Dissatisfaction with social policies, unhappiness with public services and benefits, and anxiety about the future are spreading across the developed world. Only 20 percent of people living in OECD countries (the world’s advanced economies) believe that they are able to easily access public benefits, and 70 percent want their governments to play a greater role in protecting their social and economic security.
These are the findings of a recent OECD Risks That Matter survey of over 22,000 people in 21 OECD countries—including the United States, Canada, Germany, and France, among others—between the ages of 18 and 70. According to the report’s authors, “The perception of a disconnect between government and the people has become a common theme in OECD countries in recent years.”
We Want More Government Help …
One of the most striking findings of the survey was that a substantial number of those polled expressed an appetite for more government services and assistance to the underprivileged.
When asked whether “the government should be doing less, more, or the same to ensure your economic and social security,” more than 70 percent of respondents, on average, answered “more.” The only two countries where a majority of respondents did not answer with “more” were France and Denmark, which the report identifies as having “highly developed social protection systems” and “generous social policies,” respectively.
… and Higher Taxes on the Rich
Many endorsed the idea of imposing higher taxes on wealthier citizens. In response to the question, “Should the government tax the rich more than they currently do in order to support the poor?” 68 percent of respondents answered “yes or definitely yes.” Even in Estonia, the country with the biggest share of respondents answering “no or definitely no,” there was still a majority who answered “yes.”
What Are People Most Worried About?
The survey’s respondents identified several different key areas of concern—which shift significantly according to the time horizon. In the short term, the most common concern was that the respondent—or someone in their immediate family—would become ill or disabled within the next two years. Although older respondents were most likely to list this, over 40 percent of the youngest respondents, aged 20 to 24 years old, identified falling ill as one of their top three short-term concerns.
When considering a longer time horizon—looking out more than a decade into the future—people listed financial security as the top concern.
A Sense of Injustice
Across the OECD, respondents viewed the allocation of public resources with a sense of injustice. “The majority of respondents to the Risks That Matter survey feel government does not listen to the views of people like them when designing policy and believe they are not getting a fair deal on social benefits,” write the report’s authors.
But the authors also highlight some counterintuitive findings that complicate these conclusions: “The perception that government does not listen actually seems to increase (not decrease) with education and income, and is greater among women than among men. In other words, controlling for other factors, women, highly educated respondents, and respondents from high-income households are more likely to feel that government does not incorporate the views of people like them when designing or reforming public benefits.”
Any solution will have to involve a thorough audit of where public perception and government benefits fail to align, concludes Stefano Scarpetta, the director of employment, labor and social affairs at the OECD. “Policies cannot reach their full potential if people feel they cannot fully access benefits and services when needed.”
NAVEX Global’s Hotline benchmark report is an excellent annual report that helps companies understand how well their hotline and incident management system is operating. The survey is based on over 1 million reports from 2,738 customers. The NAVEX report also draws on all types of reporting avenues, including hotlines and web-based systems.
Interestingly, NAVEX noted that overall reporting rates remained consistent with 2016 and 2017 levels. Given the increased focus on reporting and the increased concern surrounding sexual misconduct, I expected reporting rates to increase in this year’s report.
To increase reporting levels, companies should consider a variety of strategies, including new communications and messaging programs to underscore the importance of reporting concerns. Also, to minimize the role that fear of retaliation may create in reducing reporting, companies should re-emphasize their policy and commitment to prevent any form of retaliation against employees who report their concerns.
The NAVEX Global report underscored the benefits of expanding an incident reporting system to include sources of concerns beyond hotline and web-based reporting. Specifically, companies that include other sources achieved 64 percent more reports than organizations that limit reporting to hotlines and web-based reporting. Reports from these other sources were substantiated at a much higher rate (59 percent) than hotlines and web-based systems. NAVEX noted that reporting surrounding harassment and discrimination increased. Over the last three years, employee reporting of such concerns has increased, and it is expected that the next year will also see an increase. As noted by NAVEX, between 2016 and 2018, reports of harassment increased by 18 percent, and between 2017 and 2018, reports of harassment increased by 8.5 percent. This trend reflects the rise of the #MeToo movement.
NAVEX also observed that the rate of follow-up communications by anonymous reporters fell significantly, from 32 to 20 percent. This trend reflects a curious drop in the willingness of anonymous reporters to continue communicating after the initial report. Only 10 percent of follow-up communications contained additional information relating to the complaint (e.g., an additional witness or a further explanation of the allegation).
