Linking Securities Regulation to the Regulation of Security. John W. Bagby, Prof. of IST, PSU.

Why Financial Regulation Generally Matters to IST/SRA
- eDocs Predominate
- Targeted Wall St. & Financial Systemic Stability
- DoD is 1st Security Investment Target
- 2nd Highest Security Investment & Regulation Target: Financial System
- All Publicly-Traded Cos. Engage the Financial System
- Financial Transaction Security Affects All

What/Why Securities Regulations?
- Protecting Integrity of Capital/Financial Mkts
- Financial System Critical to All Prosperity
- Securities Lawyers
  - IPOs, Pvt. Placements, Securities Fraud Litigation, etc.
- Accountants & Auditors (disclosure, attest)
- Management Consultants (conflicts of interest)
- Control Wall Street
- Repeated Financial Crises & Investor Abuse
  - 1929, Great Depression, 2008 Financial Crisis

Statement of the Problem
- Risk Assessment is Largely Unregulated
- Some Significant but Narrow Exceptions:
  - ISO 31000, a "family" of industry standards
  - E.g., Nuclear Power, FDA Drug/Device Trials (NDA), SOX §404 Top-Down Risk Assessment (PCAOB & SEC)
- Regulatory Failure Due to Failed Risk Assessment
  - Several Recent & Spectacular Regulatory Failures Permitted Significant Societal Hazards:
    - Financial Engineering & Innovation
    - Food & Drug Safety
    - Petroleum Exploration & Production
    - Complex Computer-Controlled Vehicle Designs

Govt Regulation, Acting Alone, Cannot Control Systemic Risk
- Traditional Financial Risk Management has only 3 narrow foci:
  1. Hedging Financial Risks
  2. Insurance Markets & Insurance Industry Practice
  3. Actuary
- Systemic Financial Risk Largely Left to FRB
- Financial Risk Management Fragmentation Contributed to 2008 Financial Crisis
- Federal Functional Regulators All Involved:
  - Fed, Comptroller, FDIC, OTS, NCUAB, SEC, CFTC, states

Incentives for Risk Analysis: a Layered Institutional Structure
1. Market Disciplines: capital, product, factor
2. Social Responsibility: Voluntary
3. Industry (Best) Practice
4. Industry Standards
   - Independent Conformity Assessment (e.g., audit, credit rating)
5. Self-Regulation
6. State Regulation
7. Federal Regulation
8. State Tort Liability
9. Federal Tort Liability
10. State Criminal Liability
11. Federal Criminal Liability

What is the Regulation of Security?
- Staunchly Laissez-Faire Domain: CSE, IST
- Most Records now Electronic, so IST/SRA Very Fully Implicated
- Linking Diverse Bodies of Law & Practice to IT
- Risk Analysis Component of Security Protection
- Law Increasingly Implies Risk Analysis

Securities Laws Impose Systemic Security Control
- Internal Control Requirement
  - Foreign Corrupt Practices Act (FCPA)
- Security for Financial Privacy Required
  - Gramm-Leach-Bliley (G/L/B)
- Internal Control for Electronic Records
  - Sarbanes-Oxley (SOX a/k/a SourBox)
- Risk Assessments Required
  - Dodd-Frank (D-F)

FCPA
- Background
- Requirements
- Enforcement
- Internal Control

FCPA Background
- See: Prof. Mike Butler, Univ.
- 70s-era Foreign (bribe) Pmts by US Corps
  - Response to Watergate scandal
- Prohibits Bribes to Gain Foreign Business
- Required Maintenance of Accurate Books & Records to Limit Bribery Opportunities
- Implement System of Internal Control
- Other Related Mandates
  - "Grease" payments exception
- Flurry of Compliance Activities; Now Anticorruption
  - Treadway Commission
  - Cohen Commission (AICPA)
  - Recommended Management Reports on Internal Controls

What is "Internal Control?"
- General procedures for a well-managed, well-functioning Business, Govt or Not-For-Profit
- Components include:
  - Accomplish mission
  - Produce accurate, reliable data
  - Comply with laws & corporate/entity policy
  - Results: economical/efficient use of resources
  - Safeguard Assets

G/L/B
- Background
- Requirements
- Enforcement
- Financial Privacy
- Financial PIFI Security Requirements

PIFI Data Security Standards
- GLB §504 Requires Agencies to Collaborate in Developing Consistent Data Security Regimes
  - Fed, SEC, OCC, FTC, Treasury, FDIC, OTS, NCUA
- FTC "Safeguards Rule" Imposes Standards for Safeguarding Customer Information
  - Regulated financial institutions must develop, implement & maintain reasonable administrative, technical & physical safeguards to protect the security, confidentiality & integrity of customer information
  - Flexible: need be appropriate to institution's size & complexity

