
Friday, May 17, 2013 | 3:15 - 4:45 PM

Speakers:

John Walsh, Steve Shine, David Nanz and Kevin Tanaka

Guarding Against the ‘Enemy Within’: Effective Employee Due Diligence Before and After They Get the Keys

John F. Walsh

CEO

SightSpan Inc.

Charlotte, NC

The Enemy Within

Before you hand over the keys

• Standard/Repeatable Processes

• Periodic Internal Audits

• Yearly review and analysis of needs

• Understand the process never ends and is never complete

The Enemy Within – Standard Background Review

• Employment Checks

• Education Verification

• Criminal Backgrounds

Employee Surveillance

• EDD (Enhanced Due Diligence) for Higher Risk Executives

• Ongoing Negative News Monitoring

• Transaction Monitoring

• System Access Monitoring

• Building Access Monitoring

The Enemy Within

– Employees

– Employee Family and Associates

– External and Internal Hackers

– Cyber Criminals

– Contractors/Consultants

– Vendors/ Partners

– Maintenance Teams

– Building Management

– Customers

Real Life Examples

The Enemy Within

Corporate Security Training and Awareness:

• Look – Listen – Report Approach

• Proper training and awareness programs will expand your teams exponentially and better protect your people and additional assets

• Anonymous Hotlines

• Incident Management

The Enemy Within – Relationship Ending Processes: Staff/Vendors/Consultants/Partners

Repeatable and Defined Relationship Ending Process

• System Access Removed

• Building Access

• CP/Mobile and Communication Devices

• Home Technology Equipment

The Enemy Within

Corporate Security: Internal/External Threat Management

Fraud: System Analytics – Thought Leadership

AML/CTF Risk Management: KYE = Know Your Employee

Cyber Security: Internal and External System Access

The Key to Success: Financial Crimes Risk Managers Working in Partnership

Stephen Shine, Chief Regulatory Counsel

Prudential Financial

New York, NY

Four Elements

• Robust “On Boarding” Process

• Code of Conduct

• Ongoing Review/Monitoring

• Procedures for Reporting Wrongdoing

On Boarding Process

• Interview

– Inconsistencies/Gaps in Resume

• Background Investigation

– Credit Check

– Criminal Records

– Drug Test

Code of Conduct

• “Set Expectations”

• Broad Policy Statement

• Detailed Code of Ethics

• Insider Trading

• Gifts and Entertainment

Ongoing Monitoring

• Email Review

• Trading Records

• Annual Certifications

• “Trust but Verify”

Procedures for Reporting Wrongdoing

• Dodd-Frank Whistleblower Policy – Multiple Reporting Channels

• Management

• 800 Number

• Compliance/Ethics

• Investigations

– Training of Managers

– Communication

– “Safe to Say”

David Nanz, Supervisory Special Agent

FBI

Miami, FL

Kevin Tanaka, Senior Manager, Fraud Investigation and Dispute Services

Ernst & Young

New York, NY

Informing the Risk Assessment

Risk Management Program elements:

• Top-level Commitment

• Communication and Training

• Internal Controls

• Risk Assessment

• Monitoring

• Due Diligence

• Investigations

Internal sources:

► Business Management

► Business Operations

► Compliance

► Corporate Security

► Finance and Accounting

► Human Resources

► Internal Audit

► Information Technology

► Legal

► Operational Risk Management

External sources:

► Competition

► Industry Consortiums

► Law Enforcement

► Media

► Regulatory Agencies

► Trade Publications

Tactical approaches to drive early detection and deterrence

Develop Threat Library

► Organization-specific

► Focused on aberrant behaviors

► Define KRIs (key risk indicators)

Conduct Data Analytics

► Leverage existing monitoring capabilities

► Identify presence of KRIs

► Develop Heat Maps / Scorecards

► Locate clusters and outliers

Perform Targeted Transaction Testing

► Unannounced ‘surprise’ audits

► Enhanced due diligence

Anticipate discovering red flags that require further investigation…
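As an added illustration of the "Identify presence of KRIs" and "Locate clusters and outliers" steps (example code written for this transcript, not from the panel or any speaker's firm): three hypothetical KRIs are scored per user from constructed system-access log lines, and users whose total is a statistical outlier, or who show any activity after their recorded termination date (tying back to the "System Access Removed" step of the relationship-ending process), are flagged for follow-up. The log format, KRI names, threshold and termination register are all assumptions.

```python
"""KRI scorecard over constructed access logs; flags outliers for review."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: user,ISO timestamp,action (not real data).
ACCESS_LOG = """\
alice,2013-05-06T09:12:00,login
alice,2013-05-06T17:40:00,export_customer_list
bob,2013-05-06T23:55:00,login
bob,2013-05-07T00:20:00,export_customer_list
bob,2013-05-07T02:05:00,export_customer_list
carol,2013-05-07T10:00:00,login
dave,2013-05-09T08:30:00,login
dave,2013-05-09T08:31:00,export_customer_list
"""
# Constructed offboarding register (hypothetical): user -> last day on the books.
TERMINATED = {"dave": "2013-05-08"}

# Hypothetical threat-library KRIs: activity outside 06:00-22:00, bulk data
# exports, and any activity after the user's recorded termination date.
KRIS = ("after_hours", "bulk_export", "post_termination")

def parse_log(text):
    for line in text.strip().splitlines():
        user, ts, action = line.split(",")
        yield user, datetime.fromisoformat(ts), action

def score_kris(text, terminated=TERMINATED):
    """Return {user: {kri: count}} by checking each event against the KRIs."""
    scores = defaultdict(lambda: dict.fromkeys(KRIS, 0))
    for user, ts, action in parse_log(text):
        s = scores[user]
        if ts.hour >= 22 or ts.hour < 6:
            s["after_hours"] += 1
        if action == "export_customer_list":
            s["bulk_export"] += 1
        end = terminated.get(user)
        if end and ts.date().isoformat() > end:
            s["post_termination"] += 1
    return dict(scores)

def find_outliers(scores, z_threshold=1.0):
    """Flag users whose total KRI count sits more than z_threshold standard
    deviations above the population mean, plus anyone with post-termination
    activity, which is a hard red flag regardless of their score."""
    totals = {u: sum(s.values()) for u, s in scores.items()}
    mu, sigma = mean(totals.values()), pstdev(totals.values())
    flagged = set()
    for user, total in totals.items():
        if scores[user]["post_termination"] or (sigma and (total - mu) / sigma > z_threshold):
            flagged.add(user)
    return sorted(flagged)  # with the sample log: ['bob', 'dave']
```

On the sample log, bob is flagged for the cluster of after-hours exports and dave for activity after his termination date, even though dave's raw score alone is unremarkable.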


Developing an effective incident response plan


Intake

• Triage and case management

• Assemble multi-disciplinary investigation team

• Determine the scope and investigative work plan

Execute

• Data preservation, collection and processing

• Interviews

• Forensic accounting analysis

• Legal analysis

Reporting & Remediation

• Feedback loop is key to recalibrate overall program as necessary

Please Proceed to Grand Ballroom West for the Next Session
