Creativity and Compliance – Using Creativity to Market Compliance

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on the award-winning Creativity and Compliance. Ronnie’s company, Learning and Entertainment, leverages the entertainment devices people use to consume information in their everyday, non-work lives and applies them to important topics related to compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible.

Today, Tom and Ronnie discuss the importance of addressing the marketing and PR issues in ethics and compliance programs in this episode of ‘Creativity and Compliance.’ Ronnie introduces his new white paper titled ‘Ethics and Compliance has a Marketing and PR Problem,’ emphasizing the need to revamp compliance programs by adopting marketing strategies. Key strategies discussed include creating a positive brand identity, gaining and maintaining attention, building and nurturing relationships, leveraging influencer status, and measuring the right metrics. Examples and anecdotes illustrate these concepts and practical applications.

Key highlights:

  • Marketing and Compliance: A New Approach
  • Creating a Voice Identity and Brand
  • Gaining and Maintaining Attention
  • Building and Nurturing Relationships
  • Becoming an Influencer
  • The Importance of Measurement

Resources:

  • Ronnie
  • Tom
  • Instagram
  • Facebook
  • YouTube
  • Twitter
  • LinkedIn

Creativity and Compliance was recently honored as one of the Top 35 Podcasts on Creativity by Feedspot.

Data Driven Compliance – Fraud vs. Compliance Risk Assessments: Understanding Key Differences and Best Practices

Welcome to Season 2 of the award-winning Data Driven Compliance. In this new season, we will look at the new Failure to Prevent Fraud offense. Join host Tom Fox as we explore this new law and how to comply with it through the lens of data-driven compliance. This podcast is sponsored by KonaAI, and Tom is joined by Jonathan Marks from BDO.

Today, we look at the distinctions between fraud risk assessments and compliance risk assessments. Despite initial similarities in risk control and governance, the two are fundamentally different in purpose, methodology, and impact. We also explore how compliance risk assessments ensure organizations follow laws, regulations, and policies, while fraud risk assessments focus on identifying, assessing, and prioritizing potential fraudulent activities. Key elements, including fraud schemes, concealment techniques, conversion motivations, and red flags, are discussed. Additionally, we emphasize the need for specialized skills and experience in conducting these assessments and highlight the role of continuous improvement in strengthening organizational resilience against both compliance and fraud risks.

Key highlights:

  • Understanding Fraud Risk Assessments
  • Key Elements of Fraud Schemes
  • Identifying and Evaluating Red Flags
  • Connecting Red Flags to Controls
  • Compliance Risk Assessments Explained
  • Differences Between Compliance and Fraud Risk Assessments

Resources:

  • BDO
  • Jonathan Marks on LinkedIn
  • konaAI, a Covasant company
  • Click here for the konaAI White Paper, Rethinking Compliance: Practical Steps for Adapting to the UK’s New Fraud Legislation
  • Connect with Tom Fox on LinkedIn

AI Today in 5: September 26, 2025, The Of Mice and AI Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI, so start your day, sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest related to AI.

Top AI stories include:

  • India and Venezuela sign AI pact. (Coingeek)
  • Little difference between the neural networks of mice and AI. (TechXplore)
  • xAI snags the US government. (NYT)
  • 85% of execs expect compliance gains with AI. (PYMNTS)
  • AI could accelerate clinical gains. (MIT News)

For more information on the use of AI in compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

From the Editor’s Desk – Compliance Week’s Insights and Reflections for September and into October 2025

In this episode of ‘The Editor’s Desk’ podcast, hosts Tom Fox and Aaron Nicodemus delve into key compliance issues featured in Compliance Week.

Tom and Aaron discuss top stories from Compliance Week in September and provide a preview of upcoming content and events. They delve into a three-part case study on Lafarge’s bribery payments to terrorist groups in Syria, exploring its implications for companies operating in high-risk regions. They also discuss a resurfaced case study involving Jeffrey Epstein, JPMorgan Chase, and Deutsche Bank. The episode also highlights Ruth Prickett’s report on digital wallets in Europe, as well as the related compliance and data privacy issues. Additionally, they cover trends in FCPA enforcement, healthcare compliance with a focus on the FCA, immigration issues, and the importance of proactive compliance programs. The episode wraps up with insights into the upcoming ‘Inside the Mind of the CCO’ survey and the January conference on AI and data analytics in compliance.

Resources:

  • Aaron Nicodemus on LinkedIn
  • Compliance Week

Compliance Tip of the Day – The Mock Audit

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week, we have a 5-part series on audits adjacent to compliance, and today, in this concluding Part 5, we consider the Mock Audit.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.

