Regulatory compliance is not a new topic, nor a new challenge, for businesses. It is a necessary governance overhead that organisations of all sizes have grappled with for some time, particularly those in highly regulated sectors such as insurance and financial services. However, the growing importance of cyber security assurance has made being compliant more critical for organisations than ever.
There are a number of regimes that businesses need to conform to, whether rules mandated by a regulator such as the Financial Conduct Authority (FCA), a security standard such as the IASME Gold Standard or ISO 27001, or a regulation protecting data privacy such as the European Union’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018. The consequences of getting compliance wrong can be severe: mandatory financial penalties, loss of revenue and painful cyber security breaches. According to communications provider Verizon, in the 10 years it has produced its PCI Compliance Report on payment-card security, not one of the organisations that suffered a disclosed data breach was ‘fully compliant’ at the time the incident occurred.
COMPLIANCE IS ABOUT BUSINESS CHANGE
The first lesson in reducing the strain of compliance is understanding that it is far from a box-ticking exercise that can be undertaken once and then forgotten. It is an ongoing commitment that evolves in step with changes in the market and changes in the business itself.
Responsible organisational leaders know that governing compliance is a necessary requirement, but there is sometimes a lack of clarity over who within the organisation is responsible for ensuring it is properly undertaken. In some organisations this responsibility ends up being batted between the IT and legal departments, whereas arguably compliance management should be jointly owned. Increasingly, a board- or c-suite-level executive takes the lead and ensures that compliance responsibilities are assigned to the appropriate chief officer.
In the first two quarters of 2018, Pulsant commissioned research into cyber security and compliance, for which research firm Censuswide surveyed 202 IT decision-makers, business executives and compliance officers at UK businesses across diverse industries.
The resulting report, The State of IT Compliance – Exploring Attitudes and Approaches to the Compliance Challenge, revealed that most executives polled (69%) said that complying with IT regulations for cyber security and data privacy was ‘very important’ to their business, accounting for at least 17% of their annual IT budgets. However, 28% did not know which specific cyber security regulations their business had to comply with.
Forty-three per cent of those surveyed said that managing compliance with IT regulations was a ‘major challenge’. Other challenges involved in compliance were time and resources, the cost and getting ‘management buy-in and support’.
Reported problems in getting the board’s support for IT compliance are perhaps surprising, given the increasing number of corporate hacks and data leaks that have attracted global media coverage, and dented several high-profile company reputations, in recent times.
The Pulsant research is in line with other research on IT compliance and cyber security. For example, the UK government’s FTSE 350 Cyber Governance Health Check Tracker Report, published in 2017, found that more than half (54%) of the UK’s top 350 companies stated that cyber risk is one of the top risks faced by their business operations. But only 31% of the boards polled reported that they received comprehensive information about cyber risks (up from 21% in 2015-2016). Moreover, the majority had not been trained in how to respond to a cyber security incident.
There seems to be something of a disconnect between what many company leaders say about IT compliance (that it is a boardroom priority) and what their companies do: some directors still admit to patchy knowledge of IT compliance. Staffing is modest, too. Pulsant’s research found that 55% of organisations surveyed have between one and five full-time staff dedicated to compliance management, and 26% said they had the equivalent of less than one full-time employee responsible for compliance. One reason for the small compliance teams in many companies may simply be that it is hard to find hires with the requisite skills, and the shortage pushes up their salary expectations (so fewer, but better-remunerated, staff).
Escalating cyber threats; new regulations and standards, such as the aforementioned GDPR, electronic IDentification, Authentication and trust Services (eIDAS) and the Payment Card Industry Data Security Standard (PCI DSS); uncertainty over Brexit (will it hamper recruitment of EU IT workers?); and the increased demand, and therefore salaries, for skilled IT compliance staff: all of these add up to a considerable challenge for company leaders.
Most business executives questioned for The State of IT Compliance said that they had the right skills, or access to them, to cope with IT compliance: 92% said they could deal with compliance using their own staff, a supplier, or a combination of both.
