In the wake of the horrific attacks in Paris earlier this month, government and intelligence officials pointed a finger at end-to-end encryption (E2EE) and how it enabled attackers to “go dark” — in other words, become invisible to law enforcement.
This is only the latest development in a years-old encryption debate between intelligence officials and Silicon Valley: Should tech companies give intelligence agencies back-door access to encrypted devices and networks, or hold their ground on strong encryption to protect their customers’ right to privacy? Even before the attacks rekindled the public safety vs. privacy debate, earlier this month a panel of experts from both sides of the argument weighed in on the pros and cons of E2EE at the Advanced Cybersecurity Center’s conference in Boston.
One panelist, FBI General Counsel James Baker, stressed that there is no perfect technical solution to the public safety vs. privacy debate. He added that it’s up to legislators and individual technology companies to decide how far they want to enable government surveillance.
“Under what set of circumstances do the people want that to happen? What do you want us to do, and what risks are you willing to take on all sides of the equation?” Baker asked the audience, which mostly consisted of information security professionals.
He added that Congress remains behind in addressing the problem as well.
“Current legislative thinking is unsatisfactory in balancing all these types of risks,” Baker said. “It’s about creating laws that effectively enable the government to obtain the results of surveillance in a way that’s consistent with our constitutional rights.”
At present, the FBI is offering two solutions for its “going dark” dilemma: Split-key encryption (data can only be decrypted by combining several keys) or encryption via “key escrow” (one key out of many is stored by a government agency).
Eric Wenger, director of cybersecurity, privacy and global affairs at Cisco, argued that these solutions are insufficient for tech companies. He said that they gave the public a mixed message: “We want you to use really strong encryption, but we just want a way to break into it,” he said.
Wenger also questioned whether the FBI and other law enforcement entities needed access to encrypted data for every investigation. With kidnapping cases, for instance, unencrypted geolocation data from a suspect’s device could prove to be the most important piece of information to move the investigation forward.
“We need to tease these problems apart and get to the things that are really the most meddlesome for law enforcement,” Wenger said.
Fellow panelist Susan Landau, a security policy professor at WPI, agreed, saying the encryption conversation is complex and needs to be considered on a case-by-case basis. This would require changing how local and federal law enforcement conduct investigations, however, and would likely come with considerable costs, she said.
“It’s complicated. It takes time. But I find myself in the position of actually supporting extra funding and saying, ‘Look, we’re talking about securing everybody and making investigations more expensive — or the reverse,'” she said.
But reservations around split-key encryption, key-escrow encryption and other proposals that facilitate government surveillance doesn’t mean that technology companies don’t care about public safety, Wenger insisted.
“I want [the FBI’s Baker] to be able to get what he’s entitled to get, but the problem is at what cost?” he said.
Head to SearchCompliance to read more about the panelists’ take on end-to-end encryption.
(This blog post was written by Diane K. Carlisle, executive director of content at ARMA International.)
Day by day, effective information governance (IG) is made more urgent and more complicated by disruptive technologies and new business models that are rocketing throughout organizations. Many companies are still in the early stages of solving such digital-age challenges as big data and the bring-your-own-device (BYOD) model, but advanced technologies continue to emerge. The Internet of Things (IoT), for instance, is a phenomenon that offers profound business opportunities while carrying great risk.
In a 2015 white paper titled “Internet of Things: Privacy and Security in a Connect World,” the FTC defined IoT as “the ability of everyday objects to connect to the Internet and to send and receive data.”
Examples include cameras that permit users to post pictures online with one click; automated systems that let users turn lights on and off remotely; and sensors in storage systems that can detect RFID data in order to manage inventory more efficiently. The IoT umbrella also includes such wearable devices as bracelets that track and share your workout data and heart implants that monitor and transmit health information.
The business benefits — and detriments — of IoT
Many companies hope the IoT will enhance productivity and generate new business models and revenue sources. Typically, IoT devices collect data and flow it to other devices. Some smart televisions, for example, can detect whether anyone in the room is actually watching the screen and transmit that information to other smart devices. Companies then use the data to negotiate ad rates, or to target products or other programs for that household.
