Compliance isn’t the most glamorous thing in the eyes of most business leaders. They may see it as a necessity to avoid regulatory pressure, yet also something that can be handed to a junior member of staff or at least handled on an ad hoc basis.

But with technology now the lifeblood of most modern businesses, criminals exploiting this and regulators and other stakeholders consequently pressuring companies to take compliance more seriously, such an approach is no longer sustainable.

Compliance and governance must now be an ongoing exercise, supported by unified frameworks and leadership buy-in, to counter the growing plethora of information, cyber and supply chain risks businesses and their stakeholders face. How can this be achieved, though?

Cyber Risk Is Business Risk

A core driver in the shift of compliance from a checkbox exercise to a strategic priority in the day-to-day operations of businesses is “the sheer breadth of laws, regulations, standards, and good practice” with which they are now expected to comply, according to Stephanie Locke, head of product at AI experts Nightingale HQ. She says non-compliance can lead to significant reputational and financial implications.

Notable examples of laws and regulations that have driven this change include the European Union’s Network and Information Security Directive 2 (NIS2) and its landmark Artificial Intelligence Act – not to mention the varying data privacy standards in different parts of the world. Given that technology is deeply ingrained in all parts of an organisation’s operations, Locke says boards are closely paying attention to these rules and now see IT risk as an enterprise one.

With the technology ecosystem – and the regulatory landscape designed to keep it in check – both evolving rapidly, Locke says businesses are now forced to manage cyber risk continuously rather than periodically. She adds: “AI in particular creates new operational, legal, and reputation risks, with early enforcement patterns likely to mirror the disruptive impact GDPR had after launch.”

Echoing similar thoughts, Jake Moore – global cybersecurity advisor at antivirus software maker ESET – says the rise of legal frameworks like NIS2 and the EU AI Act has turned “cyber risk into a business risk”. With this in mind, he says both laws necessitate “director-level accountability” and underscore that “compliance now dictates operating models, rather than the other way around”.

He tells IO: “The cost of getting it wrong is expensive, and checkboxes can’t always cut it. Compliance may be a longer way of going about things, but it proves organisations can operate securely and at scale.”

Regulators are Getting Smarter

Regulators aren’t just moving at speed to introduce and tweak industry laws, though. They’re also working much faster behind the scenes to detect companies that may be in breach of their rules, thanks to advancements in artificial intelligence.

Using AI, Lee Bryan – founder and CEO of compliance solutions provider Arcus Compliance – says regulators are able to “scan products, packaging, data, and documentation at a scale” and across “entire categories”. The technology is also allowing them to “spot gaps, inconsistencies, and false claims instantly”.

He adds that such a major change in how regulators work means brands are no longer able to “hide behind volume, geography, or slow manual checks”, meaning they have no choice but to treat compliance as a crucial business activity or be hit with regulatory action.

No Longer an Afterthought

Regulators aren’t the only group that expects businesses to take compliance seriously.

Other stakeholders, such as investors, customers and partners, are increasingly scrutinising the security and privacy posture of businesses before signing contracts – and even afterwards.

In the face of rising supply chain cyber-attacks like the one experienced by SolarWinds, Locke of Nightingale says businesses are aware of the risks that third-party technology vendors can pose if they aren’t complying with cyber risk best practices and rules. She adds: “As a result, security and privacy posture have become core components of commercial and investment due diligence.”

Specifically, when it comes to digital due diligence, George Tziahanas – vice president of compliance at archiving software specialists Archive360 – explains potential customers may be deterred from working with businesses that are unable to explain how they store, govern and delete data and see this as an “operational risk”.

Existing stakeholders also expect high levels of regulatory compliance from the businesses they work with as they look to avoid being implicated in supply chain incidents. Tziahanas says failure to do so could result in businesses experiencing “contractual penalties, regulatory action and reputational impact”.

Avoiding Siloes

Bad compliance isn’t simply businesses viewing it as a tick box exercise, though. Tziahanas explains that compliance gaps like “inconsistent controls, incomplete records, and unreliable data” can result in issues such as “false reporting, failed attestations, and over-retention”.

To avoid this, businesses should ideally bring the separate strands of compliance – risk, security, privacy and continuity – together into a single governance thread. According to Moore of ESET, doing so will shift their compliance and risk posture from “reactive firefighting” to “proactive” – something that “saves money and hidden costs” at the same time.

John Phillips, general manager of EMEA at accounting software provider FloQast, also sees the benefits of a unified and proactive approach to compliance and cyber risk management. He says teams that adopt this approach can “anticipate internal and external pivots, align early with leadership, and focus resources where they will make the biggest impact”.

Complying with industry rules and best practices in the early stages of a new business venture or product can also be beneficial in the long run. For starters, Tziahanas of Archive360 says it’ll prevent “costly retrofits” as “classification, retention, and deletion rules” will have already been defined and implemented.

A robust compliance posture will also help businesses build strong stakeholder relationships built on trust, adds Tziahanas. This is the key to “enabling faster deal cycles and smoother market entry”.

Practical Steps

When it comes to building and implementing a strong compliance strategy, respected industry frameworks like ISO 27001, ISO 42001, SOC 2 and ISO 27701 can be a good starting point.

Describing them as a “starter playbook for governance”, Locke of Nightingale HQ says they provide businesses with all the “fundamentals” needed to meet their compliance and governance obligations. She adds that such frameworks also enable organisations and their stakeholders to commit to “shared expectations and commitments” regarding compliance and governance.

Clear risk visibility is also important. Bryan of Arcus Compliance explains that business leaders may not be aware of the risks they face because “data, documentation, and suppliers are scattered across systems”. He believes that this can be solved through the adoption of “agile systems, a risk-based approach, and a genuine compliance culture”.

For ESET’s Moore, leadership buy-in is essential in making compliance and governance plans work. But that can only be achieved by educating leaders on the fast-expanding cyber threat landscape and how it can affect the business, he says.

On the face of it, compliance seems a tedious task only to please regulators. But it can actually benefit businesses by allowing them to spot and solve risks before they cause serious damage. At the same time, it can attract potential customers and strengthen ties with existing ones – all of whom are concerned about recent supply chain cyber-attacks and want to ensure any business they work with takes these risks seriously.