Compliance risk management. Now, I know what you’re thinking. “Finally! Some flashy, provocative content!”
Okay. Maybe that’s a stretch.
But compliance is a critical aspect of company growth. Every company that operates in the cloud or gathers personal data is subject to international, national, and state laws. So whether you are a three-person entity or a global empire, you should be thinking about compliance risk management. This article provides some basic ideas on how you can build an effective compliance risk management system.
Start a compliance risk assessment program early.
As startups get going, CTOs typically focus on scaling the business as fast as possible, so compliance tends to get pushed to the back burner or forgotten altogether. Though not always an immediate priority, compliance is best when introduced early. A smaller company has fewer risks to assess, making the task of building an organized way of identifying and addressing compliance concerns much easier. As the company grows, the essential elements of the compliance program are already there; the CTO can build upon a sturdy foundation. Though getting a program off the ground can absorb close to 50% of a CTO’s time, that commitment will decrease significantly over time.
It’s helpful to remember that building a program for compliance risk assessment is an opportunity for CTOs. By taking the lead, the CTO can increase their profile and extend their influence. Because compliance does not live in a vacuum, a CTO can stand out as a cross-department facilitator, connecting one department with another, creating synergy and improving efficiency. With great communication, the CTO can produce quality compliance risk assessment measures and increase their value to the company.
Hire a cybersecurity compliance attorney.
The first step for a CTO looking to build a compliance risk assessment program is to hire a cybersecurity compliance attorney. A skilled attorney will examine and present the legal obligations specific to each company. One advantage of hiring a lawyer at this stage is confidentiality; any risks brought to your attention will be contained. Confidentiality becomes more difficult the moment you add a non-legal, outside entity to your compliance structure, but these risks can be minimized through contractual confidentiality agreements.
After receiving advice from an attorney, the next step is to hire a technical consultant. These experts make observations about compliance at the technical level, providing specific advice based on the company’s technological processes. The final step for initiating a compliance risk assessment program is to introduce a third-party auditor. Third-party auditors are outside entities that use a standardized assessment process to rate and report a company’s privacy, security, and other compliance measures. The most common third-party auditing tool is the SOC 2, which is described more below.
The SOC 2 has become the industry standard third-party report. Many companies skip the compliance attorney or technical consultant, hoping to get a SOC 2 in the hands of potential customers as soon as possible. This is likely a mistake. The attorney and technical consultant may provide invaluable feedback about compliance risks and failures that could be corrected before the SOC 2 is completed, resulting in a better report to deliver to consumers.
As the company grows, the compliance team grows.
When a company starts to take on bigger clients, compliance becomes a function of growth. The CTO has to promise and deliver better privacy and security to satisfy a wider customer base. For example, third-party partners may demand that your company has industry-standard insurance, privacy safeguards, and security measures. Without these provisions, your company is not only putting itself at risk, it is eliminating potential customers.
As the compliance risk assessment program grows, it will need additional human support beyond an attorney and the CTO. Larger companies hire intermediaries, such as Compliance Directors or CSOs, to provide communication between in-house legal departments and management or human resources teams. As the CTO decreases their daily involvement, the Director of Compliance picks up duties that go beyond security and privacy issues. Parallel issues such as agency, licensing, financial compliance, and legal compliance are under the care of the Director as well. Some additional responsibilities may include insurance agreements, approving vendor and customer contracts, and company audits and evaluations.
Identify critical compliance risk assessment tools.
In order to avoid overwhelming compliance limitations, the CTO can narrow down some of the most critical compliance risk tools. The most basic tool is cybersecurity insurance, which covers failures related to data breaches, business interruption, and network damage. Contractual agreements are another simple tool. The CTO can offload risk to a third-party through legal agreements such as a standard security addendum. This kind of disclosure of security and privacy policies creates a sense of shared responsibility and shifts responsibility to the consumer or the user.
Policies are additional tools for CTOs, and it is important to note that international and select U.S. state laws now require distinct privacy and security policies. The security policy provides details on how systems are protected from an outside attack or from inappropriate access across departments. The privacy policy governs how the organization will collect, use, and disclose customer data, which generally applies to employee conduct within the organization.
Measure your risk.
The basic compliance risk assessment program must be able to identify and measure risk before it happens. When done properly, a measuring risk will protect decision-makers, ensuring that qualified leaders make the riskiest decisions. Those individuals make business decisions and look for alternatives to mitigate risk.
One way to accomplish this is to implement a scoring system using this formula:
Likelihood of Breach x Impact of Breach = Risk
Using a basic scoring system gives a CTO a way to measure risk. The higher the score, the greater the risk. Risks that are numerically high can be sent to upper management so that risks that can affect the entire company are addressed by those with the authority to impact the entire company.
Invest in the SOC 2.
The SOC 2 is the gold standard for information security audits. It can prove a company’s security posture in tech. Any company that stores information in the cloud should have a SOC 2. The SOC 2 is regulated by an independent community. Independent firms comply with governance from the American Institute of Certified Professional Accountants (AICPA) to provide qualitative reports of an organization’s compliance measures. The SOC 2 is not a specific checklist of requirements. Instead, it provides opportunities for companies to demonstrate how and to what extent they protect their data.
Security is the main element of the SOC 2. It focuses on network and application firewalls, two-factor authentication, and intrusion detection. These controls are particularly relevant when data is stored in the cloud. Another element of the SOC 2 is processing integrity, which is a high-level assessment of authenticity. Auditors get an inside look at what the data collection, storage, and disclosure processes are and how they work, down to the code level. This information stays confidential when industry-standard NDAs are used.
Confidentiality is another element of the SOC 2. Confidentiality is an assessment of the company’s own standards for information security. The SOC 2 provides an opportunity for the company to define, control, and demonstrate its confidentiality policies. The last elements are availability and privacy. Availability assesses the ability of the company to handle performance in a disaster or breach situation. Privacy assesses how personal information is collected, retained, and disclosed. This includes the company’s privacy policy, data log reviews, and encryption.
Encourage the culture of compliance risk assessment.
Remember that a single risk assessment in any one stage of growth is not enough; compliance is not a single, procedural step. Examining the impacts on privacy and security is an ongoing part of development and production.
