Managing Technology Risk Through Strong Compliance and Controls
- Mar 31, 2023
In a Solution Session focused on the digital transformation era, the EisnerAmper Digital Team shares how companies are embracing technology to stay relevant and competitive. Leaders will learn the leading practices for governing risk and keeping pace both with the evolving regulatory landscape among increasing government oversight.
Kate Siegrist:Hi everyone. Thanks for joining us today. My name is Kate Siegrist. I am a partner at EisnerAmper. I lead the firm's technology assurance practice, which includes SOC reporting, HITRUST, ISO, NIST, a variety of other standards.
Ray Soriano:Hi everyone. My name is Ray Soriano. I'm a Director in our technology risk and security compliance service area with EisnerAmper. I focus on all things that are related to Sarbanes Oxley reporting, internal controls, and also doing security advisory services related to assessments and other strategy type arrangements for clients.
So Kate, what is technology risk?
KS:It's an interesting question because I would say over time it has changed. 5, 10, 15, 20 years ago, I think technology risk was really the responsibility of the IT department within a company. It was the responsibility of the CIO, the managers, the directors of that part of the organization, and it was probably more reporting to other leadership within the firm. Today, technology risk is really business risk. It is of interest to everybody within an organization from the CEO, CFO, and really even Boards. Boards care about technology cybersecurity risk. I'm even aware of clients that have even renamed their audit committee to be the risk committee, because there's so much more broad risk for organizations today due to technology.
Ray, what do you think are some common risks and threats across the industry today?
RS:Yeah, well great question, Kate. I think there's a lot of looming risks that are associated with variety of adversarial attacks that are out there. So things like ransomware and malware, spearfishing, business email compromise, and other cyber risks that companies just can't avoid. It's something that's going to be apparent within the industry. The other thing that's apparent is that there's a lot more focus on supply chain risk and concerns associated with how not only the organization is protecting the interests, but how their parties, their business partners, and even the Nth parties that are supporting those business partners, how they're protecting data and looking at the interest of the organization that they're doing business with. So it's a kind of an ecosystem of risks that's being associated with all the companies that are working with one another.
KS:Yeah, that second one is interesting because it seems like a lot of the really big breaches that we're hearing about in the news are occurring through some sort of supplier, a provider, within an organization. And so it's become, when we take it back to that business risk piece, it's not just about what are we doing to protect our own technology, but what are we doing to ensure that our providers are also have those protections in place? That's really interesting.
RS:No, that's absolute. I mean as far as some of the more recent events that have occurred out there, a lot of them have been based on independent parties, or third parties, contractors. Not to say that they're all-
RS:Yeah, software providers. That's kind of the big thing nowadays is to ensure that you have the appropriate controls with the types of solutions that you're using, and even the government has stepped in to really impose some regulations related to how third parties are being managed as far as risk.
KS:So what about trends? So there's, we've got these risks, so that's already challenging the leadership within an organization. What are some of the other maybe challenges or trends that are facing organizations today?
RS:Yeah, I think one of the biggest challenges that I see, from an industry perspective, is just a lack of talent. And having the right type of talent with a commensurate not only security, but compliance mindset, as well as being able to have the soft skills, if you will, the business acumen to be able to interface and interact with the executives, the boards, and relay some of these challenges related from an industry. So that's one particular area I think is a challenge for us. Another area is that the regulations are, they're evolving and once you become compliant with one regulation, it's changing, and it has to keep up with the pace of technology. And that's a challenge in itself because there's so many variables as far as technology, and how it's been integrated, and the understanding of the people that are implementing the solution. So it's an ongoing challenge that companies have to face.
KS:Yeah, that brings up a really good point, because for so long organizations were at least worried about cybersecurity, and now there's this whole concept of, I mean not that it's new, but it's a lot more of a common trend that organizations are focusing on, which is privacy. So we had GDPR in Europe, we had California that followed with CCPA, and many other states now, and even federal legislation, that is finally coming to potential fruition within the United States. And so that is such a challenge for organizations because when you're operating multi-state and now maybe even multinational, you're worrying about the legislation that's within all of those different jurisdictions. And privacy is interesting, too, when you take it back to the talent challenge, it's a different skillset when you're trying to figure out privacy within an organization. That is more of a legal concept. So now you're looking at, "While I need to bring in security talent, I also need to bring in some legal or compliance talent to help face these challenges."
