SEC Issues Attack Disclosure Guidelines

October 16, 2011

One of the things that can make assessing the overall state of system and network security difficult is the reluctance of some organizations to reveal that they have been attacked.  Sometimes, they prefer to keep the attack secret, or at least try to, presumably because they feel that disclosure would be embarrassing and damaging to their public image.  Some state laws require disclosure, especially in cases where personal data is exposed, but even in these cases there is a tendency to do the least disclosure possible.

Public corporations — those whose stock is publicly traded — have for many years had a duty, under US securities law and associated regulations, to disclose material events that might affect the firm’s business or prospects.  For example, if another firm were to introduce an improved competing product, or if the corporation were sued on the grounds of patent infringement, a disclosure to investors would be required.

Now, according to an article at ThreatPost, the Kaspersky Lab security news service, the US Securities and Exchange Commission [SEC] has issued guidance that suggests circumstances under which corporations may need to disclose attacks, or potential attacks.

The Securities and Exchange Commission has issued new guidance to help public companies determine when they may need to disclose an attack–or even a potential attack–in order to make potential investors aware of possible risks to the company’s business.

The SEC has issued the material as guidance, not as a regulation.  It is still up to the companies themselves to determine exactly what they should disclose; but the publication of this guidance will probably motivate a bit more openness.  As the actual guidance document says, the disclosure determination is to be made within the framework of existing law and regulation.

Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.

We live in an environment where people, and companies, are becoming more and more reliant on technology to carry out their everyday business; moreover, businesses in general actively promote conveniences made possible by technology.  So I think there can be little argument that a system security breach could potentially have a very material effect on a firm’s prospects, and I welcome this move by the SEC as a logical extension of the disclosure framework that has been in place for many years.

High-Value Recycling

April 13, 2011

Bruce Schneier has a post at his Schneier on Security blog (link in the side bar) that refers to another instance of a security problem created by good old-fashioned human error.  As is the case with virtually every currency, the monetary authorities responsible for the Euro, the official currency of the Euro-zone (the majority but not all of the members of the European Union), have a process in place to remove worn-out or damaged coins from circulation.  The coins are then “destroyed” (as coins), and the materials sold to scrap metal dealers.  (This of course assumes that the materials are worth less than the face value of the coin; this is usually, but not always, the case.)

This is fine in principle; however, as the linked article from Der Spiegel relates, the implementation of the process left something to be desired in terms of security.  The problem stems, in the first instance, from the design of the €1 and €2 coins.  As you can see in the photo below, these coins are bimetallic, made up of an inner disc, surrounded by an outer ring.  (The photo shows the side of the coins that is common to all issues, regardless of nationality.)

[Photo: Illustration of Euro Coins]

Apparently the “destruction” procedure used for these coins sometimes just separated the inner disc from the outer ring.  The resulting pieces were then sold to dealers in China for recycling.  Apparently some of the Chinese firms carried out the recycling by putting the pieces back together (Krazy Glue, anyone?), and then sending them back to Germany via accomplices among Lufthansa flight crews.  The accomplices would then turn in the reconstructed coins at the German Bundesbank, in exchange for new ones.  The Bundesbank was not chosen as a redemption point at random.

According to a Thursday statement by the Frankfurt public prosecutors, the German Bundesbank is the only place in Europe which exchanges damaged coins for free. The bank accepts such coins in bags containing up to €1,000 worth of coins. They are weighed rather than counted and only periodically checked.

Apparently, the scam was finally uncovered when a German customs officer noticed an airline employee struggling with a very heavy suitcase, which, when opened, turned out to contain thousands of re-assembled coins.
Property Follies

March 11, 2011

There has been a great deal of discussion about the causes of the most recent financial crisis, and the ensuing recession, with many conflicting suggestions about how to prevent a recurrence.  Last week’s issue of The Economist has a special report on one of the more mundane potential culprits: property (or real estate).  It argues that, although property is widely regarded as a relatively safe investment, it is in some ways one of the most dangerous of assets.

There were many reasons for the housing bubble that has now burst, from huge amounts of global liquidity seeking high returns to the rise of private-label securitisation. But it is striking how often property causes financial trouble. “We do not want to fight the last war,” says one European banking regulator, referring to property busts, “but the fact is that we keep fighting the same war over and over.”

There are a number of reasons to think that property investments are riskier than the common perception.  The first is the sheer size of the property market.  The article estimates that, even after the recent decline in prices, the total value of property in the rich world is something like $80 trillion (of which about 3/4 is residential), compared to about $20 trillion in all equities.  To make another comparison, the value of property investments is close to 200% of those countries’ combined GDP in 2010.

Property, especially residential property, is also an inconvenient asset in many ways.  If you have a portfolio of stocks or bonds, you can sell a portion of it to raise funds.  It is hard to sell off a bathroom and a couple of closets from your house.  The property market also tends to be illiquid; quoted values are based, typically, on a small number of recent transactions; one odd deal can significantly affect the results.  And just wanting to sell a house does not guarantee that you will find anyone who is interested in buying.

Property is also the one asset where ordinary investors can achieve very high leverage, perhaps putting down only a few percent of the purchase price in equity.  Together with tax subsidies for mortgage interest, this leads, at least in the US market, to artificially high house prices.  Since the notional owners have so little equity, things can turn sour quickly when prices fall.  The article estimates that about 25% of mortgages in the US are currently “under water”: the outstanding balance on the loan is more than the property is worth.  The recent popularity of low-quality “liar loans” (with no income verification) and “innovative” securitization has hardly helped matters.

