By now, most high-tech conferences have devoted at least one 30-minute session to the topic of Sarbanes-Oxley (aka “Sarbox”).
Complexity of language aside, Sarbox has wide-ranging implications that span the breadth of the high-tech industry. It has become increasingly important to know which portions of the law apply to your organization, and to the organizations that you do business with.
HIPAA, GLBA, ISO 17799... In addition to Sarbox, the sheer number and diversity of industry regulations and standards make corporate compliance a challenging combination of company policy, the necessary technology, and the ability to implement both. What appears in nearly all government and industry regulations is the requirement for a comprehensive incident response process, and the technology needed to support it.
There are two critical sides of the equation to consider: that of the corporation, and that of its clients. From a corporate perspective, getting a handle on all of the new legislation is not an easy task. An untold number of vendors are touting their ability to sell you magic software that answers all of your compliance needs. One silver band-aid to mend all of your untoward ways! Unfortunately, it doesn't work that way, and in this cautious economy, spending money on every new "issue" isn't looked upon kindly by the CFO. So how do you know which product is right for your organization? Do you really need a product at all? What about policies? Are the policies you currently have in place enough to call you compliant?
Those questions lead to more questions, such as, what are companies doing about compliance? What should they be doing? Is there a "minimum level of compliance"? Should corporations be as fearful as the 'compliance camp' is telling us we should be? The questions are endless.
I decided to consult the oracle of all things, the industry expert that is not me. In this case I turned to Victor Limongelli, General Counsel for Guidance Software in Pasadena, California. Victor spoke to me about what he sees happening in the industry from implementation to compliance enforcement. The changes are real, as is the seriousness of failing to comply.
"A company could have terrible internal controls and zero ability to conduct internal investigations, but if at the end of the day they've had no accounts of fraud, then they've had no losses. It'd be less likely that the SEC would go after them than the companies that have had fraud occur that they were unable to uncover. However, no one really knows what the level of enforcement will be, as most of the provisions of Sarbanes-Oxley haven't come into effect yet. The 404 provisions relating to internal controls go into effect later this year for U.S. companies and next year for smaller and foreign issuers."
"I believe that the SEC will be focused on going after the high-level executives, and you see that currently with the type of prosecution against Kozlowski of Tyco and Kenneth Lay of Enron. The SEC is very focused on the heavy-hitters. Sarbox certainly reflects that with the requirement that the CEOs and the CFOs evaluate and attest to the company's internal controls," explains Victor.
Could it be construed, then, that worrying about compliance isn't something one should be doing? That raises the question of complacency. How can any organization be sure that it won't experience some type of fraudulent action that requires an investigation? To put it simply, it can't.
"The key is to be able to uncover wrong-doing inside of the company and cooperate with law enforcement and regulatory authorities to limit corporate liability. You don't often know whether someone's committing fraud, misappropriating company assets, or stealing your intellectual property until it's happened. You have choices, though: you can find out it's happened after you've suffered a huge loss, or you can intercept it while it's happening. You don't want to find out two years from now that someone in finance has been placing millions of dollars in offshore bank accounts," says Victor.
It was my understanding that the executives of these corporations are culpable for what occurs under their watch. It is actually more nuanced than that, and it is these nuances that underscore the importance of having a cohesive response plan in place.
As Victor illustrates, "First of all, the things that you have been seeing since 1999 (Enron, Tyco, etc.) involved executives who were actively taking part in the fraud of their companies, and were therefore held responsible. However, executives are culpable in that the CEOs and CFOs are signing off on the financial statements, essentially saying that they have evaluated the company's internal controls and they are effective. If it turns out that they didn't have good internal controls, they are going to be held accountable for having misstated the truth. I don't want to tie it only to executives, though. The Board of Directors and the audit committee are tasked with being able to investigate complaints about corporate fraud and accounting problems. Certainly the Board has a responsibility as well. To the extent that complaints are coming in, and the company is unable to investigate them effectively, unable to uncover what's going on, and at the same time the CEOs and CFOs are signing off that they have an adequate control structure, I think those executives are at great risk."
