Digital fraud, cyber crime increases globally during coronavirus

Connect Global Group holding virtual summit June 16

COVENT GARDEN, LONDON — The coronavirus outbreak is wreaking havoc on commercial activity across the globe and hastening cyber and financial crime.

A growing dependence on digital infrastructure — coupled with this sudden increased threat landscape — has raised the cost of failure. It has allowed cyber and financial criminals to feed on augmented levels of fear and uncertainty from those who are finding themselves online more and more, today and in the future.

The solution: Financial institutions need to activate boosted digital hygiene standards, be extra vigilant on verifications and follow official updates to protect customers and their own business.

That’s why Connect Global Group — known for its forums, professional training, content library, and community of experts — has put together perhaps the year’s most important interactive, virtual summit on cyber and financial crimes. The cyber threat and crime summit, called IDENTITY.i Virtual Summit, takes place June 16. The speakers and panel of international experts will focus on anti-money laundering (AML) technology and processes; know your customer (KYC) processes at large and small institutions; true digital identity verification; and effective methods of detecting and halting fraud and other financial crimes on systems you or your customers run.

The IDENTITY.i Virtual Summit allows you to address key challenges in the areas of Open Banking and Digital Identity, Client Onboarding and Client Lifecycle Management, Financial Crime and Fraud — all from the comfort of your home office.

Tune in to more than 25 keynote speakers, access vital case studies and engage with in-depth panel discussions. Participants can also download hundreds of assets and literature in their “digital swag bag”, ask questions in real time, maintain networking bonds in the virtual lounge and witness innovative solutions in the virtual exhibition hall.

Open Banking, innovation and digitization are imposing yet another operational challenge that will force financial institutions to rethink their day-to-day processes to achieve efficiency and effectiveness in KYC, client onboarding, AML, financial crime and fraud prevention. To be efficient, the community must come together to develop a single, standard, practical approach to customer onboarding and financial crime prevention built around the emerging technologies of digital identities, Open Banking, blockchain, ML and AI. Along with enabling operational efficiency and cost reduction, this will allow much-needed focus on de-risking, which can make AML, financial crime and KYC processes effective.

Key Take-aways from the upcoming IDENTITY.i Virtual Summit:

  • Understand Emerging Financial Crime Risks in an Open Banking World
  • Latest trends and challenges in tackling fraud in the digital age
  • Enhance Client Lifecycle Management (CLM) with AI
  • Revolutionize Client Onboarding with Digital Identity and AI
  • Streamline Compliance with ML
  • Optimize KYC processes and information sharing of Global Banks

To register, please go here.

NLYTE survey: Most companies seek real-time view of software, technology assets

From press releases

More than 80 percent of technology asset decision-makers say a lack of technology asset management is a key business issue for the C-suite, the latest Nlyte Software survey shows.

Nlyte, which develops software for managing computing infrastructure, says the fact that a third (31 percent) of organizations still track assets manually is no surprise.

The study, commissioned by Nlyte and delivered by Sapio Research, also found that almost two thirds (61 percent) of business leaders see a need for a real-time view of their technology and software assets. Over a third (37 percent) of respondents believe they could save 20 percent of their budget by remediating underutilized software, and 39 percent state they could save their IT delivery teams six to ten percent of their time in daily business operations – but only if they had a real-time view of the situation.

It’s all about the risk

Despite the apparent priority, the motivating factor behind the decision to implement asset control across the entire technology stack is most likely to be a cybersecurity breach, according to 29 percent of respondents. There are also stark differences between how managers and senior teams see this as a priority: C-suite respondents believe that assets are being scanned hourly (27 percent) or daily (35 percent), yet those at manager level are less confident (8 percent and 28 percent respectively).


It also seems that the majority (84 percent) of asset decision makers are still concerned about the prospect of a vendor software audit, and nearly a quarter (21 percent) of respondents face fines – a worrying amount that perhaps comes from an inability to manage processes well, rather than any deliberate misdemeanor.

“Organizations seeking to regain control of the disorderly technology assets proliferating throughout their organization would be advised to consider TAM,” said Robert Neave, cofounder, Chief Technology Officer, and Vice President of Product Management for Nlyte Software. “Across our transnational sample (USA, UK, and France) 96 percent say that hardware and software technology asset control is a top 5 priority for the business, yet this still isn’t being implemented across the board.”