On the topic of government regulations, some of what we're seeing coming about is related to ransomware. It's really, that is kind of an attack vector that can affect any organization, whether it's a multi-national billion dollar organization or a small business, everyone is subject to it. And we always hear that if you pay the ransom, then the bad actors will just come back for more money. And so the government is really trying to stop that. And so there are a couple of states today that actually have laws against organizations, certain types of organizations, paying ransomware. There might be a fine if you pay ransomware. So now here you are as an organization, your data has been locked down, you can't operate your business, and you have now even lost the option of saying, "Gosh, I can't recover. I'm at least going to pay the ransom and hope that I'll get my data back."
And I think that related to that, after a couple of really big breaches that have occurred over the last couple of years, politicians are taking note. And if you listen to really some of what's going on in Washington, there's even discussion that to me, so I work a lot in the healthcare industry, so I'm very familiar with HIPAA laws, breach notification. There is talk about what feels like HIPAA type regulation that could be relevant to all organizations to all types of data. And so if I had a crystal ball and maybe were to make some sort of a prediction in terms of what that would look like in the future, I could see a potential scenario where if there's a breach that occurs, you would be required to report it.
Just kind of like the HIPAA breach notification law requires now. And if it's found that you haven't done enough to protect consumer data or sensitive data within the US, there potentially could be fines. If I were to make a prediction, I think that that could be something into the future that we could see. And really we've seen some of that being discussed already with potential legislation. I think it would take a while for it to happen. And that then makes this topic really interesting, because now historically you thought of financial institutions, healthcare institutions, as really the ones that had to focus on security and privacy. Now we're making about everyone.
RS:It's across the board.
KS:It's any type of organization. Because if you don't have that option to pay that ransom, because it's now illegal and you have to report that breach, every type of organization has to care about these topics.
RS:If you look at some of the studies that are out there. Recently, IBM, as part of the Cost of the Data Breach 2022 version that they put out there, they talk about a lot of these different industries that are affected. And it's interesting to note that for the cost of a data breach, notably in the healthcare space, the average cost is about over $10 million. And that's across varying types of healthcare organizations. But kind of in a general sense, from a global perspective, the overall cost is somewhere in about the $4 to $5 million range. But in the US alone, specifically, the average cost is about $9 million. So thinking about that, yeah.
KS:I mean that is closing down the doors for a small to medium size business, right?
RS:Oh, absolutely. Yeah.
KS:That is shutting a business down. And we need those small businesses. We need those startups that are bringing the new technology, the new advances that the large enterprises are buying into that technology and using it. We need that. We don't want to see those things happen to the new rapid growth companies that are coming to market.
RS:That's absolutely correct, and I think this all ties into this talk was related to compliance and thinking about good oversight, and governance, and security controls, and it affects all size of an organization, small to enterprise scale. So on the small side, I know that you have a lot of experience with dealing with those type of clients.
KS:Early stage startups, rapid growth technology.
RS:Early stage, that's exactly right.
RS:And I have the experience of working with large enterprise institutions. And the challenge that I've seen from an enterprise, maybe you can relate on the small, medium size, on the enterprise side, it's not that there's a lack of maturity. They understand their compliance, they're trying to keep up with it. One of the things was the staffing, trying to maintain that. But the challenge is that they work in a very disparate way across the businesses. So they have in many respects, unique security requirements per business entity, and they don't necessarily look at the overall compliance framework from a holistic perspective. So it does make it very challenging for them to move the needle and be secure and compliant at the same time. What's your thoughts on the small side?
KS:Yeah, so certainly taking it back to what you mentioned earlier, the lack of talent, that's a challenge for a small to mid-size kind of rapid growth company, is the cost of talent today, even if the talent is available, the cost to bring in a specialized resource that maybe has experience with cybersecurity, understands the cloud, understands all of those challenges. If you can find that person, it could be cost prohibitive for a rapid growth type company. So that's certainly a challenge. The other thing that we see, there's a lot of consolidation when you look at that part of the kind of economic ecosystem. When you've got small businesses, small to medium size, rapid growth, and PE is kind of coming in and finding opportunities to create portfolios of companies that have similar offerings, similar client bases.
