“Marriott Says Starwood Data Breach Affects Up to 500 Million People,” The Wall Street Journal, November 30, 2018 (online). Data breach potentially affecting passports and credit cards of as many as 500 million guests at Marriott’s Starwood properties, which were acquired in 2016. They knew about this in September, but reflects a breach that may go back to 2014.
So, two years after an acquisition, the target’s information security practices blow up in the acquiror’s face. What does that say about the acquiror’s duty to integrate the data practices and controls around information protection?
Does your M&A team think about information governance issues? Is that an identified risk, with an identified (and owned) action plan? Did the Board identify this as a risk? What the value of this information considered part of the transaction value? How was that reflected?
Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Value
This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security. But the topics do overlap.
So, what controls do you have in place to prevent from someone accessing your computer and changing the information there or, as important, changing how your computer operates? That’s an identified risk, right?
“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3. Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems. Can the hackers take control of those systems or shut them down?
Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago? Contractors can be a massive IT security risk.
Is this part of Information Governance?
What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems? And to control the third parties who do have that access? Is there a process?
Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors
“Angry Users Are Threat to Facebook,” The Wall Street Journal, March 23, 2018 B1. User reaction to the use of user data may imperil FB; users lose trust.
For a company recently valued at $500 billion, the loss of a customer base and momentum may be terminal. Or at least painful. Just because they didn’t take care of its users’ information.
Again, is this an information governance blog or a crisis management and response blog? The issues seem to overlap a good deal of late. Is this just a risk of the business, or does it say something about the company’s culture or governance? What exactly is FB selling, and to whom? What was their reputation?
Filed under Board, Controls, Corporation, Culture, Culture, Duty, Governance, Internal controls, Oversight, Oversight, Protect assets, Protect information assets, Risk Assessment, Third parties, Vendors
I am not sure what to say about the Nunes memo about the DOJ and the FBI and the FISA court, and classified information and governance and compliance. Too political to be educational.
So, the right-hand news item instead. “Fed Limits Wells Fargo Growth, Replaces Directors,” The Wall Street Journal, February 3, 2018 A1. Following a pretty bad year or two, following the customer cramming schedule or the auto insurance. A former CEO. Lower bonuses. Now the government takes control of a large bank and replaces the directors. Restricts the bank’s future growth. A 6% stock value drop, before this week’s really bad sell-off. Cost: $300-400 million. Government says, “We cannot tolerate pervasive and persistent misconduct at any bank ….”
What’s the value of compliance? Is it the possible loss of your ability to control your company? Is this a lesson for directors, in that they may lose their positions (but they don’t have to refund their fees)(yet- the derivative suits are coming soon). They didn’t even do that to BP! The Chief Risk Officer is also retiring later this year.
Business case for compliance or better risk management? For knowing what’s going on in your company? Not sure what the lesson is for the shareholders.
Filed under Board, Business Case, Compliance, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Inform market, Inform shareholders, Internal controls, Oversight, Oversight, Protect assets, Risk, Risk Assessment, Risk assessment, Supervision, To report
The Yahoo hack may have affected 1.5 billion customers. But in terms of targeted hacks, OPM was pretty big. There’s a new contender for the Hack of Hacks.
“Equifax Reveals Huge Breach,” The Wall Street Journal, September 8, 2017 A1. The records (name, address, Social Security number, birth date, etc.) of 143 million US consumers at the credit reporting company have been hacked. That’s roughly half the US. And they sat on it for awhile (since they discovered in on July 29).
Will this fundamentally change the landscape? Will we see EU-level privacy controls in the US? Will the directors of Equifax face personal liability for not ensuring the information was protected? How can you protect your Social Security Number five years from now? How will credit decisions be made in the future?
Filed under Access, Accuracy, Board, Compliance, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Oversight, Oversight, Privacy, Protect assets, Protect information assets, Risk Assessment, Security, Supervision, Value, Vendors
One of my common themes is the duty of directors. They get paid a lot of money to act as fiduciaries for the company’s shareholders.
“Warren Keeps Pressure on Wells,” The Wall Street Journal, June 20, 2017 B10. Senator Elizabeth Warren (D. Mass.) is leaning on the Federal Reserve (arguably an independent body) to remove 12 directors who served on Wells Fargo’s Board when the account- cramming scandal was going on. Other problems have emerged at Wells Fargo since then.
The shareholders didn’t/couldn’t vote them out in April, and so far (as I know) the directors haven’t been held personally liable for negligent oversight. So it’s nice that someone is still pursuing the people in charge at the time that (some of the) bad things were happening.
Some executives got fired or their bonuses were docked. The shareholders lost a bundle in fines and penalties paid by the company. It would be nice if the directors were held responsible and accountable — not just to penalize them, but to put other directors on notice of what they are getting paid to do, and for whom.
Would be nice to have a poster child for the director’s duty.
Filed under Board, Compliance, Compliance, Compliance Verification, Controls, Culture, Directors, Duty, Duty of Care, Governance, Inform shareholders, Internal controls, Oversight, Oversight, Protect assets, Risk Assessment, Risk assessment, Supervision
“Venezuela Alleges Fraud in $1.3 Billion Oil-Rig Lease,” The Wall Street Journal, March 16, 2017 A10. “Officials at PdVSA [the state oil company in Venezuela] were accused of embezzlement by paying inflated fees.”
How do you track whether the company is paying inflated fees to companies owned by Saudi princes, with a no-bid contract to an industry newcomer? You do track that, don’t you? As a director you would want to make sure that people weren’t paying too much for service contracts. Why would the state oil company pay inflated rates? Aren’t these bribes going the ‘wrong’ way? Or was it just waste and incompetence? The difference is only $250,000 a day for seven years.
Do you consider the information governance aspects of the FCPA, beyond the books and records? It is good that the government checks.
Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Definition, Directors, Duty, Employees, Governance, Government, Information, Internal controls, Oversight, Oversight, Protect assets, Risk Assessment, Risk assessment
Do you think about the risk of the failure of a critical information transfer system?
“Bank Lost Its Ability To Process Payments,” The Wall Street Journal, December 8, 2016 B8. The Bank of New York Mellon temporarily lost its access to the SWIFT network, used to process payments within the banking system. Over nineteen hours.
Does your business have a similar business continuity risk, where a critical information transmission system is unavailable? Have you identified that risk and quantified its potential impact? Do you have controls (people, process, or technology, or some combination) to prevent the occurrence, or to limit its impact? Is this a Board responsibility? If not the Board, who?
Filed under Access, Board, Controls, Directors, Duty, Governance, Information, Interconnections, Internal controls, IT, Management, Protect, Risk, Risk Assessment, Risk assessment, Value