Category Archives: Technology Risk

Want to scan your crypto wallet for risks? Check: AML crypto BTC, USDT, ETH. Checking cryptocurrency wallets for dirty money.

Vendor Risk Management: The Full Definition

Posted on by

cyber partners

Vendor risk management (VRM) is the practice of evaluating business partners, associates, or third-party vendors both before a business relationship is established and during the duration of your business contract. This is an important concept and practice to put in place during the evaluation of your vendors and the procurement process.

A key feature of VRM is understanding your vendor’s cybersecurity program. This allows you to understand how well they’re going to be able to secure your data, both from a physical and cyber perspective.

buy ocuflox online achievephysiorehab.ca/wp-content/uploads/2023/10/jpg/ocuflox.html no prescription pharmacy

VRM helps ensure that your vendors have a contractual obligation for specific requirements and standards, therefore mitigating your organization’s risk.

There are a number of risks vendors can bring to your enterprise, including:

LEGAL RISK

There are many legal risks associated with sharing sensitive information with third parties. For instance, if your vendor is breached and you lose your customers’ personally identifiable information (PII) like social security numbers or health care records, the law clearly states that you are responsible—not your vendor. Or, if you fail to spell out security expectations in your vendor contract, you may have no legal recourse whatsoever if your vendor compromises your data.

buy advair rotahaler online www.urologicalcare.com/wp-content/uploads/2023/10/jpg/advair-rotahaler.html no prescription pharmacy

REPUTATIONAL RISK

So much of vendor risk management is based on reputation. You are able to ask a lot of questions at the beginning of the vendor procurement process that may help you weed out the businesses you’d rather not work with, but you should also be monitoring news feeds during the procurement process. You, of course, would want to know if a business associate has been hit with a lawsuit during the time you were engaged with them and how that could affect the performance of their contract with you. And don’t forget about the reputational harm that could affect your company if your customers’ sensitive information is stolen due to an unsecure vendor.

FINANCIAL RISK

If a vendor has a poor financial record or past performance, you’ll want to know that information before engaging in a business relationship. That’s why a lot of companies do credit monitoring for their vendors. You’ll also likely want to ask other organizations who have previously done business with the third party in question for references. This way, you’ll be able to clearly evaluate the vendor’s project plan and all the different things they’re planning to do before entering into a contractual relationship.

CYBERRISK

Of the various risks a vendor poses, there are some things you need periodic updates on, which are relevant only at certain points of a business relationship. If you’ve established a vendor’s credit worthiness at the beginning of the process, for example, you’ll likely feel quite comfortable about their financial standing during the rest of the process.

buy albenza online achievephysiorehab.ca/wp-content/uploads/2023/10/jpg/albenza.html no prescription pharmacy

This is a good example of how some elements of vendor risk do not require continuous monitoring. Cyberrisk, however, is not quite as simple.

Cyberrisk is unique in that things can happen on a moment’s notice which could catastrophically damage your organization. You simply cannot rely on periodic or infrequent snapshots and assessments of your vendor’s health to understand cyberrisk. The thing that makes cybersecurity “special” is that it can pose financial, reputational, and legal risks.

It’s important to understand that cyberrisk management doesn’t end when your vendor signs a contract. Managing vendor cyberrisk requires persistent awareness of how the vendor is doing with your security expectations. You have to know at all times whether they are accessing your network in an unauthorized manner, or if your most important data could be jeopardized by their actions. Any slip-up or incident may have a catastrophic impact on your business (and lead to some pretty embarrassing headlines).

CONSIDER THIS

Some losses from “traditional risks” can be recuperated easily and quickly. If a food and beverage vendor doesn’t show up one day to cater a meeting, you’re only dealing with a limited amount of loss. Or, if a vendor doesn’t complete a project to your expectations, there are reasonable steps you can take to remedy the situation without dramatically impacting the bottom line.

But if someone hacks into your corporate network through a vendor and steals your most precious data, the outcome could be catastrophic. Your reputation can be damaged irrevocably, financial losses can be huge, and legal liability may be hard to transfer to your vendor. This is why vendor risk management—and especially IT risk management—is not something to be taken lightly. All angles must be examined with every vendor, both large and small.

