JULY/AUGUST 2019 PRSRT STD U.S. POSTAGE PAID SAL T LAKE CITY , UT PERMIT NO. 6563Association News The Association News contains valuable information about the Association and its members. The Association News is free for members and non-members alike. The Value Examiner® The Value Examiner is an independent, professional development journal dedicated to the exploration of value and its ramifications for consultants. It is the singular source of timely, technical, in-depth articles written for consultants by practitioners and academics at the top of their respective fields. QuickRead® Readers of the weekly QuickRead will come to appreciate it as a primary source for current news and information highlights in areas of interest to the financial consultant, and for immediate use in their practice. Journal of Forensic and Investigative Accounting (JFIA) The JFIA is an open access journal showcasing articles which focus on creative and innovative studies employing research methodologies; improve forensic accounting research skills, tools, and techniques; and stimulate discussion and experimentation in instructional means in the fields of forensic accounting and fraud. Around the Valuation World® The Around the Valuation World webcast is the next generation method of obtaining the latest updates, news, trends, and activity occurring in the rapidly evolving business valuation and financial forensics profession. Each month, a team of industry experts cover the profession’s leading publications and deliver an online summary of all you need to know. To learn more about these publications and how to subscribe, visit publications or call Member/Client Services at (800) 677-2009. Build Your Reputation Authoring Articles for the Industry's Publishing Juggernaut NACVA stands alone from other professional valuation organizations in its commitment to publishing. Write an Article, Earn CPE, and Gain Recognition Many of these publications give authors the opportunity to get published, earn valuable CPE credit, and share their expertise with their peers. To learn more on this opportunity, A PROFESSIONAL DEVELOPMENT JOURNAL for the CONSULTING DISCIPLINES on the cover in this issue … t h e v a l u e e x a m i n e r JULY | AUGUST 2019 3 12 21 JULY/AUGUST 2019 6 THE ROLE OF MANAGERIAL ABILITY IN FIRM VALUATION By Davit Adut, PhD; Marinilka Barros Kimbro PhD; Marc Picconi, PhD; and Philipp Schaberl, PhD In this article, the authors provide an explanation based on Ohlson (1995) and empirical evidence that managerial ability significantly influences the relationship between market value and accounting fundamentals, such as book value of equity, net income, cash flows, and accruals. LETTERS TO THE EDITOR In this issue, we have two detailed responses to articles that appeared earlier this year. Response to How Not to Use Duff and Phelps Data, May/June 2019 By Joshua Feldman, CPA, CFE, CVA, AIAF I read the article, How Not to Use Duff & Phelps Data. I agree with some of Grabowski, d’Almeida, and Jacobs (D&P) observations, but certainly not all, as my article (Rethinking Using Arithmetic Mean Returns in Calculating Small Company Risk Premiums, The Value Examiner, November/December 2018) would indicate. Response to Vasicek and Blume Betas: Back to the Future (Parts I and II) , January/February 2019; March/April 2019 By Prof. Dr. Leonhard Knoll, Prof. em. Dr.; Dr. h.c. Lutz Kruschwitz, Prof. Dr.; Dr. Andreas Löffler; and Prof. Dr. Daniela Lorenz In the first two issues of The Value Examiner in 2019, Diana Raicov and Richard Trafford offered a further contribution to the ongoing studies on the modification of CAPM and, in particular, on the empirical estimation of Beta. They compare different methods for estimating Beta and evaluate them according to the criteria of unbiasedness, stability, and predictive ability. We would like to make some comments on their procedures and results. Association News The Association News contains valuable information about the Association and its members. The Association News is free for members and non-members alike. The Value Examiner® The Value Examiner is an independent, professional development journal dedicated to the exploration of value and its ramifications for consultants. It is the singular source of timely, technical, in-depth articles written for consultants by practitioners and academics at the top of their respective fields. QuickRead® Readers of the weekly QuickRead will come to appreciate it as a primary source for current news and information highlights in areas of interest to the financial consultant, and for immediate use in their practice. Journal of Forensic and Investigative Accounting (JFIA) The JFIA is an open access journal showcasing articles which focus on creative and innovative