What is the role of compliance in battling cyber risk?

Cross-Industry Compliance Leadership Summit eyes the intersection of two disciplines

“It’s called the cloud,” Deloitte & Touche LLP Principal Julie Bernard remarked. “It’s not called the vault. Keep that in mind.”

Bernard and Deloitte & Touche LLP Managing Director Susan Ameel moderated a session at Deloitte Advisory’s recent Cross-Industry Compliance Leadership Summit about the ways compliance and cyber security meet, and how the executives responsible for those areas might benefit by coordinating their efforts.

Many of the industries most subject to cyber attacks are also among the ones that have the most sophisticated regulatory and compliance obligations. Financial services, energy and utility companies, health care organizations, defense and aerospace – they all have to safeguard their own sensitive data, their customers’ information, or both.

Bernard noted that according to one study, 89 percent of data breaches have a financial or espionage motive.¹ Many of those breaches involve insiders, and much of the data lost includes personal information such as Social Security numbers and dates of birth.

Organizations can’t repair losses like that just by changing a credit card number. Confidences they have pledged to maintain have been broken. That’s a good argument for compliance leaders and cyber security leaders to work in sync. The question is, do they?

Business Line Information Security Officer Mike Leking of U.S. Bank, a former Department of Homeland Security (DHS) official, was a featured panelist at the summit. He said building that kind of partnership takes “handholding, communications, and feedback.”

“Cyber security and information security needs to be embedded into the culture of an organization,” Leking said. “It’s not just something you do during cybersecurity awareness month.”

Leking noted that in his work at DHS, he learned incident management was a frequent weak spot – that some organizations proceed as if they expect never to be hacked, when it’s actually a matter of “when,” not “if.” Threats can come from professional criminals, “hacktivists” fighting for a cause, or from nation-states and terror organizations. Or they can come from a teenager just looking for a challenge. The internal awareness and controls that compliance uses can also help detect and deter those threats.

Other participants in the summit, representing a variety of industries, offered varying assessments of how well they were engaging with their security counterparts:

  • “Partnership is critical” among leaders and teams with different but complementary skillsets
  • Compliance teams can help cyber teams detect and prioritize threats and direct resources where they’re needed most
  • Employee monitoring and control of system access is an area both functions can cooperate on; so are potential red flags such as employees facing termination, but only if the right people share the right information
  • Compliance and cyber security teams can work together to identify “back doors” to complex protective systems – such as a health information terminal that won’t let users copy data, but which doesn’t prevent anyone from photographing the screen

In some cases, Susan Ameel pointed out, cyber and compliance teams can find shared satisfaction in one approach to potentially damaging data: destroy it. But that can be easier said than done.

Another area that concerns both compliance and security leaders is the activity of third parties. The first question may be which unit is responsible for the relationship – the business unit, information technology, legal, or another? Some participants said they make vendors and other third parties complete long questionnaires about their security practices, or sign agreements promising a certain standard of performance. But just as a company cannot contract its own fiduciary responsibilities to another, the cyber security buck stops at home as well.

All participants in the summit discussion acknowledged the stakes are high.

“The defenders have to be right 100 percent of the time, so it’s an uneven playing field,” one compliance chief said. Another noted, “One single click can significantly impact the future of an organization.”

And Bernard recalled desperate times she has witnessed first-hand: “I’ve been involved in cases of the devaluation of a company so they could be bought by a Chinese company for a quarter of a billion dollars less than they should have been, all based on an external threat,” she said. “That’s the freak-out. What if someone got into your systems and changed your financials so that you disappeared overnight?”

¹ Verizon’s 2016 Data Breach Investigations Report, available at http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
