How SOC2 Compliance easily achieves HIPAA & HITRUST

By Narendra Sahoo

Today, we are witnessing an increase in the transition of physical data to digital formats. This has pushed the need for strict security practices to protect that data from theft or breach. As personal information becomes more valuable, the frequency and severity of security breaches have only increased over the years. To address these growing data security issues, a number of regulatory and compliance requirements have been established across industries for businesses to comply with. However, with so many compliance regimes in place, businesses are often left confused about which compliance commitment is right for their organization to pursue. Among the well-known data protection laws and standards are HIPAA, GDPR, CCPA, PCI DSS, etc., all designed to protect the data and privacy of consumers.

While most of these industry standards and approaches have evolved to protect data better, their variety and complexity can leave you struggling to know where to begin. While most have specific and unique requirements, all require a basic set of best practices with respect to the privacy and protection of data and services. That said, using a well-known standard like SOC2 will help organizations establish a solid foundation for information security. Implementing SOC2 will also help your organization keep up with the evolving demands of compliance. In this article we highlight how SOC2 Compliance makes the process of achieving HIPAA Compliance easier.

Understanding SOC2 & HIPAA Compliance

SOC2 and HIPAA compliance are two different sets of requirements that overlap on many fronts. There is an increasing trend among organizations of using the SOC2 framework and the supporting Trust Services Principles to simplify the process of achieving HIPAA compliance. Organizations that seek to become compliant with the evolving HIPAA standards, particularly the HIPAA Security and Privacy Rules, may find the process much simpler if they have achieved SOC2 Attestation. Before looking at how the process becomes simpler, let us start with the basics: what SOC2 and HIPAA Compliance are.

What is SOC2 Attestation?

SOC2 is an audit procedure that ensures organizations securely manage customer data, protecting the interests and privacy of their clients. For security-conscious businesses, SOC2 compliance is a minimum requirement and a basic foundation for achieving other regulatory compliance.

What is HIPAA Compliance?

HIPAA is a federal law that requires covered entities and their business associates to protect the integrity and privacy of patients’ Protected Health Information (PHI). It requires entities to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Establishing the Foundation with SOC2

Achieving compliance with HIPAA and SOC2 shows how serious organizations are about securing the privacy of consumers’ data. Today, organizations are keen to implement stringent security controls to demonstrate their seriousness about information security and data privacy. For this very purpose, SOC2 forms the foundation for achieving most compliance and regulatory requirements pertaining to protecting data. SOC2 can present organizations with significant advantages by demonstrating the effectiveness of the design and operation of an organization’s internal controls. SOC2 defines a set of criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy.

SOC2 Trust Service Principles

  1. Security: The system should be protected against unauthorized access, use, or modification.
  2. Availability: The system should be available for operation and use as committed or agreed.
  3. Processing Integrity: System processing should be complete, valid, accurate, timely, and authorized.
  4. Confidentiality: Information designated as confidential should be protected as committed or agreed.
  5. Privacy: The collection, use, retention, disclosure, and disposal of personal information should be as per the commitments in the service organization’s privacy notice and the criteria outlined in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA.

Defining the Systems in Scope

Determining which TSPs to validate against when pursuing compliance with the HIPAA mandates is a major concern for most people. In reality, all five TSPs have a credible connection with HIPAA Compliance, but organizations should first define the relevant scope for achieving compliance. The system in scope is described in terms of the following components:

  • Infrastructure – The physical and hardware components of a system, including facilities, equipment, and networks.
  • Software – The programs and operating software of a system, including applications, systems, and utilities.
  • People – The personnel involved in the operation and use of a system, which may include developers, operators, users, and managers.
  • Procedures – The automated and manual procedures involved in the operation of a system.
  • Data – The information used and supported by a system, including transaction streams, files, databases, and tables.

