Top Obama Administration Officials, Law Enforcement Reach Out at RSA Conference

Attorney General Loretta Lynch addresses RSA Conference 2016

SAN FRANCISCO—Many of the Obama administration’s top brass are here in force, addressing some 40,000 practitioners from every part of the technology and information security industry at the annual RSA Conference. Set against the backdrop of the ongoing fight between Apple and the FBI over encryption and backdoors, the tension ebbed and flowed during sessions with Attorney General Loretta Lynch, Secretary of Defense Ashton Carter, and Admiral Mike Rogers, U.S. Navy, commander of U.S. Cyber Command and director of the NSA. While many speakers will not address the issue directly, the subtext is clear throughout the show, particularly as the public battle brings considerable interest to the privacy and security issues the RSA has centered on for 25 years.

Indeed, in his keynote address, RSA President Amit Yoran called law enforcement’s current stance on encryption “so misguided as to boggle the mind.” Brad Smith, president and chief legal officer of Microsoft, chimed in as well, asserting that we cannot keep people safe in the real world unless we can keep them safe in the virtual world. He lauded Apple and pledged that the tech giant would stand with Apple in its resistance.

Secretary of Defense Ashton Carter in Conversation with Ted Schlein of Kleiner Perkins at RSA

While the gravity of the issue and the massive potential impact for many in the sector are boggling many minds here, the administration officials’ sessions also offered more broadly positive comments for businesses outside the tech sector. The conciliatory tone Lynch and Carter often struck centered on the critical need for partnerships between technology and government. They tried to emphasize the ways the administration is reaching out to private entities, both within Silicon Valley and across corporate America at large.

According to Sec. Carter, for example, the United States Cyber Command has three core missions: defending the Department of Defense’s network; helping American companies, the economy and critical infrastructure; and engaging in offensive cyber missions. The second is a key pillar, he said, as the DoD must keep in perspective that the strength of American entities is the strength of the nation. From threat intelligence to the Defense Innovation Unit Experimental he announced yesterday, to be helmed by Google’s Eric Schmidt, Carter believes there is considerable need for industry to engage with government on cyberrisk, and both parties have valuable assets to contribute. “Data security is a necessity, and we must help our companies harden themselves,” Carter said. Indeed, he wants both help for and from the industry. In closing, he said, “We are you. You pay us. We represent you and our job is to protect you, and we’d love to have your help.”

He also noted that the DoD is trying to learn a bit about managing its cyberrisk from the commercial sector’s best practices. “We do grade ourselves and we’re not getting good grades across the enterprise,” Carter told reporters Wednesday, according to Defense News. “I have these meetings where I call everyone in and we have these metrics which tell us how we’re doing [and] if you don’t score well, that is evident to the Secretary of Defense at those meetings.

“We don’t assume for a minute that we’re doing a perfect job at this,” he added. “That’s the whole reason for me to be here and the whole reason for me to be engaging with this community here at this conference.”

Carter also announced that the Department of Defense will be hosting “Hack the Pentagon,” a bug bounty program offering white hat hackers cash for finding and reporting vulnerabilities in the Pentagon’s websites. Many companies have been offering these programs to try to discover their exposure in a controlled setting, without the risk of reputation damage, personal information exposure and business interruption that accompany an unknown hacker finding them instead. Carter called these a “business best practice” to gauge preparedness.

Federal law enforcement also has a notable presence at RSA and is making a pronounced effort to reach out to businesses regarding cyberrisk, threat intelligence, and managing a cyberattack. Indeed, in one session Tuesday, panelists from the Department of Homeland Security, FBI and the White House urged a call to action for businesses to get serious about proactively building bridges with law enforcement and to make use of the many resources the administration is trying to activate to help private industry fortify against cyber threats. The government is working to make it easier for companies to turn to it for help, they said, and attitudes are shifting to more consistently recognize and respect victimized businesses and minimize business interruption.

Some in the audience expressed skepticism, such as one man who seized upon the Q&A portion of a session on government departments’ specific roles in fighting cyber criminals. He asked how the government can be trusted to help industry when it cannot protect itself. But corporate entities should be taking note, particularly of the services available. While many hesitate to share threat intelligence or even successful attacks, Eric Sporre, deputy assistant director of the FBI’s cyber division, stressed that FBI Director James Comey has made it a directive for FBI field offices to develop relationships with local businesses and to treat businesses as crime victims, not perpetrators. In responding to attacks, he noted, the Bureau sometimes even brings in victim services to holistically approach aiding in the investigation and recovery process.

Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, also highlighted the preventative measures his department offers companies, including personal risk assessment services. In some cases, chief information security officers and other executives engaged in cyberrisk management functions have been getting DHS assessments, using them as a tool to drive investment or otherwise sell cyber upwards with the board or C-suite of their organizations.

NYC Crane Collapse Part of a Troubling Trend

Last week’s crane collapse in Lower Manhattan, which killed one person and injured three others, has heightened focus on crane safety, resulting in stricter rules for operators. The 565-foot crane toppled as it was being secured against high winds as a safety precaution.

More than 140 firefighters responded to the disaster in addition to police officers and utility workers who were there in case of gas leaks or other damage caused by the impact.

Mayor Bill de Blasio called for an investigation and instituted new safety policies effective immediately, while ordering that 376 other crawler cranes and 53 larger tower cranes currently operating in the city also be secured. The new rules require crawler cranes to cease operations and go into safety mode when there is a forecast for steady wind speeds of at least 20 miles per hour, or gusts of at least 30 m.p.h. Previously, cranes were allowed to operate until measured wind speeds reached 30 m.p.h. or gusts increased to 40 m.p.h.

“I want people to hear me loud and clear: We’ve had some construction site incidents that are very troubling,” de Blasio said at a news conference. “We have more and more inspectors who are going to get on top of that. We’re going to be very tough on those companies.”

He added, “We’ll send advisories to crane engineers when wind conditions warrant it, and engineers will be required to certify that they will indeed cease operations. If we don’t receive this certification, we will be issuing violations and we will raise the base penalty for failure to safeguard a site from the current $4,800 to $10,000.”

While construction in the city has increased over the past two years, the New York Times reported that the rise in deaths and injuries has exceeded the rate of new construction, that supervision at building sites was often lacking, and that preventative safety steps were not being taken.

Indeed, the list of incidents involving cranes has grown to eight since 2008, according to ABC News and the Associated Press.

— March 2008: A nearly 200-foot-tall crane fell as it was being lengthened in a neighborhood near the U.N. headquarters, demolishing a townhouse and killing six construction workers and a tourist. The crane rigger was tried and acquitted of manslaughter. An inspector accused of falsely saying he had checked the crane days before it toppled was acquitted of charges related to the collapse but convicted of falsifying inspection records related to other cranes.

— May 2008: A tower crane snapped, fell apart and crashed into a Manhattan apartment building, killing the crane operator and a construction worker on the ground. The crane owner was acquitted of manslaughter. A mechanic pleaded guilty to criminally negligent homicide. Together, the 2008 collapses prompted the resignation of the city buildings commissioner and a bribery case in which the city’s chief crane inspector pleaded guilty to taking payoffs to fake inspection and licensing exam results. The collapses also led to new safety measures, including hiring more inspectors and expanding training requirements and inspection checklists.

However, Comptroller Scott Stringer said in a 2014 audit that the city Department of Buildings hadn’t fully implemented safety recommendations on cranes and other issues, and Stringer reiterated his concerns Friday. The Department of Buildings disputed some of the audit’s conclusions, but spokesman Joe Soldevere said the agency had implemented many of the comptroller’s recommendations and “there is more oversight of cranes in place than ever before.”

— October 2012: A crane’s boom nearly snapped off and dangled precariously over a block near Carnegie Hall during Superstorm Sandy, as winds gusted to an estimated 80 to 100 mph. No one was injured, but people in a nearby hotel and other neighboring buildings had to flee in the midst of the storm as engineers scaled 74 stories to make sure the crane wasn’t in danger of falling.

— April 2012: A mobile crane’s boom fell and broke apart while hauling rebar at a subway station construction site, killing a worker. The site was exempt from most city construction safety rules because it belonged to a state transit authority.

— January 2013: A crane’s 170-foot-long boom fell and pulled down part of the wooden framework of an apartment tower under construction in Queens, injuring seven workers. Three workers had to be extricated from beneath fallen machinery.

— April 2015: Hydraulics malfunctioned on a small crane mounted on a truck while a worker was inspecting it in Manhattan, causing the boom to collapse and fall on him, killing him. The device wasn’t subject to the same regulations and inspections as larger cranes.

