New York Cybersecurity Regs to Take Effect March 1

The state of New York is implementing sweeping new regulations designed to protect insurers, banks and others from the growing wave of electronic security breaches which are making headlines and causing headaches across the financial services industry.

The new rules, slated to take effect March 1, mandate that insurers, banks and other financial services institutions regulated by the Department of Financial Services (DFS) establish and maintain a cybersecurity program. In addition to setting program standards, the 12-page document also provides definitions for companies as well as laying out “Transitional Periods” of 180 days to two years for companies to comply with different parts of the conditions and parameters of the regulations.

Entities must create and maintain written policies, requiring board-level or equal approval, setting out the company’s cybersecurity plan. Companies also must designate a chief information security officer (CISO), either in-house or third-party, who will be required to report annually to the company’s board. The rules call for stress testing of systems and periodic risk assessment and for the inclusion of third party service providers in a company’s cybersecurity plan.

The regulations will be published in the New York State register on March 1 and lay out the Department’s logic in establishing the new standards. According to the document:

“The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing threat posed to information and financial systems… Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances… It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.”

New York’s regulatory framework is the first of its type in the nation, according to a release from the Governor’s office.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew M. Cuomo said in the statement. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

Under development since 2014, proposed new regulations were first published in September 2016, followed by a 45-day comment period. Updated proposed regulations were then published in December 2016, followed by a 30-day period for comments. Then in December, N.Y. state delayed implementing the rules and subsequently adjusted some requirements to reflect input from the industry, which asserted the rules were burdensome and said they would need more time to comply.

In addition to these accommodations, DFS took measures not to burden smaller businesses by establishing limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end assets.

According to the statement from the Governor’s office, the new regulations mandate:

• Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization

• Risk-based minimum standards for technology systems including access controls, data protection that includes encryption, and penetration testing

• Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events

• Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS

While cybersecurity has become an outsized concern for many business as high-profile breaches have played out in the media, sometime drawing in millions of consumers and costing companies millions of dollars in addition to precious reputational damage, many businesses remain under—or unprepared—for the challenges posed by cyber threats.

Indeed, The Hiscox Cyber Readiness Report 2017 surveyed managers and IT specialists at 3,000 small to large companies in the U.S., U.K. and Germany and found that just over half, 53%, of businesses are ill-prepared to deal with cyber-attacks. The study ranked companies from novice to expert in four key areas: strategy, resourcing, technology and process. Only 30% qualified as “expert” in their overall cyber readiness, of which 49% were U.S.-based companies.

Bribery and Corruption: What’s the best approach?

On Feb. 17, Samsung empire’s heir Lee Jae-yong was arrested on corruption and bribery charges connected to a nationwide political scandal in South Korea. While this is unlikely to directly impact the global tech behemoth in day-to-day matters, it is important to investigate how firms and governments can work together more successfully to combat white collar crime and corruption.

An international affair
The fight against bribery and corruption has historically been led by the United States, the first country to implement tough legislation with the Foreign Corrupt Practices Act of 1977. The federal law was enacted to address accounting transparency requirements and to make bribery of foreign government officials illegal.

Europe is not far behind with a range of legislation designed to prosecute and punish corporate crime. Other emerging market governments are finally cracking down as well, holding both domestic and foreign businesses and their senior management, to account.

Tackling bribery and corruption requires prosecutors and regulators that are properly equipped to investigate and deal with complex factual and legal issues. It also requires a judiciary that is impartial and can operate without political interference.

The United Kingdom’s Bribery Act of 2010 is a good example of tough new legislation that regulators and prosecutors can rely upon when investigating such crimes. It has extra-territorial reach both for U.K. companies operating abroad and for overseas companies with a presence in the U.K. It also introduced a new strict liability offence for companies and partnerships of failing to prevent bribery.

The law is not enough
Unfortunately however, even the best legal framework in the world is insufficient on its own.

Companies need to understand exactly how to go about preventing unlawful behavior, particularly in new and distant markets that their headquarters may not clearly understand. Ultimately, the real responsibility and accountability remains with the business to ensure compliance.

Countries with robust criminal and anti-corruption laws might be able to prosecute those individuals or businesses that commit offences within or outside the jurisdiction but the problem will continue until international businesses rigorously apply universal global standards to tackle corruption across emerging markets.

It’s Still about the culture
In short, this issue is about corporate culture. The following are fundamental steps for fine-tuning your organization’s approach to corruption:

• Develop a culture through education, where turning a blind eye to unlawful activity is not an option. Staff should feel comfortable with speaking out if they see anything potentially suspicious. Anti-bribery and corruption training needs to be repeated and made relevant to the day-to-day scenarios employees at different levels might face.

• The tone must be set at the top. For instance it can be useful to educate your firm’s directors with formal governance training, such as from the Institute of Directors (IoD) in London. This level of top-level attention to corporate compliance programs, including training, should be the norm.

• Proper dialogue needs to be established with regulators—not just a one-way stream of new laws and compliance requirements. A regulator should seek the views of those it is regulating. This two-way approach really does work.

Greenberg, New York State Settle Long-Running Civil Case

One of Wall Street’s longest-running dramas closed Feb. 10 as New York State and Maurice “Hank” Greenberg finally ended a legal clash which began in 2005 under the stewardship of then Attorney General Elliot Spitzer.

Former American International Group, Inc. CEO Greenberg and the Attorney General’s office reached a settlement over accusations that the company engaged in fraudulent transactions to boost reserves and hide losses.

