Categories
Innovation in Compliance

Innovation in Compliance: Travis Howerton on Revolutionizing Compliance – Integrating Automation for Digital Transformation

Innovation comes in many areas and compliance professionals need to not only be ready for it but embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast.

In this episode, Tom welcomes back Travis Howerton, a co-founder of RegScale, the sponsor for this episode, to take a deep dive into automating compliance solutions for the digital transformation of compliance.

Howerton advocates for the integration of automation in compliance to keep pace with rapid technological advancements, thereby maintaining competitiveness and efficiency. Through digitizing regulations by using the latest standards and forming strategic partnerships, Howerton and RegScale are transforming traditional compliance from a manual, burdensome task into an automated, streamlined process, thereby redefining the role of compliance professionals as key contributors to secure and innovative operations.

We discuss the three pillars of cybersecurity: confidentiality, integrity, and availability. While much focus is placed on safeguarding confidentiality to protect sensitive information, the speaker highlights that integrity issues pose a significant threat, particularly in sensitive industries like healthcare and critical infrastructure. Compromised integrity can lead to dire physical consequences, making it the most concerning aspect of cybersecurity.

Key Highlights:

  • Introduction to Cybersecurity’s Three-Legged Stool
  • Focus on Confidentiality in Cybersecurity
  • The Critical Importance of Data Integrity
  • Real-World Implications of Integrity Issues
  • The Sleepless Nights of a Cybersecurity Analyst

Resources:

Travis Howerton on LinkedIn

RegScale

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Corruption, Crime and Compliance

Deep Dive into The SEC’s Settlement with R.R. Donnelley on Cybersecurity Controls

How does the SEC’s recent settlement with R.R. Donnelley & Sons Company impact internal controls for cybersecurity incidents?

In this episode of Corruption, Crime, and Compliance, Michael Volkov discusses a significant decision by the SEC involving a $2.1 million settlement with R.R. Donnelley & Sons Company (RRD) related to a 2021 ransomware attack.

The SEC’s decision marks the first time it has applied its internal controls enforcement authority to cover cybersecurity policies and procedures, representing a substantial expansion of its enforcement reach.

The SEC criticized RRD for failing to prioritize the review of security alerts and implement an effective workflow for escalating such reports. This oversight led to delayed detection and response to the cyber attack, during which hackers exfiltrated 70 gigabytes of data, including personal and financial information tied to 29 clients.

You’ll hear him talk about:

  • The importance of robust internal controls to ensure prompt investigation and escalation of potential cybersecurity incidents.
  • The need for companies to allocate sufficient resources and personnel to monitor and respond to third-party security alerts.
  • The SEC’s critique of RRD’s internal incident response policies, particularly the lack of clear lines of responsibility and efficient workflows.
  • The dissenting opinions within the SEC regarding the broad application of internal controls to cybersecurity, which highlight the need for specific guidance on reasonable cybersecurity controls.

Resources:

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

SEC settlement

Categories
Compliance Into the Weeds

Compliance into the Weeds: Major Cybersecurity Incidents and Regulatory Challenges

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into two stories: the dismissal of the SEC’s enforcement action against SolarWinds, and the CrowdStrike cybersecurity failure.

Tom and Matt begin with UnitedHealth’s costly ransomware attack, a federal judge’s ruling against the SEC’s lawsuit over SolarWinds’ cybersecurity practices, and CrowdStrike’s flawed software update impacting global corporations.

The episode explores the regulatory challenges of enforcing effective cybersecurity controls and the implications for companies and their compliance programs. The discussion highlights the need for better IT general controls and the role of different stakeholders, including Congress, regulatory agencies, and audit firms, in addressing these cybersecurity risks.

