With attacks increasing despite more sophisticated cybersecurity solutions, many cybersecurity reports and surveys highlight why organizations need to rethink their cyber strategy and what lies ahead. Here is what the media headlined through the GRC lens in September.
As attackers grow more relentless in the volume and speed of their attacks, cybersecurity defense must safeguard every possible point of the attack surface. A recent survey of internal auditors published in City AM found cybersecurity, regulatory change, and digitalization to be the top three risks faced by businesses across Europe. The shortage of cybersecurity talent exacerbates the problem in a complex enterprise environment.
According to CISO Magazine, cybersecurity has emerged as a primary investment priority for financial firms in the United Kingdom. A survey conducted by Lloyds Bank states that cybercrime has jumped to fourth place from eighth since 2018. Banks in the UK are increasing their budget allocations to enhance their cybersecurity capabilities, Computer Business Review reported.
Another survey, conducted by Infosys among 867 senior executives representing 847 firms from 12 industries with annual revenues over US$500 million across the US, Europe, Australia and New Zealand (ANZ), reported that almost half (48%) of corporate boards and 63% of business leaders at the surveyed enterprises are actively involved in cybersecurity strategy discussions.
While organizations have started to invest in building efficient cybersecurity management and mitigation programs, they still face difficulty juggling priorities.
A recent study conducted by BitSight revealed that two in five (38%) companies stated that they had lost business due to a lack of cybersecurity capabilities. A Forbes article, ‘The Gap Between Strong Cybersecurity And Demands For Connectivity Is Getting Massive’, states, “…More devices and less adequate resources mean the attack surface continues to grow.” SC Magazine adds, “Every second that it takes to respond to an attack after it’s been deployed can have a huge impact on the business, be it in terms of man hours spent or sales, and reputation lost.”
Even as enterprises invest in resources and tools to strengthen cybersecurity, why does it continue to be an Achilles’ heel for so many? The month of September revealed a few of the reasons:
1. Most attacks depend on human input – Proofpoint’s Annual Human Factor Report states that the vast majority of attacks, 99%, require some level of human input to execute, making individual users the last line of defense.
2. Businesses haven’t made security as much of a priority as they should – Businesses are bypassing security to get to market quicker
A recent article by ITProPortal highlights research from Outpost24 which concludes that 34% of organizations bypass security to get products to market faster. Almost two thirds (64%) of the respondents said they believe their customers could easily be breached as a result of unpatched vulnerabilities in their organization’s products.
3. Third parties aren’t being monitored sufficiently – An example: How Much Responsibility Should Monster.com Take for Third Party Data Breach?
This month, thousands of resumes were exposed in a third-party breach that originated from monster.com, but the company denied any responsibility, saying that the client “owns the data.” According to CPO Magazine, “Though Monster.com’s denial of responsibility is legally acceptable under United States federal law, it puts the company at odds with the standard data protection requirements of a number of other nations.” This is yet another example of third-party risk acting as a cybersecurity risk multiplier.
Cybersecurity is a complex problem with no easy solutions. Enterprises need to act quickly as the costs of data breaches are increasing at an alarming rate. According to Dark Reading, “The cost of breaches will rise by two-thirds over the next five years, exceeding an estimated $5 trillion in 2024, primarily driven by higher fines as more jurisdictions punish companies for lax security.” Juniper predicts that data breach costs will grow at 11% each year. The Ponemon Institute’s “Cost of a Data Breach” report, sponsored by IBM, pegs growth at 12% between 2014 and 2019.
Unfortunately, 2019 was the year of data breaches, with record-setting fines faced by companies like Equifax, British Airways and Marriott. The good news is that progress is being made:
1. Cybersecurity decisions involving the C-Suite:
Companies are fortifying their cyber strategies in alignment with business objectives. Defending against threats requires C-suite support now more than ever. According to CPO Magazine, it is important for security teams to make business leaders aware of the quickly shifting threat landscape.
2. Companies Are Forming Cybersecurity Alliances:
Over the last few years, cybersecurity alliances have been formed between tech-focused companies to support each other, with the aim of changing the way companies deal with cybersecurity vulnerabilities and renegotiating the social contract between states and their citizens. The exchange of information is an effort to raise the collective level of cybersecurity, shape overall security practices, and speed the adoption of security technologies.
3. Artificial Intelligence Is Changing the Cyber Security Landscape and Preventing Cyber Attacks:
New advances in technology hold great promise for building cyber resilience. An article in Entrepreneur highlights how AI is a boon to cybersecurity, stating, “Developers are using AI to enhance biometric authentication and get rid of its imperfections to make it a reliable system… AI-ML can detect and track more than 10,000 active phishing sources and react and remediate much quicker than humans can… AI-based systems proactively look for potential vulnerabilities in organizational information systems.”
Rethinking cybersecurity strategies has become imperative. With the changing landscape of cyber defense and new tools in the market, enterprises need to focus on building a holistic cybersecurity approach that delivers effective awareness training and a layered defense strategy, one that provides enterprise-wide visibility to better protect the company and its customers in a more efficient and proactive manner.
