Day: November 2, 2021
The Compliance Life details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What are some of the skills a CCO needs to successfully navigate the compliance waters in any company? What are some of the top challenges CCOs have faced, and how did they meet them? These questions and many others will be explored in this new podcast series. Over four episodes each month on The Compliance Life, I visit with one current or former CCO to explore their journey to the CCO chair. This month, my guest is Wendy Badger, CCO at Tennant Company.
Wendy knew she wanted to be a lawyer long before she went to law school. She was the first person in her family to graduate from college and then obtain an advanced degree. She talked about some of the challenges she faced and the support and mentorship she received. We then discussed her early legal career and her immediate jump to compliance in the early 2000s through a very non-traditional path: joining an international trade association, where she found a passion for, and a niche in, compliance.
Resources
Wendy Badger LinkedIn Profile
Troy Fine is Tom Fox’s guest on this week’s episode of the Innovation in Compliance Podcast. He is the Senior Manager of Cybersecurity Risk Management and Compliance at Drata. Troy joins Tom to talk about data security, data protection, and risk management.
Internal and External Auditing
Auditing is either external or internal. External auditing entails third parties coming in to assess a company’s controls and security frameworks and to determine whether they meet compliance requirements. Internal auditing involves people who work directly for the company they are assessing. They are much more involved with the business and understand its requirements better, so they take a more collaborative approach. Internal audit identifies the gaps within the organization so the business can remedy them quickly and be prepared for an external audit. Troy points out that internal audit will sometimes assist external audit, with the external auditors relying on the testing that internal audit has already performed.
How Drata Scales Your Company
Integrity and trust are the core ethos of Drata. “We built this product so that our customers can prove to their customers that they could have trust in their data security,” Troy tells Tom. Currently, the company has over fifty integrations from which it can pull data and run tests, as well as many new frameworks. This means that as Drata’s customers acquire their own customers and receive more requests for compliance, Drata will be able to support them through additional controls. Customers and clients are able to create a more secure environment in their organizations and meet their compliance standards at the same time. Drata allows customers to manage their control environment via continuous monitoring. When an auditor comes in to assess, they can see that the control operated over a long period of time.
Assessing Third-Party Risk
Within the Drata platform, there is a vendor management page where customers can start monitoring their vendors. Customers can rank them as low, medium, or high risk. For medium- and high-risk vendors, customers can log and track how well those vendors are meeting security requirements. “Part of our control testing is to check if the customer is monitoring their vendors appropriately,” Troy remarks. “We want to make sure they’re also monitoring their vendors, so we provide them a template that allows them to make sure that we’re viewing the SOC 2 reports appropriately, and identifying any risk or end-user controls that they need to perform.”
Zero Trust
Tom asks Troy what companies need to be thinking about in terms of cybersecurity in the coming years. “A big area to focus on is going to be this idea of Zero Trust,” Troy says. A greater emphasis on verification, based on location, user behavior, or simply a change in general, is going to be seen in the not-too-distant future. “As the workforce becomes more remote, the idea that somebody behind the keyboard is not the same person that was in your office is becoming a bigger question,” he adds. Implementing Zero Trust frameworks is going to become more important.
Resources
Troy Fine | LinkedIn
Drata
Monaco Speech: Part 2 – Monitors
Deputy Attorney General (DAG) Lisa O. Monaco gave a Keynote Address at the ABA’s 36th National Institute on White Collar Crime last week (the Monaco Speech). Her remarks were noted by many commentators, including on Compliance Into the Weeds, where Matt Kelly and I took a deep dive into her speech in a rare emergency podcast. Her remarks reframed the discussion about this Department of Justice’s (DOJ) priorities on white collar criminal enforcement, including under the Foreign Corrupt Practices Act (FCPA). Her remarks should be studied by every compliance professional, as they portend a very large change in the way the DOJ, and potentially other agencies, enforce the FCPA. This has significant implications for every Chief Compliance Officer (CCO), compliance professional and corporate compliance program.
Today, I am going to take up the third change announced by Monaco: the use of corporate monitors. I asked Affiliated Monitors Inc. (AMI) founder Vin DiCianni for his thoughts on the remarks about monitors. He said, “For Affiliated Monitors this refreshed approach by DAG Monaco highlights the seriousness which businesses must place on the investment in their programs and in addressing what has for some been a negative experience with a monitor. For those who might be the subject of a monitorship, DAG Monaco recognized that the negativity that has sometimes surrounded monitorships as being punitive, should be seen in a different light bringing value, pointing a way forward and as a solution which has had great success in resolving matters.”
In 2021, we have seen several enforcement actions which seemed quite well suited for monitors. Of course, the DOJ recently announced that some companies have been failing to live up to their settlement resolutions and has proposed the extension of current monitorships. Monaco echoed this sentiment, stating, “Recently, two different multinational corporations separately announced that each had received a breach notification from the Justice Department.”
Monaco’s remarks may well have been tailored to these 2021 FCPA resolutions and companies in breach of their settlement obligations when she stated, “In recent years, some have suggested that monitors would be the exception and not the rule. To the extent that prior Justice Department guidance [Benczkowski Memorandum] suggested that monitorships are disfavored or are the exception, I am rescinding that guidance. Instead, I am making clear that the department is free to require the imposition of independent monitors whenever it is appropriate to do so in order to satisfy our prosecutors that a company is living up to its compliance and disclosure obligations under the DPA or NPA. Of course, the decision to use monitors must also include consideration of how the monitorship is administered and the standards by which monitors are expected to do their work. And the selection of monitors will continue to be accomplished in a fashion that eliminates even the perception of favoritism. The department will study how we select corporate monitors, including whether to standardize our selection process across the divisions and offices.”
Monaco went on to explain several reasons for the increased use of monitorships. The first is in the area of recidivist offenders. However, this goes beyond simply recidivist FCPA offenders and ties into another part of the Monaco speech: the DOJ taking into account, when resolving any FCPA enforcement action, the full panoply of corporate misconduct, which might include tax investigations, import control enforcement actions or anti-trust concerns. It all seems to me to turn on the issue of trust. Monaco stated, “Stepping back, any resolution with a company involves a significant amount of trust on the part of the government. Trust that a corporation will commit itself to improvement, change its corporate culture, and self-police its activities. But where the basis for that trust is limited or called into question, we have other options. Independent monitors have long been a tool to encourage and verify compliance.” If the DOJ cannot trust you to follow the law in some areas, it may not trust you to fulfill your compliance obligations under an FCPA resolution.
Earlier in her speech Monaco talked at length on the importance of corporate culture. She noted, “But corporate culture matters. A corporate culture that fails to hold individuals accountable, or fails to invest in compliance — or worse, that thumbs its nose at compliance — leads to bad results. Let me also be clear: a company can fulfill its fiduciary duty to shareholders and maintain a commitment to compliance and lawfulness. In fact, companies serve their shareholders when they proactively put in place compliance functions and spend resources anticipating problems. They do so both by avoiding regulatory actions in the first place and receiving credit from the government. Conversely, we will ensure the absence of such programs inevitably proves a costly omission for companies who end up the focus of department investigations.”
Taken as a whole, Monaco’s speech says that, once again, the DOJ wants companies to be good corporate citizens. Moreover, it all starts with culture and flows from there. If a company puts making a quarterly number above all else, that becomes the corporate culture, and employees will do whatever is necessary to accomplish that goal. Conversely, if the values of the company are to do business ethically and in compliance, that will be taken into account. This ups the ante for corporations which find themselves in an FCPA investigation or enforcement action.
Join us tomorrow when we consider Monaco’s remarks on corporate culture.