MARCH 27, 2020 BY TOM FOX

In today’s edition of Daily Compliance News:

  • Spy on your subordinate, lose your bonus. (WSJ)
  • Boeing’s financial crisis was of its own making. (Washington Post)
  • State of Texas issues quarantine mandates for domestic travelers. (com)
  • America now first in number of coronavirus cases. (WSJ)

Innovation can come in various forms for an organization. Innovation can appear in a structural form. You can move compliance more deeply into your organization with new or different structures. One I have seen succeed is a Compliance Committee more closely tied to the geographic market in the field: the Regional Compliance Committee.

All of this adds a dimension not often seen or even discussed in the compliance profession. Accountability and oversight down to the regional level, together with the compliance monitoring, reviewing, assessing and recommending deemed necessary there, provide additional evidence up through the organization that it is actually doing compliance. In compliance, execution is where the rubber meets the road. A Regional Compliance Committee can give your compliance program a unique structure for performing these functions.

Three key takeaways:

  1. Innovation can occur in structural changes to your compliance function.
  2. A Regional Compliance Committee puts compliance closer to the ground in geographic regions outside the U.S.
  3. A Regional Compliance Committee facilitates execution of your compliance program.

Welcome to a sponsored podcast series where I am exploring how to navigate risk from the Committee on Foreign Investment in the United States (CFIUS), sponsored by K2 Intelligence Financial Integrity Network (K2 Intelligence FIN). Over this five-part series I will visit with David Holley and Him Das, the co-leads of the CFIUS Advisory Practice at K2 Intelligence FIN. We will consider navigating the CFIUS process by using business intelligence to identify CFIUS threats and vulnerabilities, using a proactive approach to navigate the CFIUS process, compliance frameworks for risks under CFIUS and effective monitoring for CFIUS. Today, in Episode 4, I visit with David Holley on CFIUS, cyber risk and access control.

How does CFIUS weigh a cyber risk?

Holley said that this is an area which is getting more attention from CFIUS. There are a number of ways in which cybersecurity and cyber risks can be implicated in a transaction that has potential national security concerns. The first is how the transaction may affect US capability and capacity. This would include considering such questions as: if the transaction goes through, will it lead to a reduction in US employment of workers with critical cyber skills? Will the transaction impact US production of goods necessary to safeguard national security? The next consideration would be sensitive data on US citizens. Would the transaction lead to or allow potential exploitation of sensitive data by foreign entities and governments? Additionally, would the transaction exacerbate cybersecurity vulnerabilities or allow a foreign government to gain new capabilities to engage in malicious cyber activities or cyber mischief against the US?

Holley believes that in such cases, “it would be paramount to understand the identities of the potential investors, their track records of compliance with US laws, the identities of their other clients or JV or other business partners, and the processes and procedures they have in place for maintaining confidentiality, aggregating client information and other cybersecurity safeguards.” Another example would be transactions that involve critical technologies or components of critical technologies, and the ability of the foreign investors to gain access to those or to other material, nonpublic information. Here Holley pointed to the example of Qualcomm Inc.

Steps companies can take

Here it all begins with due diligence. A company should undertake cyber risk assessments to understand the risks and the controls in place to prevent a cybersecurity breach. This could be some kind of hack, a malicious insider, or some other loss. An organization should be prepared to demonstrate the measures in place to maintain the confidentiality of proprietary information, trade secrets, confidential information, and personally identifiable information. The cyber risk assessment should also consider whether the organization’s cybersecurity plans are current and robust.

Beyond this initial cyber risk assessment, any plan proffered to CFIUS should address known vulnerabilities in a target company’s network, including those that may have been exploited previously and remediated over the past five years. The key is to understand (1) the extent to which there was a breach of or compromise in the target’s network and (2) what the organization has done about it. Is there a plan in place to prevent a recurrence, and have lessons been learned in terms of resources and focus on cyber risk?

Holley said another area of inquiry will be what the combined network infrastructure will look like. Some of the questions in this area could include: Does the cybersecurity plan anticipate the ways in which the acquirer will connect to the target’s networks? What does that system look like? What will the data storage look like? How will the networks interact? What types of vulnerabilities come out of that combination? For certain organizations, a cybersecurity plan would also identify clients, such as federal agencies with whom the target has contracts. An organization should have those relationships mapped so CFIUS can fully understand them.

A compliance framework for cyber risks and access control

Holley said, “when we talk about a cybersecurity compliance framework, we’re looking to understand the systems by which the organization directs and controls security governance, dictates the accountability framework and provides oversight to ensure that risks are adequately mitigated.” Holley believes there are five areas CFIUS will, most generally, closely consider. First is the cybersecurity strategy and goals, and how cybersecurity risks relate to critical business operations. Second, has the organization identified all of its cybersecurity needs, developed objectives and applied key performance indicators (KPIs) to determine resources, risk appetite, and other requirements? Is the compliance framework standardized, so that there is predictability in response through a repeatable process? Third, is there enforcement of cybersecurity requirements and accountability, in terms of addressing negative behaviors and reinforcing positive behaviors? Fourth, is there senior management leadership and oversight?

The fifth and final area is continuous improvement or updating of the compliance framework. This ties into the remediation plan which CFIUS may require going forward. Holley concluded that an entity must demonstrate that it is ready to manage the day-to-day cyber risks and other security requirements of the target organization. It could involve a monitor, which will be the subject of our fifth and final podcast in this series.

Join us tomorrow where we conclude by looking at effective monitoring for CFIUS.

For more information on K2 Intelligence Financial Integrity Network and their CFIUS Advisory Services practice, click here.

Welcome to the newest addition to the Compliance Podcast Network, Compliance and Coronavirus. As the Voice of Compliance, I wanted to start a podcast which will help to bring both clarity and sanity to the compliance practitioner and compliance profession during this worldwide health and healthcare crisis. In this episode, I am joined by Matt Kelly, the coolest guy in compliance, who is maintaining his coolness during the coronavirus crisis. Matt is also the founder of Radical Compliance. He talks about the downslope of the coronavirus curve and risks associated with this part of the health crisis.

Matt has multiple posts on the coronavirus health crisis on Radical Compliance. Check out his blog post The Downslope Risks of COVID-19 for more information on the topic of this podcast.

This podcast is sponsored by SAI Global. To learn how you can protect your business operations and workforce during these uncertain times, visit saiglobal.com/risk for free resources, expert guidance, and industry-leading technology.

Richard Lummis and Tom Fox begin a four-part series on leadership lessons from George Washington. We will look at lessons from Washington’s colonial and frontier period, focusing on the French and Indian War, leadership lessons from Washington’s generalship of the Continental Army, his leadership in both the Continental Congress and Constitutional Convention and we will end with leadership lessons from both terms of Washington’s presidency. In this first episode, we consider the leadership lessons learned by Washington in his colonial and frontier period and how his failures during the French and Indian War influenced his later leadership.

Highlights of this podcast include:

  1. Introduction into Washington’s early life.
  2. Washington’s Ambition and the Battle of Jumonville Glen.
  3. Battle of Fort Necessity and Washington’s surrender.
  4. Massacre of Braddock’s troops by the Iroquois.
  5. What did Washington learn from these experiences?