10 December 2009

Legal Doctrine: Intelligence - led Threat Assessment...

Corporate Threat Assessment is gaining new momentum as "Operational Risk Management" professionals utilize new business processes and tools to preempt human malfeasance. Whether it is the disgruntled employee who has just been separated from the company or the college student who acts against his math teacher for grades; the question remains: How could this have been prevented?
The Washington Post reports:

A disgruntled 20-year-old student walked into a classroom at the Northern Virginia Community College campus in Woodbridge on Tuesday afternoon and fired at least two shots from a high-powered rifle at his math teacher, authorities said.

The teacher saw the gun, yelled for her 25 students to duck and then hit the floor.

"We heard a boom," one of the students said later. "I thought to myself, did a computer explode?"

The student's shots missed. He put the gun down, sat on a chair in a fourth-floor hallway and calmly waited for police.

Jason M. Hamilton of Baneberry Circle in the Manassas area was charged with attempted murder and discharging a firearm in school zone. He was being held without bail, and police officers said they wanted to question him about a motive.

The legal machine is at work to determine the multitude of reasons why this incident occurred and to collect the evidence in the case. The investigation into "Who Knew What When" will be spinning up almost simultaneously as the plaintiff lawyers determine what opportunities might exist for a law suit. Several areas of questioning for Northern Virginia Community College (NOVA) will include:

1. What evidence is there of a Duty to Care: Did NOVA provide training for professors to alert an internal "Threat Assessment Team" whenever they witnessed or found evidence of specific pre-incident indicators?

2. What evidence is there of a Duty to Warn: Did NOVA warn fellow employees to keep an eye out for any students carrying long slender bags into campus buildings or to monitor parking lots for suspicious activity?

3. What evidence is there of a Duty to Act: Did NOVA provide notice to security employees on the student who was absent during the term for over three weeks ?

4. What evidence is there of a Duty to Supervise: Did NOVA professors report any strange behavior, statements, or even the fact that the student had been absent almost a month?

Human behavioral studies regarding workplace safety suggest, that one in five people come to the institution every day with a serious problem going on in their personal life. This has a dramatic effect not only on workplace performance but also the potential for bad behavior. This bad behavior could be acted out physically or quietly and in stealth mode. In either case, the company, it's employees and the reputation of the institution are at stake. What is your Corporate Threat Assessment Team working on today to preempt the next incident?

As the investigators evaluate the digital evidence in the case such as e-mails, Facebook Wall postings or other information found on a PDA, laptop or home computer the "Smoking Gun" may be uncovered. And when it becomes public, the game changing events will begin to unfold. Many companies feel that having a formal internal "Threat Assessment Team" sends the wrong message to the employees that "Big Brother" is watching. This could not be further from the true state of mind by many employees today. Knowing that a team is proactively addressing the one in five employees everyday in the workplace should provide more peace of mind than the thought of an invasion of privacy.

So what are the typical channels that an employee will use to communicate their grievance or threat?

  • Letter - 2%
  • Phone message - 5%
  • Social Networking site - 7%
  • Text message - 9%
  • e-Mail - 22%
  • Verbal threat - 46%

Source: Laurence Barton, Ph.D. - Current Study to be completed in February, 2010

If this trend continues then over half of the communicated threat will be via a digitally based medium. What is your organization doing today to monitor communications for specific threats to your employees, suppliers or partners? The modification of Acceptable Use Policy and the other legal policy regarding the workplace monitoring of e-mail is not a new phenomenon in many organizations, notably those in the Defense Industrial Base (DIB.)

Recent changes in the privacy settings of Facebook makes much of the information placed in these 350 million profiles public information and therefore, capable of being viewed and analyzed by a proactive threat management team. Here is the analysis from the EFF:

The Ugly: Information That You Used to Control Is Now Treated as "Publicly Available," and You Can't Opt Out of The "Sharing" of Your Information with Facebook Apps

Looking even closer at the new Facebook privacy changes, things get downright ugly when it comes to controlling who gets to see personal information such as your list of friends. Under the new regime, Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a "fan" of — as "publicly available information" or "PAI." Before, users were allowed to restrict access to much of that information. Now, however, those privacy options have been eliminated. For example, although you used to have the ability to prevent everyone but your friends from seeing your friends list, that old privacy setting — shown below — has now been removed completely from the privacy settings page.


There are legal cases pending and there will be more to come about whether the mining of public data for profiling people is against the law. In most cases, it will be dependent on who is doing the collecting and for what reasons. Yet the most sophisticated systems for doing analytics or the latest matrix or mosaic methodology will not be able to provide a fail safe for the corporate enterprise. This is precisely why the earlier mentioned employer "Duties" are so vital to day to day operational risk management. The actions you take before, during and after an incident will be the most vital to your legal and reputations survival.

TWO computer programmers who worked for convicted fraudster Bernie Madoff were charged with bribery by the US Securities and Exchange Commission today.

Jerome O'Hara and George Perez allegedly took bribes to create false documents and trading records for Bernard L Madoff Investment Securities LLC for more than 15 years, according to the SEC's complaint.

"Without the help of O'Hara and Perez, the Madoff fraud would not have been possible," George S Canellos, director of the SEC's New York regional office, said.

"They used their special computer skills to create sophisticated, credible and entirely phony trading records that were critical to the success of Madoff's scheme for so many years."

Operational Risk Management requires a vigilance of monitoring digital information inside and outside the workplace. Those institutions who combine the correct legal doctrine, business processes and technology will prevail in the vast chaos of litigation and human threats within the workplace.

29 October 2009

Legal Risk: The Art of Compliance...

Risk Management is on the mind's of Corporate Directors and in some interesting places according to a recent poll by PWC and Corporate Board Member Magazine:

How has your personal risk as a director changed in the past 12 months?

Increased 69%
No change 30%
Decreased 1%

Some risks are tough to name...

What keeps you up at night?

Unknown risks 59%

...while others are identifiable.

Do you think regulators are more likely to investigate your company?

Yes 71%

Do you think there'll be an increase in shareholder suits?

Yes 65%

If 71% of the directors surveyed think that regulators are more likely to investigate the company where does that feeling come from? Is it the fact that the SEC and others such as the FTC, OCC and others are gearing up to facilitate greater oversight than in past years? Is it the lack of internal focus on creating a systemic Risk Management Framework? Could it be the amount of toxic assets that are still on the balance sheet? The answer is yes, yes, and yes.

So what can Directors do to make sure that management and the company are ready when the "Feds" come to town? The answer may well lie in the ability to show a history and evidence of doing the right thing and doing it with extreme diligence.

For good or bad—okay, mainly for bad, most respondents agree—the government as boardroom-player-cum-active-investor will be around for a foreseeable spell.

Regulation will rise...

Do you think there will be a big increase in regulation?

Yes 91%
No 2%

Of that 91%, 54% “strongly agree” with the premise that there’ll be more regulation, 37% “agree.”

...and spread.

Do you think other companies will have to adopt rules that the government has imposed on those receiving financial help?

Yes 54%
No 20%

Nearly 45% of the respondents say no amount of government control, whether more or less than what we got, could have prevented the severity of the economic crisis.

No to Uncle Sam as paymaster

Respondents are against the feds’ having a say in setting executive pay.

Are government limits on executive compensation justified?

No 88%

Should the government impose further limitations on pay?

No 97%

Should comp be left to the board?

