Tactics

Regulatory Compliance: An Investment, Not Just an Expense

By Tom Schmidt

As statistics go, these should grab the attention of financial services executives everywhere:

AMR Research recently released a study that predicts the cost of regulatory compliance over the next five years will reach $80 billion. The researcher estimates that organizations will spend close to $15.5 billion on compliance-related activities in 2005 alone.

But here's the kicker, according to AMR: "Compliance is forcing businesses to look at what contributes to financial success, not just how to report financial performance. Through compliance mandates, companies are streamlining processes and reducing exposure to financial risk."

As AMR and a number of other researchers have observed, increasing pressures from both foreign and domestic regulatory bodies are finally forcing organizations to see the big picture, and to view compliance as a set of activities that cross business and IT groups.

Regulatory compliance and the fear of failed audits are major concerns for senior managers and their IT staffs. And for financial institutions in particular, business continuity (ensuring high levels of uptime) is directly connected to government oversight, revenue generation, profitability, and customer satisfaction.

Fortunately, the solutions that help an organization address regulatory compliance can also provide the foundation for addressing the security management challenge while creating value. Addressing regulatory compliance obligations with respect to information security, data protection, privacy, and operational sustainability requires that executives build or strengthen comprehensive capabilities in all of the following areas:

  • Threat detection (intrusion monitoring, malicious program identification, rogue technology discovery, log activity analysis)
  • Vulnerability detection (compliance testing, vulnerability scanning, operations availability analysis)
  • Threat and vulnerability infrastructure remediation (security infrastructure, security remediation, incident response)
  • Security and availability information management (asset classification, intelligence analysis, event correlation, standards and policy management, reporting)

The need to exceed minimum requirements

Because of increasing regulatory pressure, some financial institutions may be tempted to take a shortcut and implement only the level of security the regulations explicitly call for. But financial institutions need to understand that regulatory requirements are a floor, not a target: they represent the very minimum level of security that any organization can responsibly deploy. Regulations are intentionally written in broad, technology-neutral terms so that each company can select the hardware and software that best fit its existing infrastructure; a control that satisfies the wording of a rule therefore says little about whether it actually withstands the threats the institution faces.

Generally speaking, most of today's financial regulations require safeguards and strong internal and security controls that protect the confidentiality, integrity, and availability of information systems. These requirements aim to protect systems and their data against both known and unknown threats, whether internal or external. Most require companies to:

  • Establish and implement security controls
  • Maintain, protect, and assess compliance of established safeguards
  • Identify, respond to, and remediate weaknesses and violations

An information security program that exceeds minimum regulatory requirements and creates new opportunities should be the goal of every financial institution. Increasingly, forward-looking companies, while still very focused on meeting individual compliance requirements, are beginning to think strategically about implementing what some observers call a "system of record" for their businesses. Such a system replaces "chasing after" each new regulation with an established set of people, processes, and technology whose job is to assess risk and deploy protection; when a new mandate arrives, the institution maps it onto controls it already operates rather than building from scratch.

The benefits of "tough love"

In a recent report that explores how compliance can provide business benefits, researcher Gartner Inc. noted that the processes necessary to demonstrate compliance are essentially nothing more than the basic controls necessary to manage a business and to manage risk. Compliance makes these controls visible to outsiders, and legally enforceable. Further, the report noted that "the basic architecture and infrastructure for gathering compliance-related information can be easily extended to provide better business management. Extending the information gathered and analyzing it will help manage key risks. To mitigate the cost of compliance, companies must look for and execute the leverage points that improve business performance.

"Compliance imposes a discipline and a structure that ensures documented decisions about how the business is run. It provides a mechanism for implementing best practices throughout the business, which will lead to improved business performance. Companies are realizing only now that the 'tough love' regimen imposed by compliance does lead to long-term benefits in terms of improved business performance."

Gartner's report goes on to cite other tangible benefits as well. A good rating for compliance processes, for example, can reduce premiums for directors-and-officers insurance and improve a company's credit rating. A good rating will also reassure shareholders about the quality of an institution's management.

Conclusion

The integration of leading technologies, tight controls, and strong processes not only achieves compliance with a wide range of regulations, but also adds meaningful value to the business by protecting a financial institution's most critical assets: its information, its brand strength and reputation, and the continuity of its operations.

For financial institutions, compliance should be simply the first step in a strategic and comprehensive approach to building a secure and available infrastructure. It's an investment that's well worth the expense.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.