Now in its seventh year, the GRC Summit hosted by MetricStream is one of the biggest and most anticipated events for GRC practitioners around the world. This year, the summit was held on June 2-5 in Baltimore, Maryland, bringing together over 450 GRC and business leaders to talk about the latest trends and opportunities in GRC. It was an incredible four days of learning, discovery, and collaboration—topped off by an exclusive cruise, as well as a glittering awards ceremony.
Here are some of the top highlights from the summit:
In keeping with the theme of the summit—”Perform with Integrity™”—many of the speakers pointed out that financial performance is no longer the sole indicator of success. Trust is what really drives business today, and integrity is what drives trust.
MetricStream CEO, Mikael Hagstroem talked about building integrity by fostering a sense of compassion in the way we approach customers, the way we treat employees, and the way we shape the future of technology. “Successful performance—be it an individual level, an organizational level, or a global level—begins with a spark of passion that, when guided by integrity and compassion, helps us improve the human condition, and enable a higher quality of life,” he said.
MetricStream Chairman, Gunjan Sinha, emphasized the need to build purpose-driven organizations where doing good is as much of a priority as doing well. A strong sense of purpose, he predicted, is what will define the successful organizations of the future, along with a commitment to diversity, inclusion, empowerment of the front line, ethical data, and social conscious AI.
The former Chief Information Officer of the United States government (2015-17) described how “relentless digitization” is rapidly upending traditional analog business models. And with it, the notion of security and privacy by design is becoming more important than ever. Technology is moving faster than we’re prepared for, he cautioned. Do we understand the risks of new tools like AI and machine learning? How do we build good governance, accountability, and transparency around these new technologies? How do we keep humanity at the center of innovation? All key questions to consider.
Drawing on his experience as a member of the board and risk committee at Wells Fargo, as well as CEO Emeritus of Deloitte, Jim Quigley talked about why the work of GRC practitioners is so critical in helping boards and management teams make better strategic decisions in the midst of escalating “known unknowns” and “unknown unknowns.” He also emphasized the importance of building sustainable risk cultures. “The biggest driver of culture in any organization is observable behavior,” he said, quoting a colleague. “We want people to raise their hands and identify problems as quickly as possible.”
MetricStream’s Chief Technology Officer, Andreas Diggelmann, along with Chief Innovation and Cloud Officer, Vidyadhar Phalke, delved into the new technology innovations that are emerging across the whole chain of GRC. Chatbots, for instance, are being used to capture issue data from the first line of defense in a manner that is simple and engaging. Predictive analytics are being used in the second and third lines to anticipate and respond to potential emerging risks proactively. Machine learning tools are enabling executive teams to detect risk patterns, and understand optimal mitigation practices based on historical evidence. Essentially, the possibilities with technology are endless.
Co-founder of the AI Sustainability Center, Anna Felländer pointed out that in a data-driven world, AI is key to helping organizations build better operational efficiency and deeper client relationships. Yet it also introduces many ethical risks around the misuse or overuse of the technology, as well as multiple biases. If we want to avoid these pitfalls, we need to start investing as much in the humanistic side of AI as in the engineering side, she said. We need to shape a future where humans lead AI, not the other way around. We need to find ways of ensuring that technology doesn’t get ahead of regulation.
Many of the speakers emphasized the need to strengthen risk awareness at every level of the organization, right from the front lines to the boardroom. “Risk needs to be something that companies walk, talk, eat, and breathe every day,” said Kenneth Bacon, Member of the Board, Comcast, and Co-founder and Managing Partner, RailField Realty Partners. We need to have more risks and issues self-identified by the business rather than by internal audit or regulators, pointed out Sarah Dahlgren, Head of Regulatory Relations – Corporate Risk, Wells Fargo & Company. The more proactive the first and second lines of defense are in reporting risk data, the better informed and more confident the board and management team can be in their strategic decision-making processes.
Disruption is the only constant in business today, pointed out MetricStream’s Chief Operating Officer, Gaurav Kapoor. If we want to be prepared for the new risks around the corner, GRC programs have to be agile, he said. Other speakers talked about what agility entails. Raven Catlin, Former CAE and Industry Expert in Internal Audit and Risk Management, described how internal audit must be ready to embrace new tools, new skills, and new approaches to auditing. Michael Rasmussen, Chief GRC Pundit, GRC 20/20, highlighted the importance of integration and collaboration in building more agile GRC functions.
The much-anticipated GRC Journey awards ceremony, held on day 1 of the summit, recognized and honored MetricStream’s business partners, individuals, and customer organizations that have made significant strides on their GRC journey towards strengthening business performance. This year, there were 17 award recipients across five categories.
There were plenty of opportunities for attendees to connect with, share with, and learn from each other, be it in the many interactive workshops and networking sessions or the relaxed “happy hours.” Day 2 of the summit culminated in an exclusive cruise down the Patapsco River, which saw attendees letting loose and singing their hearts out at a karaoke session.
