This week Infosecurity attended a presentation hosted by Cordery, which featured anti-corruption and compliance speaker Tom Fox. He explained that he “tries to help companies design and implement a best practice compliance program”, and helps companies do in-house work around compliance.
In the session, hosted by Jonathan Armstrong, Fox drew on a number of areas, including companies he has formerly worked for, and began by talking about the introduction of class action laws. Fox claimed that in the USA these were driven by two things: a lack of government oversight and regulation in commerce (compared to the UK), which left the door open for lawyers to sue for class action damages, and money-driven instances where plaintiffs' lawyers can reap huge amounts of money from class action suits.
Asked by Armstrong how heavy-handed a compliance regime the FCPA (Foreign Corrupt Practices Act) had produced, Fox claimed that since 2004 there has been “significant enforcement”, but he could not say that there has been less corruption - only much more compliance.
He said that from the time the FCPA was passed in 1977 until 2004 there were between five and 10 actions, and since then “there was an explosion.”
One area that Fox focused on was the Sarbanes-Oxley Act, which he claimed was created directly by the Enron and WorldCom cases “and that is one of the steps that led to the compliance professional within organizations.”
This was because of two basic requirements: that officers must certify both the financial statements and the effectiveness of internal controls.
He said: “So that really made compliance really important in organizations, and Enron led to that and the corruption at Enron was just ‘old fashioned greed’ and cooking the books to make the company look like it was making money when it wasn’t.”
Fox said that while Sarbanes-Oxley requires certification of internal controls, he believed that the 2002 Act was also introduced partly in response to 9/11, as the Bush administration was looking for a law that it could enforce on borders and the movement of arms.
Asked by Armstrong if that era was one of governments winning or corporations surrendering, Fox said that it was neither, as every senior Enron executive who went to trial “was guilty of everything and it was a long painstaking three-year investigative process for the trials in 2005-2006, and that event of trials had an effect on other businesses such as Arthur Andersen which was not charged with accounting fraud, but with destruction of documents.”
Fox claimed that the “success” of Enron led to a new model of compliance for businesses and enforcement for government, and “no company has gone to trial since.”
Fox also focused on a number of other cases such as Volkswagen, Walmart, Wells Fargo and even Harvey Weinstein, and said that often people want to see senior executives resigning and ultimately after cases like Enron and WorldCom, there was a “pushback” from businesses.
This session, while not focused purely on day-to-day cybersecurity trends, was very interesting in showing how the current state of compliance came about, what businesses are now having to comply with and, with just over six months until the GDPR becomes law, what business compliance will look like in practice.