[ntpwg] Weak Enforcement of Corporate Governance and Lax Technical Controls Have Enabled the Illegal Backdating of Stock Options

Brian Utterback brian.utterback at sun.com
Thu Feb 22 08:07:51 PST 2007


So, all timestamps will henceforth be only from audit-able sources? As
almost all articles on option backdating have stated, it is not the
backdating that is illegal, it is doing it without disclosure. The value
of the start date has to be arbitrary, although it could default to
the current date. Are we saying that the programs that handle this data
flag any date field whose default is "now" that has its default 
overridden? It just doesn't seem to make any sense.

Jared Morrisen wrote:
>  >>>>But I fail to see how synchronized clocks on the network would 
> prevent the backdating of stock options. I guarantee that none of the 
> options in question got the date filled in by reading the system clock.
>  
> I think that it is based on the assumption that since the timestamp is 
> from a trusted and audited source, then it is the accurate one.
>  
> /jared
> 
> 
>  
> On 2/22/07, *Brian Utterback* <brian.utterback at sun.com> wrote:
> 
>     I don't buy this at all. I think we all agree that time sync has
>     the benefits listed at the end, i.e. "integral part of an effective
>     network and security architecture". But I fail to see how synchronized
>     clocks on the network would prevent the backdating of stock options. I
>     guarantee that none of the options in question got the date filled in
>     by reading the system clock.
> 
>     Jared Morrisen wrote:
>      > Interesting piece...
>      >
>      > *Weak Enforcement of Corporate Governance and Lax Technical Controls
>      > Have Enabled the Illegal Backdating of Stock Options*
>      >
>      > Feb 21, 2007
>      > URL:
>      > http://www.wallstreetandtech.com/showArticle.jhtml?articleID=197007836
>      >
>      >
>      > In 2006 hundreds of companies were implicated in stock-option timing
>      > scandals, and a number of executives were indicted for illegally
>      > backdating stock options. While greed is the primary reason for
>      > backdating, it is abetted by weak enforcement of corporate governance
>      > that should prevent the practice in the first place. Often, there also
>      > is a lack of technical controls on corporate networks to deter such
>      > activities.
>      >
>      > Options backdating is the dating of employee stock options with an
>      > earlier date than the actual date of the grant. The objective is to
>      > choose a date on which the price of the underlying stock is lower than
>      > the current price, resulting in an instant profit to the grantee. When
>      > dealing with tens or hundreds of thousands of shares, and price
>      > differentials in the range of $50 a share, the amount of illicit gain
>      > can be immense.
>      >
>      > This time distortion results not only in the value of the option being
>      > much greater to the employee receiving it, but in a correlative
>      > detriment to shareholders by way of stock price dilution. While
>      > backdating of stock options is not necessarily illegal if the grantor of
>      > the stock options properly discloses the backdating, it remains to be
>      > seen whether some other fiduciary duty has been breached.
>      >
>      > Most of the legal issues arising from backdating are a result of the
>      > grantor falsifying documents to conceal the backdating. According to
>      > attorney Louis Brilleman, counsel at Sichenzia Ross Friedman Ference in
>      > New York, a law firm specializing in securities matters, backdating is
>      > illegal under most circumstances. The practice usually leads to the
>      > creation of fraudulent documents through the disclosure of misleading
>      > corporate earnings and the improper reporting of the option grant under
>      > applicable tax rules, Brilleman explains.
>      >
>      > Options backdating has been going on for many years. The rules changed
>      > in 2002 with the passage of Sarbanes-Oxley, but even that did not stop
>      > some companies from continuing backdating practices. Accurate timing of
>      > transactions — stock or otherwise — is fundamental to any SOX report.
>      > Further, beginning in August 2002, and pursuant to SOX and other
>      > securities laws, the SEC started requiring companies to disclose their
>      > stock-option awards within two days of options grants.
>      >
>      > With new regulations in place, backdating now is a regulatory issue,
>      > and, as such, companies can no longer bury their heads in the sand and
>      > hope no one notices. It has become clear that the element of time is now
>      > an internal control. Any weaknesses in tracking the time of stock-option
>      > grants must be investigated, reported and corrected.
>      >
>      > Companies now must take the necessary steps to ensure that any
>      > backdating will be detected. Besides the development of policies,
>      > procedures and standards around backdating, there are technical
>      > solutions that can be implemented to support such an endeavor.
>      >
>      > *Time Synchronization Is Imperative*
>      >
>      > These technical solutions center on time synchronization. Companies must
>      > proactively create a time-synchronization mandate and ensure that it is
>      > correctly deployed throughout their IT environments. Fortunately,
>      > creating such a time synchronization infrastructure is relatively easy,
>      > and the ROI on such an undertaking can be significant.
>      >
>      > As time-synchronization hardware is a needed investment, properly
>      > communicating the need to management is crucial to getting funding for
>      > the technology. Synchronizing time is a fundamental business and
>      > technology decision that should be an integral part of an effective
>      > network and security architecture.
>      >
>      > The need for this is evident in that an enterprise information network
>      > and security infrastructure is highly dependent on synchronized time. In
>      > addition, there also are regulatory issues that require correct
>      > synchronized time — from NASD OATS, FFIEC and GLBA, to Visa CISP and
>      > many more. All of these regulations recognize that correct time is
>      > critical for transactions across a network. Many events on the network
>      > need the correct time to initiate jobs, complete transactions, etc.
>      > Correct time is critical for billing systems, authentication systems,
>      > manufacturing, forensics and more.
>      >
>      > Common to all of these regulations is the requirement that financial
>      > transactions and changes to electronic records be accurately
>      > time-stamped. To provide accurate time stamps, all network devices must
>      > be synchronized relative to national and international time standards.
>      >
>      > At the application and operating system level, most applications and
>      > networking protocols require correct synchronized time. Vendors such as
>      > Microsoft, Cisco, Oracle, Red Hat, Novell and Baan all state that their
>      > systems must be configured to an authoritative time server for proper
>      > and secure use.
>      >
>      > Time servers cost from $2,000 to $10,000, depending on the level of
>      > accuracy and redundancy required. Time servers, which take but a few
>      > hours to install, provide additional benefits, such as reduced downtime
>      > and the ability to mitigate legal exposure.
>      >
>      > Options backdating is the problem, and time synchronization is the
>      > solution. But getting from solution to implementation takes proper
>      > planning and project management. With that, the following five steps can
>      > be used as a high-level framework for implementing synchronized time in
>      > your organization.
>      >
>      > *Step 1: Risks and Requirements*
>      > The first step is to formally determine the risk to your company if you
>      > do not have synchronized time. Don't underestimate the risks; if you
>      > don't practice due care pertaining to the time on your network system,
>      > you can be legally liable for negligence and held accountable for the
>      > ramifications of that negligence.
>      >
>      > Next, determine how accurate your clocks need to be. This can be
>      > anywhere from milliseconds to a few seconds. Finally, advise management
>      > of the risks of nonsynchronized time and get their approval for the
>      > purchase of time-synchronization equipment and the initiation of a
>      > time-synchronization project.
>      >
>      > *Step 2: Hardware and Software*
>      > Start meeting with vendors of time-synchronization equipment to
>      > determine the solution that best fits your organization and specific
>      > needs. Some of the leading vendors in this space include Spectracom
>      > <http://www.spectracomcorp.com/>, Symmetricom
>      > <http://www.symmetricom.com/> and EndRun Technologies
>      > <http://www.endruntechnologies.com/>.
>      >
>      > *Step 3: Policy*
>      > If policies for time synchronization are not in place already, work with
>      > the information security department to ensure that time synchronization
>      > becomes part of the global enterprise information technology policy.
>      > Time synchronization must be made part of the corporate IT systems and
>      > security policies. Without a policy, there will be no impetus for staff
>      > to achieve accurate, synchronized time. Often, a simple policy, such as,
>      > "Time synchronization to an accurate time source is required on all
>      > enterprise network devices," is a sufficient first step.
>      >
>      > *Step 4: Architecture*
>      > The first step to architecting an accurate time-synchronization solution
>      > is to establish a network time source, known as a reference clock, for
>      > traceability to national and international standards. A typical reference
>      > clock would use GPS (Global Positioning System) to receive time from
>      > satellites. Second, create a downstream topology for all network
>      > components to use the reference clock as the network's master source of
>      > time.
>      >
>      > *Step 5: Auditability*
>      > Steps 1 through 4 are important from a technical perspective. But even
>      > with the most sophisticated timing device, you still need to have
>      > independent and auditable time controls in place. As part of this, you
>      > must be able to prove to auditors and regulators that the time on any
>      > monitored system was correctly synchronized with a specified time source.
>      >
>      > Also, it is important to note that time synchronization will not
>      > magically cure a regulatory material weakness leading to an internal
>      > controls problem. Those in control of time synchronization still can
>      > manipulate time and/or data. It becomes an issue, at least in part, of
>      > taking control over this material weakness away from insiders. With
>      > that, it is imperative to ensure that insiders are not engaging in any
>      > time-based data manipulation.
>      >
>      > Also, if something goes to court, you need to prove that all your
>      > devices on your network are synchronized and that all transactions that
>      > took place are able to provide an accurate, authenticated time source.
>      > This requires that all logs are handled within the context of digital
>      > forensics and staff members are following the appropriate rules of
>      > evidence.
>      >
>      > *Conclusion*
>      > The backdating fiasco demonstrates that the need for synchronized time
>      > is a crucial business and technology requirement. As such, it is an
>      > integral part of an effective network and security architecture.
>      > Ensuring accurate time is relatively inexpensive and offers a
>      > significant ROI. And it is a great way to stop your company from getting
>      > negative press — not to mention to keep your management team from being
>      > indicted.
>      >
> 
>     --
>     blu
> 
>     "Remember 'A Thousand Points of Light'? With a network, we now have
>     a thousand points of failure."
>     ----------------------------------------------------------------------
>     Brian Utterback - Solaris RPE, Sun Microsystems, Inc.
>     Ph:877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom
> 
> 

-- 
blu

"Remember 'A Thousand Points of Light'? With a network, we now have
a thousand points of failure."
----------------------------------------------------------------------
Brian Utterback - Solaris RPE, Sun Microsystems, Inc.
Ph:877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom
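
The thread turns on the difference between a grant date typed by a person and a timestamp stamped by the system. When a record carries both, the gap between them can be checked mechanically. The following is an added example, not part of the original messages or the quoted article: the record layout, finding codes, clock tolerance and sample data are constructed, and the two-day window is the disclosure deadline the article cites.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Deadline taken from the quoted article ("within two days of options grants").
DISCLOSURE_WINDOW = timedelta(days=2)
# Assumed tolerance for the recording host's offset from its reference clock.
MAX_CLOCK_OFFSET = timedelta(seconds=1)

@dataclass(frozen=True)
class GrantRecord:              # hypothetical record layout
    grant_id: str
    grant_date: date            # typed by a person; may override the "now" default
    recorded_at: datetime       # UTC, stamped by the system when the row was created
    host_offset: timedelta      # host's measured offset from the reference clock
    disclosed: bool             # whether an earlier grant date was disclosed

def review(rec):
    """Return finding codes for one record; an empty list means no finding."""
    findings = []
    # Synchronized time only vouches for recorded_at, so check that first.
    if abs(rec.host_offset) > MAX_CLOCK_OFFSET:
        findings.append("clock-out-of-tolerance")
    lag = rec.recorded_at.date() - rec.grant_date
    if lag < timedelta(0):
        findings.append("future-dated")
    elif lag > DISCLOSURE_WINDOW:
        # The override itself is not the finding; the missing disclosure is.
        findings.append("override-disclosed" if rec.disclosed else "override-undisclosed")
    return findings

def review_all(records):
    return {r.grant_id: review(r) for r in records}

def _utc(y, m, d, h=15):
    return datetime(y, m, d, h, tzinfo=timezone.utc)

# Constructed sample data.
SAMPLE = [
    GrantRecord("G-1", date(2007, 2, 20), _utc(2007, 2, 21), timedelta(milliseconds=20), False),
    GrantRecord("G-2", date(2006, 11, 3), _utc(2007, 2, 21), timedelta(milliseconds=20), False),
    GrantRecord("G-3", date(2006, 11, 3), _utc(2007, 2, 21), timedelta(milliseconds=20), True),
    GrantRecord("G-4", date(2007, 2, 21), _utc(2007, 2, 21), timedelta(hours=-3), False),
]

if __name__ == "__main__":
    for gid, found in review_all(SAMPLE).items():
        print(gid, found or "ok")
```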

