
Cybersecurity Management & Policy

Financial Services Merger & Acquisition: Padgett-Beale and Island Banking Services

A case study for Cybersecurity Management & Policy Students

Introduction

Padgett-Beale, Inc. is a hotel and property management firm with operating locations throughout the world. The company is a Delaware corporation and is headquartered in the town of Lewes near the Atlantic seashore and beaches. The company has a long history of successful mergers and acquisitions for hotels, restaurants, and real estate holding and management companies. Recently, Padgett-Beale’s Board of Directors approved a five-year strategic plan which includes expansion into the financial services sector. This move is viewed as a way for the company to improve profits and reduce costs. The organization chart shown below documents the company’s current structure, including the intended integration of Island Banking Services, which Padgett-Beale has just purchased from the bankruptcy courts.

Figure 1. Padgett-Beale, Inc. Organization Chart

Island Banking Services

Island Banking Services is a non-U.S. company that operates in the Financial Transactions Processing, Reserve, and Clearinghouse Activities industry, NAICS 2017 Code: 522320. Companies operating in this sector engage in financial transaction processing, financial instrument clearinghouse services, and reserve and liquidity services. The company operates a customer service center and three branch locations on the island, but the majority of its customers use electronic funds transfers, online banking, and credit/debit cards to deposit and withdraw funds. After five years of operation, the company was forced into bankruptcy after criminal money laundering charges were filed against the company and its officers. These charges were filed as part of a multi-national investigation into ransomware attacks and the use of cryptocurrencies to transfer payments from victims to perpetrators.

Investigators analyzing the blockchains for the cryptocurrencies found that Island Banking Services was being used as a clearinghouse to convert cryptocurrencies into fiat currencies (dollars, Euros, Yen, etc.) and then transfer funds through anonymous accounts to criminal organizations. Island Banking Services was asked to open its records and/or provide the real identities and contact information for the account holders to law enforcement agents. The company declined to do so, triggering an expansion of the investigation into the company and its officers. Search warrants were obtained and used to seize company documents and records (including digital storage devices and media). Figure 2 (below) documents the company’s IT infrastructure as it existed on the day the search warrants were executed.

Figure 2. Island Banking Services IT Infrastructure and Assets Included in the Search Warrant.

As part of the money laundering investigation, 40% of the company’s computer workstations and 100% of its database servers were seized and taken into evidence. Except for storage devices (hard drives, tapes, and other digital media), all hardware has been returned to the company. The evidence collected from the company’s digital and paper records was used to obtain indictments against the Chief Executive Officer, Director of Customer Accounts, and the Head Teller. Additional criminal charges are pending for the Director of IT Services and two system administrators for illegal activities uncovered during the investigation.

Padgett-Beale, Inc. has purchased the digital assets and records of Island Banking Services from the bankruptcy courts. These assets include licenses for office productivity software, financial transactions processing software, database software, and operating systems for workstations and servers. Additional assets included in the sale include the hardware, software, and licensing required to operate the company’s internal computer networks.

Padgett-Beale’s legal counsel successfully negotiated with the bankruptcy court and the criminal courts for the return of copies of the company’s records so that it could restart Island Banking Services’ operations. The courts agreed to do so after Padgett-Beale committed in writing to reopening the customer service call center (but not the branch offices) on the island. Reopening the call center will provide continued employment for 10 island residents including 2 call center supervisors. Padgett-Beale intends to relocate the call center to a company-owned property approximately 10 miles away from the current location and adjacent to a newly opened Padgett-Beale resort. The remainder of Island Banking Services’ operations, including the data center and all IT support, will be moved to a Padgett-Beale property located within the continental United States. The immediate impact of this planned move will be to place the financial services operations under U.S. federal banking laws and regulations.

Realizing that specialized expertise will be required to identify and meet these requirements, Padgett-Beale’s Merger & Acquisitions team has requested support from the company’s Chief Information Security Officer. The CISO has been charged with ensuring that all IT security requirements are identified prior to the integration of the financial services organization into the company. At a minimum, the CISO’s efforts must include developing an appropriate IT Security management program which meets all applicable requirements of federal laws and regulations applying to the financial services sector. These laws and regulations include:

Title 31, U.S. Code, Sections 5311-5330 (The Bank Secrecy Act (BSA))

Title 31, Code of Federal Regulations, Part 103 (BSA implementing regulations)

Padgett-Beale Company History

Elmer and Robenia Padgett’s first hotel, Robenia’s Guest House, opened in 1925 with six family suites (two per floor), a tea room, and a formal dining room. The guest house primarily served wealthy families who relocated to the seashore for the summer to escape the heat in New York City. This property provided amenities and services matching those of rival long-stay hotels in major cities along the East Coast. The second and third properties, Padgett’s Hotel and Padgett’s Beach House, were acquired in 1935. Flintom’s Tavern, a landmark restaurant and entertainment venue, was added to the Padgett properties portfolio in 1940.

