
Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, I’m Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional providing practical privacy advice to overwhelmed companies. Hello, Justin.

Justin Daniels 0:37

Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.

Jodi Daniels 0:52

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our new book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. All right, now that I’m through the introduction, where I can’t even properly introduce myself, I can put on my funny hat icon. Good. I’ll talk seriously, with clown hair on my head.

Justin Daniels 1:44

It might make you more intelligent. You never know.

Jodi Daniels 1:47

Not when you’re looking at me. So, for everyone listening, we’re recording around Halloween time, where I might have had a meeting where I needed to wear a costume. So I wore my very colorful Halloween hats. I encourage you to check out the YouTube video. And I can’t speak and introduce myself with a straight face with Justin sitting over here smirking. All right, let’s have a fun guest. Let’s chat.

Justin Daniels 2:14

Yes, we have a great guest today, because now we’re heading into the C-suite to talk about privacy and security. So today we have Gary Vecchiarelli, Chief Financial Officer of CleanSpark Inc. He brings more than two decades of experience in finance and accounting with a specific focus on mergers, acquisitions and debt financing, and has held senior positions with multiple publicly traded high-growth companies. During his tenure in public accounting, Gary opened BDO’s Las Vegas audit practice; his clients have ranged in size from 50 million to over 1 billion, covering multiple industries. Gary, how are you today?

Gary Vecchiarelli 2:56

Alright, great. I feel a little underdressed.

Jodi Daniels 2:59

That’s okay, Justin didn’t even bring his costume either. His really good costume actually got ruined in the winter last year by our daughter, who thought it would be a great snow collector. So, Gary, Justin really highlighted a bit of your background. But we always like to ask people how their career evolved to their current role.

Gary Vecchiarelli 3:21

Thanks for having me. And congratulations on the book. Thank you so much. So it’s very exciting. So my background, like Justin said, you know, the first half of my career was in public accounting. So it was mainly focused on middle-market companies, which are typically high growth, very entrepreneurial. So many of those companies face different challenges than their Fortune 1000 counterparts. They’re often very focused on running the business versus worrying about the finance regulations or even privacy and security. And then the second half of my career went into private industry, and I personally worked for companies operating in the middle-market space. So I worked in a few different industries; living in Las Vegas, it’s a little hard to get away from gaming. So I have some gaming and hospitality background, and then joined CleanSpark here in December last year. So it’s been quite a progression, but I’m a CPA by trade, licensed in 2006. And so internal controls, financial reporting, Excel spreadsheets, all that good stuff is near and dear to my heart.

Jodi Daniels 4:29

I started my career that way. I started at Deloitte. Oh, did you? Financial statement auditor? I did. I had my three fancy letters. The CPE to keep up, like, I couldn’t keep up with all of the training for that and for privacy, I had to pick one. So I decided to pick the current profession when I moved over to privacy. There you go.

Justin Daniels 4:51

So, from a CFO perspective, Gary, how do you view managing security from a financial management perspective?

Gary Vecchiarelli 4:57

Great question. So, um, you know, from a financial perspective, it’s important really to control risk, right? So it’s less about the actual money and being part of a budget, right. It’s about how you’re laying out costs and what you’re doing to prevent events happening in the future, whether it be a data breach, or a hack, or something like that. So, from my perspective, it’s really a lot of risk management. When you look at the various internal control frameworks that are out there, one of which is called COBIT, which is based on the COSO internal control framework, items like COBIT really exist to help provide a framework to prevent fraud and hacks and things like that. So from my perspective, it’s almost kind of like insurance. It’s important to have your firewalls and internal controls and testing and recovery plans, and all of that in place, really, to make sure that you’ve got a tight ship to not take on any water and prevent anything unauthorized from happening. Guys, I’m just gonna finish by saying, you know, that there are obviously huge financial consequences if there’s a breach, right? Not just from a liability perspective. But even something as simple as Social Security numbers being breached, and the cost of offering monitoring to those users who had their information accessed, could potentially be hundreds of thousands, or millions, of dollars, as we’ve seen with, you know, major cases over the last decade or so. So again, from the CFO perspective, a lot of it is risk management, and making sure that we’re being proactive versus reactive.

Justin Daniels 6:46

Thank you for that. So, you know, I thought about this, but since you’ve got experience in gaming and in some other very wide variety of industries, how does the industry of your company play a role in how you think about privacy and security?