SOC2 and HIPAA Compliance: Requirements that Overlap

While the regulations an organization is expected to follow depend greatly on its industry, customer base, region, and market of operations, there are enough overlapping requirements between the established SOC2 standard and various regulations, including HIPAA, to make SOC2 a good foundation for achieving HIPAA Compliance. Given below are the areas where SOC2 and HIPAA Compliance requirements overlap. To understand how far SOC2 will get you on HIPAA Compliance, we have drawn up a comparison chart to illustrate coverage levels on critical elements.

| Titles | SOC2 | HIPAA |
| --- | --- | --- |
| Security | The Security TSP requires organizations to protect the system against unauthorized access, use, or modification. | HIPAA’s Security Rule calls for the security of data and protection against unauthorized access or use. The rule requires three kinds of protective measures to be in place: administrative security, physical security, and technical security. |
| Availability | The TSP requires the system to be available for operation and use as committed. | The HIPAA rule requires entities to ensure the availability of all e-PHI they create, receive, maintain, or transmit. |
| Confidentiality | Information designated as confidential should be protected by all means. | In HIPAA Compliance the confidentiality of PHI is given great emphasis; PHI cannot be disclosed to anyone without the consent of the patient. |
| Integrity | System processing should be complete, valid, accurate, timely, and authorized. | HIPAA compliance needs to cover integrity controls, or have measures in place to confirm that ePHI is not altered or destroyed. |
| Privacy | The collection, use, retention, disclosure, and disposal of personal information should be as per organization policy and as set out in the GAPP. | The Privacy Rule in HIPAA strikes a balance between protecting PHI and using the information only when it is necessary. |

SOC2 and HITRUST CSF Convergence

HITRUST CSF is a security and privacy framework, initially built on ISO 27001, which meets the requirements of multiple regulations and standards. Over time, the CSF evolved to include a significant number of standards, regulations, and business requirements, organized into 14 high-level control categories, 46 control objectives, and 149 control specifications. The framework provides a way to comply with standards such as the ISO/IEC 27000 series and HIPAA. While SOC2 reports are based on a reporting framework and HITRUST CSF is based on a security and privacy control framework, there are synergies between the SOC2 TSC categories with their underlying criteria and the HITRUST CSF controls. Pursuing HITRUST certification and SOC2 attestation in tandem facilitates greater resource efficiency, as the HITRUST CSF requirements cover many of those within a SOC2 attestation.

Simplifying Compliance Efforts 

The bottom line is that organizations should select the standard that is best suited to their market and customers. Selecting a standard that brings your organization closer to meeting another standard is critical. That said, a SOC2 Type 2 audit is a broader framework and goes farther than ISO 27001 in measuring the design and operating effectiveness of systems. Since SOC2 Compliance covers a broader range of control requirements, it builds a foundation for achieving compliance with other regulations. It simplifies the effort required to achieve and demonstrate compliance with other regulations like HIPAA and HITRUST CSF. With a SOC2 attestation, your organization will be well positioned to satisfy a range of requirements under other regulatory regimes. However, it is important to note that while SOC2 makes compliance efforts easier, it is not a substitute for a HIPAA audit. HIPAA requires specific policies, personnel training, and breach remediation processes that are not covered in SOC2 audits. So, do not misinterpret SOC2 Compliance as a substitute for a HIPAA or HITRUST audit.

Author Bio

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec, a foremost Company in the Infosec Industry.

Digital fraud, cyber crime increases globally during coronavirus

Connect Global Group holding virtual summit June 16

COVENT GARDEN, LONDON — The coronavirus outbreak is wreaking havoc on commercial activity across the globe and hastening cyber and financial crime.

A growing dependence on digital infrastructure — coupled with this sudden increased threat landscape — has raised the cost of failure. It has allowed cyber and financial criminals to feed on augmented levels of fear and uncertainty from those who are finding themselves online more and more, today and in the future.

The solution: Financial institutions need to activate boosted digital hygiene standards, be extra vigilant on verifications and follow official updates to protect customers and their own business.

That’s why Connect Global Group — known for its forums, professional training, content library, and community of experts — has put together perhaps the year’s most important interactive, virtual summit on cyber and financial crimes. The cyber threat and crime summit, called IDENTITY.i Virtual Summit, takes place June 16. The speakers and panel of international experts will focus on anti-money laundering (AML) technology and processes; know your customer (KYC) processes at large and small institutions; true digital identity verification; and effective methods of detecting and halting fraud and other financial crimes on systems you or your customers run.

The IDENTITY.i Virtual Summit allows you to address key challenges in the areas of Open Banking and Digital Identity, Client Onboarding and Client Lifecycle Management, Financial Crime and Fraud — all from the comfort of your home office.

