7 Lessons from Target's Breach

One Year Later, What Retailers, Bankers Have Learned

By Tracy Kitten, December 10, 2014.           

 

It's been a year since the breach at Target Corp., which exposed 40 million debit and credit cards along with personal information about an additional 70 million customers.
See Also: Account Takeover, Payment Fraud and Spoofed Identities: The Common Thread
Although the attack drew attention to the need for bolstered cybersecurity measures, retail breaches show no signs of abating. Other major payments breaches at retailers since Target have included Sally Beauty, Michaels, Home Depot, Kmart and Staples, to name a few.

Target was a watershed event that put the spotlight on payment card security. Here's a review of seven important lessons learned from the huge breach incident.

1. EMV Alone Is Not Enough

Target's breach spurred congressional hearings and renewed debate among retailers and bankers about the need for a speedy migration to EMV chip technology to help prevent breaches (see Target Hearings: EMV Not Enough).
It also was a catalyst in October for a presidential order to push adoption of EMV chip technology among U.S. retailers and banks.
Visa had years earlier set October 2015 as the counterfeit fraud liability shift date for U.S. merchants and issuers that had not yet transitioned away from magnetic-stripe card technology. But EMV didn't get that much publicity until the Target attack.
In the wake of the retailer's breach, experts and industry groups, including the Payment Card Industry Security Standards Council, said that in addition to EMV, merchants also should implement tokenization and end-to-end encryption, to ensure card data is completely devalued.
"Among all of the large retailers that I talk to, their attitude is that they won't talk to vendors unless they offer tokenization with EMV," says Avivah Litan, an analyst for the consultancy Gartner. "It has to be part of the POS solution."
End-to-end encryption, on the other hand, can be an add-on, she says. "But retailers want to work with vendors that can provide all three."

2. Network Segmentation Is a Necessity

The Target breach also proved how easy it is for hackers to tunnel from one part of a corporate network to another, which is why merchants have to segment their networks.
Hackers broke into Target's POS system after they stole network credentials from Fazio Mechanical Services Inc., a vendor that serves the retailer (see Target Vendor Acknowledges Breach).
Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says network segmentation would have prevented many of the breaches suffered by retailers, including Target, over the last 18 months (see OCC: Retailers Accountable for Breaches).

3. Third-Party Oversight Is Part of Compliance

The Target breach put a spotlight on vulnerabilities related to third parties. In August, the PCI Council issued new guidance on managing third-party vendor risks that retailers and bankers alike can put to use.

Banking regulatory bodies, such as the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. also have, in the wake of Target, repeatedly reminded banking institutions that they are responsible for ensuring the security of the third-party vendors and service providers with which they work.
See Also: Payments Security & EMV: Join CEO Bob Carr of Heartland Payment Systems

4. Log Monitoring Needs Analytics

A forensics investigation into the Target breach found that transaction logs raised alarms about anomalous activity, but no one picked up on the warnings, according to multiple reports. Thus, the breach went undetected for several weeks.
In November, the PCI Council announced it will issue guidance specifically aimed at log monitoring (see Why PCI Will Issue Log Monitoring Guidance). But experts says log monitoring has to be coupled with additional analytics to be truly effective.
"Everyone is inundated with alerts," Gartner's Litan says. "One retailer may get a half million alerts a day, so it's impossible to go through all of those. By putting context awareness and behavioral analytics to the transaction logs, you can start profiling users and devices. With this context-aware view of transactions, you're able to correlate anomalies across different systems. Then you can go from a few thousand high-priority alerts to a couple hundred."
Analyst Julie Conroy of the consultancy Aite says without analytics, basic log monitoring is counterproductive because of the high rate of false positives. "A key lesson is the ability to apply analytics to the tens of thousands of false positives that these solutions throw off, to help security teams separate the wheat from the chaff," she says.

