The CCO’s blind spot: When team members go online

By John Klassen

John Klassen (jklassen@authentic8.com) is a Product Marketing Manager at Authentic8 in Redwood City, CA, USA.

Investment management firms depend on the internet for research, web apps, and communication with business partners, and most firms rely on the web browser as a primary tool for conducting business. This has created a widening compliance blind spot, because locally installed web browsers are notoriously difficult to maintain, secure, and monitor. How can chief compliance officers (CCOs) and IT teams manage the associated risks?

What happens when employees go online? Behind closed doors, many CCOs and IT administrators readily admit they don’t really know. Most compliance teams have only limited visibility into their employees’ online behavior. Though diligent about archiving email and chat communications, their firms lack similar records of employee web activities.

Finding themselves under growing pressure from regulators to ensure compliance and remediate areas of cybersecurity weakness,[1] compliance officers cannot trust that tightening policies and updating compliance handbooks will be sufficient to protect the firm and satisfy examiners.

Control lost, risk increased

Compliance leaders and IT administrators have ample reason to worry. Without effective governance and granular oversight of employee activities online, regulated firms are facing increasing risks of noncompliant behavior and cybersecurity breaches, mainly in three areas:

  • Social media and online comments/reviews: Social media sites are of particular concern for a growing number of CCOs.[2] Employees posting public online comments run the risk of violating the Testimonial Rule.[3] This risk extends well beyond the “traditional” social media sites; infractions are as likely to happen on LinkedIn or Facebook as in the comment sections of industry portals or garden-variety investor blogs.

  • Data exfiltration by insiders: Regular web browsers allow for unrestricted—and unmonitored—copy/paste or file transfer, for example from one cloud storage account or service to another.

  • Remote access and personal devices (BYOD): Employees are accessing sensitive data from remote locations like a home office, coffee shop, or airport lounge, often from insufficiently protected hardware, and they can inadvertently compromise the firm’s network in the process.

How did firms lose control and visibility over such critical areas? Industry insiders blame the web browser.[4] The primary tool used by employees in their online activities has become a critical compliance blind spot.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings