Security Market Watch

Understanding Disaster Response in the Financial Industry Ft. Securities Law Expert, Jack Bensimon

September 14, 2023 Josh Bruyning

Are you ready to understand the vital role of disaster recovery planning and the importance of cybersecurity in today's digital age? Join hosts Maggie Dillon and Josh as they sit down with Jack Bensimon, who walks us through a disaster recovery manual in a way that's easy to grasp. Jack helps us understand the necessity of preparing for potential disasters, and the crucial role insurance coverage plays in safeguarding businesses. We also delve into the implications of disasters on business continuity and the probable duration of these situations.

Shifting gears, we discuss the growing significance of outsourcing cybersecurity. We highlight the benefits of risk diversification and Jack shares his insights on the differences between IT and cybersecurity, introducing us to the world of corporate governance. As we wrap up, we touch on a rather sensitive topic - personal liability in the financial industry. We explore the complex landscape of the SOX regulation, and the personal attestations expected from public company CEOs and CFOs. We also weigh the prospects of personal liability for mid-level and lower managers should they be involved in severe financial fraud. Tune in for a comprehensive discussion on disaster recovery planning, cybersecurity, and personal liability.


Speaker 1:

Welcome to this episode of Security Market Watch, the show that goes straight to the source for market insights and analysis. Today, Maggie Dillon and I are here with Jack Bensimon once again. If you remember from our show with Jack, Jack is the regulatory. What are you, Jack? Are you a Jack of all trades?

Speaker 2:

No, we're definitely a Jack of all trades. We're very narrowly focused on securities regulatory compliance and, in particular, securities law, privacy law and anti-money laundering compliance. So those are the three main areas focusing on financial regulations or financial entities and, recently, healthcare health tech companies.

Speaker 1:

Check out that episode with Jack Bensimon. I think it was two or three episodes ago. We can put it in the show notes in the description. Check it out. Maggie, how are you doing?

Speaker 3:

I'm in the dream. It's always great when we have recurring guests on. I know today we're going to focus a little bit on some very particular areas, so let's jump right into it. The first thing that I thought of when we were talking prior to hitting record, we were talking about disaster recovery planning. There's a lot of things that are going on in the world. The first thing that I thought of was the issue of what's going on with Hawaii, for instance. One of our islands has taken a massive hit. There are a lot of resources being pumped out. This is obviously a state of the United States. It's not necessarily going to be another country. So I want to walk through this with you. You've been in this industry for many years. In this instance, if we're looking at bridging cyber and the financial implications from a disaster recovery plan, what advice would you give? What have you seen in this? And this is just an example. If there are other examples you want to bring up, what would you advise people with these types of situations?

Speaker 2:

So, to start with a very high level, let's start with the 50,000 foot level, which is to have what's called a disaster recovery plan, a disaster recovery manual, if you will. That includes a series of controls that could be automated versus manual controls as to how you're going to deal with these types of disasters, taking in a range of anything from the current hurricane, Idalia, to earthquakes, to floods, to all kinds of other potential disasters where your internal mechanism something as simple as gaining access to data, gaining access to client information, or even potentially calling a colleague or getting on a Zoom call with your colleague is going to be compromised. So what the DRP manual does essentially is it acts and serves as a control mechanism as to if and when this happens. We all know that at some point it's going to happen, right, whether it's a pandemic or whether it's an actual disaster or whatever the case is. The actual studies are very clear it's going to happen at some point and depending on where the jurisdiction is. So you should have a preparation plan and that's what the disaster recovery plan is effectively. So, at a high level, it's a manual that depends on your industry vertical. So, for example, if you're in financial services, let's say you're a broker dealer or you are an asset manager.

Speaker 2:

One of the key things you want to make absolutely sure of is that there's going to be ongoing continuing operation of your business during this kind of a disaster, and so how is that going to take place? So you want to make sure that, whether you have software mechanisms or you have certain hardware mechanisms, where are you storing your information? Is it in the cloud, or is it on Amazon or elsewhere? How is that taking place? And then, within that, another component we should probably talk about is insurance. What kind of insurance do you have to make sure that, if and when this happens and there are losses, potentially, that those losses are properly covered for? And then, of course, there's the other piece, which is cybersecurity, which is a natural piece here, which is, during a disaster like this, given that there may not be the best electricity, there may not be the best wire formations, etc. How are you protecting the integrity of your data within the existing cybersecurity mechanisms that you have?

