By Nina Bryant – Director in FTI Consulting’s IG Privacy and Security practice in EMEA, Cheryl Davis – Managing Director for Cybersecurity at FTI Consulting & Paul Prior – Managing Director within FTI Consulting’s Performance Analytics Practice
Establishing and maintaining trust with shareholders and clients is becoming increasingly difficult in a world of data breaches, cybersecurity attacks and patchwork data privacy laws.
Trust is essential for businesses to thrive, especially in today’s competitive global market. Consumers and business partners have endless choices for where to spend their money and place their trust. Social media and the accessibility of information is placing a greater burden than ever before on corporations to be transparent and meet expectations. CEOs are being held personally accountable for mistakes that have exposed private consumer data. Conversely, valuing and protecting privacy, and demonstrating that the controls are in place to do so, can make a positive impact on commercial business.
As countless headline-making breaches have shown, trust can be lost in an instant and is difficult to regain. Beyond the brand damage and disruption to company leadership, data breaches are also expensive. The Ponemon Institute and IBM have studied and monitored the costs of data breaches over the last several years. In 2017, the average cost was $3.62 million and the average size was more than 25,000 records.
Issues that can impact the trust ecosystem are evolving quickly and they are unfolding in the daily news. It was recently revealed that Cambridge Analytica, a data analysis company that provides consulting services for politicians, obtained private information from tens of millions of Facebook profiles from a third-party partner of the social media giant. It allegedly used this information to tailor messaging in an effort to influence voters’ decisions in US elections. This is a glaring reminder that personal data is often utilised – perhaps even unbeknown to data subjects – to shape public feelings and attitudes, sometimes in violation of existing policies and laws. When incidents like this are uncovered, new questions and concerns about privacy and trust emerge.
The Cambridge Analytica news came on the heels of social media companies facing the aftermath of revelations that entities had allegedly leveraged their platforms to spread false information to sway public opinion. Facebook announced it would introduce trust ratings for news sources to rein in the spread of disinformation and begin addressing the difficulty of verifying the truth of information online. Mark Zuckerberg appears to understand the gravity of this, saying: “Social media enables people to spread information faster than ever before, and if we don’t specifically tackle these problems, then we end up amplifying them.”
Companies, such as Franklin Trust Ratings, which leverages data analytics to provide trust intelligence for the healthcare industry, and Trust Pilot, an online review community that has enabled more than 32 million reviews of hundreds of thousands of businesses around the world, are gaining traction in the global shift towards transparency and accountability. These and other emerging platforms are making trust more quantifiable, but demonstrating and upholding integrity will remain a fragile endeavour.
Boards have taken notice and executive leadership is more invested than ever before in mitigating reputational risk stemming from a breach of trust. Still, multinational corporations are struggling to reconcile their cybersecurity and information governance efforts with the shifting landscape of privacy laws, consumer expectations and data management challenges. But a company that is facing privacy and security issues does not need to radically change the way it does business. Instead, it can leverage culture to implement and foster the necessary policy, procedural and technological transformations needed to strengthen its security stance and protect its trust ecosystem.
Though many organisations are losing sleep over how to manage information under the new expectations and regulations for privacy and security, these can be viewed as an opportunity. This article will discuss how a holistic, client-centric approach to compliance and cybersecurity can build stronger trust with external and internal stakeholders and enable leadership to leverage emerging standards as opportunities to improve their overall corporate stance.
We have seen that cyber incidents and attacks can have far-reaching impacts on society – including the company’s own reputational loss, economic impacts, critical infrastructure disruption and national security risks. A key step in strengthening cybersecurity posture is to understand the current landscape and the top threats on the horizon. Among these are trust-based threats and risks stemming from the supply chain and third-party vendors. An organisation needs to trust that its systems and vendors have the appropriate measures in place and are meeting basic cybersecurity standards. If it is found that basic standards are not met and data is compromised, integrity is undermined among employees, partners and clients.
