Linking Securities Regulation to the Regulation of Security
John W. Bagby, Prof. of IST, PSU

Why Financial Regulation Generally Matters to IST/SRA
- eDocs Predominate
- 9/11 targeted Wall St & the Financial System
- Systemic Stability
  - DoD is the 1st Security Investment Target
  - 2nd highest security investment & regulation target: the financial system
- All Publicly-Traded Cos Engage the Financial System
- Financial Transaction Security Affects All

What/Why Securities Regulations?
- Protecting Integrity of Capital/Financial Mkts
  - Financial System Critical to All Prosperity
- Securities Lawyers: IPOs, Pvt. Placements, Securities Fraud Litigation, etc.
- Accountants & Auditors (disclosure, attest)
- Management Consultants (conflicts of interest)
- Control Wall Street: Repeated Financial Crises & Investor Abuse
  - 1929, Great Depression, 2008 Financial Crisis

Statement of the Problem
- Risk Assessment is Largely Unregulated
- Some Significant but Narrow Exceptions:
  - ISO 31000, a "family" of industry standards
  - E.g., Nuclear Power, FDA's Drug/Device Trials (NDA)
  - SOX §404 Top-Down Risk Assessment (PCAOB & SEC)
- Regulatory Failure Due to Failed Risk Assessment
  - Several Recent & Spectacular Regulatory Failures Permitted Significant Societal Hazards:
    - Financial Engineering & Innovation
    - Food & Drug Safety
    - Petroleum Exploration & Production
    - Complex Computer-Controlled Vehicle Designs

Govt Regulation, Acting Alone, Cannot Control Systemic Risk
- Traditional Financial Risk Management has only 3 narrow foci:
  1. Hedging Financial Risks
  2. Insurance Markets & Insurance Industry Practice
  3. Actuarial Practice
- Systemic Financial Risk Largely Left to the FRB
- Financial Risk Management Fragmentation Contributed to the 2008 Financial Crisis
  - Federal Functional Regulators All Involved: Fed, Comptroller, FDIC, OTS, NCUA, SEC, CFTC, states

Incentives for Risk Analysis: a Layered Institutional Structure
1. Market Disciplines: capital, product, factor
2. Social Responsibility: Voluntary
3. Industry (Best) Practice
4. Industry Standards
   1. Independent Conformity Assessment (e.g., audit, credit rating)
5. Self-Regulation
6. State Regulation
7. Federal Regulation
8. State Tort Liability
9. Federal Tort Liability
10. State Criminal Liability
11. Federal Criminal Liability

What is the Regulation of Security?
- Staunchly Laissez-Faire Domain: CSE, IST
- Most Records now Electronic, so IST/SRA Very Fully Implicated
- Linking Diverse Bodies of Law & Practice to IT
- Risk Analysis is a Component of Security Protection
- Law Increasingly Implies Risk Analysis

Securities Laws Impose Systemic Security Control
- Internal Control Requirement: Foreign Corrupt Practices Act (FCPA)
- Security for Financial Privacy Required: Gramm/Leach/Bliley (G/L/B)
- Internal Control for Electronic Records: Sarbanes-Oxley (SOX, a/k/a SourBox)
- Risk Assessments Required: Dodd-Frank (D-F)

FCPA
- Background
- Requirements
- Enforcement
- Internal Control

FCPA Background
- See: Prof. Mike Koehler @ Butler Univ., http://www.fcpaprofessor.com
- 70s-era Foreign (bribe) Pmts by US Corps
  - Response to the Watergate scandal
- Prohibits Bribes to Gain Foreign Business
- Required Maintenance of Accurate Books & Records to Limit Bribery Opportunities
- Implement a System of Internal Control
- Other Related Mandates
  - "Grease" payments exception
  - Flurry of Compliance Activities; Now Anticorruption
  - Treadway Commission
  - Cohen Commission (AICPA): Recommended Management Reports on Internal Controls

What is "Internal Control?"
- General procedures for a well-managed, well-functioning Business, Govt or Not-For-Profit
- Components include:
  - Accomplish mission
  - Produce accurate, reliable data
  - Comply with laws & corporate/entity policy
  - Results: economical/efficient use of resources
  - Safeguard Assets

G/L/B
- Background
- Requirements
- Enforcement
- Financial Privacy

Financial PIFI Security Requirements

PIFI Data Security Standards
- GLB §504 Requires Agencies to Collaborate in Developing Consistent Data Security Regimes
  - Fed, SEC, OCC, FTC, Treasury, FDIC, OTS, NCUA
- FTC "Safeguards Rule" Imposes Standards for Safeguarding Customer Information
  - Regulated financial institutions must develop, implement & maintain reasonable administrative, technical & physical safeguards to protect the security, confidentiality & integrity of customer information
  - Flexible: need only be appropriate to the institution's size & complexity

