
Daily Compliance News: September 5, 2024 – The Botched Investigation Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • ENRC seeks $290MM from SFO for a botched investigation. (WSJ)
  • Another round of SEC enforcement actions for off-channel communications. (WSJ)
  • Biden to block Japanese takeover of US Steel. (Bloomberg)
  • Corruption pushing Africans to immigrate. (Al Jazeera)

For more information on the Ethico Toolkit for Middle Managers, available at no charge by clicking here.


Daily Compliance News: September 3, 2024 – The Fictional Company Edition


In today’s edition of Daily Compliance News:

  • A Nigerian tech boss fined $250MM for a fictional company. (FT)
  • How much did Steward Health Care pay its agent? (OCCRP)
  • 9 people have died from a listeria outbreak, so far. (NYT)
  • HP to go after Lynch’s widow. (Reuters)



10 For 10: Top Compliance Stories For The Week Ending August 24, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week.

Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  • Corruption in the OIG? (The Hill)
  • Menendez resigns from the Senate. (AP)
  • Putin was shocked to find corruption in Russia. (Newsweek)
  • SEC censorship? (FT)
  • What to do about workplace assassins? (NYT)
  • Santos pleads guilty. (WSJ)
  • TD Bank reserves $2.6 billion for the AML fine. (WSJ)
  • An ex-Vitol trader pleads guilty. (Law360)
  • Mike Lynch’s body was found. (FT)
  • Michael Lewis issues mea culpa on SBF. (WaPo)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day, here.



Daily Compliance News: August 20, 2024 – The No ‘X’ in Brazil Edition


In today’s edition of Daily Compliance News:

  • X suspends business in Brazil. (BBC)
  • State AGs seek triple damages against Live Nation. (Reuters)
  • Carl Icahn agrees to a $2 million SEC fine. (NYT)
  • Does the IRS even want whistleblowers? (WaPo)



Deep Dive into The SEC’s Settlement with RR Donnelley on Cybersecurity Controls

How does the SEC’s recent settlement with R.R. Donnelley & Sons Company impact internal controls for cybersecurity incidents?

In this episode of Corruption, Crime, and Compliance, Michael Volkov discusses a significant decision by the SEC involving a $2.1 million settlement with R.R. Donnelley & Sons Company (RRD) related to a 2021 ransomware attack.

The SEC’s decision marks the first time it has applied its internal controls enforcement authority to cover cybersecurity policies and procedures, representing a substantial expansion of its enforcement reach.

The SEC criticized RRD for failing to prioritize the review of security alerts and implement an effective workflow for escalating such reports. This oversight led to delayed detection and response to the cyber attack, during which hackers exfiltrated 70 gigabytes of data, including personal and financial information tied to 29 clients.

You’ll hear him talk about:

  • The importance of robust internal controls to ensure prompt investigation and escalation of potential cybersecurity incidents.
  • The need for companies to allocate sufficient resources and personnel to monitor and respond to third-party security alerts.
  • The SEC’s critique of RRD’s internal incident response policies, particularly the lack of clear lines of responsibility and efficient workflows.
  • The dissenting opinions within the SEC regarding the broad application of internal controls to cybersecurity, highlighting the need for specific guidance on reasonable cybersecurity controls.

Resources:

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

SEC settlement


Great Women in Compliance: Jane Norberg – What’s New with Whistleblowing

In today’s episode, Lisa Fine speaks with Jane Norberg, a partner at Arnold & Porter. Jane is also the former Chief of the Office of the Whistleblower at the SEC, and she is one of the people who built that office into what it is today, both as Chief and, before that, as Deputy Chief. She is one of the leading voices on the whistleblower process and an advisor to organizations building best practices for addressing concerns.

In March, Deputy Attorney General Lisa Monaco announced a pilot program to compensate whistleblowers who report “significant corporate or financial misconduct” of which the DOJ was not aware. Jane talks about the SEC program and how it has succeeded. She also explains the similarities and differences between the not-yet-enacted DOJ program and the SEC program. Jane provides her perspective and insight on why she thinks there is a delay from the DOJ now that the initial 90 days have passed, and how funding, staffing, and other factors may contribute.

