
Measuring Risk: Why We Need Standards for Continuous Monitoring & Assessment

Continuous monitoring on its own is great for the detection and remediation of security events that may lead to breaches. But when it comes to allowing us to measure and compare the effectiveness of our security programs, there are many ways in which simply monitoring falls short. Most significantly, it does not allow us to answer the question of whether or not we are more or less secure than we were yesterday, last week or last year.

This is a question that we all have grappled with in the security community, and more recently, in the board room. No matter how many new tools you install, settings you adjust, or events you remediate, there are few ways to objectively determine your security posture and that of your vendors and third parties. How do you know if the changes and decisions you have made have positively impacted your security posture if there is no way to measure your effectiveness over time?

In recent years, solutions have emerged in the market which bring to light new potential from continuous monitoring and enable organizations to not only identify and remediate security issues, but also answer questions about security performance and effectiveness. Through the analysis of historical data, performance rating solutions allow organizations to quickly and objectively compare their effectiveness over time as well as to their industry and peers. The ratings are generated through the continuous collection of security data, including events, user behaviors and configurations, and updated on a daily basis. Higher ratings indicate better security performance, and users receive alerts when ratings change significantly. The ease with which these ratings can be accessed means organizations can leverage performance ratings in a number of ways that go far beyond threat detection.

For example, using ratings in vendor selection can help organizations choose and negotiate with secure partners from the beginning of business relationships. They have access to information that can show how performance over time has varied, as well as if there have been prior security incidents or breaches worthy of further investigation. Using ratings for vendor management encourages all parties to be proactive and transparent in their security practices, thus helping to improve overall performance.

There are other third-party transactions where continuous security performance ratings can help, such as underwriting and negotiating cyber insurance premiums as well as making strategic M&A decisions. Performance ratings provide context that is lacking from other assessment methods, as ratings are based on evidence of security outcomes and the criteria for both assessment and rating are congruent between networks.

However, the value in this metric isn’t simply in providing a number; the value is in its potential to become a standard that organizations can objectively benchmark themselves and their third parties against. Many organizations have their own methodologies to assess security risk, relying on auditors, compliance certificates, questionnaires and multiple frameworks for qualitatively, and in some ways quantitatively, measuring their risk. But if we’re all using different frameworks and methodologies, the ability to compare and contrast is lost, and objectivity comes into question. The lack of a standard in this area has led to ambiguity when it comes to defining what “good security performance” actually looks like.

Of late, legislators and regulators have been pushing organizations to show that they are monitoring security risks across the business ecosystem and taking responsibility for the performance of their vendors as well. There has also been additional pressure placed on board members and executives to demonstrate awareness and oversight of security performance at all times.

HIPAA, PCI and OCC guidelines have all added language around vendor selection and management, requiring more frequent assessments and in some cases, naming liability if a vendor falls out of compliance. One thing these updates don’t include is specific guidelines for how and what to assess in network security ecosystems. This means it is up to the individual to interpret guidance, which may result in inconsistent (and often biased) assessments.

If regulators and lawmakers want to simplify risk management, they could make great strides by adopting and enforcing a set of measurement standards that could span industries and bring transparency to security practices in all organizations. To overcome the lack of awareness and bias in security performance assessments, continuous performance monitoring provides a significant advantage because it is outcome based rather than control based. Because of this, continuous assessment methodologies can answer the age-old questions: How am I doing compared to my industry and my peers? Am I safer now than I was before?

Oil Transportation by Rail or Pipeline? A Nation Vacillates

Thanks to some high-profile derailments over the past several months, the zeitgeist is set against the transportation of crude oil by rail.

The latest salvo to appear in a major media outlet is Jon Bowermaster’s Op-Doc “A Danger on the Rails,” appearing in the New York Times on April 21. Bowermaster focuses on oil cars rolling along the Hudson River, but his critiques of these trains are applicable to the national debate as well.

They are, by now, predictable: the transports are derided as “bomb trains,” and they’re creeping past schools, hospitals, and major urban centers (even within a few miles of Manhattan!).

The production values are good, but Bowermaster ventures deep into NIMBY-ism. He’s not alone: when it comes to the transportation of oil, Americans want it done quickly and cheaply so the economy can keep humming along. Just make sure it’s routed somewhere else.

Fear of oil trains is nearing fever pitch, but the best alternative—pipelines—earns emotionally charged reactions as well. Take Politico’s thorough investigation of the Pipeline and Hazardous Materials Safety Administration, also published on April 21. Despite the great journalism it contains, editors gave it the inflammatory title “‘Pipelines Blow Up and People Die.’” The authors write:

“Oil and gas companies like to assure the public that pipelines are a safer way to ship their products than railroads or trucks. But government data makes clear there is hardly reason to celebrate.

