Op-Ed: The role of compliance in mitigating cyber attacks

By Derek Smith Jr

Those who don’t know the language of cybersecurity may think the topic is foreign. However, compliance professionals should not forget that conversations about compliance, dripping in apparently infinite acronyms, can also sound foreign to those unfamiliar with the subject.

Our lives are increasingly dependent on the internet, so it is now crucial to be proactive and vigilant about protecting ourselves and our organizations from cyber threats. For the avoidance of doubt, and for the purposes of this article, cyber hygiene and cybersecurity are not synonymous but are interrelated. Cyber hygiene refers to the methods and actions that computer users take to maintain the integrity of their systems and increase the security of their online activities, whereas cybersecurity is the process of preventing cyberattacks on systems, networks and programs, and therefore goes beyond the practices of the individual computer user.

This article will briefly outline the steps that the modern compliance leader should take to enhance their organization’s cyber hygiene.


Implement a cybersecurity maturity and risk assessment

As I noted in a previous article, entitled “What’s in your risk assessment?”: “Risk assessments allow businesses to strategically identify, assess and prepare for any danger, hazards and other potential disasters that could derail business goals and objectives.” Based on this position, an assessment should be completed of the governance and leadership structure surrounding cyber risk management. Then, an evaluation of the cyber hygiene culture of the organization should be performed. Additionally, an examination and testing of the business continuity framework as it relates to cyber risk should be completed. Finally, a gap analysis should be performed between your organization’s framework and practice and what is required legally.


Collaborate “people and processes”

The management of cybersecurity requires a cross-functional approach because it is an enterprise-wide issue. Based on the cyber risk assessments performed, a sustainable remediation plan to address deficiencies should be designed with enterprise-wide input. This integrated, rather than siloed, approach enables compliance to use its strong systemic reach across the organization to facilitate meaningful and effective plans that are automatically agreed to by key stakeholders.


Develop robust compliance testing frameworks

A successful ethics and compliance program must incorporate testing and monitoring. Testing and monitoring — as well as the data which is collected — provide stakeholders with relevant information that can be relied upon by regulators, boards, senior management and internal and external customers. According to Deloitte, this step is crucial to building a world-class compliance program. Every level of an organization should be subject to compliance testing. A well-designed compliance testing framework allows deficiencies in controls to be quickly identified, assessed and addressed.


Conclusion

In short, the compliance function must now play a much more integral role in any organization’s cross-functional cybersecurity program to ensure these efforts are properly risk-assessed, enterprise-wide, consistent with regulatory requirements, deeply infused into the cyber-consciousness of stakeholders and effectively monitored.


Derek Smith Jr is a governance, risk and compliance professional of more than 20 years with a record of leadership, innovation and mentorship. His career has been fortified by holding strategic positions at a TerraLex member law firm, a Wolfsberg Group member bank and a Big 4 accounting firm. Smith is a certified anti-money laundering specialist (CAMS) and the compliance officer and MLRO for CG Atlantic’s family of companies (member of Coralisle Group Ltd) for The Bahamas and Turks and Caicos.