Key Highlights:

  • UnitedHealth Ransomware Attack Breakdown
  • SolarWinds Cybersecurity Lawsuit
  • Regulatory Challenges and Implications
  • Operational Risk Management and IT Controls
  • Call to Action for Compliance and Audit Professionals

Resources:

Matt on Radical Compliance

Tom

Categories
Uncovering Hidden Risks

Ep 11 – Cybersecurity 101: What are the Three Pillars of a Robust Strategy

Cybersecurity is not just a defensive strategy; it can be a powerful driver of an organization’s success. In this episode, host Erica Toelle talks to Nashid Shaker, AVP, Information and Cyber Security Strategy at Canadian Western Bank Financial Group, and Antonio Maio, Managing Director at Protiviti, about how to tactically create a cybersecurity strategy that aligns with business goals, fosters trust, and enables innovation. Nash is an experienced and innovative cybersecurity leader passionate about orchestrating secure digital transformations that fuel growth, leveraging a multidisciplinary background in strategic planning and cybersecurity.

In This Episode, You Will Learn:

  • When it’s time to re-evaluate your cybersecurity strategy.
  • What cybersecurity leaders should think about today to prepare for a future that will use AI.
  • Predictions for cybersecurity in the next 2–4 years.

Some Questions We Ask:

  • What is the top risk that organizations tend to overlook?
  • What are some tips for how cybersecurity leaders should engage with the C-suite?
  • Can cybersecurity contribute to an organization’s bottom line or mission?

Resources:

View Nash Shaker on LinkedIn

View Antonio Maio on LinkedIn

View Erica Toelle on LinkedIn

Related Microsoft Podcasts:

Listen to: Afternoon Cyber Tea with Ann Johnson

Listen to: Security Unlocked

Listen to: Security Unlocked: CISO Series with Bret Arsenault

Discover and follow other Microsoft podcasts at microsoft.com/podcasts

Connect with the Compliance Podcast Network at:

LinkedIn: https://www.linkedin.com/company/compliance-podcast-network/
Facebook: https://www.facebook.com/compliancepodcastnetwork/
YouTube: https://www.youtube.com/@CompliancePodcastNetwork
Twitter: https://twitter.com/tfoxlaw
Instagram: https://www.instagram.com/voiceofcompliance/
Website: https://compliancepodcastnetwork.net/

Categories
Compliance Week Conference Podcast

Compliance Week 2024 Speaker Preview Podcasts – Michael Rinard on the Intersection of Compliance and IT

In this episode of the Compliance Week 2024 Speaker Preview Podcasts series, Michael Rinard discusses his panel presentation at Compliance Week 2024, “Opportunities at the Intersection of Compliance and IT.” Some of the issues he will discuss in this podcast and his presentation are:

  • Compliance, CISOs, and cybersecurity
  • Getting Board engagement
  • Seeing old friends, meeting new friends, and learning about new best practices at Compliance Week 2024.

I hope you can join me at Compliance Week 2024. This year’s event will be held April 2-4 at the Westin Washington, DC, Downtown. The line-up is first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 19th year, the event brings together 500+ compliance, ethics, legal, and audit professionals who gather face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. Join them to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 80+ respected cross-industry practitioners, including CEOs, CCOs, regulators, federal officials, and practitioners, to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from panels on leadership, fraud detection, confronting regulatory change, abiding by cross-border rules and regulations, and the always-favorite fireside chats.
  • Bring actionable takeaways from various session types, including cyber, AI, Compliance, Board obligations, data-driven compliance, and many others, to your program for you to listen, learn, and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Compliance Week is offering a $200 discount on the registration price. Enter the discount code TFOX2024 for $200 off.

The Compliance Podcast Network produces the Compliance Week 2024 Preview Podcast series. Compliance Week sponsors this series.

Categories
FCPA Compliance Report

FCPA Compliance Report – John Gebauer and John Van Der Wal on Implementing Comprehensive Strategies for Regulatory Rule Compliance

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes John Gebauer, Chief Regulatory Officer at COMPLY, and John Van Der Wal, Senior Director, Compliance Advisory at COMPLY.

John Gebauer and John Van Der Wal are seasoned professionals in the financial industry, each with over three decades of experience and a focus on regulatory changes and compliance challenges. Gebauer believes that there is a need for stricter controls and requirements in the ESG space. He emphasizes the importance of firms having the necessary documents and procedures to back up their claims of being ESG advisors. Van Der Wal shares a similar perspective. He stresses the need for more controls and requirements in ESG advising, the importance of vendor due diligence, and the potential of AI and machine learning technologies in preventing inappropriate activity. Both Gebauer and Van Der Wal highlight the importance of staying up-to-date with changing rules and regulations in the financial industry. Join Tom Fox, John Gebauer, and John Van Der Wal on this episode of the FCPA Compliance Report to delve deeper into these insights.