IT compliance is no longer just an IT matter. Data and IT systems cover all an organisation’s departments (finance, sales, marketing, ‘risk’ departments), people and procedures. People are key to IT compliance. They need to know exactly how their actions affect the compliance processes, what they should be doing (and not doing), and the consequences of non-compliance.
Some argue that the most effective approach to compliance is to have initiatives championed at board level. As mentioned earlier, board-level support is not always forthcoming: 22% of respondents in the State of IT Compliance research reported that management support and buy-in was a challenge in their organisation. But that figure is certainly an improvement on what might have been expected just five years ago.
This leads to another key question on the compliance journey: who, ultimately, is responsible for IT compliance in the 202 companies surveyed for The State of IT Compliance?
The quest for compliance is an organisational initiative that touches all areas of the business: its people, its technology and its processes, and success in achieving and maintaining it depends in large part on employees. When it comes to who, specifically, is responsible, The State of IT Compliance shows that the IT department is predominantly responsible for compliance (55%), with other roles having some responsibility too: the security manager (29%), a dedicated compliance officer or manager where one exists (26%) and the risk manager (20%).
However, 33% of IT decision-makers declare that achieving IT compliance is ‘the responsibility of the c-level’ (the c-suite). Concerningly, the lack of management support cited by respondents highlights a gap between what is needed and what is actually taking place.
Whatever the challenges of getting the right compliance staff, one thing is evident: a company’s board will take the flak if its IT systems are successfully hacked (‘successfully’ from the hacker’s viewpoint, that is) or if sensitive data it holds is leaked accidentally.
In the UK, mitigating cyber risks is a ‘fiduciary’ duty (a legal responsibility) for company boards, as outlined by the Companies Act 2006. A board’s failure to understand and mitigate cyber risk, for example by failing to implement appropriate cyber security measures, could ‘equate to a breach of these duties’, says global law firm Norton Rose Fulbright in a thought leadership article, ‘Cyber risk and directors’ liabilities: an international perspective’.
Other countries, including Germany and the United States, place similar legal duties on company boards. There is also the possibility of shareholder or investor litigation following a successful, publicly disclosed cyber attack.
‘At a corporate level, most people are now aware that an adverse cyber incident can have significant consequences for an affected organisation,’ Norton Rose Fulbright points out: ‘Legal developments and shifts towards a more litigious culture relating to cyber risk and, in particular, the use of personal data in various jurisdictions, also mean that more litigation is being brought against organisations for matters that relate to cyber risk’.
It continues: ‘These increased risks can translate into personal liability for board members in a variety of ways… While the scale and severity of personal liability risks can vary across different jurisdictions, personal liability is possible in all jurisdictions’.
Norton Rose Fulbright gives the example of Germany: under German law, company directors can be held liable for breach of their duties, which include a duty to ensure that the company’s IT infrastructure is sufficiently protected to secure its data and avoid cyber risks. Directors are therefore obliged to implement the technical and organisational measures set out in the German Data Protection Act (Bundesdatenschutzgesetz) and the German IT Security Act (IT-Sicherheitsgesetz).
But does this mean that the board or c-level will become more directly involved in implementing and governing regulatory compliance? Liability will certainly play more of a part, in that board and c-level executives will have greater accountability, and may even face penalties, should something go wrong.
A case in point is GDPR, under which much larger fines can be imposed on businesses found to be non-compliant. Some in the industry speculate that such fines could in future be extended to individual board directors or c-suite officers. So, while the board may not be more involved in establishing the controls themselves, there will certainly be far more accountability for ownership of them.
So, let’s take stock. Compliance is critical for businesses. Lack of compliance affects the bottom line, and stakeholder trust. In some industries, a failure to comply with rules can stop an organisation’s operations altogether. Consequently, it is a task that many, maybe all, organisations are now in the process of tackling.
