1.What are the risks that can be identified in the case? Do you believe the actions taken by both Silver Bank and Diamond Security were appropriate? 2.After carrying out an analysis and evaluation of Silver Banks cyber-security problem, how would you say that cyberattacks can be mitigated? 3.What basic guidelines did Diamond Security need to develop a strategy aligned with Silver Banks cyber-security policy? What lessons can be learned from Diamond Security and Silver Banks experience managing cyber-security risks and the banks decision-making?

Silver bank: vulnerability and risks during cyberattacks Csar Jhonnatan Horna, Leonardo Toro and Otto Regalado-Pezua Introduction The morning of Tuesday, September 15, 2020, Diamond Security Co. Chief Operations Manager Ivn Ramrez was finishing up a basic security system installation in the offices of Silver Bank when a new cyberattack blasted financial entities around the world. The financial entities that could defend themselves were those that had sufficient security protocols and the software necessary to face the pernicious attack. However, those that did not possess these mechanisms had to pay a high price for their lack of preparation. In the case of Silver Bank, its security system had multiple vulnerable points. Cyberattacks on financial institutions seek to gain access to clients' accounts to withdraw or transfer money. Gaps in the security systems are exploited to access critical information technology (IT) infrastructure. Some infiltration mechanisms include using the credentials of hacked accounts, sending phishing emails, using advanced anti-virtual machines (VM)/ Sandbox techniques and using malware-laced proxy applications. On the day of the attack, Santiago Or, General Manager of Silver Bank, and Marcelo Tapia, IT and Organization Director, urgently called for a meeting with Ramrez and asked him to take immediate action against the attack. Ramrez left the meeting very satisfied with the agreements made therein, as he had been a firsthand witness to the devastation the attack had brought. He was forced to act quickly to safeguard not only the bank's confidential information but also the money put at risk. Diamond security and its fight against cyberattacks Diamond Security offered IT security packages to implement a system to protect the privacy of the information stored in its clients' computer systems. This package was supplemented by various consulting sessions, training programs and awareness-raising measures for its clients' employees. These practices aligned with Diamond Security's vision for information safety, in which everyone in a client company was committed and involved. Diamond Security's satisfactorily implemented projects together with its years in the market had forged a reputation for the company. Moreover, the organization had invested in research on new internet-based threats, which made it possible to provide services to governmental organizations, as well as companies in the telecommunications, banking and insurance sectors. The company had been founded at the end of the 1990s, when the internet was beginning its worldwide expansion. At first, its client portfolio was made up of small businesses that wanted to incorporate new technologies in preparation for the new millennium. Years later, when cyberattacks against all kinds of entities were on the rise, Diamond Security decided Csar Jhonnatan Horna is based at the Department of Operations and IT, ESAN University, Lima, Peru. Leonardo Toro and Otto Regalado-Pezua both are based at the Department of Marketing, ESAN University, Lima, Peru. Disclaimer. This case is written solely for educational purposes and is not intended to represent successful or unsuccessful managerial decision-making. The authors may have disguised names; financial and other recognisable information to protect confidentiality. to specialize in providing services specifically against this type of threat. Its hard work and excellent service soon became recognized in its country of origin, and it was able to expand into other markets, as well. By 2020, Diamond Security was operating in five Latin American countries (Colombia, Peru, Ecuador, Brazil and Chile), providing specialized IT security services. It possessed a technical team consisting of hundreds of employees all throughout its many offices and continued to work with both state and private entities. In recent years, however, the company had been losing its competitive edge. Reports showed that it was being displaced by its competitors in the most relevant sectors: insurance and banking. Even so, in other sectors, it was possible to position the brand to obtain the desired results, but these clients represented just a small market share. Diamond Security decided its goal was to recover its position with clients in the financial sector, so management began using a strategy specifically directed at banks: security packages tailored to clients' specific needs and vulnerabilities, along with upgrade programs. The goal set was to sign yearlong IT security service contracts with at least five financial institutions over a 12-month period. Additionally, once the contract was signed, opportunities to provide related services were to be analyzed so that Silver Bank could become the main cyber-security provider for these companies. Although the established goals presented a challenge, the established action plan made them reachable. Ramrez, as the sales representative, attended meetings with potential clients to offer them Diamond Security's packages. In preparation for these meetings, Ramrez and his team would start by running a diagnostic of the potential client company's security situation so that the possible package to solve its particular problems could be presented. During these diagnostics, several recurring themes kept popping up: - lack of understanding about the vulnerability of IT systems and risk control; - lack of interest in information protection systems; - low frequency of severe cyberattacks; - lack of historical data on the damage caused by attacks; and - limited budget for cyber-security. Due to normative changes put in place by the Peruvian regulatory entity that supervised financial institutions' IT security, companies were being forced to improve their IT systems. One of these companies was Silver Bank, which received proposals from various IT security providers: Diamond Security, Safety Web and Virus Block. In the end, its years of experience in the market tipped the scale in the favor