Making sense of compliance and governance
Whether it is one big Sarbanes-style law, or by many tiny amendments, compliance is here to stay. Don't let it faze you, says Rob Buckley.
The crash of the financial markets in 2008 following the bankruptcy of financial services firm Lehman Brothers prompted one of the biggest government bailouts of banks and insurance companies in history. Trillions of dollars around the world were poured into scores of companies to keep them – and, in turn, the rest of the world's economies – afloat. Countries such as the UK and, in particular, Greece are still feeling the effects of the collapse and the debt they built up to fund the bailouts – and will do so for years to come.
‘Never again’ was heard in almost every country affected. The over-leveraging of assets in unregulated markets had brought the world to its knees, causing mass unemployment, recession and bankruptcies. So, greater regulation of banks and other financial services companies has been the pledge of governments worldwide, including the UK coalition.
However, on this issue, it seems no government wants to be ‘first to market’ with swingeing new regulations, if it causes financial services companies to leave their shores. The UK's Financial Services Act 2010 had already been passed by parliament and received royal assent on 8 April, but its changes are relatively small and the Financial Services Authority (FSA) is still consulting with companies on how it will be enforced.
Only the US has the clout to impose unilateral regulation on the markets, so, as with Sarbanes-Oxley (‘SOX’) in 2002, the US is likely to be the first major country to propose compliance legislation of the severity suggested. The EU and others are then likely to follow suit.
“It's not clear exactly what such legislation will look like,” says Craig Carpenter, VP of marketing for information risk specialist Recommind. “At a minimum, new legislation is likely to require added layers of scrutiny and reporting by information security professionals, somewhat like a ‘Sarbanes-Oxley II’. There is also a high likelihood that such legislation will incorporate more data protection requirements, including bigger fines for loss of data, especially personally identifiable information.”
However, Carpenter says that any ‘Son of SOX’ law is going to be broader and have a bigger impact on information security professionals in the US. “SOX didn't change the way they went around on a daily basis. This could, since it has transparency and reporting requirements for the financial industry and those close to it that are going to be a lot broader than most anticipate. Whereas SOX was ‘let's prevent fraud’, this is going to be like that – but on steroids.”
Outside the US, rather than wholesale change from one large piece of legislation, financial services and other organisations are more likely to face multiple pieces of legislation, usually pertaining to data loss and greater transparency.
“There is a large range of regulation relating to the financial services sector that has recently come into force, or is about to be introduced – or being considered for introduction – by the European Commission,” says Chris Pickles, head of marketing, financial markets and wholesale banking at BT Global Services. “These include MiFID, the Capital Requirements Directive, the Money Laundering Directive and the Market Abuse Directive. These will have direct relationships to risk management and thereby to information management and information security.”
In some cases, Pickles says, the impact can be direct, such as the requirement for the organisation to record and archive voice conversations so they can be used as part of compliance procedures and regulatory investigation. Voice conversations will also need to be integrated into the IT infrastructure, since MiFID means purchase fulfilment now has to be done in the order in which purchases arrived, no matter what the medium used.
More importantly, organisations have to be able to prove this, so audit logs and archives will need to be handled accordingly. But, as in the US, data loss laws are probably going to be the area of most change. In the UK, although most of its requirements have remained the same, recent changes to the Data Protection Act have meant that the maximum fine that can be imposed on an organisation for losing or mishandling personal data is now £500,000. According to Recommind's Carpenter, the UK Information Commissioner's Office (ICO) is mainly going to be policing larger companies, thanks to the relatively meagre resources allocated to it.
In addition, this is going to be in response to public breaches and notifications of breaches, rather than through any investigative process.
Indeed, Carpenter says it's unlikely ICO boss Chris Graham would be interested in hearing from smaller companies or of examples of breaches at smaller companies. “If you have a hotline where someone can ring up to inform you of breaches and you don't have the resources to investigate, you'll open yourself up to attack – it'll be worse than if you hadn't had the hotline at all.”