Further findings from Nlyte’s research:

  • 61 percent told us that a real-time view of technology and software assets would enhance their IT innovation to support their business goals.
  • Yet only 45 percent said that their assets are validated daily (30 percent do this weekly)
  • 50 percent are tracking assets in their data center, while a majority (62 percent) are doing so for desktops and laptops
  • 78 percent of the global respondents claimed that up to 20 percent of their assets remain undetected from network scans
  • On average 67 percent of devices have the latest security software and firmware patches; less than half (49 percent) have a solution that scans and validates all devices; 48 percent of devices are not proactively managed at all
  • 36 percent of C-suite aren’t tracking their edge assets – where the risk of intrusion is highest

Technology Asset Management

Several findings from this research showed that large organizations, as a whole, have no agreed, clear vision of what their asset management strategy is for. A lightweight, agentless technology-based solution like TAM, one that isn’t limited to certain vendor platforms or industry protocols, removes these headaches. Such a solution allows for the discovery of any and all types of technology assets: compute, storage, network, software, firmware, IoT and more.

Nlyte’s TAM solution delivers a self-aware IT infrastructure by updating CMDB, DCIM, and BMS systems with current asset configuration and location, improving efficiency and SLAs on change management workflows and helpdesk tickets. It identifies everything attached to the organization’s network, providing detailed information about location, configuration, and accessibility, and monitoring for unplanned changes, unauthorized access, vulnerable software, and lost and unresponsive assets.

Access the whitepaper here:

Lockpath launches templates to Keylight Team Edition, premier GRC platform

Lockpath just launched templates for its Keylight Team Edition, its premier governance, risk management and compliance (GRC) platform.

Templates included with the platform are a pre-built starting point for customers to solve their initial compliance management needs, the company said.

“In today’s rapidly changing regulatory environment, businesses are continually seeking ways to streamline and improve their integrated solutions,” said Chris Caldwell, Lockpath’s co-founder and CEO. “Our platform helps them overcome the challenge of building and implementing a robust compliance program quickly and efficiently.”

The addition of templates to Keylight Team Edition gives customers the ability to quickly create and implement policies. The additional steps needed for an effective compliance management program, such as mapping to controls, logging awareness events and collecting attestations, can be accelerated with templates.

“Last year we launched Keylight Team Edition to give our SMB customers better access to an integrated risk management program and now templates further enhance this commitment to all of our customers,” Caldwell said.


Lockpath’s initial library of pre-defined templates includes the initial elements to comply with regulations and frameworks such as GDPR, CCPA (California Consumer Privacy Act), ISO 27001, NIST SP800-53, Sarbanes Oxley (SOX), HIPAA, COBIT, PCI-DSS and more. The library will continue to expand based on customer feedback. Templates can also be customized to fit any organization’s specific needs and preferences.


Templates are continuously updated to remain current as regulations change. This gives customers assurance that they will have access to reliable, up-to-date information, the company said.


“As regulations change frequently or new regulations are established, compliance can be a daunting task for even experienced practitioners,” said Chris Goodwin, Lockpath’s Chief Technology Officer and Co-Founder. “An organization can choose from any of our pre-built templates for the most widely used frameworks or regulations and customize them as needed.”

Lockpath’s templates will be available out-of-the-box to all Keylight Team Edition customers and can be added by request to Standard and Enterprise editions of Keylight. To learn more about Lockpath, the Keylight Platform and templates visit

About Lockpath: Lockpath is an enterprise software company that helps organizations understand and manage their risk. For more information on Lockpath and the Keylight Platform, visit

Strange Craft: The True Story of an Air Force Intelligence Officer’s Life with UFOs

U.S. Air Force Major George Filer belongs to the generation of pilots and airmen who first became aware of the strange aircraft showing up in the Earth’s atmosphere after World War II.

These men – military professionals who flew planes, commanded ships, served as radar operators and air traffic controllers at air fields around the world – began to whisper amongst themselves about encounters with suspected extraterrestrial aircraft. During secret debriefings at U.S. bases, pilots and air crew told their commanders of seeing strange lights at night and in the daylight, groups of saucer- or cigar-shaped craft that easily paced them just a few yards off their plane’s wingtip.

