The role of compliance in third-party risk management is critical to ensure the organization meets its fiduciary responsibility to safeguard data. Here’s why.
As large corporate data breaches continue to grab new headlines, corporations are becoming more willing to listen to managers and consultants who insist that controlling third-party risk is an area that requires significant investment. What should also be discussed, however, is a corresponding investment in your corporate compliance department, because all the paper plans and corporate policies in the world won’t save the Board of Directors if there isn’t a demonstrated effort to conduct proper oversight and sufficient monitoring and controlling activities.
It is simply time, in this age of Internet of Things (IoT), to realize that the U.S. capital markets are under attack at every level, every second of every day. Senior executives and board members, many of whom are still from the aging baby boomer generation, have been slow to listen to advisors who warn about electronic intrusion by hostile actors into their systems. They have little understanding of the complexity and interconnectedness of the technology that runs their company, so they defer responsibility to the CIO or CTO, but too rarely will they also pass along a corresponding budget that allows for a truly reinforced defense against intrusion.
Amazingly, the Securities and Exchange Commission rules do not require the BOD of publicly traded companies to form Risk or Compliance committees!
What is even worse is that too many companies expect their technical staff to be responsible for monitoring their meager efforts at cyber security without oversight. Immediately there are conflicts of interest and the proverbial “fox guarding the henhouse” dynamics created.
As time marches on, regulators have realized that a cyber attack is somewhat like death. It is not a matter of if; it is only a matter of when, an attack will occur. And when an attack happens (and it will happen at some point), a company’s defense is only as effective as the weakest point in the overall network. Thus, the focus on third-party risk, and increased efforts by regulators to make corporate board members and officers personally liable when they have not taken sufficient care to protect against harm from cyber-attacks.
Regardless of any cyber-insurance a corporation may have been able to secure to protect the corporate assets from being depleted when there is an event, corporate board members and officers are being held accountable for what they did not do to mitigate the harm caused by cyber-attacks.
The Fox and Hen Discussion
When companies finally get on board with putting in technical barriers designed to prevent intrusion, they have put some of their money where their mouth is, but they still haven’t really gotten into the groove of protecting their company, their employees, and their customers. As stated earlier, they are prone to just looking for the technical team to monitor and maintain an electronic defense system. If the defense system fails, the people responsible are now expected to identify the failure, evaluate the seriousness, and report it to their superiors. This is a highly flawed implementation because it does not consider multiple factors.
First, it ignores the fact that it is never a good idea to have responsible parties (IT) as the only ones monitoring and controlling such important protections. There must be a separation of powers. Someone outside of the IT department must be tasked to conduct periodic reviews of the performance of the electronic barriers through testing, and it cannot be left to the annual financial audit team to conduct it.
Second, when assumptions are made that a strong electronic defense system (firewalls, encryption, security credentials, etc.) are all that is required, they have ignored the reason why most technology fails… the human factor. No matter how sophisticated a system is, no matter how strong the encryption program, there is always someone who will take a short cut out of laziness, ignorance, or just plain old fashioned defiance to follow rules they perceive interfere with their ability to work efficiently.
Third, regulators have been advocating for (and winning) the ability to hold individual officers and board members accountable for avoidable breaches. In two recent (2019) high-profile cases involving Yahoo and Equifax, officers and directors were targeted for breach of fiduciary duty related to the compromise of customer data as the result of data breaches. This means that owners, officers, and directors of companies need to be more diligent in directing and monitoring their organization’s efforts.
Breaches of fiduciary duty will most often be listed as exclusions from coverage for Director and Office (D&O) insurance policies, leaving the directors and officers to pay their own legal fees, as well as any fines or penalties assessed by regulators, and also leaves them subject to possible criminal charges, which makes them subject to the U.S. Sentencing Guidelines utilized by the Department of Justice.
Simply stated, regulators and the Department of Justice are not going to allow corporate leadership to ignore their duty, because the harm to the American people is simply too great, and the cost to the U.S. economy and national security are too high.
The Ultimate Role of Compliance in Third-Party Risk Management
Companies need to take a true enterprise approach to their overall security and privacy programs. Third-party risk is especially important, because it has become virtually impossible to conduct any type of business without exposing corporate networks and facilities to intrusion through electronic means. A comprehensive plan to monitor and control third-party risk must include extensive use of the compliance department as impartial monitors capable of conducting the investigation and analysis required when corrective actions are required to close gaps that leave an organization vulnerable.
Third-party risk should not be delegated solely to contract administrators, account executives, IT managers or sales associates. These resources should work in collaboration with the compliance team to ensure proper oversight and monitoring of third-party risk.
When compliance resources are properly utilized, they generate trust. Trust that leadership is focused on the protection of the organization’s assets and resources (including their employees and customers), and trust that employees will follow prescribed policies and procedures when conducting their duties. When there is mutual trust, organizational performance elevates.
Compliance professionals have the expertise to develop the framework that documents the organization’s policies from the Board of Directors (“BOD”) and correlates them to procedures at the department and employee level, creating linkage between every function performed and the corporate policy that governs it. Further, the department is equipped (when properly resourced) to monitor and analyze compliance within the framework and provide reporting to senior management and the BOD on a periodic basis throughout the year.
Regular monitoring and reporting on a prescribed schedule is the verification required to maintain the trust required to run an efficient and socially responsible organization. It can also provide directors and officers with the peace of mind that they have met their fiduciary duty and have mitigated the likelihood of personal liability in connection with their leadership.
It is critical that as business becomes more and more reliant on technology and big data to drive their analysis and strategies, they properly resource and rely on their compliance professionals to ensure they are meeting their fiduciary responsibility to safeguard data from unintended disclosure and compromise.
About Reba Leonard
Reba Leonard is a Compliance Executive with 35 years of progressive leadership experience in financial services, insurance, and the military. She has worked in the Insurance industry as a Compliance and Government Affairs Executive, focusing on health insurance, the Affordable Care Act, and self-funded employer health plans. She has knowledge and experience in HIPAA and HITECH compliance, CCPA and other privacy laws, FTC and FCC regulations on CAN/SPAM and telemarketing rules, and Advertising regulations. In the Financial Services industry, she has worked in Compliance, Business Development, Strategic Planning, Accounting, Project Management, Six Sigma, PCI Compliance, OFAC, BSA, and FCRA.
To learn more about how ThirdPartyTrust can help you streamline your TPRM program, request your free trial now:
