The Tribune

Those who do not know the language of cyber security may think the topic is foreign. Compliance professionals should not forget that conversations about compliance, dripping in apparently infinite acronyms, can also sound foreign to those unfamiliar with the subject.

Our lives are increasingly dependent on the Internet, so it is now crucial to be proactive and vigilant about protecting ourselves, and our companies, from cyber threats. For the avoidance of doubt, and for the purposes of this article, cyber hygiene and cyber security are not synonymous but are inter-related.

Cyber hygiene refers to methods and actions that computer users take to maintain the integrity of their systems, and increase the security of their online activities. Whereas cyber security is the process of preventing cyber-attacks on systems, networks and programs, thereby exceeding the practices of the computer user only. This article will briefly underline steps that the modern compliance leader should take to enhance their company’s cyber hygiene.

Implement a cyber security maturity and risk assessment

As I noted in a previous article, risk assessments allow businesses to strategically identify, assess and prepare for any danger, hazards and other potential disasters that could derail their goals and objectives. Based on this position, an assessment should be completed on the governance and leadership structure surrounding cyber risk management. Then, an evaluation of the company’s cyber hygiene culture should be performed. Additionally, an examination and testing of the business continuity framework as it relates to cyber risk should be completed. Finally, a gap analysis between the framework and practice of your company versus what is required legally.

Collaborate on people and processes

The management of cyber security requires a cross-functional approach because it is an enterprise-wide issue. Based on the cyber risk assessments performed, the development of a sustainable remediation plan to address deficiencies should be designed with enterprise-wide input. This integrated, instead of siloed, approach enables compliance to use its strong systemic reach across the company to facilitate meaningful and effective plans that are automatically agreed to by key stakeholders.

Develop robust compliance testing frameworks

A successful ethics and compliance programme must incorporate testing and monitoring. Testing and monitoring, as well as the data that is collected, provide stakeholders with relevant information that can be relied upon by regulators, boards, senior management and internal and external customers. According to Deloitte, this step is crucial to building a world-class compliance programme. Every level of a company should be subject to compliance testing. By designing your compliance testing framework, deficiencies in controls can be quickly identified, assessed and addressed.

Conclusion

In short, the compliance function must now play a much more integral role in any company’s cross-functional cyber security programme to ensure these efforts are properly risk assessed, enterprise-wide; are consistent with regulatory requirements; deeply infused into the cyber consciousness of stakeholders; and effectively monitored.

NB: About Derek Smith Jr

Derek Smith Jr. has been a governance, risk and compliance professional for more than 20 years. He has held positions at a TerraLex member law firm, a Wolfsburg Group member bank and a ‘big four’ accounting firm. Mr Smith is a certified anti-money laundering specialist (CAMS), and the compliance officer and money laundering reporting officer (MLRO) for CG Atlantic’s family of companies (member of Coralisle Group) for The Bahamas and Turks & Caicos.