And so I work with a lot of those types of companies where they maybe have 3, 4, 5 different software companies that have come together. One might have been compliant with ISO, one was compliant with SOC, one was compliant, and then maybe three have never gone through any compliance. And so creating one, picking a framework and following that framework, and putting that in place when you have all these disparate kind of groups of people who are still running their own individual organizations, I mean, that's such a challenge for that small to medium size space [inaudible 00:12:28]
RS:That's right. So it's always going to be a balancing act regardless of this size and scale of the organization.
RS:Trying figure out what framework makes the most sense and is relevant. And many times it's a harmonization or rationalization of controls that are looked at from the different frameworks. I know that there are frameworks that many institutions kind of leverage right now, national Institute of Standards Technology, there's the ISO framework, there's the Center for Internet Security. And so it's trying to understand the right balance and the right framework to leverage, because at the end of the day, the framework is kind of like a guiding stick for the organization. It's not necessarily the end all be all. It's something to kind of help bring the maturity of security into play.
Also looking at it from a privacy and data protection perspective, but also tries to compliment some of the other areas of security. Not just data protection, but making sure that the resources are available so you have availability of resources or resilience of the data and even integrity, ensuring that you know have the appropriate level of detail and data, and it's irrefutable from the understanding of the data quality. And so those are things that have to be balanced into compliance framework that you're using.
KS:I think using a framework is important, too, because it maybe reminds you to do some things that aren't top of mind. So when you think cybersecurity, I think many organizations think, "I'm going to try to prevent the breach from happening."
KS:But I think in today's day and age, it's important to understand that it's just likely, there's a good likelihood that you may not prevent the breach. So then it's about, I think it's equally as important to be prepared how to respond to a breach, right?
KS:And so for example, I had a client, we had a client within the firm years ago that had a malware attack. This was actually even before ransomware was kind of the new thing for attackers. [inaudible 00:14:30] Right. But they were not in any sort of a highly regulated industry, so they manufactured something that really wouldn't be considered sensitive, but they had CAD drawings, they had their own proprietary information that they really couldn't manufacture their products if they didn't have, or develop new products, if they didn't have access to those drawings.
They lost that data. There was a malware attack, they could no longer access that. And they thought that they were doing their backups, they thought that they were backing up their data, but they hadn't been doing any sort of recovery exercises. And so when that breach happened, and they didn't have access to those drawings, they went to recover the data, they couldn't. They were actually stopped operation for almost six weeks because their backups were not there. They didn't have the data they needed. And they had to spend a significant amount of money to essentially hire a really high tech company to try to recover that data on their hard drives. And it took a long time, and of course they were able to rely a bit on some of their cyber insurance, but it was a challenge. And so they had spent so much time trying to prevent a breach from happening. It happened, and then they weren't able to recover. And really it was a significant impact to their revenues.
RS:Yeah, I think you're bringing up a great point, and I think that example is maybe translated in different forms for other organizations, similar circumstances, or maybe other distinct notables as far as security breakdowns in their environment. I think from an overall perspective, it just kind of points out and highlights that it's not easy. This is not an easy process, or program if you will, to try to institute. Compliance, like I said, is evolving and there are things right now that's going to enable compliance to be a little bit more simpler or more structured and in some ways and updated to current day trends as far as technology advancements. Take a case in point, PCI, payment card industry, they've gone through an overhaul, if you will, of their requirements and they've put out new releases out there. Same thing with ISO. They've done very similar things as far as kind of simplifying, standardizing. CIS controls, we talked about that a little bit. That actually has just gone through an iteration where it used to be 20, now it's 18 controls that they're-
KS:We're trying to make it easier.
RS:Trying to make it easier.
KS:As easy as possible for organizations to implement.
RS:That's exactly right. That's the whole element of the compliance game is trying to at least make it manageable, but it does take discipline, and it takes the rigor of the organization to maintain compliance. And I think that's where the talent staff, staffing and everything has to come into play. It requires the diligence of the organization to bring in the expertise. Sometimes it may not be in house and they have to leverage outside help to do that. And then also just being able to look at it from not only the preventive measures, but monitoring that, and having real performance measures that are associated with how you're securing and complying with some of these frameworks.
KS:Ray, how do you think enterprises should go about tackling these challenges?
