Former FBI Director James Comey kicked off Compliance Week’s 16th annual National Conference on Tuesday by speaking candidly about a variety of risk and compliance matters, including the importance of a strong ethical culture in the coming post-pandemic “boom times” and why federal intervention might be necessary in response to cyber-attacks against systemically important institutions that are either unable or unwilling to do what it takes to protect themselves.
“I find it infuriating in 2021 that a systemically important enterprise can be taken offline by a ransomware attack, given [ransomware] has been with us for more than a decade,” Comey said, referencing the May 7 cyber-attack against Colonial Pipeline that temporarily halted the company’s operations.
While Comey said he does not know what federal intervention should look like, he emphasized it was needed. “If you don’t have the backup systems in place in anticipation of a ransomware attack, you are incompetent,” he said. “Regulators need to insist that systemically important actors in any industry are not incompetent.”
He also said it is a mistake for companies to think of cyber-risk as separate and apart from personnel risk. “If you’re thinking of cyber-risk as different than personnel risk, you’re not thinking about it in a way that is going to keep your enterprise safe,” he said. It is not just about having robust cyber-security controls—it is also about giving your employees the knowledge they need to prevent and detect those threats. All compliance risks overlap, because they all have to do with the activities and conduct of people, he said.
Chief ethics and compliance officers have an especially difficult job right now, Comey said, because of the “populous wind” blowing on both sides of the political spectrum in the United States—a tense wind of public discourse, a palpable feeling in the air of people being fed up and wanting to see more individuals being held accountable for their misdeeds.
While those feelings are understandable, Comey said, “people have merged that with, ‘We can’t trust big companies. We can’t trust these big institutions.’ I think it becomes all the more important for you and your leadership to understand the danger in that and the responsibility that it brings to all of you.”
Moreover, the current environment places even greater pressure on enforcement agencies to respond aggressively when people run afoul of the rules, or are perceived to run afoul, Comey added. For companies and culpable individuals, that means the risk of enforcement increases as well.
Comey reminded practitioners that having the right training and following rules doesn’t mean you have a healthy culture of compliance. “You’re missing what culture is,” he said. “Understanding it and shaping it is the key to avoiding engagement with a regulator or prosecutor.”
One way ethics and compliance professionals can stress culture is to “tell them scary stories. Tell them the story of Enron,” Comey said. Additionally, it helps to learn from the best practices of your competitors and how they promote culture from within, he said.
Speaking of Enron, Comey sees a potential repeat of the business environment that led to the company’s widespread fraud and eventual collapse in the early 2000s. It’s a lesson he hopes won’t need to be repeated.
“The lessons of the Enron era may feel like 20 years ago … but they’re going to become real again,” he warned.
Protecting corporate culture will become even more important as new environmental, social, and governance (ESG) issues arise and evolve. A particularly pressing matter today is diversity, equity, and inclusion, as well as employees’ well-being.
While the issues that society cares about and focuses on may change over time, today’s environment of “forced transparency is not going to go away,” Comey said. It is no longer possible for any company to do anything in secret, he said. “The world is watching.”