27 February 2007

Whistleblower: The FCPA & Voluntary Disclosure...

Operational Risks involving people are happening everyday in your organization. It may be going on for a day, a week and sometimes years. But at some point someone has to tell someone before it gets violent or the company loses any more corporate assets.

What is the anonymous phone number at your organization to phone in the "Whistleblower" information? Who is responsible for the follow through on investigations? How can you insure against employee confidentiality and any possible reprisals?

In most cases the call is by phone and not by some other method. It is rarely a hoax and the hotline is keeping tabs on the subordinate / management battle over half of the time.
What's the best way for an employee to blow the whistle on fraud or related infractions? The most popular way seems to be via hotlines or similar reporting tools. According to a joint report from the CSO Executive Council, an organization of corporate and government security executives, and The Network (a hotline provider), almost two-thirds of the nearly 200,000 reports it studied were made via hotlines without first alerting anyone in management.

Few of those alerts prove to be false alarms. The study, which tracked incidents at 500 organizations over the past four years, found that 65 percent of the reports were serious enough to warrant investigation, while 46 percent led to some type of action being taken. Corruption and fraud accounted for 10 percent of the incidents, well behind personnel-management situations (51 percent). Company and professional-code violations accounted for 16 percent and employment-law violations 11 percent.

Compliance with an effective Whistleblower program is just the beginning of developing a culture that has a zero tolerance for the kinds of risks that make an HR manager or General Counsel have constant nightmares. This is certainly the case on the front lines where business is being transacted and deals are being cut on a global basis. Is there sufficient due diligence to determine whether any party in the transaction is not in violation of the Foreign Corrupt Practices Act (FCPA)?
By definition, FCPA crimes generally occur thousands of miles outside of the United States. Why would counsel advise a corporate client to bring such activities to the attention of the SEC or the DOJ? Is it necessary to self-report when, as a good corporate citizen, the client has investigated thoroughly, corrected the problem, and taken substantive remedial measures including firing the wrongdoers and correcting the financials?

Having the possibility of a deferred prosecution agreement is the strategy utilized more often than you would think these days. In any case, SOX requires a Whistleblower program, and the next phone call may have to do with that last big deal that closed last quarter. Why Voluntary Disclosure?
The DOJ's "Principles of Federal Prosecution of Business Organizations," commonly known as the "Thompson memorandum" and published in 2003 on the heels of SOX, also played a significant role in the surge of voluntary disclosures. The Thompson memorandum placed an "increased emphasis" on a company's cooperation with the government when considering whether to prosecute. Voluntary disclosures were an important part of that cooperation.

At the end of the day all of the auditing will never catch the people that know the system. That is why the anonymous phone number can make all the difference in mitigation of significant risks to your enterprise.

23 February 2007

The Board Room: IT Strategy Focus...

A new survey or 400 directors published in the March/April issue of Corporate Board Member Magazine by Deloitte Consulting has some interesting insights. In regard to the use of Information Technology as important or very important to insure success in various areas of the business:

  • 69% say implementing the right IT strategy is "very important" in compliance.
  • 66% in learning about and retaining customers.
  • 57% in managing risk.
  • 50% in competitive positioning.

So how come only 14% say they are "completely and actively involved" in IT strategy?
Boards of Director's are in the dark and this won't be changing very dramatically unless you are the result of a significant incident such as T.J. Maxx:

According to The Boston Globe today, TJX Companies has stated that a data breach it revealed last month may have occurred a year earlier than investigators initially thought. The company operates the retail outlets T.J. Maxx, Marshalls and HomeGoods (2,500 stores in the United States), so the earlier date of the hacking may mean millions more customers were exposed. The company declined to give numbers, however.

TJX discovered the breach in December 2006, and it made news on Jan. 18, 2007. At that time the company reported that hackers may have made off with credit and debit information from transactions in the United States, Canada and Puerto Rico from some months in 2003 as well as transactions between May and December 2006.

Yesterday, according to the Globe, TJX said a systems review revealed that intrusions had occurred as early as July 2005, not May 2006.

This trickle of data breaches spread over time led some experts to judge the corporation’s computer systems outdated, weak and not up to card-company security standards.

Information Technology strategy and the amount of effort or time a Board of Directors spends on it is most likely determined by the CEO. If they trust the Chief Information Officer and what they are doing, then they leave it alone. This is becoming an area under greater scrutiny by Directors as these kinds of incidents occur on a more regular basis in the news. However, just because it's not in the news, doesn't mean that it's not happening today at your institution.

There is another war brewing between the banks, retailers and the credit card issuers about who is the guilty one. At the end of the day, consumers will lose. Even pressure by VISA and others to make sure merchants are in compliance with the laws around encrypting data and the storage of the data may not be enough. The retailers have already started their lobbying efforts:

As information security has become a major focus of consumers, governments and businesses alike, the care with which companies protect credit card data has become increasingly important. In many instances, the Achilles heel of data security is a lack of application controls.