Tune in to more than 25 keynote speakers, access vital case studies and engage with in-depth panel discussions. Participants can also download hundreds of assets and literature in your “digital swag bag”, ask questions in real-time, maintain networking bonds in the virtual lounge and witness innovative solutions in the virtual exhibition hall.

Open Banking, Innovation and digitization are imposing yet another operational challenge that will force financial institutions to rethink their day-to-day processes to achieve efficiency and effectiveness in KYC, Client onboarding, AML, financial crime and fraud prevention. To be efficient, the community must come together to develop a single standard practical approach to customer onboarding and financial crime prevention built around emerging technologies of digital identities, Open Banking, Blockchain, ML and AI. Along with enabling operational efficiency and cost reduction, this will allow much-needed focus on de-risking, which can make AML, Fin Crime and KYC processes effective.

Key Take-aways from the upcoming IDENTITY.i Virtual Summit:

  • Understand Emerging Financial Crime Risks in an Open Banking World
  • Latest trends and challenges in tackling fraud in the digital age
  • Enhance Client Lifecycle Management (CLM) with AI
  • Revolutionize Client Onboarding with Digital Identity and AI
  • Streamline Compliance with ML
  • Optimize KYC processes and information sharing of Global Banks

To register, please go here.

NLYTE survey: Most companies seek real-time view of software, technology assets

From press releases

More than 80 percent of technology asset decision-makers say a lack of technology asset management is a key business issue for the C-suite, the latest Nlyte Software survey shows.

Nlyte, which develops software for managing computing infrastructure, says it is no surprise that a third (31 percent) of organizations still track assets manually.

The study, commissioned by Nlyte and delivered by Sapio Research, also found that almost two thirds (61 percent) of business leaders see a need for a real-time view of their technology and software assets. Over a third (37 percent) of respondents believe they could save 20 percent of their budget by remediating underutilized software, and 39 percent state they could save their IT delivery teams six to ten percent of their time in daily business operations – but only if they had a real-time view of the situation.

It’s all about the risk

Despite the apparent priority, the motivating factor behind the decision to implement asset control across the entire technology stack is most likely to come from a cybersecurity breach, according to 29 percent of respondents. And there are stark differences between how managers and senior teams see this as a priority, with C-suite respondents believing that assets are being scanned hourly (27 percent) or daily (35 percent): yet those at manager level are less confident (8 percent and 28 percent respectively).

It also seems that the majority (84 percent) of asset decision makers are still concerned about the prospect of a vendor software audit, and nearly a quarter (21 percent) of respondents have faced fines – a worrying figure that perhaps stems from an inability to manage processes well rather than from any deliberate misdemeanor.

“Organizations seeking to regain control of the disorderly technology assets proliferating throughout their organization would be advised to consider TAM,” said Robert Neave, cofounder, Chief Technology Officer, and Vice President of Product Management for Nlyte Software. “Across our transnational sample (USA, UK, and France) 96 percent say that hardware and software technology asset control is a top 5 priority for the business, yet this still isn’t being implemented across the board.”

Further findings from Nlyte’s research:

  • 61 percent told us that a real-time view of technology and software assets would enhance their IT innovation to support their business goals.
  • Yet only 45 percent said that their assets are validated daily (30 percent do so weekly).
  • 50 percent are tracking assets in their data center – at least a majority (62 percent) are doing so for desktop and laptops
  • 78 percent of the global respondents claimed that up to 20 percent of their assets remain undetected from network scans
  • On average 67 percent of devices have the latest security software and firmware patches, less than half (49%) have a solution that scans and validates all devices; 48 percent of devices are not proactively managed at all
  • 36 percent of C-suite aren’t tracking their edge assets – where the risk of intrusion is highest

Technology Asset Management

Several of the learnings from this research showed that large organizations as a whole have no agreement on a clear vision of what their asset management strategy is for. A lightweight, agentless technology-based solution, like TAM, that isn’t limited to certain vendor platforms or industry protocols removes these headaches. Such a solution allows for the discovery of any and all types of technology assets, compute, storage, network, software, firmware, IoT and more.

Nlyte’s TAM solution delivers a self-aware IT infrastructure by updating CMDB, DCIM, and BMS systems with current asset configuration and location, improving efficiency and SLAs for change management workflows and helpdesk tickets. It identifies everything attached to the organization’s network, providing detailed information about location, configuration, and accessibility, and monitoring for unplanned changes, unauthorized access, vulnerable software, and lost or unresponsive assets.

