Categories
Compliance Into the Weeds

Compliance into the Weeds: The Convergence of Cybersecurity and Internal Controls

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into a recent SEC enforcement action involving RR Donnelley, where a cyber breach was characterized as an internal control

In this episode, we discuss how criminal activities in cyberspace are outpacing regulatory measures and the law’s ability to keep up. The conversation touches on the idea that access controls for valuable corporate assets, whether financial data or sensitive information, are becoming indistinguishable in the eyes of cybercriminals. The discussion includes a thought-provoking perspective on merging cybersecurity and anti-money laundering functions, as both deal with improper electronic transactions. The core concern is not just the breach itself, but also the prevention of data exfiltration.

Key Highlights:

  • Corporate Jewels: Money vs. Data
  • Cybersecurity and Anti-Money Laundering
  • Improper Electronic Transactions
  • Focus on Data Exfiltration
  • Conclusion: Preventing Data Theft

Resources:

Matt on Radical Compliance



Navigating the New Frontier: SEC’s Enforcement Action on RR Donnelley and its Implications for Compliance

In the ever-evolving compliance landscape, the recent enforcement action by the Securities and Exchange Commission (SEC) against RR Donnelley is a significant case study. This incident underscores the importance of robust cybersecurity measures and highlights the SEC’s expanding reach into areas traditionally viewed outside its purview. As compliance professionals, understanding the intricacies of this case is crucial for adapting to the dynamic regulatory environment. Matt Kelly and I took a deep dive into the enforcement action in a recent Compliance into the Weeds episode.

RR Donnelley, a company historically known for its printing services and later for marketing services, faced an SEC enforcement action in November 2021 due to a cybersecurity breach. Hackers accessed and copied confidential corporate customer data, which was later posted on the dark web. The SEC’s main contention was that Donnelley failed to disclose this breach to investors promptly and had inadequate internal controls over its IT systems. Ultimately, the company was fined $2.1 million.

The SEC’s enforcement action was based on the premise that Donnelley’s cybersecurity measures were insufficient, leading to unauthorized access to its IT assets. Specifically, the SEC utilized provisions related to internal control over financial reporting to impose sanctions even though no direct accounting fraud or economic loss occurred. This approach represents a novel application of the SEC’s powers, using internal accounting control clauses to address cybersecurity issues.

Matt believes that the SEC’s enforcement hinged on the idea that poor cybersecurity equates to poor internal controls over assets. The SEC interpreted the Exchange Act to mean that access to a company’s assets, whether data or financial, should be controlled and authorized by management. Matt noted in his blog post that the statutory authority for that statement flows from the Exchange Act of 1934, which established the Securities and Exchange Commission and the anti-fraud securities laws we use today. The text of the Exchange Act states that companies must devise and maintain a system of internal accounting controls “sufficient to provide reasonable assurances” on four points:

  • Transactions executed according to management authorization;
  • Transactions are appropriately recorded;
  • Access to assets is permitted only according to management authorization;
  • Recorded accountability for assets is reconciled with existing assets.

The hackers’ ability to access Donnelley’s IT systems without authorization was viewed as a failure of these internal controls.

This interpretation broadens the scope of what compliance professionals must consider under the umbrella of internal controls. Traditionally, internal controls were seen in the context of financial reporting and safeguarding physical assets, most usually cash or cash equivalents. However, these requirements cover not simply cash but all other corporate assets as well. Moreover, this case suggests that digital assets and the controls around them are equally critical.

Another critical aspect of the case was the failure to disclose the breach promptly. According to the SEC, Donnelley’s IT security team was aware of the breach but did not quickly escalate it to senior management. It took an external party’s notification for the CISO and senior executives to become fully aware and take action.

This scenario underscores the importance of having robust internal communication channels and protocols to ensure that significant cybersecurity incidents are promptly reported to senior management. Moreover, it highlights the need for transparency with investors regarding such breaches, aligning with the SEC’s mandate to protect investor interests.

Compliance professionals must now consider cybersecurity an integral part of internal control systems. Ensuring that IT systems are secure and that access to digital assets is tightly controlled should be a priority. This involves regular audits of cybersecurity measures, continuous monitoring of IT systems, and implementing robust access control mechanisms.

The case also highlights the necessity of clear and effective disclosure practices. Compliance teams should ensure that there are well-defined procedures for reporting cybersecurity incidents internally and disclosing them to investors when necessary. This might include setting up rapid response teams and informing senior management immediately of significant breaches.

Given the technical nature of cybersecurity, collaboration between compliance and IT departments is essential. Compliance officers should work closely with CISOs and IT security teams to understand potential risks and ensure appropriate controls are in place. This partnership is vital for creating a comprehensive compliance strategy that addresses traditional financial risks and emerging digital threats.

The SEC’s approach, in this case, signals that regulators are willing to use existing frameworks to address new types of risks. Compliance professionals should prepare for increased scrutiny and be proactive in ensuring their organizations meet regulatory expectations. This may involve regular training, staying updated with regulatory changes, and conducting thorough risk assessments.

