Revised DOJ compliance guidance offers risk-management lessons for cybersecurity leaders

Prosecutors use this guidance to assess criminal liability in a compliance breach, so it behooves business and security leaders to understand the expectations.


In February 2017, the Criminal Division of the US Justice Department (DOJ) issued its first-ever guidance for prosecutors of white-collar crime to use when assessing whether a company complied with its own risk management program. The document urged prosecutors to consider whether a company’s compliance program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment.” That guidance was updated in April 2019 into a formal document called “The Evaluation of Corporate Compliance Programs.”

Both documents aim to give prosecutors criteria to consider when bringing criminal charges. The three fundamental questions prosecutors are urged to answer when assessing whether the compliance programs are helping to “promote corporate behaviors that benefit the American public” are:

  1. Is the program well-designed?
  2. Is the program effectively implemented?
  3. Does the compliance program work in practice?

New update encourages dynamic compliance programs

On June 1, the DOJ issued yet another update to its compliance guidance, this time weaving in new language to make sure compliance programs aren’t merely one-and-done snapshots, but are instead dynamic programs that get updated to fit changing circumstances. The new guidance also asks prosecutors to make sure compliance programs are adequately resourced within organizations.

Like the earlier two versions, the latest guidance issued by DOJ is premised almost entirely on the adequacy of the organization’s risk assessment efforts, an approach well-known and particularly applicable to cybersecurity professionals. Prosecutors are urged to evaluate the quality and effectiveness of an organization’s risk assessment program by examining:

  1. The risk management process, particularly the methodology used to identify, analyze and address the risks an organization faces
  2. Risk-tailored resource allocation, namely whether the organization devotes enough resources to managing risks
  3. Updates and revisions, specifically whether the risk assessment is subject to periodic dynamic reviews
  4. Lessons learned, determining whether the company has a process for tracking and coordinating changes in its risk management program based on its experience

The DOJ also stressed the importance of risk-based training and communications about misconduct as essential parts of how it determines whether the organization’s compliance programs are up to snuff. Finally, the guidance highlights the importance of management support of the organization’s compliance initiatives and the value of extending compliance due diligence to third-party providers.

DOJ guidance takeaways for cybersecurity

Although the DOJ’s guidance is geared to helping prosecutors bring criminal charges against corporations and their officers, it is frequently used as a blueprint outside the Justice Department’s purview. It has particular relevance to the cybersecurity practices of organizations when it comes to, for example, data breach and other security-related lawsuits.

“If there were some kind of a failure that involves some kind of a [criminal] prosecution for, say, data loss or something along those lines, then this document might kick in to evaluate the effectiveness of how they set up and operated their data privacy and cybersecurity,” Carrie Penman, chief risk and compliance officer for risk and compliance software company NAVEX Global, tells CSO.

“But whether or not you end up in front of the DOJ, it sets up best practices to think about how you look at risk and how you mitigate risk,” which is vital in civil lawsuits, Penman says. Courts “want to know your thought processes and what your steps were to mitigate those risks to determine basically whether or not you did everything you could to try to avoid that situation from happening. This kind of an evaluation comes up in a civil case [when it comes to] a large group of people or individuals that have had their information compromised in data breaches.”

“One of the reasons the DOJ puts this out is to help compliance officers and security teams and people who are worried about bribery and corruption to ensure that the board and leadership give enough attention to these issues and properly fund them to mitigate risk,” Penman says.

Regardless of whether civil or criminal litigation is involved, the kind of guidance DOJ puts out is devoured by compliance officers across all organizations, Penman says, and when it comes to compliance, cybersecurity is top of mind for those executives. “We’re just about to publish results of the survey of around 1,400 compliance officers. The highest priority or concern for risk compliance programs in that survey was enhancing data privacy and cybersecurity and data protection.”

Compliance programs are more critical than ever given the COVID-19 crisis, Alison Furneaux, vice president of marketing for cybersecurity compliance management company CyberSaint, tells CSO. “The attack surface has expanded dramatically. Organizations are being forced to innovate. They’re being forced to put into place processes that they didn’t have before. They’re being forced to document and prepare for audits in a much more proficient way.”

“The predictability of it all is a bit more difficult to keep track of, and that’s because of this notion of moving to remote work,” according to Furneaux. “Some of the employees are using their own devices. You don’t really know what security measures they have at home. All of these things increase the risk dramatically.”

Cybersecurity needs a risk mindset

The risk management guidance that the DOJ puts out could prove useful to cybersecurity executives. “As more cybersecurity leaders are being asked to step into the boardroom and present what they’re doing to the board, they’re being forced to move beyond that compliance mindset into the risk mindset,” Furneaux says.

Intent matters when it comes to defending an organization’s risk management process, and trying to implement an adequate, even if not perfect, risk management program is essential. “Rome wasn't built in a day, and neither was your compliance program,” Penman says. What compliance officers and cybersecurity personnel are expected to demonstrate “is that you're continually working on it, and that you're applying your resources in a risk-based way.”

Copyright © 2020 IDG Communications, Inc.