studies employing research methodologies; improve forensic accounting research skills, tools, and techniques; and stimulate discussion and experimentation in instructional means in the fields of forensic accounting and fraud. Around the Valuation World® The Around the Valuation World webcast is the next generation method of obtaining the latest updates, news, trends, and activity occurring in the rapidly evolving business valuation and financial forensics profession. Each month, a team of industry experts cover the profession’s leading publications and deliver an online summary of all you need to know. To learn more about these publications and how to subscribe, visit www.NACVA.com/ publications or call Member/Client Services at (800) 677-2009. Build Your Reputation Authoring Articles for the Industry's Publishing Juggernaut NACVA stands alone from other professional valuation organizations in its commitment to publishing. Write an Article, Earn CPE, and Gain Recognition Many of these publications give authors the opportunity to get published, earn valuable CPE credit, and share their expertise with their peers. To learn more on this opportunity, visit www.NACVA.com/article. By Raymond Hutchins and Dave Miles, CPA, CVA, CGMA It is rare and notable when anything new hits the valuation industry. But that moment has come. Cybersecurity due diligence must now be part of any new business valuation. To ignore this new reality invites unnecessary credibility challenges, liability, and litigation. Cybersecurity risk applies to all businesses today, not just large enterprises. The authors discuss the overall impact on business valuation. CYBERSECURITY AND BUSINESS VALUATIONS: INCREASING VALUE AND REDUCING RISK FOR VALUATORS ACADEMIC INSIGHTS ROUND TABLE DISCUSSION: EDUCATING TOMORROW’S LEADERS With: Peter Lohrey, PhD, CVA, CDBV; Lari Masten, MSA, CPA, ABV, CFF, CPVA, CVA, MAFF, ABAR; Danny Pannese, MST, CPA, ABV, CVA, CSEP; Keith Sellers, CPA, ABV; and Richard Trafford, MSc, CVA, CFE, MAFF, FAIA, FCT, FHEA Moderated by Nancy McCarthy, Senior Editor, The Value Examiner Over the course of the year, this column is expertly written by Peter Lohrey. However, in the summer months, Dr. Lohrey takes a well-deserved break. Last month, our guest editor was Matthew Crane, DBA, ASA, CPA. This month, Dr. Lohrey has been joined by several members of The Value Examiner editorial board for a lively discussion on the challenges and needs of students who one day hope to enter the valuation profession. 27A PROFESSIONAL DEVELOPMENT JOURNAL for the CONSULTING DISCIPLINES EDITORIAL STAFF CEO & Publisher: Parnell Black Senior Editor: Nancy J. McCarthy Associate Editor: Lynne Johnson EDITORIAL BOARD Chairman: Lari B. Masten, MSA, CPA, ABV, CFF, CVA, ABAR, MAFF Past Chairman: Michael Goldman, MBA, CPA, CVA, CFE, CFF Ashok Abbott, MBA, PhD John E. Barrett Jr., MBA, CPA, ABV, CVA, CBA Gary W. Baum, MBA, CPA, CVA Neil J. Beaton, CPA, ABV, CFF, CFA, ASA Rod P. Burkert, CPA, ABV, CVA, MBA Lorenzo Carver, MS, MBA, CVA Wolfgang Essler, CVA (Germany) Richard W. Goeldner II, ASA, CBA, CVA Judith Heim O’Dell, CPA, CVA Andrew M. Malec, PhD Danny A. Pannese, MST, CPA, ABV, CVA, CSEP Kevin Papa, CPA, CVA, ABV Donald Price, CVA, ASA Angela Sadang, MBA, CFA, ASA Keith Sellers, CPA, ABV Richard Trafford, MSc, FAIA, FCT, CVA, CFE, MAFF, PGCLTHE, FHEA (U.K.) Sarah von Helfenstein, MBA, CVA Todd Zigrang, MBA, MHA, FACHE, ASA The Value Examiner® is a publication of: National Association of Certified Valuators and Analysts® (NACVA®) 5217 South State Street, Suite 400 Salt Lake City, UT 84107 Tel: (801) 486-0600, Fax: (801) 486-7500 E-mail: ANNUAL SUBSCRIPTION United States—$215 International—$255 U.S. Funds Free to accredited university libraries The Value Examiner® departments 4 JULY | AUGUST 2019 t h e v a l u e e x a m i n e r SUBMISSION DATES Issue Submission Dates Publish Dates Nov./Dec. Oct. 15 Jan. 1 2020 Jan./Feb. Dec. 15 Mar. 1, 2020 Mar./Apr. Feb. 15 May 1, 2020 May/Jun. Apr. 15 Jul. 1, 2020 ALL SUBMISSIONS The Value Examiner is devoted to current, articulate, concise, and practical articles in business valuation, litigation consulting, fraud deterrence, matrimonial litigation support, mergers and acquisitions, exit planning, and building enterprise value. Articles submitted for publication should range from 500 to 3,000 words. Case studies and best practices are always welcome. SUBMISSION STANDARDS All articles should be thoroughly edited and proofread. Submit manuscript by e-mail (in standard word processing format) to Nancy Include a brief biography to place at the end of the article and a color photo of the author. See authors’ guidelines and benefits pdf. The Value Examiner accepts some reprinted articles, if accompanied by appropriate