Blogs
Through the GRC Lens – November-December 2019
- Audit Management
- 14 January 20
3 min read
The Changing Winds of Compliance
As compliance teams strive to manage new regulations and technological advancements, here are some of the trends and headlines that made compliance news in November and December.
In the face of changing business models, as well as new risks and dynamic global ecosystems, compliance as a discipline is rapidly evolving. Stakeholders rely on compliance teams to not only protect their organizations against regulatory penalties and legal liabilities, but to also strengthen reputation and credibility with customers. As compliance officers seek to demonstrate and enhance the value delivered to their organizations, the following are some key considerations.
New Regulations
While 2020 began with a focus on data privacy, here are some updates on other areas of compliance that made the headlines:
- Data Privacy: This month, the CCPA came into effect giving customers more control over their data. However, in a study by Ethyca, only 12% of 85 respondents believed they had achieved an adequate state of compliance readiness for the emerging regulated privacy landscape.An article in Forbes suggested that “Rather than looking at CCPA compliance as a chore, look at it as an opportunity to innovate your business practices and seek ways to regain a first-party relationship with your customers.”
- Payment Security: Payment security compliance declined for the second year in a row in 2019, according to Verizon’s 2019 Payment Security Report. The report also pointed out that a compliance program without proper controls to protect data has a more than 95% probability of not being sustainable and is more likely to be a potential target of a cyberattack.
- Banking and Finance – As the financial services industry continues to grapple with regulatory complexities, many are turning to regtech solutions to enable and support their compliance efforts. The goal isn’t just to avoid non-compliance penalties but to strengthen trust and credibility with customers. The report, ‘Hooked: RegTech Reliance in Capital Markets Compliance’ by Greenwich Associates states that 63% of firms recognize that reputation protection is the core purpose of compliance.
- Communication – Compliance teams are also struggling to keep pace with electronic communication channels, with 45% saying they are in constant catch-up mode rather than proactive mode, when it comes to electronic communication compliance, according to a report by Smarsh.
- Technology: The use of AI in regulatory compliance is helping both regulators and businesses. A recent Deloitte poll stated that nearly half (48.5%) of C-suite and other executives at organizations that use AI expect to increase AI use for risk management and compliance efforts in the year ahead. But only 21.1% of respondents report that their organizations have an ethical framework in place for AI use within risk management and compliance programs.
Compliance is now a key topic of discussion at the executive level, and is also a strong part of core business strategy. Newer technologies like AI and advanced analytics are helping compliance teams deliver value to the business in the digital age.
Compliance Week’s second annual technology survey highlighted that, ‘’companies are moving along the technological maturity curve in qualitative and quantitative ways today’’. According to the survey, companies are willing to spend more in 2019 than they were even a few years ago to build a more robust technology-enabled compliance function. Nearly, a quarter (23%) of compliance practitioners said their technology budget is much larger today than it was three years ago.
As compliance teams strive to do more with less, the emergence of new technologies will not only improve efficiency and cost-effectiveness, but will also enable teams to derive quick, meaningful insights from data to make well-informed decisions.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens – September 2019
- Compliance Management
- 04 October 19
4 min read
Rethinking Cybersecurity in a Disruptive Age
With an increasing number of attacks in the market, despite more sophisticated cybersecurity solutions, many cybersecurity reports and surveys highlight why organizations need to rethink their cyber strategy and what’s in store for the future. – Here is what the media headlined through the GRC lens in September.
As attackers get more relentless with the volume and speed of their attacks, cybersecurity defense must safeguard all possible points of the attack surface. A recent survey of internal auditors published in City AM, found – cybersecurity, regulatory change, and digitalization to be the top three risks faced by businesses across Europe. The shortage of cybersecurity talent exacerbates the cybersecurity problem in a complicated enterprise environment.
Increasing cybersecurity resources
According to CISO Magazine, cybersecurity has emerged as a primary investment priority for financial firms in the United Kingdom. Reports from a survey conducted by Lloyds Bank states that cybercrimes have jumped to the fourth position from the eighth place since 2018. Banks in UK are increasing their budget allocation to enhance cybersecurity capabilities at their organization, Computer Business Review reported.
In another survey conducted by Infosys, targeting 867 senior executives representing 847 firms from 12 industries, with annual revenues over US$500 million across US, Europe, Australia and New Zealand (ANZ), reported that almost half (48%) of corporate boards and 63% of business leaders of surveyed enterprises are actively involved in cybersecurity strategy discussions.