PIFI Data Security Standards
- Designate Data Security Employee(s)
- Perform Risk Assessment; at least evaluate risks in:
  - Employee training & management
  - Information systems, including, inter alia:
    - Network & software design
    - Information processing, storage, transmission & disposal
  - Detecting, preventing & responding to attacks, intrusions or system failures

PIFI Data Security Standards
- Design & Implement Safeguards to Control Risks Identified
- Regularly Test & Monitor Effectiveness of Key Controls
  - Evaluate & adjust in light of, or as dictated by, changing business conditions or other material circumstances
- Select & Retain Reasonable Service Providers
  - Impose these risk management obligations on service providers (old SAS 70, now SSAE 16)

SEC 17 CFR
- Less Specific than FTC or HIPAA Standards
- Require Financial Institutions w/in SEC Jurisdiction to:
  - Adopt policies & procedures, reasonably designed to:
    - Insure security & confidentiality of customer records
    - Protect against anticipated threats or hazards
    - Protect against unauthorized access or use that could result in substantial harm or inconvenience

SOX
- Background
- Requirements
- Enforcement
- Controls become IT
- Frameworks & Standards

SourBox
- Section 302
  - Requires CEO & CFO to Certify Financial Reports
    - Quarterly & Annual
  - Criminal Fines &/or Jail Time for Violators
- Section 404
  - Management Responsible to Acknowledge Responsibility for Internal Control
  - Management Responsible: Annual Assessment of Internal Controls

Some Guiding Frameworks

- These ARE Principles-Based Standards
  - Seemingly Financial, for Accountants
  - Actually System Design, for IT & Risk Analysis
- IT Infrastructure Library (ITIL)
  - 9 Firms
- COSO Internal Control Framework
- CobiT® Compliance
- ISO Security Standard for IT
  - Now ISO 27000 Series
- NIST Risk Assessment Framework

Dodd-Frank
- Risk Analyses Required
- 848 pages long, exceedingly complex
- Systemic Risk Targeted
  - Capital Markets
  - Hedge Funds & Private Equity
  - Swap Dealers & Major Swap Participants
  - Derivatives & Securitization
  - Financial Institutions
  - Insurance Industry
  - Nonbank Financial Company
- Minimum Capital, Margin, Recordkeeping and Disclosure
- Proprietary Trading (Volcker Rule)
- Consumer Protection & Mortgage Markets (retail, wholesale)
- Corporate Governance & Executive Compensation
- Misc.: Congo "Conflict Minerals" (gold, tin, tungsten)
- Alt: Conflicts, Controls & Transparency

Dodd-Frank: Conflicts
- "Skin in the Game" credit risk retention
- Whistleblower Bounties enhanced (SEC)
- Compensation Consultants & Committee Independence
- Volcker Rule (Insured Institution Proprietary Trading Ban)
- Credit Rating Agency Regulation

Dodd-Frank: Controls
- New Regulators & Regulatory Powers
  - Financial Stability Oversight Council (FSOC)
  - Bureau of Consumer Financial Protection (BCFP)
  - All Federal Functional Regulators
- Compensation
  - Comp. Committees & Consulting Contracts
  - Exec & Golden Parachute "Say-on-Pay" (non-binding)
  - Clawback
- Risk Committees for Non-Banks
- Orderly Insolvency Resolution ("2 big 2 fail")
- Derivatives Markets Mechanisms (Swap Dealers & Participants, Clearance, Market Mechanisms)

Dodd-Frank: Transparency
- Disclosure of Golden Parachutes (merger compensation)
- Acquisition Disclosure Timetables Shortened
- Executive (Trader) Compensation Disclosures
- Asset-Backed Securities (asset & loan levels)
- Derivatives Markets Transparency

Confluence of Security Disciplines

|                        | Sarbanes-Oxley             | USA Patriot     | Privacy Laws        | Trade Secret Law   |
|------------------------|----------------------------|-----------------|---------------------|--------------------|
| Impetus                | Sarbanes-Oxley             | USA Patriot     | Privacy Laws        | Trade Secret Law   |
| Control device         | Internal Controls          | Security        | Security            | Reasonable Secrecy |
| Objects                | Books, Record-keeping      | Infrastructure  | PII                 | IP                 |
| Underlying (in)tangible| Financials, Market Integrity| Nat'l Security | Privacy             | Trade Secrets      |
| Protected beneficiary  | Investors                  | People, Institutions | Subject Individuals | Owners        |