Prosecutors Reveal ‘Securities Fraud on Cyber Steroids’

Posted on by

The investigation into a huge cyberattack on JP Morgan Chase last year has exposed one of the largest computer hacking and fraud schemes to date.

online pharmacy periactin with best prices today in the USA

According to U.S. prosecutors, Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein, all from Israel, hacked a total of 12 companies to expose the personal information of more than 100 million people, netting hundreds of millions of dollars in profit. The men face 23 criminal counts, including wire fraud, computer hacking, illegal internet gambling and money laundering, with alleged crimes targeting 12 companies, including nine financial services companies and media outlets including the Wall Street Journal. Investigators say their massive criminal empire used 75 shell companies that employed hundreds of people, and hacked seven major banks, ran an online casino, laundered money around the world and set up an illegal Bitcoin trading operation.

online pharmacy zestril with best prices today in the USA

“It is hacking in support of a diversified criminal conglomerate,” said Preet Bharara, U.S. attorney for the Southern District of New York. “In short, it is hacking as a business model.”

In addition to the hack of JP Morgan, which U.S. Attorney General Loretta Lynch called “the largest theft of customer data from a U.S. financial institution” and exposed the personal information of 83 million customers, the criminals also attacked E*Trade Financial Corp., TD Ameritrade, Scottrade Inc., Fidelity Investments and News Corp’s Dow Jones, which publishes the Wall Street Journal. The breaches date as far back as 2007.

“By any measure, the data breaches at these firms were breathtaking in scope and in size,” Bharara said. “This showcases a brave new world of hacking for profit.”

Breaking into these financial institutions gave the attackers information to target specific people, and gave them extra insight into the stock market. According to the indictment, they used the customer data to contact individuals and push them to buy stocks in order to manipulate their prices. In addition to the pump-and-dump scheme, sometimes the defendants reportedly engineered mergers with shell companies to create publicly traded stocks that could be manipulated.

online pharmacy symbicort with best prices today in the USA

Bharara called the scheme “securities fraud on cyber steroids.”

Beginning in 2012, in addition to disguising payments and constantly obtaining new bank accounts, the men further tried to evade detection by hacking into a company that assessed merchant risk for credit-card issuers. The breach allowed the defendants to read employees’ emails and figure out how to sidestep the company’s efforts to monitor illegal payments, according to the indictment.

The defendants are also accused of operating at least 12 illegal internet casinos, even launching cyberattacks against rival gambling businesses to review executives’ email and gain a competitive edge. Shalon hacked competitors’ customer databases and directed denial of service attacks to shut down their businesses.

Several compliance officers may soon feel the heat as well: the investigation found that, in operating the online casinos and illegal pharmaceutical payment processing enterprises, the co-conspirators deceived financial institutions into processing and authorizing payments between the casino companies and others. “They colluded with corrupt international bank officials who willfully ignored its criminal nature in order to profit from, as a co-conspirator described it to Shalon, their payment processing ‘casino/software/pharmaceutical cocktail’,” the indictment charges.

According to prosecutors, the case illustrates the growing power of criminals and their tools, and makes such crimes particularly difficult to solve. But it may also highlight one key resource to do so: self-reporting to law enforcement. Officials credited JP Morgan’s early cooperation for helping to uncover the network of criminal activity. The firm came forward early on to share information with the government, a move many forensic investigators encourage.
buy prednisone online https://galenapharm.com/pharmacy/prednisone.html no prescription

This case provides one of the clearest examples of why: hackers frequently use the same schemes to target a swath of companies in a given industry. While many companies worry about the reputational and regulatory risks of disclosing a breach to law enforcement, as hackers grow more sophisticated in their techniques and complex in their operations, it may prove an ever more critical step in the breach response and investigation process.

“Shalon, Aaron, and their co-conspirators allegedly robbed victim companies, often for months at a time, stealing the contact information of tens of millions of customers,” said FBI Assistant Director-in-Charge Diego Rodriguez. “They cloaked themselves in secrecy, but their methods rivaled those of the traditional masked robber. Today’s indictment sheds light on an increasingly complex threat. But just as criminals continue to develop relationships with one another in order to advance their objectives, the law enforcement community has developed a collaborative approach to fighting these types of crimes.”

