IT Compliance Advisor

November 18, 2015  3:40 PM

Beyond BYOD: How new tech is driving digital information governance

Ben Cole
Information governance, Internet of Things, iot

(This blog post was written by Diane K. Carlisle, executive director of content at ARMA International.)

Day by day, effective information governance (IG) is made more urgent and more complicated by disruptive technologies and new business models spreading rapidly through organizations. Many companies are still in the early stages of solving such digital-age challenges as big data and the bring-your-own-device (BYOD) model, yet newer technologies continue to emerge. The Internet of Things (IoT), for instance, offers profound business opportunities while carrying great risk.

In a 2015 staff report titled “Internet of Things: Privacy and Security in a Connected World,” the FTC defined IoT as “the ability of everyday objects to connect to the Internet and to send and receive data.”

Examples include cameras that permit users to post pictures online with one click; automated systems that let users turn lights on and off remotely; and sensors in storage systems that can detect RFID data in order to manage inventory more efficiently. The IoT umbrella also includes such wearable devices as bracelets that track and share your workout data and heart implants that monitor and transmit health information.

The business benefits — and detriments — of IoT

Many companies hope the IoT will enhance productivity and generate new business models and revenue sources. Typically, IoT devices collect data and pass it on to other devices. Some smart televisions, for example, can detect whether anyone in the room is actually watching the screen and transmit that information to other smart devices. Companies then use the data to negotiate ad rates, or to target products or other programs at that household.

Organizations are eager to pursue IoT because they stand to benefit dramatically from using the information they collect through it. For example, smart meters can help utility companies reduce the costs of manual meter reading and can monitor and predict resource usage at peak times. This information helps them ensure adequate supplies to meet customer demand. It might also help them justify rate hike requests to public utility commissions. The technology helps customers understand their power usage so they can make beneficial changes.

But there are down sides as well.

Such data generation and aggregation present big challenges for information governance because the IoT increases the volume of data, the variety of sources and the number of places it is dispersed to. IoT devices pass enormous volumes of data to other connected devices, some of which may be external to an organization’s infrastructure and therefore outside the security controls the organization can actually enforce. Organizations that turn to the IoT for business advantage must therefore be prepared for the associated information risks, especially when it comes to privacy and security.

Chief among the IG concerns and potential risks is the organization’s duty to protect customer privacy. Customer identification and banking information are linked to that smart meter, and customers may be skeptical of the organization’s ability to protect that information from unauthorized use. And of course, managing and protecting such large volumes of information is challenging for most companies.

Providing adequate security for the information throughout its capture, transmission and storage requires financial resources that management may not have anticipated. Information is vulnerable at each of these points. And as the sensitivity of the data and of the functionality increases, consumers’ concerns about privacy protection increase as well. Consumers may be more sensitive about banking information transmitted through Apple Pay than about their consumption of electricity. Take it a step further and think of the “smart home,” where a compromised device controls physical access: there the security measures must be extremely effective to prevent unauthorized access.

These are but a few examples. In short, the IoT world is changing rapidly and it’s easy to foresee an overwhelming volume of data entering the corporate environment.

Planning for IoT initiatives

That said, organizations must address the full scope of IG considerations as they implement IoT applications. The following are steps they can take to plan for IoT initiatives:

  • Convene an IoT implementation team: It should include representatives from IT, RIM (records and information management), legal and the relevant business units. If your organization has an IG steering committee, it is a natural fit. Otherwise, convene a collaborative team to understand the benefits and risks and to make decisions on the implementation, considering all the factors involved.
  • Conduct a risk assessment: Depending on the specific application, the organization may be taking on a greater degree of information-related risk.
  • Make a plan: An IoT initiative must be taken seriously. Build the plan around specific business goals and strategies. Establish benchmarks and metrics to evaluate the success or failure of the initiative.
  • Integrate regulatory and compliance requirements. These requirements will continue to apply, regardless of how information is captured.
  • Assess the impact of IoT on the retention/disposition policy and schedule. Some types of information will need to be retained far longer than before. Make sure the necessary retention schedule modifications are made, and that you can actually find and delete the information, wherever it has been copied, once its retention period has expired.
  • Ensure that IT has the capacity to deal with the additional volumes of information. The growth in data that requires storage can quickly overwhelm an organization. Such volumes can hinder business efficiencies, make e-discovery more costly and jeopardize the defensibility of legal holds.

While the IoT trend can be overwhelming, a sound IG program can give your organization a head start on addressing the challenges that come along with the opportunities.

