
Technology is The Topic at ACLI Legal and Compliance Meeting

Coeur D’Alene, Idaho

As I traveled back from the beautiful city of Coeur D’Alene, Idaho after the ACLI Legal and Compliance Meeting, I was struck by how the topics have changed recently. At this year’s conference, the DOL rule was certainly present as a topic, but not nearly so much in the foreground as it has been in recent years. Technology, on the other hand, was at least part of every session.

Cybersecurity not only had its own session: it also crept into almost all the others in one way or another. Innovation was equally prominent, as the need to innovate made its way into most conversations. Frustrations with the challenges of regulatory efforts to both allow and restrict innovation were also on many lips.

There were no clear solutions to the challenges posed by these issues, but it was clear that internal legal and compliance efforts, as well as regulatory resources, are being pulled and strained by both. It is an interesting and demanding time. Many more meetings and discussions are to be had as we, collectively as an industry, move beyond merely identifying the issue and continue to dig in and do the work.

Cybersecurity: Recent Conference Perspective

It is unlikely that any insurance industry conference in 2015 and beyond will omit a session on cybersecurity. I have attended many sessions already. What fascinates me more than the subject matter itself is that each one is significantly different from the others. I have attended sessions that I can barely understand because they are so technical, and others that barely go beyond a mere warning that we all need to be careful about online and network security. I try to approach each session with an open mind and few expectations so that I can get the most out of it, no matter what the focus.

At the ACLI Legal and Compliance Section Annual Meeting, there were two sessions on cybersecurity. Both were general sessions and each had a different focus.

At the first, specifically titled “Cybersecurity”, John Walsh, a partner at Sutherland, made a strong point of avoiding technical jargon. He emphasized how the nature of the risk has changed, from one rooted in criminal activity to today’s cybersecurity risk, which may be solely for the purpose of disruption. His point was that criminals want to get paid, and therefore it is possible to find them by following the money. When disruption is the goal, there may not be a money trail to follow. He also spoke of the politics of cybersecurity, indicating that there was actual bipartisan congressional action on this issue, e.g. HR 1560 (Protecting Cyber Networks Act) and S-754 (Cybersecurity Information Sharing Act of 2015). Walsh’s view was that we may see actual legislation on this issue pass and be signed by President Obama.

From there, Walsh focused on the SEC/FINRA efforts to build expertise while pursuing exams in the meantime, and on the significance of the reports issued by both agencies. FINRA’s Report on Cybersecurity Practices was designed to help firms respond appropriately both to the risk of cyberattacks and to the attacks themselves, while the SEC’s risk alert was based on exams of 57 broker-dealers and 49 RIAs. Both were issued in February of this year. Walsh’s focus was on the Legal and Compliance role in cybersecurity, saying it is the same as in all compliance issues: preventative, detective, corrective and predictive. He suggested compliance questions such as: Who is running the security program? What are their credentials and expertise? What standards are they assessing against? How often is testing happening? What checks and balances are in place? Are there reasonable policies and procedures in place? These are familiar questions, and from a compliance perspective that is the appropriate role. He reiterated that we in compliance do not have to be engineers to be effective in our positions, but we need to be active and keep digging for information. Finally, he warned of the culture clash between engineers and compliance. Engineers often respond that they followed procedures. Compliance’s role is to ask whether those procedures are reasonable.

This session was extremely valuable because of its focus on compliance as compliance, and because of the very clear ways it laid out for compliance to add significant and unique value to enterprise efforts on cybersecurity.