by Dan Verton

Compliance: 10 Questions Your CEO Should Be Able to Answer

Nov 16, 2005

Compliance, IT Leadership

The insider threat today is not just about the security of your enterprise’s data. It’s also about knowing that your organization has developed the right policies and procedures to prevent inadvertent disclosures or blatant misuse of corporate computer resources from becoming a hole filled with legal quicksand.

Today’s regulatory environment is such that the stars are perfectly aligned for an example to be made of somebody—a company or government agency. And whoever the unfortunate soul is who sits atop the corporate chain of command at that time, he or she will wish they had taken the time to answer the following ten questions and implement the appropriate changes in their organization.

Question 1. What types of information must be protected by internal controls according to Sarbanes-Oxley?

Answer: Unauthorized disclosure of nonpublic data is a violation of federal securities laws. Information should be considered nonpublic if it isn’t widely disseminated to the general public, including electronic information. This information should be protected, but it should also be monitored to ensure it isn’t disclosed inappropriately.

Section 404 makes management responsible for building internal controls that safeguard assets, including controls for the timely detection of any unauthorized acquisition, use or disposition of an entity’s assets that could have a material effect on the financial statements. You need to demonstrate that you have the capabilities to monitor, detect and record electronic information disclosures.

Question 2. Since so much nonpublic information is communicated beyond e-mail based on the Simple Mail Transfer Protocol, how can we build internal controls that detect, in a timely way, disclosures of information flowing over Web mail, chat or HTTP?

Answer: Management can’t ensure the truthfulness or accuracy of financial data if it doesn’t have the means to monitor the movement of sensitive information across the entire corporate network 24 hours a day, seven days a week.

Demand more from technology. New products are available that can monitor electronic disclosure of nonpublic information and aren’t limited to SMTP-based e-mail. These technologies can monitor, record and provide alerts on electronic disclosures by analyzing all information flowing over the corporate network from Web mail and chat to file transfer protocol and HTTP. This type of monitoring technology combined with a storage system that allows forensic searches into stored information can prove invaluable if an investigation is required.
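To make the monitoring described in Question 2 concrete, here is an added illustration (not code from the article or from any product it alludes to) of the two capabilities the answer asks for: classify outbound flows from every protocol, not just SMTP, against markers for nonpublic content, and keep every flow, alerting or not, in a store that a later investigation can search by user, protocol and time. The flow records, field layout, user names, hosts and marker regexes are all constructed for the example; a real appliance would feed normalised traffic in and would use a classifier tuned to the company’s own document labels and financial-reporting vocabulary.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records (not real traffic). One outbound flow per line, in the
# shape a monitoring appliance might normalise them to:
#   <ISO timestamp> <protocol> <user> <destination host> <content excerpt>
SAMPLE_FLOWS = [
    "2005-11-15T09:12:04 smtp jdoe   partner.example.net Attached the Q3 board deck - CONFIDENTIAL, do not forward",
    "2005-11-15T09:40:51 http jdoe   webmail.example.org Forwarding the nonpublic earnings numbers before Thursday call",
    "2005-11-15T10:02:19 chat asmith im.example.com     lunch at noon?",
    "2005-11-15T10:15:33 ftp  bjones files.example.com  upload: 10-Q_draft_internal_only.pdf",
    "2005-11-15T11:05:00 http asmith news.example.com   reading the public press release",
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+(?P<user>\w+)\s+(?P<dest>\S+)\s*(?P<content>.*)$"
)

# Hypothetical markers for nonpublic material. Word boundaries are deliberately
# omitted so labels embedded in file names ("..._internal_only.pdf") still match.
MARKERS = (
    ("confidentiality label", re.compile(r"confidential|nonpublic|internal[ _-]only", re.I)),
    ("pre-release financial material", re.compile(r"earnings|10-[qk]|board deck", re.I)),
)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str
    user: str
    dest: str
    content: str


def parse_flow(line: str) -> Flow:
    """Split one normalised flow record into its fields; protocol is lower-cased."""
    m = FLOW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(datetime.fromisoformat(m["ts"]), m["proto"].lower(),
                m["user"], m["dest"], m["content"])


def classify(flow: Flow) -> List[str]:
    """Names of every marker found in the content; an empty list means nothing to alert on."""
    return [name for name, rx in MARKERS if rx.search(flow.content)]


class ForensicStore:
    """Append-only record of every flow (alerting or not) with a per-user index for searches."""

    def __init__(self) -> None:
        self._records: List[Tuple[Flow, List[str]]] = []
        self._by_user: Dict[str, List[int]] = {}

    def record(self, flow: Flow, hits: List[str]) -> None:
        self._by_user.setdefault(flow.user, []).append(len(self._records))
        self._records.append((flow, hits))

    def search(self, user: Optional[str] = None, proto: Optional[str] = None,
               since: Optional[datetime] = None, alerts_only: bool = False
               ) -> List[Tuple[Flow, List[str]]]:
        """Filter stored flows; each criterion is optional and they are ANDed together."""
        candidates = ([self._records[i] for i in self._by_user.get(user, [])]
                      if user else list(self._records))
        return [(f, h) for f, h in candidates
                if (proto is None or f.proto == proto)
                and (since is None or f.ts >= since)
                and (not alerts_only or h)]

    def __len__(self) -> int:
        return len(self._records)


def monitor(lines: Iterable[str]) -> Tuple[List[dict], ForensicStore]:
    """Record every flow, regardless of protocol, and raise an alert for each marker hit."""
    store = ForensicStore()
    alerts: List[dict] = []
    for line in lines:
        flow = parse_flow(line)
        hits = classify(flow)
        store.record(flow, hits)          # everything is retained for later investigation
        if hits:
            alerts.append({"ts": flow.ts.isoformat(), "proto": flow.proto,
                           "user": flow.user, "dest": flow.dest, "markers": hits})
    return alerts, store


if __name__ == "__main__":
    alerts, store = monitor(SAMPLE_FLOWS)
    for a in alerts:
        print(f"ALERT {a['ts']} {a['proto']:<4} {a['user']:<7} -> {a['dest']}: {', '.join(a['markers'])}")
    print(f"{len(store)} flows retained; jdoe has {len(store.search(user='jdoe'))} on record")
```

Run as a script, the three flagged flows arrive over SMTP, HTTP (Web mail) and FTP, which is the point of the answer: a control that only watches the mail gateway would see one of them. The chat flow produces no alert but is still retained, so an investigator can reconstruct who sent what, over which channel, in a given window.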

Question 3. What are the penalties for exposing nonpublic information?

Answer: The use of nonpublic information concerning a company or any of its affiliates (a.k.a. “inside information”) in securities transactions (“insider trading”) may violate federal securities laws. Penalties can include:

  • Exposure to investigations by the SEC.
  • Criminal and civil prosecution.
  • Relinquishing profits realized or losses avoided through use of the information.
  • Penalties up to $1 million or three times the amount of any profits or losses, whichever is greater.
  • Prison terms of up to 10 years.

Question 4. What action should a company take if nonpublic information is inappropriately exposed on its network?

Answer: If nonpublic information is inappropriately disclosed on your network, you must rapidly execute a response program to identify the extent of the exposure, assess the effect on the corporation and its customers, and notify all affected parties.

Section 409 of Sarbanes-Oxley mandates that companies publicly disclose additional information concerning material changes in the company’s financial condition or operations. While Sarbanes-Oxley contains many reporting requirements, real-time identification of material changes and disclosures (the consensus being 48 hours) is the most significant challenge.

Question 5. Who is personally liable if there is a compliance violation?

Answer: The CEO and the CFO must certify all financial statements filed with the SEC. The maximum penalty for Securities Exchange Act violations has increased to $5 million for individuals and $25 million for entities, as well as imprisonment of up to 20 years.

Section 802 of Sarbanes-Oxley states, “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies or makes a false entry in any records, documents or tangible object with the intent to impede, obstruct or influence the investigation or proper administration of any department or agency of the United States… or contemplation of any such matter or case, shall be fined… imprisoned not more than 20 years, or both.”

Question 6. How long is the “reach back” on compliance violations?

Answer: Section 804 of Sarbanes-Oxley extends the statute of limitations in private securities fraud actions to the earlier of two years after the discovery of the facts constituting the violation or five years from the violation.

Question 7. Are there compliance strategies I can deploy to help prove due diligence if our company is investigated?

Answer: Today, an offensive rather than a defensive compliance program is important. Deploy strategies that provide you with the evidentiary support you need when things go wrong. New network security appliances designed to capture and record all electronic communication can provide forensic capabilities with automated reporting that corresponds to compliance needs. These solutions must be deployed within an overarching compliance strategy that aligns with the business to continuously:

  • Identify and monitor risks.
  • Establish effective internal controls.
  • Test the validity of the controls.
  • Support CEO and CFO certifications.
  • Conduct third-party audits.
  • Monitor for changes in risks, controls and compliance needs.
  • Adjust proactively, as needed.

Question 8. What role should external auditors play in compliance?

Answer: The Public Company Accounting Oversight Board was created through the Sarbanes-Oxley Act to oversee the auditors of public companies. The board recently approved Auditing Standard No. 2, an audit of internal control over financial reporting conducted with an audit of financial statements. The new standard highlights the benefits of strong internal controls over financial reporting and furthers the objectives of Sarbanes-Oxley.

Question 9. Will I need to prevent electronic disclosures from occurring?

Answer: No compliance program can ever prevent 100 percent of misconduct by corporate employees. Nor do the regulations state that you must prevent internal disclosures—including electronic disclosures—from happening. If investigated, you will need to show, as due diligence, that you can respond rapidly and appropriately to detect and deter misconduct that exposes your company to operational risk with a potential material effect on your business.

Question 10. What happens if I am investigated?

Answer: Compliance programs should be designed to detect the particular types of operational risks most likely to occur in a corporation’s lines of business.

Management must be able to answer two fundamental questions:

  1. Is the corporation’s compliance program well-designed?
  2. Does the corporation’s compliance program work?

Dan Verton is the vice president and executive editor of Homeland Defense Media, and the author of The Insider: A True Story.