TRANSCRIPT
Friday, May 17, 2013 | 3:15 - 4:45 PM
Speakers:
John Walsh, Steve Shine, David Nanz and Kevin Tanaka
Guarding Against the ‘Enemy Within’: Effective Employee Due Diligence Before and After They Get the Keys
John F. Walsh
CEO
SightSpan Inc.
Charlotte, NC
The Enemy Within
Before you hand over the keys:
• Standard/Repeatable Processes
• Periodic Internal Audits
• Yearly review and analysis of needs
• Understand the process never ends and is never complete
The Enemy Within: Standard Background Review
• Employment Checks
• Education Verification
• Criminal Backgrounds
Employee Surveillance
• EDD for Higher Risk Executives
• Ongoing Negative News Monitoring
• Transaction Monitoring
• System Access Monitoring
• Building Access Monitoring
The Enemy Within:
– Employees
– Employee Family and Associates
– External and Internal Hackers
– Cyber Criminals
– Contractors/Consultants
– Vendors/ Partners
– Maintenance Teams
– Building Management
– Customers
Real Life Examples
The Enemy Within
Corporate Security Training and Awareness:
• Look – Listen – Report Approach
• Proper training and awareness programs will expand your teams exponentially and better protect your people and additional assets
• Anonymous Hot Lines
• Incident Management
The Enemy Within: Relationship Ending Processes
Staff/Vendors/Consultants/Partners
Repeatable and Defined Relationship Ending Process
• System Access Removed
• Building Access
• CP/Mobile and Communication Devices
• Home Technology Equipment
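The relationship-ending checklist above is only as good as the reconciliation that proves it was followed. The script below is an added example (not the panel's material) that checks a constructed HR termination list against constructed inventories of system accounts, building badges and company-issued devices, and reports everything still active after the end date. The record layouts, identifiers and the one-day grace window are all assumptions.

```python
"""Offboarding reconciliation (added example, not from the presentation).

Given an HR list of ended relationships (staff, vendors, consultants) and an
inventory of entitlements pulled from each system, report every entitlement
still active after the relationship ended, distinguishing access that was
merely left open from access that was actually used after exit.
All records, system names and field names below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Termination:
    person_id: str
    relationship: str          # employee / vendor / consultant
    end_date: date


@dataclass(frozen=True)
class Entitlement:
    person_id: str
    kind: str                  # system / building / device
    identifier: str            # account name, badge number, asset tag
    active: bool
    last_used: Optional[date]  # None when the system does not record usage


# Constructed sample data: three relationships that ended in April 2013.
TERMINATIONS = [
    Termination("E1001", "employee", date(2013, 4, 30)),
    Termination("V2001", "vendor", date(2013, 4, 15)),
    Termination("C3001", "consultant", date(2013, 4, 1)),
]

# Constructed entitlement inventory; E1002 is a current employee and should
# never be reported.
ENTITLEMENTS = [
    Entitlement("E1001", "system", "ad:jdoe", active=False, last_used=date(2013, 4, 30)),
    Entitlement("E1001", "building", "badge:44821", active=True, last_used=date(2013, 5, 6)),
    Entitlement("E1001", "device", "asset:MBP-0931", active=True, last_used=None),
    Entitlement("V2001", "system", "vpn:acme-svc", active=True, last_used=date(2013, 5, 10)),
    Entitlement("C3001", "system", "ad:c.smith", active=False, last_used=date(2013, 3, 28)),
    Entitlement("E1002", "system", "ad:a.lee", active=True, last_used=date(2013, 5, 15)),
]


def find_orphaned_access(terminations, entitlements, as_of, grace_days=1):
    """Return (person_id, kind, identifier, severity) for every entitlement
    still active more than `grace_days` after the relationship ended.
    Severity is 'used_after_exit' when the access was exercised after the
    end date, otherwise 'still_active'."""
    ended = {t.person_id: t for t in terminations}
    findings: List[Tuple[str, str, str, str]] = []
    for e in entitlements:
        t = ended.get(e.person_id)
        if t is None or not e.active:
            continue
        if as_of <= t.end_date + timedelta(days=grace_days):
            continue  # inside the grace window; removal may still be in flight
        if e.last_used is not None and e.last_used > t.end_date:
            severity = "used_after_exit"
        else:
            severity = "still_active"
        findings.append((e.person_id, e.kind, e.identifier, severity))
    return findings


def summarize(findings):
    """Count findings per entitlement kind, which shows which step of the
    ending process (system, building, device) is failing most often."""
    counts = {}
    for _, kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_orphaned_access(TERMINATIONS, ENTITLEMENTS, as_of=date(2013, 5, 17))
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

Run weekly against real HR and inventory exports, the "used_after_exit" rows are the ones to investigate first, since they show the access was not just forgotten but exercised after the relationship ended.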
The Enemy Within
Corporate Security – Internal/External Threat Management
Fraud System Analytics – Thought Leadership
AML/CTF Risk Management – KYE = Know Your Employee
Cyber Security – Internal and External System Access
The Key to Success: Financial Crimes Risk Managers Working in Partnership
Stephen Shine
Chief Regulatory Counsel
Prudential Financial
New York, NY
Four Elements
• Robust “On Boarding” Process
• Code of Conduct
• Ongoing Review/Monitoring
• Procedures for Reporting Wrongdoing
On Boarding Process
• Interview
– Inconsistencies/Gaps in Resume
• Background Investigation
– Credit Check
– Criminal Records
– Drug Test
Code of Conduct
• “Set Expectations”
• Broad Policy Statement
• Detailed Code of Ethics
• Insider Trading
• Gifts and Entertainment
Ongoing Monitoring
• Email Review
• Trading Records
• Annual Certifications
• “Trust but Verify”
Procedures for Reporting Wrongdoing
• Dodd-Frank Whistleblower Policy – Multiple Reporting Channels
• Management
• 800 Number
• Compliance/Ethics
• Investigations
– Training of Managers
– Communication
– “Safe to Say”
David Nanz
Supervisory Special Agent
FBI
Miami, FL
Kevin Tanaka
Senior Manager, Fraud Investigation and Dispute Services
Ernst & Young
New York, NY
Informing the Risk Assessment
[Diagram: Risk Management Program elements – Top-level Commitment, Communication and Training, Internal Controls, Risk Assessment, Monitoring, Due Diligence, Investigations]
Internal sources:
► Business Management
► Business Operations
► Compliance
► Corporate Security
► Finance and Accounting
► Human Resources
► Internal Audit
► Information Technology
► Legal
► Operational Risk Management
External sources:
► Competition
► Industry Consortiums
► Law Enforcement
► Media
► Regulatory Agencies
► Trade Publications
Tactical approaches to drive early detection and deterrence
Develop Threat Library
► Organization-specific
► Focused on aberrant behaviors
► Define KRIs (key risk indicators)
Conduct Data Analytics
► Leverage existing monitoring capabilities
► Identify presence of KRIs
► Develop Heat Maps / Scorecards
► Locate clusters and outliers
Perform Targeted Transaction Testing
► Unannounced ‘surprise’ audits
► Enhanced due diligence
Anticipate discovering red flags that require further investigation…
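To make the threat library, scorecard and outlier chain concrete, here is an added example (not the presenters' material) that runs all three steps on constructed weekly activity counts: a small organisation-specific KRI library with weights, a scorecard with risk bands in place of a heat map, and a robust median/MAD outlier test that decides who goes into the targeted transaction-testing queue. The KRIs, thresholds, weights and all activity figures are assumptions chosen for illustration.

```python
"""KRI scorecard and outlier detection (added example, not from the presentation).

Implements the chain "threat library -> data analytics -> targeted testing":
1. a threat library of organisation-specific KRIs over weekly activity counts,
2. a scorecard (heat-map stand-in) with weighted scores and risk bands,
3. a robust outlier test selecting who receives an unannounced review.
All KRIs, weights, thresholds and activity data are constructed assumptions.
"""
from statistics import median

# Constructed weekly activity summaries per person, as they might be pulled
# from existing badge, authentication and payment-system monitoring.
ACTIVITY = {
    "E1001": {"after_hours_badge": 5, "failed_logins": 2, "self_approved_payments": 0,
              "payments_just_under_limit": 0, "bulk_exports": 0, "vacation_days_last_12m": 12},
    "E1002": {"after_hours_badge": 0, "failed_logins": 0, "self_approved_payments": 0,
              "payments_just_under_limit": 3, "bulk_exports": 0, "vacation_days_last_12m": 15},
    "E1003": {"after_hours_badge": 9, "failed_logins": 14, "self_approved_payments": 3,
              "payments_just_under_limit": 6, "bulk_exports": 2, "vacation_days_last_12m": 0},
    "E1004": {"after_hours_badge": 2, "failed_logins": 1, "self_approved_payments": 0,
              "payments_just_under_limit": 0, "bulk_exports": 2, "vacation_days_last_12m": 10},
    "E1005": {"after_hours_badge": 1, "failed_logins": 3, "self_approved_payments": 1,
              "payments_just_under_limit": 1, "bulk_exports": 0, "vacation_days_last_12m": 8},
    "E1006": {"after_hours_badge": 0, "failed_logins": 1, "self_approved_payments": 0,
              "payments_just_under_limit": 0, "bulk_exports": 0, "vacation_days_last_12m": 20},
}

# Threat library: each entry is (KRI name, predicate over weekly counts, weight).
# Thresholds and weights are assumptions; a real library is tuned per business.
THREAT_LIBRARY = [
    ("after_hours_access",    lambda a: a["after_hours_badge"] >= 5,         2),
    ("credential_probing",    lambda a: a["failed_logins"] >= 10,            2),
    ("segregation_of_duties", lambda a: a["self_approved_payments"] >= 1,    3),
    ("threshold_structuring", lambda a: a["payments_just_under_limit"] >= 3, 3),
    ("bulk_data_export",      lambda a: a["bulk_exports"] >= 2,              2),
    ("no_vacation_taken",     lambda a: a["vacation_days_last_12m"] == 0,    1),
]


def score_person(activity, library=THREAT_LIBRARY):
    """Return (weighted score, [names of KRIs present]) for one person."""
    hits = [name for name, pred, _ in library if pred(activity)]
    score = sum(weight for name, _, weight in library if name in hits)
    return score, hits


def build_scorecard(activity_by_person, library=THREAT_LIBRARY):
    """Scorecard: person_id -> {'score', 'kris', 'band'}; the band is the
    colour a heat map would show (assumed cut-offs: >=6 high, >=3 medium)."""
    card = {}
    for pid, act in activity_by_person.items():
        score, hits = score_person(act, library)
        band = "high" if score >= 6 else "medium" if score >= 3 else "low"
        card[pid] = {"score": score, "kris": hits, "band": band}
    return card


def find_outliers(scorecard, k=3.0):
    """Robust outlier test: flag scores above median + k * MAD (median absolute
    deviation). MAD resists the outliers it is looking for, unlike a mean/stdev
    cut-off. If MAD is 0 (almost everyone scores alike), anything above the
    median is treated as an outlier."""
    scores = [row["score"] for row in scorecard.values()]
    med = median(scores)
    mad = median(abs(s - med) for s in scores)
    cutoff = med + k * mad if mad > 0 else med
    return sorted(pid for pid, row in scorecard.items() if row["score"] > cutoff)


def review_queue(scorecard):
    """Targeted transaction testing list: outliers with the KRIs that put them
    there, so the reviewer knows which transactions to sample."""
    return [(pid, scorecard[pid]["kris"]) for pid in find_outliers(scorecard)]


if __name__ == "__main__":
    card = build_scorecard(ACTIVITY)
    for pid, row in card.items():
        print(pid, row["band"], row["score"], row["kris"])
    print("review queue:", review_queue(card))
```

The outlier test is deliberately robust: with a mean and standard deviation, one person like E1003 inflates the spread enough to hide a second, smaller anomaly; median and MAD keep the cut-off anchored to how the bulk of the population behaves.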
Developing an effective incident response plan
Intake
• Triage and case management
• Assemble multi-disciplinary investigation team
• Determine the scope and investigative work plan
Execute
• Data preservation, collection and processing
• Interviews
• Forensic accounting analysis
• Legal analysis
Reporting & Remediation
• Feedback loop is key to recalibrate the overall program as necessary
Please proceed to Grand Ballroom West for the next session.