Security Market Watch

SMW # 7 - Cybersecurity Regulatory Challenges and Global Reach Ft. Jack Bensimon

August 09, 2023 Josh Bruyning Season 1 Episode 7

Do you ever wonder how the biggest technology companies navigate the complexities of board recruitment, compliance culture, and international expansion? Join us for an engaging conversation with our remarkable guest, Jack Bensimon, a highly respected, seasoned securities law expert. In our discussion, we decode the benefits and challenges of hiring a dedicated compliance officer and the pivotal role of directors and officers liability insurance. We also delve into the impact of technology on cybersecurity and privacy.

Taking the conversation to a global level, Jack shares his extensive knowledge and experience on preparing for international expansion. He provides an in-depth understanding of technology, data protection, and cybersecurity regulations in various countries, such as Taiwan, South Korea, and Japan. We scrutinize the essentiality of having appropriate resources, effective compliance programs and comprehend the risks of international business. Further, we discuss the importance of building a trust factor when hiring resources overseas and the role of local insurance. Join us to expand your horizons and gain valuable insights into the world of international business expansion.

Speaker 1:

Welcome to this episode of Security Market Watch. I'm your host, Josh Bruyning, and I'm here with the hurricane Maggie, the hurricane Dylan, who is my wonderful co-host. And, Maggie, it is really good to see you. Every time you come to these, you are such a busy person that by the time you get into one of these episodes, I feel like you're all fired up from your daily life.

Speaker 1:

Yeah, you're involved in so much, man. Maggie, I've got to do a whole show that's just you, but thank you for being here. And our guest today is Jack Bensimon. Now, Jack, I can introduce you, but I think that you'll do a better job at introducing yourself. I know in a lot of podcasts people go, well, this is my job. I don't want to tell you what you do, so can you tell us what it is that you do?

Speaker 3:

Absolutely. First of all, thanks for having me on your podcast. Good to see Maggie and Josh, as usual. So my background is in law, in securities law, and so we focus on regulatory compliance, mainly for financial regulated entities, and that includes banks, broker-dealers, investment banks, asset managers, money service businesses, money transmitter licenses, and it basically spans three areas: securities law, privacy law and anti-money laundering compliance. We deal with a lot of technology companies, including cybersecurity companies, including fintechs. You can't ignore compliance. Compliance straddles public companies, private companies. So that's what we're doing. We're very focused on those three things and we don't claim to be a jack of any trades.

Speaker 1:

Well, I've got a lot of questions about this SEC rule that's coming up. I don't know if you know a whole lot about that, but I would love to talk to you about that. So that's all the buzz in cybersecurity, but today it's going to be Maggie's show. Maggie's got all the questions, and so I'm going to sit back, relax and enjoy the show.

Speaker 2:

Oh well, thank you, I'll take that spread. Well, I've got lots of questions. Obviously, we've talked a lot about regulatory compliance, and one of the biggest things that I'm somewhat already seeing a trend with on a lot of our podcast shows is how do we bridge cybersecurity technology and regulatory compliance. A lot of times these departments are like this. It's hard to find a really good CCO. One of the biggest things that we're seeing is CFOs or CIOs covering the compliance piece when that wasn't necessarily their specialty. So can you speak a little bit to that, what challenges you're seeing and how it would be a good way for us to bridge that gap?

Speaker 3:

So, first of all, tone starts at the top, starts at the very, very top, and it starts with the board. So the board has to build a culture of compliance, and it starts there, and that starts with technology. It starts with basically dealing with their business model, and so it starts with board recruitment. So you want to recruit board members that understand technology, the role of cybersecurity and how they can mitigate their risk. So when you mentioned hiring CFOs and CIOs that can take on the compliance component, that is a dangerous task, mainly because, unless they have expertise in that area, which is rare, it's already enough to understand the financial regulations, especially if you're a public company. It's already enough to understand that, as Josh mentioned, there's new regulations by the SEC on cybersecurity. That's enough on its own, and so to add the compliance function is often a mistake. So it's very important that these companies have a dedicated compliance person and, as you said, a chief compliance officer, which is really someone who has, I would say, at least 10, 15 years' experience, understands public company rules, understands, if you're in the financial space, what regulations apply to you, what statutory legislation is going to apply to your business, etc. So that is a whole career path on its own, and so the need to combine that with a financial career path or with a technology career path is quite dangerous and it adds a lot of exposure to the firm. Not only that, but these companies often have to have directors' and officers' liability insurance. That's a whole other component, which is the insurance component, and so recruiting these board directors is a challenge in this environment, because they realize that the exposure is greater and that the rules and regulations of the game are changing almost by the month.

