Another Hit to Shareholder Value

December 11, 2008 by ADMIN

By Laura Wilson, Information-Security-Resources.com Corporate Liability Editor

The financial industry is scrambling to survive the record losses resulting from laissez-faire irrational exuberance. In the process, the controls that are supposed to protect sensitive data and systems are compromised.

The financial losses from the increasing number of security breaches will fall on shareholders as companies face damage to reputation, civil litigation, regulatory actions, and possible criminal sanctions for failing to protect regulated information.

Financial industry management needs a strong reminder from consumers, shareholders and regulators that a crucial but much neglected part of the job description is protecting the regulated data and systems that are vulnerable during this meltdown.

Much of the financial industry has focused on the volume and speed of deals rather than on quality and common sense security.  There is a proclivity to regard control functions like lawyers, auditors, and security experts as ‘cost centers’ rather than ‘revenue centers’.

Remember when the Soviet Union broke up and nobody could keep track of the plutonium?   The threat is just as real in the break-up of our financial institutions.  The security ball has been dropped, and no one in the industry wants to acknowledge the resulting exposure and unknown liabilities now looming.

It’s not just the specter of insider theft of sensitive data.  Sometimes nobody knows how the information gets exposed.  When a financial company merges or goes out of business, information gets lost in the shuffle.  Imagine all those projects involving sensitive data and systems that suddenly have new managers, or those that have been abruptly abandoned.

Information security is a chain of responsibility, and the links have been broken.

Leading financial writer bonddad notes that we had more than 500,000 additional displaced workers, just in November, just in the U.S.A.  That’s 500,000 people with little to no prospects for full employment anytime in the near future. That’s 500,000 announced layoffs, not including those whose hours will be cut, or wages reduced, or booked orders cancelled.

CNNMoney.com projects further job-shedding in the financial companies that have your personal data:

“Bloated by years of frenzied growth, Wall Street banks and other firms are shedding tens of thousands of jobs and slashing entire divisions in their most drastic downsizing since the Great Depression…Through October, 130,000 financial jobs had been eliminated throughout the industry this year, according to employment firm Challenger, Gray & Christmas. The elimination of 53,000 jobs at Citigroup — part of a 20 percent downsizing at the firm — will raise the number to around 180,000. That would be the industry’s biggest yearly contraction ever…

…The sectors of the industry that deal with mortgage-related asset-backed securities and other risky investments are expected to be among the most battered. The subprime fiasco has left investors wary of holding such investments. As a result, many financial firms have closed mortgage-related divisions. Experts expect that trend to accelerate next year.”

That’s 180,000 unhappy, potentially financially desperate people, many of whom have access to “secure” systems and your private data. Some of those 180,000 are miffed, particularly when reading about the golden parachutes, unearned deal bonuses, and outright cash payments for those at the top of this crisis.

And what about those flash drives? And the many laptops, hard drives, and Blackberries that just never turn up for a final inventory, assuming there is one? Just exactly who is responsible for collecting and protecting all of this unsecured data? Did they get laid off too?

The story below was provided to colleague Anthony M. Freed, and the implications of this revelation are stunning. A former underwriter for the now-defunct First Magnus, a major player in the subprime lending frenzy, recalls the day they were given their pink slips:

“I worked for them (First Magnus), and on August 16th 2007 they sent out an e-mail and 6,000 employees lost their jobs. There was no warning and none of the management knew before we did. We all left the same day within hours of receiving the e-mail.

“We left our branch in Houston with thousands of loan documents piled from floor to ceiling - we were told a few months prior to retain every document - they took away the shredders and the secure shred bins that we would typically use, and we were drowning in confidential documents like duplicate credit reports, bank statements, duplicate loan applications - every bit of personal information imaginable. Not the normal way to disband a financial company.

“Think about it - I guess the management company of the building who took control of the office after we left did something with it. I know that the court gave them (First Magnus) permission in their Bankruptcy to abandon all leases and property that was left behind.

“Our computers were also left behind. 300 (First Magnus) offices across the country were similarly abandoned.”

I have managed deals for some of the largest players in the financial industry, involving access to a Fort Knox of regulated systems and data.

Based on my real-world experience, I do not trust the weakened controls that purport to safeguard information that the financial industry holds in trust for the public.  I have grave concern about the widespread and long-term harm to consumers, shareholders, and our national security when these controls are bypassed.

(A just-released 90-page report by CSIS, the Center for Strategic and International Studies, underscores the national security threat baked into our vulnerable information systems.)

To bring it home on a personal level, imagine the harm to your finances and your reputation if your identity is stolen and your financial information misused.

Now, imagine the harm you will suffer if a hacker steals your identity or your banking information, and uses your stolen information or money to commit an act of terrorism or other crime.

Now, multiply that threat by the millions of compromised identities endangered by the epidemic of information security breaches.

This unacknowledged systemic weakness affects anyone whose personal information is collected by a financial company, and any shareholder in a company that can have a security breach.  It should be of concern to management facing the threat of lawsuits or regulatory actions.

This weakened system should alarm anyone interested in our national security and countering terrorism.

Here’s a first step for shareholders, consumers, and everyone else concerned about our security: Remind the financial companies, directors and officers, and managers that they are responsible for this regulated information. It is part of their job to protect it. Remind them that they are on the line for mismanagement, negligence, and the resulting liabilities if the stuff gets out. Remind them that, before thinking about taking lavish salaries, severance, deal bonuses, or parachutes, they had better think about that data.

Laura is a business consultant and an advocate for information security, consumer protection, long-term shareholder value, and better management decisions. Her specialty is finding and fixing risks and threats to sensitive data. Her experience includes international banking, credit card, and mortgage companies, venture capital portfolio companies, and software and technology providers. She practiced law in Silicon Valley during the tech boom and meltdown, handling corporate governance and information protection.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Filed under: Breach, Class Action Lawsuit, D&O Liability, FEATURE ARTICLE, Financial, Insider Threat, Sarbanes-Oxley, Uncategorized, hackers, identity-theft, malware, national security, privacy 

Comments

4 Comments on Another Hit to Shareholder Value

  1. sandy on Fri, 12th Dec 2008 8:11 am

    Most of them never had respect for any regulations anyway, so why does this surprise? The sensitive information was too readily available, even in a mortgage broker’s office, or loan agent. That is like giving the street punk your vital information. Sorry, most of them were punks, and crooks.

  2. pligg.com on Fri, 12th Dec 2008 10:44 am

    Data Theft: Another Hit to Shareholder Value…

    We left our branch in Houston with thousands of loan documents piled from floor to ceiling - we were told a few months prior to retain every document - they took away the shredders and the secure shred bins that we would typically use, and we were drow…

  3. pligg.com on Mon, 15th Dec 2008 3:40 pm

    Economic Meltdown Exposes Financial Data to Black Market…

    It’s not just the specter of insider theft of sensitive data. Sometimes nobody knows how the information gets exposed. When a financial company merges or goes out of business, information gets lost in the shuffle. Imagine all those projects involv…

    [...] is also a tremendous risk to data security and system integrity in this process, with additional costs of their [...]