A few weeks ago, MetricStream was awarded “GRC Product of the Year” at the 2019 Risk Technology Awards hosted by Risk.net. It was a strong validation of MetricStream’s mission to help organizations “Perform with Integrity™”. Through our GRC platform and solutions, customers are able to effectively understand and manage the interconnectedness of their risk environment, while deriving actionable risk insights for business decisions.
Over the past year, multiple financial services organizations have faced penalties and fines from regulators for facilitating money laundering, manipulating customer accounts, and mishandling security trading. Meanwhile, serious IT meltdowns and cybersecurity incidents have severely impacted brands and reputations. Added to that, operating markets and business models are continuously being disrupted.
To stay ahead of these risks—both “known” and “unknown”—in an increasingly hyperconnected, fast-changing world, organizations need timely risk insights that can help them make swifter and better business decisions. They need to be aware of how a potential incident increases their risk exposure. These objectives are best achieved with a strong governance, risk, and compliance (GRC) foundation.
We believe that there are several factors that led to us winning GRC Product of the Year:
1. Support for Multiple Evolving GRC Roles
Chief Risk Officers (CROs), Chief Compliance Officers (CCOs), Chief Information Security Officers (CISOs), Chief Sourcing Officers (CSOs), and Chief Audit Executives (CAEs)—once limited in their roles—are increasingly being given a seat at the table with the power to influence strategy and decision-making. With this new power comes new obligations and challenges.
At MetricStream, we focus on addressing these challenges through our GRC platform, solutions, and apps. We thematically look at the core needs of each GRC persona—be it the CRO, CCO, CISO, CSO, or CAE—and provide tailored solutions to meet those needs. We also deliver specific content, workflows, and reports to help various personas make informed decisions that are aligned to their business objectives.
Our wide array of packaged apps, which can be enhanced with third-party applications, is designed to improve risk visibility and intelligence. Underlying these apps is our cloud-enabled, future-ready GRC platform, which provides customers with long-term value throughout their GRC journey.
Our integrated GRC solution enables a high level of cohesiveness across core GRC components which, in turn, improves risk assessments, predictions, and mitigation. Organizations can effectively balance risks and rewards, make confident strategic decisions, and respond to the changes that occur within and outside their enterprise.
2. Balance Between Autonomy and Aggregation
At MetricStream, we understand that while the core requirements of GRC are more or less consistent across organizations, the processes, priorities, and needs of each organization are unique. Therefore, we offer flexible product alignment which allows customers to choose from multiple best-in-class, out-of-the-box GRC products that can be used along with third-party applications. Our apps and solutions provide agile risk reporting capabilities, while advanced analytics empower GRC practitioners to visualize large datasets within intuitive and interactive dashboards in real time.
3. Leadership in Addressing the Interconnectedness of Risk
The hyperconnectivity of markets has created both known and unknown dependencies and interconnections within and outside the enterprise. This, in turn, has increased the interconnectedness across different types of risks.
The MetricStream GRC Platform has been built to comprehend these risk relationships and to deliver contextual insights through the aggregation and analysis of risk information. Our customers have adopted the platform, along with its built-in best practices and modifications, to identify, understand, quantify, and predict the multiple points of impact of any risk event.
4. Focus on Long-term Partnerships Based on Value Delivery
MetricStream is focused on being a long-term strategic partner to customers as they grow and transform along their GRC journey. Our GRC advisory framework and methodologies help organizations build a multi-year GRC vision and roadmap that augments value realization based on a “true platform” strategy.
Through our value discovery workshops, we enable customers to identify key value propositions that can be measured as outcomes throughout the design and implementation of their GRC programs. Our GRC Journey initiative adds a further advantage by helping customers understand the current and future state of their GRC programs, so that they can then re-engineer existing GRC processes for optimal business benefits.
***
As we continue to find new ways of enabling and supporting our customers, we’re deeply grateful to Risk.net for the recognition and award received. We look forward to continuously raising the bar on innovation, and delivering products that truly empower our customers to Perform with Integrity™.
Google runs into trouble yet again with regulators in the EU, the SEC accuses Volkswagen of carrying out “a massive fraud,” and the FTC launches an inquiry into the privacy practices of large internet service providers — see March 2019 through the GRC lens.
Google ran into fresh trouble with European regulators over its unfair advertising rules and was fined $1.7 billion in March, bringing the total cost of penalties incurred by the search giant in the continent to over $9 billion.
The latest enforcement action from the European Union (EU) relates to the unfair terms that the Silicon Valley titan imposed on companies that used its search bar on their websites in Europe, reported The New York Times.
According to The Guardian, the terms of the Google contract stopped publishers from placing search ads from the tech giant’s competitors on their results pages, and forced them to reserve the most profitable spaces for Google’s own ads. The contract also required companies to seek a written approval before making changes to how rival ads were displayed.
The US Securities and Exchange Commission (SEC) filed a lawsuit last month accusing Volkswagen and its former CEO, Martin Winterkorn, of defrauding American investors in the emissions test scandal that engulfed the company four years ago.
The lawsuit alleged that the company made misleading claims about its financial health and the environmental impact of its technology in order to sell securities to investors at inflated prices, reported CNN.
