Categories
Blog

SEC Formalizes New Rules on Cyber Breach Disclosures

The SEC has recently voted on new rules that will require companies to disclose material cybersecurity incidents within four days and to make disclosures about their broad cybersecurity risks in their annual report. Tom Fox and Matt Kelly discussed this issue on a recent edition of Compliance into the Weeds. Matt blogged about it on Radical Compliance.

This new set of rules represents a major shift from the past, when companies may have been asked by law enforcement not to disclose an attack until they were done tracking the attackers. The SEC has tried to balance the need for transparency with the need for law enforcement to use the information, and companies can go to the Justice Department to get permission to keep a breach private.

The SEC had originally proposed these rules nearly 18 months ago, in March of 2022. After considering public feedback, the SEC voted on the rules two weeks ago, at the end of July. Companies now have to disclose material cybersecurity incidents within four days of deciding that the incident is material. They must also make disclosures about their broad cybersecurity risks and how they manage those risks in their annual report. This includes disclosing the impact of the breach, such as the financial consequences and any qualitative effects.

The SEC has also proposed a rule that would require companies to disclose the cyber expertise of their board directors. However, this was changed due to public feedback that most of cyber risk management is done at the management level. The two Republican commissioners objected to the rule, saying it was too extensive and unnecessary, and arguing that the SEC was trying to dictate how companies should run their cybersecurity functions. The US Chamber or other groups may try to litigate over the rule, but for now, companies must disclose or discuss the processes for assessing, identifying, and managing material risks from cybersecurity threats.

The Head of the SEC Enforcement Division recently gave a speech about disclosing cybersecurity incidents and what his division looks at for bad practices that might lead to an enforcement action. The SEC Enforcement Director zeroed in on the misleading disclosure and said companies cannot engage in such conduct. He gave examples of companies who have suffered enforcement actions long before any of the new rules were adopted. First American Title Insurance and Pearson both gave misleading disclosures to investors about the nature of the breaches they suffered. First American thought the breach was not material and announced it was not a big deal, but their IT team later realized it was a big deal. Pearson suffered an extensive breach and disclosed to investors that there may have been some exposure of confidential data, when they already knew there was no ‘may’ involved. Companies need to disclose the severity of the incident and the reality of what actually happened.

To ensure compliance with the new rules, companies need to have proper policies for handling cybersecurity incidents that are useful and relevant to their company. Companies cannot simply copy language from a regulation and paste it into their policy manual and declare victory. They need to be clear and relevant to their employees about how to find red flags and how to respond to them.

We took a deep dive into the policy choice of transparency over use of information by law enforcement. Companies can go to the Justice Department and get permission from the Attorney General to keep a breach private if it is a threat to national security or public safety. Companies can then take that permission back to the SEC and tell the SEC the company will not disclose the breach for 30 days. Companies can then go back to the Attorney General’s office for another 30-day extension to keep the breach private. The SEC has tried to cut the baby in half by creating a process to keep some breaches private, but they have made clear they do not want corporate or lawyer-led gamesmanship around these disclosures and want a solid informational disclosure.

As this new rule is sure to have a major impact on how companies handle cybersecurity incidents in the future, it is important for companies to be aware of the new rules and the potential consequences of not complying. Companies need to have proper policies in place to ensure compliance, and they need to be sure to provide accurate and timely disclosures about any material cybersecurity incidents.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective HR in Compliance: Day 2 – The Role of HR in Creating an Ethical Culture

Welcome to the August edition of One Month to a More Effective Compliance Program. In the month of August, 2023 we will consider the role of Human Resources in a best practices compliance program.

Creating an ethical culture in the workplace is essential for any business. Not only does it ensure that employees are making the right decisions, but it also helps to protect the company from potential legal and financial repercussions. But how do you create an ethical environment?

HR can play a key role in this process. They can provide employees with the tools and resources they need to make ethical decisions, such as a personal network for informal guidance and the opportunity to consult with advisory functions. Additionally, HR should support employees who want to do the right thing and ensure that those who speak up are not discriminated against or held back from promotion.

Written protocols are also important for the detection and prevention of unethical behavior. Companies should consider if their compensation system is based on performance or something else, and ensure that incentives are not driving behaviors that are counter to long-term success. Bonus payments and executive share schemes should not be based on short-term business metrics, and cross-cultural differences should be taken into account.

Leadership also plays an important role in creating an ethical culture. Senior leadership should set the tone from the top and reward ethical behavior, while also seeking out diverse opinions and breaking down silos in the corporate organization. Additionally, a speak-up culture should be encouraged to ensure that unethical behavior is not tolerated.

Finally, employees need to understand the organization’s underlying culture in order to make ethical decisions. Companies should ensure that employees have the tools and resources they need to make informed decisions, and that they are not pushed too much change from the top, too quickly and too frequently.

Creating an ethical culture in the workplace is essential for any business. By utilizing HR, written protocols, and leadership, companies can ensure that employees have the tools and resources they need to make ethical decisions. This will help to protect the company from potential legal and financial repercussions, while also creating an environment where employees feel supported and empowered to do the right thing.

