
Top Five Financial Sector Security Threats

November 3, 2009 by ADMIN

By Kevin M. Nixon, Information Security Resources Security Editor

It is usual and customary during the fourth quarter of any year to think about the potential threats to our financial institutions and corporations, in an effort to get ahead of the curve and stave off additional failures.

I have listed my Top 5 concerns below and welcome comments from readers.

One:  Regulation

To date, no changes have been made to strengthen Federal Laws or improve SEC reporting criteria.

Under Sarbanes-Oxley (SOX), quarterly and annual reports must not only report a corporation’s financial performance; corporations must also report other events, legal actions, or “material impairments” which can affect the overall stability of the investor’s assets.

In my opinion, the Securities and Exchange Commission took a very narrow view when constructing the modifications for incorporation into “The Securities Exchange Act of 1934”.

The major transparency reporting flaws in SOX relate directly to SEC Act Rule 13a-15. This rule is the portion of the SEC Act that was modified after the passage of SOX Section 302 in 2002.

Rule 13a-15 is what requires Chief Executive Officers and Chief Financial Officers to provide their “Certification Statements” where each must attest to the truthfulness and accuracy of the Financial Report to shareholders.

I feel the transparency flaws occurred when the SEC failed to consult IT security experts when it defined the terms; and I would go so far as to say that perhaps the rule makers acted intentionally in limiting the scope of the terms, as a direct reaction to pressure from the large corporations and their lobby groups.

My reason for doubting the sincerity of the rule makers stems from the fact that every single 10-K and 10-Q since the rule went into effect has contained the conditional clause “as defined in Rule 13a-15” in big bold letters atop the executive certification statements.

For example, the Heartland Payment Systems (HPY) quarterly report was filed as follows (NB: the HPY report incorrectly cites the SEC Rule, using the words “section 13 or 15(d)”, which should be the first clue that something was rotten):

QUARTERLY REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 - For the quarterly period ended September 30, 2008, PART I. CONDENSED FINANCIAL INFORMATION; Item 4. Controls and Procedures; Page 48:

Evaluation of Disclosure Controls and Procedures

Under the supervision and with the participation of the Company’s management, including its Chief Executive Officer (“CEO”) and Chief Financial Officer (“CFO”), the Company evaluated the effectiveness of the Company’s disclosure controls and procedures (as defined in Rule 13a-15(e) under the Securities Exchange Act of 1934, as amended (the “Exchange Act”)).

Based upon that evaluation, the CEO and CFO concluded that, as of the end of the period covered by this report, the Company’s disclosure controls and procedures were effective and provided reasonable assurance that the information required to be disclosed by the Company in reports filed under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms.

Any system of controls, however well designed and operated, can provide only reasonable, and not absolute, assurance that the objectives of the system will be met.  In addition, the design of any control system is based, in part, upon certain assumptions about the likelihood of future events. Because of these and other inherent limitations of control systems, there is only reasonable assurance that the Company’s controls will succeed in achieving their goals under all potential future conditions.

Changes in Internal Controls

During the quarter ended September 30, 2008, there has been no change in the Company’s internal controls over financial reporting (as defined in Rule 13a-15(f) under the Exchange Act) that has materially affected, or is reasonably likely to materially affect, the Company’s internal controls over financial reporting.

Rule 13a-15 is written so poorly (and perhaps intentionally so) that its terms can be, and are, interpreted as applying only to a corporation’s financial software and document archive systems.

My opinion is that executive certification statements are worthless when using the conditional clause “as defined by Rule 13a-15”.

Executives depend on the failings of the Rule for their protection.

Corporate attorneys carefully point out that if the certification statements remain within the very narrow area as defined, then should anything go wrong, a corporation’s defense against millions in fines and jail time for executives is that they were simply following the law as written.

That safety net certainly didn’t prevent Heartland from having to spend $51.4 million in un-budgeted expenses as a direct result of a system intrusion, nor did it restore confidence to shareholders when Heartland Payment Systems (HPY) published a Form 8-K on Friday, August 6, 2009, a full eight months after the announcement of the data theft.

I don’t believe that the SEC intentionally created rules that would allow corporations to commit fraud; however, there hasn’t exactly been a rush by Congress or the SEC to correct the current deficiencies and prevent some very narrow interpretations of the existing regulations.

The reason I selected Regulatory Compliance as the number one potential security threat to our financial institutions and corporations is the failure to act.

I firmly believe that financial institutions and corporations should be fined if any computer system containing data deemed “private or protected” under any of the data protection laws is breached or found to be operating without controls to prevent unauthorized access.

Simply put, a breach or unauthorized intrusion should be considered as having the same significant financial impact as an officer or key executive leaving.

Form 8-K is the “current report” companies must file with the SEC to announce major events that shareholders should know about.

Shareholders should not have to discover a data breach from the news media; and until corporations are made to stop hiding their dirty laundry, consumer confidence will remain lukewarm.

Congress needs to modify the existing SOX regulation and require the SEC to modify the current “material impairments” clause.

The required modification needs to include:

Any and all suspicious software anomalies resulting from the installation of intended or unintended programmatic changes; any unauthorized access, perceived or actual, by real person(s) or by software residing on primary, ancillary, networked or test devices, or on an associated or affiliated device or group of devices, with the potential of affecting the integrity of data, in part or whole, used as an element or evidence of financial accuracy; or resulting in the unplanned diversion of funding to satisfy information security requirements.

The time spent investigating, validating, gathering evidence, preserving evidence and maintaining calm in a storm is generally not budgeted. A database breach that releases protected information also triggers a duty to notify all affected parties.

