IT Compliance Advisor


July 31, 2015  4:43 PM

Finance firms spend millions on compliance, but lack long-term strategy

Fran Sales
Chief Compliance Officer, Compliance, Dodd-Frank, Financial firms, Financial industry, GRC strategy, regulatory compliance

Numerous regulations were introduced worldwide to make financial services institutions more resilient following the monetary crisis of 2007 to 2008. Now, these regulations, which global management consulting firm Accenture collectively calls global structural reform (GSR), are having an impact on how companies target spending: More than half of financial institutions expect to invest $200 million to revamp their business models so they can meet GSR regulation requirements, according to Accenture’s 2015 Global Structural Reform Study. The report’s authors said that while the investments are a step in the right direction as these organizations strive to build resilience in the wake of the crisis, their focus is more on complying with the demands of GSR regulations like Dodd-Frank and Basel III than on strategies to stay competitive in the long term.

The study is based on a survey of 131 global banking, insurance and capital market institutions. Fifty-six percent of these institutions reported planning to spend $100 million or more on technology expenditures related to GSR, and another 56% anticipate $100 million or more in non-technology spending to comply with GSR. Nearly one-third of those surveyed expect to spend at least $500 million on GSR expenditures.

These significant investments are justified, wrote the study’s authors, considering that only about 21% of these organizations have achieved compliance with key GSR regulations. Furthermore, respondents expect an increase in the number of full-time employees dedicated to business changes to meet GSR requirements: 61% plan to dedicate 100 or more full-time employees to technology changes, and 69% will add non-technological employees.

Despite the heavy compliance focus, there are organizations making strides in thinking strategically about GSR by revamping their business processes and product suites. For example, 57% of respondents indicated they will tailor their geographic footprint, and half plan to divest geographic units or relocate their headquarters or business units. The authors believe these moves could lead these organizations to consider new technologies or operational models that are not as costly or risk- and capital-intensive. Moreover, 48% said they are doubling down on their core competencies over the next two years to achieve market-driven specialization, while 62% are planning to launch new products or services over the next two years.

Although compliance officers are relatively new to the leadership table, they must strike a balance between adding strategic value to their organization and meeting the requirements of GSR regulations, said Samantha Regan, one of the authors of the study and a lead in Accenture’s regulation and compliance practice.

“It is important that strategic changes to the organization — such as changing where and how a firm conducts its business or leveraging new, more sophisticated technologies and digital applications — are implemented in incremental stages and are in line with the changes the firm is undertaking for regulatory purposes,” she said in an email.

Compliance officers and their firms can achieve this by crafting a clear roadmap that first tackles the minimum regulatory requirements and eventually supports enhanced capabilities and evolving business models to help them compete in their target markets, said Regan.

“Compliance professionals who can keep pace with this changing ecosystem, partner with the front office and help the organization effectively meet changing regulatory [and] customer demands will be integral in driving competitive advantage,” she added.

July 22, 2015  8:39 PM

Dodd-Frank creators discuss the law’s impact; SEC leads FIFA bribery probe

Fran Sales
Compliance, Dodd-Frank, grc, SEC

Five years after the Dodd-Frank Act was enacted, the creators of the law contemplate the wide-ranging legislation’s impact on the financial and banking industries. Also in recent GRC news: The SEC heads a civil probe into public companies potentially involved in the FIFA bribery scandal, and critics voice concerns regarding the SEC’s use of in-house judges in administrative cases.

Creators of Dodd-Frank law reflect on its history

This week marked the fifth anniversary of the Dodd-Frank Act of 2010, the sweeping U.S. federal law that overhauled regulatory processes in the financial and banking sectors. There is continuing debate over the law’s merits: Advocates argue it makes banks less risky, while critics claim it hurt smaller banks and crippled the economy. The legislation’s sponsors, former Sen. Christopher Dodd and former Rep. Barney Frank, recently sat down with The Wall Street Journal to discuss its impact.

Dodd and Frank discussed what they consider the most significant impact the law made, and one aspect that they would change. Other points they touched on were why they believe the legislation has made the financial system safer; how confident they are about the death of “too big to fail” institutions; and the concerns about Dodd-Frank driving more financial activity into the less-supervised shadow banking system.

SEC leads new FIFA corruption investigation

The U.S. Securities and Exchange Commission (SEC) is leading a civil probe examining the actions of several companies linked to the recent FIFA bribery scandal, an unidentified source told Reuters.

The goal of the probe, which is in its early stages, is to determine whether publicly traded companies involved in soccer contracts violated U.S. federal anti-bribery laws such as the Foreign Corrupt Practices Act (FCPA), and whether enforcement action is needed. Although the FCPA largely applies to government corruption, the law contains corporate books-and-records requirements that prohibit commercial bribery.

Critics challenge SEC’s in-house judicial process

The SEC itself is also under scrutiny, as the commission faces new criticism about its use of internal judges when it pursues cases rather than bringing them to Federal District Court. The passage of the Dodd-Frank Act first gave the SEC the option to file certain cases using its own administrative proceedings. Today, cases such as insider trading charges that in the past were typically pursued in a Federal District Court are more likely to be heard by the SEC during these in-house administrative proceedings.

Some detractors of the SEC’s administrative hearings — including Judge Jed Rakoff from the U.S. District Court for the Southern District of New York and the U.S. Chamber of Commerce — claim that they give the SEC an unfair advantage.

Peter J. Henning, a professor at Wayne State University Law School, argued in The New York Times that the debate goes further than that. There’s also the perception that the internal hearing process is in some ways flawed compared with federal court cases, and that it is inherently a “closed system in which the agency acts as both prosecutor and judge over the case,” Henning wrote. Some of these limitations, Henning said, include the following: Defendants are not granted pre-trial discovery rights and instead must rely on information gathered by the SEC; the initial decision in the proceedings is made by a judge employed by the SEC; and appeals must be heard by SEC commissioners before the cases can go to federal appeals court.

Henning proposes that the SEC compromise with critics of its administrative hearings by modestly expanding discovery rights. “The notion that the S.E.C. has gathered all the relevant information, and that a defendant cannot question witnesses in advance of a trial, goes against the view that each side should have the same opportunity to put on its case,” Henning wrote.


July 9, 2015  9:25 PM

SEC commissioner calls for expanded Reg SCI; PCI SCC updates P2P standard

Fran Sales
Compliance, cybersecurity, Data Encryption, Dodd-Frank, Financial regulations, grc, PCI, PCI DSS, regulatory compliance, SEC

SEC commissioner Luis Aguilar strongly urged his colleagues at a cybersecurity conference last month to push Reg SCI up on their priority lists, particularly in terms of widening the regulation’s coverage. Also in the news: The PCI Council updates its peer-to-peer encryption standard; the SEC proposes a rule that will enable companies to take back executive bonuses; and more.

SEC commissioner calls for Reg SCI expansion

An SEC commissioner is calling for the regulator to broaden the scope of Regulation Systems Compliance and Integrity (Regulation SCI), a rule passed last November that extends the SEC’s oversight to the automated information systems of certain regulated entities, namely stock exchanges, plan processors, specific clearing agencies and alternative trading systems.

In a sweeping speech at the SINET Innovation Summit last month, Commissioner Luis Aguilar addressed the challenges of tackling cybercrime. He spoke about the SEC’s “multifaceted” approach to meeting these challenges, including inspecting regulated entities and implementing new rules such as Reg SCI.

Aguilar (pictured left) praised several aspects of the rule: its risk-based approach, emphasis on helping entities develop procedures based on their unique risks, and mandates that require senior management and the board to be actively involved in cybersecurity. However, Aguilar also urged the SEC to expand its scope, because at the moment, it doesn’t cover many participants in the market, including over-the-counter market makers, stockbrokers and transfer agents. He added that this should be the SEC’s “top priority.”

In addition to improvements to Reg SCI, Aguilar entreated fellow commissioners to update the SEC’s guidelines so that public companies can better respond to cybersecurity incidents and provide “better and more timely information” on the specific risks and cyberattacks they face.

PCI Council updates P2P encryption standard

Last month, the Payment Card Industry Security Standards Council (PCI SSC) updated one of its eight security standards in response to feedback from early adopters in the market. The standard addresses point-to-point encryption (P2PE) tools, which encrypt account data in transit between the point of sale (POS) and the secure decryption environment.

According to PCI SSC, the update, which is laid out in the document PCI Point-to-Point Encryption Solution Requirements and Testing Procedures Version 2.0, provides more flexibility to P2PE solution providers, as well as to merchants that use P2PE. Specifically, the PCI SSC’s listings of validated P2PE solutions and applications will now include P2PE components, or services that fulfill particular P2PE requirements, to make it easier for these providers to develop PCI-compliant P2PE products for merchant customers. Additionally, P2PE v2 provides merchants more options on how to implement and manage P2PE technology: They can either manage P2PE tools for their POS locations, which includes enacting the rule’s requirements for separation of the two environments; or they can work with a P2PE solution provider to manage a PCI-compliant P2PE product based on their business needs.

New SEC rule to let companies “claw back” executive bonuses

A rule proposed by the SEC will enable companies that issue faulty financial statements to “claw back” their senior executives’ bonuses once those statements have been restated. The regulation will apply to companies listed on U.S. stock exchanges.

The proposed rule, required by the Dodd-Frank Act of 2010, targets executive bonuses (aka “incentive-based compensation”), the size and payment of which depend on whether a corporation meets or surpasses particular financial metrics. Currently, executives are allowed to keep their bonuses despite their companies correcting artificially inflated financial statements.

While current rules do allow companies to claw back compensation of CEOs or CFOs, the new rule will have a broader scope, including “any other person who performs policy-making functions for the company” in addition to senior officers, said the SEC. It will also apply to pay earned over the course of three years, versus one year under existing regulations.

Wells Fargo, Raymond James and LPL will pay $30M to overcharged clients

Wells Fargo & Co., Raymond James Financial Inc. and LPL Financial Holdings Inc., three of the largest brokerages in the U.S., will have to pay more than $30 million to clients they overcharged on mutual-fund sales, the Financial Industry Regulatory Authority (FINRA) announced Monday.

The wealth-management units of the three firms applied mutual-fund sales charges to the accounts of certain retirement-plan customers and charitable organizations, which should have been waived according to the Employee Income Security Act.

The three companies will not have to pay a fine, because they discovered the inappropriate charges themselves and reported the problems to FINRA. According to one regulator, the firms failed to adequately oversee the financial advisors selling the mutual funds because they didn’t provide them with “critical information and training.”


June 25, 2015  4:04 PM

Hackers had access to U.S. government data for a year

Fran Sales
Data breach, Data protection, Government IT, Hackers, mobile app security, NSA, Password hack

The U.S. government data breach announced last week began a year ago, giving the perpetrators plenty of time to access federal employees’ personal information, according to the NSA. Also in recent GRC news: A new bill would give Europeans the same data protection rights as American citizens, and a flaw in popular mobile apps could leave billions of data records vulnerable.

NSA: U.S. security clearance data hack began a year ago

The recently discovered breach into the security clearance computer system of the Office of Personnel Management (OPM) began a year ago, according to new information disclosed by the National Security Agency (NSA).

The substantial amount of time between the start of the breach in the summer of 2014 and its discovery earlier this month allowed hackers the ability to accomplish a far-reaching cyberattack, NSA general counsel Stewart Baker told The Washington Post.

[Image: Office of Personnel Management in Washington, D.C.]

The OPM’s security clearance network contains personal and financial information on millions of current, former and prospective federal employees.

The White House has not publicly disclosed whom they suspect executed the breach, but unidentified U.S. officials speculate the perpetrators were hackers sponsored by the Chinese government, according to the Post. Senior U.S. officials say that in the past 12 to 18 months, the Chinese government has started building large databases containing Americans’ information for counterintelligence purposes.

Bill extends U.S. data protection rights to Europeans

A bipartisan bill introduced last week in the U.S. Senate will, if passed, extend to Europeans the same rights American citizens have under the Privacy Act of 1974. The Senate bill would allow Europeans to take legal action against U.S. agencies that misuse their private data. Some members of the European Parliament said that the legislation will not only restore the trust of both American and European citizens in the wake of Edward Snowden’s revelations, but also kick off future data-sharing deals between the E.U. and U.S. governments, according to Politico.

One detail that needs to be cleared up before the bill is put to a vote is whether everyone in the EU — and not just citizens — would be covered under the new law.

Mobile app flaw could leave billions of records vulnerable

German security researchers have discovered a flaw in the way thousands of popular mobile apps store information online, leaving about 56 million pieces of unprotected data vulnerable to attackers. The exposed information includes passwords, addresses and location data. The researchers declined to name the vulnerable applications, but said they include popular ones available from the Apple and Google app stores.

The issue lies in the way most mobile app developers authenticate users when storing their data online. Most app developers use a default option that allows hackers easy access to the app — and a user’s private data, the security researchers reported.

“In almost every category we found an app which has this vulnerability in it,” Siegfried Rasthofer, one of the researchers, told Reuters. Those categories include messaging, gaming, social networking and bank transfer apps. The researchers predicted that the number of records affected will likely be in the billions.

Feds probe Cardinals for hacking into private Astros network

The FBI and the U.S. Department of Justice are investigating officials from the St. Louis Cardinals for hacking into the private computer system of the Houston Astros to steal information on Astros players. Data stored in the Astros’ internal network included trade discussions, player evaluations and scouting methods.

Law enforcement officials believe a Cardinals staffer accessed the Astros database by trying passwords that Jeff Luhnow — a former Cardinals executive who is now the Astros’ general manager — had used during his stint in St. Louis. Federal officials are uncertain who committed the act.

Experts say that while cyberespionage is common among U.S. companies, this is the first known occurrence in the professional sports world. It could also result not only in disciplinary measures by Major League Baseball, but also criminal charges for the violation of the Computer Fraud and Abuse Act of 1986, a federal law.


June 12, 2015  6:27 PM

Panel offers C-level temperature on security as IoT gains steam

Ben Cole

(This blog post was written by Aislyn Fredsall, an editorial assistant for the TechTarget CIO media group through Northeastern University’s co-op program.)

Is security no longer a major concern for the Internet of Things? Judging from an IoT panel discussion during the 2015 MIT Sloan CIO Symposium, this statement might not be as outlandish as it sounds.

The panel, titled “The Internet of Things: Challenges for a Connected World,” focused on some of the issues facing IoT, including the development of IoT technology and the obstacles of introducing it in the enterprise. Unsurprisingly, security was also among the problems discussed.

“Security’s huge and just like the rest of IT, no one is investing enough in it,” said Michael Chui, a partner of the McKinsey Global Institute and former CIO of the City of Bloomington, Ind. “IoT both increases the attack surface, or creates more vectors, [and] increases the consequences of a breach.”

But besides a few superficial references, the discourse did not actually focus on security until members of the audience specifically asked about it. It is possible that the panel planned to talk about IoT security and just did not get to it within the allotted time, but the fact that security was not a priority discussion topic is telling.

While no one would argue that security is no longer a problem at all for IoT, maybe it is not as big of an issue as it once was.

Fellow panelist Richard Soley, executive director of the Industrial Internet Consortium, placed importance on IoT security when he described how “one of the first two groups created” for the Industrial Internet Consortium was “focused on creating security use cases and applying those security use cases to all the test beds that we develop.”

However, Soley also downplayed how much progress is still needed regarding IoT security by suggesting that it is a problem that can never completely be solved. He voiced this sentiment with his mantra of “it’s going to happen” concerning security breaches.

“First of all, we need to preface any answer [about IoT security] with: It’s going to happen,” he said. “It doesn’t make sense to say we’re not going to do this because of increasing attack surface. It’s going to happen.”

Soley made it clear that breaches are inevitable but that this is not a reason to avoid or postpone adopting IoT technology. In fact, the inevitability should be embraced with IoT adoption.

“The point is we’re going to take advantage of Internet technology because it’s cheap and because we have ubiquitous connectivity,” Soley said. “If we’re going to provide any kind of data privacy we’re going to have to solve the security issues, but you’re never going to get them 100% [solved] and you shouldn’t expect to get them 100% because we don’t have it in the physical world either.”

At least for Soley, it seems that security was not discussed more during the panel because there was nothing new to say on the topic. Enterprises don’t need to develop new security innovations to confront the problems they’re facing with IoT security; they just need to fully utilize already available technology.

“I think that current security technology is perfectly up to the task; it’s just that most of us don’t bother,” he said.

Aislyn Fredsall is an editorial assistant for the TechTarget CIO media group through Northeastern University’s co-op program. She is currently in her third year at Northeastern, where she studies English.


June 11, 2015  4:51 PM

U.S. government breach could have accessed private citizens’ data

Fran Sales
Apple, Apple iOS, cybersecurity, Data breach, Data privacy, Hack, Safe Harbor

U.S. officials say the recent hack of government computer systems affects 4 million current and former federal employees, but the breach could have impacted private citizens, too. Also in the news: Apple hyped new privacy protections as it updates Siri, while U.S. and EU officials moved closer to Safe Harbor revisions.

Concern for private citizens’ data after U.S. government hack

U.S. officials announced last week that hackers breached the computer system of the Office of Personnel Management (OPM) in December 2014, compromising the personal information of about 4 million current and former federal employees. The intrusion is the largest known U.S. federal data breach in recent years, according to The Washington Post.

The U.S. government suspects that the breach was sponsored by the Chinese government, but China has denied its involvement. The hackers’ goal was to use the stolen personal data to recruit spies, access weapon plans and obtain other confidential information.

Sources told ABC News that federal investigators are now looking into whether the hack affected more than just the reported 4 million former and current employees, including private citizens who have never worked for the U.S. government.

At the G7 Summit in Germany earlier this week, President Barack Obama said that his administration will strengthen the nation’s cyberdefenses in the wake of the breach. “In the case of state actors, they’re probing for intelligence or in some cases trying to bring down systems in pursuit of their various foreign policy objectives,” he said at a news conference at the summit. He also encouraged Congress to pass cybersecurity legislation.

Apple updates Siri, extols user privacy

At Apple’s Worldwide Developers Conference (WWDC) earlier this week, the company unveiled new “Siri” personal assistant features, including capabilities to scour through emails, correlate contacts and extract contextual data from private texts.

Despite how reliant these services are on user data, Apple VP of software engineering Craig Federighi stressed that the company keeps collected data as anonymous as possible and does not share it with third parties. He also said that Apple keeps that data on the user’s device, and that all the information stays under the user’s control.

“All of this is done on-device and it stays on-device under your control. We don’t mine your email, your photos or your contacts,” Federighi said during a speech at the WWDC. He also underscored that Apple has never used search queries to mine personal emails or photos, or to build user profiles.

U.S., EU officials move forward on Safe Harbor revisions

After allegations surfaced that American companies were spying on European citizens, U.S. and European Union officials announced they are finally closing in on updating the Safe Harbor agreement, according to The Wall Street Journal. Safe Harbor is a 15-year-old pact that regulates the way that U.S. companies export and handle European citizens’ personal data.

European officials are giving the U.S. another month to reach an accord on reforming the pact. EU Justice Commissioner Vera Jourova told the WSJ that disagreements remain between the two sides, particularly around the extent of how U.S. security authorities are legally allowed to access consumer data collected by U.S. companies.


June 5, 2015  5:11 PM

Data as currency: Balancing risk vs. reward

Ben Cole
Compliance, Data-security, Information governance

(This blog post was written by Jeff Whited, senior manager of education development at ARMA International.)

By leveraging big data as an asset, organizations are tapping new business efficiencies and revenue streams. Credit card companies, for instance, sell data on customers’ buying habits. Healthcare systems aggregate data on treatment regimens and outcomes in an effort to trim costs. Urban planners and other constituencies use government information to advance their goals.

But organizations that allow their data stores to grow into “big data” — which Gartner Inc. defines as “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making” — must be vigilant in protecting that data against the privacy concerns of customers, patients and the public at large.

Every few months the headlines scream about a massive data breach — the Home Depot, Target, Anthem and Sony incidents come easily to mind. While it’s tough to account for the reputational damage of such breaches, the actual dollar costs are often graspable. According to an October 2014 article by Brian Nichols of The Motley Fool, Target’s stock fell 7.5% in the first year after the breach was made public. In the first six months, Target’s costs related directly to the security breach hit $378 million.

By retaining vast quantities of data — including so-called dark data, which Gartner defines as “information assets that organizations collect, process and store in the course of their regular business activity, but generally fail to use for other purposes” — organizations are increasing the opportunities for personally identifiable information (PII) to be exposed.

So, it becomes a matter of balancing the risk of retaining big data vs. the reward of monetizing it.

According to the Nichols article, Target has spent at least $100 million to protect itself from future attacks by investing in a new technology infrastructure with enhanced security measures.

Such a step is reasonable, of course. But the best tools and technologies are worth little if they’re not part of a carefully planned initiative. The smartest way to address these security issues is to implement an enterprise-wide information governance (IG) program that is aligned with the organization’s mission, goals and culture. Such a strategic initiative brings together senior stakeholders to make sure the organization’s data is governed in a manner that increases business efficiencies and complies with all laws and regulations.

At the heart of good IG is good recordkeeping, and therefore the senior records manager must be a key player in the IG initiative. Also vital to the program are compliance officers to help ensure the recordkeeping practices are satisfying the demands of such laws as Sarbanes-Oxley for the financial industry and the Health Insurance Portability and Accountability Act; IT executives to provide the right tools and to help effect proper protection policies; legal counsel to help assure the defensibility of the program; and senior managers from the business units to provide realistic guidance on how the information is created and used.

Organizations wishing to monetize their big data should work to mitigate the security risks by implementing an IG program that treats records as the strategic assets they really are. Such a program will help identify gaps in the business processes, minimize legal and compliance risk, and potentially save enormous sums of money in discovery and litigation.

Jeff Whited is senior manager of education development at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.


May 28, 2015  1:31 PM

Wall Street, small banks still plagued by regulatory compliance enforcement

Fran Sales
Banking industry, Chief Compliance Officer, Compliance, Dodd-Frank, Financial fraud, Financial industry, Financial regulations, grc, regulatory compliance

If recent headlines are any indication, Wall Street banks and other financial institutions continue to garner poor marks when it comes to regulatory compliance: Earlier this month, several major global banks pleaded guilty to federal accusations regarding the rigging of foreign exchange rates. Also in recent GRC news: Finance professionals believe unethical behavior persists in Wall Street, and foreign companies don’t view the chief compliance officer role as important.

Five large global banks charged with foreign currency manipulation

Last week, four major global banks pleaded guilty to U.S. Department of Justice charges of conspiring to manipulate foreign exchange rates. Traders at Barclays, Citigroup, JPMorgan Chase and the Royal Bank of Scotland created online chat rooms to collude over the price-fixing scheme that took place from at least 2007 to 2013.

Another large bank, UBS, was also accused of manipulating foreign currencies. Although it was not criminally charged for the wrongdoing, the bank’s nonprosecution agreement stemming from a previous manipulation of a financial benchmark was voided.

The five banks agreed to pay $5.6 billion in penalties.

The lack of government oversight, combined with pressure to wrest profits out of a market that is generally less profitable than others, laid the framework for this scheme, reported The New York Times. In the wake of the 2008 financial crisis, Congress passed rules to better regulate Wall Street trading operations, but the Treasury Department exempted parts of the foreign market from these new rules, according to NYT.

The regulatory divide has begun to narrow in the aftermath of the rigging scandal, with financial regulators monitoring currency trading at higher levels than other fixed businesses, NYT reported.

Community banks face more enforcement actions

The number of enforcement actions against banks and credit unions rose 30% from Q4 of 2014 to Q1 of 2015, according to the Banking Compliance Index from compliance services provider Continuity. Sixty percent of these actions were taken against institutions with assets of $250 million or less, almost 20% more than in the previous quarter.

This increase in regulatory oversight is due to two factors, reported The Wall Street Journal: more Dodd-Frank rules coming into effect, and greater emphasis on Basel III anti-money laundering violations. Pam Perdue, Continuity’s executive vice president of regulatory operations, told WSJ that a lack of familiarity with Dodd-Frank rule changes, coupled with external pressures to stay competitive, are causing these small banks to cut corners, particularly in compliance.

Survey: Unethical culture persists in Wall Street

Despite new regulations such as Dodd-Frank and increased regulatory scrutiny of Wall Street firms, a recent study has found that many financial professionals in the U.S. and U.K. believe unethical behavior and wrongdoing persist in the workplace.

A survey conducted by law firm Labaton Sucharow LLP found that about 47% of the 1,200 respondents think it is likely that their competitors have engaged in illegal or unethical activity to gain a competitive edge, a 39% jump from 2012. Over one-third of survey respondents who make at least $500,000 annually reported witnessing, or knowing firsthand about, wrongdoing in the workplace.

The following are some of the more worrying findings: About one in five respondents believe they must at least sometimes engage in illegal or unethical activity to be successful; 32% believe the existing compensation structures and bonus plans at their companies impel employees to “compromise ethics or violate the law”; and one-third of respondents think that the financial industry hasn’t improved since the 2008 financial crisis.

The report’s findings should be taken with caution, said Andrew Ross Sorkin of The New York Times, because Labaton Sucharow often represents whistleblowers in cases against financial institutions. Still, Sorkin pointed to concerns that were also voiced by William C. Dudley, the president of the Federal Reserve Bank of New York, in a speech last year: “The pattern of bad behavior did not end with the financial crisis, but continued despite the considerable public sector intervention that was necessary to stabilize the financial system.”

One big problem, said Sorkin, is that not many people who work in finance are willing to report bad actors, despite the whistleblower program developed by the Securities and Exchange Commission.

Large foreign companies forgo chief compliance officer

Although large U.S. companies and U.S. regulators both view the chief compliance officer (CCO) role as highly important, some large foreign companies don’t see the need for the position, WSJ reports. These foreign companies include Italian oil and gas company Eni S.p.A., Russian energy company OAO Gazprom and Japanese car manufacturer Toyota Motor Corp. Instead, Toyota and Eni have committees that handle compliance, and Gazprom distributes its internal compliance function among multiple divisions that report to various top managers.

Governance experts strongly advise companies to have a single individual overseeing compliance operations, according to WSJ, and some believe that lacking a CCO exposes companies to more risk. Others disagree, saying a coherent compliance program is what matters.


May 6, 2015  4:44 PM

SEC calls for more executive pay transparency; proposed law could allow hacked firms to keep mum

Fran Sales Fran Sales Profile: Fran Sales
Cell phones, CIO, Compliance, Customer data, Data breach disclosure, Data breach notification laws, Data privacy, Dodd-Frank, FBI, gps, Hacking, SEC, tracking

The Securities and Exchange Commission (SEC) is pushing to provide U.S. shareholders with better metrics to compare executive pay against company performance. In other GRC headlines from recent weeks: A new law moving through Congress could allow breached companies to keep intrusions under wraps; and the U.S. Justice Department plans to reveal details about secret phone tracking.

SEC votes on rules comparing executive pay and company performance

The SEC wants to give U.S. company shareholders more information on executive pay and company performance. The regulatory agency last week proposed new rules that would require companies to disclose the relationship between how their top executives are compensated and the companies’ financial returns. The rules, which would put into practice a requirement outlined in the Dodd-Frank Act, aim to provide greater transparency to the public and a better gauge for shareholders to compare pay and performance, according to the SEC’s press announcement.

The rules would also require companies to standardize how they report this information in their publicly filed annual proxy statements so that shareholders can better compare performance across various industries.

Some lawyers and compensation experts, however, view the new rules as unnecessary, reported The New York Times. Critics say that many corporations, especially banks, already compare executive compensation with performance in their proxy statements. Some also claim that the proposed rules intend to shame companies and their executives. “The real purpose of these rules was to embarrass corporate America,” Alan Johnson, managing director of New York consulting firm Johnson Associates, told the NYT.

Proposed law would let firms keep breaches under wraps

Proposals moving through both chambers of Congress would allow companies that have experienced a consumer data breach to forgo notifying customers if they believe there is no risk that the breach would lead to serious identity theft or fraud. If there is a reasonable chance a system intrusion could harm customers, however, companies would be required to notify them quickly.

If passed, the legislation would overrule existing state laws on notification, many of which require companies to inform customers of any unauthorized access of their personal data, according to The Wall Street Journal.

“Too much notification undercuts the value of useful notification,” a spokesman for Rep. Marsha Blackburn, a sponsor for one of the proposals, told the WSJ. The bill focuses on “what impacts consumers most, and that is identity theft and payment fraud,” the spokesman added.

This proposal comes on the heels of another bill making the rounds in Congress that has some privacy advocates up in arms. Last month, the House voted to pass cybersecurity legislation that would legally protect companies that share threat intelligence with the U.S. government.

U.S. Justice Department to divulge more on secret cellphone tracking

The U.S. Justice Department is pushing for more transparency over how secret cellphone tracking services are used. Justice officials told the WSJ that they have launched a review of how government agencies are deploying these technologies, which search for criminal suspects based on their cellphone location.

According to the WSJ, the FBI has been using the tracking devices for years without warrants. In recent months, it has started obtaining search warrants from judges to use the devices.

The announcement arrives in the midst of controversy over the Justice Department’s own use of such technology. For instance, some tracking devices are deployed in airplanes to scan the phones of thousands of U.S. citizens who aren’t targets of investigations, the WSJ reported last year. Furthermore, there were many occurrences in which law enforcement agencies within the Justice Department, such as the FBI and the Drug Enforcement Agency, did not obtain warrants before using these devices, according to the WSJ.


April 22, 2015  4:30 PM

Lawmakers race to pass cybersecurity bill; NSA wants front door into encrypted devices

Fran Sales Fran Sales Profile: Fran Sales
cybersecurity, Cybersecurity legislation, Data Encryption, Hackers, Health IT, Mobile encryption, NSA, NSA Data Collection

Much to the chagrin of privacy advocates, U.S. legislators have been pushing to pass a bill to improve cyberthreat intelligence sharing before discussing National Security Agency (NSA) surveillance reforms. In other recent news: Privacy proponents are also up in arms about an NSA proposal that would force tech companies to allow government access to encrypted consumer devices; and security experts warn about the increasing number of medical data thefts in recent years.

U.S. Congress hastens to pass cybersecurity bill ahead of NSA reform debate

U.S. lawmakers are rushing to pass a major cybersecurity bill before beginning the debate over reforming the National Security Agency’s surveillance programs. The NSA programs must be reauthorized by June 1. Backers of the security bill, which strives to improve companies’ cyberthreat information sharing with the government, insist that it is a separate issue from NSA surveillance. Privacy advocates, however, worry that the cybersecurity bill will allow the NSA to further collect American citizens’ sensitive data.

The cybersecurity bill is a joint effort between the House of Representatives’ and the Senate’s intelligence committees, and appears to have garnered approval from Republicans, Democrats and the White House, The Hill reports. The Obama administration stated recently that it considers cybercrime a national emergency, and that information sharing programs are a major part of its cyberdefense strategy, according to The Wall Street Journal.

The House Intelligence Committee’s bill prohibits cyberthreat intelligence from going directly to the NSA, but privacy groups want NSA surveillance programs to be reformed before cybersecurity legislation passes to give the government more access to data, according to The Hill.

NSA director seeks front door access to encrypted devices

The debate over whether the U.S. government should have guaranteed access to encrypted data on U.S. consumer devices has reached another impasse. Adm. Michael S. Rogers, director of the NSA, is offering a “technical solution” to the problem, reported The Washington Post: legally requiring technology companies to create a digital key that can open any locked device to access the data inside, but splitting the key into pieces held by multiple agencies so that no single entity could use it on its own.

“I don’t want a back door. I want a front door. And I want the front door to have multiple locks,” Rogers said in a recent speech at Princeton University, where he outlined the proposal.

Law enforcement and intelligence officials who support the proposal warn that the growing use of data and device encryption could seriously obstruct criminal and national security investigations.

Members of the technology industry and privacy advocates, however, argue that granting government and law enforcement access to people’s private communications threatens their constitutional right to free speech. Security experts also believe that the split-key approach creates weaknesses that hackers and foreign intelligence agencies can try to exploit. Opponents of the NSA’s proposal also argue that the scope of encryption technology usage has exceeded the reach of government control, according to the Post.
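The split-key idea Rogers describes is a threshold secret-sharing problem. The following is an added illustration using Shamir’s scheme, not code from the page or a description of the NSA’s actual proposal (which names no mechanism): a constructed 256-bit key is split 3-of-5, so any three holders can rebuild it while one or two shares reveal nothing about it. The caveat the experts raise still applies: whoever gathers a quorum of shares holds the complete key.

```python
import secrets

# Shares live in a prime field; 2**521 - 1 is a Mersenne prime, comfortably
# larger than a 256-bit key, so every key value is a valid field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod PRIME, via Horner."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key: bytes, threshold: int, num_shares: int):
    """Split `key` into `num_shares` shares; any `threshold` of them recover it."""
    secret = int.from_bytes(key, "big")
    if not 1 < threshold <= num_shares or secret >= PRIME:
        raise ValueError("bad threshold, share count or key size")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Share i is the point (i, f(i)); x = 0 is never handed out, it is the secret.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recover_key(shares, key_len: int) -> bytes:
    """Lagrange-interpolate the supplied shares at x = 0 to rebuild the key."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret.bit_length() > 8 * key_len:
        # Fewer shares than the threshold yield an unrelated field element,
        # which (overwhelmingly likely) does not even fit the key length.
        raise ValueError("shares do not reconstruct a key of this length")
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    device_key = bytes(range(32))          # constructed 256-bit key, for demo only
    held = split_key(device_key, threshold=3, num_shares=5)
    print(recover_key(held[:3], 32) == device_key)   # three agencies: True
```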

Medical data theft on the rise

The growth in the number of digital medical records has led to an increase in the theft of those records, industry experts say. This type of theft has also evolved, according to Dwayne Melancon, CTO of software company Tripwire: Hackers previously stole the payment card and bank information inside medical records, but now they target personal information, he told Marketplace.

Unlike payment card theft, victims of medical data theft often don’t find out that their data is for sale to the highest bidder until after a year or more has passed, healthcare information security expert Bernard Peter Robichau told Marketplace.

There’s also the risk that this stolen medical data could end up feeding predictive consumer scores. These scores use data collected by devices and apps to predict individuals’ likelihood to spend on healthcare, to commit fraud, to adhere to medication prescriptions and other data points highly sought after by many companies, reported Marketplace.