Three key takeaways:

  1. Beware of the three obstacles to creating an ethical culture.
  2. What really matters in your company?
  3. A speak up culture will improve the operational performance of your business.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
Compliance Into the Weeds

Compliance into the Weeds: SEC Rules for Cyber Breach Disclosure

The award winning, Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt consider the new SEC rules on cyber breach disclosures.

This new era of cyber security calls for increased accountability and transparency from companies to protect investors and citizens from cyber threats. The U.S. Securities and Exchange Commission (SEC) recently adopted new cyber disclosure rules requiring companies to disclose material cybersecurity incidents and risks in their annual reports. This policy change will require companies to analyze and disclose the impacts of any material cybersecurity incidents, as well as any potential exemptions from disclosure that companies may seek.

 Key Highlights 

·      New Cyber Breach Disclosure Rules

·      Material Breaches

·      Role of the Board

 Resources

Matt 

LinkedIn

Blog Post in Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Greetings and Felicitations

Greetings and Felicitations: The Future of Healthcare…Is Now: Part 3 – The Specifics of Managing Obesity

What is the future of healthcare and when will it arrive? To explore these and similar questions I visited with Dr. Ben Locwin and Scott Endicott in a five-episode podcast series. Over this series we will explore why the future of healthcare is now; gene and cell therapy, the use and misuse of statistics, Hippocrates and modern healthcare and where healthcare will be headed down the road. In this Part 3, we turn to the specifics of managing obesity.

This episode of the podcast discussed the importance of personal behavioral health in managing obesity, which is a crisis in the US. Starting with the FDA’s Rumor Control Initiative to combat misinformation, Tom Fox, Scott Endicott and Ben Locwin discussed the need for critical thinking when evaluating pharmaceutical products, the importance of involving a healthcare provider in the discussion, and the use of telemedicine to manage obesity remotely. They also suggested that digital fitbits can be used to monitor activity and that physicians can use this data to make recommendations.

The FDA has recently released the Rumor Control Initiative to combat misinformation. This initiative encourages people to check the source of the information and cross-check it with reliable sources, and to look beyond the headlines to get full context. Drug companies are required to list potential adverse effects of treatments, so it’s important to consider the benefits and risks of treatments together. It’s also important to note that people spread misinformation for various reasons, such as wanting to protect those they care about or feeling connected.

Randomized clinical trials are required for all licensed and marketed pharmaceutical treatments. Hypothesis testing, confidence intervals, and analysis of variance are used to evaluate the efficacy of a drug compared to a placebo. Tom suggested that a physician can track a patient’s activity with a digital fitbit and make recommendations during the patient’s 30 days of a month.

It is important to apply critical thinking and use common sense when evaluating pharmaceutical products. Pharmaceutical products are subject to advertising and branding, which can be difficult to evaluate. Pharmaceutical companies used to employ detailers to provide information to healthcare providers and try to get them to prescribe their product, but now they can buy television time to directly advertise to patients. There is a concern that patients may not have the knowledge to understand the biochemistry, biological impacts, and toxicology of the drugs they are taking, so it’s important to have a trusted healthcare advisor and provider to help interpret the data.

Key Highlights

·      Statistics in Healthcare

·      Managing Obesity Remotely

·      Obesity and Behavioral Health

·      Pharmaceutical Advertising

 Resources

Dr. Ben Locwin on LinkedIn

Scott Endicott on LinkedIn

Tom Fox on LinkedIn

Categories
Daily Compliance News

Daily Compliance News: August 2, 2023 – The Connected Cars and Data Privacy Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance brings to you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • CCPA to look at connected cars. (WaPo)
  • Audit firms fight expansion of anti-fraud role. (FT)
  • Former AG Lynch to review NU hazing allegations. (Reuters)
  • Singapore PM to discuss corruption scandals. (Bloomberg)
Categories
The Hill Country Podcast

Hill Country Podcast – Loren Steffy on the Texas A&M Kathleen McElroy Hiring Imbroglio

Welcome to award-winning The Hill Country Podcast. The Texas Hill Country is one of the most beautiful places on earth. In this podcast, Hill Country resident Tom Fox visits with the people and organizations that make this the most unique areas of Texas. Join Tom as he explores the people, places and their activities of the Texas Hill Country.  In this episode Tom visits with Loren Steffy about the controversy regarding the announcement of the hiring of Kathleen McElroy to head the School of Journalism and how it all went sideways.

This matter involves a recent controversy at Texas A&M University and highlighted the need for universities to embrace inclusion and create an environment where all students feel welcome and respected. The controversy began when the school attempted to hire Kathleen McElroy, an A&M graduate, to head the journalism program. The job offer was changed from a tenured position to a one-year position with the possibility of being fired at any time, leading to the resignation of the school’s president. This incident has caused a stir, prompting discussions about the importance of diversity and inclusion in higher education and the unique culture of A&M, which is both inclusive and exclusive. It has also raised questions about the university’s hiring practices and whether they have been giving potential employees and students from diverse backgrounds a fair chance.

 Key Highlights

·       Kathleen McElroy’s Initial Hiring

·       It all goes sideways

·      A&M Culture

·      A&M Hiring Issues

·      What does it all mean?

 Resources

Loren Steffy

Stoney Creek Publishing

Texas A&M’s Journalism Fiasco Has Roots in the School’s Conformist Culture by Loren Steffy in TexasMonthly.com

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn