Categories
10 For 10

10 For 10: Top Compliance Stories For The Week Ending December 9, 2023

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day, here.

Connect with Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
From the Editor's Desk

From The Editor’s Desk – November and December, 2023 in Compliance Week

Welcome to From the Editor’s Desk, a podcast where co-hosts Tom Fox and Kyle Brasseur, EIC at Compliance Week unpack some of the top stories that have appeared in Compliance Week over the past month, look at top compliance stories upcoming for the next month, talk some sports and generally try to solve the world’s problems.

 Tom Fox and Kyle Brasseur are back. In this edition, Brasseur believes that organizations need to prioritize data analytics and data-driven compliance to meet the expectations of regulatory bodies like the Department of Justice (DOJ). He emphasizes the importance of implementing data analytics components in compliance programs and the role of the chief compliance officer in setting the tone for the compliance department. Brasseur’s perspective underscores the evolving nature of compliance practices and the need for organizations to adapt to regulatory changes. Join Tom Fox and Kyle Brasseur on this episode of the From the Editor’s Desk podcast to delve deeper into these insights.

Highlights Include:

  • FCPA Settlements: Insurance Brokers
  • Lifecore Biometrics Declination
  • Bianace
  • OpenAI, Sam Altman and Corporate Governance
  • Inside the Mind of the CCO
  • NFL corporate culture and firing of Frank Reich
  • NBA In-Season Tournament
  • 2023 NCAA Game of the Century-UM Beats OSU

 Resources

Kyle Brasseur on LinkedIn

Compliance Week

Categories
Daily Compliance News

Daily Compliance News: December 8, 2023 – The Serpico at 50 Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance brings to you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition:

  • SEC Chief Accountant on what bothers him. (WSJ)
  • Should OpenAI change its corporate structure? (WSJ)
  • ABC boosts democracy. (Brookings)
  • Serpico at 50. (The Guardian)
Categories
Daily Compliance News

Daily Compliance News: December 7, 2023 – The No Harm But A Foul Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. all from the Compliance Podcast Network. Each day we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition:

  • SCT is poised to make discrimination claims easier. (WaPo)
  • Existential moment at Dealbook Summit. (NYT)
  • Gensler warns against AI washing. (WSJ)
  • Qatargate update. (Politico)
Categories
Daily Compliance News

Daily Compliance News: December 6, 2023 – The Trump Corruption Playbook Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. all from the Compliance Podcast Network. Each day we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition:

  • Leadership lessons from Sam Altman. (Bloomberg)
  • Trump has a playbook for 2nd term corruption. (The Atlantic)
  • NDAs get trickier. (WSJ)
  • Tesla whistleblower says cars are not safe. (BBC)

Categories
Blog

Argentieri on the Use of Data Analytics

Last week, Nicole Argentieri, acting assistant attorney general for the Criminal Division, speaking at the ACI National FCPA reported that the Department of Justice (DOJ) is stepping up its own use of data analytics to identify instances of corporate misconduct, and will boost its cooperation with overseas law enforcement to bring more anti-corruption cases as well. The DOJ and the Securities and Exchange Commission (SEC) are increasingly focusing on data analytics for corporate compliance, signaling higher expectations for larger companies. Both agencies have successfully utilized data analytics in various areas, such as securities and healthcare fraud, and are actively improving their own capabilities in this field.

The DOJ has been using data analytics to uncover cases of corporate misconduct, including violations of the Foreign Corrupt Practices Act (FCPA). Acting Assistant Attorney General Nicole Argentieri, highlighted the department’s efforts to improve its data analytics game and its use of analytics to find cases of corporate misconduct. She stated, “I’d like to now turn to our use of data. In the Criminal Division, we too are going above and beyond in our effort to combat white collar crime. We are not just waiting for companies to self-report, or witnesses to come forward, or for anomalies to reveal themselves on a one-off basis. Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.” While the DOJ has successfully prosecuted individuals for FCPA violations using data analytics, there is yet to be a high-profile corporate FCPA violation case that has arisen from the department’s own data analytics.

On the other hand, the SEC has a dedicated data analytics team called the EPS team, which has uncovered cases of accounting fraud and insider trading. The SEC’s data-rich environment and lower burden of proof on the civil side have allowed them to successfully prosecute cases using data analytics. This demonstrates that regulators can effectively utilize data analytics to identify corporate misconduct.

