Protecting critical data will top the list of challenges chief compliance officers face over the next three years. So will figuring out how to calculate and divide the budget with their IT, risk, finance and operations peers.
Chief compliance officers are responsible for protecting their firms from reputational and legal risk. They are accustomed to explaining policies and procedures downstream to multiple business lines. Yet when it comes to dealing with cybersecurity risk and information risk, they may be forced to deal with too many cooks in the kitchen, each adding expertise to come up with the right recipe for success or, at least, for avoiding regulatory fines. The budgeting process could be seamless or contentious depending on how many staffers are involved and who they are.
“Because of the high technology requirements to mitigate cybersecurity and information risk, we have far less say in the total budget spend and allocation process,” gripes one chief compliance officer at a New York bank. “A decision that ordinarily ties up a few hours could end up taking a few days or even a few weeks.”
More than 40 percent of the 150 compliance managers at banks, broker-dealers and insurance companies surveyed by global consultancy Accenture expect to devote the bulk of their time to addressing cybersecurity risk. A third of the respondents cite information risk as their top concern. Eighty-nine percent of the respondents expect compliance investment to increase.
As usual, regulatory requirements are driving the expenditures, but future investments will be more focused on automation rather than added bodies. “After years of increasing headcount as a strategy, compliance is now facing a scarcity of resources,” says Ben Shorten, a senior manager at Accenture in New York specializing in compliance. As a result, in-house platforms, licensed technology or third-party providers now need to enter the equation.
The Securities and Exchange Commission, Financial Industry Regulatory Authority, and other securities watchdogs continue to list cybersecurity as one of their priorities during exams. Financial firms must have effective policies and procedures in place to mitigate the risk of theft of important customer and company data, or risk being fined millions of dollars in civil penalties. They could even face customer lawsuits.
The EU’s General Data Protection Regulation (GDPR), effective in May, highlights another sort of data protection — privacy. It requires financial firms and other corporations doing business in Europe or with European clients to prevent the external distribution of client or employee data without a lawful basis, such as the explicit consent of the clients and employees concerned. Individuals will also have the right to know how a firm is using their personal data, and they can ask for that data to be deleted. Penalties for violations can be as high as €20 million or four percent of annual global turnover, whichever is higher.
Who’s in Charge?
Although compliance managers might be ultimately responsible for safeguarding their firm’s critical data, enabling technology isn’t necessarily their strong suit. They may need assistance to understand the costs of an application package or the relative return on investment of licensing software versus building defenses internally. That is where IT specialists come into the decision-making process.
“Compliance managers often defer to IT managers when it comes to spending on cybersecurity automation,” says Jane Shahmanesh, a managing principal at Adherence LLC, a regulatory consulting firm in New York. Does that mean that IT managers have complete say? Not necessarily. Compliance managers will have a better understanding of on-the-ground processes, such as the training required to fulfill an enterprisewide cybersecurity program. Employees need to grasp the risks of sharing passwords, opening suspicious emails or visiting certain websites.
That’s where the debate begins. The question IT and compliance managers will need to address is whether the firm really needs all the technology it wants, or really wants all the training it needs. “The spend on cybersecurity protection might be divided between the compliance department and the IT department,” says Shahmanesh. Several cybersecurity specialists tell FinOps Report that 70 percent of cybersecurity budgets are typically allocated to the IT department and 30 percent to the compliance department.
Yet just how high the overall cybersecurity budget should be might not depend on either the IT or the compliance manager. Regulators have indicated that firms may use a risk-based approach when it comes to creating a cybersecurity program.
“Risk managers will likely help quantify how much spending must take place depending on the type of data the financial firm has to protect, where it is located, and the key risks associated within their respective areas,” explains Robert Lavigne, director of compliance solutions for Bates Group, a Portland, Oregon based financial services consultancy.
Where does that leave operations managers? Even the best technology and training won’t help a financial firm avert a cybersecurity breach if its employees misuse them. After all, operations managers are the ones responsible for inputting data and following corporate policies and procedures for how it is to be used and safeguarded. They must verify to the compliance and IT departments that their subordinates are adhering to the compliance rulebook.
