Categories
Trekking Through Compliance

Trekking Through Compliance – Episode 46 – Compliance and Culture Lessons from A Piece of the Action

In this episode of Trekking Through Compliance, we consider the episode A Piece of the Action, which aired on January 12, 1968, and occurred on Star Date 4598.1.

The Enterprise crew attempts to contact the inhabitants of planet Sigma Iotia II, who have built a culture around the book Chicago Mobs of the Twenties, accidentally left behind a hundred years earlier by the S.S. Horizon. At the time of the Horizon’s visit, the noninterference directive was not in effect, so Kirk, McCoy, and Spock wonder what sort of “contamination” they will encounter. Upon arriving, they are held at gunpoint but are taken safely to the “Boss” after a machine gun attack by rival boss Krako.

There are a dozen or so Bosses, each controlling his territory. Krako, the Boss of the southside territory, also wants heaters and instructions on how to use them and offers Kirk one-third of the proceeds for their use. The Bosses are impressed by a display of the Enterprise’s firepower and agree to Kirk’s planet unification, with Oxmyx as head Boss and Krako as his Lieutenant. Spock has reservations about leaving a criminal organization in charge and wonders how Kirk plans to collect a 40% cut every year.

As the Enterprise leaves, however, McCoy realizes he has left his communicator behind in Bela Oxmyx’s office. The communicator contains a transtator, an integral part of all machinery on the Enterprise, so the imitative Iotians will likely have made impressive technological progress by the next time the Federation visits them.

Commentary

The Enterprise crew encounters a planet’s culture based on 1920s gangsters due to a book left behind by a previous ship. Kirk and his team navigate complex political landscapes, proposing a unified leadership under Federation guidance. The episode parallels compliance in modern settings, emphasizing the importance of stakeholder engagement, cultural impact assessments, gradual policy implementation, preservation of core cultural elements, capacity building, and continuous improvement. These lessons highlight the delicate balance between cultural preservation and progress in compliance.

Key Highlights

  • Story Synopsis: A Piece of the Action
  • Fun Facts and Deeper Questions
  • Compliance Lessons from Star Trek
  • Strategies for Effective Compliance

Resources

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Compliance Into the Weeds

Compliance into the Weeds: The Convergence of Cybersecurity and Internal Controls

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into a recent SEC enforcement action involving RR Donnelley, where a cyber breach was characterized as an internal control

In this episode, we discuss how criminal activities in cyberspace are outpacing regulatory measures and the law’s ability to keep up. The conversation touches on the idea that access controls for valuable corporate assets, whether financial data or sensitive information, are becoming indistinguishable in the eyes of cybercriminals. The discussion includes a thought-provoking perspective on merging cybersecurity and anti-money laundering functions, as both deal with improper electronic transactions. The core concern is not just the breach itself, but also the prevention of data exfiltration.

Key Highlights:

  • Corporate Jewels: Money vs. Data
  • Cybersecurity and Anti-Money Laundering
  • Improper Electronic Transactions
  • Focus on Data Exfiltration
  • Conclusion: Preventing Data Theft

Resources:

Matt on Radical Compliance


The Hill Country Podcast

The Hill Country Podcast: Dr. Brent Ringo on One Year at KISD

Welcome to the award-winning Hill Country Podcast. The Texas Hill Country is one of the most beautiful places on earth.

In this podcast, Hill Country resident Tom Fox visits with the people and organizations that make this the most unique area of Texas. This week, Tom welcomes back Dr. Brent Ringo of Kerrville ISD.

They discuss a significant $1.7 million donation aimed at hiring additional grade-level leaders to improve math and reading outcomes for third graders. Dr. Ringo also discusses KISD’s new early college high school designation, the community and teacher feedback processes, improvements in academic performance, and strong partnerships with local businesses and Schreiner University. Athletic and fine arts successes within the district are also highlighted.

Key Highlights:

  • Exciting Donation to KISD
  • Early College High School Designation
  • Reflections on the Past Year
  • Transparency and Accountability in Texas Public Schools
  • Partnerships with Local Businesses and Schreiner University
  • Looking Forward to the Next School Year

Resources:

KISD

Other Hill Country Focused Podcasts

Hill Country Authors Podcast

Hill Country Artists Podcast

Texas Hill Country Podcast Network

Daily Compliance News

Daily Compliance News: July 17, 2024 – The Menendez Guilty Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Senator Robert Menendez is guilty. (WSJ)
  • Carlos Watson was found guilty. (Bloomberg)
  • Deutsche Bank flouted accounting rules. (FT)
  • Does Amazon Prime Day cause injuries? (WaPo)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Compliance Tip of the Day

Compliance Tip of the Day: Executive Compensation and Compliance Incentives

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In today’s episode, what is the role of executive compensation in compliance incentives?

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

To check out The Compliance Handbook, 5th edition, click here.

Great Women in Compliance

Great Women in Compliance: Amy Hanan – ‘Relentless Curiosity’ in Life and Work

While marketing professionals typically operate “behind the curtain,” Amy Hanan is taking center stage these days. As a chief marketing officer for LRN, she’s recently been a keynote speaker at a headline session for a major compliance event and is traveling the globe leading roundtables that connect top compliance & ethics professionals with the latest research trends.

Hanan’s career path has included the Associated Press (when the internet was in its infancy), along with B2B and legal marketing positions when marketing automation technology was brand new. Honing her professional skills—and her people skills—along the way, Hanan has blazed a trail in a niche where her passion for compliance and ethics serves her well.

