The Importance Of Being Ernest (In Your Compliance)

You can’t drive on the road without insurance on your car. We all know this; it’s a legal requirement to have, at least, third-party insurance coverage. This means that in the event of an accident, any damage to other people’s property as a result of your actions is covered by your insurance company, whether that is a scratched bumper, a broken wall, or a poor chap who now needs to spend his life in a wheelchair with intense support from carers. We hope we never need it, but it’s there if we do; otherwise we could be looking at having to pay for those repairs or care ourselves, which is why our insurance covers up to many millions of pounds of damages.

But it’s a lie. Of course you can drive on the road without having insurance on your car. Thousands of people do it each day. In 30 years of driving, I’ve not needed my insurance once (because, according to my brother, it's like I’m driving Miss Daisy I’m so slow). So for 30 years, I’ve paid a chunk of money out annually towards insurance that I’ve never once used. Maybe I could cancel it and get away with another 30 years of uninsured, accident-free driving and save myself that cash. But if I do have an accident, that’s a very different matter.

What's the point of this other than proving that I can make a car-based analogy of any situation? Well, car insurance is like compliance in a business. It's one of those things we have to do, for a given value of ‘have’. Any business has certain legislative governance that you must abide by, such as the Data Protection Act 2018 (the UK’s near-verbatim adoption of the European GDPR regulations we mirrored once we left the EU), pertaining to data protection and how you must store, process and delete data over its lifecycle. It’s a legal framework that all businesses must conform to.

But outside of legal requirements, many businesses face other compliance requirements that, from my experience with quite a number of SMEs, many are unaware of. Whilst the government can impose legal imperatives, and like GDPR these can be quite well advertised, other bodies may already be imposing restrictions, and this often goes unnoticed.

In recent years, we’ve seen the monetisation of data and information by cybercriminals around the world, whether by holding data hostage following a ransomware attack, or by breaching and extracting corporate secrets, user data, client information etc. for sale on the dark web. Information has value, and if you don’t protect your information, someone will happily steal it and use it in a way that may earn them money at your cost.

So who are these mysterious organisations seeking to apply their rules to you? It's not mysterious at all. It's those with a vested interest in your operations. Banks, insurance companies, regulatory authorities, governing bodies and even your supply chain and client base can put requirements on how you operate.

For some time now, banks and insurance companies have been forced to pay out against cybercrime and one thing that neither organisation wants to do is to pay out money. A couple of years ago, the cyber aspect of our corporate insurance was 2 sentences over 3 lines in an otherwise huge contract regarding our insurance. It was little more than a byline or footnote, probably not even worth the paper it was printed on. However, the most recent insurance had a 24-page separate book just for the cyber insurance that was the total antithesis of the short paragraph only a couple of years earlier. All of a sudden, the insurance company was saying that if we wanted cover, we had to be compliant in so many areas in so many ways with various accreditations and audits to prove we had done everything correctly. The banks have said something similar too, and it may be that within the terms and conditions of your contract, it stipulates certain requirements of your organisation.

In addition, many businesses are part of an industry organisation; maybe they have to be members in order to trade, maybe they have to have that certification to tender for jobs. Oftentimes, these membership bodies or governing councils with oversight of a profession (sectors like health and finance are obvious examples) have their own regulations that members must abide by. Typically this is when broad frameworks such as GDPR/DPA18 need further explicit measures defined due to the nature of the data being held and processed. Put simply, you’d expect (and rightfully so) your healthcare and financial data to be stored somewhat more securely and with far greater controls in place than, say, newsagents may use to keep track of their crisps stock (and now I’m hungry, I fancy some crisps and there is a newsagent opposite).

The other group who can influence your governance requirements are those businesses you deal with regularly, either your suppliers or customers. Both parties may put restrictions on the relationship (obviously clients have more power) and as such may require a business to meet certain standards or criteria to continue the relationship. This is already familiar to many having to have accreditations such as ISO9001 to interact with certain clients.

With all these potential sources of influence over your business, how do you handle it all? Well, firstly, address the problem head-on. Any organisation that requires some form of compliance will almost certainly be able to point you in the right direction when it comes to becoming compliant. Speak to each, find out what their requirements are for your business, and then implement a control that ticks all the required boxes. You may need to get a consultant in to help with this and whilst that can be a substantial cost, the cost of not understanding what you must do can be huge. Failure to comply could mean fines from the ICO if you break GDPR or possible withdrawal of membership of a body if you breach their requirements, which could cripple a business, not to mention loss of faith from your client base.

So you can operate your business with no controls and no knowledge at all of any requirement on it to conform to certain operational frameworks, much like you can drive a car without insurance. But unlike a car, where you can go 30 years without a claim, it's worth remembering that adage from cyber security: it is not a question of if you are going to be the victim of a successful attack, it’s when. Sticking your head in the sand and claiming ignorance won’t work any more than it would if you were found with no car insurance. Ignorance of the law is no defence, and ignorance of the responsibilities you have as a business is no defence if you find yourself the victim of an attack. Speak to those organisations who govern your industry, understand what is required from your business, and implement those changes. Your business will be safer as a result.

#compliance #governance #risk #legislation #gdpr #insurance #pcidss