Thomas Murray helped a major Middle Eastern Central Securities Depository (CSD) to reduce its attack surface, build security and demonstrate resilience.
“Thomas Murray Cyber Risk has not only allowed me to significantly improve our CSD’s security posture, but also to communicate the improvements to our management, justifying budget and comparing us to other CSDs in the Middle East.”
Chief Information Security Officer, Middle Eastern CSD
The CSD’s large IT Security team was subscribed to a range of threat intelligence feeds, which it used to monitor the CSD’s security posture. The problem? Too much data, too little quantification, too much manual work required – so that, in the end, much was left undone.
The team had little visibility over its public-facing IT infrastructure, and was unaware of the number of digital assets it was unnecessarily exposing in the public domain. It did not know what company data had been leaked to the Dark Web, and so was not able to assess the impact of employee behaviour on the company’s security.
The CSD recognised that it needed to subscribe to a threat intelligence tool; the problem, as always, was knowing which one to choose. Its main requirements were to:
- Monitor its attack surface for breaches, vulnerabilities and misconfigurations. It needed to receive all relevant threat intelligence feeds in a single platform.
- Quantify its security posture in a risk rating, so it could track and benchmark its performance.
- Benchmark itself against other CSDs in the region, to understand whether more investment was required to improve its security.
- Achieve an affordable solution that reflected the economic conditions of the market.
In the end, the CSD chose Thomas Murray because of the scope and timeliness of our data, the actionability of our risk rating, our unique benchmark of more than 140 CSDs, and highly competitive pricing.
The CISO and his team logged into the platform 252 times in the first six months of the subscription to identify security gaps, quantify risks, and build and execute a remediation action plan.
The team identified breached employee email credentials and was able to validate the findings with the employees in question, requiring them to undergo additional training and enhancing the company’s employee cybersecurity training programme more widely.
It identified a large number of redundant hosts that needed to be taken offline, as well as a variety of potentially vulnerable services, expired certificates and other vulnerabilities that were a drag on performance and represented a significant potential risk to the CSD’s data and operations.
Thomas Murray Cyber Risk allowed the team to focus on building and executing a remediation action plan, rather than spending time manually collating and interpreting multiple complex data feeds. The CSD was able to reduce its attack surface by 48% in the first six months, increasing its cyber risk rating by 95% and moving from the bottom quartile of CSDs globally to a rating that was better than 88% of its peers.
After the first six months:
Director of a Major Middle Eastern CSD
“The evaluation is very beneficial not only for our IT Security team but for the company as a whole. As CSDs we have to be as prepared as we can be against cyber risks, so Thomas Murray’s new initiative will be a golden key for that.”
Director of Cyber Security, Latin American financial institution
“The tool is good for us to identify cybersecurity risks to which our domain and its sources are exposed, as well as how to mitigate them.”
Head of Network Management, a European Bank
“Thomas Murray provided information we do not get by any other means today. It’s very useful. The tool is impressive and a nice answer to a problem in the banking industry: how do you manage a large network of service providers, distributors, partners and other third parties without costs creeping up? Cyber is going to be on the agenda for years to come and this tool is going to help us to keep ahead of our third-party risk management requirements.”
Cyber Specialist, third-party risk management at a US bank
“Responses to cyber questionnaires can be very PR-focused, and it’s difficult to get transparency. Security ratings cut through poor response rates to provide a health check based on objective, verifiable public data. We have integrated Thomas Murray’s cyber risk ratings and threat intelligence into our monitoring of agent banks and CSDs globally, and are looking to add additional groups from across the bank.”
IT Security Officer at a Central European bank
“The tool is well-designed and very user-friendly. Monitoring service providers and other third parties’ cyber risk is going to become a regulatory imperative soon; right now it is best practice and something banks should be looking at. Thomas Murray’s platform is great for monitoring our third parties, particularly those who are not very transparent in their DDQ responses. We really like the ability to benchmark our bank and our service providers against like-for-like peers and competitors, this is really important.”
CISO responsible for TPRM at a Global Bank
“The established US threat intelligence providers are expensive and only part of the puzzle. Thomas Murray’s new platform is a very, very good tool for managing our third parties – it is fully automated and isn’t ‘noisy’, which can become a serious relationship issue with some providers. My team really likes the look and feel of the platform as well as the clarity of thought that has gone into making this tool.”
IT Security Specialist of a Swiss financial institution
“Thomas Murray Cyber Risk is a great complement to the tools we use today. It provides much more comprehensive information around the vulnerabilities in our IT infrastructure – and particularly has a lot more details about breached employee emails and passwords than other providers. This is extremely helpful as it allows us to contract those employees with specific, actionable intelligence, and so that we can improve the email behaviour of all staff.”
CISO of an African financial institution
“The tool is very interesting. It gives us the capability to be proactive, rather than reactive, about building the security of our core infrastructure. We are a regulated company and subject to military surveillance by our government; Thomas Murray’s tool used ethical and indirect methods to discover every week the vulnerabilities that we would normally identify during our annual penetration testing.”
Head of IT Security of a Latin American stock exchange
“The Cyber Risk platform is more complete than our existing vulnerability scanning, and we will use it to either replace or complement it. The benchmarking in particular is extremely useful.”
Director of a large Turkish financial institution
“We have been able to make major improvements to our critical applications since using the tool, increasing our score and identifying further action points to stabilise our overall rating in future. Thomas Murray has enabled us to improve our internal processes as well, by pulling together all the necessary threat intelligence feeds so that my team can focus on implementing the findings, instead of gathering the data.”
CISO, Global Custody Bank
“Thomas Murray Cyber Risk’s approach is sophisticated. Its machine learning algorithm identifies our third parties’ public IT infrastructures with huge accuracy and requires no manual intervention. We feel we can place reliance on the ratings to build a robust third-party risk management framework. The solution was new to us, but the scope and accuracy of the data is better than anything I have seen in the market.
It is an excellent, affordable tool for evaluating the security posture of the bank’s third parties, and its benchmarking is more meaningful and granular than tools I’ve used in the past. The fact that we can also leverage their automated due diligence tool, thereby managing the whole process in a single platform, makes a big difference and I anticipate we will extend its usage across the bank.”
Head of Network Management, Global Custody Bank
“In the past, we only had occasional contact with our IT Security team, who helped to validate the responses to some DDQs [due diligence questionnaires]. Recent regulations and geopolitical events demonstrated to our bank the need to monitor the cyber risk of our post-trade counterparties around the world. Thomas Murray has been instrumental in developing such a programme for us, and in bringing Network Management and IT Security together.
With Thomas Murray we are able to affordably monitor hundreds of banks, market infrastructures and other third parties globally. No other provider could do this for us at such scale and with such granular knowledge of risks specific to the post-trade sector.”