Prosecutors Reveal ‘Securities Fraud on Cyber Steroids’

The investigation into a huge cyberattack on JP Morgan Chase last year has exposed one of the largest computer hacking and fraud schemes to date.

According to U.S. prosecutors, Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein, all from Israel, hacked a total of 12 companies to expose the personal information of more than 100 million people, netting hundreds of millions of dollars in profit. The men face 23 criminal counts, including wire fraud, computer hacking, illegal internet gambling and money laundering, with alleged crimes targeting 12 companies, including nine financial services companies and media outlets including the Wall Street Journal. Investigators say their massive criminal empire used 75 shell companies that employed hundreds of people, and hacked seven major banks, ran an online casino, laundered money around the world and set up an illegal Bitcoin trading operation.

“It is hacking in support of a diversified criminal conglomerate,” said Preet Bharara, U.S. attorney for the Southern District of New York. “In short, it is hacking as a business model.”

In addition to the hack of JP Morgan, which exposed the personal information of 83 million customers and which U.S. Attorney General Loretta Lynch called “the largest theft of customer data from a U.S. financial institution,” the criminals also attacked E*Trade Financial Corp., TD Ameritrade, Scottrade Inc., Fidelity Investments and News Corp’s Dow Jones, which publishes the Wall Street Journal. The breaches date as far back as 2007.

“By any measure, the data breaches at these firms were breathtaking in scope and in size,” Bharara said. “This showcases a brave new world of hacking for profit.”

Breaking into these financial institutions gave the attackers information to target specific people, and gave them extra insight into the stock market. According to the indictment, they used the customer data to contact individuals and push them to buy stocks in order to manipulate their prices. In addition to the pump-and-dump scheme, sometimes the defendants reportedly engineered mergers with shell companies to create publicly traded stocks that could be manipulated.

Bharara called the scheme “securities fraud on cyber steroids.”

Beginning in 2012, in addition to disguising payments and constantly obtaining new bank accounts, the men further tried to evade detection by hacking into a company that assessed merchant risk for credit-card issuers. The breach allowed the defendants to read employees’ emails and figure out how to sidestep the company’s efforts to monitor illegal payments, according to the indictment.

The defendants are also accused of operating at least 12 illegal internet casinos, even launching cyberattacks against rival gambling businesses to review executives’ email and gain a competitive edge. Shalon hacked competitors’ customer databases and directed denial of service attacks to shut down their businesses.

Several compliance officers may soon feel the heat as well: the investigation found that, in operating the online casinos and illegal pharmaceutical payment processing enterprises, the co-conspirators deceived financial institutions into processing and authorizing payments between the casino companies and others. “They colluded with corrupt international bank officials who willfully ignored its criminal nature in order to profit from, as a co-conspirator described it to Shalon, their payment processing ‘casino/software/pharmaceutical cocktail’,” the indictment charges.

According to prosecutors, the case illustrates the growing power of criminals and their tools, which makes such crimes particularly difficult to solve. But it may also highlight one key resource for solving them: self-reporting to law enforcement. Officials credited JP Morgan’s early cooperation for helping to uncover the network of criminal activity. The firm came forward early on to share information with the government, a move many forensic investigators encourage.

This case provides one of the clearest examples of why: hackers frequently use the same schemes to target a swath of companies in a given industry. While many companies worry about the reputational and regulatory risks of disclosing a breach to law enforcement, as hackers grow more sophisticated in their techniques and complex in their operations, it may prove an ever more critical step in the breach response and investigation process.

“Shalon, Aaron, and their co-conspirators allegedly robbed victim companies, often for months at a time, stealing the contact information of tens of millions of customers,” said FBI Assistant Director-in-Charge Diego Rodriguez. “They cloaked themselves in secrecy, but their methods rivaled those of the traditional masked robber. Today’s indictment sheds light on an increasingly complex threat. But just as criminals continue to develop relationships with one another in order to advance their objectives, the law enforcement community has developed a collaborative approach to fighting these types of crimes.”

ERM vs GRC: The Right Tool for the Job

What is the best way to build a birdhouse?

You may be able to use one tool with multiple functions, such as a multi-tool (a type of Swiss Army knife). However, the convenience afforded by these tools is achieved by reducing the effectiveness and efficiency for more complex projects. Most of us would rather have a tool belt with specific tools suited to the project, such as a hammer, screwdriver and utility knife. Why? Independent tools with specific uses are more powerful, more efficient and more effective at completing the tasks for which they were specifically designed. The tool belt acts as an integrator, a common platform on which the other functions are based.

ERM is the tool belt on which specific governance and compliance functions can be based. These two functions can exist independently, but when driven by risk-centric and data-grounded ERM practices, they become more efficient and effective.  ERM-driven governance divisions utilize risk intelligence to promote risk awareness and attitude throughout an enterprise.  ERM-driven compliance divisions utilize risk intelligence to bring all levels of enterprise into agreement with regulations, audit recommendations and corporate policies.

