Categories
Principled Podcast

Principled Podcast – S10E9: What are the Latest Global Standards and Trends in E&C Program Effectiveness?

What you’ll learn on this podcast episode

Since 2014, LRN has published an annual Ethics & Compliance Program Effectiveness Report that reflects the input of ethics, compliance, and legal professionals from around the world. These reports aim to identify key differentiators that make some E&C programs more effective than others—especially in the midst of global risks and crises. But the risk landscape has shifted dramatically over the last few years; we’ve experienced the COVID-19 pandemic, worldwide political upheaval, and the start of the war in Ukraine. How are E&C programs weathering these challenges? What changes have they made to adapt, and what global trends are emerging as a result? In this episode of LRN’s Principled Podcast, LRN Advisory colleagues Emily Miner and Susan Divers discuss key findings from a special Global Standards Edition of LRN’s E&C Program Effectiveness Report. 

Download the LRN E&C Program Effectiveness Report – Global Standards Edition. 

Take this 10-minute survey and share your experiences for LRN’s 2024 E&C Program Effectiveness research. Results will be published in February. 

Guest: Susan Divers


Susan Divers is a senior advisor with LRN Corporation. In that capacity, Ms. Divers brings her 30+ years’ accomplishments and experience in the ethics and compliance area to LRN partners and colleagues. This expertise includes building state-of-the-art compliance programs infused with values, designing user-friendly means of engaging and informing employees, fostering an embedded culture of compliance, and substantial subject matter expertise in anti-corruption, export controls, sanctions, and other key areas of compliance.

Prior to joining LRN, Mrs. Divers served as AECOM’s Assistant General for Global Ethics & Compliance and Chief Ethics & Compliance Officer. Under her leadership, AECOM’s ethics and compliance program garnered six external awards in recognition of its effectiveness and Mrs. Divers’ thought leadership in the ethics field. In 2011, Mrs. Divers received the AECOM CEO Award of Excellence, which recognized her work in advancing the company’s ethics and compliance program.

Mrs. Divers’ background includes more than thirty years’ experience practicing law in these areas. Before joining AECOM, she worked at SAIC and Lockheed Martin in the international compliance area. Prior to that, she was a partner with the DC office of Sonnenschein, Nath & Rosenthal. She also spent four years in London and is qualified as a Solicitor to the High Court of England and Wales, practicing in the international arena with the law firms of Theodore Goddard & Co. and Herbert Smith & Co. She also served as an attorney in the Office of the Legal Advisor at the Department of State and was a member of the U.S. delegation to the UN working on the first anti-corruption multilateral treaty initiative.

Mrs. Divers is a member of the DC Bar and a graduate of Trinity College, Washington D.C. and of the National Law Center of George Washington University. In 2011, 2012, 2013 and 2014 Ethisphere Magazine listed her as one of the “Attorneys Who Matter” in the ethics & compliance area. She is a member of the Advisory Boards of the Rutgers University Center for Ethical Behavior and served as a member of the Board of Directors for the Institute for Practical Training from 2005-2008.

She resides in Northern Virginia and is a frequent speaker, writer and commentator on ethics and compliance topics. Mrs. Divers’ most recent publication is “Balancing Best Practices and Reality in Compliance,” published by Compliance Week in February 2015. In her spare time, she mentors veteran and university students and enjoys outdoor activities.

Host: Emily Miner


Emily Miner is a vice president in LRN’s Ethics & Compliance Advisory practice. She counsels executive leadership teams on how to actively shape and manage their ethical culture through deep quantitative and qualitative understanding and engagement. A skilled facilitator, Emily emphasizes co-creative, bottom-up, and data-driven approaches to foster ethical behavior and inform program strategy. Emily has led engagements with organizations in the healthcare, technology, manufacturing, energy, professional services, and education industries. Emily co-leads LRN’s ongoing flagship research on E&C program effectiveness and is a thought leader in the areas of organizational culture, leadership, and E&C program impact.

Prior to joining LRN, Emily applied her behavioral science expertise in the environmental sustainability sector, working with non-profits and several New England municipalities; facilitated earth science research in academia; and contributed to drafting and advancing international climate policy goals. Emily has a Master of Public Administration in Environmental Science and Policy from Columbia University and graduated summa cum laude from the University of Florida with a degree in Anthropology.

Categories
Innovation in Compliance

Innovation in Compliance – Jamie Hoyle on Finding the Needle in a Haystack for Communications Compliance

Innovation comes in many forms, and compliance professionals need to not only be ready for it but also embrace it. One of those areas is financial services communications compliance. My guest in this episode is Jamie Hoyle, VP of Product at MirrorWeb. Jamie Hoyle is a seasoned software engineer and technology executive with a strong background in compliance and communication surveillance. He currently serves as the VP of Product at MirrorWeb, where he leverages his expertise in capturing and utilizing metadata from native APIs and platforms to provide valuable business intelligence in communication surveillance.

