Evolving Operational Risk Management: Security, Fraud and Organized Crime

Transcription

1 Evolving Operational Risk Management: Security, Fraud and Organized Crime February,

2 Agenda Introduction Our View of Security, Fraud and Organized Crime What is happening today? - Insider Threat - Cyber Security - Camouflaged Fraud Final Thoughts Q & A

3 Introduction Joshua A. Kotok, CFE, CISA Joshua Kotok is an Executive Director responsible for leading Infinitive Insight's risk practice. An accomplished professional with more than 12 years of risk and management consulting experience, Joshua specializes in delivering high-value programs for Financial Services and Government entities. Prior to joining Infinitive, Joshua was the Senior Manager of Operational and Technology risk for the Making Home Affordable program at Fannie Mae. Joshua also has prior experience working for Protiviti and Arthur Andersen. Joshua holds a Bachelor of Science degree in Information Systems from Florida State University and is a Certified Fraud Examiner (CFE) as well as a Certified Information Systems Auditor (CISA). Joshua has held numerous industry association board positions including serving as President of the ISACA South Florida chapter and Vice President of the icoast CIO Council.

4 Security, Fraud and Organized Crime: Environment Business landscape continues with significant uncertainty Regulatory compliance and supervision is rapidly expanding - Dodd-Frank / Consumer Financial Protection Bureau - SEC Cyber Disclosure Obligations - New FFIEC Guidelines - BASEL III - Foreign Corrupt Practices Act Pace of required business changes and evolution is increasing at a breakneck speed Reduced margins and increased performance target measures

5 Security, Fraud and Organized Crime: Operational Risk Impact The challenges occurring within the environment today have the following effects: Operational lapses and loss of employee morale and motivation - Employee flight risk and turnover - Internal controls fatigue Increased internal fraud (insider threat) - Loss of information or theft Increase in operational incidents - Increase in residual risk

6 Security, Fraud and Organized Crime: Operational Risk Impact Operational Risk Frameworks are not evolving to meet the emerging challenges - Emerging threats are not identified and escalated timely Tone at the top remains the same - The organization continues to approach risk in a reactive manner Social media continues to expand and evolve - Reputational risks resulting from security fraud and organized crime now have a larger impact The rate of change is rapid - Developments of key risk and control indicators remain a challenge for most companies

7 Operational Risk View of Financial Fraud & Organized Crime

8 Insider Threat: Corruption is on the Rise Occupational Frauds by Category - Frequency 3 Source: Association of Certified Fraud Examiners, Report to the Nation

9 Insider Threat: Corruption Defined Employees or contractors intentionally exceeding or misusing an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization s data, systems, and/or daily business operations* Insider Executive Management Employees Contractors & Subcontractors Vendors Customers Interns Family Malicious Intent to harm (short term vs. long term) Strong sense of entitlement - The Company Owes Me Intent to gain at the expense of company, other employees, or your customers *Carnegie Mellon Cylab Common Sense Guide to Prevention and Detection of Insider Threats

10 Insider Threat: Malicious Activities Everyone can agree they: - Steal data with commercial value - Install logic bombs, deploy malware - Steal intellectual property However they may also be involved with: - Financial fraud - Kickbacks & bribes - Abuse company assets for personal gain - Share inside information - Extortion They typically are very active when: - Company changes and uncertainty exists - Major life event - Moving companies

11 Insider Threat: Identification Non-Technical Methods: - Change your mindset - Stop complaining about your budget - Assume all insiders are malicious - Find the puzzle makers on your risk management team - Put yourself inside their shoes - Determine who has not taken vacation - Review Accounts Payable, Vendor Master and Procurement activity - Review functional segregation of duties - Visit facilities at off-hours (late at night, weekends)

12 Insider Threat: Identification Basic Technical Methods: - Find the adult material on the network - Find the non-compliant desktops with unauthorized software - Look at outbound to personal services - Look at outbound web traffic (e.g ) - Reauthorize all outbound traffic - Re-inventory all desktops to identify personal computers connected to the network - Don t take comfort in 98% compliance

13 Insider Threat: Response Don t wait to find one to then figure out what to do: Look at your Operational Incident Response Team (OIRT) plan - Is it designed to deal with a insider threat? - How do you manage decisions regarding law enforcement? - When should the CEO know? - Do you have criteria to ensure forensic is captured? - What s your strategy to find others involved in the plot?

