MAC Cyberattack on ABank Case Study


Submit a short write-up (no more than four pages, Times Roman font, 1.5 line spacing, 1″ margins) with your analysis of the ABank case. Keep the write-up in a narrative form but try to address the following issues:

Was ABank adequately prepared for the cybersecurity incidents?
Will ABank survive the cyber attack? Is it in a position to absorb the monetary loss imposed by the attack?
Can you identify recent publicly reported cybersecurity breaches at other midsized banks? What type of attacks were these? How long did it take to discover the attack? What kind of losses did the institution(s) face?
What information should ABank pass on to its customers, and when?
What other parties must a bank inform when a cyber breach occurs?
What should ABank's communication strategy be?
Going forward, should ABank increase its investments in cyber security?
For the exclusive use of Y. ZHU, 2023.
Mar. 8, 2022
Cyberattack on Abank
The Breach
Ellen Ellsworth, CEO of Abank, woke up to a persistent buzz on her private phone that was supposed to
be used only for emergencies. Only her immediate reports had the number. It was 2:23 a.m., and Ida Inglewood,
the chief information security officer (CISO) of Abank, was on the line. “I am so sorry to call in the middle of
the night,” she began in an agitated voice, only to get right to the point: “We have been breached and we have
lost customer funds.”
Ellsworth jumped up from her bed: “What?”
She did not need to ask any further questions, as Inglewood immediately provided a fuller report of the
situation: “Somebody has gotten unauthorized access to our systems and has transferred money out of
customers’ accounts. We are still trying to assess the full damage, but so far we have confirmed that they have
stolen about $450 million from a total of almost 8,000 accounts (about 0.4% of Abank’s accounts) over the
past five days, and at an increasing pace. It seems the attackers have targeted only savings accounts with balances
between $50,000 and $250,000 and with no activity over the past year, hoping that their owners won’t notice.
They have transferred between 10% and 25% of the balance per account into 18 different accounts at GSBC,
Countrigroup, and BBank—accounts of Delaware-registered corporations that go by names such as Gone LLC.
We have alerted all three but so far we have heard back only from BBank via informal channels. They have
frozen these accounts but tell us that the funds they received have been wired to a network of banks in a tax
haven abroad, where they will likely be impossible to recover.”
At first Ellsworth was speechless, and just listened incredulously to what sounded like a nightmare from
which she needed to wake up. But she quickly regained her footing and her initiative: “How did you find out
and how do you know it was an attack?” she asked pointedly.
Inglewood had just spent the past six hours convincing herself of the answer to Ellsworth’s question:
“Starting two days ago, our helpdesk received calls from customers who claimed that there was an unauthorized
transfer from their account. The helpdesk did not take the first customer who reported seriously—it was an
elderly gentleman who, the helpdesk agent decided, sounded mentally frail. However, another customer called
yesterday afternoon—he was a lawyer who made all kinds of legal threats, so the helpdesk agent escalated the
call, and his supervisor promised to investigate and get back by the next morning. Our back office thought that
the transaction did indeed look suspicious. Around 6:00 p.m., they found out that there were other similar
transactions, and they got the information technology (IT) department involved. All the transactions looked
like they were coming from a script—a piece of computer code—that usually generates automatically recurring
transfers, mostly biweekly salary payments. They looked carefully at everything, and the customers involved
had never requested these transactions. And in any case, that particular script should access only checking, not
savings accounts. At first everybody thought that this was a programming error and did not suspect foul play.
But around 8:00 p.m., IT notified me that there might be malicious activity involved. We have since checked
and rechecked our systems, and it looks like someone is in our network, hiding behind that computer script to
transfer money out of customer accounts.”
This fictional case was prepared by Anton Korinek, Professor of Economics and Business Administration, and George (Yiorgos) Allayannis, Robert F.
Bruner Distinguished Professor of Business Administration, with grateful acknowledgment of insightful conversations on the topic with Charlie Leonard.
It was written as a basis for class discussion rather than to illustrate effective or ineffective handling of an administrative situation. Copyright © 2022 by
the University of Virginia Darden School Foundation, Charlottesville, VA. All rights reserved. To order copies, send an email to No part of this publication may be reproduced, stored in a retrieval system, used in a spreadsheet, or transmitted in any form or by
any means—electronic, mechanical, photocopying, recording, or otherwise—without the permission of the Darden School Foundation. Our goal is to publish materials of the
highest quality, so please submit any errata to
This document is authorized for use only by YANG ZHU in ISGB 7910: IT Strategy and Managment taught by ADITYA SAHARIA, Fordham University from Jan 2023 to Jun 2023.
“Big picture?” Ellsworth interrupted. In the 15 months since she had hired Inglewood, she had learned and
come to appreciate that Inglewood was always on top of minute details, but this sometimes led to long-winded
descriptions of more technical details than Ellsworth could digest. Up until five minutes ago, Ellsworth’s
interactions with Inglewood had been largely about theoretical threats to cyber security, resource requests for
cyber preparedness (of which only parts were usually approved), and incident response plans that everybody
hoped would never need to be put into practice. But here they were. “What’s our plan for this?” Ellsworth
Inglewood felt like she had to add one more disclaimer before going there: “Well…the worst part is that
there could be more. We have checked all the transactions generated by that particular script, and I have
convinced myself that there are only $450 million in losses there, but we don’t know how this all happened or
if they used any other ways of transferring funds than that script.”
Ellsworth sighed.
Returning to Ellsworth’s question, Inglewood continued, “I just emailed you our cybersecurity incident
response plan—the first step is that I will set up a conference call to give an initial incident report to
management. This will happen in the next 10 minutes, but I wanted to call you informally, in advance, to give
you a heads-up. For the conference call I also want to loop in chief legal counsel and PR to go through the
legal implications and to formulate a communications strategy. And I have already reached out to our
consultants at Cybersecurity Associates, so they should also be on the call. Do you want me to include anyone
else? For now, I thought this would be best handled on a need-to-know basis.”
Ellsworth took a deep breath. “Well, $450 million would blow a huge hole into our liquidity position. You’ll
also need to tell Finn and Trisha.” Finn Fitzgerald and Trisha Trahan were, respectively, CFO and treasurer of
The Plan
Abank was a medium-sized bank with 4,000 employees and total assets of $52.2 billion; it was
headquartered in Cleveland, Ohio. (See Exhibit 1 for balance sheet information and Exhibit 2 for an
organizational chart.) Abank was listed on the New York Stock Exchange (NYSE) and had traded at a closing
price of $76.43 the preceding day, giving rise to a market capitalization of $6.3 billion. Abank had originated in
the Midwest but was now active across the United States. It had traditionally followed a prudent business model
compared to its peers. It had, for example, avoided any significant losses during the subprime meltdown and
the ensuing financial crisis of 2008–9. This gave it a reputation as one of the most reliable banks in the United
States and had allowed it to expand significantly faster than its peers over the past decade. This reputation was
now at risk.
Inglewood was the first CISO of Abank since information security had only recently received special focus
there, driven by the lobbying of one of the bank’s board members who had witnessed a material cyber incident
at another corporation. As a result, Abank had increased its spending on cybersecurity significantly in recent
years, reaching a level of $1,800 per employee in 2019. This amount was still somewhat below the average of
$2,300 per employee in the financial industry.1
Cybersecurity incidents had afflicted a growing number of US corporations and their customers in recent
years, imposing not only significant reputational damage but also substantial financial costs. In 2018, the White
House Council of Economic Advisers estimated the annual cost of malicious cyber activity for the US economy
to be between $57 billion and $109 billion, with a strong upward trajectory.2 A vast majority of large
corporations experienced attempted cyberattacks every year, and even among small- and medium-sized US
businesses, 76% experienced a cyberattack in 2018.3 See Exhibit 3 for an overview of the 10 largest US
cybersecurity incidents to date and the resulting losses. See Exhibit 4 for examples of how cybersecurity
incidents affected the stock prices of two prominent victims of cyberattacks in the United States in recent years,
Equifax and Marriott.
One of Inglewood’s initial activities at Abank had been to work out Abank’s first cybersecurity incident
response plan (IRP), which involved designating an incident response team (IRT) and laying out a strategy for
how the bank would respond in the event of a cyberattack. As CISO, Inglewood headed the IRT as the
designated IRT coordinator. See Exhibit 5 for an overview of the main elements of Abank’s IRP. Abank’s
regulator, the Federal Deposit Insurance Corporation (FDIC), strongly encouraged banks to create and
maintain an IRP for cybersecurity incidents, following guidance that the Federal Financial Institutions
Examination Council (FFIEC) had established under the authority of the Gramm-Leach-Bliley Act of 1999
(GLBA). Interestingly, the relevant section of the GLBA focused primarily on standards for safeguarding
customer information, not on protecting banks from cyber theft and financial losses.
Prior to her call to the CEO, Inglewood had already activated the members of her IRT, encompassing the
chief technology officer (CTO), Terry Thorbeck, and two of his staff members who were programmers and
were considered sufficiently trustworthy to help her with the initial investigations. Given the severity of the
incident, Inglewood had also activated the incident response retainer that Abank had signed with Cyber Security
Associates (CSA), one of the leading firms in the cybersecurity space. The retainer agreement with CSA allowed
Abank to tap a team of the world’s leading cybersecurity specialists to investigate the incident, contain and
eradicate any intrusions, recover all systems, and advise Abank on legal and regulatory responses to the incident
as well as a communications strategy.
When Inglewood’s regular contact at CSA heard about the particulars of Abank’s breach, he immediately
escalated the incident to Patricia Packer, one of the two managing partners of the firm. Packer led CSA’s
response together with a team of technical consultants, a legal consultant who would advise Abank on its legal
and regulatory obligations, and a PR consultant who would advise on a communications strategy. Inglewood
decided to also include Packer and CSA’s legal and PR consultants on the call to provide an initial incident
report to management.
The Call
At 2:35 a.m., Ellsworth’s phone rang again. Abank’s IRT, CFO, treasurer, and chief legal counsel, as well
as the CSA team, were already on the line, assembled in what felt like a virtual war room that was physically
distributed across bedrooms and home offices all over Cleveland. In accordance with the IRP, Inglewood
started her initial incident report by outlining what she knew about the attack, along the lines of what she had
just told Ellsworth. Then she called on Packer to provide her perspective on what was usually done in such
1 Karen Edelman, Blythe Hurley, and Abrar Khan, Pursuing Cybersecurity Maturity at Financial Institutions, Deloitte Insights, 2019, (accessed Apr. 1, 2021).
2 The Cost of Malicious Cyber Activity to the U.S. Economy, Council of Economic Advisers, 2018, (accessed Apr. 1, 2021).
3 2018 State of Cybersecurity in Small & Medium Size Businesses, Keeper Security, Inc., and Ponemon Institute LLC, November 2018, (accessed Apr. 1, 2021).
Packer started out by declaring that Abank was in uncharted territory: “We have served many corporations
that were hacked and experienced theft of private customer information, of intellectual property, or of trade
secrets, sometimes valued in the billions. But to the best of my knowledge, this is the first digital bank heist in
the history of the US financial sector—the first time a financial institution was hacked, and funds were
transferred out of customer accounts at such a large scale.” She emphasized one crucial aspect of her response:
“At this point, we are sharing information about the incident on a need-to-know basis. We cannot rule out that
this was an inside job, or that the hackers received at least some help from the inside.”
Ellsworth turned the conversation to her top priority: “Are we still vulnerable?”
Inglewood and Packer jointly explained that they had determined that the safest course of action would be
to freeze all transfers from Abank accounts until it could be ascertained that the system was no longer
compromised. They had also backed up all customer data immediately prior to the freeze in case the hacker,
alerted by the lockdown, attempted to erase any traces of the intrusion by deleting information. Customers who
logged into Abank’s online banking system got a notification that transfers would be delayed because of
technical maintenance; customers who attempted to withdraw funds from ATMs obtained error messages. At
2:45 a.m., they felt that these measures would not create major disruptions to Abank’s business activity.
Meanwhile, a technical response team from CSA, assisted by the two programmers on the IRT, was busily
investigating the full scope of the breach and diagnosing what had happened. One of the team’s first activities
was to scan Abank’s network logs to search for potential clues.
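An added illustration, not part of the case: a ledger sweep of the kind the response team could run, built from the indicators Inglewood reported (the recurring-transfer script touching savings accounts, no customer instruction, dormant accounts, 10% to 25% of a $50,000 to $250,000 balance). The record fields, the job identifier and the sample ledger are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

RECURRING_JOB = "recurring-transfers"  # assumed identifier for the payment script


@dataclass(frozen=True)
class Transfer:
    txn_id: str
    day: date
    origin_job: str            # component that generated the transfer
    src_type: str              # "checking" or "savings"
    src_account: str
    balance_before: float
    last_customer_activity: date
    has_standing_order: bool   # customer set up this recurring transfer
    amount: float
    dest_account: str


def reasons(t: Transfer) -> list[str]:
    """Return the indicators from the case that this transfer matches."""
    hits = []
    from_job = t.origin_job == RECURRING_JOB
    if from_job and t.src_type != "checking":
        hits.append("job-out-of-scope")         # script should touch checking only
    if from_job and not t.has_standing_order:
        hits.append("no-customer-instruction")  # customer never requested it
    if t.day - t.last_customer_activity > timedelta(days=365):
        hits.append("dormant-source")           # no activity over the past year
    share = t.amount / t.balance_before if t.balance_before else 0.0
    if 50_000 <= t.balance_before <= 250_000 and 0.10 <= share <= 0.25:
        hits.append("balance-band-and-share")   # 10%-25% of a $50k-$250k balance
    return hits


def sweep(transfers):
    """Flag suspicious transfers and summarise loss, pace and destinations."""
    flagged = {}
    per_day = defaultdict(float)
    sources_per_dest = defaultdict(set)
    for t in transfers:
        hits = reasons(t)
        # A scope violation is decisive on its own; otherwise require two
        # indicators so an ordinary one-off transfer is not flagged.
        if "job-out-of-scope" in hits or len(hits) >= 2:
            flagged[t.txn_id] = hits
            per_day[t.day] += t.amount
            sources_per_dest[t.dest_account].add(t.src_account)
    return {
        "flagged": flagged,
        "total": sum(per_day.values()),
        "per_day": dict(sorted(per_day.items())),  # shows whether pace is rising
        "fan_in": {d: len(s) for d, s in sources_per_dest.items()},
    }


# Constructed sample ledger (not data from the case).
SAMPLE = [
    Transfer("T1", date(2022, 3, 3), RECURRING_JOB, "checking", "CHK-001",
             8_200.0, date(2022, 3, 1), True, 2_500.0, "EXT-PAYROLL"),
    Transfer("T2", date(2022, 3, 3), RECURRING_JOB, "savings", "SAV-101",
             120_000.0, date(2020, 11, 2), False, 18_000.0, "DEST-A"),
    Transfer("T3", date(2022, 3, 4), RECURRING_JOB, "savings", "SAV-102",
             200_000.0, date(2020, 6, 15), False, 40_000.0, "DEST-A"),
    Transfer("T4", date(2022, 3, 4), "online-banking", "savings", "SAV-103",
             90_000.0, date(2022, 2, 20), False, 10_000.0, "EXT-777"),
    Transfer("T5", date(2022, 3, 5), RECURRING_JOB, "savings", "SAV-104",
             240_000.0, date(2019, 1, 9), False, 60_000.0, "DEST-B"),
]

if __name__ == "__main__":
    report = sweep(SAMPLE)
    for txn_id, hits in report["flagged"].items():
        print(txn_id, ", ".join(hits))
    print("total flagged:", report["total"])
    print("sources per destination:", report["fan_in"])
```

The customer-initiated transfer T4 matches only the balance-and-share indicator and is left alone, which is why the amount pattern is not used as a flag by itself.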
“The freeze on deposits is ok for now,” Ellsworth interjected, while putting pressure on CSA to restore
regular business soon. “But starting at 6:00 a.m., it would take a serious toll on our reputation and credibility if
our ATM cards aren’t working. And if Abank does not restore the capacity to make transfers and withdrawals
at the beginning of regular business hours, around 8:00 a.m., depositors may panic. If they lose confidence in
us, then they will withdraw their deposits the moment we’re open, and there will be nothing left to pay you,”
she warned.
Being used to agitated clients, Packer assured Ellsworth that her technical team was doing the best it could
and focused on how to proceed: “I cannot make any promises, but let’s reconvene at 5:30 a.m. to evaluate what
we have learned by then and determine a strategy for Abank on whether to unfreeze the deposits and reopen
for regular business.”
With the technical response underway, the participants of the conference call could now turn their
discussion to the regulatory and legal response to the incident. Like Packer, the legal consultant from CSA
emphasized that they were in uncharted territory and that the regulatory mandates on banks experiencing
cybersecurity breaches were significantly heavier than for most other sectors. Together with the chief legal
counsel of Abank, the consultant brainstormed on the four major legal and regulatory obligations triggered by
the attack:
(1) The FDIC
Abank’s main regulator was the FDIC, which oversaw both the smooth functioning of banks and the
liquidation of banks that had run into difficulty. If the FDIC determined that Abank was no longer viable, it
was required to put it into receivership, which meant the FDIC would take it over and transfer its assets and
deposit base to another bank of the FDIC’s choosing. This could happen at a moment’s notice when a bank
did not satisfy its regulatory capital requirements, as detailed in Exhibit 6. The FDIC’s procedures were
designed to safeguard as much as possible for the bank’s depositors, but after depositors and other claimholders
were paid out, there was frequently nothing left for shareholders when a bank was closed down. And
management, as well as most other employees, typically lost their jobs.
The FDIC’s takeover procedures were originally designed for banks in financial difficulty, and they had
never been employed for a bank that had seemed in good financial health but experienced a cyberattack. Legally,
the FDIC was required to put a bank into receivership if its bank capital / asset ratio fell below 2%. However,
both the legal consultant and the chief legal counsel agreed that if Abank did not open at the beginning of
regular business hours, pressure would build on the FDIC to take it over in order to transfer deposits to other
banks that were not compromised and give depositors access to their funds.
The FDIC was created by the 1933 Banking Act, and one of its main goals was to maintain public trust in
the stability of the banking system. As part of this mission, the FDIC guaranteed bank deposits up to a value
of $250,000 per depositor. This would be sufficient to cover the losses of Abank customers affected by the
cyberattack, but it would not prevent larger depositors from withdrawing their funds if they started to worry
about becoming the next victims. The FDIC recognized that once a bank had lost the confidence of its
depositors, there would be a bank run, and the resulting large-scale withdrawals would bankrupt it. It therefore
preferred prompt corrective action before a large-scale run by depositors could take place. Given the moderate
size of Abank, the consultants worried that Abank could be a great test case for the FDIC’s capacity to liquidate
banks that experienced a cyberattack.
The chief legal counsel proposed that, together with Inglewood, Packer, and the legal consultant, their next
step should be to notify the FDIC’s Security Operations Center, providing an initial report on the incident to
satisfy the regulatory requirements for the prompt disclosure of security breaches. This would also allow them
to tap the expertise of the FDIC’s Breach Response Team. The chief legal counsel viewed it as critical to the
survival of Abank to remain on good terms with the FDIC.
(2) Law enforcement
Concurrently, the security consultant listed the law enforcement entities that Abank should contact to
report the incident and potentially receive support from in investigating the incident. Top of the list was the
United States Computer Emergency Readiness Team (US-CERT), an organization within the Department of
Homeland Security that specialized in analyzing cyber threats and coordinating incident response activities. US-CERT had some of the nation’s leading experts on incident response for cyberattacks, although CSA believed
that its analysis and response capabilities were superior.
The consultant also suggested that Abank contact the FBI to report that a crime had been committed, and
that Abank should do its best to preserve all evidence. Furthermore, the consultant advised, Abank should
brace itself for potential congressional inquiries into its cybersecurity practices once the incident became public.
(3) Securities and Exchange Commission (SEC)
Next, the legal consultant reminded the participants on the call that Abank, as a publicly listed company,
was responsible for reporting material cybersecurity incidents to its investors. Given that a substantial amount
of funds was missing, the incident was certainly material. The SEC had issued detailed guidance in February
2018 on how to report cybersecurity incidents. If Abank had not made any other public announcements about
the incident by the time the NYSE opened, it would still be required to issue a public statement to investors to
report on the situation. One big concern was that such a statement could lead to a panic. Moreover, the legal
consultant emphasized that the participants on the call must refrain from any trade in Abank’s stock before the
full extent of the cyberattack was made public, as this would constitute insider trading.
(4) Customer notification
A fourth issue was that Abank needed to report any breaches of personal information to its customers.
The requirements on how to do this were rather scattered—there were 47 different customer notification laws
across the 50 states of the United States. The CSA legal consultant would provide the expertise required to
navigate these reporting requirements.
Crunch Time
Over the following hours, the IRT at Abank and CSA worked frantically to investigate the cyberattack.
They became increasingly confident that there were no additional losses beyond what Inglewood had initially
reported. They also found out more about who had perpetrated the attack: it seemed that an employee of Adata,
the software company that provided Abank’s main back-office database, had gone rogue and inserted a script
into Abank’s systems that was executed daily and conducted the fraudulent transfers. The script was now
However, as the IRT prepared for the 5:30 a.m. update to management, Packer and Thorbeck disagreed
on whether to take Abank back online. Thorbeck was shaken by the fact that an employee of Adata, a company
with which he had worked closely for many years, had betrayed his trust and triggered an existential crisis for
Abank: “How can we be sure that there was only one malicious computer script? We need to carefully comb
through everything that this guy has touched in recent months! Before that, it would be irresponsible to
unfreeze our accounts.”
By contrast, Packer saw considerable benefits from reactivating the system: “We will indeed have to audit
Abank’s computer systems more carefully—but that process will take us at least 48 hours. Moreover, there is
no better way to tell whether further malicious code is present in a system than to take it back online and
observe it carefully.”
To Thorbeck, this sounded like the advice of a cybersecurity expert who was used to dealing with stolen
user data, but who had never before dealt with a bank where actual money was at stake: “You take this system
online, and millions of dollars could be gone in seconds.”
The Critical Decision
At 5:30 a.m., the participants on the conference call reconvened. As the IRT coordinator, Inglewood was
responsible for advising Ellsworth on how to proceed. In a preparatory call around 5:15 a.m., Ellsworth told
Inglewood that she wanted to hear her views on two specific issues: whether to lift the freeze and what to tell
Abank’s customers.
Exhibit 1
Abank’s 2019 Balance Sheet (in millions of US dollars)
Cash and cash equivalents
Loans, net
Property, equipment, and software
Other assets (including intangibles)
Bank deposits
Other liabilities (including accounts payable and benefit plan obligations)
Preferred stock
Common stock and additional paid-in capital
Retained earnings
Risk-weighted assets (for capital adequacy requirements)
Source: Created by authors.
Exhibit 2
Protagonists & Organizational Charts
Organizational Chart of Abank
Ellen Ellsworth
Finn Fitzgerald
Ida Inglewood
PR Officer
Terry Thorbeck
Chief Legal Counsel
Trisha Trahan
Organizational Chart of Computer Security Associates
Managing Partner
Patricia Packer
Legal Consultant
PR Consultant
Note: For ease of remembering, the first letters of the first and last names of each protagonist match their job title: Ellen Ellsworth for C-E-O, and so on.
Source: Created by authors.
Exhibit 3
Largest US Cybersecurity Incidents by Affected Users and Their Cost
Date of
(in millions)
Direct Cost
(in millions)
Aug. 2013,
Dec. 2014
May–July 2017
Payment Systems
Capital One
March 2019
$80 penalty +
Dec. 2014–Jan.
April 2011
Information Accessed
name, email, date of birth (DOB), phone
number, hashed passwords
name, address, phone number, payment info,
passport number, email, DOB, guest account
name, DOB, address, social security number
(SSN), driver’s license number, credit card
name, credit card number
name, address, email, DOB, income, SSN, credit
score, payment history, credit limit, balances
raw profile data
name, email, phone number, address
name, address, email, SSN, DOB, insurance
number, medical IDs, employment info
name, address, email, DOB, PlayStation Network
password and login
Note: A “hashed” password is similar to an encrypted password. For more on this, see Samuel Gibbs, “Passwords and Hacking: The Jargon of Hashing,
Salting and SHA-2 Explained,” The Guardian, December 15, 2016, (accessed Apr. 12, 2021).
Sources: Yahoo: Dustin Volz, “Yahoo Says Hackers Stole Data from 500 Million Accounts in 2014,” Reuters, September 22, 2016,;
Shubber, “SEC Imposes $35M Fine over Yahoo Data Breach,” Financial Times, April 24, 2018,; Robert McMillan and Ryan Knutson, “Yahoo Triples Estimate of Breached Accounts to 3 Billion,” Wall Street Journal, October 3, 2017,; Jonathan Stempel, “Yahoo Strikes $117.5 Million
Data Breach Settlement after Earlier Accord Rejected,” Reuters, April 9, 2019, (all accessed Apr. 12, 2021).
Marriott: “Marriott Announces Starwood Guest Reservation Database Security Incident,” Marriott International press release, November 30, 2018,; “Marriott Provides Update on
Starwood Database Security Incident,” Marriott International press release, January 4, 2019,; Parmy Olson, “Marriott Faces $124 Million Fine over Starwood Data Breach,” Wall Street Journal, July
9, 2019, (all accessed Apr. 12, 2021).
Equifax: “Equifax Announces Cybersecurity Incident Involving Consumer Information,” Equifax press release, September 7, 2017,; “Equifax Releases Updated Information on 2017 Cybersecurity
Incident,” Equifax press release, March 1, 2018,; “Equifax
Announces Comprehensive Consumer Settlement Arising from 2017 Cybersecurity Incident,” Equifax press release, (all accessed Apr. 12, 2021).
Heartland Payment Systems: Associated Press, “Heartland Payment Systems Hacked,” NBC, January 20, 2009,;
2010,–140m—-so-far.html (both accessed Apr. 12, 2021).
press (accessed Aug. 1, 2019).
Facebook: Carole Cadwalladr and Emma Graham-Harrison, “Revealed: 50 Million Facebook Profiles Harvested for Cambridge Analytica in Major Data
Breach,” Guardian, March 17, 2018,; Mike
Schroepfer, “An Update on Our Plans to Restrict Data Access on Facebook,” Facebook press release, April 4, 2018,; “FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on
Facebook,” Federal Trade Commission press release, July 24, 2019,; “Facebook to Pay $100 Million for Misleading Investors about the Risks It Faced from Misuse of User Data,”
US SEC press release, (all accessed Apr. 12, 2021).
2014,; Emily Glazer and Danny Yadron, “J.P. Morgan Says about
76 Million Households Affected by Cyber Breach,” Wall Street Journal, October 2, 2014, (both accessed Apr. 12, 2021).
Anthem: “Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History,” US Department of
2018,; Anna Wilde Mathews, “Anthem: Hacked Database Included 78.8 Million People,” Wall Street Journal,
February 24, 2015,; Notice of Anthem Data Breach Class
Action Settlement, US District Court for the Northern District of California, 2017,
(all accessed Apr. 12, 2021).
Sony: Kazuo Hirai, Letter to Mary Bono Mack and G. K. Butterfield, May 3, 2011,;
2014, (both accessed Apr. 12, 2021).
Exhibit 4
Stock Price Movements in Response to Cyberattacks
Equifax (EFX)
Marriott (MAR)

Mid-May to July 2017: Equifax servers infiltrated.
July 29, 2017: Breach discovered.
September 7: Breach publicly announced.
September 15: CIO and chief security officer (CSO)
September 26: CEO resigns.

2014–18: Starwood servers infiltrated.
2016: Marriott purchases Starwood.
September 8, 2018: Breach discovered.
September 10: Third-party investigators hired.
November 19: Compromised information
November 30: Breach publicly announced.
[Stock Chart of Equifax: Equifax and S&P 500 (rescaled); chart label: Thursday, September 7]
[Stock Chart of Marriott: Marriott and S&P 500 (rescaled); chart label: Thursday, November 29, 2018]
Data sources: Yahoo! Finance; for Equifax timeline: Elizabeth Weise, “A Timeline of Events Surrounding the Equifax Data Breach,” USA Today,
September 26, 2017,; for Marriott
timeline: Josh Fruhlinger, “Marriott Data Breach FAQ: How Did It Happen and What Was the Impact?,” CSO, February 12, 2020,; Howard Poston, “Lessons
Learned: The Marriott Breach,” Infosec, August 7, 2019,; Nicole
Perlroth, Amie Tsang, and Adam Satariano, “Marriott Hacking Exposes Data of Up to 500 Million Guests,” New York Times, November 30, 2018, (all accessed Apr. 13, 2021).
Exhibit 5
Key Excerpts from Abank’s Incident Response Plan (IRP)
§1 This Incident Response Plan (IRP) establishes
Abank’s procedures for how to manage cybersecurity
incidents. It establishes an Incident Response Team
(IRT) headed by an IRT Coordinator that is prepared
to respond to cybersecurity incidents in an orderly
fashion. The plan was approved by Abank’s Board of
Directors to meet Abank’s compliance with FFIEC
Standards under Section 501b of GLBA.1
§2 The task of the IRT is to investigate potential
cybersecurity incidents and their impact and to
coordinate a rapid response. The IRT consists of
Abank’s Chief Information Security Officer (CISO),
Chief Technology Officer (CTO) as well as two
designated staff members of the IT department. The
CISO is the designated IRT Coordinator. When the
designated IRT Coordinator is unavailable, the CTO
assumes the role of alternate IRT Coordinator.
If required by the severity of the incident, the IRT
Coordinator calls upon Cyber Security Associates
(CSA), with whom Abank has an incident response
retainer agreement.

§5 A cybersecurity incident is any event that threatens
the integrity or availability of Abank’s data and IT
systems or the confidentiality of customer information.
Cybersecurity incidents include unauthorized
acquisition of data or of computer devices that may
contain sensitive customer information, attacks via
phishing/spear-phishing, malware, Distributed Denial-of-Service (DDoS) attacks as well as any other
incidents that compromise integrity or availability of
Abank’s data and customer information.
§8 The IRT monitors security risks in an ongoing
manner and implements security standards as necessary
to protect Abank’s data and customer information. The
IRT conducts regular training sessions to ensure
security awareness among employees. Furthermore, the
IRT audits Abank’s security standards and evaluates
and updates Abank’s IRP on a regular basis.

Identification of Incident and Triage
§12 The incident response plan begins with the
identification of a potential cybersecurity incident.
Upon notification, the IRT Coordinator will determine
whether an incident meets the definition of a
cybersecurity incident relevant under this IRP (see §5-§7). If a cybersecurity incident is identified, the IRP
  • declares that a cybersecurity incident has occurred
  • activates the IRT and any additional internal resources necessary (see §13)
  • decides upon a preliminary classification of the incident as limited or major (see §14)
  • determines whether to continue or cease operations for the affected systems (see §15)
  • identifies whether the incident has criminal implications that require the gathering and preservation of evidence in case of a potential prosecution (see §16)
At any point of the process, the IRT Coordinator may
activate the incident response retainer agreement with
CSA to advise the IRT and work alongside the IRT in
its incident response.

§22 For major cybersecurity incidents, the IRT
Coordinator compiles and communicates an initial
incident report to the CEO as soon as possible.
Following the initial incident report, the IRT
communicates updates and changes in status to
management as indicated by the severity of the
Further notification requirements are as follows.
  • Board of Directors in consultation with CEO
  • Law enforcement if applicable
  • SEC if applicable
  • Customers if applicable
See §23-§28 for detailed guidance on each point:

§32 Documenting the incident and the response of
Abank is a critical component of performing Abank’s
duties to its customers, to regulators, and potentially to
law enforcement. Although speed is frequently essential
in responding to cybersecurity incidents, this should
not come at the expense of keeping appropriate
records of the incident. If necessary the IRT can draw
on the advice of Abank’s Legal Counsel to determine
legal requirements for record-keeping.
A good starting point to successfully meet
documentation requirements is Abank’s Information
Security Incident Response Form (see appendix A).

Containment and Eradication

Post-Mortem Analysis
§52 After a cybersecurity incident is resolved, the IRT
prepares a final incident report that is to be delivered to
the CEO and, for major incidents, to the Board of
Directors. The final incident report should include a
detailed analysis of the weaknesses that led to the
incident as well as lessons learned and steps that can be
taken to shore up Abank’s cyber defenses against future

1 The Gramm-Leach-Bliley Act of 1999 (GLBA) required the FDIC to establish Standards for Safeguarding Customer Information. As part of these
standards, the FDIC suggests that financial institutions establish an IRP. See the Information Technology Examination Handbook published by the
Federal Financial Institutions Examination Council (FFIEC), of which the FDIC is a member institution.
Source: Created by authors.
Exhibit 6
Capital Adequacy Requirements for Banks
Tier 1 capital = a bank’s common and preferred equity + retained earnings
[capital that is permanently available during regular operation to cushion losses]
Common equity tier 1 (CET1) = only common equity + retained earnings
[the most easily available category of tier 1 capital]
Tier 2 capital = additional (unaudited) retained earnings and reserves
[supplementary capital available to cushion losses in the event of liquidation]
Risk-weighted assets = sum of a bank’s assets weighted by risk as specified by regulators
[for example, cash or government securities have a risk weight of 0%; loans exposed to credit risk have risk
weights of 20%, 50% or 100%, depending on riskiness; and certain other risky investments may have even
higher risk weights]
Regulatory Capital Ratios:
Capital adequacy ratio = (Tier 1 capital + Tier 2 capital) / Risk-weighted assets
Tier 1 capital ratio = Tier 1 capital / Risk-weighted assets
Common equity tier 1 (CET1) ratio = Common equity tier 1 capital / Risk-weighted assets
Tier 1 leverage ratio = Tier 1 capital / Total assets
Regulatory Capital Adequacy Requirements: to be considered “sufficiently capitalized”
Capital adequacy ratio ≥ 8%
Tier 1 capital ratio ≥ 6%
CET1 ratio ≥ 4.5%
Tier 1 leverage ratio ≥ 4%
Additional CET1 Capital Conservation Buffer:
CET1 ratio ≥ 7% to avoid restrictions on dividends and stock repurchases
Source: FDIC Risk Management Manual of Examination Policies, section 2, “Capital,” (accessed Apr. 13, 2021).