Malicious cyber actors, whether they be nation states, cybercriminals, hacktivists or cyber terrorists, have a globally accessible platform to conduct all manner of highly effective operations, from physical destruction and the undermining of trust, to stealing money. The reach of these operations is not limited to governments; it extends into private industry and civil society, and businesses must be prepared for their critical areas to become targets. A case in point is the WannaCry ransomware event, which targeted unpatched systems and resulted in major financial costs and the disruption of medical services in the UK.
The proliferation of connected devices is another top issue and a double-edged sword. Society is benefitting from this connectivity, but the opportunity space for cyber threats and vulnerabilities has grown exponentially in parallel. While the community is working diligently to enhance the cybersecurity of devices and communication pathways comprising the Internet of Things, such as the signals sent between autonomous vehicles, malicious cyber actors are trying to capitalise on these devices’ insecurity.
Privacy has become law
Strict data privacy and cybersecurity regulations have emerged in many jurisdictions around the world and have created a complex patchwork of laws that corporations must navigate, just as they are trying to enhance resilience in the face of a dangerous threat landscape. In some cases, these laws may overlap or contradict each other, and organisations operating across international borders must have frameworks in place that manage the jurisdictional nuances and maintain compliance.
The European Union’s General Data Protection Regulation (GDPR) is top of mind for many organisations. This regulation requires organisations to meet stringent data protection requirements over personal data belonging to EU citizens (defined as any information relating to an identifiable individual, which can include anything from a physical or email address, age and gender, to IP addresses, GPS location, health information, search queries, items purchased, etc). The GDPR has also introduced new requirements around the rights of European data subjects. This requires corporations to find and retrieve data across multiple platforms within a short time frame and potentially erase, update, export or limit processing of some data.
The Network and Information Security (NIS) Directive should be on the radar of EU organisations. It complements the GDPR and brings additional compliance measures around network security and breach management. The directive states that operators of essential services (telecoms, energy, transport, banking, health and similar sectors) and digital service providers must establish breach-response procedures, and that member states may prosecute cyber crimes committed within their jurisdictions. The UK, Canada, France, Germany, Japan, India, Singapore, Australia and others have enacted laws of varying scope along these lines.
China’s Cybersecurity Law is an extensive law that, unlike the GDPR, was drafted from a national security perspective rather than to empower citizens’ rights over their private data. It went into effect in June 2017, and failure to comply can lead to serious legal prosecution by the Chinese government, including the suspension or closing of a business and fines of up to RMB 1,000,000. The law’s requirements include greater demands on the protection of key information and a requirement that sensitive data be stored domestically rather than transferred outside of China.
Both China’s new law and the GDPR stand in stark contrast to US policy, which, outside of certain vertical industry regulations (such as the Health Insurance Portability and Accountability Act) and various state data breach laws, does not address data protection holistically across all sectors at the federal level. Some federal and state laws that outline how corporations must respond and communicate in the event of a breach have emerged, and fines may result if reporting is not carried out in a timely and thorough manner. The Computer Fraud and Abuse Act and the Electronic Communications Privacy Act prohibit unauthorised computer access and interference to obtain data.
There is also a strong push in the US for government and private sector collaboration on the cybersecurity front, so a community of experts is sharing intelligence across sectors. The UK and Australia have also implemented consolidation across public and private groups to share cybersecurity standards and intelligence.
Consistency through information governance
An information governance (IG) framework can help corporations understand their data landscape, identify business and cybersecurity risks, assign accountability and address critical trust issues. Corporations can then build the controls and structure to ensure critical data is protected and managed appropriately, demonstrating that they take the privacy of customer data seriously. A strong IG framework identifies what data is stored where, defines how long data is retained and ensures it can be retrieved in a timely fashion. This simplifies the challenge of dealing with conflicting regulations and jurisdictions by defining the corporation’s retention policies across jurisdictions and making it easier to locate critical documents. Legal and compliance teams can then align various groups of data, such as personal data within marketing databases or contracts, with their cybersecurity risk profile and regulatory requirements, and ensure the appropriate security and retention controls are applied.