What about the companies that aren't large enough to report their finances to the SEC? Is it still important for them to implement an incident response process and be in compliance with these regulations?
"Depending on the industry, there are other regulatory structures that are in place requiring companies to be able to self-investigate and cooperate with law enforcement. If you look at regulations under Gramm-Leach-Bliley (GLBA), which apply to the finance industry, one of the requirements of a response program is to be able to make adequate reports to law enforcement. Clearly a company needs to be able to collect evidence and cooperate under those regulations. The same is true under HIPAA. We then have state regulations as well, such as California's SB1386, which deals with self-disclosure. There are a variety of laws on a per-industry basis that apply," answers Victor.
I asked Victor what his impression was of compliance-related changes within various organizations: "I think what is important is the trend. If you go back six years, you could have given a talk titled 'Information response regulation is on its way.' Now, it's here, and it's expanding. You have it touching public companies under Sarbox, affecting the health-care industry with HIPAA and the financial industry with GLBA. You have anti-identity-theft statutes such as SB1386, which is now primarily Californian, but is being looked at on a national level. The trend is to increase information security regulations, increase requirements for self-investigation and employ the ability to mitigate liability."
Compliance issues are not an American-only concern. John Weigelt, Chief of Security and Privacy for Microsoft Canada, states, "When I speak to clients about security-related issues, they are also very focused on compliance issues. While the Personal Information Protection and Electronic Documents Act (PIPEDA) remains a primary concern for Canadian businesses, I have found that many clients are equally occupied trying to address U.S. legislation such as Sarbanes-Oxley."
From a client perspective, the risks are even more serious, as they are often life-altering and financially devastating. The potential damage resulting from the lack of an effective incident response process runs the gamut from the theft of one's identity to unauthorized financial transactions totaling millions of dollars. As a customer, I expect that the companies I do business with employ an effective incident response process. I expect that they will let me know when my credit card data has gone missing. Unfortunately, as customers, we do not find out which companies take this seriously until it's too late. Personally, I don't want to open my credit card statement to find that I've apparently purchased one million boxes of latex gloves on eBay.
In a recent case in the Eastern U.S., BJ's Wholesale had a security breach in which up to tens of thousands of credit card numbers belonging to registered customers were captured. Several major U.S. banks were forewarned to alert their credit card customers to the possibility of fraudulent card use. A month after a formal investigation was opened into the incident, customers whose information had been stolen were only just finding out that their credit cards had been used fraudulently around the globe. It has not been confirmed whether BJ's had any customers located in California, but if it did, notification of the security breach would be mandatory under the current California SB1386 statute. As it stands, BJ's apparently left the unsavory task of notification to the majority of banks and credit card issuers, passing the buck and delaying the negative publicity.
Essentially, they did not have an effective controls process in place, were not examined by the regulatory bodies, and were never fined or forced to improve their processes, yet now they are forced to do all of the above, and have damaged their reputation and their clients' credit files in the process. So I pose the question: can any company afford not to worry about compliance?
The number of people paying attention to compliance-related issues speaks for itself.
At RSA's San Francisco conference this past February, more than 200 people, at standing-room-only capacity, listened to a discussion on compliance and regulatory requirements from an enterprise perspective. Guidance Software regularly hosts educational webinars that address Sarbox as a control initiative for hundreds of worldwide attendees. Large corporations such as Sun Microsystems are holding meetings to hear vendors present their "Sarbanes-Oxley support products," and at conferences around the globe there are multiple sessions devoted to understanding and preparing for regulatory compliance.
As criminals grow increasingly savvy, operating freely from inside as well as outside the organization, employing proper controls and technology becomes less of a compliance issue and more of a survival tactic. The regulations were created precisely to drive such infrastructure changes and to avoid the damage that results from the lack of an effective IT process. For corporations as well as clients, compliance is a critical issue on a variety of levels.
Whether it's Sarbox or GLBA, HIPAA, or PIPEDA, regulations are here and have expanded. It's no longer acceptable to wait until the inevitable to secure the fort.
As Victor reiterates, "Compliance with the securities law is no trivial matter, but more importantly, do you have the ability to effectively investigate what's going on within your organization?"