Top 3 predictions for 2018 – a year of change

By French Caldwell

MetricStream Chief Evangelist

French Caldwell, MetricStream

In what is becoming an annual event, MetricStream’s chief evangelist, French Caldwell, provides GRC & Fraud Software Journal readers with predictions for the upcoming year.


Prediction 1:

Data controllers and others face surge in complaints

In 2018, large data controllers, data processors, and privacy authorities will be found to be unprepared for a surge in requests and complaints by data subjects. The new EU GDPR expands the rights of EU citizens with several new rules, including the right to rectification, right to erasure, the right to object, and the right to restrict processing.

Privacy advocate groups will launch campaigns that drive large numbers of EU citizens to test these new rights. Many companies and government organizations will find they are vastly under-prepared to manage the large volume of requests and complaints.

Furthermore, many privacy authorities will not be prepared to manage the large number of complaints they receive. To prepare, data controllers should have robust case management processes in place, and they should assure that their third party data processors do as well.

Likewise, privacy authorities should evaluate their complaint management processes and ensure they are ready for a large surge.

Prediction 2:

The first €1 million or more penalty under GDPR

In the event of a data breach, the new EU GDPR regulation provides for large penalties, up to 4 percent of revenues or €20 million, whichever is larger. With the number of large data breaches growing, it’s just a matter of time before a large breach occurs under the new regime.

While typically with a new regulation, there is a period of adjustment where regulators work through enforcement priorities, in the case of GDPR European privacy authorities are under a very public spotlight.

The first few companies or government agencies with a large data breach will set the standard for enforcement – especially if they delay reporting it.

While Europe has had many fewer reported data breaches than the U.S., that could change with the mandatory requirement in GDPR to report breaches within 72 hours of becoming aware of them.

The best defense for data controllers and processors will be strong data protection and cybersecurity programs that are well tested, documented, and ready for an audit by privacy authorities.

Prediction 3:

Regulatory technology primary driver for GRC

In 2018 and 2019, regulatory tech – which utilizes information technology to enhance regulatory processes – will emerge as the primary driver of technological innovation for the GRC market.

Just as biotech is driving innovation in the life sciences industry, and fintech is doing the same in finance, regulatory tech is starting to impact the research and development investments of major GRC providers.

Artificial intelligence and machine learning applied to both unstructured and structured data to discover new risk and threat insights are the obvious technical leaders of innovation, but not the only ones.

Alexa-like advanced chatbots will enable users to quickly navigate applications, create reports, and discover relationships between risks, controls, processes, performance, assets and other data objects.

Hybrid machine-human scoring of third party cybersecurity, financial, and sustainability risks will supplement onboarding and continuous monitoring programs.

Facial recognition will provide a new means of assurance for data access and separation of duties. To gain competitive advantage, GRC vendors will increase funding for regulatory tech initiatives both organically and through acquisitions.


MetricStream releases new M7 Platform with ‘robust’ GRC apps

From MetricStream

MetricStream CEO Shellye Archambeau

MetricStream – the governance, risk, and compliance (GRC) apps and solutions provider – says its new M7 platform includes applications for risk, compliance, audit, IT security, third party management, and other functions upon which GRC professionals rely.

With M7, MetricStream says it is providing fourth-generation GRC technology the industry has so far lacked. The M7 platform and apps are designed to help companies preserve their corporate integrity, protect their brand, and drive exceptional business performance through GRC that is simple, pervasive, and delivered in the cloud, the company said.

M7 focuses on enabling high performers through an “engaging user experience, high degree of configurability, enhanced mobility and layering, sophisticated reporting and analytics, and a future-ready architecture,” MetricStream said in announcing the release.

“M7 enables high performing organizations by making GRC simple, intuitive, and more deeply embedded across the enterprise and extended ecosystem,” said MetricStream CEO Shellye Archambeau. “M7 gives our customers real-time intelligence that they need to anticipate risk, and balance opportunities effectively.”

Here are the M7 highlights:

For risk management professionals

The MetricStream Enterprise Risk Management app enables organizations to manage a wide range of risks and related activities in a systematic and integrated manner. Through the app, users can identify, assess, monitor, and mitigate enterprise risks effectively.

Powerful analytics and reporting capabilities, paired with detailed graphical dashboards and charts, offer comprehensive and real-time visibility into risks, enabling stakeholders to make informed decisions. This app is often deployed with the Operational Risk Management, Business Continuity Management, and Internal Audit Management apps.

For regulatory and corporate compliance pros

The MetricStream Regulatory Engagement Management app streamlines and automates the process of managing various regulatory engagements, including examinations, meetings, and requests for information from regulators.

In tandem with the Compliance Management app, the Regulatory Engagement Management app simplifies engagement creation and task management, and captures all regulatory engagement data in a central repository.

