14 September 2009

26 Wall Street: Risk Management Ground Zero...

Today President Obama speaks from the same place on Wall Street where the U.S. government has some of its roots as a nation. The topic, on this anniversary of the demise of Lehman Brothers, is risk management. This ground zero of managing credit, market and operational risk in one of the financial capitals of the globe brings several topics to the discussion table. Liz Moyer makes the point:

It's been a year since the $600 billion bankruptcy filing of Lehman Brothers and the financial market meltdown that forced the government into a multitrillion-dollar rescue of the U.S. banking system.

But for all the talk and hand wringing (and billions in direct government equity stakes in major banks and loan and debt guarantees) there's also been little real progress on how, or if, Washington might regulate its way out of this kind of mess in the future. Don't expect that to change anytime soon, as markets become more, not less, complex and interconnected.

If the American public has witnessed substantial uphill battles with reform for health care, they can be assured that the "Financial Services" lobby will be even stronger. The regulation of institutions such as so-called alternative investment firms (hedge funds) already has many of them leaving the U.S. for safer havens overseas. The trading will continue, and the people behind the unique investment vehicles are getting even more creative. Investors are now buying up pools of insurance products that have to pay out upon people's deaths. Life insurance settlements are being bundled and sold just as toxic mortgages were, and the bets are on with these products, just as they were with the housing market. Are people living longer or dying sooner? I guess that depends on where you live, what you eat and what your family history is.

The creativity of trading new and exotic products will continue, and the watchdogs will have their hands full trying to figure out where to regulate and which agency should have the oversight. Free market capitalism as the regulator has already proven that it doesn't work. Consolidation of the agencies that focus on regulation and compliance enforcement for the financial services and investment industry is a tremendous risk in itself. The systemic root cause of the greed, compensation exploitation and financial product innovation lies with some very smart people. They are the same people who can make a major difference in managing risk in their institutions going forward.

Regardless of the instruments that are invented for trading and the people who trade them, they all rely on one thing: software, and with it escalating requirements for more computing power, terabytes and petabytes of storage, and the operational risks associated with information moving around the planet at almost light speed. The information and bits of data that influence decisions on buy or sell strategies are only as good as the mathematics and the algorithms coded into that software.

The oversight of future financial products and the ability to take new offers to the market must have people looking at the math and the code. The systemic risks that erupted in the world markets over a year ago are a result of a complexity of systems and the speed of change in our connected economy. All of the transparency, accountability and reform of compensation packages will not impact the zeros and ones that make up the sophistication of the trading markets.

A single consumer financial protection agency will make the consumer feel better that the government is looking after them. It will modify behavior in the innovation and it may even close the gaps in the current rule sets. However, the operational risks associated with the confidentiality, integrity and assurance of information will continue to rise. These risks are consistently displayed in the public press and websites such as the Identity Theft Resource Center:

There are currently two ITRC breach reports which are updated and posted on-line on a weekly basis. The ITRC Breach Report presents individual information about data exposure events and running totals for a specific year. The ITRC Breach Stats Report develops some statistics based upon the type of entity involved in the data exposure. Breaches are broken down into five categories, as follows: business, financial/credit, educational, governmental/military and health care. Other more detailed reports are generated throughout the year and posted on a quarterly basis.

It should be noted that data breaches are not all alike. Security breaches can be broken down into a number of categories. What they all have in common is that they usually contain personal identifying information in a format easily read by thieves, in other words, not encrypted. The ITRC tracks five categories of data loss methods:

  • Data on the Move
  • Accidental Exposure
  • Insider Theft
  • Subcontractors
  • Hacking

Yet operational risks such as these are only a piece of the total risk management equation as it pertains to Wall Street, international banking and the so-called systemic risks talked about today. As the Washington Post says:

Warning that "history cannot be allowed to repeat itself," President Obama urged Wall Street on Monday to help jump-start a stalled effort to overhaul the U.S. financial regulatory system and head off a potential reprise of the U.S. economic crisis.

Visiting New York on the first anniversary of the nation's biggest bankruptcy, Obama used a speech at Federal Hall at 26 Wall St., site of George Washington's 1789 inauguration, to rally support for regulatory reform and call on the financial community to take responsibility for avoiding the abuses and failures that led the nation into a financial crisis last year and triggered a global recession.

Our greatest threat is complacency, as was indicated today: that we do nothing in response to the failures of people, processes, systems and external events.

01 September 2009

Social Engineering: Duplicity of Twitter Risk...

The use of commercial-off-the-shelf (COTS) software applications and the revolution of Cyberspace virtual hardware devices connected to the "Cloud" have proactive Operational Risk professionals "burning the midnight oil". How many of your Executive Management and other employees with roles and access to sensitive proprietary information are using Twitter today? Did any of them update their Facebook profile last evening indicating their next travel stop? Are any of these individuals part of the corporate Mergers & Acquisitions team?

The use of social networking tools is not new when it comes to networking with colleagues or updating one's professional experience history. What is less well known is how foreign intelligence agencies and competitive intelligence units within commercial enterprises are utilizing these products and solutions to further their collection of human and program information.

One only has to watch Tony Gilroy's latest movie "Duplicity" with Clive Owen and Julia Roberts to better understand the risks to corporate and national security. Gilroy's progression from the Jason Bourne series to Michael Clayton and now Duplicity and "State of Play" all carry very important lessons for us. Here is the Duplicity synopsis:

Julia Roberts working for the CIA and Clive Owen working for MI6 play competing undercover corporate high level top secret business spies who may or may not be conning each other. The movie shows us what lengths mega corporations will try and go to keep their new product information out of the hands of their competitors. The spies in this case will not even acknowledge their relationship as a sly parallel to regular relationships. The implication here is that most people do not say or trust themselves in relationships, but as spies Julia and Clive have good reason to be wary. Multi-continent travels, many plot twists and counter twists follow. The music is light, the locations are beautiful and evoke the Ocean's movies, and fun is had by all even if you can't always follow the plot.

Are you following someone on "Twitter" who is with one of your competitors? Do you know all of your followers personally? Who is in your supply or customer chain that may be leaking vital information before it's ready for "Prime Time"? What is the point? A hypothesis? Let's see if this makes any sense:

Lockheed Martin has thousands of suppliers. Each of those suppliers is interested in selling their products or services to LMT's competitors to increase their own market share. VirTra is one of those suppliers and provides the following capabilities to Lockheed:

(OTC:VTSI.PK), today announced that VirTra has received another order from Lockheed Martin Simulation Training and Support business for VirTra's newest and smallest Threat-Fire device, the Threat-Fire II.

The Threat-Fire II is a clip-on return fire simulator, similar in function to the Threat-Fire belt; however, the Threat-Fire II is designed to clip onto an officer or soldier's duty belt. The Threat-Fire II is not only small and lightweight to be unobtrusive, but it is also rechargeable and compatible with VirTra's wireless system.

"We are thrilled that Lockheed Martin has ordered our very latest Threat-Fire II. Our Threat-Fire line of return fire are highly effective simulation training aids and it is an honor that an industry pioneer like Lockheed Martin Simulation Training and Support continues to order VirTra's unique training devices,"

You can get to this press release by following this Twitter page, and you ask yourself why this person would be tweeting about Lockheed Martin or VirTra's deal with them:

1,691 Following 1,313 Followers

VirTra Receives Fourth Order from Lockheed Martin Simulation ... http://bit.ly/1ZNuVz

A quick Open Source search reveals that she is a Sales Manager at Harrahs/Rio in Las Vegas. Whether she got this information on the VirTra deal because she is following someone, or because one of her followers sent her this "Tweet" on the press release, does not matter. She could have read this information in the local newspaper or on an RSS feed she has set up for tracking the Defense Industrial Base companies doing business together. What matters is the relevance of this information and the speed at which it becomes known to many, not just a few.

There is no law prohibiting the "Tweeting" of public information, as long as the so-called public information is not subject to national classification scrutiny or is not some kind of insider information subject to review by the SEC. What is more likely is that she is like millions of others on the web who are using social networking to drive you to a web site that is funded by advertising or some other multi-level marketing offer.

This is just one small illustration of the power and the vulnerability that exist with the COTS software operating in our planet's virtual digital cloud today. How we apply its use for the good or the bad of humanity is up to each of the humans behind the keys on the PDA, Blackberry or PC. Therefore, just as the Internet has spawned the age of transnational economic crime, child pornography and cyber extortion plots, so too will these same tools on our mobile devices be leveraged to do us potential harm or good.

Viral Marketing is here to stay and the use of these new age tools to spread the word on a new product, a new stock offering or the sighting of a celebrity on Rodeo Drive in Beverly Hills is exploding:

  • The Ponzi scheme and related investment Pyramid schemes are early examples of viral marketing. In each round, investors are paid interest from the principal deposits of later investors. Early investors are so enthusiastic that they recruit their friends, resulting in exponential growth until the pool of available investors is tapped out and the scheme collapses.
  • Multi-level marketing popularized in the 1960s and '70s (not to be confused with Ponzi schemes) is essentially a form of viral marketing in which representatives gain income through marketing products through their circle of influence and give their friends a chance to market products similarly. When successful, the strategy creates an exponentially growing network of representatives and greatly enriches adopters. Examples include Amway and Mary Kay Cosmetics among many others.

Tom Olzak offers us some great perspective on how to deal with the inevitable digital wave upon us:

Defending against the inevitable

Trying to adequately control new employee use of public social networking by simply telling them to stop is futile, although use of these sites should be addressed in the company’s acceptable use policy. And employee behavior can be modified somewhat by awareness training, but behavior is what it is. Some employees will continue to act in either careless or malicious ways, especially if motivated to do so. However, there are still things you can do, in addition to basic security controls, to mitigate risk, including:

  1. Blocking use of public social networking sites from the office is my strongest recommendation. This will help protect your data or social-engineered information, about your company or network, from finding its way directly from the employee’s desk or your network, to either a social networking site or a friend met at such a site.
  2. Implement DLP (data leakage prevention). Know where and how your data is moving. If an online ‘friend’ of one of your employees happens to gain access because of sharing activities, you will be able to block data loss or at least know it’s happening.
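As an added illustration (not Tom Olzak's or this blog's code), here is a small DLP-style screen in Python that scans outbound social posts for the kinds of leakage described above: confidential codenames, travel disclosures, and deal chatter behind shortened links. The codenames and sample posts are constructed placeholders, and a real DLP product would sit inline on the proxy rather than run as a script.

```python
import re
from dataclasses import dataclass, field

# Constructed policy: terms the organisation treats as confidential (placeholders,
# not real project names). Matched case-insensitively against each outbound post.
CONFIDENTIAL_TERMS = {"project bluebird", "acquisition target", "term sheet"}

# Heuristics drawn from the post above: "next travel stop" disclosures, deal
# chatter about orders and mergers, and shortened links that hide their target.
TRAVEL_RE = re.compile(r"\b(?:[Ll]anded|[Ll]anding|[Ff]lying|[Hh]eading)\s+(?:to|in|at)\s+([A-Z][A-Za-z]+)")
DEAL_RE = re.compile(r"\b(order|contract|deal|merger|acquisition)\b", re.I)
SHORT_URL_RE = re.compile(r"https?://(bit\.ly|tinyurl\.com|t\.co)/\S+", re.I)

@dataclass
class Finding:
    post: str
    reasons: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        # A confidential term blocks the post outright; the other signals are
        # logged so the security team "at least knows it's happening".
        return any(r.startswith("confidential:") for r in self.reasons)

def screen_post(post: str) -> Finding:
    """Return a Finding listing every policy signal triggered by one post."""
    finding = Finding(post)
    lowered = post.lower()
    for term in sorted(CONFIDENTIAL_TERMS):
        if term in lowered:
            finding.reasons.append(f"confidential:{term}")
    travel = TRAVEL_RE.search(post)
    if travel:
        finding.reasons.append(f"travel:{travel.group(1)}")
    if DEAL_RE.search(post):
        finding.reasons.append("deal-chatter")
    if SHORT_URL_RE.search(post):
        finding.reasons.append("shortened-url")
    return finding

def screen_all(posts):
    """Keep only the posts that triggered at least one signal."""
    return [f for f in (screen_post(p) for p in posts) if f.reasons]

# Constructed sample posts: the first mirrors the tweet quoted in this post.
SAMPLE_POSTS = [
    "VirTra Receives Fourth Order from Lockheed Martin Simulation ... http://bit.ly/1ZNuVz",
    "Landed in Bethesda, dinner with the Project Bluebird team tomorrow",
    "Great game last night, go team!",
]

if __name__ == "__main__":
    for f in screen_all(SAMPLE_POSTS):
        print("BLOCK" if f.blocked else "LOG  ", f.reasons, "|", f.post)
```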

Keep your eyes and ears open to what you are saying at the local restaurant or on the phone in the lobby of that big metro area hotel. It could be known to your competitors or your enemies within a matter of minutes.