Encryption alone is not the answer. With most of the encryption techniques, the same key is used to lock and unlock the data. The problem is: How do you secure these keys in the POS application? Once these keys are compromised, the "secured" data is no longer secure.

The best way to secure data is to not store data. A technology knows as “tokenization” offers a greater level of security by substituting a unique identifier (a token) for a card number, so the card data is never in the system. This token is a random unique value and has no way to be deciphered to gain knowledge of the associated card information. With tokenization, the merchant swipes the card data and sends the information through a gateway to a processor and receives back an approval. But instead of sending the card data itself back to the merchant and the POS system, it is converted to a token: a globally unique, randomized representation of credit card data that is 16 characters long. Only the token is stored in the system.

The token spans the lifetime of the transaction so it provides full support for tips, tabs and incremental authorizations. The merchant does not need the card number or data past the initial request, so storing this information is unnecessary. The entire liability to protect the card data is now on the gateway, where it should be. The primary objective of tokenization is to enable businesses to operate normally while not storing the sensitive data that is the target of data thieves. This technology also eases the burden of compliance for merchants. If no data is stored on site, the merchant has a significantly reduced PCI compliance burden.

The Board of Directors who discuss IT strategy on a regular basis perform better financially and those who don't may be paying the price.

18 February 2007

Economic Intelligence: Wake-up Call...

Chris Cooper plays a traitor in the movie based on the true story of Robert Hanssen. "Breach" is a wake up call for the United States to continue its counterintelligence initiatives with vigor. However, this story is written not from the perspective of Hanssen, but that of another FBI employee who assisted in his capture and prosecution.

Based on the true story, FBI upstart Eric O'Neill enters into an operational risk power game with his boss, Robert Hanssen, an agent who was ultimately convicted of selling secrets to the Soviet Union. Eric now lives in Washington, DC and is an attorney, he never became an FBI agent. His role played by Ryan Phillippe, shows the audience how even Eric was skeptical that someone like Hanssen could be a traitor.

Critical to the agency’s ability to arrest and convict Hanssen was the placement of 26-year-old special surveillance operative Eric O’Neill in Hanssen’s office. Working directly under Hanssen, O’Neill was able to provide the team of investigators with information needed to take down one of the worst spies in the history of the United States.

Shortly after being intimately involved in the Hanssen investigation, O’Neill left the FBI to study law. O’Neill also took time to work on a book based on his experiences, which ultimately led to Breach, a film about his involvement in the Hanssen case.

Counterintelligence is the number 2 priority behind Counterterrorism at the FBI.

The Cold War is not over, it has merely moved into a new arena: the global marketplace. The FBI estimates that every year billions of U.S. dollars are lost to foreign competitors who deliberately target economic intelligence in flourishing U.S. industries and technologies, and who cull intelligence out of shelved technologies by exploiting open source and classified information known as trade secrets. Foreign competitors who criminally seek economic intelligence generally operate in three ways to create their spy networks:

1. They aggressively target and recruit susceptible people (often from the same national background) working for U.S. companies and research institutions;

2. They recruit people to locate economic intelligence through operations like bribery, discreet theft, dumpster diving (in search of discarded trade secrets), and wiretapping; and,

3. They establish seemingly innocent business relationships between foreign companies and U.S. industries to gather economic intelligence including classified information.

In an effort to safeguard our nation's economic secrets, the Economic Espionage Act (EEA) was signed into law on October 11, 1996.

How to Protect Your Business from Espionage: 6 steps
1. Recognize there is a real threat.
2. Identify and valuate trade secrets.
3. Implement a definable plan for safeguarding trade secrets.
4. Secure physical trade secrets and limit access to trade secrets.
5. Confine intellectual knowledge.
6. Provide ongoing security training to employees.

14 February 2007

OPS Risk: The Bishop vs. A Stolen Laptop...

Now that the news is in the mainstream media about the recent threats to financial institutions, one can only wonder how soon this case will be solved. The Bishop is being compared to the "Unabomber". Profilers believe that he is white male, a loner with dangerous beliefs that he can manipulate stocks.

The U.S. Postal Inspection Service is alerting financial firms of potential danger from a would-be letter bomber after companies in Kansas City and Denver were targeted with explosive devices and threatening notes, an agency spokeswoman said on Monday.

Working with the Securities and Exchange Commission, the Postal Inspection service is trying to obtain contact information for thousands of financial companies to warn them of the threats, said spokeswoman Wanda Shipp.

"The events may be linked, and the recipients were probably not selected at random," the postal advisory reads.

