Category Archives: Corporation

Criminal charges for a CEO

Corporations get charged with criminal conduct from time to time.  But seldom does the CEO at the time also get charged.

“Barclays Hit With Fraud Charges,” The Wall Street Journal, June 21, 2017 B1.  Charges of fraud and illegal payments were filed against the bank and its former CEO (and a few other executives) in the UK.

As usual, the shareholders get the bill for any fines (and any diminution in share value).  Curiously absent were any charges against the directors of the Bank’s Board at the time.  But maybe the failure of the Board to detect this level of criminal activity will result in civil suits against the directors for negligent supervision.

Maybe Shearman & Sterling can write another report. (See Wells Fargo posts, supra).  Willie Sutton wasn’t the only crook who knew where the money is/was.

Filed under Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Protect assets, Risk assessment, Supervision

Contractors and the Cloud

Do you have contractors who analyze your data for you?  Do they use cloud storage?  Do you know?  How secure is that?  Is that prohibited by your service contract?

“Data on 198 Million Votes Exposed Online,” The Wall Street Journal, June 20, 2017 A4. Deep Root Analytics, a Republican party consultant, used an online storage system that was reportedly open to the world for several days.  Most, or at least some, of the information exposed was publicly available information on voters.  A lot of voters.

Well, at least the Russians (or the DNC) didn’t hack it.  Or did they?

What controls do you have that protect information your consultants are using and the opinions you are paying them to provide you?  Do you care?  It’s not like it’s money or anything.
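
One control a practitioner can actually run is a review of the storage configuration before a consultant is handed data. The following is an added example, not code from the original post or from any party in the story; it assumes the storage uses the JSON shape of an AWS S3 bucket policy and the group grantee URIs of S3 ACLs, and both policies below are constructed for illustration.

```python
"""Flag storage that is readable by the world before data is shared with a third party.

Added example, not code from the original post. It assumes the policy uses
the JSON shape of an AWS S3 bucket policy and the grantee URIs of S3 ACLs;
the policies and ACL below are constructed for illustration.
"""
import json

# Grantee URIs that S3 uses to mean "everyone" and "anyone with any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal) -> bool:
    """True when a statement's Principal means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements granted to the public with no Condition.

    A Condition (for example on aws:SourceVpce) may narrow an otherwise-public
    grant, so only unconditioned public Allows are treated as definite exposure.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return permissions an ACL grants to the AllUsers/AuthenticatedUsers groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.append(grant.get("Permission"))
    return found


# Constructed: the kind of policy that leaves a bucket open to the world.
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-consultant-data/*"}
  ]
}""")

# Constructed: the same bucket restricted to one consultant role (account id is a placeholder).
RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ConsultantRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/analytics-consultant"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-consultant-data/*"}
  ]
}""")

# Constructed: an ACL that grants READ to everyone.
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]}

if __name__ == "__main__":
    print("exposed policy:", public_statements(EXPOSED_POLICY))
    print("restricted policy:", public_statements(RESTRICTED_POLICY))
    print("exposed acl:", public_acl_grants(EXPOSED_ACL))
```

Run against the policy and ACL a vendor's bucket actually has, and treat any non-empty result as a contract question as much as a technical one: the service agreement should say whether public storage is permitted at all.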

Filed under Access, Board, Controls, Corporation, Duty, Governance, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Security, Third parties, Vendors

Kidnapping v. stealing information

One unique aspect of information is that it can be stolen, yet remain in the owner’s possession.  Apparently, medical facilities are required to report if your medical information is stolen, but not if it is merely kidnapped and held for ransom.

“Some Cyberattacks Go Unreported,” The Wall Street Journal, June 19, 2017 B3.  Whether hospitals need to report a ransomware attack on their files as a data breach is a “gray area,” and the federal government doesn’t require such reports, even if the government knows about them.  Some hospitals don’t report ransomware attacks, so these attacks are not in the HHS statistics.

So, patients don’t know when hospitals have weak security protection.  What value, then, do the government statistics have?  Do they need a big asterisk?

Filed under Controls, Corporation, Data quality, Duty, Government, Information, Internal controls, IT, Legal, Requirements, Security, Third parties, To report, Value

Weakest link

Where do you start if you want to pierce a corporation’s cybersecurity protections?  The CEO.

“Goldman, Citi Bosses Duped by Email Prankster,” The Wall Street Journal, June 13, 2017 B11.  Although nothing confidential was leaked, the CEOs bought into phishing emails.

Hard to blame the Chief Information Security Officer.  One assumes there’s a policy in place, but can you write a policy to protect against this?  Who else in the corporation isn’t following the existing policy?  How do you fix it?  Two-factor authentication for every email to/from a senior exec?  Encryption?
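
Policy alone will not catch a message whose only tell is the sender's address, but an inbound mail gateway can. The following is an added example, not code from the original post or from either bank; the corporate domain, the executive roster and the sample From headers are constructed, and the lookalike test is a plain edit distance chosen for illustration rather than any vendor's algorithm.

```python
"""Flag inbound mail that impersonates a senior executive.

Added example, not code from the original post. The corporate domain, the
executive roster and the sample From headers are all constructed here; the
lookalike check is a plain Levenshtein distance, an illustrative choice
rather than any mail vendor's algorithm.
"""
from email.utils import parseaddr

CORP_DOMAIN = "example-bank.com"        # constructed corporate domain
EXECUTIVES = {"Jane Doe", "John Roe"}   # constructed roster of names worth protecting
LOOKALIKE_MAX_DISTANCE = 2              # domains this close to the real one are suspicious


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'ok', 'display-name-spoof' or 'lookalike-domain' for a From header.

    Mail from the corporate domain itself is trusted here on the assumption
    that the gateway already enforces SPF, DKIM and DMARC for that domain.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == CORP_DOMAIN:
        return "ok"
    if name.strip() in EXECUTIVES:
        # An executive's name on an outside address is the classic CEO-impersonation pattern.
        return "display-name-spoof"
    if domain and levenshtein(domain, CORP_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
        return "lookalike-domain"
    return "ok"


# Constructed headers: one genuine, one display-name spoof, one lookalike domain, one ordinary outsider.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example-bank.com>",
    "Jane Doe <jane.doe@freemail.example>",
    "IT Helpdesk <helpdesk@examp1e-bank.com>",
    "Bob Vendor <bob@supplier.example>",
]


def triage(headers: list) -> dict:
    """Map each suspicious From header to its verdict; clean mail is omitted."""
    verdicts = {}
    for header in headers:
        verdict = classify_sender(header)
        if verdict != "ok":
            verdicts[header] = verdict
    return verdicts


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:20} {header}")
```

The check is deliberately narrow: it protects a short list of names and one domain, which is what a gateway rule for senior executives usually looks like, and it does nothing about a genuinely compromised internal account. That is the gap two-factor authentication on the executives' own mailboxes would address, so the two measures complement rather than replace each other.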

Filed under Access, Compliance, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Management, Policy, Security

Surgical precision

How do you deal with claims of sexual harassment?  Have two law firms conduct investigations and fire 20 people.  But will that be the end or the middle?

“Uber Fires Over 20 In Wake Of Probe,” The Wall Street Journal, June 7, 2017 B1.  Over two hundred claims investigated and no action taken in 100 of them.

Were there supervisors who participated, who condoned it, or who failed to notice or respond?  Were there reporting practices and policies in place?  If harassment was “accepted” in the Uber culture, who’s to blame?  HR?  The Board?  Management?  How long had this been going on?  How much will the shareholders have to pay?

A summary of one of the law firm reports is due out soon.

Filed under Board, Compliance, Controls, Corporation, Culture, Duty, Employees, Governance, Internal controls, Management, Oversight

We have a Winner

What do you do when you discover who violated the law by leaking a classified document?  You arrest them.

“Contractor Charged in Leak,” The Wall Street Journal, June 6, 2017 A4.  Reality Winner, an employee of a contractor for the NSA, was arrested and charged for leaking a classified document to the news media.  A criminal offense.

Interesting story of how the government found out.  A news agency provided a copy of the document and asked the government to confirm its accuracy.  The government could tell from looking at the copy that it had been folded, and concluded someone had printed it out and sneaked it out.  IT logs showed six people had printed it out.  The computer of one of them showed email contact with a news agency.  When questioned, Ms. Winner fessed up.

Common themes:  the NSA needs to watch the employees of its contractors carefully; IT has a record, somewhere; criminals get arrested; a newspaper can inadvertently disclose confidential sources.
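
The "IT has a record, somewhere" point is the practical one: the investigation described above is a join between two logs that most organizations already keep. The following is an added example, not code from the original post or any agency's tooling; the print-server and mail-gateway log lines, their key=value format, the document name and the news domain are all constructed for illustration, and it reproduces the shape of the story (six users printed the document, one of them had mailed the outlet).

```python
"""Correlate a print audit log with a mail gateway log to shortlist who could have leaked a document.

Added example, not from the original post or any agency's tooling. The two
logs, their key=value format, the document name and the news domain are
constructed for illustration; real systems need their own parsers.
"""
import re

# Constructed print-server audit lines: who printed which document, and when.
PRINT_LOG = """\
2017-05-09T09:58:12 user=alice doc=draft-budget.pdf printer=floor2 pages=3
2017-05-09T10:12:01 user=bob doc=report-0509.pdf printer=floor2 pages=5
2017-05-09T10:13:40 user=carol doc=report-0509.pdf printer=floor3 pages=5
2017-05-09T11:02:15 user=dana doc=report-0509.pdf printer=floor2 pages=5
2017-05-09T14:20:09 user=erin doc=report-0509.pdf printer=floor1 pages=5
2017-05-10T08:45:33 user=frank doc=report-0509.pdf printer=floor2 pages=5
2017-05-10T09:01:00 user=gus doc=report-0509.pdf printer=floor3 pages=5
"""

# Constructed mail-gateway lines: outbound recipients per user.
MAIL_LOG = """\
2017-05-08T17:30:00 user=bob rcpt=spouse@home.example action=sent
2017-05-09T12:15:44 user=dana rcpt=tips@news-outlet.example action=sent
2017-05-09T13:05:10 user=alice rcpt=tips@news-outlet.example action=sent
2017-05-10T10:00:00 user=erin rcpt=vendor@supplier.example action=sent
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list:
    """Turn 'timestamp key=value ...' lines into dicts carrying a 'ts' field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = dict(KV.findall(rest))
        rec["ts"] = ts
        records.append(rec)
    return records


def users_who_printed(doc: str, print_records: list) -> set:
    """Every user with at least one print job for the named document."""
    return {r["user"] for r in print_records if r.get("doc") == doc}


def users_who_mailed(domain: str, mail_records: list) -> set:
    """Every user who sent mail to any address at the named domain."""
    return {r["user"] for r in mail_records
            if r.get("action") == "sent" and r.get("rcpt", "").endswith("@" + domain)}


def shortlist(doc: str, domain: str, print_text: str = PRINT_LOG, mail_text: str = MAIL_LOG) -> set:
    """Users who both printed the document and mailed the outlet: a lead list, not a finding."""
    printed = users_who_printed(doc, parse_log(print_text))
    mailed = users_who_mailed(domain, parse_log(mail_text))
    return printed & mailed


if __name__ == "__main__":
    printed = users_who_printed("report-0509.pdf", parse_log(PRINT_LOG))
    print(f"{len(printed)} users printed the document: {sorted(printed)}")
    print("printed and mailed the outlet:", sorted(shortlist("report-0509.pdf", "news-outlet.example")))
```

Two cautions a reviewer would add. The intersection is only a starting point for interviews, since a leaker can print under someone else's login or contact a reporter from a personal device. And the join only works if both logs exist, are retained long enough, and record user identity in the same form, which is the control worth verifying before any incident.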

Filed under Access, Controls, Corporation, Duty, Employees, Governance, Government, Information, Internal controls, IT, Oversight, Ownership, Protect assets, Security, Third parties, Vendors

Rank has its privileges

One might suppose accountability and responsibility apply to CEOs.  Then again …

“Gymnastics Boss Paid Severance,” The Wall Street Journal, June 3, 2017 A9.  The CEO, who was nominally in charge when the team doctor for the women’s gymnastics team allegedly abused female gymnasts, gets a $1 million severance package.

One wonders what the Board would have paid him if they fired him for cause.  The gymnastics federation reportedly sat on the results of an internal investigation of the sexual abuse allegations for five weeks.  The CEO said the federation didn’t have an obligation to report sexual abuse by its coaches to law enforcement.  Didn’t the ex-president of Penn State just get sentenced to jail for similar acts or omissions?

One of the Board’s fundamental jobs is to hire the CEO; another is oversight.  Everyone has a duty to report violations of law.  It would appear either the Board or the CEO or the Federation wasn’t doing its or his job.  Maybe the Board gets severance, too.  What do the shareholders get?

The bill.

Filed under Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, To report