Cybersecurity and the Cloud Multiplier Effect

Jul 11, 2014   //   by admin   //   Blog

RFG Perspective: While corporate boards grapple with cybersecurity issues and attempt to shore up their defenses, the inclusion of cloud computing models in the equation is increasing their risk exposure. Business and IT executives should work together to aggressively establish the processes, procedures, and technology that will reduce risk exposures to levels deemed acceptable. Additionally, senior executives and Boards of Directors need to play a more active role in the accountability and governance of cybersecurity by discussing and addressing challenges, issues and status at least quarterly.

An article on the front page of the Wall Street Journal on June 30, 2014 discussed corporate boards racing to shore up cybersecurity. It alluded to a number of corporate boards waking up to cyber threats and worrying that hackers would steal company know-how and intellectual property (IP). In the first half of 2014, 1,517 NYSE- or NASDAQ-traded companies referenced some form of cyber attack or data breach in their securities filings – almost a 20 percent increase from the previous year. In all of 2013, 1,288 such filing comments were made, whereas in 2012 only 879 companies reported cyber statements. This is good and bad news – good that cybersecurity is getting CEO and Board attention, and bad in that executives are belatedly waking up to an endemic problem.

Fiduciary Responsibility

The Board and CEO have a fiduciary responsibility to shareholders to protect the company’s assets from undue risks. It is not something that can be assigned and then ignored. Yet that is what has happened at many companies over the years. They must be involved in cybersecurity governance and decision-making on an ongoing basis and not shunt it off to Chief Risk Officers (CROs), Chief Security Officers (CSOs or CISOs) and/or IT executives. CEOs and other senior executives should also ensure privacy and security programs are aligned with each business unit’s requirements and that the risk probability and exposures are reasonably known and reduced to an acceptable level. It is important that all parties understand that zero security risk is no longer attainable (nor would the expense be worthwhile if it were); what matters is to agree upon what level of risk exposure is acceptable, budget for it, and implement initiatives to make it happen.

At the Board level there should be a risk committee that is responsible for all risk management, including cyber risk. Moreover, best practices suggest Boards should, at a minimum, address the following five areas:

  • regularly review and approve top-level policies on privacy and IT security risks
  • regularly review and approve roles and responsibilities of lead personnel responsible for privacy and IT security
  • regularly review and approve annual budgets for privacy and IT security programs separate from IT budgets
  • regularly review and approve cyber insurance coverage
  • regularly receive and act upon reports from senior management regarding privacy and IT security risk exposures.

These efforts can be done by the full Board or by a risk committee that reports to the Board. Some Boards may have assigned this role to the audit committee but, while it is good that it is addressed, it is not a perfect fit.

Cloud Multiplier Effect

In June the Ponemon Institute LLC published a report on the cloud multiplier effect. The firm surveyed 613 IT and IT security practitioners in the U.S. who are familiar with their companies’ usage of cloud services. The news is not good. Most respondents believe cloud security is an oxymoron and that certain cloud services can result in greater exposures and more costly breaches; according to the report, the use of cloud services multiplies breach costs by a factor between 1.38 and 2.25. The top two impacts are from cloud breaches involving high value IP and the backup and storage of sensitive or confidential information, respectively. Most respondents believe corporate IT organizations are not properly vetting cloud platforms for security, are not proactively assessing information to ensure sensitive or confidential information is not in the cloud, and are not vigilant about cloud audits or assessments.

Moreover, disturbingly, almost 75 percent of respondents believe their cloud services providers would not notify them immediately if they had a data breach involving the loss or theft of IP or business confidential information. Almost two-thirds of those surveyed expressed concern that their cloud service providers are not in full compliance with privacy and data protection laws – and this is in the U.S., where the rules are less strict than in the EU. Furthermore, respondents feel there is a lack of visibility into the cloud as it relates to applications, data, devices, and usage.

Summary

Boards, CEOs and senior non-IT management need to become more aware of their cybersecurity exposures and actively participate in minimizing the risks. IT executives, on the other hand, need to present the challenges, status and trends in a more business-oriented, less technical manner, including recommendations, so that the other executives can appreciate the issues and authorize the appropriate actions. As the Ponemon study shows, the challenges go beyond the corporate four walls into clouds they have no control over. IT executives need to become involved in the selection and vetting of cloud services providers. Furthermore, business and IT executives must work together and build strong governance practices to minimize cybersecurity risks.

RFG POV: Cybersecurity risk exposures are increasing and collectively executives are falling short in their fiduciary responsibilities to protect company assets. Boards, CEOs and other senior executives must take their accountability seriously and play a more aggressive role in ensuring the risk exposures to corporate assets are known and within acceptable levels. For most organizations this will be a major cultural change and challenge and will require IT executives to proactively step forward to make it happen. IT executives should collaborate with board members, senior executives, and outside compliance services providers to establish a program and governance methodology that monitors and reports on the risks and provides cost/benefit analyses of alternative corrective actions. Moreover, at a minimum, corporate executives must review the governance materials quarterly, and after critical risk events occur, and take appropriate actions.

