Intersection of Compliance with IT in Business

“Sotheby’s maintains compliance policies and procedures that govern data collection, storage, maintenance, destruction, sharing with third parties, and security”

Another factor contributing to the success and effectiveness of Sotheby’s cyber compliance program is that the compliance team works closely with the IT team and our chief technology officer to formulate and set standards governing, among other things, the safe use of mobile devices for business purposes, data access controls, and confidentiality.  In addition to maintaining detailed and robust policies setting forth our information security practices and procedures, Sotheby’s compliance team delivers regular, relevant targeted training to all staff, management and the Board of Directors on these subjects. 

We conduct live training sessions in which we reinforce the message that cybersecurity is important to our clients, shareholders and our company, and we address specific practices and behaviors that we expect staff to abide by in order to protect the data we hold.  For instance, we not only review our incident response plan with relevant managers and staff, but we have also conducted “table top” exercises where we have worked through how we would handle a breach.  This type of training and education is in place to enhance our preparedness to swiftly act and to contain a cyber-breach event should one occur. In addition to taking appropriate precautions with, documents and verbal communications and with the art work and other extraordinary objects that Sotheby’s handles on a daily basis, we stress the need to apply special care to digital and electronic communications taking place over the internet and voicemail. When using Sotheby’s technology, or when using personally owned technological devices for Sotheby’s business, Sotheby’s requires staff to adhere to our password requirements and rules prohibiting unauthorized downloading of applications or email attachments. 

On those occasions when Sotheby’s works with third parties, we take steps to conduct due diligence into their technology security practices, and to secure enforceable representations that there will be ongoing security maintained.  We expect any third party to apply equally stringent cyber-security standards as we do.

The use of technological social media has brought another sea change in behavior in the last decade.  At Sotheby’s, we encourage our employees to participate responsibly on Social Media channels, and to be responsible in the use of online tools in a way that is consistent with all Sotheby’s policies. Regardless of where staff accesses the Internet via Sotheby’s systems or on personal computers, the obligation to protect all confidential information about clients, the Company, and employees must be respected. 

At Sotheby’s the Compliance and Business Integrity Department also works hand in glove with our IT Department to coordinate our approach to technology and compliance, as we recognize that it takes both strong IT systems and a strong culture of compliance to create a business environment that is protected from cyber and data loss threats.