Periodic resurgences in popularity of the seashore as a vacation destination occurred over the next fifty years (1940-1990) as bridges were built, roads were improved, and regional economies strengthened. These resurgences brought additional competition as new motels and resorts operated by national chains entered the seashore vacations market. Major weather events in the 1970s resulted in damage to both Padgett’s Beach House and Flintom’s Tavern, causing both to close for an extended period of renovations. The Padgett family’s brand remained strong, despite these setbacks, as members of the family took a personal interest in the day-to-day operations and management of the company.

Padgett’s was not an early adopter of computers and information technology. But, over time and as younger family members entered the business, computers began a slow march into the company’s offices in the form of personal computers with word processing, spreadsheets, and database systems. Personal computers also made their way into managers’ offices in the hotel properties, where spreadsheets proved valuable in tracking revenues and expenses. In 1982, an embezzlement scandal at Flintom’s Tavern forced the company to adopt computer-based point of sale (POS) systems throughout the company for all cash handling functions (hotel front desks and restaurants). A benefit of the POS systems was the built-in reporting functions, which enabled the company to more closely track cash and credit sales by property. By 1995, the company had fully integrated custom hotel management software into its operations. This software and the associated databases were hosted on company owned / operated mainframe computer systems. By the end of the decade, information technologies were in use to support all aspects of the company’s internal operations (accounting, customer service, property management, and reservations). Figure 3 (shown below) provides a notional diagram of the company's IT infrastructure.

Figure 3. Notional Depiction of Padgett-Beale’s Corporate IT Infrastructure

At the beginning of the new century, the company adopted its first strategic plan with a heavy emphasis upon growth and expansion. Under this plan, the company branched out and began offering hotel and resort management services to other hoteliers and property owners. Advanced telephony services and implementation of custom software allowed Padgett’s to offer one of the first centralized reservations management services. The company also leveraged the Internet and World Wide Web to launch a resort affiliates program, which provided a menu of business related services to member properties. These services included: online advertising and promotions, architecture and design assistance, business operations consulting, group business insurance, and guest loyalty programs. The hotel and resort management services business area continues to be the major source of revenues and profits for the company and its owners.

As part of Padgett’s expansion plan, the company purchased Beale Realty Holdings in 2001 and formed Padgett-Beale, Inc. (PBI). Shortly thereafter, PBI embarked on a series of real-estate acquisition activities, which led to the purchase of several large tracts of prime Eastern Shore waterfront property. The company’s long-term plan was to hold the properties as real estate investments and, when market demand rose sufficiently, expand into development, sales, and management of condominiums and vacation time-share properties. The focus on long-term investment was a wise choice, as this particular market segment was adversely impacted by the housing boom/bust in the mid-2000s.

At the time of purchase, the waterfront properties were in use as campgrounds and resorts for tent-campers, travel-trailers, and motorhomes. These camping facilities were allowed to continue their existing operations with minimal investment and oversight for the next 15 years (2002 – 2017). During this laissez-faire management period, some campground managers modernized their camp offices and stores by purchasing computer-based point of sale systems that allowed them to accept credit and debit cards. Most of these managers also outsourced their reservations management to a third party online reservations system, which provided a customized website to advertise each park and provide access to the online reservations system. A few campgrounds did not modernize beyond setting up a simple website with contact information and a few photographs. These facilities continue to use a mail or telephone-based reservation process with a “cash only” payment policy.

In 2015, the day-to-day operations and management of PBI were transitioned to a new leadership team recruited from leading hotel and resort management companies. The new leadership team includes the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer / Director for Resort Operations, and the Corporate Counsel (attorney) who is also dual-hatted as the Chief Privacy Officer. Under this new leadership, the company was reorganized to better focus on the three most profitable business areas: Resort Operations, Reservations Services, and Resort Affiliates. Management and daily operations for the three company owned hotel properties (Robenia’s Guest House, Padgett’s Hotel, and Padgett’s Beach House), Flintom’s Tavern, and the campgrounds / trailer parks were transferred to the newly formed Property Holdings and Development division.