The increasing focus on data analytics by the DOJ and SEC has implications for companies. The better a company is at data analytics, the more pressure it may face for voluntary self-disclosure of misconduct. Good data analytics can bring risks or incidents of misconduct to light, and once they are discovered, companies cannot ignore them. The 2023 Evaluation Of Corporate Compliance Programs (2023 ECCP) instructs prosecutors to inquire about a company’s use of data analytics in identifying misconduct. This puts pressure on companies to proactively address and disclose any misconduct they uncover through data analytics.

This also means that data analytics in the compliance function has moved from cutting edge to best practice. It soon may mean simply table stakes for compliance. In the 2020 ECCP, the DOJ mandated the compliance function have access to all corporate data and be able to break through data siloes in their organizations. Any company which does not have a data analytics capability may be in for a long road to hoe if the DOJ or SEC comes knocking.

However, not all companies have sophisticated data analytics programs in place. The DOJ recognizes that smaller firms may not have the same level of resources and expects a certain level of sophistication tailored to a company’s size. Larger companies, especially Fortune 500 companies, are expected to have more sophisticated data analytics capabilities, including business intelligence units and advanced technology. The expectations for more sophisticated analytics are higher for these companies.

The Bank of America CFPB enforcement action case serves as a reminder of the importance of data analytics in corporate compliance. Bank of America had the necessary data and tools to build an analytics program, but they failed to effectively utilize it, leading to compliance issues. This case highlights the need for companies to not only have data analytics capabilities but also to ensure they are properly implemented and maintained. (Matt Kelly took a deep dive into the BoA enforcement action in this week’s edition of Compliance into the Weeds.)

While data analytics can be a powerful tool for corporate compliance, there are challenges associated with its use. Companies must navigate the tradeoffs involved in balancing different factors, such as the level of sophistication required, resource allocation, and the potential risks of self-disclosure. Additionally, companies must consider the potential criticism they may face if they fail to effectively utilize their analytics tools in the event of a major compliance violation.

Argentieri’s speech highlighted the DOJ’s (and SEC’s) increasing focus on data analytics for corporate compliance highlights the importance of this tool in identifying and addressing corporate misconduct. Companies, especially larger ones, are expected to enhance their data analytics capabilities and may face increased pressure for voluntary self-disclosure. However, companies must also navigate the challenges and tradeoffs associated with data analytics to ensure effective compliance and mitigate risks.

Categories
Everything Compliance

Everything Compliance – Episode 125 – The Post – Thanksgiving Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of, Jonathan Armstrong, Matt Kelly, Karen Woody, and Jay Rosen all hosted by Tom Fox, joining us on this episode of our fan-fav Shout Outs and Rants section.

1. Matt Kelly says the US Supreme Court Code of Ethics is already broken. Kelly has a book review shout-out to Peter Cappelli for his book Our Least Important Asset.

2. Karen Woody takes a deep dive into the SEC enforcement action against Solar Winds and its current CISO. She shouts out to Megan Rapinoe and Ali Krieger who both retired from professional soccer for their great careers and leading lights of social justice.

3. Jonathan Armstrong talks about David Cameron returning to the UK government and the need to eliminate sleaze in government. He rants about sliced salami announcements by politicians.

4. Jay Rosen looks at the ongoing corruption scandal in Santa Clara County CA, involving the former sheriff and the alleged sale of concealed carry permits. He shouts out to Giles Martin, son of Sir George Martin, for his remastering of the Beatles’ Red and Blue albums.

The members of the Everything Compliance are:

•       Jay Rosen– Jay is Vice President of Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

•       Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

•       Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

•       Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

•       Jonathan Marks can be reached at jtmarks@gmail.com.

The host and producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Daily Compliance News

Daily Compliance News: November 30, 2023 – The Go F-Yourself Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance brings to you compliance related stories to start your day. Sit back, enjoy a cup of morning coffee and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership or general interest for the compliance professional.