Key Highlights:

  • Compliance Consulting Expert: John Gebauer
  • Private Fund Reform Rule: Addressing Industry Concerns and Improving Practices
  • Comprehensive Approach for Rule Implementation
  • Cybersecurity Measures to Prevent Insider Trading
  • The Impact of Cybersecurity Regulations on Finance

Resources:

John Gebauer on LinkedIn

COMPLY

Tom Fox


Categories
Daily Compliance News

October 19, 2022, the Holcim Paid Terrorists Edition

In today’s edition of Daily Compliance News:

  • More Austrian corruption unfolding. (FT)
  • Cybersecurity tops CIO agendas. (WSJ)
  • Holcim pleads guilty to making payments to terrorists. (Bloomberg)
  • Meta forced to sell Giphy. (NYT)

Categories
Compliance Into the Weeds

DFS Fines Carnival Cruise Lines for Cyber Failures

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we deep dive into the recent New York Department of Financial Services enforcement action against Carnival Cruise Lines for failures in its cybersecurity reporting obligations. Highlights include:

  • Why is Carnival Cruise Lines subject to the DFS?
  • What violations occurred?
  • Why were there false certifications?
  • What were the tactical cybersecurity violations?
  • Were they material?
  • Lessons for the compliance professional.

Resources:

Matt on Radical Compliance

Categories
Blog

Why Cybersecurity Will Never Be the Same After the Russian Invasion

After the Russian invasion of Ukraine, the world of business will never be the same again. Deputy Attorney General (DAG) Lisa Monaco recently said that the world’s “geopolitical landscape is more challenging and complex than ever. The most prominent example is of course Russia’s invasion of Ukraine.” It is “nothing less than a fundamental challenge to international norms, sovereignty and the rule of law that underpins our society.” This is even more so in the current business climate.

Over this five-part series, I will consider how business will never again be the same and how a confluence of events has changed business forever. I am joined in this exploration by Brandon Daniels, Chief Executive Officer (CEO) of Exiger. We will explore the irrevocable changes in supply chain, trade and economic sanctions, anti-corruption, cybersecurity and environmental, social and governance (ESG). In Part 4, we continue to explore the changes wrought by the Russian invasion of Ukraine, this time in the realm of cybersecurity.

The Russian invasion of Ukraine gave everyone else an understanding of how serious cybersecurity really is from a defense perspective and not just from a corporate risk management perspective. According to Daniels, it drove home the clear message in cybersecurity that the United States is in a non-kinetic war with Russia and China. Over the past decade the theft of intellectual property (IP) through cybercrime has steadily increased, but Russia and China are essentially “showering the US with attacks” and specifically Russia is attempting to compromise “US facilities and technologies since the crisis” began.

A second and equally important point on cybersecurity is how interconnected it is with commerce. Countries such as Russia and China are clearly using both state and non-state businesses to further the ambitions of the state. These attacks have been particularly prevalent in the supply chain, where 80% of the largest cyber-attacks that have occurred have been supply chain attacks. This means that you may have integrated some software into your organization through a vendor, but somewhere earlier in that software’s development, in that vendor’s purchasing of underlying software capabilities, a malicious piece of software was planted by a state-owned actor, a non-state actor or a criminal network. This interconnectedness between third party and supply chain risk management and cyber risk management was made much more explicit by the Russian invasion of Ukraine.

Daniels pointed out that companies may have “vendors that are owned one to two degrees away by Russian oligarchs and those Russian oligarchs might be using the fact that we use their software one to two degrees away as an entry point to steal classified information about what the US government is doing in” an area such as critical infrastructure. Once again, the nature of cybersecurity and its interconnectedness with third party and supplier risk management was “another revelation that came out of this crisis and this conflict.”

