Wednesday, June 3, 2009

Is Suing a QSA the right thing to do?

I just got done reading a blog entry over at Preachsecurity about Merrick Bank suing the PCI QSA that found CardSystems Solutions to be PCI compliant before they were hacked. The QSA in question here is Savvis. You can read the entry here if you want more background: http://preachsecurity.blogspot.com/2009/06/dangerous-times-for-pci-regulations.html

The question raised by the blog entry is whether or not QSAs should be open to lawsuits when they miss material findings that result in breaches down the road. The author concludes that he isn't sure how he feels on the topic, so I decided to write this up and share my opinion even though he didn't ask for it.

I have decided, based on the little information that I have, that QSAs should be open to lawsuits when they miss material findings. My main reason comes from the accounting profession and the way financial statement audits are held accountable.

In a nutshell, I believe that IT auditors need to develop the same reputation for honesty and integrity that financial auditors once held. In order to earn that reputation, auditors have to be held to extremely high standards, and that includes taking the heat when they miss material findings about a client's security posture.

Opening up QSAs to litigation will force them to be more diligent in their search for material findings so that they face fewer lawsuits. That will benefit everyone who depends on their audit reports, and it will benefit the customers of the companies being audited. In time, QSAs with poor processes will be sued out of business and we'll be left with firms that earn a reputation for being thorough and accountable for their findings. Arthur Andersen, the auditor that signed off on Enron's books, is currently facing over 100 civil suits, and the damage to its reputation is so bad that it basically has no business left. That was a good thing! We need to make sure that kind of accountability is present in IT auditing as well.

If, on the other hand, we decide to let auditors off the hook when they miss material findings, then I feel it is unlikely that we will ever have great faith in IT auditors. They will have nothing to lose if they miss something. They may even be willing to write a more favorable report in exchange for some inducement, such as future consulting income.

So that, in a nutshell, is my argument in favor of suing Savvis. I will agree that CardSystems Solutions should probably also be sued, but that doesn't really do anything for Savvis. I feel bad throwing other IT people under the bus, but this is the kind of blood that will have to be shed for IT auditors to establish a bulletproof reputation.

EDIT: One thing I would like to add is that the damages awarded when a QSA is sued should not be so excessive that a single incident would put that QSA out of business. Everyone screws up sometimes. I would like to see awards set at a level where a QSA with real, systemic problems could not absorb the damages from multiple suits and would go out of business, while a QSA with one honest miss survives. Only in cases of great deception (like Arthur Andersen) should the damages from a single incident drive a QSA out of business.

3 comments:

Mac said...

You make a very good point here. When I started reading your article, I disagreed with you, but I changed my mind by the time I finished. My original concern was that the increased liability would drive the price up, but it makes sense that a professional be responsible for his or her work.

-Mac

Unknown said...

Wow, thanks Mac. The greatest compliment someone can pay any of my blog entries is that it was worth the time they spent reading it.

Rafal Los said...

@Black Fist: I have been thinking about this all afternoon and have had a bunch of different conversations around the topic too - and have come to the same conclusion Mac did. In order to eliminate all the fly-by-night "QSA Auditors" who were just riding the "make mad money" wave, they need to be held accountable. Given that these types of suits will inevitably raise the cost of the audits (as insurance rates go up, and QSAs start to protect themselves and maybe hire actual trustworthy auditors), it will make it more expensive. Maybe that's a good thing too though, as companies will have to get it right the first time and not have the luxury of "shopping around" for a cheap/rubber-stamp QSA.

Thanks for the link!

/rL