Jane and Lisa also discuss the SEC reporting process, how tips come in globally from over 100 countries, and the importance of the Whistleblower program to deter and stop wrongdoing. This goes along with the statistics indicating that 80% of whistleblowers raise concerns internally, most frequently to the person’s manager rather than to the Ethics and Compliance teams or the helplines. To that end, Jane provides practical advice to make sure that E&C teams are providing the right training for managers to identify issues and raise them appropriately.

Supporting ethical decision-making is critical for every organization, and providing training to those who may hear concerns is a key component of that. While practitioners think about this in terms of company culture, Jane provides insight on the larger picture of how our internal work relates to the larger scope of whistleblower reporting.

Topics Include:

  • Jane’s integral role as Chief of the SEC Office of the Whistleblower
  • The DOJ pilot whistleblower program, the SEC program, and the distinctions between them
  • Global Impact of the SEC Whistleblower Program
  • Practical advice for E&C professionals building and managing hotlines

Resources

Join the Great Women in Compliance community on LinkedIn here.


Compliance into the Weeds: Major Cybersecurity Incidents and Regulatory Challenges

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the dismissal of the SEC’s enforcement action against SolarWinds and into CrowdStrike’s cybersecurity failures.

Tom and Matt begin with UnitedHealth’s costly ransomware attack, a federal judge’s ruling against the SEC’s lawsuit over SolarWinds’ cybersecurity practices, and CrowdStrike’s flawed software update impacting global corporations.

The episode explores the regulatory challenges of enforcing effective cybersecurity controls and the implications for companies and their compliance programs. The discussion highlights the need for better IT general controls and the role of different stakeholders, including Congress, regulatory agencies, and audit firms, in addressing these cybersecurity risks.

Key Highlights:

  • UnitedHealth Ransomware Attack Breakdown
  • SolarWinds Cybersecurity Lawsuit
  • Regulatory Challenges and Implications
  • Operational Risk Management and IT Controls
  • Call to Action for Compliance and Audit Professionals

Resources:

Matt on Radical Compliance



10 For 10: Top Compliance Stories For The Week Ending July 20, 2024


  • Does Amazon Prime Day cause injuries? (WaPo)
  • Deutsche Bank flouted accounting rules. (FT)
  • Senator Robert Menendez is guilty. (WSJ)
  • Carlos Watson was found guilty. (Bloomberg)
  • The mayor of Venice is under investigation for corruption. (ABCNews)
  • An ex-Goldman banker pleads not guilty to bribery and corruption charges. (WSJ)
  • Nigeria refuses to release Binance compliance professionals. (Bloomberg)
  • The judge tosses the SEC suit against SolarWinds. (Law360)
  • A Chinese tycoon was convicted of fraud in the US. (BBC)
  • An ex-Segantii Capital Management employee was accused of ‘disreputable conduct’. (FT)



Compliance into the Weeds: The Convergence of Cybersecurity and Internal Controls

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into a recent SEC enforcement action involving RR Donnelley, where a cyber breach was characterized as an internal control

In this episode, we discuss how criminal activities in cyberspace are outpacing regulatory measures and the law’s ability to keep up. The conversation touches on the idea that access controls for valuable corporate assets, whether financial data or sensitive information, are becoming indistinguishable in the eyes of cybercriminals. The discussion includes a thought-provoking perspective on merging cybersecurity and anti-money laundering functions, as both deal with improper electronic transactions. The core concern is not just the breach itself, but also the prevention of data exfiltration.

Key Highlights:

  • Corporate Jewels: Money vs. Data
  • Cybersecurity and Anti-Money Laundering
  • Improper Electronic Transactions
  • Focus on Data Exfiltration
  • Conclusion: Preventing Data Theft

Resources:

Matt on Radical Compliance



Navigating the New Frontier: SEC’s Enforcement Action on RR Donnelley and its Implications for Compliance

In the ever-evolving compliance landscape, the recent enforcement action by the Securities and Exchange Commission (SEC) against RR Donnelley is a significant case study. This incident underscores the importance of robust cybersecurity measures and highlights the SEC’s expanding reach into areas traditionally viewed outside its purview. As compliance professionals, understanding the intricacies of this case is crucial for adapting to the dynamic regulatory environment. Matt Kelly and I took a deep dive into the enforcement action in a recent Compliance into the Weeds episode.