Yes 76%


The only hope for "Achieving A Defensible Standard of Care" in your institution could be what Siemens and other wrongdoers have discovered. Spending hundreds of millions of dollars on "Compliance" might be a good thing when the time comes to differentiate yourself in the marketplace and negotiate with the government. Especially if you are a global enterprise doing business in countries that don't exactly have the best reputation with transparency and the rule of law. Here is what Chairman of the Supervisory Board of Siemens AG, Gerhard Cromme had to say on their efforts to date:

Wherever wrongdoing was proved beyond a doubt, we immediately took the necessary actions. Wherever there were systemic weaknesses, we identified them and corrected them. Where the necessary resources were lacking, we provided them. These demanding efforts have paid off: Today Siemens has a clear, transparent structure that no longer allows any gray areas with respect to responsibility. At the same time, these structures make Siemens more efficient, more cost-effective, and thus more competitive. The authorities took into consideration our unflinching desire to do whatever was necessary for a fresh start in determining the size of the penalties and the duration of the proceedings.


Operational Risk encompasses the actions taken by Siemens that includes the new centralized systems for payments, disbursements and other accounting functions that were previously in business units outside of Germany. This consolidation and integration of systems was not easy but represents that a discovery in the vulnerability of controls with a decentralized system warranted the investment in a new way of doing business.

Only time will tell whether any companies Board of Directors efforts to spend more resources on "The Art of Compliance" will make a difference to the regulators, investigators and litigators. One could probably bet that over time it will make a difference. But only if the "Tone at the Top" is commensurate with the actions being asked of the employees and stakeholders, doing the day-to-day tasks running the risk operations of the enterprise.

01 October 2009

Remote Digital Forensics: Complacency Risk...

Operational Risk Management commands a spectrum of disciplines within the global corporate enterprise. While convergence of responsibility, accountability and resources is taking place the internal threats continue to flourish. Why? How could a Chief Security Officer (CSO) not be aware of a specific threat to the institution by unknown subjects half way around the world? The transnational organized crime syndicates that target our weakest organizations know that they don't share information between departments, business units or even shared services within the enterprise. Does your CSO get a briefing from the CISO or CIO / INFOSEC staff on what the latest threats mean to you, such as cyber heists using ACH fraud?

This complacency is an internal threat that continues to amaze many and reinforces what few people truly understand about risk management. The adversaries utilize asymmetric strategy against unsophisticated targets to perpetuate their crimes and overall threats to people, processes, systems and deposit accounts. They are the modern day equivalents of "Bonnie & Clyde", Al Capone with a dash of Al Gonzales all rolled up into a massive threat that is increasing exponentially:

Two Romanian Citizens Extradited to the United States to Face Charges Related to Alleged Phishing Scheme

A phishing scheme uses the Internet to target large numbers of unwary individuals, using fraud and deceit to obtain private personal and financial information such as names, addresses, bank account numbers, credit card numbers, and Social Security numbers. Phishing schemes often work by sending out large numbers of counterfeit e-mail messages, which are made to appear as if they originated from legitimate banks, financial institutions, or other companies.

The investigation leading to the indictment stemmed from a citizen’s complaint concerning a fraudulent e-mail message made to appear as if it originated from Connecticut-based People’s Bank. In fact, the e-mail message directed victims to a computer in Minnesota that had been compromised, or “hacked,” and used to host a counterfeit People’s Bank Internet site. During the course of the investigation, it was determined that the defendants had allegedly engaged in similar phishing schemes against many other financial institutions and companies, including Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay, and PayPal.


Risk Management 101 talks to the X and Y axis with X representing the frequency of risk and Y representing the severity (impact) of the risk. So using the four quadrant model, the lower right box is where low risk times high frequency incidents occur. In the upper left box is where high risk times low frequency incidents occur. Got it.

As a CSO in your organization, where do you spend your time, resources and personnel in terms of their training, awareness and work efforts? Think about it for a minute. Most of you would probably say, "Well we focus on the High Frequency times High Risk incidents, the upper right box of the Risk Management model." Practice and prepare for the incidents that happen often and you will have employees who have no clue on what to do the day that something from that upper left box impacts your organization. The HIGH RISK x LOW FREQUENCY incidents are where you remain most vulnerable.

Arlington Man Sentenced 36 Months for $40 Million Ponzi Scheme

ALEXANDRIA, VA—Preston David Pinkett II, age 70, of Arlington, Va., was sentenced to 36 months in prison for engaging in a massive Ponzi scheme that raised more than $40 million in fraudulent payments from investors. Pinkett was also sentenced to three years of supervised release and ordered to pay $18,774,989 in restitution.


The two years that most frauds are conducted before they are discovered tells most risk managers that even effective accounting and audit controls can't catch these white collar criminals before it's too late. The high risk low frequency incidents are the greatest impact on your institution and yet little or no resources, training or attention is paid to these threats to your reputation and economic livelihood.

Now let's take this step further into what practices you have with exiting employees from your business. Are you conducting exit interviews? Are you examining all of the employee's digital assets for the presence of anti-forensics or the ex-filtration or theft of sensitive, proprietary trade secrets or intellectual property from the corporation? Both of these steps are necessary regardless of the person leaving and the circumstances why they are leaving your institution.

The utilization of "Remote Digital Forensics" and other centralized shared services such as this can provide your Business Units and even suppliers with capabilities that they don't need to staff internally. The technologies and resources exist today to address the stealth of fraud, the crisis stemming from industrial espionage or the disgruntled employee stalking those who they perceive as the reason for their dismissal.

An effective internal approach to high tech and advanced Operational Risk Management as it pertains to the rapidly changing landscape of smart, educated and daring people shall include a robust intelligence and audit capacity. Without it, the transnational eCrime syndicates or the internal employee threat will prey on your vulnerabilities of complacency, lack of training and apathetic approach to the design, configuration or implementation of your systems.

07 September 2009

Red Zone: Behavioral Analysis Interviews...

Industrial Espionage and the theft of trade secrets is on every Operational Risk Management executives mind these days. The recent milestone conviction under the Economic Espionage Act of 1996 in the United States marks the starting point for accelerated investigations by the counter intelligence and OPSEC units of major public and private organizations:

A former Rockwell and Boeing engineer from Orange County was remanded into custody this morning after a federal judge convicted him of charges of economic espionage and acting as an agent of the People’s Republic of China, for whom he stole restricted technology and Boeing trade secrets, including information related to the Space Shuttle program and Delta IV rocket.

How 250,000 pages of classified, proprietary and otherwise sensitive information was found under this employees house is a good question? What might be an even more interesting question is pertaining to the controls for OPSEC and INFOSEC at Boeing in Orange County, CA.

Information Operations (IO) or Information Security controls are only as good as the creativity and the will of the individual human being that exploits the vulnerabilities in the design, configuration or implementation of the layers of defense. This is why the counter intelligence and OPSEC capabilities within the enterprise must be ever vigilant and continuously adapting to the internal insurgency within the organization.

The Operational Risks that the OPSEC team is focused on these days has to do with data leakage prevention (DLP) and insider threat prevention and data exfiltration prevention capabilities. As companies such as Boeing and other Defense Industrial Base (DIB) institutions utilize the latest software, hardware and other technology to assist in the "insider" detection and prevention of stealing, changing or deleting sensitive information there still remains the risk of human factors and social engineering.

Sometimes the low tech or human designed detection systems that work on behavioral sciences can be just as effective as the newest software running on the fastest computer box. One example is "The Reid Technique" in the context of doing routine interviews and investigations with a set of "Red Zone" employees. Who are the red zone employees? Those individuals who have certain access to systems or information, leave the organization for involuntary reasons or people that may be 3rd party suppliers to the key people in the red zone. So how does the Reid Technique help?