NAVEX reported that the average case closure time fell to a median of 40 days, which was an improvement over last year’s report. This is a positive development but still represents an opportunity for improvement. This figure includes “routine” human resource matters. Ideally, for routine matters, a 30-day time period for case closures should be a target.
The subject matter of employee reports is divided into five categories: (1) accounting, auditing, and financial reporting; (2) business integrity; (3) HR, diversity, and workplace respect; (4) environmental, health and safety; and (5) misuse, misappropriation of corporate assets.
Over the last nine years, the percentage distribution of complaints among the five categories has been roughly the same, with the vast majority (approximately 70 percent) of all reports falling into the HR, diversity and workplace respect category.
NEW YORK — “Incident Response and Recovery” was the theme of the National Cyber Security Alliance (NCSA) and Nasdaq Cybersecurity Summit on April 17. Security and risk professionals from the Department of Homeland Security (DHS) and various companies and organizations convened at the Nasdaq Marketsite to discuss methods that focus on resilience and recovery following a cyber attack or data breach.
NCSA Executive Director Kelvin Coleman led the fireside chat with Matthew Travis, deputy director for the DHS’ Cybersecurity and Infrastructure Security Agency (CISA). The timing of Travis’ appearance was unique, considering that Kirstjen Nielsen–formerly the secretary of Homeland Security and Travis’ director–recently resigned from her post on April 7. While that announcement grabbed widespread attention due to her involvement with the humanitarian and immigration crisis at the U.S.-Mexico border, it also has major impacts for the country’s efforts to counteract cyberrisk and data breaches. Last September, Nielsen announced the formation of the National Risk Management Center (NRMC), an initiative focused on defending critical infrastructure from cyberattacks and providing a single point of access to the full range of government activities to defend against cyber threats.
“There is no doubt [Nielsen] was the most cyber-savvy secretary the department’s ever had. She brought real bonafide domain expertise in cybersecurity to the department,” Travis said. He added that the creation of CISA is her legacy and that the relationship with Kevin McAleenan, the new acting secretary of homeland security, has been harmonious.
Travis reminded attendees that CISA’s partnerships with the private sector are crucial and that CISA regularly monitors national critical functions such as elections, electrical grids and financial transactions, which he said are the “big things that drive our economy.” He also said that companies can leverage CISA resources immediately after a breach as a supplement to the FBI’s criminal investigation.
“We’re going to help you understand exactly what happened and help you recover the data and mitigate some of the impact. The private sector firms do that very well, but the difference is that…[CISA] is free,” he said. “That is where we would like to work with owners and operators, when there is an event, to help them get back on their feet as soon as possible.”
Additionally, Coleman and Travis discussed that although CISA is not part of the intelligence community, it does have access to intelligence collection and monitors trends that can be used to warn private sector companies of cyberrisks. He cited the Domain Name System (DNS) infrastructure hijacking campaign that CISA warned about in February—in which at least 40 different organizations across 13 different countries were compromised—as an example of the agency taking steps to alert both the public and private sectors. “When we issue technical alerts or emergency directives,” Travis said, “[we] communicate to our stakeholders what to look out for.”
How to Reduce Uncertainty After A Breach
In the next session, panelists agreed that even when companies use new technologies to remedy security flaws and migrate data to cloud storage, new vulnerabilities emerge. Dr. Michael Siegel, principal research scientist and director of cybersecurity at the Sloan School of Management at the Massachusetts Institute of Technology (MIT), said that the old adage that risks are rooted in people continues to be prophetic.
“It’s always been about people and things that sit in our systems for a long time,” he said. “You’ve heard this since the 2000s and it’s still true, and even more true today.”
Should a business find itself in a situation where ransom is being demanded for intangible assets and information, Siegel advised that then is not the time when stakeholders should first decide whether they’d be willing to pay.
“They should know whether they’d pay ransomware because they have [presumably] done tabletop exercises…that will be absolutely essential because any time you wait and indecision will be [catastrophic],” he said. “You have to have practiced it in advance. You can build a scenario-generator and run it through a classroom.”
Companies can also learn from breaches if tracking is instrumented into their software, noted Tyler Shields, vice president of strategy for Sonatype, an open source governance platform. “The ability to track your code from creation to deployment—that entire life cycle—needs to be instrumented so that when a breach occurs you know what component was affected, where it came from, who implemented it and what protections were in place.”