— May 2015: A mobile crane dropped a 13-ton air conditioning unit being placed atop a Manhattan office building. The air conditioning equipment fell 28 stories into the middle of an avenue. Ten people were injured by debris, and part of the building facade was shattered.

Overcoming ‘Balkanization’ of Business Continuity Planning

To be sustainable, organizations must prepare for crises that occur or risks that crystalize. General responses to those threats include alternative office sites, IT back-ups and communication protocols. As reality demonstrates over and over, it is critically important to have a strong leader in a crisis situation, be it the captain of a ship in a storm, the commanding officer of a platoon under fire or the CEO of a company in turmoil. A cacophony of contradicting orders or disintegration in the line of command is the surest way to increase a disaster’s impact and the time needed to recover.

Instead of creating a strong BCP landscape with clear lines of command and control, however, we more often see “balkanization,” or fragmentation of responsibilities. Business continuity planning, environmental health and safety, operational risk and IT disaster recovery are different teams with overlapping roles and responsibilities for crisis management.

The newest buzzword is resilience, which is discussed in a growing number of articles and lectures and defined as the “ability to bounce back to a normal operating status after a state of crisis.” There are also a number of overlapping areas with the aforementioned functions—and that is just on an intra-company level. The OECD has issued Guidelines for Resilience System Analysis, urging member states to set up resilience management on a country level basis.

Recent private initiatives like the 100 Resilient Cities (100RC) by the Rockefeller Foundation bring resilience management to an urban level. So if a natural disaster hits a major city, thousands of firms, and the city itself, will invoke a patchwork of crisis plans. For a larger disaster, there might also be a national crisis plan. Are there clear lines of command, however? Is everybody aware of what to do? We doubt it.

Modern BCP management does not need more specialization and buzzwords, but coordination of the different functions and initiatives to provide a clear, consistent and timely response. One of the most pressing tasks is establishing a common risk language to ensure that all stakeholders involved in the process have the same understanding. For example: While the 100RC initiative is coining the term CRO for chief resilience officer, the acronym is also widely used as an abbreviation for chief risk officer. So while talking about roles and responsibilities of a CRO, everyone involved should have a clear understanding about which CRO is meant.

100RC also looks at urban resilience in terms of surviving and thriving, regardless of the challenges—be they acute shocks (such as severe weather or earthquakes) or chronic stress (long term unemployment and violent crime)—and it seeks a much wider remit than the traditional concept of resilience as “the ability to bounce back from an event.”

The response is to call for a more coordinated approach working across multiple stakeholders through the chief resilience officer who, according to Michael Berkowitz (President of 100RC), “needs to build connections across not just various departments of municipal government, but across an entire ecosystem of people and places.” This is welcomed, since it is both forward-looking and holistic in its approach to solving some of the world’s major issues in the next 20 years. Given that most entities are no longer stand-alone enterprises, but part of an increasingly global network of customers, suppliers, regulators and other stakeholders, disaster recovery cannot be handled effectively by an individual member of that network. Instead, the entire group needs to collaborate to create an effective disaster recovery program. A central CRO who coordinates the needs of the various parts of the network seems to be the best way.

While we see this forward-looking risk management approach to resilience as a welcome development, it does further complicate interaction between resilience and BCP by muddying command and control and introducing the potential for more stakeholders into an already complex chain. What is required for this to work is very clear planning and, one could argue, the ability for external (such as municipal) CROs to assume command of enterprises under their jurisdiction.

As of now, in most jurisdictions it is the responsibility of the CEO and the board to determine and define risk capacity and risk appetite. This leaves little room for outsourcing BCP or resilience planning. The key question, then, is whether a change in mindset and approach is required to enable the development of network-wide recovery solutions, thus overcoming the balkanization of BCP.

Legal Woes Highlight Dangers of the Food Industry Supply Chain

A spate of recent cases offers a clear warning for the food industry about the legal and reputational perils of not getting more serious about supply chain control.

On Monday, the U.S. Supreme Court declined to consider an appeal from Nestle, Archer Daniels Midland Co. and Cargill Inc., allowing a slave and child labor lawsuit to proceed against the three food industry giants.

Three plaintiffs claim they were trafficked from Mali as child slaves and forced to work harvesting and cultivating beans in Cote d’Ivoire, and allege that the companies aided, abetted or failed to prevent the torture, forced labor and arbitrary detention they suffered.

