I am not in the financial industry, but as someone who works in the Information Security industry I'll take a crack at this. The failure on the part of San Bernardino County was to not deploy a Mobile Device Management (MDM) solution. If they had, then they would have the capability to unlock the phone and this entire issue would be moot. A MDM would allow the administrators to remove the lock and access information on the device, for example Apple's MDM has the capability of removing a lock code altogether if the device is enrolled in a MDM: "The ClearPasscode command requires the device’s UnlockToken (which was provided to the server during the enrollment phase, in the UpdateToken message):" (https://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf) Any CISO worth their salt is going to deploy an MDM solution as part of good GRC especially if those devices are firm owned, or can access firm data as a MDM can not only let you back into a locked device but can remotely wipe a device that is no longer in your control.