Deep Dive into the SEC's Settlement with R&R Donnelly on Cybersecurity Controls

What’s the real cost of keeping corporate misconduct hidden? In this episode of Corruption, Crime and Compliance, Michael Volkov explores how the DOJ's recent declinations highlight the risks and rewards of voluntary self-disclosure. By examining two key cases, Michael illustrates how companies can avoid prosecution through cooperation but still face significant penalties, like disgorgement. The episode underscores the importance of transparency and robust compliance programs in navigating DOJ enforcement strategies.Key Points Covered:Declinations Explained: While DOJ declinations allow companies to avoid criminal charges, they require disgorgement of illegal profits.Boston Consulting Group Case: BCG reported bribery violations related to securing contracts in Angola. The company earned a declination by cooperating with DOJ, firing involved employees, and enhancing compliance. Total disgorgement: $14.4 million.Hitachi Cable (Proterial) Case: Hitachi Cable disclosed fraudulent safety violations in its motorcycle brake hoses. The company’s proactive disclosure and internal reforms led to a declination. Disgorgement: $15.1 million, with partial credit for prior payments.The Risk of Concealment:  Companies that hide misconduct face higher penalties. Voluntary disclosure offers the potential for leniency through declinations.DOJ’s Corporate Compliance Focus: DOJ continues to push for transparency and proactive corporate compliance, using declinations as a tool to incentivize self-reporting and improve internal controls.Resources:Michael Volkov on LinkedIn | TwitterThe Volkov Law Group

How will the DOJ's new corporate whistleblower pilot program reshape the enforcement of corporate criminal conduct? In this episode of Corruption, Crime, and Compliance, Michael Volkov explores the Department of Justice's (DOJ) new corporate whistleblower pilot program, highlighting its potential impact on corporate criminal enforcement. The program, which mirrors aspects of the SEC’s whistleblower program, is designed to incentivize individuals to report misconduct by offering financial rewards. The program is significant for privately held companies and financial institutions not covered by the SEC, marking a notable shift in DOJ's approach to corporate compliance and enforcement.You’ll hear him discuss:DOJ’s Whistleblower Pilot Program: The DOJ introduced a three-year whistleblower pilot program that offers financial rewards to individuals who provide original information leading to significant criminal or civil forfeitures. This program, effective from August 1, 2024, mirrors aspects of the SEC’s program but is specifically tailored to corporate criminal enforcement.Non-Appealable Rewards: Unlike the SEC’s program, decisions made under the DOJ’s whistleblower program are not appealable, minimizing litigation risks for the DOJ.Focus on Privately Held Companies: The program significantly impacts privately held companies and non-public financial institutions, areas previously not covered by the SEC’s whistleblower program. This shift increases risks for these entities, particularly in cases involving foreign bribery, money laundering, and healthcare fraud related to private insurers.Incentives for Internal Reporting: The program introduces a 120-day window for companies to act on internal reports of misconduct. If companies fail to take action within this period, whistleblowers can report directly to the DOJ, potentially earning financial rewards, while companies risk losing potential non-prosecution agreements.Implications for Corporate Compliance: The new whistleblower program pressures companies to enhance their ethics and compliance programs. Companies must now navigate the risks associated with delayed reporting and the potential for whistleblowers to bypass internal controls in favor of DOJ reporting.Impact on DOJ Enforcement: The program is expected to bolster DOJ’s corporate enforcement actions by encouraging more reports of misconduct, particularly in areas not previously covered by similar programs. However, the adequacy of the reward fund to incentivize significant whistleblower reporting remains uncertain.Resources:Michael Volkov on LinkedIn | TwitterThe Volkov Law GroupWhistleblower Awards Pilot Program