The building blocks for a sound IG program are the Generally Accepted Recordkeeping Principles® developed by ARMA International, a thought-leader on IG. These Principles — Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention, Disposition — work together to foster a collaborative approach that ensures information is treated as an asset, protected in compliance with all regulations, and disposed of according to a legally defensible retention plan.

Accompanying the Principles is the IG Maturity Model, which defines the characteristics of recordkeeping programs at various levels of maturity. It is an assessment tool you can use to evaluate your IG program against the Principles; it helps you identify the gaps between your current situation and your desired level of maturity for each principle. More information on both the Principles and the Maturity Model is available on the ARMA website.

A collaborative IG approach and conformity to the Principles will strengthen information security and produce a sound, holistic IG program that prepares your organization for virtually any information-related challenge.

Diane K. Carlisle, IGP, CRM, is executive director of content at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.

November 12, 2015  8:51 AM

Fed Chair says regulatory compliance problems persist at large banks

Fran Sales
Audit and compliance, CFO, Compliance, Dodd-Frank, Finance, Financial firms, Financial industry, grc, GRC strategy, regulatory compliance, Risk management

In recent regulatory compliance news, the Federal Reserve Chairwoman testified before a House panel that very large U.S. banks still experience “substantial” GRC management failures; recent research casts doubt on the effectiveness of new compensation “clawback” rules proposed under the Dodd-Frank Act.

Fed Chair: Big firms still face regulatory compliance issues

The leader of the Federal Reserve has rebuked very large U.S. banks for persistent regulatory compliance and risk management breakdowns, but also suggested legislation to lighten the regulatory burden on midsized firms.

Last week, during three hours of testimony before the House Financial Services Committee, Fed Chairwoman Janet Yellen said that although the largest financial firms the Fed regulates have improved governance, internal controls and risk management since the 2008 financial crisis, they still face “substantial compliance and risk management issues.” Yellen said the Fed is prepared to require very large firms to make considerable changes to their businesses if these banks’ “living wills” — plans that detail how they would wind down operations in bankruptcy — do not pass muster with the Fed.

Federal Reserve Chair Janet Yellen [Source: Wikimedia]

Yellen also said the Fed is open to tweaking its regulatory regime to help regional banks with more than $50 billion in assets. Under the Dodd-Frank Act, these banks are accountable to more stringent rules than those with fewer assets. However, she pushed back against a bill proposed by the House that would dictate criteria for which of these firms would face tougher rules. Instead, Yellen requested that the Fed have the flexibility to modify the rules.

Study: Execs tend to refuse restatements if their pay is incentive-based

New research shows that compensation clawback rules proposed under the Dodd-Frank Act might not be as effective as proponents anticipate in influencing companies to fix faulty financial statements. Under the new rules, which will likely be adopted later this year, issuing these restatements will initiate the “clawback,” or return, of financial executives’ inappropriate bonuses.

The research, published in The Accounting Review this month, concluded that senior executives (mainly CFOs, controllers and treasurers) are less likely to agree to fix faulty financial statements when most of their compensation is incentive-based. Jonathan S. Pyzoha, an assistant professor of accountancy at Miami University, studied executives from 112 public financial companies to determine whether they negotiate more firmly with auditors to avoid a restatement altogether when their incentive-based pay is at stake.

Attorneys who work with companies considering restatements believe that clawbacks are not among their clients’ principal concerns, according to MarketWatch. However, Pyzoha’s research shows that this is not the case for executives whose pay is mostly incentive-based. He found that these executives were less amenable to fixing financial statements if the restatement was proposed by a “low quality” auditor, with quality based on the auditor’s time and experience in the field, but more open to restatements if the proposal came from a high-quality auditor.

Pyzoha advised companies to have their audit committee’s financial experts play a greater role in the restatement process to counterbalance these executives’ influence.

October 29, 2015  12:27 PM

Goldman Sachs faces $50 million fine to settle document leak case

Fran Sales
Compliance, Finance, Financial regulations, grc, regulatory compliance, SEC, SOX

This week, Goldman Sachs agreed to pay a $50 million fine to settle a case in which a former employee leaked confidential information from the New York Fed. Also in the news: Bristol-Myers Squibb and other pharma companies face foreign bribery probes; a study found that earnings misstatements are “contagious”; and an extensive investigation of Wal-Mart’s operations in Mexico has found little wrongdoing.

Goldman Sachs faces $50 million fine, criminal charges for ex-banker

A former Goldman Sachs banker is pleading guilty to federal criminal charges, a rarity on Wall Street. Last year, the banker allegedly obtained confidential documents from an employee at the Federal Reserve Bank of New York, one of Goldman’s regulators, and shared that information with his team. Both the Goldman banker and the New York Fed worker will accept plea deals that could put them behind bars for up to a year, anonymous sources briefed on the matter told The New York Times.