For IG to be successful, executive leadership must buy in, fully support these initiatives and drive the required shift in culture and behaviour. Board-level support is key to eliminating the departmental silos that often block programmes from success, to instilling organisational awareness of responsibilities, and to training employees in how to uphold privacy and how these efforts align with business objectives.
Certain steps can be taken to build a strong respect for, and practice of, security and privacy into the cultural fabric of any organisation. Practical steps organisations can take to proactively build IG programmes that shape a culture of trust that is sustainable long-term include:
- Build cross-functional teams: IG, compliance and privacy programmes are often born out of a single function and eventually become marginalised because they are perceived not to make an impact across the entire organisation. When cross-functional teams are aligned, they can build remediation programmes that address overall risk, not just the risks that apply to a single department.
- Map critical data: Understanding where critical, personal or sensitive data and assets are stored, and prioritising security for those first and foremost, helps to arm against the diverse landscape of threats that can compromise privacy and security. Building programmes that can evolve in response to emerging cybersecurity threats is also critical in driving a long-term defence.
- Leverage training and incentives: Employees must receive engaging and customised training to help them understand how to transform habitual activities into practices that align with IG policies. This may also include incentives for compliance. Some of our clients have escalated this to senior executives, introducing incentive and bonus schemes that include data protection benchmarks.
- Watch for emerging tech: Technology capabilities are maturing, and we are seeing new tools and features that use unstructured data analytics to evaluate risk and make recommendations about where controls should be tightened. Privacy, compliance and IG teams should stay abreast of technology advancements and be prepared to implement tools that can automate some of the most challenging aspects of data management.
Ultimately, data regulation forces organisations to reconcile the information they store, which, beyond strengthening the privacy stance and mitigating risk, creates an opportunity to leverage data assets for analytics and business use. An organisation that has executed a ‘privacy by design’ culture and IG framework is not limiting what it can do, but rather opening doors to innovation that can drive business. A business that has established trust, and has the foundation in place to maintain that trust, gains an advantage over competitors that have not taken these important, proactive steps.
About the Authors:
Nina Bryant is a Director in FTI Consulting’s Information Governance Privacy and Security practice in EMEA. Nina is an experienced Information Lifecycle Governance strategy leader and expert in leading complex global regulatory, IT and business transformation programmes to deliver world-class information governance (IG) solutions. Nina specialises in combining IG knowledge across legal, compliance, privacy and risk with technology transformation experience: aligning stakeholders and building global business transformation programmes which drive changes in culture and behaviour underpinned by effective technology and user adoption. She has led the development and implementation of policy, governance, and control frameworks, and assessment of compliance with regulatory requirements for data protection and records retention.
Cheryl Davis is a Managing Director for Cybersecurity at FTI Consulting. She previously served as the Director for Cyber Response Policy at the U.S. National Security Council, where she led the development of whole-of-government responses to malicious cyber activity. She coordinated the implementation of the bilateral U.S.–China Four Point Agreement, which set the rules for theft of intellectual property by nation-state actors. Before serving on the National Security Council, Ms. Davis was the Principal Director for Cyber Policy at the Department of Homeland Security, and she has served on the staff of the Office of the Secretary of Defense.
Paul Prior is a Managing Director within FTI Consulting’s Performance Analytics Practice. He is both an award-winning digital strategist and a risk and regulation specialist, having spent the best part of two decades working with Fortune 500 companies and high-potential start-ups in the Americas, South Africa and Europe. Paul regularly contributes to reputable publications such as The Guardian, The Sunday Business Post, CIO Magazine, Consulting Magazine, The Times and Business Insurance, and is a regular on the speaking circuit – offering diverse insights on areas ranging from pragmatic data compliance to automation and digital operating models.