Fewer Sleepless Nights for Compliance Executives

Improved compliance programs, sufficient resources and board access have meant fewer concerns about personal liability for compliance executives, according to a study by DLA Piper.

In its 2017 Global Compliance & Risk Report, DLA Piper found that 67% of chief compliance officers surveyed said they were at least somewhat concerned about their personal liability and that of their CEOs, which was down from 81% in 2016. And 71% said they made changes to their compliance programs based on recent regulatory events, up from just 21% a year earlier. The study found that globally the compliance function is becoming more independent and prominent in large organizations.

There still remains room for improvement, however, most notably in compliance’s relationship with boards of directors. Directors, surveyed for the first time, were more uneasy, with 82% expressing at least some concern about personal liability. “This is likely related to other findings that show lingering kinks in communications channels and a persistent lack of training for directors. Together, these findings indicate that the relationship between the compliance function and boards needs work—despite efforts taken by organizations to upgrade their compliance program,” DLA Piper said.

In 2016, 77% of compliance executives said they had sufficient resources, clout and board access to support their ability to effectively perform their jobs. This year the number rose to 84% who said they felt that way. The improvement is possibly a reflection of the increased percentage of respondents who had the resources to make changes to their compliance program, compared to 2016, according to the survey.

While more respondents said they are increasingly able to affect change, obtain the resources they need and access senior leadership, however, a larger number said their budget was not high enough to accomplish their goals, from 28% in 2016 to 38%.

Boards had a different view, with 53% of directors agreeing strongly that their compliance group had sufficient resources, clout and board access. This was compared to just 29% of CCOs, which could indicate that CCOs are not effectively communicating their needs, the company said.

Of concern was that many directors appear to be receiving inadequate reporting and training on compliance matters. About a quarter of both CCOs and board members said the compliance function at their organization reports to the board less than once per quarter.

Of training, the report said that in light of a perceived heightened liability exposure for directors, it is puzzling that 44% of director respondents said they hadn’t received any training on compliance issues. Given evolving compliance standards and regulations—such as new Securities and Exchange Commission guidance on conflict minerals and updated DOJ guidance on corporate fraud—it’s arguable that training is more important than ever. Failure to engage in training could amount to a breach of fiduciary duty.

Almost half of respondents, 46%, identified monitoring as the weakest part of their compliance program. Monitoring, however, is particularly important in managing third-party risk, as regulators remain focused on violations related to third parties and as companies struggle to manage sprawling global organizations, DLA Piper said.

Top tools companies use to rate their compliance program:

Financial Services IT Overconfident in Breach Detection Skills

Despite the doubling of data breaches in the banking, credit and financial sectors between 2014 and 2015, most IT professionals in financial services are overconfident in their abilities to detect and remediate data breaches. According to a new study by endpoint detection, security and compliance company Tripwire, 60% of these professionals either did not know or had only a general idea of how long it would take to isolate or remove an unauthorized device from the organization’s networks, but 87% said they could do so within minutes or hours.

When it comes to detecting suspicious and risky activity, confidence routinely exceeded capability. While 92% believe vulnerability scanning systems would generate an alert within minutes or hours if an unauthorized device was discovered on their network, for example, 77% said they automatically discover 80% or less of the devices on their networks. Three out of 10 do not detect all attempts to gain unauthorized access to files or network-accessible file shares. When it comes to patching vulnerabilities, 40% said that less than 80% of patches are successfully fixed in a typical cycle.

The confidence but lack of comprehension may reflect that many of the protections in place are motivated by compliance more than security, Tripwire asserts.

“Compliance and security are not the same thing,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “While many of these best practices are mandated by compliance standards, they are often implemented in a ‘check-the-box’ fashion. Addressing compliance alone may keep the auditor at bay, but it can also leave gaps that can allow criminals to gain a foothold in an organization.”

Check out more of the study’s findings below:

financial services cyber risk management

65% of Businesses Unprepared For Email-Based Cyber Threats

In a recent threat report, cloud email management company Mimecast warned they had seen a 55% increase in whaling attacks over the past three months. As we reported in this month’s Risk Management cover story “The Devil in the Details,” social engineering fraud schemes like whaling (which is phishing that targets higher-profile employees and executives) resulted in a total losses of more than $1.2 billion worldwide between October 2013 to August 2015. According to the Mimecast Business Email Threat Report 2016, released yesterday, IT security professionals clearly recognize the risk, with 64% of respondents in the new saying they see email as a major cybersecurity threat to their business. Yet only 35% feel confident about their level of preparedness against data breaches, while 65% feel ill-equipped or too out of date to reasonably defend against the risk.

