Compliance
Problems today
- Too many standards, frameworks, laws, regulations and acts
- Don’t know which, how, or when to apply
- Many overlap and are contradictory
- More money is not better protection
- Should not become a “protocol” or just annual “checklist”
Need to change mindset from:
"Doing what we're required"
¯
"Doing what we should do"
to innovate and protect the company
Cyber Negligence = Criminal Matter
U.S. Department of Justice (Criminal Division)
Issued new guidance (June 2020) to prosecutors of white-collar crime to assessing whether a company complied with its own risk management program.
Prosecutors will asses...
“the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision”
To promote corporate behavior...
“to implement an adequate and effective corporate compliance program or to improve an existing one.”
- To encourage dynamic compliance to fit changing circumstances
- To develop a risk management process
- Support a risk-tailored resource allocation
- Facilitate updates and revisions and subject risk assessment to periodic dynamic reviews
- Develop a process for tracking and coordinating changes in its risk management program based on its experience
- Implement risk-based training and communications
“Fundamental questions“ for prosecutors
1. “Is the corporation’s compliance program well designed?“
- Risk Assessment
- Policies and Procedures
- Training and Communications
- Confidential Reporting Structure and Investigation Process
- Third Party Management
- Mergers and Acquisitions (M&A)
2. “Is the program being applied earnestly and in good faith?“
Is the program adequately resourced and empowered to function effectively?
- Commitment by Senior and Middle Management
- Autonomy and Resources
- Incentives and Disciplinary Measure
3. “Does the corporation’s compliance program work“ in practice?
- Continuous Improvement, Periodic Testing, and Review
- Investigation of Misconduct
- Analysis and Remediation of Any Underlying Misconduct
Cyber Laws, Regulations and Acts (Select)
- Brazilian General Data Protection Act (LGPD)
- California Consumer Privacy Act (CCPA)
- Children's Online Privacy Protection Act (COPPA)
- Continuous Diagnostics & Mitigation (CDM)
- Corporate Information Security Accountability Act (CISAA)
- Criminal Justice Information Services (CJIS)
- Customs-Trade Partnership Against Terrorism (C-TPAT)
- Data Security & Breach Notification Act
- Electronic Fund Transfer Act, Regulation E (EFTA)
- Fair and Accurate Credit Transactions Act (FACTA)
- Family Educational Rights and Privacy Act (FERPA)
- FDA regulations on electronic records and Electronic Signatures (ERES) - 21 CFR § 11.1(a)
- Federal Information Security Management Act (FISMA)
- Federal Risk and Authorization Management Program (FedRAMP)
- Federal Rules of Civil Procedure (FRCP)
- Financial Industry Regulatory Authority (FINRA 17a-4)
- Free and Secure Trade Program (FAST)
- General Data Protection Regulation (EU / GDPR)
- Gramm-Leach-Bliley Act (GLBA) - 16 CFR § 314.1 Section 501(b)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
- Payment Card Industry Data Security Standard (PCI DSS)
- Personal Information Protection and Electronic Documents Act (Canada / PIPEDA)
- Protection of Personal Information Act (S. Africa / POPI)
- Sarbanes-Oxley Act (SOX)
- Society for Worldwide Interbank Financial Telecommunication Customer Security Controls (SWIFT CSC)
- State Data Breach Laws – All 50 states + D.C., Guam, PR, Virgin Islands
Let us help you improve your cybersecurity compliance