

What is the role of compliance in battling cyber risk?

Cross-Industry Compliance Leadership Summit eyes the intersection of two disciplines

Deloitte & Touche LLP principal Julie Bernard and Deloitte & Touche LLP managing director Susan Ameel moderated a session at Deloitte Advisory’s recent Cross-Industry Compliance Leadership Summit about the ways compliance and cyber security meet, and how the executives responsible for those areas might benefit by coordinating their efforts.

January 31, 2017 | Cross Industry

“It’s called the cloud,” Deloitte & Touche LLP principal Julie Bernard remarked. “It’s not called the vault. Keep that in mind.”

Many of the industries most subject to cyber attacks are also among the ones that have the most sophisticated regulatory and compliance obligations. Financial services, energy and utility companies, health care organizations, defense and aerospace—they all have to safeguard their own sensitive data, their customers’ information, or both.

Bernard noted that according to one study, 89 percent of data breaches have a financial or espionage motive.1 Many of those breaches involve insiders, and much of the data lost includes personal information such as Social Security numbers and dates of birth.

Organizations can’t repair losses like that just by changing a credit card number. Confidences they have pledged to maintain have been broken. That’s a good argument for compliance leaders and cybersecurity leaders to work in sync. The question is, do they?

Business Line information security officer Mike Leking of US Bank, a former Department of Homeland Security (DHS) official, was a featured panelist at the summit. He said building that kind of partnership takes “handholding, communications, and feedback.”

“Cybersecurity and information security need to be embedded into the culture of an organization,” Leking said. “It’s not just something you do during cybersecurity awareness month.”

Leking noted that in his work at DHS, he learned incident management was a frequent weak spot—that some organizations proceed as if they expect never to be hacked when it’s actually a matter of “when,” not “if.” Threats can come from professional criminals, “hacktivists” fighting for a cause, or from nation-states and terror organizations. Or they can come from a teenager just looking for a challenge. The internal awareness and controls that compliance uses can also help detect and deter those threats.

Other participants in the summit, representing a variety of industries, offered varying assessments of how well they were engaging with their security counterparts:

  • “Partnership is critical” among leaders and teams with different but complementary skill sets
  • Compliance teams can help cyber teams detect and prioritize threats and direct resources where they’re needed most
  • Employee monitoring and control of system access is an area both functions can cooperate on; so are potential red flags such as employees facing termination, but only if the right people share the right information
  • Compliance and cybersecurity teams can work together to identify “back doors” to complex protective systems—such as a health information terminal that won’t let users copy data, but which doesn’t prevent anyone from photographing the screen

In some cases, Susan Ameel pointed out, cyber and compliance teams can find shared satisfaction in one approach to potentially damaging data: Destroy it. But that can be easier said than done.

Another area that concerns both compliance and security leaders is the activity of third parties. The first question may be which unit is responsible for the relationship: the business unit, information technology, legal, or another. Some participants said they make vendors and other third parties complete long questionnaires about their security practices, or sign agreements promising a certain standard of performance. But just as a company cannot contract its own fiduciary responsibilities to another, the cybersecurity buck stops at home as well.

All participants in the summit discussion acknowledged the stakes are high.

“The defenders have to be right 100 percent of the time, so it’s an uneven playing field,” one compliance chief said. Another noted, “One single click can significantly impact the future of an organization.”

And Bernard recalled desperate times she has witnessed first-hand: “I’ve been involved in cases of the devaluation of a company so they could be bought by a Chinese company for a quarter of a billion dollars less than they should have been, all based on an external threat,” she said. “That’s the freak-out. What if someone got into your systems and changed your financials so that you disappeared overnight?”

1 Verizon’s 2016 Data Breach Investigations Report, available at http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