Powerful dashboards and reports provide real-time insights, enabling stakeholders to make informed decisions that strengthen the organization’s relationships with regulators.

For audit management professionals

The MetricStream Internal Audit Management app helps organizations plan, manage, and track internal audits with ease and efficiency.

The app streamlines audit planning and scheduling, audit execution, review and analysis of audit findings, creation of the final audit report, and follow-up activities.

Through an intelligent, risk-based approach to internal auditing, the app helps prioritize audit tasks and resources based on the areas of highest risk.

For an enterprise audit management solution, the Internal Audit Management App is often deployed with the Compliance Management and Operational Audit Management apps.

For IT security professionals

The MetricStream IT Risk Management app empowers organizations to adopt a focused and business-driven approach when managing and mitigating their IT risks.

The app streamlines IT risk identification, IT risk assessments, and risk treatment. It also provides sophisticated analytics and reports that transform raw risk data into actionable IT risk intelligence, providing clear visibility into the top risks, and improving decision-making.

This app is often deployed with the IT Compliance Management and Threat and Vulnerability Management apps for an integrated IT GRC solution.

The MetricStream Threat and Vulnerability Management app strengthens IT security by proactively aggregating and correlating threats and vulnerabilities across information assets. The app integrates with multiple end-point IT security and infrastructure management tools and security intelligence feeds to identify and prioritize the risk exposure for IT assets, and streamline the remediation process.

Third party management

The MetricStream Issue Management app facilitates a systematic and integrated approach towards managing governance, risk, and compliance issues.

The app provides a single system for enterprise-wide issue management initiatives, thereby strengthening compliance and risk management, while reducing the associated costs.

Through an integrated approach, the app facilitates cross-functional coordination and collaboration on issue management, and helps align these processes centrally with corporate governance and reporting objectives. Issue Management is a critical component of any GRC solution.

Survey Management app

The MetricStream Survey Management app enables a structured and automated process to manage surveys for systems compliance, process compliance, risk assessments, HR policy awareness, legal attestations, etc.

The app fosters accountability by streamlining the flow of information and records, and documenting attestations and representations at appropriate stages.

Moreover, the reporting engine built on the MetricStream GRC Platform aggregates survey data, and enables exploration and evaluation of survey findings at the enterprise level.

Survey Management is a critical component of any GRC solution requiring the collection of intelligence across the enterprise and business partners, and can be integrated with other apps including Compliance Management, Risk Management, and Third Party Management.

Susan Palm: Companies can use GRC to adapt to Dodd-Frank changes

By John L. Guerra

Editor, GRC & Fraud Software Journal

Susan Palm, senior vice president, Industry Solutions, MetricStream

Susan Palm, senior vice president of Industry Solutions for MetricStream, talks about the impact repealing Dodd-Frank will have on mergers and acquisitions, the operational risk firms will face, and how GRC technology can help to alleviate the subsequent risks.

MetricStream continues to ramp up its investment in mSIG user groups in response to the volatility of change coming out of the White House.


Q: How will this investment help customers to address the volatility?

Susan Palm: MetricStream’s clients represent both the largest and smallest financial services firms. These clients are examined by the FDIC, OCC, and Federal Reserve. The regulators sometimes publicly share examples of best practices for generating a strong risk culture, for managing third party vendors, conducting effective control tests, etc. The mSIGs act as a forum for banks to discuss their own best practices and experiences and learn from each other.

Clients find the user group forums particularly useful to share information regarding adherence to laws and regulations and the use of technology to create efficiencies and good data analytics.

Q: How will changes in Dodd-Frank or a total repeal of the law impact mergers and acquisitions?

Susan Palm: There are certain dollar thresholds for increased regulatory scrutiny. For example, banks under $10 billion in assets have one type of examination schedule. Banks greater than $10 billion in assets have a more rigorous schedule of examinations, and banks greater than $50 billion have an even greater level of regulatory oversight and examination.

This has created a barrier for banks to merge if their new combined asset size puts them into a different examination category.


Q: How can GRC technology, especially M7, help companies to remain compliant and address risk in view of sweeping change?

Susan Palm: One feature of M7 enables companies to leverage mobile phones and tablet technologies in addition to traditional PC technology to deliver policy, standards and procedures to staff.

As the laws change, banks need to update their policies and procedures appropriately. Ensuring that policy and procedure changes are completed – and delivered to staff when and how they want to consume this information – will now be faster and easier with M7.

Q: What are a few best practices for firms to prepare for continued changes in regulation from the White House?

Susan Palm: Firms should implement GRC technology solutions that integrate with strong law and regulation content providers, so that changes in laws and regulations can be quickly consumed and analyzed.

Stay vigilant and get involved in user group forums, such as RMA, ABA, and those with MetricStream. For smaller banks that don’t have sizable legal and compliance teams, participation in these user forums enables them to learn from the bigger banks’ experiences and leverage the investments made by larger banks with greater resources.