Daily Compliance News: September 26, 2025, The Quantum Trading Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, including compliance, ethics, risk management, leadership, or general interest, relevant to the compliance professional.

Top stories include:

  • A RadioShack Ponzi scheme. (Bloomberg)
  • Former French President Sarkozy received a 5-year sentence. (BBC)
  • Healthcare compliance, the FCA, and AKS. (Reuters)
  • Quantum trading on the bond market. (FT)

2 Gurus Talk Compliance – Episode 60 – The Dispatches Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

Stories this week include:

  • A former Navy No. 2 was sentenced to 6 years for corruption. (NBC)
  • BCG employees to take Humanitarian Principles training. (FT)
  • DOJ is about to cut loose the Binance monitor. (Bloomberg)
  • Trump calls for the end of quarterly reporting for public compliance. (NYT)
  • First AI CCO. (BBC)
  • Dispatches from the SCCE Conference. (Radical Compliance)
  • Trump and Europe Are at Odds Over How to Sanction Russia. (WSJ)
  • What Compliance Leaders Need to Know Ahead of Crucial DOJ Data Security Program Deadline. (Corporate Compliance Insights)
  • The Rush to Return to Office is Stalling. (WSJ)
  • Florida man clings to back of moving UPS truck to avoid deputies after Lowe’s shoplifting attempt: officials. (FOX Orlando 35)

Connect with the Hosts:

  • Prove Your Worth
  • Tom
  • Instagram
  • Facebook
  • YouTube
  • Twitter
  • LinkedIn

Fox on Podcasting – From Jerry Springer to Podcasting: Reena Friedman-Watts’ Dynamic Career Journey

Join Tom Fox as he explores the world of podcasting, and get ready to be inspired to start your own podcast. In this episode, Tom welcomes Reena Friedman-Watts, fellow podcaster and co-host of the upcoming podcast conference Speke Fest Houston.

Reena discusses her fascinating career trajectory, which began with her work at NPR during college, continued with her stint on the Jerry Springer show, and ultimately led to her involvement in the world of podcasting and television production. Reena shares her experiences in the entertainment industry, her transition to podcasting with her show ‘Better Call Daddy,’ and how she crafts compelling interviews. They also discuss her upcoming event, Speke Fest Houston, highlighting the unique venue, event details, and the diverse lineup of speakers. Reena concludes with some of her memorable interviews and the invaluable lessons learned along the way.

Key highlights:

  • Reena’s Professional Journey Begins
  • From Jerry Springer to Hollywood
  • Transition to Reality TV and Family Life
  • Launching a Podcast and Memorable Interviews
  • Speke Fest Houston: A Unique Podcasting Event

Resources:

  • Reena Friedman Watts on LinkedIn
  • Speke Fest-Night of the Living Pod
  • Better Call Daddy Podcast

Artwork:

  • Elaine Capers
  • Art by Elaine

Tom:

  • Instagram
  • Facebook
  • YouTube
  • Twitter
  • LinkedIn

Cybersecurity Oversight at the Board

Cybersecurity risk is no longer a back-office IT issue. It is a board-level governance priority, a regulatory compliance challenge, and a reputational minefield. From ransomware attacks to regulatory enforcement actions, the stakes have never been higher. An article in the Harvard Law School Forum on Corporate Governance, titled “Risk Management and the Board of Directors,” reviewed the NACD’s 2025 survey, which showed that over three-quarters of boards now discuss the material and financial implications of cyber incidents. While that is progress, awareness alone is not enough.

For compliance professionals, the message is unmistakable: cybersecurity oversight is now a central pillar of governance. In this post, I will explore the evolving regulatory landscape, lessons from enforcement actions, and practical steps compliance teams can take to help boards discharge their responsibilities effectively.

A National Priority with Global Reach

Cybersecurity has moved to the top of national agendas. The Biden Administration’s 2023 National Cybersecurity Strategy set the tone, and the Trump Administration’s 2025 Executive Order reinforced it, emphasizing protections against foreign cyber threats and secure technology practices. But this is not just a U.S. issue. The EU’s GDPR, California’s CCPA, Virginia’s CDPA, and Illinois’s biometric data laws all impose sweeping obligations with high-stakes enforcement. Settlements under Illinois’s biometric privacy law alone have reached into the hundreds of millions.

For compliance professionals, this expanding patchwork of regulation means that cyber oversight cannot be siloed by geography or business unit. Boards must ensure management understands and complies with both domestic and international requirements.

The SEC Steps into the Spotlight

If boards needed any reminder of their cyber responsibilities, the SEC has provided it. In 2023, the SEC finalized disclosure rules requiring companies to report material cyber incidents on Form 8-K within four business days (subject to limited delays approved by the Attorney General). Companies must also disclose in their 10-Ks their processes for identifying and managing cyber risks, the material impacts of prior incidents, and, critically, the board’s role in oversight.