The German carmaker admitted in 2015 to cheating on emission tests with the use of special software in its vehicles and paid a hefty price of $33 billion in fines and other penalties.
In a surprise move last month, the Federal Trade Commission (FTC) announced that it would look into the privacy practices of large internet service providers (ISPs) such as AT&T, Verizon, T-Mobile, and others.
According to The Verge, the watchdog has asked broadband providers to share details about the kind of customer data they collect and the reason for doing so. The FTC was also said to be interested in knowing whether the data was shared with third parties, and if consumers could opt out of the data collection.
The announcement of the inquiry into ISPs comes as privacy advocates raise concerns over the companies’ data collection practices that could lead to a new form of targeted advertising, similar to that of Facebook and Google.
Massive fines and other regulatory actions making headlines every other day only go to show that companies still seem to be floundering in their efforts to cope with heightened regulatory scrutiny targeted at their business practices.
Silicon Valley giants such as Google currently face a reckoning over their anti-trust practices in the EU, which has established itself as an aggressive tech watchdog influencing regulatory policies around the world. Meanwhile, the Volkswagen scandal is another reminder of the far-reaching consequences of compliance violations, which can threaten a company’s brand reputation and market capitalization.
As privacy concerns escalate, the FTC’s move against broadband companies is only the beginning of a new era of intensifying scrutiny of data collection practices across industries.
Silicon Valley giants face greater scrutiny from a new antitrust watchdog, UK companies under fresh pressure to include more women on their boards, and Europe uncovers deeper links in the Danske Bank money-laundering scandal — here’s February 2019 through the GRC lens.
Under pressure from the public and politicians to rein in the unchecked power of tech titans, the Federal Trade Commission (FTC) announced in February that it was launching a new task force to investigate potential antitrust violations in the tech sector, signaling tougher regulations for Silicon Valley.
“The role of technology in the economy and in our lives grows more important every day…it makes sense for us to closely examine technology markets to ensure consumers benefit from free and fair competition,” said FTC Chairman Joe Simons.
According to The Wall Street Journal, the task force will have a broad mission that includes re-examining past mergers and potentially unwinding deals that are found to be anti-competitive.
In a move to bolster gender diversity in the boardroom, the Investment Association (IA), a body that represents large asset managers in the UK, said that it would apply a red alert to FTSE 350 companies that have fewer than two women on their boards.
The alert, known as a “red top,” represents the highest level of warning and is reserved for companies where shareholders should have the most serious concerns, reported Reuters. Companies with more than one woman on their boards but less than 25 percent overall would be issued an “amber top,” says the report.
The alert system serves as a guide to investors on whether a company is complying with best practices in key areas of governance such as executive pay and diversity.
An investigative report in February by Swedish media alleged that Swedbank handled $4.3 billion in suspicious flows linked to the Danske Bank scandal that shook European markets last year.
In the immediate aftermath of the report, the Swedish lender’s shares plunged 23%, wiping $5.3 billion off its market value, says a Bloomberg article. The bank now faces a joint investigation by Swedish and Estonian financial supervisors looking into the “very serious” allegations.
Bloomberg also reported that Swedbank’s CEO, Birgitte Bonnesen, failed to restore confidence in the bank in a conference call with analysts after the report came to light.
Scrutiny of anti-competitive practices in Silicon Valley is intensifying. As regulators and the larger public wise up to the business practices of tech behemoths, the need for the industry to transform itself based on a foundation of trust has never been greater.
The IA’s move in the UK is another step towards effective corporate governance practices. Although the body has no authority over how investors vote on company policies, the “red top” system is likely to direct more investors to those organizations that demonstrate a stronger commitment to diversity. FTSE 350 companies will have to do a better job of proactively including women in their leadership teams.
Swedbank’s scandal is another stark reminder that large-scale bank frauds have become all too common even with tough regulations in place. The financial services sector is likely to face renewed pressure from regulators seeking to keep them in line. What can make a difference to their credibility is a culture of compliance and integrity.
A Chinese tech giant faces criminal charges in the US, a major bank in India fires its CEO, and an embattled Silicon Valley titan beats Wall Street estimates — here’s January through the GRC lens.
Federal prosecutors unveiled a host of charges against Chinese telecom giant Huawei and its chief financial officer Meng Wanzhou in January. The prosecutors alleged that the company stole trade secrets, obstructed justice, and committed bank fraud in an effort to circumvent the sanctions against Iran.
In one indictment, prosecutors accused Huawei and its top financial officer of misleading banks and US investigators about its relationship with a longstanding affiliate in Iran, Skycom. According to reports, Huawei falsely claimed that it had sold off its interest in Skycom when in fact it controlled the company. Huawei’s American subsidiary then destroyed evidence and moved witnesses with knowledge of Skycom from the US back to China.
Another indictment revolves around the theft of trade secrets related to a robotic device called “Tappy,” made by T-Mobile, according to The Wall Street Journal. Wired reported that if Huawei is convicted of all charges, it faces problems bigger than just fines.
India’s second-largest private sector lender, ICICI Bank, sacked its former managing director and CEO, Chanda Kochhar, after a panel found her guilty of violating the bank’s code of conduct and making inadequate disclosures.
