22 June 2007

Private Equity: Nexus of Risk...

In recent comments in the main stream security media we have heard that convergence is over. It means that the arguments are over on whether convergence is a highly debated topic, not that it is still occuring. In fact, it is speeding up with M & A activity and the private equity surge to buy and sell large global enterprises.

Why would a company like Blackstone Group do an MBO with a company like Intelenet Global Services? Convergence in information technology is still happening under the umbrella of Business Process Outsourcing (BPO) at a rapid pace. More layoffs and elimination of redundant data centers, call centers and customer service centers is a tremendous business. Especially when you are trying to gain control, slice up and sell companies like Sungard, Nielson and other significant investments in critical infrastructure. It's going to be a deja vu moment anytime soon. When you are operating a private equity firm with so many facets you require special people with power and to give you advice. That is why Paul O'Neil is only a phone call away from the Senior Managing Directors at BX.

What kind of Operational Risks are happening within the portfolio of private equity firms like Blackstone as they try to achieve economies of scale and convergence? The same kind that exist within any organization that is focused on convergence and divergence of information simultaneously. Centralize telecom and decentralize risk management to the business units. Centralize information processing and decentralize access through mobile devices. The list goes on.

Execution, Delivery & Process Management

Losses from failed transaction processing or process management, from relations with trade suppliers and vendors. This includes Transaction Capture, Execution & Maintenance Miscommunication, Data entry, maintenance or loading error Missed deadline or responsibility, Model / system misoperation Accounting error, entity attribution error, Delivery failure, Collateral management failure Reference data maintenance, Monitoring & Reporting Failed mandatory reporting obligation, Inaccurate external report (loss incurred), Customer Intake & Documentation Client permissions / disclaimers missed Legal documents missing / incomplete, Customer / Client Account Management Unapproved access given to accounts, Incorrect client records (loss incurred), Negligent loss or damage of client assets, Trade partners, non-client vendor misperformance and vendor disputes.

Business Process Outsourcing (BPO) and Business Process Management (BPM) are being hailed as the answer to mitigating much of the operational risk exposures. It is also about creating new found synergies and elimination of redundant systems in order to drive greater return on investment. Yet all of the enterprise architecture, IT reengineering and Six Sigma / Lean will not change the current and impending threat to our interdependent Internet Protocol (IP) linked economy.

John Schwarz from the New York Times highlights the reality of the possibility of an Internet Armageddon. "ANYONE who follows technology or military affairs has heard the predictions for more than a decade. Cyberwar is coming. Although the long-announced, long-awaited computer-based conflict has yet to occur, the forecast grows more ominous with every telling: an onslaught is brought by a warring nation, backed by its brains and computing resources; banks and other businesses in the enemy states are destroyed; governments grind to a halt; telephones disconnect; the microchip-controlled Tickle Me Elmos will be transformed into unstoppable killing machines."

Private sector companies that are owned or controlled by large private equity and alternative investment hedge funds may be even more at risk and the target of both nation state (China) and non-state actors (Al-Qaeda in Europe). Getting access to the information on the future plans, strategy and architecture of protecting critical infrastructure companies is a priority by those who wish to wage a simultaneous salvo of both digital and physical attacks.

A major hurdle that nations face in defending their critical infrastructures is working with the entities that actually own their countries' telecommunications networks, electrical grids, and transportation systems. This is a major issue in the United States, given that the private sector owns more than 85% of the critical infrastructure and doesn't take kindly to government demands that shareholder money be invested in protection rather than expansion.

Cooperation between government and private-sector critical infrastructure owners is essential. "When it comes to information warfare, corporations in general are no match for a trained [enemy] intelligence officer," David Drab, a 27-year veteran of the FBI who retired in 2002 and is now principal for information content security with Xerox Global Services, said in an interview. These officers have an objective, they have resources, and often they have the element of surprise on their side, he added.