Organizations are eager to pursue IoT because they stand to benefit dramatically from using the information they collect through it. For example, smart meters can help utility companies reduce the costs of manual meter reading and can monitor and predict resource usage at peak times. This information helps them ensure adequate supplies to meet customer demand. It might also help them justify rate hike requests to public utility commissions. The technology helps customers understand their power usage so they can make beneficial changes.
But there are down sides as well.
Such data generation and aggregation present big challenges in the governance of information because the IoT intensifies the volumes of data, the variety of sources and how it is dispersed. IoT devices spread immeasurable volumes of data to other connected devices, some of which may be external to an organization’s infrastructure and therefore beyond its sphere of information security. Thus, organizations that turn to the IoT for business advantage must be prepared for the associated information risks — especially when it comes to privacy and security.
Chief among the IG concerns and potential risks is the organization’s duty to protect customer privacy. Customer identification and banking information is linked to that smart meter, and the customers may be skeptical of the organization’s ability to protect that information from unauthorized use. And of course, managing and protecting such large volumes of information are challenging for most companies.
Providing adequate security for the information throughout its capture, transmittal, and storage requires financial resources that management may not have anticipated. Information is vulnerable at any of these points. And as the sensitivity of the data and functionality increases, consumers’ concerns about privacy protection may increase as well. Consumers may be more sensitive about banking information transmitted through Apple Pay than they are about their consumption of electricity. Take it a step further and think of the “smart home.” The security measures must be extremely effective to prevent unauthorized access.
These are but a few examples. In short, the IoT world is changing rapidly and it’s easy to foresee an overwhelming volume of data entering the corporate environment.
Planning for IoT initiatives
With that said, organizations must address the full scope of IG considerations as they implement IoT applications. In the following list are steps they can take to plan for IoT initiatives:
- Convene an IoT implementation team: It should include representatives from IT, RIM (records and information), legal and the relevant business units. If your organization has an IG steering committee, this would suggest a natural fit. Otherwise, convene a collaborative team to understand the benefits and risks and to make decisions on the implementation, considering all the factors involved.
- Conduct a risk assessment: Depending on the specific application, the organization may be taking on a greater degree of information-related risk.
- Make a plan: An IoT initiative must be taken seriously. Build the plan around specific business goals and strategies. Establish benchmarks and metrics to evaluate the success or failure of the initiative.
- Integrate regulatory and compliance requirements. These requirements will continue to apply, regardless of how information is captured.
- Assess the impact of IoT on the retention/disposition policy and schedule. You will be greatly lengthening the retention period for some types of information. Make sure you can delete the information when the retention period has expired and that the necessary retention schedule modifications are made.
- Ensure that IT has the capacity to deal with the additional volumes of information. The growth in data that requires storage can quickly overwhelm an organization. Such volumes can hinder business efficiencies, make e-discovery more costly and jeopardize the defensibility of legal holds.
While the IoT trend can be overwhelming, a sound IG program can give your organization a head start on addressing the challenges that come along with the opportunities.
The building blocks for a sound IG program are the Generally Accepted Recordkeeping Principles® developed by ARMA International, a thought-leader on IG. These Principles — Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention, Disposition — work together to foster a collaborative approach that ensures information is treated as an asset, protected in compliance with all regulations, and disposed of according to a legally defensible retention plan.
Accompanying the Principles is the IG Maturity Model, which defines characteristics of various levels of recordkeeping programs. It’s an assessment tool you can use to evaluate your IG program against the Principles. It helps you identify the gaps between your current situation and your desirable level of maturity for each principle. More information on both the Principles and the Maturity Model are available on the ARMA website.
The collaborative IG approach and conformity to the Principles will ensure maximum information security and a sound, holistic IG program that will prepare your organization for virtually any information-related challenge.
Diane K. Carlisle, IGP, CRM, is executive director of content at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.
In recent regulatory compliance news, the Federal Reserve Chairwoman testified before a House panel that very large U.S. banks still experience “substantial” GRC management failures; recent research casts doubt on the effectiveness of new compensation “clawback” rules proposed under the Dodd-Frank Act.
Fed Chair: Big firms still face regulatory compliance issues
The leader of the Federal Reserve has rebuked very large U.S. banks for persistent regulatory compliance and risk management breakdowns, but also suggested legislation to lighten the regulatory burden on midsized firms.
