Regulatory financial reform: impact of the Dodd-Frank Act on IT compliance.
Information Technology ("IT") is an essential component of financial business transactions and ranges from hardware, such as computers and databases, to applications, such as trading and reporting systems. (1) Data maintained in these systems are critical to bank operations, including the regulatory and financial reporting that feeds the financial statements. (2) System failures and disruptions may lead to financial misstatements, so that shareholders and investors receive inaccurate information, which can in turn lead to securities violations and lawsuits. (3)
As a result of the 2008 financial crisis, Congress passed the Wall Street Reform and Consumer Protection Act (4) ("Dodd-Frank Act") for financial regulatory reform in July 2010. The Dodd-Frank Act is complex and requires more transparency, communication, and disclosure by banks. (5) For example, the Federal Reserve is now responsible for overseeing and gathering data from financial firms in order to stabilize the market when necessary. (6) However, this reform will be impossible without incorporating IT compliance standards to ensure complete and reliable information and data. (7) Although many banks currently have IT controls in place, these controls must be enhanced in order to mitigate substantial risks. Furthermore, weak system controls can result in fines, lawsuits, disruption in the market, or even the collapse of a company. Hence, with the increase in financial data requirements and the importance of information accuracy, a strong IT control environment and strict IT policies are essential to mitigate financial and legal risks.
II. LEGISLATIVE HISTORY OF FINANCIAL REGULATIONS
A. Financial Regulations--Historical Context
The financial industry is governed by many regulatory agencies including the Federal Reserve System (8) ("Fed"), U.S. Securities and Exchange Commission (9) ("SEC"), Financial Industry Regulatory Authority (10) ("FINRA"), and U.S. Commodity Futures Trading Commission (11) ("CFTC"). Financial companies are required to strictly comply with financial regulations, which were first introduced in the Securities Act of 1933 (12) ("1933 Act"). The 1933 Act was primarily concerned with public offerings of securities, to prevent fraud and federally regulate the financial industry in response to the 1929 stock market crash that occurred during the Great Depression. (13) One year later, the government enacted the Securities Exchange Act of 1934 (14) ("1934 Act"), primarily governing the secondary trading market and establishing the SEC. (15) Furthermore, the Banking Act of 1933 (16) ("Glass-Steagall Act") was enacted to reform banking control issues and established the Federal Deposit Insurance Corporation ("FDIC"). (17) However, in 1999, Congress passed the Financial Services Modernization Act (18) ("Gramm-Leach-Bliley Act"), repealing part of the Glass-Steagall Act. (19) Another major piece of federal legislation was the Sarbanes-Oxley Act of 2002 (20) ("SOX"). This was in response to the fraudulent activities of major corporations such as Enron (21) and WorldCom. (22) SOX Section 404 addresses internal control reporting for both financial and non-financial companies. (23) As part of this internal control assessment, public firms were required to identify financial and IT risks and deficiencies that materially impacted the firms' financial statements, and to mitigate those risks with adequate controls. (24) Many companies spent substantial resources to comply with SOX, especially with Section 404. (25) These companies hired accounting firms, such as PricewaterhouseCoopers (26) and Ernst and Young, (27) to assist in complying with SOX Section 404. (28)
Enron, a large publicly held energy company, collapsed for many reasons, but one of the biggest reasons was a lack of government oversight and auditing for fraud. (29) This resulted in the criminal indictment of Enron executives and the loss of life savings for over 4,000 employees. (30) Arthur Andersen, one of the "Big 5" Accounting firms at the time, audited Enron. (31) Although accounting firms audited companies' books and records, there was less government oversight of the entire process. This lack of oversight not only contributed to the fall of a major corporation, but it also created an awareness of the importance of government regulation.
As a result of the Enron crisis, the Federal Government enacted SOX in 2002, and it revamped financial regulations and corporate governance. (32) Companies were required to completely overhaul their financial and IT practices to comply with SOX standards, primarily SOX Section 404, "Management Assessment of Internal Controls." (33) This affected not only financial controls, but also IT controls, such as physical and logical access, change management, problem management, and application processing integrity. (34) Although these regulatory changes took much time and money to implement, they resulted in more transparency and public confidence, setting the stage for broader government oversight of publicly held companies.
Additionally, the Federal Financial Institutions Examination Council ("FFIEC") is a government agency "empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions." (35)
Banks may also refer to Control Objectives for Information and Related Technologies (36) ("COBIT"), an IT governance framework that provides a standard IT policy as best practice. (37) Also, the National Institute of Standards and Technology (38) ("NIST") is responsible for developing standards and guidelines for the implementation of controls for information systems under the Federal Information Security Management Act (39) ("FISMA"). (40) Similar measures were adopted in other countries. For example, the United Kingdom's Financial Services Authority (41) ("FSA") was created in 1997 to oversee the British financial market. (42)
B. Financial Regulations--Today
Although companies already had IT controls, SOX was critical in setting up the framework that enforced stricter IT controls in companies; it did not, however, solve all problems. Even after becoming SOX compliant, companies still faced application access and data retention issues. The Computer Security Institute (43) ("CSI") and the Federal Bureau of Investigation (44) ("FBI") conducted a survey indicating that 90 percent of organizations "detected computer security breaches within the past 12 months," that "80 percent acknowledged financial losses due to computer security breaches," and that "44 percent quantified their financial losses for a total of $455,848,000 in losses among 223 respondents." (45)
Similar to the 1933 Act and SOX, the Dodd-Frank Act calls for more government oversight of companies and has even further changed the financial industry landscape. (46) The sub-prime mortgage crisis led to the government bailout of AIG, (47) the government conservatorships of Fannie Mae (48) and Freddie Mac (49), and the collapse of Lehman Brothers, (50) one of the largest firms on Wall Street at the time. This resulted in President Obama signing the Dodd-Frank Act. (51)
The Dodd-Frank Act mandates specific information technology requirements (52) and calls for greater transparency and disclosure, (53) resulting in further development and use of technology to collect and distribute information. (54) Hence, the Dodd-Frank Act will inevitably impact how financial institutions manage IT compliance.
As a result, companies are approaching the situation differently. Some companies already increased IT budgets in anticipation of the Dodd-Frank Act, (55) while other companies did not hire more IT staff. (56) After the 2008 financial crisis, companies did not spend as much money on IT. (57) Now, due to Title I of the Dodd-Frank Act, "firms are required to get their data in order and submit it to the SEC and Treasury department to show that they are not in danger of collapse or pose a risk to their counterparts and the overall financial system." (58) However, simply increasing budgets to hire IT staff and purchase hardware will not achieve compliance with the Dodd-Frank Act. All companies must enforce a stronger IT control environment to ensure that complete and accurate data is reported and disclosed to the public as well as to regulatory agencies. Financial institutions are required to maintain an adequate control environment according to regulatory requirements, but current IT control environments will not be enough to comply with the Dodd-Frank Act.
III. IT CONTROLS--BEST PRACTICES
IT controls are about more than just the systems and encompass various areas such as data security, application security, problem management, change management, system operations, and application integrity. (59) Understanding IT controls, maintaining effective IT policies, and educating employees are key to mitigating risks and accomplishing the goal of complying with the Dodd-Frank Act.
A. Data Security
Data security is essential in keeping sensitive information confidential. (60) A company's firewalls and passwords must be secure to prevent hackers from obtaining data, and the data itself should be encrypted. The infrastructure of a company is vital to maintaining the confidentiality and privacy of its customers and employees. (61) Threats may come not only from external hackers, but also internally from the company's own employees. (62) For example, an employee at Kodak tried to sell secret information to a competitor. (63) Although Kodak tried to mitigate this risk by segregating access to this data, this specific employee had full access. (64) Likewise, a researcher at IDEXX, Inc. was caught e-mailing trade secrets to a competitor. (65)
Many companies have also lost sensitive client information on laptops. (66) For example, ING US Financial Services lost 13,000 public employee social security numbers, and an Equifax employee lost a laptop that contained 2,500 employee social security numbers. (67) Employees may also back up sensitive information or store data on USB drives, which can be taken home, lost, or stolen. Therefore, companies must encrypt data and mitigate data security risks.
B. Application Security
Application security involves passwords, user login requirements, and application entitlements. (68) There are minimum requirements that these controls should meet to be adequately secure. For example, password minimum requirements will help prevent unauthorized access to sensitive systems. (69) It is industry best practice that passwords should be alphanumeric and be at a minimum of eight characters long. (70) Passwords should also include a capital letter and no repeating characters. (71) Passwords should be changed every 90 days and should not be reused. (72) This will make it harder for hackers and inappropriate users to access applications.
Additionally, the level of access a user has to a system should be periodically reviewed. (73) System administrator access should be limited to a few users since these users would have full "read," "write," and "delete" access. (74) Also, depending on the application and the business process, segregation of duties is critical. (75) In order to reduce human error and maintain segregation of duties, companies have implemented more sophisticated applications. (76) Yet, the implementation of these systems alone is not the solution. Processes must be instilled into practice and reviews of the process must be performed to ensure that these processes are working effectively.
C. Change Management
Next, a change management process includes procedures for making application or database changes. (77) It is industry best practice to not allow developers access to the production environment. (78) Developers should be the only ones who make the changes to a system, and if they have access to production, then they can alter or obtain sensitive production data. (79) Once a change is created in the development environment, it should be tested in a testing environment. (80) There are many different tests that can be run. Usually, user acceptance testing should be performed where a user tests the change. (81) Once the user signs off on the change, management approves the change and a separate team moves the change into production. (82) This segregation of duties is important in order to mitigate risk.
There are also different types of changes that can be made. Changes may be made to an application or a database. (83) Depending on the type of system that a change is being applied to, different tools may be used to make the change. (84) However, the change management process applies to all types of changes. (85) Minor changes may include bug fixes, adding a record or a field, and other smaller updates. Major changes may include system enhancements and functional updates. Minor changes may not require user acceptance testing, but major changes would require it. However, all changes need to be approved by management prior to implementation. (86) The level of the approval may depend on the level of the change.
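The change management process described above, written out as a small workflow that refuses any step taken out of order or by the wrong party. This is an added illustration, not code from the note or from any bank; the role names, users and change identifiers are constructed, and the rule that nobody may hold both the developer and deployer roles is the note's "no developer access to production" practice expressed as a check.

```python
"""Change-management workflow with segregation of duties (SoD).

Added example, not from the note or from any bank's system. It encodes the
process described in the text: a developer builds a change, it is tested, a
user signs off (mandatory for major changes), management approves, and a
separate team deploys it. Role names, users and change identifiers are
constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Role(Enum):
    DEVELOPER = "developer"   # builds the change in the development environment
    USER = "user"             # performs user acceptance testing (UAT)
    MANAGER = "manager"       # approves the change
    DEPLOYER = "deployer"     # the separate team that moves the change to production


class Size(Enum):
    MINOR = "minor"           # bug fix, new record or field: UAT optional
    MAJOR = "major"           # enhancement, functional update: UAT required


class ControlViolation(Exception):
    """Raised when a step would break the process or segregation of duties."""


@dataclass
class Change:
    ident: str
    size: Size
    developer: str
    tested: bool = False                 # tested in the testing environment
    uat_signoff: Optional[str] = None    # user who accepted the change
    approved_by: Optional[str] = None    # manager who approved it
    deployed_by: Optional[str] = None    # deployer who moved it to production


class ChangeWorkflow:
    def __init__(self, roles: Dict[str, Set[Role]]):
        # Developers get no production access, so nobody may hold both roles.
        for person, held in roles.items():
            if {Role.DEVELOPER, Role.DEPLOYER} <= held:
                raise ControlViolation(f"{person} would be both developer and deployer")
        self.roles = roles

    def _require(self, person: str, role: Role) -> None:
        if role not in self.roles.get(person, set()):
            raise ControlViolation(f"{person} does not hold the {role.value} role")

    def record_test(self, change: Change) -> None:
        """Mark the change as tested in the testing environment."""
        change.tested = True

    def user_signoff(self, change: Change, user: str) -> None:
        self._require(user, Role.USER)
        if not change.tested:
            raise ControlViolation("user acceptance testing requires a tested change")
        change.uat_signoff = user

    def approve(self, change: Change, manager: str) -> None:
        self._require(manager, Role.MANAGER)
        if manager == change.developer:
            raise ControlViolation("a developer may not approve their own change")
        if not change.tested:
            raise ControlViolation("an untested change cannot be approved")
        if change.size is Size.MAJOR and change.uat_signoff is None:
            raise ControlViolation("a major change requires user acceptance sign-off")
        change.approved_by = manager

    def deploy(self, change: Change, deployer: str) -> None:
        self._require(deployer, Role.DEPLOYER)
        if change.approved_by is None:
            raise ControlViolation("management approval is required before deployment")
        if deployer == change.developer:
            raise ControlViolation("the developer may not move their own change to production")
        change.deployed_by = deployer


def run_example() -> Change:
    """Walk one constructed major change through the full process."""
    wf = ChangeWorkflow({
        "dev_dana": {Role.DEVELOPER},
        "user_uma": {Role.USER},
        "mgr_mike": {Role.MANAGER},
        "ops_olga": {Role.DEPLOYER},
    })
    change = Change("CHG-0001", Size.MAJOR, developer="dev_dana")
    wf.record_test(change)
    wf.user_signoff(change, "user_uma")
    wf.approve(change, "mgr_mike")
    wf.deploy(change, "ops_olga")
    return change
```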
D. System Operations
Additionally, controls should be implemented for system operations. This category is broad and encompasses many different areas. A problem management process not only entails a tool to track application problems, but also prioritizes issues so they are resolved in a timely manner. (87) Without an efficient problem management process, a critical trading system may crash and not be quickly fixed, resulting in financial loss for the company. Since many processes rely on systems, and those systems rely on information from other systems in the workflow, one minor problem can have a huge impact on the company's operations.
For example, at the end of 2010, "the London Stock Exchange was hit by a technical glitch, which knocked out trading at Turquoise, one of its key trading platforms." (88) Although management indicated that it was due to human error, the issue "occurred as part of a crucial upgrade to the exchange's trading systems." (89) This could have been prevented with an effective change management process, to test the platform before it went live, and a problem management process, to quickly identify and resolve the issue.
E. Data Backup
Also, information should be backed up both on-site and offsite. (90) Companies should maintain data backups of e-mails and other hard and soft copy information in the event of a disaster. (91) For example, many companies were still able to function during the collapse of the World Trade Center because they stored copies of their data in a different location. (92) Although it may be costly, a company should take measures to mitigate these types of risks.
Backups are also necessary to recover lost data for legal discovery purposes. (93) Data retention has become an important issue in electronic discovery matters. (94) For example, Morgan Stanley was sued for $100M in damages for failing to provide clients with evidence important to arbitration cases. (95) Also, Morgan Stanley paid the SEC $15 million to settle an investigation regarding potential violation of e-mail retention rules. (96)
E-mails are usually automatically backed up through e-mail backup systems. However, it is difficult to prevent individuals from e-mailing sensitive information outside the company. It is possible to scan e-mails through systematic programs based on key words or phrases, (97) but it is more important to make sure employees are educated and aware of IT policies. (98)
In certain cases, companies are advised to maintain and store more information than they currently save. For example, there was a hearing held by the House Judiciary Subcommittee on Jan. 25, 2011, where the Deputy Assistant Attorney General for the Criminal Division indicated that Internet companies are not storing enough information for authorities. (99) Therefore, given the risk of losing sensitive information, data should be backed up.
F. Application Integrity
Furthermore, application integrity controls include system edit and validation checks, and controls over the completeness and accuracy of external and internal data transmissions. (100) System edit and validation controls include restricting fields to alphanumeric values appropriate to the data input, application screen notifications for confirmations or errors, and system calculations built into the code.
Data transmission controls are an integral part of processing. (101) As one system sends information to other systems, that data is used to process different commands. (102) In anti-money laundering processing, employee, human resource ("HR"), client, and investor data are screened against various lists, including a global watch list, to identify fraudulent individuals or terrorists. (103) Also, financial institutions are required to screen transactions for suspicious activity under the U.S. Patriot Act. (104) The completeness and accuracy of the data used for these screenings is critical to prevent fraud and potential fines from the Financial Crimes Enforcement Network (105) ("FinCEN") and other government agencies.
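One concrete form of the transmission controls described above: the sending system attaches a control trailer (record count, hash total of the amounts, and a digest of the file) and the receiving system recomputes all three before any record is screened against a watch list. This is an added illustration, not code from the note or any institution; the batch layout, the client records and the watch list are constructed for the example, and real screening would use official lists and fuzzier name matching.

```python
"""Completeness/accuracy controls on a data transmission, then watch-list screening.

Added example, not from the note or from any institution's code. The batch
layout, control trailer, client records and watch list are all constructed.
"""
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample: records one system would send to the AML screening system.
SAMPLE_RECORDS = [
    {"client_id": "C001", "name": "Jane Q. Public", "amount": "1250.00"},
    {"client_id": "C002", "name": "ACME Trading LLC", "amount": "98000.50"},
    {"client_id": "C003", "name": "John Doe", "amount": "15.25"},
]

# Constructed watch list; a real system screens against official lists.
SAMPLE_WATCHLIST = ["acme trading llc", "richard roe"]

FIELDS = ["client_id", "name", "amount"]


def build_batch(records):
    """Sender side: serialise the records and compute the control trailer."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    body = buf.getvalue()
    trailer = {
        "record_count": len(records),                                   # completeness
        "hash_total": str(sum(Decimal(r["amount"]) for r in records)),  # accuracy of amounts
        "digest": hashlib.sha256(body.encode()).hexdigest(),            # integrity of the file
    }
    return body, trailer


def verify_batch(body, trailer):
    """Receiver side: recompute the controls; return the rows and any discrepancies."""
    rows = list(csv.DictReader(io.StringIO(body)))
    problems = []
    if len(rows) != trailer["record_count"]:
        problems.append("record_count")
    if sum(Decimal(r["amount"]) for r in rows) != Decimal(trailer["hash_total"]):
        problems.append("hash_total")
    if hashlib.sha256(body.encode()).hexdigest() != trailer["digest"]:
        problems.append("digest")
    return rows, problems


def normalise(name):
    """Lower-case, strip punctuation and collapse whitespace before comparing names."""
    return " ".join(name.lower().replace(".", "").replace(",", "").split())


def screen(rows, watchlist):
    """Return the client_ids whose normalised name exactly matches a watch-list entry."""
    wanted = {normalise(w) for w in watchlist}
    return [r["client_id"] for r in rows if normalise(r["name"]) in wanted]


def process_batch(body, trailer, watchlist):
    """Reject the batch on any control discrepancy; otherwise screen it."""
    rows, problems = verify_batch(body, trailer)
    if problems:
        raise ValueError(f"batch rejected, failed controls: {problems}")
    return screen(rows, watchlist)
```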
G. Data Centers
A data center should also be securely maintained in order to protect databases, systems, and servers. (106) If a server, database, or network goes down, the company may not be able to continue to perform business activities. Sensitive data may be lost and timely processing of transactions may not occur. (107) Hence, companies should have a business continuity plan and a technical repository plan to recover systems in such an event. (108)
IV. IT CONTROL ISSUES
A. Actual Practice
It is difficult to always enforce industry best practices. This may be due to system limitations or budget constraints. Moreover, industry best practices are just "best practices." IT policies may differ from company to company and each industry may follow different best practices. Companies may determine that their IT policies are adequate or even more stringent than other companies' policies. However, this may result in inconsistencies among companies.
Even with IT policies based on federal regulations and best practices in place, companies still face fraud issues. In 2008, a Société Générale (109) ("SocGen") market trader exposed the company to a $7.2 billion loss by "exceeding his trading limits and [making] fraudulent transactions involving European index futures." (110) Although the French trader, Jerome Kerviel ("Kerviel"), was convicted and sentenced to three years in prison, SocGen also "admitted to management failures and weaknesses in its risk control systems." (111) The bank did not follow up on a "deficient" internal audit report in 2008 regarding Kerviel's trading activities. (112) Kerviel had created fictitious trades on the trading systems since late 2006, and although the bank's "'controls identified from time to time problems with the trader's portfolio,'" the false trades were not easily detectable. (113) SocGen management should have addressed the weaknesses identified in the audit and monitored threats at an "enterprise-wide" level. (114) Applications may be implemented to help detect potential issues, but controls may be ineffective or nonexistent within the workflow of the underlying processes. Hence, even with financial regulations, audits, and an IT control environment, there were not enough safeguards to prevent Kerviel's activities. (115)
Furthermore, although the same guidelines may be referenced, management determines how IT controls are implemented. However, since IT is a back office function, it often does not get the full attention and priority of management. Instead, front office, revenue-producing functions, like trading and wealth management, may be at the top of management's priority list. Management may be aware of the importance of IT, but often this urgency is not realized until a SocGen-type incident occurs.
B. Government Oversight
Some financial reform advocates believe that regulators should be given broad authority to strictly oversee financial institutions. (116) "A common diagnosis for our current ills is that financial regulators were too fragmented, inadequately informed, and lacked sufficient authority to effectively oversee the activities of large conglomerate banks." (117) However, others believe that a "financial overhaul" is not the right course of action. (118)
In 2009, President Obama proposed financial regulatory reform giving the Fed expanded powers and also "creat[ing] new federal agencies and offices charged with financial regulatory matters." (119) The Financial Regulatory Reform proposal by the White House called for "eliminating both the Office of Thrift Supervision and the Office of the Comptroller of the Currency, and merging their respective functions into a single National Bank Supervisor." (120)
The financial industry is one of the most technologically advanced industries, and continues to adopt new technology and develop new solutions to risk management problems. (121) Yet, rapid advancements and global interdependencies in the industry cause significant problems for the Government, responsible for maintaining well-functioning markets. (122) Consolidating government agencies may not be the answer to mitigating risks.
Continuing to rely on current agencies may also not provide a resolution to ensure that companies maintain sound IT processes. The United States Government Accountability Office ("GAO") found that the SEC had control weaknesses mainly due to not implementing an information security program. (123) Additionally, the SEC did not report all identified IT risks to management, and application access was not secured to restrict sensitive information. (124) Furthermore, the Department of Homeland Security ("DHS") has the responsibility to coordinate cyber security efforts with the private sector. (125) However, the GAO found that the DHS has not been able to fully achieve this task. (126)
A. IT Recommendations
Companies must first, as many companies have already done, increase their IT budgets. (127) Without financial resources, it will be very difficult to implement new IT security processes. At the very least, companies must ensure that they have adequate resources to handle the workload. Although the Dodd-Frank Act mandates more disclosure, (128) this does not necessarily mean that it is better to store more data. In order to make sure that the data is correct and relevant, companies must clean up their data. (129) Initially, the overhead and expense of complying with the Dodd-Frank Act will be high, but in the long run companies will save more money and have fewer issues resulting from IT risks.
Banks also need to continue to communicate how they are implementing stricter IT controls with other banks. By sharing different IT practices and policies, banks will be able to more effectively comply with the Dodd-Frank Act and quickly identify IT control weaknesses.
In a technology assessment study, the GAO indicated that the responsibility to ensure IT security lies with the "critical infrastructure owner." (130) However, simply providing a "cybersecurity framework" is not enough. Organizations must invest in research and development to prevent vulnerabilities from IT threats. (131) The GAO embraces this objective and provides a research strategy for accomplishing it.
[I]t is critical that cyberspace security research efforts are prioritized across all sectors to ensure that national goals are addressed. Accordingly, the National Strategy to Secure Cyberspace recommended that the Office of Science and Technology Policy (OSTP) coordinate the development of an annual cybersecurity research agenda that includes near-term (1-3 years), mid-term (3-5 years), and long-term (5 years or longer) goals. (132)

Investing in research and development of IT security will help identify new ways to mitigate future risks as technology advances. A comprehensive plan to progress out of recessions, with government leading collectively in this strategic direction, will further encourage people to trust and enter financial markets.
B. Regulatory Recommendations
Stricter IT security standards and more government oversight are required. Currently, many companies have different IT policies, and while the FFIEC and other organizations provide guidance to enforce a standard across organizations, this guidance is broad and focuses on general IT controls. More government oversight may put a strain on financial institutions, but history has shown us that this is necessary for the stabilization of our financial markets. (133) Furthermore, IT standards must be applied consistently across all organizations, both public and private. Chief Information Officers ("CIOs") from the public and private sectors have different concerns. (134) "The responsibilities of private sector CIOs resemble those of government CIOs, except in the areas of strategic planning, enterprise architecture, and collection, dissemination and disclosure of information." (135) These differences may make it more difficult for IT security standards to be consistently applied. However, financial regulatory reform is key to establishing a strong foundation while utilizing technology to enhance current processes. (136)
This goal may be achieved by implementing a single federal IT security oversight agency for all public and private organizations. Rather than impacting only publicly traded companies, the agency would oversee the enforcement of IT policies of privately held companies that meet a certain threshold (e.g. assets under management, number of employees, type of industry, etc.). However, a Federal IT agency regulating how to implement IT controls will not succeed. There is a risk of creating a monopoly or favoring one application or software over another. For example, if one company uses PeopleSoft (137) to manage its human resources, but another company uses SAP, (138) who would decide the system to be used? The government should not determine which technological platforms to utilize. Hence, while the Government may determine the standards through a single authoritative IT agency, there must be a limit to the extent of the Government's power over the companies as well.
Banks are required to comply with federal regulations, but these controls are implemented differently for each bank possibly due to the different systems and types of businesses. Some companies may enforce IT controls in a particular way due to the industry type or size of the company. Hence, it will not be an easy task to identify and tailor these regulations for each company. Instead, the regulations must address security issues for each industry.
Yet, regulations alone will not resolve the issue. (139) Implementing IT regulations will set the rules for companies, but the regulations will not prevent financial market issues from occurring. For example, government regulations and oversight were not enough to prevent the biggest market crash of this century. (140) SocGen's losses and the collapse of Lehman further underscore the importance of governmental oversight. It will be impossible to prevent all fraudulent activities, but it is with financial regulations, such as the Dodd-Frank Act, and IT regulations that the Government can mitigate these risks.
Companies are primarily concerned with making money by lowering costs and maximizing profits. However, companies cannot operate efficiently without trust from the market (141) and their consumers. (142) With the Dodd-Frank Act requiring further disclosure and transparency, companies' reliance on information will be the main source of this trust.
There can be no compromise over the overarching IT standards that every organization should follow. Government oversight mitigates the risk of banks failing to implement adequate IT controls, but companies working together to consistently enforce strict IT controls will also change the face of IT compliance on Wall Street and the global financial market.
IT security evolves as technology advances, and the financial industry is constantly adapting to new market conditions. (143) History has shown that financial regulation alone cannot entirely prevent recessions or fraudulent activities from occurring. The 1933 and 1934 Acts were in response to the 1929 stock market crash, and SOX was enacted due to the financial meltdown of WorldCom and Enron. Yet, there are still problems in the financial regulatory strategy as seen through previous fraud issues such as SocGen, the collapse of Lehman Brothers, and the sub-prime mortgage crisis that shook the very foundation of the U.S. and global economies. It was a reminder that banks that were "too big to fail" (144) were in fact too big to not fail.
The Dodd-Frank Act provides further regulations for the financial industry, but companies need further guidance on how to comply with this regulation. Although IT control best practice standards exist, (145) they provide nothing more than guidance. Hence, the Government must continue to increase oversight of both public and private organizations regarding IT compliance. The impact of inadequate IT security could be catastrophic, as seen with companies throughout history, especially in recent times. New rules and laws may temporarily alleviate these concerns, but enforcement of these laws will be critical. There may be high short-term overhead costs, but the goal of mitigating IT risks will be successfully achieved and consistently enforced with continued guidance and communication among companies.
The economic progression of the recession and growth cycles will still continue and cannot be stopped by IT security regulations. However, stricter IT regulations will mitigate the impact of a recession and maximize the growth of our economy. Through the Dodd-Frank Act, requiring valid and reliable data, companies will need to systematically implement a strategy to face this challenging task.
Andrew Yu, J.D. Candidate, Rutgers School of Law--Newark, 2013; B.S. Management Science Information Systems, Rutgers Business School, 2004. Currently working at Morgan Stanley as a Director in the Compliance Assessment Group. Previously worked at Morgan Stanley as an Investment Management Internal Audit Manager and at PricewaterhouseCoopers as an Associate in Systems Process Assurance.
* Statements and opinions expressed in this note are those of the author, and do not reflect the views of the publisher, editors, or the author's past, current, and future employers.
(1.) IT (Information Technology) Definition, TECHTERMS.COM, http://www.techterms.com/definition/it (last visited Mar. 10, 2011).
(2.) M. Christine McMahon, Regulatory Compliance and Information Technology, EDUCAUSE EVOLVING TECHN. COMM. (2008), available at http://net.educause.edu/ir/library/pdf/DEC0804.pdf.
(3.) Mark S. Beasley & J. Gregory Jenkins, The Relation of Information Technology and Financial Statement Fraud, 4 J. FORENSIC ACCT. 217, 217-18 (2003).
(4.) Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010).
(5.) Id.; see also Implementing the Dodd-Frank Wall Street Reform and Consumer Protection Act: Hearing Before the Comm. on Banking, Housing, and Urban Affairs (Sept. 30, 2010) (statement of Ben S. Bernanke, Chairman, U.S. Fed. Reserve) ("testify[ing] about the Federal Reserve's implementation of the Dodd-Frank Act.").
(6.) Saule Omarova & Adam Feibelman, Risks, Rules, and Institutions: A Process for Reforming Financial Regulation, 39 U. MEM. L. REV. 881, 888 (2009).
(7.) See Greg MacSweeney, Dodd-Frank's Impact on IT, WALL ST. & TECH., Feb. 08, 2011, http://www.wallstreetandtech.com/regulatorycompliance/229200184.
(8.) BD. OF GOVERNORS OF THE FED. RESERVE SYS. (Mar. 08, 2011), http://www.federalreserve.gov/.
(9.) U.S. SEC. & EXCH. COMM'N (Mar. 08, 2011), http://www.sec.gov/.
(10.) FIN. INDUS. REGULATORY AUTH. (Mar. 08, 2011), http://www.finra.org/.
(11.) U.S. COMMODITY FUTURES TRADING COMM. (Mar. 08, 2011), http://www.cftc.gov/index.htm.
(12.) Securities Act of 1933, Pub. L. No. 111-229, 48 Stat. 74, available at http://www.sec.gov/about/laws/sa33.pdf.
(13.) Securities Act of 1933, CORNELL UNIV. L. SCH., http://www.law.cornell.edu/wex/securities_act_of_1933/ (last visited Mar. 08, 2011); see also Securities Laws, Rules, Regulations and Information, SECLAW.COM, available at http://www.seclaw.com/secrules.htm (last visited Mar. 08, 2011).
(14.) Securities Exchange Act of 1934, Pub. L. No. 111-257, 48 Stat. 881, available at http://www.sec.gov/about/laws/sea34.pdf.
(15.) How the SEC Protects Investors, Maintains Market Integrity, and Facilitates Capital Formation, U.S. SEC. & EXCH. COMM'N, http://www.sec.gov/about/whatwedo.shtml (last visited Mar. 08, 2011).
(16.) Banking Act of 1933, Pub. L. No. 73-66, 48 Stat. 162.
(17.) Who is the FDIC?, FED. DEPOSIT INS. CORP., http://www.fdic.gov/about/learn/symbol/WhoistheFDIC.pdf (last visited Mar. 08, 2011).
(18.) Financial Services Modernization Act of 1999, Pub. L. No. 106-102, 113 Stat. 1338.
(19.) Allowing the consolidation of a commercial bank, investment bank, and insurance company.
(20.) Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745.
(21.) See Marc Hodak, The Enron Scandal (Slides), SOC. SCI. RES. NETWORK (2007), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=991044.
(22.) WorldCom filed for bankruptcy due to fraud and accounting scandals. Dennis R. Beresford et al., Report of Investigation, Special Investigative Committee of the Board of Directors of WorldCom, Inc., U.S. SEC. & EXCH. COMM'N, at *1, Mar. 31, 2003, available at http://www.sec.gov/Archives/edgar/data/723527/000093176303001862/dex991.htm. The fraud was due to management misconduct, but "continued as long as it did due ... inadequate audits by Arthur Andersen; and a financial system whose controls were sorely deficient." Id.
(23.) See SOX [sections] 404.
(25.) U.S. CHAMBER OF COM., COST OF SOX 404 SURVEY 4 (2007), available at http://www.uschamber.com/reports/cost-sox-404-survey. 89.8% of the companies who responded to the survey were public companies. Id. at 5. 24.7% of the companies were from the financial services industry. Id. at 6.
(26.) PRICEWATERHOUSECOOPERS (Mar. 08, 2011), http://www.pwc.com/us/en/index.jhtml.
(27.) ERNST & YOUNG (Mar. 08, 2011), http://www.ey.com/.
(28.) See U.S. CHAMBER OF COM., supra note 25, at 7. Publicly traded companies are required to maintain internal controls and processes for financial reporting. See SOX [sections] 404. These controls and processes need to be documented and tested for control effectiveness. Id.
(29.) Kurt Eichenwald & Diana B. Henriques, Enron's Many Strands: The Company Unravels; Enron Buffed Image to a Shine Even as It Rotted From Within, N.Y. TIMES, Feb. 10, 2002, available at http://query.nytimes.com/gst/fullpage.html?res=9A07E1DB133CF933A25751C0 A9649C8B63&ref=enron.
(30.) Shaheen Pasha, Skilling Sentence Likely to be a Long One, CNN, Oct. 23, 2006, available at http://money.cnn.com/2006/10/23/news/newsmakers/skilling_review/index.htm.
(31.) Cathy Booth Thomas, Called to Account, TIME, June 18, 2002, available at http://www.time.com/time/business/article/0,8599,263006,00.html.
(32.) SOX [sections] 404.
(34.) Ike Ugochuku, SOX 404 & IT Controls: IT Control Recommendations for Small and Mid-size Companies, TLK ENTERPRISE 1-3 (2006), available at http://www.tlkenterprise.com/sox.pdf.
(35.) FED. FIN. INST. EXAMINATION COUNCIL (Mar. 08, 2011), http://ithandbook.ffiec.gov.
(36.) COBIT Framework for IT Governance and Control, ISACA, http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx (last visited Mar. 08, 2011).
(38.) NAT'L INST. OF STANDARDS & TECH. (Mar. 08, 2011), http://www.nist.gov/index.html.
(39.) Federal Information Security Management Act of 2002, 44 U.S.C. [sections] 3541.
(40.) See Federal Information Security Management Act Implementation Project, NAT'L INST. OF STANDARDS & TECH., http://csrc.nist.gov/groups/SMA/fisma/index.html (last visited Mar. 08, 2011).
(41.) FIN. SERV. AUTH. (Mar. 08, 2011), http://www.fsa.gov.uk/ (last visited Mar. 08, 2011).
(42.) Renee M. Jones, Back to Basics: Why Financial Regulatory Overhaul is Overrated, 4 ENTREPRENEURIAL BUS. L.J. 391, 396 (2010).
(43.) COMPUTER SEC. INST. (Mar. 08, 2011), http://gocsi.com/.
(44.) FED. BUREAU OF INVESTIGATION (Mar. 08, 2011), http://www.fbi.gov/.
(45.) SANDRA SENFT & FREDERICK GALLEGOS, INFORMATION TECHNOLOGY CONTROL & AUDIT 22 (3rd ed. 2009).
(46.) Financial Regulatory Reform Update, PATTON BOGGS LLP 2-3 (July 21, 2010), available at http://www.pattonboggs.com/files/News/5f873a3d-8f27-4a92bb1a- 17ab54cd3291/Presentation/NewsAttachment/1050235c-f474-49af-8816-
(47.) See KATHLEEN C. ENGEL & PATRICIA A. MCCOY, THE SUBPRIME VIRUS: RECKLESS CREDIT, REGULATORY FAILURE, AND NEXT STEPS 105-06 (2011).
(48.) Id. at 99.
(50.) Id. at 105; see Lehman Brothers Files For Bankruptcy, Scrambles to Sell Key Business, CNBC, Sept. 15, 2008, available at http://www.cnbc.com/id/26708143/Lehman_Brothers_Files_For_Bankruptcy_Scrambles_to_Sell_Key_Business.
(51.) Helen Cooper, Obama Signs Overhaul of Financial System, N.Y. TIMES, July 21, 2010, available at http://www.nytimes.com/2010/07/22/business/22regulate.html.
(52.) See Dodd-Frank Act [sections] 731(g) (requiring maintenance of daily trading records and audit trails); [sections] 733(f)(9) (requiring timely publication of trading information); [sections] 733(f)(14) (requiring system safeguards for swap execution facilities).
(53.) Keith H. Mullen, Dodd-Frank Act Watch: Proposed SEC Rule Points to Greater Transparency, LENDERS360 (Oct. 25, 2010), http://www.toughtimesforlenders.com/2010/10/articles/technology/dodd-frank-act-watch-proposed-sec-rule-points-to-greater-transparency/ (regarding asset-backed securities and commercial mortgage-backed securities offerings).
(55.) Phil Albinus, Banks Cry Wolf Over IT Budgets, ADVANCED TRADING, Jan. 28, 2011, http://advancedtrading.com/regulations/229200011.
(56.) See MacSweeney, supra note 7.
(58.) Albinus, supra note 55.
(59.) See FED. FIN. INST. EXAMINATION COUNCIL, IT EXAMINATION HANDBOOK: INFORMATION SECURITY (2006), available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf [hereinafter FFIEC Information Security]; see also COBIT, supra note 36.
(60.) Elizabeth Rowe, Data Devolution: Corporate Information Security, Consumers, and the Future of Regulation: Trade Secrets, Data Security and Employees, 84 CHI.-KENT L. REV. 749, 749 (2010).
(61.) This also impacts privacy laws, which will not be discussed in this note.
(62.) Id. at 750.
(63.) Id. at 751-52.
(65.) Id. at 752-53.
(66.) Robert Ellis Smith, Commentary, Laptop Hall of Shame, FORBES, Sept. 07, 2006, available at http://www.forbes.com/2006/09/06/laptops-hall-of-shame-cx_res_0907laptops.html.
(68.) See FFIEC Information Security, supra note 59, at 16-17.
(69.) Id. at 19-20.
(70.) Id. at 20-22.
(73.) Id. at 16.
(74.) Id. at 17-19.
(75.) Id. at 36; see also FED. FIN. INST. EXAMINATION COUNCIL, IT EXAMINATION HANDBOOK: OPERATIONS 10 (2004), available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Operations.pdf [hereinafter FFIEC Operations].
(76.) See FFIEC Operations, supra note 75, at 12-14.
(77.) Id. at 18.
(78.) See FFIEC Information Security, supra note 59, at A-12.
(80.) See FFIEC Operations, supra note 75, at 17-18.
(82.) See FED. FIN. INST. EXAMINATION COUNCIL, IT EXAMINATION HANDBOOK: DEVELOPMENT AND ACQUISITION 21-22 (2004), available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_DevelopmentandAcquisition.pdf [hereinafter FFIEC Development].
(83.) Id. at 12.
(84.) Id. at 15-16.
(85.) See FFIEC Operations, supra note 75, at 18-19.
(86.) See FFIEC Development, supra note 82, at 23.
(87.) See FFIEC Operations, supra note 75, at 26-27.
(88.) Jeremy Grant & Philip Stafford, Problematic Path to Fastest Trades in London, FIN. TIMES, Jan. 11, 2011, available at http://www.ft.com/cms/s/0/9fc34162-1dbd-11e0-aa88-00144feab49a.html.
(90.) See FFIEC Information Security, supra note 59, at 53; see also FFIEC IT Examination Handbook Infobase--Appendix G: Business Continuity Plan Components, FED. FIN. INST. EXAMINATION COUNCIL, http://ithandbook.ffiec.gov/it_booklets/business-continuity-planning/appendix-g-business-continuity-plan-components.aspx (last visited Mar. 08, 2011) [hereinafter FFIEC Business Continuity Plan].
(91.) See FFIEC Business Continuity Plan, supra note 90.
(92.) Caroline Humer, WTC Collapse Spotlights Need for Data Backup, CRN, Sept. 12, 2001, http://www.crn.com/news/channel-programs/18826906/wtc-collapse-spotlights-need-for-data-backup.htm;jsessionid=D3olzlrlHbkC3sSzXgUZSA**.ecappj03.
(93.) See ALBERT J. MARCELLA & DOUG MENENDEZ, CYBER FORENSICS: A FIELD MANUAL FOR COLLECTING, EXAMINING AND PRESERVING EVIDENCE OF COMPUTER CRIMES 313 (2nd ed. 2008).
(95.) Morgan Stanley Faces Document Suit, CNN MONEY, May 7, 2005, http://money.cnn.com/2005/05/07/news/fortune500/morgan_stanley.dj/ index.htm.
(96.) See MARCELLA & MENENDEZ, supra note 93, at 313-15.
(97.) Id. at 159-60.
(98.) Id. at 336.
(99.) Thomas Claburn, Justice Department Wants ISPs to Store More Data, INFO. WEEK, Jan. 26, 2011, available at http://www.informationweek.com/news/storage/security/229100308?cid=RSSfeed_IWK_All; see Data Retention as a Tool for Investigating Internet Child Pornography and Other Internet Crimes: Hearing Before the Subcomm. on Crime, Terrorism, and Homeland Security of the H. Comm. on the Judiciary, 112th Cong. 1 (2011) (statement of Jason Weinstein, Deputy Assistant Att'y Gen., United States Dep't of Justice), available at http://judiciary.house.gov/hearings/hearing112.html.
(100.) See FFIEC Information Security, supra note 59, at 2, A-15; FFIEC Operations, supra note 75, at 20.
(101.) See FFIEC Information Security, supra note 59, at 51-52; FFIEC Operations, supra note 75, at 20.
(102.) For example, payroll data is sent to both the Human Resources department, for validation, and the Payroll department, for payment processing.
(103.) See FINRA--Anti Money Laundering, FIN. INDUS. REGULATORY AUTH., http://www.finra.org/Industry/Issues/AML/(last visited Mar. 08, 2011).
(104.) See GOV'T ACCOUNTABILITY OFFICE, GAO-10-609T, BANK SECRECY ACT: FINCEN NEEDS TO FURTHER DEVELOP ITS FORM REVISION PROCESS FOR SUSPICIOUS ACTIVITY REPORTS (2010), available at http://www.gao.gov/new.items/d10609t.pdf.
(105.) FIN. CRIMES ENFORCEMENT NETWORK, U.S. DEP'T TREASURY (Mar. 08, 2011), http://www.fincen.gov/.
(106.) See FFIEC Information Security, supra note 59, at 39-40.
(107.) See FFIEC Business Continuity Plan, supra note 90.
(109.) SOCIETE GENERALE GRP. (Mar. 08, 2011), http://www.societegenerale.com/en.
(110.) See Jim Bitterman, Report: Trader Had Drawn Red Flags, CNN, Jan. 29, 2008, http://www.cnn.com/2008/WORLD/europe/01/29/rogue.trader/; see also More than 140 Years of History, SOCIETE GENERALE GRP., http://www.societegenerale.com/en/nous-connaitre/notre-histoire/chronologie (last visited Mar. 08, 2011) (follow 1998-2009 section, then click "2008--The Kerviel Case").
(111.) Nicola Clark, Rogue Trader at Societe Generale Gets 3 Years, N.Y. TIMES, Oct. 5, 2010, available at http://www.nytimes.com/2010/10/06/business/global/06bank.html?pagewanted=1&_r=1&partner=rss&emc=rss.
(113.) Nicola Clark, Bank Outlines How Trader Hid His Activities, N.Y. TIMES, Jan. 28, 2008, available at http://www.nytimes.com/2008/01/28/business/worldbusiness/28bank.html?em&ex=1201669200&en=9787a96b4e941d12&ei=5087%0A.
(114.) Amir Orad, Life After Societe Generale's Massive Rogue Trading Losses, ACTIMIZE PERSPECTIVES (Mar. 08, 2011), http://www.actimize.com/index.aspx?page=perspectivenews7.
(116.) Jones, supra note 42, at 391.
(117.) Id. at 394.
(118.) Id. at 391.
(119.) Id. at 399. But see Charles Pall, The Impact of President Obama's Fiscal Regulatory Reform Proposal on the Life Insurance Industry, 7 RUTGERS BUS. L.J. 211, 238 (2010) ("In particular, the potential for a new consolidated, prudential regulator draws a parallel with European experiences with large consolidated regulators.").
(120.) Pall, supra note 119, at 211 ("According to the provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the Dodd-Frank Act) the Director of the newly created Consumer Financial Protection Bureau joins the membership of the Council, replacing the Director of the former Office of Thrift Supervision.").
(121.) U.S. GOV'T ACCOUNTABILITY OFFICE, GAO-05-325SP, 21ST CENTURY CHALLENGES: REEXAMINING THE BASE OF THE FEDERAL GOVERNMENT 28 (2005), available at http://www.gao.gov/new.items/d05325sp.pdf.
(123.) See U.S. GOV'T ACCOUNTABILITY OFFICE, GAO-09-203, INFORMATION SECURITY: SECURITIES AND EXCHANGE COMMISSION NEEDS TO CONSISTENTLY IMPLEMENT EFFECTIVE CONTROLS (2009), available at http://www.gao.gov/new.items/d09203.pdf.
(125.) See U.S. GOV'T ACCOUNTABILITY OFFICE, GAO-09-835T, CYBERSECURITY: CONTINUED FEDERAL EFFORTS ARE NEEDED TO PROTECT CRITICAL SYSTEMS AND INFORMATION (2009), available at http://www.gao.gov/new.items/d09835t.pdf.
(127.) See Albinus, supra note 55.
(128.) See Bernanke, supra note 5.
(129.) Harry Pugh, Information Governance: A Practical Approach for the Dodd-Frank Era, WALL STREET & TECH. (Feb. 16, 2011), available at http://wallstreetandtech.com/articles/229216570.
(130.) See U.S. GOV'T ACCOUNTABILITY OFFICE, GAO-04-321, TECHNOLOGY ASSESSMENT: CYBERSECURITY FOR CRITICAL INFRASTRUCTURE PROTECTION 58 (2004), available at http://www.gao.gov/new.items/d04321.pdf.
(131.) See U.S. GOV'T ACCOUNTABILITY OFFICE, GAO-10-466, CYBERSECURITY: KEY CHALLENGES NEED TO BE ADDRESSED TO IMPROVE RESEARCH AND DEVELOPMENT (2010), available at http://www.gao.gov/new.items/d10466.pdf.
(133.) See supra section II(A). Federal regulations were passed to promote public trust in the financial market.
(134.) Caron Carlson, GAO Finds Public, Private Sectors Face Different IT Challenges, EWEEK (Oct. 11, 2005), http://www.eweek.com/c/a/ITManagement/GAO-Finds-Public-Private-Sectors-Face-Different_IT_Challenges/.
(135.) Id. Surveys indicate that "[p]rivate sector CIOs are more concerned with making IT contribute to the bottom line, while CIOs in the public sector struggle with organizational issues and limited resources ...." Id.
(136.) See DEP'T OF THE TREASURY, FINANCIAL REGULATORY REFORM, A NEW FOUNDATION: REBUILDING FINANCIAL SUPERVISION AND REGULATION 2, 70 (2009), available at http://www.treasury.gov/initiatives/Documents/FinalReport_web.pdf. As technology advances, financial transactions are occurring faster, allowing for less delay in trading. This is beneficial for consumers and companies, but as technology quickens transaction times, there is a possibility of more risk. Hence, a strong foundation in IT security controls will mitigate these risks and allow for companies to obtain maximum utilization.
(137.) PeopleSoft Enterprise Applications, ORACLE, http://www.oracle.com/us/products/applications/peoplesoft-enterprise/index.htm (last visited Mar. 08, 2011). PeopleSoft is a human resource management system and customer relationship management tool used by many companies. Id.
(138.) Software Solutions by Line of Business, SAP, http://www.sap.com/lines-of-business/index.epx (last visited Mar. 08, 2011). SAP is an enterprise resource planning tool that allows companies to manage their data and communications. Id.
(139.) See Omarova & Feibelman, supra note 6, at 881-85 (discussing generally the need for financial market regulatory reform while noting the attendant shortcomings of such reform efforts).
(140.) See Hodak, supra note 21; Eichenwald & Henriques, supra note 29. More than half of companies complying with SOX expected that SOX 404 will do "very little" to help prevent material fraud. See U.S. CHAMBER OF COM., supra note 25, at 4.
(141.) If a public company.
(142.) For both public and private organizations.
(143.) See Bernanke, supra note 5.
(144.) Technical term in the financial industry. See Peter S. Goodman, Too Big to Fail?, N.Y. TIMES (July 20, 2008), available at http://www.nytimes.com/2008/07/20/weekinreview/20goodman.html.
(145.) See supra notes 35-36.
Publication: Rutgers Computer & Technology Law Journal
Date: Sep 22, 2012