As businesses try to get to grips with an ever-growing list of regulations, could the legislators actually be doing them a favour? By Mark Mayne.
I fought the law, and the law won - wise words indeed from The Clash, and the logic is indisputable. However, in the world of business compliance, not everything is black and white: what does your business need to comply with, and how? Will the process be a hindrance or a business boon? These are the issues facing every company in the wake of regulations such as the US-centric Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Basel II, and the UK's Freedom of Information Act, to name but a few. So how are businesses facing up to the compliance challenge?
First, size is key. Organisations tend to deal with compliance based on their scale. Smaller companies may not be fully aware of legislative problems, especially when crossing international boundaries, and are likely to receive fair warning from a regulator before punitive action is taken. In contrast, larger enterprises not only have a dedicated legal department to flag up any impending legislative problems, they also have a much larger exposure to risk if any unforeseen issues arise.
"The law is the law, and there's no whitewash," says Simone Seth, principal consultant at the Information Security Forum (ISF) global team. "But larger corporations can take the decision not to comply with certain aspects and simply eat the fine. This is standard practice in some financial institutions - the fine amount is set aside at the beginning of a project, in case (the organisation) is caught red-handed."
The financial sector has been among the hardest hit by new regulations, a trend that began in the US and is having an increasing impact on the UK. Chris Yeo, compliance manager at UK-based online broker Hoodless Brennan, believes that most of the legislation has been welcomed, if not always internationally.
"I think that SOX has actually driven some US companies to list in the UK to avoid the compliance headache," he says. "That said, from a UK perspective, most of the regulations detail best practice, so it's hard to argue with them. I certainly think that the process we've been through has been very beneficial, as it's improved our procedures and solidified many aspects of customer care that we regarded as essential anyway."
Yeo's attitude reflects the positive spin on compliance, which is that businesses undertaking a compliance audit are forced to take stock of their position, internally and externally, and then produce a company-wide action plan to ensure that both business development concerns and any ongoing legal issues are solved. The theory is that this should result in a company that is more informed, streamlined and self-aware, and, therefore, more competitive.
When medical systems supplier Creganna Medical Services had to upgrade its customer relationship management (CRM) legacy system, it took a technology-led approach to ensure compliance. "Our old CRM system just didn't meet the new regulations," explains Aiden Dempsey, the company's IT director. "The new one does, and it has also given us some very useful business benefits. For example, the old system was very easy to change, without considering the internal knock-on effects. The replacement is still flexible, but is much more formalised, making us really consider whether a change is actually necessary. We can also document any alterations in a very structured manner."
However, Scott Parsons, an associate at Armana Security, thinks this whole positive spin on compliance has been somewhat inverted by vendors. "Compliance is an interesting market driver, but I think it should be seen as an add-on rather than a central plank," he cautions. "Productivity should be the initial driver for business solutions, then compliance. Even when you're talking about ISO compliance (such as 27001), which is a great standard for gaining a competitive edge, and having something to sell to the customer, you shouldn't lose sight of the genuine business case."
The ISO 27001 international standard for information security management systems is a growing success story, according to IT governance author and consultant Alan Calder. "An increasing number of organisations are taking this up, and the Information Commissioner's Office accepts that companies reaching this standard have done their best to secure customers' personal data," he claims. "It's recognised as an attempt to follow the Data Protection Act and sends a positive message to consumers and staff alike. The UK public sector is gradually being forced to conform to it, and it will be a de facto security standard for business within 18 months."
It's not all good news, though. Calder admits that even a standard such as ISO 27001, which isn't legally binding, takes serious investment and effort to get right. "The first thing I ask people who attend my seminars is: 'Is your CEO committed to this?'. If the answer's no, then I tell them: 'You may as well resign.' People who go into ISO certification with the attitude that it'll be easy are the ones who find it hardest," he warns. "You're easily looking at 18 to 24 months of serious business change, across the organisation."
Aside from industry standards, UK businesses face a raft of legal regulation, some passed down by the European Union, some homegrown. The resulting melting-pot can be confusing. Parsons thinks the situation is dire. "Legal experts will spend hours debating the various bits of legislation, such as Data Protection, Freedom of Information and Regulation of Investigatory Powers Acts, and each individual will come to a different conclusion," he laments. "On top of that, you have the business's interpretation. For example, a client recently asked whether his company could be held liable for not storing customer communications records if it had a policy of deleting email every 90 days. I would always advocate trying to comply with both the letter and spirit of the law."
However, getting a clear picture of these two elements can be a problem, as Mark Rayden, product development and technical services manager at Hoodless Brennan, points out. "The key to compliance is to have a systematic approach to the issue. This does require manpower, however, and certainly increased UK regulation has cost us more, if nothing else simply in staff hours."
Sometimes, despite a company's best efforts, unexpected things can happen, as Dempsey discovered during Creganna's last external audit. "We were surprised by some of the regulatory bodies' attitudes," he recalls. "They really didn't look at the new systems in the detail we expected. I assumed they would want to know everything about the way in which they had been implemented, but no - it was almost a paper-based exercise."
Chain of command
Both Creganna and Hoodless Brennan have taken a proactive approach to compliance and instituted solid processes to manage future changes and stay on top of changing legislation.
