The Compliance Podcast Network welcomes The Ethics Movement podcast, co-hosted by Tom Fox, the Compliance evangelist and the Voice of Compliance and Philip Winterburn, Chief Strategy Officer at Convercent. In Season One of this podcast series we will focus on coronavirus and how it’s going to impact the world of ethics and compliance. That impact continues to unfold daily, with the long-term implications shrouded in fog. One podcast season may not even last long enough to see where we end up—but it gives us some time to map out the possibilities.

Trust: what is it, how do you build it, how does it flow downward and upward? What does it say to your workforce when you don’t trust them? While companies deal with the fallout of coronavirus and COVID-19, these questions have become more pertinent than ever.

The Ethics Movement is a Convercent Podcast.


Welcome to a sponsored podcast series where I am exploring how to navigate risk from the Committee on Foreign Investment in the United States (CFIUS), sponsored by K2 Intelligence Financial Integrity Network (K2 Intelligence FIN). Over this five-part series I will visit with David Holley and Him Das, the co-leads of the CFIUS Advisory Practice at K2 Intelligence FIN. We will consider navigating the CFIUS process through using business intelligence to identify CFIUS threats and vulnerabilities, using a proactive approach to navigate the CFIUS process, compliance frameworks for risks under CFIUS, and cyber risks and access controls under CFIUS. Today, in this concluding Episode 5, I visit with Him Das on effective monitoring and compliance officer solutions for CFIUS.

What is a monitorship and how does it work?

Generally, a monitor is used to assess and oversee a company’s compliance with relevant laws and regulatory actions. It can also be in respect to a written agreement with a prosecutor, such as the Department of Justice, or with a regulatory agency, through a Deferred Prosecution Agreement (DPA), Non-Prosecution Agreement (NPA), Cease and Desist Order or other court-approved regulatory directive. Monitors can help organizations comply with CFIUS mitigation agreements on an ongoing basis, as well as help to assess compliance programs and internal controls in order to address, remediate and avoid future problems. Ultimately, a monitor should be able to ensure, for both the government and the company, that whatever the mitigation agreement or regulatory directive might be, it is complied with going forward. Moreover, Das believes, “it’s just important to have a strong and effective monitor who understands both the business as well as the regulatory demands.”

What does a monitorship look like under CFIUS?

Like every monitorship, the breadth and scope of one under CFIUS will depend on the circumstances. It could be for national security risks, mitigation requirements, changes to the transaction, the overall structure of the transaction or the oversight mechanism. A monitorship can refer to the compliance framework to implement a Mitigation Agreement or an Order issued by CFIUS or even the President. The goal of any oversight mechanism or compliance framework is to “help the organizations comply with the requirements and to ensure there is effective trust, understanding and oversight being undertaken by the companies involved in the transaction. The US government lead agencies for CFIUS that are monitoring and ensuring compliance with the mitigation agreement or CFIUS order have confidence that it is being implemented.”

CFIUS, through a monitor, can require compliance policies and procedures across a full range of issues that might implicate the entire business. Das noted, “It might include cyber risk or access controls, the elements of the transaction, how data is held and even the appointment of additional personnel such as a security officer or a compliance officer. CFIUS could reach upward and require an independent Board member who is a US national, charged with overseeing the implementation of the compliance procedures that are in place. Once again, the monitor could oversee all of this going forward for a specific time frame.”

Preparation for a monitorship

We conclude by looking at what a company might do to prepare for a monitorship. Das said that parties to the CFIUS process need to be prepared to dedicate the resources and personnel to be able to work with a monitor and effectively implement the requirements imposed by CFIUS and overseen by the monitor. If you know your organization is deficient in areas of compliance as diverse as information technology, cybersecurity, export controls or other areas, Das acknowledged, “it may have a fairly significant impact in terms of how the company does business from a day-to-day perspective,” but it is better to start “sooner rather than later”.

