Cybersecurity, Your Vendors And Your Board
Top Of Board Agendas… But None Of The Checklists We’ve Seen Address The Way Their Key Vendors Guard, Or Maybe Fail To Guard, The Security Of Their Most Sensitive Records… Our Tips
Our in-box has been brimming over these past few months, with invitations to attend conferences, webinars and to download white-papers and checklists on Cybersecurity – and on what, exactly, a Board of Directors needs to know and do about it.
No wonder, of course, after the almost daily reports of successful cyber-attacks on the most sensitive kinds of corporate records: records of their customers’ names and addresses, their email addresses and maybe their passwords, and no doubt, on the frequency, distribution and dollar amounts of many of their financial transactions as well. A recent WSJ tally showed that roughly 600 million customer records had been exposed to some degree over the past few months by breaches at a mere handful of companies: at Heartland Payment Systems (130mm), Sony (100mm), TJX (90mm), J.P. Morgan (76mm), Target (70mm), Home Depot (56mm), Card Systems (40mm) and Neiman Marcus (1.1mm – but where we’d bet a dollar-weighted measure would have vaulted them into the very top tier of victims in terms of net worth).
A recent posting on the Society Huddle, by Jennifer Naylor of the Center for Board Excellence cited two documents that she – and we too – found to be particularly useful, and relatively easy for non-techies to comprehend: Verizon’s 2014 Data Breach Investigation Report, which readily Googles up and covers huge ground in a mere 60 pages – and the “Twenty Critical Controls” framework, www.counciloncybersecurity.org (106 pages) – which Naylor nicely summarized as “a solid, actionable check list for boards to review with their security teams.” (By the way, if you are not Society members – and/or not in “The Huddle” – you are missing out on one of the best resources for public companies… and their suppliers… anywhere!)
But none of these documents focus attention on one of the most dangerous areas of all to public citizens and their boards – the need to adequately evaluate the Cybersecurity measures that are in force – or maybe not – at your key corporate suppliers.
At a recent Shareholder Services Association meeting in NYC (another group where, by the way, every public company should have a member) a panelist ticked off some of the super-sensitive data a public company’s transfer agent has on file – like every registered shareholder’s name, address, Social Security or TIN number, the number of shares owned, and often, the holders’ e-mail addresses. “And please note too” your editor chimed in, “many transfer agent records also record the holders’ bank account numbers, if they sign up to get dividends via ACH, or for automatic deductions for their DRP - and sometimes their brokerage account numbers, if they have moved money or shares back and forth. And, please don’t forget, many transfer agents are able to look at every stock ownership position a shareholder has – with every single issue that is serviced by that T-A…so this is serious stuff!” Just think for one moment on how easy it is for criminals with access to this info to identify the oldest and richest shareholders - and the most vulnerable ones - for “pfishing expeditions” - or outright theft of their dollars - and all their “dematerialized shares” - by very convincingly impersonating them.
Moving on to some other key suppliers, let’s not forget about one’s proxy solicitors – who often have exactly the same info on hand – and who often drum up the holders’ phone numbers to boot – which is incredibly easy to do these days.
And, OMG, the various servicers, reporters and ‘finders’ of so-called abandoned property, where the shares and dollars are literally ‘up for grabs’ should unscrupulous vendors – or hackers – find the keys to the kingdom and masquerade as the lost holders or their heirs – and where failures on their part will end up solidly in your company’s lap, or, God forbid, your own.
Scarier yet, perhaps, are your outside law firms – where, as the OPTIMIZER reported several years ago, sensitive files have been hacked – and sophisticated cyber-experts have listened in on Board deliberations and on other strategy meetings involving some of the most sensitive info your company has.
And let’s not forget those outside providers of telephonic and video conferencing services that public companies, and their law firms and other key advisors, use with ever increasing frequency these days.
And OUCH!... You really need to ask your key suppliers about firms THEY use - and how their cybersecurity measures stack up - and exactly what kinds of data are being shared.
And DOUBLE OUCH!... You really need to ask all your vendors about any and all offshoring arrangements they may have – and exactly what kinds of data are being off-shored – and the kinds of basic security measures their suppliers have in place – even before probing for their cyber-security measures. Your editor is absolutely fine with the idea of offshoring – as long as the services are as good as those that can be obtained domestically – and will clearly be less costly in the end – which oftentimes they are. But your editor has dealt with many companies where their corporate charter documents (and sometimes federal and/or state regulations too) flatly prohibit the offshoring of share-ownership info, and similar kinds of corporate records (especially in sensitive industries like defense contractors, and the communications industry as a whole) but where the corporate buyer, or the renewer of service contracts, is completely unaware of such issues. And many times, U.S. vendors themselves seem to be unaware of limitations on the info that can be off-shored.
Here, by way of illustration, is a true horror story – that was witnessed a few years ago by your editor and by the Corporate Secretary and Chief Governance Officer of a large and highly-regulated public company during a “due diligence visit” to what then was a major transfer agent:
An employee of the transfer agent was filling in for the usual tour-giver when she brought up an actual transfer in progress to show us. When we asked exactly where this transaction was actually happening, we discovered that it was being processed live and in real time ... “by an associate in India.”
As we watched the screen, we could see that the Indian ‘associate’ was paging through a large group of stock certificates, then the death certificate for the registered owner, then the owner’s account on the TA’s records – that showed his name, address, account number and TIN. The actual will of the decedent was there too – along with the transfer instructions, that gave the names, addresses, TINs and entitlements of the heirs and soon-to-be transferees… And oops again!... In observing the paging-through, we were given a tour of all the other holdings of the decedent – in all of the other issues where the T-A served as T-A!
(Please know, dear readers, that India is your editor’s second favorite country in the world, after his own – and that he is delighted when work can be off-shored there – creating much-needed work for our Indian friends – and dollar savings – and, very often, fast and truly outstanding service for our U.S. friends. But information like this? Which info, by the way, is to be shared in the U.S. only with employees that have been fingerprinted and bonded, when last we looked? “Oh yes, all of our associates have been thoroughly checked out” we were assured… But having been to India, your editor knows that, sadly, there is no “social security system” there – much less one that issues ID numbers (except for government employees, that is)… and that literally millions of Indians share the same first and last names, and that most dwellings have no house numbers, and most streets have no visible names… which makes ‘thorough checking’ a difficult if not a totally impossible task, we’d have to say. But please understand: our issue is not about offshoring per se, but about the nature and extent of the information that is off-shored… and about the most basic security measures in effect… even before exploring cyber-security issues.)