Through the GRC Lens: 2018 — A Year in Review

A litany of disruptions and corporate scandals in 2018 showed that while making profits, organizations will be held responsible for their actions in an increasing shift towards more ethical business practices

Last year did not turn out to be great for businesses: there were mounting data privacy concerns around the globe; cyberattacks continued to hobble cities and disrupt business operations in the US; and Brexit uncertainty left UK industries worried. Meanwhile, shocking bank and corporate scandals sparked renewed regulatory interest in Europe, India, and Japan.

Amidst these larger issues, several new laws and regulations came into effect, adding to the complexity of an already challenging business landscape.

With so much that happened over the past year, here are some of the events and stories that stood out:

1. Marriott’s Colossal Data Breach

The hotel chain’s disclosure of a massive data breach in November, which revealed the personal details of hundreds of millions of guests, saw the company’s stock price plummet by 5.6%. The security incident, reportedly perpetrated by state-sponsored Chinese hackers, made its way onto the list of the largest ever data breaches in history, coming second only to Yahoo’s 2013 incident where the personal information of 3 billion users was stolen.

As more details of the incident emerged, original estimates of its impact were revised:  Marriott said that it had identified “approximately 383 million records as the upper limit” for the total number of people affected by the breach. However, the revised figure was still greater than that of the 2017 attack on Equifax, the consumer credit reporting agency, in which the driver’s license and Social Security numbers of roughly 145.5 million Americans were compromised.

Marriott’s breach revealed sensitive information such as the passport details of its guests which the company later admitted were unencrypted, making them an easy target for hackers.

Due to strict data privacy laws such as the European Union’s (EU’s) General Data Protection Regulation (GDPR) — which also applies to organizations located outside of the EU if they handle the personal information of EU citizens — Marriott could reportedly face a fine of up to $990 million in the region.

2. Danske Bank’s $227 Billion Money Laundering Scandal

Denmark’s largest lender and one of Europe’s most prestigious banks, Danske Bank, made headlines in 2018 when it found itself in the middle of one of the world’s biggest money laundering scandals. The issue involved over $227 billion in suspicious payments flowing through the bank’s Estonian branch. And the reason? A string of governance failures dating all the way back to 2007.

As news of the money laundering scandal made landfall, the bank’s shares fell as much as 11% and its market value dropped by about 40%, making it the worst performer in the Bloomberg index of European financial stocks. The incident reportedly scared off investors who were upset that a scandal of such magnitude could take place under the management’s watch.

The bank’s woes were not over yet as regulators in Denmark and the US announced that they were investigating the lender. As investigators tried to get to the bottom of the massive scandal, numerous arrests were made. According to some estimates, Danske Bank could face fines as high as $8 billion.

3. Wells Fargo’s Whopping $2.09 Billion Fine

Misdeeds over a decade ago that eventually contributed to the financial crisis came back to haunt Wells Fargo as regulators came down hard on the bank in 2018.

The lender had allegedly issued mortgage loans that it knew were based on incorrect income details, causing investors, including federally-insured financial institutions, to lose billions of dollars from investing in mortgage-backed securities that contained Wells Fargo loans. To settle these claims, the bank agreed to pay a massive fine of $2.09 billion.

Earlier the bank was fined $1 billion for insurance and mortgage abuses for charging as many as 570,000 clients for car insurance they didn’t need.

Not surprisingly, the bank’s earnings and reputation were affected as it tried to rein in its “reckless, unsafe, and unsound practices.”

4. Silicon Valley’s Trial by Fire

In a year of rising geopolitical risks, the usually high-flying tech hub was forced to defend its policies and practices as it fell out of favor with regulators and even employees over its handling of issues ranging from data privacy, sexual harassment, and election interference to its plans to bow to censorship demands from foreign governments.

From the trial by fire that ensued, few Silicon Valley giants escaped unscathed: Facebook’s Cambridge-Analytica fiasco sent the company’s stocks tumbling and wiped out more than $119 billion off its market cap. The company was also fined $645,000 in the UK for failing to protect the data of UK citizens and $11 million in Italy over data misuse. The social media giant’s year of woes continued as it disclosed the largest ever data breach in its 14-year history and faced intense scrutiny from regulators around the world over its alleged role in election interference and in fueling violence.

Google was found guilty of violating anti-trust laws in the EU and was fined a record $5 billion. Employee activism at Google also threw a wrench into many of the company’s future plans — a bid for a Pentagon AI defense project and a decision to introduce a censored search engine in China were thwarted by employees who did not want the tech giant to stray from its ideals. Employees also staged protests from Google offices around the world and forced the company to revise its policy on sexual harassment after reports emerged that the company had protected male senior executives against credible allegations of sexual harassment.

Uber had its fair share of troubles as it struggled to win over regulators in London — its most lucrative European market — after they cancelled its license to operate in the region.

Reflections

Businesses paid a heavy price for non-compliance, both in terms of fines as well as reputational loss. Hopefully, organizations will take note of the lessons learnt from these episodes — that the cost of non-compliance far outweighs the cost of compliance, and that there are financial benefits to investing in thorough due diligence programs.

Here’s to a brighter, more compliant 2019.