Gary Vecchiarelli 6:59

Yeah, so it’s essential. So I’ll draw a comparison from my current company. So CleanSpark is one of the world’s largest publicly traded stocks right now. And we don’t have customers per se. So we don’t have a lot of confidential information. Most of the confidential information that we have really relates to Social Security numbers of our employees, maybe some tax or identifying information for some of our vendors, and a lot of the Bitcoin transactions. In fact, all the Bitcoin transactions that run through our machines are encrypted, so we don’t know who’s transacting, in what amount, and where it’s going from or to. That’s much different than, let’s take, the casino gaming environment, where those environments have a lot of information. Not only do they have a large number of employees, with the Social Security numbers there, but they also have the tax information of all of the players because of the reporting requirements. There are also a lot of vendors there; the casinos are required to do due diligence on many of the vendors that they work with. So there can be confidential information there. So it absolutely plays a role. And really, the industry is really going to define what the scope and what the risk is. And in some industries, it’s gonna be a lot greater, with financial institutions, gaming companies, things like that. Less so for us. But nonetheless, everyone needs to worry about privacy and security in some regard, because the risks really do vary by industry.

Jodi Daniels 8:29

So you highlighted how a financial department has a lot of personal information. And what I find in talking to companies is they actually never think about the financial department; they always focus on the core operations, marketing, HR, where personal information is. But finance departments have that information, and as a result, finance departments tend not to think about privacy and security as much as they should. So why do you think it is that these departments continue to struggle with wire fraud that often originates from a phishing email?

Gary Vecchiarelli 9:07

Great question. So we all get those emails, right? Like, I’ve gotten a text from our CEO multiple times from local numbers, you know, saying everything from, hey, I need you to wire money to this company, versus, I need gift cards. And so they’re out there; we’ve all had those types of emails. But I think that ultimately it comes down to companies doing a few things: one, having a good internal control environment; two, communicating and training our people. These scammers have gotten really sophisticated about social engineering, and in going for the people that might be a little scared to question the CEO. Because why not go after the AP clerk who’s, you know, working on an hourly basis? They don’t want to question the fact that the CEO might be number one. But in an internal control environment where you have properly designed controls, and they’re working efficiently, it would never happen. Let me give you an example. Even if our CEO were to ask someone to buy gift cards in any amount, that would require something called a purchase requisition. So, in an internal control environment, at least the one that I’m used to and that I like to set up, having those purchases and approvals approved in advance of actually incurring or committing the company is an extra step to go ahead and prevent things like this. Now, if it’s $25, maybe it ends up being a de minimis amount based on an authorization matrix you have, because the more material an amount is, maybe the more signatures you need. Having a basic process where you’ve got to complete a form, what am I going to charge it to, what account is it going to go to, how are we going to pay for it, and making sure that the proper people approve it in advance, is one way that it can be prevented. In growing companies, at times, they may not have built out internal control frameworks. And as a public company, we’re subject to the provisions of Sarbanes-Oxley. And we adhere to the COSO standards.
And so COSO standards and a framework really help reduce the probability that any fraud or really material misstatement would happen. But again, in these entrepreneurial, closely held companies, sometimes the only internal control is the owner gets the bank statements at his or her house, and reviews them after the fact. And, like I said in the beginning, a lot of these middle-market or small companies are so focused on being entrepreneurial and growing that they just don’t have sophisticated controls in place. But again, some basic controls, like approving purchases before they happen, is one way to really prevent a lot of that wire fraud that we’re seeing now.

Jodi Daniels 11:46

The Sarbanes-Oxley work that you just mentioned harkens back to when I left public accounting; I went to implement Sarbanes-Oxley at a very large organization here in Atlanta. So I’m very familiar with the idea of internal controls. And Gary, you talked about the struggle for the smaller companies. And what I wanted to ask you is, since you’ve seen companies from 50 million to billions, where is a good place for a company to start realizing it’s time for us to put in these internal controls? I mean, all of us sitting here might say, at the very beginning, absolutely, you should do that. But for the person who might need a little bit of extra convincing, is there a time that you’ve seen where there’s been an event, there’s been something that’s the trigger point to get them to take it seriously?

