Wearable fitness tracker company Fitbit recently announced that its devices are now HIPAA-compliant, broadening the types of businesses it aims to work with. Also in recent GRC news: CFOs report widespread earnings misrepresentation; SEC proposed changes to its administrative proceedings.
Fitbit wearables now HIPAA-compliant
Fitbit Inc. announced earlier this month that its wearable activity trackers and the services behind them now support HIPAA compliance. HIPAA has no formal certification program, so the announcement is Fitbit's own assertion that its safeguards meet the rule's requirements. In practice it means Fitbit can extend its Fitbit Wellness program to HIPAA-covered entities, including corporate wellness partners, health plans and self-insured businesses, and can sign the Business Associate Agreements (BAAs) those entities require of vendors that handle protected health information on their behalf.
With the announcement, Fitbit representatives say the company aims to serve more businesses while still securing customers' most sensitive data. Much of the information Fitbit collects falls under HIPAA's definition of protected health information (PHI) once it is handled for a covered entity; PHI covers health data such as medical history and health insurance details, and also identifiers such as names, phone numbers and email addresses when they are linked to that health data.
Ars Technica reporter Valentina Palladino predicts that the HIPAA compliance claim will make Fitbit's Fitbit Wellness program more attractive to businesses. In addition to Geico, Quicken Loans and other existing corporate customers, Fitbit recently announced a deal to offer activity trackers to Target Corp.'s 335,000 U.S. employees.
Survey: CFOs believe 20% of firms misreport earnings
A recent survey found that many CFOs believe earnings misrepresentation is common. In a poll of 375 CFOs, researchers from Emory University, Duke University and Columbia University found that CFOs believe about 20% of firms intentionally misrepresent earnings in any given period, even while staying within accounting principles and regulations. Most misrepresentation involves overstating earnings, but the CFOs estimated that roughly one-third of misrepresenting firms under-report their earnings or reverse previous overstatements.
The CFOs also gave audit committees a low ranking among a list of factors that could influence earnings quality. "I think you can fool them, but what the audit committee is essentially going to ask is whether the CEO and controller are basically honest people who are going to report faithfully," said one CFO in a supplemental interview the authors conducted in addition to the main study. The Securities and Exchange Commission's (SEC) enforcement process garnered an even lower ranking.
SEC makes moves to update rules governing administrative proceedings
Last week, the SEC made two announcements about how it conducts administrative proceedings. They come amid growing complaints about the fairness of those proceedings, in particular the SEC's practice of filing more cases before its own in-house judges rather than in federal court.
In one announcement, the Commission said it voted to propose changes to rules that govern its administrative proceedings. The goal is to modernize the rules to include provisions such as adjusting the timing of proceedings, in some cases extending the time before a hearing takes place. The changes would also allow parties to take depositions of witnesses as part of discovery and require parties to submit filings electronically and redact certain sensitive information in those filings.
According to the SEC, these proposals will simplify the requirements for seeking an SEC review of an initial decision, and offer greater transparency into the timing of the SEC’s decisions in these requests.
In another announcement, the Commission said it is overhauling its internal tribunal, an in-house court that has drawn criticism from federal judges, former SEC officials and business groups. The new rules would give defendants in cases sent to the SEC's own judges protections closer to those of federal court, including eight months to prepare for a hearing rather than the current four, and the ability to obtain sworn testimony from witnesses and others before the hearing.
The U.S. Court of Appeals for the Second Circuit decided last week that whistleblowers who report internally before going to the SEC are covered by Dodd-Frank's anti-retaliation rules. In other recent GRC headlines: New rules that address algorithmic trading risks are imminent, and a survey found that boards of directors are looking for more risk management input from senior management.
Second Circuit: Internal whistleblowers protected by Dodd-Frank
In an opinion that bolsters the U.S. Securities and Exchange Commission’s stance on the subject, a divided Second Circuit Court of Appeals panel decided that employees who report company misconduct internally are protected by rules to prevent whistleblower retaliation under the Dodd-Frank Act.
The decision addresses the conflict between a Dodd-Frank subsection that defines what a whistleblower is and another that addresses who is protected by the law’s anti-retaliation provisions. Describing the circumstances under which Dodd-Frank was passed, the Second Circuit opined that because of “the realities of the legislative process … it is not at all surprising that no one noticed that the new subdivision [that addresses anti-retaliation protections] and the definition of ‘whistleblower’ do not fit together neatly.” The panel ruled that the conflict is ambiguous enough to warrant deference to the SEC’s interpretation.
The Second Circuit’s ruling diverges from an earlier ruling by the Fifth Circuit, a disagreement that the majority opinion of the Second Circuit’s panel acknowledged. According to Bloomberg law reporter Catherine Foti, the Second Circuit’s opinion makes it likely that the Supreme Court will decide whether to extend Dodd-Frank’s anti-retaliation protections to internal whistleblowers.
New rules on the horizon to control high-frequency trading risks
The Commodity Futures Trading Commission (CFTC) is working on proposals to contain risks stemming from algorithmic trading, including high-frequency trading, which accounts for about 70% of the volume in futures markets. CFTC chairman Timothy Massad said in a speech that the proposed rules also aim to minimize disruptions and unfairness that result from algorithmic trading processes.
Massad added that algorithmic trading has changed how the CFTC performs its regulatory role, with enforcement now requiring a greater investment in IT, analytics and experienced staff. These investments are shared among the CFTC, self-regulatory organizations and the National Futures Association.
The proposals, which will be issued for comment this fall, will also likely include requirements for software and hardware development, as well as cybersecurity protections. The CFTC has already put some rules into effect to address the risks associated with increased automated futures trading, including requirements that trading hardware and software infrastructure be regularly tested before going live.
Majority of boards seek more risk management involvement from senior management
Sixty percent of surveyed boards of directors are seeking more involvement in risk oversight from their senior management teams, according to a study commissioned by the American Institute of CPAs and the Chartered Institute of Management Accountants. However, the survey also found that less than 35% of these organizations have a formal risk management program in place. The study, which surveyed more than 1,300 executives worldwide, also found the following:
- 70% of those surveyed do not describe their organization’s risk management oversight as “mature.”
- Less than 40% of organizations are satisfied with how risk exposure is reported to senior management.
- Only 46% of boards at U.S.-based companies assign risk oversight duties to a board committee, while 70% of company boards in regions outside the U.S. do so.
- Only 44% of U.S. organizations have internal management-level risk committees in place, while more than 60% of organizations in regions outside the U.S. do so.
A report accompanying the survey findings acknowledges that the overall risk environment is challenging for organizations, but adds that there are barriers that hinder the effectiveness of enterprise-wide risk oversight. The report suggests some ways organizations can improve, including conducting an assessment of the organization’s current risk management approach, and boards approaching senior management to articulate current risk approaches so they can assess the company’s efficacy in monitoring emerging risk.
Lawyers say Apple CEO Tim Cook may have flouted the Securities and Exchange Commission’s fair-disclosure regulation when he sent a CNBC correspondent an email containing company performance information. In other GRC news from the past few weeks: Charles Schwab is fined $2 million for capital deficiencies; a court ruling reinforced the FTC’s cybersecurity authority; and new malware targeting jailbroken iOS phones stole more than 225,000 Apple users’ credentials.
Apple’s Tim Cook may have infringed SEC disclosure rule
A private email Apple CEO Tim Cook sent to CNBC host Jim Cramer last week may have violated federal fair-disclosure rules, MarketWatch reported.
The email, which was read on air and later tweeted by CNBC, contained a mid-quarter update on Apple’s performance that reported an increase in iPhone activations in recent weeks and predicted strong business growth in the Chinese market. Cook also said that in the past two weeks, the Apple App Store saw its best performance of the year in China.
Lawyers told MarketWatch that the email could have violated the Securities and Exchange Commission's Regulation Fair Disclosure (Regulation FD), which restricts how public companies may selectively disclose material information to certain individuals or entities. Journalists are generally outside Regulation FD's scope, but Cramer also co-manages a portfolio that holds a long position in Apple. The SEC has declined to comment, but lawyers predicted that the SEC will, at the very least, look into the context of the private exchange.
FINRA fines Charles Schwab $2 million
Charles Schwab & Co. was fined $2 million for capital deficiencies and related supervisory failures, the Financial Industry Regulatory Authority (FINRA) announced last week.
FINRA found Charles Schwab net-capital deficient by up to $775 million on three occasions between May 15, 2014, and July 1, 2014. The deficiency stemmed from cash inflows that surpassed the amounts the financial firm could invest with its existing facilities. According to FINRA, Charles Schwab consequently transferred $1 billion to its parent company for overnight investment that was approved as an unsecured loan by the company’s Treasury group.
FINRA representatives said that Charles Schwab did not have any established procedures that required its Treasury group to consult its regulatory reporting group or to prevent the former from approving unsecured transfers that could lead to net-capital deficiencies.
A Charles Schwab representative told The Wall Street Journal that the company self-identified the issue and immediately reported it, as well as implemented revised procedures and processes.
U.S. appeals court asserts FTC’s corporate cybersecurity powers
The U.S. Court of Appeals for the Third Circuit ruled that the FTC could proceed with a lawsuit against Wyndham Worldwide Corp. alleging that the hotel chain is partly responsible for three payment card data breaches that occurred between 2008 and 2010. The FTC claims that the breaches led to more than $10 million in fraud losses, and that Wyndham failed to implement reasonable protections against data theft, such as firewalls and updated security software. Wyndham argued that the agency's allegations amount to government overreach. All three judges on the panel disagreed, and the decision reinforces the FTC's authority under Section 5 of the FTC Act to police business cybersecurity as an "unfair" practice in the absence of comprehensive data security legislation. The FTC has exercised this authority in more than 50 data security enforcement actions, according to the WSJ.
Malware steals 225,000 Apple users’ credentials
New malware called KeyRaider has stolen the credentials of more than 225,000 Apple users. Representatives of security company Palo Alto Networks called the theft the "largest known Apple account theft caused by malware," affecting users in 18 countries.
The malware targets jailbroken iOS devices. The attacker bundled KeyRaider into two jailbreak tweaks that he or she claimed would let users download paid apps from the Apple App Store without buying them.
According to Palo Alto Networks, the tweaks hijack users' app purchase requests and fetch stolen accounts or purchase receipts from the attacker's server so that the purchase completes with someone else's credentials. Palo Alto said the tweaks have been downloaded more than 20,000 times. Some KeyRaider samples also carry ransomware functionality that disables unlocking of the device even when the user enters the correct password or passcode.
Palo Alto researchers followed a trail of distributed malware samples that led them to the command-and-control server holding the stolen data. The server itself contains vulnerabilities that expose that data, including a SQL injection flaw the researchers were able to exploit to reach the database.
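The flaw class the researchers found on the attacker's server is worth seeing in code. The block below is an added illustration, not code from Palo Alto Networks' report or from KeyRaider; it uses a constructed in-memory SQLite table (column names and rows are assumptions) to show a lookup built by string concatenation next to the same lookup with a bound parameter, and what a tautology payload does to each.

```python
import sqlite3

# Constructed sample data standing in for a stolen-accounts table.
# The schema and values are assumptions made for this example.
SAMPLE_ROWS = [
    ("alice@example.com", "pw-alice", "CERT-1"),
    ("bob@example.com", "pw-bob", "CERT-2"),
    ("carol@example.com", "pw-carol", "CERT-3"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, secret TEXT, cert TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user: str) -> list:
    """String concatenation: caller input becomes part of the SQL text,
    so a quote in the input changes the query's structure."""
    sql = "SELECT user, secret, cert FROM accounts WHERE user = '" + user + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user: str) -> list:
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT user, secret, cert FROM accounts WHERE user = ?"
    return conn.execute(sql, (user,)).fetchall()


def demo() -> dict:
    """Run both lookups against a legitimate name and a tautology payload
    and return the row counts each one produces."""
    conn = make_db()
    legit = "bob@example.com"
    hostile = "' OR '1'='1"  # turns WHERE user = '' OR '1'='1' into an always-true filter
    return {
        "vuln_legit": len(lookup_vulnerable(conn, legit)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_legit": len(lookup_hardened(conn, legit)),
        "safe_hostile": len(lookup_hardened(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns every row in the table for the hostile input, which is the kind of exposure that let researchers walk the attacker's database; the bound-parameter version returns nothing for it because the payload is compared literally as a username.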
(This blog post was written by Diane K. Carlisle, executive director of content at ARMA International.)
So, your attempt to manage the governance, risk, and compliance (GRC) program with a series of complex spreadsheets leaves you in a state of massive depression. You’ve decided the obvious solution is to purchase a piece of software so you can easily track and monitor all your compliance issues. Simple enough, right?
While we’d all like to believe that technology is the magic answer to our woes, there are many factors to consider before you can make a wise software purchasing decision. You must have a clear understanding of organizational compliance requirements, internal business processes, and existing tools to avoid purchasing and implementing software only to find that you still have gaps and vulnerabilities in your compliance program.
The information governance/compliance intersection
The most stringent tests of an organization's compliance with its internal and external requirements come from third parties, such as an agency regulator or, in the case of litigation, opposing counsel or a judge. At the heart of such inquiries is a judgment by that third party about the organization's actions, or inaction, and their effect on compliance.
An organization’s compliance requirements spring from a complex array of legislation, regulation, industry expectations, and its own voluntary commitments regarding how it will conduct business. While the requirements for each organization will vary significantly, all organizations need a reliable means of demonstrating compliance with these requirements. That demonstration nearly always takes the form of documentation — and this is where compliance intersects with information governance.
A planning framework for information governance
An organization that can demonstrate it has established policies and procedures, a way to measure its compliance with them, and a plan for improving its compliance in areas that need it can show that it takes its compliance obligations seriously. These companies will typically fare better with auditors and judges than those that take a more ad hoc approach.
For organizations in the ad hoc category, ARMA International has two invaluable tools that can help them move into the former category. They can use the Generally Accepted Recordkeeping Principles® (Principles) to develop an information governance framework, and the Information Governance Maturity Model (Maturity Model), which is based on the Principles, to assess their program, plan improvements and measure progress.
The Principles framework defines the characteristics of a holistic information governance program and the essential hallmarks of effective records and information management, which is the foundation for information governance. There are eight Principles, each thoroughly explained on the ARMA International website.
The benefits of information governance
The Principles make it clear that to achieve reliable results, the organization must hold individuals accountable for their defined recordkeeping responsibilities. It must also put in place policies, procedures and tools that apply throughout the records and information life cycle.
Adopting this framework and implementing the defined recordkeeping controls creates an information governance program that will:
- Serve as a guide to planning: The Principles specify key controls that will help the organization achieve compliance. These controls contribute to authentic records and information that can be relied upon for both business decisions and compliance requirements. Without these program elements in place, records may be incomplete, inaccurate or missing altogether.
- Provide an objective means for measuring progress and sufficiency: A key part of the Principles framework is the Maturity Model mentioned earlier. This five-level metrics model is used to measure the maturity of the information governance program and identify gaps that can leave the organization vulnerable. Once the organization establishes this baseline, it can reapply the Maturity Model on an iterative basis to show improvement over time.
- Demonstrate a conscious focus on recordkeeping: The courts are not holding organizations to a standard of perfection. But they do want to see evidence that the organization is addressing issues as they arise. Even better, this information governance framework will help the organization pre-empt problems by guiding it in taking proactive steps to improve processes and technology tools.
- Prepare the organization for "pop up" audits: When there is consistent attention to recordkeeping policies and procedures and an appropriate use of tools, an organization need not fear the "pop up," or surprise, audit.
Governance and compliance: A natural collaboration
Information governance is central to an organization’s ability to demonstrate compliance with both internal and external requirements. The Principles framework provides a means to gain a solid understanding of the organization’s compliance requirements. There may already be software that can be adapted for compliance purposes, or new software may still be needed. But with a better understanding of the records and information management program, you can ensure that the new software complements what is already in place.
Diane K. Carlisle, IGP, CRM, is executive director of content at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.
The U.S. Securities and Exchange Commission (SEC) announced this month that it has approved a contentious pay-ratio rule first introduced by the Dodd-Frank Act five years ago. Also in recent regulatory news: The SEC reiterated its stance on protecting internal whistleblowers and is fighting to redefine its regulatory role on Wall Street.
SEC approves CEO pay disclosure rule
Earlier this month, the SEC voted to adopt an executive pay-ratio disclosure requirement that was first introduced under the Dodd-Frank Act when Congress passed it in 2010. The provision will require public companies to disclose their chief executives' annual compensation as a ratio to the median annual compensation of all other employees.
The requirement is highly controversial, and its adoption was delayed for years because opponents argued that the rule’s supporters wanted to shame CEOs instead of illuminate pay gaps. They also contended that implementing the rule will needlessly drain companies’ resources.
“Here we are, on the cusp of adopting a nakedly political rule that hijacks the SEC’s disclosure regime to once again effect social change desired by ideologues and special interest groups,” said SEC Commissioner Daniel Gallagher, one of the rule’s opponents, in a statement.
However, proponents such as Economic Policy Institute President Lawrence Mishel said the rule is an important step toward greater corporate transparency.
SEC extends Dodd-Frank protections to internal whistleblowers
The SEC also released guidance on how to interpret its whistleblower rules under the Securities Exchange Act of 1934. The document bolsters the agency's view that whistleblowers who report misconduct internally before informing the SEC are covered by the anti-retaliation protections of the Dodd-Frank Act.
The guidance is at odds with recent court rulings on Dodd-Frank’s vague language on what constitutes a “whistleblower” and who is entitled to the whistleblower protection rules, reported The Wall Street Journal. The law’s whistleblower provisions provide retaliation protections to those who report wrongdoing to the SEC, but the agency maintains that this extends to those who first report violations internally. The agency’s recently released guidance is meant to give whistleblowers greater clarity about the SEC’s stance on the matter, as well as give whistleblowers more confidence they will be protected when reporting internally, Jordan Thomas, a partner at Labaton Sucharow LLP, told WSJ.
"The SEC is sending a clear message to the whistleblowers, companies and courts about the scope of its authority to prosecute cases involving retaliation against whistleblowers," he said.
To redefine role, SEC ramps up pursuit of high-profile cases
The SEC is also ramping up efforts on high-profile cases that could revamp its role as a Wall Street regulator. The trend comes as SEC detractors claim that the agency is not assertive enough in its enforcement against prominent wrongdoers, and is instead too focused on low-profile cases, according to The New York Times.
These high-profile cases include the following: pending charges in an investigation involving insider trading and cybersecurity; pending investigations into insider trading activity by golfer Phil Mickelson and sports gambler William T. Walters; and a pending investigation into Wall Street’s employment of the children of China’s political elite.
The Times reported the SEC’s progress comes during a slowdown of criminal investigation into insider trading activity in New York due to a recent court ruling that makes it more difficult for federal prosecutors to pursue these cases.
Massachusetts Senator Elizabeth Warren, the U.S. Chamber of Commerce and law professors are among those critics that have called on the agency to be more aggressive when pursuing criminal investigations against Wall Street.
The U.S. Justice Department is in the process of taking on a compliance specialist to help determine whether to prosecute companies charged with foreign bribery. Also in recent GRC news: Mead Johnson Nutrition Co. will pay the SEC $12 million to settle foreign bribery charges; and a Goldman Sachs unit will pay $1.8 million for failing to accurately report trade orders to the Financial Industry Regulatory Authority.
U.S. Justice Department hires compliance counsel
The U.S. Department of Justice (DOJ) will hire a compliance counsel to help prosecutors decide whether companies charged with foreign bribery are victims of rogue employees or are willfully turning a blind eye to compliance and should be prosecuted.
The hire is the DOJ's response to concerns in the business community that some companies do not get enough credit for establishing solid compliance programs that try, but ultimately fail, to prevent foreign bribery by employees, reported The Wall Street Journal.
The new counsel has already been chosen and is being vetted. In addition to helping the DOJ decide whether to prosecute bribery claims, the compliance specialist will also help determine appropriate fines and whether further monitoring is necessary, Andrew Weissmann, chief of the DOJ's fraud section, told the WSJ.
The compliance counsel will also assist the DOJ’s fraud division with other investigations, including healthcare and securities charges.
Mead Johnson will pay $12M in bribery settlement
Mead Johnson Nutrition Co., a global manufacturer of infant formula, will pay $12 million to settle U.S. federal civil charges alleging that the company’s Chinese subsidiary bribed doctors and other health professionals to recommend its flagship product, Enfamil.
The Securities and Exchange Commission (SEC), which announced the settlement last week, also alleged that the Chinese subsidiary paid health professionals to give Mead Johnson patient contact information to be used for marketing purposes.
The bribes added up to $2 million between 2008 and 2013 and generated about $7.8 million in profits for the manufacturer, according to the SEC. Mead Johnson failed to correctly record the payments, and lenient internal controls allowed the subsidiary to draw the bribes from “off-the-books slush funds,” said the head of the SEC’s foreign corrupt practices unit.
The SEC said that Mead Johnson conducted internal investigations to resolve the charges, and took corrective measures such as improving accounting controls and establishing a unit to monitor compliance.
Goldman Sachs to pay $1.8M for reporting negligence
The clearing and execution unit of Goldman Sachs Group Inc. must pay $1.8 million for failing to report "a substantial number" of details about its alternative trading system orders to the Financial Industry Regulatory Authority's (FINRA) Order Audit Trail System. The lapses spanned a seven-year period.
Goldman Sachs neither confirmed nor denied the charges in reaching the civil settlement. A company spokesperson said the firm reported many of the issues to FINRA itself, took voluntary steps to fix the problems and cooperated with the FINRA investigation.
Further Goldman Sachs violations included sending inaccurate order data to FINRA for more than eight years and not implementing adequate controls to prevent infractions.
Numerous regulations were introduced worldwide to make financial services institutions more resilient following the financial crisis of 2007 to 2008. Now, these regulations, which global management consulting firm Accenture collectively calls global structural reform (GSR), are shaping how companies target spending: More than half of financial institutions expect to invest at least $200 million to revamp their business models so they can meet GSR requirements, according to Accenture's 2015 Global Structural Reform Study. The report's authors said that while the investments are a step in the right direction as these organizations strive to build resilience in the wake of the crisis, their focus is more on complying with the demands of GSR regulations like Dodd-Frank and Basel III than on strategies to stay competitive in the long term.
The study is based on a survey of 131 global banking, insurance and capital market institutions. Fifty-six percent of these institutions reported planning to spend $100 million or more on technology expenditures related to GSR, and another 56% anticipate $100 million or more in non-technology spending to comply with GSR. Nearly one-third of those surveyed expect to spend at least $500 million on GSR expenditures.
These significant investments are justified, wrote the study’s authors, considering that only about 21% of these organizations have achieved compliance with key GSR regulations. Furthermore, respondents expect an increase in the number of full-time employees dedicated to business changes to meet GSR requirements: 61% plan to dedicate 100 or more full-time employees to technology changes, and 69% will add non-technological employees.
Despite the heavy compliance focus, there are organizations making strides in thinking strategically about GSR by revamping their business processes and product suites. For example, 57% of respondents indicated they will tailor their geographic footprint, and half plan to divest geographic units or relocate their headquarters or business units. The authors believe these moves could lead these organizations to consider new technologies or operational models that are not as costly or risk- and capital-intensive. Moreover, 48% said they are doubling down on their core competencies over the next two years to achieve market-driven specialization, while 62% are planning to launch new products or services over the next two years.
Although compliance officers are relatively new to the leadership table, they must strike a balance between adding strategic value to their organization and meeting the requirements of GSR regulations, said Samantha Regan, one of the authors of the study and a lead in Accenture’s regulation and compliance practice.
“It is important that strategic changes to the organization — such as changing where and how a firm conducts its business or leveraging new, more sophisticated technologies and digital applications — are implemented in incremental stages and are in line with the changes the firm is undertaking for regulatory purposes,” she said in an email.
Compliance officers and their firms can achieve this by crafting a clear roadmap that first tackles the minimum regulatory requirements and eventually supports enhanced capabilities and evolving business models to help them compete in their target markets, said Regan.
“Compliance professionals who can keep pace with this changing ecosystem, partner with the front office and help the organization effectively meet changing regulatory [and] customer demands will be integral in driving competitive advantage,” she added.
Five years after the Dodd-Frank Act was enacted, the creators of the law contemplate the wide-ranging legislation’s impact on the financial and banking industries. Also in recent GRC news: The SEC heads a civil probe into public companies potentially involved in the FIFA bribery scandal, and critics voice concerns regarding the SEC’s use of in-house judges in administrative cases.
Creators of Dodd-Frank law reflect on its history
This week marked the fifth anniversary of the Dodd-Frank Act of 2010, the sweeping U.S. federal law that overhauled regulatory processes in the financial and banking sectors. There is continuing debate over the law’s merits: Advocates argue it makes banks less risky, while critics claim it hurt smaller banks and crippled the economy. The legislation’s sponsors, former Sen. Christopher Dodd and former Rep. Barney Frank, recently sat down with The Wall Street Journal to discuss its impact.
Dodd and Frank discussed what they consider the most significant impact the law made, and one aspect that they would change. Other points they touched on were why they believe the legislation has made the financial system safer; how confident they are about the death of “too big to fail” institutions; and the concerns about Dodd-Frank driving more financial activity into the less-supervised shadow banking system.
SEC leads new FIFA corruption investigation
The goal of the probe, which is in its early stages, is to determine whether publicly traded companies involved in soccer contracts violated U.S. federal anti-bribery laws such as the Foreign Corrupt Practices Act (FCPA), and whether enforcement action is needed. Although the FCPA's anti-bribery provisions apply to payments to foreign officials, its books-and-records and internal-controls provisions can reach commercial bribery when the payments are concealed or misrecorded in a company's accounts.
Critics challenge SEC’s in-house judicial process
The SEC itself is also under scrutiny, as the commission faces new criticism over its use of internal judges rather than bringing cases in federal district court. The Dodd-Frank Act expanded the SEC's authority to bring cases, including those against individuals not registered with the agency, in its own administrative proceedings. Today, cases such as insider trading charges that were typically pursued in federal district court are more likely to be heard in these in-house proceedings.
Some detractors of the SEC’s administrative hearings — including Judge Jed Rakoff from the U.S. District Court for the Southern District of New York and the U.S. Chamber of Commerce — claim that they give the SEC an unfair advantage.
Peter J. Henning, a professor at Wayne State University Law School, argued in The New York Times that the debate goes further than that. There’s also the perception that the internal hearing process is in some ways flawed compared with federal court cases, and that it is inherently a “closed system in which the agency acts as both prosecutor and judge over the case,” Henning wrote. Some of these limitations, Henning said, include the following: Defendants are not granted pre-trial discovery rights and instead must rely on information gathered by the SEC; the initial decision in the proceedings is made by a judge employed by the SEC; and appeals must be heard by SEC commissioners before the cases can go to federal appeals court.
Henning proposes that the SEC compromise with critics of its administrative hearings by modestly expanding discovery rights. “The notion that the S.E.C. has gathered all the relevant information, and that a defendant cannot question witnesses in advance of a trial, goes against the view that each side should have the same opportunity to put on its case,” Henning wrote.
SEC commissioner Luis Aguilar strongly urged his colleagues at a cybersecurity conference last month to push Reg SCI up on their priority lists, particularly in terms of widening the regulation’s coverage. Also in the news: The PCI Council updates its peer-to-peer encryption standard; the SEC proposes a rule that will enable companies to take back executive bonuses; and more.
SEC commissioner calls for Reg SCI expansion
SEC Commissioner Luis Aguilar is calling for the regulator to broaden the scope of Regulation Systems Compliance and Integrity (Reg SCI), a rule passed last November that extends the SEC’s oversight to the automated information systems of certain regulated entities, namely stock exchanges, plan processors, specific clearing agencies and alternative trading systems.
In a sweeping speech at the SINET Innovation Summit last month, Aguilar addressed the challenges of tackling cybercrime. He described the SEC’s “multifaceted” approach to meeting those challenges, including inspecting regulated entities and implementing new rules such as Reg SCI.
Aguilar praised several aspects of the rule: its risk-based approach, its emphasis on helping entities develop procedures suited to their own risks, and its mandate that senior management and the board be actively involved in cybersecurity. However, he also urged the SEC to expand the rule’s scope, because it currently does not cover many market participants, including over-the-counter market makers, stockbrokers and transfer agents. He added that this expansion should be the SEC’s “top priority.”
In addition to improvements to Reg SCI, Aguilar entreated fellow commissioners to update the SEC’s guidelines so that public companies can better respond to cybersecurity incidents and provide “better and more timely information” on the specific risks and cyberattacks they face.
PCI Council updates P2P encryption standard
Last month, the Payment Card Industry Security Standards Council (PCI SSC) updated one of its eight security standards in response to feedback from early adopters in the market. The standard addresses point-to-point encryption (P2PE) tools, which encrypt account data in transit between the point of sale (POS) and the secure decryption environment.
According to the PCI SSC, the update, laid out in the document PCI Point-to-Point Encryption Solution Requirements and Testing Procedures Version 2.0, gives more flexibility to P2PE solution providers and to merchants that use P2PE. Specifically, the PCI SSC’s listings of validated P2PE solutions and applications will now include P2PE components, meaning services that fulfill particular P2PE requirements, so that providers can more easily develop PCI-compliant P2PE products for merchant customers. P2PE v2 also gives merchants more options for implementing and managing P2PE technology: They can manage P2PE tools for their own POS locations, which includes implementing the standard’s requirements for separating the encryption and decryption environments, or they can work with a P2PE solution provider to manage a PCI-compliant P2PE product suited to their business needs.
New SEC rule to let companies “claw back” executive bonuses
A rule proposed by the SEC will enable companies that issue faulty financial statements to “claw back” their senior executives’ bonuses once those statements have been restated. The regulation will apply to companies listed on U.S. stock exchanges.
The proposed rule, required by the Dodd-Frank Act of 2010, targets executive bonuses (aka “incentive-based compensation”), the size and payment of which depend on whether a corporation meets or surpasses particular financial metrics. Currently, executives are allowed to keep their bonuses despite their companies correcting artificially inflated financial statements.
While current rules do allow companies to claw back compensation of CEOs or CFOs, the new rule will have a broader scope, including “any other person who performs policy-making functions for the company” in addition to senior officers, said the SEC. It will also apply to pay earned over the course of three years, versus one year under existing regulations.
Wells Fargo, Raymond James and LPL will pay $30M to overcharged clients
Wells Fargo & Co., Raymond James Financial Inc. and LPL Financial Holdings Inc., three of the largest brokerages in the U.S., will have to pay more than $30 million to clients they overcharged on mutual-fund sales, the Financial Industry Regulatory Authority (FINRA) announced Monday.
The wealth-management units of the three firms applied mutual-fund sales charges to the accounts of certain retirement-plan customers and charitable organizations, which should have been waived according to the Employee Income Security Act.
The three companies will not have to pay a fine, because they discovered the inappropriate charges themselves and reported the problems to FINRA. According to one regulator, the firms failed to adequately oversee the financial advisors selling the mutual funds because they didn’t provide them with “critical information and training.”
The U.S. government data breach announced last week began a year ago, giving the perpetrators plenty of time to access federal employees’ personal information, according to the NSA. Also in recent GRC news: A new bill would give Europeans the same data protection rights as American citizens, and a flaw in popular mobile apps could leave billions of data records vulnerable.
NSA: U.S. security clearance data hack began a year ago
The recently discovered breach into the security clearance computer system of the Office of Personnel Management (OPM) began a year ago, according to new information disclosed by the National Security Agency (NSA).
The long gap between the start of the breach in the summer of 2014 and its discovery earlier this month gave the hackers time to carry out a far-reaching cyberattack, NSA general counsel Stewart Baker told The Washington Post.
The OPM’s security clearance network contains personal and financial information on millions of current, former and prospective federal employees.
The White House has not publicly disclosed whom it suspects of executing the breach, but unidentified U.S. officials speculate that the perpetrators were hackers sponsored by the Chinese government, according to the Post. Senior U.S. officials say that in the past 12 to 18 months, the Chinese government has begun building large databases of Americans’ information for counterintelligence purposes.
Bill extends U.S. data protection rights to Europeans
A bipartisan bill introduced last week in the U.S. Senate will, if passed, extend to Europeans the same rights American citizens have under the Privacy Act of 1974. The Senate bill would allow Europeans to take legal action against U.S. agencies that misuse their private data. Some members of the European Parliament said that the legislation will not only restore the trust of both American and European citizens in the wake of Edward Snowden’s revelations, but also kick off future data-sharing deals between the E.U. and U.S. governments, according to Politico.
One detail that needs to be cleared up before the bill is put to a vote is whether everyone in the EU — and not just citizens — would be covered under the new law.
Mobile app flaw could leave billions of records vulnerable
German security researchers have discovered a flaw in the way thousands of popular mobile apps store information online, leaving about 56 million pieces of unprotected data exposed to attackers. The exposed information includes passwords, addresses and location data. The researchers declined to name the vulnerable applications, but said they include popular ones available from the Apple and Google app stores.
The issue lies in the way most mobile app developers authenticate users when storing their data online. Most app developers use a default option that allows hackers easy access to the app — and a user’s private data, the security researchers reported.
“In almost every category we found an app which has this vulnerability in it,” Siegfried Rasthofer, one of the researchers, told Reuters. Those categories include messaging, gaming, social networking and bank transfer apps. The researchers predicted that the number of records affected will likely be in the billions.
Feds probe Cardinals for hacking into private Astros network
The FBI and the U.S. Department of Justice are investigating officials from the St. Louis Cardinals for hacking into the private computer system of the Houston Astros to steal information on Astros players. Data stored in the Astros’ internal network included trade discussions, player evaluations and scouting methods.
Law enforcement officials believe a Cardinals staffer accessed the Astros database by trying passwords that Jeff Luhnow, a former Cardinals executive who is now the Astros’ general manager, had used during his time in St. Louis. Federal officials are uncertain who committed the act.
Experts say that while cyberespionage is common among U.S. companies, this is the first known occurrence in professional sports. It could result not only in disciplinary measures by Major League Baseball but also in criminal charges under the Computer Fraud and Abuse Act of 1986, a federal law.