The Reid Technique is a method of meeting, conferring with, and evaluating, the subjects of an investigation. It involves three different components — factual analysis, interviewing, and interrogation. While each of these are separate and distinct procedures, they are interrelated in the sense that each serves to help eliminate innocent suspects during an investigation, thereby allowing the investigator to focus upon the person most likely to be guilty.

Organizations spend thousands of dollars if not hundreds of thousands doing what are called background investigations. These are many times outsourced to 3rd parties to provide a level of comfort that the person they are going to hire is a person with integrity and has not committed any crimes or lives a lifestyle that is not commensurate with the policies and regulations of the organizations hiring and employment practices.

The Integrity Interview is a highly structured interview with a job applicant. The purpose for the interview is to develop factual information about the applicant's past behavioral patterns.

Specifically, the following areas are assessed during the interview:

Employment History
Theft and Related Activities
Work Related Alcohol Use
Violations of Company Policy
Recent Use of Illegal Drugs
Criminal Behavior


The philosophy behind the interview is very straightforward. The most accurate indicator of an individual's future behavior is their recent past behavior.


The same technique can be used on a departing employee with the emphasis on adherence to all "Acceptable Use" policies regarding digital assets and cyberspace access to organizational data repositories. Individuals who have the characteristics associated with deception could be the target of a further investigation to determine whether any unauthorized information has been sent to a webmail account or if a 4 GB Thumb Drive happened to be plugged into a corporate laptop the night before the last day on the job.

This low tech method may be one of the most effective means for industrial espionage. Old school methods with 21st century technologies. All of the detection hardware and software, CCTV cameras, tagged files or RFID countermeasure will not be able to thwart a diligent, patient and trusted insider. Utilizing Behavioral Interview Analysis can make the difference between early detection or late reaction.

And while the OPSEC group is working on the "Lone Wolf" insider, there are swarms of non-state attackers initiating their 4GW strategy on the cyberspace front of corporations and governments worldwide. Just ask Jeffrey Carr:

The Cyber Domain consists of inter-related threats (financial crimes, espionage, network warfare) that have traditionally been segmented off to different agencies with their own siloed areas of responsibility. What is needed, however, is a unified approach to collection and analysis that mimics the non-traditional, multi-faceted strategies used by non-state actors in both cyber and kinetic conflicts. Project Grey Goose was our proof-of-concept.

Economic espionage and attacks on nations states critical infrastructures requires a substantial shift in policy and taxonomy if we are ever going to be effective in defending ourselves. GreyLogic may be on the right track when it comes to educating those who need it so that they can make the leap to be "Wired for War." While the CEO's and the General's are being briefed on the latest facets of "Weaponizing Malware" we can only hope that OPSEC is conducting the behavioral analysis interview. A face to face encounter, with someone who may just be that one person, who has your most valuable intellectual property or trade secret in the brief case at their feet.

24 August 2009

Health Care: Operational Risk on Steroids...

Health Care Sector Operational Risk Management is on the front burner once again. Recent changes to federal law governing health information suggest expanded regulation, increased enforcement, and significantly enhanced penalties could be on the horizon for businesses not previously subject to HIPAA. The Health Insurance Portability and Accountability Act (HIPAA), which was amended by the American Recovery and Reinvestment Act of 2009 (ARRA) in February, regulates the use of, access to, and dissemination of healthcare information. The increased scrutiny of our own health related personal identifiable information is only the beginning of a national platform for health care. Personal health records will be highly sought after by criminal organizations to help them with extensive online extortion schemes so they can monetize the stolen information.

Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Transnational economic crime syndicates that have been fueled by the failures in systems and people at institutions in the financial services industry may now be getting a better source to perpetuate their wave of extortion . Just think about the phishing e-mail that goes out to the hundreds of thousands of people who have a particular type of medical condition or are taking a specific drug to help a particular medical diagnosis. Revealing the names, occupations and other relevant information on the subset of male politicians running for office that are currently taking the Pfizer drug for ED or the subset of women talk show hosts that are taking the drug Xanax may have some individuals willing to pay up the 500 or 1000 dollars being demanded from the criminals that stole the Protected Health Information (PHI).

As the United States speeds along towards the consensus on a national health care system the risk of health care data breaches will be rising. Where a doctor had a small staff helping with the back office to bill insurers and where the health care information systems vendors were in high demand you will now have the nexus of targets that cyberspace criminals will be focused on. Like the consumer retailers who rely on third party credit card processing companies to take care of the millions of annual point-of-sale transactions, so too will the consumers of health care services at the retail level. Doctors offices, pharmacies and out patient or triage centers.

The HHS and FTC interim rules were mandated by more stringent privacy and security requirements outlined in the American Recovery and Reinvestment Act of 2009 (ARRA) for Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates and certain non-HIPAA-covered entities.

"This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care," said Robinsue Frohboese, acting director of the HHS Office for Civil Rights.

HHS and FTC said their rules were intentionally written to be harmonious with one another. The entities covered by either rule have up to 60 days to notify individuals whose information was accessed without authorization. If the breach involves PHI belonging to 500 or more people, entities must alert the media and either HHS or FTC, depending on which rule they are subject to. If the breach involves less than 500 people, the entities must keep a log of the incident to be submitted to either HHS or FTC at the end of the year.

Unlike the motive to utilize the information from a compromised credit card to monetize through additional fraudulent purchases, the new health care criminal syndicates will find their own niches. Whether there is a continued attempt at utilizing the PHI for spear phishing attempts at specific individuals online or a more broad use of PHI to steal ones identity to obtain health services at hospitals or physicians offices, the impact could now turn more deadly:

Medical identity theft is potentially lethal to its victims. When the identity thief obtains medical treatment, medical records are created in the name of the victim. When treatment occurs in the same locality as the victim, the treatment of the thief can be appended to local medical records of the victim. With the strong movement towards electronic medical records, all those under the victim’s name and social security number can be collated in seconds. Once the thief’s medical records are collated with the victim’s, there is a risk of mistreatment of the victim, which can potentially lead to death.

Lind Weaver, a retired school teacher, was harassed by a bill collector for a medical bill for the amputation of her foot. The problem was that Weaver still had two feet. Foot amputations are associated with diabetes, a disease that Weaver did not have. Months later Weaver suffered a heart attack, when she awoke in the hospital a nurse asked her which type of drugs she was taking for her diabetes. Had Weaver underwent heart surgery as a diabetic, mistreatment could have been life threatening.


Protected Health Information will continue to be a challenge for those institutions that are trying to achieve a "Defensible Standard of Care" in the decade ahead. The wave of risks associated with online banking and the technologies driven by consumers thirst for financial information will seem non-consequential compared to what we are about to experience in the online health care industry.

31 July 2009

Red Flags Rule: Reputations at Stake...

The "Red Flags Rule" is on the back burner in the United States until November 1, 2009. The Federal Trade Commission has delayed the compliance mandate again. Are you ready? Do you have to comply?

The Federal Trade Commission has postponed a deadline for many of the nation's businesses -- including banks, public utilities and health-care providers -- to comply with a controversial identity-theft prevention program.

The program, called the "Red Flags Rule," was to take effect Aug. 1 but will now be delayed until Nov. 1. The program is aimed at preventing the loss of billions of dollars as the result of the theft of consumer and taxpayer personal information. Under the regulation, companies and institutions would be required to establish a way to identify potential threats at the businesses, find ways of detecting such threats and install measures to prevent them. Employees would also have to be educated about the programs.