Access the whitepaper here: https://www.nlyte.com/whitepaper/technology-asset-management.

Lockpath launches templates to Keylight Team Edition, premier GRC platform

Lockpath just launched templates for its Keylight Team Edition, its premier governance, risk management and compliance (GRC) platform.

Templates included with the platform are a pre-built starting point for customers to solve their initial compliance management needs, the company said.

“In today’s rapidly changing regulatory environment, businesses are continually seeking ways to streamline and improve their integrated solutions,” said Chris Caldwell, Lockpath’s co-founder and CEO. “Our platform helps them overcome the challenge of building and implementing a robust compliance program quickly and efficiently.”

The addition of templates to Keylight Team Edition gives customers the ability to quickly create and implement policies. The additional steps needed for an effective compliance management program such as mapping to controls, logging awareness events and collecting attestations, can be accelerated with templates.

“Last year we launched Keylight Team Edition to give our SMB customers better access to an integrated risk management program and now templates further enhance this commitment to all of our customers,” Caldwell said.

Lockpath’s initial library of pre-defined templates includes the initial elements to comply with regulations and frameworks such as GDPR, CCPA (California Consumer Privacy Act), ISO 27001, NIST SP800-53, Sarbanes Oxley (SOX), HIPAA, COBIT, PCI-DSS and more. The library will continue to expand based on customer feedback. Templates can also be customized to fit any organization’s specific needs and preferences.

Templates are continuously updated to remain current as regulations change. This gives our customers assurance knowing they will have access to reliable, up-to-date information.

“As regulations change frequently or new regulations are established, compliance can be a daunting task for even experienced practitioners,” said Chris Goodwin, Lockpath’s Chief Technology Officer and Co-Founder. “An organization can choose from any of our pre-built templates for the most widely used frameworks or regulations and customize them as needed.”

Lockpath’s templates will be available out-of-the-box to all Keylight Team Edition customers and can be added by request to Standard and Enterprise editions of Keylight. To learn more about Lockpath, the Keylight Platform and templates visit lockpath.com.

About Lockpath: Lockpath is an enterprise software company that helps organizations understand and manage their risk. For more information on Lockpath and the Keylight Platform, visit lockpath.com.

Strange Craft: The True Story of an Air Force Intelligence Officer’s Life with UFOs

U.S. Air Force Major George Filer belongs to the generation of pilots and airmen who first became aware of the strange aircraft showing up in the Earth’s atmosphere after World War II.

These men – military professionals who flew planes, commanded ships, served as radar operators and air traffic controllers at air fields around the world – began to whisper amongst themselves about encounters with suspected extraterrestrial aircraft. During secret debriefings at U.S. bases, pilots and air crew told their commanders of seeing strange lights at night and in the daylight, groups of saucer- or cigar-shaped craft that easily paced them just a few yards off their plane’s wingtip.

Award-winning investigative reporter John Guerra spent four years interviewing Filer, a decorated intelligence officer. From objects in the skies over Cold War Europe to a UFO overflight during the Cuban Missile Crisis to strange lights over the DMZ during the Tet Offensive, Filer leaves nothing out about his Air Force UFO encounters, providing Guerra all the amazing details of his six decades investigating extraterrestrials and their craft. Filer’s most memorable case – the shooting of an alien at Fort Dix Army Base in 1978 – is fully recounted for the first time in this book.

Filer – who readers have seen on countless UFO documentaries – is also a member of the Disclosure Project, the famous panel of military experts, astronauts, and scientists that urges the U.S. government to release all it knows about UFOs to the public.

Then, in the fall of 2017, the Pentagon released the F-18 gun camera footage of what can only be described as an extraterrestrial vehicle outperforming U.S. Navy fighters off San Diego …

Keys writer John Guerra’s biography of real-life Air Force UFO investigator Maj. George Filer is now out on Amazon. Filer leaves nothing out about his own UFO encounters on the ground and in the air, providing Guerra all the important details of his six decades investigating extraterrestrials and their craft.

