Compliance is a fact of life for just about every company — especially in highly regulated industries such as healthcare, financial services, and government. And while compliance is often under the mantle of legal, compliance, risk management, or other departments, IT is certain to be involved in any organization’s compliance efforts.
CIOs and other top tech executives must be aware of all regulations that involve data, privacy, security, and other technology elements. They can play a key role in ensuring their organizations don’t get hit with hefty fines for non-compliance.
IT executives in healthcare and related sectors have for years had to deal with the impact of the Health Insurance Portability and Accountability Act (HIPAA), for example, which mandates the security and privacy of electronic healthcare information. But the regulatory environment has become increasingly complex, especially with the emergence of so many new rules covering data privacy, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Dozens of countries and US states are following suit with similar regulations to safeguard the data of individuals. Research firm Gartner has predicted that by the end of 2023, modern privacy laws will cover the personal information of 75% of the world’s population.
Regulatory compliance related to IT systems, networks, devices, and data is a fact of life for businesses today, making it a significant area of concern for CIOs. The key is to help compliance efforts without causing difficulties. Here are some mistakes to avoid, according to experts.
Treating auditors as adversaries
Getting into a defensive posture is sometimes hard not to do, says Gary Kern, CIO at Middlefield Banking. This can happen when auditors and examiners question IT initiatives and their impact on compliance. “You have folks picking apart your well thought out strategy, and you know they will comment on something,” he says.
Letting this create friction will not help matters, however. “It is always better to have face-to-face discussions and talk about their perspective and contemplate on how that might make your environment better,” Kern says. “The hope is everyone is out for the same thing, including those who made the compliance rules, and that is to assure mistakes don’t happen, the environment is better, and there is more transparency in the process.”
Kern had a chance to put this tactic to the test with a bank examination. “I wasn’t necessarily on board with some of the preliminary findings, so I had an in-depth discussion with the lead IT examiner to get to the ‘whys’ of the comments and try to non-defensively explain what we may have been doing instead,” he says. “We reached an understanding that we both felt was fair, and then moved on.”
About six months later the examiner asked Kern to take part in a bankers panel at an examiners’ annual national training conference. “That proved to be a great experience for me that provided even better insights into the full process,” he says.
Often, regulators pick up their observations from internal audit (IA) reports, says Samir Datt, managing director in the technology consulting practice of consultancy Protiviti. “If CIOs collaborate with and embrace the IA process rather than hide from it, they have an opportunity to proactively address regulatory compliance in advance of regulatory review,” he says.
There are exceptions to most rules, and that applies to regulations governing different aspects of IT.
“Rarely is something the right answer in 100% of the cases, especially if there are business, security, and customer impact trade-offs,” Kern says. “Therefore, it is good to put in place an exception management process.”
This includes documenting what is being done and why it might conflict with an existing compliance rule; what additional steps are being taken to meet the compliance objectives; whether bypassing a rule is being done permanently or will be reviewed on a regular basis; and what senior non-IT stakeholder signed off on the appropriateness of the exception.
“Granted, there are some rules that simply can’t be bypassed,” Kern says. “But in the situation where a business decision needs to be made to ‘accept the risk,’ be sure that is fully explained. How intent of the compliance rule may be handled in other ways, or rationale for why it may not make sense in each situation, should be recorded.”
Failing to prep your team
As with most aspects of IT, a lack of the necessary skills, experience, and knowledge can lead to problems when it comes to compliance.
“A strong compliance strategy starts with its team,” says Rashmi Kumar, CIO at technology provider Hewlett Packard Enterprise (HPE). It’s important that CIOs build a compliance team that uses a continuous improvement approach in addressing regulatory requirement changes related to IT, he says.
HPE’s Global IT Compliance Team “relies on a continuous improvement plan, where we continuously identify changes needed to the compliance program in areas of reporting, engagement, and control management,” Kumar says. “Leveraging our approach to compliance, we have been able to improve our evidence delivery time by five days.”
Compliance efforts need to be cross-functional, Kumar says. “We make compliance everyone’s responsibility by including it in the goals for each individual” inside and outside IT, he says. “This ensures that [the company has] support and engagement from the entire organization, ultimately growing compliance culture.”
Allowing compliance to dictate security
While IT and cybersecurity leaders need to stay abreast of compliance issues, especially regulatory mandates, “the goal should always be a sound security program that properly supports your business, company objectives, and the vertical in which you operate,” says Russel Prouix, CISO at healthcare payments company Zelis. “If you do that, then compliance becomes a result and not simply the goal.”
Basic security measures are often poorly managed, resulting in a stumbling block for compliance, Prouix says. This includes proper patching and vulnerability management, user account security hygiene (or removing accounts in a timely manner when an employee leaves the organization), use of two-factor authentication for remote access, and proper security and mobile device management for mobile devices, he says.
“Proper security requires a top-down approach,” Prouix says. Before attempting to implement any cybersecurity program initiatives, including those that support compliance, “you must have buy-in from the board, CEO, and executive leadership to set the tone,” he says. IT and security need to then partner with the business to ensure data protection while enabling data to flow for the business to flourish and stay competitive, he says.
Omitting key technology tools
There’s a whole market of technologies that address compliance needs, and while legal and compliance teams might be responsible for procuring these, IT leaders can certainly be involved in helping to select and deploy the most appropriate solutions.
Gartner in September 2021 identified three areas where compliance leaders should focus their technology investments. One is foundational systems of record. Investments in these systems for compliance can reduce the otherwise ad hoc data capture required for reporting and build datasets that could unlock the potential of analytics and artificial intelligence (AI) for compliance, the firm says.
Another is digitally enabled workflows. Legal and compliance teams face more work to manage than ever, Gartner says, and digitizing the highest-volume workflows is feasible through technology and can deliver significant improvements in workflow.
The third area is digital management of risk. Regulatory volatility, digital business transformation, increasing cybersecurity risks, and the magnitude of information derived from monitored risk and security activities are straining organizations’ ability to manage risk effectively through traditional analog means, the firm says. Compliance leaders should look for opportunities to streamline risk management and compliance-related activities and improve their understanding of risks through system integration with operational-level data sources, it says.
Technology adoption for the average compliance team lags many other corporate functions, notes Zack Hutto, director of advisory in Gartner’s legal and compliance practice. Teams should first establish foundational systems of record and then invest in tools to facilitate key workflows, before exploring more sophisticated opportunities such as digitally-enabled risk management, he says.
Not understanding regulation intent
In some cases organizations’ understanding of a regulatory issue might not fully align to the regulatory intent, which can lead to confusion. This can apply to IT-related issues such as data privacy.
“We often see companies revert back with an answer without really understanding the ask of the regulators,” Datt says. “Regulators often provide observations/MRAs [matters requiring attention], which is a ‘hint’ to what they really see as an issue.”
So instead of hyper-focusing on the verbiage of the MRA or observation, organizations should really understand the spirit of what is being indicated, Datt says. “A good collaborative dialogue with the regulators helps to understand the spirit of what is being indicated,” he says.
Lacking structured governance
While organizations might have substantive processes and controls in place, they often lack a structured governance and risk framework that confirms risk coverage as well as alignment of their processes and controls to regulatory requirements, Datt says.
“The lack of structured and documented processes can lead to unrationalized enterprise architecture/controls, churn in responding to regulatory or other stakeholder inquiries, or potential blind spots of exposure,” Datt says.
CIOs and other technology leaders should help facilitate an overall governance structure that brings together information security, enterprise architecture, application, and infrastructure teams in a way that embeds regulatory compliance into technology delivery by design, Datt says.