Speaker 3:

If you're looking at the fintech space, if you look at the cryptocurrency space, the SEC is now really clamping down on these crypto exchanges, particularly in the US.

Speaker 3:

So you have all these headwinds that are combined, and it elevates the exposure and, I would say, the profile of that chief compliance officer position. And, as you correctly said as well, there's a shortage of these people in the marketplace and they're commanding a market premium, so it's getting more costly for firms to hire these folks, sometimes turning to a fractional CCO role, which is another way that these companies can save money. But it's also important that these compliance folks understand the role of technology and where it fits into the whole matrix. And so, when it comes to cybersecurity, especially if you're a company in the fintech space or even in the asset management space, you're going to be subject to potential hacks and compromising the privacy and information of your clients. That's a big, big deal for regulators, so this is not something that should be taken lightly, and you want to have a dedicated compliance person that is working intricately and, I would say, extensively with these technology units and, in some cases, with the finance units, to make sure that these gaps are being bridged.

Speaker 2:

I love that answer. I cannot agree enough with what you just said, and I want to go back to something that you mentioned, and I'm going to use a topic that's really already come up two more times. Since our last recording, I have been speaking with government entities, both state, municipalities, federal government, and one of the biggest things that we're seeing is IT CIOs, even IT directors, anything from small to large, are not experienced enough in cybersecurity and they're asking cybersecurity to present to their boards. So think about the risk there. But also, when you're talking about hiring a board of directors, that in and of itself, very few firms specialize in that. There are so many boxes that need to be checked to even make board qualifications to be a board member. Is there any advice that you could give us, especially from a recruiting standpoint or cybersecurity standpoint, people hiring, that we could do to maybe just close some of these concerns? Because it's really like we're doing all this extra work for nothing if we're not even going to be complying out of the gate.

Speaker 3:

Thank you. So there's a couple of components. The first thing is, it's very important to bifurcate IT and cybersecurity. They're not one and the same. They're two very different roles, very different specialties, very different skill sets. And so when you're recruiting a board of directors, when you're looking to fill the slate, for example, if you're looking for a technology person, for example for IT, someone who's in cybersecurity is not necessarily going to fill that slate. It's not necessarily going to be appropriate. However, if you're looking for a board of directors with cybersecurity expertise, hiring somebody in IT is not going to fill that slate either. So what you're looking for is someone that has direct experience in your industry vertical, dealing with the challenges and obstacles that are normally part and parcel of it.

Speaker 3:

So, for example, we saw, we talked about this, Maggie, before, Equifax, the Equifax data privacy leak, which was a significant leak a couple of years ago, and that exposed some of their cybersecurity vulnerabilities. And, of course, we had a massive data protection integrity leak, which means that they had to get rescue teams on board. There were press releases that were made, et cetera. So having a board director in that space that has direct experience in that vertical, where privacy and information and privacy integrity is so critical to their business, that's something that boards should be looking for and, by the way, they're not easy to find. I'm not suggesting in any way that they're easy to find, but it's worth the time and effort to try to recruit these people.

Speaker 3:

There are various outlets that you can find that have this kind of expertise, but finding that expertise is extremely important. You want to mitigate those risks. And as well, it's very important, for example, when you're getting the D&O insurance, the directors' and officers' liability insurance, when you have these kind of folks on board, it does give the insurance company some more comfort that if an event were to take place, call it a Black Swan event, like what happened to Equifax, there are proper escalation protocols that are going to be implemented to mitigate the risk even further. Because that's what insurance companies want to see as well, that there's going to be a proper Band-Aid protocol and assessment being done while this is taking place and also after the event takes place, in terms of a post hoc analysis. Absolutely.