Acceleration of private equity investments puts control of managing the vital lifeblood of information into the hands of Senior Managing Directors, CIO's and Project Managers at the BPO third parties. The nexus of thinking from these participants is to do what ever it takes to converge operations and eliminate redundancy. One can only hope that they are becoming together to discuss the same topics as other large financial institutions. The East Coast Buildings Plot is just one example of why this is imperative.

In publicly released statements, bin Laden has also stressed his “policy” of “bleeding America to the point of bankruptcy.” And an excerpt from the Al Qaeda publication Sawt al-Jihad states:

“If the enemy has used his economy to rule the world and hire collaborators, then we need to strike this economy with harsh attacks to bring it down on the heads of its owners. If the enemy has built his economy on the basis of open markets and free trade by getting the monies of investors, then we have to prove to these investors that the enemy's land is not safe for them, that his economy is not capable of guarding their monies, so they would abandon him to suffer alone the fall of his economy.”


19 June 2007

FACTA: The Writing is on the Wall...

Now that the financial community is wiping their brow with a sigh of relief on this latest Supreme Court ruling, what can a General Counsel or Chief Risk Officer expect? Will the adversarial train of plaintiff suits slow down and come to a halt. Not likely.

The U.S. Supreme Court's ruling that blocks investors from suing Wall Street investment banks under antitrust laws could save Wall Street firms a bundle by limiting investors to smaller recoveries.

In a case dating back to the dot-com bubble, the high court ruled Monday that antitrust suits would pose a "substantial risk" to the securities market. Damages in antitrust cases are tripled, in contrast to penalties under the securities laws.

The ruling struck down a lower court decision that would have allowed investors to go after Wall Street firms that they say engaged in anticompetitive practices by conspiring to drive up prices on about 900 newly issued stocks in the late 1990s.

Because the well-documented implosion of names like Enron Corp. swallowed any serious money that investors might hope to recover from that and other flame-outs, some investors have turned to the banks and other Wall Street regulars such as accounting firms that did work for such companies.

Wall Street institutions in the case before the Supreme Court were Credit Suisse Securities (USA) LLC, formerly Credit Suisse First Boston LLC; Bear, Stearns & Co. Inc.; Citigroup Global Markets Inc.; Comerica Inc.; Deutsche Bank Securities Inc.; Fidelity Distributors Corp.; Fidelity Brokerage Services LLC; Fidelity Investments Institutional Services Co. Inc.; Goldman, Sachs & Co.; The Goldman Sachs Group Inc.; Janus Capital Management LLC; Lehman Brothers Inc.; Merrill Lynch, Pierce, Fenner & Smith Inc.; Morgan Stanley & Co. Inc.; Robertson Stephens Inc.; Van Wagoner Capital Management Inc.; and Van Wagoner Funds, Inc.

These institutions may not have "Anti-Trust" anxiety from the Supreme Court any longer yet there are plenty of other Operational Risks on their minds. Namely International Fraud.

In an era of data warehousing, metadata management, business process management and the looming BASEL II Accord there are plenty of conversations about what to do about fraud and other regulatory compliance. Multi-factor authentication for online banking systems is not a trivial matter when it comes to Enterprise Risk Management. Is the customer service organization ready for the upgrade? Is the consumer going to be confused on what questions they are being asked to get access to their latest online credit card statement? What is my customer "churn" factor? In other words, how many of my customers are jumping ship as a result of the operational risks that have turned their loyalty into consumer driven class action fraud litigation?

An International Banking Fusion Center is on the horizon and it's not too far from the same justification that addresses Know Your Customer (KYC) and the financing of terrorism.

According to one study respondent, "Organizations are secretive of fraud losses and that inhibits our ability to work together."

"The sharing of intelligence is key to being able to take advantage of the predictability of fraud," First Data's Barwell continues. "Banks are sitting on valuable data that, if analyzed innovatively, could provide fraud intelligence worth sharing. One major bank has shown that if their internal client databases across business lines and geographies are analyzed using sophisticated link analysis tools, spurious networks of accounts can be uncovered and, when fully investigated, could uncover organized networks of first-party fraud accounts."