According to reports, the former CEO showed a lack of diligence in dealing with conflicts of interest and due disclosure while sanctioning loans. The loan, to the tune of $425 million, was made to the Videocon group, allegedly as a quid pro quo.
Following the scandal, the country’s top economic regulator initiated a money-laundering probe against those involved, including Kochhar’s husband and the chairman of the Videocon group.
The former CEO will also have to return bonuses accumulated over 10 years.
Facebook proved naysayers wrong by posting a record $6.9 billion profit for the last three months of 2018 — a jump of 61% from the same period in 2017 and well ahead of Wall Street estimates, according to CNN.
Despite making headlines last year for scandals involving the spread of disinformation, mishandling of private data, and election meddling that invoked the ire of regulators around the world, the company seems to have surprisingly gained more users. According to estimates, 1.52 billion people use the social network every day, and 2.32 billion use it every month — both of which represent a 9% increase from 2017.
The strong results come after the company said that it expected its growth to slow as it spends more to improve the privacy and security of user data.
US regulators are tightening the reins on companies like Huawei that have been accused of compliance failures while advancing their own interests. Huawei’s latest indictments bear similarities to the case of another Chinese telecom giant, ZTE, which admitted to violating US sanctions and ended up paying a whopping $1.9 billion in penalties, while also agreeing to replace its entire board and senior leadership and to open itself to US auditors.
According to reports, the same fate might await Huawei if the company is convicted. US financial institutions could be banned from doing business with the company — a move that is likely to have a significant impact on the telecom equipment provider’s bottom-line.
The ICICI Bank case highlights governance issues in developing economies like India. According to a report by The Hindu, global rating agency Standard and Poor’s (S&P) noted that developments around the case and the changing stance of the bank’s board of directors show “weak governance and transparency in the Indian banking sector.” However, the agency agreed that the board’s clawback of bonuses and benefits when a person is proved to be at fault is an important check that aids accountability and good leadership. More such measures are required in the country’s banking sector to avoid recurring scandals of a similar nature.
While Facebook’s endless crises do not seem to be hurting the company’s business for now, time will tell if the social media giant can sustain its growth in the long term as regulators begin to question its business practices. Data privacy laws like the European Union’s (EU’s) General Data Protection Regulation (GDPR) have already forced powerful tech companies to restructure their business models, while France’s latest tech tax is another indication that regulators are trying to rein in the unbridled power of the tech titans.
Last year did not turn out to be great for businesses: there were mounting data privacy concerns around the globe; cyberattacks continued to hobble cities and disrupt business operations in the US; and Brexit uncertainty left UK industries worried. Meanwhile, shocking bank and corporate scandals sparked renewed regulatory interest in Europe, India, and Japan.
Amidst these larger issues, several new laws and regulations came into effect, adding to the complexity of an already challenging business landscape.
With so much that happened over the past year, here are some of the events and stories that stood out:
1. Marriott’s Colossal Data Breach
The hotel chain’s disclosure of a massive data breach in November, which revealed the personal details of hundreds of millions of guests, saw the company’s stock price plummet by 5.6%. The security incident, reportedly perpetrated by state-sponsored Chinese hackers, made its way onto the list of the largest ever data breaches in history, coming second only to Yahoo’s 2013 incident where the personal information of 3 billion users was stolen.
As more details of the incident emerged, original estimates of its impact were revised: Marriott said that it had identified “approximately 383 million records as the upper limit” for the total number of people affected by the breach. However, the revised figure was still greater than that of the 2017 attack on Equifax, the consumer credit reporting agency, in which the driver’s license and Social Security numbers of roughly 145.5 million Americans were compromised.
Marriott’s breach revealed sensitive information such as the passport details of its guests which the company later admitted were unencrypted, making them an easy target for hackers.
Due to strict data privacy laws such as the European Union’s (EU’s) General Data Protection Regulation (GDPR) — which also applies to organizations located outside of the EU if they handle the personal information of EU citizens — Marriott could reportedly face a fine of up to $990 million in the region.
2. Danske Bank’s $227 Billion Money Laundering Scandal
Denmark’s largest lender and one of Europe’s most prestigious banks, Danske Bank, made headlines in 2018 when it found itself in the middle of one of the world’s biggest money laundering scandals. The issue involved over $227 billion in suspicious payments flowing through the bank’s Estonian branch. And the reason? A string of governance failures dating all the way back to 2007.
As news of the money laundering scandal made landfall, the bank’s shares fell as much as 11% and its market value dropped by about 40%, making it the worst performer in the Bloomberg index of European financial stocks. The incident reportedly scared off investors who were upset that a scandal of such magnitude could take place under the management’s watch.
The bank’s woes were not over yet as regulators in Denmark and the US announced that they were investigating the lender. As investigators tried to get to the bottom of the massive scandal, numerous arrests were made. According to some estimates, Danske Bank could face fines as high as $8 billion.