Speaker 1:

I know I said it at the same time, but you know I like to talk and ask questions.

Speaker 2:

You asked questions.

Speaker 1:

Okay, and I've got to cut in here. So one of the issues with the updated SEC rule is that, from a CISO perspective, what a lot of security heads are worried about is that the SEC is taking the responsibility, as compared to the earlier rule or the earlier publication, they're taking a lot of the burden off of the board and they're putting it onto the CISO, right? Which, they wanted to see the opposite. They wanted to see the pressure be on the board, and that relieves the CISO, because the CISO is already, I mean, it's already a thankless job, and they're up to their necks in pressure from everybody, right? So, from the insurance perspective, do you think that that pressure is still on the board? Or, if we're looking at the SEC rule, we're looking at pressure from the insurance company and we're looking at pressure from customers, partners, let alone the business itself. Is that pressure, like, is it too much pressure on the CISO, is it too much pressure on the security function, or is there some relief that the board can provide?

Speaker 3:

So there's a couple things attached to that. First of all, I'm not entirely surprised that the SEC has ruled that way, because they have ruled very similarly in the financial space when it comes to what they call CEO attestation for broker-dealers and asset managers and the like, and so they're putting the onus on the CEO to provide for that attestation, particularly for public companies, on signing off on the financial statements, for example. We saw this with Sarbanes-Oxley, where the CEO attestation was very, very big, and so that put less pressure on the board and more pressure on the CEO. So I'm not entirely surprised at this output. The issue around pressure with the CISO and whether or not it's justified, so there's a couple strands. So when an event takes place, there is what they call corporate fiduciary responsibility in corporate law, and so, particularly if it's a public company, that falls under securities law and corporate law, and so the board of directors has a fiduciary responsibility. If there was, let's say, a privacy violation or a cybersecurity attack and thousands of accounts were compromised in terms of data, there is a responsibility for the board to take action, provide escalation protocols, etc. So there is that board obligation. However, there is also the CISO obligation as management, as executive management, to make sure that all those controls were mitigated beforehand, that the policies and procedures were in place, that as much of the risk as possible, or most of the risk, could have been stripped out prior to the event, and that when the event took place there was proper implementation and remediation afterwards. So, in other words, there is a dual responsibility and, I would say, dual liability in these cases.

Speaker 3:

However, if you're looking at it strictly from a strict liability perspective, as far as, like, a corporate law perspective, it always starts with the board, and, as I say now, the buck stops and starts with the board. Now, some would say the buck starts and stops with the CEO. That's as well, you know, because it percolates from top to down. But more importantly, it starts with the board. And so if you don't have an effective board, if you don't have the proper slate of directors, if you don't have the proper composition of a board, you know, if the board has five people and three are finance, one compliance, nobody in technology, then you know you're going to be exposed.

Speaker 3:

You have major exposure there. The other issue is the working relationship and communication between the CISO and the board. Typically, the CISO reports to the CEO, the CEO reports to the board. You want to have a symbiotic relationship between the CISO, CEO and the board so that there's a fundamental understanding in terms of what those security obligations are for the CISO and how those risks are being properly remediated, where they're documented. Especially if you're a public company, that takes on significantly more importance because you now have to comply with public company rules, which is under the SEC and the exchange rules, as well as corporate law statutes and securities law statutes, which are very onerous to manage.

Speaker 2:

I want to kind of switch gears a little bit and talk a little bit about international spread, companies going to get a much more global footprint. You're very well internationally traveled. You've done a lot of business outside of the United States. This also adds another level of risk to what we're talking about as companies grow. I personally believe if you're going to go and hire a CISO, you need to hire a CCO at the same time. If you're going to go globally, it makes zero sense to not do that, especially being at a 3.5 million deficit on a cybersecurity level. What advice would you give to companies willing to do that, wanting to really spread their wings and go anywhere out of the United States?