Speaker 2:

And so that component, that cybersecurity component alone, should be intricately embedded into the disaster recovery planning. And that's going to depend on the scope of your cybersecurity protective mechanisms. That's going to depend on your vendor outsourcer you may have one or two or three different cybersecurity outsource companies Really depends on the scope of that cybersecurity operation and the scope of your risk exposures. So, as part of the DRP, what's really important is the risk assessment. So what comes out of that risk assessment is what are your key risk exposures when there is a disaster? How are those risks being properly mitigated and remediated? Who's responsible for what and where? And this is all diagrammatically documented in the DRP. So if Maggie Dillon was the Chief Cybersecurity Officer, what are her responsibilities along the pendulum during a disaster? What are Josh's responsibilities if he was the CEO of the company? So there's clearly delineated roles and responsibilities with contact numbers etc.

Speaker 2:

All this should be clearly laid out in the DRP, because the last thing you want are surprises. Surprises add to risk, they add to uncertainty and they also add to ancillary costs and they also don't give a lot of comfort to insurance companies. So the other thing an insurance company will ask for is do you have a disaster recovery planning manual? And so they will look at the manual and they will see how it's laid out. Do they have the proper controls? Do they have the proper accountabilities? Do they have the word charts in there? And, by the way, just as a side note, they'll also look at BCP, which I know is not really in focus here, which is the business continuity plan, which is, how is the business going to continue during the formation of a disaster? Because sometimes we don't know how long this disaster is going to take. It could take 10 days, it could take 20 days, it could take 40 days. We really don't know. So we have to plan for those contingencies. So let's start with who's the author of this kind of a manual, and typically this manual is started by, I would say, in some way, compliance. It works with legal, it works with cybersecurity personnel, it works with IT personnel and certainly with management, in terms of delineating who's responsible for what, when and where and how and how things are going to be carried out, and also, within that is an emergency response plan.

Speaker 2:

So let me explain that it doesn't necessarily mean like a hurricane. It could be something like if we take the example of Equifax. A number of years ago, Equifax had a major data security leak and there were many, many individual accounts that were affected. These were, you know, people who had entrusted Equifax with very sensitive financial information, credit risk ranking information, etc. And there was a major data leakage and as a result I believe that was a hack into their systems, a very serious hack.

Speaker 2:

So they then had to task their emergency response team, which probably includes, in some ways, an outside PR firm or, in the case of Equifax, because of its size, an investor relations firm, and they then have to deal with this disaster right.

Speaker 2:

So it's not a natural disaster, it's more like a PR disaster because it was a major data privacy leak and breach. So then they get tasked in terms of when do they roll out a press release? How do they plan how to deal with the public and communicate with the public? At what point do they engage their auditors, depending on the materiality threshold? At what point do they engage legal counsel to make sure that everything is properly worded and phrased and the proper language is there and it's simple plain language that the average John Q. Public, when it goes out into the public, understands what's taking place, the impact on their account, if any, and the short and long-term implications for shareholders. So all of this can be embedded should be embedded in a disaster recovery plan, because it only includes the natural physical disasters. That includes other disasters which are, as I say, hacks into their systems, which can often be a result of insufficient cybersecurity protection, insufficient cybersecurity controls and, in some ways, you know, obviously gaps in vulnerabilities and the systems where that data could have been accessed.

Speaker 3:

I want to focus on something that you said that I really want to hone in on here. If we're looking at more small to medium-sized companies and, for instance, they're involved in a disaster like this Equifax, obviously I would expect them to have backup firms, these types of things, with a company that large. Is it common practice and this might sound like a silly question, but I feel like a lot of people would ask this, especially small to medium-sized business owners in cyber security. Should it be, in your opinion, common to add a second backup cybersecurity company should things completely fail, and work that into a disaster recovery plan, obviously bringing in outside vendors and who covers what duties from a project management standpoint? But that almost feels like it should be standard practice and I feel like it isn't. Am I accurate in saying that or could you give us a little?

Speaker 2:

Good business practice. That is the very good business practice. I don't believe it's standard practice.