Last week during a three-hour testimony in front of the House Financial Services Committee, Fed Chairwoman Janet Yellen said that although the largest financial firms the Fed regulates have improved governance, internal controls and risk management since the 2008 financial crisis, they still undergo “substantial compliance and risk management issues.” Yellen said the Fed is prepared to require very large firms to make considerable changes to their businesses if these banks’ “living wills” — or plans that detail how they would dismantle operations during bankruptcy — don’t pass muster with the Fed.
Yellen also said the Fed is open to tweaking its regulatory regime to help regional banks with more than $50 billion in assets. Under the Dodd-Frank Act, these banks are accountable to more stringent rules than those with fewer assets. However, she pushed back against a bill proposed by the House that would dictate criteria for which of these firms would face tougher rules. Instead, Yellen requested that the Fed have the flexibility to modify the rules.
Study: Execs tend to refuse restatements if their pay is incentive-based
New research shows that compensation clawback rules proposed under the Dodd-Frank Act might not be as effective as proponents anticipate in influencing companies to fix faulty financial statements. Under the new rules, which will likely be adopted later this year, issuing these restatements will initiate the “clawback,” or return, of financial executives’ inappropriate bonuses.
The research, published by Accounting Review this month, concluded that senior executives (mainly CFOs, controllers and treasurers) are less likely to agree to fix faulty financial statements when most of their compensation is incentive-based. Jonathan S. Pyzoha, an assistant professor of accountancy at Miami University, conducted a study to determine whether executives from 112 public financial companies negotiate more firmly with auditors to fully avoid a restatement if their incentive-based pay is at stake.
Attorneys that work with companies considering restatements believe that clawbacks are not among their principal concerns, according to MarketWatch. However, Pyzoha’s research shows that this is not the case for executives with the bulk of their pay being incentive-based. He found that these executives were less amenable to fixing financial statements if the restatement was proposed by a “low quality” auditor — with quality based on the auditor’s time and experience in the field. However, he also found that executives were more open to restatements if the proposal came from a high-quality auditor.
Pyzoha advised companies to have their audit committee’s financial experts play a greater role in the restatement process to counterbalance these executives’ influence.
This week, Goldman Sachs agreed to pay a $50 million fine to settle a case in which a former employee leaked confidential information from the New York Fed. Also in the news: Bristol-Myers Squibb and other pharma companies face foreign bribery probes; a study found that earnings misstatements are “contagious”; and an extensive investigation of Wal-Mart’s operations in Mexico has found little wrongdoing.
Goldman Sachs faces $50 million fine, criminal charges for ex-banker
A former Goldman Sachs’ banker is pleading guilty to federal criminal charges, a rarity on Wall Street. Last year, the banker allegedly obtained confidential documents from an employee at the Federal Reserve Bank of New York, one of Goldman’s regulators, and shared that information with his team. Both the Goldman banker and the New York Fed worker will accept a plea deal that could put them behind bars for up to a year, anonymous sources briefed on the matter told The New York Times.
Both men were fired after the leak. Goldman Sachs representatives said that once the company discovered the leak, it immediately notified regulators and began an investigation. Still, under a settlement with the Department of Financial Services, the bank is expected to pay a penalty of $50 million and come up against new constraints for handling sensitive regulatory information. According to the NYT, Goldman will also have to acknowledge that it failed to sufficiently supervise the former banker.
More pharma companies to be probed for foreign bribery
In the wake of Bristol-Myers Squibb’s settlement of foreign bribery charges with the federal government earlier this month, more pharmaceutical companies may be put under the microscope.
New York-based pharmaceutical company Bristol-Myers Squibb agreed to pay a $14 million penalty to settle U.S. Securities and Exchange Commission (SEC) charges that it violated the Foreign Corrupt Practices Act (FCPA) by bribing healthcare providers in China in exchange for prescription sales.
Now, according to Forbes, AstraZeneca, Eli Lilly, GlaxoSmithKline, Novartis, Novo Nordisk, Sanofi, Teva Pharmaceutical Industries Ltd., UCB and probably other pharmaceutical companies will reportedly be investigated for FCPA violations. The U.S. Department of Justice also plans to beef up its enforcement staff and resources dedicated to “high-impact” foreign bribery cases.