  • How to avoid becoming ‘old’ at work. (FT)
  • Will SCt gut SEC enforcement? (Reuters)
  • Salt Lake City Olympic corruption scandal, 25 years later. (Salt Lake Tribune)
  • Elon Musk tells advertisers who disagree with him to ‘F-off’. (NYT)
Categories
Blog

SEC, Solar Winds and Compliance

The recent SEC lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, has brought the issue of executive liability in cybersecurity disclosures to the forefront. This case sheds light on the culture of deception within SolarWinds, where lower-level employees struggled to communicate the severity of cybersecurity issues to management. The lawsuit raises important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries.

The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ software, Orion, and exposed highly sensitive information. The hackers gained access to SolarWinds and planted spyware into the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to gain access to the highest levels of the US government and major corporations.

The SEC’s lawsuit against SolarWinds and Tim Brown focuses on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures forms the basis of the SEC’s allegations.

The SEC complaint alleges that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

The case raises important questions about the responsibility and liability of senior executives for misleading disclosures. In this instance, the focus is on the former CISO, Tim Brown, who is facing civil penalties and potential trial. The SEC is seeking to bar him from serving at publicly traded companies. However, the case also raises questions about the CEO’s potential liability. In SolarWinds’ case, the former CEO, Kevin Thompson, who did not have a cybersecurity background, may have relied on assurances from the CISO regarding the company’s cybersecurity risks and disclosures.

The issue of executive liability in cybersecurity disclosures is complex. Should senior executives be held accountable for inaccurate assurances provided by their subordinates, especially in areas where they may not have expertise? Security is a complex matter, and executives may rely on the expertise of others to make informed decisions. However, this case highlights the potential consequences of such reliance and the need for executives to ensure accurate and transparent disclosures.

The SEC’s lawsuit against SolarWinds and Tim Brown also raises broader questions about the liability of executives in charge of risk, such as compliance officers. If executives are given assurances that turn out to be incorrect, where does the liability lie? This case could have implications beyond the cybersecurity realm and may impact how executives approach risk disclosures in various industries.

Balancing the need for accurate risk disclosures with the challenges of understanding complex cybersecurity issues is a tradeoff that executives must navigate. The case highlights the importance of fostering a culture of transparency and effective communication within organizations. It also emphasizes the need for executives to stay informed and engaged in areas of risk, even if they do not have direct expertise.

Moving forward, organizations should consider implementing the NIST framework for cybersecurity to effectively defend against cyber threats. This framework provides a comprehensive approach to managing and mitigating cybersecurity risks. By following best practices and ensuring accurate risk disclosures, organizations can reduce the likelihood of facing legal action and protect their stakeholders.

In the SEC Press Release Gurbir S. Grewal, Director of the SEC’s Division of Enforcement said “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company. Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.” Finally,  “Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

In conclusion, the SEC’s lawsuit against SolarWinds and Tim Brown brings executive liability in cybersecurity disclosures into focus. The case highlights the importance of accurate and transparent risk disclosures and raises questions about the responsibility of senior executives. Executives must balance the need for accurate disclosures with the challenges of understanding complex cybersecurity issues. By fostering a culture of transparency and implementing best practices, organizations can mitigate risks and protect their stakeholders.

Categories
Compliance Into the Weeds

Compliance into the Weeds: SEC Sues Solar Winds and CISO

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more thoroughly, looking for some hard-hitting insights on sanctions compliance. Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the recent SEC Civil Complaint against Solar Winds and its CISO, Timothy Brown, for undisclosed failures in the company’s cybersecurity compliance program disclosures prior to, during, and after the infamous Solar Winds data hack.

The recent SEC lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach has sparked a critical conversation about executive liability in cybersecurity disclosures. Matt views this lawsuit as a significant development that raises essential questions about the personal liability of senior executives for inaccurate or misleading disclosures about cybersecurity risks. He emphasizes the potential implications this case could have for other executives in charge of trouble, such as compliance officers.

Tom underscores the concerns regarding the accuracy and transparency of SolarWinds’ cybersecurity disclosures. He highlights the evidence of a culture of deception within the company and the need to hold executives accountable for inaccurate disclosures. Join Tom Fox and Matt Kelly as they delve deeper into this topic in the latest episode of the Compliance into the Weeds podcast.

 Key Highlights:

  • Liability of Senior Executives in Cybersecurity
  • SolarWinds’ Orion Software: Russian Government Cyberattack
  • Personal Liability for Misleading Cybersecurity Disclosures
  • Implementing Relevant Controls for Cybersecurity

 Resources:

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn