Why Are Governance and Compliance Important?

Without proper governance in place, an organization can have neither effective risk management nor compliance. A common theme thus far has been the reliance on IT throughout the organization. As a result, IT can have a tremendous impact on either the success or failure of an organization. The interest in formally governing the use and application of IT should come as no surprise. IT is now woven into the fabric of business and has made organizations dependent on information and the systems that help generate and store information. In addition, IT will continue to provide opportunities for competitive advantage and reduction of costs throughout the organization. On the other hand, IT systems are subject to numerous threats that continue to evolve and seek to exploit vulnerabilities.

At a fundamental level, internal compliance with corporate policies is critical to the success of any business. Risk management means accepting some risks so that the company can accomplish its business goals, and the policies record which risks were accepted and under what conditions. Compliance, therefore, serves the organizational mission, and noncompliance can harm or even impede the business.

Regulatory compliance benefits organizations, consumers, and shareholders. It protects an organization’s reputation and integrity, safeguards the interests of consumers and shareholders, and has a broader economic effect by sustaining public confidence in organizations and in the capital markets.

Policies by themselves do not reduce risk; they must be implemented and maintained. Governance provides the management oversight that ensures policies are not only written but effectively implemented. A compliance audit must therefore include a detailed assessment of the governance forums responsible for seeing that policies are in place and appropriately implemented. At a minimum, a compliance audit should confirm the following:

  • The compliance governance structure is documented and understood.

  • The governance goals are fit for purpose.

  • Incentive structures do not create a conflict of interest.

  • Desired outcomes are being measured and reported on a timely basis.

  • Accountability is clear.

Case Study: Cetera and Cambridge

Consider what happens when governance is not in place or not effective. On August 30, 2021, the Securities and Exchange Commission (SEC) sanctioned eight investment firms and imposed penalties totaling $750,000 for failing to implement their own cybersecurity policies and procedures.

In the case of Cetera, the penalties resulted from an email breach. Between November 2017 and June 2020, the cloud-based email accounts of more than 60 employees were taken over by unauthorized third parties, exposing the personal information of at least 4,388 customers. Cetera compounded the problem by sending breach notifications that misleadingly suggested they had been issued much sooner after discovery than they actually were. Additionally, Cetera had published clear security policies in 2018 that required dual-factor authentication to keep email accounts secure. Those policies were never fully implemented, and the compromised accounts were not protected as the policy required.

The case of Cambridge was also an email breach. Between January 2018 and July 2021, the cloud-based email accounts of more than 121 representatives were taken over by unauthorized third parties, exposing the personal information of at least 42,177 customers. Cambridge compounded the problem: it discovered the first account takeover in 2018 but did not adopt and implement firm-wide enhanced security measures for those accounts until 2021.

Equally telling about the SEC’s view on governance and compliance is the rationale it gave when announcing the sanctions:

“Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

While this statement was directed toward investment advisers and broker-dealers, the principle applies to every industry. Consider how governance and compliance (or the lack thereof) played a role in this case study. An audit could have discovered, and thus helped close, these control gaps before they were exploited:

  • Compliance with the dual-factor authentication policy in the Cetera case

  • Governance over incident response in the Cambridge case, where a known attack did not trigger timely remediation

The regulator’s statement makes the obligation clear: organizations must protect the privacy and information of their customers. Finally, it is not good enough to have policies. Governance must verify that policies are actually implemented and that compliance is measured and reported.
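As an added example (not part of the original text and not drawn from the SEC orders), the following Python script shows the kind of evidence-based check an audit of the Cetera-style gap could run rather than relying on the existence of a written policy. It reads a constructed identity-provider export of email accounts, treats the dual-factor policy as the control under test, honors only approved and unexpired exceptions from an exception register, and escalates any unprotected account that already has a takeover on record, echoing the regulator’s point about known attacks. The export format, the exception register, the incident list, and all account names are assumptions made for illustration.

```python
"""Added example: audit an email estate against a dual-factor (MFA) policy.

Everything below is constructed sample data (assumed format, fictitious
accounts); it is not data from any real firm or regulatory order.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed identity-provider export. Assumed columns: user, account_type,
# mfa_enrolled, exception_id (blank when no exception was requested).
SAMPLE_EXPORT = """\
user,account_type,mfa_enrolled,exception_id
alice@example.com,mailbox,true,
bob@example.com,mailbox,false,
carol@example.com,mailbox,false,
dave@example.com,mailbox,true,
erin@example.com,mailbox,false,EXC-999
frank-shared@example.com,mailbox,false,EXC-017
svc-scanner@example.com,service,false,EXC-017
"""

# Constructed exception register: only an approved, unexpired entry excuses
# a gap. EXC-999 has lapsed, so it must not count as a valid exception.
EXCEPTION_REGISTER = {
    "EXC-017": {"expires": date(2021, 12, 31), "approved_by": "CISO"},
    "EXC-999": {"expires": date(2020, 6, 30), "approved_by": "CISO"},
}

# Constructed incident register: accounts with a prior takeover on record.
KNOWN_TAKEOVERS = {"carol@example.com"}


@dataclass
class AuditResult:
    in_scope: int
    enrolled: int
    gaps: list[str] = field(default_factory=list)  # no MFA and no valid exception
    invalid_exceptions: list[str] = field(default_factory=list)  # expired/unknown
    gaps_with_known_attack: list[str] = field(default_factory=list)

    @property
    def coverage(self) -> float:
        """Fraction of in-scope accounts actually protected by MFA."""
        return self.enrolled / self.in_scope if self.in_scope else 1.0

    @property
    def status(self) -> str:
        """Implementation state in the regulator's own terms."""
        if not self.gaps:
            return "implemented"
        return "partially implemented" if self.enrolled else "not implemented"


def parse_export(text: str) -> list[dict]:
    """Parse the CSV export and normalize the boolean and exception columns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["mfa_enrolled"] = row["mfa_enrolled"].strip().lower() == "true"
        row["exception_id"] = row["exception_id"].strip() or None
    return rows


def exception_is_valid(exc_id: str | None, register: dict, as_of: date) -> bool:
    """An exception excuses a gap only if it is registered and not expired."""
    entry = register.get(exc_id) if exc_id else None
    return entry is not None and entry["expires"] >= as_of


def audit_mfa_policy(records: list[dict], register: dict, known_takeovers: set,
                     as_of: date, in_scope_types=("mailbox",)) -> AuditResult:
    """Evaluate every in-scope account against the dual-factor policy."""
    result = AuditResult(in_scope=0, enrolled=0)
    for row in records:
        if row["account_type"] not in in_scope_types:
            continue  # policy scope is user mailboxes; service accounts are out
        result.in_scope += 1
        if row["mfa_enrolled"]:
            result.enrolled += 1
            continue
        exc = row["exception_id"]
        if exception_is_valid(exc, register, as_of):
            continue  # documented, approved, time-bounded exception
        if exc:
            result.invalid_exceptions.append(row["user"])  # lapsed or unknown ID
        result.gaps.append(row["user"])
        if row["user"] in known_takeovers:
            # A gap on an account already attacked is the "known attacks" case.
            result.gaps_with_known_attack.append(row["user"])
    return result


if __name__ == "__main__":
    res = audit_mfa_policy(parse_export(SAMPLE_EXPORT), EXCEPTION_REGISTER,
                           KNOWN_TAKEOVERS, as_of=date(2021, 6, 30))
    print(f"policy status: {res.status} ({res.coverage:.0%} coverage)")
    print("gaps:", res.gaps)
    print("invalid exceptions:", res.invalid_exceptions)
    print("gaps on previously attacked accounts:", res.gaps_with_known_attack)
```

The point of the check is that the finding is produced from system state, not from the policy document: a published policy with three unprotected mailboxes, one of them already compromised, reports as “partially implemented” with a high-severity item, which is exactly the situation the regulator described.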
