campaigns. Multi-factor authentication adds another layer of control to deter cyber crooks from accessing employee accounts.

4. Communicate quickly when fraud or security events occur. Notify your key banking partners and information security staff immediately. If appropriate, contact law enforcement and file a complaint with the FBI’s Internet Crime Complaint Center.

5. Create awareness within your organization. Evaluate staff compliance with internal controls by using real-world security awareness testing.

* Source: 8/27/2015 FBI Public Service Announcement. Data compiled from Oct. 2013 through Aug. 2015.
Links: http://www.ic3.gov/default.aspx and http://www.ic3.gov/media/2015/150827-1.aspx


Cybersecurity from an executive perspective

In preparation for the annual Executive Leadership Forum last fall, U.S. Bank administered a survey to determine the primary drivers of business decisions and risk oversight for executives. The survey was sent to forum registrants to provide forum speakers with a basis for their content; nearly 60 percent of the registrants participated in the survey. Focused on trending issues, opportunities and disruptions, responses to the survey emphasized the significance of cybersecurity in the current risk landscape and the importance of education on all lines of defense. Key cybersecurity results from the survey were:

Threats: Cybersecurity attacks on U.S. commercial and government networks, and the cybersecurity vulnerability of U.S. infrastructure and services, ranked highest on the survey.

U.S. Bank Executive Leadership Forum | Summary Report, page 10

Security and Cybersecurity

TOP NATIONAL SECURITY CHALLENGES

Asked to rank a list of top national security challenges, three stand out: cybersecurity and cyberattacks on U.S. government and commercial networks, cybersecurity vulnerabilities of U.S. infrastructure and services, and domestic terrorism.

Other national security challenges listed in the survey draw much lower rankings. They generally include issues involving notorious political aggressors and known geo-political issues that are covered almost daily by the media.

Share of respondents ranking each challenge among the top:

Cybersecurity attacks on U.S. commercial and government networks ......................... 71%
Cybersecurity vulnerabilities of U.S. infrastructure and services ........................ 56%
Domestic terrorism ....................................................................... 42%
Russia’s activism in Europe .............................................................. 40%
Renewed advances of nuclear weapons in countries such as Russia, China, Iran and North Korea  36%
Pan-national terrorist organizations ..................................................... 27%
Large scale population movements due to political and civil unrest abroad ................ 22%
High sovereign debt levels and weak economies in countries such as Greece ................ 15%
China’s military ambitions ............................................................... 11%
Cross-border movements of weapons ........................................................  5%

For example, at a time when Russia is visibly increasing its military presence in the Middle East (Syria) and Europe (Ukraine), and NATO is reviewing its defense strategy in Eastern Europe, Russia’s [military] activism in Europe ranks only fourth on the list.

Large scale population movements due to political and civil unrest abroad do not receive a high ranking either, despite the growing Syrian refugee crisis.

And, despite China’s more aggressive naval and air force presence and island construction in the South China Sea, China’s military ambitions barely register as a concern among the survey’s respondents.

Finally, it is interesting to note that concerns over pan-national terrorist organizations rank lower than domestic terrorism.

CRITICAL INFRASTRUCTURE SECURITY

Most respondents to the survey see cybersecurity attacks on U.S. government and commercial networks and cybersecurity vulnerabilities of U.S. infrastructure and services as two of our biggest national security threats.

Along those same lines, fewer than half of the respondents view the nation’s mobile communications systems, electric power supplies, natural gas supply lines, internal corporate networks, or data networks as “very secure,” “secure,” or “somewhat secure.”

When it comes to critical infrastructure security, banking and financial systems are viewed as being the most secure. But, this is only relative: Just one in five respondents rate these systems as “very secure” or “secure.”

Perceived security of critical infrastructure (share of respondents):

System                              Very secure or secure   Not secure
Banking & financial systems                   21%               13%
Data networks                                  4%               25%
Internal corporate networks                    4%               26%
Natural gas supply lines                       4%               30%
Electric power supply                          8%               32%
Mobile communications networks                 0%               45%

Secureness: Banking and financial systems, data networks and internal corporate networks were considered the most secure. Natural gas supply lines, electric power supplies and mobile communication networks were ranked lowest.


Awareness: Survey participants perceived that within their companies, top management and those responsible for oversight have a keen understanding of cybersecurity risks. Mid-level managers and front line personnel were perceived as considerably less aware.

Although the results of the survey are not unexpected, they reinforce the risks of doing business in a highly connected and changing technology environment. The results stress the importance of protecting your organization, employees and customers. Here’s how this can be accomplished:

• Estimate current cybersecurity risks and trends on an ongoing basis and take adequate precautions against them.
• Maintain an employee awareness program on preventing social engineering attacks.
• Assess your organization’s current level of awareness at each business layer.
• Implement a social engineering awareness campaign with additional training and/or conduct periodic assessments.
• Evaluate the efficacy of your current detection software and internal controls. Determine whether they are adequate to defend your organization against a cyber attack.

U.S. Bank and SinglePoint are registered trademarks of U.S. Bank National Association. ©2016 U.S. Bank. 7973 MMWR-86414 (04/16)

U.S. Bank Executive Leadership Forum | Summary Report, page 11

INTERNAL UNDERSTANDING OF CYBERTHREATS

While cybersecurity is among the top concerns of CEOs and other executives today, the survey’s findings indicate that more training would be in order to educate front line personnel and mid-level managers about the nature of cyberthreats and how to address them.

Survey respondents rate the board, the C-suite, and company executives as having a strong understanding of the nature of cyberthreats and the actions needed to protect their companies.

However, the respondents see considerable gaps in understanding among mid-level managers and front line personnel in this regard. As many as one-third of the respondents say lower-ranking company personnel do not understand, or at least not very well, the nature of cyberthreats and how to head them off.

Internal Understanding of Cyberthreats (share of respondents):

Group                       Extremely Well   Well   Somewhat   Not Very Well / Not at All
Executive (VP and above)         28%          35%     31%                6%
C-suite                          26%          31%     39%                4%
The board                        18%          35%     37%               10%
Mid-level managers                9%          22%     44%               24%
Front line personnel              4%          13%     50%               33%