Risk and insurance industry law firm adds top lawyers

Hermes Law, which represents corporate clients and cases impacting the insurance and risk industry, recently hired attorneys John Barcus, Leslie Davis and Matthew Brower, as well as case administrator Maria Rodriguez.

The award-winning firm represents commercial clients on risk, compliance and insurance-related cases in the areas of Appellate Law, Casualty, Commercial Litigation, Construction Law, Cyber Liability, Environmental Law, Medical Malpractice, Premises Liability, Product Liability, Professional Liability and Transportation Law.

Barcus earned his Juris Doctor from the University of Texas Law School and is a member in good standing with the State Bar of Texas, all United States District Courts in Texas and the Fifth Circuit Court of Appeals.

Barcus is the team leader for the firm’s property team. He focuses his practice on property and casualty coverage disputes, as well as other insurance lines, labor and employment, and complex commercial litigation.

Davis received her Juris Doctor from the University of Mississippi School of Law and is a member in good standing with the State Bar of Texas and the State Bar of Mississippi, as well as the U.S. District Courts for the Northern District of Texas, the Northern and Southern Districts of Mississippi and the Fifth Circuit Court of Appeals.

Her professional affiliations include the Dallas Bar Association and the Dallas Association of Young Lawyers. The focus of her practice at Hermes Law will be in the areas of general litigation, premises liability, products liability, personal injury and commercial litigation.

Brower received his Juris Doctor from the University of Kansas School of Law. He is a member in good standing with the State Bar of Texas and the U.S. District Courts for the Northern, Southern, Eastern and Western Districts of Texas. At Hermes Law, he will focus his practice in the areas of transportation and premises liability.

Rodriguez was hired as a case administrator. She holds an associate’s degree in science from Brookhaven College in Farmers Branch, Texas.


Annual GRC conference in Fort Lauderdale this morning

ISACA, in conjunction with the Institute of Internal Auditors, is holding its 2016 GRC Conference this morning in Fort Lauderdale.

The annual event brings together some of the leading minds in the field to share their knowledge and meet with other GRC and fraud professionals about the challenges facing the industry.

More than 600 CIOs, senior executives, directors and managers from around the world who work in IT will descend on the Diplomat Resort & Spa in Fort Lauderdale for the conference, which focuses on the critical business priorities of governance, risk management and compliance.

The GRC Conference will offer new insights and perspectives from renowned presenters, including keynote speakers:

  • Theresa Payton, former White House CIO, cybersecurity authority and expert on identity theft and the Internet of things, will deliver the opening keynote, titled: “Big Data and the Internet of Things: Boon or Bust for Your Cybersecurity Efforts?”
  • Richard Chambers, CIA, QIAL, CGAP, CCSA, CRMA, IIA President and CEO, will speak on “The Influence of Culture on GRC.”
  • Andrew Tarvin, Engineer of Humor, will discuss “Agile Leadership: How to Lead Up, Across, and Down in a VUCA World.”

Panama Papers database may contain bad news for honest banks

By John L. Guerra

Editor, GRC & Fraud Software Journal

Alan Morley, AML, compliance chief at GFT

The International Consortium of Investigative Journalists recently released a searchable database of 200,000 offshore entities, which may include details on accounts owned by Americans – information as yet unpublished.

When that occurs, the U.S. government, as well as financial regulators from around the world will be quick to act, investigating the banks and financial institutions in the database.

The Panama Papers revelations, the earthquake that rocked financial institutions around the globe, already have banks of all sizes preparing for greater regulatory scrutiny, says Alan Morley, head of AML and Compliance Practice at GFT, a global consultancy that counsels nine of the world’s 10 largest banks and hedge funds.

Honest banks will review accounts

Banks know that illegal tax shelters, money laundering and providing accounts to banned entities and criminal groups are against the law, but that’s not the point. Honest banks also will fall under the regulatory magnifying glass.

Regulators want to see if compliant banks have managed – unwittingly or not – accounts or transactions with any of the firms and persons connected to the Panama Papers schemes.

Banks will beef up compliance staff

For instance, compliant U.S. banks that in the past facilitated questionable transactions that weren’t quite risky enough to stop or report to regulators could find themselves scrambling if those accounts and players turn up on the list. That means hiring more employees and auditors.

“There will be a temporary employee headcount increase in even smaller banks to handle the volume of work as a result of the new information and possible sanctions directives,” Morley says.

AML, KYC under microscope

Financial industry regulators will review documentation of the bank’s on-boarding process and audit the financial institution’s due diligence and Know Your Customer (KYC) procedures. That’s how they will determine whether a bank documented all the steps in the anti-money laundering procedures when approving new accounts.

