INTERVIEW: Cyber-risk strategy advice from former U.S. Justice Dept. official John Carlin

NEW YORK (Thomson Reuters Regulatory Intelligence) - Financial services firms have the challenge of trying to develop a cyber-security program that sufficiently protects the firm, its data and its customers’ identities and investments. No program will be foolproof; the best any firm can do is mitigate the risk, as John Carlin, partner at Morrison & Foerster and former top national security attorney at the Department of Justice, told Thomson Reuters Regulatory Intelligence last week.

U.S. Assistant Attorney General for National Security John Carlin addresses a news conference to announce indictments on Iranian computer hackers, in Washington March 24, 2016.

Firms should assume regulators will be scrutinizing cyber-security and risk mitigation efforts, and be ready to demonstrate that the firm and its culture are giving proper importance to cyber-security. Multiple managers should have the opportunity to keep top executives and the board of directors informed on how the firm is assessing and mitigating the risks posed to the business, Carlin said.

Compliance officers can play a pivotal role in ensuring that these managers have complied with standards imposed by regulators and expected by shareholders and the investing public, he said.

“With so many potential entry points to a company’s network (such as smart phones, tablets and laptops), the bottom line is that cyber-security risks have increased for all organizations, and what you must focus on is mitigating them,” said Carlin.

As FBI Director James Comey stated in 2014: “There are only two types of companies when it comes to cyber-security. Those that have been hacked, and those that do not know they’ve been hacked.”

Real security requires more than simply complying with rules, Carlin said. The organization must embrace security as a basic requirement of business operations.

In this way, as risks grow, companies are forced to understand how their own systems work, how to protect them, and who does what in terms of coordinating a defense to these threats, he said.

“The firms are now playing catch-up with their policies now that security is such a concern,” Carlin said.

Businesses are behind in crafting more effective user policies -- which are key to mitigating risk, as there is still no foolproof technical solution that takes risk out of the equation.

“Each business has to assess the risks posed to it based on its profile and make these policy determinations,” Carlin said.

Businesses should learn from the mistakes of others and consider implementing some of the directives imposed by regulators in enforcement actions against other companies.

“There should be training, and it should inform people as to how to use their devices more appropriately, including how to write emails,” Carlin said. “There are always changes in what is permissible, and those updates should be a part of this ongoing training.”

Continual risk assessments and strong detection tools are essential, since risks both evolve and grow, as the Internet of Things demonstrates now that we have technology in our cars and even our bodies, Carlin noted.

Businesses need to get away from the idea of “do this and you are secure” and commit themselves to a process of continuous security improvement, said Carlin.

Plus, firms should consider showcasing how cyber-security cuts across multiple lines of a business and make sure multiple perspectives are presented to top company leadership.

“Companies can benefit from having Compliance/Legal, IT/Information Security, and Operations representatives make a periodic presentation to the heads of two or three different board-level committees. That overarching committee can listen to how these managers’ departments have been mitigating and assessing threats to the company’s systems and evaluate them as part of its overall strategy,” Carlin said.

The responsibility to help protect an organization’s sensitive information should be shared, as it includes protecting personnel, financial and strategic data, over which multiple persons have oversight.

Carlin said that even if some of the recently proposed federal-level regulatory initiatives are watered down in a shift to a deregulation-minded federal administration and agency leadership, some states are showing a willingness to step into the mix. This includes New York and its Department of Financial Services, whose cyber-security rules mandate, among other things, that covered firms appoint a Chief Information Security Officer. Those rules go into effect on March 1.

Carlin does not expect fines and regulatory scrutiny to go away any time soon, and they might even increase.

“They certainly will increase for businesses that get it wrong repeatedly. And the power of public opprobrium and harm to one’s brand are damaging enough,” he said.

“I see the government trying to instill a culture that is conscious of cyber-security, but it is taking longer than maybe planned because it is both scary and a technical area,” Carlin said.

Compliance officers and others working on assessing and mitigating cyber-security risk need to be able to “translate” for all affiliated persons -- from the sales staff to the C-suite to the board -- to get across the importance of identifying cyber-security risk. Doing so requires using clear, accessible language.

Protecting against so many threats is not too daunting a task, Carlin said. Doing so requires teamwork by compliance, IT, legal, information security, operations, HR, and communications staff to improve the firm’s resilience, to limit the reach and potential damage of threats, and thereby minimize any harm.

It is up to the business how it achieves this, Carlin said.

“It could be that more information needs to be encrypted, or multi-factor authentication is used for certain databases, deleting data that is no longer needed, limiting who has access to sensitive information or that the company’s crown jewels are put into a certain folder and anyone wanting to access them needs to know naming conventions,” he said.

Those decisions can be made by businesses by working in an inter-departmental, collaborative way, guided by the mandates and recommendations provided by regulatory organizations and from standards-setting, non-regulatory agencies in this arena.

Compliance departments can help by supporting a speak-up culture, and demonstrating that when employees are not sure what to do, they have somewhere to take their concerns.

- FBI Director James Comey speech 2014: here

- NY Dept of Financial Services mandate: here

- National Institute of Standards and Technology, U.S. Dept of Commerce, non-regulatory agency:

(Julie DiMauro is a regulatory intelligence and e-learning expert in the GRC division of Thomson Reuters Regulatory Intelligence. Follow Julie on Twitter @Julie_DiMauro. Email Julie at