While organizations have started to invest in building an efficient cybersecurity management and mitigation program, they still continue to face difficulty juggling priorities.
The Cyber Roadblock
A recent study conducted by BitSight, revealed that every two in five (38%) companies stated that they’ve lost their businesses due to lack of cybersecurity capabilities. An article by Forbes, ‘The Gap Between Strong Cybersecurity And Demands For Connectivity Is Getting Massive’, states, “…More devices and less adequate resources mean the attack surface continues to grow. “Every second that it takes to respond to an attack after it’s been deployed can have a huge impact on the business, be it in terms of man hours spent or sales, and reputation lost.”, states SC Magazine.
Even as enterprises invest in resources and tools to strengthen cybersecurity, why does it continue to be an Achilles heel for so many? The month of September revealed a few of the reasons:
- Human error is a big risk – 99% of email attacks rely on victims clicking links
Proofpoint’s Annual Human Factor Report, states that out of the vast majority of attacks, 99%, require some level of human input to execute – making individual users the last line of defense.
2. Businesses haven’t made it as much of a priority as it should be – Businesses are bypassing security to get to market quicker
A recent article by ITProPortal, highlights a research from Outpost24 which concludes that 34% of organizations bypass security to get products out to market faster. Almost two thirds (64%) of the respondents said they believe their customers could easily be breached, as a result of unpatched vulnerabilities in their organization’s products.
3. Third parties aren’t being monitored sufficiently
This month, thousands of resumes were exposed in a third-party breach that originated from monster.com, but the company denied any responsibility, saying – the client “owns the data.” According to CPO Magazine, “Though Monster.com’s denial of responsibility is legally acceptable under United States federal law, it puts the company at odds with the standard data protection requirements of a number of other nations.” This is yet another example of third-party risks being a great cybersecurity risk multiplier.
Cybersecurity is a complex problem with no easy solutions. Enterprises need to act quickly as the costs of data breaches are increasing at an alarming rate. According to Dark Reading, “The cost of breaches will rise by two-thirds over the next five years, exceeding an estimated $5 trillion in 2024, primarily driven by higher fines as more jurisdictions punish companies for lax security.” Juniper predicts that data breach costs will grow at 11% each year. The Ponemon Institute’s “Cost of a Data Breach” report, sponsored by IBM, pegs growth at 12% between 2014 and 2019.
Stepping up the cyber game
Unfortunately, 2019 was the year of data breaches with some record setting fines faced by companies like Equifax, British Airways and Marriott. The good news is that progress is being made:
1. Cybersecurity decisions involving the C-Suite:
Companies are fortifying their cyber strategies in alignment with business objectives. Defending threats requires the C-suite support, more than ever now. According to CPO Magazine, it’s important for security teams to make business leaders aware of the quickly shifting threat landscape.
2. Companies Are Forming Cybersecurity Alliances:
Over the last few years, cybersecurity alliances are being formed between tech-focused companies to support each other aimed at changing the ways companies deal with cybersecurity vulnerabilities and renegotiating the social contract between states and their citizens. The exchange of information is an effort to raise the collective level of cybersecurity, shape overall security practices, and speed the adoption of security technologies.
3. Artificial Intelligence Is Changing the Cyber Security Landscape and Preventing Cyber Attacks:
New advances in tech hold great promise to build cyber resilience. An article in Entrepreneur highlights how AI is a boon in cybersecurity, by stating, “Developers are using AI to enhance biometric authentication and get rid of its imperfections to make it a reliable system… AI-ML can detect and track more than 10,000 active phishing sources and react and remediate much quicker than humans can… AI-based systems proactively look for potential vulnerabilities in organizational information systems.”
Rethinking cybersecurity strategies has become imperative. With the changing landscape of cyber defense and new tools in the market, enterprises need to focus on building a holistic cybersecurity approach to deliver an effective awareness training and layered defense strategy. A strategy that provides enterprise wide visibility to better protect the company and its customers in a more efficient and proactive manner.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens: March 2019
- Compliance Management
- 04 April 19
3 min read
Introduction
Google runs into trouble yet again with regulators in the EU, the SEC accuses Volkswagen of carrying out “a massive fraud,” and the FTC launches an inquiry into the privacy practices of large internet service providers — see March 2019 through the GRC lens.