Gary Vecchiarelli 12:40

Yeah, so I would tell you, for all businesses, the time to do it was yesterday. It just depends on what the scope is. So if you have a checking account, you should have some minimal controls, in some regard. But then as you become more sophisticated, and you have more users and more lines of business, and more ways you’re facilitating payments or receiving bills, you need to scale with them. So I’d say every business needs to have some basic control. And the one that I’d said earlier about the, you know, the president or CEO receiving the bank statements was one of the very basic controls where there’s a bit of a segregation of duties. And that’s really more of a detective control than a preventative control. And I say that because you’d only be able to detect it when your statement comes out, right? So fraud happened on October 2, but you don’t get the paper statement to your house until November 10; you’re now more than 30 days past that. And it may be unlikely that you’re able to do anything about that. And so I think that a lot of businesses really need to have a preventative approach, really do a risk assessment, right? Hey, where’s our risk? And what are some potential ways that people could commit fraud in the company? And then address controls that are appropriate. But as you know from your experience, right, a lot of us have PTSD from first implementing SOX, because everyone’s hair was on fire. Well, I don’t have any hair anymore. But, um, everyone’s hair was on fire first trying to figure out, okay, what do we need to do to comply with SOX? And then how do we do that to where we don’t slow down the operations of the business? And I think that’s the toughest thing for even small business owners: how can you implement smart controls without really preventing the company from growing or slowing down operations?
One of the criteria that makes small businesses really effective is that they’re nimble, right, and that they can react in the market very quickly. But if internal controls get very complex, the internal control structure is burdensome and actually might slow things down. So it’s really a bit of striking a balance, and finding out what are your risks, and then just coming up with some smart controls that not only detect but also prevent fraud.

Jodi Daniels 14:52

Thank you for sharing. I feel like I do the same thing all day, except instead of financial controls, I’ve changed it to data.

Justin Daniels 15:00

So Gary, once again, it’s interesting you talk about your role in the gaming and other industries. And obviously, you have to allocate some budget towards privacy, cybersecurity, these controls. And so how does managing this risk impact financial decisions or, really, I guess, your overall business goals? We’ll start there.

Gary Vecchiarelli 15:22

Yeah, so I’ll state that it’s not cheap, basically, to do it right. And again, the more sophisticated your business model and operations are, the more you’re gonna have to allocate in your budget. Us, again, I’ll draw a comparison. CleanSpark, for example, doesn’t have a lot of the risks that maybe some other traditional businesses have. But we’re still in the tech space; we all have miners connected to the internet, and there are some concerns about, you know, individuals getting into our network and either shutting down miners or having some other negative effects on the operations of the business. So when we sit back and we do a risk assessment, we really have to figure out, okay, what are the potential areas that we could be attacked? And where are we at in terms of what defenses we’ve put up? And to what extent do we want to invest in further software or hardware or even insurance? And I’ll tell you, talking about insurance, for example, cyber insurance has gone through the roof recently, because of a lot of the wire fraud and a lot of the data and privacy issues that we’re seeing recently. So it’s almost cost prohibitive for companies, and you can’t rely on insurance anymore for your cyber risk. And a lot of cyber policies require you to have strong controls in your IT area anyway. And so to me, I think that if I’m looking at managing my risk, I want to make sure I’m investing in the very basic controls, which is firewalls, encryption, and training my people, right, training team members. And having clear and consistent communication amongst team members is important, so they always approach transactions with a healthy set of skepticism. But then you’re also covering your bases on the boogeyman that you don’t know is going to enter, you know, that might enter the door at night when no one’s in the office, right?
You’ve got to worry about the international hackers coming in and doing things where you might not see it until after the fact. So to kind of boil that down to, you know, really one point: you really can’t spend enough money on cybersecurity. And it really depends on a lot of your risks.

Jodi Daniels 17:38

What are your thoughts on that?

Justin Daniels 17:41

What are my thoughts, Cyber Man? Mr. Cyber Man? I’m a big fan of what Gary does; I’ve seen it firsthand. So, I just think it’s interesting, Gary, how if we had this conversation and you were the CFO for, like, a gaming company, how you would view the cyber risk with all of the attendant risk with the data and their business processes, and how it’s so completely different with a Bitcoin mining operation, where you really don’t have customers. The magnitude of risk is so different. And I think people don’t realize that cyber in the budget, and what you have to protect, is just not a one-size-fits-all proposition.

