The Issue of Compliance - It's Here and It's Expanding!
by Melisa LaBancz-Bleasdale - IT Journalist - Thursday, 8 April 2004.
"The key is to be able to uncover wrong-doing inside of the company and cooperate with law enforcement and regulatory authorities to limit corporate liability. You don't often know whether someone's committing fraud, misappropriating company assets, or stealing your intellectual property until it's happened. You have choices though: you can find out it's happened after you've suffered a huge loss, or you can intercept it when it's happening. You don't want to find out 2 years from now that someone in finance has been placing millions of dollars in offshore bank accounts," says Victor.

My understanding had been that the executives of these corporations are culpable for whatever occurs on their watch. The reality is more nuanced than that, and it is these nuances that underscore the importance of having a cohesive response plan in place.

As Victor illustrates, "First of all, the things that you have been seeing since 1999 (Enron, Tyco, etc.), involved executives who were actively taking part in the fraud of their companies, and were therefore held responsible. However, under Sarbox executives are culpable in that the CEOs and CFOs are signing off on the financial statements, essentially saying that they have evaluated the company's internal controls and that they are effective. If it turns out that they didn't have good internal controls, they are going to be held accountable for having misstated the truth. I don't want to tie it only to executives though. The Board of Directors and the audit committee, specifically, are tasked with being able to investigate complaints about corporate fraud and accounting problems. Certainly the Board has a responsibility as well. To the extent that complaints are coming in, and the company is unable to investigate them effectively, unable to uncover what's going on, and at the same time the CEOs and CFOs are signing off that they have an adequate control structure, I think those executives are at great risk."

What about the companies that aren't necessarily large enough to report their finances to the SEC? Isn't it important for them to implement an incident response process and be in compliance with these regulations?

"Depending on the industry, there are other regulatory structures that are in place requiring companies to be able to self-investigate and cooperate with law enforcement. If you look at regulations under Gramm-Leach-Bliley (GLBA), which apply to the finance industry, one of the requirements of a response program is to be able to make adequate reports to law enforcement. Clearly a company needs to be able to collect evidence and cooperate under those regulations. The same is true under HIPAA. We then have state regulations as well, such as California's SB1386, which deals with self-disclosure. There are a variety of laws on a per-industry basis that apply," answers Victor.

I asked Victor what his impression was of compliance-related changes within various organizations. "I think what is important is the trend. If you go back six years, you could have given a talk titled 'Information security regulation is on its way.' Now, it's here, and it's expanding. You have it touching public companies under Sarbox, affecting the health-care industry with HIPAA and the financial industry with GLBA. You have anti-identity theft statutes such as SB1386, which is now primarily Californian, but is being looked at on a national level. The trend is to increase information security regulations, increase requirements for self-investigation and employ the ability to mitigate liability."

Compliance issues are not an American-only concern. John Weigelt, Strategic Security Advisor for Microsoft Canada states, "When I speak to clients about security-related issues, they are also very focused on compliance issues. While the Personal Information Protection Electronic Documents Act (PIPEDA) remains a primary concern for Canadian businesses, I have found that many clients are equally occupied trying to address U.S. legislation such as Sarbanes-Oxley."