14 Insider Threat: Response Practice the plan Stakeholders in an event can vary dramatically. Potential stakeholders, if not in your plan, should be: - CEO, Head of HR, Head of Communications, General Counsel, Chief Privacy Officer, Chief Compliance Officer, Chief Audit Executive, CIO/CTO, Head of Physical Security, COO/CFO/CRO/, Law Enforcement - Don t expect them to know why they are in the plan - You must train and make them aware

15 Insider Threat: Communication Let all employees/contractors know that you have identified an insider threat It is important that people know you are watching Never underestimate the power of tipsters - when they know someone cares Reward the team generously when they catch one The cafeteria and the water cooler are the best opportunities for employees/contractors to share and discuss

16 Insider Threat: Operational Risk Management Risk Inappropriate Disclosure or Misstatement Insider Trading Definition Intentional misstatement or disclosure for improper gain of business information to internal or third parties (regulators, analysts, etc.), excluding financial statement misrepresentations. Intentional buying and selling of shares to obtain an improper benefit on the basis of material, nonpublic information.

17 Insider Threat: Operational Risk Management Risk Theft Corruption Definition Insider theft of monetary, physical, information, or intellectual assets from company or a third party. (e.g. an employee steals and sells proprietary models, false trades) Intentional fraudulent behavior by employees and others with significant authority or influence. (e.g. steering business to select vendors in exchange for kickbacks)

18 Insider Threat: Hedge Fund Imposter The Attorney - Marc Dreier A High-profile New York lawyer and sole owner of Dreier LLP, a 500-person law firm The Law Firm Was based on a new model where the attorneys are not equity partners. Instead they were offered generous salaries and commissions on new businesses. But there s a catch Dreier is the only person in control of the finances The Scam Mr. Dreier comes up with a plan to sell fake promissory notes IOU s to hedge funds. He issues $200 million worth of notes to hedge funds in New York and Connecticut. For six years he enjoys the fruits of his success

19 Insider Threat: Hedge Fund Imposter In 2008, the financial markets began to weaken and hedge funds started reigning in their investments Dreier became desperate as hedge funds requested in-person meetings with his client Sheldon Solow to verify that their funds really would be returned Dreier began impersonating executives and even paid a former client $100,000 to impersonate the CEO of Solow Realty inside the actual Solow offices Eventually Marc Dreier was caught, convicted and sentenced to 20 years in prison for securities and wire fraud

20

21 Insider Threat: Operational Risk Management The insider threat is out there The value proposition of finding them include: - Benefits to the company - Reduction in operational risk levels - Improving the skills of your team - Creates significant funding opportunities for strategic projects - Support real training and awareness The herd is always on the move - don t wait

22 Cyber Security: The Landscape Dependency on digital technology continues to increase As this dependency has increased so has the frequency and severity of cybersecurity incidents Organizations need to rethink how they assess cybersecurity disclosure obligations Federal securities laws are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision* *

23 Cyber Security: Risks & Impact The objectives of cyber attacks vary widely and may include: - Theft of financial assets - Theft of intellectual property - Theft of other sensitive information belonging to a company s customers, or other business partners. Organizations that fall victim to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to: - Remediation costs - Increased cybersecurity protection costs - Lost revenues - Reputational damage - Regulatory Issues (MRAs)

24 Cyber Security: SEC Disclosure Obligations Public organizations are required to comply with the following: Companies should review the adequacy of disclosures related to cybersecurity risks and cyber incidents Perform an evaluation of potential deficiencies in disclosure controls and procedures that might render them ineffective Companies should disclose conclusions on the effectiveness of disclosure controls and procedures Companies must disclose an inability to record, process, summarize, and report information that are required to be disclosed in Commission filings due to prior cyber incidents

25 Cyber Security: Disclosure Obligations The following provides an overview of specific disclosure obligations by public organizations regarding risks and cyber incidents as outlined by the SEC: Risk Factors: Disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. Management s discussion and Analysis of financial condition and results of operations (MD&A): Address cybersecurity risks and cyber incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty.

26 Cyber Security: Disclosure Obligations Description of Business: If one or more cyber incidents materially affect a company's products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant s Description of Business. Legal Proceedings: If a material pending legal proceeding to which a company or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation in its Legal Proceedings disclosure. Financial statement disclosure: Cybersecurity risks and cyber incidents may have a broad impact on a company s financial statements, depending on the nature and severity of the potential or actual incident.

