30 July 2011

Legal Risk: General Counsel Digital Leadership...

Operational risk continues to plague any senior manager who carries the title "Corporate General Counsel", and "Achieving a Defensible Standard of Care" remains as challenging as ever. Boards of Directors now expect digital leadership from the General Counsel. A recent Corporate Executive Board report outlined some of the top-line issues, as summarized in a Corporate Counsel article by Catherine Dunn:

1. Regulatory issues will converge, while regulation of issues will fragment.

What it means: Common issues—such as data privacy, executive compensation, anti-bribery, and antitrust—are gaining importance in the eyes of regulators the world over, says Lee. But countries and states are regulating those issues in different ways, which makes it more difficult for companies—and in-house legal teams—to harmonize their policies.

2. Information will grow exponentially.

What it means: E-discovery requests are getting bigger (think terabytes, not gigabytes) and the quality of meta-data that could be subpoenaed is getting better (like someone's location, as identified by GPS technology). As more and more information comes into play, the study finds, it "will increase the premium of how companies organize and manage their information."

3. Dueling demands for corporate transparency and consumer privacy will collide.

What it means: Consumer demands for privacy will place more emphasis on data security and how companies shore up their IT infrastructure. "The end result for legal departments is that, at the very least, they're going to need to become more [technologically] literate," says Lee. And again, legal teams will also have to deal with a variable set of regulations, depending on where companies operate.

While consumers want to protect their own information, they also want to have more information about corporations, information about executive compensation packages, private conversations between executives, and company investments.

4. The legal department's center of gravity will shift.

What it means: As companies expand into emerging markets to capitalize on growth opportunities, risks will follow. "It's going to be more important for those risks to be managed locally," Lee says. The report hypothesizes, then, that in-house legal teams will become more decentralized, decamping from corporate headquarters for local terrain. "Culture is an often-underestimated factor with regard to risk," Lee adds. Seeing as how different countries identify, report, and react to misconduct in different ways, that will also add to the need for on-site legal teams.

Another facet of this shift is that in-house lawyers will take on additional responsibilities—such as auditing and keeping an eye on corporate integrity and employee behavior.

5. The legal services market will mature.

What it means: If five to 10 years ago companies wondered which law firm to partner with, today it's not just traditional firms that are competing for the work, Lee says. Legal- and business-processes outsourcers are "very good for discrete pieces of work," such as discovery and document review, he says, and that could "rival or surpass the quality of law firms."

How fast is fast enough these days to notify your members or customers that their bank account has been hacked and money has been transferred to transnational criminal syndicates across the globe? Six hours is too long, according to the ruling in this latest suit against Comerica Bank in Michigan, USA:

It started with a simple e-mail that landed in the inbox of Experi-Metal Inc.'s controller, Keith Maslowski, in January 2009. The message appeared to come from the company's bank, and Maslowski followed the directions to click on a link and enter confidential log-in data and other codes as part of routine maintenance. The details are laid out in a lawsuit that the small metal shop in Sterling Heights, Michigan, filed against Comerica. Scam artists used Maslowski's codes to initiate more than 85 wire transfers, moving $1.9 million out of the company's account to China, Estonia, Finland, Russia, and Scotland.

It took the bank only six hours to spot the unusual activity, notify the customer, and stop the transfers. But it wasn't good enough for the federal judge. Court documents show that the company had only two prior transfers in two years. On June 13 U.S. district court judge Patrick Duggan in Detroit ruled that Comerica was responsible for the $560,000 that remained unrecovered because the bank didn't act "in good faith." The judge ruled that "a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier."

Yet another example of the Operational Risks that require more preventive measures from the savvy General Counsel (GC) of 2011 and beyond. To what degree are there other "Tripwires" in place that let the GC act as a nerve center for detecting incidents and behavior that is strange or not normal? After all, you can't be everywhere, and no one can effectively work 24 x 7. So there remains only one answer: automation working with Operational Risk experts.

How do the programmers know how many transfers are outside the normal range? In the case of Comerica, Judge Duggan ruled that six hours was too long to stop the fraudulent transfers. The responsibility for establishing the right business rules can't lie entirely with whoever is doing the programming. Business management, consumers and risk management experts all need to be part of developing the triggers and alerts that allow a faster response to incidents such as this one.
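To make the "tripwire" idea concrete, here is an added example (not code from the original post, the bank, or the court record) of a per-account baseline detector run over constructed wire-transfer records. The history and incident records, the one-hour window, and the thresholds (1.5 times the largest historical amount, twice the historical maximum count per window) are all assumptions chosen for illustration; they are exactly the business rules the paragraph above says should not be left to the programmer alone.

```python
"""Added example: baseline-driven tripwires for outbound wire transfers.

The pattern mirrors the case described above (an account with two transfers
in two years suddenly originating many international wires within hours).
All transfer records and all thresholds here are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed history: two domestic wires in two years.
HISTORY = [
    {"ts": "2007-03-14T10:02:00", "amount": 12000.00, "country": "US"},
    {"ts": "2008-09-02T15:40:00", "amount": 8500.00, "country": "US"},
]

# Constructed burst on the morning of a compromise (first few of many).
INCIDENT = [
    {"ts": "2009-01-22T08:01:00", "amount": 24950.00, "country": "RU"},
    {"ts": "2009-01-22T08:04:00", "amount": 24800.00, "country": "CN"},
    {"ts": "2009-01-22T08:09:00", "amount": 24900.00, "country": "EE"},
    {"ts": "2009-01-22T08:15:00", "amount": 24700.00, "country": "FI"},
    {"ts": "2009-01-22T08:22:00", "amount": 9000.00, "country": "US"},
]


def _ts(t):
    return datetime.fromisoformat(t["ts"])


def build_baseline(history, window=timedelta(hours=1)):
    """Summarise what 'normal' looks like for one account from its own history."""
    if not history:
        raise ValueError("need at least one historical transfer to baseline")
    hist = sorted(history, key=_ts)
    # Busiest trailing window ever seen in the history (at least 1).
    max_in_window = max(
        len([u for u in hist if _ts(t) - window < _ts(u) <= _ts(t)]) for t in hist
    )
    return {
        "window": window,
        "max_in_window": max_in_window,
        "max_amount": max(t["amount"] for t in hist),
        "countries": {t["country"] for t in hist},
    }


def evaluate(baseline, seen, new):
    """Return the names of every tripwire the candidate transfer `new` crosses.

    `seen` holds transfers already accepted (history plus earlier ones in the
    session).  Thresholds are assumed business rules, not derived from the case.
    """
    triggers = []
    if new["country"] not in baseline["countries"]:
        triggers.append("new_destination")
    if new["amount"] > 1.5 * baseline["max_amount"]:
        triggers.append("amount")
    window = baseline["window"]
    end = _ts(new)
    in_window = [t for t in seen if end - window < _ts(t) <= end] + [new]
    if len(in_window) > 2 * baseline["max_in_window"]:
        triggers.append("velocity")
    return triggers


def run(history, stream):
    """Replay `stream` against the account baseline.

    Returns (alerts, delay): alerts is a list of (index, triggers) for every
    transfer that fired at least one tripwire; delay is the time between the
    first transfer in the stream and the first alert (None if nothing fired).
    """
    baseline = build_baseline(history)
    seen = list(history)
    alerts = []
    for i, t in enumerate(stream):
        trig = evaluate(baseline, seen, t)
        if trig:
            alerts.append((i, trig))
        seen.append(t)
    delay = _ts(stream[alerts[0][0]]) - _ts(stream[0]) if alerts else None
    return alerts, delay


if __name__ == "__main__":
    alerts, delay = run(HISTORY, INCIDENT)
    for i, trig in alerts:
        print(f"transfer {i} {INCIDENT[i]['ts']} -> {INCIDENT[i]['country']}: {trig}")
    print("time from first transfer to first alert:", delay)
```

On these constructed records the first transfer trips both the new-destination and amount rules, so the alert latency is zero rather than six hours; the velocity rule does not fire until the third wire inside the hour, which shows why a count-based rule alone would be slower than a destination rule for this account. Every number in the thresholds is a choice that management and risk experts, not only the programmer, should own and review.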

The number of data breaches and other cyber criminal activities will continue to rise as long as the General Counsel remains aloof or segmented from the departments and business units that can establish effective automated "Trip Wires" to get notified when something is "Not Normal".

Here are just a few of the larger and most reported incidents of 2011, according to Law.com:

April 1: Epsilon Inc., the world's largest e-mail marketer, reveals an unauthorized entry into Epsilon's e-mail system, exposing customer names and e-mail addresses.

April 26: Sony Network Entertainment America and Sony Computer Entertainment America disclose a "carefully planned, very professional, highly sophisticated criminal cyberattack designed to steal personal and credit card information." The intruders stole identity data from about 77 million PlayStation Network and Qriocity customer accounts.

May 10: Citigroup Inc. discovers a breach exposing more than 360,000 customer names, account numbers, and contact information. Citigroup waits almost a month before notifying its customers, and later says $2.7 million was stolen.

May 24: The Los Angeles Times reports that a Bank of America Corporation insider leaked detailed customer data to a ring of identity thieves resulting in $10 million in losses. The bank later confirmed the loss, which occurred sometime last year but came to light only recently, when the bank began informing customers.

June 15: Automatic Data Processing Inc., the world's largest payroll processor, says personal data of one of its 550,000 corporate clients was breached. It provided no details.

So what is the answer for the General Counsel? The "Plan-Do-Check-Act" lifecycle applies to the GC just as it does to others in the corporate enterprise. Information Governance is no different for the legal department than it is for the CIO. The problem is, how much are the two working in concert, so that the holders and managers of digital information work side by side with the legal eagles of the company? Not enough, in a world where transnational criminals, advanced persistent threats and insiders are testing your controls and the latency of your alert mechanisms on a daily basis.

The companies plagued by the incidents highlighted in the popular press are working hard to close the vulnerabilities that were exploited. They have invested millions of dollars in technology and sophisticated tools for detection and defense. In today's world of 4 billion devices connected to wireless networks and ultimately the Internet, working hard alone will not suffice anymore.

The General Counsel, working in concert with the Chief Information Security Officer (CISO), Chief Information Officer (CIO) and even the Chief Security Officer (CSO), along with outside contract consultants, typically defines who is responsible for the ongoing defense of the corporate enterprise. The question that remains is: "What is the single management system they are all using to manage risk in the organization?" Unfortunately, the answer may be that they are not using the same management system. When your organization has not agreed upon a single management system for risk, it is no wonder that you have opened yourself up to the possibility of failure. Adopting a single international standard such as ISO/IEC 27001:2005 could be the beginning of a unified effort by the entire stakeholder community in your organization.

Certifying your Information Security Management System against ISO/IEC 27001 can bring the following benefits to your organization:

  • Demonstrates the independent assurance of your internal controls and meets corporate governance and business continuity requirements
  • Independently demonstrates that applicable laws and regulations are observed
  • Provides a competitive edge by meeting contractual requirements and demonstrating to your customers that the security of their information is paramount
  • Independently verifies that your organizational risks are properly identified, assessed and managed, while formalizing information security processes, procedures and documentation
  • Proves your senior management’s commitment to the security of its information
  • The regular assessment process helps you to continually monitor your performance and improve

09 July 2011

ISO 28000: Bankers Exposed to Supply Chain Risk...

The banking institutions of the globe are on high alert. Operational Risk doctrine is finally moving beyond the historical threats of fraud and rogue traders to the "New Normal" of other significant business disruptions. It has been on the horizon for some time, yet only now is the Basel Committee enhancing the rules that have so far been ignored or given little consideration:

Banks should bolster their defenses against losses caused by rogue traders, client fraud and other so-called operational risks, global regulators said.

The Basel Committee on Banking Supervision endorsed updated principles on how banks should protect themselves from risks not directly linked to lending or market movements, the group said today on its website.

The measures add to beefed up capital and liquidity rules to toughen regulation of banks following the worst financial crisis since the Great Depression. Rogue traders such as Jerome Kerviel at Societe Generale (GLE) SA and Nick Leeson at Barings Plc can also wreak havoc on individual institutions, said Nicolas Veron, a senior fellow at economics research group Bruegel.

“Barings was killed by operational risk, and Societe Generale came very close to a near-death experience in 2008,” Veron said in a phone interview from Brussels.

“Does operational risk generally cause systemic crises? No. But it can have a major impact on individual institutions when things go wrong,” said Veron.

Today’s changes build on rules from 2004 that require lenders to hold reserves against risks including natural disasters, computer hacking, systems failures, theft, fraud and unauthorized trading.

So where is the weakest link in the 63 "Principles for the Sound Management of Operational Risk"? We still think it is this one, number 54 under the Principle of Mitigation and Control:

54. Outsourcing is the use of a third party – either an affiliate within a corporate group or an unaffiliated external entity – to perform activities on behalf of the bank. Outsourcing can involve transaction processing or business processes. While outsourcing can help manage costs, provide expertise, expand product offerings, and improve services, it also introduces risks that management should address. The board and senior management are responsible for understanding the operational risks associated with outsourcing arrangements and ensuring that effective risk management policies and practices are in place to manage the risk in outsourcing activities.

The reason we believe this to be a single point of failure is the tremendous number of outsourced services, from the critical information systems infrastructure of the banking industry to the supply-chain risk of the major global firms in which the banks themselves invest for the continued commerce of the world.

One key aspect of this area of Operational Risk is the sense of risk mitigation that usually comes with a "Service Level Agreement" (SLA) with a vendor or service provider. The General Counsel and the legal team are responsible for the prudent review and drafting of outsourcing contracts. Yet in many cases the SLA is never audited or tested to find out how a supplier would actually respond or behave during a major incident that impacts its particular area of supply chain operations. This brings us to ISO 28000.

ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. Aspects include all activities controlled or influenced by organizations that impact on supply chain security. These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain.

Regardless of the legal documents agreed upon between you and your Tier 1 suppliers, you can bet that they have their own supply chains on which you have done no due diligence. Can you trust that all of your Tier 1 suppliers have gone down another layer or two to ensure their own survivability across a myriad of operational risks? Adopting an international management system such as ISO 28000 will set you on the way to a more adaptive enterprise with improved business resilience.

Now the question might be, how many major banks or hedge funds are major investors in companies such as DP World? Are they ISO 28000 certified to be more business resilient at their respective supply chain points of failure?

DP World Cochin has announced that the International Container Transhipment Terminal (ICTT) at Vallarpadam has been certified under the ISO 28000 Standard for Supply Chain Security Management Systems, joining the other DP World terminals in India as the only container terminals in the country to be certified in port security.

Dubai: In 2007, port operator DP World raised $3.25 billion in Islamic and conventional bond sales to refinance existing debt and fund its expansion. The company said it exceeded its target of $3 billion for the two bond issues. Barclays Capital, Citi, Deutsche Bank and Lehman Brothers lead-managed the two issues, helped by Dubai Islamic Bank for the sukuk. DP World, the world's third largest marine terminal operator, manages 42 terminals in 22 countries. Its investment commitments run into billions of dollars over the next few years in several countries, including India, Turkey, Britain, Senegal, Peru and China. Total capacity at DP World's ports was 48 million TEUs (twenty-foot equivalent container units) in 2006 and is expected to increase to 84 million TEUs by 2016 when new terminals are built.

So the final analysis of Operational Risk Management in your particular supply chain may very well lie beyond the surface of the Service Level Agreement (SLA). The General Counsel and legal team would be well advised to dig deeper than their Tier 1 suppliers in "Achieving a Defensible Standard of Care." Barclays, Citi and Deutsche should be somewhat more confident knowing that DP World is one of the few companies managing its Operational Risks with ISO 28000, at least at one port. Your next step may be to find out whether the precious semiconductors you need to manufacture your company's electronic products are in the hands of DP World's Jebel Ali Terminal 1 in Dubai or of DP World Cochin.

You should not be alarmed that DP World has a vacancy for the SVP, Global Operations:

VAC2531 - Senior Vice President - Global Operations

Division: Operations
Location: Dubai, U.A.E.
Closing Date: 11-Jul-2011
About the Role:

This position reports to Executive Vice President and Chief Operations Officer - DP World and the main purpose of the role is to develop, lead and assist in the implementation of DP World's standards in the management of Safety, Environment, Security, Operations and Engineering, in line with DP World business and Container Terminal Strategies.