By every meaningful measure, 2014 was a year of significant accomplishment across all of the agency’s areas of responsibility. The year was highlighted by the completion of several transformative rulemakings, including new policy reforms to address faults exposed during the financial crisis and initiatives to better address vulnerabilities in the resiliency and integrity of our markets. It was also an unprecedented year in enforcement, in terms of the number of cases and, more importantly, their subject matter. We made important strides in our review and action plans for optimizing the structure of our equity and fixed income markets, enhancing our risk supervision of the asset management industry and bolstering the effectiveness of public company disclosure. We also significantly strengthened our examination coverage of market participants. But, as always, we have more to do and expect a very busy 2015.
Posts Tagged ‘Risk management’
It has been two and a half years since the Financial Stability Oversight Council (FSOC) designated select financial market utilities (FMUs) as “systemically important.” These entities’ respective primary supervisory agencies have since increased scrutiny of these organizations’ operations and issued rules to enhance their resilience.
As a result, systemically important FMUs (SIFMUs) have been challenged by a significant increase in regulatory on-site presence, data requests, and overall supervisory expectations. Further, they are now subject to heightened and often entirely new regulatory requirements. Given the breadth and evolving nature of these requirements, regulators have prioritized compliance with requirements deemed most critical to the safety and soundness of financial markets. These include certain areas within corporate governance and risk management such as liquidity risk management, participant default management, and recovery and wind-down planning.
The changing business landscape, technological advances, and significant risks such as cybersecurity continue to present opportunities and challenges for companies today. Directors will want to take a fresh and critical look at their boardroom agenda to ensure it is meeting today’s needs.
PwC’s 2014-2015 edition of Key considerations for board and audit committee members, an annual publication from PwC’s Center for Board Governance, can help enhance the quality of board and management discussions in the coming year.
Here are some highlights:
“By the time you hear thunder, it’s too late to build the ark.”
In November 2014—just two weeks after Admiral Michael Rogers, director of the National Security Agency, testified to the House Intelligence Committee that certain nation-state actors had the capability of “infiltrating the networks of industrial-control systems, the electronic brains behind infrastructure like the electrical grid, nuclear power plants, air traffic control and subway systems”—Sony Pictures announced it had experienced a major cyber-attack, one many sources believe was likely perpetrated by or on behalf of a nation-state. This destructive cyber-attack was a game-changer for corporate America because it became clear that hackers are not simply focused on credit card numbers or personal information. Indeed, the attack on Sony was designed to steal the Company’s intellectual property, disseminate personal emails of high-ranking executives, and destroy Sony servers and hard drives, rendering them useless.
This post highlights what we believe to be the most significant developments during 2014 for financial institutions with respect to U.S. Bank Secrecy Act/anti-money laundering (“BSA/AML”) and U.S. sanctions programs, including sanctions administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), and identifies significant trends. The overarching trend that is likely to continue for the foreseeable future is an intense focus on BSA/AML and sanctions compliance by multiple government agencies, combined with increasing regulatory expectations and significant enforcement actions and penalties.
“If this incident [Sony] isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working—and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.”
— Author Brian Krebs, Dec. 20, 2014.
“For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.”
— Professor Bruce Schneier, Dec. 19, 2014.
Without a doubt, the last month in the world of cyber security has been tumultuous. It has now been confirmed that two companies in the United States have potentially been the subject of cyber-terrorism. Servers have been taken down or wiped out. Businesses have been significantly disrupted. Personally identifiable employee information has been shoveled by the pound onto Internet credit card “market” sites. The cyber security world has changed. And two of the most respected men in cyber security have both iterated similar messages: it is time for U.S. corporations to take this stuff seriously.
U.S. public companies face a host of challenges as they enter 2015. Here is our list of hot topics for the boardroom in the coming year:
1. Oversee strategic planning in the face of uneven economic growth and rising geopolitical tensions
2. Oversee cybersecurity as hackers seek to infiltrate even the most sophisticated information security systems
3. Assess the impact of advances in technology and big data on the company’s business plans
4. Cultivate shareholder relations and assess company vulnerabilities as activist investors target more companies
5. Consider the impact of M&A opportunities
6. Oversee risk management as newer and more complex risks emerge
7. Ensure appropriate board composition in light of increasing focus on diversity, director tenure and board size
8. Explore new trends in reducing corporate health care costs
9. Set appropriate executive compensation
10. Ensure the company has a robust compliance program as the SEC steps up its enforcement efforts and whistleblowers earn huge bounties.
“The scope of [the Sony Pictures Entertainment (SPE)] attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public…. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”
— Remarks by Kevin Mandia, “Sony Investigator Says Cyber Attack ‘Unparalleled’ Crime,” Reuters, December 7, 2014.
“The days of the IT guy sitting alone in a dark corner are long gone. Cybersecurity has become an obvious priority for C-Suites and boardrooms, as reputations, intellectual property and ultimately lots of money are on the line.”
— Priya Ananda, “One Year After Target’s Breach: What Have We Learned?” November 1, 2014.
“Resiliency is the ability to sustain damage but ultimately succeed. Resiliency is all about accepting that I will sustain a certain amount of damage.”
— NSA Director and Commander of U.S. Cyber Command Admiral Mike Rogers, September 16, 2014.
We have definitively learned from the past few months’ worth of catastrophic cyber security breaches that throwing tens of millions of dollars at “preventive” measures is simply not enough. The bad guys are too far ahead of the malware curve for that. We have also learned that there are no such things as quick fixes in the cyber security world. Instead, the best approach is a holistic one: basic blocking and tackling such as password protection, encryption, employee training, and strong, multi-faceted intrusion detection systems really trump reliance on a “50 foot high firewall” alone. But there are also two more things that are critical to a holistic cyber security approach: a strong, well-practiced Incident Response Plan (IRP), and, as Admiral Rogers noted above, the concept of cyber-resiliency, i.e., the ability to take your lumps but continue your business operations unabated.
In this post, we tackle two questions: (1) What are the essential elements of a Cyber IRP? and (2) Why are IRPs so important to your organization?
The challenges that directors of public companies face in carrying out their duties continue to grow. The end goal remains the same, to oversee the successful, profitable and sustainable operations of their companies. But the pressures that confront directors, from activism and short-termism, to ongoing shifts in governance, to global risks and competition, are many. A few weeks ago we issued an updated list of key issues that boards will be expected to deal with in the coming year (accessible at this link: The Spotlight on Boards, and discussed on the Forum here). Highlighted below are a few of the more significant issues and trends that we believe directors should bear in mind as they consider their companies’ priorities and objectives and seek to meet their companies’ goals.
Today [November 19, 2014], the Commission considers adopting Regulation Systems, Compliance, and Integrity (or Regulation SCI). These rules and amendments are intended to establish a foundational regulatory framework for the technological market infrastructure that has become increasingly intertwined with the functioning of our securities markets. The rules being considered for adoption today represent a clear improvement over the proposed version, which offered only a hollow promise that our markets would be safer, more resilient, and more stable.