reprint permission. REPRINTS Material in The Value Examiner may not be reproduced without express written permission. Article reprints are available; call NACVA at (800) 677-2009 and/or visit the website: Production: Mills Publishing, Inc.; President: Dan Miller; Art Director/Production Manager: Jackie Medina; Magazine Designer: Jackie Medina; Graphic Designers: Ken Magleby, Katie Steckler, Patrick Witmer; Advertising Representatives: Paula Bell, Dan Miller, Paul Nicholas, Chad Saunders Administrative Assistant: Caleb Deane. Mills Publishing, Inc., 772 East 3300 South, Suite 200, Salt Lake City, Utah 84106, (801) 467-9419. Inquiries concerning advertising should be directed to Mills Publishing, Inc. Copyright 2019. For more information please visit millspub.com. PRACTICE MANAGEMENT HOW IRS GUIDANCE MAKES IT IMPOSSIBLE TO COMPLY WITH SECTION 2801 IN TWO HOURS OR LESS By Fabio Ambrosio, JD, LLM, MBA, CPA, PFS, ABV, CFP, EA, CVA, MAFF, CFE, CGMA, In 2008 Congress added Section 2801 to the Internal Revenue Code. This section targets those individuals who, by relinquishing citizenship or resi- dency, could potentially escape the gift or estate tax. The author describes, how the mechanics of how Section 2801 have troubled the IRS for the last eleven years. PRACTICING SOLO: ZACHARY SHARKEY By Rod P. Burkert, CPA, ABV, CVA, MBA The author interviews sole practitioner, Zachary Sharkey , CFA, CPA, ABV, from St. Louis, MO. TELLING YOUR STORY: EDITORIAL BOARD MEMBERS AND CONTRIBUTORS TO THE VALUE EXAMINER SAY WHY THEY WRITE (PART II) Compiled by Nancy McCarthy, Senior Editor, The Value Examiner Kindra Hall, a motivational speaker and one of the keynotes at the June 8, 2019 NACVA and the CTI's Annual Consultants' Conference, presented a unique topic: “The Power of Storytelling on Your Journey to the Top.” In the March/April 2019 issue of The Value Examiner, contributors and board members gave insights into why they write. In this issue, we hear from sev- eral more professionals who write as part of their business life. 35 42 45 LITI G A TI O N I N S I G H T S PROPER TRANSFER-PRICING RATES BETWEEN U.S. AND PUERTO RICO: WAL-MART PUERTO RICO, INC. V. ZARAGOZA-GOMEZ By Kevin A. Diehl, JD, CPA For a valuation expert, Wal-Mart Puerto Rico, Inc. v. Zaragoza-Gomez, Civil No. 3:15-CV-03018 (JAF), 174 F. Supp. 3d 585 (2016), is gold. It first dis- cusses how to value transfers between related entities in the U.S. and Puerto Rico, an ongoing issue for many Fortune 500 companies expanding to mul- tiple states and internationally. The case is a good example of transfer-pric- ing valuations in today’s business environment in general. It does ultimately show that Wal-Mart utilizes the proper transfer-pricing valuation steps. 32A PROFESSIONAL DEVELOPMENT JOURNAL for the CONSULTING DISCIPLINES 6 JULY | AUGUST 2019 t h e v a l u e e x a m i n e r VALUATION /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// Cybersecurity and Business Valuations: Increasing Value and Reducing Risk for Valuators By Raymond Hutchins and Dave Miles, CPA, CVA, CGMA It is rare and notable when anything new hits the valuation industry. But that moment has come. Cybersecurity due diligence must now be part of any new business valuation. To ignore this new reality invites unnecessary credibility challenges, liability, and litigation. THE PROBLEM Cybersecurity risk applies to all businesses today. While valuators might think that cybersecurity applies only to larger enterprises, that is incorrect. The internet has created a playing field where size does not matter. Small businesses are using technology every day in completing their tasks, whether it is making a call on a smart phone or using e-mail. Many smaller business owners mistakenly believe that installing a firewall or using antivirus software is enough protection because their companies are small and do not have any “valuable” data. Cybersecurity breaches do not discriminate based on size. Cyber thieves look for opportunity. Small businesses are just as likely to have a cybersecurity breach as large ones—and they have far fewer resources to deal with one when it happens. In today’s world, cybersecurity (like accounting) is a business process that permeates every area of the business. Accounting is a part of the sales cycle; so is cybersecurity. Accounting is a part of the supply cycle; so is cybersecurity. Accounting is a part of the manufacturing process; so is cybersecurity. The point is simple. If a valuation professional gets a bad feeling about accounting, the value of the business is questioned. Likewise, if the valuation professional gets a bad feeling about the cybersecurity, the value should be affected. It is not required that valuation professionals be cybersecurity experts. Valuation experts are smart enough to understand that a risk exists, and it should be quantified or excluded from the valuation scope. Obviously, “it depends” comes into play. If the costs to mitigate or correct the breach are minimal, then there is less of a problem. However, if those costs are substantial, then the reverse is true. The first takeaway is exactly this: in the limiting conditions or scope limitation of the report, there should be a statement about cybersecurity. At the extreme end, a limiting condition should disclose that cybersecurity risk was not considered and that it may have a material impact on the value of the business. If cybersecurity is considered, the limiting condition can be softened to be in sync with the work performed. CYBERSECURITY: A KEY CONSIDERATION IN ANY BUSINESS VALUATION It is accepted that risk affects valuation, but only recently has it been recognized that cybersecurity is a pervasive risk. Once insurance companies started selling cybersecurity insurance, any arguments to the contrary were stilled. The fact that there is a burgeoning market for cybersecurity insurance is validation that cybersecurity is a real risk. It could be the subject of an entire article, but cybersecurity insurance is not a “get out of jail free card” for dealing with cyber risk. It is the last resort. And, cybersecurity insurance has many landmines of its own because it is a non-standard form policy. In today’s world, most businesses are forced to operate on top of an IT infrastructure that is inherently insecure. Not every business must use this IT infrastructure to move and store sensitive data, but for most businesses, that is the reality. In today’s world: The greater the dependence upon the IT infrastructure to operate the business, the greater the risk. If a business cannot effectively defend its IT systems and data from attack, then it is worth less than a business that can defend itself. It is the valuation professional’s job to define the impact of cybersecurity risk on that valuation. A PROFESSIONAL DEVELOPMENT JOURNAL for the CONSULTING DISCIPLINES t h e v a l u e e x a m i n e r JULY | AUGUST 2019 7 Nowadays, in addition to other valuation factors, a company’s value is directly related to the value of different types of data: •Intellectual property data •Client data •Application (software) data Additionally, that value is impacted by the amount of unmitigated cybersecurity risk, including: •Accessibility to that data •Security of that data • Safety and security of the systems required to use that data •Commitment to security by the people controlling that data If a valuator is not aware of these issues and does not ask questions related to these issues, then how can the valuator establish the company’s true value? And remember, nondisclosure of cybersecurity risk is no longer an option. CASE STUDIES Let’s look at several real-life examples that will demonstrate the point—some larger companies and then some smaller companies. Note that larger companies are more likely able to survive breach events because they have resources to deal with a breach, while smaller companies may have to file for bankruptcy protection or dissolve. Target Breach, December 2013 We will not discuss how the breach happened, but forty million credit cards plus an additional seventy million customer loyalty cards were stolen. Target paid nineteen million dollars in fines and another $154 million in legal settlements. Their 2016 annual report said that total financial cost to the company was $292 million—less a $100 million cyber insurance payment. The event occurred in 2013, and it is still not resolved; hard costs continue to accrue as of 2019. But what is the cost of being distracted by litigation for five to ten years? What is the unfunded liability? How has this impacted Target’s value? The stock price took a major hit immediately after the breach but has since recovered. This is because the target had major resources to respond that a smaller enterprise would not have. Verizon Purchase of Yahoo, 2013–2014 During Verizon’s due diligence process in purchasing Yahoo during 2013–2014, Verizon accidentally discovered a breach of Yahoo’s systems. The personal data of three billion account holders were exposed, but no credit card info was exposed. As a result of this breach, Verizon reduced the purchase price from $4.8 billion to $4.48 billion and demanded that Yahoo shareholders pay costs associated with remediation, loss of customers, business disruption, regulatory fines, legal costs, etc. Yahoo shareholders also had to set aside monies to cover retained liability associated with this breach. While the sale ultimately went through, as of 2019, the matter is still not fully settled. Marriott’s Acquisition