The action comes after Stratfor, a global intelligence firm, last week issued a warning that pipe bombs addressed to American Century Investment Management Inc. in Kansas City and Janus Capital Group in Denver appeared linked to someone known as "the Bishop," who has threatened at least six financial firms since 2005.

The Chief Security Officer's at these institutions have a primary duty of care to insure the safety of employees whenever threats of this magnitude take place. There is no "Radar" that can alert you to when the next incident will occur. This is why many institutions have taken a new "Operational Risk" perspective when it comes to the hazards and events that may impact the business.

A true Operational Risk perspective has it's roots in understanding exposure to risk and the likelihood of an event occuring. Yet how could one ever predict the rise of another so called Unabomber? The fact is that you don't. This is why you must have an "All Hazards" worldview operating within the culture of your organization. The threat could be an innocent looking priorty mail package with a pipe bomb or a thick brown envelope containing the latest class action law suit. You have to be operating in a complete state of preparedness for whatever the next incident brings.

What ORM Is Not . . .

  • About avoiding risk
  • A safety only program
  • Limited to complex-high risk evolutions
  • A program -- but a process
  • Only for on-duty
  • Just for your boss
  • Just a planning tool
  • Automatic
  • Static
  • Difficult
  • Someone else’s job
  • A well kept secret
  • A fail-safe process
  • A bunch of checklists
  • Just a bullet in a briefing guide
  • “TQL”
  • Going away
While this incident entering the mail room has slowed down a few institutions, there is another battle going on in a different part of each business that is a whole different type of risk. This has to do with the frequency and the pervasive spectrum of new risks across the enterprise:

The U.K.’s financial services regulator has levied a heavy fine against the nation’s largest building society over a stolen laptop containing confidential customer information.

The Financial Services Authority (FSA) fined Nationwide Building Society 980,000 (US$1.9 million [m]) for "failing to have effective systems and controls to manage its information security risks," the regulator said.

Nationwide, which has about 11 million customers, did not realize the laptop contained customer information and waited three weeks before starting an investigation, the FSA said.

The speed of change in the connected economy...

08 February 2007

eDiscovery: The New Digital Age...

What does Operational Risk have to do with legal liability? Digital Forensics is a growing discipline across the landscape of corporate, legal and academic institutions. The volumes of electronic information involved in new litigation and investigations calls for expert practitioners and witnesses to make sure that evidence is uncovered, preserved and presented without spoilation. The era of eDiscovery is upon us.

Analyzing the data and making sense of all of it by the investigator is getting easier yet we have a long way to go. This area of event reconstruction or forensic timeline editor is now becoming a reality:

The area of event reconstruction in computer forensics deals with analyzing and evaluating data obtained from a system and use it to determine what happened. The data recovery process is a well-covered area within computer forensics, but little work has been done on how to actually analyze and evaluate the data. Only very crude tools, such as mactimes or individual log analyzers, exist. A comprehensive event reconstruction on a system that takes into account data from various sources, such as file MAC times, system logs, firewall logs, and application data, is mostly done manually by the investigator. With storage capacities growing rapidly and systems permanently being connected to global networks more and more, it is not uncommon that the number of events recorded by a system easily goes into the hundreds of thousands.

This remains only a small facet of the real problem when it comes to finding what is relevant for litigation. In the context of legal discovery, the days of making copies and filing them in boxes is being dwarfed by the newest Federal Rules of Civil Procedure (FRCP) and the preservation of metadata. The best of breed answers to the digital discovery revolution can be found at Stratify, an emerging player in the automated eDiscovery spectrum of software solutions.

Optimize Litigation Readiness

General counsel together with their outside counsel need an effective means to manage documents and emails from key custodians and/or on specific topics in advance of litigation or regulatory discovery requests. When they receive a discovery request they need to be able to easily and quickly select sets of documents for review and analysis in their eDiscovery application.

The Stratify Legal Discovery™ service was designed to fulfill these requirements as the most easy-to-use, efficient eDiscovery solution available to law firms and corporate counsel.

Electronic Document Retention and Production has been a subject of great importance for many years inside law firms and the legal departments of the Fortune 500. The Sedona Conference has forged the way in providing guideance and some best practices to consider when embarking on this challenging mission. The question is, who is looking out for the Russell 2000 small cap company or mid-sized enterprise business? A single person may even represent the legal team, as the sole General Counsel.

Operational Risk includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institutions activities.

It's just a matter of time if you are in a highly regulated business sector that the time will come for your day in court. Make sure you are ready long before the phone rings or the papers are served. What is the source of the personal identifiable information that has caused this wave of consumer based fraud?

The FTC has released it's study on the methods, origins, victims and costs today of ID Theft. The odds are that the data breach may not be what puts you on the hot seat.