“Banks will have to follow their own internal AML investigations processes to determine if a person or entity’s activity is worthy of a Suspicious Activity Report, be blocked or left as is,” Morley says.

Auditing of reporting processes

Financial institutions also will have to audit their reporting processes and find other solutions to ensure compliance with AML and other banking regulations.

“The Panama Papers revealed some of the biggest and most frustrating gaps in AML coverage – and the increased risk of audit gaps, leading to possible action against global banks,” Morley says.

Are third-party entities on the list?

That includes whether the bank performed due diligence on third-party entities – the relationships account holders had with other individuals, financial institutions and organizations. For instance, does the account holder receive deposits from banned organizations or suspect individuals?

Though banks conduct enhanced due diligence on the Correspondent Bank (CB), they are unable to do effective third-party entity due diligence on the CB’s customers, other than name matching for Sanctions, Morley says.

Are account holders tax-compliant?

“It is likely that some institutions may have to conduct supplementary transaction look-backs, using both the names listed and an updated Customer Risk Scoring Process,” Morley says.

That includes determining whether prospective account holders met tax reporting requirements for U.S. citizens, filed annual reports required by the Foreign Account Tax Compliance Act, as well as the Report of Foreign Bank and Financial Accounts required by the Financial Crimes Enforcement Network.

The good news

The release of the database on Monday will also help banks get a better picture of risk.

“When finally fully published, the new Panama Papers list will also give financial institutions an opportunity to improve their monitoring and classification programs,” Morley says.

“Knowing the names of the offshore shell companies, names of the people associated with them and their banking relationships will make this process much easier. Intelligence gathering will also increase.”

Knowledge leads to better compliance

“Remember, we have no idea as to any criminality but we do know that the very nature of this probably catapults them to high – very high risk categories in any bank’s KYC due diligence program,” Morley says.

Morley suggests banks prepare for:

  • An increase in KYC activities – potentially more head count
  • Adjustments to their Sanctions Filtering and Transaction Monitoring platforms (applications, data and tuning)
  • Significant updates to their own watch-lists
  • Spin-off project(s) to make sure this gets done in accordance with policy and procedure in a timely fashion, which will require more head count.

Advice: Cooperate with investigations

More positive news: The U.S. Securities and Exchange Commission’s Enforcement Division’s Cooperation Program rewards greater cooperation by individuals and companies in SEC investigations. In some cases, banks can receive safe harbor as well as reduced fines and punishment for cooperating.

“Cooperation is encouraged and welcomed,” Morley says. “I heard Kara Brockmeyer, chief of the Foreign Corrupt Practices Act Unit at the SEC, speak at the Securities Industry and Financial Markets AML and Financial Crimes conference in New York in early April. She encouraged active cooperation on all levels. The sooner something is self-reported to the SEC and acted upon, the better for all.”

Former IT worker going to prison for sabotaging networks

By John L. Guerra

GRC & Fraud Software Journal

Another former IT worker is headed to prison for sabotaging his ex-employer’s computer networks, reminding companies of the risk disgruntled employees can pose to their systems.

Anastasio N. Laoutaris has been sentenced to more than nine years in prison and fined $1.7 million for attacking his former employer’s computer system in 2011.

Laoutaris, 41, worked as an IT engineer for a Dallas law firm. Several months after he stopped working at the firm, Laoutaris accessed the systems and caused damage, “deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user email accounts.”

Dark Reading reports that the IT engineer hacked former employer Locke Lord LLP’s networks and issued commands that deleted or disabled hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts.

Jake Williams, a SANS Institute course author and founder of Rendition InfoSec, has warned companies before that disgruntled former IT employees pose security risks.

“Failure to terminate access during employee separation continues to be a weakness at many organizations,” Williams says. “Just having a policy is not enough. Organizations should ensure that supervisors at every level know that it is their responsibility to notify IT to suspend access for separated employees as soon as possible.”

ITAC 2015 opens this morning in Orlando

The IT Audit and Controls Conference 2015 opens this morning at the Omni Orlando Resort at ChampionsGate.

ITAC brings together IT audit managers and directors as well as internal controls analysts and risk and compliance advisors – just to name a few – for two and a half days to discuss industry trends, strategies for overcoming today’s emerging technology obstacles and threats, and tools to enhance day-to-day functions, all while earning up to 40 CPEs.

Five tracks at ITAC will cover all aspects of IT audit and controls:

  • What data breaches mean for cloud computing
  • ICT audit & security synergy
  • Added value pre-implementation audits
  • SSAE 16 SOC reporting
  • Social media risk management
  • CloudBots – abusing free cloud services to build botnets in the cloud
  • Network intrusion detection best practices
  • Internet of Things (IoT)
  • Auditing Oracle database security
  • Auditing UNIX and Linux servers
  • Securing and auditing Windows-based systems

For a complete look at the conference, go to the show’s website.