Category: 10 For 10

10 For 10: Top Compliance Stories For The Week Ending February 24, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  1. Alexei Navalny was killed in prison. (Bloomberg)
  2. Ohio residents paid the price for FirstEnergy corruption. (Ohio Capital Journal)
  3. More child labor in the US. (NYT)
  4. A former head of the Bank of China was arrested for corruption. (NikkeiAsia)
  5. The Shadow Insider Trading case goes to trial. (WSJ)
  6. Former Stericycle executive to plead guilty. (WSJ)
  7. Morgan Stanley is accused of using fake job titles. (FT)
  8. The Wells Fargo Consent Order was terminated. (WaPo)
  9. Deliberations begin in the NRA corruption trial. (The Guardian)
  10. If you can’t answer the question, don’t sit for an interview. (BBC)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day here.

Connect with Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Category: Everything Compliance

Everything Compliance – Episode 129, The Tribute to Navalny Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quintet of Jonathan Armstrong, Jonathan Marks, Matt Kelly, Karen Woody, and Jay Rosen, all hosted by Tom Fox.

  1. Jonathan Armstrong talks about the most recent speech by the new SFO director. He rants about Julian Assange’s inane claims to be a journalist.
  2. Matt Kelly discusses the regulation of AI and looks at the new DFS regs around it. He shouts out to Alexei Navalny, who was murdered for his fight against corruption in Russia.
  3. Karen Woody takes a deep dive into the Panuwat trial and the concept of shadow insider trading. She rants about the senseless gun culture in America.
  4. Jonathan Marks discusses the state criminal charges in the FirstEnergy corruption scandal but then evolves into an epic rant, which he continues in Shout Outs and Rants about failures in corporate governance, internal controls, and gun violence in America. He really outdid himself this week.
  5. Jay Rosen looks at the dearth of DOJ-mandated monitorships and proposes a new concept, the self-monitorship. He shouts out the movie Love on the Spectrum and the Bill Bradley interview.
  6. Tom Fox shouts out to Ben Affleck for his DunKing Super Bowl commercial.

The members of Everything Compliance are:

Jay Rosen: Jay can be reached at Jay.r.rosen@gmail.com

Karen Woody is one of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

Matt Kelly, founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

Jonathan Armstrong is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

Jonathan Marks can be reached at jtmarks@gmail.com.

The host, producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Category: Daily Compliance News

Daily Compliance News: February 15, 2024 – The Lock The Doors Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • Elon Musk says Delaware has ‘locked the doors’. (Reuters)
  • OECD at 25. (The Hill)
  • The SEC is bracing for litigation over climate change regs. (WSJ)
  • $130MM paid to creditors in the Mozambique Tuna Bond corruption scandal. (Spotlight on Corruption)


Category: Compliance Into the Weeds

Compliance into The Weeds: Down The Rabbit Hole on SEC Enforcement Waivers

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt go down a rabbit hole regarding the SEC waiving penalties for messaging app violations.

The Securities and Exchange Commission (SEC) has been making headlines for its crackdown on broker-dealers who violate record-keeping rules by using off-channel messaging apps like WhatsApp or Snapchat. This has led to hefty fines, yet the SEC has been granting waivers to these same firms, allowing them to continue operating in the securities world. This paradoxical approach has raised eyebrows, including those of Tom Fox and Matt Kelly. Fox finds the SEC’s actions both curious and concerning. He believes that if a waiver program exists, it should be publicly announced and the reasons for granting waivers should be transparent to ensure appropriate scrutiny. Kelly, on the other hand, expresses surprise and disappointment at the lack of transparency from the SEC, suggesting that the waiver program and its reasons should be made clear to the public. Find out more in this fascinating edition of Compliance into the Weeds.

Key Highlights:

  • SEC Sanctions for Off-Channel Messaging Violations
  • SEC Enforcement and Waivers for Internal Violations
  • Cracking Down on Off-Channel Communications
  • The Need for Public Announcements in SEC Enforcement

Resources:

Matt on Radical Compliance


Category: Blog

SolarWinds Under GDPR: Corporate Responsibility and Risks in Data Protection

The General Data Protection Regulation (GDPR) has significantly changed how organizations handle data protection and privacy. It emphasizes the importance of transparency and honesty in disclosing data breaches and vulnerabilities. In a recent episode of the podcast Life with GDPR, Tom Fox and Jonathan Armstrong from Cordery Compliance discussed the topic of corporate responsibility and risks in data protection, with a particular focus on the SolarWinds case.

To recap, in late 2023, the SEC filed a lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, bringing the issue of executive liability in cybersecurity disclosures to the forefront. The lawsuit raised important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries under US securities law.

The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ software, Orion, and exposed highly sensitive information. The hackers gained access to SolarWinds and planted spyware in the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to access the highest levels of the US government and major corporations.

The SEC’s lawsuit against SolarWinds and Tim Brown focused on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures formed the basis of the SEC’s allegations.