Speaker 2:

From our experience, it is very useful to have a second party or even a third party for backup cybersecurity expertise. Because the reality is that companies who blend their IT and cybersecurity rolled into one often can miss the mark and there are many, many blind spots that they're going to miss. And so by having a third party outsourced firm, they're less likely to incur that margin of error. And the reality is also that when there are things happening internally within the company, it's focused strictly on the dynamics within the company, but if it's an outsourced third party vendor, they're not likely to be in the same jurisdiction, they're not likely to be affected by the same hurricane and, you know, similar disasters. So we have risk diversification and so that company is still probably at some level able to monitor where your gaps are, your vulnerabilities, even while this whole disaster is taking place. So that's another decided advantage is that you have diversification of jurisdiction, diversification by state and diversification by even the specific risk factors of a disaster. The likelihood of a disaster affecting four or five, six states at the same time is pretty remote. So you have that. So the short and long answer to your question is that in our experience, we do not see that as standard practice. We do see that as a standard practice as adding that in, and often in terms of a cost mechanism, there are efficiencies that can be shored up. Instead of having that internally, because we discussed this before in the previous show that IT security and cybersecurity are not the same and they're very different functions. They really should be bifurcated, and I know we talked about the corporate governance piece and finding board members that this all comes back to corporate governance at some level, and that is that the board is ultimately on the hook when these things happen.
And so if you don't have these mechanisms in place, like a DRP, like a third party cybersecurity vendor, that can mitigate the risk and provide effective and efficient remediation during a disaster, which is really important, the timing of the remediation often can be more important than the absolute remediation, because you can have a perfect plan but it can only get executed four months from now. Well, that's not going to really help much.

Speaker 2:

If you're dealing with multiple stakeholders now, you may be dealing with shareholders or with a public company. You may be dealing with credit agencies. You may be dealing with government agencies, regulatory agencies, potentially agencies that deal with privacy breaches or AML breaches or otherwise. But at the end of the day, you're dealing with sensitive, private, sensitive customer data relating to know your customer information and in the case of Equifax, that is your golden nugget. I mean, at the end of the day, you're entrusted with that information and you're in the data business. At the end of the day, if you're in Equifax, you are in the data business and if your crown jewel is being compromised, you want to make sure you have those controls in place, not just the backup but perhaps the secondary and tertiary, to make sure that those levels of risk exposure are covered, especially given the scope and size of a company like Equifax. And at the end of the day, there's really only two providers in that space. They pretty much monopolize the space. I believe those two control about 80% of the market.

Speaker 1:

Quick question, only because I'm a little bit ditzy after work, so quick: when you say a backup security company, are we talking about a backup MSSP or MSP, MSSP, managed service providers? Are we talking about backup lawyers?

Speaker 2:

No, no, so let me clarify that. That's a good point. I'm really referring to more of an MSP. I'm talking about a third party vendor that is completely extricated from the company. It's not. It really is a vendor. They're not employees. They're completely external and independent and they are tasked to monitor the risks on an ongoing weekly, monthly, quarterly, semiannual, et cetera basis, so that when a disaster takes place, they're presumably removed from that state, ideally several states removed, and so they then can take on responsibilities to start mitigating, identifying what those risks are, so that there's further prevention of more damages.

Speaker 2:

Because if this ever went to court, for example, if there were shareholders or an agency or clients, for example, or groups of entities that were going to sue the company for negligence, one of the things as a test the courts would look at is, once you identified there was bleeding, what did you do to further prevent, further bleeding right, to stop additional bleeding?

Speaker 2:

If the answer is, well, it took us two months to get things in order and then we did this, that and the other.

Speaker 2:

That's not going to work very favorably, but if you had an emergency response, that and you had a second tier vendor and potentially even a third tier cybersecurity vendor, they then can see that you already had these measures in place before it took place, and so, when it took place, you had professionals on board to manage those risks in a way that they deemed to be the most efficient and most, I would say, proficient, and making sure that the bleeding is stopped.

Speaker 2:

So what we're trying to say here is that courts do not have a standard of perfection. They don't expect companies just generally speaking from a corporate law perspective to have perfect controls, perfect standards and to behave in ways that resemble a perfect entity. They have a standard of reasonableness, and so what that means is that so long as the company is seen especially the board, is seen to take reasonable measures before, during and after a disaster, those are the most important components that go into assessing damages, assessing the negligence, assessing who's at fault for this, that and the other. So those are the key things that those courts are going to be looking at.