A New York federal district judge handed down a significant decision dismissing much of the SEC's securities fraud enforcement action against SolarWinds arising from its claims relating to SolarWinds' cybersecurity policies and disclosure of a significant cyberattack against the SolarWinds' network. In this episode of Corruption, Crime, and Compliance, Michael Volkov discusses the significant dismissal of most of the SEC's securities fraud claims against SolarWinds by a New York federal district court. The case highlights the ongoing challenges in balancing cybersecurity disclosures with regulatory requirements, and the implications this ruling might have for future SEC enforcement actions.You’ll hear him discuss:Judge's Decision: The court ruled that the SEC's claims were overly reliant on hindsight and speculation, particularly regarding SolarWinds’ early-stage disclosure during the investigation of cyber incidents.Pre- and Post-Sunburst Disclosures: While the court upheld charges related to SolarWinds' pre-Sunburst cybersecurity statements, it dismissed the SEC’s claims about the company’s post-Sunburst disclosures, finding them not misleading under the circumstances.Internal Controls vs. Cybersecurity: The court rejected the SEC's attempt to apply internal accounting controls provisions to cybersecurity policies, marking a significant limitation on the SEC's enforcement scope.Implications for SEC's Approach: This decision contradicts the SEC's previous stance in cases like R.R. Donnelly, potentially influencing future SEC actions regarding cybersecurity and internal controls.Broader Impact: The ruling may affect how cybersecurity risks are reported and how companies manage their disclosure obligations, particularly in light of potential appeals and further litigation by the SEC.Resources:Michael Volkov on LinkedIn | TwitterThe Volkov Law Group

Have you heard of the recent controversies around Boeing 737 MAX and its safety? Have you wondered what is being done about the concerns around it? In this episode of Corruption, Crime, and Compliance, Michael Volkov delves into the latest developments in the Boeing 737 MAX case, highlighting the recent plea agreement proposed by the Department of Justice (DOJ). The Boeing 737 MAX case took another dramatic turn. On July 24, 2024, the Department of Justice filed with the United States District Court for the Northern District of Texas a proposed plea agreement with Boeing. Under the Plea Agreement, Boeing will plead guilty to the original Information filed in 2021 with the Deferred Prosecution Agreement ("DPA"). The discussion focuses on Boeing's alleged failure to implement adequate compliance measures, leading to significant risks and violations, and the ongoing legal and ethical implications of the case. Tune in to hear a detailed analysis of the complexities and legal ramifications of Boeing’s recent plea agreement and what it means for corporate compliance and accountability.You’ll hear him talk about:Certification Issues: Boeing failed to ensure its 737 MAX certifications were accurate, risking false certifications to the FAA.DOJ Plea Deal: Boeing agreed to plead guilty to conspiracy to defraud the U.S., facing opposition from victims' families who find the resolution insufficient. The plea agreement, which has been filed under Federal Rule Criminal Procedure 11(c)(1)(C), requires the Court to approve and accept the deal. The Court can reject the plea deal and require the parties to renegotiate the terms.Victims’ Rights: The proposed resolution has been controversial because of the opposition of the families of the victims, who have opposed the plea agreement and general disposition of DOJ's investigation and prior resolutions as insufficient to vindicate the public interest and their rights as victims of Boeing's malfeasanceCompliance Failures: Boeing breached its DPA by not implementing effective compliance controls, particularly in safety and quality processes.Independent Monitor: Boeing will be monitored for three years and must invest $455 million in compliance and safety improvements.Ongoing Challenges: Boeing’s anti-fraud measures still have gaps, with broader implications for industries where safety is critical.Resources:Michael Volkov on LinkedIn | TwitterThe Volkov Law Group

How does the SEC's recent settlement with R.R. Donnelly & Sons Company impact internal controls for cybersecurity incidents? In this episode of Corruption, Crime, and Compliance, Michael Volkow discusses a significant decision by the SEC involving a $2.1 million settlement with RR Donnelly & Sons Company (RRD) related to a 2021 ransomware attack. The SEC's decision marks the first time it applied its internal controls enforcement authority to cover cybersecurity policies and procedures, representing a substantial expansion of its enforcement reach.The SEC criticized RRD for failing to prioritize the review of security alerts and implement an effective workflow for escalating such reports. This oversight led to delayed detection and response to the cyber attack, during which hackers exfiltrated 70 gigabytes of data, including personal and financial information tied to 29 clients.You’ll hear him talk about:The importance of robust internal controls to ensure prompt investigation and escalation of potential cybersecurity incidents.The need for companies to allocate sufficient resources and personnel to monitor and respond to third-party security alerts.The SEC's critique of RRD's internal incident response policies, particularly the lack of clear lines of responsibility and efficient workflows.The dissenting opinions within the SEC regarding the broad application of internal controls to cybersecurity, highlighting the need for specific guidance on reasonable cybersecurity controls.Resources:Michael Volkov on LinkedIn | TwitterThe Volkov Law GroupSEC settlement