5. Executives, Boards Are Accountable

In May, Gregg Steinhafel resigned as Target's chairman, president and CEO. In the statement issued about Steinhafel's resignation, the company noted that he "held himself personally accountable and pledged that Target would emerge a better company."
Steinhafel's announcement came just two months after the resignation of Beth Jacob, Target's CIO during the time of the breach.
The two resignations came shortly after Target's chief financial officer, John Mulligan, was first questioned about the breach before Congress (see Target, Neiman Marcus Differ on EMV).
The congressional attention given to Target's breach, coupled with the resignation of two of its key officers, made waves in the financial services industry, too. Over the summer, banking regulators launched a pilot cyber-exam program at 500 community banks to review the cyber-awareness of C-level executives and boards of directors at those institutions.
In November, the Federal Financial Institutions Examination Council noted that cybersecurity awareness among executives and boards was in need of improvement, and that cyber-awareness had to be a higher priority across the board (see FFIEC: Boards Need Cyber Training).

6. Retailers May Be Liable for Breaches

The debate over who should be liable when card data is compromised at the retail level also has heated up since the Target breach. For months, banking groups and retail associations have been at odds about who is responsible for bearing the losses associated with card breaches (see Hold Merchants Accountable for Breaches?).
While bankers argue they're stuck with expenses related to card reissuance and fraud, retailers say they indirectly cover these costs for banks through the interchange fees they pay to the card brands (see Card Breaches: Retailers Doing Enough?).
~Banking regulatory bodies, such as the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. also have, in the wake of Target, repeatedly reminded banking institutions that they are responsible for ensuring the security of the third-party vendors and service providers with which they work.
See Also: Payments Security & EMV: Join CEO Bob Carr of Heartland Payment Systems

4. Log Monitoring Needs Analytics

A forensics investigation into the Target breach found that transaction logs raised alarms about anomalous activity, but no one picked up on the warnings, according to multiple reports. Thus, the breach went undetected for several weeks.
In November, the PCI Council announced it will issue guidance specifically aimed at log monitoring (see Why PCI Will Issue Log Monitoring Guidance).
But experts says log monitoring has to be coupled with additional analytics to be truly effective.
"Everyone is inundated with alerts," Gartner's Litan says. "One retailer may get a half million alerts a day, so it's impossible to go through all of those. By putting context awareness and behavioral analytics to the transaction logs, you can start profiling users and devices. With this context-aware view of transactions, you're able to correlate anomalies across different systems. Then you can go from a few thousand high-priority alerts to a couple hundred."
Analyst Julie Conroy of the consultancy Aite says without analytics, basic log monitoring is counterproductive because of the high rate of false positives. "A key lesson is the ability to apply analytics to the tens of thousands of false positives that these solutions throw off, to help security teams separate the wheat from the chaff," she says.

5. Executives, Boards Are Accountable

In May, Gregg Steinhafel resigned as Target's chairman, president and CEO. In the statement issued about Steinhafel's resignation, the company noted that he "held himself personally accountable and pledged that Target would emerge a better company."
Steinhafel's announcement came just two months after the resignation of Beth Jacob, Target's CIO during the time of the breach.
The two resignations came shortly after Target's chief financial officer, John Mulligan, was first questioned about the breach before Congress (see Target, Neiman Marcus Differ on EMV).
The congressional attention given to Target's breach, coupled with the resignation of two of its key officers, made waves in the financial services industry, too. Over the summer, banking regulators launched a pilot cyber-exam program at 500 community banks to review the cyber-awareness of C-level executives and boards of directors at those institutions.
In November, the Federal Financial Institutions Examination Council noted that cybersecurity awareness among executives and boards was in need of improvement, and that cyber-awareness had to be a higher priority across the board (see FFIEC: Boards Need Cyber Training).

6. Retailers May Be Liable for Breaches

The debate over who should be liable when card data is compromised at the retail level also has heated up since the Target breach. For months, banking groups and retail associations have been at odds about who is responsible for bearing the losses associated with card breaches (see Hold Merchants Accountable for Breaches?).
While bankers argue they're stuck with expenses related to card reissuance and fraud, retailers say they indirectly cover these costs for banks through the interchange fees they pay to the card brands (see Card Breaches: Retailers Doing Enough?).


While courts have dismissed numerous class action suits filed by consumers against breached retailers, a class action suit filed against Target by banking institutions, seeking to recoup their breach-related costs, has won court approval to proceed (see Target Breach Suit Won't be Dismissed).
See Also: Account Takeover, Payment Fraud and Spoofed Identities: The Common Thread
If banks win that suit, it could send a strong message about the financial responsibilities retailers should bear in the wake of a breach.