A £500,000 fine will be large enough to bankrupt many a small business, so the full amount is unlikely ever to be used against any but the largest companies. “The ICO will take consideration of the sector and financial resources of organisations,” says Peter Gooch, head of Deloitte's privacy team. “It's not going to hit a small charity with a half million pound fine – the purpose isn't to impose undue financial hardship.” In the case of large companies in financial services, the ICO is more likely to defer to the FSA anyway, since the fines which that body can impose are much greater and more likely to affect large organisations, which could potentially shrug off even the full ICO fine.
Around the world, however, breaches are regarded differently. Germany has recently changed its laws to enforce greater privacy and to oblige organisations that lose personal data to disclose the fact; there are ‘huge' fines for those found breaking the law.
Similar obligations apply in individual states of the US, including Massachusetts and California. Massachusetts in particular, as well as requiring organisations to disclose when they've lost personal data, demands that any organisation that stores personal data on its residents have specific security controls in place, including encryption of personal information. Because of the way the US legal system works, that in effect means any company wishing to trade anywhere in the US has to behave according to the Massachusetts law on this issue.
“There's a domino effect,” says Sushila Nair, product manager at the managed security solutions group of BT Global Services. “Other US states are debating the same thing, and so is Europe.”
Rob Warmack, senior director of international marketing for Tripwire, says that the presence of disclosure laws in the US has made data breaches a boardroom issue, since no CEO wants the brand damage that a breach now results in. “Disclosure is the largest issue. In the US, everyone knows about a breach, and the CEO really doesn't want to read about himself in the morning paper.”
The debate in Europe is slow, however, with little sign of an EU disclosure law seeing the light of day in the next 18 months. Carpenter says that although there is US disenchantment with EU disclosure laws, the only organisations petitioning for change are enterprises.
Global compliance pressures are also coming from the credit card companies, whose PCI DSS guidelines mandate what kind of security technology and measures should be in place at any organisation that handles credit card data. Anyone handling this data needs to abide by the PCI DSS guidelines or else they can potentially be fined or forbidden from taking credit card orders. In the US, it's the credit card companies, such as Visa, that are imposing fines directly – as much as £200,000 per month last year – and certain security officers have been fired as a result.
However, in the UK and Europe, which are under the auspices of the likes of Visa Europe, fining has been delegated to the banks, which have had a lighter touch, mainly because the banks' own terms and conditions for merchants didn't allow them to impose any harsher penalties. But this lighter touch has started to become heavier of late, says Tripwire's Warmack: as terms and conditions have slowly been updated with customers, so banks have been able to impose more punitive fines when breaches have occurred.
All tiers of companies that handle credit card data should, in theory, be PCI DSS-compliant already. However, this was also true in 2005 and subsequent years, with Visa Europe and others continually putting back the deadline. With few being publicly punished as a result, PCI DSS wasn't taken as seriously as it should have been.
The PCI does expect everyone now to be compliant with PCI DSS 1.2 by September, but James Carnie at managed services company eLINIA says that having a roadmap showing how the organisation intends to become compliant should be sufficient in most cases. However, where an organisation isn't compliant and chooses to use ‘compensating controls’ – alternatives to the specifications that they say make the organisation secure all the same – these mustn't be a fudge designed to avoid compliance, since that will result in fines in the event of a breach.
Becoming compliant can be hard. Many companies think they are compliant and only those who conduct a large enough number of transactions will be audited for compliance. It's only if a breach occurs that they find out that their security doesn't quite meet the standards set. Benj Hosack, director at Foregenix, says that while those companies that do enough credit card transactions per month to qualify as ‘tier one’ companies have largely become compliant, many of those in tiers two and three, particularly new arrivals such as web hosting sites, have yet to become compliant and may not even be aware they need to be. “Most businesses don't have a full handle on where their card data is,” Hosack says.
However, there are some tier one holdouts, principally those with large legacy systems that would be hard to update. Carnie says that PCI and bank fines are not sufficient to cause tier one companies to become compliant and, as a result, discriminate against smaller companies. “It's easier for tier one companies to pay the fines than it is for them to become compliant.”