RR Donnelley, a company historically known for its printing services and later for marketing services, faced an SEC enforcement action in November 2021 due to a cybersecurity breach. Hackers accessed and copied confidential corporate customer data, which was later posted on the dark web. The SEC’s main contention was that Donnelley failed to disclose this breach to investors promptly and had inadequate internal controls over its IT systems. Ultimately, the company was fined $2.1 million.

The SEC’s enforcement action was based on the premise that Donnelley’s cybersecurity measures were insufficient, leading to unauthorized access to its IT assets. Specifically, the SEC utilized provisions related to internal control over financial reporting to impose sanctions even though no direct accounting fraud or economic loss occurred. This approach represents a novel application of the SEC’s powers, using internal accounting control clauses to address cybersecurity issues.

Matt believes that the SEC’s enforcement hinged on the idea that poor cybersecurity equates to poor internal controls over assets. The SEC interpreted the Exchange Act to mean that access to a company’s assets, whether data or financial, should be controlled and authorized by management. Matt noted in his blog post that the statutory authority for that statement flows from the Exchange Act of 1934, which established the Securities and Exchange Commission and the anti-fraud securities laws we use today. The text of the Exchange Act states that companies must devise and maintain a system of internal accounting controls “sufficient to provide reasonable assurances” on four points:

  • Transactions executed according to management authorization;
  • Transactions are appropriately recorded;
  • Access to assets is permitted only according to management authorization;
  • Recorded accountability for assets is reconciled with existing assets.

The hackers’ ability to access Donnelley’s IT systems without authorization was viewed as a failure of these internal controls.

This interpretation broadens the scope of what compliance professionals must consider under the umbrella of internal controls. Traditionally, internal controls were seen in the context of financial reporting and safeguarding physical assets, most often cash or cash equivalents. However, these requirements cover not only cash but all other corporate assets. Moreover, this case suggests that digital assets and the controls around them are equally critical.

Another critical aspect of the case was the failure to disclose the breach promptly. According to the SEC, Donnelley’s IT security team was aware of the breach but did not quickly escalate it to senior management. It took an external party’s notification for the CISO and senior executives to become fully aware and take action.

This scenario underscores the importance of having robust internal communication channels and protocols to ensure that significant cybersecurity incidents are promptly reported to senior management. Moreover, it highlights the need for transparency with investors regarding such breaches, aligning with the SEC’s mandate to protect investor interests.

Compliance professionals must now consider cybersecurity an integral part of internal control systems. Ensuring that IT systems are secure and that access to digital assets is tightly controlled should be a priority. This involves regular audits of cybersecurity measures, continuous monitoring of IT systems, and implementing robust access control mechanisms.

The case also highlights the necessity of clear and effective disclosure practices. Compliance teams should ensure that there are well-defined procedures for reporting cybersecurity incidents internally and disclosing them to investors when necessary. This might include setting up rapid response teams and informing senior management immediately of significant breaches.

Given the technical nature of cybersecurity, collaboration between compliance and IT departments is essential. Compliance officers should work closely with CISOs and IT security teams to understand potential risks and ensure appropriate controls are in place. This partnership is vital for creating a comprehensive compliance strategy that addresses traditional financial risks and emerging digital threats.

The SEC’s approach in this case signals that regulators are willing to use existing frameworks to address new types of risks. Compliance professionals should prepare for increased scrutiny and be proactive in ensuring their organizations meet regulatory expectations. This may involve regular training, staying updated with regulatory changes, and conducting thorough risk assessments.

The RR Donnelley case serves as a wake-up call for compliance professionals, emphasizing the need to adapt to an evolving regulatory landscape. By broadening the scope of internal controls to include cybersecurity and enhancing disclosure practices, compliance teams can better protect their organizations and meet regulatory expectations. Collaboration with IT and staying vigilant about regulatory trends will be vital to navigating this new frontier in compliance. Perhaps more ominously, Matt, in another blog post on the United Healthcare cyber-attack in Q1 2024, asked, “If the SEC applied that theory of enforcement against Donnelley, shouldn’t that same theory now be applied against UnitedHealth? At this point, we should discuss exactly how UnitedHealth’s breach happened. Change Healthcare had not implemented multi-factor authentication on a critical computer server, which allowed attackers to use stolen employee credentials to gain access. In other words, UnitedHealth had allowed poor access control on a critical system.”

In other words, Watch This Space.