Industry Overview

Padgett-Beale, Inc. (PBI) operates in the Hotels, Motels, & Resorts industry (NAICS Codes 721110 and SIC Codes 7011) (First Research, 2017). Hotels, motels, and resorts provide short-term housing and lodging for travelers and visitors. Related services offered by companies in this industry include: catering and meals, conferences and event hosting, entertainment, resort amenities (golf, swimming, spa, etc.), etc. Major hotels and resorts may also offer a limited spread of banking services (check cashing, currency conversion, cash advances, and automated teller machines). Some facilities may also offer on-property or in-house medical clinics operated under contract by licensed medical personnel who provide non-emergency care for guests and employees.

Hotels, Motels, and Resorts

Leading firms in this industry include Marriott International, Inc., Hilton Worldwide Holdings, Inc., and Starwood Hotels & Resorts Worldwide, LLC (First Research, 2017). On an annual basis, this global industry generates over $500 billion in revenue. The U.S. segment of this industry generates approximately $175 billion in revenues each year. These revenues may be generated directly from operation and management of company owned properties. Or, revenues may be generated through franchising arrangements or through fees generated in conjunction with property management / hotel operations services provided to other property owners.

Demand for products and services in this industry is driven by two primary factors: (a) business travel and (b) vacation or tourist travel (First Research, 2017). Both of these factors are highly sensitive to the health of regional, national, and global economies. Financial analysts estimate that 75% of industry revenues result from fees for overnight lodging. The remaining 25% of revenues result from sales of related products and services (e.g. meals, beverages, etc.). Labor is the most significant source of expenses. Recent market forecasts (Lodging Staff, 2019) predict that the industry will experience continued growth through 2020. In 2021, a slight decline in revenues is expected followed by a recovery and slight growth in 2022. No major changes are expected in either supply or demand in this industry for the next few years.

This industry uses information technology and the Internet in a variety of ways. First, most brands use the Internet and social media to support their marketing efforts. Second, all but the smallest of properties / brands use information technologies and the Internet to support reservation call center operations. Third, information technologies are used in the daily operations of facilities (front and back of house) and in support of corporate business processes and functions. These technologies include Point of Sale systems for handling customer financial transactions, housekeeping and maintenance management systems, card key access systems for guest rooms and restricted areas, scheduling and timekeeping systems for personnel, and building / facilities management systems that control and monitor energy using systems such as lighting and heating/ventilation/cooling (HVAC) systems. Information technologies are also used to provide physical security in such forms as video surveillance and recording, access controls for equipment and control zones (key pads, badge readers, password controlled logins), and automated access logs which record identity information along with timestamped entry/exit for controlled zones.

Cyber attacks against hotels and hotel chains have increased in recent years. According to Winder (2019), recent attacks have exposed not just customer information but also security logs, including passwords, IP addresses of inbound and outbound connections, information about ports and protocols for firewalls (open / closed), and employee names and usernames, among others. Major chains have also experienced malware attacks which exposed the personal and financial information of millions of customers (Goud, 2018).

References

First Research. (2017). Hotels, motels, & resorts: First Research custom report. Retrieved July 26, 2017 from Hoovers Online.

Goud, N. (2018, November 30). Data of 500 million Starwood Marriott hotel customers compromised in cyber attack. Cybersecurity Insiders. Retrieved from https://www.cybersecurity-insiders.com/data-of-500-million-starwood-marriott-hotel-customers-compromised-in-cyber-attack/

Lodging Staff. (2019, February 25). U.S. lodging outlook good through 2020, with economic ‘blip’ in 2021 says CBRE. Lodging Magazine. Retrieved from https://lodgingmagazine.com/u-s-lodging-outlook-good-through-2020-with-economic-blip-in-2021-says-cbre/

Philadelphia Consolidated Holding Corp. (2017). Cyber security liability. Retrieved from https://www.phly.com/mplDivision/managementLiability/CyberSecurity.aspx

Winder, D. (2019, May 31). Security systems of major hotel chains exposed by a huge data breach. Forbes. Retrieved from https://www.forbes.com/sites/daveywinder/2019/05/31/security-systems-of-major-hotel-chains-exposed-by-huge-data-breach/#d022f7f52ec2