The Evolving Partnership: Compliance and Cybersecurity (Part I of IV)
If you ask corporate board members and senior executives to list their number one risk (other than financial operations), the answer in today’s risk environment is clear – cybersecurity and data privacy. The rapid elevation of this risk is reflected in weekly headlines announcing ransomware, cyber-attacks and data breaches. In NAVEX’s recent State of Compliance Survey, one in three respondents indicated their company had experienced at least one attack/data breach in the last three years.
Companies that have experienced a cyber-attack are forever changed. The board and senior executive team quickly find religion. But are we really surprised? When FCPA enforcement was ramping up, companies caught in the crosshairs quickly found religion. As much as CCOs seek to educate companies on the importance of proactive risk mitigation strategies, boards and senior executives continue to cling to a reactive approach.
When it comes to cybersecurity and data protection, board members and senior executives have a steep learning curve – it is imperative to learn the risks, the technologies, and risk mitigation strategies. Chief Information Security Officers recognize the importance of bringing everyone up to speed and establishing a system of enterprise risk management around information technology and security.
In charting this new path, CISOs and Chief Compliance Officers are coming together in new ways. CCOs are excellent partners – CCOs have line of sight across the organization, are familiar with risk assessment principles, implement policies and procedures, and can deliver important training and education programs.
Employees understand the significance of cybersecurity and data privacy in the workplace. Employees want to avoid a cyber incident and know from the news and their own experience the dangers of hackers. To mitigate internal threats to systems and data, employees need to be educated on hacker techniques and the latest set of risks. Overall, employees have to implement a set of best practices for password protection, avoidance of phishing and other scams (including false vendor schemes), and proper information security hygiene.
CISOs can leverage CCOs for their knowledge of governance, risk management and training and audit principles. In many companies, CISOs operate as second-class governance functions, partly because board members and senior executives do not know how to execute enterprise governance strategies in this area.
Corporate boards are evolving in this area. Some boards are adding cyber experts to their boards, and if the SEC’s cybersecurity rules are adopted, every board will be required to add such expertise and disclose the board’s cyber capabilities and experience.
It is important to remember that at least 50 percent of cyber or data breaches are the result of an internal actor – either intentional or through negligence. A disgruntled employee can wreak havoc by circumventing data security controls to steal trade secrets or data, or even cause a serious breach. In some cases, employees may fall victim to a phishing email because of a failure to identify the situation and take basic precautionary steps.
To the extent that cyber risks are created by internal employee behavior, CCOs are natural experts in developing strategies to mitigate such risks and monitoring employee behavior. Indeed, CCOs may have in place various procedures that can be expanded to include basic cyber risks. CISOs and CCOs should look for these kinds of opportunities.
First, CCOs know how to design controls and can work with CISOs to ensure that employees are unable to circumvent internal information access controls. CCOs can also work with the same team and with physical security staff to ensure that on-site data processing and storage operations (as opposed to cloud-hosted ones) are physically secured and that access to them is closely monitored and protected.
Second, CCOs are excellent at designing and conducting training programs. Working with the CISO team, CCOs can ensure employees are properly trained on cybersecurity issues, conduct real-time training (such as simulated phishing exercises) so that employees learn to identify and avoid falling for a phishing scheme, assess whether the training program is meeting its objectives, and improve the program over time.
Third, one third of cyber and data events are caused by third parties. CCOs and CISOs have started working together to include cyber risks as part of an overall third-party risk management program.
Finally, CCOs know how to conduct risk assessments, design controls to mitigate the risks, measure the performance of the controls, and conduct testing and auditing of the program.