Speaker 1:

I'm curious at what point companies have to, at what point does the legal system really start to take over? Because I'm thinking there's some companies who might, you know, experience a breach and the court system can't tackle everybody that's experiencing a breach all at the same time. So is it delineated by vertical, by sector? There's certain sectors that get in trouble a lot faster, or is it the size of the company? Small companies slip through the cracks, you know, because if I'm a small business and I'm listening to this, the next thing I'm gonna think is does this affect me? Am I gonna need a Jack Bensimon in my corner of the ring in case I get breached? So if you can give us a little bit, that's a fair question.

Speaker 2:

So a couple things. One is the courts are always a last mechanism. They're always a last resort. If you can settle this out of court, if you can settle this in arbitration or mediation or at least through talking to the senior management on the board, it's a last resort. It's a very expensive resort, it's drawn out, it could affect the brand. It has, you know, very, very severe implications. So that's the first thing.

Speaker 2:

The second thing is this tends to be more sensitive in areas like the financial industry. So, for example, if you're a bank, if you're a broker dealer, if you are an asset manager or even a payment processor, like in the money service business or money transmittal, it's because you're dealing with very sensitive information and that is your game, those are your key crown jewels. So, to answer a question about personal liability, I think it's a very, very fair question because in the securities industry, if you are the chief compliance officer of an asset manager, let's say a registered investment advisor with the SEC or a FINRA broker dealer under the FINRA regime, then if you're a chief compliance officer, there are cases where, depending on the extent of what took place in the exposures, you can be personally liable. Now again, there are various litmus tests that a regulator would look at and one of the things they would look at is did you have controls in place, the proper controls in place, so that when something like this takes place, a disaster, you guys are ready to roll out, implement and execute the DRP? If the answer is no, then you have a higher level of liability. Then the regulators are not that kind or soft, I should say, in terms of not imposing penalties.

Speaker 2:

Same thing with the CEO of a FINRA broker dealer or of the registered investment advisor: they actually sign attestation forms annually that they agree and adhere and they believe that all the controls are in place. It's an annual attestation that a CEO and a CCO sign, typically once a year at minimum. So, as to your question, yes, there can be that personal liability both to the CEO and the CCO if the regulators deem that the standard of reasonableness was breached, not the standard of perfection, the standard of reasonableness. Okay, which is to say, they did not take reasonable measures and even when it took place, they didn't take the reasonable measures as far as hiring further expertise, hiring a disaster recovery plan team or an emergency response team, etc. So if there is personal liability, it often can be significant.

Speaker 2:

I mean, I've seen cases where the SEC, just recently actually, a very, very recent case, there was a CCO that worked for a bank and there were a number of very material anti-money laundering breaches and they felt that this CCO was responsible. In other words, they didn't have the controls in place and she was fined several million dollars for these, essentially personally, okay. Now she ended up hiring a law firm to defend the claims, to defend against the securities regulators. That alone is gonna cost at least a million, a million and a half, and you know, here's the challenge. Anytime you try to litigate against a regulator, you're up against some major disadvantages, the most important being time, because the regulator has all the time in the world. You don't, as a defendant, right.

Speaker 1:

Well, I'm sorry, there's a point to it. In that case, what triggered the? I'm not using the correct legal terms here, I'm sure, but what triggered the litigation? Was it a customer that said, hey, you know, I want to pressure you? Well, there were a number of things.

Speaker 2:

There were. I think what happened was the regulator came in, they realized that they had very weak AML controls, anti-money laundering controls. And so the first question is how did we get here? Was it as a result of the previous incumbent, the current incumbent? Was this something that was systematic within the company? The tone started at the top and then percolated downwards. How did we get here, right? So they look at the journey, they look at the sort of the last four, five, six, seven years, and then they look at this person as the CCO and say, okay, since this person started, what did they do to implement AML controls that would have been reasonably expected of this person's role as a CCO? And so you know again, industry standards, regulators have certain expectations as to what they would expect the company to have, et cetera. So it's the top person in the compliance area, the CCO, that is gonna, in this case, bear more of that responsibility. And they came to the conclusion that it was this individual's locus or nexus of obligations to get that work done. And it wasn't done, not even at a level that would have been satisfactory. So now they're gonna spend a couple of years in the courts.

