Cyber-security is often viewed with suspicion, even fear, by compliance officers. Why is that?
For one, at most companies it is easy for compliance officers to pass off cyber-security issues as someone else’s problem. Large- and mid-sized organizations have an entire department laser-focused on managing cyber-security concerns, while smaller companies often have one person versed in the subject.
Cyber-security discussions can sound like a foreign language to those who don’t understand the terms. It can be intimidating. But let’s not forget that discussions on compliance issues, with their seemingly endless array of acronyms, can also sound like a foreign language to the uninitiated.
David Martin is the chief compliance officer of Benchmark Investments, a New York City broker-dealer with about $5 billion in assets under its control. In a panel discussion at Compliance Week’s virtual Cyber-Risk & Data Privacy Summit on Thursday, Martin said compliance officers tend to compartmentalize cyber-security because they don’t understand it. Cyber-security doesn’t have direct relevance to his area of expertise, which is complying with laws and regulations on securities.
And with cyber-security, “the more you learn, the more scared you get,” he said. He manages to beat back that fear by cultivating a network of people, both inside and outside his organization, to whom he can pose his cyber-security questions.
What’s most important for compliance officers is to understand the risks that breaches and hacks pose to their organizations, not the technical manner of how those breaches occur. Expertise in the technical aspects of cyber-security is not required to understand those risks.
John Ritchie, board member and audit committee chair at Massachusetts-based Acacia Communications, said compliance officers should view cyber-security issues through the prism of risk. When speaking to the board or your superiors about cyber-security, he said, talk about the risks it poses to the future of your organization.
“Focusing on cyber-security gives you the opportunity to bring up the risk,” he said. “It’s an opportunity to educate your team on the risk, and then push the culture of risk deeper into the organization.”
What’s less important to the board are the technical details of how a hack happens, said George Finney, chief information security officer at Southern Methodist University in Dallas.
“You want to break down the risks. The board will want to know what you’re doing in non-technical terms,” he said, adding that cyber-security conversations “can get scary, confusing, and down in the weeds very quickly.”
What the board needs to understand is the damage a hack could cause, whether your organization’s processes are somehow deficient, and what steps should be taken to prevent an attack. There should also be a clear plan in place for what happens after an attack, including steps taken to limit the damage, keep the business operating, and make the proper notifications in the proper timeframe to company executives, regulators, and other affected parties like customers and vendors.
Regulated entities and publicly traded companies can lose value or customers quickly if they are seen to have significant cyber-security deficiencies, Ritchie said.
“Cyber-security is a compliance issue for any regulated entity,” he said. The risks posed by breaches and hacks “are, ultimately, compliance risks related to cyber-security,” he added.
Compliance officers should also be able to convey to all employees the importance of following the firm’s cyber-hygiene policies and procedures. They don’t have to understand every detail of how a cyber-attack occurs in order to create and foster a culture of compliance with cyber-security protocols within their organization.
In this regard, corporate culture is key, Finney said.
If your firm has a culture that regularly grants exemptions or encourages workarounds to policies and procedures or implements policies and procedures that don’t match real-world demands of your workplace, they are much less likely to be effective. Attempting to encourage compliance through fear won’t make up for the deficiencies of a poor corporate culture, Finney said.
Instead, implement realistic policies and procedures that will reduce your company’s vulnerabilities to hacking, phishing, and other cyber-threats. Have conversations about why the cyber-security policies of your company are built the way they are and how it is in everyone’s best interest that they be followed.
“Be willing to have a conversation,” he said. “You build a culture as a community working together toward a common goal.”