Critical Data Points to Assess the True Risk of a Data Breach
Presented by Ali Alwan, Director, SecurityScorecard, Inc.

Agenda
▪ Paradigm shift from fortress mentality to security ecosystem
▪ Examples of data points around us
▪ Security benchmarking: the outside-in approach
▪ Analysis of financial services industry trends

Paradigm Shift – From Fortress to Ecosystem
FORTRESS
▪ High level of trust
▪ You own the blueprint
▪ Control of audit and policies
▪ "Crown jewels" are in a centralized, monitored data center
▪ "IF we get breached…"

Paradigm Shift – From Fortress to 3rd Party Ecosystem
ECOSYSTEM
▪ Empowered employees (BYOD)
▪ Decentralized infrastructure with many 3rd party cloud services
▪ Limited audits without validation
▪ "Crown jewels" are everywhere; continuity is not
▪ Only as strong as your weakest link
▪ "WHEN we get breached…"

Third Party Risk Challenge
Your company spends millions of dollars on IT security: systems, technologies, appliances, InfoSec professionals, internal audit professionals, external auditors, and processes. Then some manager in marketing dumps your client data to an Excel spreadsheet and emails it to a direct mail firm in Omaha.
Perhaps even worse: it is usually not random, and usually not one vendor. Often it is thousands of vendors.

Third Party Breach: The Numbers
▪ 41% to 63% of breaches involved third parties
▪ Per-record cost of a 3rd party breach is higher: $231 vs. $188
▪ 71% of companies failed to adequately manage the risk of third parties
▪ 92% of companies planned to expand their use of vendors in …
▪ …% of anti-corruption actions by the DOJ involved 3rd parties

Target by the Numbers (Remember Fazio HVAC?)
▪ 40,000,000: number of credit and debit card numbers stolen
▪ 70,000,000: number of non-credit-card PII records stolen
▪ November 27 to December 15, 2013: duration of the theft
▪ 46%: drop in profits for Q4 2013 from the year before
▪ $250,000,000: total estimated costs as of August 2014
▪ $90,000,000: amount paid by Target's insurers (maxed out)
▪ $54,000,000: estimated amount generated from the sale of the stolen cards
▪ 0: number of CIOs and CEOs who kept their jobs

So 3rd party risk is a high priority, right?
98% of IT pros feel third-party secure access is not a top priority (Soha Systems via SC Magazine, May 2016).

Current State of Third Party Cybersecurity
Ineffective point-in-time security snapshots
▪ Pen-and-paper questionnaires: expensive, time consuming, and difficult to validate
▪ Intrusive penetration tests require expensive and time-consuming site visits
Difficult to meet the needs of the business
▪ Slow process to onboard new vendors
▪ Challenging to communicate security challenges to business executives
▪ Hard to offer lower-risk vendor alternatives
Labor intensive
▪ Unable to scale the program beyond a small subset of critical high-risk vendors without a big increase in both the Risk and Security teams
▪ Difficult to prioritize vendors without benchmarked data
▪ Challenging to substantiate survey responses and ensure ongoing compliance

TPRM: What It Is
Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties other than your own company.
Due diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
There is no universally accepted framework for TPRM comparable to COBIT or COSO.

TPRM: Who It Is
▪ Vendors
▪ Customers
▪ Joint ventures
▪ Counterparties
▪ Fourth parties (your vendors' own vendors)

Agenda: Examples of Critical Data Points Around Us

Question: What year was the Castello di Amorosa castle built?

Critical data point: construction photos of the same castle. Any other guesses?

Question: How secure is the National Weather Service, on a scale from 0 to 100?

Critical data point: "dorking". The query below finds public pages exposing a PHP "failed to open stream: No such file or" warning (a server-side error that leaks file system paths) while filtering out forum, Q&A and documentation pages that merely discuss the error; the slide offers it as a dork that discovers a bad XSS injection.
"failed to open stream: No such file or" AND -"topic" AND -"topics" AND -"reply" AND -"replies" AND - "forums" AND -"forum" AND -"answer" AND -"inject" AND -"comment" AND -"comments" AND -"exploit" AND -troubleshoot AND -"troubleshooting" AND -"Previous message" AND -"posts" AND -"documentation" AND - "bug" AND -"discourse" AND -inurl:"forum" AND - "discussion" AND -inurl:"collab" AND -inurl:"community"
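The query on this slide is mostly exclusions, and a practitioner re-running it through a search API still has to apply the same filters client-side to the raw hits. The following is an added example, not code from the presentation or from SecurityScorecard: it parses the slide's dork into positive and negative clauses (quoted phrases, bare words, and inurl: terms), then applies them to a handful of constructed search results. The whole-word matching rule and the sample hosts, URLs and snippets are assumptions made for the example.

```python
import re

# The query from the slide, reproduced verbatim as the input to the parser.
DORK = (
    '"failed to open stream: No such file or" AND -"topic" AND -"topics" AND -"reply" '
    'AND -"replies" AND - "forums" AND -"forum" AND -"answer" AND -"inject" AND -"comment" '
    'AND -"comments" AND -"exploit" AND -troubleshoot AND -"troubleshooting" '
    'AND -"Previous message" AND -"posts" AND -"documentation" AND - "bug" AND -"discourse" '
    'AND -inurl:"forum" AND - "discussion" AND -inurl:"collab" AND -inurl:"community"'
)

# One clause: optional "-", optional "inurl:", then a quoted phrase or a bare word.
# The inner "\s*" tolerates the slide's `- "forums"` spacing.
CLAUSE_RE = re.compile(r'\s*(-)?\s*(inurl:)?(?:"([^"]*)"|([^\s"]+))')


def parse_dork(query):
    """Return [(negated, field, term)], field being 'url' or 'text'; AND connectors are dropped."""
    clauses = []
    for neg, field, quoted, bare in CLAUSE_RE.findall(query):
        term = quoted or bare
        if term.upper() == "AND":
            continue
        clauses.append((neg == "-", "url" if field else "text", term.lower()))
    return clauses


def _contains(haystack, term):
    # Whole-word match (an assumption about engine behaviour). It mirrors why the slide
    # lists both "forum" and "forums": -"forum" alone would not suppress a hit on "forums".
    return re.search(r"\b" + re.escape(term) + r"\b", haystack.lower()) is not None


def matches(clauses, result):
    """result is {'url': ..., 'text': ...}; every positive clause must hit, no negative clause may."""
    for negated, field, term in clauses:
        hit = _contains(result[field], term)
        if hit == negated:  # positive clause missing, or negative clause present
            return False
    return True


def filter_results(query, results):
    clauses = parse_dork(query)
    return [r for r in results if matches(clauses, r)]


# Constructed search results (invented hosts and snippets), not real search output.
SAMPLE_RESULTS = [
    {"url": "http://example.org/wp-content/plugins/foo/init.php",
     "text": "Warning: include(config.php): failed to open stream: No such file or directory "
             "in /var/www/html/wp-content/plugins/foo/init.php on line 12"},
    {"url": "https://forum.example.net/topic/123",
     "text": "PHP failed to open stream: No such file or directory - help? Reply"},
    {"url": "https://docs.example.com/php/errors.html",
     "text": "Documentation: failed to open stream: No such file or directory explained"},
    {"url": "http://example.org/upload.php",
     "text": "Warning: fopen(/tmp/x): Permission denied in /var/www/upload.php on line 4"},
]

if __name__ == "__main__":
    for r in filter_results(DORK, SAMPLE_RESULTS):
        print(r["url"])  # only the leaking application page survives the exclusions
```

Only the first sample survives: the forum hit is dropped by the inurl: clause, the documentation page by its negative phrase, and the last one because the positive phrase is absent. The path in the surviving snippet (/var/www/html/...) is exactly the kind of disclosure the dork is hunting for.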

Question: Should I book my vacation to China on chinavista.com?

Probably not. Critical data point: "hacker chatter".

Agenda: Security Benchmarking, the Outside-In Approach

Attack Surface and Degrees of Threat Are Expanded
From the fortress habitat to the 3rd party ecosystem:
▪ Direct infiltration / exfiltration
▪ Indirect data exfiltration
▪ Pathway infiltration / exfiltration

Are there subtle "data points" that can help us identify companies at significantly higher risk of being breached?
FOR MY COMPANY: What can a hacker find out without knocking on my door? Do you know?
▪ System or app misconfigurations
▪ Unpatched or insecure technology
▪ Inadvertent exposure
▪ Self-enumeration
▪ "Unknown unknowns"
FOR MY THIRD PARTIES: Are my partners as diligent as I am in protecting my data? Do you know?
▪ Do the questionnaire results match their true posture?
▪ Litmus test: reflections of maturity and awareness
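The three technical buckets above (misconfiguration, unpatched technology, inadvertent exposure) can all be read off a single ordinary HTTP response, which is what "without knocking on my door" means in practice. The following is an added example and not SecurityScorecard's scoring model or any code from the presentation: it parses two constructed responses, one weak and one hardened, records each observable signal as a finding in one of the slide's categories, and reduces it to a 0-100 score of the kind the earlier National Weather Service question asks for. The hosts, versions, paths and the point weights are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # one of the slide's buckets
    detail: str
    weight: int    # points deducted; the weights are an illustrative assumption, not a published model


# Constructed sample responses; hosts, versions and paths are invented for the example.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /backup</title></head><body>...</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Welcome</title></head><body>...</body></html>"
)

VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")          # "2.2.15", "5.3.3"
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP response into [(name, value)] headers (lower-cased names) and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def assess_response(raw):
    """Return (score 0-100, findings) from signals visible in one ordinary HTTP response."""
    headers, body = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, value in headers:
        # Unpatched or insecure technology: a banner that names an exact version
        if name in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append(Finding("unpatched or insecure technology",
                                    f"{name} header discloses a version: {value}", 10))
        # System or app misconfiguration: session cookie attributes
        if name == "set-cookie":
            attrs = {part.strip().lower() for part in value.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(Finding("system or app misconfiguration",
                                        "cookie set without the Secure flag", 5))
            if "httponly" not in attrs:
                findings.append(Finding("system or app misconfiguration",
                                        "cookie set without the HttpOnly flag", 5))
    if "strict-transport-security" not in present:
        findings.append(Finding("system or app misconfiguration", "no HSTS header", 10))
    if "x-content-type-options" not in present:
        findings.append(Finding("system or app misconfiguration",
                                "no X-Content-Type-Options: nosniff", 5))
    # Inadvertent exposure: a directory listing served where an application should be
    if LISTING_RE.search(body):
        findings.append(Finding("inadvertent exposure", "directory listing enabled", 20))
    score = max(0, 100 - sum(f.weight for f in findings))
    return score, findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        score, findings = assess_response(raw)
        print(f"{label}: {score}/100")
        for f in findings:
            print(f"  -{f.weight:>3}  [{f.category}] {f.detail}")
```

The weak response scores 35 with seven findings; the hardened one scores 100 with none. The point of keeping the findings alongside the number is the slide's "do the questionnaire results match their true posture?" question: a vendor who answered "yes" to patching and secure session handling but serves a versioned banner and a flagless cookie has given you a measurable contradiction, not just a lower score.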

Examples of Critical Data Points Beyond Malware
Take a holistic approach to security risk assessments: security is more than just understanding malware. Trust but validate, with data of more depth and breadth.
▪ Dorking: prevent sensitive information from being reachable through advanced search techniques
▪ Application security: determine whether insecure applications exist that may yield information leaks
▪ Compliance validation: validate compliance with ISO 27001, SIG, and NIST to identify potential gaps in your information security framework
▪ Social engineering: understand the risk of non-technical intrusion based on human interaction
▪ Hacker chatter: uncover and monitor chatter that puts your company at risk
▪ Credential leaks: instantly know if corporate passwords are circulating in the hacker underground