As digitalisation initiatives remain at the forefront for businesses in Malaysia, the need for convergence of evolving regulations is vital, especially for multinational firms.
With the rapid advancement of technologies in various sectors, regulators in Malaysia have made cybersecurity a pressing regulatory concern. Bank Negara Malaysia, which previously only required assessments on the technology infrastructure of critical systems for large firms, now requires the same for smaller firms due to an increased level of risk following the Covid-19 pandemic.
According to Thomson Reuters’ 2021 Cost of Compliance Report, the biggest challenge faced by organisations is the rising volume of regulatory change. The vast majority (78%) of surveyed compliance officers expect the amount of regulatory information to increase. Depending on the nature of one’s business, keeping abreast of the influx of regulatory challenges can be quite burdensome. As compliance requirements evolve, so should one’s compliance strategy.
In the wake of the General Data Protection Regulation (GDPR), which has now been enforced for over three years, there has been a bevy of new laws enacted throughout Southeast Asia. In fact, the data privacy landscape in Asia has changed quite drastically over the past decade, and it will continue to change in the near future.
Between 2010 and 2020, 13 jurisdictions in Asia enacted new data privacy laws. To cite a few, there was Malaysia’s Personal Data Protection Act 2010, followed by Singapore’s Personal Data Protection Act 2012; the Philippines’ Data Privacy Act 2012; Thailand’s 2019 Personal Data Protection Act, B.E. 2562; and China’s 2021 Personal Information Protection Law. Also, India and Indonesia have data privacy bills coming down the pike. To put it mildly, it can be challenging to track all the different regulatory changes.
Business leaders’ concerns
Firstly, there are subtle differences in the regulations across various regions. As a quick example, certain regions have different rules related to the transfer of data from one region to another.
Secondly, not every agency tasked with interpreting and implementing these laws does so in the same fashion, which can create confusion.
And thirdly, international conflicts can also pose concerns, as such geopolitical strife can result in unexpected obstacles.
Establishing transparency and accountability
The recent increase in BYOD (bring your own device), hybrid work environments and shadow IT has caused many organisations to operate with a mix of old and new systems. In such a scenario, it is vital that the organisation understands exactly which systems are being used for what purposes. Likewise, it is important to assess what data is being collected and for what purpose.
Global standards, such as GDPR, PCI DSS and ISO/IEC 27001, require organisations to maintain reports of their internal processes. This includes organisational processes related to network and systems security mechanisms, information security policies and identity management systems. In order to ensure that an organisation is complying with such standards, one must monitor employee data, financial transactions and network logs. In addition, companies should ensure that all third-party affiliates are compliant with these standards.
(The GDPR is a global standard that provides a strategic vision of how organisations need to ensure data privacy. The PCI DSS or Payment Card Industry Data Security Standard is a set of requirements intended to ensure that all companies that process, store or transmit credit card information maintain a secure environment. The ISO/IEC 27001 is the international standard for information security.)
Building a successful regulatory compliance plan
Given the vast number of regulations that organisations face, it is wise to build a regulatory compliance plan. Of course, every organisation operates differently. The key is to understand the organisation’s unique requirements, and then to adopt the most applicable, universally adopted frameworks in order to standardise the process.
Through the implementation of a governance, risk and compliance (GRC) team, organisations can streamline their compliance efforts. The GRC team should comprise senior management executives as well as members from the legal, security, privacy and IT teams. Risk assessment and audit-related functions can be undertaken by the GRC team members in these various departments. By embedding compliance-related activities within these departments, organisations can be sure there is a robust internal audit infrastructure in place.
Risk management should be fully integrated into operations. All employees should be trained, educated and quizzed on regulation and compliance. It is important to foster a strong internal audit culture and be sure to have a mechanism in place for escalating regulatory and compliance issues to top management.
It is vital to have a robust risk management framework in place. Let’s take a quick look at this in a bit more detail.
• Identify the GRC framework’s objectives: The initial step is to ascertain what the framework should achieve.
• Adopt an incremental implementation strategy: Although it may seem counter-intuitive, it is important to roll out this organisation-wide framework in stages.
• Clearly define key success indicators: Establish clear success metrics for all of the goals identified at the beginning of the GRC framework process.
• Determine which tools the framework requires: Identify the tools that will help meet one’s objectives. However, when considering which tools to use, be sure to take ease of deployment and application security into consideration.
• Adapt the operational strategy: Given that GRC initiatives affect an organisation’s processes and systems, a GRC framework needs to be flexible enough to adapt when new threat vectors and regulations emerge.
The risk management and compliance framework is always a work in progress. By continually reviewing the framework, organisations can ensure they are always in compliance and their audits are a breeze.
Rajesh Ganesan is the vice-president of products at ManageEngine, the IT management division of Zoho Corporation