Mandatory MFA + password rotation on all Citrix RAS endpoints with infostealer hits
Force rotation of every credential observed in the HudsonRock corpus for ua.intranet.db.com, sg-kch4/5.dbrasweb.db.com, sg-dsj5.dbrasweb.db.com and any related Singapore/Ukraine RAS hosts. Enforce phishing-resistant MFA (FIDO2 / certificate-based) at the Citrix gateway, not just at the downstream application. Audit whether the Singapore endpoint cohort is BYOD/contractor — if so, fold those endpoints into managed-MDM scope or block their access to corporate credentials.
Targeted credential reset + MFA-enforcement audit for the 5 surfaced executive emails
Confirm Sewing / von Moltke / Hoops / Schaefer / dns.admin role-mailbox have rotated credentials post-breach exposure and that MFA is mandatory on every IdP they authenticate against (M365, SSO, GitHub, AWS, CIM, board-portal SaaS). Treat Hoops's LinkedIn 2012/2016 exposure as worst-case and audit any 13-year-old password-recovery patterns. Subscribe DB's IAM team to HIBP API for continuous credential-leak monitoring on the full @db.com namespace.
Trust-boundary hardening for SaaS vendors in DB's outbound channel (Markit / Frontify / Salesforce)
Audit DKIM / DMARC alignment on subdomains delegated to third-party SaaS (research.ctc.db.markitondemand.com, brand.db.com on Frontify, Salesforce CRM domains). Implement BIMI + verified-mark certificates on @db.com to reduce look-alike-domain phishing success rate. Run typosquat monitoring (e.g., DNSTwist or Group-IB Threat Intelligence) for db.com, autobahn.db.com, flow.db.com, and the executive surname family.
Cert-issuance hygiene: avoid internal codenames + UAT hostnames in publicly-trusted CT-logged certs
Audit DB's PKI policy so that internal codenames (Phoenix, TRXM) and UAT/SIT environment hostnames issue from a private CA rather than a publicly-trusted CA that emits to CT logs. Migrate FIS BaNCS UAT (uatbancs.us.db.com) and the trxm.{int,dev} family to internal-only certificates. Where externally-trusted certs are required, prefer generic anchor names that don't encode the internal codename.
Post-OFSI controls remediation review at DBLB
Independent third-party review of DBLB sanctions-screening controls covering the period post-Russia-2022 sanctions through 2026-04-30, with explicit scoping to entities controlled by Russian streaming, telecoms, and finance-adjacent verticals (Okko, Sber, VTB, Tinkoff, Yandex subsidiaries). Publish remediation milestones to the FCA + OFSI on a quarterly cadence.
Insider-threat playbook scoped to 2026 succession + AGM + private-credit windows
Activate insider-threat monitoring with elevated thresholds during three specific windows: (a) the management-board succession decision window (likely 2026-Q3-Q4 per FT 2026-03-19 reporting); (b) the AGM 2026-05-28 + auditor-counter-motion window; (c) private-credit-disclosure quarterly windows. Constrain attribute-based access for sensitive succession communications and Apollo-related receivables-financing data.
Executive-protection extensions for Chair Wynaendts UAE engagement footprint
Apply executive-protection protocols to Wynaendts's external engagements (calendar opacity, dedicated burner devices for sensitive travel, out-of-band confirmation for any financial-instruction request purportedly from him). Ensure Sheikh Maktoum-related correspondence routes through hardened channels.
Enforce DMARC p=reject across every .db.com subdomain
Extend the @db.com p=reject policy to every subdomain that issues outbound mail (incl. invoicing, M365 sub-tenants, marketing automation). Audit any subdomain currently in p=quarantine or p=none and migrate to p=reject within 90 days. This is already in place for the apex (per ev_005); extend it to the full subdomain tree.
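The subdomain audit above can be scripted. The following is an added example (not part of this report, and not DB's tooling) that resolves each subdomain's effective DMARC policy the way a receiver does: the subdomain's own _dmarc record wins, otherwise the organisational domain's sp= tag applies, falling back to its p=. It runs offline against a constructed table of TXT records under the placeholder domain example.com; pct<100 is flagged as well, since a partial policy is not full p=reject.

```python
"""Offline DMARC coverage audit for an organisational domain and its subdomains.
Added example; DNS answers are replaced by the constructed SAMPLE_TXT table."""

ORG_DOMAIN = "example.com"  # placeholder for the real apex domain

# Constructed stand-in for DNS: "_dmarc.<name>" -> TXT value.
SAMPLE_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.invoicing.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_dmarc.marketing.example.com": "v=DMARC1; p=reject; pct=50",
    # mail.example.com has no record of its own: it inherits the apex sp= tag
}
SAMPLE_DOMAINS = ["example.com", "invoicing.example.com",
                  "marketing.example.com", "mail.example.com"]


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tags; None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def effective_policy(domain, records, org_domain=ORG_DOMAIN):
    """Return (policy, pct, source_domain) as a receiver would apply it (RFC 7489 6.6.3).
    A multi-level subdomain with no record of its own falls back straight to the
    organisational domain, not to an intermediate parent."""
    own = parse_dmarc(records.get("_dmarc." + domain, ""))
    if own:
        return own.get("p", "none").lower(), int(own.get("pct", "100")), domain
    apex = parse_dmarc(records.get("_dmarc." + org_domain, "")) if domain != org_domain else None
    if not apex:
        return "none", 100, None  # no DMARC anywhere: unauthenticated mail is accepted
    policy = apex.get("sp", apex.get("p", "none")).lower()  # sp= overrides p= for subdomains
    return policy, int(apex.get("pct", "100")), org_domain


def audit(domains, records, org_domain=ORG_DOMAIN):
    """List every domain whose effective policy is not a full p=reject, with the reason."""
    findings = []
    for name in domains:
        policy, pct, source = effective_policy(name, records, org_domain)
        if policy == "reject" and pct == 100:
            continue
        if source is None:
            why = "no DMARC record"
        elif source != name:
            why = f"inherits {policy} from {source} subdomain policy"
        elif pct < 100:
            why = f"pct={pct} applies {policy} to only part of the mail stream"
        else:
            why = f"explicit p={policy}"
        findings.append((name, policy, pct, why))
    return findings
```

Replacing SAMPLE_TXT with live TXT lookups (and the domain list with the subdomains that actually send mail) turns this into the 90-day migration tracker the recommendation calls for.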
Continuous secret-scanning + commit-hygiene across DB GitHub and internal repos
Adopt pre-commit secret scanning (gitleaks, truffleHog) across all DB-administered repositories; integrate alerts into the SOC pipeline; rotate any credential surfaced in scan, paste-site, or external aggregator output (HudsonRock, XposedOrNot, hudsonrock_email) within 24h of detection.
Sanctions-controls compliance dashboard with cross-jurisdiction view (UK OFSI + EU + US OFAC + DE BaFin)
Maintain a single compliance dashboard reconciling sanctions designations across UK OFSI, EU consolidated list, US OFAC, and DE BaFin enforcement actions, with automated reconciliation against transaction monitoring rules. Build in evidence-of-tuning provenance so that any future post-incident review (e.g., a successor to ent_153) can demonstrate forward-looking calibration rather than reactive only.