7. Cyberthreat Intelligence Sharing Must Improve

The Target breach also raised awareness about the need for more cross-industry information sharing. The sharing of cyberthreat intelligence among banking institutions has been on an upward swing since 2012, after numerous distributed-denial-of-service attacks targeted leading U.S. banks.
But it wasn't until the retail breaches of the last year that serious consideration was given to the need for similar information sharing among retailers, as well as across the payments and financial landscape.
In May, the Retail Industry Leaders Association announced the launch of the Retail Cyber Intelligence Sharing Center - an effort to improve sharing among retailers and other public and private stakeholders, including the Department of Homeland Security and law enforcement.
Then in June, Tim Pawlenty, CEO of the Financial Services Roundtable, explained why information sharing in the retail sector needed to mimic information sharing within the financial sector.

Why You Need Both a Hardware and Software Firewall - SecurityMetrics Blog

Why You Need Both a Hardware and Software Firewall - SecurityMetrics Blog

The ISO 27001 & ISO 22301 Blog

http://www.iso27001standard.com/blog/2013/11/25/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/?utm_source=twitter&utm_medium=mj&utm_campaign=blog

Most Targeted Attacks Exploit Privileged Accounts

Most Targeted Attacks Exploit Privileged Accounts

by Brian Donohue    November 20, 2014     

We all like to write and talk about flashy zero-day vulnerabilities. However, a new threat report cautions enterprises not to flatter themselves, because the majority of criminals are not using valuable zero-days exploits to penetrate corporate networks: they’re phishing privileged account credentials from executives and IT staffs, or simply guessing passwords for automated service accounts and, in turn, exploiting that access to gather valuable information.
“Everyone thinks about the zero-day vulnerability, but they’re rarely exploited in a widespread pattern in the wild. They’re so valuable that attackers apply them in very limited way,” said Craig Williams, senior technical leader and security outreach manager for Cisco Talos Security Intelligence and Research Group. “For every zero day you hear about, there are millions of known vulnerabilities that are far more likely to be used against you.”

A report commissioned by CyberArk and based on interviews with a  variety of industry experts from Cisco, Deloitte, Mandiant, RSA Security and Verizon claims that attacks leveraging privileged accounts proceed faster and are more difficult to detect than those that rely predominately on malware or vulnerabilities. Some 80 percent of targeted attacks, the experts responded, involve a privileged account being hacked at some point.

On average, the interviewees in this report said attacks often persist for months or years before they are discovered. The average attack, they said, is ongoing for six to eight months before anyone notices. That figure is corroborated by findings published by Mandiant claiming the median number for days in an ongoing attack is 229.
“Privileged accounts even enable attackers to destroy evidence of their activities and establish redundant access points and backdoors that make it nearly impossible to keep them off internal networks,” CyberArk says.
A significant part of the problem relates to inventory. CyberArk data suggest that, on average, organizations have at least three or four times as many privileged accounts as they have employees. Many organizations are not even aware how many privileged accounts exist. While it may seem easy enough to count accounts, the problem is more complicated than that, particularly when organizations must account for  the proliferation of corporate data and applications in cloud, as well as mobile and social environments.
Many privileged accounts are provisioned for machines rather than people. IT departments are said to set up “service accounts” to enable machine-to-machine access to software applications, data and computing equipment. These service accounts are often granted broad network access and sometimes the ability to connect to any machine on the network. There are so many of these service accounts at some organizations that many are forgotten about or nearly impossible to effectively monitor.
Interestingly, Christopher Novak, a global managing principal working in investigative response for the Verizon RISK Team notes that phishing, not brute-force nor dictionary attacks, are most commonly used to hijack human accounts, suggesting that weak passwords are not really the problem here. However, he says IT teams frequently assume  that service accounts will only be used internally, and many of those end up with default, easily guessable credentials.
“We’ve seen 25 or 30 attacks recently in which attackers used (publicly available) default passwords,” Novak says. “Also, account lockouts are usually turned off for service accounts to prevent breakdowns in dependencies between systems. And because it’s presumed individuals aren’t using [these accounts], analysts dial down the sensitivity on alerts. Service accounts are out of sight, out of mind. So, if a threat actor gets into the environment and enumerates the service accounts, which is easy to do, they can make a lot of headway very quickly with low risk of discovery.”
Furthermore, attackers are displaying increasing levels of sophistication when it comes to exploiting access to privileged accounts. They use these accounts to infiltrate a wide range of systems as a sort of access insurance in case one of their avenues into the network is sealed off. Security investigators in the report said attackers are increasingly hacking embedded devices in the so-called “Internet of Things” to establishing multiple privileged identities in Microsoft Active Directory to ensure redundant points of access.
In the end, CyberArk says companies need to know what privileged accounts exist within their organization and limit to the best of their ability the number of administrative or default or hard-coded credentials, application backdoors and SSH keys they maintain. They also need to make it harder to get privileged access to multiple systems changing default passwords and using different administrative passwords on each system. Privileged accounts that do exist need to be proactively monitored to ensure they are interacting with data assets in normal ways. Firms should also perform regular audits of their information assets and how those  assets are accessed, monitor and limit the privilege level of service accounts and apply patches early and often. Beyond that the report urges companies to practice classic defense in depth, because the more overlapping security layers that exist, they say, the more you lower your risks.