The events involving Heartland Payment Systems (HPY) clearly illustrate the need for increased supervision of financial institutions.

A thief is a thief, whether a hacker, an insider trading secrets, or an executive of the company manipulating reports, facts or funds.

Financial institutions and corporations continue to finance their debt via the bond market. Since the rules, regs, auditing and oversight have not changed, we are being set up for another financial crash.

I strongly recommend and support modifications to Sarbanes-Oxley that change the CEO and CFO attestation statements. These statements are frequently filed as exhibits to each quarterly SEC filing.

To emphasize my point, I recommend that readers conduct some research of their own.

When a data breach is announced or makes news regarding any public company, go immediately to the corporation’s web page, or to any brokerage website.

If on the corporate site, look for the Investor Relations page, and look for a press release or Form 8-K filing. If readers are unable to locate notices of “Material Impairment”, communicate your dissatisfaction to the corporate officers, the SEC and, most importantly, the elected officials who represent you in Congress.

Two:  Capital

Threat #1, which involves the regulators and executives, gives rise to #2: “Why should I give a damn?” (a.k.a. care in print).

Tier 2 and middle managers have simply stopped attempting to budget for security applications, hardware or even skilled fractional outsourced knowledge.

Why?  Middle management is suffering from the Alfred E. Neuman “What? Me Worry?” Syndrome.

Operational, capital and staff budgets have been cut off at the hips, and middle management is trailing around inside our financial institutions and corporations like snails, leaving a moist trail behind them.

Three:  Cutting Corners

With 1 and 2 above, the few remaining institutions that might care only want to give the appearance of being clean; they simply apply more cheap perfume to cover the smell.

They are only willing to hire outside consultants on the cheap, only willing to pay the minimum amount, and come very close to giving the consultants direct instructions “to find nothing significant”.

Four:  Liability

Operating with no budget, no staff, and no safety net is what I would term a dangerous management high-wire act. Financial institutions and corporations are seeking alternative ways to collect from others for their own lack of responsibility.

This leads to complicated vendor/consultant agreements, which require the outside third party or contractor to “PAY FOR” the liability insurance of the company during the consulting engagement. The following is an example of one corporation’s requirements:

Vendor covenants and agrees that Vendor will, throughout the Term, obtain and maintain, at its own expense, for itself and any of its Subcontractors: (i) comprehensive general liability insurance in an amount not less than $1,000,000 per occurrence (combined single limit) and $2,000,000 in the aggregate; (ii) professional liability insurance for errors and omissions in an amount not less than $2,000,000 annual aggregate and per occurrence; (iii) if applicable, auto liability insurance in an amount not less than $1,000,000 per occurrence (combined single limit); (iv) employee dishonesty insurance in an amount not less than $250,000 and with a deductible no greater than $5,000 naming xyz Inc. as “Loss Payee”; (v) workers’ compensation coverage as required by applicable law or, if not required by applicable law, then no less than coverage at the statutory limits of $1,000,000 per accident, $1,000,000 per employee, $1,000,000 disease policy limit; and (vi) umbrella liability insurance in an amount not less than $3,000,000 per occurrence and in the aggregate.

Such insurance coverage shall provide coverage for Claims and for liabilities or claims for damages resulting from the Deliverables provided hereunder and the Services performed by Vendor hereunder, and xyz Inc. shall be named as an additional insured under Vendor’s comprehensive general liability insurance hereunder. Insurance carriers must be rated A-VII or better by A.M. Best Company.

Five:  Foreign Debt

China and Japan, but not because of skilled hackers, nukes, or clever imports.

As of July 2009, the US Treasury Department reported that China owned $800.5 billion in US Treasury securities and Japan owned $724.5 billion.

In total, China and Japan hold 44.48% of the US debt financed via the sale of Treasury securities.

This exposure to financial or political risk, should foreign banks stop buying Treasury securities or start selling them heavily, was addressed in a recent report issued by the Bank for International Settlements, which states:

Foreign investors in U.S. dollar assets have seen big losses measured in dollars, and still bigger ones measured in their own currency. While unlikely, indeed highly improbable for public sector investors, a sudden rush for the exits cannot be ruled out completely.

In September 2009 China, India and Russia said they were interested in buying IMF gold to diversify their dollar-denominated securities.

One could conclude that all of the Financial, Government and Corporate IT systems being compromised and sniffed by China are just China’s way of “auditing their investments”.

Crimes against the State are punishable by death in China via televised public executions.

If I were an executive in a financial institution or corporation with its debt owned by China, I would do everything I could to solve problems 1 thru 4 above so someone wouldn’t accidentally miscalculate “the drop length” on my rope, like with Saddam.  Headless on the Net is not a successful climb to the top.

If we fail in 2010 to solve 1 thru 4 above, then the 2011 Congressional may have to be published in Mandarin.

That will mean we will all need to purchase that “Rosetta Stone” language software that, according to the commercials, is “Used by the US State Dept”, which proves my final point: Hillary will never be headless.

Failing to clean the mess up quickly will only emphasize that Nostradamus, the ancient Egyptians and the Mayans all knew that 12-21-12 would be the end of things, as we now know them!

With the threat of aftershocks in the US Stock market, continued bank closings and takeovers by the FDIC, serious consideration needs to be given to changing the current reporting, auditing and oversight regulations and the public needs to pressure elected officials into action, before our entire country is taken off financial life support.

* * *


Kevin Nixon has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee. He has also served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and as a consultant to the Federal Trade Commission.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