Das reiterated that companies must dedicate the resources to implementing a monitoring and compliance framework. Equally important, “companies need to be prepared to create a positive environment to work with the monitor who will be assessing the company’s compliance program and compliance risks on a regular basis. The company needs to work to start off and maintain a positive relationship with the monitor, as it can also turn into an adversarial one if it becomes a competitive relationship.” Das believes this means it is important for companies to find a monitor with experience and the ability to work with them in a broad range of environments, one that understands business imperatives but also understands the national security considerations.

A professional monitor is critical to meeting these requirements, so the company should use good judgement in the selection or recommendation process. However, the company must make sure from its position that it works very hard to keep the monitorship a positive one. Laying such groundwork before the monitor is formally appointed can go a long way toward setting the expectations to be met during the monitorship and making it a successful one. Das said it all starts with “setting the tone from the top in terms of governance, delivered by the Board and by the senior management on down to the staff level. It requires appropriate risk assessment and risk and valuation. Also, in terms of new business lines, new technologies, new products, the geographic areas that the company might be entering. Communicate the message that ‘It’s going to work.’”

For more information on K2 Intelligence Financial Integrity Network and their CFIUS Advisory Services practice, click here.

As the GOP calls for Grandparents to first sacrifice themselves for the stock market and then be sacrificed to push up the economy, self-distancing Tom and hunter-gatherer Jay are back to consider some of the top compliance articles and stories which caught their eye this week.

  1. Mike Volkov says ethical business decisions are even more important now. In Corruption Crime and Compliance.
  2. Matt Kelly has a trilogy of articles on coronavirus. What are missing; A Tale from Frank; and 8 Objectives to Manage Pandemic Risks.
  3. Testing Compliance. A new approach by Brandon Garrett and Gregory Mitchell. Download the paper here.
  4. Coronavirus could make ESG more important. Kristin Broughton and Maitane Sardon in the WSJ Risk & Compliance Journal.
  5. Allen & Overy poaches Jonathan Lopez and Billy Jacobson from Orrick. Ines Kagubare in GIR.
  6. What is time and attendance fraud in the time of coronavirus? Sara Kropf explains on Grand Jury Target.
  7. Mike Volkov talks about sanctions compliance in the era of Trump and the int’l financial war. In Navex Global’s Risk and Compliance Matters.
  8. More WOW moments in compliance. Geert Vermeulen in Risk & Compliance Platform Europe.
  9. Looking at incentives and compliance. Jeff Walker and Rebecca Kaplan in CCI.
  10. The Affiliated Monitors Expert Podcast joins the Compliance Podcast Network.
  11. Tom premieres a new podcast series, Compliance and Coronavirus.
  12. On the Compliance Podcast Network, Tom opens a new month by looking at the role of innovation in compliance on 31 Days to a More Effective Compliance Program. This week saw the following offerings: Monday-Using innovation to break through silos; Tuesday-Originating a compliance ecosystem; Wednesday-Moving Data Science the last mile; Thursday-the Regional Compliance Committee; Friday-Innovation in investigative due diligence. Note 31 Days to a More Effective Compliance Program now has its own iTunes channel. If you want to binge out and listen to only these episodes, click here. This month’s sponsor is Affiliated Monitors, Inc.

Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.

Welcome to a sponsored podcast series where I am exploring how to navigate risk from the Committee on Foreign Investment in the United States (CFIUS), sponsored by K2 Intelligence Financial Integrity Network (K2 Intelligence FIN). Over this five-part series I will visit with David Holley and Him Das, the co-leads of the CFIUS Advisory Practice at K2 Intelligence FIN. We will consider navigating the CFIUS process through using business intelligence to identify CFIUS threats and vulnerabilities, using a proactive approach to navigate the CFIUS process, compliance frameworks for risks under CFIUS, and effective monitoring for CFIUS. Today, in Episode 4, I visit with David Holley on CFIUS, cyber risk and access controls.

How does CFIUS weigh a cyber risk?

Holley said that this is an area which is getting more attention from CFIUS. There are a number of ways in which cybersecurity and cyber risks can be implicated within a transaction that has potential national security concerns. The first is how the transaction may affect US capability and capacity. This would include considering such questions as: if the transaction goes through, will it lead to a reduction in US employment in critical cyber skills? Will the transaction impact US production of goods necessary to safeguard national security? The next consideration would be sensitive data on US citizens. Would the transaction lead to or allow potential exploitation of sensitive data by foreign entities and governments? Additionally, would the transaction exacerbate cybersecurity vulnerabilities or allow a foreign government to gain new capabilities to engage in malicious cyber activities or cyber mischief against the US?