About Brian Donohue

- See more at: http://threatpost.com/most-targeted-attacks-exploit-privileged-accounts/109514#sthash.zFyXXWqX.dpuf

Beth Israel fined $100,000 for patient data breach

The Boston Globe

Steven Senne/AP

Beth Israel Deaconess Medical Center will pay $100,000 after a physician’s laptop holding personal information for nearly 4,000 patients and employees was stolen in 2012.

By Jack NewshamGlobe Correspondent  November 21, 2014

Beth Israel Deaconess Medical Center agreed to pay $100,000 to settle a complaint by the Massachusetts attorney general’s office that its lax data security led to the theft of personal information of about 4,000 patients and employees.
In May 2012, a physician’s unattended laptop was stolen from his desk at the hospital. The laptop contained health information of 3,796 patients and Beth Israel employees, as well as personal information, such as Social Security numbers, of 194 other Massachusetts residents. The attorney general’s office argued the hospital’s lack of security and failure to encrypt patient data was against the law.
“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” said Attorney General Martha Coakley.
Dr. John Halamka, chief information officer at Beth Israel Deaconess, said the hospital has since improved its security procedures.
“After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that [the hospital] adopts state-of-the-art security policies and technologies,” Halamka said in a statement. “Every device we purchase is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted.”
Beth Israel is not the first hospital to be penalized for poor data security by Coakley’s office. Earlier this year, Women and Infants Hospital of Rhode Island agreed to pay $150,000, and South Shore Hospital settled a suit by the Attorney General for $750,000 in 2012.

Jack Newsham can be reached at jack.newsham@globe.com. Follow him on Twitter @TheNewsHam.

Ingrijpende privacywet op komst: EU-toezichthouder gegevensbescherming Peter Hustinx blikt vooruit [interview]

21nov 2014

Buitenlandse opsporingsdiensten, de Nederlandse Belastingdienst en commerciële Big Data-exploitanten grasduinen in persoonsgegevens. De oude Europese richtlijn uit 1995 die het toezicht regelt, wordt eindelijk vervangen. Peter Hustinx, Hoofd van de Europese Toezichthouder voor Gegevensbescherming, richt zijn blik op de vergaande Europese Privacy Verordening.

Het voornemen van ING om – zo leek het – betaalgegevens van klanten door te verkopen aan externe partijen leidde eerder dit jaar tot een storm van kritiek. Het overheersende gevoel: inzage in het huishoudboekje vormt een te grote inbreuk op de privacy. Geschrokken door het oproer van klanten, de Consumentenbond, De Nederlandsche Bank en de Autoriteit Financiële Markten, trok ING het plan snel weer in. De privacy-kwestie zal de ‘megatrend’ Big Data niet remmen. Het verzamelen en samenvoegen van zoveel mogelijk data is de Heilige Graal van marketeers. De Boston Consulting Group voorspelt dat het in 2020 in Europa een economische waarde vertegenwoordigt van bijna 1 biljard euro.

