The Conference Board Governance Center Blog

February 10, 2011

Nasdaq Hacking a Wake-Up Call for Boards

Don’t you find it somewhat ironic that the one part of Nasdaq’s website hackers were able to break into was the Directors Desk portal, an online application that allows directors to share confidential information about their boards and corporate governance? It’s almost as if the hackers were sending a message to one of the world’s largest online equity markets: “we know boards don’t understand IT governance and security risks; so we’ll show you how vulnerable you are.”

That’s not the way the story is playing in business publications and online. Many news reports [Wall Street Journal and New York Times] say law enforcement officials (including the FBI, Secret Service and the SEC) believe the motive behind the weekend hacking was that the perpetrators were trying to obtain non-public inside information to gain a trading advantage. After the Wall Street Journal broke the story Friday, it became clear Nasdaq had been dealing with this issue for more than a year and that it could indicate a broader attack on other U.S. market exchange websites. For an exchange whose business model relies on a complex network of computers, Nasdaq OMX (the exchange’s official name) decided to act quickly when it found out. It has reiterated that information technology security is priority No. 1 in today’s fast-paced, technology-driven world.

Check out the statement the company issued soon after the Wall Street Journal story ran. If you look closely, you will notice it made the point of saying the trading side of the website was not breached. Unfortunately for Nasdaq, the Directors Desk portal itself touted the “highest level of security available to protect confidential board communications.”

Statement on Security Violation to Nasdaq OMX Systems

“Through our normal security monitoring systems we detected suspicious files on the U.S. servers unrelated to our trading systems and determined that our web facing application Directors Desk was potentially affected. We immediately conducted an investigation, which included outside forensic firms and U.S. federal law enforcement. The files were immediately removed and at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers. Our trading platform architecture operates independently from our web-facing services like Directors Desk and at no point was any of NASDAQ OMX’s operated or serviced trading platforms compromised.

“Subsequently, the U.S. Department of Justice requested that we refrain from providing notice to our customers until, at the earliest, February 14, 2011, in order to facilitate the continuing investigation. NASDAQ OMX was honoring the U.S. Government’s request to delay notification, but when a story ran in the media on Saturday, February 5, 2011, regarding a hacking incident at NASDAQ OMX, we immediately decided, in consultation with the authorities, that we must inform our customers.”

“We continue to evaluate and enhance our advanced security controls to respond to the ever increasing global cyber threat and continue to devote extensive resources to further secure our systems. Cyber attacks against corporations and government occur constantly. NASDAQ OMX remains vigilant against such attacks. We have been working in cooperation with the Government’s ongoing investigations and have received their technical advice for which we are appreciative.”

In addition to the obvious IT security risk Nasdaq faces, there is the reputation risk now attached to the Directors Desk name, yet the company still has a description up on its website http://www.directorsdesk.com/ that states, “Directors Desk provides multiple layers of security to protect our clients’ most vital corporate records. User authentication is tightly controlled through ‘strong passwords,’ fully encrypted transport, procedures surrounding account activation, and encryption of all service level passwords in the system. Role-based security protocols control which content is available to each user upon logging in. Network and host-based Intrusion Detection Systems (IDS) protect all hardware and applications in the Directors Desk server farm.”

While Nasdaq followed its crisis management plan on this incident (it contacted law enforcement officials early, detected and removed the suspicious files and disclosed all this to its customers), the actual hacking itself has not gone unnoticed by some media critics.

Jeffrey Carr, a columnist with Forbes who writes Digital DAO, had some advice for Nasdaq and other corporations: “My advice to NASDAQ is to cut Directors Desk loose and stay focused on protecting your trading platform. My advice to corporations who are in high technology, banking, energy, and defense sectors (all high value targets to advanced persistent threat actors) is to avoid using any electronic boardroom software that makes you a bigger target than you already are.”

There is one message that all boards may want to take away from this incident: Make sure you truly understand the technology your company and your board use to communicate with each other, stakeholders and the public.


3 Responses to “Nasdaq Hacking a Wake-Up Call for Boards”

  1. Russell Armstrong Says – It’s A Great Post…

    […] Fantastic post, thought I would link to it.. BTW Egypt :-) […]…

  2. Michael Atkins says:

    This is an interesting article. As the Director of one of the leading digital forensic software companies and founder of a leading board book portal, it is my opinion that…

    First, boards of directors should establish a board level technology committee to audit and provide oversight to GRC issues. I highly recommend that the CIO has a place at the board to address cyber issues.

    Second, I suggest that federal and law enforcement groups work with general counsels and chief information officers to establish frameworks, processes and best practices for sharing of unclassified information to protect corporations.

    Third, it is the corporation’s duty and responsibility to maintain an in-house incident management tracking system that identifies incidents and related cases involving fraud, IP, terrorism, etc.

    Thank you,
    Michael Atkins

  3. […] Read the original post: Nasdaq Hacking a Wake-Up Call for Boards | Governance Center Blog […]