Google Is Fined $1.7 Billion in the EU for Antitrust Violations
Google ran into fresh trouble with European regulators over its unfair advertising rules and was fined $1.7 billion in March, bringing the total cost of penalties incurred by the search giant in the continent to over $9 billion.
The latest enforcement action from the European Union (EU) relates to the unfair terms that the Silicon Valley titan imposed on companies that used its search bar on their websites in Europe, reported The New York Times.
According to The Guardian, the terms of the Google contract stopped publishers from placing search ads from the tech giant’s competitors on their results pages, and forced them to reserve the most profitable spaces for Google’s own ads. The contract also required companies to seek a written approval before making changes to how rival ads were displayed.
Volkswagen Is Accused of Large-Scale Fraud by the SEC
The US Securities and Exchange Commission (SEC) filed a lawsuit last month accusing the German carmaker and its former CEO, Martin Winterkorn, of defrauding American investors in the emissions test scandal that engulfed the company four years ago.
The lawsuit alleged that the company made misleading claims about its financial health and the environmental impact of its technology in order to sell securities to investors at inflated prices, reported CNN.
The German carmaker admitted in 2015 to cheating on emission tests with the use of special software in its vehicles and paid a hefty price of $33 billion in fines and other penalties.
The FTC Will Look into the Privacy Practices of Broadband Providers
In a surprise move last month, the Federal Trade Commission (FTC) announced that it would look into the privacy practices of large internet service providers (ISPs) such as AT&T, Verizon, T-Mobile, and others.
According to The Verge, the watchdog has asked broadband providers to share details about the kind of customer data they collect and the reason for doing so. The FTC was also said to be interested in knowing whether the data was shared with third parties, and if consumers could opt out of the data collection.
The announcement of the inquiry into ISPs comes as privacy advocates raise concerns over the companies’ data collection practices that could lead to a new form of targeted advertising, similar to that of Facebook and Google.
The Perspective
Massive fines and other regulatory actions making headlines every other day only go to show that companies still seem to be floundering in their efforts to cope with heightened regulatory scrutiny targeted at their business practices.
Silicon Valley giants such as Google currently face a reckoning over their anti-trust practices in the EU which has established itself as an aggressive tech watchdog, influencing regulatory polices around the world. Meanwhile, the Volkswagen scandal is another reminder of the far-reaching consequences of compliance violations that could threaten a company’s brand reputation and market capitalization.
As privacy concerns escalate, the FTC’s move against broadband companies is only the beginning of a new era of intensifying scrutiny of data collection practices across industries.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens: 2018 — A Year in Review
- Compliance Management
- 16 January 19
5 min read
A litany of disruptions and corporate scandals in 2018 showed that while making profits, organizations will be held responsible for their actions in an increasing shift towards more ethical business practices
Last year did not turn out to be great for businesses: there were mounting data privacy concerns around the globe; cyberattacks continued to hobble cities and disrupt business operations in the US; and Brexit uncertainty left UK industries worried. Meanwhile, shocking bank and corporate scandals sparked renewed regulatory interest in Europe, India, and Japan.
Amidst these larger issues, several new laws and regulations came into effect, adding to the complexity of an already challenging business landscape.
With so much that happened over the past year, here are some of the events and stories that stood out:
1. Marriott’s Colossal Data Breach
The hotel chain’s disclosure of a massive data breach in November, which revealed the personal details of hundreds of millions of guests, saw the company’s stock price plummet by 5.6%. The security incident, reportedly perpetrated by state-sponsored Chinese hackers, made its way onto the list of the largest ever data breaches in history, coming second only to Yahoo’s 2013 incident where the personal information of 3 billion users was stolen.
As more details of the incident emerged, original estimates of its impact were revised: Marriott said that it had identified “approximately 383 million records as the upper limit” for the total number of people affected by the breach. However, the revised figure was still greater than that of the 2017 attack on Equifax, the consumer credit reporting agency, in which the driver’s license and Social Security numbers of roughly 145.5 million Americans were compromised.
Marriott’s breach revealed sensitive information such as the passport details of its guests which the company later admitted were unencrypted, making them an easy target for hackers.
