In Sync: Network Time, by Ben Rothke


Upload: ben-rothke

Post on 11-Nov-2014


DESCRIPTION

Synchronizing time is a fundamental business and technology decision that should be an integral part of an effective network and security architecture.

TRANSCRIPT


www.wallstreetandtech.com, March 2007, p. 41

In 2006 hundreds of companies were implicated in stock-option timing scandals, and a number of executives were indicted for illegally backdating stock options. While greed is the primary reason for backdating, it is abetted by weak enforcement of corporate governance that should prevent the practice in the first place. Often, there also is a lack of technical controls on corporate networks to deter such activities.

Options backdating is the dating of employee stock options with an earlier date than the actual date of the grant. The objective is to choose a date on which the price of the underlying stock is lower than the current price, resulting in an instant profit to the grantee. When dealing with tens or hundreds of thousands of shares, and price differentials in the range of $50 a share, the amount of illicit gain can be immense.

This time distortion results not only in the value of the option being much greater to the employee receiving it, but in a correlative detriment to shareholders by way of stock price dilution. While backdating of stock options is not necessarily illegal if the grantor of the stock options properly discloses the backdating, it remains to be seen whether some other fiduciary duty has been breached.

Most of the legal issues arising from backdating are a result of the grantor falsifying documents to conceal the backdating. According to attorney Louis Brilleman, counsel at Sichenzia Ross Friedman Ference in New York, a law firm specializing in securities matters, backdating is illegal under most circumstances. The practice usually leads to the creation of fraudulent documents through the disclosure of misleading corporate earnings and the improper reporting of the option grant under applicable tax rules, Brilleman explains.

Options backdating has been going on for many years. The rules changed in 2002 with the passage of Sarbanes-Oxley, but even that did not stop some companies from continuing backdating practices. Accurate timing of transactions — stock or otherwise — is fundamental to any SOX report. Further, beginning in August 2002, and pursuant to SOX and other securities laws, the SEC started requiring companies to disclose their stock-option awards within two days of options grants.

With new regulations in place, backdating now is a regulatory issue, and, as such, companies can no longer bury their heads in the sand and hope no one notices. It has become clear that the element of time is now an internal control. Any weaknesses in tracking the time of stock-option grants must be investigated, reported and corrected.

Companies now must take the necessary steps to ensure that any backdating will be detected. Besides the development of policies, procedures and standards around backdating, there are technical solutions that can be implemented to support such an endeavor.

Time Synchronization Is Imperative

These technical solutions center on time synchronization. Companies must proactively create a time-synchronization mandate and ensure that it is correctly deployed throughout their IT environments. Fortunately, creating such a time synchronization infrastructure is relatively easy, and the ROI on such an undertaking can be significant.

As time-synchronization hardware is a needed investment, properly communicating the need to management is crucial to getting funding for the technology. Synchronizing time is a fundamental business and technology decision that should be an integral part of an effective network and security architecture.

The need for this is evident in that an enterprise information network and security infrastructure is highly dependent on synchronized time. In addition, there also are regulatory issues that require correct synchronized time — from NASD OATS, FFIEC and GLBA, to Visa CISP and many more.

All of these regulations recognize that correct time is critical for transactions across a network. Many events on the network need the correct time to initiate jobs, complete transactions, etc. Correct time is critical for billing systems, authentication systems, manufacturing, forensics and more.

Common to all of these regulations is the requirement that financial transactions and changes to electronic records be accurately time-stamped. To provide accurate time stamps, all network devices must be synchronized relative to national and international time standards.

INDUSTRY VOICE >>> Stock Options Backdating

Ben Rothke, CISSP, Senior Security Consultant, INS

>>> About the Author

Ben Rothke is a senior security consultant at Mountain View, Calif.-based INS and the author of “Computer Security: 20 Things Every Employee Should Know” (McGraw-Hill, 2006). You can contact him at [email protected].

At the application and operating system level, most applications and networking protocols require correct synchronized time. Vendors such as Microsoft, Cisco, Oracle, Red Hat, Novell and Baan all state that their systems must be configured to an authoritative time server for proper and secure use.

Time servers cost from $2,000 to $10,000, depending on the level of accuracy and redundancy required. Time servers, which take but a few hours to install, provide additional benefits, such as reduced downtime and the ability to mitigate legal exposure.

Options backdating is the problem, and time synchronization is the solution. But getting from solution to implementation takes proper planning and project management. With that, the following five steps can be used as a high-level framework for implementing synchronized time in your organization.

Step 1: Risks and Requirements

The first step is to formally determine the risk to your company if you do not have synchronized time. Don’t underestimate the risks; if you don’t practice due care pertaining to the time on your network system, you can be legally liable for negligence and held accountable for the ramifications of that negligence.

Next, determine how accurate your clocks need to be. This can be anywhere from milliseconds to a few seconds. Finally, advise management of the risks of nonsynchronized time and get their approval for the purchase of time-synchronization equipment and the initiation of a time-synchronization project.

Step 2: Hardware and Software

Start meeting with vendors of time-synchronization equipment to determine the solution that best fits your organization and specific needs. Some of the leading vendors in this space include Spectracom, Symmetricom and EndRun Technologies.

Step 3: Policy

If policies for time synchronization are not in place already, work with the information security department to ensure that time synchronization becomes part of the global enterprise information technology policy. Time synchronization must be made part of the corporate IT systems and security policies.

Without a policy, there will be no impetus for staff to achieve accurate, synchronized time. Often, a simple policy, such as, “Time synchronization to an accurate time source is required on all enterprise network devices,” is a sufficient first step.

Step 4: Architecture

The first step to architecting an accurate time-synchronization solution is to establish a network time source, known as a reference clock, for traceability to national and international standards. A typical reference clock would use GPS (Global Positioning System) to receive time from satellites. Second, create a downstream topology for all network components to use the reference clock as the network’s master source of time.

Step 5: Auditability

Steps 1 through 4 are important from a technical perspective. But even with the most sophisticated timing device, you still need to have independent and auditable time controls in place. As part of this, you must be able to prove to auditors and regulators that the time on any monitored system was correctly synchronized with a specified time source.

Also, it is important to note that time synchronization will not magically cure a regulatory material weakness leading to an internal controls problem. Those in control of time synchronization still can manipulate time and/or data. It becomes an issue, at least in part, of taking control over this material weakness away from insiders. With that, it is imperative to ensure that insiders are not engaging in any time-based data manipulation.

Also, if something goes to court, you need to prove that all your devices on your network are synchronized and that all transactions that took place are able to provide an accurate, authenticated time source. This requires that all logs are handled within the context of digital forensics and staff members are following the appropriate rules of evidence.
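One way to make the Step 5 controls concrete, as an added example that is not part of the original article: an independent monitor checks each host's recorded time source and clock offset against policy and appends the result to a hash-chained log, so that a later edit to any entry is detectable. The hostnames, the approved source name, the 50 ms tolerance and the sample measurements are all assumptions constructed for illustration.

```python
import hashlib
import json

# Assumed policy values (hypothetical): approved reference clock and tolerance.
APPROVED_SOURCE = "gps-ref-01.example.internal"
MAX_OFFSET_MS = 50.0

# Constructed sample measurements, as an independent monitor might record them.
SAMPLES = [
    {"host": "trade-db-1", "source": "gps-ref-01.example.internal",
     "offset_ms": 1.8, "utc": "2007-03-01T14:00:00Z"},
    {"host": "hr-app-2", "source": "gps-ref-01.example.internal",
     "offset_ms": 312.0, "utc": "2007-03-01T14:00:00Z"},
    {"host": "mail-gw-1", "source": "pool.example.org",
     "offset_ms": 4.1, "utc": "2007-03-01T14:00:00Z"},
]

def evaluate(sample):
    """Return the list of policy violations for one measurement."""
    problems = []
    if sample["source"] != APPROVED_SOURCE:
        problems.append("unapproved time source")
    if abs(sample["offset_ms"]) > MAX_OFFSET_MS:
        problems.append("offset exceeds tolerance")
    return problems

def _digest(prev_hash, body):
    # Each entry's hash covers the previous hash plus a canonical JSON body.
    payload = prev_hash + json.dumps(body, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_log(samples):
    """Append each result to a hash chain so later edits are detectable."""
    log, prev = [], "0" * 64
    for s in samples:
        body = dict(s, violations=evaluate(s))
        prev = _digest(prev, body)
        log.append({"body": body, "hash": prev})
    return log

def verify_log(log):
    """Recompute the chain; return the index of the first bad entry, or -1."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if _digest(prev, entry["body"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

if __name__ == "__main__":
    log = build_log(SAMPLES)
    for e in log:
        print(e["body"]["host"], e["body"]["violations"] or "ok", e["hash"][:12])
    print("chain intact:", verify_log(log) == -1)
```

The chain only supports the insider-control point above if the latest hash is regularly recorded somewhere the time-synchronization administrators cannot alter.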

Conclusion

The backdating fiasco demonstrates that the need for synchronized time is a crucial business and technology requirement. As such, it is an integral part of an effective network and security architecture. Ensuring accurate time is relatively inexpensive and offers a significant ROI. And it is a great way to stop your company from getting negative press — not to mention to keep your management team from being indicted.
