Monday, August 8, 2022

Finding Equilibrium: Transformative Regulations Create More Hurdles for TMT Companies

The technology, media and telecommunications industry faces significant challenges developing a culture of compliance.

Whether due to poor data privacy protections, weak cybersecurity controls and oversight, or anticompetitive behavior, the financial and reputational costs for noncompliance with regulations continue to rise, with governments more determined than ever to make violating the law as painful as possible to companies’ bottom lines. This aggressive enforcement approach is particularly acute in the technology, media and telecommunications (TMT) industry, where there’s an intensification of legislative and regulatory efforts globally to rein in companies that are perceived to have unfettered power and influence.

TMT companies are fighting to balance the pull of current and future regulations with the need to constantly push innovation. How does a responsible technology firm behave in this environment? In the white paper “Finding Equilibrium in an Era of Heightened Regulation,” Protiviti tackles these tough questions and provides some guidance, starting with a framework of how companies can increase their understanding of the changing expectations of today’s consumers, governments and other key stakeholders in order to make better business decisions.

Growing Pains

In a tweet last month, U.S. Representative David Cicilline, chair of the House’s Subcommittee on Antitrust, Commercial and Administrative Law, wrote that “the American people want us to #ReinInBigTech, and that’s exactly what we’re going to do.” Cicilline is one of the chief sponsors of the American Innovation and Choice Online Act, a legislative measure designed to block tech giants from favoring their own products and services. A Washington Post article described this bill as “the epicenter of a massive power struggle between Washington and Silicon Valley.”

In addition to an increase in active legislation, enforcement actions have become more common. In the United States, the Federal Communications Commission, the Federal Trade Commission and the Department of Justice are among the agencies leading this effort.

Given this dynamic, TMT companies with U.S. operations, as a first step, should be clear-eyed about the current state of their compliance program and how the program stacks up against trends in enforcement and regulation. Having this enhanced understanding would allow them to improve or scale their program, including remediating issues, as needed.

Across the Atlantic, there are also growing pains. In late April, the European Union passed the Digital Services Act (DSA), which aims to protect the digital space against the spread of illegal content (e.g., hate speech, child sexual abuse) and protect the fundamental rights of users (e.g., restrict advertising targeting children). The DSA, which contains very broad language, requires large digital platforms and services to analyze systemic risks they create and to carry out risk-reduction analysis. It is yet to be determined, however, how the EU plans on enforcing the new law, which comes with hefty fines and a potential outright ban for repeat offenders.

In the absence of a DSA-like federal law in the United States, a number of states (at least 11, as of today) are conducting investigations into how social media platforms are using algorithms that promote violence and cause mental health issues in children. States are leading the effort to regulate internet content, because they see the federal government moving too slowly.

As one example of U.S. federal government inertia, state legislators point to the federal government’s inaction on the Child Online Protection Act (COPA), which was passed in 1998 to restrict access to material defined as harmful to minors. The law never took effect, and after several rounds of litigation, a permanent injunction against it was entered in 2009. In recent weeks, following the mass shooting incident in Buffalo, New York, which was livestreamed by the shooter, the issue of regulating online content has flared up again, and New York Governor Kathy Hochul has blamed social media platforms for not doing enough to stop the spread of this violent recording.

Meanwhile, the war between Russia and Ukraine has also affected the relationship between the government and major tech firms. As an example, the threat of cyberattacks from Russia or from state-sponsored actors, and the fear that some tech companies might knowingly or unknowingly allow their products and platforms to be misused by Russia or its proxies, is inviting regulatory scrutiny around the world. Given these concerns, TMT organizations need to reevaluate the risk of using software or hardware made in or owned by Russia (or China) to ensure that supply chain network integrity is a priority within their overall cyber resilience management. Read our recent blog “Geopolitical Tensions Exacerbate TMT Industry’s Top Risk Concerns” for more on the war’s impact on the industry.

But it is not just Russia that’s driving concerns about supply chain integrity. The U.S. Justice Department has made it clear it will pursue companies that violate Section 889 of the National Defense Act (which targets companies doing business with five Chinese companies) and Executive Order 14028 (which requires companies to conduct full risk assessments of their cyber supply chain network). Under the order, companies seeking to do business with the U.S. government are required to vet third-party providers and continuously assess their vulnerabilities and the consequences of those vulnerabilities.

To achieve this objective, companies should put together a baseline of security standards by developing a framework for a software or hardware bill of materials that supports the government’s required attestation form. Clearly, this is an issue that is getting bigger and will impact more companies in the coming years. According to one estimate, 45% of organizations worldwide will have experienced an attack on their software supply chain by 2025.

