Why The Garmin Data Breach Should Be A Wakeup Call For Every CEO

Given how often companies overlook protections outside their own walls, it's critical to have a solid system of controls governing relationships with third parties.

If you’re a CEO and you haven’t heard of Evil Corp, you need to start paying attention.

No, it’s not a plot line for the next James Bond movie. It’s a real-life Russian hacker collective linked to a reported ransomware attack on GPS tracking firm Garmin in July that should have set alarm bells ringing in every corporate boardroom.

Garmin confirmed it had been the victim of a cyberattack that caused a days-long outage in late July, during which users worldwide were unable to upload their fitness data from the company’s sports devices. Garmin reportedly paid a sizable ransom to get its data back.

More worrying for Garmin than the immediate financial cost of the attack is how the security breach has shaken some customers’ trust in the company as they question how such highly personal data was being used and secured.

If reading about Garmin gave you a sense of anxiety about hidden legal and reputational risks to your own company, you’re probably right to be concerned. Too often, CEOs don’t get to see and react to these threats until they’ve already become a crisis—a hack or even a corruption issue coming to light in a far-flung market.

A good place to begin to address this anxiety is to work with your IT head and general counsel to ensure you have a system of controls governing your relationships with third parties such as vendors, sales agents and channel partners. Although it’s unclear whether that was the source of the Garmin breach, it is often the biggest compliance risk because companies are more likely to overlook what protections are in place outside their own walls.

The massive Target customer data breach of 2013, for example, happened after hackers accessed the company’s systems through a third-party refrigeration and HVAC contractor. One recent survey found that 53% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate.

The two big categories of third-party risk are data privacy and bad behavior that can lead to prosecutions under the Foreign Corrupt Practices Act (FCPA). Shoring up your third-party data controls can also be a chance to cover yourself on anti-corruption.

Both risks are looming larger these days.

On the data privacy front, compliance is becoming increasingly complex due to a slew of new laws like CCPA, GDPR and the European Court of Justice’s recent ruling that shut down the U.S.-E.U. Privacy Shield. Ransomware is also growing ever more sophisticated, with Fortune 500 companies coming under increasingly brazen attacks. The clear trend is toward more stringent requirements on companies to protect the data they control, including through third parties.

Controls will help you stay on the right side of the growing thicket of regulations while avoiding the kind of long-term reputational and client confidence damage that Garmin is facing.

The stakes on corruption are also rising as the Department of Justice follows through on its intent to prosecute more individuals under the FCPA. Last year, it prosecuted 39 people, among the highest numbers on record, and collected a record $2.65 billion in settlements.

Jail time for executives who were not diligent in managing these relationships is an increasingly real possibility as more cases go to trial.

Foreign channel partners are among the biggest risks for an FCPA violation. That sales agent in China may have been bringing in solid revenues for years with few questions asked, but what if he’s been going around bribing officials in your company’s name? When he’s caught, the FCPA’s primary focus is going to fall on you, not him.

Getting on top of these risks is easier than most CEOs think and doesn’t require an army of expensive external lawyers. What is required is a system of controls to identify risk and to move forward with remediation. Merely having controls in place is usually an effective defense in FCPA cases, even if something slips through. The biggest FCPA settlements have involved companies that had no controls. When its star real-estate deal-maker in China was prosecuted for FCPA violations, Morgan Stanley was cleared of blame because it had strong internal controls in place.

Imagine coming under such scrutiny—how much better would you feel being able to point to a system in place meant to manage such risks? Even if a third party circumvents your controls, you may still need lawyers if one of your third parties misbehaves, but the consequences won’t be as damaging.

Ultimately, the bigger your company is, and the more relationships you have, the more diligent you need to be about your partners. The good news is that you will sleep better at night knowing you have made the effort to manage the risks.