
Kenneth Citarella

Cyber risk protection is a key aspect of reputation management for corporate leaders, high net worth individuals and their organizations. We interviewed Kenneth Citarella, Senior Managing Director, Investigations and Cyber Forensics at Guidepost Solutions to gain insight into the most common (and often surprising) threats they face. Guidepost Solutions LLC is a multinational investigations firm specializing in monitoring, compliance, international investigations, and risk management solutions. Mr. Citarella’s areas of expertise at the firm include computer crime and fraud.

What are some examples of cybercrimes you have seen that could have been prevented with better due diligence and proactive risk assessment?

We were retained to investigate problems at a firm after it had hired a new CFO to oversee the design and implementation of a new computer network. The new CFO hired a personal friend as a consultant on the project. Then they conspired to overbill the firm and monitor the emails of key personnel. Simple due diligence would have disclosed the relationship. Also, it is important to remember that due diligence on a third party vendor who will have access to your network must include their cybersecurity practices. One of the most publicly scrutinized attacks on a retail chain began through its HVAC vendor. Incidents such as these illustrate how important it is to be aware of your network’s vulnerabilities so you can identify and implement preventive practices.

How have the new technologies used by corporations changed due diligence methods — and where do you continue to see vulnerabilities?

Due diligence methods have not changed that much. Internet-based research has been around for years. But the objectives and scope have greatly expanded. For example, if you are acquiring a company, you are not only concerned with their profitability, personnel, facilities and other traditional qualities, but with their digital practices as well. Can your networks be integrated? Are data protection procedures equivalent? Are your BYOD policies the same? Questions like these have to be addressed so that you are at least aware of the risks you are assuming. These questions are as necessary as evaluating internal financial controls and inventory. The issues are similar when evaluating third-party vendors. They handle your data and access your network. Their cyber vulnerabilities become yours.

What are the most common cyber threats facing high net worth individuals and their families?

High net worth individuals and their families face all the same cyber risks as anyone else, but they are also more lucrative targets and often have higher Internet profiles—of which they may not be aware. For example, information about a prominent executive may exist on multiple websites, including those of his employer, a conference he attended, and a trade association he is involved with, as well as on public media platforms. In addition, the executive’s children may be active on numerous social media platforms, leaking details of family and parental activities. From these rich sources, a criminal can mine enough details to craft a carefully scripted approach targeting a specific person (which is known as spear phishing). Far more sophisticated than the more general shotgun attempts aimed at the unwary public, these attacks will reference details of the target’s professional or personal life that only a genuine associate would typically know. That is what makes them so hard to resist. Add the fact that many high net worth individuals have personal administrators for their homes or offices who answer emails and the risk escalates. Modern communications have effectively created a due diligence obligation for high net worth individuals to know and control their Internet profiles in order to minimize their risks.

If you could give them one piece of preventive advice, what would it be?

Assume you are at risk. Get educated about your vulnerabilities, address them and periodically reassess.

Cyber risk is in the news daily (and many more incidents are not made public). Can you provide examples of the type of incidents that are most damaging to corporate and executive reputations?

Recent headlines provide all the examples we need. Multiple retail chains have been hurt because they cannot protect their customer data. If the public hesitates to shop at a store because of data breach concerns, sales, income and stock price can all fall. Intrusions have destroyed emails and corporate assets, exposed embarrassing internal communications and identified people looking for sexual affairs. Reputation repair for the individual and the organization may take an extended period of time—or may not happen at all. A high-profile corporate or personal life in the 21st century requires adequate cybersecurity at home and at work as well as a protected and controlled Internet profile. Highly qualified professional assistance to secure those objectives is a must.

This is the third in a series of interviews with experts whose work relates to online reputation management.

 
 

Hedge fund Greenlight Capital has filed a petition in New York State Supreme Court seeking the identity of an anonymous blogger at Seeking Alpha, an investor website.  In mid-February Bloomberg published a report stating the contributor “allegedly disclosed the fund’s stake in Micron Technology Inc. (MU) before it was made public.” Greenlight plans to sue the blogger if the petition succeeds – making it a potentially groundbreaking legal case.

Key excerpts from the Bloomberg article state:

Greenlight said in a Nov. 25 filing with the U.S. Securities and Exchange Commission that it purchased 23 million shares of Boise, Idaho-based Micron, a maker of memory chips, in the third quarter. Eleven days earlier, Greenlight had disclosed the stake to the SEC and asked that the agency not publicly identify Micron as the investment in question.

A frequent contributor to the site, identified only as “Valuable Insights,” revealed the investment in a post on Nov. 14, before Greenlight disclosed its position to the SEC, the investment manager said in a petition filed yesterday in New York State Supreme Court in Manhattan. The hedge fund said in the petition that the website post drove up its costs.

Greenlight said in the petition it intends to sue “Valuable Insights,” identified on the site as a fund manager with more than 20 years of experience in the securities industry.

Seeking Alpha declined to identify the contributor in a letter dated Nov. 26, saying that submissions are made at the “sole responsibility” of the posting user, according to filings in the case.

Seeking Alpha said in the letter that it doesn’t pre-screen comments on its site and can’t guarantee their accuracy, integrity or quality, and that it’s not in a position to reveal its users’ identities without “clear and substantial grounds,” according to the filings.

Why it is difficult to sue for internet content... but not impossible

Website operators have legal immunity over what is said and posted on their sites. That means they are not held responsible for it in a court of law (except, generally, in cases that constitute defamation). Specifically, according to Section 230 of the Communications Decency Act, “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” That law was passed in 1996.

Online defamation lawsuits constitute a growing area in legal practice. If something posted about a person is deemed by a court to be a false and unprivileged statement of fact harmful to someone’s reputation – or, to cite recent cases, is “injurious,” interferes with one’s livelihood or possesses any number of related characteristics – the website can be required by law to remove the information and reveal the poster’s identity.

Tim Fernholz at Quartz writes, “The hedge-fund manager maintains that only someone who was legally obligated to keep the information confidential could have written the Seeking Alpha post, and he wants to know the person’s true identity in order to sue. Since the author of the note isn’t a journalist relaying information from an anonymous source (a classic way big deals are leaked) but an investor, it’s possible the judge won’t follow the usual protections for anonymous speech and instead force Seeking Alpha to divulge the author’s identity.”

People who have successfully sued in response to online defamation (typically a series of anonymous posts about them) have been awarded millions of dollars in damages. The posters’ identities have become public, often in the news media.  It can be very difficult to take such a step and succeed.  But a firm like Greenlight Capital has the financial weight to see such a lawsuit through. While it is not a defamation suit, there may be similarities in terms of visibility. Greenlight can also utilize private resources to reveal the anonymous writer should legal channels fail to do so.

Cyber investigators increasingly active in private sector

Private investigators are increasingly active in such cases. Often such experts come out of law enforcement and the legal community. For instance, Kenneth Citarella is the Managing Director for Investigations and Cyber Forensics at Guidepost Solutions, an investigations and compliance firm that was established by Andrew J. O’Connell, a former federal prosecutor and Special Agent with the U.S. Secret Service.

For additional insight

The Electronic Frontier Foundation’s online defamation law guide for bloggers includes general information on this topic.