You are the Chief Risk Officer (CRO) of LIFT, a global ride sharing service. At 9:00 AM, you read in today’s newspaper that your main competitive rival, U-Beer has just been hit with a cyber breach. The root cause of the incident was employee misconduct and the inappropriate misuse by that employee of company funds to pay off hackers who had breached security parameters and gained access to customer sensitive data including (names, address and social security #’s). The employee failed to escalate or notify anyone in internal management of the breach until the event was made public. U-Beer has since removed their Chief Information Security Officer (CISO) and is in full-blown crisis management mode as public concern around the situation has escalated. The CEO of U-Beer has also been under tremendous pressure by the media and customers to resign off the back of the incident.
At 10:00 AM, you get a call from the CEO of LIFT, your boss, asking for more details on the situation at U-Beer and whether this type of incident could occur at LIFT. You commit to do an analysis of the situation and report back by 5:00 PM to the CEO and he wants answers to the questions to follow.
Please Answer the Following Questions. You are encouraged to make assumption(s) about the current control environment, known internal gaps, key risks previously identified and known issues from Internal Audit or other areas of the firm in formulating your response. Be creative and think out of the box!!! Use and state assumptions where facts are not available.