Barwell adds that several U.S. banks have expressed interest in taking the "quantum leap" to true data sharing.

The International Language of Fraud

"In the last eight to 10 years, fraud has really gone international," says Steve Baker, director of the Midwest region of the Federal Trade Commission (FTC). The FTC maintains a Consumer Sentinel database that includes more than 3.5 million consumer fraud complaints and is accessible to more than 3,000 law enforcement agencies internationally. In 2006, 22 percent of the reported fraud was cross border.

So What? What does information sharing have in common with:

International fraud, Identity Theft and the risk of litigation within the banking or credit card industry. Now the bankers want to sue the retailers and recover losses for the lack of privacy and security controls at the retailers. Since December 2006, plaintiffs’ class action firms in California and elsewhere have filed over 200 nationwide class actions in federal court against a broad spectrum of retailers and restaurants alleging violations of the Fair and Accurate Credit Transactions Act ("FACTA"). In addition to California federal courts, FACTA cases have been filed recently in federal courts in Pennsylvania, Illinois, New Jersey, Nevada, Maryland and Kansas.

13 June 2007

ID Theft: The Innocent Insider...

If you were a betting person you might think that the threat of 1 Million Botnets is a greater Operational Risk than a "lone wolf insider". What is the likelihood that one person will impact your business and disrupt your operations vs. the power of thousands of rogue computers unleashing a salvo of malicious code or denial of service attacks on your institution?

A botnet is a collection of compromised computers under the remote command and control of a criminal “botherder.” Most owners of the compromised computers are unknowing and unwitting victims. They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy.

“The majority of victims are not even aware that their computer has been compromised or their personal information exploited,” said FBI Assistant Director for the Cyber Division James Finch. “An attacker gains control by infecting the computer with a virus or other malicious code and the computer continues to operate normally. Citizens can protect themselves from botnets and the associated schemes by practicing strong computer security habits to reduce the risk that your computer will be compromised.”

Yet there are individuals within your own organization who lie in wait, innocently. For the right timing and the right vulnerability to be exploited. They have been unknowingly planning and operating under cover for years and are masters at evading detection. In the Executive Suite, the "Bot" may operate in the background or under the radar of management audits and risk management control mechanisms. So how do you catch them or at least detect their presence? Send everyone on vacation.

When was the last time you had the fraud investigators training the internal auditors? When did you last utilize a "True" Independent outside advisor, investigator or consultant to assist your CISO in early detection. If you have 10,000 employees, 99.x% of these employees are hard working and honest people without any hidden agenda to bring harm to the organization or individuals inside the company. However, not all who would bring harm to you are stealing money or other physical assets from the warehouse. We aren't talking about a few items from the office supplies closet or a case of beer from the 7-11.

We are talking about the one employee who is operating a "Botnet" from behind the walls of your Fortune 50 company. Do you have anyone sharing pictures or music in the executive suite? Without you detecting it.

We define peer-to-peer, bot, and botnet below.

  • peer-to-peer - A peer-to-peer network is a network in which any node in the network can act as both a client and a server.
  • bot - A bot is a program that performs user centric tasks automatically without any interaction from a user.
  • botnet - A botnet is a network of malicious bots that illegally control computing resources.

Some definitions of peer-to-peer networks require no form of centralized coordination. Our definition is more relaxed because the attacker may be interested in hybrid architectures. Our definition of a bot is not inherently malicious. However, the malicious nature of a bot is implicit under some contexts. Finally, we do define a botnet to be malicious in nature.

The case study of the Trojan.Peacomm bot demonstrates one implementation of peer-to-peer functionality used by a botnet. That "Lone Wolf" in your organization could be your innocent administrative secretary and they don't even know it.

10 June 2007

The New New Math: Corporate Responsibility...