Speaker 2:

Obviously there's, you know, a reputational impact for that individual. So the point I'm trying to make is that there's potential personal liability for the CEO in the financial industry, particularly for asset managers and broker-dealers, as well as for the CCO. I have not seen that liability in other industry verticals like healthcare, like health tech, or even in the MSB and the money service business. I have not seen that, and one of the main reasons, I believe, is because they are not signing personal attestations that are required in the securities industry. So then you have to sign that attestation. Remember the days of Sarbanes-Oxley? This was after Enron and we had those frauds. Well, what came out of that from Sarbanes-Oxley was that the CEO and the CFO still to this day, as a public company, you have to personally attest that all the financial controls are in order, and if you attest, if you sign that attestation, and it turns out there's a financial fraud, embezzlement or otherwise, you're on the hook. Yep, you're going down.

Speaker 2:

So you're going down in flames, and so that's another reason why we talked about last session. It's becoming more difficult to find directors on boards who are okay with taking on this kind of liability. Now they're not signing attestation forms per se, but it just goes to extend the point of when you're in certain industry verticals like financial services that are so highly regulated. They are now requiring these people to sign these attestation forms, particularly public companies. For every public company under Sarbanes-Oxley, you have to sign this attestation form, and if you don't, they follow up on it and they get suspicious and they conduct their own investigation. But you're on the hook.

Speaker 3:

I have a question. So let's say we have a huge project that's being implemented and we're talking to high level project coordinators, program managers, things of this nature. They're reporting budgets, financial projections, things of this that could obviously go up to a CCO that's going to be signing these attestation forms. What are they doing on the little guy end of these project managers who are putting these financials together? Are they held liable? Is there any type of typical standard process companies should be doing for that type of situation?

Speaker 2:

So what I've seen is, look, it would have to be egregious. I mean really obviously egregious for, I will say, a non-executive mid manager or lower level manager to be the nexus of liability, because the courts and the regulators believe that it's the senior executives who take on the risk. They obviously are compensated with higher pay and options, whatever else. It's the senior executive management's responsibility to handle that and obviously they're relying on the integrity of information coming from other managers etc. But that is their responsibility, that is the executive's responsibility. So I have not seen, I've seen very, very little liability and, as I said, unless it's egregious and it's obvious embezzlement and outright fraud. And it would have to be egregious, but it's mainly coming, it's mainly leveled against the executives and it's the CFO, the CEO, sorry, CFO, CEO and in financial services, the CCO and the CEO.

Speaker 2:

But for public companies, and this is another thing, you know, when you're a CFO of a publicly traded company, you take on a fair amount of liability. You're relying on all these people in finance to essentially make sure that the integrity of information is what it is and if it's not, you know, you have a lot of potential personal liability. Now that doesn't mean that if you have a team of 20 and, you know, there's three or four rogue players and you took reasonable steps to look into the behavior and actions of those three or four rogue players and despite all that, you were still given bad information and hence the financials were affected. Again, the courts are going to look at that, right, because you took reasonable measures yourself. So again, there isn't a standard of perfection, but it's unlikely, from what I've seen, from the SEC's perspective, that they're going to level the fines against the mid-level managers etc. It's really the executives.

Speaker 1:

Jack Bensimon. Thank you, thank you, thank you, thank you. I know you've got to run, so we'll wrap it up there. And, Maggie, anything, any last, you know, 10 second thoughts?

Speaker 3:

Sure, I just. I'm really glad that we have you on the show, because you talk about things I don't normally hear about just through the news, or these are the types of meat and potatoes that we really need to bring out to the public, because these are questions I would never have even thought of if I hadn't been a part of this. So thank you very much. Hopefully other people connected with it.

Speaker 2:

We're happy to draw on our experience and really just explain it in simple, plain language, like a fireside chat, which is what we're having.

Speaker 1:

How can people find you?

Speaker 2:

They can find us, Jack Bensimon, at blacksonediagnosticscom, or our website is blacksonediagnosticscom.

Speaker 1:

Maggie, how can people find you?

Speaker 3:

LinkedIn. Also, come follow us on YouTube, which is under Security Market Watch for our podcast, same under the newsletter. On LinkedIn and also Instagram, you'll find us.

Speaker 1:

We are everywhere where you can find us. We're on the moon. If you can't find us, it's your fault, because we're out there. I'm

Speaker 2:

Josh Bruyning. Thank you, thanks for watching.

Speaker 1:

Thank you, bye.

Disaster Recovery Planning and Cybersecurity
The Importance of Outsourcing Cybersecurity
Personal Liability in Financial Industry