Study: Earnings misstatement is infectious
A study that examined 2,376 financial restatements made by companies between 1997 and 2008 found that firms are more likely to misstate their own earnings after another company in their industry or region publicly announced a restatement. However, when a misstating firm was penalized by the SEC, faced lawsuits, or media reports surfaced regarding their malpractices, their peers did not imitate misconduct, the study discovered. This finding, the authors said, suggests the “deterrent effects of enforcement activity.”
The study, which was published by the American Accounting Association, did not identify particular companies, but uncovered that when larger and higher-profile firms manipulated their earnings, misconduct was more likely to be copied by others in their industry. The study also found that imitation stopped during the years between 2003 and 2005, likely due to enforcement actions related to the Sarbanes-Oxley (SOX) Act. The trend resurfaced between 2006 and 2008, possibly because “the sting associated with SOX has worn off,” the authors said.
Wal-Mart bribery probe turns up little proof of major violations
A high-profile federal investigation of Wal-Mart Stores’ operations in Mexico will likely end up becoming a smaller case than investigators had anticipated, sources familiar with the matter told The Wall Street Journal.
While the three-year probe of corruption allegations remains ongoing, the work is approaching completion and the case could be settled with a fine and no criminal charges. The investigation was launched by the U.S. Department of Justice after articles by the NYT described alleged bribes paid by the retailer to get permits to build stores in Mexico. The articles also detailed how company executives allegedly terminated an internal inquiry into the questionable payments. The federal investigation, however, found evidence that contradicted some of the claims made in the NYT articles.
In part one of this blog post, we unpack the drivers behind the surge of demand on compliance investments and skilled staff, including new agencies that take a behavior-based approached to regulation, as well as an expansion in their powers. In part two, we talk about how compliance officers can help transform their organization into one that is conduct-risk-aware.
Compliance functions now have considerable influence on the board and its decision-making process, according to Roger Miles, behavioral risk lead at Thomson Reuters. The majority of boards (74%) now have an increased focus on conduct risk, and the chief risk officers or heads of compliance in 70% of organizations directly report to the board on conduct risk.
Compliance practitioners should seize this opportunity to lead “the transformation that regulators are looking for, to help build and promote a responsive business culture that encourages intelligent, behaviorally aware risk taking and decision making,” wrote Miles.
To jumpstart this transformation, Miles advises compliance officers to encourage all staff to work “risk-aware.” This means educating everyone in the organization about why good conduct is good for the business, and that poor conduct comes with a wide range of costs beyond fines — including negative effects on customers.
“Conduct breaches are not just about paying fines in your local jurisdiction. They have wider business impacts on capital (prudential reporting, capital adequacy, brand value, share premium, cost of borrowing) and ultimately on the ability of the business to maintain self-determination (strategic governance and control),” he said in an email.
While conduct breaches come with obvious business costs such as the possibility of a senior manager getting suspended as a result of a violation, they may also bring unexpected damages.
“Businesses hit by a major conduct-related enforcement may also find themselves the targets of shareholder activism, boardroom coups and hostile takeover,” Miles said.
Miles also encourages compliance leaders to take a look at the current state of their compliance training programs, and making sure that training content is up to date. They should also add new training programs on behavioral risk awareness and new conduct regulations in the company’s jurisdiction.
While this could involve requesting more resources from the board, Miles said that “the signs are this will be more sympathetically heard than in the past.”
Boards of directors are increasingly seeing the value of regulatory compliance, as the past year has seen a worldwide spike in compliance spending and the hiring of skilled compliance staff, according to data collected by intelligence firm Thomson Reuters.
In North America, 60% of firms report that they expect a “significant increase” in compliance investments from 2015 to 2016. For instance, one of these firms, HSBC, expects year-over-year spending on compliance to increase by 300%, to $750 million.
Firms also expect to dedicate a considerable amount of time and staff to compliance processes and procedures. Twenty percent anticipate committing between four to seven hours on compliance per week (up 1% from 2013), and 21% expect more than seven hours (up from 18% in 2013).
Where is the pressure is coming from?