The RR Donnelley case serves as a wake-up call for compliance professionals, emphasizing the need to adapt to an evolving regulatory landscape. By broadening the scope of internal controls to include cybersecurity and enhancing disclosure practices, compliance teams can better protect their organizations and meet regulatory expectations. Collaboration with IT and staying vigilant about regulatory trends will be vital to navigating this new frontier in compliance. Perhaps more ominously, Matt, in another blog post on the United Healthcare cyber-attack in Q1 2024, asked, “If the SEC applied that theory of enforcement against Donnelley, shouldn’t that same theory now be applied against UnitedHealth? At this point, we should discuss exactly how UnitedHealth’s breach happened. Change Healthcare had not implemented multi-factor authentication on a critical computer server, which allowed attackers to use stolen employee credentials to gain access. In other words, UnitedHealth had allowed poor access control on a critical system.”

In other words, Watch This Space.


Supreme Court Rulings: A Compliance Perspective

Recently, the Supreme Court delivered several rulings that have caught the attention of compliance professionals. This blog post will dissect these rulings and explore their implications for corporate compliance. Matt Kelly and I also took a deep dive into these rulings on this week’s Compliance into the Weeds, if you prefer the audio format.

  1. Jarkesy Decision: SEC and In-House Tribunals

The Jarkesy decision ruled that the SEC cannot use in-house tribunals for enforcement proceedings, mandating that cases be brought to federal court. This ruling is likely to have a minor impact from a compliance perspective. Here’s why:

Federal Court Preference: For severe charges under the Foreign Corrupt Practices Act (FCPA), the SEC has historically opted to bring cases to U.S. district courts. These cases typically involve criminal charges, and the SEC has not utilized in-house tribunals for FCPA enforcement in over a decade.

Corporate vs. Individual Defendants: The ruling primarily benefits defendants who can now have their cases heard in federal court instead of administrative tribunals. However, for corporate compliance officers, this distinction is largely irrelevant. Corporate cases are typically resolved in federal courts through settlements without the need for protracted legal battles.

  2. Loper Case: Overturning the Chevron Doctrine

The Loper case overturned the Chevron doctrine and is another landmark decision. The Chevron doctrine allowed courts to defer to agency interpretations of ambiguous statutes. Here’s what this means for compliance:

Guidelines vs. Rules: Compliance officers should understand that DOJ guidelines for effective compliance programs are just guidelines, not rules. These guidelines are not subject to Chevron’s deference and are regularly updated to reflect best practices.

Practical Impact: Eliminating Chevron’s deference might make it more challenging for agencies to introduce new rules without facing legal challenges. However, this does not directly impact existing guidelines or enforcement practices related to corporate compliance.

Increased Litigation Risk: Future regulations may face more scrutiny and litigation, potentially leading to increased enforcement of existing rules rather than creating new ones. Compliance professionals should prepare for more rigorous enforcement actions based on current regulations.

  3. Snyder Decision: Federal Anti-Corruption Law

The Snyder decision narrowed the scope of federal anti-corruption law, particularly concerning bribes paid to state and local officials. This ruling has some interesting implications:

Case Background: The case involved the former mayor of Portage, Indiana, who awarded a contract to a specific company and later received a $13,000 consulting fee as a reward. The Supreme Court ruled this as a gratuity rather than a bribe, complicating enforcement under federal anti-corruption laws.

Corporate Compliance Concerns: While this ruling applies to state and local officials, compliance officers must remain vigilant about maintaining clear anti-corruption policies. The ruling doesn’t directly affect the FCPA, which targets foreign officials, but highlights the importance of robust internal controls and transparent record-keeping.

Ethical Implications: Compliance programs should continue emphasizing ethical behavior and avoiding corruption, whether labeled as a gratuity or a bribe. The moral imperative against corruption remains unchanged despite legal nuances.

The recent Supreme Court decisions may not drastically alter corporate compliance programs’ day-to-day operations, but they highlight the evolving legal landscape that compliance professionals must navigate. Here are some key takeaways:

  1. Stay Informed: Regularly update your knowledge of legal developments and understand their potential impact on your compliance program.
  2. Focus on Ethics: Reinforce the ethical foundation of your compliance efforts. Emphasize that any corrupt behavior, whether technically legal or not, is unacceptable.
  3. Prepare for Increased Scrutiny: With the potential for more litigation around new regulations, ensure your compliance program is robust and well-documented. Be ready to demonstrate your commitment to ethical practices and effective compliance.
  4. Engage with Legal Experts: Work closely with legal counsel to interpret these rulings and adjust your compliance strategies accordingly. Legal guidance is crucial in navigating complex regulatory changes.