The SEC complaint alleged that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

Beyond this SEC enforcement action, there were other implications as well. One key takeaway from the episode is the pressure on corporate leaders, including CISOs, Data Protection Officers, and Compliance Officers, to disclose data breaches promptly. While GDPR offers some protection to Data Protection Officers, they are not entirely exempt from liabilities. The SolarWinds case serves as a reminder of the need for specific and timely disclosure of breaches and the importance of addressing system vulnerabilities.

The risks associated with data breaches are not limited to regulatory fines. Litigation risks are a significant concern for organizations, with shareholders and whistleblowers potentially seeking legal action. The episode highlights the importance of transparency and not misrepresenting information to regulators. Misrepresentations can lead to severe consequences for individuals in positions of responsibility within corporations.

Budget constraints can also hinder the timely fixing of vulnerabilities, ultimately leading to breaches. Organizations need to take proactive measures to identify and address vulnerabilities promptly. Realistic resource assessments are crucial to ensuring that adequate resources are allocated to data protection efforts. Additionally, having adequate insurance protection, such as Directors and Officers (D&O) insurance, can help protect individuals in positions of responsibility from potential liabilities.

The episode also emphasizes the need for organizations to consider the impact on their stock exchange filings when deciding whether to disclose a data breach. The decision to admit a violation of a stock exchange can be challenging and depends on factors such as materiality. Organizations need to assign a dedicated team to consider these factors, mainly when engaged in transactions like mergers and acquisitions or fundraising.

Transparency and honesty are key principles in data protection and privacy. Audit reports and investigation findings must be acted upon promptly to address vulnerabilities. Emails and other forms of communication can serve as evidence in legal proceedings, highlighting the importance of careful communication within organizations.

The potential for litigation is significant in data breach cases. Shareholders may seek legal action if they believe the value of their stock has been affected. Whistleblowers, incentivized by various jurisdictions, may also come forward with information. This highlights the need for organizations to maintain a culture of transparency and integrity and for individuals to review their remuneration packages to avoid conflicts of interest.

In conclusion, GDPR, corporate responsibility, and risks in data protection are interconnected. Organizations must prioritize transparency, honesty, and timely disclosure of breaches and vulnerabilities. Proactive measures, realistic resource assessments, and adequate insurance protection are crucial to mitigating risks. By considering the impact on stock exchange filings and maintaining a culture of integrity, organizations can navigate the challenges associated with data protection and privacy in the GDPR era.

Category: Blog

Pre-taliation Protection Extends to Third Parties

The Securities and Exchange Commission (SEC) has been cracking down on companies that engage in pre-taliation, imposing increasing fines. This was evident in the recent case of JP Morgan, which faced an $18 million sanction for including a pre-taliation clause in their contracts. This enforcement action highlighted the importance of companies addressing pre-taliation risk by implementing contract language that protects individuals’ rights to report misconduct. Matt Kelly and I recently had the chance to take a deep dive into the decision in a recent episode of Compliance into the Weeds.

Corey Schuster, co-chief of the Asset Management Unit in the SEC Division of Enforcement, said in an SEC Press Release, “Whether retail or otherwise, must be free to report complaints to the SEC without interference. Those drafting or using confidentiality agreements must ensure that they do not include provisions impeding potential whistleblowers.” Gurbir Grewal, Director of the SEC Enforcement Division, added, “Whether in your employment contracts, settlement agreements or elsewhere, you simply cannot include provisions that prevent individuals from contacting the SEC with evidence of wrongdoing.” Matt noted in his blog post on the case, “SEC enforcement against pre-taliation is not exactly news, since the agency has been filing such cases since 2016 — but until now, those enforcement actions have always been about companies using pre-taliation clauses in contracts with employees. Now we have our first case over pre-taliation against customers — and it came with the biggest pre-taliation fine we’ve ever seen.”

Pre-taliation occurs when a company restricts individuals from speaking out about corporate misconduct to regulators. While previous pre-taliation cases primarily focused on restrictions placed on employees, the JP Morgan securities case marked a significant shift. For the first time, the SEC sanctioned a company for imposing a pre-taliation clause on customers. This expands the range of individuals who may fall victim to pre-taliation and underscores the need for companies to be vigilant in their compliance efforts.

Companies must understand that pre-taliation clauses are problematic, regardless of whether they are included in employment contracts, settlement agreements, or elsewhere. The SEC has clarified that provisions preventing individuals from contacting the SEC with evidence of wrongdoing are unacceptable. Compliance officers must conduct regulatory assessments to understand applicable laws and review contracts for problematic language.

The fines imposed by the SEC for pre-taliation cases have been increasing over time. In the case of JP Morgan securities, the $18 million sanction was the largest fine ever seen for a simple fix. The remediation action required in these cases is relatively straightforward: companies must delete the problematic language from their agreements and inform anyone who signed the old language that they are free to report misconduct to the SEC or any other regulator. While the mechanics of executing this remediation may be challenging for large organizations with contracts stored in different data warehouses, the basic idea remains the same.

It is worth noting that in most pre-taliation cases, companies rarely enforce the pre-taliation clauses. They often become an afterthought, and it is only years later that companies realize their mistake and attempt to rectify it. The SEC’s message is clear: companies must proactively identify and correct problematic language in their contracts to avoid facing significant fines.