According to Reuters:

The plaintiffs, who were originally from Mali, contend the companies aided and abetted human rights violations through their active involvement in purchasing cocoa from Ivory Coast. While aware of the child slavery problem, the companies offered financial and technical assistance to local farmers in a bid to guarantee the cheapest source of cocoa, the plaintiffs said.

The defendants knew about the child slavery problems in the region and offered both financial and technical farming assistance to support the agriculture methods in place, the plaintiffs claim. What’s more, they say, the defendants could have used their leverage in the cocoa market to stop or limit the alleged child labor practices and failed to do so.

According to the Wall Street Journal:

Mark Theodore, a partner at Proskauer Rose, said that the ruling reinforces to companies that they need to be socially responsible employers. And while there is no way to ever completely prevent such risks, he said the ruling is a reminder to companies that they “should be monitoring and also maybe doing a little bit of introspective thinking about their own practices to avoid these things, or prevent them from happening, or to put themselves in legally defensible position if they can’t prevent them.”

In September, the Justice Department finalized a landmark conviction of the former head of the Peanut Corporation of America, who was sentenced to 28 years in prison for knowingly shipping salmonella-tainted products that sickened 714 people and killed nine. That may be the department’s first step in a new approach to taking food industry product safety more seriously, and more aggressively pursuing wrongdoing on a criminal level. The Justice Department has now opened formal investigations into the e. coli outbreak at Chipotle and the listeria outbreak at Blue Bell Creameries, both of which sickened hundreds of consumers.

The department has already signaled a broad intention to focus more efforts on individual law-breakers in corporate crimes. Now, the government appears to be showing the food industry that things are changing in terms of corporate responsibility and food safety, according to Andrew Lankler, partner at Baker Botts. Lankler told the Wall Street Journal that the Department of Justice is signaling that whatever standard the food industry thought it needed to meet for food safety, the bar is higher. “The department is going to step up enforcement in areas where they can prove they sold tainted product,” he said.

And the trouble at Chipotle shows little sign of abating. The CDC is still investigating multiple outbreaks, and the chain has now been served a subpoena as part of a criminal probe by the U.S. Attorney’s Office and the Food and Drug Administration’s Office of Criminal Investigations regarding an isolated norovirus incident in August.

A fourth lawsuit was recently filed by a customer who claims he was sickened by the same strain of e. coli linked to Chipotle, but this case dates back to July, meaning far more people may have been affected in the outbreaks. At least nine suits have been filed by customers, and Bill Marler, a food and safety litigator in Seattle, claims more are coming from the 75 Chipotle-related clients he represents.

At this week’s ICR conference, CEO Steve Ells said he is hopeful that the CDC will soon declare the restaurant’s e. coli outbreak over, adding, “we know that Chipotle is as safe as it’s ever been before.”

To that end, Chipotle announced today that it will close all of its stores on Feb. 8 to have a corporation-wide meeting with all staff regarding food safety.

But customers remain extremely wary. Indeed, while it may be an e. coli cliché, it would not at all be a stretch to say public opinion about the brand remains in the toilet, with YouGov’s BrandIndex score for the company seeing a drop equal to that of GM during its crisis.

To combat that, the company also announced plans to launch a sizable new marketing campaign to win back customers, using direct mail and traditional advertising to attempt to win back consumer confidence. As Fortune reported, executives said the campaign will attempt to provide a “detailed story of what happened” to explain to customers why they are now safe, and that it will not focus overtly on food safety, but will have “an undertone” of humility.

Chipotle’s stock dropped nearly 42% in the wake of the outbreaks, and according to an SEC filing, sales at stores open more than a year were down 30% last month. Ells and his team admitted they could not guess how much the fallout will impact 2016 financial results, but expect it will be a “messy” year. Costs are expected to go up from the marketing campaign and new food safety measures, including processing more food through centralized kitchens in an attempt to better control the conditions of ingredients.

The company darkened its outlook for Q4 results, and as Wells Fargo Securities wrote in a recent research note, “We expect CMG to point to a hard-fought and long-tailed [same-store sales] recovery across 2016, and to stress that there is still much work to be done in assessing the sizeable costs associated with the company’s supply chain overhaul.”

For more about food safety crises and product recall, check out the following articles from Risk Management:

Feeding an Appetite for Trust, A Q&A with Center for Food Integrity CEO Charlie Arnot

Food Safety Updates Stalled by Funding

Maximizing Coverage for a Product Recall