Rayden goes into more detail: "We're pretty happy with the practical security side of our network, and we regularly pen test it. For any changes to be made that are out of the ordinary, though, we have now set up a data protection committee which has to agree them. The committee has five senior company managers in it; each is tasked with keeping up with the latest legal position in their area and informing the rest of the committee."
A new technical approach to increased regulation is an updated CRM solution that not only stores and indexes all customer email traffic, but also all voice conversations. "In the event of a customer complaint," Rayden explains, "we have to be able to produce all communications to prove we acted in the customer's best interest. Archiving phone conversations has enabled us to comply with the letter of this regulation."
Creganna has also established formal responsibility for compliance, with Dempsey the man in the hot seat. "Following on from the technical solution, we've instituted a change management process, and I now have a quality function in that I'll be responsible for ensuring future compliance," he says.
Although both companies have appointed managers in charge of future compliance, only Hoodless Brennan has created a stand-alone position. Parsons thinks this is representative: "In a medium to large enterprise, we're increasingly seeing governance departments, which will have responsibility for compliance as well as risk management. I'd expect to see at least a compliance manager in big companies, while smaller companies often amalgamate the role with that of IT manager, for example."
Put a stop to scare tactics
So has compliance been overhyped? Many vendors and consultants are keen to point out the serious consequences of non-compliance, such as lack of consumer trust or huge fines. Seth at the ISF thinks this is an extreme view. "In my experience, the regulations aren't intended to be punitive," she says. "In most cases, I've seen companies given a lot of slack in compliance terms, with any issues being clearly indicated and allotted extended timescales. Of course, if companies seem insincere in their attempts to comply, regulators will act, but this is very rare."
Parsons agrees: "Initially businesses were frightened by compliance, and seminars on the subject were avidly attended by newly appointed compliance managers. However, much of the vendor advice and hype in the early days was too generic, and companies realised this very quickly."
Nevertheless, smaller companies often only find out about legislative issues when vendors draw their attention to them. "Many big companies are very switched on, and they're almost pulling us through the door, but we're still having to educate a lot of businesses," says Kosten Metreweli, vice-president, marketing, at Tideway Systems. "I think about three quarters of companies still need some compliance education and information from us." Other established information channels include the media and peers.
And still new regulations keep rolling in. The latest worry for the financial sector is the Markets in Financial Instruments Directive (MiFID), a regulation that originated in Europe and is now being adapted by the FSA for the UK market. Rayden thinks this is being exploited by some. "Certainly some consultants are cashing in on concerns about MiFID, even though the actual standard has not been set yet."
Another important new standard is PCI DSS, which companies that process or store credit card information should be aware of (see box). Seth thinks this could have serious consequences for those that ignore it. "The ramifications of failing to comply with PCI 1.1 on deadline are severe," she warns. "I think this is one instance where fears over compliance really are justified. If you depend on credit card transactions for your revenue, and you fail PCI, then your business is destroyed. I also think people will find it very hard to float through this one - the card companies will be tough, and it's a pass or fail situation."
Many businesses are responding to compliance with measured, practical, process-driven steps. Others may not be so disciplined and, in the long term, this will make compliance more and more complicated. As business security becomes directed as much by regulation as by the need to defeat criminal attacks, companies that fail to produce a focused response to both will encounter problems. A lack of business organisation in the present could be fatal in the future.
HAVE WE GONE TOO FAR?
Smaller companies in the US and the UK claim that compliance has overstepped the mark, and that overly stringent regulations such as SOX and PCI DSS are hampering their competitiveness. But Simone Seth of the ISF global team thinks that businesses shouldn't panic.
"Of course companies will complain that the regulations are too hard," she says. "However, I think there is some small truth in this. Certainly in the US, regulators can react fiercely to a disaster (such as WorldCom) and end up with legislation that is too harsh. I think that regulators will become more realistic when it comes to the increasing understanding of technology."
The UK suffers more directly from conflicting regulations. Well-publicised examples such as the European Convention on Human Rights versus the Regulation of Investigatory Powers Act have raised public awareness of the so-called grey areas in current digital security legislation.
In some cases, smaller businesses are expected to ignore regulations anyway, such as in the case of PCI. "I think only the highest-rated companies will take measures to conform to PCI," predicts Scott Parsons, security associate at Armana Security. "I believe PCI is the next security stage after chip and pin, though; its adoption should help fight fraud."
NEW RULES: PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is the latest compliance kid on the block. A standard led by MasterCard and Visa, it details security requirements for merchants and transaction processors that store, process or transmit credit-card-holder data.
In theory, all companies that handle credit cards should comply with the 12 requirements of the latest standard (1.1) by 30 June 2007 or face fines in excess of EUR100,000 (£67,000) per incident.
PCI breaks merchants down into four categories. Level one merchants, who process more than six million card transactions annually, are required to submit to a detailed onsite assessment each year, as well as quarterly vulnerability scans. Those at levels two and three are allowed to self-assess once a year, while the standard is optional for level-four merchants, processing fewer than 20,000 transactions per year.
Recent research from The Logic Group showed that only 3% of large UK businesses are fully PCI DSS compliant, although 85% of companies are aware of the imminent standard. Industry experts have raised concern over the lack of business preparation. Dr David Taylor, vice-president, data security strategies, at Protegrity, said: "There's no room for half-measures - businesses that handle large volumes of card transactions will have to comply 100%. Many companies held off to see if the latest incarnation of the standard would be easier - of course this is not the case. There is a lot of catching up to do."