Order the book on Amazon


MetricStream report predicts 2019 GRC trends

From MetricStream’s “GRC 2019: The Known Unknowns” 

How will GRC roles evolve in the coming year? What are the weak links to watch out for? Find out in MetricStream’s report on the trends and predictions for 2019. The future of GRC will not just be about managing known risks or monitoring compliance. It will be about sustaining an organization’s social license to operate.

Balancing Value Protection and Value Creation

As enterprises strive to stay ahead of the curve, GRC executives will be expected to go beyond their traditional roles as the guardrails of the organization and become enablers of business performance and growth. They will need to find a balance between protecting value and creating it; between being the voice of reason in the C-suite and enabling the business to take the requisite risks to achieve the desired rewards. CROs, for instance, will be called on to help leadership teams decide when to launch a new product, or which markets to target first based on the associated risks and opportunities. In doing so, they will be seen as enablers of innovation.

Truth-tellers and Strategic Advisors

Boards will demand more transparency. They will want to respond more proactively to potential risks and opportunities. Therefore, CROs, CCOs, CAEs, and CISOs will need to deliver insights that are forward-looking, actionable, and performance enabling. They will also need to become better story-tellers, communicating their message clearly, succinctly, and in a way that the board can understand and act on. To support these efforts, new generations of GRC solutions will be designed to predict potential risks with greater accuracy and speed than ever.

Leading from the Front

More risk and compliance responsibilities will move down into the first line of defense. But first, organizations will need to think about how GRC can be adapted to the first line, not how the first line should adapt to GRC. How can GRC be made so intuitive that it becomes a seamless, almost inherent part of employee routines? The answers, to some extent, will lie with technology. GRC tools will increasingly be layered into the systems used by the first line in such a way that when an employee is confronted with a potentially risky or non-compliant transaction, the underlying technology will automatically trigger checklists and workflows to guide the employee towards making the right decision.

GAN Integrity adds new risk management module

From press releases

GAN Integrity this week launched its Risk Management module that builds on GAN’s all-in-one compliance platform. GAN designers say the module is designed to integrate seamlessly with the rest of GAN’s compliance components, so users can make strategic, data-driven decisions based on a holistic and real-time view of all compliance-related activities.

Companies can customize how they frame their risk management and shift to a dynamic approach. The tool complements annual risk assessments and helps compliance teams take action on next steps, company officials said.

“As an organization’s risk management evolves, so does GAN’s tool configuration, enabling real-time identification, assessment and management of all risks,” said Valerie Charles, chief strategy officer for GAN Integrity. “It empowers compliance teams to focus on what matters with technology that enables them to proactively manage any compliance issue that arises, at anytime, anywhere.”

The Risk Management module joins GAN’s comprehensive compliance platform, which includes Training, Due Diligence, Policy, Gifts and Case Management modules.

According to GAN Integrity engineers, the Risk Management module lets teams:

  • Identify: The user-friendly solution allows users to easily map and manage all risks across the company in a centralized risk library, along with any related controls and action plans.
  • Assess: Detailed information on specific risks enables users to design customized risk rating scales and matrices that are tailored to the organization.
  • Manage: Users exchange manual, paper-driven, siloed processes for a simple and user-friendly solution and import risk assessment data into a configurable tool.
  • Monitor: The module tracks compliance risks in real time using a heat map that enables a company to instantly react to critical changes to risks throughout the business. All changes and activity are saved for later reference.
  • Evolve: The module automatically updates risks based on changes to the business.

FCPA Blog: Panasonic case provides a teachable moment

By Erich Lochner

President and CEO, Steele Compliance Solutions Inc.

Erich Lochner, Steele Compliance Solutions

The Panasonic enforcement action in April — resulting in $280 million in penalties and disgorgement to the DOJ and SEC — offers almost every lesson a compliance officer might want to discuss about anti-bribery programs.

First, due diligence matters all the time, all the way down

As often happens with anti-bribery offenses under the FCPA, bribes were relayed to government officials through intermediaries and sales agents. Multiple agents working for Panasonic failed the company’s internal due diligence checks and parted ways with the company — and were then hired back as subcontractors, with a sales agent that had passed the due diligence.

That scenario underlines the point of what due diligence truly is: an effort to expel corrupt third parties from the enterprise permanently, rather than a simple background check to be performed at one moment in time.

