ESG is no longer in vogue. But its issues still are.
Almost none of the nearly 200 attendees at Compliance Week’s Third Party Management summit this week said they’re currently working on ESG when informally surveyed. The show-of-hands results marked a dramatic reversal from even just a couple years ago, surprising even attendees in the room.
Regulators and investors increasingly say boards of directors need more expertise to ensure they can respond to fast-changing politics, policy, and technology that threaten to undermine their businesses. In the U.K., government officials say boards need to think more about cyber. In the EU, they need to prepare for the Corporate Sustainability Reporting Directive (CSRD). Speaking at Compliance Week’s Third-Party Risk Management summit, Boards of the Future director Vera Cherepanova says that directors need to think broadly, rather than in specialties.
Global supply chains are constantly in flux: crucial vendors could suddenly go bankrupt, fail to produce key components without warning, or even lose your firm’s data in a breach. The result has drawn ever more attention to third-party risk management as a critical element of many businesses.
The world is rapidly changing. The European Union is stepping up rules and enforcement, while the United Kingdom is charting its own course. And now the United States is taking a third tack, with unclear regulation enforcement under a mercurial Donald Trump’s second term as president underway.
The Federal Trade Commission has ordered web hosting company GoDaddy to implement a “robust” information security program following at least three data breaches that the agency said were aided by lax cybersecurity measures.
Cybersecurity has become one of the most important parts of business operations, particularly as companies face a data breach, attack, or disruption of service. But the impact this responsibility is having on cyber pros needs more attention.
The U.K. government wants directors and boards of directors to become more actively involved in cybersecurity risks facing public and private companies, as the world faces “alarming” threats from criminal gangs and malicious nation-states.
Though many organizations take cybersecurity seriously, the U.K. government says they do not place management of cyber risks high enough in their governance structures.
Many small organizations within the Defense Industrial Base are struggling to meet the rigorous requirements validated through the Cybersecurity Maturity Model Certification, writes Thomas Graham, CISO at Redspin. If you haven’t been tracking it closely, CMMC was finalized in October, with an effective date of December 16, 2024.
Yet another government contractor has been slapped with a fine by the Department of Justice for applying lax cybersecurity defenses on sensitive government data.
Compliance teams should expect more support from their organization’s internal audit functions. That is the clear message from the Institute of Internal Auditors, the global body of national affiliated internal audit institutes, which has just put into action its new Global Internal Audit Standards.