3. Wells Fargo’s Whopping $2.09 Billion Fine
Misdeeds from more than a decade earlier, which contributed to the financial crisis, came back to haunt Wells Fargo as regulators came down hard on the bank in 2018.
The lender had allegedly issued mortgage loans that it knew were based on incorrect income details, causing investors, including federally insured financial institutions, to lose billions of dollars on mortgage-backed securities that contained Wells Fargo loans. To settle these claims, the bank agreed to pay a $2.09 billion penalty.
Earlier in the year, the bank had been fined $1 billion for mortgage and auto-insurance abuses, including charging as many as 570,000 customers for car insurance they did not need.
Not surprisingly, the bank’s earnings and reputation were affected as it tried to rein in its “reckless, unsafe, and unsound practices.”
4. Silicon Valley’s Trial by Fire
In a year of rising geopolitical risks, the usually high-flying tech hub was forced to defend its policies and practices as it fell out of favor with regulators and even employees over its handling of issues ranging from data privacy, sexual harassment, and election interference to its plans to bow to censorship demands from foreign governments.
From the trial by fire that ensued, few Silicon Valley giants escaped unscathed. Facebook’s Cambridge Analytica fiasco sent the company’s stock tumbling and wiped more than $119 billion off its market cap in a single day. The company was also fined £500,000 (about $645,000) in the UK for failing to protect the data of UK users and €10 million (about $11 million) in Italy over data misuse. The social media giant’s year of woes continued as it disclosed the largest data breach in its 14-year history, an access-token flaw that it said affected around 30 million accounts, and faced intense scrutiny from regulators around the world over its alleged role in election interference and in fueling violence.
Google was found by the European Commission to have breached EU antitrust rules and was fined a record €4.34 billion (about $5 billion). Employee activism at Google also threw a wrench into many of the company’s plans: a bid for a Pentagon AI defense project (Project Maven) and a plan to build a censored search engine for China (Dragonfly) were both derailed by employees who did not want the company to stray from its stated principles. Employees also staged walkouts at Google offices around the world and forced the company to revise its policy on sexual harassment after reports emerged that it had protected senior male executives against credible allegations of sexual harassment.
Uber had its fair share of troubles as it struggled to win back regulators in London, its most lucrative European market, after Transport for London declined to renew its operating license in 2017; on appeal, the company was granted only a 15-month probationary license in June 2018.
Businesses paid a heavy price for non-compliance, both in terms of fines as well as reputational loss. Hopefully, organizations will take note of the lessons learnt from these episodes — that the cost of non-compliance far outweighs the cost of compliance, and that there are financial benefits to investing in thorough due diligence programs.
Here’s to a brighter, more compliant 2019.
8 Key Takeaways from the GRC Summit 2018 – London
The GRC Summit on Nov 12-13, 2018 provided a forum for business and government leaders from around the world to discuss, debate, and learn about the latest trends and best practices in GRC. Based on the theme “Preserve. Protect. Perform,” the summit featured a range of inspiring keynotes, expert talks, customer success stories, and panel discussions on topical issues such as Brexit, cyber resilience, corporate integrity, and culture.
The biggest driver of cyber risk? The emergence of a commodity market in hacking
A decade ago, if you wanted to break into someone’s system, or even mount a simple denial-of-service attack, you needed a reasonable level of skill. Today you can simply buy a tool, or better still, rent a managed service that does it for you at very little cost. This rapid rise of a commodity market in hacking has made it easier than ever for criminals, disgruntled employees, nation states, and other malicious actors to attack organizations and nations where it hurts most. The practical consequence for defenders is that the skill of the attacker is no longer a useful proxy for the sophistication of the attack.
For more insights, watch this fascinating keynote by Robert Hannigan, Former Director of the UK’s Government Communications Headquarters (GCHQ).
GRC isn’t just about the mitigation of risk but about the preservation of trust
Traditional GRC may have been about policing the organization. But today it is about empowering the first line of defense to be effective custodians of trust, equipping them with the knowledge and tools they need to take ownership of risks and to do the right thing. The key is to remember the 4 R’s:
(1) Respect: Ensure that the three lines are working together towards the same objectives.
(2) Rapport: Empathize with the needs and challenges of the first line.
(3) Responsibility: Ensure that the three lines understand what they need to do and how to execute it transparently.
(4) Reflection: Take the time to step back and evaluate the approach.
To know more, watch this C-suite panel discussion on trust and integrity featuring business leaders from M&G Investment, UBS, and Intelligent Ethics.
Innovation without integrity is like motion without direction
For years, business success has been talked about in terms of the speed of innovation, or how quickly one can notch up billions of dollars in valuation. But in the race to get to the top, many employees report being pressured to compromise standards. In fact, they often see questionable business practices being rewarded rather than punished. Fortunately, that is beginning to change as organizations come under greater scrutiny, not just from regulators and investors, but also from a larger hyperconnected society with tremendous computing and communication power at its fingertips. In this transparent world, values like integrity, trust, and alignment of profit with purpose will become increasingly critical to business success.
Find out more on what it means to perform with integrity in this keynote by MetricStream CEO, Mikael Hagstroem.