In today’s “risk-centric” business landscape, why is the combined approach of governance, risk and compliance (GRC) favored over ERM? GRC, like the multi-tool, has the capability to serve several functions — governance, risk management and compliance — in a holistic manner. This is meant to integrate silos and reduce redundancy, bureaucratic conflicts and work overlaps.

However, reality has shown that these benefits are rarely or never realized. Real-world GRC implementations have been marred by repeated failures to anticipate or mitigate adverse risk events.

These events occur due to failures caused by the priority given to executive, governance and compliance objectives over solid risk-based business intelligence. Unable to effectively and efficiently drive a risk-centric organization, GRC is a tool weakened by its complexity.

The problems with multi-tools are the same problems faced by GRC. Most people — in this case, organizations — use only one or two tools, regardless of effectiveness or efficiency. More often than not, in current business implementations, GRC has a tendency to be driven primarily by regulations and largely bureaucratic objectives. The priority given to governance and compliance objectives over risk management has reduced the effectiveness and efficiency of ERM divisions. ERM has been demoted to an endorsement tool, one that is used to validate executive, governance and compliance processes and functions. This reversal of priorities costs organizations billions of dollars.

Don’t believe me? From the infamous Ford Pinto memo, to BP Deepwater Horizon, to the $6 billion JPMorgan debacle and most recently Hurricane Sandy, we have seen how the focus on governance and compliance above real risk has substantially increased the effect of adverse risk events. These failures point to fundamental problems within the GRC framework and its implementation.

These problems suggest:

  1. There is not enough attention paid to the exhaustive discovery of risk, how risks are connected, and how risks are integrated into all business processes, functions and strategies.
  2. If governance and compliance functions continue to be given priority over enterprise risk management, organizations can expect to pay massive penalties to cover mistakes.
  3. Third, but by no means last, truly risk-centric organizations should have a belt of effective and efficient tools, each specifically suited to a task and driven by risk intelligence.

Without addressing these points, all-too-frequent and massive failures will continue to be a factor in business environments and a continued source of material for news media outlets. These failures should be anomalies. Driven by proper ERM implementation, a successful governance and compliance function can produce effective and sustainable benefits for all stakeholders.

JP Morgan’s Poor Risk Management

JP Morgan’s $6.2 billion “London Whale” trading loss was a much-publicized event in 2012. In the aftermath, some called for the resignation of CEO Jamie Dimon, while others pointed their finger at lax risk management standards within the bank. Yesterday, we finally learned JP Morgan’s opinion on the matter in a lengthy report. Their conclusion: inadequate risk management and financial oversight within the chief investment office (CIO) and JP Morgan as a whole.

To be more specific, on page 97 the report states, “CIO Risk Management lacked the personnel and structure necessary to properly risk-manage the Synthetic Credit Portfolio, and as a result, it failed to serve as a meaningful check on the activities of the CIO management and traders. This occurred through failures of risk managers (and others) both within and outside of CIO.”

The head of the CIO, Peter Weiland, resigned quietly in October, while others involved either left the bank or had their positions rearranged over the past several months. But Jamie Dimon escaped partly unscathed (he did have to testify before Congress and recently had his pay cut to a tiny $11.5 million from $23 million). Interestingly enough, so did JP Morgan’s chief risk officer and the CIO chief risk officer, which is confusing considering the statement on page 97.

Two top CFOs were held responsible for the costly blunder, however.

As CFO reported yesterday:

The report, released Wednesday, said JPMorgan’s former top CFO, Douglas Braunstein, “bears responsibility” for weaknesses in financial controls related to the investment portfolio and could have asked more questions about changes in its value and its increasing exposure to adverse movements in the financial markets.

The other former finance chief criticized in the report was John Wilmot, who headed the CIO’s finance function.

Wilmot and his team failed to set up robust reporting controls, the report said, “including sufficient circulation of daily trading activity reports, [which] made early detection of problems less likely.”

While the task force noted that the “primary control failures were risk management failures,” the finance organizations headed by Braunstein and Wilmot “could have done more.” In the case of the CIO’s finance team, the task force stated that in part it took “too narrow [a] view of [its] responsibilities,” believing the issues related to the CIO’s credit portfolio “were for the risk organization and not finance to flag or address.”

So while the JP Morgan task force noted that there were errors made on both the risk management side and the finance side, the bank ultimately held the finance department responsible. Braunstein stepped down while Wilmot resigned and will be leaving the bank this year.

The roles of CRO and CFO are often intertwined and overlapping. Do highly risky decisions involving potentially large losses or gains require the oversight of the finance or risk management department, or both? It likely remains a case-by-case decision, and this JP Morgan fumble will likely remain the industry’s glaring example of what not to do.