Jamie’s perspective on the topic of “MirrorWeb: a surveillance platform for digital communication compliance” is that communications compliance is a crucial aspect of regulatory enforcement actions, which are only increasing. He emphasizes the importance of capturing insights from emerging platforms and technologies and scaling these surveillance platforms to meet the requirements of both regulated and non-regulated businesses. Join Tom Fox and Jamie Hoyle on this episode of the Innovation in Compliance podcast to learn more about Jamie’s insights and experiences.

Key Highlights:

  • Insightful Compliance Solutions for Digital Communications
  • The “Needle in a Haystack” of Communications Compliance
  • The Rise of Individual Accountability in Compliance
  • Communications Surveillance and Compliance Solutions

Resources:

  • Jamie Hoyle on LinkedIn
  • MirrorWeb
  • Tom Fox on Instagram, Facebook, YouTube, Twitter, and LinkedIn

Categories
Daily Compliance News

Daily Compliance News: November 7, 2023 – The Apology Accepted Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News, all from the Compliance Podcast Network. Each day we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • ICO apologizes to the ex-Nat West chief. (FT)
  • A 70-hour work week in India? (BBC)
  • Integrity in cricket. (University of Sussex)
  • Do chatbots violate anti-wiretap laws? (Reuters)

Categories
Blog

SEC, SolarWinds and Compliance

The recent SEC lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, has brought the issue of executive liability in cybersecurity disclosures to the forefront. This case sheds light on the culture of deception within SolarWinds, where lower-level employees struggled to communicate the severity of cybersecurity issues to management. The lawsuit raises important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries.

The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ Orion software and exposed highly sensitive information. The hackers gained access to SolarWinds’ environment and planted spyware in the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to gain access to the highest levels of the US government and major corporations.

The SEC’s lawsuit against SolarWinds and Tim Brown focuses on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures forms the basis of the SEC’s allegations.

The SEC complaint alleges that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

The case raises important questions about the responsibility and liability of senior executives for misleading disclosures. In this instance, the focus is on the former CISO, Tim Brown, who is facing civil penalties and potential trial. The SEC is seeking to bar him from serving at publicly traded companies. However, the case also raises questions about the CEO’s potential liability. In SolarWinds’ case, the former CEO, Kevin Thompson, who did not have a cybersecurity background, may have relied on assurances from the CISO regarding the company’s cybersecurity risks and disclosures.

The issue of executive liability in cybersecurity disclosures is complex. Should senior executives be held accountable for inaccurate assurances provided by their subordinates, especially in areas where they may not have expertise? Security is a complex matter, and executives may rely on the expertise of others to make informed decisions. However, this case highlights the potential consequences of such reliance and the need for executives to ensure accurate and transparent disclosures.

The SEC’s lawsuit against SolarWinds and Tim Brown also raises broader questions about the liability of executives in charge of risk, such as compliance officers. If executives are given assurances that turn out to be incorrect, where does the liability lie? This case could have implications beyond the cybersecurity realm and may impact how executives approach risk disclosures in various industries.

Balancing the need for accurate risk disclosures with the challenges of understanding complex cybersecurity issues is a tradeoff that executives must navigate. The case highlights the importance of fostering a culture of transparency and effective communication within organizations. It also emphasizes the need for executives to stay informed and engaged in areas of risk, even if they do not have direct expertise.

Moving forward, organizations should consider implementing the NIST Cybersecurity Framework to defend effectively against cyber threats. This framework provides a comprehensive approach to managing and mitigating cybersecurity risks. By following best practices and ensuring accurate risk disclosures, organizations can reduce the likelihood of facing legal action and protect their stakeholders.

In the SEC press release, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said: “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company.’ Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.” He added: “Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

In conclusion, the SEC’s lawsuit against SolarWinds and Tim Brown brings executive liability in cybersecurity disclosures into focus. The case highlights the importance of accurate and transparent risk disclosures and raises questions about the responsibility of senior executives. Executives must balance the need for accurate disclosures with the challenges of understanding complex cybersecurity issues. By fostering a culture of transparency and implementing best practices, organizations can mitigate risks and protect their stakeholders.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Culture: Day 5 – Redesigning Culture

How can you think through a different way to redesign your culture and compliance program? One starting point is an article in MIT Sloan Management Review, entitled “The Four-Step Process for Redesigning Work,” by Lynda Gratton. Gratton believes that a “fear of failure weighs heavily on many leaders tasked with managing new workplace expectations. Seeing the challenge as a process is the way forward.” Her piece provides a great way to think about the decision on hybrid or other models of working going forward. Her four steps are:

1. Understand what matters.

2. Reimagine new ways of operating.

3. Model and test new ways of working.

4. Act and create.

Gratton ended her piece by challenging leaders to ask themselves three questions: “Where are you now on the journey of redesigning work? Are there steps you need to reengage in a more purposeful manner? Are you clear about what your biggest priorities are? The actions you take now will create your signature model of work and define the deal that you are making with your employees and your customers.” The same is even more true for a Chief Compliance Officer, the corporate compliance function, and culture.

Three key takeaways:

1. How to think through redesigning your culture.

2. Understand what matters to your employees.

3. Listen, listen, listen.

Check out the free webinar on the new tool, The Culture Audit, with Tom Fox and Sam Silverstein on Monday, November 20, 12 CT. For more information and registration, click here.