One driver that’s increasing demand for compliance specialists is pressure from the influx of new regulatory initiatives created after the 2008 financial crash, according to Roger Miles, behavioral risk lead at Thomson Reuters. Regulators are looking beyond transaction data organizations produce internally and instead define violations based on human behavior.
“A key feature of this revolutionary approach … is that it looks beyond the dry theory of economic utility toward a real-life, empirical view of human interactions, the ‘what actually happens’ view of financial markets,” wrote Miles in a whitepaper titled “What’s Compliance Worth?”
Regulators that follow this behavior-based regulation approach examine firms’ processes, decision making and how they design systems for employees. Moreover, they look at how these organizations behave in financial markets and how they interact with their customers in real time.
This regulatory approach has not only increased compliance costs, but regulatory fines as well. According to research by Thomson Reuters, cumulative fines for conduct-related offenses are projected to surpass $20 billion globally — and will continue to grow.
Another factor is that regulators are expanding their powers. Local agencies, for example, are extending their reach beyond their jurisdiction and target sector. Additionally, there has been an increase in regulatory initiatives that impact multiple sectors or territories. Some examples are Basel III, Foreign Account Tax Compliance Act and the Foreign Corrupt Practices Act.
Furthermore, there’s been a rise in local regulatory schemes that are subsequently copied by agencies in other jurisdictions, such as “clawbacks,” or recovery of inappropriate compensation and bonuses, and examining senior managers’ personal responsibility for criminal behavior. In the U.S., for example, “the SEC is currently staffing up with behaviorally aware enforcers headhunted from other jurisdictions,” Miles said over email.
In response to this increase in enforcement actions, compliance staffs’ dockets are getting longer. Their tasks must now include, at the very least, the following:
- Protecting senior management against regulatory risk and managing regulatory relationships;
- Providing evidence to management and the board on appropriate compliance actions and developing reporting mechanisms;
- Managing the convergence of compliance, internal audit and risk functions; and
- Keeping abreast of new requirements of conduct risk regulations and create their firm’s own definition of what “good conduct” is.
In part two of this blog post, find out how compliance practitioners should take the lead in transforming their organization into one that is conduct-risk-aware.
Wearable fitness tracker company Fitbit recently announced that its devices are now HIPAA-compliant, broadening the types of businesses it aims to work with. Also in recent GRC news: CFOs report widespread earnings misrepresentation; SEC proposed changes to its administrative proceedings.
Fitbit wearables now HIPAA-compliant
Fitbit Inc. announced earlier this month that its wearable activity trackers now provide HIPAA compliance capabilities. The certification means Fitbit can extend its Fitness Wellness program to HIPAA-covered entities, including corporate wellness partners, health plans and self-insured businesses. The company will also be able to enter into Business Associate Agreements with these entities.
With its HIPAA compliance announcement, Fitbit reps say the company aims to serve more businesses while still securing customers’ most sensitive data. Much of the information tracked by Fitbit devices fall under HIPAA’s definition of protected health information, such as medical history and health insurance data. Information such as names, phone numbers and email addresses are also covered by HIPAA.
Ars Technica reporter Valentina Palladino predicts that the HIPAA certification will make Fitbit’s Fitness Wellness program more attractive to businesses. In addition to Geico, Quicken Loans and other existing corporate customers, Fitbit recently announced a deal to offer activity trackers to Target Corp.’s 335,000 U.S. employees.
Survey: CFOs believe 20% of firms misreport earnings
A recent survey found that many CFOs believe earnings misrepresentation is prevalent among firms. In a poll of 375 CFOs, researchers from Emory University, Duke University and Columbia University found that CFOs believe 20% of firms intentionally misrepresent earnings at any given time, even while these firms observe accounting principles and regulations. Most cases of misrepresentation involve earnings overstatement, but another one-third of firms under-report their earnings or reverse previous overstatements.
The CFOs also gave audit committees a low ranking among a list of factors that could influence earnings quality. “I think you can fool them, but what the audit committee is essentially going to ask is whether the CEO and controller are basically honest people who are going to report faithfully,” said one CFO in a supplemental interview the authors conducted in addition to the main study. The Securities and Exchange Commission‘s (SEC) enforcement process garnered an even lower ranking.
