Category Archives: Risk assessment

Your vendors

This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security.  But the topics do overlap.

So, what controls do you have in place to prevent someone from accessing your computer and changing the information there or, as important, changing how your computer operates?  That’s an identified risk, right?

“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3.  Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and then using those vendors’ legitimate access to the utilities’ systems.  Can the hackers take control of those systems or shut them down?

Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago?  The attackers used that contractor’s stolen network credentials to get in.  Contractors with access to your network can be a massive IT security risk.

Is this part of Information Governance?

What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems?  And to control the third parties who do have that access?  Is there a process?



Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk assessment, Security, Third parties, Vendors

Wells Fargo, revisited, again

“Wells Refunds Millions to Clients,” The Wall Street Journal, July 20, 2018 B1. Wells Fargo refunds insurance premiums to hundreds of thousands of customers who bought “add-on” services such as pet insurance, identity theft, home warranties, debt protection, and legal services.

This comes amidst an investigation by the CFPB as to whether the way these products were marketed was legal.

The last two years have been tough for Wells Fargo.  How deep did the cultural rot go?

File this one under (a) Governance and (b) Compliance.  And I guess under (c) Information, as well, if you do business with Wells Fargo.  Do the directors pay for this, too?


Filed under Compliance, Compliance (General), Corporation, Culture, Directors, Duty, Governance, Information, Oversight, Risk assessment

A Mayor’s challenge

“Probes, Cyberattack Distract Atlanta as It Pitches Amazon,” The Wall Street Journal, May 29, 2018 A3.  Investigations of the former mayor and the aftermath of a ransomware attack hamper the city’s efforts to entice Amazon to Atlanta.

Corporations should conduct structured risk assessments.  Do cities?

One assumes Atlanta has done a risk assessment and identified the risk of official misconduct.  Did it also capture the risk of a cyberattack?  Did the risk assessment suggest that if these risks occurred, Atlanta would lose the chance of phenomenal growth?



Filed under Business Continuity, Communicate, Compliance, Controls, Duty, Duty of Care, Governance, Government, Internal controls, IT, Management, Operations, Oversight, Protect assets, Risk assessment, Security, Third parties

Private speech v. public speech

Can your employer restrict what political statements you make in the course of your employment, when you’re getting paid to wear your company shirt on television?

Maybe.

“NFL Adopts New Anthem Policy,” The Wall Street Journal, May 24, 2018 A14. Teams (but not players) can be fined if NFL players on the field do not stand for the National Anthem.

Governance

  • Who has the power to make what rules governing whom, and how violations of those rules will be enforced?
  • The League has the power to govern teams, but not players?  (See reference to collective bargaining agreement below.)
  • Will this redirect any fan displeasure away from the NFL and onto the individual teams or players?

Information

  • Is an employee’s political speech information?
  • If information is received, created, or distributed by a company’s employees during the workday in the workplace, is that information company information?
  • If it’s company information, can’t the company limit that distribution?

Compliance

  • Does enforcing rules against the teams and not the players work?
  • Does this comply with the collective bargaining agreement?  Is that why the policy doesn’t apply to the actual players, and just the teams?



Filed under Compliance, Compliance (General), Controls, Corporation, Definition, Duty, Employees, Governance, Information, Internal controls, Oversight, Policy, Risk assessment, Third parties, Who is in charge?

When does one use or disclose information?

Often, one has information but doesn’t act on it immediately, or require others to act on it immediately.  But there have been several instances of the government sitting on information that later turned out to be really important.  Is this just a failure to recognize the risk?  Would they have done anything differently?

“FAA Was Slow to Act On Engine Warning,” The Wall Street Journal, May 21, 2018 B1.  The FAA (and the airline industry) knew of the potential for engine fan blades to crack for two years.  The manufacturer increased inspections.  Then one blade cracked, destroying an engine and killing a passenger on a Southwest Airlines flight in April.

This seems to link Governance (Who was responsible for deciding that the risk was adequately managed?) and Information (Did everyone have the same level of information?).  Is there also a Compliance vector?  The airlines were complying with government directions.

And how much does the flying public rely on the government to take care of such things?


Filed under Governance, Protect assets, Reliance, Risk assessment, Who is in charge?

Costly

“Wells Nears $1 Billion Settlement,” The Wall Street Journal, April 20, 2018 B1.

Wells Fargo is about to be (has been) fined close to $1 billion for irregularities regarding auto loans, auto insurance, and mortgage loans.  This is the civil side.  This is in addition to the $185 million paid for the account cramming scandal in 2016, in which the bank opened new accounts and credit cards that consumers did not request.  The Chief Risk Officer is also retiring.

Once again, the shareholders pay mightily for the sins of (mis-)management.


Filed under Compliance (General), Culture, Governance, Risk, Risk assessment, Supervision

What’s security worth?

“Overstock.com Shares Fall on Crypto Probe,” The Wall Street Journal, March 2, 2018 B10.  After they disclose an SEC investigation into sales of digital tokens, share price drops nearly 5% (initially, it was worse).

I suspect the shareholders are not amused.  But will the compliance spending budget go up?  Are the tokens securities?  The legal spending will definitely increase.

Will the Board’s compensation keep pace?


Filed under Board, Compliance, Corporation, Directors, Duty, Duty of Care, Governance, Oversight, Risk assessment