A survey commissioned in 2006 by the FTC revealed that more than nine million Americans have their identities stolen each year at a total estimated loss of $15.6 billion.


The nation is under a barrage of attacks from adversaries that lie in the shadows such as "Conficker" and other botnets or malware and business still delays the compliance measures asked of them. One only has to look deeply into the latest 2009 report from CISCO to better understand the state of risk from "Transnational Economic Crime":

Report Highlights

  • Criminals are exploiting traditional vulnerabilities because they believe security experts and individual users are paying little attention to these types of threats.
  • Compromising legitimate websites for the purpose of propagating malware remains a highly effective technique for criminals.
  • Web 2.0 applications, prized for their ease of use and flexibility, have become lures for criminals.
  • Criminals are now targeting online banking customers using well-designed, localized text message scams that leave virtually no trail in their wake.
  • The Obama administration has made strengthening U.S. cybersecurity a high priority, and plans to meet threats by using technological innovations and partnering with the private sector. Other countries are similarly increasing efforts to enhance cybersecurity and prevent cybercrime.
  • Compared to 2008, the number of vulnerabilities and discrete threats has not risen as quickly. According to research by Cisco, this is a clear sign that the security community is succeeding in making it more difficult for attacks to take root and grow.


Operational Risks are vast and the technology landscape is not getting more narrow, it is expanding. Cloud Computing is now the latest attempt to get cost savings and to make the IT puzzle less of an asset management nightmare. If you think that you understand it and where it's heading, think again. One only has to visit "Black Hat" and the briefings to get a better sense of what the true risks are going to be if not already. This one caught our eye and for good reason:

Nitesh Dhanjani

Psychotronica: Exposure, Control, and Deceit

This talk will expose how voluntary and public information from new communication paradigms such as social networking applications can enable you to remotely capture private information about targeted individuals.

Topics of discussion will include:

Hacking the Psyche: Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware.

Techniques on how individuals may be remotely influenced by messaging tactics, and how criminal groups and governments may use this capability, including a case study of Twitter and the recent terror attacks in Bombay.

Reconnaissance and pillage of private information, including critical data that the victim may not be aware of revealing, and that which may be impossible to protect by definition.

The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with it real risks as well as marketing and economic advantages.


The risks to "Social Networking" Twitter-based consumers and the extended digital enterprise are vast. The CISO's and internal audit teams have been having their own internal battle for years and will soon realize that once and for all, they are on the same side of the Cyberspace war. The risks to the organization may come in the form of a major business disruption, denial of service (DOS) or even worse, a significant loss of consumer Personal Identifiable Information (PII). Even if you are considered PCI compliant just as "Network Solutions" was, the loss of reputation can be significant:

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned.

Herndon, Va. based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

The "Red Flag" may have turned to a "White Flag" as you surrender to the lawyers and the federal oversight.

18 July 2009

FCPA: Modern Day "Smoking Gun"...

Corporate malfeasance is on the mind of most global executives today. Their enterprise is consistently fighting the economic challenges and at the same time defending it's reputation as new "Smoking Guns" are revealed. Perhaps these modern day discoveries of wrong doing should be renamed "Smoking Digital Evidence" because this is exactly what it is. Information uncovered through normal monitoring practices or as the result of a specific investigation produces "Red Flag" alerts based upon acceptable use policy or corporate rule sets.

These "Red Flags" uncovered in the context of programs devoted to processing digital evidence is now a standard Modus Operandi for corporate governance, legal and operations risk management. These new tactical business units are being developed in a rapid response to new regulatory and compliance mandates yet the greater pressure is coming from the wake-up calls senior executives have been receiving lately.

The Justice Department's probe of the credit default swaps market is reportedly focusing on Markit Group Holdings Ltd., the London-based supplier of prices in OTC derivatives, and its relationship to a group of major banks that own a stake in the company. The DOJ is scrutinizing the ownership of Markit by a group of banks that control a large amount of pricing in the $28 trillion credit derivatives market.

The banks have received a notice of investigation from the DOJ asking them for details on their trading activity, including how much they have at risk in the market and their monthly value of their credit default swaps, according to Bloomberg News. Banks that own the largest stakes in Markit, include: J.P. Morgan, Bank of America (through its acquisition of Merrill Lynch), Deutsche Bank, Royal Bank of Scotland which acquired ABN Amro, as well as Credit Suisse, Goldman Sachs, Morgan Stanley and UBS, according to Bloomberg News.

"The DOJ is looking to find any wrongdoing in that marketplace," commented Paul Zubulake, senior analyst at Aite Group in an interview with Wall Street & Technology. "Obviously that is going to open up a large can of worms," he said. "It will be costly for the dealers that have to battle the DOJ given the discovery issues, about all the information, emails and instant messages they will need to turn over."

Digital Forensics, Records Management and eDiscovery units at some of the largest financial institutions are working overtime. Finding any "Smoking Digital Evidence" will be the standard operating procedure on most international transactions whether it be in the financial services industry or even telecommunications:

Good news for compliance officers: You now have solid evidence that the benefit of implementing an effective compliance program far outweighs the cost, in the form of the massive Foreign Corrupt Practices Act settlements swallowed by Siemens AG and three of its foreign subsidiaries.

Siemens, a German conglomerate that is one of the largest engineering firms in the world, agreed in December to pay more than $1.6 billion to U.S. and German regulators for a massive bribery scheme that felled the highest executives at the company. Penalties paid to the Justice Department and Securities and Exchange Commission alone topped $800 million, by far the largest sanction ever imposed in an FCPA case.

In the following excerpt, Linda Chatman Thomsen speaks on the massive Siemens investigation: "Furthermore, the $1.6 billion total that Siemens will pay in these settlements is the largest amount that any company has ever paid to resolve corruption-related charges.

And that is fitting because the alleged conduct by Siemens was egregious and brazen. It was systematic, it involved thousands of payments, and it occurred over an extensive six-year period. Siemens created elaborate payment schemes to conceal these corrupt payments to foreign officials. The company’s inadequate internal controls allowed the conduct to flourish.

The details tell a very unsavory story: employees obtained large amounts of cash for Siemens’ cash desks; employees sometimes carried that cash in suitcases across international borders to pay bribes; payment authorizations were recorded on post-it notes that were later removed to avoid leaving any permanent record; there were slush funds and a cadre of consultants and intermediaries to facilitate paying the bribes.

Investigating this intricate scheme and righting Siemens’ wrongs has taken a remarkable and unprecedented level of coordination among many law enforcement agencies around the world."

The internal threat of employees, partners and so called in-country agents who help facilitate business deals is one square in the risk management matrix. The business transactions themselves are becoming part of the Venn Diagram that includes:

  • Business & Global Commerce
  • Personnel Security & Integrity
  • Rule of Law & Litigation
As global institutions continue their expansion across the continents where capital follows security and the rule of law, so too will the attacks on the corporate enterprise.

09 July 2009

Trusted Systems: Human Factors in Play...

The case is U.S. v. Dreier, 09-cr-00085, U.S. District Court, Southern District of New York (Manhattan). It's only the beginning of a long hard road for many unidentified subjects (unsubs) as the fall out from the U.S. Economic crisis uncovers who was stealing others peoples money for their own fraudulent schemes.

Marc Dreier, the New York law firm- founder who pleaded guilty to defrauding hedge funds of more than $400 million, should be sentenced to 145 years in jail, prosecutors said, as a defense lawyer sought a term of as little as 10 years.