Due to strict data privacy laws such as the European Union’s (EU’s) General Data Protection Regulation (GDPR) — which also applies to organizations located outside of the EU if they handle the personal information of EU citizens — Marriott could reportedly face a fine of up to $990 million in the region.
2. Danske Bank’s $227 Billion Money Laundering Scandal
Denmark’s largest lender and one of Europe’s most prestigious banks, Danske Bank, made headlines in 2018 when it found itself in the middle of one of the world’s biggest money laundering scandals. The issue involved over $227 billion in suspicious payments flowing through the bank’s Estonian branch. And the reason? A string of governance failures dating all the way back to 2007.
As news of the money laundering scandal made landfall, the bank’s shares fell as much as 11% and its market value dropped by about 40%, making it the worst performer in the Bloomberg index of European financial stocks. The incident reportedly scared off investors who were upset that a scandal of such magnitude could take place under the management’s watch.
The bank’s woes were not over yet as regulators in Denmark and the US announced that they were investigating the lender. As investigators tried to get to the bottom of the massive scandal, numerous arrests were made. According to some estimates, Danske Bank could face fines as high as $8 billion.
3. Wells Fargo’s Whopping $2.09 Billion Fine
Misdeeds over a decade ago that eventually contributed to the financial crisis came back to haunt Wells Fargo as regulators came down hard on the bank in 2018.
The lender had allegedly issued mortgage loans that it knew were based on incorrect income details, causing investors, including federally-insured financial institutions, to lose billions of dollars from investing in mortgage-backed securities that contained Wells Fargo loans. To settle these claims, the bank agreed to pay a massive fine of $2.09 billion.
Earlier the bank was fined $1 billion for insurance and mortgage abuses for charging as many as 570,000 clients for car insurance they didn’t need.
Not surprisingly, the bank’s earnings and reputation were affected as it tried to rein in its “reckless, unsafe, and unsound practices.”
4. Silicon Valley’s Trial by Fire
In a year of rising geopolitical risks, the usually high-flying tech hub was forced to defend its policies and practices as it fell out of favor with regulators and even employees over its handling of issues ranging from data privacy, sexual harassment, and election interference to its plans to bow to censorship demands from foreign governments.
From the trial by fire that ensued, few Silicon Valley giants escaped unscathed: Facebook’s Cambridge-Analytica fiasco sent the company’s stocks tumbling and wiped out more than $119 billion off its market cap. The company was also fined $645,000 in the UK for failing to protect the data of UK citizens and $11 million in Italy over data misuse. The social media giant’s year of woes continued as it disclosed the largest ever data breach in its 14-year history and faced intense scrutiny from regulators around the world over its alleged role in election interference and in fueling violence.
Google was found guilty of violating anti-trust laws in the EU and was fined a record $5 billion. Employee activism at Google also threw a wrench into many of the company’s future plans — a bid for a Pentagon AI defense project and a decision to introduce a censored search engine in China were thwarted by employees who did not want the tech giant to stray from its ideals. Employees also staged protests from Google offices around the world and forced the company to revise its policy on sexual harassment after reports emerged that the company had protected male senior executives against credible allegations of sexual harassment.
Uber had its fair share of troubles as it struggled to win over regulators in London — its most lucrative European market — after they cancelled its license to operate in the region.
Reflections
Businesses paid a heavy price for non-compliance, both in terms of fines as well as reputational loss. Hopefully, organizations will take note of the lessons learnt from these episodes — that the cost of non-compliance far outweighs the cost of compliance, and that there are financial benefits to investing in thorough due diligence programs.
Here’s to a brighter, more compliant 2019.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens: November
- Compliance Management
- 12 December 18
3 min read
Introduction
Marriott’s massive data breach, Nissan chairman Carlos Ghosn’s arrest, and the CEO exit of Walmart’s India acquisition — here’s a round-up of November’s top GRC news headlines.
Marriott Discloses One of the Biggest Data Breaches in History
November saw yet another data breach. This time, it was the hospitality industry that fell victim to hackers — Reuters reported that a data breach at one of Marriott International’s M&A ventures, Starwood properties, may have exposed the personal details of up to 500 million guests.
The colossal breach — second only to Yahoo’s 2013 incident that saw the personal information of three billion users stolen — included sensitive details such as passport numbers and payment-card numbers in addition to addresses and travel details, reported the Journal.
In an investigative report from the Journal, security experts weighed in on the data breach saying that Marriott could have done more to investigate a 2015 incident to find hackers that lurked in their systems.