SEC makes moves to update rules governing administrative proceedings
Last week, the SEC made two announcements regarding how it conducts its administrative processes. These announcements arrive in the midst of growing complaints around the fairness of these processes, such as the SEC’s moves to file more administrative proceedings with in-house judges.
In one announcement, the Commission said it voted to propose changes to rules that govern its administrative proceedings. The goal is to modernize the rules to include provisions such as adjusting the timing of proceedings, in some cases extending the time before a hearing takes place. The changes would also allow parties to take depositions of witnesses as part of discovery and require parties to submit filings electronically and redact certain sensitive information in those filings.
According to the SEC, these proposals will simplify the requirements for seeking an SEC review of an initial decision, and offer greater transparency into the timing of the SEC’s decisions in these requests.
In another announcement, the Commission said it is overhauling its internal tribunal, an in-house court that includes federal judges, former SEC officials and business groups. The new set of rules would give defendants in cases sent to the SEC’s own judges similar legal protections provided in federal court, including giving defendants eight months to prepare for a trial as opposed to the current four months; and allowing them to obtain sworn testimony from witnesses and others before a trial.
The Second U.S. Circuit Court last week decided that whistleblowers who report internally before going to the SEC are covered by Dodd-Frank’s anti-retaliation rules. In other recent GRC headlines: New rules that address algorithmic trading risks are imminent, and a survey found that boards of directors are looking for more risk management input from senior management.
Second Circuit: Internal whistleblowers protected by Dodd-Frank
In an opinion that bolsters the U.S. Securities and Exchange Commission’s stance on the subject, a divided Second Circuit Court of Appeals panel decided that employees who report company misconduct internally are protected by rules to prevent whistleblower retaliation under the Dodd-Frank Act.
The decision addresses the conflict between a Dodd-Frank subsection that defines what a whistleblower is and another that addresses who is protected by the law’s anti-retaliation provisions. Describing the circumstances under which Dodd-Frank was passed, the Second Circuit opined that because of “the realities of the legislative process … it is not at all surprising that no one noticed that the new subdivision [that addresses anti-retaliation protections] and the definition of ‘whistleblower’ do not fit together neatly.” The panel ruled that the conflict is ambiguous enough to warrant deference to the SEC’s interpretation.
The Second Circuit’s ruling diverges from an earlier ruling by the Fifth Circuit, a disagreement that the majority opinion of the Second Circuit’s panel acknowledged. According to Bloomberg law reporter Catherine Foti, the Second Circuit’s opinion makes it likely that the Supreme Court will decide whether to extend Dodd-Frank’s anti-retaliation protections to internal whistleblowers.
New rules on the horizon to control high-frequency trading risks
The Commodity Futures Trading Commission (CFTC) is working on proposals to contain risks stemming from the use of algorithmic, or high-frequency, trading, which accounts for 70% of the volume in futures markets. CFTC chairman Timothy Massad said in a speech that the proposed rules also aim to minimize disruptions and unfairness that are the result of algorithmic trading processes.
Massad added that algorithmic trading has changed how the CFTC performs its regulatory role, with enforcement now requiring a greater investment in IT, analytics and experienced staff. These investments are shared among the CFTC, self-regulatory organizations and the National Futures Organization.
The proposals, which will be issued for comment this fall, will also likely include requirements for software and hardware development, as well as cybersecurity protections. The CFTC has already put some rules into effect to address the risks associated with increased automated futures trading, including requirements that trading hardware and software infrastructure be regularly tested before going live.
Majority of boards seek more risk management involvement from senior management
Sixty percent of surveyed boards of directors are seeking more involvement in risk oversight from their senior management teams, according to a study commissioned by the American Institute of CPAs and the Chartered Institute of Management Accountants. However, the survey also found that less than 35% of these organizations have a formal risk management program in place. The study, which surveyed more than 1,300 executives worldwide, also found the following:
- 70% of those surveyed do not describe their organization’s risk management oversight as “mature.”
- Less than 40% of organizations are satisfied with how risk exposure is reported to senior management.
- Only 46% of boards at U.S.-based companies assign risk oversight duties to a board committee, while 70% of company boards in regions outside the U.S. do so.