New Approaches Needed for Effective Data Risk Management

Posted on by

virus

Over time, the role of corporate legal departments has expanded to address the increasing risks in corporations—from increasing involvement in implementing corporate policies to leading employee training on procedures for managing electronic communications, social media, and bring your own device (BYOD) policies. This shift, however, is not enough to meet the challenges posed by an increasing range of risks proliferating within global organizations. Legal and compliance groups must also take the lead in finding new ways to leverage the power inherent in their data and address the challenges posed by massive data stores, information and network security challenges, as well as regulatory compliance requirements.

Failings of Traditional Strategies

In the past, organizations used straightforward, people-intensive methods to search for and remediate risk. For example, organizations instituted policies training, hoping that it would be sufficient to corral employee use of electronic communications, BYOD, and social media. Some may have formed working groups or intradepartmental committees designed to consider the implications of data privacy or information security for their businesses. Others rely on basic technology, such as keyword searches, that trigger electronic alerts when they find a hit in a document.

While these tools are still important to demonstrate compliance, they are insufficient alone to monitor for risk.

buy estrace online www.biop.cz/slimbox/css/gif/estrace.html no prescription pharmacy

Older technology falls short when it comes to handling unstructured data, such as e-mail. For example, discerning employees will be too cautious to use triggering keywords such as “donations” or “bribes” when referring to illicit activity. Keywords are also notoriously inaccurate: if over-inclusive, they may yield a stockpile of irrelevant information, while under-inclusive keywords could omit critical documents from discovery.

Trends Drive New Risk Management Approaches

Three recent trends—escalations in data volumes, increasing threats to data privacy and security, and heightened regulatory scrutiny—highlight the need for more intensive means to investigate risk in organizations.

1-Burgeoning Data Stores

With today’s hyperfocus on information, risk follows data. The more data sources organizations have, and the more locations for storage of data, the greater the legal exposure.

Email is perhaps the most insidious source of risk, as hackers may look to exploit unwitting employees who may open spoofed e-mails containing malware or viruses designed to attack the corporate network. Along with e-mail, employees also have more ways than ever to share confidential corporate data such as trade secrets with outsiders. Newer forms of unstructured data, such as social media and instant messaging, allow people to disperse troubling information even more rapidly than before.

As more organizations look for low-cost storage for their data reserves, they have turned to the cloud—yet another source of potential risk to data privacy. Cloud providers may be susceptible to the same hacker schemes as employees. Moreover, depending on the terms of their service-level agreements, they could employ lax security protocols, lack disaster-recovery plans, share data with other clients, or transfer data to third parties, all without notifying the data owner. Furthermore, depending on the location of the cloud storage, it may trigger the application of international laws that protect data privacy and prevent the processing or transfer of a corporation’s data.

2-Data Privacy and Security

Traditional approaches to risk management are poorly equipped to meet the demands imposed by today’s data privacy and security regulations, particularly when it comes to the need to protect personally identifiable information, protected health information, nonpublic information, trade secrets, and privileged data.

This is especially true for global organizations, which are likely to have information cross international borders and trigger other nations’ data privacy schemes. Many nations have adopted restrictive schemes designed to protect their citizens’ personal information, such as the European Union’s Data Protection Directive, which controls when and how organizations can collect, process, store, alter, retrieve, and transmit this personal data. Many nations in the Asia-Pacific region have also created data privacy regimes, including China, which has blocking statutes that forbid the cross-border transfer of documents that contain “state secrets” as well as confidential commercial information.

Domestically, organizations must worry about laws such as the Health Information Technology for Economic and Clinical Health (HITECH) Act, which extends the Health Insurance Portability and Accountability Act (HIPAA) to a covered entity’s third-party business associates. Under HIPAA’s Security Rule, organizations and their business associates must take reasonable measures to safeguard protected health information.

buy tamiflu online www.biop.cz/slimbox/css/gif/tamiflu.html no prescription pharmacy

Organizations must vigilantly monitor their data to ensure there are no gaps in security that would violate these rules.

3-Regulatory Enforcement

The nation’s regulatory framework is becoming more complex almost by the day. Regulations that supplement laws such as the Foreign Corrupt Practices Act (FCPA) and the International Traffic in Arms Regulations (ITAR) have generated new areas of vulnerability, particularly when it comes to third-party relationships.