The rival requests came in court filings today in federal court in Manhattan. Dreier will be sentenced on July 13 by U.S. District Judge Jed Rakoff. Investors who placed more than $740 million with Dreier lost at least $400 million, lawyers said.


Operational Risks associated with 3rd party suppliers is a continuous concern. Effective due diligence with partners and service providers is a necessary task, on a quarterly basis. Many institutions leave it up to the service level agreement (SLA) or the written contract to be the monitor. To their demise, written words on a contract are not enough. Especially, when the partners are the lawyers themselves.

New York prosecutors on Wednesday said 13 people and a mortgage origination company have been indicted on charges of running a multimillion-dollar real-estate fraud that cheated lenders through sham sales.

The defendants include employees at the Long Island, New York-based mortgage company AFG Financial Group Inc, several attorneys and other defendants, according to Manhattan District Attorney Robert Morgenthau.

The investigation is continuing, and Morgenthau said the size of the scheme could eventually total $200 million.

One lawyer accused of engaging in fraudulent transactions was involved in transactions adding up to more than $100 million, Morgenthau said.

Lenders who were victimized in transactions made by that one lawyer included New Century Mortgage Corp, WaMu/Long Beach Mortgage Co, Countrywide Financial, First Franklin Financial Corp and Mortgage Network USA Inc.


The financial services sector will continue to be a quagmire for transactions for decades to come. The due diligence, fact checking and assurance that the "Deal" is a solid one will continue to under go a tremendous burden on all parties. The consumer, the lender and the underwriters.

The human factors associated with crimes such as fraud are well known. The study of the "Ponzi Scheme" has been a text book case for study in business schools for years. What may not have been so obvious is the science behind the human motivators. And maybe not even noticeable, is how accustomed the human is to trusting the automated world we live in. The fact that computers calculate what we have purchased in the retail store is one of the first trusted information scenarios we grow up with. How many people actually add up all of the dozens of items in their grocery cart, calculate the tax and any discounts to see if the Point of Sale (POS) system has done it's math correctly?

So what is Human Factors Science?

Human factors are sets of human-specific physical, cognitive, or social properties which either may interact in a critical or dangerous manner with technological systems, human natural environment, or human organizations, or they can be taken under consideration in the design of ergonomic human-user oriented equipments. The choice/identification of human factors usually depends on their possible negative or positive impact on the functioning of human-organization and human-machine system.

Did someone try to steal Goldman Sachs’ secret sauce?

While most in the US were celebrating the 4th of July, a Russian immigrant living in New Jersey was being held on federal charges of stealing top-secret computer trading codes from a major New York-based financial institution—that sources say is none other than Goldman Sachs.

The allegations, if true, are big news because the codes the accused man, Sergey Aleynikov, tried to steal is the secret code to unlocking Goldman’s automated stocks and commodities trading businesses. Federal authorities allege the computer codes and related-trading files that Aleynikov uploaded to a German-based website help this major “financial institution” generate millions of dollars in profits each year.


Trusted Systems and the information that flows from them is only as good as the programs that run them and the people who developed the millions of lines of code in the software. The trading systems at the NYSE, NASDAQ and Hang Seng Index are only a reliable as the calculations and the integrity of the systems themselves. When that trust is compromised in the trusted system, whether it be a program or a person, human factors take over.

26 June 2009

Digital Forensics: Right to Question CSI's...

The US Supreme Courts ruling in MELENDEZ-DIAZ v. MASSACHUSETTS will have significant impact on Digital Forensics expert practitioners. Legal cases utilizing the examination of computers and other digital assets containing relevant information will have more testimony by CSI analyst experts. The New York Times report by Adam Liptak says:

Crime laboratory reports may not be used against criminal defendants at trial unless the analysts responsible for creating them give testimony and subject themselves to cross-examination, the Supreme Court ruled Thursday in a 5-to-4 decision.

Noting that 500 employees of the Federal Bureau of Investigation laboratory in Quantico, Va., conduct more than a million scientific tests each year, Justice Kennedy wrote, “The court’s decision means that before any of those million tests reaches a jury, at least one of the laboratory’s analysts must board a plane, find his or her way to an unfamiliar courthouse and sit there waiting to read aloud notes made months ago.”

The outcome of the ruling for the prosecution is that forensic examiners and scientists will be more thoroughly scrutinized in the tests they perform. The process will require more effective documentation and the ability to play back for a jury exactly the process utilized to support any facts of evidence. This will not be difficult as Best Practices today are being utilized such as the video taping of the entire test and examination. Achieving a "Defensible Standard of Care" will however be even more of a priority for Operational Risk Management professionals.

The defendant will have the ability to cross-examine the analyst, whether it was making a determination on what the blood type was of the accused attacker or the date, time, and place that the defendant sent an e-mail from the office computer to a co-conspirator.

In the digital forensics environment, the ruling means that the subject matter experts will simply be spending more time in court and on the witness stand. This will impact the time it takes to conduct the trial yet the rights to examine the process, expertise and documented procedures for the evidence that has been introduced is an important issue.

From an Operational Risk Management point of view, this means that your eDiscovery and Digital Forensics certified examiners will be under the magnifying glass and subject to the questioning by counsel. We see an increased attention related in civil matters coming soon. Several states are asking that the outsourced entities associated with inspection of digital assets be licensed by the state itself, as a Private Investigator. This provision would subject the expert authority to also being legally certified in the knowledge of state laws pertaining to civil procedure, chain of custody and legal procedures on the handling of evidence.

The question remains on whether the Supreme Court Justice's were thinking beyond the test for the presence of a drug, as this case was focused on in MELENDEZ-DIAZ v. MASSACHUSETTS. The defense bar will be utilizing this ruling to go beyond the criminal courts to the civil trials where white collar cases are largely based upon the documents, e-mails and other digital evidence that has been retrieved using forensic procedures.

It will be interesting to see how this ruling impacts the professional licensing, certifications and documentation of examinations for the 21st century Digital Forensic "CSI".

11 June 2009

4GW: U.S. CyberSpace OPS Risk...

The Washington, DC beltway bandits are buzzing in anticipation of President Obama's selection for the next defender and policy maker for United States CyberSpace. We wonder what branch of the armed forces s/he will be associated with and to what degree they gain the agreement of the power base that CyberSpace is indeed a "Strategic National Asset", once and for all.

Meanwhile, OPS Risk Managers are dealing with transnational non-state actors (in some cases funded by nation states) that are robbing our private sector and government agencies blind. Stealing Personal Identifiable Information (PII), Corporate Intellectual Property, Defense R & D and classified State secrets. The next commander of U.S. CyberSpace has an even bigger job once the job starts; protecting and defending our country's vital Digital Infrastructure. This nexus of criminal, terrorist and irregular warfare is being waged on a 24/7 basis here in the homeland.

So how do you go about fighting this 4th Generation (4GW) war comprised of well organized, decentralized, clandestine subjects operating in the cyber shadows? This begins with creating an effective Information Sharing Environment (ISE), a fusion of who, what, when, how, where and maybe why. Defending the nation against the physical attacks of the likes of Al-Qaida or the virtual attacks from Yingcracker has some very interesting similarities.

If the next Secretary of U.S. CyberSpace is going to take the fight to those who wish to copy, delete, probe, scan, flood, bypass, steal, modify and spoof their way across our Digital Infrastructure, they could learn from this synopsis from Robert Haddick:

Does it take a network to beat a network?

