Social Security Risk Management – Congress and President Get a “D” and a NIST Tier 1 or 2 Rating

I’m going to rant a little in this “fun” post. Another week, another article about social security going broke, about tweaks to “fix” it by payroll tax increases, cutting benefits, taxing benefits, and/or raising the age to receive benefits. The following is another disheartening article about the doom of social security, about beginning in 2017 and thereafter new increases in the age to receive benefits, that even those reductions in benefits won’t “fix” social security, and that those increases originated way back in 1983.  For the article Click Here.  The point is, 1983 was over 30 years ago, and even before that it was known that social security was failing. The options are not good for anyone who has paid for social security for all of their working life, or even just for a significant number of years, for younger people (in their 20’s and 30’s) who are new or relatively new to the mandatory social security payment program, or for people who are somewhere in the middle (in their 40’s). I suspect that few people would voluntarily pay into such a system if they were allowed to vote on it today.

I don’t fault elected representatives who speak up and propose new fixes, because social security has to be fixed. It’s just that none of the options are good. I have already lost when you consider the amounts that my employers and I have paid into social security over my working life. And that was money year after year that could have been better used for many other things.

The President is the CEO of social security. Congress, the Senate and the House, are the Board of Directors. That means whomever is in office at the time, and in the case of the social security system, that means year after year, decade after decade.  Let me just say that if social security was a company the CEO and the Board would all be fired, or the program would have been terminated or really fixed or altered decades ago.

Have you seen the NIST – National Institute of Standards and Technology – Framework for Improving Critical Infrastructure Cybersecurity? The Framework originated in 2014, as a U.S. Government recognized outline for risk management steps in cybersecurity. The following is an August 31, 2014, blog post discussing the Framework, Click Here. You will note that the Framework includes a Tier rating system for how developed an entity’s risk management system is, Tier 1 being the worst and Tier 4 being the best. Below I have copied and pasted the four Tiers. Based on the NIST Tier descriptions, I rate social security system design and risk management at Tier 1, or perhaps a Tier 2 rating. You give it your rating. Social security is not even close to the Tier 4 rating that it should have given that payments into social security are forced on people, the astronomical amount of money that is withheld and paid into the system each pay period, and how people really are entirely dependent on the honesty and integrity of the system’s operation, management and risk management, including the honesty and integrity of the President as CEO and Congress as the Board. Below are the NIST Tiers. Enjoy.

Dave Tate, Esq. (San Francisco/California).

NIST Tiers:

Tier 1: Partial (first and lowest level of risk management practices) – Risk management practices are not formalized.  Risk is managed on an ad hoc and sometimes reactive manner. There is limited awareness of cybersecurity risk at the organizational level.  An organization may not have the processes in place to participate in coordination or collaboration with other entities.

Tier 2: Risk Informed (second level of risk management practices) – Risk management practices are approved by management but may not be established as organizational wide policy.  The organization knows its role in the larger ecosystem but has not formalized its capabilities to interact and share information externally.

Tier 3: Repeatable (third level of risk management practices) – The organization’s risk management practices are formally approved and expressed as policy. There is an organization-wide approach to manage cybersecurity risk. The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.

Tier 4: Adaptive (forth and highest level of risk management practices) – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity is part of the organizational culture and evolves from an awareness of previous activities, information share by other sources, and continuous awareness of activities on their systems and networks. The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.

* * * * *


Addressing Cybersecurity Oversight in Audit Committee Charters | JD Supra

Cybersecurity continues to emerge as a key risk that is attracting the attention of regulators and boards of directors. Companies take different approaches regarding how the board…

Click on the following link for the discussion:

Click on the link, which contains a short JD Supra update from Wilmer Hale discussing KPMG’s 2015 Global Audit Committee Survey. The survey is long and contains useful information (over 80 pages). I am making this post because of the discussion about audit committees being given responsibility for cybersecurity oversight. That’s fine, but I suggest that the overall board still must be actively involved in this oversight, you need to be sure that the audit committee members are qualified and have the time to take on this area of oversight, and the audit committee members and other stakeholders should have a good understanding about just what the oversight involves and how the committee should go about that oversight.

As we all know, cybersecurity is an important area of oversight that can significantly effect all businesses. Enjoy.

Dave Tate, Esq. (San Francisco/California)

My other blog: trust, estate, conservatorship and elder abuse litigation,