One of the continuing themes from the Russian invasion of Ukraine is the interconnectedness of risks, which will never be the same. Some of these we have previously explored, such as supply chain, trade and economic sanctions, and anti-bribery and anti-corruption. There are others, such as crypto and ESG, as well. This can all lead to a perception of complexity which could overwhelm risk management and other business professionals thinking through how to manage these risks.

Daniels suggested an approach which assesses your vendors in their environment across four quadrants of risk: operational, foreign ownership, financial health and reputational risk. After you have established your risk appetite, you will need to assess every vendor on an individual and singular basis. You should have a process where each vendor coming through your company’s pipeline follows an onboarding process that manages to your risk appetite and then monitors for risks that could pull a vendor above your risk threshold. If a vendor falls outside of your risk appetite for any of these key areas, you should review the use of that vendor in more detail.

There are other risk profiles you should consider. One is industry risk, which means asking what critical industries you are relying upon. Daniels noted that a cloud hosting company should be concerned with computing resources, bandwidth, power, or fiber optic resources. He said, “Don’t try to boil the ocean, just look at your critical industries and see where you might have issues that are coming up that could be problematic” for your industry.

Finally, another key risk area to consider is jurisdictional risk. This means reviewing the locations of your facilities. Daniels said, “I look at where my top or most critical products are being manufactured. Again, if I’m a cloud hosting company, it might be the microelectronics that I use to power computing resources, to determine where the concentration of manufacturing locations.” But the key is to take it in bite-size chunks by company, industry, and jurisdiction, and then monitor so you can at least maintain a reactive posture on upcoming events. Doing so enables your company to mature and evolve the program continuously, increasing its sophistication and efficacy and moving it toward proactive risk management.

Categories
This Week in FCPA

Episode 293 – the Ukraine Hangs On edition

As Ukraine hangs on against the Russian invasion, Jay is on assignment, so fan fav Kristy Grant-Hart joins Tom this week as co-host to look at some of the week’s top compliance and ethics stories, focusing on the impact of the Ukrainian crisis, in the Ukraine Hangs On edition.
Stories

  1. What the Russian invasion means for companies and compliance. Tom with a series in the FCPA Compliance and Ethics Blog. Matt Kelly in Radical Compliance.
  2. Dick Cassin says sanctions may lead to more corruption in the FCPA Blog.
  3. Jaclyn Jaeger looks at supply chain disruption and issues in Compliance Week (sub req’d)
  4. Matthew Murray asks if Putin invaded Ukraine to advance corruption, in GAB.
  5. Chasing oligarchs’ money, from the Washington Post.
  6. The Swiss approach to Ukraine crisis. Mark Pieth in Risk and Compliance Europe.
  7. Mike Volkov focuses on new and evolving sanctions, in Corruption Crime and Compliance.
  8. Economic nationalism and corporate governance. Martin Geller, in Harvard Law School Forum on Corporate Governance.
  9. Illicit finance and High-value art. Sullivan & Cromwell lawyers in Compliance and Enforcement.
  10. The invasion and cybersecurity. Jonathan Armstrong in Cordery Compliance.

Podcasts and More

  1. In March on The Compliance Life, I visit with Audrey Harris, Managing Director at AMI, formerly CCO at BHP. In Part 1, she discusses her academic background and early professional career.
  2. On the FCPA Compliance Report, Tom has a 2-part series with Trade Compliance guru Matt Silverman on the full extent of possible Russia sanctions (Part 1) and the corporate response you need to make (Part 2).
  3. Tom and Loren Steffy look at energy issues and fallout from the Russian invasion in Greetings and Felicitations.
  4. Tom and Matt Kelly take a deep dive into the compliance weeds about the Russian invasion on Compliance into the Weeds.
  5. Silvia Surman devotes the entire week to Russian trade sanctions and economic issues in The Compliance Kitchen.
  6. Tom celebrates Texas Independence Day and the anniversary of the Alamo in a podcast with Don Frazier, Executive Director of the Texas Institute at Schreiner University on The Hill Country Podcast.

Tom Fox is the Voice of Compliance and can be reached at tfox@tfoxlaw.com. Kristy Grant-Hart is Compliance Kristy and can be reached at kgranthart@sparkcompliance.com.