Cybersecurity is a hot topic at the moment as treasurers are focused on regulations such as the FCPA and the UK Bribery Act. Treasury Insider speaks to Lee Meyrick, director of information management at Nuix, about compliance planning and the implementation experience today.
As Nuix’s Director of Information Management, Lee has 10 years of data discovery and compliance planning and implementation experience. Lee advises organisations on the use of discovery techniques for information retrieval in unstructured data, with a particular focus on the fields of FCPA and UK Bribery Act and on the discovery of ‘risky data’ for remediation.
Treasury departments are increasingly focusing on cybersecurity. Why do you think this is?
Information itself is valuable to the organisations that keep it, but also to criminals. Credit card and banking details are almost as good as cash for cyber-crooks. More general information about staff or customers can be monetised through identity theft and fraud. Highly specific information such as pharmaceutical research is harder to monetise but can be extremely valuable to competitors who are trying to replicate a product. That ease of monetisation directs criminal activity to the most lucrative areas. The game changer for cybersecurity is that it removes proximity as a barrier. Bank robbers had to be physically present and get away with the money. In the cyber world, the further you are from the target, the more likely you are to get away with it due to the difficulty of attributing the attack and getting overseas law enforcement bodies to cooperate.
How does Nuix deal with “risky data”?
We generalise our steps as: identify, understand, classify, act. In many ways, the first two steps are the most important steps. Nuix allows organisations to adopt an evidence-based approach for dealing with risky data. Often we find the risks which organisations self-identify are based on flawed assumptions. As a result, they focus on areas where the risks are actually quite limited and miss others where the risks are higher. An example we see quite frequently is where organisations still have older versions of data, perhaps a backup, testing copy, or an extract report, which they thought had been removed. Often, these copies are much easier for cybercriminals to access than the master copy which has more rigorous controls. Once we understand our risks, Nuix allows us to take actions to remediate them. These are usually variants of deleting, encrypting, moving and securing the data to ensure it is either appropriately protected or removed.
What advice would you give treasurers in order to effectively plan for compliance to new regulations?
Regulation has increased globally. There are more rules, and regulators are being more rigorous, some might say zealous, in applying the existing ones. Companies too are becoming more global, which means they must adhere to more, and sometimes conflicting, rules. There are two main aspects to compliance. First, you must understand the rules, and second, you must understand what data you have. Only then can you have clarity on what those rules mean to your organisation. You should also expect oversight. We have seen companies globally investigated for reasons ranging from home market advantage to political pressures (especially true in banking over recent years), or simply to remind them that the regulator is watching and to test response times.
How is the Foreign Corrupt Practices Act affecting treasurers today?
In the domestic arena, we have the UK Bribery Act with very similar stipulations to the FCPA. However, over recent years we have seen the US Securities and Exchange Commission ramp up its investigative activities as a result of political considerations of perceived unfair advantage. As a result, the SEC has opened new offices to support the investigations. This has resulted in companies globally being subjected to sometimes very invasive scrutiny relating to their overseas activity and often the actions of subsidiary companies and agents. This requires strong institutional oversight to ensure compliance, and good information management processes so organisations being investigated can supply the requested data in a timely fashion.
Last month, the UK government reviewed the Bribery Act put in place 5 years ago. How has this act helped to combat corruption?
One of the main benefits of the UKBA is that in many ways it is more stringent than the FCPA. Thus a firm’s adherence to the UKBA by extension meets many of the obligations of other regimes. As the legislation is still quite recent, there are still some issues to be ironed out, such as the self-reporting regime, which in some cases has resulted in disincentives to reporting. The biggest issue still seems to be companies’ awareness of when and where the act applies, especially where subsidiaries and agents are concerned. Some companies have seen benefits as a result of the enhanced scrutiny of their overseas operations, because the need to supply information has led to better management of that information. However, there is still a long way to go.
Give 3 ways financial institutions can best deal with data challenges.
- Know what data you have and where.
- Understand which rules apply to you (which is not necessarily the same as which country you store the data in).
- Keep it safe and secure.