of Starwood and Sotheby’s Acquisition of Home1 Both of these acquisitions occurred in late 2018, and in both cases, hackers had been operating undetected inside the IT systems of the companies being acquired for years. In both cases, the hackers were not detected until years after the acquisitions were completed. In neither case was there any hold-back for cyber issues nor any retained liability in the sale documents. The new buyers just had to absorb all negative impacts. Microsoft Purchase of a Small Company for Ten Million Dollars During the purchase, Microsoft did not perform good cybersecurity due diligence and discovered various cybersecurity network and application vulnerabilities after the sale had closed. Microsoft was forced to mitigate all the problems, and it cost them ten million dollars to do so. They paid double for the acquisition. The only saving grace was that there was no breach of the systems or public data involved, or it would have been worse. But from a valuation point of view, this was a disaster. 1 NOTE: on July 9, 2019, the U.K. Information Commissioner’s Office (ICO) has proposed a $124M fine against Marriott related to the acquisition of Starwood. “The GDPR makes it clear that organizations must be accountable for the personal data they hold,” Information Commissioner Elizabeth Denham said. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” 8 JULY | AUGUST 2019 t h e v a l u e e x a m i n e r A PROFESSIONAL DEVELOPMENT JOURNAL for the CONSULTING DISCIPLINES Deal Killed Because of Poorly Built Software This was a company acquisition that CyberCecurity LLC partner, Mitch Tanenbaum, personally witnessed. In 1996, the financial services company Mitch worked for purchased another company for three million dollars. The primary reason they wanted to buy the company was to get ownership of a key piece of software that was core to its business. But the buying company failed to request adequate access to that software to conduct proper cyber due diligence. When the software was originally developed, the developers did not use a secure software development lifecycle process. Therefore, the software application was completely not secure, impossible to maintain, and vulnerable to attack (by the way, the vast majority of legacy software in use today falls into this category). By the time the purchasing company discovered their error, the transaction had already been funded. It was determined that the cost to review the code, remediate the coding errors, and put into place a company-wide cybersecurity program, would have been one million dollars or thirty-three percent of the original valuation of three million dollars. In this case, the buying company was able to reverse the transaction and get their money refunded due to a threat of litigation. After that, the buyer was not willing to stay in the deal because they did not know if sensitive data had already been stolen and/or compromised by competitors. BENEFITS TO CLIENTS CONSIDERING CYBERSECURITY IN VALUATIONS When valuators include cybersecurity due diligence as part of your valuation process, you do the following: • Provide a more accurate valuation of the business •Help the client protect and increase the value of their business •Help the client better understand and protect their data •Help the client better understand and protect their money and assets BENEFITS TO VALUATORS BY CONSIDERING CYBERSECURITY IN VALUATIONS While the conversation may be unexpected and somewhat psychologically painful, benefits accrue to valuators as well. They are: •Reducing the risk and liability associated with valuations that do not factor in cybersecurity • Bringing more value to your clients •Increasing and protecting the value of your practice •Gaining a competitive edge HOW TO DETERMINE WHETHER CYBERSECURITY IS A VALUATION FACTOR While it is certainly true that virtually all businesses today are built upon an insecure IT infrastructure, not all businesses are vulnerable to attack and material financial loss. For example, restaurants that use secure third-party Point-of-Sale (POS) systems could be reasonably immune to attack if they do not directly collect and store customer data. Their IP (recipes and business processes) may be exposed and should be protected, but the remediation of this issue might be fairly inexpensive and fast. To determine if you have a cybersecurity risk, it is important to ask several important questions that help you decide if you are in danger of a cybersecurity breach. TEN CYBERSECURITY VALUATION TEST QUESTIONS 1. Does the company have sensitive data that it is responsible for protecting, and that might be of value to competitors, criminals, or foreign governments (intellectual property, client data, non-public personal information)? 