Greenberg, who was chairman and CEO of AIG from 1967 until his ouster in 2005 and now serves as chairman and CEO of C.V. Starr & Co., will pay some $9 million to end his role in the saga. Also, Howard Smith, former AIG CFO and Greenberg’s lieutenant will pay $900,000 to settle the charges stemming from two alleged transactions designed to misrepresent company finances.

This included a $500 million deal in the year 2000 with reinsurer General Re, part of businessman Warren Buffet’s Berkshire Hathaway Inc., to pad AIG’s loss reserves. Greenberg allegedly initiated the Gen Re deal with a call to the company’s CEO.

The two former AIG leaders were also said to be involved in a deal with Capco Reinsurance Co., which masked a $210 million underwriting loss as an investment loss.

The sums paid by the men are related to performance bonuses earned from 2001 to 2004, according to New York Attorney General Eric Schneiderman, who inherited the long-running conflict. Schneiderman sought to ban the men from the securities industry and from serving as directors and officers of public companies as part of the settlement, which ultimately did not include these provisions.

Schneiderman had previously dropped a $6 billion damage claim against Greenberg and others, once a class action settlement was approved in 2013 under which Greenberg paid $115 million to AIG shareholders.

A 2009 settlement with the U.S. Securities and Exchange Commission over charges related to AIG‘s accounting saw Greenberg pay $15 million and Smith $1.5 million to the agency.

Late last year Greenberg and the Attorney General’s office turned to mediation after trial testimony had already begun in state court. The mediation, which ultimately produced the settlement, was run by alternative dispute resolution specialist Kenneth Feinberg.

The finale to the case was perhaps more of a whimper than a bang, with settlements hardly headline-grabbing and no one admitting to much more than accounting slips.

In a press release from the N.Y. State Attorney General’s Office, Schneiderman sounded a triumphant tone. “Today’s agreement settles the indisputable fact that Mr. Greenberg has denied for 12 years: that Mr. Greenberg orchestrated two transactions that fundamentally misrepresented AIG’s finances,” Schneiderman said in the statement. “After over a decade of delays, deflections, and denials by Mr. Greenberg, we are pleased that Mr. Greenberg has finally admitted to his role in these fraudulent transactions and will personally pay $9 million to the State of New York.”

Greenberg, who was unapologetic, in his statement said, “The Gen Re transaction was done for the purpose of increasing AIG’s loss reserves, and the Capco transaction was done for the purpose of converting underwriting losses into investment losses. I knew these facts at the time that I initiated, participated in and approved these two transactions…As a result of these transactions, AIG’s publicly-filed consolidated financial statements inaccurately portrayed the accounting, and thus the financial condition and performance for AIG’s loss reserves and underwriting income.”

The pundits had their say as well, split as to what it all meant.

“The taxpayers of New York State should be furious,” said the Wall Street Journal’s Paul Gigot, editorial page editor. “The $9 million fine amounts to pin money for Mr. Greenberg…It won’t come close to covering the state’s costs for pursuing the case over so many years…The real lessons of the Greenberg case start with the absurd lengths that progressive prosecutors will go to punish capitalists they don’t like,” Gigot said.

Mr. Greenberg’s lawyer David Bois called the deal with the Attorney General a “nuisance settlement,” according to the New York Times.

Others were less forgiving of Mr. Greenberg. “Just because he hasn’t pled guilty to fraud doesn’t mean he’s been vindicated,” David Schiff, a former insurance analyst who followed AIG, told the Times.

Business Interruption Seen as Top Risk Globally

A survey of more than 1,200 risk managers and corporate insurance experts in over 50 countries identified business interruption as the top concern for 2017. According to the sixth annual Allianz Risk Barometer of top business risks, this is the fifth successive year that business interruption has been seen as the biggest risk.
top-10-risks

“Companies worldwide are bracing for a year of uncertainty,” Chris Fischer Hirs, CEO of AGCS said in a statement. “They are concerned about rather unpredictable changes in the legal, geopolitical and market environment around the world. A range of new risks are emerging beyond the perennial perils of fire and natural catastrophes and require re-thinking of current monitoring and risk management tools.”

While natural disasters and fires are what businesses fear most, non-damage events such as a cyber incident, terrorism or political violence resulting in denial of access are moving higher up on the scale, according to the report. These types of incidents can cause large loss of income to companies, without actual physical loss.

The second concern, market developments, could result from stagnant markets or M&As, or from digitalization and use of new technologies.

Cyberrisk, third on the list of perils, has jumped up from 15th place in just four years. Cyber was identified as the second concern in the United States and Europe.

According to Allianz:

The results indicate that cyber risk occupies a significant portion of a company’s exposure map. The risk now goes far and beyond the issue of privacy and data breaches. A single incident, be it a technical glitch, human error or an attack, can lead to severe business interruption, loss of market share and cause reputational damage. Of the top 10 global risks in the 2017 Allianz Risk Barometer, a cyber incident could be a potential root cause or trigger for 50% of them. In addition, the toughening of data protection regulation regimes around the world is also contributing to this risk being at the forefront of risk managers’ minds, as penalties for non-compliance are increasingly severe.

Fourth on the list, natural catastrophes added up to $150 billion in total economic losses in 2016—with insured losses accounting for $42 billion of those losses—up from $28 billion in 2015, according to the report. Businesses also are more concerned about the impact of climate change and increasing weather volatility year-on-year.

Trump outlook for 2017

“Opportunities and challenges,” says Ludovic Subran, head of Euler Hermes Economic Research and deputy chief economist of Allianz research. “Companies which are domestic, either a regional multinational or national, will benefit. However, the business environment for large multi-national corporations who do have global, strongly regionally diversified business models will be more challenging. Stronger regional interests will make the lives of companies more complicated as there will be increasing protectionist regulation.”