Do your business continuity plans account for your company’s compliance and regulatory requirements? For many, the answer to that question is “no”. An unfortunate reality encountered by companies across the globe in the past year.

2020 has been a year of growth and discovery in the world of business resiliency.  The COVID-19 pandemic has had an unprecedented impact on supply chains, forcing many companies to enact their continuity procedures and resort to remote work.

However, many others discovered that their business continuity procedures were not up to the task. Plans and procedures were initiated, only to find that while they were updated with technology and personnel operations in mind, procedures to maintain compliance obligations were deficient, if not completely absent.

The Danger

By not planning how to continue operations in a compliant manner, many of these companies’ responses were delayed. Instead of being able to maneuver quickly to the changing environment, they had to identify areas of compliance impact and redesign or create new business continuity procedures.

In the worst cases, they leaped into their original plans without a clear path to maintaining their compliance program.

At best, this creates a lapse in the successful operation of established controls. At worst, this may be in clear violation of federal law, regulatory requirements, and/or contractual obligations the organization may have made.  This has the possibility of opening companies up to wide-ranging liability exposure.

 

Regulations Which Apply to All Industries

If your company operates in the United States, you may be subject to the following regulations when it comes to business continuity:

  • Sarbanes-Oxley Act: For publicly-traded organizations, this act requires the implementation of controls to avoid financial misconduct and ensure that your infrastructure will protect and preserve financial records. Records should be protected from destruction, loss, and unauthorized use.
  • IRS Procedure 86-19: You may be surprised to find that the IRS requires the off-site storage of all electronic records retaining tax information.

 

Industry-Specific Regulations

In addition to the previously identified regulations, companies operating in regulated industries such as healthcare, government, or the financial services industry could be subject to the following regulations:

  • Health Insurance Portability & Accountability Act (HIPAA): HIPAA requires Covered Entities and Business Associates (BA) to maintain reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of their electronic protected health information (EPHI) against any reasonably anticipated risks. Companies not in compliance face with steep penalties and fines. As companies were recently forced to begin working remotely, those that did not plan accordingly found they were unable to continue processing Protected Health Information (PHI). This was due to the reliance on unapproved information transfer mechanisms implemented to support remote operations.
  • FEMA’s Continuity of Operations: Requires the ability to implement emergency plans and recover operations within 12 hours of activation for hospitals.
  • Financial Industry Regulatory Authority (FINRA): FINRA requires that all financial institutions maintain clear and actionable business continuity procedures, including how the customer will maintain prompt access to their funds.
  • Payment Card Industry Data Security Standard (PCI DSS): A standard developed by the credit card industry, PCI DSS requires incident response plans to contain all elements necessary to respond to events impacting cardholder data. Similar to issues encountered with HIPAA compliance, companies enacting their business continuity plans may have found that their new procedures did not account for the remote processing of cardholder data (CHD). This inadvertently and unexpectedly expanded the card data environment (CDE), greatly increasing the level of protection required.

 

How Could They Have Prepared?

Organizations not prepared before 2020’s pandemic learned the hard way that it pays to be prepared. Others were able to demonstrate value in their existing programs by effectively responding, and in some cases even flourishing.

For those that have been struggling in achieving or maintaining business continuity compliance, developing situational awareness will greatly assist in maturing your programs.

 

Maintaining Situational Awareness

An effective situational awareness program gathers information from surrounding regulatory, marketing, and competitive landscapes necessary to identify hazards and opportunities for your organization.

Hazards may include new regulations impacting your industry, such as the newly passed California Privacy Rights Act (CPRA), while opportunities could be in the form of new market opportunities to stand out among your competition, such as ISO 27701.

Your situational awareness program should, at a minimum, identify applicable laws and regulations your organization must abide by.

For added value, this program should work to identify new opportunities as well. Throughout this process you might determine that your regulatory commitments fall into two categories:

  • Elective: Standards and frameworks your company elects to participate in such as SOC 2 and ISO 27001, generally to communicate the maturity of your environment to clients, vendors, and business partners.
  • Mandated: Government or industry mandated regulations based on location (CCPA, HIPAA) or industry (PCI-DSS).

I have seen many organizations find success in maintaining situational awareness by incorporating the discovery of applicable regulations in the legal review and risk assessment process.

Additional value has been achieved through this process by identifying competitive advantages within their industry by aligning to, or certifying against, a specific framework.

An example could include certifying against the newly developed ISO 27701 standard if operating in an industry that manages sensitive information. ISO 27701 is a privacy-specific extension of ISO 27001 that closely aligns with GDPR.

By certifying, companies can demonstrate to the market and their customers that they have taken additional steps to safeguard the data they have been entrusted with.

Conclusion

There are many ways to approach the development of your business continuity compliance program. If you find establishing your situational awareness program is too overwhelming, don’t fret.

Our team of craftsmen is ready to assist in developing an effective and actionable program to meet your specific needs.

Please request to speak to one of our qualified team members here. We will guide you in developing a robust program that your team and customers can be confident in.