Big Fat Finance Blog

About This Blog

Updated daily by members of the Business Finance Expert Network, The Big Fat Finance Blog is intended to arm finance professionals with innovative ideas and best practices that help finance organizations create value.

Archive for October, 2009

Playing the Human Factors

According to Gartner, 84% of data loss incidents involve authorized parties distributing content externally. This data factoid was contained in a CERT Insider Threat Study titled Understanding the Risks & Defending the Enterprise, available here. The cost of that loss, according to 30% of survey respondents, exceeded $500,000.


The CERT study dates from the early part of this decade. There is little reason to believe the situation has improved much. Organizations are exchanging data more than ever as collaboration and partnering become strategy bywords and the human factors behind most bad security factors have changed.


There are ways to address this problem, which were described here back in April. Usually, they involve the use of secure online space, like that offered by Brainloop and IntraLinks. Although far from expensive, they are definitely feature-rich and high-end. Now the low end of the market is emerging.

Corporate Treasury and the FCPA

If you’ve been assuming that the Foreign Corrupt Practices Act (FCPA) isn’t a concern for folks in the finance and treasury areas, think again. To be sure, the FCPA historically has been seen as an issue for operations or sales – after all, they’re the ones who may be tempted to bribe a government official in the hope of winning a lucrative contract or two. Today, however, finance types also need to understand the law and their companies’ exposure, says Joe Zier, head of the West Coast FCPA Investigative and Consulting Services practice for Deloitte. In the last few years, as more companies have increased their global exposure through business partnerships, joint ventures, cross-border sourcing, and the like, they’re having to manage money differently.

Raise Your Company’s Risk IQ

I first came across the phrase “risk intelligent” in the summer of 2006 when I was interviewing Deloitte & Touche LLP’s Stephen Wagner, who was heading his firm’s corporate governance practice. In fact, I poached the term – which the firm was using to promote the notion of centralized GRC and its GRC services – and used it in my headline.


(Last year, Wagner co-authored a conventional-wisdom-upending article in the Harvard Business Review titled “The Unexpected Benefits of Sarbanes-Oxley.”)


Wagner said that the only way to achieve effective and efficient risk management and compliance management capabilities within an organization was “through greater coordination, adoption of common frameworks and sharing of information and practices.”


Three years later, this opinion remains valid. My GRC information sensors tingled when I came across an e-mail pitch, one for CA’s products, that contained the term “risk IQ.”


Yes, it’s a catchy term from a marketing perspective, but it also makes a lot of sense – especially after you read how CA Director of GRC Programs Sumner Blount (who reins in any marketing impulses he might have) defines the term and explains what qualities he sees within high risk-IQ organizations — in this Q&A.

OFAC Facts and Guidance

Are you doing business with any Specially Designated Nationals?


More and more companies need to know the answer to this question. If the answer is “yes,” they can expect a swift compliance call from the Office of Foreign Assets Control (OFAC), which is part of the U.S. Department of the Treasury.


This Business Finance article offers a primer on OFAC and includes some OFAC compliance guidance from Gene Truono, managing director, BDO Consulting. Truono oversees his firm’s financial institution consulting practice and is a member of the Association of Certified Anti-Money Laundering Specialists.

Small Filers Ready for SOX?

Small public companies, also known as “non-accelerated filers,” have long faced the costs of complying with Sarbanes-Oxley (SOX) Section 404(b), which requires the external auditor to report on the adequacy of the company’s internal control over financial reporting. Over a year ago, in June 2008, the SEC announced that the 404(b) requirement for small companies was being extended to fiscal years ending on or after Dec. 15, 2009, as a cost-benefit study of compliance costs for small businesses was completed.


In case you missed it … on October 2, 2009, the SEC once again delayed the timing for compliance with 404(b). This time, the delay is only for nine months. And it sounds like this time the SEC means for this to be the last delay.