On June 5 United States Joint Forces Command (USJFCOM) wraps up a week-long war game designed to test the Pentagon's vision of warfare in the future. The war game looks ahead to the year 2020 and examines how U.S. and allied military forces -- along with civilian government, non-government, and international institutions -- cope with a failing state, a globally networked terrorist organization, and a peer competitor. The results of the war game are supposed to influence the conclusions of this year's Quadrennial Defense Review, an in-depth review of the Pentagon's strategies.

Officials at USJFCOM won't discuss the results of the war game until at least July; many of the most interesting conclusions may remain classified. But the commander of USJFCOM, General James Mattis of the Marine Corps, described his vision of the future while delivering a speech at the Center for Strategic and International Studies.

Mattis discussed how today's adversaries have adapted to U.S. conventional military superiority by forming disaggregated networks of small irregular teams that hide among indigenous populations. United States military forces, by contrast, have only come under greater central control. According to Mattis, this shift is due to evolutions in intelligence-gathering and communications technologies. Call it the new iron law of military bureaucracies: when commanders gain the technical ability to micromanage, they will micromanage.

Mattis believes that in order to defeat modern decentralized networks, U.S. forces will have to become decentralized themselves. This will entail giving autonomy to and requiring initiative from the youngest junior leaders in the Army and Marine Corps. High-performance small infantry units, "a national imperative" according to Mattis, will need to operate independent from higher control, finding their own solutions to local problems as they implement broader policy guidance.


Whether the troops are fast roping out of helicopters or behind the flat screen detecting and analyzing the stealth cyber attack, the approach to defeating the adversaries is much the same. Infiltrating the "cells" and collecting valuable INTEL on the global enemy is what gives us the "Ground Truth." The commander for U.S. CyberSpace will soon be educated on the private sectors role in achieving this continuous and lofty goal of a creating more decentralized and clandestine citizen soldiers.


As the private sector battles the non-state actors for preservation and protection of valuable customer data, corporations are simultaneously being attacked by adversarial plaintiff lawyers.

U.S. insurer Aetna has been targeted in a lawsuit alleging it failed to protect personal information of employees and job applicants, documents indicate.

The lawsuit comes after Aetna, of Hartford, Conn., was struck by computer hackers to access a company Web site holding personal data for 450,000 current and former employees as well as job applicants, the Hartford Courant reported Wednesday.


The private sector would enjoy having our government involved in more proactive efforts to seek out and stop these criminal and terrorist entities that prey on organizations that remain vulnerable. The Operational Risks associated with litigation in the corporate enterprise are here to stay. If the public and private sector can once and for all coordinate, collaborate and "Share Information", we can disrupt, capture, prosecute and defeat our cyber adversaries.

02 June 2009

Continuity of Operations: Mother Nature or Active Shooter...

Continuity of Operations in the context of business gets on the Board of Directors agenda after every tragedy. Whenever the magnitude of the business disruption involves loss of life, or major property damage the executive management goes into "Crisis Management" mode. Unfortunately for many, this may be the only time the Board and corporate executives have tested or exercised for such an incident.

So what is Continuity of Operations? What does it mean to your business? How pervasive does this Operational Risk strategy have to be? Let's think about a simple process from the time a sales person picks up the phone to schedule an appointment to the time the product or service team has delivered or installed the items that have been sold to the customer.

In the context of university higher education, the process of recruiting, admissions, housing, fund-raising, sports and alumni relations. How many touch points, steps in the process or procedures for manufacturing, integration, sourcing, learning and implementation exist? Now think about your supply chain that provides the necessary resources, energy, infrastructure and people to make it all happen. Does this business issue seem like a trivial matter?

The aftermath of any major incident will require a thorough investigation to determine what happened. Everyone will have their version of what they saw, heard, felt and remember about it. Then the finger pointing, litigation and media frenzy begins. Only then do the Board of Directors and Executive Management wish they had practiced and exercised for the eventual day that has now landed on their front door step.

Such an example is in the news again, more than two years after the tragic day in April 2007 on the campus of Virginia Tech University in Blacksburg, Virginia. In Lucinda Roy's latest book, "No Right To Remain Silent", her opinions magnify the need for effective continuity of operations planning, exercises, auditing and testing:

After tragedies like this, people clam up. They are warned that it is too dangerous to talk about the specifics of a case when lawyers are chomping at the bit, when the media is lying in wait like a lynch mob. But people also remain silent when they are worried that what they have to say could injure them somehow.

In the days and weeks that followed the tragedy at Virginia Tech I was reminded of how much silence has to say to us if we listen with care.

Sadly, the tragedy at Virginia Tech did not usher in an era of openness on the part of the administration. Questions that related to the specifics of the shootings, to Cho, or to troubled students in general were viewed in the wake of the tragedy as verbal grenades.

Many of you may remember where you were when you heard the news. Just like you will always remember where you were on the morning of September 11, 2001. Yet April 16, 2007 could very well be more significant as the analysis and the investigation continues.

Sadly, we know how this story turned out: On April 16, 2007, Seung-Hui Cho shot two people to death in a Virginia Tech dormitory, then chained the doors to a classroom building shut and methodically killed 30 more before committing suicide. It was the worst school shooting in American history.

Who knew what when? The litigation is ongoing and some still are seeking the truth. Proving the truth will require substantial analysis of tens of thousands of documents, e-mail messages, hand written notes, depositions, medical records and school work. Yet when it gets boiled down to the facts and the issues, "Continuity of Operations" protocols, practice and preparedness will be at the core of the matter.

Does your organization have facilities where an all hazards approach is talked about and is continuously aware of the threats to life and property along with the economic implications of any business disruption? If you have people and property in California the answer is yes. Earthquakes, brush fires and now even the lack of government resources are existing risk factors. If you have people and property in or near symbolic locations such as New York City's Wall Street, Washington, DC's Capitol, or the St. Louis Arch then your organization should have heightened situational awareness and crisis management mechanisms already in place. The whole State of Florida, North & South Carolina, Louisiana, Texas and others who know the aftermath of Hurricane Katrina are sensitized to the requirements for effective preparedness.

So what is the difference in an event such as the "Active Shooter" scenario on your campus or the catastrophe sent by "Mother Nature"? The answer is the accuracy in predicting the event itself. All the preparedness for either event starts with the mind set that it will happen. Only one can be prevented, preempted or neutralized before it can cause harm.

Sadly, the Report of the (Virginia Tech) Review Panel to the Governor, issued in August 2007, contained important inaccuracies, despite the panel’s best efforts to get to the truth. University officials, it now appears, may have been less than candid and forthright in their responses to the questions put to them by the panel.

25 April 2009

Human Factors: Early-Warning System...

Predictive Intelligence And Analytics From 1SecureAudit Provides Transnational Organizations With A Preemptive Human Factors Early-Warning System

According to Managing Director and Chief Risk Officer of 1SecureAudit, Peter L. Higgins, the complexity of today's extended global enterprises requires a new governance lens to view hidden insider risks and to guide management executives to achieving a defensible standard of care.

"Our newest consulting practice accelerates the time line in identifying employee insider risks and potential threats associated with international client transactions," said Higgins. "Ms. Marcia Branco is launching our new client offering with more than a decade of experience identifying the complex connections between human behavior and corporate operational risk responsibility."

Advocating a "People First" approach, Ms. Branco, vice president, practice director of the Predictive Intelligence and Analytics practice, believes corporate personnel; partners and suppliers represent a tremendous asset and simultaneously a significant legal liability to a business. "People are the primary focal point to better understanding and resolving systemic risk problems within the walls of the enterprise and beyond to the extended supply-chain," said Branco.

