June 30, 2023

Getting SOC2 and ISO27001 ready

An extensive guide to understanding and being ready for ISO 27001 and SOC2 certifications.


This comprehensive article will cover a range of essential topics related to compliance. First, we will explore the critical importance of compliance and its significance in various industries. Next, we will delve into the role of Legal Ops in driving compliance efforts. We will then discuss effective project management strategies for achieving and maintaining compliance, followed by an in-depth look at the steps involved in preparing for ISO 27001 and SOC 2 certifications, including gap analysis, risk assessment, policy and procedure formalization, incident response, disaster recovery planning, and employee training programs. Additionally, we will examine data governance and privacy measures within the context of ISO 27001 and SOC 2 frameworks and the importance of auditing and monitoring for continuous compliance. Finally, we will cover the benefits of using software compliance automation tools and provide a wind-up to summarize the key points covered in the article.


Understanding the Importance of Compliance

By following this guide and leveraging compliance automation software, legal professionals in multinational corporations can efficiently navigate the process of obtaining SOC 2 and ISO 27001 certifications. This combination of effective guidance and automation tools ensures the security and compliance of their organizations' information assets, while also reaping the benefits of streamlined compliance processes.

Compliance is vital for multinational corporations, which must contend with complex legal landscapes, protect their reputation, mitigate risks, maintain ethical standards, and gain a competitive edge in the global marketplace. While compliance is something you can’t live without, its complexity is increased by the existence of different frameworks.

An EY compliance risk survey revealed that 63% of companies consider it a top challenge. These frameworks form a multi-tiered system that demands substantial investments in specialized personnel and dedicated costs each year. A Coalfire analysis found that a majority of companies devote up to 40 percent of their security budgets to compliance efforts. Furthermore, nearly half of medium-to-large companies dedicate an extensive amount of time, equivalent to 20,000 man-hours per year, to ensuring compliance. Astonishingly, 58 percent of these organizations also perceive compliance as a notable obstacle when attempting to enter new markets.

For all these reasons, legal entities must opt to align themselves with internationally recognized and highly standardized frameworks. They should allocate the necessary budget for anticipated compliance activities and increasingly consider adopting compliance automation software, which promises to streamline compliance processes, delivering an annual ROI of 80-85%. This strategic approach, embraced by Legal Ops professionals, ensures efficient compliance management while maximizing resources.

Why compliance certifications for multinational corps?  

By obtaining compliance certifications, multinational corporations can enhance trust, meet regulatory requirements, mitigate risks, gain a competitive edge, and access new markets. These certifications are instrumental in demonstrating commitment to data privacy, security, and compliance, which are crucial in today's interconnected business landscape.  

Nothing new to Legal Ops departments: when engaging in negotiations with a prospect, one of the initial requests often revolves around existing certifications within the company, particularly ISO 27001 and SOC 2, or any documentation showcasing the robustness, reliability, and security of the IT infrastructure. This holds especially true for businesses operating in the SaaS or cloud service domain.  

When a company lacks certification, the following unfolds:

  • The prospect client must submit all documentation to their internal departments (Legal and Cyber), seeking their review.
  • Internal departments invest considerable time and often attempt to deflect the request, suggesting certified services or questioning if the selected provider is the sole player in the market.
  • The prospect client finds themselves justifying internal costs right from the start, in addition to the service fees being negotiated.

Therefore, the first major benefit of IT certification is customer trust.  

Moreover, by embracing compliance, companies can enhance productivity, proactively address legal concerns, and conduct a thorough evaluation of internal policies and procedures. This is because pursuing an IT compliance certification often reveals inefficiencies and counterproductive practices within organizations, and executive leaders have the opportunity to establish a corporate culture centered around compliance by leveraging IT security compliance certifications. Instead of evading regulations or taking shortcuts, employees should recognize the significance of adhering to compliance standards.

Compliance certifications should not be underestimated, especially in terms of simplifying interactions with regulatory authorities. These authorities rely on certifications as evidence of a commitment to compliance, which in turn streamlines potential audit activities. Holding certification can serve as a valuable asset when engaging with regulatory bodies, facilitating smoother communication and demonstrating a proactive approach to meeting compliance requirements and avoiding fines and penalties.

Legal Ops plays a pivotal role in leading compliance processes, even in the realm of IT frameworks such as ISO and SOC. They support various departments in understanding the technical and legal requirements imposed by different frameworks. In practice, it is common for the legal department to be entrusted with defining the policies that ensure compliance with the chosen framework. With their expertise, they strike the right balance between legal language and employee-friendly comprehension, tailoring the policies to communicate the necessary guidelines effectively. By bridging the gap between legal and operational aspects, Legal Ops facilitates the smooth implementation of compliance measures, ensuring that employees grasp their obligations while aligning with the organization's overall strategic goals.

Project Management Strategies for Implementing SOC 2 and ISO27001 Processes

The compliance management plan is a fundamental tool for implementing proper compliance processes within the company. This plan is a comprehensive roadmap that outlines the steps and strategies to ensure adherence to applicable regulations and standards. It encompasses various elements such as risk assessments, policy development, training programs, monitoring mechanisms, and continuous improvement initiatives.  

Here are some key tips to consider when creating your compliance management plan:

  • Conduct a thorough risk assessment: understand regulatory standards and identify potential failures in your business processes to prevent and correct them.
  • Establish corporate policies and procedures: develop top-down initiatives that align with the outcomes of your risk assessment.
  • Communicate the plan and provide training.
  • Account for routine maintenance: stay up to date on standards and conduct periodic reviews and corrections.
  • Conduct periodic audits: regular internal audits are essential to avoid irreparable mistakes and ensure ongoing compliance.

Preparing for ISO 27001 and SOC2 Certification: from zero to hero

ISO27001 and SOC2 Certifications: what are they?

In today's global business landscape, as we said, customers are increasingly concerned about the impact of their vendors on their IT infrastructure and the possible risks related to unreliable suppliers. Service Organization Control (SOC) 2 report and ISO 27001 are the most relevant certifications in the international market.  

But how does SOC 2 differ from ISO 27001, and can organizations use ISO 27001 to fulfill SOC 2 requirements?  

ISO 27001 is an international standard establishing Information Security Management System (ISMS) requirements. Applicable globally, it defines a systematic approach to protect information and consists of 10 clauses and 93 security controls grouped into four sections. It enables organizations to align security levels with desired objectives using a risk management approach. SOC 2 consists of audit reports demonstrating conformity to defined criteria (Trust Service Criteria or TSC). It validates internal controls related to information systems involved in service provision and covers five overlapping categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. ISO 27001 provides controls that align with the Trust Service Criteria of SOC 2. By implementing ISO 27001 controls, organizations can fulfill the requirements of SOC 2 while enhancing their information security practices; this is why many legal entities are adopting both frameworks. Instead of viewing them as competing choices, organizations can recognize that an ISO 27001 ISMS provides a solid foundation for preparing SOC 2 reports.

Also, some industry leaders endorse one standard over the other. The Microsoft Supplier Security and Privacy Assurance Program (SSPA) refers only to ISO 27001. This company-wide program assures that Microsoft suppliers are adequately protected in terms of information security and privacy before they are permitted to process personal data, information assets, or Microsoft Confidential Data under Microsoft policies, extending Microsoft's values to all its suppliers. In Microsoft’s view, ISO27001 is of fundamental importance because it is attested by an independent certification body, is kept up to date, reflects all the relevant applicable laws, and is a recognized standard all over the world (while it’s true that SOC2 is more of a US standard, it is now extending to Europe).

In my professional experience, I can say that 90% of companies decide to go for ISO 27001 first, and only afterwards add SOC 2 to streamline negotiations with US clients.

Gap Analysis: evaluating existing security measures and identifying gaps

Conducting a “gap analysis” is the first step for evaluating existing security measures and identifying gaps in compliance with SOC 2 and ISO 27001 standards. By assessing the current state of security controls, policies, and procedures, organizations can uncover areas of non-compliance and understand the potential risks associated with these gaps. This analysis serves as a foundation for developing remediation strategies and closing the identified gaps to achieve compliance objectives.

While assessing your information security controls, it is not solely the ISO 27001 and SOC 2 requirements that matter. Implementing appropriate best practices suitable for your organization's size and stage is equally important. Whether a large corporation or a series A startup, information security should be implemented and enforced based on your specific circumstances and growth objectives.  

The first output of a gap analysis is awareness. It must be carried out with utmost respect for the principles of transparency and impartiality, encompassing all the most relevant processes within the company. A gap analysis is a fact-finding operation that evaluates your current security posture against industry standards and the SOC 2 framework. For ISO 27001, it assesses the key vulnerabilities, from human issues such as communication to technical problem areas like access controls. For SOC 2, it is more of a comparison of existing controls, such as those in place for data privacy, risk management, or cyber-attack mitigation, against the requirements outlined.

In my experience, the fundamental questions to address are:

Gap Analysis for ISO27001

  • What are the organization's current information security policies and procedures?
  • Are there clearly defined roles and responsibilities for information security management?
  • How is risk management currently practiced within the organization?
  • What security controls and safeguards are in place to protect information assets?
  • Are there established incident management and response processes?
  • Is there a process for monitoring, measuring, and evaluating information security performance?
  • How is employee awareness and training on information security conducted?
  • Are there appropriate physical and environmental security measures in place?
  • How are suppliers and third-party relationships managed from an information security perspective?
  • Is there a formal process for conducting regular security audits and reviews?

Gap Analysis for SOC 2

  • What type of data do you store or transfer?
  • Where does the data reside?
  • How does it flow within your organization?
  • Who has access to the data?

To conduct a gap analysis effectively, in my experience, I suggest utilizing specifically designed tools that allow for tracking requirements and essential elements for compliance with the chosen frameworks. Small organizations can adopt models such as checklists to be distributed to various departments with item cards divided by specific competence. Larger organizations with complex organizational structures and typically more than 250 employees will certainly prefer compliance automation tools, which will be discussed in the following paragraphs.

Conducting a comprehensive risk assessment  

Another crucial tool is a risk assessment to understand potential risks that could impact an organization's information security and compliance. Organizations can prioritize their efforts and allocate resources effectively by defining the scope, identifying risks, and assessing their likelihood and impact. The risk assessment outcomes inform the development of risk mitigation policies, enabling organizations to address and minimize potential risks to their information assets proactively.

The risk assessment process involves establishing scalar parameters, creating a matrix that relates probability and impact, and calculating the risk level. The assessment should consider the structure of the information security controls, the systems involved, and their privacy attributes. Implementing security and privacy measures requires the establishment of control objectives, which must be referenced to the controls established by ISO 27001. The risk level is categorized based on the calculated probability and impact values, and the organization should define the acceptable risk level.

Some fundamental steps in conducting an information security risk assessment are identifying all information assets (e.g., physical copies, electronic files, devices, removable devices) and the related threats and vulnerabilities (e.g., probability of loss of a device or its data, exposure to a data breach). Then, risks should be prioritized based on scores and criteria: level 1 risks must be mitigated immediately, and only afterwards are the others addressed. Risk reports and documentation about the evaluation conducted must be kept for audits and to ensure that information is handled properly.
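To make the probability x impact procedure above concrete, here is an added Python example (not from the article or from any product it mentions) that scores a small constructed risk register, assigns each entry a level, and splits the ranked list into a treatment plan; the 1-5 scales, the level bands, the acceptable level and the register entries are all assumptions for illustration.

```python
"""Probability x impact risk matrix, following the risk assessment steps
described in the article (scalar parameters, matrix, risk level, acceptable
level, prioritisation). Added example: the scales, level bands, acceptable
level and register entries below are constructed assumptions, not values
taken from the article.
"""
from __future__ import annotations

from dataclasses import dataclass

# Scalar parameters: assumed 1-5 scales for probability and impact.
PROBABILITY_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk level bands over the product probability x impact (1..25), assumed.
# Level 1 is the most urgent (mitigate immediately); level 4 the least.
LEVEL_BANDS = ((20, 1), (12, 2), (6, 3))  # (minimum score, level); below 6 -> level 4
LOWEST_LEVEL = 4

# The organisation's acceptable risk level (assumed): risks at this level
# are accepted and monitored rather than treated.
ACCEPTABLE_LEVEL = 4


@dataclass(frozen=True)
class Risk:
    asset: str        # information asset: physical copy, electronic file, device, ...
    threat: str       # threat or vulnerability affecting the asset
    probability: str  # key of PROBABILITY_SCALE
    impact: str       # key of IMPACT_SCALE


@dataclass(frozen=True)
class AssessedRisk:
    asset: str
    threat: str
    score: int
    level: int


def risk_score(probability: str, impact: str) -> int:
    """One cell of the matrix: probability value times impact value.
    Unknown scale labels are rejected so that a typo in the register
    cannot silently produce a low score."""
    try:
        return PROBABILITY_SCALE[probability] * IMPACT_SCALE[impact]
    except KeyError as exc:
        raise ValueError(f"unknown scale label: {exc.args[0]!r}") from None


def risk_level(score: int) -> int:
    """Map a score to a level using LEVEL_BANDS (highest matching band wins)."""
    for minimum, level in LEVEL_BANDS:
        if score >= minimum:
            return level
    return LOWEST_LEVEL


def prioritize(register: list[Risk]) -> list[AssessedRisk]:
    """Score every register entry and order by level, then by score."""
    assessed = []
    for r in register:
        score = risk_score(r.probability, r.impact)
        assessed.append(AssessedRisk(r.asset, r.threat, score, risk_level(score)))
    return sorted(assessed, key=lambda a: (a.level, -a.score))


def treatment_plan(ranked: list[AssessedRisk],
                   acceptable: int = ACCEPTABLE_LEVEL) -> dict[str, list[AssessedRisk]]:
    """Split the ranked list into what must be mitigated now (level 1), what is
    treated afterwards, and what falls within the acceptable risk level."""
    plan: dict[str, list[AssessedRisk]] = {"mitigate_now": [], "treat": [], "accept": []}
    for a in ranked:
        if a.level == 1:
            plan["mitigate_now"].append(a)
        elif a.level < acceptable:
            plan["treat"].append(a)
        else:
            plan["accept"].append(a)
    return plan


# Constructed register for illustration only.
SAMPLE_REGISTER = [
    Risk("customer database", "data breach via compromised credentials", "likely", "severe"),
    Risk("employee laptops", "loss or theft of device with local data", "possible", "major"),
    Risk("paper contracts", "loss of physical copies", "unlikely", "moderate"),
    Risk("USB drives", "malware introduced via removable media", "possible", "minor"),
    Risk("public website", "defacement", "rare", "minor"),
]

if __name__ == "__main__":
    for section, items in treatment_plan(prioritize(SAMPLE_REGISTER)).items():
        print(section)
        for a in items:
            print(f"  level {a.level} score {a.score:>2}  {a.asset}: {a.threat}")
```

The printed plan is the document an auditor would expect to see retained alongside the register, with level 1 entries at the top.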

Developing policies and procedures to meet these requirements  

Effective policies and procedures provide a framework for consistent and compliant practices. It’s time to build the team to develop policies that align with the standards.  

My last professional experience made me realize that there are some fundamental elements to consider in this process, often led by Legal Ops as a center of cooperation. The first step is to ensure everyone is on board by adding team members and stakeholders to a centralized online platform or a shared tool or cloud that can be accessed anytime. To facilitate effective communication, it is important to use separate discussions for each document or topic and to send notifications through email or internal chat tools so that important information reaches everyone involved. I find Slack channels specifically dedicated to compliance cooperation activities really useful.

By automating task creation, assignment, and notifications, tasks can be assigned to the appropriate team members, promoting accountability and ensuring timely completion. This is where software designed for compliance automation is the game-changing player. Such software also provides document management with storage and version control, review and approval, and logs of all the steps and actions taken by teams. A clearly defined schedule for reviewing and updating policies ensures that they remain relevant and effective in meeting the organization's needs, without the need to act on all documents at once during a single time of the year, which would result in an inefficient and unmanageable workload.

Incident Response and Disaster Recovery  

Incident response and disaster recovery are key components of a comprehensive cybersecurity and compliance strategy. By developing incident response plans, organizations can effectively detect, contain, and mitigate security incidents and minimize their impact. Additionally, having a well-defined disaster recovery plan ensures the organization can quickly recover and resume operations in the event of a major disruption. All legal, cyber, and IT teams are well aware that a data breach can potentially cause catastrophic consequences for the organization, its business operations, and even its survival.

Here is a practical example of incident response plan steps. First, train employees in their roles and responsibilities, conduct mock data breaches and pen tests to evaluate your response plan, and ensure all aspects of the plan are approved and funded. In the event of a suspected breach, determine whether a breach has actually occurred and gather as much information as you can about the event, documenting facts and security vulnerabilities. Disconnect all the affected devices, relying on redundant system backups to recover from the consequences of the breach. Next, focus on eliminating the root cause of the breach. This involves securely removing malware, patching systems, and applying necessary updates. Address any existing security issues meticulously to minimize data loss and mitigate liability. Once the breach has been contained, proceed with the recovery phase. Restore devices and data to their normal functioning state. Hold an after-action meeting to analyze the breach and document lessons learned.

Employee Training and Awareness Programs: promoting a culture of security and compliance

Employee training and awareness programs are mandatory in every compliance framework but are often undervalued. Organizations should ensure employees have the knowledge and awareness to protect sensitive information and comply with requirements. These programs help establish a proactive approach towards security, encouraging employees to be vigilant, report incidents, and actively contribute to maintaining a secure work environment.

Ongoing awareness, understanding, and appropriate action are necessary to ensure data safety and prevent compromises. However, inconsistent messaging creates confusion among employees, leading to a lack of clarity on how to protect company information. Building a strong security culture from the top down is crucial, involving continuous efforts to help employees understand the impact of their behaviors on corporate data.

Data Governance and Privacy Measures

Part of the journey throughout compliance is implementing data governance frameworks for protecting sensitive information and ensuring proper data management practices. Organizations can maintain data integrity, confidentiality, and availability by establishing clear policies and guidelines. Additionally, compliance always goes hand in hand with privacy regulations such as GDPR. By prioritizing data governance and privacy measures, organizations can safeguard sensitive information, build customer trust, and meet regulatory requirements.

Compliance frameworks such as ISO 27001 and SOC 2 provide a solid foundation for establishing robust security controls. However, integrating compliance with data governance and privacy becomes crucial for organizations aiming to manage and protect their data assets effectively. Organizations must go beyond mere compliance to ensure effective data governance and privacy. Data governance encompasses the policies, procedures, and processes that govern the collection, storage, use, and sharing of data throughout an organization. It provides a framework for organizations to manage data as a valuable asset and ensures data quality, integrity, and availability.

In the EU, technical compliance frameworks such as ISO 27001 and SOC 2 must be considered together with the GDPR, which sets strict rules for data protection and privacy, and organizations must align their data governance practices with these regulations. By incorporating GDPR principles into the data governance program, organizations can proactively protect personal data, demonstrate accountability, and mitigate the risks associated with non-compliance.

In my business organization, we establish the scope, identify data owners, and set clear objectives aligned with business needs and regulations. The expertise of key stakeholders from various departments is crucial for implementing the program, and you must involve people from IT, cyber, accounting, and HR. Legal must create comprehensive data policies that align with regulatory requirements, including the GDPR, which involves defining clear roles and responsibilities to satisfy the accountability principle stated by the law.

A data governance program fits into an ongoing, continuous cycle that never ceases. As a result, it is crucial to include an evaluation and assessment phase, which may sometimes involve modifying or enhancing the program. Corrective measures should be implemented when vulnerabilities or weaknesses are identified, while adjustments may be necessary in response to regulatory changes, technological advancements, new risks, or organizational restructuring. This ensures that the data governance program remains adaptable and resilient in evolving circumstances.

Regular Audits and Compliance Monitoring

Conducting internal audits allows for objective evaluations of security controls and processes, identifying areas that require improvement. Indeed, regular compliance assessments and monitoring help identify any deviations or non-compliance, allowing for timely corrective actions to be taken. Audit findings are the main tool to monitor security controls, remedy deficiencies, and mitigate risks. Continuous compliance monitoring ensures that the organization remains aligned with industry standards and regulatory requirements, and it is mandatory under every compliance framework. By monitoring and updating security controls, organizations show a proactive approach to the compliance process.

Legal and Compliance managers identify high-risk areas related to operational aspects, considering factors such as fraud alerts, advisory opinions, audits, enforcement priorities, and contractor activities. Once these high-risk areas are discovered, a comprehensive compliance audit plan should be developed, prioritizing the areas with the highest risk levels.

To address these risks effectively, managers must develop and implement monitoring plans that follow ongoing activities and review procedures for compliance risks.

It is advisable to schedule monitoring and auditing results as part of the agenda in compliance committees at the management and board level to ensure continuous oversight. Moreover, it is highly recommended to involve independent compliance experts to assess the compliance program's effectiveness. These assessments should particularly concentrate on verifying the appropriate handling of high-risk areas.


The Benefits of Compliance Automation Software for SOC2 and ISO27001

Compliance automation software is not new to the compliance industry sector. Utilizing compliance automation software benefits organizations pursuing SOC2 and ISO27001 compliance. It simplifies and accelerates the overall compliance journey. This is possible thanks to the advanced capabilities of such software, which can effectively address the diverse legal and technical requirements of various compliance frameworks while also allowing for the integration and layering of multiple frameworks.  

Additionally, it offers time and resource efficiency by automating manual tasks, allowing personnel to focus on higher-value activities (ROI). With the ability to centralize and integrate compliance data, these tools provide real-time visibility into the organization's compliance posture, enabling proactive identification and remediation of issues. Additionally, compliance automation software supports audit readiness by facilitating evidence collection and documentation, simplifying the audit process.  

To determine the most suitable compliance automation software for your organization, I recommend involving key stakeholders in demo meetings from the outset. This will provide them with direct visibility into the platform's offered functionalities. Before committing to the software, one of the most frequently asked questions is how efficiently and to what extent it can replace human work, particularly in reducing reliance – and costs – on consultants. Based on my professional experience, engaging stakeholders in the demo process and addressing their concerns can greatly inform decision-making. This approach ensures that the selected software aligns with your organization's needs and can effectively streamline compliance processes while minimizing dependence on external resources.

Most compliance automation platforms thoroughly map ISO 27001 and SOC 2 frameworks and other regulations. The setup process usually takes a few hours to a few days, and a gap analysis report is generated immediately. This report helps prioritize high-priority actions using a risk-based approach. After achieving full compliance with the chosen framework, top market players confirm that only a 15-minute weekly check is needed to maintain continuous compliance, with a maximum of one hour for fixing activities. These platforms can be customized to suit the organization's specific characteristics, allowing the elimination of certain checkpoints for justified reasons. They also offer automatic alerts within the platform or through email or Slack notifications.

Their services offer APIs seamlessly integrating with an organization's key infrastructure components like AWS, Atlassian, Google Workspace, Workday, and more. They even provide pre-packaged solutions to fix any identified vulnerabilities or errors during analysis. These platforms feature a dedicated section for legal departments, which includes a set of policies tailored to your organization's internal structure, ensuring the availability of all necessary documentary evidence to demonstrate compliance posture. Furthermore, they make HR functions more accessible by incorporating a training section for all employees.

I was particularly impressed by the internal and external auditing features provided by these platforms. The continuous access to all supporting documentation is remarkable, as it can be easily shared with auditors at any time. This eliminates the need for teams to collect the required documentation and exchange information and clarifications with auditors. In most cases, automatically generated reports or visibility access is sufficient. Additionally, some market players offer a trust center for clients to create a dedicated repository. This enables auditors to directly access the repository and verify the correct implementation of the relevant framework.

One may have concerns about the accuracy and reliability of the data stored on the platform. However, all tools maintain access logs and monitor every action taken. Profiles can be personalized, precise visibility and action authorizations can be granted, and data remains unchanged and regularly refreshed.

When assessing compliance automation's ROI (Return on Investment), it's crucial to consider various factors, including time saved, cost reduction, enhanced efficiency, better resource allocation, risk mitigation, scalability, and other intangible benefits. Organizations can ascertain the software's worth by computing the financial gains and comparing them to the initial investment. Compliance automation licenses are between 15-25k per year, while the costs of relying solely on consultants can be four or five times higher.

Conclusion: The Benefits of Achieving SOC2 and ISO27001 Certifications

Enhancing trust and credibility with clients and stakeholders is important to gain a strong market position and expand the customer portfolio by making one investment that benefits the entire company. Compliance with ISO 27001 and SOC 2 frameworks opens new business opportunities, as many clients and partners prioritize working with compliant organizations.

The legal department plays a fundamental role in compliance. Their expertise helps interpret and apply regulatory standards effectively. They advise on legal implications, assist in risk assessment, and ensure adherence to relevant laws and regulations. Compliance is a cross-functional activity in 100% of cases, but the legal department plays a central role in building a corporate compliance program. It helps establish a collaborative network where other teams serve as key stakeholders, with increased involvement from IT and Cyber departments. Additionally, the legal department typically enjoys privileged communication channels with the corporate decision center and C-level managers. It has a direct reporting role to these functions, acting as a link between the compliance function and top management.

Strengthening the cybersecurity posture and mitigating risks is paramount in today's digital landscape. Organizations can proactively address potential vulnerabilities and protect sensitive data by implementing robust compliance frameworks such as ISO 27001 and SOC 2. Adopting compliance automation software streamlines processes, enhances efficiency, and ensures ongoing compliance. Compliance automation software, combined with active involvement from the legal department, enhances efficiency and effectiveness in achieving and maintaining compliance.

About the Author

Camilla Ragazzi, a guest writer at Newton, is a practical legal thinker who provides speedy, straightforward, yet solution-oriented advice. Understanding the dynamic nature of the tech industry, believing in technology enhancements, and knowing the legal requirements enabled her to help companies build efficient and legally compliant processes. She is currently in-house legal counsel in a multinational holding group managing and overseeing legal matters related to corporate management, including contract law, compliance, and corporate law.

Adopting Newton for your governance

Newton delivers an easy and intuitive platform to manage and automate your legal entities' information, governance, and compliance. If your entity management processes have an essential role in the sustainability and performance of your business (which they do for most), be sure to get in touch to explore how Newton can help you have everything you need to be in control of your entity portfolio.

But that's not all. By partnering with Newton, businesses can establish internal compliance policies that cover a more comprehensive range of issues related to their dealings with customers and suppliers.

So if you're looking to help your business stay ahead of the curve regarding compliance and legal support, chat with our team about partnering with Newton today.


About this article

Sources

Pathway Communications (2020). Significance of Compliance Certification to Business
Indeed (2023). 5 reasons why Compliance is important for a business
EY (2021). Compliance Risk management: four key areas of opportunity for a stronger compliance program
Diligent (2019). How to evaluate legal compliance
Perforce (2022). Compliance Management 101: Process and Challenges
Signaturit (2016). 8 essential processes and tools for any compliance officer
Thoropass (2021). How SOC 2 Compliance works: Gap Analysis
Sprinto (--). What is ISO 27001 Gap Analysis?
Advisera (2021). SOC 2 vs. ISO 27001: What are the differences?
ISMS (2022). Why ISO 27001 is better than SOC 2
ISACA (2022). Performing an Information Security and Privacy Risk Assessment
CISO (2021). Information Security risk assessment – 7-Step Guide
VARONIS (2022). SOC 2 Compliance Definition & Checklist
Advisera (2020). Enable teamwork to develop the right policies and procedures aligned with ISO 27001
Nakivo (2023). Incident response & Disaster recovery Plans Overview
IBM (2023). A step-by-step guide to setting up a data governance program
Techtarget (2022). 7 Best Practices for Successful Data Governance Programs
Diligent (2022). What is compliance monitoring and Why is it important?
SMS (2017). Monitoring vs. Auditing: best practices for compliance
Fortinet (--). What is compliance automation?
GAN (2021). Compliance Automation: the 6 essential building blocks
Forbes (2021). The importance of a strong Security Culture and how to build one

Images

Featured Image: Photo by Studio Republic on Unsplash
Featured CTA blog post: Photo by Jurica Koletić on Unsplash / Photo by Christina @ wocintechchat.com on Unsplash

June 5, 2023

Cybersecurity & Governance: Navigating the Challenges

Uncover the link between cybersecurity risks and corporate governance, learn about threats, proactive measures, and safeguarding data. Stay protected with expert advice and best practices.

Dear Legal Ops!
Welcome to this week's Let's talk about Legal Ops, offered by Newton. We tackle corporate legal departments, faster processes, and career growth. Please send us your questions; in return, we come back with real insights and actionable tips.
If you find this post valuable, don't miss the chance to check out our latest posts.


Businesses today face a critical issue that cannot be ignored: the dual importance of corporate governance and cybersecurity.

The projected cost of cybercrime worldwide is expected to exceed $8 trillion annually in 2023, and the United Kingdom government’s 2022 Cyber Security Breaches Survey found that 39% of businesses had identified a cyberattack in the previous twelve months.

Indeed, as cyber threats rise at an alarming rate along with the likelihood of successful hacking attempts on businesses, you must remain alert and consistently proactive to secure your business data and ensure the overall safety of your operations. At the same time, it is important, both as a legal requirement and for the safety of your business, that you have full and effective corporate governance in place.

By combining these two key focus areas, cybersecurity and corporate governance, you will be able to help your clients achieve their desired long-term success whilst building trust with stakeholders and safeguarding their reputation. Here, we explore the close relationship between cybersecurity and corporate governance and stress the importance of prioritizing both. So, let's delve into how paying close attention to these two areas will benefit your business.

Cybersecurity: Protecting Your Business from Digital Threats

Cybersecurity is a huge concern for governments, businesses, and individuals alike. Over the past couple of years, it has received significant political attention in both the US and the UK and is a prominent discussion topic amongst the business community. The UK government has released numerous reports on the issue, such as the FTSE 350 Cyber Governance Health Check Report in 2018, which examined how the FTSE 350 (the 350 largest companies listed on the London Stock Market, as defined by market capitalization) were managing their security risks. Now, in 2023, the European Union Agency for Cybersecurity is seeking to standardize EU cybersecurity legislation as a matter of urgency. This matter is being taken seriously across the board, and, as the international law firm Slaughter and May has noted, the UK government has categorized cybersecurity as a "Tier 1 threat" that ranks alongside terrorism. As this has become such a significant issue on the world political stage, it is essential to grant it the same level of attention in the boardroom.

With more sensitive data being stored electronically, the risk of cyber-attacks and data breaches has increased substantially. To mitigate these risks, companies are, by necessity, firming up their cybersecurity governance frameworks and best practices to ensure the safety of their digital assets. We're sure we don't need to tell you how implementing robust cybersecurity policies and procedures will help protect your business from potential threats and safeguard the valuable information you hold. However, staying ahead of the ever-changing nature of cybersecurity threats can be extremely challenging. That's why it is so vital that you embed a fundamental cybersecurity governance strategy in your business.

Have you considered whether your company is taking sufficient measures to ensure its cyber security? There is an ongoing danger of complacency on the part of companies, and it is crucial that directors acknowledge that cyber security is not just a trendy term or a technical issue relevant only to IT teams, but an aspect that warrants attention at the board level for continued business growth and success.

As Luis Aguilar, Commissioner at the United States Securities and Exchange Commission (SEC) warned as far back as 2014, the failure to implement strong risk and crisis management protocols could expose directors and companies to significant legal risks, including the accusation of breaches of corporate governance, directors’ duties, and disclosure obligations.

Securing the Board: Awareness of Cybersecurity Risks

As the multinational professional services firm Price Waterhouse Coopers reported in 2022,

“Cyber is a complex, technical area with emerging threats occurring almost weekly. Most board members are not cyber experts, yet boards have an obligation to understand and oversee this significant risk. They need active engagement with leadership, access to expertise, and robust information and reporting from management.”

The ever-evolving nature of cyber threats and the unpredictable motives and actions of malicious actors make it difficult to anticipate risks. Traditional risk governance models that have proven successful for physical and financial assets are mostly ineffective in tackling cyber risks, and the risks are multiple.

One of the most significant ways in which cybersecurity problems can harm an organization and its reputation is when a hacker obtains confidential information, such as bank account or credit card details, which can then be sold on the "dark web". This may result in the company losing its banking or credit card privileges and in a breach of privacy laws. Each month, high-profile security breaches affecting personal data are reported globally.

Recently, ransomware has become a major concern, with reports of commercially focused campaigns dating back to 2012. You also need to be aware of the many problems related to hacking. A hacker who gains access to sensitive information gains the ability to damage an organization's reputation, an especially devastating risk for small companies that may struggle to recover from the loss of goodwill. That is not to mention the risk of legal or regulatory action if customer data is lost or if a third party files a lawsuit. A single breach of privacy laws has the potential to result in significant penalties and legal action. As the types of risks constantly evolve, companies are best advised to consult specialists to identify their most notable risks. The non-profit Bipartisan Policy Center in the United States has identified the cyber hazards that companies are most likely to face in 2023, along with the critical actions it advises directors and their company boards to take.

Corporate Governance and Effective Cyber Risk Management

The results of a study conducted by a top 200 UK law firm are very concerning. The study found that over 80% of firms had at least one vulnerable service that hackers could exploit.

It isn't only hacking from outsiders that's the problem. There is also the risk of insider threats, from employees who knowingly or unknowingly reveal sensitive information, not to mention the threat of disgruntled employees who may purposefully disclose information in exchange for compensation. Threats abound: malware as a service, whose falling price has effectively democratized the hacking landscape; phishing links; the compromising of business emails; and the security vulnerabilities of cloud networks, to mention merely a few.

All this means that businesses and law firms must be acutely aware of any vulnerabilities and chinks in their armor and take steps to plug them. This is such a serious issue that in 2021 the Ninth Circuit Court of the United States reminded public companies of the vital importance of updating their risk factors with regard to cybersecurity, whilst the US Securities and Exchange Commission has long focused on cybersecurity risks.

Solving Common Governance Issues in Cybersecurity

The cyber risk landscape constantly evolves, and bad actors pose a constant threat. One problem with cyber risk is that it is difficult to quantify. This means that governance boards are grappling with emerging risks and with how best to exercise their duty of care to the highest standards. Companies must also be aware of the pitfalls they face: inaccurate mapping of existing and potential risks, which can lead to the underestimation of risk, as well as confirmation bias and overconfidence on the part of management and company directors. As a 2020 study on cybersecurity and challenges in corporate governance quoted one company director,

“Boards are illiterate about cybersecurity and the company’s reliance on information technology. But enterprise access to the internet is fundamental to delivering value, and all those transactions that rely on access to the internet are inherently unsafe”.

Yet the Corporate Governance Institute has noted that, despite the increased attention firms now devote to cyber-risk, 95% of board committees discuss cyber and tech risks only around four times a year.

Many company directors have admitted the inadequacy of their board oversight processes for cyber risk, blaming its constantly changing nature. Even boards proficient in managing intricate financial risks, like those of major banks, are still trying to determine the most effective way to oversee cybersecurity, especially in light of the never-ending demand for technology and connectivity from customers and managers. This means that thought must be given to the creation of new, specific cybersecurity governance roles and responsibilities, as companies have discovered that they cannot simply delegate the management of cyber risk to their IT department. As one director has acknowledged, there is an ongoing blurring between operational technology and IT, so

“if we limit cybersecurity to just IT, we’re leaving ourselves vulnerable”.

Building a Strong Cyber Shield: The Art of Board Composition

As board governance is commonly expressed through the establishment of principles, a fixed set of rules may not be the best way to regulate cyber security. Instead, a principles-based method enables every board to define and evaluate its individual direction while working within an established framework. The World Economic Forum has provided a significant reference study for companies that seek to formulate their organization's cybersecurity strategy and engage with stakeholders on cyber risk; it is particularly helpful for its six consensus principles for cybersecurity board governance.

Boards need to fully understand their exposure to cyber risk whilst taking proper ownership of company security, with full attention to detail. A holistic approach is then necessary, one that reduces the complexity of the technology and fully addresses processes as well as company culture and human vulnerabilities within the organization. Boards must ensure that cyber security provisions are independently validated and tested, just like any other important matter, and that a careful approach is taken to the legal and regulatory environment regarding cyber security as it becomes ever more intricate worldwide. This includes aspects such as industry-specific regulations, data protection laws, national security policies, and reporting obligations.


Cybersecurity Risk in ESG Oversight and Disclosures

Companies need to develop and sustain a well-thought-out global approach. It is a tough challenge, and that is not to mention the real risk of personal liability for company directors and officers. In fact, it is quite possible that European authorities, including the UK, may follow the lead of their US counterparts and hold directors personally liable if management failings lead to a cybersecurity breach or to the mishandling of one. This approach is similar to the current stance taken by authorities and regulators in various jurisdictions on environmental, social, and governance (ESG) disclosure requirements. This issue is so important that the SEC has emphasized its focus on cybersecurity in recent years. In 2022, SEC Chair Gary Gensler announced plans to request staff recommendations on the disclosure of cybersecurity practices, risk disclosures, and public disclosure of cyber events, with the aim of providing consistent, comparable, and decision-useful information.

The Crucial Safeguarding Role of the Executive Committee

If you are to ensure transparency in your board governance, then you need a robust corporate governance system in place. For many firms, this may mean a total recalibration of the executive committee structure. Companies should now regularly evaluate their risk response and question whether it is keeping up with the pace of developments. This includes careful consideration of executive committee roles and responsibilities, and challenging executive management to ensure that the response is sufficient and evolving as required. Another major issue concerns the need to note vulnerabilities and to envisage and prepare for incidents well in advance. Companies would be best served by considering the roles allocated to the executive committee versus the board of directors, considering suppliers and service providers instead of focusing solely on the organization, and implementing appropriate response strategies across all levels of the organization.

Summary

Ultimately, it is vital to emphasize the importance of good corporate governance in protecting your company, shareholders, and clients. Whilst many companies and their boards are taking on this challenging role and performing it well by being active, informed, independent, involved, and focused on shareholder interests, there is still a long way to go, and it isn't helped by the way cyber-risks are evolving, with the constant emergence of malicious software. Boards, therefore, have no choice but to adapt and oversee cyber-risk management to prevent and prepare for potential harm. Proper preparation, deliberation, and engagement are essential.


About this article

Sources

Aguilar, L. (2014). "Board of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus". US Securities and Exchange Commission.
Romanoff, T.; Neschke, S.; Draper, D.; Farschi, J.; Lord, B.; Douglas, A. (2023). "Top Risks in Cybersecurity 2023". Bipartisan Policy Center.
Caisley, L. (2023). "Directors face personal liability over cybersecurity". White & Case Tech Newsflash.
Crowe (2018). "Fraud and cybercrime vulnerabilities in the legal sector: Research into the risks impacting the top 200 law firms".
Esentire (2022). "Official Cybercrime Report".
European Union Agency for Cybersecurity (2023). "How Cybersecurity Standards Support the EU Evolving Legislative Landscape".
Gensler, G. (2022). "Remarks on Cybersecurity and Securities Laws at the Northwestern University Pritzker School of Law". US Securities and Exchange Commission.
Ivory, I.; Pittman, F.P.; Timmons, J.; Caisley, L.; Burke, A.; Hahn, A.A.; Turgel, D. (2023). "Cybersecurity Developments and Legal Issues". White & Case.
Phelps, B.; Cleaveland, A.; Weber, S. (2020). "Resilient Governance for Boards of Directors: Considerations for Effective Oversight of Cyber Risk". Berkeley, CA, and McLean, VA: Center for Long-Term Cybersecurity and Booz Allen Hamilton.
Price Waterhouse Coopers (2022). "Overseeing Cyber Risk: The Board's Role".
Slaughter and May (2017). "Cyber Security: Corporate insights for companies and their directors".
Stark, T.; Pittman, F.P.; Diamond, C.J.; Gez, M. (2021). "Time to Revisit Risk Factors in Periodic Reports". White & Case.
Summer, P.; Day, J.; Mahoney, M. (2020). "Cybersecurity: An Evolving Governance Challenge". Harvard Law School.
The Corporate Governance Institute (2020). @CorpGovInst, "Cyber risk massively important at boardroom level".
The World Economic Forum (2021). "Principles for Board Governance of Cyber Risk".
UK Government (2018). "FTSE 350 Cyber Governance Health Check Report 2018".
UK Government (2022). "Official Statistics: Cyber Security Breaches Survey 2022".
Ursillo, S. and Arnold, C. (2023). "Cybersecurity Is Critical for all Organizations – Large and Small". International Federation of Accountants.

Images

Featured Image: Photo by Arif Riyanto on Unsplash
Featured CTA blog post: Photo by Jurica Koletić on Unsplash / Photo by Christina @ wocintechchat.com on Unsplash