Listen in as she talks about the things she’s learned along the way.

Highlights:

  • How raising your hand can change the trajectory of your career
  • The value of “relentless curiosity” in both life and work
  • Curating a leadership style
  • Learning from mistakes—and the power of exercise, tea & fuzzy socks

Resources:

Join the Great Women in Compliance community on LinkedIn here.

Blog

Navigating the New Frontier: SEC’s Enforcement Action on RR Donnelley and its Implications for Compliance

In the ever-evolving compliance landscape, the recent enforcement action by the Securities and Exchange Commission (SEC) against RR Donnelley is a significant case study. This incident underscores the importance of robust cybersecurity measures and highlights the SEC’s expanding reach into areas traditionally viewed outside its purview. As compliance professionals, understanding the intricacies of this case is crucial for adapting to the dynamic regulatory environment. Matt Kelly and I took a deep dive into the enforcement action in a recent Compliance into the Weeds episode.

RR Donnelley, a company historically known for its printing services and later for marketing services, faced an SEC enforcement action in November 2021 due to a cybersecurity breach. Hackers accessed and copied confidential corporate customer data, which was later posted on the dark web. The SEC’s main contention was that Donnelley failed to disclose this breach to investors promptly and had inadequate internal controls over its IT systems. Ultimately, the company was fined $2.1 million.

The SEC’s enforcement action was based on the premise that Donnelley’s cybersecurity measures were insufficient, leading to unauthorized access to its IT assets. Specifically, the SEC utilized provisions related to internal control over financial reporting to impose sanctions even though no direct accounting fraud or economic loss occurred. This approach represents a novel application of the SEC’s powers, using internal accounting control clauses to address cybersecurity issues.

Matt believes that the SEC’s enforcement hinged on the idea that poor cybersecurity equates to poor internal controls over assets. The SEC interpreted the Exchange Act to mean that access to a company’s assets, whether data or financial, should be controlled and authorized by management. Matt noted in his blog post that the statutory authority for that statement flows from the Exchange Act of 1934, which established the Securities and Exchange Commission and the anti-fraud securities laws we use today. The text of the Exchange Act states that companies must devise and maintain a system of internal accounting controls “sufficient to provide reasonable assurances” on four points:

  • Transactions are executed according to management authorization;
  • Transactions are appropriately recorded;
  • Access to assets is permitted only according to management authorization;
  • Recorded accountability for assets is reconciled with existing assets.

The hackers’ ability to access Donnelley’s IT systems without authorization was viewed as a failure of these internal controls.

This interpretation broadens the scope of what compliance professionals must consider under the umbrella of internal controls. Traditionally, internal controls were seen in the context of financial reporting and safeguarding physical assets, most often cash or cash equivalents. However, these requirements cover not only cash but all other corporate assets as well. Moreover, this case suggests that digital assets, and the controls around them, are equally critical.

Another critical aspect of the case was the failure to disclose the breach promptly. According to the SEC, Donnelley’s IT security team was aware of the breach but did not quickly escalate it to senior management. It took an external party’s notification for the CISO and senior executives to become fully aware and take action.

This scenario underscores the importance of having robust internal communication channels and protocols to ensure that significant cybersecurity incidents are promptly reported to senior management. Moreover, it highlights the need for transparency with investors regarding such breaches, aligning with the SEC’s mandate to protect investor interests.

Compliance professionals must now consider cybersecurity an integral part of internal control systems. Ensuring that IT systems are secure and that access to digital assets is tightly controlled should be a priority. This involves regular audits of cybersecurity measures, continuous monitoring of IT systems, and implementing robust access control mechanisms.

The case also highlights the necessity of clear and effective disclosure practices. Compliance teams should ensure that there are well-defined procedures for reporting cybersecurity incidents internally and disclosing them to investors when necessary. This might include setting up rapid response teams and informing senior management immediately of significant breaches.

Given the technical nature of cybersecurity, collaboration between compliance and IT departments is essential. Compliance officers should work closely with CISOs and IT security teams to understand potential risks and ensure appropriate controls are in place. This partnership is vital for creating a comprehensive compliance strategy that addresses traditional financial risks and emerging digital threats.

The SEC’s approach, in this case, signals that regulators are willing to use existing frameworks to address new types of risks. Compliance professionals should prepare for increased scrutiny and be proactive in ensuring their organizations meet regulatory expectations. This may involve regular training, staying updated with regulatory changes, and conducting thorough risk assessments.

The RR Donnelley case serves as a wake-up call for compliance professionals, emphasizing the need to adapt to an evolving regulatory landscape. By broadening the scope of internal controls to include cybersecurity and enhancing disclosure practices, compliance teams can better protect their organizations and meet regulatory expectations. Collaboration with IT and staying vigilant about regulatory trends will be vital to navigating this new frontier in compliance.

Perhaps more ominously, Matt, in another blog post on the United Healthcare cyber-attack in Q1 2024, asked, “If the SEC applied that theory of enforcement against Donnelley, shouldn’t that same theory now be applied against UnitedHealth? At this point, we should discuss exactly how UnitedHealth’s breach happened. Change Healthcare had not implemented multi-factor authentication on a critical computer server, which allowed attackers to use stolen employee credentials to gain access. In other words, UnitedHealth had allowed poor access control on a critical system.”

In other words, Watch This Space.