Last year, more than 700 pipeline failures killed 19 people, injured 97 and caused more than $300 million in damage. Two of the past five years have been the worst for combined pipeline-related deaths and injuries since 2000.”

So much for an easy decision between rail and pipeline.

If the United States is going to be a leading producer and exporter of oil and gas, we have to transport it from the interior to our ports. And as domestic production increases, the number of accidents will almost certainly increase. If we cast a risk manager’s eye on the situation, where should we invest our money?

The data on rail transportation accidents makes a strong case for pipelines. Christopher Ingraham of the Washington Post put it succinctly in his February article: “It’s a Lot Riskier to Move Oil by Train Instead of Pipeline.” His charts tell the story:

Oil trains clearly have more accidents than pipelines, and in a bad year (like 2013) the amount of oil they spill can dwarf that of pipeline accidents. Oil trains have another huge risk: security. As Bowermaster noted in his documentary, these combustible trains are essentially unguarded and travel through populated areas. A determined terrorist could do a lot of damage with that situation. Pipelines, on the other hand, are buried: out of sight and out of mind.

An April 6 article in Businessweek helps us visualize the magnitude of the risk from rail shipments. Check out the growth since 2010:

While imperfect, pipelines can mitigate much of this risk that’s now moving along the nation’s rails.

Rail transport won’t go away, of course. It’s easily scalable to demand and thus more attractive than building thousands of miles of pipeline that could, in the future, be underutilized. What’s best is a two-pronged approach: pipelines can reduce risk in the most heavily trafficked corridors, and new rail standards can improve the safety of oil trains.

To read more about improving safety requirements for oil trains, see Risk Management Magazine.

10 Insurance Tips for Risk Managers

NEW ORLEANS—Most companies will at one time or another face coverage issues and lawsuits. In order to identify and avoid insurance-related issues and disputes before they arise, risk managers should take advantage of proven strategies for resolving difficult claims, advised Darin McMullen, attorney with Anderson Kill, P.C. at the RIMS 2015 Annual Conference & Exhibition here.

1. The purpose of insurance is to insure.

Don’t underestimate potential future problems, and think of loss prevention and risk transfer rather than loss financing, he noted. Companies need to assess the types of risks they will face and make sure their program is tailored to meet these needs. Also important, he said, is making sure policies are designed to cover the losses the company will face on a day-to-day basis. For example, certain types of risks are seen in manufacturing and other risks are particular to an IT vendor. Risk managers need to examine any pitfalls or shortages that may exist in their current policies and seek legal opinions well in advance of renewal. They need to look at how exclusions might be interpreted as well, McMullen said.

Joshua Gold, also an attorney with Anderson Kill, added that risk managers’ jobs are more difficult than ever, given the fragmentation in insurance programs, since many policies are purchased for a single program. These may include directors and officers, product liability and cyber insurance. “There are products out there that try to assimilate them and make sure gaps in coverage are treated,” Gold said, adding that while the fine print in policies can be overwhelming, it can be key for proper coverage, especially when dealing with multiple lines, excess layers and towers of insurance.

2. Don’t limit insurance expertise to the risk management department.

All too often, “there are still going to be thorny claims and there still are going to be disputed claims, which are unavoidable,” McMullen said. He said that building expertise elsewhere within the company is critical to taking advantage of any and all available coverage. “We get the need for everybody to work together, but now, more than ever, this is important,” he said. Coverage should not just be delegated to risk or legal; collaboration is needed. For example, IT departments need to be included when planning for cyber coverage.

3. Lawyers and risk managers can be natural allies.

While there may be friction between departments in a company, legal generally recognizes the beneficial role risk managers play, McMullen said. He added that risk managers need to put any insurance-related communications in writing and assist in the analysis of policies and claims.

4. Insurance is an essential component of corporate resources and asset conservation plans.

Risk managers should purchase coverage with the intent of safeguarding the company’s own property and employees. They also need to recognize which mechanisms actually transfer risk and which do not.

5. Think insurance after a loss occurs.

This means looking to insurance coverage following all lawsuits, claim letters, product-related issues and financial losses. Risk professionals also need to analyze other sources of insurance that could possibly cover a claim.

6. Give notice of a claim or loss as soon as possible.

When faced with a claim or loss, McMullen advised risk managers not to hesitate to notify their broker, insurers and everyone in their tower of insurance as soon as possible.