Changes are planned for PCI DSS that will be introduced as part of v1.3 of the specification in October of this year. These will largely be to adjust to changes in attack vectors by hackers. Christopher Jenkins, security business manager at Dimension Data, says that the expectation is that there will be greater clarification of certain issues, rather than anything too radical. The scanning of networks for card data is probably the biggest change to be expected, he says, but other moves might include specs around the security of point-of-sale terminals, encryption and when to use two-factor authentication. But, Jenkins says, there “shouldn't be anything to wake people up or scare them”.
There will always be more compliance legislation – and security people are going to have to keep up with it. But even after the biggest financial crisis since the Great Depression, coordinated changes to compliance around the world are unlikely. Instead, small changes in different countries and the compliance requirements of different industry bodies are more likely to affect how you conduct business. You'll still have a handful of balloons to manage...
Changing the mindset, not just the processes
Meeting compliance regulations in the future is likely to mean not just a change in processes, but a change in mindset, according to Craig Carpenter, VP of marketing at information risk specialist, Recommind.
“Assume you'll have to report on everything and have complete transparency for the regulators,” he says. “Plan for that. It may not happen this year, but that's the right approach to take to it.”
It's likely that future compliance legislation is going to be focused on what companies offer to sell to customers. “You need to work from the perspective that five years from now, someone is going to look back at what you're doing today and asking, ‘Why did they do this? Was it legal, ethical?’ You need to prove in hindsight that what you're doing now is legal, ethical and above board.”
He says the best way security professionals can help with this is by making sure they apply their current perspective of what they're doing in their daily jobs already to this area. “How are the product's marketing materials and sales materials being tracked? What do we know about what is being communicated? What policies are in place? This is bread and butter to what security people do.”
With compliance professionals, security staff should look at the kinds of information request they might get from regulators. “If the ICO wants to know how you handle information about employees who have left the firm, how would you respond? Who would respond, how long would it take you – and could you do it cost-effectively?”
Carpenter says that while banks can be “pretty good” at this, companies in other industries, such as insurance, don't necessarily have processes in place, despite also being regulated.
That's where technology can help. GRC (government, regulation and compliance) software from the likes of SAP, Oracle, Archer Technologies and RSAM can help to put in place information stores of common questions, as well as workflows and processes needed for compliance. Some may include event monitoring systems as well as other systems for preventing breaches of compliance regulation. However, with the average GRC deal costing $250,000, according to Forrester analyst Christopher McClean, this might well be out of the budget of any but the most regulated companies.
“Software can be a traffic cop or a safety net,” says Carpenter. “Even with the best employees in the world, you still have to show you have the systems in place. Whether you have 30,000, 50,000 or 100,000 staff, you're still likely to have rogue employees, so you need vigilant networks.” At the very least, encryption is going to be increasingly important for many data types.
However, training and changes in attitude by employees are far more important. Carpenter cites the approach of HSBC, which allows its employees to use social media at work. “It's not how you communicate – that's irrelevant. It's what you're communicating. If we can't help you understand what you should and shouldn't be doing, the method is irrelevant.”
The UK coalition's view of compliance
Few would have predicted a Liberal Democrat alliance with the Conservatives as the outcome of the UK general election. But with both parties working together in a coalition and their plans for legislation published, it is clear some changes to compliance and governance are on the way.
On banking, the coalition's policy document (http://programmeforgovernment.hmg.gov.uk/) says that the Government “will reform the banking system to avoid a repeat of the financial crisis, to promote a competitive economy, to sustain the recovery and to protect and sustain jobs… We will take steps to reduce systemic risk in the banking system and will establish an independent commission to investigate the complex issue of separating retail and investment banking in a sustainable way; while recognising that this will take time to get right, the commission will be given an initial time-frame of one year to report.”
On consumer protection, the Government says “we need to promote more responsible corporate and consumer behaviour through greater transparency” and that it “will introduce stronger consumer protections, including measures to end unfair bank and financial transaction charges”.
