Cybersecurity is top concern for nine out of 10 CCOs, survey reveals

The WSJ surveyed around 300 compliance professionals to find out their current priorities.

The Wall Street Journal has released its recent survey of around 300 compliance professionals in North America. 

Nine out of 10 companies said cybersecurity risks rose, with nearly half saying the risk shot up substantially. Almost all midsize companies – those with between $50m and $1 billion in revenue – said they felt cyber threats had increased. 

The survey of CCOs was conducted between February 13 and March 11. More than three-quarters were based in the US and about 4% in Canada. Around 36% of respondents worked in the financial services sector, while around 13% worked in professional and business services and around 9% in the technology sector.

The second and third areas of concern on the list among those surveyed included regulatory scrutiny and enforcement, cited by 78%; and the digitization of their business, cited by 71%. 

Compliance professionals also said that cybersecurity is the biggest area in which they have had to build their own skill sets.

Privacy (68%) and third-party risk issues (65%) came next, then geopolitics and financial crime at 63% and 60%. Fewer than 50% listed employee misconduct, merger and acquisition/competition factors and diversity and inclusion-related issues as major concerns.

Staffing issues, skill sets

According to the survey results, the respondents are not only worried about cybersecurity risk – they specifically mentioned their increased uncertainty about their compliance department’s ability to respond to incoming threats.

Nearly half of compliance survey respondents said they had only a basic or novice level of expertise in overseeing cybersecurity-related compliance. Only 8% considered themselves experts. 

The need to beef up the staffing needed to handle incoming cyber threats also weighed on the mind of compliance professionals. About 35% of respondents said insufficient head count was a challenge faced by their company’s cyber compliance program, while 31% cited a need to keep up with regulatory changes around cybersecurity and 23% a lack of required skills.

Source: Wall Street Journal Survey of Compliance ​Professionals. Graphic: Martina Lindberg

Compliance professionals also said that cybersecurity is the biggest area in which they have had to build their own skill sets.

Nearly seven out of 10 respondents said they have needed to gain knowledge in this area over the past year. Regulatory scrutiny and enforcement was the only other area cited by more than half of respondents, at around 67%.

Despite these challenges, 90% said their cybersecurity compliance program was at least somewhat effective. Only 2% called their program “very ineffective.” 

Why cybersecurity concerns?

Cybersecurity getting the top spot is not surprising, given the incredible amount of public attention and havoc cyber incidents cause businesses.

Healthcare giant UnitedHealth Group confirmed in February that its subsidiary Optum was forced to shut down IT systems and various services after a cyber attack by “nation-state” hackers on the Change Healthcare platform. This ransomware strike absolutely paralyzed vital parts of the US healthcare system, given the breadth of the Change Healthcare network.

Just to prove how vulnerable the healthcare sector is, mega-health system Ascencion confirmed it was hit by a cyberattack that interrupted patient care in several states just last week.

School districts and county governments are also getting hit.

MGM Resorts International disclosed last September that a significant cybersecurity issue had affected some of its systems, including its main website, online reservations, and in-casino services, such as ATMs, slot machines, and credit card machines.

In April, in one of the most significant cybersecurity policy reforms in recent memory, the Cybersecurity and Infrastructure Security Agency (CISA, part of the US Department of Homeland Security or DHS) released its much-anticipated notice of proposed rulemaking to require critical infrastructure organizations to report cybersecurity incidents.

The study also suggested that while AI is a topic of interest to compliance professionals, most have yet to use it as part of their compliance efforts.

CISA also published draft rules in March on how critical-infrastructure companies would need to report significant cyberattacks within 72 hours and ransom payments within 24 hours,

And, last week, an array of notable technology companies said they expected to sign an agreement this week to build stronger security into their software from the start of development. The move is part of the Biden administration’s national cybersecurity strategy, and the 65 tech companies that have pledged to sign it include Alphabet’s Google, Amazon’s AWS, Cisco, Palo Alto Networks, IBM and Microsoft.

For its part, the SEC has also upped the pressure on companies to disclose cyber breaches more promptly. Starting in December, the agency started requiring registered firms to report cyberattacks no later than four business days after they determined the incident will have a material impact on operations.

Compliance pros using AI

The study also suggested that while artificial intelligence (AI) is a topic of interest to compliance professionals, most have yet to use it as part of their compliance efforts. Just over one-third of respondents said they were using AI tools for compliance, compared with 46% who said they weren’t yet using it – but planned to in the future. 

About one in five said they had no plans to use AI in compliance. Despite the rise of ChatGPT and other forms of generative AI in the mind of the public, many businesses are still taking a measured approach to the technology in all its forms. 

Source: Wall Street Journal Survey of Compliance ​Professionals. Graphic: Martina Lindberg

Perhaps unexpectedly, the smallest companies seem most likely to be using AI for compliance already, with about 41% of respondents from companies with less than $50m in revenue saying they had put the technology to use. But, more than half of the companies in the $1 billion-revenue class said they were considering adopting AI for their compliance.

Despite this, the use of AI is coming, say the compliance professionals answering the survey.

Only about one in 10 of compliance pros from the largest companies said they had no plans to use AI for their compliance efforts in the future, compared with about two in 10 from those working for small and midsize companies. 

Of those using AI, 45% said they used it to detect control deficiencies, while 44% said they used it for cybersecurity. Regulatory change management was cited by about one-third of respondents.