The CBRE pre-taliation enforcement action serves as an example of effective remediation practices. CBRE swiftly identified and corrected problematic clauses, updated its code of conduct, and provided training on SEC rules to its compliance team. This proactive approach helped them avoid more severe penalties and garnered praise from the SEC. Here, Kelly noted,

  • Revising, within one month of learning about the SEC investigation, all its U.S. severance agreement templates to assure compliance, followed by an audit of similar agreements worldwide that reviewed some 300 templates used by CBRE affiliates in 54 countries;
  • Updating the CBRE Code of Conduct to add new language against pre-taliation;
  • Training more than 50 members of the compliance team globally on the Rule 21F-17 language added to all relevant templates;
  • Undertaking a mandatory re-certification process, in which more than 100,000 employees worldwide certified that they had reviewed the updated Code of Conduct and attested to their understanding that they were always free to bring concerns to regulators without any advance notice to CBRE.

Compliance officers face the challenge of balancing various factors when addressing pre-taliation risk. They must consider the impact of state laws, federal whistleblower protection laws, and securities laws that may apply to their company. Conducting a regulatory assessment and thoroughly reviewing contracts can help identify potential areas of concern.

In conclusion, the SEC’s increasing fines for company pre-taliation highlight the importance of compliance and the need for companies to address pre-taliation risk. Companies must eliminate pre-taliation clauses from their contracts and ensure individuals can report misconduct to regulators. Companies can mitigate the risk of facing significant fines and reputational damage by taking proactive measures and conducting thorough assessments.

Category: Life with GDPR

Life With GDPR: Episode 104 – SolarWinds and Your Mother – Tell The Truth

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning Life with GDPR. In this episode, they look at the continued fallout from the SolarWinds data breach.

In the complex world of data protection, the General Data Protection Regulation (GDPR) has placed a spotlight on the importance of transparency, honesty, and corporate responsibility. Experts Tom Fox and Jonathan Armstrong bring their unique perspectives to this topic, shaped by their extensive experience in compliance and data protection. Fox emphasizes the potential legal consequences for corporate leaders who fail to disclose vulnerabilities or engage in dishonest practices, while Armstrong highlights the increasing pressure on individuals and corporations to disclose data breaches, with regulators focusing more on individual liability. Both stress the importance of transparency, the potential for litigation, and the role of whistleblowers.

Join Fox and Armstrong as they delve deeper into these issues on this episode of the Life with GDPR podcast.

Key Takeaways:

  • The Importance of Truthfulness in GDPR
  • The Importance of Transparency in Data Breaches
  • Legal risks in data breaches and cybersecurity
  • The Impact of Budget Constraints on Vulnerability Fixes

Resources:

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here. Check out the Cordery Data Breach Academy here.

Connect with Tom Fox

  • LinkedIn

Connect with Jonathan Armstrong

  • Twitter

  • LinkedIn

Category: Compliance Into the Weeds

Compliance Into The Weeds: Pre-Taliation is Illegal as to All

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the recent SEC enforcement action for pre-taliation against JPMorgan and what it means for whistleblower programs going forward.

The Securities and Exchange Commission (SEC) has been ramping up fines for companies found guilty of retaliation, as evidenced by the recent JP Morgan securities case, which resulted in an $18 million sanction. This development underscores the importance of compliance and the need for companies to protect individuals’ rights to report misconduct. Tom views this as a significant shift, expanding the range of individuals who may be affected by retaliation claims. He predicts a broader legal discussion and increased protection for those who bring claims related to misconduct. Matt emphasizes the need for companies to be proactive in preventing retaliation. He points out that enforcement has been increasing since 2016 and that companies should already be aware that they cannot restrict employees from reporting wrongdoing to the SEC. Join Tom Fox and Matt Kelly as they delve deeper into this topic on the Compliance into the Weeds podcast.

Key Highlights:

  • The underlying facts
  • Expanding Retaliation Risk in Corporate Settings
  • Retaliation Clauses and Whistleblower Protection
  • CBRE’s Swift Remediation Efforts and SEC Settlement

Resources:

Matt on Radical Compliance


Category: 31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 21 – Managing Your Third Parties

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation, and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area that the DOJ specifically articulated in the 2023 ECCP that companies need to consider.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:

1. Have a strategic approach to third-party risk management.

2. Rank third parties based upon a variety of factors, including compliance and business performance, length of relationship, benchmarking metrics, and KPIs for ongoing monitoring and auditing.

3. Managing the relationship is where the real work begins.


Category: 31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 20 – The Third Party Risk Management Process

The DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management that will fulfill the DOJ requirements as laid out in the 2023 FCPA Resource Guide, 2nd edition, and in the Hallmarks of an Effective Compliance Program. The five steps in the life cycle of third-party management are:

1. Business Justification by the Business Sponsor.

2. Questionnaire to Third-party.

3. Due Diligence on the Third Party.

4. Compliance Terms and Conditions, including payment terms.

5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third-party management.

2. Make sure you have business development involvement and buy-in.

3. Operationalize all steps going forward by including business unit representatives.