7. When you make a claim, don’t accept “no” for an answer.

There is no downside to challenging an insurer’s denial of coverage. “You owe it to your company, you owe it to your organization to explore this and push back,” McMullen said, adding that determination and persistence often mean the difference between coverage and no coverage.

8. Find out where your company’s policies are.

Locate, collect and catalogue past insurance policies. Also acquire and keep policies of all entities related to your company.

9. Don’t panic if your insurer becomes insolvent.

If this is the case, McMullen advised risk professionals to file a proof of claim as a creditor and file a claim against the state guaranty fund in one or more possible jurisdictions. He recommended that they request the next layer of insurance companies to “drop down,” and also to consider litigation options.

10. Make sure your insurance team is conflict-free.

This means the team should be untainted: risk managers need to know where loyalty lies and whether an attorney is representing both sides, McMullen said. “You want a conflict-free insurance team to take on the insurance company and to fight for the coverage that you are paying for,” he concluded.

EEOC Issues $245 million Probable Cause Determination against NYC

On April 1, the EEOC’s New York District Office issued a Determination finding probable cause to believe that the City of New York’s Department of Citywide Administrative Services (DCAS) violated Title VII and the Equal Pay Act based on its “pattern of wage suppression and subjective promotion based on…sex, race, and national origin.” In the accompanying conciliation agreement proposal, the EEOC demanded numerous forms of programmatic relief from DCAS (e.g., EEOC monitoring and notice postings) as well as back pay, future pay, compensatory damages and legal fees and costs totaling more than $246 million. For any employer, the EEOC’s position is one that ought to be heeded for “lessons learned….”

The Charge

The Communications Workers of America, AFL-CIO Local 1180 filed a charge of discrimination with the EEOC against DCAS in 2014 on behalf of a class of African-American and Hispanic women who were (or still are) employed as administrative managers in various NYC agencies. The Union asserted that a discriminatory pattern of wage suppression on the basis of sex, race and national origin exists as well as facially neutral policies governing assignment, promotion and wages that have a disparate impact on female African-American and Hispanic administrative managers. To this end, the Union alleged that the minimum salary for administrative managers—which is disproportionately paid to Hispanic and African-American women—has been frozen for many years whereas the maximum salary for administrative managers (positions held primarily by Caucasian males) has increased significantly.

In addition to arguing that the Union did not have standing to file a charge with the EEOC, DCAS denied the allegations of discrimination and provided “a small sample of administrative managers along with their gender, race, agency, salary, and description of their job duties in an attempt to demonstrate that administrative managers do not perform equal work.”

EEOC’s Determination and Proposed Conciliation Agreement

The EEOC agreed with the Union, opining that DCAS’ evidence “was insufficient” and did “not withstand scrutiny.” The EEOC also alleged that DCAS declined to provide certain requested information and that “the Commission determines that the silence is an admission of the allegations in the charge, and exercises its discretion to draw an adverse inference with respect to the allegations.”

In addition to its Determination, the EEOC provided a proposed Conciliation Agreement to resolve the charge against DCAS. The Conciliation Agreement, were DCAS to accept it, would require DCAS to, at a minimum, award raises via “an annual step process;” increase the minimum salary for all administrative managers; and agree to “proper oversight, opportunity and enforcement of equal employment,” which would include the appointment of an EEO monitor; amended job descriptions with a revised posting and bidding process; and provision of tuition assistance to union members to “level the playing field” for union members so that they can “effectively compete with their white male colleagues in the workplace.”

With respect to monetary damages the EEOC demanded $188,682,531.00 in back pay, a new starting salary for administrative managers of no less than $92,117.00, $56,922,000.00 in compensatory damages under Title VII, and no less than $1,000,000.00 in legal fees and costs.

The EEOC gave DCAS until April 17, 2015 to provide a written counter-proposal or advise if it did not wish to engage in conciliation. Absent what it deems a “reasonable written counter-proposal” from DCAS, the EEOC warned that it may deem conciliation futile and fail conciliation.

Implications for Employers

The headline-grabbing dollar amount requested by the EEOC in this proposed conciliation agreement is certainly staggering and catapults this case into the “one to watch” column. Furthermore, this confirms what we predicted in our EEOC-Initiated Litigation Report – that the EEOC is going to focus this year on recovering large settlements and verdicts to try to make up for low recoveries in fiscal year 2014. As DCAS has already publicly stated that it intends to participate in the conciliation process, we will be sure to monitor developments. Stay tuned!

This post can also be found on the EEOC Countdown blog here.