Last year, the Justice Department created the Civil Cyber-Fraud Initiative, a task force utilizing the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The goal is to hold entities and individuals accountable if they knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or neglect to monitor and report cybersecurity incidents and breaches.

Data privacy remains the most consequential issue for TMT companies. In the United States, states like California have taken the lead on data privacy regulation, with many more expected to follow.

As discussed in this blog post, there’s also been a steady increase in enforcement by the FTC against alleged privacy violators. Last year, the agency banned a spyware maker and its chief executive officer from operating in the surveillance industry, accusing them of secretly harvesting and sharing mobile data on people’s physical movements, phone use and online activities, and leaving the information exposed on the open internet. And in the EU, there are growing calls for additional privacy regulations around the use of artificial intelligence and machine learning, efforts that will only increase with the rollout of more Internet of Things devices.

What Companies Can Do Now

As a whole, the TMT industry faces significant challenges developing a culture of compliance, as the industry has not been heavily regulated in the past, with companies focusing instead on a culture of innovation and a first-to-market attitude to drive success. Those days are gone.

Established and emerging companies will need to focus on building capabilities, including staffing up on compliance, risk management, legal, privacy and legislative expertise, with clearly assigned roles and responsibilities. As part of this effort, companies should consider hiring an independent consultant to ensure that they are operating within policy, regulatory and ethical standards. Additionally, it may be prudent for some to create a chief trust officer role that will ensure the company acts with integrity and the highest ethical standards when it comes to corporate behavior in a digital environment.

Companies should also implement a comprehensive risk management framework that will enable them to break down risk silos throughout the organization and conduct regular risk assessments. Assessing and reacting to the impact of evolving regulations and enforcement on their business model should be a key part of this process. Also, many companies will need help developing a data-driven transformative risk framework model that is able to evolve quickly at the same pace as innovation.

As an example, companies should seriously consider creating a comprehensive data privacy program, if they haven’t already, and making it an embedded process. Check out this blog post on four actionable steps that technology companies can take to bolster their data privacy programs. And finally, there has never been a more appropriate time to leverage new and emerging technologies that will enable compliance with data-intensive and time-sensitive regulatory requirements.

Read Finding Equilibrium in an Era of Heightened Regulation for more recommendations on how technology companies can act responsibly and take strategic actions during these uncertain times.

Gordon Tucker and Christine Halvorsen
Gordon is a Managing Director with Protiviti and has over 25 years of experience providing management consulting, internal and external audit services to software, internet, high tech manufacturing and life science companies. His experience includes serving companies ranging in size from emerging, high growth organizations to Global 1000 businesses. Gordon's professional experiences include consulting with executive management teams and Audit Committees on preparing to operate as a public company, developing annual risk assessments and executing global internal audit plans, ensuring effective corporate compliance, internal controls and governance requirements, assessing and implementing finance process improvements, and overall project management. Gordon is market leader for Protiviti’s San Francisco Bay Area practice and also leads the firm's Technology, Media and Telecommunication (TMT) Industry. Prior to joining Protiviti, Gordon was a managing director at BearingPoint and a partner in Andersen's Business Consulting Practice. Gordon began his career in Andersen’s Audit practice rising to the level of senior manager. Gordon is a member of the Technology Industry Standards Advisory Group for the Sustainability Advisory Standards Board (SASB) and he has served as an officer of the San Francisco Chapter of the Institute of Internal Auditors, as well as a member of the Board of Governors.

Christine Halvorsen is a Managing Director at Protiviti and board member for GTSC's FITGov Summit. Christine served 23 years with the Federal Bureau of Investigation where she retired as an Assistant Director. During her career with the FBI, Christine was appointed to a variety of Executive, investigative, crisis management, and International positions. In her leadership roles, Christine led five major IT transformations leading to enterprise-wide technology, culture, skills and behaviors advancements. For example, as the Deputy Assistant Director in the Counterterrorism Division, her strategic and innovative thinking led to the development and launch of the FBI’s first-ever cloud-based operational platform, which improved response times to threats at home and abroad. Her other duties included the program management of the FBI’s Domestic Terrorism investigations; communication and digital media exploitation; bulk data analysis; and administration of the division’s budget, personnel and infrastructure. Christine is a highly sought-after speaker on cybersecurity, cloud technologies, and counterterrorism. In 2018, she was named Homeland Security Person of the Year by Homeland Security Today. Christine is also the recipient of the 2008 FBI Director’s Award for Excellence in Investigative Support, and the 2012 FBI Director's Award for Outstanding Technical Achievement. After leaving the FBI, she served as a Senior Technical Business Development Manager at Amazon Web Services (AWS), leading the AWS Mission Acceleration Team. She also serves on the Intelligence and National Security Foundation (INSF) Technology Council and the Northern Virginia Technology Council.