Is your HR department rolling their eyes at compliance? Does your company have a non-retaliation policy? The report, based on over 1,000 global responses, reveals growing maturity in compliance programs but notable gaps, such as only 61% having a hotline and 55% having a non-retaliation policy. Join us on this week’s Corruption Crime and Compliance to learn how cross-functional relationships are strong with data privacy and risk but weak with HR and finance. Michael Volkow highlights NavX's report, showing compliance's high engagement in processes like reputational harm and data breaches but often being involved late in mergers and acquisitions. Learn that common compliance issues include privacy, cybersecurity, and regulatory demands. The report also covers ESG programs and the need for better third-party risk management - tune in to hear more!You’ll hear him talk about:How compliance is often brought in late during mergers and acquisitions, with 20% of respondents noting no engagement in these processes.Notable gaps that include only 61% of organizations having a hotline or whistleblower internal reporting channel and only 55% having a non-retaliation policy.How the report shows progress in the maturity of compliance programs, with half of the respondents rating their programs in the top two tiers of maturity.Compliance having strong relationships with data privacy and risk functions, but experiencing significant resistance from HR and finance departments.Half of the organizations experiencing at least one compliance issue in the past three years, with privacy and cybersecurity being the most common issues.Two-thirds of boards receiving periodic compliance reports, but one-third do not, highlighting a need for improved board engagement in compliance matters.Resources:Michael Volkov on LinkedIn | TwitterThe Volkov Law GroupNavex State of Risk and Compliance Report

Is the progress itself enough to consider the battle won? Are the ongoing scandals casting a shadow over the hard work against corruption? Despite challenges (such as limited resources due to the ongoing war) and recent scandals (such as overpriced eggs for the military), Ukraine maintains multiple institutions committed to transparency and integrity, crucially supported by international partnerships aimed at enhancing its anti-corruption infrastructure.Listen to this conversation between Michael Volkov and Halyna Senyk in which they focus on Ukraine's anti-corruption efforts amidst the backdrop of its ongoing war with Russia. Halyna Senyk, an expert from the CEELI Institute, details Ukraine's progress since 2014, highlighting the establishment of key anti-corruption agencies and reforms and how, over 10 years, it moved from 144 to 104 place in the Transparency International Corruption Perception Index.You can listen to how, despite these advancements, Senyk acknowledges persistent challenges, including recent setbacks and scandals that have tested the country's resolve.You’ll hear them discuss:Historically pervasive and deeply rooted corruption at various levels of government and the reality of society that remains a critical challenge. Despite reforms and the establishment of anti-corruption agencies, the implementation and effectiveness of these measures are often undermined by systemic issues.The conflict with Russia that started in 2014 leading to military, economic, and social destabilization. This conflict has strained Ukraine's resources and governance capabilities, posing obstacles to effective governance and reform efforts.The volatile political landscape in Ukraine is characterized by frequent changes in leadership and political alliances that hamper consistent policy implementation and reform progress.The ongoing conflict and systemic corruption and how they contribute to economic challenges, including reduced investor confidence, economic uncertainty, and financial strain on public institutions.Ukraine's geopolitical position and how relations with neighboring countries and international allies, particularly with regard to Russia and the European Union, influence its ability to implement reforms and receive international support effectively.ResourcesHalyna Senyk on LinkedInEmail: [email protected] Institute (Central and Eastern European Law Initiative)Michael Volkov on LinkedIn | TwitterThe Volkov Law Group

Bryn Sedlacek, Vice President and Product Manager at Aravo, joins us on the podcast to discuss third-party risk management focusing on holistic risks and unified visibility. In a wide-ranging discussion, Mike Volkov and Bryn Sedlacek discuss the challenges in implementing a third-party risk management program that captures holistic risks and maintains a consistent, unified line of sight across the organization's risk profile. They focus on sanctions, capturing the source and ultimate destination of products/services and including those in screening, leveraging how to handle conflict minerals as a model, and how data intelligence providers can help. Additionally, Bryn discusses unified visibility, which provides comprehensive visibility to executives and decision-makers across risk domains and performance. Finally, they discuss InfoSec risk with third parties, where to start, and the future of risk - technology and alternative risk strategies. Join Michael and Bryn as they navigate the complexities of compliance in today's corporate landscape.Bryn discusses how crucial it is to start with a realistic approach to building a compliance program and continually improve compliance programs to mitigate risks effectively.Having a platform like Arvao’s is valuable for companies as it is highly configurable and tailored to meet the unique needs of each client’s business structure and risk management requirements.The partnership between IT and cyber security in a compliance program is vital for addressing cybersecurity risks effectively within organizations. It is a growing trend for IT and cyber security to focus on collaboration and meeting the unique needs of each department.Unified visibility across different risk domains and third-party activities is essential for making informed decisions and managing risks effectively. Continuous monitoring and auditing are crucial in compliance programs, with a risk-based approach to optimize resources and ensure proactive risk management.Sanctions compliance is a growing area of focus, requiring proactive monitoring, risk-based approaches, and continuous updates to mitigate risks effectively.ResourcesBryn Sedlaceck on the WebEmail: [email protected] Volkov on LinkedIn | TwitterThe Volkov Law Group

