Global Featured Wired

This Week in FCPA-Episode 125 – the Heading Back to World Series edition

FCPA Compliance & Ethics -

The Boston Red Sox storm into the World Series after defeating the Houston Astros in the ALCS. Will the team with the best record in baseball take home the trophy this year? Jay and Tom (well really just Jay) hit the highlights from the Sox 4-1 shellacking of Houston. Tom takes his medicine as they [...]

The post This Week in FCPA-Episode 125 – the Heading Back to World Series edition appeared first on Compliance Report.

Reforming Director’s Long-Term Duties in the EU

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Claire Jeffwitz and Filip Gregor, Frank Bold, on Saturday, October 20, 2018 Editor's Note: Claire Jeffwitz is a solicitor based in the UK and Filip Gregor is Head of Responsible Companies at Frank Bold. This post is based on a Frank Bold paper by Ms. Jeffwitz and Mr. Gregor. Related research from the Program on Corporate Governance includes Socially Responsible Firms by Alan Ferrell, Hao Liang, and Luc Renneboog (discussed on the Forum here).

The European Commission has taken up the debate on the obligations of company directors and will be analysing whether they should be clarified at an EU level. This commitment is included in its Action Plan on Sustainable Finance [1], aimed at transforming Europe’s economy and financial system into a sustainable one. The Commission seeks to attenuate the short-term pressure from capital markets on corporations that forces directors to disregard opportunities and risks stemming from long-term sustainability considerations.

Although it is universally agreed that directors’ obligations are to act in the interests of the company, there is a lack of clarity over what these “interests” are in practice and to whom they are owed. In this context, Frank Bold has published a paper entitled Redefining directors’ duties in the EU to promote long-termism and sustainability, which outlines recommendations to clarify directors’ duties, integrate sustainability into those duties, and give legal recognition to corporate governance arrangements that protect a company’s social mission.


SEC Shareholder Proposal Panel – Take Action!

Corporate Governance -

The November 15 SEC Roundtable on the Proxy Process will include me on the SEC Shareholder Proposal Panel. Public announcement with instructions for submitting comments. I will only have a few minutes at the Roundtable. What should I emphasize? Where should I stay in DC? Take Action: Readers of know far more than I do. Please email your suggestions […]

The post SEC Shareholder Proposal Panel – Take Action! appeared first on Corporate Governance.

Sign Up for November 8, 2018 NAVEX Global Ethics and Compliance Virtual Conference

Corruption, Crime & Compliance Blog -

November 8, 2018


NAVEX Global has announced its annual Ethics and Compliance Virtual Conference and published the schedule of sessions and speakers.

The ECVC is the world’s largest compliance-focused conference. Created for professionals across Ethics and Compliance, Legal, Human Resources, Audit, Risk Management and Corporate Training, this online event is your best resource to learn the top issues and best practices affecting your workplace today.

This year’s ECVC focuses on how you can put the ideals of ethics and compliance into practice: through regulatory scrutiny, leadership improvements, program enhancements and delivering quantifiable proof of success.

Please sign up and attend!!!

The post Sign Up for November 8, 2018 NAVEX Global Ethics and Compliance Virtual Conference appeared first on Corruption, Crime & Compliance.

Tissues, Towels, TVs and Consistency

The Compliance & Ethics Blog -

By Adam Turteltaub I see scenes like the one in the picture a lot.  A message from a hotel about being green and saving the environment, placed right in front of ten tissues turned into a lovely origami-esque flower that I’ll end up having to throw away just to get a usable one to […]

Data Breaches Taking Slightly Longer To Detect, Study Finds

Risk Management Monitor -

Despite rising global awareness of data breaches in various industries, organizations experienced an increase in the number of days to identify a data breach over the last fiscal year. According to a new study conducted by the Ponemon Institute and published by IBM, it takes an average of 197 days for a company to identify a breach – up six days from 2017 – and an average of 69 days to contain it (which also showed a three-day increase from 2017).

“We attribute the increase in days to the growth in the use of IoT devices, extensive use of mobile platforms, increased migration to the cloud and compliance failures,” study authors said in 2018 Cost of Data Breach Study: Impact of Business Continuity Management.

This year’s study included 2,634 employees from 477 companies in 17 industries in 13 countries and two regions. The study found that the average total cost of a data breach in 2018 is $3.86 million; $1.45 million is attributable to the most-costly component, which is lost business cost. The least expensive component is data breach notification at $0.16 million.

Ponemon also included a framework for measuring the cost of mega breaches, which are breaches involving at least 1 million compromised records. There is also a special analysis of the cost to recover from a data breach.

Some notable findings include:

  • The average cost per compromised record at the surveyed organizations was $148 in fiscal year 2018, up from $141 in 2017 but down from $158 in 2016.
  • The larger the data breach, the less likely the organization will have another breach in the next 24 months.
  • Healthcare organizations took an average of 55 days to detect a breach, but 1,037 days to contain it.


System Director of Audit, Compliance and Organizational Ethics (Cincinnati, OH)

Corporate Compliance Insights -

Job description: There are many ways to define excellence. For us at The Christ Hospital, it’s all about our patients…And making healthcare what they want it to be. Accessible. Personal. Affordable. Our commitment to exceptional outcomes, affordable care and the finest patient experiences is recognized yearly with numerous awards from leading healthcare organizations and publications.

The post System Director of Audit, Compliance and Organizational Ethics (Cincinnati, OH) appeared first on Corporate Compliance Insights.


Chief Compliance Officer (Dallas, TX)

Corporate Compliance Insights -

Job description: The University of North Texas System is composed of the UNT System Administration (UNTS Administration), headquartered in Dallas, and three universities, the flagship University of North Texas in Denton, the University of North Texas Health Science Center in Fort Worth, and the University of North Texas at Dallas (UNT Dallas).

The post Chief Compliance Officer (Dallas, TX) appeared first on Corporate Compliance Insights.


SEC Issues Report of Investigation on Cyber-Related Frauds Perpetrated Against Public Companies

Program on Compliance and Enforcement, New York University School of Law -

by Robert W. Downes, John Evangelakos, Nader A. Mousavi, Nicole Friedlander, and Sarah M. Cravens

Public Companies Should Implement Sufficient Internal Controls to Avoid Becoming Victims of Cyber-Related Frauds and to Comply With the Exchange Act

Summary

On October 16, the SEC issued a report on an investigation into whether nine public issuers that were victims of cyber-related frauds may have violated Sections 13(b)(2)(B)(i) and (iii) of the Exchange Act by failing to have a sufficient system of internal accounting controls to provide reasonable assurances that those frauds were detected and prevented.

The issuers, which the SEC stated represent a variety of industries, were victims of two types of “business email compromise” scams that resulted in mostly unrecovered losses ranging from $1 million to over $45 million.

While the SEC determined not to pursue enforcement actions against the issuers under investigation, it issued its report of investigation to make issuers aware that these cyber-related threats exist, and concluded that all companies should reassess the sufficiency not only of existing internal controls, but also of the policies and procedures that ensure employee compliance with those controls.


The Securities Exchange Act of 1934 (the “Exchange Act”) requires public companies to maintain internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with and access to company assets is only permitted with “management’s general or specific authorization.”[1]  In the course of its investigation, the Securities and Exchange Commission (the “SEC”) sought to determine whether the controls of nine public issuers were sufficient to comply with these obligations.[2]

Each issuer was the victim of one of two types of scams known as “business email compromises.”  The first type involved perpetrators who used spoofed email addresses to pose as company executives in emails sent to company finance personnel.  In the emails, the perpetrators directed the finance personnel to work with a purported outside attorney identified in the email, who then directed them to cause large sums of money to be transferred to foreign bank accounts controlled by the perpetrators.  The emails generally used real law firm and attorney names, but the contact details in fact connected the personnel with an impersonator and co-conspirator.  The emails also described purported time-sensitive requests, mentioned the need for confidentiality of the transfers, provided minimal details, and sometimes falsely implied that the transactions involved government oversight, including the coordination or supervision of the SEC.  Even though all of the issuers did business internationally, the emails often described foreign transactions that were out of the ordinary for the particular issuer.  The email recipients were typically mid-level employees who ordinarily would have had no involvement in the purported transactions, and rarely communicated with the executives being spoofed.

The second type of scam involved perpetrators who hacked into the email accounts of issuers’ vendors.  Posing as a vendor, these perpetrators inserted illegitimate payment requests and payment processing details into electronic communications for otherwise legitimate transaction requests.  The perpetrators corresponded with issuers’ unsuspecting procurement personnel to obtain information about purchase orders and invoices.  The perpetrators then requested that the procurement personnel initiate changes to the vendors’ banking information, attaching doctored invoices reflecting the new, fraudulent account information, and the procurement personnel relayed that information to accounting personnel responsible for maintaining vendor data.  As a result, the issuers made payments on outstanding invoices to foreign accounts controlled by the perpetrators. 

Many issuers remained unaware of these schemes, some of which continued over significant periods of time, until the schemes were uncovered as a result of third-party actions, including detection by a foreign bank or law enforcement agency, or by a vendor who complained of non-payment of invoices.  The SEC noted that the schemes were often successful largely because employees either did not understand or did not follow the issuers’ internal control procedures. As a result, the issuers as a group lost and did not recover nearly $100 million, even though they had specific information about the foreign bank accounts that received the wired funds. 

Notably, even with the relevant wire transfer confirmations, money transferred in these schemes may be difficult or impossible to recover by U.S. issuers or law enforcement.  The money is typically transferred and dissipated quickly through foreign accounts in the names of shell corporations or false identities created by the perpetrators.  Further, the perpetrators often transfer the funds to foreign jurisdictions that are unlikely to cooperate with U.S. law enforcement requests for evidence or asset recovery.
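The two schemes above map onto two controls a finance or security team can actually implement: screening inbound mail for the executive-impersonation pattern, and refusing to act on an emailed vendor bank-detail change without an out-of-band check and a second approver. The Python below is an added illustration of both; it is not code from the SEC report or from the Sullivan & Cromwell memo. The company domain, executive directory, keyword lists and the sample message are all constructed for the example, and a production filter would tune the keyword lists and thresholds.

```python
"""Constructed example (not from the SEC report or the memo): screen inbound
payment-related email for the two BEC patterns described above, and gate
vendor bank-detail changes behind controls that do not trust the email."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Constructed: the company's real domain and the executives worth impersonating.
COMPANY_DOMAIN = "example.com"
EXEC_DIRECTORY = {"ceo@example.com": "Jane Doe", "cfo@example.com": "John Roe"}

# Constructed phrase lists; tune these for a real deployment.
TRANSFER_TERMS = ("wire", "transfer", "payment", "bank details", "account number")
URGENCY_TERMS = ("urgent", "today", "immediately", "time-sensitive", "asap")
SECRECY_TERMS = ("confidential", "do not discuss", "keep this between us")


@dataclass
class Email:
    from_header: str             # raw From: header, e.g. '"Jane Doe" <x@y>'
    subject: str
    body: str
    reply_to: Optional[str] = None


def is_lookalike(domain: str, legit: str, threshold: float = 0.8) -> bool:
    """Near-miss domains such as exampel.com: close to, but not equal to, the real one."""
    return domain != legit and SequenceMatcher(None, domain, legit).ratio() >= threshold


def bec_indicators(msg: Email) -> List[str]:
    """Return the BEC indicators present in one message (empty list if none)."""
    findings: List[str] = []
    display_name, addr = parseaddr(msg.from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # Pattern 1: an executive's display name on an address that is not theirs.
    for exec_addr, exec_name in EXEC_DIRECTORY.items():
        if display_name.strip().lower() == exec_name.lower() and addr != exec_addr:
            findings.append(f"display-name spoof of {exec_name} via {addr}")

    # Spoofed senders often register a domain one character away from the real one.
    if domain and is_lookalike(domain, COMPANY_DOMAIN):
        findings.append(f"lookalike domain {domain}")

    # Replies silently routed to the impersonator (the "outside attorney" contact).
    if msg.reply_to:
        reply_addr = parseaddr(msg.reply_to)[1].lower()
        if reply_addr and reply_addr != addr:
            findings.append(f"reply-to diverges from sender ({reply_addr})")

    # Money movement combined with time pressure and secrecy, as the report describes.
    text = f"{msg.subject}\n{msg.body}".lower()
    if any(t in text for t in TRANSFER_TERMS):
        if any(t in text for t in URGENCY_TERMS):
            findings.append("time pressure on a funds transfer")
        if any(t in text for t in SECRECY_TERMS):
            findings.append("secrecy demanded around a funds transfer")
    return findings


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_account: str
    requested_via: str               # "email", "vendor_portal", ...
    callback_verified: bool = False  # phoned the number already on file, never one from the email
    second_approver: Optional[str] = None


def approve_bank_change(req: BankChangeRequest, keyed_by: str) -> Tuple[bool, str]:
    """Pattern 2 control: never act on an emailed bank-detail change alone.
    Requires an out-of-band callback and an approver other than the person who
    keyed the change, so one compromised vendor mailbox cannot redirect payments."""
    if req.requested_via == "email" and not req.callback_verified:
        return False, "callback to the vendor's number on file is required"
    if not req.second_approver or req.second_approver == keyed_by:
        return False, "an independent second approver is required"
    return True, "approved"


if __name__ == "__main__":
    # Constructed sample message modelled on the first scam type.
    sample = Email(
        from_header='"Jane Doe" <jane.doe@exampel.com>',
        subject="Urgent wire today - acquisition",
        body="Keep this confidential. Work with our outside counsel to wire the funds today.",
        reply_to="counsel@lawfirm-mail.invalid",
    )
    for finding in bec_indicators(sample):
        print("BEC indicator:", finding)
```

The screening function is deliberately header-and-text only, so it can run at the mail gateway before anyone reads the message; the bank-change gate is the piece the report's second scam actually needs, because a vendor's real mailbox was compromised and no amount of sender checking would have caught it.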

Observations and implications

The SEC noted that email scams like the ones investigated here have caused business losses of over $5 billion since 2013, which according to the Federal Bureau of Investigation (“FBI”) is greater than losses caused by any other type of cyber-related crime.[3]  The FBI has also found that the threat of email scam losses has grown over time.[4]  As such, the SEC strongly emphasized the importance of maintaining internal accounting controls that are sufficient to provide reasonable assurances that financial transactions are authorized by management.[5]  Although the SEC determined not to pursue enforcement action in these matters, the report of investigation makes it clear that the SEC expects issuers to calibrate their internal controls to address the risks of cyber-related frauds.  Because the scams commonly targeted “human vulnerabilities that rendered the control environment ineffective,”[6] the SEC also instructed companies to view employee training as a critical aspect of control implementation.  All companies are advised to re-assess the sufficiency of internal accounting controls, especially those relating to foreign transactions, as well as the completeness of employee education protocols.


[1] 15 U.S.C. §§ 78m(b)(2)(B)(i), (iii).

[2] See SEC, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements (Oct. 16, 2018) (“SEC Report”). See also SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, at 18 (Feb. 21, 2018) (“[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws.”).

[3] See FBI, 2017 Internet Crime Report at 12, 21 (May 7, 2018).

[4] See FBI, Public Service Announcement: Business E-Mail Compromise: E-Mail Account Compromise: The 5 Billion Dollar Scam (May 4, 2017) (“The BEC/EAC scam continues to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses.”).

[5] The degree of assurance necessary is one “as would satisfy prudent officials in the conduct of their own affairs.” 15 U.S.C. § 78m(b)(7).

[6] SEC Report at 5.

Robert W. Downes, John Evangelakos, and Nader A. Mousavi are partners; Nicole Friedlander is special counsel, and Sarah M. Cravens is an associate at Sullivan & Cromwell LLP.


The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.

Adventures in Compliance – The Empty House and Imagination

FCPA Compliance & Ethics -

This podcast series returns to one of my favorite themes for every Chief Compliance Officer (CCO), compliance professional and compliance program: Sherlock Holmes. In Adventures in Compliance, I consider themes from the short stories found in the Holmes stories to illustrate broader application to components of a best practices compliance program. Today, I consider the theme of imagination [...]

The post Adventures in Compliance – The Empty House and Imagination appeared first on Compliance Report.

Proxy Access Proposals

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Stephen T. Giove, Arielle L. Katzman and Daniel Yao, Shearman & Sterling LLP, on Friday, October 19, 2018 Editor's Note: Stephen T. Giove is partner and Arielle L. Katzman and Daniel Yao are associates at Shearman & Sterling LLP. This post is based on their Shearman memorandum. Related research from the Program on Corporate Governance includes Private Ordering and the Proxy Access Debate by Lucian Bebchuk and Scott Hirst (discussed on the Forum here).

In our fourth annual review of proxy access practices, we explore recent developments relating to “adopt” and “fix-it” shareholder proposals, headline and key second-tier terms, and amendments to adopted by-laws.

Proxy Access—The March Forward Continues but at a Slower Pace

The proxy access adoption trend continued in 2018, although at a more modest pace. An additional 53 companies adopted proxy access by-laws in the first six months of 2018 compared to 87 in the first six months of 2017. In total, well over 500 companies, and over two-thirds of the S&P 500, have adopted proxy access by-laws. While the New York City Comptroller and other prolific shareholder proponents, including John Chevedden and James McRitchie, submitted fewer proxy access shareholder proposals in 2018 than in 2017, the volume of proxy access proposals was still substantial as compared to other corporate governance proposals. After three extremely active years, it appears that proxy access no longer leads the list of governance topics of shareholder


Weekly Roundup: October 12-18, 2018

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted on Friday, October 19, 2018. Editor's Note: This roundup contains a collection of the posts published on the Forum during the week of October 12-18, 2018.

  • Were Reports on the Demise of the Universal Proxy Premature? Posted by Cydney Posner, Cooley LLP, on Friday, October 12, 2018.
  • SEC Sanctions Investment Firm for Inadequate Cybersecurity and Identity Theft Prevention Policies. Posted by Sabastian V. Niles, Marshall L. Miller, and Jeohn Salone Favors, Wachtell, Lipton, Rosen & Katz, on Friday, October 12, 2018.
  • Statement at Open Meeting on Re-Opening Comment Period for Capital, Margin, and Segregation Requirements for Security-Based Swap Dealers and Major Security-Based Swap. Posted by Hester M. Peirce, U.S. Securities and Exchange Commission, on Saturday, October 13, 2018.
  • Statement on Commission Action Regarding Capital, Margin, and Segregation Requirements for Security-Based Swap Dealers and Major Security-Based Swap Participants and Capital Requirements for Broker-Dealers. Posted by Kara M. Stein, U.S. Securities and Exchange Commission, on Saturday, October 13, 2018.
  • Opening Statement at the SEC Open Meeting. Posted by Jay Clayton, U.S. Securities and Exchange Commission, on Saturday, October 13, 2018.
  • The CEO Pay Ratio: Data and Perspectives from the 2018 Proxy Season. Posted by Deb Lifshey, Pearl Meyer & Partners, LLC., on Sunday, October 14, 2018.
  • Shareholder Activism: 1H 2018 Developments and Practice Points. Posted by Gail Weinstein, Warren S. de Wied, and Philip Richter, Fried, Frank, Harris, Shriver & Jacobson LLP, on Sunday, October 14, 2018.
  • How Common is a Female CEO-CFO Duo? Posted by Megan Von Duhn, Equilar, Inc., on Monday, October 15, 2018.
  • The Twilight of Enhanced Scrutiny in Delaware M&A Jurisprudence. Posted by Iman Anabtawi (UCLA), on Monday, October 15, 2018.
  • Lessons From the CBS-NAI Dispute: The Applicability of Rule 14c-2 and the 20-day Waiting Period to Stockholder Actions by Written Consent. Posted by Victor Lewkow, Paul M. Tiger, and Gloria B. Ho, Cleary Gottlieb Steen & Hamilton LLP, on Monday, October 15, 2018.
  • Shedding Light on Diversity-Based Shareholder Proposals. Posted by Angelo Martinez, Equilar, Inc., on Tuesday, October 16, 2018.
  • Semi-Public Offerings? Pushing the Boundaries of Securities Law. Posted by Usha R. Rodrigues (University of Georgia), on Tuesday, October 16, 2018.
  • The California Board Diversity Requirement. Posted by Thomas Ivey, Leif King and Sonia Nijjar, Skadden, Arps, Slate, Meagher & Flom LLP, on Tuesday, October 16, 2018.
  • Disclosure of the CEO Pay Ratio: Potential Impact on Stakeholders. Posted by Joseph Bachelder and Andy Tsang, McCarter & English LLP, on Wednesday, October 17, 2018.
  • Managing Reputation: Evidence from Biographies of Corporate Directors. Posted by Ian D. Gow (The University of Melbourne), Aida Sijamic Wahid (University of Toronto), and Gwen Yu (University of Michigan), on Wednesday, October 17, 2018.
  • Additional Lessons from the CBS-NAI Dispute: The Limitations of “Street Name” Ownership in Effectively Exercising Stockholder Rights. Posted by Christopher E. Austin, Paul M. Tiger and Max A. Wade, Cleary Gottlieb Steen & Hamilton LLP, on Wednesday, October 17, 2018.
  • Mandated Gender Diversity for California Boards. Posted by Howard Dicker, Lyuba Goltser and Erika Kaneko, Weil, Gotshal & Manges LLP, on Thursday, October 18, 2018.
  • Revealing Corporate Financial Misreporting. Posted by Quinn Curtis (University of Virginia), Dain C. Donelson (University of Texas), and Justin Hopkins (University of Virginia), on Thursday, October 18, 2018.
  • Making Sense of the Current ESG Landscape. Posted by Peter Atkins, Marc Gerber and Richard Grossman, Skadden, Arps, Slate, Meagher & Flom LLP, on Thursday, October 18, 2018.

Proceed with Caution When Using Artificial Intelligence

Corporate Compliance Insights -

Challenges with Insights in Excel

Artificial intelligence can be a very good thing, but organizations must not jump in blindly. Incisive CEO Diane Robinette discusses potential risks associated with the new artificial intelligence capabilities in Excel. Artificial Intelligence (AI) is a hot topic. It’s the shiny new thing that people can’t seem to get enough

The post Proceed with Caution When Using Artificial Intelligence appeared first on Corporate Compliance Insights.


These Three Organizational Vulnerabilities Put Critical Infrastructure At Risk

BRINK News -

When it comes to cybersecurity functions and the people who manage risk within critical infrastructure, it’s important to have a holistic understanding of prominent vulnerabilities and their potential impact, as well as opportunities for risk reduction from the standpoint of organizational culture and alignment.

The cybersecurity of critical infrastructure is a shared responsibility of system operators, control engineers, information technology staff, and cybersecurity professionals, among others. This shared ownership is incredibly helpful, but it also creates challenges that can result in unmanaged risk, including differing perspectives on operational priorities, interpretations of compliance requirements, and vastly different views on risk itself.

Vulnerability can easily be introduced in a few ways. One occurs at the seams between business units: specifically, at the hand-off points and at points where a defined responsibility assignment matrix is not established. Another happens when alignment on direction cannot be agreed upon across committees. This impacts the employees lower in the hierarchy of an organization and misaligns organizational goals that support company objectives. The last example is a byproduct of regulatory compliance, specifically in the era of multiple similar standards and the translation between how they are written and how they are implemented.

Hand-Off Points

Most critical infrastructure facilities are designed, built, and transitioned into production by third parties. Often, when constructing new assets such as power plants, substations, and manufacturing facilities, the third party will leverage the same designs approved by the original equipment manufacturer at each installation. This not only includes the specifications of the facilities themselves, but also the cyber systems used to control and monitor the critical infrastructure they house.

What this leaves is an identical footprint of network devices, servers and control systems at every site, a well-known map that any attacker can follow. Additionally, many manufacturers of large industrial machinery provide remote monitoring of the asset, as well as remote control from their own centralized control room. That connectivity creates a backdoor into the control network and the systems running the operations.

When workflows are not developed to show the specific hand-offs, significant vulnerability is introduced by basic functions like systems administration. An adversary working from a known blueprint faces far less complexity in compromising the system, and the people and the gaps between teams become part of the attack surface.

For example, a malicious actor could target a published request for proposal (RFP). RFPs often contain detailed descriptions of how systems work, who is responsible for them in production, why the project has been approved for bidding and what the company wants to accomplish from the project. By using this information, a targeted social engineering campaign can be created to take advantage of the weaknesses inferred through the RFP description. Countering this threat surface is seemingly not very difficult: Simply avoid including a significant level of depth in the RFP, and instead, provide information via vetted scoping calls with vendors. Still, many RFPs are published with a great deal of sensitive information included.

Decision by Committee

Decision by committee occurs all the time. One business unit wants to go one way, and another wants to go the other. This is a standard condition in almost every industry. However, when making tactical decisions on how to design, integrate, and operate critical infrastructure, it can create vulnerabilities when the left hand doesn’t know what the right hand is doing.

We can break system design down into three functions: architecture, engineering, and operations. Each of these critical business functions has its own unique set of responsibilities that are generally well-defined. Effective architects understand the business and where technology can be used to improve efficiency. Engineers understand many of the same things architects do, but have a much deeper view of how to make the technologies work together. Operations has a deep understanding of how the technology works and knows exactly where the problems are.


Cyber vulnerability can be reduced when these three functions agree on problems and are equally invested in the outcomes.

When bringing these three functions together to develop a new system design, make improvements to an existing one, or talk about what is and isn’t working well, it’s critical to have agreement on the problems and how those map to the business needs of the technology. When you don’t have that alignment, trust erodes, attitudes form, and silos occur. This is incredibly detrimental to the overall cybersecurity of technology.

An example of how this can create unmanaged cyber risk is the design of a new software application used to house telemetry data. An all too common scenario is software built against old and outdated versions of Java. While Java is an easy-to-learn programming language, the software developers need to ensure they are coding to current versions and are not designing in antiquated functions that depend on an older version of the Java runtime environment. When easily exploited Java vulnerabilities are introduced onto a control system network, it again lowers the bar an adversary must clear once they have gotten their code into that network.
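One cheap way to catch this before a vendor's telemetry application reaches the control network is to look at what the vendor actually compiled against. Every Java class file starts with an 8-byte header (the magic value 0xCAFEBABE followed by a minor and a major version number), and the major version records the language level the compiler targeted, so a jar can be triaged without running anything. The Python below is an added example and not code from the article; the jar it inspects is constructed in memory from header-only stand-ins for class files, with made-up package names. One caveat: a class compiled for Java 5 still loads on a current JRE, so a low major version tells you the vendor's toolchain is dated and its product deserves the runtime and removed-API questions, not that it is already broken.

```python
"""Constructed example (not code from the article): triage a vendor's jar by
reading each class file's header to learn which Java language level the vendor
compiled against, before the software lands on a control-system network."""
import io
import struct
import zipfile
from typing import Dict

# Class-file major version -> Java platform version (JVM specification, chapter 4).
MAJOR_TO_JAVA = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6",
                 51: "7", 52: "8", 53: "9", 54: "10", 55: "11", 56: "12",
                 57: "13", 58: "14", 59: "15", 60: "16", 61: "17", 62: "18",
                 63: "19", 64: "20", 65: "21"}
CLASS_MAGIC = 0xCAFEBABE


def class_major(data: bytes) -> int:
    """Parse the class-file header: u4 magic, u2 minor_version, u2 major_version (big-endian)."""
    if len(data) < 8:
        raise ValueError("truncated class file")
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a Java class file")
    return major


def java_version(major: int) -> str:
    """Human-readable platform version for a class-file major number."""
    return MAJOR_TO_JAVA.get(major, f"unknown (major {major})")


def jar_class_majors(jar_bytes: bytes) -> Dict[str, int]:
    """Major version of every .class entry in an in-memory jar (a jar is a zip)."""
    majors: Dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                majors[name] = class_major(zf.read(name))
    return majors


def below_baseline(majors: Dict[str, int], baseline_major: int = 52) -> Dict[str, str]:
    """Classes compiled for a language level older than the baseline (default: Java 8, major 52)."""
    return {name: java_version(m) for name, m in majors.items() if m < baseline_major}


def fake_class(major: int) -> bytes:
    """Constructed stand-in for a class file: only the header, which is all the triage reads."""
    return struct.pack(">IHH", CLASS_MAGIC, 0, major)


def build_sample_jar() -> bytes:
    """Constructed sample jar: one class built for Java 5, one for Java 11."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/vendor/telemetry/Collector.class", fake_class(49))
        zf.writestr("com/vendor/telemetry/Main.class", fake_class(55))
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    for name, version in below_baseline(jar_class_majors(jar)).items():
        print(f"{name}: compiled for Java {version}, below baseline")
```

Run against a real jar, replace build_sample_jar() with the file's bytes; the rest is unchanged. Raising the baseline is the lever a procurement or OT security team would use once they decide which runtime generation the control network will support.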


Compliance obligations are enforceable and can lead to real-world impact, especially when it comes to operating critical infrastructure. There are cyber-focused business and financial controls originating from SOX, payment processing controls from PCI, and critical infrastructure controls coming from NERC CIP and TSA, as well as other cyber and privacy standards like HIPAA and GDPR. This creates a logistical minefield of different control mappings, overlapping standards, and the self-assessed applicability to technology systems.

One of the hardest, most stressful things to do is prepare for an audit. Whether the compliance framework digs deep into cybersecurity or just touches the surface, the people doing the preparation are highly motivated and very focused. During the time between audits, those same people are constantly gathering evidence and ensuring the compliance records are kept up-to-date.

Now, introduce multiple compliance obligations, each having their own narrowly focused applicability to technology systems, and you immediately create an inventory of systems that fall under compliance, as well as an inventory that does not. The inventory that does not is often left to whatever cyber controls exist natively or are implemented by an astute administrator, but what this approach lacks is a base level of protection applied throughout. A better approach is to map all cyber compliance obligations to a recognized framework that allows compliance to become a byproduct of following best practices.

Multiple competing compliance objectives create vulnerabilities when systems are left exposed because technology teams do not apply best practices to systems that carry no organizational compliance requirement. This again lowers the bar an adversary needs to clear in order to compromise systems. The best way to counteract this issue is to develop a best-practices approach to cybersecurity, where technology requirements and configurations are clearly defined and balanced between usability and security.

Managing cyber risk is no different than managing other types of risk. It simply must be a team sport where people work together, talk to one another, align on problems that create risk, create shared views on risk tolerance, and, above all else, hold each other accountable.

As the security of critical infrastructure continues to gain more time in the spotlight, we cannot forget about the fundamentals of working together to solve common problems. Technology alone will never be the solution; only by people working together will risk be managed and exposure to cyberattacks reduced.