As for businesses in general, the policy document states: “We will end the culture of ‘tick-box’ regulation, and instead target inspections on high-risk organisations through co-regulation and improving professional standards” and “we will impose ‘sunset clauses’ on regulations and regulators to ensure that the need for each regulation is regularly reviewed.”
So if anything, regulation and compliance are likely to decrease for some companies in the short term. Banks might be on the receiving end of some compliance legislation, but not for a year at least.
For information security professionals, overall the effects of the change in government on compliance and government regulations are likely to be minimal. Stuart Okin, managing director of Comsec UK, says that despite the proposals, the chances of anything happening in the short term are small. “I don't think they'll break up the banks – that's not something the UK can do on its own.” With ten per cent of GDP coming from financial services, he says the Government is also unlikely to jeopardise that.
Okin sees few changes in compliance coming through. Instead, the new FSA guidelines are most likely to affect businesses in the financial sector. “We've already put a new series of infosec guidelines out there. Hopefully, the auditors and regulators will be working to those.” But he does predict that retention laws for small and medium business will be getting “easier and lighter”.
Longer term, though, Okin doesn't rule out the possibility that the Government will propose more changes. “Infosec is not likely to be the top of the budget considerations. However, Baroness Neville-Jones (minister for security) understands the importance of this area, given her background. Longer term, assuming no further polls, then there could be support for further investment and additional leadership in the infosec arena.”
Setting borders to clouds
At first, putting your data in the cloud sounds like a great idea. You don't have to worry about infrastructure, security, maintenance or any of the other costs and issues that in-house data storage requires. However, since the data is in ‘the clouds’ – that is, location unknown – this can cause problems from the point of view of compliance and regulation.
Ed Callacher, security and networking divisional leader at Bell Micro, says the biggest problem with the cloud is that someone else controls the data, and even though regulations such as PCI DSS apply, there are no standards for cloud providers. “The biggest challenge with any kind of cross-border work is finding out what data you have and where it is, and what security policies they have.”
Handing data over to a third party won't protect you if there is a breach or a failure to comply with legislation. Although there have been few test cases, compliance legislation applies to the organisation that owns the data, not who stores it.
So before moving data to the cloud, it's important to ask providers whether they secure to UK and other standards, such as PCI DSS, if personal data is being stored. Callacher says that ISO accreditation would be a definite selling-point in a cloud provider. If compliance legislation requires certain degrees of resilience and reliability, that also needs to be addressed before outsourcing to the cloud.
Something that will affect multinationals in particular is location. US government data cannot leave the US, so a cloud provider needs to have a data centre in the US. With different EU and US laws on personal data, even with the advent of the so-called ‘Safe Harbour’ agreement, movement of data between the EU and US or to other countries needs to be considered carefully. Indeed, many advise even multinationals to silo data in the country in which it was obtained to avoid inadvertent breaches of the laws in both the country where the data was obtained and the country in which it is stored.
“People talk about the benefits of cloud,” says Craig Carpenter, VP of marketing for IRM firm Recommind, “because with the cloud, it becomes irrelevant which system you're running on or where the database sits. But that goes counter to US data and EU privacy laws: you must care where data is sitting and how it is handled. Even with email archiving, you need to have a different email archive in France from the one you have in Germany or the UK. You need to have Chinese walls – not even really walls, more like translucent curtains.”
Backups also need to be considered, since although a data centre might be in the US, a backup data centre might be in another country – and in the event of a disaster, the cloud provider might move the data to that centre, putting the customer in breach of compliance regulations. The converse – a backup data centre in the US – also presents another issue: the US Treasury department will have legal access to that data once it's inside the country's borders and the data will also be governed by the laws of the individual US states, provided personal data related to those states is contained in the data.
Callacher says that sales negotiations need to include discussions of what to do in the event of a breach. “It should be like a disaster recovery plan: in the event of a breach, which people need to be informed?” There should be an appreciation of the different risks involved with specific types of data, so the loss of a personal photo on an email attachment should be regarded less seriously than the loss of credit card data.