Commercial property is slightly less crazy, but even there, otherwise sensible investors can do silly things.  Quite a few years ago, when I was working as a pension fund consultant, one of our clients made a sizable investment in a commercial property fund.  The fund manager had shown them graphs of the steadily increasing value of the fund over the previous several years.  I pointed out that, if their equity managers were allowed to value their portfolios based on what they thought the stocks should be worth, the volatility of their returns would very likely be lower.  The client went ahead with the investment anyway.  Then there was an economic downturn, and they wanted to shift some money from property to another asset class.  Unfortunately, they had not read the clause in their contract, standard for real estate funds, that said that the manager could not be forced to sell property in order to meet a redemption request.  I don’t know if they ever got their money out.

Buying a house also is not a straightforward financial transaction:

…  if housing were simply a financial investment, buyers might be clearer-eyed in their decision-making. People generally do not fall in love with government bonds, and Treasuries have no other use to compensate for a fall in value. Housing is different. Greg Davies, a behavioural-finance expert at Barclays Wealth, says the experience of buying a home is a largely emotional one, similar to that of buying art. That makes it likelier that people will pay over the odds.

Perhaps some of this will finally sink in.

Real Causes of the Financial Crisis

February 21, 2011

Yesterday’s Washington Post has an amusing article by Michael Lewis (author of Liar’s Poker, Moneyball, The Big Short, and others) on the true causes of the financial crisis.  It’s short, but entertaining; here’s an excerpt to give you the flavor:

Government policies have emboldened ordinary Americans to borrow money they never intended to repay, just like rich people do, and cowed the financial elite into lending it to them. You can’t forget to bear-proof the garbage cans and expect the bears won’t notice.

I’ve been a fan of Lewis’s writing since I read his first book, Liar’s Poker; it was the first honest inside account of what Wall Street is like that I ever read, and still one of very few.

February 6, 2011

Over the last decade or so, the nature of much malicious computer “hacking” has changed.  In the early days of the Internet, many attacks were motivated by a desire for thrills, or prestige; more recently, this hacking has become a more traditional and organized criminal activity, often motivated by money.  (There are also attacks motivated by ideology or politics, of course.)   So it is not surprising that the number of attacks targeted against financial institutions has risen.

According to a report published by the Wall Street Journal, some computer networks owned by NASDAQ (originally, the National Association of Securities Dealers Automated Quotations system) have been under attack for most of the past year.  (The NASDAQ Stock Market is the largest US trading platform for stocks not listed on the New York Stock Exchange [NYSE].  It is the largest screen-based trading exchange in the US, listing 2800+ issues, and the largest in the world by trading volume.)  Apparently the attack did not affect the trading system core, but did affect peripheral Internet-accessible systems also run by NASDAQ.

Hackers have repeatedly penetrated the computer network of the company that runs the Nasdaq Stock Market during the past year, and federal investigators are trying to identify the perpetrators and their purpose, according to people familiar with the matter.

The exchange’s trading platform—the part of the system that executes trades—wasn’t compromised, these people said. However, it couldn’t be determined which other parts of Nasdaq’s computer network were accessed.

According to a follow-up story in the New York Times yesterday, the attacks first were discovered when NASDAQ staff noticed several suspicious files on their servers.  Apparently, the application that was directly affected was a bulletin-board sort of system for corporate managements.

The company said it had determined that a Web-based application on its servers called Directors Desk, on which corporations can store and share information, might have been affected. Nasdaq said the suspicious files “were immediately removed and at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers.”

According to NASDAQ, the trading platform runs independently from the Internet — something that good security practice would certainly suggest.  Still, there is always a nagging fear that some out-of-the-way flaw may have been overlooked.  NASDAQ, the NYSE, and other exchanges are, reasonably, concerned about the effect incidents like this one might have on investors’ confidence, especially in an era when more and more trades are being executed via computer-based systems, as opposed to traditional exchange trading floors.

As you might have guessed, there is an investigation under way.

Financial Crisis Report Issued

February 1, 2011

The US Financial Crisis Inquiry Commission [FCIC] was established in 2009 to diagnose our recent economic and financial crisis — dubbed the “Great Recession”.

The Financial Crisis Inquiry Commission was created to “examine the causes, domestic and global, of the current financial and economic crisis in the United States.” The Commission was established as part of the Fraud Enforcement and Recovery Act (Public Law 111-21) passed by Congress and signed by the President in May 2009.

Last week, the FCIC published the report [PDF, 662pp.] of its findings.  The report includes not only the findings of the FCIC as a whole, based on 15 days of public hearings, interviews with 700+ individuals, and the review of many documents, but also two dissenting reports from some members of the FCIC.

I have just started reading the report, but the New York Times has a summary article.  That article, and the first pages of the report itself, make it clear that there is plenty of blame to go around.

The report examined the risky mortgage loans that helped build the housing bubble; the packaging of those loans into exotic securities that were sold to investors; and the heedless placement of giant bets on those investments.

Enabling those developments, the panel found, were a bias toward deregulation by government officials, and mismanagement by financiers who failed to perceive the risks.

This makes sense.  Although the financial system is an extremely complex web of interconnections, it is really not very likely that one participant, or even a few, could cause the near-collapse of the whole thing.  I’ve written here before about some of the financial factors that may have contributed to the crisis (in “Formulas for Disaster”, parts 1, 2, 3, and 4, and the sequel), and will post another note when I’ve had time to go over the report.