Award-winning investigative reporter John Guerra spent four years interviewing Filer, a decorated intelligence officer. From objects in the skies over Cold War Europe to a UFO overflight during the Cuban Missile Crisis to strange lights over the DMZ during the Tet Offensive, Filer leaves nothing out about his Air Force UFO encounters, providing Guerra all the amazing details of his six decades investigating extraterrestrials and their craft. Filer’s most memorable case – the shooting of an alien at Fort Dix Army Base in 1978 – is fully recounted for the first time in this book.

Filer – who readers have seen on countless UFO documentaries – is also a member of the Disclosure Project, the famous panel of military experts, astronauts, and scientists that urges the U.S. government to release all it knows about UFOs to the public.

Then, in the fall of 2017, the Pentagon released the F-18 gun camera footage of what can only be described as an extraterrestrial vehicle outperforming U.S. Navy fighters off San Diego …

Keys writer John Guerra’s biography of real-life Air Force UFO investigator Maj. George Filer is now out on Amazon. Filer leaves nothing out about his own UFO encounters on the ground and in the air, providing Guerra all the important details of his six decades investigating extraterrestrials and their craft.

Order the book on Amazon



MetricStream report predicts 2019 GRC trends

From MetricStream’s “GRC 2019: The Known Unknowns” 


How will GRC roles evolve in the coming year? What are the weak links to watch out for? Find out in MetricStream’s report on the trends and predictions for 2019. The future of GRC will not just be about managing known risks or monitoring compliance. It will be about sustaining an organization’s social license to operate.


Balancing Value Protection and Value Creation

As enterprises strive to stay ahead of the curve, GRC executives will be expected to go beyond their traditional roles as the guardrails of the organization and become enablers of business performance and growth. They will need to find a balance between protecting value and creating it; between being the voice of reason in the C-suite and enabling the business to take the requisite risks to achieve the desired rewards. CROs, for instance, will be called on to help leadership teams decide when to launch a new product, or which markets to target first based on the associated risks and opportunities. In doing so, they will be seen as enablers of innovation.

Truth-tellers and Strategic Advisors

Boards will demand more transparency. They will want to respond more proactively to potential risks and opportunities. Therefore, CROs, CCOs, CAEs, and CISOs will need to deliver insights that are forward-looking, actionable, and performance enabling. They will also need to become better story-tellers, communicating their message clearly, succinctly, and in a way that the board can understand and act on. To support these efforts, new generations of GRC solutions will be designed to predict potential risks with greater accuracy and speed than ever.

Leading from the Front

More risk and compliance responsibilities will move down into the first line of defense. But first, organizations will need to think about how GRC can be adapted to the first line, not how the first line should adapt to GRC. How can GRC be made so intuitive that it becomes a seamless, almost inherent part of employee routines? The answers, to some extent, will lie with technology. GRC tools will increasingly be layered into the systems used by the first line in such a way that when an employee is confronted with a potentially risky or non-compliant transaction, the underlying technology will automatically trigger checklists and workflows to guide the employee towards making the right decision.

GAN Integrity adds new risk management module

From press releases

GAN Integrity this week launched its Risk Management module that builds on GAN’s all-in-one compliance platform. GAN designers say the module is designed to integrate seamlessly with the rest of GAN’s compliance components, so users can make strategic, data-driven decisions based on a holistic and real-time view of all compliance-related activities.

Companies can customize how they frame their risk management and shift to a dynamic approach. The tool complements annual risk assessments and helps compliance teams take action on next steps, company officials said.

“As an organization’s risk management evolves, so does GAN’s tool configuration, enabling real-time identification, assessment and management of all risks,” said Valerie Charles, chief strategy officer for GAN Integrity. “It empowers compliance teams to focus on what matters with technology that enables them to proactively manage any compliance issue that arises, at anytime, anywhere.”

The Risk Management module joins GAN’s comprehensive compliance platform, which includes Training, Due Diligence, Policy, Gifts and Case Management modules.

