Posted by: David Schneier
business continuity, business continuity plan, business continuity planning, disaster, disaster recovery, FFIEC, GLBA, NCUA, regulations, regulatory, Regulatory Compliance, Security
There will be no shortage of industry articles and analysis that will emerge from the horrific events in Japan over these past few weeks, that’s for certain. This is arguably the most significant event to hit a major regional economy since World War II and it’s important to learn as many lessons from this tragedy as is possible. My family are fans of the television show “Seconds from Disaster” and one thing it strives to illuminate is that by understanding what went wrong it’s often possible to make sure it won’t happen again.
Japan’s tragedy will serve as a fertile source of both proving and disproving the myriad business continuity and disaster recovery techniques being used around the world today. The most prepared and best trained companies will have very likely fared about as well as could be expected while those who weren’t, those who either had partially baked plans or no plans at all will be lucky to survive in any measurable way. And it’s hard to imagine that most companies didn’t have plans to deal with earthquakes and tsunami’s because they’re credible and consistent threats in the region. But after a quarter century in corporate life and little more than half those years focusing on audit and compliance I’m no longer surprised by anything I encounter.
However there was one story to emerge from Japan this week that I found to be quite shocking. It was about how a banks vault came open during the series of events and someone stole forty million yen (about $500k USD). It happened in the prefecture of Myagi in a town known as Kesennuma and police said that between the wave’s power and the ensuing power outages, the vault came open. What with all the flooding and chaos it took more than a week for someone to get back into the building and discover what had happened.
For many the story seemed plausible if not mildly amusing because who wouldn’t love to wander into a bank and be able to scoop up all the cash floating around. And because in this particular situation no one died or was hurt as a result it’s benign enough to be more entertaining than tragic. It sort of reminded me of a scene in the movie “Ground Hog Day” where Bill Murray’s character figured out the perfect timing to be able to steal a bag of cash out of the back of an armored truck.
But I sort of have a problem with this story because I don’t think it happened the way it’s being portrayed. My very first thought upon reading the details was that either someone left the vault door open as they were fleeing the bank or someone who knows a thing or two about how to open a vault went back in after the fact and exploited the situation to their advantage. The odds that a vault door simply flew open due to what was really a massive flood at that point just doesn’t hold up under scrutiny.
Have you ever actually seen what a door on a bank vault looks like? I have and I’ve probably seen about three dozen or more since I started working in the banking sector and I couldn’t think of how any one of them, if closed properly would ever just come open due to rushing water for a relatively short period of time. First of all they’re all seated within a metal frame and so for the rods or pistons that create the seal to come undone the metal itself would need to have been bent or twisted. Second, they weigh a ton (not as much of an exaggeration as you might think). Even the weakest vaults I’ve encountered have doors that have some serious density to them and would not likely bend under most natural forces. I would sooner believe that the walls that the door and its frame were attached to failed then believe that the door simply “flew open”.
If I had to put on my most skeptical mindset to use I would venture a guess that the person responsible for making sure the vault was properly closed before safely exiting the building rushed through the procedure, didn’t properly lock the vault and in their heightened state of panic just didn’t think about it. While that’s the most likely scenario the second most likely version is that someone who knows how to open the vault door and who knew after a day or so that no one would ever be concerned with theft while there were still lives to save made their way into the crippled building with its security systems down and manually opened the door and had at it. But under either scenario it’s almost entirely likely that the person(s) who stole the money had an idea about what to do and took advantage of the situation. I mean, they obviously entered the bank after the disasters struck and they weren’t likely looking for survivors if they were of a mindset to grab what had to be a sizable physical haul.
And the thing is that there’s no viable lesson to be learned from a story such as this. I’m certain the bank had a procedure in place that specified how all cash drawers were to be placed in the vault and that the vault itself should be locked upon exiting during a disaster. While in certain physical disaster scenarios it’s possible to install an individual to monitor the facility during and after the event this wasn’t one of those times as everyone needed to flee the area. And having someone come back the next day to keep an eye on things was probably the last thing anyone associated with the bank was concerned with (and rightfully so) as they had lives to save and keep safe.
So no usable lesson to learn and probably no way to ever find out what really happened. For my money I hope they find the people behind this because it makes me angry to think that while so many people struggled to search for survivors or to recover bodies there were people looking to profit from the situation.
And if there’s anything for the BCP community to glean from this story it’s that no plan can truly account for every possible scenario. It’s a hard lesson to learn but perhaps one that serves a purpose if for no other reason than to underscore the need for adequate insurance coverage.