In conclusion, while the Jarkesy, Loper, and Snyder decisions may seem weighty, their direct impact on corporate compliance programs is limited. However, they serve as a reminder of the dynamic nature of compliance and the need for ongoing vigilance and adaptability. By focusing on ethical behavior and maintaining strong internal controls, compliance professionals can continue to safeguard their organizations against legal and reputational risks.


2 Gurus Talk Compliance: Episode 31— AI, Compliance and Crypto

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

In this episode of the 2 Gurus Talk Compliance Podcast, hosts Kristy Grant-Hart and Tom Fox discuss AI’s role in unmasking whistleblowers, the latest fallout from cryptocurrency firms under SEC scrutiny, advancements in tracking sanctioned commodities, and the humorous mishap involving a Florida man and laxatives. They also delve into the implications of workplace violence prevention laws, BP’s new office relationship rules, and check in on corruption and legal developments involving figures like Bob Menendez and Beny Steinmetz. Ending on a lighter note, a Florida man finds himself in trouble after substituting opioids with laxatives.

Stories Include:

  • Tyson Foods CFO was suspended for drunk driving. (Bloomberg)
  • 5 takeaways from Menendez trial. (CNN)
  • FAA says greater oversight needed over Boeing. (NYT)
  • Terraform settles with SEC for $4.5bn. (FT)
  • Beny Steinmetz profile. (OCCRP)
  • The Double-Edged Impact of AI Compliance Algorithms on Whistleblowing (National Law Review)
  • BP Tightens Rules Over Office Relationships in Wake of Former CEO’s Departure (WSJ)
  • Keeping Sanctioned Russian Timber Out of the EU Is Tricky. This Nonprofit Has a Solution (WSJ)
  • New York Bill Would Provide Protections Against Workplace Violence for Retail Employees (Seyfarth)
  • Florida Man Steals Constipation Drugs Thinking They Were Opioids (Florida has a right to know)

Resources:

Kristy Grant-Hart on LinkedIn

Spark Consulting

Prove Your Worth



10 For 10: Top Compliance Stories For The Week Ending June 8, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings you the compliance professional and the compliance stories you need to know to end your busy week. Sit back, and in 10 minutes, hear the stories every compliance professional should know from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  • Chinese battery suppliers are tied to Ford and VW. (WSJ)
  • SEC is closing its Salt Lake City office. (WSJ)
  • The Wirecard boss loses his lawyer. (FT)
  • Standard Chartered is accused of funding terrorists. (BBC)
  • Toyota gets raided. (BBC)
  • Mike Lynch was acquitted. (NYT)
  • Private equity giants near settlements with SEC re: texting. (WSJ)
  • FAA wants systemic change at Boeing. (BBC)
  • Citgo 6 sue CITGO. (Houston Chronicle)

Click here for more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance.

You can check out the Daily Compliance News, which features four curated compliance and ethics stories each day, here.



Daily Compliance News: June 6, 2024 – The D-Day 80th Anniversary Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • The SEC is closing its Salt Lake City office. (WSJ)
  • Wirecard boss loses his lawyer. (FT)
  • Standard Chartered is accused of funding terrorists. (BBC)
  • Toyota gets raided. (BBC)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.


10 For 10: Top Compliance Stories For The Week Ending June 1, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week.

Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week.

Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week.

Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox.

Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  • Menendez corruption caught in emails and texts. (Politico)
  • Are the Olympics a reputational risk? (FT)
  • Virginia businesses were fined for hiring ‘whites only’. (WaPo)
  • Boeing has a plan to fix safety issues. (NYT)
  • American Airlines sued for tossing 5 black men from a flight for ‘body odor’. (Reuters)
  • Need for audit reform in the UK. (FT)
  • US representatives call for reopening of Nigerian oil bloc OPL 245 investigation. (Nigerian Lawyer)
  • Private equity giants near settlements with SEC re: texting. (WSJ)
  • Mike Lynch says HP ‘panicked’. (Law360)
  • Death penalty in a corruption case. (South China Morning Post)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

You can check out the Daily Compliance News for four curated compliance and ethics related stories each day, here.



Daily Compliance News: May 29, 2024 – The Near Settlement Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Private-Equity Giants Near Settlements With SEC Over Texting Violations (WSJ)
  • Malta ex-PM to face corruption charges. (US News & World Report)
  • FTX exec sentenced. (NYT)
  • Adam Neumann gives up on WeWork again. (NYT)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.


Daily Compliance News: May 23, 2024 – The End of Car Wash Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • Can shareholders criticize companies (without being sued)? (WSJ)
  • Brazil Supreme Court throws out Car Wash convictions. (FT)
  • Ukraine makes progress in fight against corruption. (BBC)
  • SEC does not want crypto bill from Congress. (Reuters)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.


Daily Compliance News: May 14, 2024 – The Roaring Kitty Returns Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • GameStop roars back. (BBC)
  • Senator Menendez trial begins. (WaPo)
  • Investment advisors must vet customers. (WSJ)
  • Bill Hwang lied. (This is my shocked face.) (Reuters)

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.