The US futures regulator, the Commodity Futures Trading Commission, has filed a complaint in the District Court for the Northern District of Georgia against New York-based hedge fund manager Cornerstone Capital Management and its chief executive, Joseph Profit of Atlanta.

The complaint alleges that Cornerstone and Profit violated the anti-fraud provisions of the Commodity Exchange Act and a CFTC regulation. On January 31, US district judge Richard Story issued a restraining order freezing the defendants' assets and prohibiting them from destroying documents or denying CFTC staff access to books and records.

06 February 2007

Self-Regulation: NERC Get's Proactive...

Now that the power sector and electrical utilities are going public with their acceptance of converged standards, other sectors may not be far behind. Some of the regulated critical infrastructure sectors have been working towards an industry wide set of controls that must be implemented and audited. Who will be next?

The North American Electric Reliability Council's new cybersecurity standards for critical infrastructure protection have eight categories, which apply utility risk management analyses to networked systems. A thumbnail description of the main areas:

  • Critical cyberassets
  • Security Management Controls
  • Personnel and training
  • Electronic security
  • Physical security
  • Systems Security Management
  • Incident Reporting and Response Planning
  • Recovery plan
You can bet that the drafting team has pulled their language from many of the standards that have already been in practice for years. In fact, most of the launch point for this effort came from work done soon after 9/11. How soon other industry sectors decide to adopt this framework will likely be decided by the lobby shops. Politics aside, the electric utility sector has moved into a phase of self-regulation and for good reason.

The huge blackout of Aug. 14, 2003, in which a software glitch at a single electrical provider in Ohio cascaded into an event in which 50 million people in North America lost power, underscored the importance of the reliability standards discussion. But Miserendino says that the group's biggest motivator was the threat that FERC might come in and do the regulating for it. In part, he says, that's because the 2005 Energy Act made FERC responsible for electrical transmission reliability and gave the federal agency the ability to fine utilities for noncompliance.

We can only hope that other Critical Infrastructure sectors take the same initiative sooner than later. As private enterprises, you can do it your way now or face the governments perspective later.

01 February 2007

Future Jihad: Financing Systemic Ideology...

One only has to listen to a few stories from experts in Counterterrorism to realize that vigilance is still the mantra. Yesterday the facts and observations from Walid Phares made us ever so more aware and even more focused on the mission. Funding of the war of ideas.

His point is clear that the funding of education and systemic transfer of ideology across the globe is why we are still so vulnerable. "The class room. The news room. To the War room."
For the United States, winning the War on Terror depends on two battlefields. The first is overseas, where Washington must confront jihadi forces and help allies to win their own struggles with terrorism. This will require the United States to support democratic change abroad, both as a counterweight to jihadist lobbies and as a means of assisting Arab and Muslim democrats to win the conflict within their own societies.

The second, however, is closer to home. Homeland security planners must be thinking seriously about a duo of unsettling questions. First, are jihadists already in possession of unconventional weapons on American soil, and how can the U.S. government deter them? This crucial issue tops all other challenges, for a terrorist nuclear strike on the U.S. has the potential to transform international relations as we know them. Second, how deeply have jihadist elements infiltrated the U.S. government and federal agencies, including the Federal Bureau of Investigation, the Department of Homeland Security, the Department of Defense, and various military commands, either through sympathizers or via actual operatives?

In a recent Economist Intelligence Unit survey on Operational Risk Management the question is asked:

Which of the following types of threats receive the most attention in your organisation's consideration of Operational Risk?

  • 42% - Loss of Data
  • 36% - Systems Failure
  • 28% - Supply Chain Disruption
  • 27% - Worm or Other Malicious code attack
Unplanned downtime of systems was tied with malicious code, next was human error at 26%, human malfeasance such as theft or fraud at 20% followed by a tie for:
  • 15% - Terrorism
  • 15% - Application Failure
Why is terrorism tied for 8th on this list? Maybe it is because institutions have more confidence in our Homeland Security and the FBI than they do in their own IT department. Or could it be the frequency of the threat that puts these items so high or low on the list of concerns. One thing is certain, the financing of "Future Jihad" is not going away.

In fact, the funding mechanisms are morphing and adapting as new Anti-Money Laundering initiatives and Regulator oversight creates even more difficult avenues for terrorist financing to occur. The private sector still remains the Deputy Sheriff as new transactions take place outside the traditional banking controls of Citi, B of A and HSBC. Hedge funds, insurance companies and other broker / dealers still provide the weak link in the chain for tracking the movement of zeros and ones across a global financial grid.

This multi-dimensional problem is not something to ignore. When you really think about Terrorism, what is your definition? What is a terrorist?

The day will come when you finally realize that a terrorist is and could be increasingly responsible for the top 4 items on the EIU list. It's all a matter of your own worldview.