of Diamond Security. In mid-June 2020, the two companies came to an agreement. Diamond Security's basic package would be installed over a period of three months, and the total price would be paid once approved by the regulatory entity. Although at first it appeared it would be a simple job, as the system was being installed, gaps were identified in basic systems, which made the project more complicated. This caused an almost 50% increase in the total price to be paid by Silver Bank, although the final installation date remained unchanged. Silver bank and its presence in the Peruvian market The services provided by Silver Bank included a product portfolio ranging from personal loans, mortgages and vehicle loans to credit and debit card services. It also offered different savings account and life insurance products, interbank transfers and benefits for its most faithful clients. CASE STUDIES | VOL. 12 NO. 12022 Silver Bank was founded more than 80 years ago and had both domestic and foreign shareholders. Despite the difficulties it had faced, the company had been able to expand its domestic operations by increasing its market share and expanding to the country's major cities (see Exhibit 1). This expansion was made possible by the organizational structure, which emphasized commercial development through the opening of new branches throughout the country (see Exhibit 2). That is how Silver Bank was able to increase its number of savings account clients and loan clients. As the years passed and the bank expanded its operations, it was able to make its presence felt throughout the entire nation. In addition to opening new branches, it partnered with bank agents in even the most remote parts of the country. The trust its clients had in the bank was due to the great lengths it went to satisfy them. During the COVID-19 pandemic, things were no different: Silver Bank worked hard to protect its employees' and clients' health. Additionally, it carried out different projects to show solidarity with those affected by the pandemic to contribute to the common good. As mentioned, Silver Bank had a broad product portfolio, and it had an even broader client portfolio. The sectors it worked with ranged from business to manufacturing, agriculture, mining, fishing, construction and real estate. It carried out loyalty campaigns for both small business owners and large corporations, not to mention its individual clients. The bank was constantly working to improve its policies to satisfy its clients. Its deep-rooted philosophy puts the client at the center of its decision-making process. Therefore, it invested a great deal in employee training at every level. Moreover, this customer-centric culture and overarching goal of customer satisfaction carried over to its virtual platforms. Or, in his strategic leadership role in Silver Bank, was well aware of the importance of investing in IT to guarantee the effective delivery of the services offered and to maintain clients' trust; that is why he wished to expand the bank's vision. With this in mind, he scheduled numerous meetings with Tapia and Ramrez to try to understand how the IT area worked, as well as what its needs and contributions were, to revise the company's vision statement. However, most members of the Silver Bank board of directors did not consider this new vision very important and thought that the bank was already investing enough in IT, as it was. At Silver Bank, Tapia led a team of engineers in charge of IT infrastructure and operations who were all following the security policies instituted five years ago. This team was trying to carry out, albeit in a very general way, a business continuity plan (BCP) and a simplified processes outline for disaster recovery planning (DRP) in case any threat to cybersecurity ever came up. Additionally, Or had taken Ramrez to several meetings with the board of directors so that Ramrez, as an expert, could explain the importance of increasing the bank's investment in cybersecurity and of formulating an IT strategy more heavily focused on cybersecurity. In multiple meetings with the board of directors, Ramrez had suggested that it would be ideal to implement a new manager-level role: a Chief Information Security Officer, who would be in charge of developing a security strategy, developing a risk mitigation strategy and effectively monitoring how security resources were used, as there was currently no specialized, cybersecurity-focused team within the IT area. Another suggestion that Ramrez had, since Diamond Security had carried out several external audits of the bank's security systems, was the implementation of ISO 27001 standards to ensure that the bank's processes complied with international security standards. The Diamond Security audits had identified vulnerable points related to the lack of updates in the Secure Socket Layer cryptographic protocols and the public-private key infrastructure. These were both vital elements to ensuring that information remained secure. However, one issue the company could not ignore was cyberattacks. With the expansion of the Internet and its integration into all of the bank's operations, the risk of infiltration was inevitable. No financial entity can permit classified information to be leaked, but this was hard to get management to understand, due to the complexity of the matter and management's belief that investment in security would not be profitable. Cyberattacks on silver bank In 2015, Silver Bank suffered its first cyberattack with serious consequences when a band of hackers sent emails to employees at different banks. In every case, these emails appeared to come from a reliable source because in the subject line they included the name of the bank manager or another person with an important position at the bank. There was no reason to be suspicious of possible system vulnerability. Attached to the emails was a seemingly innocuous file, but once downloaded, this file unleashed a trojan horse virus onto the computer. The virus was disguised as a useful file so that it could access the computers of its targets. However, the virus's malicious code replicated itself in the internal institutional network and took control of the bank's security cameras. In this way, the criminals could see what was happening on the computer screens. They registered operations and clients' PIN numbers after those clients had transferred money into their personal accounts or withdrew it from ATMs. It was only after the victims had communicated with the bank