Whitepaper: The Compliance Officer’s guide to preventing cyber-attacks

compliance officer - cyber attack

The realities of cyber attacks
Europe leads the world when it comes to detecting security breaches. In 2013 alone, Europe experienced an increase of 41% in security incidents amounting to tremendous financial losses. So what are the realities of cyber-attacks across the globe and how can compliance officers prevent them?

Everyone talks about having Policies & Procedures in place, but nobody talks about the practicalities of communicating them to a global, possibly multi-lingual
audience, ensuring that they have been received, read, and understood by
every employee.

Please complete this form to download the whitepaper
*Please note, to save the whitepaper onto your computer, simply right click on the pdf and select “Save as”.

Data Protection: Turning compliance into opportunity

Written by Lyn Boxall one of our expertise panel members in the area of Data Protection.

Data protection regulations are now in force in Singapore.

data protection

The Do Not Call (DNC) Registry rules took effect on 2 January 2014. Holders of Singapore telephone numbers have been able to register and avoid receiving unwanted text, voice or fax marketing messages.

After an 18-month “sunrise” period to allow organisations to get their internal processes in order, nine personal data protection obligations and limitations took effect on 2 July 2014. Organisations must comply with them when they collect, use or disclose personal data from or about individuals, including their employees.

Compliance-based approach

Boards of companies need to ensure that management implements a robust compliance framework as part of its overall risk management responsibilities. In implementing this framework where the law is clear, management should act on an understanding of what is permissible and what is not. Where the application of the law is subject to interpretation, management should proceed in a way that is consistent with the risk appetite developed by the Board.

The DNC rules present a good example. They do not prevent organisations from sending marketing messages to Singapore telephone numbers in all circumstances. For instance and leaving aside the data protection rules for the moment, the DNC rules are clear that marketing messages may be sent to numbers that are not listed in the DNC Registry.

Where a number is listed in the DNC Registry, marketing messages may nevertheless be sent in the context of an on-going relationship if the purpose of the message is related to the subject of the ongoing relationship. There could be genuine debate as to whether there is an on-going relationship in any particular case and/or about whether the message has the necessary connection with that relationship. A decision consistent with the organisation’s risk appetite must be made before deciding whether or not to proceed with sending the message.

Yet, it appears that some organisations in Singapore have simply tipped targetted marketing messages into the “too difficult basket” and stopped using them altogether.

Similarly, the data protection rules do not prevent organisations from continuing to use personal data for the purposes for which they were collected prior to 2 July 2014. And yet, rather than applying a risk-based approach to determining the purpose for which personal data was collected, many organisations play it safe by burdening their stakeholders and requiring them to give specific consent for the continued use of personal data.

Beyond compliance to opportunities

The practical outcomes currently observed suggest boards need to guide management to not only apply a risk-based approach, but to also try another perspective: stop seeing data protection merely as a legal and compliance requirement that stands in the way of doing business.

Boards can, and should, communicate to management an expectation that they will implement data protection requirements in ways that find new opportunities to enhance operations and customer relationships.

One example is SingTel. It went beyond the current data protection rules to build a portal which provides customised options for its users on the type of marketing messages they want to receive. The greater granularity of options is beneficial to its customers but also provides the telco greater insights into its customers’ preferences. On top of that, the widely-reported pioneering response made good marketing copy.

As I observe the implementation of data protection laws in Singapore and elsewhere, the common factor is that legal or compliance staff are expected by management to take “ownership” of the issue. This yields a necessarily conservative outcome because legal and compliance staff are tasked with minimising risk, not with making decisions that take the company’s risk appetite into account.

Fundamentally different outcomes would occur if the issue of data protection was “owned” by chief executives and their sales and marketing teams, with expert input by legal or compliance staff.

This turns the conversation, and therefore the outcome, on its head. It stops being “tell me what I can and cannot do” and becomes “how do we make it happen – within acceptable legal parameters? What are the risks and options for such decisions?”

This solution-led approach could creatively improve customer service and relationships in the new data protection era. It directly confronts the key operational premise: how can we do better at winning and retaining customer loyalty in this new reality?

Clearly, I am not advocating non-compliance of the law. However, practical requirements can give rise to a considerable grey area, and the need to “make a judgment call”. The board must guide management towards decisions based on sound risk management, not just from a minimal-risk perspective.

Data protection laws are here to stay. The response from boards and management should be to leverage these laws while complying with them.

Lyn Boxall is a member of the Professional Development Committee of the Singapore Institute of Directors.

This article was first published in The Business Times and BT Invest (a financial portal of The Business Times), under the column “Boardroom Matters” by the Singapore Institute of Directors.

PolicyHub 4 released

GRC Solutions is pleased to announce the release of PolicyHub 4, Hitec’s award winning Policy Management Solution.

PolicyHub is designed to manage the entire policy lifecycle from creation, review, approval, publishing and distribution management, attestation to reporting with full audit trails.

PolicyHub 4 comes with a refreshed user interface for an improved (UX) User Experience as well as other performance enhancements.


Key developments:

  • Full administration access from anywhere in the world via a web browser
  • Refreshed user interface with improved user experience
  • Tests & Questionnaires comprehensively redesigned
  • Single Sign On through-out including SaaS (Software as a Service)
  • Efficiency improvements

Jeremy Crame, Hitec CEO, comments:
“At an important time when firms are required to meet increasing regulatory obligations Hitec are continuing to make enhancements across all product and service lines. PolicyHub 4 brings improved efficiencies to your Policy Management workflows enabling you to increase performance and keep on top of your GRC programmes.”

GRC Solutions is a reseller of Hitec’s PolicyHub solution within the Asia Pacific region. We have recently integrated PolicyHub with a complete risk management software to bring you GRCHub for all your governance, risk and compliance needs.

Please do not hesitate to contact us for a demo of either or both of these products.

Whitepaper: The importance of actions/activities/tasks in risk management

GRCHUB - the importance of actions, acitivites and task in rm

Liam O’Brien recently joined our team at GRC Solutions as a Senior Risk and Compliance Consultant. This whitepaper shares his insights on the importance of actions, activities and tasks which ultimately act as controls in a risk management program.

Liam has worked for large and diverse organisations in senior management roles for over a decade. His governance, risk and compliance expertise comes from successfully executing:

    • risk management frameworks
    • compliance programs
    • governance reviews
    • bribery and corruption assessments
    • audit programming


This paper outlines just two of many essential controls that must be implemented to avoid a risk becoming reality. It examines in detail how these controls can be introduced or reviewed and embraced by an organisation.

The journey towards ensuring organisational effectiveness requires action and perhaps the best way to deploy your efforts is within a sound risk management framework. It should identify where any individual organisation will get the best return for each dollar spent, ensuring strategy becomes reality and that risks don’t.

Please complete this form to download the whitepaper
*Please note, to save the whitepaper onto your computer, simply right click on the pdf and select “Save as”.