“Operations managers will be drawn into the [budget] discussion because business lines need to understand how the technology works,” says Lavigne. Ease of use and effectiveness go hand in hand.
Ideally, financial firms would have a compliance IT manager to serve as the final arbiter of cybersecurity budgets. However, only the largest financial firms are willing to pay the high compensation those experts require, IT managers tell FinOps. As a result, most financial firms will still rely on the chief financial officer or a dedicated chief information security officer to defend any proposed spending on new automation to their chief executive officers and boards of directors.
Selling the Budget
What then? It could end up being a battle of wills or ignorance. Even if compliance, IT and other managers agree on the amount and the allocation of spending, CEOs might not be convinced that a bigger budget will pay off. After all, if their firms haven’t had a cybersecurity breach yet, why do they have to spend more to get the same results?
Of the ten IT managers at global banks contacted by FinOps, only four say that their CEOs and CFOs automatically agreed to their budget request for spending on cybersecurity protection. The remaining six say that their CEOs were hesitant and needed “an extra push.”
That incentive came in the form of explaining “all attempted breaches” that were averted. The higher the number, the more likely the CEO is to acquiesce to a higher cybersecurity budget, IT managers tell FinOps.
Is it easier to convince a CEO about spending for the GDPR than on cybersecurity? Sometimes it is, because of the stiff regulatory penalties involved with any violations of its rules. Spending on the GDPR is also likely to be controlled by a single person: either the chief information technologist or a newly designated data protection officer (DPO), says Lavigne.
The GDPR requires certain firms, notably those whose core activities involve large-scale or systematic processing of personal data, to appoint a DPO who understands how to craft policies for protecting data and how to implement the necessary technology. In practice the DPO will likely work closely with the chief technology officer, although the regulation requires the DPO to act independently and to report directly to the highest level of management.
However, most firms don’t have a DPO. Even if they do, they still might be behind in preparing for the GDPR. That’s likely the case with US firms, many of which are just waking up to the new EU requirements, which apply to any firm with European clients or customers.
DPOs are hard to come by and expensive, say executive recruiters. Firms that don’t have a DPO might stick their CTOs with the task of preparing for the GDPR. Those CTOs, in turn, are likely to ask CEOs for more money to spend on external counsel to help them interpret the GDPR’s requirements.
Will they get what they want? It could all depend on how well-versed the CEO is on data privacy or how well external legal counsel can convince the CEO that the firm is ill-prepared.
Size of the firm is no indicator of fluency on data privacy. Case in point: Facebook allowed Cambridge Analytica access to the data of as many as 87 million of its users through a personality quiz app. Facebook now says it has changed its policies since the data was misused and will audit and ban apps that may be improperly exploiting user information.
Given the rising budget demands of cybersecurity and GDPR compliance, financial firms could be forced to cut spending in other regulatory areas. Accenture’s survey suggests that conduct risk has fallen on the list of priorities. However, financial firms can ill afford to be remiss when it comes to keeping their employees and third-party service providers in line. Misconduct such as illegal trading, improper gift-giving or even bribery can translate into massive regulatory penalties.
“Spending more money on cybersecurity and the GDPR is logical considering the immediate regulatory requirements,” agrees Brian Fahey, chief executive officer of MyComplianceOffice, a Dublin-headquartered firm specializing in conduct risk technology. “There has already been a great deal of spending on mitigating conduct risk following the financial crisis.”
However, he points out, the focus of managing conduct risk is now changing. “Rather than rely on multiple applications, each specializing in a particular type of conduct risk, financial firms are starting to depend on a single integrated platform,” says Fahey.
Is this a good investment? It’s better than the alternative, where the right hand doesn’t know what the left hand is doing. Using a hodgepodge of purpose-built conduct-monitoring applications could easily lead to mistakes or, worse, miss larger patterns that only emerge when data from several monitoring sources is viewed together.
By contrast, a single centralized platform could consolidate conduct policies and rules, cross-referencing the actions of internal employees and third-party vendors. The result should be faster and firmer identification of problems.