Ignoring Enterprise Risk Management Can Result in Damaging Losses
Jon Siegler | August 15, 2016
In today's global economic environment, two of the biggest areas of risk are regulatory compliance and cyber threats. With regulations on the rise, companies are facing new and more varied challenges. If a company's systems are breached, the consequences can include severe damage to its reputation in the market and loss of customers, to name a few.
One common source of damaging financial penalties is non-compliance with the Payment Card Industry Data Security Standard (PCI DSS). If your company is found to be non-compliant, the fines can range from $5,000 to $500,000. In this post, we discuss the challenges that come from ignoring enterprise risks and the solutions to them.
Having a globally distributed workforce means your company must manage risks across a wide array of geographies.
Each of these geographies has unique regulations and compliance requirements. In the past five years, regulatory change has increased significantly – particularly in the U.S. Some of the law changes include the Dodd-Frank Wall Street Reform and Consumer Protection Act. The George Washington University Regulatory Studies Center has very interesting stats on how regulation volume and type have changed over time. In the U.K. and Europe, recent regulatory changes include those from the Financial Services Authority, European Union Directives, and the Basel Accords.
The challenge many multi-national corporations face is the daunting process of keeping up with new regulatory information across varying global jurisdictions. If ignored, this can result in massive financial losses, revocation of licenses and more. Companies also need to maintain their reputation in the market in the event of compliance or regulatory disputes. For markets that are particularly uncertain and volatile, a clearly defined compliance strategy is a necessity.
Regulatory compliance systems help remediate risks.
Chief Compliance Officers and corporate counsel can help by putting in place the right compliance process controls and designing training plans that teach employees to self-evaluate their own risks. Moreover, independent audits and internal audits should occur consistently to assess the potential for risks and put in place action plans for remediation. The focus should be on process and continuous improvement, supported by routine monitoring.
There needs to be a process for identifying, assessing and recording potential and current compliance breaches. The objective should be to enable future compliance risk management processes within the organization. These practices help to build a culture of compliance within the company.
Understand how PCI fines work.
In terms of PCI compliance, it is the acquiring bank that gets fined by the payment card brands for non-compliance. The bank then passes the full fine on to the merchant, often with an additional penalty for the trouble. This means that the risk is felt by both the merchant and the acquirer.
As a result, it is essential for merchants and acquirers to work together in an effort towards PCI compliance. When a merchant is PCI compliant, the acquirer can go about business without worrying about fines.
Even if you are 100 percent PCI compliant, a data breach can still occur. Here is what can happen:
Loss of reputation with customers, vendors, and partners
Potential for civil litigation from affected customers
Decrease in sales due to a loss of customers and reputational damage
The acquirer may suspend credit card acceptance
The PCI standard was created by MasterCard, AMEX, JCB, Discover and Visa. Non-compliant merchants may experience brand damage, forensic audits, fines and costs for card replacement. According to Gartner Inc., the cost of meeting the security requirements for the largest merchants is around $2.7 million.
For small merchants, it can cost several thousand dollars to take part in the security assessment and to purchase new security measures. However, compliance requires continued practice and investment. A small annual investment in strong compliance controls is better than getting audited or losing your ability to accept credit cards. The single most effective safeguard your business can put in place is a consistent risk assessment process. This will help to identify weaknesses and put controls in place to remediate risks.
According to security services vendor VeriSign, 79 percent of assessed merchant companies failed due to the inability to protect stored data.
One of the most common reasons a merchant will fail a PCI audit is the potential for data theft, meaning the merchant failed to protect stored data. Risk Based Security found that in 2015, 736 million data records were stolen. It can cost multi-millions of dollars and years of effort for companies to recover from a major data breach.
The loss of intellectual property and damage done to critical infrastructure can have lasting effects. The most popular way for hackers to gain access is through email spoofing. CEOs and other C-suite employees are often the targets. Email spoofing allows hackers to pillage intellectual property. The emails can appear to come from an executive asking a subordinate to make a large cash transfer; this is called Business Email Compromise.
From October 2013 through August 2015, the FBI found that scammers stole $750 million from over 7,000 U.S. companies using unauthorized wire transfers. Since this is a business-to-business transaction, banks offer little protection from this type of scam.
Another example of a cyber-attack is ransomware. Ransomware campaigns typically involve an attacker who encrypts the victim's data or blocks access to a resource and demands a ransom to restore access.
Your business must be aware of and prepared for potential risks at all times.
Failure to meet compliance requirements and manage cybersecurity can result in financial and data losses that affect your company for years. You should not be afraid of fines as long as you are engaging in the practices listed above. You also need to focus on implementing security measures and creating awareness of the latest cyber threats.