Ryan Rohlfsen Leads Conference on Corporate Compliance, Corruption, and Cyber Crime
Litigation & Enforcement partner Ryan Rohlfsen, co-chair of Ropes & Gray’s global anti-corruption and international risk practice, co-led Global Investigations Review’s inaugural “GIR Live Chicago” conference, which explored emerging trends in corporate compliance across the digital space.
Government officials, including Lorinda Laryea, Acting Chief, Criminal Fraud Division, Department of Justice; John Lausch, U.S. Attorney for the Northern District of Illinois; Steven Dollear, Chief of National Security and Cybercrime Section, U.S. Attorney’s Office, Northern District of Illinois; and Eric Shiffman, Deputy Special Agent in Charge, Federal Bureau of Investigation, joined prominent corporate compliance leaders for the day-long conference in June.
Key takeaways from panel discussions include:
Expectations Around Mobile Devices: Policies, Ownership, Uses, Monitoring, Investigations, and Government Cooperation
- Companies should draft, implement, and test robust data retention policies that consider the increased use of non-traditional business communication channels, some of which are ephemeral in nature and thus present unique challenges. With vigorous policies in place, companies are better prepared to respond to government inquiries and protect themselves from potential internal threats.
- Proactive data retention policies and procedures can be challenging for compliance professionals to implement, especially for companies with bring-your-own-device (BYOD) programs. BYOD may save costs associated with providing company-issued devices but also presents challenges with preserving and collecting corporate data from those devices.
- Employee trust is paramount. Compliance professionals should exercise caution in requesting access to personal devices, and policies should clearly outline the parameters and purposes for personal device data inquiries.
Maintaining Effective Compliance Functions
- Uniform messaging and action by leadership is key when promoting company values, culture, and compliance. Compliance professionals should foster a self-sustaining culture where employees feel motivated to both follow policies and report issues. Data compiled from company-wide surveys can be an effective tool to evaluate employee understanding and willingness to follow company policies.
- In light of Dodd-Frank’s significant whistleblower bounties, publicly traded companies should carefully consider whether to self-report whistleblower information to government authorities.
Emerging Trends and Practices in the Digital Space
- Business email is now the most common cyber intrusion risk for companies, followed by supply chain attacks and credential harvesting. Attacks are often state-sponsored, by countries like China and Russia.
- Companies with a response plan in place are better positioned to prevent and swiftly react to a cyber intrusion. The plan should include risk mitigation, address network vulnerabilities, and include tools to assess damage. If a cyber intrusion affects third parties, the plan should also include a notification system. Companies should proactively test these response plans on a regular basis to ensure they are prepared.
- With the rise of complex cryptocurrency, blockchain, and NFT cyber fraud schemes, companies should also consider integrating government contact information into their cyber attack response plans.