
Aligning IT with the Chief Compliance Officer Priorities

Published on November 29, 2023 by Paul Deur

In recent years the Chief Compliance Officer (CCO) role has expanded dramatically. As cybersecurity, AI, cryptocurrencies, and the way companies conduct their business come under greater scrutiny from regulators and stakeholders, CCOs and their teams must stay ahead of new regulations by conducting risk assessments, adjusting policies, and continuing to monitor, investigate, and report on company compliance across a growing list of topics to a growing number of interested parties.

The Cost of Non-compliance

The impact of non-compliance reaches beyond the company's brand reputation and finances: if a CCO takes no action on information they receive, they can be investigated for individual liability. It's a lot to keep on top of, as the applicable regulations depend on where the company operates, the industry it is in, and its own internal policies.

As the landscape continues to evolve, demand for experienced compliance personnel is rising, making it easier for overworked staff to find positions elsewhere and placing an additional burden on CCOs to retain key expertise. It is perhaps unsurprising that 76% of respondents to a 2023 report said compliance costs had increased in the last year.

With challenges coming from seemingly every direction and compliance touching more areas of the business, it’s clear that teams must adopt a collaborative approach, and IT is in a good position to help. IT has access to data by the bucketload, held within the various point solutions and systems of record they have invested in. And it’s this data that CCOs and their teams can tap into to manage their priorities, particularly in the realms of cybersecurity and ESG initiatives.

Cybersecurity Compliance

A growing reliance on digital technologies amid an unstable geopolitical climate has brought an increase in both the number of global cyberattacks and the cost of each attack. Statista recently estimated the global cost of cybercrime will grow 69.94% between 2023 and 2028 to reach $13.82 trillion.

Visibility across the enterprise environment is key to assessing and minimizing risk. CISA is one organization concentrating on this through its binding operational directive, BOD 23-01, which aims to enhance visibility into federal agency assets and associated vulnerabilities, and places strict requirements on the frequency of asset discovery and vulnerability enumeration.

IT teams can help CCOs gain access to relevant data for security risk assessments and reporting including:

  • Where devices are located, who has access to them, what is running on them, and where they are in their lifecycle, in order to identify unsupported or unpatched systems, missing assets, or gaps in processes that could lead to policy violations. For example, at SAP a lack of data center security led to the theft of four SSD sticks, one of which later appeared on eBay.
  • The relationship between vendor devices and software and company-critical data, to assess risks that will grow as more smart office services and other industry digitalization applications are integrated into the environment. Doing so can avoid fines of millions of dollars and a damaged reputation, which is what Target experienced when cyber criminals accessed data through a third-party HVAC vendor system.
  • When the company could be affected by a known vulnerability in software that is hidden or bundled within other software. In the case of Log4j, cybercriminals exploited a vulnerability in a logging library that was embedded in software installed on computers around the world, making it hard to determine who was affected when the vulnerability was disclosed. Regulations are being proposed around the globe to strengthen the software supply chain, and US government agencies are already able to request an SBOM from suppliers.
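The bundled-dependency problem in the Log4j bullet above is exactly what an SBOM is meant to expose. As an added example (not code from the original post or from ReadyWorks), the following walks a small constructed CycloneDX-style SBOM, including nested components that represent bundled libraries, and flags any component that matches a watchlist entry; the watchlist and its version threshold are assumptions for illustration, not taken from an advisory.

```python
import json

# Constructed watchlist: (group, name) -> first version treated as fixed.
# The threshold is an assumption for illustration; use the vendor advisory's
# values for a real assessment.
WATCHLIST = {("org.apache.logging.log4j", "log4j-core"): "2.17.1"}

# Constructed CycloneDX-style SBOM. The vulnerable library is not a direct
# dependency: it is bundled inside a vendor component, two levels down.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "com.example", "name": "billing-app", "version": "3.4.0",
         "components": [
             {"group": "com.example.vendor", "name": "report-engine",
              "version": "1.2.0",
              "components": [
                  {"group": "org.apache.logging.log4j",
                   "name": "log4j-core", "version": "2.14.1"}]}]},
        {"group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.17.1"},
    ],
})

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def walk(components, path=()):
    """Yield (path, component) for every component, descending into bundles."""
    for comp in components:
        here = path + (f"{comp.get('name')}@{comp.get('version')}",)
        yield here, comp
        yield from walk(comp.get("components", []), here)

def find_affected(sbom_json):
    """List watchlisted components whose version is below the fixed version."""
    findings = []
    for path, comp in walk(json.loads(sbom_json).get("components", [])):
        key = (comp.get("group"), comp.get("name"))
        fixed = WATCHLIST.get(key)
        if fixed and parse_version(comp["version"]) < parse_version(fixed):
            findings.append({"component": "/".join(key), "version": comp["version"],
                             "fixed_in": fixed, "path": " > ".join(path)})
    return findings

if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM):
        print(f"{f['component']} {f['version']} (fixed in {f['fixed_in']}) via {f['path']}")
```

The reported path shows which top-level product actually carries the affected library, which is the information an asset owner needs to decide who patches what.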

Rules around reporting cybersecurity incidents are changing too. In the US, the SEC recently released requirements for large companies to disclose material cybersecurity incidents within four business days of determining that an incident is material. Companies must also disclose material information about their cybersecurity risk management, strategy, and governance annually. In Europe, the Digital Operational Resilience Act (DORA) is being established as a regulatory framework for managing cyber risk in the financial sector and includes requirements around sharing data with other companies.

Leverage ReadyWorks' data intelligence and workflow orchestration to reduce cybersecurity risks. Learn how.

Environmental, Social, and Governance Compliance

Governments, investors, customers, and employees are calling for greater transparency and accountability around the impact companies have on the environment in which they operate, their workforce practices, and their decision-making processes.

Given the reliance on digital technologies, it may come as no surprise that McKinsey estimated enterprise technology contributes around one percent of total global greenhouse gas emissions (roughly half the emissions of aviation or of shipping). Last year the SEC unveiled plans that would require listed companies to disclose their Scope 1 (direct emissions), Scope 2 (indirect emissions, for example from purchased energy), and Scope 3 (value chain emissions) data. IT can work with CCOs to gather and analyze data from point solutions and systems of record to track and report these emissions and identify ways to offset or reduce them.

As part of this, IT should also collaborate with CCOs to identify sustainable IT asset management (ITAM) practices, including the use of shared resources, extending the lifecycle of assets, and defining company policies and processes for sustainable IT asset disposition (ITAD). These methods not only go some way toward demonstrating the company's sustainability credentials but can also help reduce costs.

Measure Carbon Emissions Produced by IT Resources. Learn how.

Overcoming Data and Reporting Challenges with a DPC

While IT is in a great position to give CCOs and their teams access to data, turning that data into something meaningful for risk assessments and reporting is another matter. The problem is that the point solutions and systems of record holding the data don't interact, creating blind spots in the business. Time, effort, and a mountain of spreadsheets are required to collect and make sense of that data.

There is, however, a way to get these systems, tools, and databases working together, and that’s by using a digital platform conductor (DPC). A DPC connects to all relevant data sources to gain access to the data they hold, cleans and correlates the data, and orchestrates business processes across systems.

Using a DPC you can:

  • Detect and mitigate security and compliance risks.
  • Easily identify unpatched or outdated systems and automate workflows to patch or replace them.
  • Analyze IT data and use it to determine Scope 1, 2, and 3 GHG emissions.
  • Generate customizable reports for different audiences, including internal stakeholders, regulators, and investors.

By working together and leveraging a DPC, CCOs and IT can more easily maintain compliance with regulatory and internal policies. ReadyWorks is a digital platform conductor.

Book a demo to discover how ReadyWorks helps IT align with CCO priorities.