In 2006 hundreds of companies were implicated in stock-option timing scandals, and a number of executives were indicted for illegally backdating stock options. While greed is the primary reason for backdating, it is abetted by weak enforcement of corporate governance that should prevent the practice in the first place. Often, there also is a lack of technical controls on corporate networks to deter such activities.
Options backdating is the dating of employee stock options with an earlier date than the actual date of the grant. The objective is to choose a date on which the price of the underlying stock is lower than the current price, resulting in an instant profit to the grantee. When dealing with tens or hundreds of thousands of shares, and price differentials in the range of $50 a share, the amount of illicit gain can be immense.
This time distortion results not only in the value of the option being much greater to the employee receiving it, but in a correlative detriment to shareholders by way of stock price dilution. While backdating of stock options is not necessarily illegal if the grantor of the stock options properly discloses the backdating, it remains to be seen whether some other fiduciary duty has been breached.
Most of the legal issues arising from backdating are a result of the grantor falsifying documents to conceal the backdating. According to attorney Louis Brilleman, counsel at Sichenzia Ross Friedman Ference in New York, a law firm specializing in securities matters, backdating is illegal under most circumstances. The practice usually leads to the creation of fraudulent documents through the disclosure of misleading corporate earnings and the improper reporting of the option grant under applicable tax rules, Brilleman explains.
Options backdating has been going on for many years. The rules changed in 2002 with the passage of Sarbanes-Oxley, but even that did not stop some companies from continuing backdating practices. Accurate timing of transactions — stock or otherwise — is fundamental to any SOX report. Further, beginning in August 2002, and pursuant to SOX and other securities laws, the SEC started requiring companies to disclose their stock-option awards within two days of options grants.
With new regulations in place, backdating now is a regulatory issue, and, as such, companies can no longer bury their heads in the sand and hope no one notices. It has become clear that the element of time is now an internal control. Any weaknesses in tracking the time of stock-option grants must be investigated, reported and corrected.
Companies now must take the necessary steps to ensure that any backdating will be detected. Besides the development of policies, procedures and standards around backdating, there are technical solutions that can be implemented to support such an endeavor.
Time Synchronization Is Imperative
These technical solutions center on time synchronization. Companies must proactively create a time-synchronization mandate and ensure that it is correctly deployed throughout their IT environments. Fortunately, creating such a time synchronization infrastructure is relatively easy, and the ROI on such an undertaking can be significant.
As time-synchronization hardware is a needed investment, properly communicating the need to management is crucial to getting funding for the technology. Synchronizing time is a fundamental business and technology decision that should be an integral part of an effective network and security architecture.
The need for this is evident in that an enterprise information network and security infrastructure is highly dependent on synchronized time. In addition, there also are regulatory issues that require correct synchronized time — from NASD OATS, FFIEC and GLBA, to Visa CISP and many more. All of these regulations recognize that correct time is critical for transactions across a network. Many events on the network need the correct time to initiate jobs, complete transactions, etc. Correct time is critical for billing systems, authentication systems, manufacturing, forensics and more.
Common to all of these regulations is the requirement that financial transactions and changes to electronic records be accurately time-stamped. To provide accurate time stamps, all network devices must be synchronized relative to national and international time standards.
At the application and operating system level, most applications and networking protocols require correct synchronized time. Vendors such as Microsoft, Cisco, Oracle, Red Hat, Novell and Baan all state that their systems must be configured to an authoritative time server for proper and secure use.
Time servers cost from $2,000 to $10,000, depending on the level of accuracy and redundancy required. Time servers, which take but a few hours to install, provide additional benefits, such as reduced downtime and the ability to mitigate legal exposure.
Options backdating is the problem, and time synchronization is the solution. But getting from solution to implementation takes proper planning and project management. With that, the following five steps can be used as a high-level framework for implementing synchronized time in your organization.
Step 1: Risks and Requirements
The first step is to formally determine the risk to your company if you do not have synchronized time. Don't underestimate the risks; if you don't practice due care pertaining to the time on your network system, you can be legally liable for negligence and held accountable for the ramifications of that negligence.
Next, determine how accurate your clocks need to be. This can be anywhere from milliseconds to a few seconds. Finally, advise management of the risks of nonsynchronized time and get their approval for the purchase of time-synchronization equipment and the initiation of a time-synchronization project.
Step 2: Hardware and Software
Start meeting with vendors of time-synchronization equipment to determine the solution that best fits your organization and specific needs. Some of the leading vendors in this space include Spectracom, Symmetricom and EndRun Technologies.
Step 3: Policy
If policies for time synchronization are not in place already, work with the information security department to ensure that time synchronization becomes part of the global enterprise information technology policy. Time synchronization must be made part of the corporate IT systems and security policies. Without a policy, there will be no impetus for staff to achieve accurate, synchronized time. Often, a simple policy, such as, "Time synchronization to an accurate time source is required on all enterprise network devices," is a sufficient first step.
Step 4: Architecture
The first step to architecting an accurate time-synchronization solution is to establish a network time source, known as a reference clock, for traceability to national and international standards. A typical reference clock would use GPS (Global Positioning System) to receive time from satellites. Second, create a downstream topology for all network components to use the reference clock as the network's master source of time.
Step 5: Auditability
Steps 1 through 4 are important from a technical perspective. But even with the most sophisticated timing device, you still need to have independent and auditable time controls in place. As part of this, you must be able to prove to auditors and regulators that the time on any monitored system was correctly synchronized with a specified time source.
Also, it is important to note that time synchronization will not magically cure a regulatory material weakness leading to an internal controls problem. Those in control of time synchronization still can manipulate time and/or data. It becomes an issue, at least in part, of taking control over this material weakness away from insiders. With that, it is imperative to ensure that insiders are not engaging in any time-based data manipulation.
Also, if a matter goes to court, you need to prove that all devices on your network were synchronized and that every transaction that took place can be tied to an accurate, authenticated time source. This requires that all logs be handled within the context of digital forensics and that staff members follow the appropriate rules of evidence.
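To make the Step 5 requirement concrete, the following Python sketch audits a history of clock-offset checks against the reference clock and decides whether a given transaction time can be attested. It is an added example, not part of the original article: the host names, sample data, one-second tolerance and 20-minute check interval are all assumptions chosen for illustration.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

TOLERANCE_S = 1.0                  # assumed accuracy requirement from Step 1
MAX_GAP = timedelta(minutes=20)    # assumed longest allowed gap between checks

def t(hhmm):
    """Build a UTC timestamp on the constructed sample day."""
    return datetime.strptime("2006-07-14 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed monitoring records, keyed by hypothetical host name:
# (reference-clock time, host clock minus reference clock, in seconds)
SAMPLES = {
    "grants-db": [(t("09:00"), 0.004), (t("09:15"), -0.003),
                  (t("09:30"), -86400.2), (t("09:45"), 0.005)],
    "hr-app":    [(t("09:00"), 0.010), (t("10:30"), 0.012)],
}

def audit_host(samples, tolerance_s=TOLERANCE_S, max_gap=MAX_GAP):
    """Return (finding, time) pairs for one host's offset history."""
    findings, prev = [], None
    for ts, offset in sorted(samples):
        if abs(offset) > tolerance_s:
            findings.append(("out_of_tolerance", ts))
        if prev is not None:
            if ts - prev[0] > max_gap:
                findings.append(("monitoring_gap", ts))   # unobserved period
            if abs(offset - prev[1]) > tolerance_s:
                findings.append(("clock_step", ts))       # clock jumped between checks
        prev = (ts, offset)
    return findings

def can_attest(samples, event_time, tolerance_s=TOLERANCE_S, max_gap=MAX_GAP):
    """True only if in-tolerance checks bracket the event with no gap."""
    ordered = sorted(samples)
    i = bisect_right([ts for ts, _ in ordered], event_time)
    if i == 0 or i == len(ordered):
        return False                       # no check before or after the event
    (t0, o0), (t1, o1) = ordered[i - 1], ordered[i]
    return (t1 - t0 <= max_gap
            and abs(o0) <= tolerance_s and abs(o1) <= tolerance_s)

if __name__ == "__main__":
    for host, samples in SAMPLES.items():
        print(host, [(f, ts.strftime("%H:%M")) for f, ts in audit_host(samples)])
    print("09:10 attestable:", can_attest(SAMPLES["grants-db"], t("09:10")))
    print("09:20 attestable:", can_attest(SAMPLES["grants-db"], t("09:20")))
```

In the constructed data, the grants database clock is set back a day and then restored, which surfaces as two clock steps, and any transaction stamped during that window cannot be attested. Keeping these offset records outside the control of the administrators who manage the clocks is what lets them serve as independent evidence.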
The backdating fiasco demonstrates that the need for synchronized time is a crucial business and technology requirement. As such, it is an integral part of an effective network and security architecture. Ensuring accurate time is relatively inexpensive and offers a significant ROI. And it is a great way to stop your company from getting negative press — not to mention to keep your management team from being indicted.