Using ERM to Protect Your Business from The Equifax Fallout

As with many data breaches, the general conclusion of the Equifax attack is that personnel were not aware of the issue beforehand. This conclusion, however, is false.

In early September, I anticipated that a vulnerability in Equifax’s software was known ahead of time, and that this scandal was, therefore, entirely preventable. A month later, the NY Times reported that the Department of Homeland Security sent Equifax an alert about a critical vulnerability in their software. Equifax then sent out an internal email requesting its IT department to fix the software, but “an individual did not ensure communication got to the right person to manually patch the application.”

The Equifax data breach was a failure in risk management. As a credit bureau that deals with the personally identifiable information (PII) of 200 million U.S. customers, Equifax has a legal and moral responsibility to safeguard their customers’ security, and to adopt the proper systems to do so.

For instance, if Equifax had an enterprise risk management (ERM) system in place, the warning from Homeland Security would have been properly recorded and assigned out to the appropriate personnel. This system would have provided transparency over the status of the task in progress, and would have triggered reminders until the vulnerability was patched and verified by the right subject matter expert.

A Point of No Return

It’s my opinion that this scandal is a point of no return for risk management. While data breaches have abounded in recent years, there has never been one of this magnitude or one that provides every piece of information hackers need to steal our identities. Of course, lawsuits and penalties are piling up around the company’s negligence, but these financial losses are nothing compared to the reputational damages Equifax will suffer—shares fell by 18% following the breach and have yet to fully recover.

What makes this scandal so unique, and therefore a point of no return, is that these reputational damages reach far beyond Equifax. Consumers can’t always choose whether they’re a customer of Equifax, but they can choose whether to do business with the institutions that gave away their information to Equifax in the first place.

I also believe that consumers’ outrage with this scandal will cause them to shift their money, loyalty, and trust to institutions that can demonstrate effective risk management. CEOs and boards of every company will have to prove their organizations have adequate enterprise risk management systems in place. They’ll find that more effective risk management and governance programs are necessary to keep their market shares up and their reputation clean.

Where to Go from Here

While this breach may appear to be an event of the distant past, we are in the eye of the storm. Stolen information can lie dormant for months or years as criminals wait to make their move, and when they do, you’ll have either taken this period of calm as a chance to forget the scandal, finding yourself ill-prepared, or a chance to get to higher ground, finding yourself fully protected.

To protect themselves, businesses must:

  • First, to determine where to focus your security resources, recognize that people, processes, and procedures are now the biggest risks. Businesses need to perform risk assessments across all departments to determine who has access to sensitive information and authentication processes, and what the business impact would be if these employees were to be impersonated.
  • Next, to address these risks, businesses must rewrite their procedures for authenticating the people involved in sensitive requests and actions both verbally and electronically. With so much PII now in the public domain, it is no longer safe to rely on traditional authentication based on these pieces of information.

    For example, the security question “What was your first car?” is not effective because the answer is now easily accessible.

    A more effective question would be “Who was your best friend in elementary school?”

  • Finally, it is important to keep your third-party vendors in mind. Vendors often have access to sensitive information and processes, which could have an enormous impact on your company. It is crucial, therefore, to extend your internal authentication procedures out to your third parties so that they are authorizing sensitive requests and actions as securely as your own organization.

Our world, including the business world, is becoming increasingly transparent, meaning it’s up to you to act with integrity and protect your stakeholders. Keeping the Equifax data breach in mind, along with enacting these tactical steps, will help you stay ahead of the competition and out of glaring social media headlines.

Risk and Crisis Management Explored at Cyber Event

NEW YORK—Cyberattacks and data security need to be high priorities for all businesses, experts stressed at ALM’s cyberSecure 2017 event here, Dec. 4 and 5. In fact, not only is failing to prepare for an attack or breach risky, it’s foolish, Kathleen McGee, internet & technology bureau chief for the Office of the Attorney General of the State of New York, said in Monday’s opening address. She added that not reporting a breach in a timely fashion has its own set of legal and reputational risks, referring to the SHIELD Act (the Stop Hacks and Improve Electronic Data Security Act), introduced to the New York State legislature by Attorney General Eric Schneiderman in November.

“Under the SHIELD Act, companies would have a legal responsibility to adopt reasonable, administrative, physical and technical safeguards for sensitive data,” she said Monday, adding that the standards would apply to any business holding data of New Yorkers, whether or not they do business in the state.