- Only 44% of U.S. organizations have internal management-level risk committees in place, while more than 60% of organizations in regions outside the U.S. do so.
A report accompanying the survey findings acknowledges that the overall risk environment is challenging for organizations, but adds that there are barriers that hinder the effectiveness of enterprise-wide risk oversight. The report suggests some ways organizations can improve, including conducting an assessment of the organization’s current risk management approach, and boards approaching senior management to articulate current risk approaches so they can assess the company’s efficacy in monitoring emerging risk.
Lawyers say Apple CEO Tim Cook may have flouted the Securities and Exchange Commission’s fair-disclosure regulation when he sent a CNBC correspondent an email containing company performance information. In other GRC news from the past few weeks: Charles Schwab is fined $2 million for capital deficiencies; a court ruling reinforced the FTC’s cybersecurity authority; and new malware targeting jailbroken iOS phones stole more than 225,000 Apple users’ credentials.
Apple’s Tim Cook may have infringed SEC disclosure rule
A private email Apple CEO Tim Cook sent to CNBC reporter Jim Cramer last week may have violated federal fair-disclosure rules, reported MarketWatch.
The email, which was read on air and later tweeted by CNBC, contained a mid-quarter update on Apple’s performance that reported an increase in iPhone activations in recent weeks and predicted strong business growth in the Chinese market. Cook also said that in the past two weeks, the Apple App Store saw its best performance of the year in China.
Lawyers told MarketWatch that the email could have violated Securities and Exchange Commission’s Regulation Fair Disclosure (Regulation FD), which stipulates how public companies can disclose company information to certain individuals or entities. The media is typically exempt from Regulation FD, but CNBC’s Cramer is also co-manager of a portfolio that has a long position at Apple. The SEC has declined to comment, but lawyers predicted that SEC will, at the very least, investigate the context of the private exchange.
FINRA fines Charles Schwab $2 million
Charles Schwab & Co. was fined $2 million for capital deficiencies and related supervisory failures, the Financial Industry Regulatory Authority (FINRA) announced last week.
FINRA found Charles Schwab net-capital deficient by up to $775 million on three occasions between May 15, 2014, and July 1, 2014. The deficiency stemmed from cash inflows that surpassed the amounts the financial firm could invest with its existing facilities. According to FINRA, Charles Schwab consequently transferred $1 billion to its parent company for overnight investment that was approved as an unsecured loan by the company’s Treasury group.
FINRA representatives said that Charles Schwab did not have any established procedures that required its Treasury group to consult its regulatory reporting group or to prevent the former from approving unsecured transfers that could lead to net-capital deficiencies.
A Charles Schwab representative told The Wall Street Journal that the company self-identified the issue and immediately reported it, as well as implemented revised procedures and processes.
U.S. appeals court asserts FTC’s corporate cybersecurity powers
The Third U.S. Court of Appeals ruled that the FTC could proceed with a lawsuit against Wyndham Worldwide Corp. that alleges the hotel chain is partly responsible for three payment card data breaches that occurred between 2008 and 2010. The FTC claims that the breaches have led to more than $10 million in fraud losses, and that Wyndham failed to implement reasonable protections against data theft, such as firewalls and updated security software. Wyndham challenged the FTC’s claims, arguing that the agency’s allegations are government overreach. All three judges on the court panel disagreed, and the decision reinforces the FTC’s authority to regulate business cybersecurity in the absence of comprehensive data security legislation. The FTC has exercised this authority by pursuing enforcement actions in more than 50 data security cases, according to the WSJ.
Malware steals 225,000 Apple users’ credentials
A new malware called KeyRaider has successfully stolen the credentials of more than 225,000 Apple users. The theft has been dubbed by representatives of security company Palo Alto Networks as the “largest known Apple account theft caused by malware,” affecting users in 18 countries.
The malware targets jailbroken iOS devices. The attacker added KeyRaider to two jailbreak tweaks, which he or she claimed will let users download non-free apps without purchase from the Apple App Store.
According to Palo Alto Networks, these tweaks hijacked users’ app purchase requests and downloaded stolen accounts or purchase receipts. Palo Alto said the tweaks have been downloaded by more than 20,000 users. KeyRaider was also integrated in ransomware to disable unlocking operations, even if the user entered the correct password or passcode.
