Linking Securities Regulation to the Regulation of Security

John W. Bagby, Prof. of IST, PSU

Why Financial Regulation Generally Matters to IST/SRA

eDocs Predominate

9/11 targeted Wall St & Financial Systemic Stability

DoD is 1st Security Investment Target

2nd highest security investment & regulation target: financial system

All Publicly-Traded Cos Engage Financial Sys

Financial Transaction Security Affects All

What/Why Securities Regulations?

Protecting Integrity of Capital/Financial Mkts

Financial System Critical to All Prosperity

Securities Lawyers

IPOs, Pvt.Place, Securities Fraud Litigation, etc.

Accountants & Auditors (disclosure, attest)

Management Consultants (conflicts of interest)

Control Wall Street

Repeated Financial Crises & Investor Abuse

1929, Great Depression, 2008 Financial Crisis

Statement of the Problem

Risk Assessment is Largely Unregulated

Some Significant but Narrow Exceptions:

Exception: ISO 31000, a “family” of industry standards

E.g., Nuclear Power, FDA's Drug/Device Trials (NDA), SOX

§ 404 Top Down Risk Assessment (PCAOB & SEC)

Regulatory Failure Due to Failed Risk Assessment

Several Recent & Spectacular Regulatory Failures

Permitted Significant Societal Hazards

Financial Engineering & Innovation

Food & Drug Safety

Petroleum Exploration & Production

Complex Computer-Controlled Vehicle Designs

Govt Regulation, Acting Alone, Cannot Control Systemic Risk

Traditional Financial Risk Management has only 3 narrow foci:

1. Hedging Financial Risks

2. Insurance Markets & Insurance Industry Practice

3. Actuary

Systemic Financial Risk Largely Left to FRB

Financial Risk Management Fragmentation

Contributed to 2008 Financial Crisis

Federal Functional Regulators All Involved:

Fed, Comptroller, FDIC, OTS, NCUAB, SEC, CFTC, states

Incentives for Risk Analysis: a Layered Institutional Structure

1. Market Disciplines: capital, product, factor

2. Social Responsibility: Voluntary

3. Industry (Best) Practice

4. Industry Standards

5. Independent Conformity Assessment (e.g., audit, credit rating)

6. Self-Regulation

7. State Regulation

8. Federal Regulation

9. State Tort Liability

10. Federal Tort Liability

11. State Criminal Liability

12. Federal Criminal Liability

What is the Regulation of Security?

Staunchly Laissez-Faire Domain: CSE, IST

Most Records now Electronic, so IST/SRA Very Fully Implicated

Linking Diverse Bodies of Law & Practice to IT

Risk Analysis Component of Security Protection

Law Increasingly Implies Risk Analysis

Securities Laws Impose Systemic Security Control

Internal Control Requirement

Foreign Corrupt Practices Act (FCPA)

Security for Financial Privacy Required

Gramm/Leach/Bliley (G/L/B)

Internal Control for Electronic Records

Sarbanes-Oxley (SOX a/k/a SourBox)

Risk Assessments Required

Dodd-Frank (D-F)

FCPA: Background, Requirements, Enforcement, Internal Control

FCPA Background

See: Prof. Mike Koehler @ Butler Univ., http://www.fcpaprofessor.com

70s-era Foreign (bribe) Pmts by US Corps

Response to Watergate scandal

Prohibits Bribes to Gain Foreign Business

Required Maintenance of Accurate Books & Records to Limit Bribery Opportunities

Implement System of Internal Control

Other Related Mandates

“Grease” payments exception

Flurry of Compliance Activities; Now Anticorruption

Treadway Commission

Cohen Commission (AICPA)

Recommended Management Reports on Internal Controls

What is “Internal Control?”