Unsurprisingly, Marriott will face scrutiny from regulators around the world. A fine in Europe may be likely with the European Union’s tough new data protection law, GDPR.
Nissan’s Chairman Carlos Ghosn Is Arrested in Japan for Under-reporting His Earnings
In a shocking downfall for one of the automotive industry’s most powerful and admired leaders, Nissan’s chairman Carlos Ghosn was arrested in Japan on allegations of under-reporting his earnings for several years. Mr. Ghosn was widely hailed as Nissan’s savior when he rescued the company from near-bankruptcy and created the Renault-Nissan-Mitsubishi alliance, making it effectively the world’s largest carmaker. Reports suggest that Mr. Ghosn may have violated Japanese securities law by deferring compensation.
The incident has sent shockwaves rippling through an industry that is facing an economic downturn, a global trade war, and the shift to electric cars. Mr. Ghosn’s arrest also comes at a time when executive pay is being questioned by the public and regulators.
CEO of Walmart’s Big Bet in India Resigns Over Allegations of Sexual Misconduct
The chief executive of Flipkart, Walmart’s latest acquisition, stepped down in November following an internal probe into allegations of “serious personal misconduct”.
Coming along the heels of the departure of Flipkart’s other founder, Sachin Bansal, from the company, the news of Binny Bansal’s exit took many by surprise. The Wall Street Journal reported that Walmart opened an investigation into Mr. Bansal’s conduct after a former employee came forward with claims that he had sexually assaulted her in 2016.
The incident was also apparently not disclosed by Mr. Bansal during the negotiations to sell Flipkart to Walmart. Though Walmart’s internal investigation did not find any evidence to corroborate the complaint against Mr. Bansal, it is said to have revealed poor judgement calls from the former CEO that included the hiring of two private security firms at the end of 2016, “to make this matter go away.”
November’s Takeaways
Despite scandals such as Facebook’s Cambridge Analytica, organizations seem to be left wanting in their detection and response time to data privacy issues. The Marriott incident is the latest in a spate of cyberattacks to hit businesses after the British Airways hack and goes to show that no industry is safe from bad actors looking to steal personal information.
The Carlos Ghosn incident highlights the need for thorough due diligence and compliance programs that can help ensure both adequate awareness of local laws and regulations, as well as adherence to them.
And in the light of movements such as #MeToo and Time’s Up, Walmart’s episode with Flipkart’s CEO is another reminder that for corporate leaders, the line between their private and professional lives is often blurry, and they can be held accountable for their actions in both.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens: October
- GRC
- 06 November 18
3 min read
Introduction
Google’s failure to disclose a data breach, California’s tough new laws on corporate governance and net neutrality, and Silicon Valley’s #MeToo — here’s a round-up of October’s top GRC news headlines.
Google Fails to Disclose a Data Breach
At the height of Facebook’s Cambridge Analytica scandal, when the social media giant faced widespread backlash for its misuse of personal data, another Silicon Valley giant found that it had inadvertently exposed the private data of hundreds of thousands of users through its relatively lesser known social network.
Fearing that the disclosure of such a breach would immediately invoke comparisons to Facebook’s disastrous liaison with Cambridge Analytica, and prompt scrutiny from regulators, the tech giant instead chose to quietly fix the issue.
But things didn’t quite go as planned: a damning report by The Wall Street Journal in October revealed that a software glitch in Google’s social network, Google+, gave developers access to the personal data of nearly half a million users, including full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status. The report also mentions an internal memo from Google which talked about the possible repercussions that the company would face if the breach was disclosed.
Following the revelation, Google announced a host of privacy reforms which also involved the shutdown of the consumer version of Google+.
Though Google said that it found no evidence that users’ personal data was misused in the Google+ glitch, even going into details in its blog post, the incident raises questions about how transparent the tech giant was in handling the entire episode.
California Forges Ahead with Tough New Laws on Corporate Governance and Net Neutrality
In a seeming reversal of the trend of deregulation, California signed two new bills into law on corporate governance and net neutrality, setting an important precedent for the country.
According to The New York Times, the new law on corporate governance requires all publicly held companies headquartered in California to have at least one woman on their boards by the end of 2019 and a minimum of two or three women (depending on the size of their boards) by 2021. The Los Angeles Times reported that companies that fail to comply will face fines of $100,000 for a first violation and $300,000 for a second or subsequent violation.
