Like many CEO's, hearing about global companies experiencing a data breach makes me lose sleep. In fact, I followed the recent Garmin data breach quite closely, and not only because I'm an avid runner. Every organizational leader should no doubt feel a sense of anxiety when they consider the hidden legal and reputational risks associated with a possible data breach. I feel managing these risks can actually be quite simple - and it comes down to internal controls.
I recently shared an article with Chief Executive where I explored how to work with your internal teams to put systems in place to identify risks associated with third-party relationships. In part:
"On the data privacy front, compliance is becoming increasingly complex due to a slew of new laws like CCPA, GDPR and the European Court of Justice’s recent ruling that shut down the U.S.-E.U data privacy shield. Ransomware is also growing ever more sophisticated, with Fortune 500 companies coming under increasingly brazen attacks. The clear trend is toward more stringent requirements on companies to protect the data they control, including through third parties.
Controls will help you stay on the right side of the growing thicket of regulations while avoiding the kind of long-term reputational and client confidence damage that Garmin is facing.
The stakes on corruption are also rising as the Department of Justice follows through on its intent to prosecute more individuals under the FCPA. Last year, it prosecuted 39 people, among the highest numbers on record, and collected a record $2.65 billion in settlements.
Jail time for executives who were not diligent in managing these relationships is an increasingly real possibility as more cases go to trial.
Foreign channel partners are among the biggest risks for a FCPA violation. That sales agent in China may have been bringing in solid revenues for years with few questions asked, but what if he’s been going around bribing officials in your company’s name? When he’s caught, the FCPA’s primary focus is going to fall on you, not him.
Getting on top of these risks is easier than most CEOs think and doesn’t require an army of expensive external lawyers. What is required is a system of controls to identify risk and to move forward with remediation. Merely having controls in place is usually an effective defense in FCPA cases, even if something slips through. The biggest FCPA settlements have involved companies that had no controls. When its star real-estate deal-maker in China was prosecuted for FCPA violations, Morgan Stanley was cleared of blame because it had strong internal controls in place."
The key to sleeping well at night, in my opinion, is feeling confident that if the regulators shine a light on your internal processes, you will have the right controls in place to demonstrate you have done your part to identify and remediate third-party risks.
Read this article to learn more: Why The Garmin Data Breach Should Be A Wakeup for Every CEO