PIFI Data Security Standards
- Designate Data Security Employee(s)
- Perform Risk Assessment; at least evaluate risks in:
  - Employee training & management
  - Information systems, including, inter alia:
    - Network & software design
    - Information processing, storage, transmission & disposal
  - Detecting, preventing & responding to attacks, intrusions or system failures

PIFI Data Security Standards
- Design & Implement Safeguards to Control the Risks Identified
- Regularly Test & Monitor Effectiveness of Key Controls
  - Evaluate & adjust in light of, or as dictated by, changing business conditions or other material circumstances
- Select & Retain Reasonable Service Providers
  - Impose these risk management obligations on service providers (old SAS 70, now SSAE 16)

SEC 17 CFR 248.30
- Less Specific than FTC or HIPAA Standards
- Requires Financial Institutions w/in SEC Jurisdiction to:
  - Adopt policies & procedures reasonably designed to:
    - Insure security & confidentiality of customer records
    - Protect against anticipated threats or hazards
    - Protect against unauthorized access or use that could result in substantial harm or inconvenience

SOX
- Background
- Requirements
- Enforcement
- Controls become IT
- Frameworks & Standards

SourBox
- Section 302: Requires CEO & CFO to Certify Financial Reports
  - Quarterly & Annual
  - Criminal Fines &/or Jail Time for Violators
- Section 404: Management Responsible to Acknowledge Responsibility for Internal Control
  - Management Responsible: Annual Assessment of Internal Controls

Some Guiding Frameworks
- These ARE Principles-Based Standards
  - Seemingly Financial, for Accountants
  - Actually System Design, for IT & Risk Analysis
- IT Infrastructure Library (ITIL): 9 Firms
- COSO Internal Control Framework
- CobiT® Compliance
- ISO 17799 Security Standard for IT, now the ISO 27000 Series
- NIST Risk Assessment Framework

Dodd-Frank: Risk Analyses Required
- 848 pages long, exceedingly complex
- Systemic Risk Targeted
  - Capital Markets
  - Hedge Funds & Private Equity
  - Swap Dealers & Major Swap Participants
  - Derivatives & Securitization
  - Financial Institutions
  - Insurance Industry
  - Nonbank Financial Companies
  - Minimum Capital, Margin, Recordkeeping and Disclosure
  - Proprietary Trading (Volcker Rule)
  - Consumer Protection & Mortgage Markets (retail, wholesale)
  - Corporate Governance & Executive Compensation
  - Misc.: Congo "Conflict Minerals" (gold, tin, tungsten)
- Alt. view: Conflicts, Controls & Transparency

Dodd-Frank: Conflicts
- "Skin in the Game" credit risk retention
- Whistleblower Bounties enhanced (SEC)
- Compensation Consultants & Committee Independence
- Volcker Rule (Insured Institution Proprietary Trading Ban)
- Credit Rating Agency Regulation

Dodd-Frank: Controls
- New Regulators & Regulatory Powers
  - Financial Stability Oversight Council (FSOC)
  - Bureau of Consumer Financial Protection (BCFP)
  - All Federal Functional Regulators
- Compensation
  - Comp. Committees & Consulting Contracts
  - Exec & Golden Parachute "Say-on-Pay" (non-binding)
  - Clawback
- Risk Committees for Non-Banks
- Orderly Insolvency Resolution ("2 big 2 fail")
- Derivatives Markets Mechanisms (Swap Dealers & Participants, Clearance, Market Mechanisms)

Dodd-Frank: Transparency
- Disclosure of Golden Parachutes (merger compensation)
- Acquisition Disclosure Timetables Shortened
- Executive (Trader) Compensation Disclosures
- Asset Backed Securities (asset & loan levels)
- Derivatives Markets Transparency

Confluence of Security Disciplines

Impetus            Control device            Objects Underlying (In)tangible                       Protected Beneficiary
Sarbanes-Oxley     Internal Controls         Books, Record-keeping, Financials, Market Integrity   Investors
USA Patriot        Security Infrastructure   Nat'l Security                                        People, Institutions
Privacy Laws       Security                  PII Privacy                                           Subject Individuals
Trade Secret Law   Reasonable Secrecy        IP Trade Secrets                                      Owners