The law on net neutrality affecting the telecom industry requires internet providers to maintain a level playing field, and bans the practice of prioritizing some sites and services over others. However, a recent report in The Washington Post suggests that this law may be temporarily on hold.
The new laws come after the Golden State adopted another law on data privacy, keeping up with the European Union’s (EU’s) tough new data protection regulation, GDPR.
Silicon Valley Grapples with #MeToo
Fresh on the heels of its data breach, Google found itself in the midst of another controversy. An article appeared in The New York Times detailing how the tech giant protected male senior executives against claims of sexual harassment while paying them millions in exit packages and keeping quiet about the allegations. One of these executives was Andy Rubin, the creator of the now famous Android software.
Unsurprisingly, the news did not sit well with Google employees who staged coordinated walk-outs from Google offices around the world to protest the company’s perceived leniency towards sexual harassment, igniting an internal #MeToo movement.
Speaking at The New York Times DealBook conference, Google’s CEO, Sundar Pichai, apologized, saying that “moments like this show we didn’t always do it right.”
Meanwhile, Reuters reported that Uber’s top deal maker, Cameron Poetzscher, resigned after allegations of prior sexual misconduct against him were revealed, sparking a fresh debate on how Silicon Valley giants handle sexual harassment allegations from women.
The Low-Down
Ever since Facebook’s Cambridge Analytica scandal, companies around the world have been wary of intense scrutiny around data privacy issues. Google’s handling of the incident with its social network, and the resulting reputational impact show that being proactive and transparent with customers and regulators is a better road for businesses to take when faced with a security incident.
Silicon Valley’s #MeToo movement also shines an uncomfortable spotlight on the governance practices of tech giants. It shows how legacy corporate governance practices such as “handling things quietly” will be called into question as the cultural zeitgeist shifts towards more ethical business practices.
And while regulations will continue to drive corporate governance to a large extent, employee and customer activism will become an equally important driver of change.
Jump to Topic
Related Resources
Blogs
Growing Data Privacy Concerns, Continued Cyber-Attacks, and the Failure of Audits to Detect Frauds: Q1 of 2018 Ends on a Less-Than-Savory Note
- Audit Management
- 13 April 18
3 min read
Introduction
With a major data privacy scandal involving Facebook, a crippling ransomware attack on the City of Atlanta in the US, and a $2 billion fraud at Punjab National Bank in India, we take a look at some of the biggest news stories that have dominated the GRC space in the first few months of 2018.
The Data Privacy Conundrum: Facebook and Cambridge Analytica
Mark Zuckerberg, Facebook’s CEO, recently testified before Congress on the alleged harvesting of personal data by Cambridge Analytica – a third-party data analytics firm – to influence the 2016 US elections.
The scandal, which reports say involved the personal data of more than 70 million Americans, has led to a public outcry, prompted #deletefacebook, and shaved off over $80 billion from the company’s stock value since the incident was uncovered. The social media giant may also be at risk of hefty fines for possibly violating an FTC privacy deal.
With public trust in Facebook diminishing, the company has had to postpone the launch of its smart speaker for a “better time.”
Atlanta Cybersecurity Incident: Cyber-Attacks Continue to Grow More Potent
After WannaCry and NotPetya last year, cyber-attacks have intensified – this time, it was the City of Atlanta in the US that was the victim. The attackers, who reportedly hobbled several internal and public services, demanded a ransom payment in bitcoins in exchange for unlocking systems. The incident was serious enough for the FBI to get involved in the investigation.
According to a New York Times report, the attack has unnerved security experts. One security intelligence analyst noted that attackers are constantly learning from their mistakes, and evolving their code before launching the next assault. With growing concerns around these issues, it isn’t surprising that the US has devoted $380 million of its spending bill to election cybersecurity.
$2 Billion Punjab National Bank Fraud in India
The news of how one of India’s richest men, who until recently was on Forbes’ billionaire list, defrauded the country’s second largest state-run bank of over $2 billion, sent shockwaves across the Indian banking sector. Nirav Modi, a diamond jeweler, and his uncle, Mehul Choksi, reportedly colluded with Punjab National Bank (PNB) officials to get credit through fraudulently issued papers. But how did one of the largest frauds in recent banking history in India go undetected for over 6 years?