Speaker 3:

Yeah, that's a great question, for the simple reason that firms are going global right now. There's much more than their domestic marketplaces out there, and so there's bigger bags to be had internationally. When you go internationally, for example, we had a client, a major financial institution client, with billions under management. We had set them up in several countries in Asia, and what we discovered was, for example, in countries like Taiwan, South Korea, Japan, there are very nuanced technology, data protection, data privacy and cybersecurity requirements, particularly in the financial institution space.

Speaker 3:

When I say nuanced, I'm talking about the letter of the law. I'm talking about very specific, prescriptive rules and regulations that allow for very little discretion. So what that means is that when you're going into these jurisdictions, you want to make absolutely sure that you have the proper resources, you've got the proper compliance programs in place, you fully understand the universe of risks that are involved, everything from low, medium, high, how you're documenting those risks, whether it's software or otherwise, and, to the compliance point, that you have a proper compliance resource, whether it's a manager of compliance or a CCO, but someone who understands the local rules and regulations and how the manuals, for example, are going to comport with the technology requirements, because the technology requirements cannot be separated from the regulatory compliance requirements.

Speaker 3:

They almost go hand in hand, because if you have a data protection breach or you have a data integrity breach or you have some of these other types of breaches on the cybersecurity front in Asia, for example, regulators are not shy about fining foreign companies. And I tell the story all the time. We have one of our resources in Japan, he's an excellent securities lawyer, trained in both the US and Japan, incidentally, which is very rare. He tells the story of a well-known British asset manager. They got licensed in Japan and they ran amok of Japanese securities rules and regulations. The Japanese regulators sent them various notices to attend hearings.

Speaker 3:

They ignored all the notices, and there were various violations as an asset manager, and essentially, after about two years, the Japanese regulator called the UK regulator, called the FCA, the Financial Conduct Authority, and blew the whistle on them. Basically said, you have a rogue player on your hands. Well, the FCA got so peeved they essentially took the action of revoking the license of the UK asset manager in the UK. So what that means is a very important lesson there, a very instructive lesson, that regulatory arbitrage is real.

Speaker 3:

The regulatory environment is very close-knit. People talk, and your behavior and compliance in one jurisdiction can affect your business, licensing and registration in your home jurisdiction. So they were out of business. Without a license to operate in the UK, they had a couple billion under management, they were out of business. So this is a classic example of when you're going to these countries, when you're talking about cybersecurity and technology and data protection and money laundering compliance, et cetera, that it's not a nice-to-have to comply with their rules and regulations. It's not a cultural nice-to-have, it's a must. It's a must. And they are not shy about imposing penalties, fines and other regulatory nuances that would penalize the firm and also, quite frankly, the brand and the reputation of the company.

Speaker 2:

So obviously it makes sense to have somebody on territory in another country that knows the culture, that knows the language and everything. My first thought, and Josh, agree with me on this, from a cybersecurity standpoint, we've got a little trust issues, all right. How do we work that in? How do we gain the trust of someone we've never met, in a totally new territory we've never worked in?

Speaker 1:

That's an excellent question.

Speaker 3:

Another question. Like anything else, trust takes time. It takes time to build, and you want to make sure that you're dealing with credible resources who've done this before, been there, done that, perhaps have worked for financial institutions. We conduct professional background checks. We do this all the time: civil background checks, criminal background checks. We check out their references. So it's a whole process, right? It's a whole due diligence process.

Speaker 3:

But the most important thing is, where have they done this before? Which type of firms? What was the size of the firms? What were their assets under management? What was their business model? Have they done this for a similar type of company that we're now entrusting them, to your point, Maggie, with really critical core assets of the company? And so you want to take your time there.

Speaker 3:

We have developed relationships, for example, placement agents, distribution agents, in many of these countries in Asia, where we've worked with them before, and now it's a question of, okay, so does this fit and make sense, given the nature of the client, given the nature of the service that you're offering and the nature of the level of protection that you're providing? Now, at the same time, depending on the jurisdiction and depending on what you're looking to do there in terms of your offering, et cetera, you may want to get local insurance. So in other words, you may have an insurance provider domestically, but it also may make sense to get additional layers of protection by getting insurance in that jurisdiction, just in case, you know, stuff comes down the pike. But look, like anything else, whether it's locally or abroad, you want to be working with folks that have pedigree, they have a history, and those are the folks that we look for. And so it takes time, it takes acumen, as well as making sure you're asking the right questions and conducting thorough background checks.

