[BreachExchange] Revised DOJ compliance guidance offers risk-management lessons for cybersecurity leaders

Destry Winant destry at riskbasedsecurity.com
Thu Jun 18 10:27:57 EDT 2020


In February 2017, the Criminal Division of the US Justice Department
(DOJ) issued its first-ever guidance for prosecutors of white-collar
crime to use when assessing whether a company complied with its own
risk management program. The document urged prosecutors to consider
whether a company’s compliance program is appropriately “designed to
detect the particular types of misconduct most likely to occur in a
particular corporation’s line of business” and “complex regulatory
environment.” That guidance was updated in April 2019 into a formal
document called “The Evaluation of Corporate Compliance Programs.”

Both documents aim to give prosecutors criteria to consider when
bringing criminal charges. The three fundamental questions prosecutors
are urged to answer when assessing whether the compliance programs are
helping to “promote corporate behaviors that benefit the American
public” are:

- Is the program well-designed?
- Is the program effectively implemented?
- Does the compliance program work in practice?

New update encourages dynamic compliance programs

On June 1, the DOJ issued yet another update to its compliance
guidance, this time weaving in new language to make sure compliance
programs aren’t merely one-and-done snapshots, but are instead dynamic
programs that get updated to fit changing circumstances. The new
guidance also asks prosecutors to make sure compliance programs are
adequately resourced within organizations.

Like the earlier two versions, the latest guidance issued by DOJ is
premised almost entirely on the adequacy of the organization’s risk
assessment efforts, an approach well-known and particularly applicable
to cybersecurity professionals. Prosecutors are urged to evaluate the
quality and effectiveness of an organization’s risk assessment program
by examining:

- The risk management process, particularly the methodology used to
identify, analyze and address the risks an organization faces
- Risk-tailored resource allocation, namely whether the organization
devotes enough resources to managing risks
- Updates and revisions, specifically whether the risk assessment is
subject to periodic dynamic reviews
- Lessons learned, determining whether the company has a process for
tracking and coordinating changes in its risk management program based
on its experience

The DOJ also stressed the importance of risk-based training and
communications about misconduct as essential parts of how it
determines whether the organization’s compliance programs are up to
snuff. Finally, the guidance highlights the importance of management
support of the organization’s compliance initiatives and the value of
extending compliance due diligence to third-party providers.

DOJ guidance takeaways for cybersecurity

Although the DOJ’s guidance is geared to helping prosecutors bring
criminal charges against corporations and their officers, it is
frequently used as a blueprint outside the Justice Department’s
purview. It has particular relevance to the cybersecurity practices of
organizations when it comes to, for example, data breach and other
security-related lawsuits.

“If there were some kind of a failure that involves some kind of a
[criminal] prosecution for, say, data loss or something along those
lines, then this document might kick in to evaluate the effectiveness
of how they set up and operated their data privacy and cybersecurity,”
Carrie Penman, chief risk and compliance officer for risk and
compliance software company NAVEX Global, tells CSO.

“But whether or not you end up in front of the DOJ, it sets up best
practices to think about how you look at risk and how you mitigate
risk,” which is vital in civil lawsuits, Penman says. Courts “want to
know your thought processes and what your steps were to mitigate those
risks to determine basically whether or not you did everything you
could to try to avoid that situation from happening. This kind of an
evaluation comes up in a civil case [when it comes to] a large group of
people or individuals that have had their information compromised in
data breaches.”

“One of the reasons the DOJ puts this out is to help compliance
officers and security teams and people who are worried about bribery
and corruption to ensure that the board and leadership give enough
attention to these issues and properly fund them to mitigate risk,”
Penman says.

Regardless of whether civil or criminal litigation is involved, the
kind of guidance DOJ puts out is devoured by compliance officers
across all organizations, Penman says, and when it comes to
compliance, cybersecurity is top of mind for those executives. “We’re
just about to publish results of the survey of around 1,400 compliance
officers. The highest priority or concern for risk compliance programs
in that survey was enhancing data privacy and cybersecurity and data

Compliance programs are more critical than ever given the COVID-19
crisis, Alison Furneaux, vice president of marketing for cybersecurity
compliance management company CyberSaint, tells CSO. “The attack
surface has expanded dramatically. Organizations are being forced to
innovate. They’re being forced to put into place processes that they
didn’t have before. They’re being forced to document and prepare for
audits in a much more proficient way.”

“The predictability of it all is a bit more difficult to keep track
of, and that’s because of this notion of moving to remote work,”
according to Furneaux. “Some of the employees are using their own
devices. You don’t really know what security measures they have at
home. All of these things increase the risk dramatically.”

Cybersecurity needs a risk mindset

The risk management guidance that the DOJ puts out could prove useful
to cybersecurity executives. “As more cybersecurity leaders are being
asked to step into the boardroom and present what they’re doing to the
board, they’re being forced to move beyond that compliance mindset into
the risk mindset,” Furneaux says.

Intent matters when it comes to defending an organization’s risk
management process, and trying to implement an adequate--even if not
perfect--risk management program is essential. “Rome wasn't built in a
day, and neither was your compliance program,” Penman says. What
compliance officers and cybersecurity personnel are expected to
demonstrate “is that you're continually working on it, and that
you're applying your resources in a risk-based way.”