Toezichthouder Peter Hustinx

Overheden laten zich ook niet onbetuigd, bleek uit de onthullingen van klokkenluider Edward Snowden over de voorheen onnavolgbare werkwijze van de Amerikaanse inlichtingendienst NSA. De Nederlandse Belastingdienst is ook volop aan het grasduinen. Zo wist de fiscus in augustus nog in hoger beroep toegang te forceren tot de klantgegevens van de parkeerdienst SMS Parking.

Peter Hustinx

De Nederlandse jurist Peter Hustinx (69) is als Hoofd van de European Data Protection Supervisor (EDPS) vanuit Brussel bezig om toezicht te houden op de gegevensbescherming bij alle EU-instellingen – van de Europese Commissie tot de tientallen agentschappen en de Europese Centrale Bank. Daarnaast geeft de EDPS advies aan de Raad en het Europees Parlement bij de totstandkoming van wetgeving waar gegevensbescherming een rol speelt.
De heetste aardappel momenteel: de nieuwe Europese Privacy Verordening die de gedateerde privacyrichtlijn uit 1995 moet vervangen. Het voorstel is in maart met grote meerderheid aangenomen door het Europees Parlement en gaat nu naar de Raad van Ministers die de Verordening, al dan niet geheel of gedeeltelijk, kunnen aannemen. De inwerkingtreding zal naar verwachting pas in 2017 plaatsvinden. De Europese Privacy Verordening is een stuk ingrijpender dan de verouderde richtlijn.

Europese Privacy Verordening

• Boetes tot maximaal 100 miljoen euro of 5 procent van de wereldwijde omzet bij overtreding van de regels
• Strengere eisen aan de beveiliging van privacygevoelige informatie en een meldplicht (aan de toezichthouder) bij datalekken
• Expliciete toestemming van klanten vereist zodra bedrijven persoonsgegevens (Big Data) willen verwerken. Klanten moeten deze toestemming ook weer kunnen intrekken
• NO-NSA clausule: Bedrijven mogen persoonsgegevens niet meer zonder toestemming van de toezichthouder delen met buitenlandse overheden
• Het ‘recht om vergeten te worden’ in zoekmachines
• De verplichting om een Functionaris voor de Gegevensbescherming aan te stellen bij instanties die persoonsgegevens verwerken van meer dan 5.000 mensen in een jaar