That is a good thing; the question is whether they are doing it as well as they think they are. Given the lack of understanding of IT compliance rules, and of the steps needed to comply with them, demonstrated by The State of IT Compliance and other studies, the answer, alas, is ‘no’. Boards need to improve their knowledge of IT compliance and explain more clearly how staff in every part of the business can help. Technology such as cloud computing, automation, regulatory technology (‘RegTech’) and Big Data/data analytics software can help companies comply with IT regulations more quickly and cheaply.
Improving IT compliance doesn’t necessarily mean spending more on cyber security and compliance staff. But it will often require company boards and c-suites to take a lead on the matter, educating themselves and all employees about the importance of protecting customer data, how to spot cyber threats, and what to do about them. As cyber threats proliferate, IT compliance is becoming as important a sign of corporate ‘healthiness’ as being able to verify a strong balance sheet or order pipeline.
Going forward, it is likely that there will be even more rules and regulations to follow, and for boards and c-suites to keep abreast of. As stated earlier, organisations already align to major frameworks, such as the aforementioned ISO 27001 or FCA guidelines. But as those frameworks evolve, there are likely to be additional parameters and requirements to consider, especially around cloud: the prevalence of hybrid and multi-cloud deployments and the migration of infrastructure to public clouds. The FCA, for example, has already published specific guidance (FG16/5) on outsourcing to the cloud and other third-party IT services, and other national and international regulators and frameworks are likely to follow suit.
What this means for businesses is that maintaining IT/cyber security compliance into the 2020s is likely to be a little more challenging as the process turns more prescriptive. But with the right approach, processes and technology, achieving and maintaining compliance need not be an impossible task.
THE JOURNEY TO COMPLIANCE
So compliance is critical for businesses, that much is acknowledged, as is the fact that a lack of compliance affects the bottom line and stakeholder trust and, in some industries, can stop organisations from operating. As a result, it is a requirement that many, if not all, organisations must tackle. But the question remains: are they doing it as well as they think they are?
Given the lack of understanding of compliance frameworks demonstrated by the sample, perhaps the answer remains ‘no’. There could be a gap between what is being done and what should be done, and this is especially true when it comes to maintaining IT compliance. Compliance must keep pace with the rate of change within the business, in terms of innovation, new products and new services. Otherwise the effort of staying compliant becomes a brake on adopting cloud and other new technologies, organisations miss out on the benefits those technologies deliver, and they cede competitive edge.
What is clear from the State of IT Compliance research is that while managing and maintaining IT compliance is expensive, time-intensive and complex, businesses are trying to achieve it. Organisations are using a mixture of dedicated staff and technology to effectively manage IT compliance, but they are encountering significant challenges such as lack of budget, time, resources and skills – despite the fact they believe they have the means in place. However, The State of IT Compliance respondents did express a desire for better benefits from their tools and technologies, as well as a need for increased automation around the IT compliance process.
Overall, while IT compliance is being addressed, there is a definite need for the process of achieving and maintaining it to be optimised, streamlined and made more effective and easier. This can be accomplished with smarter, more intuitive tools and technologies and by automating processes, in order to gain the benefits organisations are after, such as real-time alerts, better reporting and bringing all data sources together.
This is reflected in the emerging RegTech sector. RegTech is playing an increasingly important role in supplying organisations with the advanced solutions required to meet their escalating compliance needs. Regulation is one of a number of services to receive the ‘tech’ treatment in recent times, according to Deloitte: ‘As with FinTech, RegTech will mean different things to different people in this developing area’.
Increasing levels of regulation and more challenging regulatory expectation are ‘having significant operational impacts on firms requiring people-, process- and technology-based solutions,’ a report from Deloitte has said. ‘With respect to new legislation and regulations, this can create challenges around understanding, implementing and embedding the new requirements, whereas for existing legislation there can be challenges around understanding and managing the risks.’
While focused largely on the financial services market, RegTech has the potential to become a much-needed helping hand for businesses, especially as the regulatory world becomes more crowded and complex. Going forward, it’s reasonable to expect that there will be an increased demand for this type of technology that can optimise the compliance process, both from a management and maintenance point of view.
Words: Javid Khan, Chief Cloud Officer at Pulsant. Images: Shutterstock.