General procedures for a well-managed, well-functioning Business, Govt or Not-For-Profit

Components include

Accomplish mission

Produce accurate, reliable data

Comply with laws & corporate/entity policy

Results: economical/efficient use of resources

Safeguard Assets

G/L/B: Background, Requirements, Enforcement, Financial Privacy

Financial PIFI Security Requirements

PIFI Data Security Standards

GLB § 504 Requires Agencies to Collaborate in Developing Consistent Data Security Regimes

Fed, SEC, OCC, FTC, Treasury, FDIC, OTS, NCUA

FTC “Safeguards Rule” Imposes Standards for Safeguarding Customer Information

Regulated financial institutions must develop, implement & maintain reasonable administrative, technical & physical safeguards to protect the security, confidentiality & integrity of customer information

Flexible: need be appropriate to institution’s size & complexity

PIFI Data Security Standards

Designate Data Security Employee(s)

Perform Risk Assessment, at least evaluate risks in:

Employee training & management

Information systems, including, inter alia

Network & software design

Information processing, storage, transmission & disposal

Detecting, preventing & responding to attacks, intrusions or system failures

PIFI Data Security Standards

Design & Implement Safeguards to Control Risks Identified

Regularly Test & Monitor Effectiveness of Key Controls

Evaluate & adjust in light of, or as dictated by, changing business conditions or other material circumstances

Select & Retain Reasonable Service Providers

Impose these risk management obligations on service providers (old SAS 70, now SSAE 16)

SEC 17 CFR 248.30

Less Specific than FTC or HIPAA Standards

Require Financial Institutions w/in SEC Jurisdiction to:

Adopt policies & procedures, reasonably designed to

Insure security & confidentiality of customer records

Protect against anticipated threats or hazards

Protect against unauthorized access or use that could result in substantial harm or inconvenience

SOX: Background, Requirements, Enforcement, Controls become IT, Frameworks & Standards

SourBox

Section 302

Requires CEO & CFO Certify Financial Reports

Quarterly & Annual

Criminal Fines &/or Jail Time for Violators

Section 404

Management Responsible to Acknowledge Responsibility for Internal Control

Management Responsible: Annual Assessment of Internal Controls

Some Guiding Frameworks

These ARE Principles-Based Standards

Seemingly Financial for Accountants

Actually System Design for IT & Risk Analysis

IT Infrastructure Library (ITIL)

9 Firms

COSO Internal Control Framework

CobiT® Compliance

ISO 17799 Security Standard for IT

Now ISO 27000 Series

NIST Risk Assessment Framework

Dodd-Frank

Risk Analyses Required

848 pages long, exceedingly complex

Systemic Risk Targeted

Capital Markets

Hedge Funds & Private Equity

Swap Dealers & Major Swap Participants

Derivatives & Securitization

Financial Institutions

Insurance Industry

Nonbank Financial Company

Minimum Capital, Margin, Recordkeeping and Disclosure

Proprietary Trading (Volcker Rule)

Consumer Protection & Mortgage Markets (retail, wholesale)

Corporate Governance & Executive Compensation

Misc. Congo “Conflict Minerals” (gold, tin, tungsten)

Alt: Conflicts, Controls & Transparency

Dodd-Frank: Conflicts

“Skin in the Game” credit risk retention

Whistleblower Bounties enhanced (SEC)

Compensation Consultants & Committee Independence

Volcker Rule (Insured Institution Proprietary Trading Ban)

Credit Rating Agency Regulation

Dodd-Frank: Controls

New Regulators & Regulatory Powers

Financial Stability Oversight Council (FSOC)

Bureau of Consumer Financial Protection (BCFP)

All Federal Functional Regulators

Compensation

Comp. Committees & Consulting Contracts

Exec & Golden Parachute “Say-on-Pay” (non-binding)

Clawback

Risk Committees for Non-Banks

Orderly Insolvency Resolution “2 big 2 fail”

Derivatives Markets Mechanisms (Swap Dealers & Participants, Clearance, Market Mechanisms)

Dodd-Frank: Transparency

Disclosure of Golden Parachutes (merger compensation)

Acquisition Disclosure Timetables Shortened

Executive (Trader) Compensation Disclosures

Asset Backed Security (asset & loan levels)

Derivatives Markets Transparency

Confluence of Security Disciplines

Impetus                           | Sarbanes-Oxley               | USA Patriot          | Trade Secret Law   | Privacy Laws
Control device                    | Internal Controls            | Security             | Reasonable Secrecy | Security
Objects                           | Books, Recordkeeping         | Infrastructure       | IP                 | PII
Underlying (In)tangible Protected | Financials, Market Integrity | Nat’l Security       | Trade Secrets      | Privacy
Beneficiary                       | Investors                    | People, Institutions | Owners             | Subject Individuals