Growing Data Privacy Concerns, Continued Cyber-Attacks, and the Failure of Audits to Detect Frauds: Q1 of 2018 Ends on a Less-Than-Savory Note

Introduction

With a major data privacy scandal involving Facebook, a crippling ransomware attack on the City of Atlanta in the US, and a $2 billion fraud at Punjab National Bank in India, we take a look at some of the biggest news stories that have dominated the GRC space in the first few months of 2018.

The Data Privacy Conundrum: Facebook and Cambridge Analytica

Mark Zuckerberg, Facebook’s CEO, recently testified before Congress on the alleged harvesting of personal data by Cambridge Analytica – a third-party data analytics firm – to influence the 2016 US elections.

The scandal, which reports say involved the personal data of more than 70 million Americans, has led to a public outcry, prompted #deletefacebook, and shaved off over $80 billion from the company’s stock value since the incident was uncovered. The social media giant may also be at risk of hefty fines for possibly violating an FTC privacy deal.

With public trust in Facebook diminishing, the company has had to postpone the launch of its smart speaker for a “better time.”

Atlanta Cybersecurity Incident: Cyber-Attacks Continue to Grow More Potent

After WannaCry and NotPetya last year, cyber-attacks have intensified – this time, it was the City of Atlanta in the US that was the victim. The attackers, who reportedly hobbled several internal and public services, demanded a ransom payment in bitcoins in exchange for unlocking systems. The incident was serious enough for the FBI to get involved in the investigation.

According to a New York Times report, the attack has unnerved security experts. One security intelligence analyst noted that attackers are constantly learning from their mistakes, and evolving their code before launching the next assault. With growing concerns around these issues, it isn’t surprising that the US has devoted $380 million of its spending bill to election cybersecurity.

$2 Billion Punjab National Bank Fraud in India

The news of how one of India’s richest men, who until recently was on Forbes’ billionaire list, defrauded the country’s second largest state-run bank of over $2 billion, sent shockwaves across the Indian banking sector. Nirav Modi, a diamond jeweler, and his uncle, Mehul Choksi, reportedly colluded with Punjab National Bank (PNB) officials to get credit through fraudulently issued papers. But how did one of the largest frauds in recent banking history in India go undetected for over 6 years?

As the story unfolded, reports emerged of how auditors failed to detect the scam for a long time with multiple audits failing to raise an alarm. The fall-out of the scam has led to the creation of the National Financial Reporting Authority (NFRA), a new watchdog for the auditing profession with sweeping powers to act against erring auditors or auditing firms.

What Do They Mean for GRC?

A massive breach of trust at one of the biggest names in Silicon Valley, also a reputed social media giant, has led to public outrage, and highlighted yet again the importance of better controls for data privacy and data protection. As concerns grow over the use of personal data by companies, there are calls for more extensive data privacy laws. Europe appears to be leading the way with the General Data Protection Regulation (GDPR), but it remains to be seen if the US will follow suit.

With cyber-attacks continuing to exploit system vulnerabilities, holding governments ransom, and threatening to override democracy, there will be a renewed focus on cybersecurity and the protection of critical systems.

Meanwhile, in emerging Asian markets such as India, recently plagued by scandals and scams, we are likely to see the beginning a new era of not just regulations, but also of increased scrutiny and enforcement.