For example, the current administration has taken the position that no FCPA infraction is too small to prosecute. Organizations that fail to take proactive measures to search for, disclose, and remediate misconduct are likely to face substantial penalties if a regulatory agency discovers misconduct. Traditional tools, such as internal audits, are not up to the task of detecting the malfeasance of internal fraudsters, who may mask their corrupt behavior with code words or other innuendo that make it difficult to discover using keywords. Unless more advanced tools are used, an organization’s best defense against fraud might be reliance on tipsters.

A similar approach is required to ensure compliance with ITAR. This law imposes stiff penalties, including millions in fines, against U.S. organizations that export “defense articles” without government authorization. “Articles” is defined so broadly that it covers technical, defense-related data in documents, blueprints, drawings, photographs, plans, or instructions. The Directorate of Defense Trade Controls, the U.S. agency that enforces ITAR, is likely to take a more lenient approach with companies that have implemented a rigorous compliance program and that voluntarily disclose and remediate any failures.

Data-Driven Tools

Risk professionals now have a number of advanced analytics tools at their disposal to counteract the additional risks that lurk in emerging forms of data. Linguistic analysis techniques can identify instances where employees use seemingly innocuous words or phrases to engage in subterfuge. Concept clustering is a tool that isolates subtle patterns within documents that seem dissimilar to the untrained—or undigitized—eye. These conceptual search tools can identify patterns in documents, based on keywords or chunks of text, and flag the documents that refer to items that might fall within ITAR’s purview. Data visualization tools can analyze relationships and look for troubling connections that might violate the FCPA, such as links between employees, vendors, and foreign officials. In addition, anomaly detection tools can scan records for irregularities, such as unusual recurring payments.

Counsel, risk and compliance professionals can also apply tools such as technology-assisted review (TAR) to prioritize documents for review based on the likelihood that they contain material of concern. Using TAR, experienced legal counsel code a seed set of documents for relevancy to the issue at hand. Once done, they feed these documents into a computer that is programmed to uncover the logical reasoning behind the lawyers’ coding decisions. Sophisticated algorithms then apply that logic across an entire document population.

buy cytotec online www.biop.cz/slimbox/css/gif/cytotec.html no prescription pharmacy

The process is iterative, so that ultimately the computer’s logic closely mirrors the lawyers’ coding decisions. Organizations can use TAR to limit the population of documents for review, thus expediting the data mining process.

Corporate Directors and Officers Face Cybersecurity Pressure

Posted on by

Stock market down

One of the primary issues confronting corporate directors, officers and others involved in risk management today is cybersecurity. News cycles have been littered with high-profile data breaches at companies ranging from Sony Pictures Entertainment, Wyndham Hotels, Anthem and Home Depot, since Target Corporation’s massive data breach kicked off this scrutiny in 2013. The massive federal data breach earlier this year demonstrated that the U.S. government is not immune either.

A corporate data breach not only inflicts reputational and financial pain on the targeted company, but, depending on the data disclosed, the impact on consumers can be dramatic. According to Redspin’s Breach Report 2013, since 2009, nearly 30 million Americans have had their personal health information accidentally disclosed—or worse, breached. Further, the Cyber Edge Group recently surveyed 800 security decision makers and practitioners and found that more than 70% indicated that their networks were breached in 2014, an increase of 8% from 2013.

Claims against Directors

Cybersecurity is an issue of risk assessment that should be on the mind of board members. As every director has likely experienced, corporate decision-makers are under more scrutiny today than ever before because of corporate scandals that led to the adoption of the Sarbanes-Oxley Act and the more recent Dodd-Frank Act. One of the main objectives of Dodd-Frank is to increase transparency and improve accountability in the corporate financial world. As a result, board members are now required to spend more time overseeing a company’s operations than perhaps was the case in prior years.

A key determinant of liability is how a director acts once a red flag has been identified. When a warning sign appears, a director is required by law to diligently undertake a reasonable investigation.

online pharmacy apixaban with best prices today in the USA

But an open issue at hand is how much training companies provide to their directors so that they can identify potential issues and respond accordingly, or actively oversee the corporate compliance program. In light of many recent cases, the answer is: not enough. One proactive approach is for a corporate board to annually review all of the material events that impacted their company over the past year (both externally and internally) and assess how prepared the management team was for each event. They should also assess the company’s overall approach to cybersecurity policies and practices annually, including any incident response plans.