The SEC has coupled disclosure mandates with enforcement actions. From Robinhood in 2025 (failure to implement identity theft protections) to SolarWinds in 2023 (alleged fraud and internal control failures), to Blackbaud’s ransomware misrepresentations and Morgan Stanley’s vendor monitoring failures, the Commission is signaling that cyber lapses are securities law violations. The key takeaway for compliance is that disclosures must be accurate, controls must be effective, and boards must demonstrate active oversight. Anything less may well invite regulatory scrutiny.

DOJ, FTC, and State Regulators Join In

The SEC is not alone. The DOJ has used the False Claims Act to address software vulnerabilities sold to government agencies. The FTC has pursued cases against GoDaddy and other providers for failing to implement adequate protections. The New York Department of Financial Services (NYDFS) has enforced its prescriptive cybersecurity rules since 2019, with actions as recent as August 2025. And globally, regulators like Ireland’s Data Protection Commission have issued blockbuster fines, such as the €530 million penalty against TikTok for unlawful data transfers.

The compliance implication is clear: multi-layered enforcement is now the norm. Cybersecurity and data privacy risks span agencies, jurisdictions, and statutes. Boards must assume that regulators will coordinate, cross-reference, and pursue failures aggressively.

Frameworks That Matter

With enforcement risk high, companies need a structured approach. The National Institute of Standards and Technology (NIST) Cybersecurity Framework has become the de facto benchmark, with its five core functions: identify, protect, detect, respond, and recover. Both the SEC and FTC endorse it, and boards should expect management to benchmark their programs against it.

At the governance level, the NACD’s Director’s Handbook on Cyber-Risk Oversight and guidance from the Cybersecurity & Infrastructure Security Agency (CISA) provide clear expectations: boards should not manage cyber risk, but they must oversee management’s handling of it.

Lessons from Enforcement Actions

Every enforcement case tells a story, and compliance professionals should use these as teaching tools:

  • Vendor Oversight Matters – Morgan Stanley’s failure to monitor vendors exposed data from 15 million customers. Boards must ensure that vendor cyber risk is integrated into their oversight.
  • Accurate Disclosures Are Non-Negotiable – SolarWinds and Blackbaud faced allegations of misrepresentation around breaches. Boards must verify that management’s cyber disclosures are truthful and complete.
  • Controls Must Be Tested – Robinhood’s identity theft control failures remind us that having policies on paper is not enough. Boards should require evidence that controls work in practice.

Practical Steps for Compliance Professionals

So how can compliance officers help boards meet their obligations in this complex cyber landscape? Four steps stand out:

1. Educate and Engage the Board

Boards need ongoing, tailored education on cyber risks. Compliance should arrange regular briefings from CISOs, external experts, and regulators. This ensures directors can ask informed questions and challenge management effectively.

2. Strengthen Incident Response Preparedness

An incident response plan is only as strong as its execution. Compliance must test plans through tabletop exercises, ensure disclosure obligations are understood, and coordinate with law enforcement and advisors. Boards should be briefed on lessons learned after every drill or real incident.

3. Integrate Cyber Risk into Enterprise Risk Management

Cyber risk cannot be isolated from strategy, finance, and operations. Compliance should help boards see cyber threats as part of enterprise risk management, aligned with business goals and resilience planning.

4. Monitor Third-Party and Supply Chain Risk

Vendors, cloud providers, and contractors are often the weak link. Compliance should implement due diligence, ongoing monitoring, and contract requirements that address cyber obligations. Boards should receive visibility into these risks and the company’s mitigation strategies.

Why This Matters for Boards and Compliance

Cybersecurity is not just an IT challenge; it is a governance imperative. Regulators, courts, and investors expect boards to demonstrate active, documented oversight. For compliance professionals, the mandate is to help boards meet that expectation with clarity, structure, and evidence.

The reality is stark: a single breach can devastate a company’s reputation, stock price, and stakeholder trust. But boards that embrace active oversight, guided by compliance professionals, can transform cybersecurity from a vulnerability into a competitive advantage.

Final Thoughts

The cyber landscape is evolving faster than most organizations can keep pace with. But boards do not have the luxury of waiting. As recent regulations and enforcement actions demonstrate, oversight failures will be punished, sometimes harshly.

For compliance professionals, this is both a challenge and an opportunity. By educating boards, strengthening incident response, integrating cyber into enterprise risk, and addressing third-party exposures, compliance can elevate its role from policy enforcer to strategic partner.

The bottom line: Cybersecurity oversight is no longer optional. It is the frontline of governance, and compliance professionals are the essential guides helping boards navigate it.