The pace of change will never be as slow as it is today
One of the biggest dilemmas that organizations face is how to keep up with the ever-accelerating pace of change and disruption without being blindsided by the associated risks. How do you enable faster processing of financial transactions without increasing data security vulnerabilities? How do you leverage open banking opportunities without worrying that a third party will misuse sensitive customer information? Agility and resilience hold the key. But achieving these objectives will require collaboration. Organizations, industries, suppliers, customers, public bodies, and governments must find a way to work together towards preparing for and responding to change in a way that benefits everyone.
To learn more about the changes and risks impacting organizations today, watch this panel discussion with risk leaders from Johnson Matthey, Infosys, Santander, and Equifax.
GRC must become a way of life
Employees need to be doing GRC without realizing it; that is how deeply and intrinsically it must be embedded in corporate culture. While that may be easier said than done, the first step in the right direction is for assurance functions to start speaking the language of the business. That is, instead of talking specifically about risks and controls, focus on how GRC can improve business efficiency and productivity. Look at GRC through the lens of the first line. How will their daily routines be affected by additional risk responsibilities? Is there a way to make GRC a seamless part of the front line’s daily tasks? These are important questions to consider if organizations want to build a truly risk-aware, well-governed, and compliant culture.
To know more, watch this panel discussion of GRC leaders preceded by a talk on GRC market trends and insights by MetricStream COO, Gaurav Kapoor.
Regardless of the outcome of Brexit, organizations will need to be prepared with a contingency plan
While the future of Britain’s relationship with the EU continues to be shrouded in uncertainty, what is evident is that the repercussions of a hard Brexit will likely be catastrophic unless organizations are prepared to counter these risks. That includes conducting scenario analyses to understand and address potentially adverse outcomes, while developing contingency plans to protect business interests. It also means tackling possible bottlenecks in the physical supply chain, as well as the financing and data supply chains. Yes, all these efforts will require significant investment, but think of them as an insurance policy for your organization.
For more insights, watch the Brexit panel discussion featuring experts from financial services, manufacturing, and the government.
Analytics and deep learning present a $9 trillion to $15 trillion opportunity
Artificial intelligence has finally come of age. However, the challenge now lies in scaling AI initiatives in a way that delivers optimal value. As complex as that might seem, there are best practices that organizations can follow. One is to ensure that the business has a well-defined and well-aligned AI objective and strategy with a clear understanding of where the monetary value lies. Another is to remember that AI isn’t just about technology but also about the right working practices and methods. And the third is to realize that data scientists alone don’t make a successful AI project – it takes a village to do AI well.
For the whole picture, watch this business leadership talk by Nicolaus Henke, Global Leader, Digital and Analytics, McKinsey.
Smart ledgers could be a boon for compliance
While ledgers have been in use for thousands of years, they have arguably never been as much a part of popular discourse as they are today, particularly with the advent of blockchain and bitcoin. Smart ledgers, essentially multi-organizational databases with a strong, tamper-evident audit trail, hold significant potential not just for payments, but also for clinical trials, trade, and geostamping. Most importantly, they act as anti-cheating devices. In that sense they are exciting for compliance functions, which can now use smart ledgers for a variety of purposes, ranging from regulatory reporting to time-stamping, benchmarking of shared data, and even as a “dropbox” for proof of compliance with the Senior Managers Regime. One caveat worth keeping in mind: a tamper-evident ledger proves what was recorded and when, not that what was recorded was correct, so the controls around data entry matter as much as the ledger itself.
Learn more about smart ledgers in this insightful keynote by Michael Mainelli, Chairman, Z/Yen.
Explore more videos and insights from the GRC summit here.
Marriott’s massive data breach, Nissan chairman Carlos Ghosn’s arrest, and the CEO exit of Walmart’s India acquisition — here’s a round-up of November’s top GRC news headlines.
November saw yet another data breach. This time it was the hospitality industry that fell victim to hackers: The Wall Street Journal reported that a breach of the Starwood guest reservation database, which Marriott International acquired along with Starwood in 2016, may have exposed the personal details of up to 500 million guests.
The colossal breach, second only to Yahoo’s 2013 incident in which the personal information of three billion users was stolen, included sensitive details such as passport numbers and payment-card numbers in addition to addresses and travel details, the Journal reported.
In an investigative report, the Journal quoted security experts who said that Marriott could have done more to investigate a 2015 malware incident at Starwood and to find the intruders who remained in its systems.
Unsurprisingly, Marriott will face scrutiny from regulators around the world. A fine in Europe may be likely with the European Union’s tough new data protection law, GDPR.
In a shocking downfall for one of the automotive industry’s most powerful and admired leaders, Nissan’s chairman Carlos Ghosn was arrested in Japan on allegations of under-reporting his earnings for several years. Mr. Ghosn was widely hailed as Nissan’s savior when he rescued the company from near-bankruptcy and created the Renault-Nissan-Mitsubishi alliance, making it effectively the world’s largest carmaker. Reports suggest that Mr. Ghosn may have violated Japanese securities law by deferring compensation.
