October 30, 2017 · 6:48 pm
Would you hide something stupid from the Board?
“GE Board in Dark on CEO’s Use of Extra Jet,” The Wall Street Journal, October 30, 2017 B1. As if it weren’t bad enough that the CEO flies on the company plane, it appears that he brought a second plane along, just in case.
Now why would you keep that secret? Even after an internal complaint several years ago? How do you define waste? Who thought that this was an appropriate use of the shareholders’ money?
Might there be gaps in the compliance program? If this slipped through, what else is out there?
Filed under Board, Compliance, Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Information, Internal controls, Oversight, To report
October 30, 2017 · 6:37 pm
How do you protect against intrusions (including hacking and viruses and ransomware)? Policies and technology, mainly. How do you protect against internal breaches (phishing, etc.)? Policies, training, and a bit of technology. How do you respond to an actual breach? Policies and procedures, training, and technology.
In the response, keep the notice requirements in mind. The rules vary from state to state.
“States Quiz Equifax on Disclosure,” The Wall Street Journal, October 30, 2017 B1. Several states initiate investigations into Equifax’s delay in reporting after the hack that may have compromised the records of 145.5 million credit accounts. What did they know, when did they know it, when did they report it, and to whom? Notice to the state, to the feds, to the consumers, and to investors? What’s reasonable, and what’s required by statute?
It’s all about notice. Given the business, should the directors have been on top of this?
Filed under Communications, Compliance, Controls, Corporation, Directors, Duty, Governance, Information, Interconnections, Internal controls, IT, Legal, Oversight, Requirements, Security, To report, Value
October 30, 2017 · 2:45 pm
“Hackers Target Schools,” The Wall Street Journal, October 24, 2017 A3. Cyberthefts and ransomware attacks at a whole host of schools, targeting data on students, as well as the normal financial stuff.
So, how much money should schools spend to prevent hacking and subsequent release of student data? And isn’t it nice of the news media to report how much ransom the attackers got?
So, whose data is it, anyway? And who’s the custodian?
Filed under Access, Compliance, Controls, Duty, Duty of Care, Governance, Government, Information, Interconnections, Internal controls, IT, Oversight, Ownership, Protect assets, Security, Third parties, Value
October 30, 2017 · 2:38 pm
“Countermove in Code War,” The Wall Street Journal, October 24, 2017 B4. Kaspersky Lab promises to turn over the source code to deflect allegations that its antivirus software led to the compromise of some confidential US government documents.
What can you do when software you sell to protect information from infection is, itself, potentially infected? What business will you have if you can’t provide adequate assurances?
October 30, 2017 · 2:29 pm
“Fidelity Is Hit by Employee Conduct Problems,” The Wall Street Journal, October 23, 2017 A1. Several high-level employees canned following sexual harassment allegations.
Who knew Harvey W. would start a trend that reached beyond entertainment into high-finance?
Did these companies not have policies against sexual harassment and bullying? Had compliance with the policies been audited? What’s the compliance history?
Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Oversight
October 30, 2017 · 2:22 pm
Normally, I use articles from The Wall Street Journal to kick off my points. But the story making the rounds isn’t, as far as I can tell, in the Journal.
“YouTuber says Apple engineer father fired over her viral iPhone video,” New York Daily News, October 29, 2017 (accessed online). An engineer working on the Apple iPhone X got fired after his daughter posted a video on YouTube showing how it works.
Now, one assumes the engineer was subject to a confidentiality agreement with his employer, and that Apple restricts disclosure of technology prior to release. And he screwed up by leaving his test phone out where his daughter could get it and post the video on YouTube. And Apple had to enforce against the engineer or it would be hard for Apple to enforce against others on the same topic. Trade secrets need to be secret.
Two things. First, people do get fired for disclosing their employer’s confidential and proprietary information to third parties (or, apparently, allowing a family member to do so). Second, do we/you ever leave confidential or proprietary information belonging to our/your employers or clients out where family members can access it?
October 30, 2017 · 2:05 pm
“Pacemaker Fix Against Hackers Raises New Fears,” The Wall Street Journal, October 21, 2017 B4. Will updating the software crash your pacemaker? Fix to prevent a potential hacker pathway.
A couple of information points. Software is information. Limiting unauthorized access to “my” pacemaker seems to be something the manufacturer should be responsible for. Who manages the risk of hacking? What about the risk of the change itself? Is this a doctor’s call or the patient’s call?
Filed under Access, Compliance, Controls, Corporation, Duty, Governance, Interconnections, Internal controls, IT, Risk, Security, Third parties
October 30, 2017 · 1:56 pm
One of the early warning signs of most crises is a similar problem elsewhere in your industry.
“EU Officials Raid BMW’s Headquarters,” The Wall Street Journal, October 21, 2017 B2. Raid was apparently looking for evidence of antitrust violations in the industry, perhaps including agreements on emissions technologies.
Is this related to the emissions scandal at VW and other car makers?
If you’re a European car manufacturer, does this raise the risks of what’s in your information systems and files today? How can you address that?
October 30, 2017 · 1:47 pm
If you find one roach, likely there are others you haven’t found yet.
“Wells Fargo Fires Four Amid Probe of Currency Business,” The Wall Street Journal, October 21, 2017 A1. Apparently, there was/is an issue with WF’s foreign exchange business. Thus, problems were not confined to the retail customer side of their business.
Does this suggest that the problems in the retail side (account cramming, among others) were due to a culture problem or a tone at the top? Did/does WF have a problem getting its employees to act ethically? Why?
If Wells Fargo were serious, what would they do/have done? Merely firing the wrongdoers you catch apparently isn’t enough. What have the directors done to fix this, beyond changing the CEO?
October 20, 2017 · 11:03 am
The adventure continues, after Kobe Steel announced earlier this month that workers at several different facilities had fudged paperwork on product quality, dating back to at least 2007. Apparently, getting that type of paperwork accurate is important. To someone.
“U.S. Looking Into Kobe Steel Scandal,” The Wall Street Journal, October 18, 2017 B3. The Department of Justice kicks off a request for information after company disclosures about practices in Japan. Affects product sold to manufacturers of trains, planes, and cars.
More to follow. Expect Congress to weigh in shortly. Again, the problem occurred in more than one facility, over a period of years. Is that a failure of compliance, or culture, or both?
An example of the intersection of governance, compliance, and information.
Filed under Accuracy, Compliance, Controls, Corporation, Culture, Data quality, Definition, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Oversight, Reliance, Use, Value