All this said, if history is our guide, the likelihood of a corporate board member being held personally liable for poor oversight of a public company is low. This is because directors and officers insurance almost always covers any liability or settlement. According to a 2006 Stanford Law Review study, between 1980 and 2005, there were only 12 cases where directors were forced to make payments that were not covered by insurance, including legal fees.

While data breaches have spawned litigation brought by consumers or employees, widespread litigation has not ensued with shareholders seeking damages as a result of a data breach. This is likely because of the challenges inherent in demonstrating that a company’s share price was materially affected by a breach.

online pharmacy minocin with best prices today in the USA

The data breach at Home Depot provides a good example of potential litigation strategies that may be employed in the future. Following that breach, a lawsuit was filed in Delaware Chancery Court seeking access to Home Depot’s books and records related to the data breach. It appears that the plaintiffs are using this suit to determine whether Home Depot’s directors and officers breached their fiduciary duties by failing to adequately protect the company’s credit card information. Based on what is uncovered, it is likely that future litigation will ensue.

The law regarding director’s liability is fairly well established, and claims typically arise in one of two scenarios: 1) The directors should be liable because they made a decision or took an action that was either negligent or ill-advised (they breached their duty of care); or 2) The directors failed to act in a situation where they could have prevented a loss (they breached their duty of loyalty).

Claims alleging a breach of the duty of care are unlikely to succeed because directors enjoy the protections of the director-friendly business judgment rule. Essentially, the business judgment rule immunizes a director’s conduct from judicial scrutiny as long as the decision is informed, made in good faith, and with the genuine belief that the decision was made in the company’s best interest. Even if a plaintiff can overcome the presumptions in favor of a director by showing gross negligence, many companies have adopted charter or bylaw provisions consistent with Delaware law, thereby insulating directors from liability for a breach of their duty of care. Other states such as Nevada have enacted statutes specifically protecting directors from these types of claims.

In the second scenario, a director is not insulated from liability under Delaware law, and a director’s conduct is evaluated under the standards enunciated in Caremark International Inc. Derivative Litigation and its progeny. This oversight liability attaches when directors consciously disregard their responsibilities either by: 1) failing to implement a sufficient reporting system; or 2) after implementing a reporting system, failing to properly oversee or monitor its operations by serving as passive recipients of information. Simply put, making no decision – or looking the other way – may indeed be worse than making any decision, even a bad one.

Many risks can be mitigated through the use of insurance policies. But with respect to cybersecurity, relying on insurance may prove problematic. With no form of standardized cyber insurance policy language established, different insurers are adopting different approaches. Moreover, an actuarial challenge exists in predicting or gauging the probability and impact of a cyberattack. As a result, it remains difficult to match a cybersecurity policy with the risk profile of a particular company. Also, the damages suffered from a data breach may be multifaceted and unique, with no normal distribution of outcomes. In sum, insurance may be a partial answer, but not necessarily a cost-effective complete solution.

Rise of the Corporate Investigation

Over the past several years, a cottage industry has emerged among lawyers who claim to specialize in corporate investigations. These investigations used to be the purview of a company’s general counsel or legal staff. But courts became less likely to apply the business judgment rule if an investigation was conducted in-house. This reluctance has spawned the exponential growth of corporate investigations, and more or less established that the standard of care is to retain outside counsel. Even though the costs of these investigations can be prohibitive, there appears to be no consensus on a different tactic.

In the face of a government enforcement action, regardless of which regulatory authority is involved, a director’s playbook is pretty straightforward. Directors should establish a committee to exercise day-to-day supervision of an internal investigation and monitor the progress in order to best ensure the company’s protection. One way for directors to limit their exposure—and perhaps cut down on corporate misconduct—is to provide the same oversight on an ongoing, day-to-day basis. This can decrease the number of required corporate investigations and the identification and remediation of issues before they become significant liabilities. Viewed through the eyes of a director, such an approach could lessen the likelihood of future liability.