As compliance teams strive to manage new regulations and technological advancements, here are some of the trends and headlines that made compliance news in November and December.
In the face of changing business models, as well as new risks and dynamic global ecosystems, compliance as a discipline is rapidly evolving. Stakeholders rely on compliance teams to not only protect their organizations against regulatory penalties and legal liabilities, but to also strengthen reputation and credibility with customers. As compliance officers seek to demonstrate and enhance the value delivered to their organizations, the following are some key considerations.
While 2020 began with a focus on data privacy, here are some updates on other areas of compliance that made the headlines:
Compliance is now a key topic of discussion at the executive level, and is also a strong part of core business strategy. Newer technologies like AI and advanced analytics are helping compliance teams deliver value to the business in the digital age.
Compliance Week’s second annual technology survey highlighted that “companies are moving along the technological maturity curve in qualitative and quantitative ways today”. According to the survey, companies are willing to spend more in 2019 than they were even a few years ago to build a more robust technology-enabled compliance function. Nearly a quarter (23%) of compliance practitioners said their technology budget is much larger today than it was three years ago.
As compliance teams strive to do more with less, the emergence of new technologies will not only improve efficiency and cost-effectiveness, but will also enable teams to derive quick, meaningful insights from data to make well-informed decisions.
Despite more sophisticated cybersecurity solutions, the number of attacks in the market keeps increasing, and many cybersecurity reports and surveys highlight why organizations need to rethink their cyber strategy and what’s in store for the future. Here is what the media headlined through the GRC lens in September.
As attackers get more relentless with the volume and speed of their attacks, cybersecurity defense must safeguard all possible points of the attack surface. A recent survey of internal auditors, published in City AM, found cybersecurity, regulatory change, and digitalization to be the top three risks faced by businesses across Europe. The shortage of cybersecurity talent exacerbates the cybersecurity problem in a complicated enterprise environment.
According to CISO Magazine, cybersecurity has emerged as a primary investment priority for financial firms in the United Kingdom. A survey conducted by Lloyds Bank reports that cybercrime has jumped from eighth to fourth place since 2018. Banks in the UK are increasing their budget allocation to enhance cybersecurity capabilities at their organizations, Computer Business Review reported.
Another survey, conducted by Infosys among 867 senior executives representing 847 firms from 12 industries with annual revenues over US$500 million across the US, Europe, and Australia and New Zealand (ANZ), reported that almost half (48%) of corporate boards and 63% of business leaders of the surveyed enterprises are actively involved in cybersecurity strategy discussions.
While organizations have started to invest in building an efficient cybersecurity management and mitigation program, they still continue to face difficulty juggling priorities.
A recent study conducted by BitSight revealed that two in five (38%) companies said they have lost business due to a lack of cybersecurity capabilities. An article by Forbes, ‘The Gap Between Strong Cybersecurity And Demands For Connectivity Is Getting Massive’, states, “More devices and less adequate resources mean the attack surface continues to grow.” SC Magazine adds, “Every second that it takes to respond to an attack after it’s been deployed can have a huge impact on the business, be it in terms of man hours spent or sales, and reputation lost.”
Even as enterprises invest in resources and tools to strengthen cybersecurity, why does it continue to be an Achilles’ heel for so many? The month of September revealed a few of the reasons:
Proofpoint’s Annual Human Factor Report states that the vast majority of attacks, 99%, require some level of human input to execute, making individual users the last line of defense.
2. Businesses haven’t made it as much of a priority as they should: businesses are bypassing security to get to market quicker
A recent article by ITProPortal highlights research from Outpost24 which concludes that 34% of organizations bypass security to get products out to market faster. Almost two thirds (64%) of the respondents said they believe their customers could easily be breached as a result of unpatched vulnerabilities in their organization’s products.
3. Third parties aren’t being monitored sufficiently
This month, thousands of resumes were exposed in a third-party breach that originated from monster.com, but the company denied any responsibility, saying that the client “owns the data.” According to CPO Magazine, “Though Monster.com’s denial of responsibility is legally acceptable under United States federal law, it puts the company at odds with the standard data protection requirements of a number of other nations.” This is yet another example of third-party risk acting as a great cybersecurity risk multiplier.
Cybersecurity is a complex problem with no easy solutions. Enterprises need to act quickly as the costs of data breaches are increasing at an alarming rate. According to Dark Reading, “The cost of breaches will rise by two-thirds over the next five years, exceeding an estimated $5 trillion in 2024, primarily driven by higher fines as more jurisdictions punish companies for lax security.” Juniper predicts that data breach costs will grow at 11% each year. The Ponemon Institute’s “Cost of a Data Breach” report, sponsored by IBM, pegs growth at 12% between 2014 and 2019.
Unfortunately, 2019 was the year of data breaches, with some record-setting fines faced by companies like Equifax, British Airways and Marriott. The good news is that progress is being made:
1. Cybersecurity decisions involving the C-Suite:
Companies are fortifying their cyber strategies in alignment with business objectives. Defending against threats requires C-suite support now more than ever. According to CPO Magazine, it’s important for security teams to make business leaders aware of the quickly shifting threat landscape.
2. Companies Are Forming Cybersecurity Alliances:
Over the last few years, tech-focused companies have been forming cybersecurity alliances to support each other, aimed at changing the way companies deal with cybersecurity vulnerabilities and at renegotiating the social contract between states and their citizens. The exchange of information is an effort to raise the collective level of cybersecurity, shape overall security practices, and speed the adoption of security technologies.
3. Artificial Intelligence Is Changing the Cyber Security Landscape and Preventing Cyber Attacks:
New advances in tech hold great promise to build cyber resilience. An article in Entrepreneur highlights how AI is a boon in cybersecurity, by stating, “Developers are using AI to enhance biometric authentication and get rid of its imperfections to make it a reliable system… AI-ML can detect and track more than 10,000 active phishing sources and react and remediate much quicker than humans can… AI-based systems proactively look for potential vulnerabilities in organizational information systems.”
Rethinking cybersecurity strategies has become imperative. With the changing landscape of cyber defense and new tools in the market, enterprises need to focus on building a holistic cybersecurity approach to deliver effective awareness training and a layered defense strategy, one that provides enterprise-wide visibility to better protect the company and its customers in a more efficient and proactive manner.
Google runs into trouble yet again with regulators in the EU, the SEC accuses Volkswagen of carrying out “a massive fraud,” and the FTC launches an inquiry into the privacy practices of large internet service providers — see March 2019 through the GRC lens.
Google ran into fresh trouble with European regulators over its unfair advertising rules and was fined $1.7 billion in March, bringing the total cost of penalties incurred by the search giant in the continent to over $9 billion.
The latest enforcement action from the European Union (EU) relates to the unfair terms that the Silicon Valley titan imposed on companies that used its search bar on their websites in Europe, reported The New York Times.
According to The Guardian, the terms of the Google contract stopped publishers from placing search ads from the tech giant’s competitors on their results pages, and forced them to reserve the most profitable spaces for Google’s own ads. The contract also required companies to seek written approval before making changes to how rival ads were displayed.
The US Securities and Exchange Commission (SEC) filed a lawsuit last month accusing the German carmaker Volkswagen and its former CEO, Martin Winterkorn, of defrauding American investors in the emissions test scandal that engulfed the company four years ago.
The lawsuit alleged that the company made misleading claims about its financial health and the environmental impact of its technology in order to sell securities to investors at inflated prices, reported CNN.
The German carmaker admitted in 2015 to cheating on emission tests with the use of special software in its vehicles and paid a hefty price of $33 billion in fines and other penalties.
In a surprise move last month, the Federal Trade Commission (FTC) announced that it would look into the privacy practices of large internet service providers (ISPs) such as AT&T, Verizon, T-Mobile, and others.
According to The Verge, the watchdog has asked broadband providers to share details about the kind of customer data they collect and the reason for doing so. The FTC was also said to be interested in knowing whether the data was shared with third parties, and if consumers could opt out of the data collection.
The announcement of the inquiry into ISPs comes as privacy advocates raise concerns over the companies’ data collection practices that could lead to a new form of targeted advertising, similar to that of Facebook and Google.
Massive fines and other regulatory actions making headlines every other day only go to show that companies still seem to be floundering in their efforts to cope with heightened regulatory scrutiny targeted at their business practices.
Silicon Valley giants such as Google currently face a reckoning over their anti-trust practices in the EU, which has established itself as an aggressive tech watchdog, influencing regulatory policies around the world. Meanwhile, the Volkswagen scandal is another reminder of the far-reaching consequences of compliance violations that could threaten a company’s brand reputation and market capitalization.
As privacy concerns escalate, the FTC’s move against broadband companies is only the beginning of a new era of intensifying scrutiny of data collection practices across industries.
Last year did not turn out to be great for businesses: there were mounting data privacy concerns around the globe; cyberattacks continued to hobble cities and disrupt business operations in the US; and Brexit uncertainty left UK industries worried. Meanwhile, shocking bank and corporate scandals sparked renewed regulatory interest in Europe, India, and Japan.
Amidst these larger issues, several new laws and regulations came into effect, adding to the complexity of an already challenging business landscape.
With so much that happened over the past year, here are some of the events and stories that stood out:
1. Marriott’s Colossal Data Breach
The hotel chain’s disclosure of a massive data breach in November, which revealed the personal details of hundreds of millions of guests, saw the company’s stock price plummet by 5.6%. The security incident, reportedly perpetrated by state-sponsored Chinese hackers, made its way onto the list of the largest ever data breaches in history, coming second only to Yahoo’s 2013 incident where the personal information of 3 billion users was stolen.
As more details of the incident emerged, original estimates of its impact were revised: Marriott said that it had identified “approximately 383 million records as the upper limit” for the total number of people affected by the breach. However, the revised figure was still greater than that of the 2017 attack on Equifax, the consumer credit reporting agency, in which the driver’s license and Social Security numbers of roughly 145.5 million Americans were compromised.
Marriott’s breach revealed sensitive information such as the passport details of its guests, which the company later admitted were unencrypted, making them an easy target for hackers.
Due to strict data privacy laws such as the European Union’s (EU’s) General Data Protection Regulation (GDPR) — which also applies to organizations located outside of the EU if they handle the personal information of EU citizens — Marriott could reportedly face a fine of up to $990 million in the region.
2. Danske Bank’s $227 Billion Money Laundering Scandal
Denmark’s largest lender and one of Europe’s most prestigious banks, Danske Bank, made headlines in 2018 when it found itself in the middle of one of the world’s biggest money laundering scandals. The issue involved over $227 billion in suspicious payments flowing through the bank’s Estonian branch. And the reason? A string of governance failures dating all the way back to 2007.
As news of the money laundering scandal made landfall, the bank’s shares fell as much as 11% and its market value dropped by about 40%, making it the worst performer in the Bloomberg index of European financial stocks. The incident reportedly scared off investors who were upset that a scandal of such magnitude could take place under the management’s watch.
The bank’s woes were not over yet as regulators in Denmark and the US announced that they were investigating the lender. As investigators tried to get to the bottom of the massive scandal, numerous arrests were made. According to some estimates, Danske Bank could face fines as high as $8 billion.
3. Wells Fargo’s Whopping $2.09 Billion Fine
Misdeeds over a decade ago that eventually contributed to the financial crisis came back to haunt Wells Fargo as regulators came down hard on the bank in 2018.
The lender had allegedly issued mortgage loans that it knew were based on incorrect income details, causing investors, including federally-insured financial institutions, to lose billions of dollars from investing in mortgage-backed securities that contained Wells Fargo loans. To settle these claims, the bank agreed to pay a massive fine of $2.09 billion.
Earlier, the bank had been fined $1 billion for insurance and mortgage abuses, including charging as many as 570,000 clients for car insurance they didn’t need.
Not surprisingly, the bank’s earnings and reputation were affected as it tried to rein in its “reckless, unsafe, and unsound practices.”
4. Silicon Valley’s Trial by Fire
In a year of rising geopolitical risks, the usually high-flying tech hub was forced to defend its policies and practices as it fell out of favor with regulators and even employees over its handling of issues ranging from data privacy, sexual harassment, and election interference to its plans to bow to censorship demands from foreign governments.
From the trial by fire that ensued, few Silicon Valley giants escaped unscathed: Facebook’s Cambridge Analytica fiasco sent the company’s stock tumbling and wiped more than $119 billion off its market cap. The company was also fined $645,000 in the UK for failing to protect the data of UK citizens and $11 million in Italy over data misuse. The social media giant’s year of woes continued as it disclosed the largest ever data breach in its 14-year history and faced intense scrutiny from regulators around the world over its alleged role in election interference and in fueling violence.
Google was found guilty of violating anti-trust laws in the EU and was fined a record $5 billion. Employee activism at Google also threw a wrench into many of the company’s future plans — a bid for a Pentagon AI defense project and a decision to introduce a censored search engine in China were thwarted by employees who did not want the tech giant to stray from its ideals. Employees also staged protests from Google offices around the world and forced the company to revise its policy on sexual harassment after reports emerged that the company had protected male senior executives against credible allegations of sexual harassment.
Uber had its fair share of troubles as it struggled to win over regulators in London — its most lucrative European market — after they cancelled its license to operate in the region.
Businesses paid a heavy price for non-compliance, both in terms of fines as well as reputational loss. Hopefully, organizations will take note of the lessons learnt from these episodes — that the cost of non-compliance far outweighs the cost of compliance, and that there are financial benefits to investing in thorough due diligence programs.
Here’s to a brighter, more compliant 2019.
Marriott’s massive data breach, Nissan chairman Carlos Ghosn’s arrest, and the CEO exit of Walmart’s India acquisition — here’s a round-up of November’s top GRC news headlines.
November saw yet another data breach. This time, it was the hospitality industry that fell victim to hackers — Reuters reported that a data breach at one of Marriott International’s M&A ventures, Starwood properties, may have exposed the personal details of up to 500 million guests.
The colossal breach — second only to Yahoo’s 2013 incident that saw the personal information of three billion users stolen — included sensitive details such as passport numbers and payment-card numbers in addition to addresses and travel details, reported the Journal.
In an investigative report from the Journal, security experts weighed in on the data breach saying that Marriott could have done more to investigate a 2015 incident to find hackers that lurked in their systems.
Unsurprisingly, Marriott will face scrutiny from regulators around the world. A fine in Europe may be likely with the European Union’s tough new data protection law, GDPR.
In a shocking downfall for one of the automotive industry’s most powerful and admired leaders, Nissan’s chairman Carlos Ghosn was arrested in Japan on allegations of under-reporting his earnings for several years. Mr. Ghosn was widely hailed as Nissan’s savior when he rescued the company from near-bankruptcy and created the Renault-Nissan-Mitsubishi alliance, making it effectively the world’s largest carmaker. Reports suggest that Mr. Ghosn may have violated Japanese securities law by deferring compensation.
The incident has sent shockwaves rippling through an industry that is facing an economic downturn, a global trade war, and the shift to electric cars. Mr. Ghosn’s arrest also comes at a time when executive pay is being questioned by the public and regulators.
The chief executive of Flipkart, Walmart’s latest acquisition, stepped down in November following an internal probe into allegations of “serious personal misconduct”.
Coming on the heels of the departure of Flipkart’s other founder, Sachin Bansal, from the company, the news of Binny Bansal’s exit took many by surprise. The Wall Street Journal reported that Walmart opened an investigation into Mr. Bansal’s conduct after a former employee came forward with claims that he had sexually assaulted her in 2016.
The incident was also apparently not disclosed by Mr. Bansal during the negotiations to sell Flipkart to Walmart. Though Walmart’s internal investigation did not find any evidence to corroborate the complaint against Mr. Bansal, it is said to have revealed poor judgement calls from the former CEO that included the hiring of two private security firms at the end of 2016, “to make this matter go away.”
Despite scandals such as Facebook’s Cambridge Analytica, organizations seem to be left wanting in their detection and response time to data privacy issues. The Marriott incident is the latest in a spate of cyberattacks to hit businesses after the British Airways hack and goes to show that no industry is safe from bad actors looking to steal personal information.
The Carlos Ghosn incident highlights the need for thorough due diligence and compliance programs that can help ensure both adequate awareness of local laws and regulations, as well as adherence to them.
And in the light of movements such as #MeToo and Time’s Up, Walmart’s episode with Flipkart’s CEO is another reminder that for corporate leaders, the line between their private and professional lives is often blurry, and they can be held accountable for their actions in both.
Google’s failure to disclose a data breach, California’s tough new laws on corporate governance and net neutrality, and Silicon Valley’s #MeToo — here’s a round-up of October’s top GRC news headlines.
At the height of Facebook’s Cambridge Analytica scandal, when the social media giant faced widespread backlash for its misuse of personal data, another Silicon Valley giant found that it had inadvertently exposed the private data of hundreds of thousands of users through its relatively lesser known social network.
Fearing that the disclosure of such a breach would immediately invoke comparisons to Facebook’s disastrous liaison with Cambridge Analytica, and prompt scrutiny from regulators, the tech giant instead chose to quietly fix the issue.
But things didn’t quite go as planned: a damning report by The Wall Street Journal in October revealed that a software glitch in Google’s social network, Google+, gave developers access to the personal data of nearly half a million users, including full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status. The report also mentions an internal memo from Google which talked about the possible repercussions that the company would face if the breach was disclosed.
Following the revelation, Google announced a host of privacy reforms which also involved the shutdown of the consumer version of Google+.
Though Google said that it found no evidence that users’ personal data was misused in the Google+ glitch, even going into details in its blog post, the incident raises questions about how transparent the tech giant was in handling the entire episode.
In a seeming reversal of the trend of deregulation, California signed two new bills into law on corporate governance and net neutrality, setting an important precedent for the country.
According to The New York Times, the new law on corporate governance requires all publicly held companies headquartered in California to have at least one woman on their boards by the end of 2019 and a minimum of two or three women (depending on the size of their boards) by 2021. The Los Angeles Times reported that companies that fail to comply will face fines of $100,000 for a first violation and $300,000 for a second or subsequent violation.
The law on net neutrality affecting the telecom industry requires internet providers to maintain a level playing field, and bans the practice of prioritizing some sites and services over others. However, a recent report in The Washington Post suggests that this law may be temporarily on hold.
The new laws come after the Golden State adopted another law on data privacy, keeping up with the European Union’s (EU’s) tough new data protection regulation, GDPR.
Fresh on the heels of its data breach, Google found itself in the midst of another controversy. An article appeared in The New York Times detailing how the tech giant protected male senior executives against claims of sexual harassment while paying them millions in exit packages and keeping quiet about the allegations. One of these executives was Andy Rubin, the creator of the now famous Android software.
Unsurprisingly, the news did not sit well with Google employees who staged coordinated walk-outs from Google offices around the world to protest the company’s perceived leniency towards sexual harassment, igniting an internal #MeToo movement.
Speaking at The New York Times DealBook conference, Google’s CEO, Sundar Pichai, apologized, saying that “moments like this show we didn’t always do it right.”
Meanwhile, Reuters reported that Uber’s top deal maker, Cameron Poetzscher, resigned after allegations of prior sexual misconduct against him were revealed, sparking a fresh debate on how Silicon Valley giants handle sexual harassment allegations from women.
Ever since Facebook’s Cambridge Analytica scandal, companies around the world have been wary of intense scrutiny around data privacy issues. Google’s handling of the incident with its social network, and the resulting reputational impact show that being proactive and transparent with customers and regulators is a better road for businesses to take when faced with a security incident.
Silicon Valley’s #MeToo movement also shines an uncomfortable spotlight on the governance practices of tech giants. It shows how legacy corporate governance practices such as “handling things quietly” will be called into question as the cultural zeitgeist shifts towards more ethical business practices.
And while regulations will continue to drive corporate governance to a large extent, employee and customer activism will become an equally important driver of change.
With a major data privacy scandal involving Facebook, a crippling ransomware attack on the City of Atlanta in the US, and a $2 billion fraud at Punjab National Bank in India, we take a look at some of the biggest news stories that have dominated the GRC space in the first few months of 2018.
Mark Zuckerberg, Facebook’s CEO, recently testified before Congress on the alleged harvesting of personal data by Cambridge Analytica – a third-party data analytics firm – to influence the 2016 US elections.
The scandal, which reports say involved the personal data of more than 70 million Americans, has led to a public outcry, prompted #deletefacebook, and shaved off over $80 billion from the company’s stock value since the incident was uncovered. The social media giant may also be at risk of hefty fines for possibly violating an FTC privacy deal.
With public trust in Facebook diminishing, the company has had to postpone the launch of its smart speaker for a “better time.”
After WannaCry and NotPetya last year, cyber-attacks have intensified – this time, it was the City of Atlanta in the US that was the victim. The attackers, who reportedly hobbled several internal and public services, demanded a ransom payment in bitcoins in exchange for unlocking systems. The incident was serious enough for the FBI to get involved in the investigation.
According to a New York Times report, the attack has unnerved security experts. One security intelligence analyst noted that attackers are constantly learning from their mistakes, and evolving their code before launching the next assault. With growing concerns around these issues, it isn’t surprising that the US has devoted $380 million of its spending bill to election cybersecurity.
The news of how one of India’s richest men, who until recently was on Forbes’ billionaire list, defrauded the country’s second largest state-run bank of over $2 billion, sent shockwaves across the Indian banking sector. Nirav Modi, a diamond jeweler, and his uncle, Mehul Choksi, reportedly colluded with Punjab National Bank (PNB) officials to get credit through fraudulently issued papers. But how did one of the largest frauds in recent banking history in India go undetected for over 6 years?
As the story unfolded, reports emerged of how auditors failed to detect the scam for a long time with multiple audits failing to raise an alarm. The fall-out of the scam has led to the creation of the National Financial Reporting Authority (NFRA), a new watchdog for the auditing profession with sweeping powers to act against erring auditors or auditing firms.
A massive breach of trust at one of the biggest names in Silicon Valley, also a reputed social media giant, has led to public outrage, and highlighted yet again the importance of better controls for data privacy and data protection. As concerns grow over the use of personal data by companies, there are calls for more extensive data privacy laws. Europe appears to be leading the way with the General Data Protection Regulation (GDPR), but it remains to be seen if the US will follow suit.
With cyber-attacks continuing to exploit system vulnerabilities, holding governments ransom, and threatening to override democracy, there will be a renewed focus on cybersecurity and the protection of critical systems.
Meanwhile, in emerging Asian markets such as India, recently plagued by scandals and scams, we are likely to see the beginning of a new era not just of regulations, but also of increased scrutiny and enforcement.
The OpRisk North America conference was disrupted by an operational risk — a late-season snow storm that has snarled transportation and complicated travel plans in the mid-Atlantic and Northeast — but most attendees and speakers chose to go forward, and I’m glad they did, since the conference has given me a big ‘aha’ on emerging risks.
In almost every session, presenters and the audience cited cyber risks as the dominant operational risks. For years, GRC experts have highlighted that, with the increasing dependence of business models on digital technologies, cyber risks and cybersecurity strategies would become a critical element of strategic business planning. Now those forecasts have proven out, and chief risk officers are incorporating cyber risks into their risk management strategies.
Cyber compliance is also emerging as a critical discipline of overall enterprise compliance management. From a regulatory standpoint, with the emergence of digital business models, businesses are also grappling with increased oversight from regulators. Almost all U.S. states have data breach notification laws. The first state to regulate data breach reporting was California which requires notification of consumers for any breach that affects more than 500 customers. Maryland requires notification if even just one customer is affected. The U.S. SEC was an early mover, requiring that public companies report material cybersecurity incidents.
These new rules at federal and state levels have led to greater transparency around cybersecurity. Now, broader, more encompassing state-level cybersecurity laws are rolling out. New York was the first mover in 2017 with the Department of Financial Services Cybersecurity Regulation, and in 2018 many more states are passing legislation to codify the National Association of Insurance Commissioners’ new Model Data Security Law.
More privacy regulations should be expected as well. Political abuse of user behavioral and profile information gathered by the new tech giants like Facebook goes back at least to the 2012 election cycle in the US, and has been brought into the limelight with the Cambridge Analytica scandal. The new European General Data Protection Regulation (GDPR) was already slated to go into effect in May 2018. No doubt European authorities will now be analyzing GDPR to see if it adequately addresses the abusive practices of Cambridge Analytica, and in the US, the Federal Trade Commission is investigating. Notably, the scandal opens up a whole new front on the challenges of third-party information risks, that is, customer risks — ensuring that buyers of information analytical services are not abusing those services.
All of these recent regulatory developments, political intrigues, and corporate scandals must have been in the minds of attendees and speakers at OpRisk when they were polled on their top emerging risks. Disruptive technology tied with cyber risks for the number one position at 47% each. All other emerging risks paled in comparison.
My big ‘aha!’ — Chief risk officers are sensing a vicious cyclone of disruptive technology, conduct risks, and cyber risks. Disruptive technology is being adopted at a faster than sustainable rate — it’s being pushed into service before the lessons from early adopters can be shared with other enterprises. Advanced automation also requires fewer people, but those people are in turn empowered by disruptive technology that, when abused, whether intentionally or through ignorance or negligence, can wreak tremendous havoc. The technology is also being pushed out at such a pace that the cyber vulnerabilities are not fully known and addressed — presenting all kinds of opportunities for malicious actors to act at scales never before possible. Inevitably there are going to be problems, and it’s up to CEOs and CROs to act together to ensure that their organizations are not caught up in this vicious cyclone.
The need for artificial intelligence (AI) in IT governance, risk and compliance (GRC) is growing quickly. As companies expand their digital footprints, cybersecurity vulnerabilities worsen due to an increased amount of data being produced from IT security monitoring and performance tools.
At its recent Ignite 2017 conference, Microsoft revealed its plans for further incorporating artificial intelligence (AI) into its various offerings. For example, the company is embedding AI in Excel to assist with automatic determination of different types of entries – Excel will be able to go beyond automatically differentiating between text and numbers to being able to identify the type of text utilized. Since the program will be able to better identify types of text – for example, differentiating between objects, corporations and people – it also will be able to discover relationships within and between data sets.
A recent report issued by MetricStream found that AI has already taken the step of improving the discovery of data relationships in governance, risk and compliance (GRC). For instance, if a risk assessor links a risk to a business objective, an auditor links that risk to a control, and an IT security manager links the control to an IT asset, an analyst can now evaluate the relationships between IT assets, risks, controls and business objectives. Over time, through machine learning, a GRC system leveraging AI could begin to distinguish these relationships on its own, and thereby augment the discovery of linkages between data objects and make suggestions to human end users of the system. Further, rather than waiting for a human analyst to evaluate the relationships and trends, an AI-backed GRC solution could utilize cognitive computing to continuously analyze the data objects for any changes that could lead to greater risks or control failures – any detected threats to the ability to achieve business objectives would automatically alert human analysts for deeper evaluation.
Within an IT GRC context, the need for AI is growing quickly. In response to the growing volume of data from IT security monitoring and performance tools, vendors have begun augmenting threat-monitoring tools with AI; the potential for discovering patterns of security vulnerabilities and IT asset performance can be significantly enhanced by the incorporation of this technology. However, AI still requires human analysis of the reports from those assets. Applying machine learning, GRC solutions can learn from the human analysis and then continuously monitor for the emergence of high-risk vulnerabilities, catching them and, through cognitive computing, orchestrating corrective action that can prevent a major incident or failure.
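To make the relationship-discovery idea in the two paragraphs above concrete, here is an added example (not from the MetricStream report or any GRC product) that links objects the way the text describes and answers the questions the text raises: which objectives an IT asset exposes, which objectives are threatened when a control fails, and which risks have no control at all. All object identifiers are constructed.

```python
from collections import defaultdict

# Constructed sample links, one per persona in the text:
# risk assessor: risk -> objective, auditor: control -> risk,
# IT security manager: control -> asset. Each tuple is
# (source_kind, source_name, target_kind, target_name).
LINKS = [
    ("risk", "R-ransomware", "objective", "O-order-fulfilment"),
    ("risk", "R-ransomware", "objective", "O-customer-data-protection"),
    ("risk", "R-cloud-misconfig", "objective", "O-customer-data-protection"),
    ("risk", "R-insider-misuse", "objective", "O-order-fulfilment"),  # no control yet
    ("control", "C-offline-backups", "risk", "R-ransomware"),
    ("control", "C-storage-acl-review", "risk", "R-cloud-misconfig"),
    ("control", "C-offline-backups", "asset", "A-erp-database"),
    ("control", "C-storage-acl-review", "asset", "A-object-storage"),
]


def build_graph(links):
    """Index every link in both directions so any object can be walked to its neighbours."""
    graph = defaultdict(set)
    for src_kind, src, dst_kind, dst in links:
        graph[(src_kind, src)].add((dst_kind, dst))
        graph[(dst_kind, dst)].add((src_kind, src))
    return graph


def walk(graph, start, path_kinds):
    """Follow a chain of object kinds (e.g. asset -> control -> risk -> objective)
    and return the names of the objects reached at the end of the chain."""
    frontier = {start}
    for kind in path_kinds:
        frontier = {n for node in frontier for n in graph[node] if n[0] == kind}
    return {name for _, name in frontier}


def objectives_exposed_by_asset(graph, asset):
    """Business objectives that depend, via controls and risks, on this asset."""
    return walk(graph, ("asset", asset), ["control", "risk", "objective"])


def alerts_for_failed_controls(graph, failed_controls):
    """What a continuous GRC monitor would raise for analysts: for each failed
    control, the objectives whose risks that control was mitigating."""
    alerts = {}
    for ctrl in failed_controls:
        objectives = walk(graph, ("control", ctrl), ["risk", "objective"])
        if objectives:
            alerts[ctrl] = sorted(objectives)
    return alerts


def uncontrolled_risks(graph):
    """Linkage gap discovery: risks tied to an objective but to no control."""
    risks = {n for n in graph if n[0] == "risk"}
    return sorted(name for kind, name in risks
                  if not any(n[0] == "control" for n in graph[(kind, name)]))


GRAPH = build_graph(LINKS)
```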
How far is the GRC industry from deploying solutions augmented by AI? Perhaps not that far. According to a recent survey conducted by GARP, a risk professionals association, 15 percent of respondents say their risk management organizations are already using AI. However, just 4.6 percent say that it plays a significant role in risk management. Certainly, if compliance and audit professionals were surveyed, the numbers would be even smaller. Still, with new tools emerging from industry giants like Microsoft that enable developers to incorporate AI capabilities into Excel-based solutions, there will be a lot of experimentation over the next two to three years, and GRC solutions that incorporate AI will play a major role in the industry in the near future.
This article was originally published by Corporate Compliance Insights and can be read here: Can AI Be the Next Step in GRC’s Evolution?
New tools and technologies help companies in their drive to improve performance, cut costs and grow their businesses, but as companies adopt cloud services in greater numbers and refine internal processes for development and operations, security considerations must be front and center.
As companies rapidly adopt cloud services, with a DevOps approach to responding quickly to business needs, they must revisit security plans to confirm they are still effective in preventing and handling cyberattacks, making adjustments where needed. In certain industry segments this situation becomes more acute with the Internet of Things (IoT), given how such devices are operated and have traditionally been secured. To succeed at this, companies need to create the right environment for a cybersecurity culture and utilize automation technologies to protect and preserve data, operations and applications.
Cyberattacks are increasing in number and sophistication. For many security professionals and heads of business it is no longer a case of if something will happen, but when. In fact, according to Alert Logic and Crowd Research Partners, over half of cybersecurity professionals expect there to be successful cyberattacks on their organization in the next year.
Consequently, a third intend to increase security spend on cloud infrastructure and over a quarter on cloud applications. With 40 percent citing a lack of security awareness among employees as an obstacle to stronger cybersecurity, it’s little wonder that 23 percent plan to up their spend on training and education.
Cyberattack prevention will continue to be a two-pronged approach – top-down and bottom-up. Top-down, compliance mechanisms must be implemented, including rigorous security level classification of data and applications and governance to secure certifications. Bottom-up, appropriate tools and technologies for intrusion detection must be in place.
Internal processes are changing. Cloud services and DevOps are converging to bring about the rapid release of value to the business. Previously, companies sourced storage and information-sharing infrastructure and had to add software and applications. Now, services come loaded with pre-built components and applications such as database solutions.
This is convenient, often cost-effective and efficient, but what does it mean for security? Companies have to rethink InfoSec, questioning whether the mechanics of yesteryear are still relevant or if they need to be refined.
As companies make their adjustments we can expect to see an increased focus on building ‘zero trust’ systems, with more segmentation within the model and access security even within the network perimeter. In addition, the zero trust way of thinking will be added to the Secure Software Development Lifecycle (SSDLC).
When the correct application of security protocols is left to individual users, the security of business data and applications depends on staff knowledge and training being up to date. Checks and balances, for example around taking appropriate action according to a data set’s security classification, are largely people dependent, and this is a potential weak spot for all organizations.
Wherever dependencies such as these exist, assumptions should never be made. This goes for the responsibilities of cloud service provision as much as for internal training practices. All too often assumptions are made over security when contracting for cloud services and this is contrary to InfoSec due diligence.
With the number and regularity of high profile data breaches we see, it would perhaps be forgivable to think that companies simply cannot prevent the most persistent of hackers from getting in, and that they should instead focus efforts on containing intrusions, so that they can’t progress beyond the entry point to access, copy, destroy or otherwise compromise data.
In this, there is some comfort that detection intelligence is improving. According to PwC, 42 percent of those that detected a security incident in 2008 didn’t know the source of it; this has now fallen to below ten percent.
Effective handling of a cyberattack depends on effective planning. This means having in place a method for quickly identifying that an attack has occurred and a plan that can be swiftly put into action to isolate the issue and prevent further spread.
With the risk of cyberattacks being so high, there can be no excuse at all for not having thorough, and tested, disaster recovery and business continuity management plans. These must include a strategy for crisis communications to minimize reputational and brand damage.
Technologies that constantly scan for network vulnerabilities support swift action in the event of data or infrastructure compromise. Understanding what is needed, and the optimal level of investment it will take to protect valuable assets comes down to knowing the system’s architecture and thoroughly assessing risk levels.
Automating as much of InfoSec as possible makes detection, system shut-down and plan initiation more rapid and effective. With attacks increasing, and becoming more sophisticated, organizations need to invest in their disaster recovery and threat intelligence systems.
Evolution in how businesses deliver their services externally keeps raising the bar on cyberattack mitigation. The IoT, which is steadily creeping into many areas of our lives, is a case in point. This is a growth area, with the number of connected homes in the US experiencing a 31 percent compound annual growth rate according to McKinsey, and 29 million connected homes forecast in 2017.
The depth of connectivity we are now becoming used to introduces security considerations into areas where they haven’t existed before, including utilities provision and the operation and maintenance of private vehicles.
As companies take advantage of technology and process advances to change the way they design, deliver and operate, and as they incorporate connectivity into more services delivered to customers, they must be extra vigilant over cybersecurity.
To prevent cyberattacks and handle them should they occur, they must plan well, understand their system’s architecture and take advantage of the tools and technologies that support damage limitation. Companies that fail to do this may well fail to protect their brand and reputation and consequently their short-term performance levels and long-term future.
The original article was published by CloudTweaks here.