McGee noted that even though a company may not have all the details in the first 72 hours following a breach, reporting it to the New York Department of Financial Services (NYDFS) or another regulator is crucial. It is a legal requirement as part of the NYDFS Cybersecurity Requirements for Financial Services Companies, and even if all the pertinent information about an attack is not yet available, divulging what is known will prevent further enforcement action from the state.

“For some companies, data is the only commodity,” she said. “But in the past 10 years, risk assessments have not evolved as quickly as data collection.”

That observation served as a segue to the next session, “Integrating Periodic Risk Assessment to Avoid Becoming the Next Target of a High-Profile Cyberattack.” Panelists covered the importance of formal risk assessments, which will be legally required by regulators like the NYDFS and by the General Data Protection Regulation (GDPR) in Europe, which goes into effect in 2018.

Moderator Eric Hodge, director of consulting at CyberScout, said education charts the path to a positive assessment and suggested using non-traditional training methods to onboard clients and employees over the course of a year.

“There are a lot of ways to educate other than the traditional annual training session set in a typical conference room,” Hodge said. “You can try white hat phishing to trap people in a safe way. Share your stories every month and be honest about your own failures. There are ways beyond just checking a box.”

eHarmony Vice President and General Counsel Ronald Sarian said his company has learned from its past incidents to better prepare and to update its ERM framework. The dating and compatibility company’s site was breached in 2012, before he joined the group.

“You need to do a data impact assessment and ask: What are your family jewels?” noted Sarian, who said he aims to implement ISO27001 as the ERM framework to secure eHarmony’s international and cyber presence. “We had so much in place already that I thought we should take a shot at it. It takes at least a year but so far it’s working for us.”

When considering ransomware, experts from healthcare, insurance and electronic payments companies spoke passionately during a dedicated session about how they mitigate risks. Christopher Frenz, director of infrastructure at the Interfaith Medical Center, strongly advocated for network segmentation, which he uses at the center, in an effort to keep intrusions contained.

As previously reported, Advisen’s recent Information Security and Cyber Risk Management Survey indicated that, for the first time in the seven years of the survey, there has been a decline in how seriously C-Suite executives view cyberrisk. With that trend in mind, panelist Christopher Pierson, Ph.D., chief security officer & general counsel of ViewPost, a provider of electronic invoice and payment services to businesses, outlined his approach to eliciting a response from board members.

“You can’t tell the board that [paying] is not an option unless it’s illegal,” Pierson said. “Educate the board and explain that it is an option to pay terrorists and criminal syndicates. You’ll see the looks on their faces and then you’ll get them [to want to take action].”

For more information about GDPR, read Risk Management magazine’s coverage.

What Organizations Need to Know about Risk Culture Audits

Today’s risks require more proactive oversight by boards of directors on the issue of risk management. Transitioning to this approach is easier said than done, however. The trouble is that many organizations are weighed down by antiquated risk management frameworks that prevent them from being proactive. Even today, how financial services and other industries address risk is deeply ingrained in organizations’ character, requiring a broader change which extends beyond simply implementing new risk management frameworks.

Overcoming this hurdle is easier said than done. In fact, businesses across the capital markets are primed for a risk culture rewiring.

What’s in a risk culture audit?
A risk culture audit is a critical first step in reinventing risk management because it helps identify challenges in behavior and reorients how companies think about today’s increasingly complex risk landscape.

Here are the key focus areas in any risk culture audit:

Organization Vision and Values: Evaluating leadership and established communications by senior leaders relative to risk and compliance.

Risk Management: Evaluating the maturity of risk frameworks, defining clear roles and responsibilities, and implementing education and training programs designed to empower individuals to include risk management in their decision-making consistently across the organization.

People Management: Understanding how risk management is introduced early in the onboarding process on the front end and back end, as well as directly into incentive compensation programs.

Risk culture audit lessons learned
I recently led OCC (Options Clearing Corporation) through one of these trailblazing exercises, leading me to my new mantra of “identify, escalate and debate.”

Rather than promote a reactive risk culture in which specific risk incidents derail teams from business-as-usual, we’re adopting a risk-focused culture that enables our teams to escalate an event immediately, assess its impact quickly, and debate its resolution broadly.

While every financial institution has unique considerations in its risk management framework, OCC’s risk culture audit revealed some key hurdles that are commonplace across financial services firms.

The first challenge is developing a risk management framework that boards and management can easily implement for risk oversight. This framework can be difficult to pin down because it must be formal, objective, and metrics-driven—and ultimately must map back to a risk appetite and process that team leaders can follow.