27 Cyber Security: Nortel Corporate Espionage Fallen telecommunications giant Nortel was the subject of international industrial espionage for more than a decade, according to reports obtained by the Wall Street Journal Hackers thought to be based out of China downloaded research and development reports, business plans and employee s from Nortel s corporate computer network for more than a decade Nortel was breached by the hackers when seven passwords of top Nortel executives were stolen The hackers also placed spyware so deep into some employee computers it escaped detection The Journal reported that some of those computers may have been moved to the companies that bought up Nortel assets

28 Cyber Security: Nortel Corporate Espionage Nortel did not take the threat of a security breach seriously, said Brian Shields, a former senior advisor in security systems at Nortel who conducted a sixmonth internal investigation into the matter Shields told the Journal that Nortel that the hackers had access to everything They had plenty of time. All they had to do was figure out what they wanted His report says Nortel also failed to determine whether its products were compromised by hackers, and did not disclose the security breach to investors or the buyers snapping up parts of the firm

29 Cyber Security: AICPA Phishing Scam

30 Cyber Security: Operational Risk Management Risk Sensitive/ Confidential Information Network Security Definition Sensitive or Confidential Information is sent to unauthorized internal or external recipient Sensitive or Confidential Information is not appropriately treated or secured Sensitive or Confidential Information is not disposed of properly Risk of system or network compromise due to unauthorized access, which may result in the introduction of malicious code and/or activity (e.g. phishing scam to obtain credentials)

31 Cyber Security: Operational Risk Management Risk Privacy (NPI/PII) Business Availability, Disruption & Recovery Definition Failure to comply with state or federal privacy legislation requirements. NPI/PII is sent outside of company unencrypted NPI/PII is sent to unauthorized recipient Inappropriate access to systems with NPI/PII through a shared ID An organization is unable to resume business processing capabilities due to an interruption (e.g. cyber-attack, denial of service)

32 Camouflaged Fraud: Mobile Devices Gartner Says Sales of Mobile Devices Grew 5.6 Percent in Third Quarter of 2011; Smartphone Sales Increased 42 Percent As of December 2011, the total number of apps in the Apple App store was over 500,000 IOS Apps generate six times the revenue of Android Apps* *

33 Camouflaged Fraud: Mobile Devices At the end of October 2011, the total number of apps in the Android Market store was 365,404 (Android Market Insights research2guidance)

34 Camouflaged Fraud: Mobile Devices Mobile Fraud The power of mobile is breaking the speed of business by opening new markets and allowing even the smallest companies to play big The increase use of mobile applications has lead to a rise in fraud targeted at the mobile space Mobile fraud schemes are successful when companies are operating in silos and not sharing their view of risks across the organization Rogue Mobile Apps Defined: Created by non-authorized individuals or entities Seek to confuse consumer to believe it is published from an authorized source similar name, use of logo, or similar publisher Similar to other applications but its objectives are to compromise other apps on the device

35 Camouflaged Fraud: What s At Risk Financial Risk - Recovering lost funds to client - Revenue leakage Operational Risk - Deployment of apps with vulnerabilities and exposures - Time and effort necessary to remediate deployed apps Reputational Risk - Lost confidence by consumers - Harsh criticism posted publicly Regulatory Risk - Unwarranted attention by FTC, FDIC and others - Potential fines and penalties

36 Which of these is a Rogue App?

37 XXXXX XXXX - XXXX

38

39

40

41 Camouflaged Fraud: Countermeasures Organizations should develop a full cycle program from discovery through remediation and ongoing monitoring The benefits of full cycle program assist organizations to better understand the behaviors of the rogue apps and potential exposures they may not be aware of by simply taking down rogue sites Discover Acquire & Analyze Forensics Remediate Monitor

42 Wrap Up: Immediate Actions Educate Team on Fraud: Watch American Greed Educate Team on Disconnect between line and executive business: Watch Undercover Boss Perform a self-assessment of existing toolset and framework to evaluate coverage for fraud, security and crime Conduct an outing with your compliance team, build a rapport before an incident occurs Get aggressive on risk awareness Tools alone are not the answer

43 Questions & Answers