Both men were fired after the leak. Goldman Sachs representatives said that once the company discovered the leak, it immediately notified regulators and began an investigation. Still, under a settlement with the New York State Department of Financial Services, the bank is expected to pay a penalty of $50 million and accept new constraints on its handling of confidential supervisory information. According to the NYT, Goldman will also have to acknowledge that it failed to adequately supervise the former banker.

More pharma companies to be probed for foreign bribery

In the wake of Bristol-Myers Squibb’s settlement of foreign bribery charges with the federal government earlier this month, more pharmaceutical companies may be put under the microscope.

New York-based pharmaceutical company Bristol-Myers Squibb agreed to pay a $14 million penalty to settle U.S. Securities and Exchange Commission (SEC) charges that it violated the Foreign Corrupt Practices Act (FCPA) by bribing healthcare providers in China in exchange for prescription sales.

Now, according to Forbes, AstraZeneca, Eli Lilly, GlaxoSmithKline, Novartis, Novo Nordisk, Sanofi, Teva Pharmaceutical Industries Ltd., UCB and probably other pharmaceutical companies are expected to be investigated for FCPA violations. The U.S. Department of Justice also plans to expand the enforcement staff and resources dedicated to “high-impact” foreign bribery cases.

Study: Earnings misstatement is infectious

A study that examined 2,376 financial restatements made by companies between 1997 and 2008 found that firms are more likely to misstate their own earnings after another company in their industry or region publicly announced a restatement. However, when a misstating firm was penalized by the SEC, faced lawsuits, or media reports surfaced regarding their malpractices, their peers did not imitate misconduct, the study discovered. This finding, the authors said, suggests the “deterrent effects of enforcement activity.”

The study, which was published by the American Accounting Association, did not identify particular companies, but found that when larger and higher-profile firms manipulated their earnings, the misconduct was more likely to be copied by others in their industry. The study also found that imitation stopped between 2003 and 2005, likely because of enforcement actions related to the Sarbanes-Oxley (SOX) Act. The trend resurfaced between 2006 and 2008, possibly because “the sting associated with SOX has worn off,” the authors said.

Wal-Mart bribery probe turns up little proof of major violations

A high-profile federal investigation of Wal-Mart Stores’ operations in Mexico will likely end up becoming a smaller case than investigators had anticipated, sources familiar with the matter told The Wall Street Journal.

While the three-year probe of corruption allegations remains ongoing, the work is approaching completion and the case could be settled with a fine and no criminal charges. The investigation was launched by the U.S. Department of Justice after articles by the NYT described alleged bribes paid by the retailer to get permits to build stores in Mexico. The articles also detailed how company executives allegedly terminated an internal inquiry into the questionable payments. The federal investigation, however, found evidence that contradicted some of the claims made in the NYT articles.

October 15, 2015  4:15 PM

What’s compliance worth to the business?

Fran Sales
board, Chief Compliance Officer, Compliance, grc, risk

In part one of this blog post, we unpacked the drivers behind the surge in demand for compliance investment and skilled staff, including new agencies that take a behavior-based approach to regulation and an expansion of regulators’ powers. In part two, we look at how compliance officers can help transform their organization into one that is conduct-risk-aware.

Compliance functions now have considerable influence on the board and its decision-making process, according to Roger Miles, behavioral risk lead at Thomson Reuters. The majority of boards (74%) now have an increased focus on conduct risk, and the chief risk officers or heads of compliance in 70% of organizations directly report to the board on conduct risk.

Compliance practitioners should seize this opportunity to lead “the transformation that regulators are looking for, to help build and promote a responsive business culture that encourages intelligent, behaviorally aware risk taking and decision making,” wrote Miles.

To jumpstart this transformation, Miles advises compliance officers to encourage all staff to work “risk-aware.” This means educating everyone in the organization about why good conduct is good for the business, and that poor conduct comes with a wide range of costs beyond fines — including negative effects on customers.

“Conduct breaches are not just about paying fines in your local jurisdiction. They have wider business impacts on capital (prudential reporting, capital adequacy, brand value, share premium, cost of borrowing) and ultimately on the ability of the business to maintain self-determination (strategic governance and control),” he said in an email.

While conduct breaches come with obvious business costs such as the possibility of a senior manager getting suspended as a result of a violation, they may also bring unexpected damages.