The Association of Certified Fraud Examiners affirms "U.S. organizations lose an estimated seven percent of annual revenues to fraud," and insider negligence is the highest cause of data breaches, reports the Ponemon Institute & PGP Corporation. The complexity and quantity of insider threats is growing at the same time as businesses are facing shrinking budgets and mounting pressures to maintain and grow profits with fewer resources. "How successful has your company been at identifying and swiftly addressing issues, conflicts and preventing malfeasance? Whether originating internally from an employee or contractor or at your extended border of partners, suppliers and clients, predictive intelligence is essential?" asks Higgins.

1SecureAudit provides critical assessments, internal investigations, strategy execution and program development. These proactive governance and advisory services generate positive change to business culture, operations and bottom line.

"Our distinctive 'People First' approach examines your organization's human capital assets to gain unique insights on corporate culture, company issues and the workforce's attitude about management and business initiatives. We convert these human factor data into predictive intelligence to preemptively determine how to best shape current and new corporate strategies. Our clients are able to take advantage of short-lived opportunities, attract and retain employees, partners and customers, demonstrate a more defensible standard of care and promote a trustworthy corporate reputation," stated Branco. "Does your organization consistently adhere to and enforce corporate policies, ethical standards and procedures that value your employees and respond to shareholder advocates?"

Working with 1SecureAudit to integrate predictive intelligence in any business strategy and practices is a sound investment that directly contributes to corporate management's, Board of Directors', and shareholders' peace of mind. For more information, visit 1SecureAudit.com or e-mail RDU (at) 1SecureAudit.com.

07 April 2009

Economic Impact: Proving the Truth...

The Madoff investigations into so called "feeder firms" are now gaining momentum. The question on who are the victims and where fraud is suspected continues it's due course. The process of client referrals is not a crime and allegations that correlate this with fraudulent behavior is a flawed mindset. The current basis in the Merkin case has more to do with non-disclosure of where clients money was actually invested:

Andrew Cuomo, the New York attorney general, yesterday filed civil fraud charges against the hedge fund manager Ezra Merkin, alleging he secretly channeled more than $2.4bn to Bernard Madoff's Ponzi scheme in exchange for lucrative fees.

The move is the second regulatory action in two weeks against one of the big so-called "feeder" funds that sent billions of dollars to Mr Madoff, who pleaded guilty to one of history's biggest investment frauds.

Mr Cuomo accused Mr Merkin, a leading figure in the New York charity community and former chairman of financing company GMAC, of steering money from charities, universities and non-profit organisations to Mr Madoff without their permission and reaping about $470m in fees for his three funds.

"Merkin duped individual investors, non-profits and charities into believing he was responsibly managing their investments, when in actuality he was dumping them into history's largest Ponzi scheme,'' Mr Cuomo claimed yesterday.


Operational Risk professionals in these hedge funds and other alternative investment firms are getting prepared. These organizations will continue to be under the regulatory spotlight for years to come. Fraud and the fear of fraud will make their potential clients even more diligent in their understanding of where their funds are being invested. The federal watchdogs, oversight mechanisms and civil law suits will require firms to have their risk management "Act" together.

When it comes time to prove the truth, whether innocent or guilty, it will come down to information. The likelihood that this information is housed in a database, e-mail system or off-site disaster recovery repository is almost certain. Digital information that is part of any inquiry for civil or criminal action is subject to the "Rules of Evidence" and the "Federal Rules of Civil Procedure." This is where most of the alternative investment firms have their greatest exposure and vulnerability today. Call it the "Readiness Factor".


In a groundbreaking case from the past year, Qualcomm Inc. v. Broadcom Corp., No. 05CV1958, 2008 WL 638108 (S.D. Calif. March 5, 2008), the court found the plaintiffs to have committed "monumental and intentional" discovery violations for failing to produce thousands of documents requested in discovery. The court cited the "impressive education and extensive experience" of Qualcomm's attorneys to justify significant sanctions for failure to produce relevant e-mails, including reporting to the State Bar of California.

The "Readiness Factor" goes far beyond the process or procedures for preserving evidence. It starts with the creation of information inside the organization. How is it classified, where is it stored and who has access to it? These are fundamental Information Technology and Records Management 101 questions that any prudent organization has already answered. Where most firms find themselves with their backs up against the "legal wall" has to do with relevance, authenticity, and admissibility of information.

The "Alternative Investment" industry is quickly learning that their own IT professionals are going to end up on the witness stand and in early depositions. They are going to be hearing questions such as:

  • What policies or procedures do you manage in your department/organization?
  • What training do you have on the collection and preservation of "Electronically Stored Information"?
  • Explain your responsibility or supervision of access controls, folder management, indexing, purging controls and metadata?
  • Describe the procedures your firm utilizes to identify the places, people (custodians) and quality of the data that has been preserved for this case?

The list continues and the IT professionals better be ready. Adversarial counsel will be digging deep to get after the key components of authenticity and spoilation issues. The unfavorable outcomes from a lack of readiness can produce an "Economic Factor" that far exceeds the cost of just finding and producing the information for e-Discovery.

The economic impact of proving the truth in any case can be significant. If you were a savvy and smart prosecuter, the cases that would filter to the top for scrutiny may very well be those firms that display the most "IT Immaturity." Getting some wins under your belt with some relevant case law could determine how fast future cases are settled far in advance of ever getting to trial.

For those "Alternative Investment" firms that are behind the 8 Ball, here is a good place to start your own discovery of the total cost of proving the truth. The E-Discovery Road Map.

07 March 2009

Compliance: Workplace Security, Ethics & Governance...

Bernie Madoff clones and the 11,000 other unregulated investment advisors across the US will be subjected to increased scrutiny in 2009 and beyond. The SEC, FINRA, US Treasury FINCEN, FBI and the tribe of banking regulators are all gearing up for audits, inspections and more granular forensic accounting examinations.

Fraud and the corruption of corporate America is hard to detect. Even more difficult when the watchdogs are too busy or without the resources to do the job effectively. Post Enron and the whole SOX wave of documentation, controls implementation and testing the Big Four Accounting firms were very busy.

The cases are among a series of recent alleged frauds at financial firms. While they have been handled differently, they have shined a light on loopholes in federal regulations, such as fragmented regulations governing brokers, investment advisers, auditors and other firms. And the cases have underscored obstacles facing authorities, including inadequate resources for detecting wrongdoing and difficulties in gaining access to foreign financial accounts.

"Reform is needed to close the existing regulatory gaps that expose investors to risk," said Richard Ketchum, chief executive of the Financial Industry Regulatory Authority, Wall Street's self-policing agency.

SEC Chairman Mary L. Schapiro is looking to work with lawmakers to overhaul the nation's financial regulatory system. This week, the SEC announced that it would partner with a government-funded research center to study ways to better assess the thousands of tips and complaints that come in each year. The House and Senate plan to consider legislation as early as late spring that would bring all financial activities under federal regulation. The details, however, aren't clear.

At the SEC, Schapiro plans a new focus on spotting fraud and other market manipulation early on. She plans to create a large team to seek out where abuses might be occurring. Then she plans to direct the SEC's limited examination staff toward those places. "We've got to be able to conduct risk assessment that allows us to understand where problems might arise and connect the dots between different problems in different places -- whether they're generated by different products, different firms or different trends in the economy," Schapiro said in a recent interview.