According to GAN Integrity engineers, the Risk Management module lets teams:

  • Identify: The user-friendly solution allows users to easily map and manage all risks across the company in a centralized risk library, along with any related controls and action plans.
  • Assess: Detailed information on specific risks enables users to design customized risk rating scales and matrices that are tailored to the organization.
  • Manage: Users exchange manual, paper-driven, siloed processes for a simple and user-friendly solution and import risk assessment data into a configurable tool.
  • Monitor: The module tracks compliance risks in real time using a heat map that enables a company to instantly react to critical changes to risks throughout the business. All changes and activity are saved for later reference.
  • Evolve: The module automatically updates risks based on changes to the business.


FCPA Blog: Panasonic case provides a teachable moment

By Erich Lochner

President and CEO, Steele Compliance Solutions Inc.

Erich Lochner, Steele Compliance Solutions

The Panasonic enforcement action in April — resulting in $280 million in penalties and disgorgement to the DOJ and SEC — offers almost every lesson a compliance officer might want to discuss about anti-bribery programs.

First, due diligence matters all the time, all the way down

As often happens with anti-bribery offenses under the FCPA, bribes were relayed to government officials through intermediaries and sales agents. Multiple agents working for Panasonic failed the company’s internal due diligence checks and parted ways with the company — and were then hired back as subcontractors, with a sales agent that had passed the due diligence.

That scenario underlines the point of what due diligence truly is: an effort to expel corrupt third parties from the enterprise permanently, rather than a simple background check to be performed at one moment in time.

If the mantra is, “Companies don’t commit crime; people working for companies do,” then due diligence programs should flag specific high-risk people and ensure they don’t work on behalf of the organization. That can require language in contracts with other third parties (to avoid subcontractor risk), follow-up audits, and similar measures.

Second, accounting controls also matter

Panasonic engaged in considerable books-and-records violations both to mask the improper payments and to inflate revenue and pre-tax income by recognizing revenue early. Panasonic ultimately paid more than $1.75 million to supposed sales agents who provided few (if any) actual services. None of that was properly recorded in the company’s books.

Moreover, Panasonic employees knew about, and concealed, the scheme to sub-contract the sales agents who had been terminated. The third party that employed those sub-contractors was paid from a Panasonic budget line under the sole control of a senior Panasonic Avionics executive, with no oversight from anyone else at the company.

Proper accounting controls are crucial to effective FCPA compliance, since they can choke off the supply of money necessary for criminal violations. For example, a company could require multiple executives to counter-sign any payment above, say, $50,000; and require documentation that the party receiving that money has delivered the services promised.

Compliance with the civil side of the FCPA (implementing strong accounting controls) supports compliance with the criminal side (not paying bribes).

Third, leadership is what makes the first two matter.

Large organizations are always porous collections of people and business practices. Even the most exhaustive controls, policies, and procedures leave some crack where misconduct can sprout. Strong ethical leadership is the sealant that tries to fill those cracks. The absence of strong leadership does the company no favors.

In Panasonic’s case, an internal audit in 2010 flagged potential problems with high-risk agents, and that report was circulated among senior executives. No follow-up happened for years.

Panasonic didn’t disclose the misconduct voluntarily. Only when the Securities and Exchange Commission began requesting documents did Panasonic admit potential problems and begin cooperating. That said, after the investigation began Panasonic did cooperate fully, including a thorough internal investigation and providing foreign employees for interviews with the Justice Department.

The company ultimately received a 20 percent discount on its penalties, per the DOJ’s new FCPA Corporate Enforcement Policy.


MetricStream GRC summit highlights issues facing enterprises

By John L. Guerra

GRC & Fraud Software Journal

Gaurav Kapoor, COO MetricStream

MetricStream’s 2018 GRC Summit in Baltimore brought together governance, risk, compliance and regulatory leaders from various industries and market segments. The three-day summit covered the biggest issues facing GRC practitioners in banking, real estate, health care, and other business sectors.

Gaurav Kapoor, chief operating officer for MetricStream, spoke with GRC & Fraud Software Journal about the summit.

“We created a GRC summit where we could gain feedback from thought leaders and practitioners in the room,” Kapoor said. “It was intensive, with some 500 people representing 300 small to large companies representing a number of different industries – the main takeaway is that we’re all on the same journey.”

