It was my understanding that the executives of these corporations are culpable for what occurs under their watch. It is actually more nuanced than that, and it is these nuances that underscore the importance of having a cohesive response plan in place.
As Victor illustrates, "First of all, the things that you have been seeing since 1999 (Enron, Tyco, etc.), involved executives who were actively taking part in the fraud of their companies, and were therefore held responsible. However, under Sarbox executives are culpable in that the CEOs and CFOs are signing off on the financial statements, essentially saying that they have evaluated the company's internal controls and they are effective. If it turns out that they didn't have good internal controls, they are going to be held accountable for having misstated the truth. I don't want to tie it only to executives though. The Board of Directors and the audit committee, specifically, are tasked with being able to investigate complaints about corporate fraud and accounting problems. Certainly the Board has a responsibility as well. To the extent that complaints are coming in, and the company is unable to investigate them effectively, unable to uncover what's going on, and at the same time the CEOs and CFOs are signing off that they have an adequate control structure, I think those executives are at great risk."
What about the companies that aren't necessarily large enough to report their finances to the SEC? Isn't it important to implement an incident response process and be in compliance with these regulations?
"Depending on the industry, there are other regulatory structures that are in place requiring companies to be able to self-investigate and cooperate with law enforcement. If you look at regulations under Gramm-Leach-Bliley (GLBA), which apply to the finance industry, one of the requirements of a response program is to be able to make adequate reports to law enforcement. Clearly a company needs to be able to collect evidence and cooperate under those regulations. The same is true under HIPAA. We then have state regulations as well, such as California's SB1386 which deals with self-disclosure. There are a variety of laws on a per-industry basis that apply," answers Victor.
I asked Victor what his impression was of compliance-related changes within various organizations, "I think what is important is the trend. If you go back six years, you could have given a talk titled 'Information security regulation is on its way.' Now, it's here, and it's expanding. You have it touching public companies under Sarbox, affecting the health-care industry with HIPAA and the financial industry with GLBA. You have anti-identity theft statutes such as SB1386, which is now primarily Californian, but is being looked at on a national level. The trend is to increase information security regulations, increase requirements for self-investigation and employ the ability to mitigate liability."
Compliance issues are not an American-only concern. John Weigelt, Strategic Security Advisor for Microsoft Canada, states, "When I speak to clients about security-related issues, they are also very focused on compliance issues. While the Personal Information Protection and Electronic Documents Act (PIPEDA) remains a primary concern for Canadian businesses, I have found that many clients are equally occupied trying to address U.S. legislation such as Sarbanes-Oxley."