Operationalizing Compliance - A Powerful Antidote for Data Security
25 October 2016
Regulatory risk management is challenging. Although many corporations have successfully moved their compliance management systems forward, they still struggle to operationalize compliance with applicable rules and regulations effectively and efficiently. Just when you think you're in good shape, regulations change, and sometimes your organization changes as well. Failure to maintain a compliance program that keeps pace with those changes can lead to trouble.
A few years back, Morgan Stanley Smith Barney thought their compliance program was in decent shape. That is, until sensitive customer information was hacked and subsequently offered for sale.
Eventually, the Securities and Exchange Commission stepped in and the firm was fined $1M in penalties for failing to adopt written policies and procedures reasonably designed to protect customer data. Between 2011 and 2014, an employee of the firm accessed and transferred data from approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties. The employee was convicted on criminal charges and given 36 months' probation and a $600,000 restitution order.
Smaller firms are just as likely to overlook a sturdy security policy that includes an effective regulatory risk management program. Last year, R.T. Jones Capital Equities Management was censured and fined $75,000 after it failed to establish required cybersecurity policies and procedures in advance of a data breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm's clients.
$180 Million in Penalties
Mega International Commercial Bank of Taiwan was recently required to pay a $180 million penalty for violating New York's anti-money laundering laws. Mega Bank must correct the violations by engaging an independent monitor to address serious deficiencies within the bank's compliance program and by implementing effective anti-money laundering controls. According to a statement from the New York State Department of Financial Services, compliance staff failed to review the surveillance monitoring filter criteria designed to detect suspicious transactions. The department also stated that "numerous documents relied upon in transaction monitoring were not translated to English from Chinese, precluding effective examination by regulators."
Failure to comply also caused the U.S. Federal Deposit Insurance Corporation to update its cybersecurity policies after a 2015 data breach in which a former employee kept copies of sensitive information on how banks would handle bankruptcy. The mandate came down from FDIC Chairman Martin Gruenberg after the incident, together with some earlier breaches, drew congressional attention and jeopardized confidence in his agency as a major U.S. banking regulator that keeps confidential data on America's biggest banks.
Control Privileged Activity
"Less than 5 percent of organizations were tracking and reviewing privileged activity in 2015," said Felix Gaehtgens, research director at Gartner. "The remainder is, at best, controlling access and logging when, where and by whom privileged access takes place — but not what is actually done. Unless organizations track and review privileged activity, they risk being blindsided by insider threats, malicious users or errors that cause significant outages."
That percentage is likely to grow as the SEC raises its expectations that corporate compliance officers put more rigorous data security policies in place.
In September 2015, the SEC issued a warning that compliance officers could be charged for negligently conducting their duties, putting more pressure on organizations to fully implement operational compliance controls and to address vulnerable data and information that has not yet been protected.
While it sounds straightforward, instituting controls throughout the enterprise is complex. Operational controls are cumbersome and overwhelming to implement, particularly in organizations with a dispersed workforce and business units in different geographic locations. Plus, the volume of sensitive data within regulated industries is growing.
Demand for Risk Compliance and Governance to Grow by 19%
The research firm Technavio expects enterprise information management, which encompasses all facets of regulatory risk compliance and governance, to grow by 19% per year as companies realize that regulatory compliance is a growing reality.
According to the research, "organizations are subject to follow regulatory requirements to manage corporate data. Governments worldwide are enforcing acts and policies such as the Sarbanes–Oxley Act (SOX) in the US, the Health Insurance Portability and Accountability Act (HIPAA) in the US, and data breach notification laws that companies need to comply with for conducting business effectively."
Technavio urges collaboration to accomplish corporate goals, integrating different departments and geographic locations by employing enterprise information management tools, which it calls "a powerful antidote by means of collaboration through portal structures."
Also consider the international standard setter for banks, the Basel Committee on Banking Supervision, which issued BCBS 239, Principles for Effective Risk Data Aggregation and Reporting, requiring the largest banks in the world to adopt sound data governance and IT infrastructure. Although the principles took effect in January 2016, many banks reported that they expected to be materially non-compliant by the effective date.
Best practices for managing the growing challenge of risk management for enterprise information and data include:
- A Single Platform - to seamlessly manage all regulatory documents with internal and external parties across all business units, geographies and technologies.
- Operational Controls - to systematically create and store metadata for your regulatory documents as evidence of accuracy, completeness and timeliness:
  - Documents shared, with whom and when – evidencing business decisions and escalations
  - Activity reports at the group, user, workspace, folder and document levels
  - Comments accompanying documents
- Information Security - to include encryption at rest, in use and in motion
- Enterprise Standards - to enforce best practices for the collection, creation, review and distribution of regulatory documents
Former SEC Commissioner Luis Aguilar said it well in a statement last year: "Chief Compliance Officers (CCOs), of course, should not be expected to do it alone. To state the obvious, an effective compliance program must necessarily start at the top. A company's senior leadership should be strong advocates for a robust and enduring culture of compliance; such a culture fosters an environment where everyone understands the firm's core values of honesty and integrity. CCOs are an essential and integral part of this process—but they cannot be expected to do it alone and need to be supported."
Interested in learning more about how Intralinks can help operationalize your compliance program? Visit our business solution for Regulatory Risk Management.
Jim Romeo is a journalist based in Chesapeake, Virginia, with a focus on business and technology. He is an engineer by background and education, and has written for numerous publications including SC Magazine, Security Magazine and TechTarget, among others. He is also the author of two books.