If the mantra is, “Companies don’t commit crime; people working for companies do,” then due diligence programs should flag specific high-risk people and ensure they don’t work on behalf of the organization. That can require language in contracts with other third parties (to avoid subcontractor risk), follow-up audits, and similar measures.

Second, accounting controls also matter

Panasonic engaged in considerable books-and-records violations both to mask the improper payments and to inflate revenue and pre-tax income by recognizing revenue early. Panasonic ultimately paid more than $1.75 million to supposed sales agents who provided few (if any) actual services. None of that was properly recorded in the company’s books.

Moreover, Panasonic employees knew about, and concealed, the scheme to sub-contract the sales agents who had been terminated. The third party that employed those sub-contractors was paid from a Panasonic budget line under the sole control of a senior Panasonic Avionics executive, with no oversight from anyone else at the company.

Proper accounting controls are crucial to effective FCPA compliance, since they can choke off the supply of money necessary for criminal violations. For example, a company could require multiple executives to counter-sign any payment above, say, $50,000; and require documentation that the party receiving that money has delivered the services promised.

Compliance with the civil side of the FCPA (implementing strong accounting controls) supports compliance with the criminal side (not paying bribes).

Third, leadership works if the first two issues matter

Large organizations are always porous collections of people and business practices. Even the most exhaustive controls, policies, and procedures leave some crack where misconduct can sprout. Strong ethical leadership is the sealant that tries to fill those cracks. The absence of strong leadership does the company no favors.

In Panasonic’s case, an internal audit in 2010 flagged potential problems with high-risk agents, and that report was circulated among senior executives. No follow-up happened for years.

Panasonic didn’t disclose the misconduct voluntarily. Only when the Securities and Exchange Commission began requesting documents did Panasonic admit potential problems and begin cooperating. That said, after the investigation began Panasonic did cooperate fully, including a thorough internal investigation and providing foreign employees for interviews with the Justice Department.

The company ultimately received a 20 percent discount on its penalties, per the DOJ’s new FCPA Corporate Enforcement Policy (pdf).

MetricStream GRC summit highlights issues facing enterprises

By John L. Guerra

GRC & Fraud Software Journal

Gaurav Kapoor, COO MetricStream

MetricStream’s 2018 GRC Summit in Baltimore brought together governance, risk, compliance and regulatory leaders from various industries and market segments. The three-day summit covered the biggest issues facing GRC practitioners in banking, real estate, health care, and other business sectors.

Gaurav Kapoor, chief operating officer for MetricStream, spoke with GRC & Fraud Software Journal about the summit.

“We created a GRC summit where we could gain feedback from thought leaders and practitioners in the room,” Kapoor said. “It was intensive, with some 500 people representing 300 small to large companies representing a number of different industries – the main takeaway is that we’re all on the same journey.”

To set the stage for discussion, MetricStream announced its new tagline: “Perform with Integrity.”

“That mirrors the desire that companies have to raise performance while maintaining integrity in several aspects of the GRC model.”

According to Kapoor, companies both large and small worry about maintaining not only the integrity of their data, but their company’s integrity in the eyes of their customers who too often find they can’t trust companies to protect their personal data. Top executives at Uber, Facebook, Wells Fargo, and other companies have been summoned before Congressional hearings to answer for misuse of customer data.

“For the last two years, there have been huge breaches of trust when it comes to high-performing companies and major banks,” he said. “Companies are ensuring their GRC platforms are built for performance and integrity, and that’s in addition to preventing bribery, money laundering and other ethical problems. For the companies at our summit, maintaining the trust of their customers topped the list.”

The largest companies at the MetricStream summit said they designed GRC systems that would control ethical standards, prevent data breaches and enable them to report problems quickly to customers when they occur, Kapoor said.

“A large retailer in Sweden said their primary GRC strategy is to align systems that build trust with customers,” Kapoor said. “If there is a breach, how do we deal with customers? How do you write GRC to reflect ‘Tone at the Top?’ When your platform lets you document what kind of policies you need or have in place, you can accomplish these controls.”

At one point, the moderator asked the attendees to stand, and then to sit back down when the moderator named their chief concern.

“At change and change management, most sat down,” Kapoor said. “Companies have been faced with so much change that they are looking for the ability to adapt quickly to concerns and write it into GRC applications. For instance, crypto is an issue nobody knows how to handle. Companies are exposed to more risk like that because things are a lot more digital.”