Compliance is Among the Top Concerns of Chief Financial Officers and Chief Legal Officers

Chief Executive Officers (CEOs) look to Chief Financial Officers (CFOs) to help keep costs down. According to the Deloitte CFO surveys taken in 2014[1], CFOs name regulations and the cost of compliance among their uppermost concerns. CFOs specifically stated concerns about:

  1. New regulations
  2. The lack of clarity around those regulations
  3. The complexity of the regulatory environment
  4. The costs of compliance with those regulations
  5. Unanticipated impacts and unintended consequences of rules and regulation.

Regulatory concerns were the most consistently voiced worry during the second quarter of 2014. When it comes to concerns about industry-specific regulations, healthcare regulations were among those causing the most significant distress.

CFOs are not the only ones concerned. Legal teams are also up at night worrying about the regulatory landscape. The 2016 Association of Corporate Counsel survey of Chief Legal Officers found that regulatory issues are among the greatest concerns for Chief Legal Officers (CLOs). CLOs named the following top five concerns:

  1. Ethics and Compliance
  2. Regulatory issues/challenges
  3. Data breaches or protection of corporate data
  4. Privacy law and regulation
  5. Information governance

Thirty-one percent of CLOs report that their organization has been the target of a regulatory enforcement action or investigation. If CFOs and CLOs are concerned about regulatory challenges and the impact of violations and breaches on their companies' bottom line, you should be too!

CFOs and CLOs have cause to be concerned. Regulatory enforcement actions are intensifying, and fines and penalties are sobering, to say the least. Beyond fines and penalties, CFOs and CLOs know that legal and regulatory issues erode public confidence in the brand; they can depress stock value and put a company at a disadvantage in a financial transaction.

HIPAA Breaches

Breaches hit the healthcare industry hard. Of the healthcare CLOs surveyed, 49 percent experienced a data breach in their organization within the last two years. Breaches are especially worrying in healthcare because of HIPAA. Recent HIPAA enforcement actions have levied hefty fines, and HIPAA is prescriptive about breach mitigation and notification requirements. Then there are the state privacy and breach laws with which companies must also contend. The steps necessary to mitigate damage and notify affected customers are costly in themselves. And there is still the potential reputational harm and loss of client trust discussed above. So, what do you do?

Minimize Risk and Protect Your Clients and Your Bottom Line

Take steps to protect your assets, your clients, and your revenue.

  1. Know the pain points of the regulations that apply to you. Stay informed about regulatory activity so you know what the regulators are focusing on, and if regulators have issued audit protocols, measure your operations and systems against those protocols.
  2. Know the best ways to mitigate the risk associated with the regulations to which your company is subject.
  3. If your internal team cannot see the risk or the ways to mitigate it, whether from a lack of regulatory expertise or because they are too close to the potential problem, bring in consultants for independent reviews and expert advice.

Best Practices

Section 164.308 of the HIPAA Security Rule (45 CFR § 164.308, Administrative safeguards) provides useful best practices for any business, not only HIPAA covered entities. Below is my takeaway from § 164.308:

Policies and Procedures

  • Implement policies and procedures to prevent, detect, contain, and correct security violations
  • Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
  • Perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of electronic protected health information
  • Establish (and implement as needed) procedures to restore any loss of data

Risk Analysis and Management

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information
  • Implement security measures that are sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

Workforce and Training

  • Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures
  • Identify the security official who is responsible for the development and implementation of the policies and procedures
  • Implement a security awareness and training program for all members of the workforce
  • Implement:
    • Periodic security updates
    • Procedures for guarding against, detecting, and reporting malicious software
    • Procedures for monitoring log-in attempts and reporting discrepancies
    • Procedures for creating, changing, and safeguarding passwords

Security Incident Procedures

  • Identify and respond to suspected or known security incidents
  • Mitigate, to the extent practicable, harmful effects of security incidents that are known to the business
  • Document security incidents and their outcomes
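Two of the items above are easy to turn into something that actually runs: regular review of information system activity records (audit logs and access reports) and monitoring log-in attempts and reporting discrepancies. The Python script below is an added example, not code from the original article or from the HIPAA text. It parses a handful of constructed sshd-style authentication log lines (made up for this example, not from any real system), produces a per-user access report, and flags two discrepancies worth escalating: a burst of failed logins from one source address, and a successful login from a source that had just failed repeatedly. The log format, the thresholds, and the year supplied to the syslog timestamps are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines for illustration (not from any real system).
SAMPLE_LOG = """\
Mar  3 08:01:10 ehr-app1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 08:01:12 ehr-app1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 08:01:15 ehr-app1 sshd[2104]: Failed password for jsmith from 203.0.113.7 port 51030 ssh2
Mar  3 08:01:17 ehr-app1 sshd[2104]: Failed password for jsmith from 203.0.113.7 port 51031 ssh2
Mar  3 08:01:19 ehr-app1 sshd[2104]: Failed password for jsmith from 203.0.113.7 port 51032 ssh2
Mar  3 08:01:25 ehr-app1 sshd[2110]: Accepted password for jsmith from 203.0.113.7 port 51040 ssh2
Mar  3 09:15:02 ehr-app1 sshd[2300]: Accepted publickey for mwong from 198.51.100.20 port 44012 ssh2
Mar  3 09:20:40 ehr-app1 sshd[2310]: Failed password for mwong from 198.51.100.20 port 44020 ssh2
Mar  3 09:20:55 ehr-app1 sshd[2311]: Accepted publickey for mwong from 198.51.100.20 port 44021 ssh2
"""

# Assumed OpenSSH log shape: "<syslog ts> <host> sshd[pid]: Accepted|Failed <method> for [invalid user] <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2016):
    """Turn raw log text into a list of login events. Syslog timestamps carry
    no year, so one is supplied (assumption for this example)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line; a real reviewer would count these too
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def access_report(events):
    """Accepted logins per user: the 'access report' a periodic review looks at."""
    return dict(Counter(ev["user"] for ev in events if ev["result"] == "Accepted"))


def find_discrepancies(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (a) `threshold` failed logins from one source inside `window`, and
    (b) a successful login from a source with repeated recent failures
    (a likely password-guessing success). Thresholds are illustrative."""
    findings = []
    failures = defaultdict(list)  # source address -> timestamps of recent failures
    for ev in events:
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            failures[ev["src"]] = recent  # keep only failures still inside the window
            if len(recent) == threshold:  # report once, when the threshold is crossed
                findings.append({"kind": "repeated_failures", "src": ev["src"],
                                 "user": ev["user"], "ts": ev["ts"], "count": len(recent)})
        elif len(recent) >= 3:
            findings.append({"kind": "success_after_failures", "src": ev["src"],
                             "user": ev["user"], "ts": ev["ts"], "count": len(recent)})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("access report (accepted logins per user):", access_report(evs))
    for f in find_discrepancies(evs):
        print(f"{f['ts']:%b %d %H:%M:%S} {f['kind']}: user={f['user']} "
              f"src={f['src']} recent_failures={f['count']}")
```

On the sample data the script reports one burst of five failures from 203.0.113.7 and then the accepted login for jsmith from that same address a few seconds later; the single failure from 198.51.100.20 followed by a key-based login stays below the bar. The point of the second rule is that a successful login after a burst of failures is the event that needs a human to confirm it was the legitimate user, and documenting that decision is exactly what the incident procedures above call for.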

It’s a challenging world – put controls in place and get some sleep. All the best.

[1] Deloitte CFO surveys, 2014.