Category Archives: Third parties


“Read This Extremely Important, Totally Incomprehensible, Completely Convoluted Information About Your Broker!” The Wall Street Journal, July 28, 2018 B1. Confusion over required SEC disclosures.

A four-page summary.  But will people read it?  Will most people read more than 4 bullet points?  Unless, of course, there’s a prize.

What value is disclosure if it is in language that the average person won’t read or won’t understand if he/she does?

Governance or Information?  And a pinch of Compliance?



Filed under Accuracy, Communications, Controls, Corporation, Data quality, Duty, Governance, Information, Internal controls, Investor relations, Third parties, Value


Apparently, law firms don’t do background checks on incoming partners, at least not if they’re big money makers.

“Top Lawyers Evade Harassment Claims,” The Wall Street Journal, July 31, 2018 A1.  Partner switches to a new firm that didn’t know of his history of harassment.

See also a posting last month on a related topic:

Do law firms think they are somehow immune from the laws that apply to their clients?  Do they read the news?  Do they have a fundamentally different culture?

Just asking.  But this does go to both Compliance and Governance.




Filed under Controls, Culture, Duty, Governance, Internal controls, Lawyers, Third parties, To report

Your vendors

This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security.  But the topics do overlap.

So, what controls do you have in place to prevent someone from accessing your computer and changing the information there or, as important, changing how your computer operates?  That’s an identified risk, right?

“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3.  Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems.  Can the hackers take control of those systems or shut them down?

Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago?  Contractors can be a massive IT security risk.

Is this part of Information Governance?

What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems?  And to control the third parties who do have that access?  Is there a process?


Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors

Falsely shouting fire?

“FCC Proposes Revamp Of Online Documents,” The Wall Street Journal, July 12, 2018 A3.  Proposed revision to process for receiving public comments after fake comments filed in the net neutrality discussion.

How does the government restrict our ability to lie to the government where the payment of money or the issuance of a license is not at issue?  Is filing comments under someone else’s name not protected speech?  Or is it fraud?  Yes it’s false, but is it fraud, if all you’re trying to do is sway a regulator’s position?  Is this the same as falsely shouting fire in a crowded theater?

I’m not in favor of submitting comments under a false name or names.  But can the government protect this when people are attempting to petition their elected representatives?

I file this as a restriction on the ability of government to govern all behavior (therefore Governance) and under Information (does it matter that it’s fake?).  Maybe Compliance, seeing as the Constitution applies.


Filed under Accuracy, Controls, Data quality, Definition, Duty, Governance, Government, Information, Third parties

CEOs in the news

“Ex-CEO at Oil Driller Settles SEC Inquiry On Undisclosed Loans,” The Wall Street Journal, July 17, 2018.  CEO had taken more than $10 million in loans from vendors in return for awarding contracts.

He used the money to cover margin calls and to maintain an extravagant lifestyle.  Also caught up in the scandal was a former portfolio manager who got a seat on the company’s board.

CEOs get hammered, too, for conflicts and poor ethics.



Filed under Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Investor relations, Oversight, Policy, Third parties, Vendors

Tapes and onions

Today, with surveillance cameras everywhere, it’s good to remember that everything you say may be recorded.  Even by someone you trust.  And those recordings turn up.

“Cohen Recorded Talk With Trump,” The Wall Street Journal, July 21, 2018 A1.  Trump’s then-personal lawyer recorded a conversation with then-private-citizen Trump about a story about a Playboy model.

Several different layers of onion involving this tape: its creation, its collection by the FBI under a warrant, its production after a court-ordered review, its release to the press, and its impact.  And who owns it, at each stage of the process?  Did Trump know he was being taped?  Was this privileged?  Was the privilege waived?  How and by whom?

I just ask the questions.



Filed under Access, Controls, Discovery, Duty, Government, Internal controls, Lawyers, Legal, Ownership, Privacy, Privilege, Third parties


It’s always good to have a catchy headline.

“Lust, Anger Topple Powerful Lawyer,” The Wall Street Journal, July 14, 2018 A1.  Sexting scandal costs head of major law firm his job (and his ~$6 million salary), even though he did nothing beyond sending and receiving the texts.

Would you trust a lawyer who had such lapses in personal judgment?  Would you trust the law firm of which he was the chairman?  He had reason to suspect the woman he was texting, as he became aware of her when looking into her relationship with a friend of his at church.  Good deeds don’t go unpunished.

She sent copies of the email exchanges to the firm’s executive committee.

The problem with email is that it doesn’t go away, and you can’t control what the recipient does with it.

Important safety tip, Egon.  That bears repeating.  And repeating.


Filed under Board, Communications, Compliance, Controls, Governance, Internal controls, Third parties