The second challenge is developing an action plan to help team leaders manage the shift toward a proactive risk culture. To effect change, team leaders need to be able to demonstrate that the new approach reduces risk or manages new risks within the firm’s risk appetite.

Oftentimes, this means replacing human judgment with transparent rules and objective criteria.

Finally, the third challenge is shifting employees toward adopting a risk-based mindset at the individual level. A successfully retooled risk culture ultimately comes down to the people. Doing this successfully requires firms to reinforce the new risk culture at every turn, such as linking positive risk culture behaviors to performance rewards. At OCC, we are working on this third piece of the puzzle by identifying “risk champions” across the business and training them on the techniques needed to evaluate risk.

At the end of the day, financial institutions’ risk cultures must support risk management models that ensure market confidence does not erode, that issues are addressed, and that business continues as planned. I have concluded the best way for organizations to do this is to use a risk culture audit to identify opportunities that will help them transition to a strong risk-oriented business model. This enables them to comprehensively evaluate and understand the risk posed to their business, put mitigating controls in place, and enable an environment where risk can be discussed openly across the firm.

If companies can re-orient their risk culture to be more forward-thinking, they will put themselves in the best possible position to address today’s ever-evolving and complex risk environment.

High Performance Risk Management

LOS ANGELES—Risk managers, whose job once focused on a basic “bucket of risks,” and making decisions about which risks are transferable and which ones the company should retain, have been “migrating along an evolutionary path which is allowing us to be more strategic,” said Chris Mandel, senior vice president of strategic solutions at Sedgwick, at the RIMS ERM Conference 2017.

During the session “The Trouble with ERM,” he noted that risk managers now need to alter their focus. “The question for risk managers now is, how do we get our organizations to focus on long-term success and recognize the link between strategy and risk?” he said.

Erin Sedor, president at Black Fox Strategy, said that personal experience taught her the importance of connecting with the CEO and aligning with the company’s strategy when setting up a program. “You need to know what they are talking about and understand strategy,” she said.

Unable to find a satisfactory definition of strategy for ERM, Sedor came up with her own: A set of decisions made at a given point in time, based on business intelligence, that when successfully executed, support the purpose, growth & survival of the organization.

She added that, unfortunately, enterprise risk is not a term that resonates with the C-suite, but strategy is.

She identified three major problems with ERM that can dampen its prospects:

  1. A limited view of the organization’s mission, growth and survival.
  2. Silos. Breaking through them is a nonstop process, no matter how a company tries to improve the situation—especially in the areas of risk management, continuity planning and strategy, which typically happen in very different parts of the company. “It is important to link risk management and continuity planning in the strategic planning process, because that will get some attention and get the program where it needs to be,” she said.
  3. Size. Because ERM programs are notoriously huge, she said, “the thought is that ERM will cost too much money, take too many resources and take too long to implement. And that by the time it’s finished, everything will have changed anyway.”

Starting the process by “saying you’re going to focus on mission-critical,” however, can help get the conversation moving. “Because as you focus on that, the lines between risk management, continuity planning and strategic planning begin to blur,” she said.

Sedor described mission-critical as any activity, asset, resource, service or system that materially impacts (positively or negatively) the organization’s ability to successfully achieve its strategic goals and objectives.

She said to find out what mission-critical means to the organization, what the company’s appetite and tolerance for mission-critical are, and what impacts mission-critical exposures have on the organization. “Risk managers will often ask this question first, but you have to come to grips with the fact that not every risk is a mission-critical risk,” she said. “And not everything in a risk management program is mission-critical.” Using that context helps in gaining perspective, she added.

When viewing risk management, continuity planning and strategic planning from a traditional perspective, strategic planning is about capturing opportunity and mitigating threats; risk management is the identification, assessment and mitigation of risk; and business continuity planning is about planning for and mitigating catastrophic threats.

Looking at them from a different vantage, however, strategic planning is planning for growth; risk management allows you to eliminate weaknesses that will impede growth, which is why it’s important; and continuity planning will identify and mitigate the threats that impact sustainability. “That is how they work together,” she said, adding, “you are also looking at weaknesses that, when coupled with a threat, will take you out. Those are your high-priority weaknesses. Using a mission-critical context makes it all manageable.”

At this point, if a risk manager can gain enough leverage to talk to executives throughout the organization about what mission-critical means to the company, its impact, and then about tolerances and creating a more integrated program, “all of a sudden, you’ve talked about ERM and they didn’t even know it,” she said. “They thought you were talking about strategy.”