Incident Response Recovery Beyond IT
The final session’s panelists agreed that holistic approaches are essential for successful response and recovery. Internal and external communications should be well thought out, and designating a person or team to handle them sets the appropriate company precedent. Lisa Plaggemier, chief evangelist at Infosec and NCSA board member, said that, for example, while a company’s lawyers are critical during these times, they might not be the best communicators.
“Lawyers, when they write for communications, tend to sound more scary than reassuring,” she said. “You want to have collaborations and have that communications person in the room with them.”
When it comes to crisis communication, Plaggemier advocated that employees—especially those who detected the incident—should be armed with talking points for traditional and social media outlets to avoid data leakage.
“We want to make sure we equip those people so that the rumor mill doesn’t start flying and we don’t end up with communications that are out of our control,” she said.
Dovetailing on that notion, moderator Andrew Derboben, senior director of security operations at Nasdaq, was quick to mention reputation risk. He said another way to reduce data leakage and misrepresentations in the media—which can further harm a company’s reputation in the aftermath of a breach—is to arm all company employees with a brief script on what to say to anyone, even passersby making small talk.
“Don’t even have them say ‘no comment,’” Derboben said. “Point them to the experts who have all the data. Because if we’re missing a key piece of information and it’s not communicated properly it could determine how an article will be written.”
The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.
Linda Lacewell, acting superintendent of the New York State Department of Financial Services (“DFS”), made her remarks at an event focused on insurance regulation and they come at a time when the state’s sweeping cybersecurity regulation — initially implemented more than two years ago — is now in full force. Lacewell, a former federal prosecutor, was nominated in January 2019 by New York Governor Andrew Cuomo to head DFS, which oversees banking and insurance in the state. Lacewell was Cuomo’s chief of staff. Her confirmation has not yet been scheduled.
As a regulator, DFS is widely considered the most powerful state banking regulator in the country because of the number of banks with a presence in New York — including foreign banks — that fall under DFS’s watch. Although the agency has civil — not criminal — authority, it has levied more than $9 billion in civil fines since 2011.
Lacewell replaces Maria Vullo, who left the agency two months ago, and is widely credited with getting the state’s cybersecurity regulation in place more than two years ago and heading its phased implementation over the past two years.
So what does this change at the top mean for DFS’s cybersecurity enforcement? Lacewell’s comments on Friday, the themes she discussed, and her own background might provide some clues for financial institutions that fall under the agency’s watchful eye.
- Cybersecurity will likely be a priority. In her remarks, Lacewell called cybersecurity “the number one threat facing all industries and governments globally.” In asking the question, “how do we deal with cyber?” Lacewell noted DFS’s leading role in cybersecurity regulation and hinted that cyber will continue to be a top priority for DFS, saying, “we’ve got to do the hard work,” and suggested that DFS-regulated companies should place cyber issues at the top of their risk agendas.
- Compliance will take center stage. In no uncertain terms, Lacewell made clear that the compliance function for financial institutions should be placed front and center. In Lacewell’s words, “[c]ompliance is not some kind of back-office backwater; compliance needs to be at the center of everything your institutions do.” Lacewell explained her view that regulated entities need to think hard about their compliance efforts and — with respect to cyber and beyond — ensure robust execution and meaningful risk mitigation plans to deliver on what Lacewell sees as “what we owe to all consumers.”
- Consumers will come first. One of the main themes of her speech was the focus on protecting the consumer. She said that “the consumer is at the center of everything we do” and “we can’t leave the consumer out of the equation.” Lacewell’s remarks revealed a fully formed approach to regulation and enforcement — shaped by her experience as a federal prosecutor and in the New York Attorney General’s Office — focused on the well-being of the state’s consumers. Lacewell told the room that consumer-focused industry practices are “not inconsistent with being a profitable enterprise.” How this view will play out at DFS remains to be seen, but Lacewell’s consumer-focused ethos and explicit link between corporate compliance and consumers may be telling as to how DFS will evaluate compliance and enforcement issues arising from DFS’s cyber regulation, especially as it affects consumers.
- Big data and complex technology will be an enforcement focus. “Big data — it’s a risk and opportunity,” she said. Although Lacewell’s comments about big data were made in the context of using big data to make underwriting decisions for insurance companies, the tenor of her comments suggested that her interest might not be limited to underwriting decisions. Will she look at big data in the context of cybersecurity and the way such information is stored and transmitted to ensure that it is properly safeguarded? “We have a lot of work to do in the tech industry and that’s going to be a big focus for us,” she said.
