Learning Dynamics Joins Career Partners International to Elevate the Talent Development and Career Transition Market in Connecticut

Career Partners International (CPI) is pleased to announce that Learning Dynamics has met the rigorous qualifications to become a CPI firm, bringing their expertise and strong reputation in the Hartford, Connecticut region.  CPI has over thirty years of outplacement and talent development experience, inviting into the global CPI Partnership only those firms who meet our high standards of quality coaching services and client engagement.

“It is our pleasure to welcome Learning Dynamics to Career Partners International.  At CPI we take pride in offering the world’s most effective talent development and career transition services.  Learning Dynamics’ coaches have decades of real-world experience and are proven to meet and exceed our high delivery standards.  They partner with their customers and take the time to understand their unique needs, making them a perfect fit for our organization,” says Doug Matthews, President and CEO of Career Partners International.

Learning Dynamics takes a flexible approach to talent development by offering customized programs in formats that best fit their clients’ workplace.  This high-tech, high-touch approach mirrors CPI’s approach to coaching.  “We are delighted to have been selected as a CPI partner firm.  Our team is very much looking forward to collaborating with the CPI staff and the other firms who are part of the CPI family,” said Jim DeMaio, President of Learning Dynamics.

The post Learning Dynamics Joins Career Partners International to Elevate the Talent Development and Career Transition Market in Connecticut appeared first on CPIWorld.

How Does Your Cybersecurity Posture Stack Up To That Of Your Peers?

It’s one thing to know the status of your organization’s cybersecurity defenses, and quite another to know whether they’re enough to protect your business on the virtual battlefield. You can’t prepare a real-world security posture without knowing these three things:

  • Where your company stands in relation to your industry peers;
  • How your defenses have improved (or not) over time; and
  • Which emerging threats are rising.

In other words, context is everything.

Most organizations focus their cybersecurity reporting on tactical matters, such as how much money has been spent, how the dollars were invested, goals that have been met (or missed), and how many threats have been identified and neutralized. While those data points are meaningful to those who are on the cybersecurity front lines, additional data inputs are necessary for board members to understand the business implications of the company’s cybersecurity posture.

When you begin asking the organization you oversee to provide the kinds of benchmarking context outlined above, you may find executives are challenged to give you the answers you need to make informed decisions.

The Answers You Don’t Need

Below are two typical responses you might receive when asking how you stack up against your peers’ security practices, and why they fall short of delivering the context you need.

  1. We patched X number of vulnerabilities. While it is always important to know the organization is keeping patches up to date, this information alone won’t give you the full picture of where the organization stands. You need to understand if your critical assets are protected against threats that are currently in the wild—that is, being actively utilized by bad actors.
  2. We have everything secured in the cloud. Keeping applications patched and updated is your organization’s responsibility, not the cloud provider’s. Therefore, it’s incumbent upon directors to ensure they have access to ongoing comparative studies. Directors should ask for studies comparing the security of cloud versus traditional assets, year-to-year security progress, and compliance with regulations governing privacy and security, such as the EU General Data Protection Regulation. While receiving assurances that security measures exist in the cloud is nice, this alone tells you very little about how secure your company—and its vendors—happens to be.

The Answer You Need

“Here is our report on our security progress over the past three years. This shows how we are remediating the most dangerous vulnerabilities on our most critical assets. We’re now able to predict in advance which vulnerabilities are likely to be attacked and deploy our resources accordingly. We can track the progress different regions and business units are making in reducing their cyber exposure. Plus we have insight into how our cyber exposure compares with industry peers.”

This is the answer you seek. It gives you the detail and context you need to make informed decisions about your organization’s cybersecurity strategy.

The only way you’ll know if your security efforts and investments are paying off—or if your company has just been lucky—is to measure your progress. It’s vitally important to measure the state of your cybersecurity investment and policy by business unit, geography, and asset type. Security progress reports are best when they’re updated regularly. Your company’s cyber exposure will change over time due to a variety of factors, including mergers and acquisitions, changes in business models, and the deployment of new technologies. In other words, everything changes fast and your progress reports need to keep pace with organizational change.

Benchmarking will show you where your company stands in comparison to industry peers. If a comparative ranking with industry peers finds you in the bottom quartile, you probably need to commit more budget and resources to come up to industry standard and achieve average protections. If your company ranks in the top quartile, you likely don’t need to increase your budget or buy much. The point is, your decisions should be based on data and not a guess.

Want to learn more about understanding vulnerabilities in the context of business risk? Read the Vulnerability Intelligence Report from Tenable Research.

Five Questions to Ask When Considering an Outplacement Provider

Leading organizations realize that providing outplacement services shows respect to their former employees, improves retention and engagement with those who remain, and protects their employer brand.  I have yet to meet a decision maker who is not concerned with how business decisions, such as mergers, acquisitions and downsizings, affect their people, making outplacement programs even more valuable.  But, more and more, the conversations about outplacement are centered on the inability to evaluate an appropriate provider.

Outplacement is not a one-size-fits-all service. To ensure a proper fit for both company and vendor, consider the following questions:

What services are provided? Having a knowledgeable professional to partner with and to help guide your employee through unfamiliar territory can greatly reduce his or her search time if the consultant is offering more than talk therapy. Ask about help with resumes, LinkedIn, creating a professional brand, networking scripts, interviewing, job search strategy, career change, starting a business, etc. Ask the potential firm if there will be group sessions, classes, webinars, and trainings as well.

How are services delivered? Many career transition firms are moving to a mainly virtual platform. Virtual coaching can be beneficial for rural workers who don’t have easy access to a coach, and these services are typically less costly. But, if you are outplacing more seasoned workers or if your exiting employees have not utilized a high-tech platform in their roles, the virtual platform can be intimidating and anxiety provoking. Make sure that the services will be delivered in a way that is familiar and comfortable for your exiting employees.  Most workers find major benefits to direct interaction with their coach.

What are the coaches’ backgrounds? Your exiting employees are diverse. You’ll want to choose a firm that offers a diverse and relatable coaching bench. Ask about the firm’s talent. Are they certified? Do they understand your industry? Are they geographically located in a way that allows them to have knowledge about your employees’ target markets?

Does the firm have connections? Connections are critical to the job search process. Your exiting employees will be encouraged to network. Ask questions to determine if the firm can offer connections to recruiters, hiring managers, and decision makers. Survey the tools, technology, and employees to ensure that you are putting your exiting employees in the best possible position to secure their next roles.

Do you want a vendor or a partner? Choosing an organization to handle your outplacement needs is like deciding on car insurance. Some of us just want the bare minimum, and some of us want comprehensive coverage. If you’re asking what the very least amount of coverage looks like, there are companies that will partner with you in that way. If you are looking for a partner who knows your needs, goals and values and will provide comprehensive care in planning, delivery and reporting of your career transition services, you will find organizations that will provide you that level of service. In evaluating providers, you should consider your end goal.

Choosing an outplacement provider should be done with care. Simply reviewing a proposal may not give you all of the information that you need to enter knowledgeably into a contract. Your potential provider should take time to meet with you, answer the above questions and thoroughly understand your needs. You may find it beneficial to reconnect with your current advisor and reassess the relationship on an annual basis. Remember that the level of service that the provider offers can impact your relationship with your employees and your consumers. Choose wisely!


Written by Andrea Holyfield, Consulting Manager at CPI Partner Warren Averett Workplace

The post Five Questions to Ask When Considering an Outplacement Provider appeared first on CPIWorld.

Anticipating Disruptive Innovation and Digital Transformation

To stay competitive and relevant in a rapidly changing business landscape, organizations in every industry must navigate an increasingly disruptive, technology-enabled environment. Companies that do not address and embrace new and emerging technologies will be less competitive or may even face obsolescence. Netflix and Uber Technologies disrupted traditional business models by rethinking the way in which service delivery occurred, tapping into new technology capability to empower customers.

Given these challenges to companies, what does innovation mean in this era of digital transformation? Innovation now involves finding the right problems worth solving; building new offerings, business models, and experiences; and generating value at scale for customers.

Furthermore, the rapid digital transformation of advanced technologies such as blockchain, robotic process automation (RPA), and artificial intelligence (AI) now portend similar effects in industries from financial services and healthcare to communications and manufacturing. Boards must become knowledgeable about these digital disruption trends in order to be able to conduct meaningful oversight that management can use successfully as the company embraces new technologies.

Advanced digital technologies bring with them both opportunities and challenges for boards. Consider the following strategies when the organization evaluates or adopts any new, potentially disruptive technology:

  • Overcome technology anxiety. Directors and executives who either lack knowledge of disruptive technologies—or lack confidence in their knowledge—stand to allow their companies to lag behind or fall into a state of stasis. This is something no organization can afford in this age. Management can feel threatened or uncertain about jobs surrounding the adoption of advanced technologies. Concerns can arise around the lack of historical evidence and case studies to demonstrate the technology’s value. Management must be confident and equipped to explain how the tools will support the existing workforce, rather than cannibalizing their talents. To support this mindset and approach, the board needs to support and approve major policies focused on empowering management with knowledge around advanced technologies.
  • Reduce fragmentation while achieving enterprise-wide consistency in adoption. Organizations tend to assign value and evaluate impact as disconnected activities. In a world where value is created by technology across the enterprise, value and impact should be assigned as part of a cohesive business strategy that embraces advanced technology. Neglecting to do so creates knowledge and skills gaps between teams, causing inefficient business processes and ineffective or sporadic performance, rather than fully functioning, optimized operations. Boards must go beyond fiduciary responsibilities to take a more active role by challenging management constructively on how new technologies fit into the overall organization’s strategic plan.
    Management may focus too narrowly on addressing a problem through technology for a small group of individuals and lose sight of the larger application of the technology, resulting in a varied impact across the organization. The board can provide clear guidance and ensure balance by reinforcing a consistent, enterprise-wide, business-change approach to technology adoption.
  • Manage the pace of technological change. The adoption of advanced technologies demands teams that are agile in nature. This process can potentially leave legacy business units behind. For example, blockchain technology can be used to identify the location of any transaction, file, entity, or product at any given time. However, information changes in a data-driven age, expanding quickly and exponentially, which can have a cascading impact on how the organization currently uses the technology. Digital technologies demand that organizations be both agile and adaptable to the new ways of doing business. The board must promote digital innovation when it comes to doing things faster, better, and more efficiently. The board must also monitor the pace of innovation to ensure the organization can best manage the change while meeting strategic objectives.
  • Define evolving responsibilities and accountabilities. Adoption of advanced technologies can create knowledge gaps and role changes. For instance, when an organization implements RPA for a particular process, the digital resource (robot) and the human workforce each may have responsibilities to support or execute an element of the process. In order to provide sound oversight of the changes to a business unit, the board must ask management for clearly defined roles, responsibilities, and accountabilities affected by or involving an advanced technology’s adoption and use.

While the board isn’t tasked with the hard work of managing through digital transformation, its members must be cognizant of the policies and decisions made to ensure they aren’t driven by legacy assumptions. Directors must ask the right questions about the technology as well as the broader questions about the company’s information technology (IT) strategy. This, in turn, requires that board directors, senior management, and IT use a shared language to discuss IT performance. Deeper board involvement can serve as a mechanism to cut through company politics and focus management on the large, integrated technology investments needed as digital weaves ever further into the fabric of today’s businesses.


Waqqas Mahmood is director of advanced technology and innovation for the advisory, tax, and assurance firm Baker Tilly.

Moving to the Cloud with Confidence: What to Ask CISOs to Ensure Security

As the pace of innovation pushes business to move faster, companies are increasingly moving more of their information technology (IT) infrastructure into the cloud. Cloud services allow IT departments to scale and leverage specialized software as a service (SaaS) offerings. But what does this mean for security?

In a recent report from Gartner, executives cite cloud computing as a leading concern for risk. The executives surveyed fear data loss and data breach due to unauthorized access or downtime on the part of providers. However, business leaders also find the benefits of the cloud far outweigh any perceived disadvantages, contributing to double-digit year-to-year growth in cloud services, according to Gartner. Indeed, for some companies, a move to the cloud is integral to staying competitive.

Keeping the benefits and challenges of the cloud in mind will help board members best prepare relevant questions for chief information security officers (CISOs). This, in turn, will ensure that your company maintains a strong security posture around cloud services.

Benefits of the Cloud

Economies of scale, specialized expertise around particular solutions, speed to market, and many other benefits have contributed to the cloud’s rapid growth. The benefits include:

  • Flexibility. The cloud offers the ability to scale infrastructure according to need without large capital and operational expenditures. In other words, companies don’t have to buy new servers and maintain them and their environment to increase capacity, or keep them around when they aren’t needed anymore.
  • Affordability. Cloud services provide a low cost of entry for new functions, making it possible for companies to try new processes and business models, running experiments with a smaller upfront investment.
  • Talent. The hardware and security components of the IT stack used by cloud service providers are often maintained by top talent in the industry. For example, Amazon Web Services (on which many providers depend) recruits some of the best talent in the world for its data centers and security operations centers.
  • Speed. This includes both quicker implementation and quicker updates. New functionality gets rolled out through SaaS solutions faster using fewer internal resources. The software update process is also handled by the vendor, requiring little to no effort from the customer.
  • Interoperability. Integrating disparate SaaS solutions is usually simpler than integrating on-premises solutions.
  • Protection. Because cloud services reside in remote locations—and have backups—separate from the companies using them, they help protect data from natural disasters and other local events.

Challenges of the Cloud

Despite the advantages, however, cloud services do come with risks. These spring from services being hosted separately from a customer company’s own IT and security infrastructure. The risk factors include:

  • Shadow IT. The very ease and speed of implementation for cloud services lead to one of the risk factors. Software acquired by groups making their own purchases via credit card runs the risk of bypassing the security team, as do cloud-based apps created by those groups.
  • Black box syndrome. Services using proprietary systems may or may not meet best security standards while remaining opaque to scrutiny by in-house security teams.
  • Outages. Cloud services may also go down, rendering data and important functions unavailable at crucial times with no control over corrective measures.
  • Fragmentation. More systems, applications, and instances mean less expertise for any individual system, thereby increasing management complexity.

Managing the Risks

Companies can mitigate the risks associated with moving to the cloud with the right approach. Ask your CISO: “Are these in place at our company?”

  • Vendor assessments. Are we interviewing cloud vendors to ensure robust security on their end? Are we interviewing a representative sampling of some of their customers to verify past performance?
  • Hybrid cloud-and-premises systems. Cloud services may go down, but local redundancy can help. Do we use hybrid systems that maintain local backups and functionality for critical systems?
  • Checks and balances for the shadow IT. Are we flagging or preventing purchases of cloud services so security staff can evaluate them before trusting important data and functions to them?
  • Regulatory compliance. Are we taking full responsibility for and ensuring compliance with regulations even when using outside systems (for example, through enforceable language in our contracts with vendors)?
  • Trust maintenance. Are we prioritizing our relationships with customers and suppliers rather than letting these relationships suffer at the expense of moving quickly?

Cloud services offer many benefits. As Gartner reports, the cloud “has become a solution for issues that have plagued organizations and overtaxed IT departments for years.” If boards ask their CISOs the right types of questions in the evaluation process, they can consider and mitigate the risks and address any concerns. This will allow their companies to move functions and data to the cloud as securely as possible.


Corey E. Thomas is CEO of Rapid7. Read more of his insights here.

Note These Trends When Reviewing Your D&O Liability Insurance

Directors and officers increasingly face personal exposure from litigation risk, regulatory investigations, and shareholder activism, but the right program of directors and officers (D&O) liability insurance can reduce such exposure. Every director should periodically review his or her company’s D&O insurance program to confirm that it provides the broadest scope of coverage available in the always-evolving D&O insurance market.

Standard D&O policies provide a single policy limit that is shared among three types of coverage:

  • Side A, for the directors and officers when they are not indemnified by the company or not otherwise insured;
  • Side B, for reimbursement of the company when it indemnifies directors and officers; and
  • Side C, for certain claims against the company itself. In the public company context, “Side C” coverage for the company is usually limited to “Securities Claims,” while private company D&O insurance covers companies for a broader variety of claims.

D&O insurance should be considered together with the company’s indemnification obligations. Most companies provide indemnification for their directors and officers that is broader than coverage available under D&O insurance, and a company’s indemnification obligation is uncapped. D&O insurance, on the other hand, is subject to exclusions and a policy limit. That said, D&O insurance protects the company’s balance sheet by covering most of the company’s indemnification obligations (under Side B), and D&O insurance is available to protect directors and officers in certain cases when the company is unable to indemnify them.

The D&O insurance market continues to evolve rapidly. The following are some of the latest trends in the industry.

  1. Offsetting costs from shareholder activism. Shareholder activists continue to be active in the market and aggressive in pursuing directors and officers for perceived mismanagement, entrenchment, and/or alleged breaches of fiduciary duties. In the course of an activist campaign or proxy fight, activists frequently make demands of the directors or the company that trigger coverage under D&O insurance. Depending on the nature of the communications with the activist, the entire policy limit may be implicated; in other cases, D&O insurance sublimits are available to defray a portion of the defense costs. Shareholder activism defense counsel can assist directors and companies in considering whether a company’s D&O insurance is available to offset some of the costs of defense, whether during an activist campaign or as part of an activism preparedness exercise.
  2. Expanding coverage for government investigations. Coverage under D&O insurance for government investigations continues to evolve rapidly. Most D&O policies cover directors when they are the targets of such investigations, but policy language should be carefully reviewed each year to ensure the broadest possible coverage for directors. Many D&O policies also provide limited coverage for a “pre-claim inquiry,” when a regulatory body requests an interview of a director in the course of an investigation of the company. It is also increasingly common for D&O policies to provide some amount of investigations coverage for the company itself. This coverage can include, for example, recognition of retroactive erosion of the retention in the event of a later-filed securities lawsuit involving the same matter and/or coverage for the company when directors are simultaneously targeted in an investigation.
  3. Optimizing D&O insurance coverage for bankruptcy risk. Normally, directors and officers have two sources of funds available for the defense of claims against them: (1) indemnification from the company and (2) D&O insurance. If the company is insolvent or bankrupt, however, indemnification from the company has little to no value. Ideally, D&O insurance protects directors and officers and their personal assets from claims brought by company shareholders or creditors. Directors and officers planning for bankruptcy contingency may consider Side A difference-in-conditions (DIC) coverage because it cannot be rescinded, it offers more flexibility than traditional Side A coverage, and it provides excess and broader protections for company directors.
  4. Negotiating sublimits. Sublimits are policy enhancements that provide retention-free (i.e., first-dollar) coverage for specified events, up to a small percentage of the overall policy limit—usually between $50,000 and $250,000. Policyholder advocates sometimes view sublimits as a way for insurers to carve out items from the coverage provided by the larger policy limit. While this may be true, these sublimits can also provide significant value for companies. For example, we have seen the following sublimits triggered frequently:
    • Derivative Demand Investigation Costs. Upon receiving a derivative demand or suit, the board may commence investigation by a special litigation committee. D&O insurance policies frequently provide sublimits for the costs of these investigations. Recently, excess D&O insurers have agreed to add sublimits to their own policies for these costs, meaning that a second, smaller “tower” of D&O insurance may be available to offset these costs.
    • Books and Records. Historically, D&O insurers of public companies have refused to cover the costs of defending a books and records inspection demand because the demand is not a “Securities Claim.” Recently, D&O insurers have been adding coverage for these costs to their policies. The most common approach is to add the defense costs associated with a books and records demand to the derivative demand investigation costs sublimit described above. When combined with sublimits from excess insurers, these sublimits can be very useful, especially because books and records demands are being litigated more frequently. Other D&O insurers will add coverage for books and records demand defense costs into the larger policy limit if there is a concurrent “Securities Claim” against the company.
    • Crisis coverage. Crisis event sublimits facilitate company responsiveness to high-pressure events. For example, a company’s negative earnings announcement, the loss of a key executive, or the threat of a regulatory investigation are typical triggers of the crisis coverage sublimit.

Understanding your company’s D&O insurance program is critical to managing your own risk profile as well as your company’s risk profile. Every director should periodically review his or her company’s D&O insurance program, ideally with the assistance of an experienced broker and outside counsel.

Sarah Mitchell is of counsel and Mustafa Abdul-Jabbar is an associate at Vinson & Elkins LLP. All thoughts expressed here are their own.

Civility in the Workplace: Don’t Take it for Granted

With over thirty years of experience in talent development and career transition services, Career Partners International (CPI) has provided clients with the tools to navigate through decades of change in the workplace. Despite the best preparations, new challenges continually emerge for HR and Management teams.

Join us for the CPI Webinar Series on December 11th, to discuss civility in the workplace at a time when it has relevance in relation to the lessons we are absorbing from the #MeToo movement.  In our world today, this complex subject continues to be front of mind for employers and employees, changing the dynamics and cultures of many organizations.  As an expert in this critical subject, Gary Cormier will be presenting “Workplace Civility on a Continuum” to assist professionals in beginning to address this difficult topic.

Gary Cormier joins us from Harvard University as a Senior Human Resources and Organizational Development Consultant.  This foundational session will explore the business case for workplace civility as well as the implications of incivility. It will help identify uncivil, inappropriate, negative, or bullying behaviors in the workplace and what can be done to mitigate them.  Finally, the session concludes with ways to make civility part of your organization’s overall culture.

The CPI webinar is on December 11th at 11:00 AM EST; all Managers and HR Professionals are welcome to join.  Registration is free and open to the entire CPI network.  Gary will deliver a thirty-minute presentation with time after for Q&A.  Registration is now open.

The post Civility in the Workplace: Don’t Take it for Granted appeared first on CPIWorld.

The Secret Ingredient for Powerful Board Assessments

Maybe you talk too much during board meetings. Maybe you don’t talk enough. Maybe you harp on topics your fellow directors are tired of hearing about, or perhaps you only chime in during discussions about your area of expertise and they wish you would contribute more.

But how do you know if no one tells you?

In PwC’s 2018 Annual Corporate Director’s Survey, 45 percent of directors said they think at least one of their fellow board members should be replaced. Half of those think two or more colleagues need to go. This is not a new trend. These numbers have hardly changed over the past few years, which tells us that boards are underperforming even as new technologies, disruption, and shareholder activists are demanding they step it up.

The most common criticisms directors have about each other are that they overstep the boundaries of their oversight role or don’t challenge management enough. The directors in our survey also said some members’ interaction styles hurt board dynamics, while others lack essential skills or seem to be slipping because of advanced age.

No matter the issue, much of this discontent could be alleviated if more boards were willing to give each other one thing: constructive feedback. Only 31 percent of the directors in our survey said their board conducts individual director assessments, and there are several reasons why.

The first is tradition. Directors simply haven’t gotten into the habit of giving each other regular feedback. The second is avoidance. Telling someone how well they are (or aren’t) performing isn’t the easiest thing to do. Another factor is that individual assessments aren’t required—just an evaluation of the board’s overall performance. The annual board assessment requirement for NYSE-listed companies doesn’t specify how to do them, which is why so many end up being a check-the-box exercise.

Most of us don’t change without a precipitating event, and many boards lack the impetus to change their culture from one of go-along collegiality to transparency and honest feedback. If the chair were to suddenly announce the board was going to start conducting individual assessments, directors would likely worry that board leadership is trying to clean house. That can create all kinds of apprehension and resentment you don’t want.

But here’s the opportunity: as boards seek to diversify their composition to include more women and people of color, or specific skill sets like digital or cybersecurity, they’ve had to expand their selection criteria beyond retired CEOs and those who sit on multiple boards. As a result, many directors now joining boards don’t have the same level of boardroom experience as their predecessors and often could use help to grow into the role.

Board leaders can use this as a trigger for change. For example, I was advising a board the other day that was going through a refreshment and onboarding two directors who had never served on a board. My suggestion was to use that opportunity to change the board culture by starting an individual feedback process that the entire board could participate in.

Directors should also keep in mind that the motivation for the board to institute individual director assessments should be to create a high-performance culture, not a vehicle for pushing people out. For the same reason that companies give employees annual performance reviews, directors need to know what their fellow board members appreciate about them and where they need to improve. An added benefit of this process is that directors who refuse to adjust won’t be as surprised when they are asked to go.

Other factors to consider:

  • Who should conduct the assessment? Assessments can be led by the board chair, the lead director, the nominating and governance committee, or a third-party facilitator. Any of these choices is fine, although I suggest that boards hire a third party to conduct the assessment every few years to provide greater impartiality and an outside view.
  • What methods should we use? Many assessments include a combination of questionnaires, facilitated discussions, and individual interviews. For individual director assessments, I recommend that whoever is leading the assessment gather feedback from each director about the other members and then share that feedback in one-on-one discussions.
  • What do we do now? Assessments are worthless without follow-up. Boards should use the information they’ve gathered about the performance of their committees and individuals to create action plans, then track their progress on addressing the areas of improvement.

The payoff for these efforts, despite the hard work involved, will be a better performing board and, consequently, a higher-performing company. With the right process, honest participation, and appropriate follow-through, directors might even find themselves agreeing with the adage, “Feedback is a gift.”

First SEC ‘Red Flags’ Enforcement Case Spotlights Board’s Role

A recent U.S. Securities and Exchange Commission (SEC) enforcement action punishing a financial firm for its subpar data security practices—the agency’s first-ever use of its “red flags” rule—called out the company’s board of directors for its failure to “administer and oversee” the program.

While corporate boards are charged with the general oversight of business risks including cyber risks, it’s far from the norm for a data security regulation to draw a straight line to the boardroom. The SEC’s “red flags rule” does just that and places direct responsibility on corporate boards. In an enforcement order against Voya Financial Advisors, the Iowa-based investment advisory arm of Voya Financial, the commission used the rule to censure the asset management firm for allowing hackers to roam freely through its customer information. The hackers were able to access Social Security numbers, account balances, and even details of client investment accounts, according to the commission.

This should set off alarm bells for every financial firm and board of directors under the SEC’s watch. It’s likely that most companies are not in compliance with the rule and, given the agency’s increased focus on cybersecurity, this should be their wake-up call to quickly get such a program in place.

Five years ago, the SEC adopted the rule, formally called the “Identity Theft Red Flags Rule,” which requires investment firms to pay attention to identity theft by developing and implementing a written program to “detect, prevent and mitigate” identity theft and fraud, and to define “red flags” or other warning signs that hackers might be trying to steal customer information or customer identities. The rule also requires that a firm’s board of directors or senior leadership administer the program. But until recently, the SEC did not enforce the rule.

The conduct described in the SEC’s charge against Voya was egregious enough that it may explain the agency’s decision to finally make use of its “red flags” rule. During a six-day window in 2016, cybercriminals impersonated Voya’s independent investment representatives—the largest segment of the firm’s work force—by calling the Voya help line and asking that their passwords be reset. Even though some of the telephone numbers used by the hackers were already flagged in Voya’s system as being associated with fraud, the callers still made it past security and were able to convince Voya’s help line to reset their passwords and provide new passwords over the phone, according to the SEC.

The intruders used the new passwords to gain access to the personal information of 5,600 customers, the SEC alleged, and then used the customer information to create new online customer profiles and identities and to pore through thousands of account records.

Without so much as triggering a fraud alert, hackers were able to change a legitimate customer’s phone number and address of record, which meant account statements and confirmations would be re-routed from legitimate customers to the hackers. In several instances, the SEC said, hackers used a “@yopmail.com” address, a disposable email service that lets users create an email address, review incoming emails, and then destroy everything.
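Each failure the SEC describes above corresponds to a check a help desk or fraud system can automate: refusing a reset from a number already flagged for fraud, noticing a burst of phone resets over a few days, and alerting when an address of record changes shortly after a reset or moves to a disposable mail provider. The following Python is an added illustration of those checks, not code from Voya or from the SEC order; the phone-number denylist, the disposable-domain list, the six-day and 24-hour windows, and the event records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical denylists. In a real program these come from the firm's fraud case
# system and a maintained list of throwaway mail providers; "yopmail.com" is the
# one the SEC order mentions, the rest are assumptions for this example.
FRAUD_ASSOCIATED_NUMBERS = {"+15550100200", "+15550100300"}
DISPOSABLE_EMAIL_DOMAINS = {"yopmail.com", "mailinator.com"}

RESET_BURST_WINDOW = timedelta(days=6)      # assumed: matches the six-day intrusion window
RESET_BURST_THRESHOLD = 3                   # assumed: tune to the help line's normal volume
CONTACT_CHANGE_WINDOW = timedelta(hours=24) # assumed: change soon after a reset is suspect


@dataclass
class Event:
    ts: datetime
    kind: str            # "reset_request" (help-line call) or "contact_change"
    subject: str         # account the event concerns
    caller_number: str = ""
    new_email: str = ""


def screen_reset_request(ev, fraud_numbers=FRAUD_ASSOCIATED_NUMBERS):
    """Decide a phone reset request. A number already tied to fraud must be refused
    outright; at Voya the flag existed but was never consulted by the help line."""
    if ev.caller_number in fraud_numbers:
        return False, "caller number flagged for prior fraud"
    return True, "ok"


def email_domain_is_disposable(address, domains=DISPOSABLE_EMAIL_DOMAINS):
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    return domain in domains


def detect_reset_abuse(events):
    """Run the detections over an event list and return the alerts raised.
    Note: in the Voya intrusion the resets hit representatives' accounts and the
    contact changes hit customer accounts reached through them; a production
    detector would join the two on the session, which this example keeps simple
    by keying both on `subject`."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    resets = [e for e in ordered if e.kind == "reset_request"]

    # Detection 1: a burst of help-line resets, regardless of whom each caller claims to be.
    for start in resets:
        n = sum(1 for r in resets if start.ts <= r.ts < start.ts + RESET_BURST_WINDOW)
        if n >= RESET_BURST_THRESHOLD:
            alerts.append(("reset_burst", start.ts.isoformat(), n))
            break

    # Detection 2 and 3: contact details changed soon after a reset on the same
    # subject, and the new address of record sitting at a disposable mail provider.
    last_reset = {}
    for ev in ordered:
        if ev.kind == "reset_request":
            last_reset[ev.subject] = ev.ts
        elif ev.kind == "contact_change":
            t = last_reset.get(ev.subject)
            if t is not None and ev.ts - t <= CONTACT_CHANGE_WINDOW:
                alerts.append(("contact_change_after_reset", ev.subject))
            if ev.new_email and email_domain_is_disposable(ev.new_email):
                alerts.append(("disposable_email", ev.subject, ev.new_email))
    return alerts


# Constructed sample events: two resets from flagged numbers, one legitimate-looking
# reset, a contact change to a throwaway address hours after a reset, and a benign
# change weeks later.
T0 = datetime(2016, 4, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "reset_request", "rep-1001", caller_number="+15550100200"),
    Event(T0 + timedelta(hours=2), "reset_request", "rep-1002", caller_number="+15550100999"),
    Event(T0 + timedelta(days=1), "reset_request", "rep-1003", caller_number="+15550100300"),
    Event(T0 + timedelta(days=1, hours=3), "contact_change", "rep-1003", new_email="x@yopmail.com"),
    Event(T0 + timedelta(days=30), "contact_change", "rep-1002", new_email="rep@example.com"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if ev.kind == "reset_request":
            print(ev.subject, screen_reset_request(ev))
    for alert in detect_reset_abuse(SAMPLE_EVENTS):
        print(alert)
```

The first check is the one that matters most for the rule: a "red flag" is only worth defining if the reset workflow is blocked on it rather than merely logging it. The burst and post-reset-change detections are after-the-fact signals that would have surfaced the intrusion within its six-day window even if the flag had been missed.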

Voya had an identity theft program in place since 2009 but the program was not updated, nor was it approved by the firm’s board of directors or senior leaders, as is required. Instead, the program languished, was ignored by Voya’s security team and fell far below the requirements of the regulation.

Although Voya did not admit or deny liability in the SEC settlement, the commission deemed the firm’s violation of the red flags rule as “willful.”

“VFA’s [Voya Financial Advisors] board of directors or a designated member of VFA’s management did not administer and oversee the Identity Theft Prevention Program, as required by the Identity Theft Red Flags Rule,” concluded the SEC.

In the settlement, the SEC ordered that Voya clean up a laundry list of data security issues and also mandated that it engage a consultant to monitor its compliance with the red flags rule. This is also the first time the SEC has ordered use of an independent monitor to police compliance with the red flags rule.

Yet it’s likely that few firms and even fewer boards are aware of the rule. Many firms and their leaders are familiar with the SEC’s general data security rule and its guidance to public companies about disclosing cybersecurity risks and data breaches, but the red flags rule—for all its timeliness and importance—has flown under the proverbial radar screen.

Over the past few years, the SEC has made scrutiny of companies’ cybersecurity practices a priority. Earlier this year, the agency updated guidance to public companies, telling them to beef up cybersecurity risk factors and data breach disclosures. And in April, the SEC pursued its first-ever cybersecurity disclosure enforcement action over the massive Yahoo! data breach after it was learned that the company sat on news for more than two years that hackers had made off with the personal information of more than 500 million users. Altaba, the holding company that remains of Yahoo after the sale of its operating business to Verizon, was fined $35 million for the tardy disclosure.

With the SEC toughening its stance on data security issues, corporate leaders and board members should treat the Voya case as an object lesson and ensure that their identity theft programs are up-to-date and align with the particular cybersecurity risks that face their organization. Although Voya was only hit with a symbolic $1 million fine, it’s doubtful that the SEC will be as forgiving in the future.


Craig A. Newman is a partner with Patterson Belknap Webb & Tyler LLP, the New York law firm, and chair of its Privacy and Data Security Practice. All thoughts are his own.