U als Europese toezichthouder, maar ook de nationale toezichthouders, werken met wetgeving die is afgeleid van een richtlijn uit 1995. Is dat nog wel houdbaar in het internettijdperk?
‘Een pak melk dat zuur is, ga je niet opdrinken. Dat doen wij helaas nog wel. De huidige regels in de richtlijn hebben hun houdbaarheidsdatum overschreden. Het was destijds een heel goede stap vooruit om zeker te maken dat alle landen in Europa ongeveer dezelfde maatregelen namen op het gebied van gegevensbescherming. Maar inmiddels 20 jaar later zijn er een aantal dingen gebeurd, zoals het internet, sociale netwerken en mobiele communicatie.’
In de voorgestelde Europese Privacy Verordening is een maximale boete vastgelegd van 5 procent van de geconsolideerde jaaromzet zodra bedrijven zich niet houden aan de nieuwe wetgeving. Wat voor krachten worden er losgemaakt zodra dergelijke boetes worden voorgesteld?
‘We hebben in jaren niet zoveel gelobby gezien, parlementsleden zijn werkelijk gebombardeerd. Er is hele zware druk uitgeoefend door buitenlandse regeringen en Europese en Amerikaanse bedrijven die op het internet in Europa actief zijn. Maar ik merk in de discussie dat er teveel uitgegaan wordt van worst case analyses. Zo zijn er bedrijven die zeggen: je moet dadelijk overal toestemming van klanten voor krijgen zodra we hun data willen gebruiken, dat is het einde van internet.
Nou, toestemming is een belangrijk element, maar het is niet altijd nodig. Een bedrijf kan er alleen niet meer van uitgaan dat ze wegkomen met dingen als “stilzwijgende toestemming” of “opt-out toestemming” – er is een hele reeks van woorden die ze daarvoor gebruiken. Dan onderschat je de problematiek ongelooflijk, want als dát toestemming is, dan weet ik bijna zeker dat het niet bindend is. En de volgende dag moet je het kunnen intrekken, daar heeft men helemaal geen rekening mee gehouden.’
In de nieuwe verordening wordt ook het principe van “one-stop-shop” toezicht geïntroduceerd: het land waar de hoofdvestiging van een bedrijf is gevestigd, krijgt de verantwoordelijkheid over het gehele toezicht op dat bedrijf. Hoe ziet dat er dadelijk uit in de praktijk?
‘Het toezicht is dadelijk zo verdeeld dat iedere nationale toezichthouder bevoegd blijft op zijn eigen territorium, maar er komt een lead authority, een one-stop-shop. Er is nu een hele discussie over ontbrand wát dat precies inhoudt. Is de toezichthouder dan enkel het land waar de hoofdvestiging van een bedrijf is gevestigd, of doet hij het samen met anderen?’
De toezichthouder in Ierland krijgt het dan druk omdat daar veel grote tech-bedrijven zoals Google, Facebook en Apple daar hun Europese hoofdkantoren hebben gevestigd.
‘Als zo’n bedrijf daar gevestigd is, wordt dat land de lead. In Ierland zijn veel bedrijven neergestreken die een grote rol spelen op internet, dat zal met de taal en het fiscale regime te maken hebben. Als je die one-stop-shop als een exclusieve operatie ziet – en dat was aanvankelijk toch een beetje de beeldvorming – dan is het zorgwekkend dat er misschien verschil in behandeling zou kunnen zijn in Ierland en andere landen. Gaan de Ieren wat soepeler handhaven? Onze ervaring is dat onze Ierse collega’s hun werk uitstekend doen.’
Maar bij hen staat wel een groot deel van hun BBP op het spel als ze besluiten om een boete van 5 procent van de jaaromzet van bijvoorbeeld Google te geven. Wie kan aangesproken worden op falend toezicht?
‘Dat is één van de vragen die nu in het laatste stadium veel hoofdbrekens kosten. Ik verwacht dat het toezicht in de verordening gebaseerd gaat worden op een vorm van samenwerking waarbij de lead een stevige rol krijgt, maar waar beslissingen van de lead op een of andere manier in een groep genomen worden. Door samenwerking moet voorkomen worden dat er forum shopping gaat plaatsvinden.’
Hoe realistisch is het volgens u dat grote internetbedrijven besluiten om hun hoofdvestigingen uit Europa terug te trekken?
‘Helemaal uitsluiten kun je dat niet, zo is nu eenmaal de wereld, maar het is niet erg realistisch. Bedrijven als Google hebben een sterke aanwezigheid op de Europese markt. Hun verantwoordelijkheid ligt daardoor hier. Zelfs als hun data in werkelijkheid in Jersey of op de Kaaimaneilanden zijn opgeslagen, of in de cloud en nobody knows where, zijn ze aansprakelijk voor de beveiliging. Als een bedrijf – ik ga geen namen noemen – de gegevens opslaat in de cloud, en accepteert dat de provider niet kan zeggen wáár dat is – moeten er wel afspraken gemaakt worden of deze de juiste beveiligingsmaatregelen heeft genomen. Het is volstrekt onverantwoord om zonder nadere bepaling van controls gegevens in de cloud op te slaan, want dan kom je je verantwoordelijkheden niet na. Dan ben je in gebreke. Als de markt zich bewust is van zijn verantwoordelijkheid dan zal de gegevensbescherming toenemen.’
Wie moet dat verantwoordelijkheidsbesef bijbrengen: de toezichthouder of de markt zélf?
‘Bedrijven moeten het zelf oppakken. In de huidige richtlijnen en toekomstige verordening staat dat het bedrijf de verantwoordelijke is voor naleving: het moet de noodzakelijke maatregelen treffen om te verzekeren dat gegevens worden beschermd. En als zij dat niet doen, moet een toezichthouder er iets aan doen. De nieuwe regels en het nieuwe beleid zijn belangrijk om onachtzaamheid aan te pakken. De nieuwe verordening zal een paar keer hard worden toegepast en dan krijg je: “Waarom krijg ík een boete?” Daarna gaat het zich verspreiden en dan zeggen mensen: het schijnt tegenwoordig zo en zo te moeten gebeuren. Ja, dat was eigenlijk al jarenlang zo, maar dat waren we vergeten. We moeten die olietanker zien te draaien – bedrijven die wel de gouden bergen zien, maar onvoldoende over gegevensbescherming hebben nagedacht.’
***********
Dit is een ingekorte weergave van een interview dat onlangs in Tijdschrift voor Compliance werd gepubliceerd. Het vijfde nummer van 2014 is geheel gewijd aan het thema Compliance en Privacy en gaat onder meer over de Big Data trend en gegevensbescherming. Klik hier voor een abonnement of proefnummer.