Gary Vecchiarelli 18:17

That’s absolutely right. And you can’t rely on insurance, because I think it’s kind of like, let’s think about property and casualty insurance, for example, right? Just because you have a business, you say, no, I’m just gonna get P&C insurance just in case there’s a fire, doesn’t mean that you can’t take common sense steps, like, let’s not keep cans of gasoline inside the warehouse, right? Let’s make sure things are permitted. Let’s make sure we have a sprinkler system. All that common sense type stuff still needs to happen. You can’t just rely on insurance, because insurance may not cover anything that happens. And frankly, if your business is down, you know, it’s just gonna cause all kinds of problems. So, again, you’ve got to take some common sense steps, and then maybe overlay it with insurance. Maybe that’s part of your budget strategy. But you’re right. There isn’t a one-size-fits-all. But it is a continual assessment business owners need to make.

Justin Daniels 19:12

And I would like to add one other precaution, which is making sure that plastic does not get near the heating element in the dishwasher.

Jodi Daniels 19:21

He says, with a dishwasher running and a potential lost plastic item from one child’s drinking cup. Indeed. Gary, taking this risk a step further, how does all of this connect when you’re identifying key vendors? And so, thinking about, you know, a financial decision, you have different size vendors, you have large vendors, small vendors; how do you incorporate the cyber risk into those purchases?

Gary Vecchiarelli 19:49

So, to clarify the question a little bit, is it the risk of selecting the right vendors, or transacting with them?

Justin Daniels 20:01

I think what we’re trying to get at a little bit, Gary, here is, when I think about mining operations, if somebody’s working on the company website, they might get one level of concern. If somebody wants to be a host in the Bitcoin mining industry, where they’re gonna be hosting other people’s equipment, that might require a whole different level of assessment of the cyber risk, and how that could impact what you’re willing to spend on the transaction, that kind of thing.

Gary Vecchiarelli 20:27

Right? Yeah. So there’s a lot to unpack there whenever you’re dealing with parties. And I would read through it not just with vendors, which would include, you know, contractors, or consultants, or anyone that’s helping on a project, but also your full-time employees and people in house. But I think ultimately, user access is at the top of the list, right? So if you’re giving someone access to a sensitive part of your network, you need to make sure that that access is approved by the appropriate individuals, and it’s tight. So for example, if you have a consultant come in, and they need access to your mainframe or server for a period of time, and you know it’s only going to take a week to do that, you shouldn’t give them perpetual access and just give it to them, and then they’re done with the project, and you never go back and revoke it. So that’s one area that really can cause some exposure for people, with regards to user access. So upfront, you want to make sure that the access is approved by the appropriate individuals, there’s a time limit, and then there’s a periodic review. So maybe it’s every quarter or twice a year, you go through and you say, okay, let’s look at this system and who has access to it, and figure out whether the access is appropriate, either read or write, or if they should even have access at all. So that’s where I would go with that. It’s really having some control around the access of really anyone, vendors or not.

Jodi Daniels 21:49

So the theme of this episode is controls.

Gary Vecchiarelli 21:54

Absolutely, absolutely. And I’d encourage anyone to really look up the COSO Framework; it makes for great bedtime reading. You know, there are five areas in COSO that it talks about, you know, what really makes this framework a near-bulletproof framework. And by really implementing at least parts of the COSO Framework, I mean, look, us being a publicly traded company, we’re required under Sarbanes-Oxley to have an effectively designed and operating control environment, and pretty much all public companies tie their controls to the COSO Framework. But you can learn a lot of good lessons in there, because the way it’s structured is just fantastic. It’s a great way to detect or prevent issues. But internal controls are absolutely the foundation of anything here in terms of preventing any privacy or data leaks.

Jodi Daniels 22:47

So, with all of this privacy and security risk knowledge that you have, we always like to ask everyone: what is your best privacy or security tip that you might offer at, you know, your local party? Maybe it’s a Halloween party coming up.

