Fewer Sleepless Nights for Compliance Executives

Improved compliance programs, sufficient resources and board access have meant fewer concerns about personal liability for compliance executives, according to a study by DLA Piper.

In its 2017 Global Compliance & Risk Report, DLA Piper found that 67% of chief compliance officers surveyed said they were at least somewhat concerned about their personal liability and that of their CEOs, which was down from 81% in 2016. And 71% said they made changes to their compliance programs based on recent regulatory events, up from just 21% a year earlier. The study found that globally the compliance function is becoming more independent and prominent in large organizations.

There still remains room for improvement, however, most notably in compliance’s relationship with boards of directors. Directors, surveyed for the first time, were more uneasy, with 82% expressing at least some concern about personal liability. “This is likely related to other findings that show lingering kinks in communications channels and a persistent lack of training for directors. Together, these findings indicate that the relationship between the compliance function and boards needs work—despite efforts taken by organizations to upgrade their compliance program,” DLA Piper said.

In 2016, 77% of compliance executives said they had sufficient resources, clout and board access to support their ability to effectively perform their jobs. This year the number rose to 84% who said they felt that way. The improvement is possibly a reflection of the increased percentage of respondents who had the resources to make changes to their compliance program, compared to 2016, according to the survey.

While more respondents said they are increasingly able to effect change, obtain the resources they need and access senior leadership, a larger number said their budget was not high enough to accomplish their goals, rising from 28% in 2016 to 38%.

Boards had a different view, with 53% of directors agreeing strongly that their compliance group had sufficient resources, clout and board access. This was compared to just 29% of CCOs, which could indicate that CCOs are not effectively communicating their needs, the company said.

Of concern was that many directors appear to be receiving inadequate reporting and training on compliance matters. About a quarter of both CCOs and board members said the compliance function at their organization reports to the board less than once per quarter.

Of training, the report said that in light of a perceived heightened liability exposure for directors, it is puzzling that 44% of director respondents said they hadn’t received any training on compliance issues. Given evolving compliance standards and regulations—such as new Securities and Exchange Commission guidance on conflict minerals and updated DOJ guidance on corporate fraud—it’s arguable that training is more important than ever. Failure to engage in training could amount to a breach of fiduciary duty.

Almost half of respondents, 46%, identified monitoring as the weakest part of their compliance program. Monitoring, however, is particularly important in managing third-party risk, as regulators remain focused on violations related to third parties and as companies struggle to manage sprawling global organizations, DLA Piper said.

Top tools companies use to rate their compliance program:

Workforce Drug Positivity Rate Highest Since 2004

Workforce use of illicit drugs across the board—including cocaine, marijuana and methamphetamine—has climbed to the highest rate in 12 years, a study by Quest Diagnostics found.

Overall positivity in urine drug testing among the combined U.S. workforce in 2016 was 4.2%, a 5% relative increase over last year’s rate of 4%—the highest annual positivity rate since 2004 (4.5%), according to an analysis of more than 10 million workforce drug test results.

“This year’s findings are remarkable because they show increased rates of drug positivity for the most common illicit drugs across virtually all drug test specimen types and in all testing populations,” Barry Sample, senior director of science and technology at Quest Diagnostics Employer Solutions, said in a statement. “Our analysis suggests that employers committed to creating a safe, drug-free work environment should be alert to the potential for drug use among their workforce.”

The positivity rate in urine testing for cocaine increased for the fourth consecutive year in the general U.S. workforce and for the second consecutive year in the federally-mandated, safety-sensitive workforce. Cocaine positivity increased 12% in 2016, reaching a seven-year high of 0.28%, compared to 0.25% in 2015 in the general U.S. workforce, and 7% among federally-mandated, safety-sensitive workers to 0.28% from 0.26% in 2015.

Marijuana positivity continued to climb in both the federally-mandated, safety-sensitive and general U.S. workforces. In oral fluid testing, which detects recent drug use, marijuana positivity increased nearly 75%, from 5.1% in 2013 to 8.9% in 2016 in the general U.S. workforce. Marijuana positivity also increased in both urine testing (2.4% in 2015 versus 2.5% in 2016) and hair testing (7.0% in 2015 versus 7.3% in 2016) in the same population. Among the federally-mandated, safety-sensitive workforce, which only uses urine testing, marijuana positivity increased nearly 10% (0.71% in 2015 versus 0.78% in 2016), the largest year-over-year increase in five years.

In Colorado and Washington, the first states in which recreational marijuana use was legalized, the overall urine positivity rate for marijuana outpaced the national average in 2016 for the first time since the statutes took effect. The national positivity rate for marijuana in the general U.S. workforce in urine testing increased 4% (2.4% in 2015 compared to 2.5% in 2016).

Positivity for amphetamines (which includes amphetamine and methamphetamine) continued a year-over-year upward trend, increasing more than 8% in urine testing in both the general U.S. and federally-mandated, safety-sensitive workforces compared to 2015. According to Quest, this rise over the past decade has been driven primarily by amphetamine use, including certain prescription drugs such as Adderall.

After four straight years of increases, in 2016, urine testing positivity for heroin held steady in the general U.S. workforce and declined slightly among federally-mandated, safety-sensitive workers.

Positivity for prescription opiates—including hydrocodone, hydromorphone and oxycodones—declined in urine testing among the general U.S. workforce. Oxycodones have seen four consecutive years of declines, dropping 28% from 0.96% in 2012 to 0.69% in 2016. Hydrocodone and hydromorphone both showed double-digit declines in 2015 and 2016 (hydrocodone from 0.92% in 2015 to 0.81% in 2016; hydromorphone from 0.67% in 2015 to 0.59% in 2016).

This decline may be due to the fact that state and federal authorities have made efforts in the past few years to place tighter controls on opiate prescribing in order to address the opioid crisis.

North Korea Now Suspected in Ransomware Attack

The massive cyberattack that has struck businesses, government agencies and citizens in more than 150 countries may be tied to hackers affiliated with North Korea. Called WannaCry, the ransomware encrypts the victim’s hard drive and demands a ransom of about $300 in the virtual currency bitcoin.

According to the Washington Post:

Several security researchers studying “WannaCry” on Monday found evidence of possible connections to, for instance, the crippling hack on Sony Pictures Entertainment in 2014 attributed by the U.S. government to North Korea. That hack occurred in the weeks before Sony released a satiric movie about a plot to kill North Korean leader Kim Jong Un.

The New York Times reported that the malicious software, based on a vulnerability included in the National Security Agency tools published by the Shadow Brokers hacker group, was distributed via email. The ransomware takes advantage of vulnerabilities in Microsoft Windows systems, generating the largest ransomware attack to date. Although the flaw was patched by the company months ago, the wide spread of the attack illustrates how many users fail to update their software. Institutions and government agencies affected included the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.

Organizations are advised to back up their data and take other measures to avoid being hacked. Kroll said that while the particular ransomware variation involved in hundreds of thousands of incidents has now been rendered largely harmless, its cyber security and investigations team “strongly recommends that organizations recognize that a small change in the malware code could reactivate it. So action should be taken in conjunction with your technology unit to reduce your risk and prepare for inevitable future similar attacks. If the malware has entered your network, it has the ability to spread—and spread rapidly.”

According to Kroll:

  • Obsolete versions of Microsoft Windows are particularly vulnerable. We understand that there may be very specific circumstances that require you to use versions that are no longer supported, but now is the time to revisit the topic. See if there is any way you could use a supported operating system running a virtual version of the operating system you need.
  • Microsoft has been working to roll out updates that can fix the underlying security weakness that this malware exploits. You should make sure that both your personal and business machines running Windows are updated. We know that many people don’t want to take the time to close out all their files and restart their computers to allow updates to occur, but this is an important defense against the WannaCry ransomware. As an indicator of how serious the threat is, note that Microsoft has even released a security patch for the old Windows XP system. Please take steps to assure that all relevant machines running the Windows operating system are updated.
  • Organizations that don’t have well-thought-out backup and recovery plans are also very vulnerable. Management should be asking if there is a plan to assure that all important files are backed up in a way that will prevent a ransomware infection from attacking both the primary files and the backups.

President Trump ordered homeland security adviser Thomas P. Bossert to coordinate a government response to the spread of malware and find out who was responsible. According to the Times:

“The source of the attack is a delicate issue for the United States because the vulnerability on which the malicious software is based was published by a group called the Shadow Brokers, which last summer began publishing cybertools developed by the National Security Agency.”

Government investigators, while not publicly acknowledging that the computer code was developed by American intelligence agencies, say they are still investigating how the code got out. There are many theories, but increasingly it looks as though the initial breach came from an insider, perhaps a government contractor.

In a report, How to Protect Your Networks from Ransomware, the U.S. government recommends that users and administrators take preventative measures, including:

  • Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
  • Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
  • Set anti-virus and anti-malware programs to conduct regular scans automatically.
  • Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.
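The SPF and DMARC recommendation above is only effective when the published records actually enforce a policy. The following is an added example, not part of the government report or the original article, that parses constructed SPF and DMARC TXT records and flags the weak settings (a permissive "all" qualifier, p=none, partial pct) beside their hardened counterparts; the domain names and mailbox are made up.

```python
# Added example (not from the original article): evaluate SPF and DMARC TXT
# records to flag configurations that still permit spoofing.
# All record strings below are constructed samples, not real domains.

def evaluate_spf(record: str) -> dict:
    """Parse an SPF TXT record and report whether its 'all' qualifier is strict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "strict": False, "issue": "not an SPF record"}
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return {"valid": True, "strict": False, "issue": "no 'all' mechanism; unlisted senders are neutral"}
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    # '-all' (fail) is the strict setting; '~all' (softfail) needs DMARC to enforce; '+all'/'?all' allow anyone.
    if qualifier == "-":
        return {"valid": True, "strict": True, "issue": None}
    if qualifier == "~":
        return {"valid": True, "strict": False, "issue": "softfail (~all); rely on DMARC to enforce"}
    return {"valid": True, "strict": False, "issue": f"'{qualifier}all' permits any sender"}

def evaluate_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record and report whether its policy actually stops spoofed mail."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "enforcing": False, "issue": "not a DMARC record"}
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))  # default per the DMARC spec is 100
    if policy == "none":
        return {"valid": True, "enforcing": False, "issue": "p=none only monitors; spoofed mail is still delivered"}
    if policy not in ("quarantine", "reject"):
        return {"valid": True, "enforcing": False, "issue": "missing or unknown policy tag"}
    if pct < 100:
        return {"valid": True, "enforcing": False, "issue": f"pct={pct} leaves {100 - pct}% of spoofed mail unfiltered"}
    return {"valid": True, "enforcing": True, "issue": None}

# Constructed sample records: a weak pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.net"
HARDENED_SPF = "v=spf1 include:_spf.example.net -all"
HARDENED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.net"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, evaluate_spf(spf), evaluate_dmarc(dmarc))
```

In practice the records are fetched from the domain's DNS TXT entries; the evaluation logic is the same.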

Make Your Hurricane Preparations Now

With the Atlantic hurricane season’s official start on June 1, the time to check your buildings and existing contingency plans—or start a new one—is now, during hurricane preparedness week.

For 2017, Colorado State University’s hurricane research team predicts slightly below-average activity of hurricanes making landfall, with a forecast of 11 named storms, four hurricanes, and two major hurricanes.

The 2016 season is seen as a wake-up call, as 15 named storms and seven hurricanes formed in the Atlantic Basin—the largest number since 2012. Among the hurricanes was Matthew, a Category 4, which devastated Haiti, leaving 546 dead and hundreds of thousands in need of assistance. After being downgraded to a Category 2, Matthew pummeled southeast coastal regions of the U.S., with 43 deaths reported and widespread flooding in several states.

Here are 10 preparedness steps offered by FEMA:

The Insurance Institute for Business & Home Safety (IBHS) warns that small businesses are especially vulnerable. Of businesses closed because of a disaster, at least one in four never reopens.

IBHS offers these steps for preparing a business for hurricane season:

  1. Have your building(s) inspected and complete any maintenance needed to ensure your building can stand up to severe weather.
  2. Designate an employee to monitor weather reports and alert your team to the potential of severe weather.
  3. Review your business continuity plan and update as needed, including employee contact information. If you do not have a business continuity plan, consider IBHS’ free, easy-to-use business continuity plan toolkit for small businesses.
  4. Remind employees of key elements of the plan, including post-event communication procedures and work/payroll procedures. Make sure all employees have a paper copy of the plan. Review emergency shutdown and start-up procedures, such as electrical systems, with appropriate personnel, including alternates.
  5. If backup power such as a diesel generator is to be used, test your system and establish proper contracts with fuel suppliers for emergency fuel deliveries.
  6. Re-inspect and replenish emergency supplies inventory, since emergency supplies are often used during the offseason for non-emergency situations.
  7. Test all life safety equipment.
  8. Conduct training/simulation exercises for both your business continuity and emergency preparedness/response plans.

Interstate Restoration has a day-by-day list of steps for business storm preparation, based on NOAA recommendations. They include research, planning and documenting, gathering emergency supplies, checking insurance coverage and supply chain and finalizing your plan.