Risk Roundup for January and February 2020
This month’s Risk Roundup covers the start of a new year and a new decade. January and February were filled with new developments in risk and compliance. The coronavirus dominated news cycles, but other notable events occurred around a number of new rules, regulations and guidance, from California’s data privacy regulation to the NIST data privacy framework and SEC guidance on cybersecurity for financial services firms.
Pandemic puts the emphasis on business continuity programs
The COVID-19 pandemic is a global risk that has resulted in unprecedented actions taken by governments, businesses, and citizens. All the big brands like Apple, IBM, and Starbucks are taking defensive measures by closing stores, rerouting supply chains, and curtailing business travel.
The pandemic is a reminder of the importance of business continuity (BC) planning. A BC plan helps organizations plan and prepare for business disruptions to minimize their impact. It also encompasses recovery plans for restoring operations after an interruption or when risk levels become unacceptable. With BC plans, your organization will be prepared for adverse events while becoming a more resilient organization.
CCPA raises the stakes on data privacy compliance
The California Consumer Privacy Act (CCPA) took effect on January 1. However, in early February, revised regulations were issued. It’s a good thing that organizations have a six-month grace period for compliance, but the clock is ticking. In addition, 17 U.S. states have data privacy laws in the pipeline.
Given the breadth and depth of data privacy regulations in the US and worldwide, organizations need to address the top compliance challenges. The best response to regulatory change is an approach to compliance that is holistic, so it addresses data privacy laws worldwide. If you follow good governance principles, much of what you do for one data privacy regulation can apply to the next.
NIST releases version 1.0 of privacy framework
The National Institute of Standards and Technology (NIST) released Version 1.0 of the NIST Privacy Framework and labeled it a tool for improving privacy through enterprise risk management.
Whether you’re new to data privacy or have robust privacy risk management processes, the NIST privacy framework can help. It can set you up for program success or assist in implementing best practices for data privacy by using the framework’s Core Categories and Subcategories.
Given the preponderance of data privacy regulations on the books and on the horizon, the NIST privacy framework’s arrival is timely. You can use it to jump start your program or become more attuned to best practices which you can implement.
SEC releases cybersecurity guidance for financial firms
The Securities and Exchange Commission (SEC) drew on audit findings of cybersecurity practices at financial services firms in guidance it labeled “observations.” Because they are based on audits, the SEC’s observations are meaningful. Data loss and vendor management figure prominently in the SEC’s call for better cybersecurity practices at financial firms.
Firms should use systems that can detect and block data transmissions containing sensitive information. They should also have procedures for terminating suppliers, especially cloud service providers, that preserve the data necessary for compliance or transitioning to a new provider. Preparation is key to managing third parties like vendors and external providers, as this guide shows.
That’s our roundup of notable risks from January and February. We’ll be back in May with a roundup of risks that occurred in March and April.