Speaker 2:

So let's say we're an investor, I'm an investor, Josh is an investor. We want to invest in startup cybersecurity companies, and we know that we want to make sure we're extremely compliant with the goal of going global, having that large footprint. And if not, you know, we see companies, they'll sell off, but they want to have a good portfolio so when they're ready to sell, they can have that global footprint ready to go, as, you know, something to look sexy for anyone who wants to purchase the company. What advice would you give to investors?

Speaker 3:

Well, a couple of things. First of all, when you're investing in a company, you obviously want to make sure that you understand management, their business model, et cetera. But as they go abroad, there are two key considerations to make sure that there's proper compliance. One is understanding the business case of going into these jurisdictions. For example, you may have, let's say, $10 billion under management and your product is mainly retail focused. That doesn't necessarily mean that your product is going to be successful in Taiwan. You have to understand the structure of the market. You have to understand where the demand is coming from, the retail space. Are there competing products in your area, in Taiwan, for example? Now, Taiwan, remember, is not as well-developed as, for example, the Japanese market. The Japanese market is an extremely well-developed, sophisticated market, so that market may make more business sense as far as looking at it from a competitive perspective, doing a SWOT analysis, et cetera. The next thing that we tell our clients is the regulatory case. What is the regulatory case? Once the business case has been satisfied, what is the regulatory case for going into this jurisdiction? In other words, what are the barriers to entry? How cost-prohibitive is it? For example, we've probably talked about this before, Dubai.

Speaker 3:

Dubai is becoming more of a financial center, a financial repository. We'll call it a haven, even a tax haven, although they've imposed now a 2% tax on corporations. But it is cost-prohibitive to get set up in Dubai. It's not like setting up a Delaware corporation, where you pay $400 and one or two days later you have a Delaware corporation. That's not the case in Dubai. It can cost anywhere from $40,000 to $50,000 to have the right board of directors on board, to get the proper articles of formation, articles of incorporation and other constating documents. So again, it really depends. So there is the business case, and there is the regulatory case.

Speaker 3:

Yeah, bearish entry have come down in Dubai. However, in terms of the business case, does that market make sense? There's something like 20 top sovereign wealth funds in Dubai with a minimum of, let's say, $10 million each. But how are you going to track those pools of capital? Maybe your product is commoditized in attracting those pools of capital. So that's why we start with the business case, then the regulatory case, because the regulatory case may prove that maybe there are instrumental, instrumentable barriers to entry. It's cost prohibitive and also that there may be very uncertain regulation coming about. So, for example, if you're a crypto company and you have all the cybersecurity controls in place and you want to go into a country like Japan. Well, japan is very crypto friendly, but highly regulated, extremely highly regulated. So that has to fit in with corporate culture and your short and long term business plans. So those are the two main considerations that we advise clients in.

Speaker 2:

Fantastic man.

Speaker 3:

I wish we could go further.

Speaker 2:

I know you've got a hard stop.

Speaker 3:

I wish you could as well. We'll have to continue at another point.

Speaker 1:

And I appreciate your time here, Jack. And again, anybody who is, if you're an investor and you're interested in regulatory compliance services, better call Jack. You know there's Better Call Saul, but I'm going to say better call Jack.

Speaker 3:

Thanks. My pleasure.

Speaker 1:

Yes, thank you so much. Thank you, Maggie. Thank you again, and thank you, dear listener or viewer. Thank you for tuning in to this episode of Security Market Watch. Follow us on Instagram and YouTube. You can catch me on LinkedIn, linkedin.com slash Josh Bruyning, and if you check out our YouTube channel, please hit like and subscribe. Thanks a lot, thank you.

Bridging Cybersecurity and Regulatory Compliance
Considerations for International Expansion and Compliance