“Our cyber-security is under attack and we depend on technology, and email in particular, in all aspects of business. So it’s very disconcerting to see that while we might appreciate the danger, many companies are still taking too few measures to defend themselves against email-based threats in particular,” said Peter Bauer, chief executive officer of Mimecast. “As the cyber threat becomes more grave, email attacks will only become more common and more damaging. It’s essential that executives, the C-suite in particular, realize that they may not be as safe as they think and take action. Our research shows there is work still to be done to be safe and we can learn a lot from the experience of those that have learnt the hard way.”

Even the most secure companies feel the most at risk of these scams. Of the top 20% of organizations that feel most secure, 250% are more likely to see email as their biggest vulnerability. Those who feel most confident about guarding against the risk are 2.7 times more likely to have a C-suite that is extremely or very engaged in email security. Among the IT security managers who feel most prepared, five out of six say that their C-suite is engaged with email security, Mimecast reports. However, of all IT security managers who were polled, only 15% say their C-suite is extremely engaged in email security, while 44% say their C-suite is only somewhat engaged, not very engaged, or not engaged at all.

The firm also had some insight on best budgeting against the risks of phishing. Those who feel better prepared to handle email-based threats also allocate higher percentages of their IT security budgets toward email security, the firm found, with these IT security managers allocating 50% more of their budgets to email security compared to managers who were less confident in their readiness. Mimecast found 10.4% of the total IT budget toward email security is the ideal intersection between email security confidence and spend.

To reduce the threat of whaling, Mimecast recommends that companies:

  • Educate your senior management, key staff members and finance teams on this specific type of attack. Don’t include whaling in a general spear-phishing awareness campaign—single out this style of attack for special attention to ensure key staff remain vigilant.
  • Carry out tests within your own business. Build your own whaling attack as an exercise to see how vulnerable your staff are.
  • Use technology where possible. Consider an inbound email stationery that marks and alerts readers of emails that have originated outside of the corporate network.
  • Consider subscribing to domain name registration alerting services so you are alerted when domains are created that closely resemble your corporate domain. Consider registering all available TLDs for your domain, although with the emergence of generic TLDs (gTLD) this may not be scalable.
  • Review your finance team’s procedures; consider revising how payments to external third parties are authorized. Require more than single sign-off, or perhaps use voice or biometric approval only with the requestor to ensure validity of the request.

Check out the infographic below for more on business email threats:

mimecast business email threats

Risk Link Roundup

Link Roundup

Here are a few recent articles that highlight issues impacting the world of risk and insurance, including blogs and articles about FIFA corruption, whistleblower programs—both pro and con—and the supply chain in outer space.

Iran, Russia Reject Idea of Joint Oil Output Cuts with Saudi Arabia
Reuters: Oil-producing countries looked unlikely to reach a deal to lift languishing prices at a meeting on Friday after Iran, Iraq and Russia swiftly rejected a surprise proposal that appeared to have been floated by Saudi Arabia.

16 Additional FIFA Officials Indicted for Racketeering Conspiracy and Corruption
U.S. Department of Justice: A 92-count superseding indictment was unsealed earlier today in federal court in Brooklyn, New York, charging an additional 16 defendants with racketeering, wire fraud and money laundering conspiracies, among other offenses, in connection with their participation in a 24-year scheme to enrich themselves through the corruption of international soccer.

Are Whistleblower Reward Programs Really a Good Idea?
FCPA Blog: Since the start of the SEC whistleblower program in 2011, the agency has awarded $54 million to 22 whistleblowers “who provided the SEC with unique and useful information that contributed to a successful enforcement action.”

Yes, We Need Whistleblower Rewards
FCPA Blog: Congress could not have been any clearer in its statutory design. Nor the SEC any more outspoken in its revitalized approach to government enforcement. Whistleblower rewards work.

Supply Chain Challenges in Space Exploration
OPS Rules Blog: Space supply chains are low demand and highly schedule driven. This might seem to be in contrast to commercial supply chains, which deal with high volume and compressed lead times. But applying the principles governing the commercial fast paced supply chains to the space supply chain can make it more agile and cost efficient.