Run-amok compliance officers cost Bank of Tokyo Mitsubishi $315 million for sanctions report whitewash

                      

By Richard L. Cassin | Tuesday, November 18, 2014 at 1:52PM

The New York State Department of Financial Services (DFS) Tuesday levied $315 million in penalties against Bank of Tokyo Mitsubishi UFJ (BTMU) for misleading regulators regarding its transactions with Iran, Sudan, Myanmar, and other sanctioned entities.
A year-long  DFS investigation found that BTMU compliance officers pressured the bank's consultant, PricewaterhouseCoopers (PwC), into removing key warnings to regulators in a supposedly "objective" report the bank submitted to the DFS.
Under the DFS consent order, BTMU will pay the additional $315 million penalty beyond a $250 million penalty it paid under a previous June 2013 DFS agreement over its sanctioned transactions.
"As such,"the DFS said, "the total monetary penalty that BTMU has paid in this case is $565 million."
At the direction of the DFS, the bank "will also take disciplinary action against individual BTMU compliance personnel involved in the watering down of the PwC report."
The DFS demanded that BTMU fire Tetsuro Anan (manager, anti-money laundering compliance office, compliance division). Anan has resigned from BTMU, the DFS said.
"On multiple occasions, despite being responsible for anti-money laundering compliance, Tetsuro Anan asked PwC to remove from its report specific issues of material concern to regulators about the bank's misconduct," the DFS said.
The DFS also banned two former compliance officers who now work at BTMU affiliates.
Akira Kamiya (deputy president, Mitsubishi UFJ Securities Holdings) and Tetsuji Kamisawa (executive deputy president, Defined Contribution Plan Consulting of Japan) can't do work involving any New York banks (or other financial institutions) regulated by the DFS, including BTMU's New York branch.
Benjamin M. Lawsky, head of the DFS, said: “We continue to believe that fines -- while often necessary -- are not sufficient to deter misconduct on Wall Street. We must also work to impose individual accountability, where appropriate, and clearly proven, on specific bank employees that engaged in wrongdoing.”
In August, the DFS suspended PwC Regulatory Advisory Services for two years for helping whitewash the BTMU sanctions and anti-money laundering compliance report.
PwC was also required to make a $25 million payment to the State of New York.
As part of Tuesday's order, BTMU will relocate its U.S. Bank Secrecy Act/Anti-money Laundering Compliance (BSA/AML) and Office of Foreign Assets Control (OFAC) sanctions compliance programs to New York, the DFS said.
Those programs will have U.S. compliance oversight over all transactions affecting the New York Branch, the DFS said, "including transactions performed outside the U.S. that affect the New York Branch."
BTMU said in a statement Tuesday it is "committed to conducting business with the highest levels of integrity and regulatory compliance, and to continually improving its policies and procedures."

*     *     *

The New York State Department of Financial Services consent order In the matter of Bank of Tokyo Mitsubishi UFJ, Ltd. New York Branch dated November 18, 2014 is here (pdf).
_______
Richard L. Cassin is the publisher and editor of the FCPA Blog. He can be contacted here.

- See more at: http://www.fcpablog.com/blog/2014/11/18/run-amok-compliance-officers-cost-bank-of-tokyo-mitsubishi-3.html#sthash.kwvVrjxU.dpuf