In a downturn economy like the one we’re living in today, it makes sense for CFOs to pull the purse strings tight, hold down expenditures, or cut budgets outright. But that doesn’t mean every department should simply try to do more with less.
Risk management and compliance are critical business capabilities that deserve adequate attention and resources in the current climate. An organization with weak risk management and compliance capabilities invites risks and regulatory trouble, but a strong compliance program can help a business thrive.
In this article, we’ll explain why your organization should increase its risk management and compliance budget in 2021.
1. Regulators Want to See That Compliance Programs Are “Adequately Resourced For the Company’s Risk Profile”
When a compliance violation has been discovered by regulators, the first thing they look for is whether the business has a well-documented, current, and effective compliance program. The U.S. federal sentencing guidelines state that when a corporation has been convicted of a crime, the two factors that mitigate the ultimate punishment of the organization are: “(1) the existence of an effective compliance and ethics program; and (2) self-reporting, cooperation, or acceptance of responsibility.”
In June 2020, the Department of Justice posted a round of new revisions to its “Evaluation of Corporate Compliance Programs” guidance. The update describes and clarifies what new items prosecutors may consider in the areas of risk management, policies and procedures, training and communications, mergers and acquisitions, and more in the evaluation of corporate compliance programs.
New language has been added to reflect how the Criminal Division evaluates a company’s risk profile; it states that prosecutors will make a “reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”
Revised language directs prosecutors to ask companies whether their compliance program is “adequately resourced and empowered to function effectively”.
Reading between the lines, that means regulators want to see that you have enough people with the right skill set to run your compliance program, a sufficient set of tools to operate and maintain your compliance program, and enough resources devoted to making continuous improvements to your program — all in line with your risk profile.
2. Regulators Have Put Companies On Notice to Create Third-Party Risk Management (TPRM) Programs
At this time, regulators have concluded that organizations cannot maintain an effective compliance program unless they’re doing sufficient due diligence and ongoing monitoring of the third parties they work with.
The DOJ’s updated “Evaluation of Corporate Compliance Programs” guidance released in June 2020 mentions third parties 33 times. Specific to third parties, the updated DOJ guidance tells prosecutors to consider “whether the company knows… the risks posed by third-party partners.” Another TPRM-related question added to the new guidance relates to ongoing monitoring: “Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”
If you haven’t been paying much attention to your third parties to date, the DOJ has made it clear that paying attention isn’t optional.
It makes sense that the DOJ has put out updated guidance on this particular area, as organizations are developing and maintaining more and more third-party relationships each year. A large organization may work with more than 10,000 third parties in a given year, according to a new survey from Compliance Week and Aravo. Yet, most organizations don’t take third-party risks all that seriously.
The same survey also found that 83 percent of organizations are not conducting ongoing monitoring or due diligence on all of their third parties. Meanwhile, 33 percent of all respondents said their TPRM programs aren’t adequately resourced and 27 percent said they didn’t have a team dedicated to TPRM.
If you are among the 33 percent without an adequately resourced TPRM program, your compliance program is out of line with the DOJ’s guidance.
And if getting into regulatory trouble isn’t worrisome enough, you should know that third parties are often the root cause of disruptive incidents that jeopardize a company’s reputation. In a 2016 global survey of 170 firms conducted by Deloitte, 87 percent of survey respondents said they faced a disruptive incident with third parties in the last 2-3 years. Of those who experienced a third-party incident, 26.2 percent suffered reputational damage, 23 percent violated regulatory requirements, and 20.6 percent experienced a breach of sensitive data.
Staying in compliance with GDPR and CCPA Requires Third-party Oversight
Moving forward, we predict organizations with lax compliance programs will face a greater risk of experiencing regulatory infractions and reputational damage.
Why? Because newer privacy laws like the GDPR and the CCPA hold companies responsible for privacy and security slips of their third parties. These laws grant consumers a limited private right of action against unauthorized access and exfiltration, theft, or disclosure of certain types of personal information, including the right to seek statutory damages.
Although the CCPA came into effect in January 2020, legal cases were filed as early as February against companies that allegedly lost consumers’ personal information, even though that personal information was hosted by a third-party application.
On February 3, Bernadette Barnes, a California resident who shopped at Hanna Andersson (a children’s clothing store), and her attorney used the CCPA as the legal basis to bring a class action complaint in U.S. District Court against Hanna Andersson, LLC and Salesforce.com. They filed the complaint after Barnes learned that hackers had scraped customer names, payment card numbers, and other personal information from Hanna Andersson’s e-commerce platform. The complaint alleges that the hacked data, which was found for sale on the dark web, was hosted by Salesforce on its e-commerce platform. It also alleges that the e-commerce platform was infected with malware, which is what led to the data breach.
3. Governments and Enterprises Expect Vendors to Demonstrate Cybersecurity Maturity With Independent Audits and Certifications
Is your organization planning to enter new markets or verticals next year? If so, you may not have a choice but to invest more in cybersecurity, third-party attestations, and compliance certification programs. This is especially true if you want to conduct business with the U.S. government.
In the fall of 2020, the Department of Defense (DOD) rolled out its new Cybersecurity Maturity Model Certification (CMMC) program, a program that requires companies to demonstrate CMMC-level practice and process effectiveness, governance, and cybersecurity maturity with independent audits and certification as a “pre-qualification” requirement prior to contract award. It is likely to create a ripple effect and become a widely adopted cybersecurity standard for all future U.S. and international commercial and government businesses.
The DOD had previously allowed its suppliers and contractors to self-attest that they were maintaining a cybersecurity program that protects Controlled Unclassified Information and Federal Contract Information. But the DOD saw that many organizations had not made the required information protection investments, did not have the necessary cybersecurity skills or maturity, and did not perceive themselves as likely targets.
The DOD’s response, intended to reduce the exfiltration of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), is to increase cybersecurity requirements, non-compliance penalties, and supply chain enforcement for defense contractors, including many in the aerospace industry. The culmination of this is the CMMC, a new requirement for all DOD contracts starting in the fall of 2020.
“The CMMC is a key element of the DOD’s overall strategy to facilitate an industry-wide cultural shift with significant and far-reaching impacts, not least of which are elevated penalties for non-compliance — including the loss of current and future DOD business, personal and corporate liability, and negative corporate brand impact,” says Jerry Fleishman, VP of Regulatory Business Advisory for CORTAC Group.
4. Delaying Investment in the Short Term May Drive Up the Total Cost of Compliance in the Long Haul
If your organization relies on manual processes and ad-hoc tools (e.g., Excel, file storage systems, project management systems, email) to get compliance work done today, and you need to meet additional regulatory requirements next year, making an upfront investment in supportive tools is the smart choice. Otherwise, the total costs you will incur in the next few years in order to meet your compliance obligations will likely end up being greater than you’d projected.
Why might this be the case?
First, using spreadsheets to run your compliance program simply doesn’t scale. If your organization needs to go through multiple cybersecurity-related audits each year and the compliance team tracks the requirements, controls, and to-dos in Excel, the risk of making errors and missing important issues is quite high.
Second, given that different cybersecurity standards (e.g., HIPAA, NIST SP 800-53, PCI DSS, SOC 2, CMMC) overlap to some degree, you can save time and effort if you cross-map the controls first and see how much of your existing program can be leveraged to fulfill a new compliance standard. However, it is extremely difficult to crosswalk controls between different cybersecurity frameworks in Excel — so the crosswalk exercise typically isn’t done.
If your compliance team doesn’t have visibility into the overlapping requirements across different security/compliance frameworks, they will repeat the same work multiple times (e.g., collecting evidence that would satisfy a control for PCI DSS, ISO 27001, and SOC 2 three separate times). Control owners end up testing the same control multiple times (once per assessment) because they don’t realize that the control is common across multiple security standards.
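The crosswalk idea above, as an added example that is not part of the original article: a small control-to-common-objective mapping, used to count how many evidence requests a crosswalk saves and how much of a new framework an existing program already satisfies. The control IDs are real framework identifiers, but the mapping between them is constructed for illustration and is not an authoritative crosswalk.

```python
from collections import defaultdict

# Constructed crosswalk: (framework, control id) -> shared common-control objective.
# Illustrative only; a real program would use a vetted mapping such as a
# published framework crosswalk.
CROSSWALK = {
    ("NIST SP 800-53", "AC-2"): "account-management",
    ("PCI DSS", "8.2"): "account-management",
    ("SOC 2", "CC6.1"): "account-management",
    ("NIST SP 800-53", "AU-2"): "audit-logging",
    ("PCI DSS", "10.2"): "audit-logging",
    ("SOC 2", "CC7.2"): "audit-logging",
    ("NIST SP 800-53", "IR-4"): "incident-handling",
    ("SOC 2", "CC7.4"): "incident-handling",
    ("PCI DSS", "3.4"): "data-at-rest-encryption",
}


def common_controls_by_framework():
    """Group the common-control objectives each framework requires."""
    by_fw = defaultdict(set)
    for (fw, _cid), common in CROSSWALK.items():
        by_fw[fw].add(common)
    return by_fw


def evidence_requests(frameworks):
    """Return (naive, deduplicated) evidence-collection rounds for a set of
    frameworks: naive collects once per framework control, deduplicated
    collects once per shared objective and reuses it across frameworks."""
    naive = sum(1 for fw, _cid in CROSSWALK if fw in frameworks)
    deduped = len({c for (fw, _cid), c in CROSSWALK.items() if fw in frameworks})
    return naive, deduped


def reuse_from(existing_framework, target_framework):
    """How much of the target framework an existing program already covers.
    Returns (fraction of target objectives satisfied, sorted list of gaps)."""
    by_fw = common_controls_by_framework()
    needed = by_fw.get(target_framework, set())
    if not needed:
        return 0.0, []
    satisfied = needed & by_fw.get(existing_framework, set())
    return len(satisfied) / len(needed), sorted(needed - satisfied)
```

With the constructed mapping, auditing against all three frameworks takes nine evidence requests naively but only four once deduplicated, and a SOC 2 program already satisfies two of the three PCI DSS objectives listed.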
A 2020 report from Coalfire and Omdia found that for the majority of organizations, growing compliance obligations are now consuming 40 percent or more of IT security budgets and threaten to become an unsustainable cost. This is primarily due to the fact that organizations have more and more compliance frameworks they need to adhere to, and they’re duplicating effort from framework to framework.
These inefficiencies in compliance management have an insidious effect. Security and compliance teams have a finite amount of time and resources to achieve their objectives. The more time they have to spend on administrative and repetitive tasks just to meet their existing compliance obligations, the less time they have for other important tasks, such as:
- Investigating security alarms
- Testing controls on high risk areas
- Implementing new tools to better identify threats and prioritize their work
- Training employees to be more security conscious
- Talking to business units to understand what’s changing in the business and how those changes may create new risks or amplify existing threats
- Updating security policies and operating procedures in response to those changes.
When you deploy compliance operation software to minimize the time spent on manual, repetitive activities and create streamlined workflows, compliance and security teams are able to get the time back to focus on making improvements to your risk management program.
Last but not least, investing in compliance technology now can save you from a much bigger cost down the road: Losing valuable knowledge when a key member of your compliance team leaves the company.
Now that all of us have adjusted to a new reality of remote work due to the pandemic, employers have started to broaden their candidate searches to consider remote candidates they wouldn’t have considered just a year ago. This means that skilled professionals have more opportunities than ever to jump ship. At this moment, we have to be prepared to see some attrition in compliance and cybersecurity teams.
If a key member of your compliance team were to quit, and records of corporate compliance and audit-related activities weren’t tracked well or documented in an accessible format, their departure could leave you with headaches and unexpected expenses.
5. Compliance Can Create a Competitive Advantage
If you’re operating in a crowded market and you want to gain an edge over the competition, running an effective risk management and compliance program can give you that edge.
When you use a risk management framework to guide your cybersecurity and compliance activities, continuously monitor your environment, and make improvements as you go, you are building a safer, more resilient organization. You can avoid the disruptive incidents others have experienced and use your compliance program as a selling point.
Research suggests companies that incorporate risk management into their business strategy see better growth and increased profit margins while improving their ability to provide a better customer experience. A PwC US report that surveyed more than 1,200 senior executives and board members revealed that 55 percent of companies that embraced risk management recorded increased profit margins; 41 percent achieved annual profit margins of +10 percent.
In fact, 87 percent of risk leaders said they’re investing in improving their organization’s resiliency programs.
6. CEOs Could Face Jail Time for IoT Attacks by 2024
Cyber-attacks can do more damage than causing the loss of a company’s IP, trade secrets, and sensitive customer information, or causing service outages. They can also lead to human fatalities. In those cases, leaders won’t be able to plead ignorance or hide behind insurance policies.
Gartner, the analyst firm, predicted that as many as 75 percent of business leaders could be held liable by 2024 due to increased regulations around so-called “cyber-physical systems” (CPSs) such as IoT and operational technology (OT).
Gartner defines CPSs as “engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world, including humans.” For instance, a medical device could be hijacked to prevent life-saving medicine from being dispensed, or a connected car could be remotely directed to crash.
Gartner asserted that the financial impact of such attacks on CPSs resulting in fatalities could reach as much as $50 billion by 2023.
“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner.
“In the US, the FBI, NSA, and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
As such, leaders must become aware of the scale of CPS investment in their organizations, understand the risks CPSs represent and allocate budget appropriately in order to secure these systems.