California – Gone Too Far Again

Dec 13, 2012   //   by admin   //   Blog

Lead Analyst: Cal Braunstein

California Governor Jerry Brown signed into law Assembly Bill (AB) 1844, which restricts employers’ access to employees’ social media accounts, and Senate Bill (SB) 1349, which restricts schools’ access to students’ social media accounts. Due to the overbroad nature of the laws and their definition of social media, enterprises and schools may have difficulty complying while performing their fiduciary responsibilities.

Focal Points:

  • Although both laws expressly claim they are only regulating “social media,” the definitions used in the laws go well beyond true social media over the Internet. The statutes use the following definition: “social media” means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations. In effect, the law governs all digital content and activity – whether it travels over the Internet or is stored on local storage devices or in-house systems.
  • Additionally, AB 1844, which covers employer-employee relationships, restricts employers’ access to “personal social media” while allowing business-related access. However, the law does not define what comprises business or personal social media. It assumes that these classifications are mutually exclusive, which is not always the case. There have been multiple lawsuits over the years that have resulted from disagreements between the parties as to the classification of certain emails, files, and other social media.
  • Many organizations inform employees that email and social media activity performed while using the organization’s computer systems is open to access and review by the company. Furthermore, some entities have employees sign an annual agreement to such rights. However, the law makes it illegal for employers to ask for login credentials to “personal” accounts and the statute does not allow access to mixed accounts, which supposedly do not exist.

RFG POV: The new California statutes are reminiscent of CA Senate Bill 1386 (SB 1386), which requires any state agency or entity that holds personal information of customers living in the state to disclose any breach of databases that include personal information, regardless of the business’ geographic location. The new laws do more harm than good and allow potential class action civil suits in addition to individual suits. This will make it more difficult for organizations to protect the entity, its image, enterprise data and client/student relationships, and to ensure appropriate conduct guidelines and privacy requirements are being met. In addition, the ambiguities in the wording of the laws leave them open to interpretation, which in turn will eventually lead to lawsuits. Business and IT executives can expect these new laws to extend beyond the borders of the state of California, as did SB 1386. IT executives should review the legislation, discuss with legal advisors all elements of the laws, including the definitions, and explore ways to be proactive with their governance, guidelines and processes to prevent worst case scenarios from occurring.

RBS Fiasco – A Harbinger of Things to Come?

Jul 14, 2012   //   by admin   //   Blog

Lead Analyst: Cal Braunstein

The Royal Bank of Scotland (RBS) group, which includes NatWest and Ulster Bank, recently experienced a massive week-long outage caused by an IT failure. Retail customers were unable to receive or make payments, greatly impairing people’s ability to process wages, mortgages, and other transactions and damaging the reputations of both the bank and its customers. The bank’s retail customer account system uses CA Inc.’s CA-7 batch scheduling software. What should have been a routine procedure and straightforward upgrade fix by operations staff was unintentionally converted into a major catastrophe.

The story is that an operator running the end-of-day overnight batch cycle accidentally erased the entire scheduling queue. This error required the re-entry of the entire queue – a complex process requiring an in-depth understanding of the core system’s processes and detailed knowledge of legacy software. All this had to be completed within the overnight batch processing window, which for most firms is tight and leaves little room for error correction and reruns. This proved to be impossible, especially as pent-up demand and payment instructions built up over time in the queue, causing other RBS systems, such as access to its online banking, to be out of service. Eventually RBS had to rerun the previous day’s transactions before new ones could be entered into the system. The delays and backlog of up to 100 million transactions fed upon themselves, extending the outage over multiple days.

RFG notes that many observers pointed the finger at the bank’s legacy mainframe systems – both the hardware and software. However, RFG believes this is not the real story. The vast majority of banks run their retail customer account systems using mainframes and legacy software every day and this is a rare event. RBS runs on System z servers, so one cannot claim it is using ancient iron that is outdated.

The real culprits are the bank’s processes and personnel management. The multi-year banking crisis that RBS (and others) went through caused the firm to undertake cost cutting measures over the past few years. IT organizations were not exempt from the staffing actions and many of the IT jobs were outsourced to a team in India. Reports state that the person responsible for the error was part of this team but an RBS executive claims otherwise. Outsourced or not, two things are evident: the staff was inexperienced and not adequately trained for the task, and processes and procedures did not exist to quickly identify the problems and correct them rapidly. The issues here are not technology but people and process.

RFG POV: The RBS business environment is not unique. Because of the financial meltdown that began in 2008, banks, other financial institutions, and enterprises of all types have been forced to slice budgets across multiple years, and IT budgets are no exception. For many companies this cost cutting continues. However, it does not mean that IT is no longer accountable and responsible for its actions – it has a fiduciary responsibility to keep the business running regardless of the disaster. RBS did not properly staff and/or train its operations crews and did not have appropriate procedures in place to prevent such a failure. In many organizations the procedures are not well documented and smooth operations depend upon the institutional knowledge and skills of senior staff, and frequently when there are cuts, these high priced administrators/operators are the first to go. IT executives should proceed cautiously when “rightsizing” staff and ensure that key skills and/or institutional knowledge are not being lost in the process. Documentation tends to be IT’s Achilles’ heel. IT executives need to ensure all procedures are well documented and tested, and that staff are fully trained on them. As the proverb goes, an ounce of prevention is worth a pound of cure.