The "New New Math" (N2M) is the evolution of economics and return on investment in the modern day organization. Is it a hybrid equation of a previously published and patented algorithm? An upside down or inside out way of justification for new resources or or just new emphasis on the latest shareholder suit. The N2M is something all too often found in the most successful corporations across the globe and it's starting to see the light of day as a result of increasing Operational Risks.

Another way of looking at and understanding the "New New Math" for investment can be found in the roots of what some would say is just good old fashioned Corporate Social Responsibility (CSR):

Corporate Social Responsibility (CSR) is a concept that organizations, especially (but not only) corporations, have an obligation to consider the interests of customers, employees, shareholders, communities, and ecological considerations in all aspects of their operations. This obligation is seen to extend beyond their statutory obligation to comply with legislation.

CSR is closely linked with the principles of Sustainable Development, which argues that enterprises should make decisions based not only on financial factors such as profits or dividends, but also based on the immediate and long-term social and environmental consequences of their activities.


So the N2M on Return on Investment is now being considered across the enterprise and the Board of Directors meetings. ROI discussions are shifting away from the typical GAAP dialogue and more directed at whether new strategic initiatives are "The Right Thing To Do." When you have executives nodding their heads in the meeting about making positive decisions to invest millions of dollars in corporate initiatives based upon it's "The Right Thing To Do" justification, you are experiencing the "New New Math" (N2M)

Making strategic decisions on CSR and N2M is quickly becoming the emotional reasoning and rationale for many corporate enterprise investments. Measuring the ROI doesn't always come in a percentage of dollars invested or a normal way of thinking about getting a return. Many times the executives who champion these initiatives have an underlying reason for doing so that reaches into their personal lives. So when you invest in more robust security for the company or significant programs to increase the protection for key employees, that ultimate driver could be as simple as losing a fellow colleague to kidnapping or the latest law suit.

How your organization is perceived internationally may dictate the degree of risk for your traveling executives. The attack on an employee may be an attack on your "Brand" and what the general public believes that you stand for, in the "minds eye" of the media blur.

Why us?
Where businesses are the target of terrorism, it is usually because of what they represent, rather than anything they do or don’t do themselves. Global brands can assume symbolic significance for terrorists. The US National Counterterrorism Center’s list of significant terrorist events describes 24 attacks on McDonald’s restaurants between 1993 and 2005 worldwide.

Of the minority where responsibility was claimed, motivation for the attacks included nationalism, anti-globalisation, religion and Marxism – but in each case the perpetrators objected to the restaurant as a symbol of America, not a purveyor of products. Mr Jenkins notes that, before 9/11, the two best correlated predictors of whether a US firm would suffer an attack were size and familiarity to the public – corporate behaviour, even philanthropy, was inconsequential. Added to this is the very real possibility of risk displacement: business targets are often easier to hit than government facilities or sites.

Attacks on your organziation or employees don't always have to take a violent twist. Many times these are orchestrated under the cloak of a "personal scandal" or even the filing of a civil Intellectual Property litigation. Legal Risk is a consistent threat to the enterprise and is far often the most effective way of bringing down the house in terms of putting a cloud of uncertainty and speculation about a company that may be in, a competitors "cross hairs."

A week after the public learned of Qualcomm Inc.'s bombshell admission that it withheld potentially thousands of important documents in a high-stakes patent trial against Broadcom Corp., many in the intellectual property community are still buzzing about the gaffe.

The case is even more striking because the attorney who has publicly apologized for Qualcomm's error has a strong reputation in his field, as does his firm. Yet several attorneys say it's still too early to assign blame for the error.

"Whenever there are accusations of concealment of evidence and they prove to be true, there definitely is going to be harm to the lawyers and the parties," said Anup Tikku, an IP associate with Kirkpatrick & Lockhart Preston Gates Ellis, who has followed the case closely. "What I find difficult to understand is how Qualcomm interviewed witnesses, put them on the stand and did not realize these documents existed."