Holley believes that in such cases, “it would be paramount to understand the identities of the potential investors, their track records of compliance with US laws, the identities of their other clients or JV or other business partners and the processes and procedures they have in place for maintaining confidentiality, aggregating client information and other cybersecurity safeguards.” Another example would be transactions that involve critical technologies or components of critical technologies and the ability of the foreign investors to gain access to that or other material, nonpublic information. Here Holley pointed to the example of Qualcomm Inc.

Steps companies can take

Here it all begins with due diligence. A company should undertake cyber risk assessments to understand the risks and the controls in place to prevent a cybersecurity breach. This could be some kind of a hack, a malicious insider, or some other loss. An organization should be prepared to demonstrate the measures in place to confidentially maintain proprietary information, trade secrets, confidential information, and personally identifiable information. The cyber risk assessment should also consider whether the company’s cybersecurity plans are current and robust.

Beyond this initial cyber risk assessment, any plan proffered to CFIUS should address known vulnerabilities in a target company’s network, including those that may have been exploited previously and remediated over the past five years. The key is to understand (1) whether, and to what extent, there was a breach or compromise of the target’s network and (2) what the organization has done about it. Is there a plan in place to prevent a recurrence, and have lessons been learned as far as resources and focus on cyber risk?

Holley said another area of inquiry will be what the combined network infrastructure will look like. Some of the questions in this area could include: Does the cybersecurity plan anticipate ways in which the acquirer will connect to the target’s networks? And what does that system look like? What is the data storage going to look like? How will the networks interact? What types of vulnerabilities come out of that combination? For certain organizations, a cybersecurity plan would look to see whether the identities of any clients, such as federal agencies with whom the target has contracts, are present. An organization should have those relationships mapped so CFIUS can fully understand the relationship.

A compliance framework for cyber risks and access control

Holley said, “when we talk about a cybersecurity compliance framework, we’re looking to understand the systems by which the organization direction controls security governance dictates the accountability framework and provides oversight to ensure that risks are adequately mitigated.” Holley believes there are five areas CFIUS will, most generally, closely consider. First is the cybersecurity strategy and goals, and how cybersecurity risks relate to critical business operations. Second, has the organization identified all the cybersecurity needs, developed objectives and applied key performance indicators (KPIs) to determine resources, risk appetite, and other requirements? Is the compliance framework standardized so there is predictability in response, through a repeatable process? Third, is there enforcement of cybersecurity requirements and accountability, in terms of addressing negative behaviors and reinforcing positive behaviors? Fourth, is there senior management leadership and oversight?

The fifth and final area is continuous improvement or updating of the compliance framework. This ties into the remediation plan which CFIUS may require going forward. Holley concluded that an entity must demonstrate that it is ready to manage the day-to-day cyber risks and other security requirements of the target organization. It could involve a monitor, which will be the subject of our fifth and final podcast in this series.

Join us tomorrow where we conclude by looking at effective monitoring for CFIUS.

For more information on K2 Intelligence Financial Integrity Network and their CFIUS Advisory Services practice, click here.

Richard Lummis and Tom Fox begin a four-part series on leadership lessons from George Washington. We will look at lessons from Washington’s colonial and frontier period, focusing on the French and Indian War, leadership lessons from Washington’s generalship of the Continental Army, his leadership in both the Continental Congress and Constitutional Convention and we will end with leadership lessons from both terms of Washington’s presidency. In this first episode, we consider the leadership lessons learned by Washington in his colonial and frontier period and how his failures during the French and Indian War influenced his later leadership.

Highlights of this podcast include:

  1. Introduction into Washington’s early life.
  2. Washington’s Ambition and the Battle of Jumonville Glen.
  3. Battle of Fort Necessity and Washington’s surrender.
  4. Massacre of Braddock’s troops by the Iroquois.
  5. What did Washington learn from these experiences?