Risk Roundup for September and October 2019
This month’s Risk Roundup takes us to California for wildfires and scheduled power shutoffs. We keep the focus on the grid with an alarming GAO report. We then revisit the Volkswagen scandal with an emerging risk. Finally, we digress over a story about direct deposit paychecks.
Risk of California wildfires prompts energy company blackouts
In October, wildfires raged throughout California as residents fumed over power outages. The scheduled shutoffs were designed to help prevent fires. They also ignited criticism. Residents complained about not being informed. The governor blamed the shutdowns on the energy company’s greed and mismanagement.
Wildfires present a threat to local businesses in the fires’ path, but a power outage impacts all businesses in the energy company’s coverage area. The fire and fury highlight the importance of business continuity planning and having a plan for likely disruptions. The plan helps to guide recovery efforts and bring critical operations back online first. The goal is to minimize the impact of interruptions. It’s essential to test and keep your plan updated.
GAO report: Electric grid vulnerable to cyberattacks
The Government Accountability Office (GAO) is an independent, nonpartisan agency that works for Congress. A GAO report released in late September found the Department of Energy is not doing enough to protect the grid against cyberattacks. The report cited industrial control systems that support grid operations as particularly vulnerable. Actors that are capable of interfering with the grid include foreign nations, criminal groups, and terrorist organizations.
Public agencies and private organizations should look into the NIST Cybersecurity Framework to help bring structure to the chaos of cybersecurity. NIST is technology-neutral, and the controls and guidance are free. You can become familiar with the framework and then consider a technology platform for leveraging the framework to do more.
Volkswagen scandal puts disclosures in the risk spotlight
In early October, German prosecutors charged three Volkswagen executives with allegedly misleading shareholders in the months before the 2015 incident involving falsified emission reports. The case puts focus on disclosure practices. When and what should an organization disclose? Requirements differ from Germany to the EU and US.
Laws aside, an organization should revisit its disclosure practices and risk management controls with an eye on protecting the organization and its executives. Is the disclosure required by law? Is the disclosure the right call for shareholders or the business? You need a go-forward strategy for managing disclosure risk.
Payroll company vanishes with $35 million mostly in workers’ paychecks
Workers received their direct deposit checks, only to have the money disappear. Given how payroll is processed, it sounded like a third-party incident or cybercrime. Every pay period for 12 years, MyPayrollHR, a subsidiary of ValueWise Corp., submitted a digital file to a California firm called Cachet Financial Services. The file told Cachet which employee accounts at which banks should be credited and by how much. It was the firm’s standard operating procedure.
In early September, instead of the file going to Cachet, the money was deposited in a bank. MyPayrollHR/ValueWise CEO, Michael T. Mann, has been charged with bank fraud.
The lesson here is the importance of a strong policy and control environment. An organization needs governance, not a ship captain going rogue. Controls and policies must be current, and it’s a good idea to have continuous monitoring in place for rapid response after an incident.
This month’s edition of Risk Roundup showcases the value of good governance and oversight in managing risk. Be on the lookout and expect to hear more on disclosure risk. The case of fraud and stealing people’s paychecks that pay bills and put food on the table is awful and a crime. It’s also unethical to treat workers this way.
We’ll be back in late December with our yearly wrap-up on the major risks for 2019.
NSCC members face a new compliance requirement: cybersecurity confirmation. It sounds easy, complete a form, but risk is high. Here’s guidance.
Compliance departments are seriously challenged these days. As business swirls in response to COVID-19, compliance has taken a back seat. That can lead to trouble—violations, fines or both—due to missing deadlines. Management, in a questionable move, may ask compliance to do something taboo. Instead of reading a half empty glass post designed to help compliance deal with these challenges, they instead get a half full glass post that is brimming with optimism for compliance’s role during COVID-19.
COVID-19 has pushed several risk disciplines into the spotlight, including business continuity, third party risk, cybersecurity, and data privacy. We’ll explore each one and deliver advice and guidance.