The woes of companies in the financial services sector may elicit little sympathy in today’s world, but it’s difficult not to feel a twinge for managers at Migdal, the multinational Israeli insurance and finance firm.
The plethora of governance, risk and compliance (GRC) regulations in the different jurisdictions where Migdal operates meant that at one point it had to comply with more than 50 different edicts. These included many at international level, such as the Basel Accords and ISO standards, others applying regionally, such as the EU’s Markets in Financial Instruments Directive (MiFID), and still more individual national rules.
More than 200 personnel were devoted to compliance. This not only imposed a large cost, but it also irritated managers in the core business departments, who felt they were being asked to spend too much time providing compliance staff with information.
The solution for Migdal, recommended by PricewaterhouseCoopers, was GRC software that would automate much of the process. There are numerous such tools on the market – more than 40, according to Mosaic Security Research – and their approach varies widely. They cover audit, risk management, compliance and policy management as well as one of the keys for companies operating across national boundaries: regulatory change management.
Ideally, any such system will take in information on new regulations from content providers, automatically recognise which of the business’s GRC policies are affected, and dispatch updates to managers responsible for the processes involved.
It may not always be easy to justify such an investment. As with compliance in any field of the enterprise, GRC systems can be seen as merely an expense, albeit one offset by a reduction – though never a total elimination – in staffing requirements.
However, the attention demanded by GRC will only grow. That is especially true as newer applications and technologies, such as e-commerce and the cloud, further complicate the data flows between the business and the outside world, making transnational connections commonplace, and as governments move to regulate these in further detail.
Regulatory requirements may be a blessing as well as a burden, as they force companies to address GRC issues and improve their information security. Indeed, though the return on investment may be portrayed by doubters as nothing – GRC systems will not add a penny to revenue, after all – the return is also everything, because GRC is fundamental to the life of the business.
CASE STUDY
Hacking headache
The perils of lax information security for international businesses were well illustrated by the 2011 hacking of Sony’s PlayStation Network. Details of nearly 80 million PlayStation gamers’ accounts, including personal information, were stolen when intruders gained access to Sony’s systems, forcing the company to turn off the network for about three weeks.
The lessons learnt were, in part, about crisis management. For example, Sony was criticised for not admitting the scale of the data theft soon enough. However, the company also earned the disapproval of authorities in several jurisdictions, illustrating how the repercussions of an information security snafu in an international business can go far beyond the actual breach.
The Information Commissioner investigated in Britain, while in Canada the Privacy Commissioner did the same; in the United States, Sony was summoned to a congressional hearing. Lawsuits against several of Sony’s country-specific operations underlined that businesses can also be vulnerable in the courts of more than one country when things go wrong.
Whether better governance, risk and compliance (GRC) practices or systems would have saved Sony its discomfiture is debatable. No system that connects to the outside world, as the PlayStation Network necessarily had to, can be totally secure. But the company’s experience stands as a reminder that information security regulations are not just abstractions to be endured – infringing them can have real consequences.