“Businesses hit by a major conduct-related enforcement may also find themselves the targets of shareholder activism, boardroom coups and hostile takeover,” Miles said.

Miles also encourages compliance leaders to review the current state of their compliance training programs and make sure the training content is up to date. They should also add new training on behavioral risk awareness and on new conduct regulations in the company’s jurisdiction.

While this could involve requesting more resources from the board, Miles said that “the signs are this will be more sympathetically heard than in the past.”

October 15, 2015  4:13 PM

As regulatory wave swells, boards put new focus on compliance functions

Fran Sales
Chief Compliance Officer, Compliance, grc, regulatory compliance, risk

Boards of directors are increasingly seeing the value of regulatory compliance, as the past year has seen a worldwide spike in compliance spending and the hiring of skilled compliance staff, according to data collected by intelligence firm Thomson Reuters.

In North America, 60% of firms report that they expect a “significant increase” in compliance investments from 2015 to 2016. For instance, one of these firms, HSBC, expects year-over-year spending on compliance to increase by 300%, to $750 million.

Firms also expect to dedicate a considerable amount of time and staff to compliance processes and procedures. Twenty percent anticipate committing between four and seven hours per week to compliance (up one percentage point from 2013), and 21% expect more than seven hours (up from 18% in 2013).

Where is the pressure coming from?

One driver of the increasing demand for compliance specialists is the influx of new regulatory initiatives created after the 2008 financial crash, according to Roger Miles, behavioral risk lead at Thomson Reuters. Regulators are looking beyond the transaction data organizations produce internally and instead defining violations in terms of human behavior.

“A key feature of this revolutionary approach … is that it looks beyond the dry theory of economic utility toward a real-life, empirical view of human interactions, the ‘what actually happens’ view of financial markets,” wrote Miles in a whitepaper titled “What’s Compliance Worth?”

Regulators that follow this behavior-based regulation approach examine firms’ processes, decision making and how they design systems for employees. Moreover, they look at how these organizations behave in financial markets and how they interact with their customers in real time.

This regulatory approach has not only increased compliance costs, but regulatory fines as well. According to research by Thomson Reuters, cumulative fines for conduct-related offenses are projected to surpass $20 billion globally — and will continue to grow.

Another factor is that regulators are expanding their powers. Local agencies, for example, are extending their reach beyond their own jurisdiction and target sector. Additionally, there has been an increase in regulatory initiatives that affect multiple sectors or territories, such as Basel III, the Foreign Account Tax Compliance Act and the Foreign Corrupt Practices Act.

Furthermore, there’s been a rise in local regulatory schemes that are subsequently copied by agencies in other jurisdictions, such as “clawbacks,” or recovery of inappropriate compensation and bonuses, and examining senior managers’ personal responsibility for criminal behavior. In the U.S., for example, “the SEC is currently staffing up with behaviorally aware enforcers headhunted from other jurisdictions,” Miles said over email.

In response to this increase in enforcement actions, compliance staffs’ dockets are getting longer. Their tasks must now include, at the very least, the following:

  • Protecting senior management against regulatory risk and managing regulatory relationships;
  • Providing evidence to management and the board on appropriate compliance actions and developing reporting mechanisms;
  • Managing the convergence of compliance, internal audit and risk functions; and
  • Keeping abreast of new conduct risk regulations and creating their firm’s own definition of what “good conduct” is.

In part two of this blog post, find out how compliance practitioners should take the lead in transforming their organization into one that is conduct-risk-aware.

September 30, 2015  5:37 PM

Fitbit achieves HIPAA compliance, targets more corporate customers

Fran Sales
CFO, grc, HIPAA, HIPAA Compliance, regulatory compliance, SEC, Wearable devices

Wearable fitness tracker company Fitbit recently announced that its devices are now HIPAA-compliant, broadening the types of businesses it aims to work with. Also in recent GRC news: CFOs report widespread earnings misrepresentation; SEC proposed changes to its administrative proceedings.

Fitbit wearables now HIPAA-compliant

Fitbit Inc. announced earlier this month that its wearable activity trackers now support HIPAA compliance. Note that there is no official HIPAA certification: the U.S. Department of Health and Human Services does not certify products or vendors, so a claim like this means the vendor has put in place the safeguards and contractual arrangements a covered entity needs in order to work with it. In practice, the announcement means Fitbit can extend its Fitbit Wellness program to HIPAA-covered entities, including corporate wellness partners, health plans and self-insured businesses, and can enter into Business Associate Agreements with them.

With its HIPAA compliance announcement, Fitbit reps say the company aims to serve more businesses while still securing customers’ most sensitive data. Much of the information tracked by Fitbit devices falls under HIPAA’s definition of protected health information, such as medical history and health insurance data. Identifiers such as names, phone numbers and email addresses are also covered when they are linked to that health information.

Ars Technica reporter Valentina Palladino predicts that the HIPAA compliance announcement will make Fitbit’s Fitbit Wellness program more attractive to businesses. In addition to Geico, Quicken Loans and other existing corporate customers, Fitbit recently announced a deal to offer activity trackers to Target Corp.’s 335,000 U.S. employees.

Survey: CFOs believe 20% of firms misreport earnings

A recent survey found that many CFOs believe earnings misrepresentation is prevalent among firms. In a poll of 375 CFOs, researchers from Emory University, Duke University and Columbia University found that CFOs believe 20% of firms intentionally misrepresent earnings at any given time, even while these firms observe accounting principles and regulations. Most cases of misrepresentation involve overstating earnings, but about one-third of the cases involve firms under-reporting their earnings or reversing previous overstatements.

The CFOs also gave audit committees a low ranking among a list of factors that could influence earnings quality. “I think you can fool them, but what the audit committee is essentially going to ask is whether the CEO and controller are basically honest people who are going to report faithfully,” said one CFO in a supplemental interview the authors conducted in addition to the main study. The Securities and Exchange Commission’s (SEC) enforcement process garnered an even lower ranking.

SEC makes moves to update rules governing administrative proceedings

Last week, the SEC made two announcements regarding how it conducts its administrative proceedings. These announcements arrive amid growing complaints about the fairness of these proceedings, in particular the SEC’s move to bring more cases before its in-house judges rather than in federal court.

In one announcement, the Commission said it voted to propose changes to rules that govern its administrative proceedings. The goal is to modernize the rules to include provisions such as adjusting the timing of proceedings, in some cases extending the time before a hearing takes place. The changes would also allow parties to take depositions of witnesses as part of discovery and require parties to submit filings electronically and redact certain sensitive information in those filings.

According to the SEC, these proposals will simplify the requirements for seeking an SEC review of an initial decision, and offer greater transparency into the timing of the SEC’s decisions in these requests.

In another announcement, the Commission said it is overhauling its internal tribunal, an in-house court whose use has drawn criticism from federal judges, former SEC officials and business groups. The new rules would give defendants in cases sent to the SEC’s own judges legal protections similar to those available in federal court, including eight months to prepare for a trial instead of the current four, and the ability to obtain sworn testimony from witnesses and others before trial.

September 16, 2015  5:21 PM

Court rules that Dodd-Frank protects internal whistleblowers

Fran Sales
boards, Dodd-Frank, grc, GRC management, SEC, Senior management, Stock market

The U.S. Court of Appeals for the Second Circuit decided last week that whistleblowers who report internally before going to the SEC are covered by Dodd-Frank’s anti-retaliation rules. In other recent GRC headlines: new rules that address algorithmic trading risks are imminent, and a survey found that boards of directors are looking for more risk management input from senior management.

Second Circuit: Internal whistleblowers protected by Dodd-Frank

In an opinion that bolsters the U.S. Securities and Exchange Commission’s stance on the subject, a divided Second Circuit Court of Appeals panel decided that employees who report company misconduct internally are protected by rules to prevent whistleblower retaliation under the Dodd-Frank Act.

The decision addresses the conflict between a Dodd-Frank subsection that defines what a whistleblower is and another that addresses who is protected by the law’s anti-retaliation provisions. Describing the circumstances under which Dodd-Frank was passed, the Second Circuit opined that because of “the realities of the legislative process … it is not at all surprising that no one noticed that the new subdivision [that addresses anti-retaliation protections] and the definition of ‘whistleblower’ do not fit together neatly.” The panel ruled that the conflict is ambiguous enough to warrant deference to the SEC’s interpretation.

U.S. Court of Appeals for the Second Circuit (Wikipedia)

The Second Circuit’s ruling diverges from an earlier ruling by the Fifth Circuit, a disagreement that the majority opinion of the Second Circuit’s panel acknowledged. According to Bloomberg law reporter Catherine Foti, the Second Circuit’s opinion makes it likely that the Supreme Court will decide whether to extend Dodd-Frank’s anti-retaliation protections to internal whistleblowers.

New rules on the horizon to control high-frequency trading risks

The Commodity Futures Trading Commission (CFTC) is working on proposals to contain the risks stemming from algorithmic trading, including high-frequency trading, which accounts for 70% of the volume in futures markets. CFTC chairman Timothy Massad said in a speech that the proposed rules also aim to minimize the disruptions and unfairness that result from algorithmic trading.

Massad added that algorithmic trading has changed how the CFTC performs its regulatory role, with enforcement now requiring a greater investment in IT, analytics and experienced staff. These investments are shared among the CFTC, self-regulatory organizations and the National Futures Association.

The proposals, which will be issued for comment this fall, will also likely include requirements for software and hardware development practices, as well as cybersecurity protections. The CFTC has already put some rules into effect to address the risks of increasingly automated futures trading, including a requirement that trading hardware and software be tested regularly before going live.

Majority of boards seek more risk management involvement from senior management

Sixty percent of surveyed boards of directors are seeking more involvement in risk oversight from their senior management teams, according to a study commissioned by the American Institute of CPAs and the Chartered Institute of Management Accountants. However, the survey also found that less than 35% of these organizations have a formal risk management program in place. The study, which surveyed more than 1,300 executives worldwide, also found the following:

  • 70% of those surveyed do not describe their organization’s risk management oversight as “mature.”
  • Less than 40% of organizations are satisfied with how risk exposure is reported to senior management.
  • Only 46% of boards at U.S.-based companies assign risk oversight duties to a board committee, while 70% of company boards in regions outside the U.S. do so.
  • Only 44% of U.S. organizations have internal management-level risk committees in place, while more than 60% of organizations in regions outside the U.S. do so.

A report accompanying the survey findings acknowledges that the overall risk environment is challenging for organizations, but adds that there are barriers that hinder the effectiveness of enterprise-wide risk oversight. The report suggests several ways organizations can improve, including assessing the organization’s current risk management approach, and having boards ask senior management to articulate the current risk approach so the board can judge how effectively the company monitors emerging risk.

September 2, 2015  5:52 PM

Apple CEO Tim Cook’s email may have violated SEC disclosure rules

Fran Sales
Apple, Apple iOS, Compliance, cybersecurity, Cybersecurity legislation, Data security breaches, FTC, grc, Information security, malware, Mobile security, Palo Alto Networks, SEC

Lawyers say Apple CEO Tim Cook may have flouted the Securities and Exchange Commission’s fair-disclosure regulation when he sent a CNBC correspondent an email containing company performance information. In other GRC news from the past few weeks: Charles Schwab is fined $2 million for capital deficiencies; a court ruling reinforced the FTC’s cybersecurity authority; and new malware targeting jailbroken iOS phones stole more than 225,000 Apple users’ credentials.

Apple’s Tim Cook may have infringed SEC disclosure rule

A private email Apple CEO Tim Cook sent to CNBC reporter Jim Cramer last week may have violated federal fair-disclosure rules, reported MarketWatch.

The email, which was read on air and later tweeted by CNBC, contained a mid-quarter update on Apple’s performance that reported an increase in iPhone activations in recent weeks and predicted strong business growth in the Chinese market. Cook also said that in the past two weeks, the Apple App Store saw its best performance of the year in China.

Lawyers told MarketWatch that the email could have violated the Securities and Exchange Commission’s Regulation Fair Disclosure (Regulation FD), which stipulates how public companies may disclose company information to certain individuals or entities. The media is typically exempt from Regulation FD, but CNBC’s Cramer is also co-manager of a portfolio that holds a long position in Apple. The SEC has declined to comment, but lawyers predicted that the SEC will, at the very least, investigate the context of the private exchange.

FINRA fines Charles Schwab $2 million

Charles Schwab & Co. was fined $2 million for capital deficiencies and related supervisory failures, the Financial Industry Regulatory Authority (FINRA) announced last week.

FINRA found Charles Schwab net-capital deficient by up to $775 million on three occasions between May 15, 2014, and July 1, 2014. The deficiency stemmed from cash inflows that surpassed the amounts the financial firm could invest with its existing facilities. According to FINRA, Charles Schwab consequently transferred $1 billion to its parent company for overnight investment that was approved as an unsecured loan by the company’s Treasury group.

FINRA representatives said that Charles Schwab did not have any established procedures that required its Treasury group to consult its regulatory reporting group or to prevent the former from approving unsecured transfers that could lead to net-capital deficiencies.

A Charles Schwab representative told The Wall Street Journal that the company self-identified the issue and immediately reported it, as well as implemented revised procedures and processes.

U.S. appeals court asserts FTC’s corporate cybersecurity powers

A federal court ruled last week that companies that fail to provide customers with adequate safeguards against cybertheft can be sued by the Federal Trade Commission (FTC).

The Third U.S. Court of Appeals ruled that the FTC could proceed with a lawsuit against Wyndham Worldwide Corp. that alleges the hotel chain is partly responsible for three payment card data breaches that occurred between 2008 and 2010. The FTC claims that the breaches have led to more than $10 million in fraud losses, and that Wyndham failed to implement reasonable protections against data theft, such as firewalls and updated security software. Wyndham challenged the FTC’s claims, arguing that the agency’s allegations are government overreach. All three judges on the court panel disagreed, and the decision reinforces the FTC’s authority to regulate business cybersecurity in the absence of comprehensive data security legislation. The FTC has exercised this authority by pursuing enforcement actions in more than 50 data security cases, according to the WSJ.

Malware steals 225,000 Apple users’ credentials

A new malware called KeyRaider has successfully stolen the credentials of more than 225,000 Apple users. The theft has been dubbed by representatives of security company Palo Alto Networks as the “largest known Apple account theft caused by malware,” affecting users in 18 countries.

The malware targets jailbroken iOS devices. The attacker added KeyRaider to two jailbreak tweaks, which he or she claimed would let users download paid apps from the Apple App Store without purchasing them.

According to Palo Alto Networks, these tweaks hijacked users’ app purchase requests and downloaded stolen accounts or purchase receipts. Palo Alto said the tweaks have been downloaded by more than 20,000 users. KeyRaider was also integrated in ransomware to disable unlocking operations, even if the user entered the correct password or passcode.

Palo Alto researchers followed a trail of distributed malware samples that led them to the command-and-control server on which the stolen data is stored. They found that the server itself contains vulnerabilities that expose user data, including a SQL vulnerability that the researchers were able to exploit.

August 27, 2015  6:49 PM

Information governance key to compliance automation success

Ben Cole
Compliance, grc, Information governance

(This blog post was written by Diane K. Carlisle, executive director of content at ARMA International.)

So, your attempt to manage the governance, risk, and compliance (GRC) program with a series of complex spreadsheets leaves you in a state of massive depression. You’ve decided the obvious solution is to purchase a piece of software so you can easily track and monitor all your compliance issues. Simple enough, right?

While we’d all like to believe that technology is the magic answer to our woes, there are many factors to consider before you can make a wise software purchasing decision. You must have a clear understanding of organizational compliance requirements, internal business processes, and existing tools to avoid purchasing and implementing software only to find that you still have gaps and vulnerabilities in your compliance program.

The information governance/compliance intersection

The most stringent tests of an organization’s compliance with its internal and external requirements come through third parties, such as an agency regulator or — in the case of litigation — the opposing counsel or a judge. At the heart of such inquiries is the third party’s need to judge the organization’s actions, or inactions, and their impact on compliance.

An organization’s compliance requirements spring from a complex array of legislation, regulation, industry expectations, and its own voluntary commitments regarding how it will conduct business. While the requirements for each organization will vary significantly, all organizations need a reliable means of demonstrating compliance with these requirements. That demonstration nearly always takes the form of documentation — and this is where compliance intersects with information governance.

A planning framework for information governance

An organization that can demonstrate it has established policies and procedures, a way to measure its compliance with them, and a plan for improving its compliance in areas that need it can show that it takes its compliance obligations seriously. These companies will typically fare better with auditors and judges than those that take a more ad hoc approach.

For organizations in the ad hoc category, ARMA International has two invaluable tools that can help them move into the former category. They can use the Generally Accepted Recordkeeping Principles® (Principles) to develop an information governance framework, and the Information Governance Maturity Model (Maturity Model), which is based on the Principles, to assess their program, plan for improvements, and measure their progress.

The Principles framework defines the characteristics of a holistic information governance program and the essential hallmarks of effective records and information management, which is the foundation for information governance. There are eight Principles, each thoroughly explained on the ARMA International website.

The benefits of information governance

The Principles make it clear that to achieve reliable results, the organization must hold individuals accountable for their defined recordkeeping responsibilities. It also must put into place policies, procedures, and tools that apply throughout the records and information life cycle.

Adopting this framework and implementing the defined recordkeeping controls creates an information governance program that will:

  • Serve as a guide to planning: The Principles specify key controls that will help the organization achieve compliance. These controls contribute to authentic records and information that can be relied upon for both business decisions and compliance requirements. Without these program elements in place, records may be incomplete, inaccurate or missing altogether.
  • Provide an objective means for measuring progress and sufficiency: A key part of the Principles framework is the Maturity Model mentioned earlier. This five-level metrics model is used to measure the maturity of the information governance program and identify gaps that can leave the organization vulnerable. Once the organization establishes this baseline, it can use the Maturity Model on an iterative basis to show improvement over time.
  • Demonstrate a conscious focus on recordkeeping: The courts are not holding organizations to a standard of perfection. But they do want to see evidence that the organization is addressing issues as they arise. Even better, this information governance framework will help the organization pre-empt problems by guiding it in taking proactive steps to improve processes and technology tools.
  • Prepare the organization for “pop up” audits: When there is consistent attention to recordkeeping policies and procedures and an appropriate use of tools, an organization need not fear the “pop up,” or surprise, audit.

Governance and compliance: A natural collaboration

Information governance is central to an organization’s ability to demonstrate compliance with both internal and external requirements. The Principles framework provides a means to gain a solid understanding of the organization’s compliance requirements. There may already be software that can be adapted for compliance purposes, or new software may still be needed. But with a better understanding of the records and information management program, you can ensure that the new software complements what is already in place.

Diane K. Carlisle, IGP, CRM, is executive director of content at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.

August 19, 2015  5:52 PM

SEC greenlights Dodd-Frank pay-ratio rule, backs internal whistleblowers

Fran Sales
Compliance, Dodd-Frank, Financial industry, grc, Regulations, regulatory compliance, SEC, Whistleblower

The U.S. Securities and Exchange Commission (SEC) announced this month that it has approved a contentious pay-ratio rule first introduced by the Dodd-Frank Act five years ago. Also in recent regulatory news: The SEC reiterated its stance on protecting internal whistleblowers and is fighting to redefine its regulatory role on Wall Street.

SEC approves CEO pay disclosure rule

Earlier this month, the SEC voted to adopt an executive pay-ratio disclosure requirement that was first introduced under the Dodd-Frank Act when it was approved by Congress in 2010. The provision will require public companies to disclose their chief executives’ yearly compensation in proportion with employees’ median earnings.

The requirement is highly controversial, and its adoption was delayed for years because opponents argued that the rule’s supporters wanted to shame CEOs instead of illuminate pay gaps. They also contended that implementing the rule will needlessly drain companies’ resources.

U.S. Securities and Exchange Commission, Wikipedia

“Here we are, on the cusp of adopting a nakedly political rule that hijacks the SEC’s disclosure regime to once again effect social change desired by ideologues and special interest groups,” said SEC Commissioner Daniel Gallagher, one of the rule’s opponents, in a statement.

However, proponents such as Economic Policy Institute President Lawrence Mishel said the rule is an important step toward greater corporate transparency.

SEC extends Dodd-Frank protections to internal whistleblowers

The SEC also released guidance about how to interpret whistleblower rules under the Securities Exchange Act of 1934. The document bolsters the agency’s viewpoint that whistleblowers who report misconduct internally before informing the SEC are protected by the employment retaliation protections provided by the Dodd-Frank Act.

The guidance is at odds with recent court rulings on Dodd-Frank’s vague language on what constitutes a “whistleblower” and who is entitled to the whistleblower protection rules, reported The Wall Street Journal. The law’s whistleblower provisions provide retaliation protections to those who report wrongdoing to the SEC, but the agency maintains that this extends to those who first report violations internally. The agency’s recently released guidance is meant to give whistleblowers greater clarity about the SEC’s stance on the matter, as well as give whistleblowers more confidence they will be protected when reporting internally, Jordan Thomas, a partner at Labaton Sucharow LLP, told WSJ.

“The SEC is sending a clear message to the whistleblowers, companies and courts about the scope of its authority to prosecute cases involving retaliation against whistleblowers,” he said.

To redefine role, SEC ramps up pursuit of high-profile cases

The SEC is also ramping up efforts on high-profile cases that could revamp its role as a Wall Street regulator. The trend comes as SEC detractors claim that the agency is not assertive enough in its enforcement against prominent wrongdoers, and is instead too focused on low-profile cases, according to The New York Times.

These high-profile cases include the following: pending charges in an investigation involving insider trading and cybersecurity; pending investigations into insider trading activity by golfer Phil Mickelson and sports gambler William T. Walters; and a pending investigation into Wall Street’s employment of the children of China’s political elite.

The Times reported that the SEC’s progress comes during a slowdown of criminal investigations into insider trading activity in New York, due to a recent court ruling that makes it more difficult for federal prosecutors to pursue these cases.

Massachusetts Senator Elizabeth Warren, the U.S. Chamber of Commerce and law professors are among the critics who have called on the agency to be more aggressive when pursuing criminal investigations against Wall Street.