The internal threat to your institution by your own employees who may do you harm, intentionally or not is just a core factor in day to day Operational Risk Management. Where it gets more interesting to plaintiff lawyers is when there is a clear pattern of ignorance or just plain lack of resource allocation or funding to policing the organization. The even more vulnerable facet of the OPS Risk mosaic could be the supply chain of companies and people who represent the vital outsourced functions. How many mission critical components of running your business have you handed over to call centers, ISP and hosting companies, distribution and delivery, back office administration including accounting and payroll?

One of the key areas of due diligence long overlooked at these investment advisers is the supply chain of feeder firms. The alternative investment industry has it's reach into the accountants and tax advisory services for a good reason. They are the ones who prepare your tax returns. Their insight into your cash flow, ability to invest and necessity for potential hedging of tax liability gives them the opportunity to be great referral agents. How many times has your tax advisor recommended you go see a friend in the alternative investment industry?

Creating awareness among the ranks of corporate America that everyone is going to be under the magnifying glass won't change the motivators:

  • Money
  • Ideology
  • Compromise
  • Ego

Economic challenges inside the corporation or on the home front can increase exposure to heightened threats in the workplace. These include violence, fraud and product theft at a minimum. However, the greatest asset of value being attacked, stolen and sold to the highest bidder is information. Corporate espionage and good old fashioned competitive intelligence is a 21st century Operational Risk Managers nightmare.

Workplace Security, Ethics and Governance programs will continue to be a focus for auditors and inspector generals. A lack of evidence of effective and robust efforts to deter, detect, defend and document withing the confines of the institution could be a differentiator when it comes time for any sentencing guidelines to be considered.

§8B2.1. Effective Compliance and Ethics Program

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

21 February 2009

Oversight Risk: Evidence of Compliance...

In light of the tremendous announcements of corporate and financial malfeasance over the past few months, there is a "cramdown" in the works. The US Office of the Special Inspector General for the Troubled Relief Asset Program (SIGTARP) is gearing up.

The Office of the Special Inspector General for the Troubled Asset Relief Program ("SIGTARP") was established by the Emergency Economic Stabilization Act of 2008 ("EESA").

Under EESA, the Special Inspector General has the responsibility, among other things, to conduct, supervise and coordinate audits and investigations of the purchase, management and sale of assets under the Troubled Asset Relief Program ("TARP"). SIGTARP’s goal is to promote economic stability by assiduously protecting the interests of those who fund the TARP programs - i.e., the American taxpayers - by facilitating transparency in TARP programs.

Transparency and effective oversight in the TARP will be accomplished in coordination with other relevant oversight bodies, and by robust criminal and civil enforcement against those, whether inside or outside of Government, who waste, steal or abuse TARP funds.

The Special Inspector General, Neil M. Barofsky, was confirmed by the Senate on December 8, 2008, and was sworn into office on December 15, 2008.


As the new Stimulus Package works it's way to the local and state governments additional oversight will be placed on the bidding, procurement and contracting processes. Compliance with federal and state laws will become ever so vital as funds are applied under TARP in the mortgage markets and "shovel ready" projects are funded for maintenance and repair of critical infrastructures.

As the government ramps up to spend trillions of dollars to revive the economy, loopholes in federal law and a shortage of FBI agents assigned to investigate white-collar crime could lead to a big payday for perpetrators of mortgage fraud and other schemes.

That's the view of lawmakers who want to extend federal fraud laws to private mortgage companies that aren't regulated at the federal level, and provide $155 million a year to the U.S. Justice Department to triple the number of active mortgage-fraud task forces and help the FBI rebuild its white-collar investigation program.


So what should a Chief Compliance Office or Vice-President of Operational Risk Management at an institution be concerned with over the next few years? Get ready. First and foremost, the Board of Directors will be focused on "Corporate Governance Strategy Execution." Public institutions who have most recently taken on the role of becoming a more traditional bank in order to become eligible for government funds are most at risk. Some of these include traditional insurance companies and credit or charge card institutions. This is because they have not had the controls, staff and policy programs in place to effectively deal with all of the new banking regulations and compliance mechanisms the oversight agencies will be scrutinizing during their audits.

Securities and Exchange Commission Chairman Mary Schapiro plans to look into whether the boards of banks and other financial firms conducted effective oversight leading up to the financial crisis, according to SEC officials, part of efforts to intensify scrutiny of the top levels of management and give new powers to shareholders to shape boards.

As she examines what went wrong, Schapiro is also considering asking boards to disclose more about directors' backgrounds and skills, specifically how much they know about managing risk, said the officials,

As new sources of funding flow to the organizations for redistribution to consumers or small businesses the oversight process must be implemented up front. The human factors will play a tremendous role in how ethics are either applied consistently or are absent all together, in day to day operations. Boards of Directors will ensure that corporate management are injecting the correct amount of corporate governance and compliance management oversight to keep human behavior and red flags in check. Operational Risk Managers will be busy expanding their breadth and reach into the corporate enterprise for years to come.

26 January 2009

PII: Achieving a Defensible Standard of Care...

A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. This incident is no different than other Operational Risk loss events to your global enterprise this year, such as occupational fraud or the settlement of a lawsuit. Correct?

This time however, the difference is that now your own employees or your customers are the victim. Their PII has been lost or stolen and your organization has been the safeguarding entity of that valuable data until now. Your response is vital and the way you legally and ethically behave is a significant risk factor in itself.

Your brand reputation in the marketplace is on the line and the potential churn in lost customers or employees is at stake. Like many post 9/11 companies, your crisis response protocol is already in place for incidents that require your senior executives and the establishment of an immediate Incident Response Team (IRT).

So why is lost or stolen PII such an important executive issue for any organization?

In privacy, PII is less restrictive than in Information security and one definition can be found in the EU directive 95/46/EC:[1]

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many web site privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.


As your General Counsel and Chief Privacy Officer begin to assess the magnitude and breadth of your recent PII exposure, so too does the plaintiff lawyers. Now the clock starts ticking and each tick gets louder and louder, as different litigation strategies are discussed. In Board Rooms and judges court chambers across the United States, the Federal Rules of Civil Procedure (FRCP) and the admissibility of "Electronically Stored Information" (ESI) is being discussed as a legitimate component of evidence and it's relevance in the case.

What if you could now "Rewind" this scenario and find yourself in a "legal safe zone" to adequately prepare, prevent and even preempt a "Data Security Breach" in your organization. This "legal safe zone" is available today and is as close as your corporate executive conference room, with several "Subject Matter Experts" working side-by-side. It's a professional service solution from the data breach services leader, idexperts.

The "Achieving a Defensible Standard of Care" Readiness workshop in your organization begins with a two day facilitated process for discovery and convergence with your fellow company executives. You will be engaged in a proactive, preventive and preemptive tactical plan in preparation for the day of your next PII-involved Data Security Breach. Upon completion, this operational plan establishes the baseline framework for a complete team-based drill. This outcome will then test the readiness of your key stakeholders internally and external to the company. More importantly, it provides the strategic insight on what vulnerabilities still exist in your particular organizations approach to remediation and legal compliance.


Each year, despite security efforts, millions of personal records are compromised as a result of corporate and public-sector data breaches. Breach response costs - mandated notification, PR, call handling, credit monitoring and legal fees - can add up, yet traditional approaches don't fully mitigate the risk to your business or your customers.


A data security breach of "Personal Identifiable Information" (PII) will impact your organization in the future. The next one will be different.