The Role of Ethics and Compliance in Maintaining Effective Cybersecurity

The compliance risks that organizations face come in many forms. While issues such as bribery, conflicts of interest and fraud have traditionally been major concerns, cybercrime is now the compliance threat drawing the most attention from ethics and compliance officers.

According to a joint survey of more than 900 ethics and compliance professionals conducted by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association, 39 percent of the respondents listed cybercrime/cybersecurity as the issue they would be focusing on the most in 2016, followed by social media compliance (38 percent), leveraging compliance practices with business practices for greater effectiveness and efficiency (34 percent), establishing and maintaining an ethical culture (32 percent) and increasing the effectiveness of internal investigations (31 percent).

The pervasiveness of cybercrime poses a daunting challenge for the ethics and compliance function. In the past, organizations were primarily concerned with identifying and correcting internal cultural factors that could lead to compliance breaches. Cybercrime has now forced ethics and compliance to broaden its scope to address threats from hackers and other third parties outside the organization.

Increased Regulatory Focus on Cybersecurity

When one considers that cybercrime impacts approximately 556 million individuals each year, it’s not surprising that cybersecurity has become a top concern for a variety of regulatory agencies. For example, in 2014 the Securities and Exchange Commission announced that it would include a review of cybersecurity policies as part of the routine examination procedures for its registrants. Other federal and state regulatory bodies are formulating, or have already developed, best practices to ensure organizations are taking appropriate cybersecurity measures. In general, these cybersecurity reviews focus on the following areas:

  • Adequacy of cybersecurity policies and procedures as well as proper enforcement
  • Conducting of regular and thorough cybersecurity assessments
  • Effectively responding to any identified cybersecurity deficiencies
  • Taking appropriate steps to protect computer networks and sensitive customer information
  • Installation and effectiveness of firewalls and/or anti-virus software
  • Instituting appropriate user access measures
  • Ensuring comprehensive third-party vendor oversight
  • Responding promptly to any identified security breaches

Developing/Maintaining an Effective Cybersecurity Program for Your Organization

Because of these enhanced enforcement practices, cybersecurity is no longer solely an information technology issue; it also requires the involvement of the ethics and compliance function to ensure adherence to all applicable laws and regulations. Giselle Casella, Senior Principal Consultant at the ACA Compliance Group, recommends the development and implementation of the following action plan:

Performing a Comprehensive Risk Assessment

The ethics and compliance department should work in tandem with IT to conduct a comprehensive risk assessment on at least an annual basis to identify the organization’s primary cybersecurity threats. The assessment should be tailored to the unique security risks the organization faces and should take into account factors such as:

  • The existence of any sensitive information the organization handles/stores such as personal customer data, trade secrets and proprietary information
  • Current data breach monitoring and detection procedures
  • Relationships with third parties and any policies in place regarding the sharing of information
  • The need to update outdated cybersecurity software and other related technologies
  • Any previous occurrences of cybercrimes and data breaches
  • Degree of vulnerability to attacks by entities such as terminated employees, hackers and even organized crime
  • Potential financial and reputational damage that could result from cybercriminal activity
  • Procedures in place to respond to and recover from a significant cybersecurity event

Establishing Appropriate Cybersecurity Policies and Procedures

Completion of the cybersecurity risk assessment should be followed by the development of written policies and procedures, which should be updated as necessary after each subsequent risk assessment. These policies and procedures should cover the following areas:

  • Clearly identifying the employees charged with the responsibility of cybersecurity program oversight
  • Ensuring that access to all sensitive data is limited to employees and third parties on a “need to know” basis
  • Clearly outlining protocols for safeguarding data and computer networks
  • Identifying the internal control mechanisms in place for monitoring and responding to data breaches
  • Stipulating all relevant vendor/third party oversight policies
  • Compliance with any laws/regulations regarding identity theft
  • Identifying any procedures in place for testing the effectiveness of the organization’s cybersecurity programs

As cybercriminals continue to find new, inventive ways to penetrate an organization’s cybersecurity defenses, organizations must continue to ramp up their efforts to protect their data, and their good name. Combined with the need to comply with increasingly stringent data privacy regulations, this means the ethics and compliance officer can expect to have a growing role in an organization’s efforts to combat cybercrime in the years to come.
