Chief Compliance Officers and Cyber Security: A Match Made in the Boardroom
By Suzanne Rich Folsom, CCO & SVP-Government Affairs, United States Steel Corporation and Robert Garretson, GM, Governance Strategy, United States Steel Corporation
Put succinctly, “We make the point there are only two kinds of companies in the United States. Those who know they’ve been hacked and those who do not yet know,” Gen. Michael Hayden, former head of the NSA and CIA, said recently.
For companies and their Boards of Directors, the enterprise-wide threat that cyber issues represent translates into an urgent need for action. As businesses have expanded their global footprint and embraced a data-centric approach to manage their external processes (from product development to supply chain management to customer interface) and internal operations (from compensation agreements to health care data to all manner of personally identifiable information), state-sponsored actors, criminal organizations, and those with malicious intent simply cannot resist the payday such information offers.
To adequately meet and overcome this challenge, the corporate compliance function is ideally suited to identify and manage the full scope of potential cyber risks and oversee the development of the appropriate response protocols. The specter of cyber theft of proprietary trade secrets, business strategy, confidential customer intellectual property, and a range of other information justifiably increases an organization’s risk profile dramatically.
Indeed, U.S. Steel is currently litigating against 11 of China’s largest steel companies at the International Trade Commission (ITC), alleging multiple Chinese government-sponsored cyber-attacks undertaken to illegally appropriate information from the company’s confidential files about its new high-strength, low-weight Advanced High Strength Steel (AHSS)/Hot-Dipped Galvanneal Dual-Phase 980 steel.
U.S. Steel’s case cites a detailed forensic analysis of an alleged 2011 attack that found that the methods utilized were similar to those used by five Chinese military hackers who were indicted on 31 counts of theft, computer fraud, and economic espionage in 2014 by a federal grand jury in Western Pennsylvania.
The Challenge of a Changing Compliance Environment
Without fear of contradiction, it is fair to say that the corporate compliance environment continues to shift to confront new challenges. There was a time when compliance programs were common only in highly regulated industries, such as financial services.
Generally speaking, “corporate compliance” relates to an organization’s ability to conform with laws, rules, regulations, and internal corporate procedures. As stated in the U.S. Attorney’s Manual, corporate compliance programs should be implemented to allow an organization to organically “prevent and detect misconduct and to ensure that corporate activities are conducted in accordance with applicable criminal and civil laws, regulations, and rules,” thereby avoiding or mitigating risks, transgressions, and legal liability.
At the same time, American companies recognize the need–and opportunity–to invest in international and emerging markets as part of their growth. But with this expansion comes a parallel scaling of potential risk. Failure to comply with the appropriate regulations in each of the venues in which a company operates can result in severe civil and criminal penalties, the imposition of remedial solutions, and direct oversight by government regulators–all of which converts into a loss of business and a negative impact on the bottom line.
Role of Chief Compliance Officer (CCO)
In a 2002 speech delivered to the American Society of Corporate Secretaries, Cynthia Glassman, then a Commissioner at the Securities and Exchange Commission (SEC), identified the essential need for a “corporate responsibility officer” who would “personify the corporate conscience.” In other words, the Chief Compliance Officer (CCO).
The CCO is the executive with the appropriate seniority and authority to establish, own, and execute a company’s standards of ethical conduct–and then enforce those standards through the implementation of an effective compliance program. As an individual, the CCO is a trusted business partner and advisor to the Board, senior management, and business leaders across the company. In turn, the CCO provides the organization with the comfort that its operations are effectively overseen by a compliance program that considers and addresses risks of all types, including those driven by local and industry sectors, business opportunities, potential business partners, involvement with governments, appropriate government regulation and oversight, and exposure to potential legal action.
To establish a compliance environment that will foster business growth, the CCO will naturally invest the time needed to gather the requisite knowledge and fully understand each of the company’s issues and challenges–and then work as part of the team to deliver the right, bespoke solutions. Additionally, the CCO will be an expert whose guidance and counsel is actively sought by senior management; be approachable and accessible; and provide timely, relevant, and workable answers needed to address the respective business needs and associated issues.
A Welcome Marriage
Consequently, the CCO is well positioned to take the lead in the organization, maintenance, and implementation of company-wide cyber protection and response responsibilities. Just as the implications of a cyber breach mean lawsuits, disclosure questions, and investigations for the legal department, they portend human resource challenges across the employee base, customer and partner communication necessities, investor outreach, and other stakeholder engagement.
At its most fundamental, a cyber crisis response team is about ensuring that all of the company’s managers have a baseline understanding of the ever-changing regulatory landscape in order to meet compliance standards and to engage with all of the company’s critical internal and external constituencies.
The management of cyber security is an extraordinary undertaking and requires proactive collaboration to plan, prepare, implement, and regularly update the company’s cybersecurity and data privacy practices. For Board members and senior managers alike, a robust cyber program driven by the CCO is likely to be the most welcomed gift of all in 2017.