To set the stage for discussion, MetricStream announced its new tagline: “Perform with Integrity.”

“That mirrors the desire that companies have to raise performance while maintaining integrity in several aspects of the GRC model.”

According to Kapoor, companies both large and small worry about maintaining not only the integrity of their data, but their company’s integrity in the eyes of their customers who too often find they can’t trust companies to protect their personal data. Top executives at Uber, Facebook, Wells Fargo, and other companies have been summoned before Congressional hearings to answer for misuse of customer data.

“For the last two years, there have been huge breaches of trust when it comes to high-performing companies and major banks,” he said. “Companies are ensuring their GRC platforms are built for performance and integrity, and that’s in addition to preventing bribery, money laundering and other ethical problems. For the companies at our summit, maintaining the trust of their customers topped the list.”

The largest companies at the MetricStream summit said they designed GRC systems that would control ethical standards, prevent data breaches and enable them to report problems quickly to customers when they occur, Kapoor said.

“A large retailer in Sweden said their primary GRC strategy is to align systems that build trust with customers,” Kapoor said. “If there is a breach, how do we deal with customers? How do you write GRC to reflect ‘Tone at the Top?’ When your platform lets you document what kind of policies you need or have in place, you can accomplish these controls.”

At one point, the moderator asked the attendees to stand, and then to sit back down when the moderator named their chief concern.

“At change and change management, most sat down,” Kapoor said. “Companies have been faced with so much change, that they are looking for the ability to adapt quickly to concerns and write it into GRC applications. For instance Crypto is an issue nobody knows how to handle. Companies are exposed to more risk like that because things are a lot more digital.”

Less Pain, More Gain: InfoSec risk management and ISO 27001

By Jason Eubanks

Lead Auditor, LockPath


Jason Eubanks, LockPath

How have the recent privacy and security violations reported in the news every day changed your company’s behavior? There’s a silver lining to all the doomsday headlines — they should compel stakeholders in your company to pay more attention and provide more buy-in for proactive safeguarding activities against these risks.

How are you going to leverage this opportunity? You need a fresh approach, management support, a solid plan, and comprehensive technology to support all the moving parts involved in setting up an integrated security and risk management program.

As an experienced governance, risk management, and compliance (GRC) consultant and former auditor, I’ve assessed and supported many companies through the challenges inherent to building a mature, enterprise-wide information security risk management program that aligns with global standards and boosts competitive advantage.

One way many organizations are approaching this is through ISO 27001, an international standard for establishing, operating, maintaining and continually improving an Information Security Management System (ISMS).

This standard pushes organizations to move past checking boxes for adherence to controls by promoting a top-down, risk-based approach to developing processes, policies, and controls that specifically address the organization’s information security risks.

Organizations are certified based on adherence to a set of process-level clauses (requirements) and the controls used to support those processes; auditors certify against these requirements.


Why try to certify?

I’ve seen a growing number of companies working toward ISO 27001 certification (or towards compliance without undergoing the certification process). Implementing this standard is a highly effective way to build an integrated risk management program by establishing an ISMS.

An ISMS comprises the people, processes and IT systems used to apply a risk management program for managing an organization’s most sensitive and valuable data.

Approaching ISMS development in alignment with ISO standards will help your organization protect its critical data and IT assets, build resilience against threats and incidents, and be prepared for challenges and opportunities as they arise.

Even though it is voluntary, ISO 27001 certification is a valuable undertaking for many reasons. ISO 27001 is highly recognized and respected worldwide, encourages continual improvement and serves as a solid foundation for other IT risk and compliance standards and frameworks.

If you can meet the ISO 27001 standard, you are well positioned to comply with most other information security regulations, as well as client information security requirements.

At this point, organizations doing business globally are increasingly encouraged to achieve certification to stay competitive and win new business. As US companies expand operations internationally, they are often forced to comply with additional privacy and security regulations and provide additional assurances to partners and customers.

In addition to being an important indicator of information security maturity, a certified ISMS operates as a marketing tool and as a seal of approval, providing an advantage over competitors. For evidence of this trend, do a quick search on ISO 27001 certification; note that the results are packed with company press releases announcing certification and re-certification.


