Revised DOJ compliance guidance offers risk-management lessons for cybersecurity leaders
Prosecutors use this guidance to assess criminal liability in a compliance breach, so it behooves business and security leaders to understand the expectations.
In February 2017, the Criminal Division of the US Department of Justice (DOJ) issued its first guidance for white-collar prosecutors to use when evaluating the effectiveness of a company's compliance program. The document urged prosecutors to consider whether a company's compliance program is appropriately "designed to detect the particular types of misconduct most likely to occur in a particular corporation's line of business" and "complex regulatory environment." That guidance was revised in April 2019 into a formal document called "The Evaluation of Corporate Compliance Programs."
Both documents aim to give prosecutors criteria to consider when bringing criminal charges. The three fundamental questions prosecutors are urged to answer when assessing whether the compliance programs are helping to “promote corporate behaviors that benefit the American public” are:
- Is the program well-designed?
- Is the program effectively implemented?
- Does the compliance program work in practice?
On June 1, 2020, the DOJ issued another update to its compliance guidance, this time adding language to make clear that a compliance program should not be a one-and-done snapshot but a dynamic program that is updated as circumstances change. The new guidance also asks prosecutors to assess whether compliance programs are adequately resourced within the organization.

This article appeared in CSO Online.