- The healthcare industry may garner DFS attention. Throughout her career, Lacewell said she has focused on the healthcare industry, from both an enforcement and legislative perspective. While in the New York governor’s office, she worked to reshape the healthcare industry in the state including the establishment of a nonprofit healthcare organization. She stressed her view that the health insurance industry in New York is still in need of extensive reforms to maximize protections and benefits for all New Yorkers. Lacewell’s priorities at DFS are, no doubt, still taking shape, but her professional history suggests a level of familiarity and interest in healthcare companies, which will likely include safeguarding protected healthcare information.
It is always challenging to predict an agency’s regulatory priorities and expectations, especially in a new administration. But with Lacewell’s prosecutorial background, her strong commitment to consumer protection, and her admonition that cybersecurity is the “number one” threat facing industry today, it seems like a good bet that her administration will focus on issues at the intersection of cyber and consumer protection. As to the agency’s other priorities, we will need to wait and see.
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.
In this five-part podcast series, sponsored by Affiliated Monitors, Inc. (AMI), I am joined by AMI Managing Director Rod Grandon. We consider the responsibility of federal contractors to maintain their status as “Responsible Contractors” and explore the benefits of having an effective compliance and business ethics program to not only increase business efficiencies and profitability [...]
The post Federal Contractor Responsibility: Part 4-Why Are We Still Talking About This? appeared first on Compliance Report.
Average Say on Pay support in 2018 declined to the lowest level observed since 2012, driven by an increase in the number of companies receiving vote support below 70%. Shareholder engagement increased on environmental proposals; other environmental, social, and governance (ESG) topics; Board diversity; and the use of GAAP versus non-GAAP performance metrics in compensation program design. Shareholders will continue pushing companies to adopt and disclose formal policies on these topics in 2019 and may vote critically in Say on Pay and Director elections if they feel companies are not sufficiently responsive. A politicized external environment and the growing attention to wealth inequality will also influence companies and introduce further messaging challenges during the second year of the CEO Pay Ratio disclosures.
Prediction 1: Russell 3000 average Say on Pay vote support will continue to decline.
Shareholders will vote more critically when casting Say on Pay votes in 2019, and average vote support will decline for a second consecutive year. Shareholders will continue to push company leadership on a broader range of governance issues this year, and we expect that Say on Pay voting will be used as an indirect mechanism for shareholder activism.
Corporate culture is integral to business success, and its role in banking has attracted considerable attention since the financial crisis of 2007 and 2008. For example, Fahlenbrach, Prilmeier and Stulz (2012) found that banks that performed poorly in the 1998 crisis also performed poorly in the recent crisis. This persistence is consistent with a culture explanation. Egan, Matvos, and Seru (2018) found that many financial advisors repeatedly engage in misconduct, but they seem to suffer few career consequences because some firms don’t seem to mind.
As a finance professor at Duke University, I study how culture affects firms and what they can do to shape it. In a research study with John Graham, Campbell Harvey, and Shiva Rajgopal, we surveyed 1,348 corporate executives and found that 90 percent believed that culture was important at their firms while 92 percent said improving their firm’s culture would increase the value of the company. But only 16 percent of firms said their culture was where it needed to be, and it wasn’t clear that these executives even knew how to change that.
On April 3, 2019, Senator (and Democratic Presidential contender) Elizabeth Warren announced proposed legislation—dubbed the “Corporate Executive Accountability Act”—that would effect a dramatic change in white collar criminal law by permitting prosecution of corporate executives for negligent conduct. Under traditional criminal law principles, defendants must typically have at least knowledge with respect to the conduct that constitutes the crime. However, under Senator Warren’s proposed law, executives of large companies could be criminally prosecuted (and fined and/or jailed if convicted) if they are found to have acted negligently in failing to prevent criminal acts committed by the companies they supervise. The bill is unlikely to be enacted, but it nonetheless represents a significant policy indication from a Presidential candidate.
In an op-ed published in The Washington Post in parallel to the bill’s announcement, Senator Warren expressed the view that “[i]t’s time to reform our laws to make sure that corporate executives face jail time for overseeing massive scams.” In her words, the bill would “expand criminal liability to any corporate executive who negligently oversees a giant company causing severe harm to U.S. families.” She predicts that “[i]f top executives knew they would be hauled out in handcuffs for failing to reasonably oversee the companies they run, they would have a real incentive to better monitor their operations and snuff out any wrongdoing before it got out of hand.”