2. Is the business in compliance with applicable state, federal, or professional cybersecurity/privacy laws or requirements (HIPAA, PCI, various privacy laws, and others)? 3. Does the business have a significant online presence? 4. Does the company develop and/or maintain online applications that collect sensitive information, or which are crucial to the operation of the business? 5. Does the company have a written cybersecurity program? 6. Is an executive-level employee responsible for this program? A PROFESSIONAL DEVELOPMENT JOURNAL for the CONSULTING DISCIPLINES t h e v a l u e e x a m i n e r JULY | AUGUST 2019 9 7. Would a cyber incident that affected the company’s reputation impact the value of the company? 8. Would the company be negatively impacted if their online systems (internal or public) were taken out of service for a week or a month due to a cyber incident? 9. What kind of cybersecurity insurance does the company carry? 10. Has the company ever had a cyber incident (virus, ransomware, business e-mail compromise, wire fraud, breach of NPI)? These ten questions should help to decide the extent of the risk cybersecurity present. If the risk is small or immaterial, it might be ignored. But if the risk is determined to be unquantifiable, then a third-party expert should be consulted. And if the risk is large and quantifiable, then the valuation professional should consider that fact in the development and reporting of a conclusion of value. CYBERSECURITY RISK IN DEVELOPMENT STANDARDS In the Asset Approach, can you identify intellectual property that needs to be protected? Is there a risk to computer systems and technology that would affect value? If there is a risk, and it is material, an expert might be sought out to determine how much it would cost to mitigate the risk and the value adjusted accordingly, i.e., treated as an off-balance sheet liability. The hypothetical buyer would do this. In the Income Approach, the discount rate should be adjusted or a direct adjustment to value made. Typically, when company-specific risk is assigned, different characteristics are listed. Based on the ten questions asked in an interview, cybersecurity should be one of the characteristics. Furthermore, if the costs to control and mitigate the risk are known, a direct adjustment to value would be appropriate. Perhaps, cash flow would be adjusted to show the ongoing cost of cybersecurity. The Market Approach becomes interesting. Did the comparable transactions consider cybersecurity risk? Does cybersecurity create a material change in the multiplier? As experts, the data you choose to use must be understood and used accordingly. The additional value of strong cybersecurity and the downward adjustments to value for SECURITY BREACHES IN THE NEWS In July 2019, just before The Value Examiner went to press, It was revealed that a hacker gained access to more than one-hundred million Capital One customers’ accounts and credit card applications earlier this year. According to the bank and the US Department of Justice, the accused hacker, Paige Thompson, gained access to 140,000 Social Security numbers, one million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information. In the same month, Equifax, the credit rating company, announced a settlement agreement with regards to its data breach, which occurred in September 2017. One hundred forty-seven million consumers were affected. Hackers were able to get access to a multitude of consumer private information, including names, Social Security numbers, dates of birth, credit card numbers and even driver’s license numbers. During the investigation into the breach, Equifax admitted the company was informed in March that hackers could exploit a vulnerability in its system, but failed to install the necessary patches. As part of the settlement agreement, Equifax will also pay $175 million in civil penalties to states, and a $100 million fine to the Consumer Financial Protection Bureau. According to experts in cybersecurty such as George Wrenn, CEO of Cybersaint, a company based in Boston, MA, these breaches are an example of when an organization does not practice integrated risk and compliance. According to Wrenn, challenge for many of these enterprises - especially those like Capital One that process such sensitive information - is ensuring that they have the infrastructure in place to be aware when a vulnerability like this exists or a control fails… There needs to be a greater awareness across the entire organization, and especially within the information security organization, that these kinds of breaches directly impact their customers as well as directly impact the business’ bottom line.” Nancy McCarthy, Senior Editor, The Value ExaminerNext >