In this episode of Corruption, Crime and Compliance, we delve into the complex world of sanctions compliance and enforcement. In this new era of aggressive sanctions enforcement, companies have to understand the red lines that define where criminal and civil enforcement risk increases. In contrast to the history of FCPA enforcement, DOJ and OFAC have provided helpful guidance to alert companies where risks are likely to increase. Join host Michael Volkov as he navigates the intricate landscape of voluntary disclosures, criminal and civil enforcement risks, and the evolving strategies of regulatory agencies like OFAC and the Department of Justice.Hear Michael discuss:Sanctions enforcement involves a mix of civil and criminal line drawing.On the civil side, OFAC has explained that sanctions violations can be found based on strict liability with aggravating factors that turn the actor's state of mind. Third-party liability for distributors extends to situations where a principal company knew or reasonably should have known that products sold to a third party were intended for shipment to a prohibited entity or individual or a prohibited country. Third-party liability for violations occurring in a company's supply chain requires companies to break down its supply chain and learn the sourcing for all companies in its supply chain. It is clear that a failure to examine and assess your supply chain can lead to civil liability. In defining where criminal enforcement picks up on the culpability spectrum, DOJ and OFAC have defined potential criminal conduct based on the term "willful," meaning when an actor knew that its conduct was wrong but did not necessarily know the specific law that her/she was violating. Applying the "you know it when you see it" standard, companies have to weigh the evidence of surrounding circumstances to determine if an individual actor or actors possessed the requisite intent. Criminal enforcement determination will turn on the attribution of individual conduct to a company based on respondeat superior principles -- that is, whether the conduct was committed in the course of an individual's duties and in furtherance of a legitimate business purpose. Enforcement examples to track where the precise line falls between criminal and civil are few—a good start is by reviewing a meaningful record of DOJ enforcement actions against sanctions violations. The situation is akin to the early days of aggressive FCPA enforcement, where enforcement and settlement cases were reviewed for important precedents and explanations. DOJ's record here is about to be defined and companies, commentators and trade compliance professionals will be reading tea leaves and looking for patterns.ResourcesMichael Volkov on LinkedIn | TwitterThe Volkov Law Group

LRN has issued another important report. In its latest report, The 2024 Benchmark of Ethical Culture Report, LRN has focused on the critical issue of corporate culture. LRN is a pacesetter and the leader in reliable studies on complex ethics and compliance issues. If not properly promoted or maintained, a defective culture can lead to serious misconduct, government investigation, reputational damage, and collateral harm. On the other hand, a positive and effective culture is a company's most valuable intangible asset, as it is tied directly to increased financial performance and sustainable growth. Over the past few years, business leaders have embraced what compliance and governance professionals already knew: companies with strong ethical cultures outperform other companies with weaker cultures. Employees at ethical companies are more productive, more satisfied, less likely to seek a new job, and more committed to the company's mission.Hear Michael discuss:LRN's 2024 Benchmark of Ethical Culture Report underscores the importance of ethical culture in driving financial performance and reducing misconduct rates.Generation Z shows a higher tolerance for unethical conduct, with nearly a quarter admitting to engaging in such behavior to get the job done.Hybrid workers who alternate between working from home and the office exhibit lower rates of misconduct and are more likely to report observed misconduct due to increased job satisfaction.Organizations with strong ethical cultures outperform those with moderate to weak cultures by at least 50% across various business performance measures.Employees at companies with strong ethical cultures are 1.5 times more likely to report observed misconduct, emphasizing the value of a positive work environment.Senior leaders often have more favorable perceptions of their organization's culture than middle management and frontline workers, highlighting the need for consistent messaging.LRN's research shows that nearly 70% of the variance in business performance is linked to an organization's ethical culture, emphasizing the critical role of culture in success.ResourcesLRN’s 2024 Benchmark of Ethical Culture ReportMichael Volkov on LinkedIn | TwitterThe Volkov Law Group