Editor’s Note: This news story is part of SearchSecurity.com's "Eye on" series that brings together various perspectives...
on security topics throughout the year from SearchSecurity and its sister sites. In the month of June the series examines CISO management issues.
NATIONAL HARBOR, Md. – Regardless of whether an organization is in the financial industry, if it doesn’t already have a committee to monitor and assess the implications of the Dodd-Frank Act, then its compliance program may already be falling behind.
At the 2011 Gartner Security & Risk Management Summit, that was a key message delivered Monday by French Caldwell, Gartner Research vice president, and John Bace, research vice president in Gartner’s Compliance Risk and Leadership group.
The Dodd-Frank Wall Street Reform and Consumer Protection Act was signed into law by President Barack Obama last July to close the legal loopholes that contributed to the financial crisis of 2007-2010 and provide more regulation and oversight of the financial industry.
Many mistakenly think the law only applies to financial institutions, Bace said, but it applies to all publicly held companies. He said the intent of Congress was to create a legal mechanism through which it would be possible to dissect the business operations of an organization that may be about to fail and negatively affect the economy.
“Many of the financial institutions that were the root causes of the financial crisis literally were deemed too big to fail,” Bace said. “Congress didn’t want another failure that could undermine the financial vitality of the United States and have an impact on the world economy.”
Many of the financial institutions that were the root causes of the financial crisis literally were deemed too big to fail.
John Bace, research vice president, Gartner’s Compliance Risk and Leadership group
Dodd-Frank, like the Sarbanes-Oxley Act, comes with plenty of compliance gotchas, the speakers said, several of which enterprise security and compliance managers should give scrutiny.
It includes whistleblower incentives to encourage employees to provide the Securities and Exchange Commission (SEC) with information on fiduciary wrongdoing at their companies. Specifically, in cases where the amount of a potential financial fraud tops $1 million, a whistleblower could collect a bounty that equal as much as 30% of the amount of the fraud.
“So don’t report it right away,” Caldwell said sarcastically. “Wait until it gets up over $1 million so you can get your 30%!” The law, Bace noted, prevents enterprise compliance professionals from cashing in, but others in IT are eligible. As a result, enterprise security and compliance pros may face new headaches if it’s perceived they have an incentive to spy on each other, or worse, to Caldwell’s point, may ignore malfeasance until it’s worth their while to report it.
The law also has a “clawback” provision, which essentially forces CEOs and CFOs to reimburse their companies for incentive-based compensation received in periods in which financial reports are later restated. It also lowers the bar in a variety of ways that make it easier to prove when corporate executives attempt to perform fraud, and introduces anti-business and corruption guidelines that shine a brighter spotlight on unusually high financial commission sums.
These and many other Dodd-Frank details have the SEC and 10 other government agencies hard at work crafting nearly 400 rule-making efforts to define how the law’s provisions will be implemented, Caldwell said, a process that will take years.
To that end, Caldwell said, each enterprise should have a compliance bureau or panel group that is tasked with not only monitoring how Dodd-Frank is implemented and will affect the organization, but also to provide feedback on rules as they’re being developed.
“When the rules go up for public comment, anyone can provide feedback to regulators, even businesses,” Caldwell said.
Unfortunately, said Bace, it’s unclear whether Dodd-Frank will ultimately address the root causes of the financial crisis. He noted that Congress passed Dodd-Frank instead of waiting for the results of the Financial Crisis Inquiry Commission, which was formed in May 2009 to investigate the causes of the crisis and make legislative recommendations, though ultimately the commission failed to reach a consensus determination.
“This is why we’re dealing with the [large] amounts of regulations and such,” Bace said. “They never even got to the root cause of the problems that occurred.”
Tom Sinnott, a Chicago-based attendee representing a large marketplace exchange organization, said his firm has already set up a Dodd-Frank compliance bureau to monitor its rules. He said the team includes technical, legal, finance and business representatives.
He said the enterprise is ready to handle the new regulations, but the expected postponement of the July implementation of a wide swath of the Dodd-Frank regulations takes the pressure off. Either way, Sinnott said, the law “is not going to dramatically change” the compliance controls the company has in place.
Still, for most companies, Sinnott said, simply keeping track of Dodd-Frank compliance will come with a hefty price tag. “There’s no good formula” to determine how much it’ll cost, he said, “but it should be significant.”