about these irregularities that management realized that bank security had been compromised. The managers immediately contacted their current security provider to fix the problem, although the financial damage had already been done. Then, in 2017, cyber-criminals used a different method to infiltrate the bank's internal network. On this occasion, they hacked the credentials of an employee at one of the branches and were able to get into the network by pretending to be that employee. They also installed a keystroke logger onto the employee's computer. This type of malware keeps track of the user's keystrokes, stores this information and sends it to the perpetrator. The employee worked in customer service, and, as he assisted clients, they introduced their PIN numbers into his computer to carry out certain operations. That was how the criminals were able to access the bank's financial resources. Following client complaints and a long investigation, the problem was identified. On this occasion, not only did the bank reinforce the security system but also employees were given training on data protection, which led to a bigger budget for information technology (IT) security (see Exhibit 3). The following year, the target of cyberattacks was now ATMs, not computers. Through the use of malicious codes, the robbers blocked the confirmation systems that linked a given ATM with another financial entity. When a card is used in the ATM of a bank other than the bank that issued the card, the system links with the issuing bank to approve the operation. In this case, the manipulated ATMs provided the money requested even when the transaction was rejected by the main bank. With help from the authorities, Silver Bank was able to stop those behind this crime and then proceeded to fix the manipulated ATMs. Due to the increase in cyberattacks over the past few months, the Peruvian Association of Banks (ASBANC) had put out an alert to all financial entities so that they could activate their security protocols and keep an especially close watch over all their systems (see Exhibit 4). As for that fateful morning in September 2020, Ramrez was finalizing the details of Silver Bank's security system installation when he noticed that the bank's computer screens had turned blue and that all of the employees seemed very disconcerted, since they could not access any of the bank's information. The internal network was being infiltrated by an external agent, although Silver Bank was not the only institution under threat. The US FBI had warned against a potential cyberattack on financial institutions worldwide, and this threat had finally materialized. However, some banks had ignored this warning and had not taken measures to protect themselves. As the cyberattack began, confusion could be seen on the faces of the personnel in the bank's central office. They did not know what to do because there were no protocols to combat the situation they were facing. The first measures taken by the company were intended to avoid generating panic among its clients: maintaining open channels of communication with them and informing them of what was going on as the root of the problem was being identified. At first, Silver Bank thought it was the only financial entity being attacked, since it had not invested in the most advanced and up-to-date IT security system. This was very worrisome because if it was the only target, the financial, legal and PR consequences would gravely damage the bank and could perhaps even drive its clients to other Peruvian banks. Ramrez could recognize an opportunity to strengthen his company's relationship with the bank when he saw one, so he immediately called Diamond Security's General Manager. During their conversation, he gave a report on what was happening and asked for authorization to solve the problem. Or gave him permission to proceed and made the necessary resources to address the crisis available, including Tapia's entire team. All of this meant additional charges for the bank. The bank's board of directors was informed of Ramrez's proposal and authorized the provision of all of the necessary information to deal with the crisis. Ramrez called up the team, and it began gathering information about the security systems that had been installed by other security companies, reviewing documentation and interviewing the internal IT team to identify vulnerabilities. Once all of this information had been gathered, Ramrez and his team verified the source of the problem: a type of malware called ransomware that sought to extract files from a system and then demand payment for their return. Most criminal acts use ransomware to erase files from the hard drive or take control of the computer on which they have been installed. In some cases, this malicious software goes unnoticed until it is too late to combat. With the information gathered, Ramrez and his team worked together with bank employees to stop the malware from accessing clients' savings accounts. Even so, Ramrez's field experience led him to believe that a cyberattack so easy to solve could not come from an international network of cyber-criminals, and so he carried out a more detailed second analysis that showed that the ransomware designed to extract information from individual clients' savings accounts was just a ploy to distract them from the cyber-criminals' real target: business accounts, which, although fewer in number than personal accounts, had much higher amounts of money in them. Fortunately, the attack was repelled by the Diamond Security team, and greater potential loss, both in terms of finances and reputation, was avoided. Even so, the attackers were able to obtain access to clients' confidential information, such as their cards' PIN numbers, and this had the potential to affect not only the bank's finances but also the trust the clients had in the bank, causing additional legal problems related to the protection of personal information. Once the crisis had passed, Diamond Security became Silver Bank's main IT security provider. Subsequent analysis convinced management of the importance of strengthening the IT security system. Due to new, periodic threats, which neither legislation nor regulators can keep up with, management saw the necessity of carrying out constant improvements to protect client information. The bank's board of directors asked Diamond Security to assess all of the bank's systems and give a quote for what it would take to make those systems more secure. VOL. 12 NO. 12022 EMERALD EMER