The incident has sent shockwaves rippling through an industry that is facing an economic downturn, a global trade war, and the shift to electric cars. Mr. Ghosn’s arrest also comes at a time when executive pay is being questioned by the public and regulators.
The chief executive of Flipkart, Walmart’s latest acquisition, stepped down in November following an internal probe into allegations of “serious personal misconduct”.
Coming on the heels of the departure of Flipkart’s other founder, Sachin Bansal, from the company, the news of Binny Bansal’s exit took many by surprise. The Wall Street Journal reported that Walmart opened an investigation into Mr. Bansal’s conduct after a former employee came forward with claims that he had sexually assaulted her in 2016.
The incident was also apparently not disclosed by Mr. Bansal during the negotiations to sell Flipkart to Walmart. Though Walmart’s internal investigation did not find any evidence to corroborate the complaint against Mr. Bansal, it is said to have revealed poor judgement calls from the former CEO that included the hiring of two private security firms at the end of 2016, “to make this matter go away.”
Despite scandals such as Facebook’s Cambridge Analytica, organizations are still slow to detect and respond to data privacy incidents. Marriott itself said the unauthorized access to the Starwood database dated back to 2014, meaning the intruders went undetected for roughly four years. The Marriott incident is the latest in a spate of cyberattacks to hit businesses after the British Airways hack, and it shows that no industry is safe from bad actors looking to steal personal information.
The Carlos Ghosn incident highlights the need for thorough due diligence and compliance programs that can help ensure both adequate awareness of local laws and regulations, as well as adherence to them.
And in the light of movements such as #MeToo and Time’s Up, Walmart’s episode with Flipkart’s CEO is another reminder that for corporate leaders, the line between their private and professional lives is often blurry, and they can be held accountable for their actions in both.
As we witness some of the key news headlines in recent years – the Volkswagen emissions scandal, the Wells Fargo account fraud and the Uber crisis – to name some that are top of mind, I wonder what role technology could have played; not just to address the issues, but also to prevent such situations from occurring in the first place. I’ve sometimes been told these are ‘corporate culture’ issues and ‘technology’ cannot do much at all. However, I disagree.
The foundation for culture is laid out in the core values and tenets of a company. When a company is small – these messages can be easily communicated by verbal and non-verbal methods – and if issues surface, they can be handled quickly. However, as a company scales and grows, a lot of that shorthand needs to start getting codified into the way the business operates. The natural place for this codification is in its vision, mission, policies, training, controls, compliance, and risk management practices – in other words, the essence of GRC (governance, risk, and compliance) thinking. It is by using these essential components, and by constantly refreshing them, that one creates a sustainable machinery to help preserve the company’s culture, integrity, and core values.
Over time, as the company grows and evolves, and the culture has to be tweaked or even changed dramatically, a change agent or a set of initiatives might have to be deployed; however, one will need to rely on GRC technologies to codify these changes/initiatives and sustain them. Policies will need to be updated, training changes made, controls revisited, etc. In short, GRC technologies provide the necessary guardrails, as well as play a key role in the transformation and ongoing sustenance of a company’s culture.
To illustrate this point, let us look at two recent examples: Uber and Wells Fargo. In late 2016, Uber witnessed a crisis which some have labeled a ‘culture cancer’ and which came to a head in early 2017 with published employee frustrations, lawsuits, and eventually a CEO change. Since that time, if you look at some of the key changes that were made by Uber, you will observe how the core tenets of GRC were embedded in them. First, over 20 employees were fired after an examination of staff complaints. In order to do that, the HR policies and controls had to be re-codified and updated, to ensure that the change to the policies and controls was sustained. Second, hiring changes related to diversity were made, which in effect is an HR process and metric change. These key changes implemented by Uber, which were part of the overall culture transformation that the company undertook, demonstrate the importance of GRC technology thinking.
Now let us move to another example: Wells Fargo. In 2016 the bank was accused of opening bank accounts without its customers’ consent. More recently, regulators heavily fined the bank for mortgage and auto loan abuses. Both these malpractices have been attributed partly to the bank’s corporate culture, or perhaps the lack of it. So, as I reflect on the changes that the bank has promised to put in place in its 2017 Annual Report entitled Rebuilding Trust, one can see several obvious examples of GRC, such as the strengthening of risk and compliance controls, the setting up of automated controls to notify customers of new account openings, and a mystery shopper program. Also, if you look at the specific changes that are being instituted around sales goals and new incentive programs, it becomes obvious that these can be sustained only if they are codified in each business unit’s policies and controls. Finally, on a personal note, last month I received a $50 reimbursement from Wells Fargo for a mortgage loan error. Clearly this was the result of a self-identified internal audit, a GRC process again!
Therefore, the million, or perhaps billion, dollar question is: if GRC technology can play a role in sustaining changes to culture and the integrity quotient, why shouldn’t companies think about putting a GRC program in place before such calamities occur? Clearly, it’s food for thought for each and every one of us. As we learn from these cases, pay more attention to our classes on ethics, and invest in integrity, I believe that we will find that GRC technologies can be an extremely powerful asset in codifying and sustaining our learnings through this journey.