Palo Alto researchers followed a trail of distributed malware samples that led them to the command-and-control server in which the stolen data is located. They found that the server itself contains vulnerabilities that expose user data, including a SQL vulnerability that the researchers were able to hack into.
(This blog post was written by Diane K. Carlisle, executive director of content at ARMA International.)
So, your attempt to manage the governance, risk, and compliance (GRC) program with a series of complex spreadsheets leaves you in a state of massive depression. You’ve decided the obvious solution is to purchase a piece of software so you can easily track and monitor all your compliance issues. Simple enough, right?
While we’d all like to believe that technology is the magic answer to our woes, there are many factors to consider before you can make a wise software purchasing decision. You must have a clear understanding of organizational compliance requirements, internal business processes, and existing tools to avoid purchasing and implementing software only to find that you still have gaps and vulnerabilities in your compliance program.
The information governance/compliance intersection
The most stringent tests of an organization’s compliance with its internal and external requirements come through third parties, such as an agency regulator or — in the case of litigation — the opposing counsel or a judge. At the heart of these types of inquiry is that third parties need to judge the organization’s actions, or inactions, and the impact they have on compliance.
An organization’s compliance requirements spring from a complex array of legislation, regulation, industry expectations, and its own voluntary commitments regarding how it will conduct business. While the requirements for each organization will vary significantly, all organizations need a reliable means of demonstrating compliance with these requirements. That demonstration nearly always takes the form of documentation — and this is where compliance intersects with information governance.
A planning framework for information governance
An organization that can demonstrate it has established policies and procedures, a way to measure its compliance with them, and a plan for improving its compliance in areas that need it can show that it takes its compliance obligations seriously. These companies will typically fare better with auditors and judges than those that take a more ad hoc approach.
For organizations in the ad hoc category, ARMA International has two invaluable tools that can help them position themselves in the former category. They can use the Generally Accepted Recordkeeping Principles® (Principles) to develop an information governance framework, and the Information Governance Maturity Model (Maturity Model), which is based on the Principles, to assess its program, plan for improvements, and measure its progress.
The Principles framework defines the characteristics of a holistic information governance program and the essential hallmarks of effective records and information management, which is the foundation for information governance. There are eight Principles, each thoroughly explained on the ARMA International website.
The benefits of information governance
The Principles make it clear that to achieve reliable results, the organization must hold individuals accountable for their defined recordkeeping responsibilities. It also must put into place policies, procedure, and tools that apply throughout the records and information life cycle.
Adopting this framework and implementing the defined recordkeeping controls creates an information governance program that will:
- Serve as a guide to planning: The Principles specify key controls that will help the organization achieve compliance. These controls contribute to authentic records and information that can be relied upon for both business decisions and compliance requirements. Without these program elements in place, records may be incomplete, inaccurate or missing all together.
- Provide an objective means for measuring progress and sufficiency: A key part of the Principles framework is the Maturity Model mentioned earlier. This five-level metrics model is used to measure the maturity of the information governance program and identify gaps that can leave the organization vulnerable. Once the organization establishes this baseline, it can use the Maturity Model on an iterative basis to show progress improvement over time.
- Demonstrate a conscious focus on recordkeeping: The courts are not holding organizations to a standard of perfection. But they do want to see evidence that the organization is addressing issues as they arise. Even better, this information governance framework will help the organization pre-empt problems by guiding it in taking proactive steps to improve processes and technology tools.
- Prepare the organization for “pop up” audits: When there is consistent attention to recordkeeping policies and procedures and an appropriate use of tools, an organization needs not fear the “pop up” — or a surprise audit.
Governance and compliance: A natural collaboration
Information governance is central to an organization’s ability to demonstrate compliance with both internal and external requirements. The Principles framework provides a means to gain a solid understanding of the organization’s compliance requirements. There may already be software that can be adapted for compliance purposes, or new software may still be needed. But with a better understanding of the records and information management program, you can ensure that the new software complements what is already in place.
Diane K. Carlisle, IGP, CRM, is executive director of content at ARMA International, a not-for-profit professional association and authority on governing information as a strategic asset.