When Compliance and the Internet of Things Collide

April 2nd, 2018

Emerging technologies have a habit of sneaking up on corporate ethics and compliance functions, so anticipating their consequences is always a worthwhile pursuit. Today let’s turn our attention to one that already seems clichéd but is indeed an enormous issue: the Internet of Things.

“IoT” is the technology of putting wifi-enabled processors onto equipment — medical devices, building sensors, electrical systems, heavy machinery; the list is endless — so that equipment can transmit data back and forth to some control node back in the main office.

The technology works; we’ve had Internet-enabled phones in our pockets for a decade now. As the cost of the technology keeps falling, the IoT will bring that same potential functionality to everything else.

The implications for corporate compliance, audit, and risk functions are equally vast.

Yes, your cybersecurity risk will increase in the IoT world, but that doesn’t paint the full picture. The more challenging question is how the IoT will transform cybersecurity risk, and what role the compliance officer will need to play while your organization responds to that.

For example, your IT security team will need to devise new security protocols to keep IoT-enabled devices (and the data they create) secure. But in the modern supply chain world, you’ll also need to enforce those standards on vendors that supply components to you — so there’s your vendor risk management issue. Software coders in your engineering division might use open-source code from the Internet in the device; they will need to test that code for security, and update it as newly discovered flaws are patched by the open-source community — so there’s your policy management issue.

Now imagine your business makes wifi-enabled medical devices for patients to use in their bodies. The device is a point of security risk; your corporate data center collecting data from the device is a security risk; the network transmitting the data is a security risk. How many third parties are involved in the chain of data transmission? How do you get assurance of security from them all? What happens if something fails?

Conceptually, these questions are not new. Banks, for example, have been struggling with them for years while we fiddle with banking apps on our wifi-enabled phones.

Our example just underlines the point that the IoT will allow for the digital transformation of many business processes; which means more organizations will confront the security and compliance transformations that come along with that.

So what points should compliance professionals ponder about IoT? Here are three.

Risk assessments will be more complicated, because you could have many more points of failure — and that complexity will spill into legal and regulatory compliance risk, too. (Consider our medical devices, above. If they are secure but the network transmitting the data is not, who is responsible for possible breaches? Who discloses what to whom?)

Design of controls becomes more important. Compliance, IT security, IT audit, and operations leaders will need to identify what type of control addresses each risk most effectively. For example, a policy enforced on vendors might address some security issues; but perhaps extra password protections inserted into the code work better on others.

Anticipate the strategic shifts that the IoT will allow. The Internet of Things will let objects generate data. The data can then be analyzed, and business processes improved. That’s when a board starts thinking about strategic shifts, such as a move from selling products (say, IoT-enabled farm equipment) to selling services (“data-driven agricultural optimization”). New technologies allow new business processes, and new business processes allow new business models.

Don’t let the implications of that shift — compliance or otherwise — catch you by surprise.