Corporate Social Responsibility extends to Enterprise Litigation Governance and goes well beyond just understanding electronically stored information (ESI). The "New New Math" on doing the right thing in preparation for legal risk are taking on new dimensions as the implications of judgements in favor of the plaintiff set new legal precedence and case law. The Board of Directors and executive management are getting the message that protecting their employees from violence and politically motivated terrorism is just as imperative as preparation for adversarial law suits.

When you hire a defense firm and they get blindsided about eDiscovery or Enterprise Content Management (ECM) and your own Records Management and IT personnel are scratching their heads, your "Brand" is going to take hit. The operational risks associated with a lack of preparedness and a limited strategy for preemptive action calls for the "New New Math." It's coming to a board room near you and when it does, don't be surprised that the investment decisions are based more on emotion than on your controllers 27 pages of hard numbers.

07 June 2007

Risk Visualization: Enterprise Prevention...

When bankers start talking about how to reduce fraud and other critical operational risks across the institution there is going to be plenty of debate. Where do you focus your resources and investments in order to get the best ROI and economic value? If you thought the pornographers were the leading ledge of innovation on the Internet, there is a new breed of international criminals and corporate attackers that have emerged at the top of the pyramid. Financial services organizations are taking an enterprise view of global risk prevention to try and keep ahead of these increasingly clever and technology oriented crooks:

Fraud likely has been around in some form for as long as people have been using banking services. But while the crimes remain a constant for financial institutions, the methods for perpetrating them have become just as diverse as the products and services offered by banks. Today's financial institutions have to be on their toes more than ever to keep that one important step ahead of fraudsters.

This isn't easy in a world where fraud has become the domain of organized crime rings with vast resources that often are out of reach of domestic law enforcement. "We're seeing an increase in losses across all fraud types in the context of fraud rings being more organized and sophisticated with their use of technology," says Christopher Ward, SVP and manager, payables and receivables solutions, with Charlotte, N.C.-based Wachovia ($707 billion in assets). "But [banks'] ability to detect and stop losses is growing faster than the losses themselves."

"The bad guys are more ingenious today," adds Milton Santiago, SVP, head of electronic banking products, for ABN AMRO (Amsterdam; US$1.3 trillion in assets) in Chicago. "For example, in traditional check fraud, they'd wash the entire check and alter all the information on it. Once positive pay was introduced, criminals got wise to this and just modified the payee information. So banks responded and developed payee positive pay."


Having an enterprise view of holistic risk is the "Holy Grail" and some would say that focusing on the account and not more on the customer is the wrong approach. What is clear about the online evolution of fraud activity is that social engineering is working in the exploitation game. Hardening all of the systems with two factor authentication or even IP Geolocation is just part of a layered risk strategy:

The US Federal Financial Institutions Examination Council (FFIEC) has issued guidance stating that banks must better authenticate the identity of their Internet customers by the end of 2006. There are of course a number of possible solutions. These include shared secrets, security tokens, and even biometric devices. Many, however, are cost-prohibitive and can negatively impact customers’ online banking experiences. And crucially they all fail to identify one vital element: where the account is being accessed from. This is an important indicator of whether the person accessing an account really is your customer. That’s where IP geolocation comes in.

Working from within the walls of your institution trying to figure out how to protect your assets and your customers is merely a myopic strategy. The attackers are moving too fast and have access to the same tools in their labs where they utilize their own methods and processes for exploiting the vulnerabilities in your latest applications. Now that you have spent millions on implementing that new AML or fraud detection system, are you sleeping any better at night?

True strategic analysis of risk and the convergence of relevant data makes scenario development, proactive planning and open source intelligence an area that requires consistent attention. Simulations and evaluation of possible physical and digital exploits that haven't even been detected yet could provide the proactive and preventive advantage you have been seeking. What is your latest hypothesis? Have you tested it effectively to determine the likelihood and impact of success?

Training and practicing for the unknown and unthinkable puts you and your team in a more resilient mode to survive the next attack. Whether it's through the front door, the suppliers back door or through the copper wire into your customers home or business office, detection is critical. Anticipation and deterence is imperative.