RS:Well, I think part of the reality is just kind of understanding what the real risks are. So getting a current state understanding, an analysis if you will, of some sort of your current threats and risks to the organization. And a lot of times that's done through an assessment of sorts, using one of these frameworks maybe as a backdrop and doing a comparative, even if it's a self-assessment. And then looking at maybe expanding that to get in more detail with some expertise.
So it does require you to do first an understanding of the risks, trying to strategize on how you're going to mitigate what you observed as risks, and figuring out the strategy there. And that encompasses people, process, and technology. And then the third thing is then once you have that, take a deep introspective as far as the capabilities that you have. Do you have the right kind of resources that are going to be able to manage and address those risks? And sometimes, you may have the talents in place that you can apply certain mitigating controls and do that on a routine basis. In other cases, you're going to need to have outside expertise, outside providers manage services maybe to support that. And so I think it's a matter of taking a real look at the reality of your overall landscape and your posture and taking steps in that manner.
KS:I've seen a lot of companies try to do this kind of on paper, if you will. Are there any tools or automation options that are out there for organizations to try to help pull this together and manage their overall compliance?
RS:Yeah, absolutely. I mean, there's a plethora of different tools and technologies that are out there that can help. Very specific, almost like a Swiss army knife type selection, if you will, a specific tool for a specific purpose. And that's fine. That's one way of going about trying to skin this cat, if you will. But there are overall technologies that can help you look at it from an overall perspective, from the framework perspective, and balance that off.
And then there's the element of automation that needs to be thought about. And that's a new kind of phenomenon, I guess, that a lot of organizations are putting their arms around and embracing, is taking some routine things and trying to make it more automated and more efficient. And that helps with the compliance side of this, too, by the way, because in years past, usually companies would go through spreadsheets and other manual type of efforts to try to maintain, and now there are solutions out there that are either cloud-based, SaaS-based, that they can help them manage and collaborate with not only the security folks, but also with the business stakeholders and have that interactive arrangement. So like I said, there are a variety of tools out there. We work with some of the more notables out there. And as far as the one tool over another, it really is more of a custom tailor fit solution for our clients, and it's really going to be based on where they feel comfortable as far as the level of expertise that they need to incorporate, or maybe even hire.
KS:Being an auditor, doing a lot of technology type audit and compliant assessments, I will say that when we work with clients that are using some of these automated controls, automated tools, it certainly makes, really our clients' lives a lot easier when the documentation and data is available. It certainly makes the auditor's life easier, but I think it really impacts and makes it easier for the clients. So we always like to see our clients using that. Again, I work with a lot of startups, technology, rapid growth companies. What you're saying makes a lot of sense and is doable more for large enterprises. But I sometimes work with organizations, not that I don't work with large enterprises as well, but I can see a lot of companies who are, their resources are limited. They would love to get an automation tool, but maybe that's on their roadmap.
So when we think about small rapid growth companies, sometimes it's like, where do you start? We have to start somewhere. And there are a couple of frameworks out there that maybe have been whittled down and are a good kind of set of basics. So we've mentioned a couple times already, center for... CAS, internet...
KS:Security, thank you. There's essentially 18 controls that companies from a base perspective could start with. Another one is the NIST cybersecurity framework. That's another really good one for organizations to start to lay the foundation for security. And then even if we want to take it back to as simple as possible, kind of interestingly going back to what I was saying before about how our government is starting to get involved with cybersecurity, the White House in 2021 came out with a list of the basic sets of controls that companies should be implementing. Things like multifactor authentication, encrypting your data, backing up your data, doing security awareness and phishing tests. Those are kind of the basic things that if you're not quite ready to take that enterprise approach, there are basic things that, again, every organization should be doing. This is no longer about the financial institutions and the healthcare organizations. Every company, small, medium, or large, needs to be thinking about these things.
RS:One thing to also note is that a lot of organizations are doing this and thinking that they're alone in trying to handle this. And there are sharing groups, information sharing groups that are out there, they call them notably from an industry perspective, ISACs. So for in financial space, the ISACs are a very thriving group, and they do expose and talk about different threats and risks that are occurring within their particular industry segment. You brought up something that I think is pretty interesting because, again, focused on financial services, but you can translate this to other industries. A lot of the financial institutions are now looking at self-assessment tools and things to help them assess and evaluate if they are going to be subject to any concern or risk.