As the story unfolded, reports emerged of how auditors failed to detect the scam for a long time with multiple audits failing to raise an alarm. The fall-out of the scam has led to the creation of the National Financial Reporting Authority (NFRA), a new watchdog for the auditing profession with sweeping powers to act against erring auditors or auditing firms.
What Do They Mean for GRC?
A massive breach of trust at one of the biggest names in Silicon Valley, also a reputed social media giant, has led to public outrage, and highlighted yet again the importance of better controls for data privacy and data protection. As concerns grow over the use of personal data by companies, there are calls for more extensive data privacy laws. Europe appears to be leading the way with the General Data Protection Regulation (GDPR), but it remains to be seen if the US will follow suit.
With cyber-attacks continuing to exploit system vulnerabilities, holding governments ransom, and threatening to override democracy, there will be a renewed focus on cybersecurity and the protection of critical systems.
Meanwhile, in emerging Asian markets such as India, recently plagued by scandals and scams, we are likely to see the beginning a new era of not just regulations, but also of increased scrutiny and enforcement.
Jump to Topic
Related Resources
Blogs
The vicious cyclone of emerging risks – My big ‘aha!’ from OpRisk North America
- GRC
- 21 March 18
3 min read
Introduction
The OpRisk North America conference was disrupted by an operational risk — a late season snow storm that has snarled transportation and complicated travel plans in the mid-Atlantic and Northeast, but most attendees and speakers chose to go forward, and I’m glad they did since conference has given me a big ‘aha’ on emerging risks.
Cyber risks and cyber compliance
In almost every session presenters and the audience have cyber risks as the dominant operational risks. While for years, GRC experts have highlighted that with the increasing dependence of business models on digital technologies, cyber risks and cybersecurity strategies would become a critical element of strategic business planning. Well, now those forecasts by experts have proven out, and chief risk officers are incorporating cyber risks into their risk management strategies.
Cyber compliance is also emerging as a critical discipline of overall enterprise compliance management. From a regulatory standpoint, with the emergence of digital business models, businesses are also grappling with increased oversight from regulators. Almost all U.S. states have data breach notification laws. The first state to regulate data breach reporting was California which requires notification of consumers for any breach that affects more than 500 customers. Maryland requires notification if even just one customer is affected. The U.S. SEC was an early mover, requiring that public companies report material cybersecurity incidents.
These new rules at federal and state levels have led to greater transparency of cybersecurity. Now, broader, more encompassing state-level cybersecurity laws are rolling out. New York was the first mover in 2017 with the Department of Financial Services Cybersecurity Regulation, and in 2018 many more states are passing legislation to codify the National Association of Insurance Commissioner’s new Model Data Security Law.
Disruptive technology and conduct risks
More privacy regulations should be expected as well. Political abuse of user behavioral and profile information gathered by the new tech giants like Facebook goes back at least to the 2012 election cycle in the US, and has been brought into the limelight with the Cambridge Analytica scandal. The new European General Data Protection Regulation (GDPR) was already slated to go into effect in May 2018. No doubt, now, European authorities will be analyzing GDPR to see if it adequately addresses the abusive practices of Cambridge Analytica, and in the US, the Federal Trade Commission is investigating. Notably the scandal opens up a whole new front on the challenges of third party information risks, that is, customer risks — ensuring that buyers of information analytical services are not abusing those services.
All of these recent regulatory developments, political intrigues, and corporate scandals must have been in the minds of attendees and speakers at OpRisk when they were polled on their top emerging risks. Disruptive technology tied with cyber risks for the number one position at 47% each. All other emerging risks paled in comparison.
My big ‘aha!’ — Chief risk officers are sensing a vicious cyclone of disruptive technology, conduct risks, and cyber risks. Disruptive technology is being adopted at a faster than sustainable rate — it’s being pushed into service before the lessons from early adopters can be shared with other enterprises. Advanced automation also requires fewer people, but these people are also enabled through disruptive technology that when abused either intentionally or through ignorance or negligence, can wreak tremendous havoc. The technology is also being pushed out at such a pace that the cyber vulnerabilities are not fully known and addressed — presenting all kinds of opportunities for malicious actors to act at scales never before possible. Inevitably there are going to be problems, and it’s up to CEOs and CROs to act together to ensure that their organizations are not caught up in this vicious cyclone.
Jump to Topic