A high bar to clear

Many companies struggle to achieve certification. The ISO 27001 standard sets a high bar — it is not a one-and-done, checkbox list of requirements.

It’s a continual living and breathing program that includes understanding interested party requirements, management commitment, cataloging risks, assessing the severity of risks, planning how to remediate risks, and producing documentation to substantiate the risk management activities.

The standard also requires that organizations apply a mindset of continual improvement, where management pushes past program mediocrity and strives to improve the overall health of the ISMS.


Manual approach not working

Traditionally, ISO 27001-related tasks have been performed manually: documents are stored in network file folders or on process owners’ local drives, and tasks are managed through spreadsheets, documents and email.

It is nearly impossible for global, digital businesses to keep up using a manual approach, given the complexity of information security programs, the expanding reliance on supply chains and outsourcing, and the criticality of data and IT systems.


The pain points become acute when it is time for auditors to assess a company’s operations. Scrambling to pull together the proper documentation is a time-consuming hunt that distracts staff from core functions and operational improvement work.

An inability to efficiently prove compliance, of course, increases the likelihood of failing an audit.

This dynamic is disastrous enough for mandatory regulations like HIPAA and SOX. When it comes to voluntary standards like ISO 27001, failed audits, runarounds, and tedious tasks kill stakeholder enthusiasm and make it impossible to gain traction.


How can you bring focus and efficiency to your ISMS efforts, so you can build momentum towards certification? The key is to streamline, centralize, and automate.

As a first step, consider your current processes to document and manage ISMS processes. If they are performed through manual ad hoc processes, then departmental segmentation, duplicated efforts, lack of visibility and accountability, and wasted resources are sure to follow.


Integrated systems deliver lasting benefits

This is why a governance, risk management and compliance (GRC) technology platform is so critical to successful ISMS initiatives and efficient compliance programs. These enterprise software suites comprise interoperable tools that all types of organizations deploy to help manage risk, demonstrate regulatory compliance, automate business processes, and prepare for audits.


Streamlined documentation and automated tracking are key features of these tools. When a task (e.g., inventory, assessment, remediation workflow, exceptions approval, policy review, etc.) is performed within the tool, the tool automatically retains the required evidence, allowing GRC teams to gain significant efficiencies.

In contrast, if you’re performing or documenting that task in Excel, it’s nearly impossible to show when or by whom that task was completed.


GRC platforms do far more than establish evidence repositories. They support the work of integrating processes, policies, and controls across departments and business units, which is essential to extending comprehensive risk management throughout the value chain.

Digitally linking processes to risks you identify, to policies you create, and to control procedures you administer weaves a tighter web of protection and oversight. I see the “shall” requirement statements — the standards set by ISO 27001 and other security and risk management frameworks — as objectives.

The processes, procedures, and controls you put in place and maintain with the help of a GRC platform determine if you will achieve those objectives, and how expedient you’ll be getting there.

GRC as instrumental

GRC platforms, when combined with sufficient staff and expertise and supported from the top down, are instrumental in many ways. Whether your organization is building an ISMS from the ground up, seeking a better method for managing and integrating security and risk activities, or trying to streamline the audit process after certification, manual processes will no longer suffice.

Your team can leverage a GRC platform’s capabilities to manage regulatory requirements, policies and procedures, risk assessments, third parties, incidents, asset repositories, vulnerabilities, audits, and business continuity. When deployed across the organization, GRC technology systems facilitate collaboration, and increase visibility and accountability. A team attuned to the importance of working together to develop a world-class ISMS can reach compliance and certification more expediently with these capabilities at its disposal.

These benefits are valuable to every organization. Indeed, there are a lot of companies that will follow the ISO 27001 standards without attempting certification, but achieving the certification is the only way to provide assurance that your information security and risk management processes are compliant with the standard.

The public, legislators, and industry organizations are increasingly aware of and reactive to negative news about corporate data breaches and individual data privacy issues.

Organizations that have built a mature ISMS that matches the standard of excellence set by the ISO will be well-positioned to sustain competitive advantage and protect their assets and reputation in the face of a myriad of challenges.

Jason Eubanks is a CRISC, ISO 27001 Lead Auditor, Principal Consultant at Lockpath, a provider of integrated risk management solutions.