In the financial services space, again, there's the kind of a collaborative effort that was done with banking regulators and with the Secret Service, they actually did a test for ransomware, in particular. And it was a basic questionnaire that was out there, and it enabled financial institutions to go through a basic checklist of things that would be helpful in managing the risk associated with ransomware, and some of the things that we talked about like backup strategies, and incident response plans, and having the multifactor and other things of that technical nature in place.
But it gave the opportunity for the client, the company, to evaluate, and self-evaluate, whether they have these things in place without going through an exhaustive exercise of bringing in outside talent or independent reviews and all that. Just kind of going through a checklist and getting an appreciation of whether they do need to focus and put some additional efforts in this place. So there's outside help, let me put it that way, and information sharing within industries that should also be leveraged as part of this.
KS:Yep. I've seen to think about what are some of our clients that have successfully worked through this. Certainly there are certain types of companies that are in a B2B type service, that's their offering. And so it comes down to you can't sell your product or service if you aren't compliant. And that's where we work with a lot of companies that need that additional certification, assessment, audit in order to not only ensure that their data is they're following privacy laws, they're protecting the data, but then they're actually proving that to their customers.
We worked with, it's interesting, we work with companies that are very, very, very early stage startups and sometimes what we hear is, "Gosh, we're just too small. We can't do this. We don't have the team to support this." But I can attest to the fact that whether you're a early stage startup to a large enterprise, you can find a solution that works and satisfies the needs of your customers, what the government expects of you, consumers, whatever kind of, whoever your constituents are. There are solutions or options out there.
Do you have any kind of specific customer success stories that have been able to successfully implement some of these solutions?
RS:Yeah, absolutely. And in fact, I went through an exercise with an organization that essentially they're in the pharma space and they were kind of an early stage startup as well. So I've had some exposure on a small mid-size side as well. But they were early stage, not as mature and in discipline, if you will, from a security perspective. And one of the things that they were looking at was what are all the different opportunities for them to be able to provide practical security measures in place and also leverage frameworks? So we went through an analysis of this pharma company with looking at their security program and evaluating their policies, evaluating how they're doing a security awareness, what they're doing to institute controls within different solutions that are part of their overall infrastructure, how they're managing privileged access, as an example, and many things that are very complimentary to what we do from an audit perspective, too.
And just looking at what's the reality? And coming up with an as is state, a current state, if you will. And then what we were able to identify was there were opportunities for them to basically mitigate the risks with certain controls. And some of those controls weren't necessarily technical in nature. There were other things that they could leverage. For example, cyber insurance. They didn't have a cyber insurance program or a solution, a policy in place, and it was something that it could be as kind of a defunct opportunity for them to use as a tool. In the event that nothing else worked, they at least can rely on maybe some basic policy arrangements for them to either deal with a breach response investigation, communications, and even handling consumer related data or sensitive data, in this respect.
KS:You brought up a good topic on cyber insurance, which is companies now... Cyber insurers are really requiring companies to prove that they have good controls in place, or they either may not get their policy or may have to pay a really, really high premium. And so we actually are having companies that are contacting us, and recently we had someone reach out that they, again, not in a highly regulated industry at all, but they're looking at going through some sort of a security audit in order to reduce the cost of their cyber insurance policy. They're actually willing to go through an audit and pay for that audit, and that cost is going to be less than what they would have to pay on their policy if they didn't do that. So really interesting to see how this really expands all industries.
Ray, if there were just a couple of takeaways that organizations could kind of use from our discussion today to solve these cyber challenges, trends, threats, what would they be?
RS:Yeah, I think if we were to just boil it down based on what we were talking about today, I think we have to boil it down to the three things that we've talked about. Identifying risks, being able to strategize on those risks and coming up with mitigating controls, and then using talent and making sure that we have, or the organization has, the right type of talent mix. That it has a security mindset, a compliance mindset, a business acumen, and is able to obviously take all that and harmonize some of the risks that are out there.
Ray, thank you for sitting with me today and talking about these topics.
RS:Oh, it was my pleasure. This was great.
KS:This was fun.
RS:It was a lot of fun. Yeah.
Transcribed by Rev.com
What's on Your Mind?
Start a conversation with the team
Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.