Gary Vecchiarelli 23:02

Yeah, that’s right, and privacy and security is going to be a big topic. But yeah, I’m sure it is. A few things. One is changing passwords often. That’s very important. And two, I’m gonna have a tip, actually. I’ve got this on my desk; I have to show you this, right. So I’m in the Bitcoin business, and I actually buy Bitcoin. And so what I did was I bought these orange dog tags; I have a whole bag full. And what I’m doing is, when I take my Bitcoin and I put it in cold storage on a Ledger, I need to secure my 24-word passphrase key. And it is recommended not to have it stored digitally, or saved anywhere on a piece of paper; it’s recommended, actually, to etch it in metal. So what I’m gonna do is I’m gonna buy a Dremel, and I’m going to etch the words on this and put it in a safe deposit box, in case there’s a fire or anything. And, obviously, with metal, they’d have to get access to the safe deposit box. So that’s something recent I came across that I thought was genius. Because even though you might pull down your crypto to cold storage, if you lose that cold storage, you can typically recreate it with a new cold storage device if you have the passphrase. So I think that’s a good privacy tip, at least for people that are in crypto.

Justin Daniels 24:23

And Gary, would you mind for our audience explaining to them what cold storage is?

Gary Vecchiarelli 24:27

Sure. Yeah, so cold storage is basically taking it off of what’s called a hot wallet. So for example, most people are familiar with Coinbase, right? So if you go and buy Bitcoin or crypto on Coinbase and leave it in the Coinbase account, that’s considered a hot wallet. And it’s hot because you can go in and very quickly go ahead and buy or sell from your wallet. But what a lot of people are doing is they’re taking it off of the exchanges and putting it into a cold wallet that’s not powered. So it’s basically a USB stick, and you take that crypto and your keys off of Coinbase and put it on this stick, and you can go ahead and secure it off the network, so to speak. And you do that for a bunch of reasons, you know, one of which may be, if there’s a data breach that you can’t control because someone gets into Coinbase, because they didn’t have the proper internal control structure, and takes your crypto, you very well might lose your balances. And then also, there’s a lot going on with bankruptcy proceedings to see whether, if you have crypto in a hot wallet, you end up being an unsecured general creditor, which also might prevent you from getting your crypto. So cold storage is the best way to go. If you’re buying and HODLing, as they say in the Bitcoin world, you’re buying Bitcoin and just planning on keeping it for the long term, cold storage is the way to go. And that’s one way to make sure that no one can hack you. So that’s my, I’d say that’s my privacy and security tips.

Justin Daniels 26:01

I think cold wallets is a cool Halloween one.

Jodi Daniels 26:05

Now you’re prepared.

Justin Daniels 26:07

Thank you for that explanation, Gary. So when you’re not being a CFO and giving great explanations about cold storage and Bitcoin, what do you like to do for fun?

Gary Vecchiarelli 26:18

Great question. So I work a lot, obviously; we’ve got a lot going on at CleanSpark. But I’ve got two small children, two girls aged nine and six right now. And I love my life and love spending time with family, getting outdoors. So, you know, we’re on computers all the time; like, I’ve got the Bitcoin chart up right now, so I see all the transactions happening. And I’d really like just to disconnect and have a good cup of coffee in the woods and enjoy nature with family. So that, to me, is how I spend my downtime.

Jodi Daniels 26:51

It just sounds so nice. Walking with a hot cup of coffee, and it’s brisk outside. That sounds like so much fun.

Justin Daniels 26:58

And there are actually some really cool places to hike and whatnot outside of Las Vegas. The last time I was there, I was looking out beyond the Strip.

Gary Vecchiarelli 27:06

There are some really cool places. There’s a lot basically in Vegas, you know, off the Strip, right? We’ve got Red Rock, we’ve got the Grand Canyon not far from us, and we like to go to some Utah mountains; it’s elevation 1000-plus up there to get some snow, and then we can come back down and not have to worry about shoveling our driveways.

Jodi Daniels 27:27

Gary, we really appreciate your time and the thoughts that you’ve shared today. If people would like to learn more, where should we send them?

Gary Vecchiarelli 27:33

So you can read more about CleanSpark and what we’re doing at cleanspark.com. Or you can follow me on Twitter, a professional Twitter page where I talk a lot about crypto and Bitcoin and accounting and financial reporting, and maybe a little bit on internal controls. My handle there is @garyvec. That’s garyvec.

Jodi Daniels 27:53

Awesome. Well, thank you so much and we’ll be sure to include that in the show notes.

Gary Vecchiarelli 27:58

Excellent. Thank you, I appreciate the chat.

Outro 28:04

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.