Category Archives: Third parties

Cyberattacks

“Three From China Indicted in Cyberattacks,” The Wall Street Journal, November 28, 2017 B4.  Allegedly hacked into the email account of an economist at Moody’s and gained access to gigabytes of confidential data of Siemens beginning in 2011.

Who has access to your data?  Is the email account of a third-party vendor a potential source of a major leak?  Even an economist?

Advertisements

Leave a comment

Filed under Access, Compliance, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Information, Interconnections, Internal controls, IT, Oversight, Protect assets, Security, Third parties, Value

Why listen to the court?

“Battle at CFPB Rages On,” The Wall Street Journal, December 4, 2017 B9.  The person who lost in her attempt to seize control of the CFPB despite the appointment of Mick Mulvaney as the head of the agency asks the court to do “a more complete legal assessment of her claims.”

I guess if you don’t like the first decision, you might as well ask again, right?

Governance involves having a clear idea of who governs.  I suspect the court will clarify the matter for her and her lawyer.

Leave a comment

Filed under Compliance, Controls, Duty, Employees, Governance, Ownership, Third parties

Eggs and baskets

On the one hand, regulators want to be able to easily see all the trading data about stock trades.  On the other, if you put all the important information in one place, hackers might go after it.  What’s a body to do?

“Exchanges Seek Database Delay, Citing Security,” The Wall Street Journal, November 15, 2017 B18. The NYSE and others asked the SEC to delay the start of a new database of sensitive trading information so that they can enhance the security. By adding a CISO, for example.

The SEC hasn’t been a positive model for computer security, and industry has had a few oopsies as well.  How does one balance ease of regulatory enforcement and security?  Which one is more important?  Who’s responsible/liable if there’s an oops?

 

Leave a comment

Filed under Access, Accuracy, Controls, Corporation, Duty, Duty of Care, Governance, Government, Internal controls, Oversight, Protect assets, Security, Third parties, Value

Crime without punishment

How do you enforce the rules in the future if you haven’t enforced them in the past?

“Bergdahl Avoids Jail Time,”  The Wall Street Journal, November 4, 2017 A3.  A convicted deserter loses some benefits but doesn’t go to jail or get executed.

If you’re the Army, what steps can you take to prevent desertion in the future?  For those in the private sector, has your employer failed to enforce the rules?  What does that do to the culture?  If he had been convicted of sexual harassment, would the sentence have been different?

 

Leave a comment

Filed under Compliance, Controls, Corporation, Duty, Governance, Government, Internal controls, Requirements, Third parties

Source of higher learning

“Hackers Target Schools,” The Wall Street Journal, October 24, 2017 A3.  Cyberthefts and ransomware attacks at a whole host of schools, targeting data on students, as well as the normal financial stuff.

So, how much money should schools spend to prevent hacking and subsequent release of student data?  And isn’t it nice of the news media to report how much ransom the attackers got?

So, whose data is it, anyway?  And who’s the custodian?

Leave a comment

Filed under Access, Compliance, Controls, Duty, Duty of Care, Governance, Government, Information, Interconnections, Internal controls, IT, Oversight, Ownership, Protect assets, Security, Third parties, Value

Your daughter is a risk

Normally, I use articles from The Wall Street Journal to kick off my points.  But the story making the rounds isn’t, as far as I can tell, in the Journal.

“YouTuber says Apple engineer father fired over her viral iPhone video,” New York Daily News, October 29, 2017 (accessed online).  An engineer working on the Apple iPhone X got fired after his daughter posted a video on YouTube showing how it works.

Now,  one assumes the engineer was subject to a confidentiality agreement with his employer, and that Apple restricts disclosure of technology prior to release.  And he screwed up by leaving his test phone out where his daughter could get it and post the video on YouTube.  And Apple had to enforce against the engineer or it would be hard for Apple to enforce against others on the same topic.  Trade secrets need to be secret.

Two things.  First, people do get fired for disclosing their employer’s confidential and proprietary information to third parties (or, apparently, allowing a family member to do so).  Second, do we/you ever leave confidential or proprietary information belonging to our/your employers or clients out where family members can access it?

Leave a comment

Filed under Access, Controls, Duty, Employees, Governance, Information, Internal controls, Protect assets, Third parties, Value

Is your doctor up to date on cybersecurity?

“Pacemaker Fix Against Hackers Raises New Fears,” The Wall Street Journal, October 21, 2017 B4.  Will updating the software crash your pacemaker?  Fix to prevent a potential hacker pathway.

A couple of information points.  Software is information.  Limiting unauthorized access to “my” pacemaker seems to be something the manufacturer should be responsible for.  Who manages the risk of hacking?  What about the risk of the change itself?  Is this a doctor’s call or the patient’s call?

Leave a comment

Filed under Access, Compliance, Controls, Corporation, Duty, Governance, Interconnections, Internal controls, IT, Risk, Security, Third parties