Over the past year, Outlook Ventures has been actively looking at the financial and operational implications of government regulation on the enterprise, and the various methods that organizations use to manage policies related to government legislation. In this article Outlook's associate Shazia Makhdumi focuses on the regulations that we believe have increasingly channeled the energy of executives and Board members, and how technology can help them achieve compliance.
Recently, corporations have experienced an outpouring of government legislation and regulations in response to corporate scandals, concerns around consumer privacy and an increased risk of terrorism. These regulations are clearly affecting companies, from line managers to the Board room, in a variety of industries and across numerous functional areas. The corporate challenge to comply with regulations while improving business processes presents an opportunity for large IT vendors and start-up software firms.
Recent Legislative Mandates
The Sarbanes Oxley Act (SOX) was passed in 2002 as a response to the corporate scandals, bankruptcies and criminal charges which have intensified focus on internal controls. Among other provisions, SOX requires CEOs and CFOs of public companies to explicitly evaluate and report to the public on the effectiveness of internal controls over financial reporting. Executives need to establish a framework for internal control, define rules, put processes in place that meet the rules, and show a clear audit trail. In addition, public companies are required to have an independent auditor attest to their policies and controls.
Most large companies already have some processes in place for internal controls, although they are sometimes informal and not always consistently enforced. However, the added personal liability of executives and Board members, including the possibility of incarceration for non-compliance, has driven company executives to spend money on consultants and software to ensure that they have formal, tested and documented processes with a clear audit trail.
California Senate Bill 1386 (SB 1386) was recently passed, and the proposed federal Database Breach Security Notification Act, based on this bill, could extend this law to other states. The bill requires any agency, person or business that conducts any business in California and owns or licenses computerized "personal information" to disclose the possibility of a breach of security to customers whose unencrypted data is believed to have been disclosed. Personal information refers to information that can be used to identify an individual, such as their name in conjunction with their Social Security number, driver's license number or bank/credit card number together with the PIN, as well as confidential information such as their employment or medical histories. The law requires companies to disclose a suspected breach of customer data to every affected consumer residing in California within 48 hours, by mail or electronically. If a company does not have up-to-date contact information for those consumers, it must post a notification on its website. Needless to say, this bill has the potential to cause companies public embarrassment and customer loss.
The Patriot Act was signed by President Bush in October 2001, in response to the terrorist attacks of 9/11. Amongst other provisions, this Act specifically requires financial services companies to develop improved capabilities to identify customers and flag suspicious transactions. Financial institutions are now required to establish anti-money-laundering and antiterrorism programs that include
customer identification capabilities, so that they know with whom they are doing business
behavior-detection systems that can flag suspicious transactions
reporting tools to document suspicious activities involving various types of transactions
compliance and auditing tools to determine whether effective measures are being taken to achieve compliance with regulations
The Gramm Leach Bliley Act (GLBA), a.k.a. the Financial Modernization Act of 1999, includes provisions to protect consumers' personal information held by financial institutions. GLBA affects traditional financial institutions such as banks, securities firms, and insurance companies. It also affects companies providing other types of financial products and services to consumers such as lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities.
GLBA requires financial institutions to give their customers privacy notices that explain the financial institution's information collection and sharing practices, allowing customers to limit the sharing of their information. It also requires all financial institutions to design, implement and maintain safeguards to protect the confidentiality and integrity of personal consumer information. These institutions cannot disclose, voluntarily or inadvertently, any personally identifiable financial information resulting from any transaction with the consumer or any service performed for the consumer, such as information that a consumer provides on a loan or credit card application; account balance information, payment history, and credit or debit card purchase history or any information a consumer provides in connection with the collection or servicing of a credit account.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 affects hospitals, physician offices, health plans, clearinghouses and other entities, such as auditors, lawyers, etc., that do business with them. Among other requirements, HIPAA mandates that 1) all providers, health plans, clearinghouses and employers use the same format for electronic health care transactions and 2) personal health information be maintained securely and be disclosed only to authorized individuals. As a result, health plans, doctors, hospitals and other health care providers that process claims and other transactions electronically have to switch over to an EDI format to transmit and store health documents. They also have to establish physical and technical safeguards that limit the use and disclosure of individually identifiable health information and protect its confidentiality, integrity and availability.
Technology initiatives to help achieve compliance
Nearly all companies, be they public or private, service or manufacturing oriented, established or startup, have been affected in some way, shape or form by the above-mentioned regulations. Some view legislation as a necessary evil that takes resources away from more important company initiatives, while others view compliance as an opportunity to establish or improve upon internal processes which in turn will help their core business. However, nearly all of them are currently examining or being solicited by technology firms that claim to help them achieve compliance.
The increasing regulatory complexity as well as the large number of regulations that need to be addressed eliminates manual compliance as an option for large enterprises. Automated tools will become increasingly important, not just to meet regulatory mandates but also to establish controls and procedures to safeguard company reputation. Most enterprises across various industries are extremely interested in tools that monitor their compliance with the regulations, as well as tools that can review data handling and access control policies, disaster recovery and business continuity processes, and employee screening practices. They are evaluating software that can automatically monitor and audit adherence to policy as well as compliance with the dozens of proposed and approved state and federal privacy-related laws.
Larger enterprises are especially excited about software that manages privacy standards across the whole company by tagging data according to which privacy policies apply and then monitoring applications accessing that data to prevent violations. This software typically includes templates for each regulation to help corporations achieve compliance with specific laws.
Sarbanes Oxley
To comply with SOX, public companies need to put in place governance systems that help define controls and map them to best practices. Currently they are engaging consulting firms to help them understand their existing processes. However, they are actively seeking technologies that can automate data collection across the company, help them quickly understand their existing processes and map them to best practices within their industry or function. Software that can poll employees, executives and Board members to quickly understand their internal processes and prioritize tasks is being sought. Public companies are also actively reviewing governance platforms through which they can define processes based on best practices and implement formal and documented controls that they can execute, monitor and audit.
These governance systems need to be heavily integrated with existing ERP and other financial systems so that executives can monitor data, processes and controls across the company. Therefore enterprises are focusing development and consulting dollars on software that connects all internally developed and legacy storage systems so they can understand how systems are connected to each other, what transactions take place and where each piece of data goes. Complex environments such as large financial institutions and healthcare organizations, where multiple operating systems and applications run on myriad platforms like mainframes, servers, desktops and mobile devices, require tools that help enterprises understand where data resides and how it moves between the various systems.
Since a key aspect of the legislation involves being able to show a clear audit trail that company executives and the Board can sign off on, monitoring and reporting tools are extremely important. Of particular interest is reporting software that ensures material events are reported and escalated quickly, gives executives a continuous dashboard view of the organization, and is integrated with the various notification systems (email, phone, pager). Analytic applications will be key in automating reporting and review processes, as well as in implementing a more stringent execution of internal controls.
Enterprises are also increasing spending on business process software that helps them manage critical aspects of their supply chain and ensure that their revenue stream is protected. Software that can help them instantly understand data flows, automate business processes and adjust them on the fly in adherence with existing controls and leave a clear audit trail, is extremely attractive. Another area of interest is risk management software that allows executives to assess whether they are on plan, where the risks in the systems are and automatically execute on defined contingencies. They also need to have document and records management systems that can help them automate the creation, management, delivery, archiving and destruction of content, based on legislation-defined rules.
There are myriad companies in the market that purport to help with SOX compliance, ranging from ERP and document management system companies to startups developing enterprise governance and control frameworks. Unfortunately, public companies and the consulting and auditing firms they engage have been inundated with information from large and small "SOX compliance vendors", which has made it hard for them to fully appreciate the differentiation between these various solutions. An example of this trend is ProMana, an enterprise governance platform vendor, which has a product that extends the control framework beyond SOX and is trying to get traction in a noisy marketplace. Nth Orbit provides a similar solution with Certus, a compliance platform with a rich library of controls and contingencies. Movaris has released Movaris Certainty, a business process management platform that monitors and enforces controls and gathers evidence of compliance for auditors.
SB 1386
SB 1386 is a source of potential embarrassment and customer loss, since the regulation is strict about reporting on even the slightest suspicion of compromise. Since it applies specifically to unencrypted data, enterprises are currently examining their encryption policies and are considering spending on technologies that encrypt all data, whether in transmission or at rest. They are specifically interested in technologies that overcome the challenge of encrypting stored data without breaking indexing and backup schemes. Also required is a mechanism to share keys such that encrypted information on desktops, servers and other areas of the network remains easily accessible to authorized users.
Companies are also considering spending on tools that can detect whether data has been accessed or compromised by external or internal sources. Besides the usual authentication, authorization and access tools and intrusion detection/prevention software, there is a focus on tools that can detect, in a manner admissible in a court of law, whether data has actually been accessed, and if so, which data.
Recent market trends such as outsourcing of software development and customer service, the proliferation of Internet-enabled devices and ubiquitous Internet access are requiring enterprises to spend on technologies that can help them centrally manage and enforce security policies for remote locations, international offices and mobile and wireless devices, such as laptops, PDAs and cellphones.
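The disclosure rule sketched in the two preceding paragraphs (and in the SB 1386 description earlier in this article) reduces to a scoping decision an incident response team must make for every exposed record: is the person a California resident, were the fields unencrypted, do they amount to "personal information", and is there a current address to send notice to. The following Python is an added example, not code from the article or from any vendor it names; the field names, the constructed sample records and the 48-hour clock are taken from the article's own description and are assumptions made for illustration.

```python
"""Scope breach notification under the SB 1386 rule described in the article.

Added example. The field names, the sample records and the 48-hour deadline
are assumptions taken from the article's description, not from the statute text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Per the article: a name combined with one of these identifiers is personal
# information, as is confidential employment or medical history on its own.
IDENTIFIER_FIELDS = frozenset({"ssn", "drivers_license", "account_number_with_pin"})
CONFIDENTIAL_FIELDS = frozenset({"employment_history", "medical_history"})

NOTIFICATION_WINDOW = timedelta(hours=48)   # figure quoted in the article


@dataclass(frozen=True)
class ExposedRecord:
    record_id: str
    state: str                      # customer's state of residence
    exposed_fields: FrozenSet[str]  # fields present on the compromised system
    encrypted: bool                 # were those fields encrypted at rest?
    contact: Optional[str]          # current mailing/email address, if known


def is_personal_information(fields: FrozenSet[str]) -> bool:
    """True if the exposed field set meets the article's definition."""
    if fields & CONFIDENTIAL_FIELDS:
        return True
    return "name" in fields and bool(fields & IDENTIFIER_FIELDS)


def scope_notification(records: List[ExposedRecord]) -> Tuple[List[str], List[str]]:
    """Split affected records into (individual notice, website notice).

    Records are excluded when the customer is not a California resident,
    when the exposed data was encrypted (exempt under SB 1386), or when the
    fields do not constitute personal information.
    """
    individual: List[str] = []
    website: List[str] = []
    for r in records:
        if r.state != "CA":
            continue
        if r.encrypted:
            continue
        if not is_personal_information(r.exposed_fields):
            continue
        # No up-to-date contact information: the article says the company
        # must post a notification on its website instead.
        (individual if r.contact else website).append(r.record_id)
    return individual, website


def notification_deadline(discovered: datetime) -> datetime:
    """Latest time by which affected consumers must be notified."""
    return discovered + NOTIFICATION_WINDOW


# Constructed sample: a hypothetical dump of one compromised customer table.
SAMPLE_RECORDS = [
    ExposedRecord("r1", "CA", frozenset({"name", "ssn"}), False, "r1@example.invalid"),
    ExposedRecord("r2", "CA", frozenset({"name", "ssn"}), True, "r2@example.invalid"),
    ExposedRecord("r3", "NV", frozenset({"name", "ssn"}), False, "r3@example.invalid"),
    ExposedRecord("r4", "CA", frozenset({"name", "email"}), False, "r4@example.invalid"),
    ExposedRecord("r5", "CA", frozenset({"medical_history"}), False, None),
    ExposedRecord("r6", "CA", frozenset({"name", "account_number_with_pin"}), False, None),
    ExposedRecord("r7", "CA", frozenset({"ssn"}), False, "r7@example.invalid"),
]
SAMPLE_DISCOVERED = datetime(2003, 7, 1, 9, 0)   # constructed incident time


def scope_sample() -> Tuple[List[str], List[str]]:
    """Run the scoping rule over the constructed sample."""
    return scope_notification(SAMPLE_RECORDS)


if __name__ == "__main__":
    individual, website = scope_sample()
    print("notify individually:", individual)
    print("notify via website: ", website)
    print("deadline:", notification_deadline(SAMPLE_DISCOVERED).isoformat())
```

Run against the sample, only r1 gets an individual notice; r5 and r6 fall through to the website posting because no current contact is on file; r2 is exempt because its data was encrypted, r3 lives outside California, and r4 and r7 lack a qualifying combination of fields. The value of writing the rule down this way is that the encryption exemption becomes an explicit, testable input rather than an assumption made during an incident.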
Since SB 1386 exempts encrypted data from the disclosure rules, storage security vendors like Kasten Chase Applied Research are promoting PKI-based authentication and encryption at the storage device level for "at rest" data. Encryption does not, however, protect companies from insider attacks, which are believed to be more of a threat than external ones. Liquid Machines extends encryption to data retrieved in queries. Policies set in Active Directory or another LDAP-compliant directory service control user access, and results can be pasted into and viewed locally within supported applications. Vontu offers a surveillance tool to help monitor access to sensitive data and "quarantine" it when issues arise, while StrongAuth offers compliance management and SB 1386 policy templates. Credant has developed a framework to extend its enterprise security to mobile devices.
Patriot Act
Most of the IT budget devoted to compliance with the Patriot Act is being spent on integrating backend systems and upgrading infrastructure such as storage and hardware. Financial institutions are also spending on software to combat money laundering such as record-keeping and reporting tools. Also under evaluation are rules-based and workflow products and intelligent systems which are primarily being developed by companies in the regulatory compliance, risk management and business intelligence space.
The Patriot Act has driven financial institutions, large and small, to re-evaluate their processes for managing customer identity. Most organizations are actively examining technologies such as biometrics to reinforce their existing identity management solutions. Traditional biometric approaches have focused on specific biometric technologies, such as fingerprints, iris scan and facial recognition. However, companies such as BioXign and IDMetrics are approaching the market with identity management platforms which incorporate multiple biometric technologies and work with a variety of algorithms.
Financial institutions are also paying for outsourcing services from operators of customer databases, such as Regulatory DataCorp International LLC (RDC) in New York, which was launched by Goldman Sachs and other firms to develop a database for screening suspected criminals. Companies use a secure Web portal to send individual names or lists of customers to RDC, which then runs the names through its database.
Gramm Leach Bliley Act
The requirement of GLBA on financial services companies to notify customers of their information-sharing practices has created huge amounts of mail for consumers and corresponding costs for financial institutions. Financial-services companies last year collectively spent about $1 billion to prepare and mail privacy-policy statements required by GLBA. Financial institutions are eagerly seeking technologies that will help them automate the preparation and mailing of privacy-policy statements, as well as tools to monitor customer data and privacy preferences. They are evaluating rules engine applications that can automatically enforce customer-privacy policies and control the flow of information, based on customer privacy preferences, across multiple divisions and business units. Software that integrates databases containing customer privacy preferences across business units allows financial institutions to have a consolidated view of customers across multiple divisions so that, for example, one of the bank's brokerage-services telemarketers won't be able to access data about a banking-services customer who asked not to be contacted.
Large financial institutions and healthcare companies are also interested in software that ensures personal and confidential customer information remains protected. They have been focusing internal development efforts on, and evaluating third-party applications for, privacy management and monitoring of customer data, to ensure that personal information is not disclosed through any channel, be it mail, email or web. Another increasingly popular area for IT spending is tools that enable customers to manage personal privacy, such as XML-based versions of privacy policies that comply with the Platform for Privacy Preferences (P3P) technology. P3P lets people set privacy standards in their browsers and warns them when a site doesn't meet those standards. However, some enterprises are of the opinion that most privacy problems can be resolved with relatively simple policy changes, such as halting questionable Web-site practices like unnecessary data collection or use of cookies, and tweaking internal practices with regard to data access.
Given recent state legislation giving consumers greater control over data, financial institutions are realizing the need to install flexible data systems. As more states create their own laws (e.g. the recent Vermont law requiring customers to opt-in vs. opt-out), systems will need to handle greater complexity and enterprises will require tools to verify that their information collection and sharing practices meet the law and internal policy.
Products that help companies align business processes with privacy policies and monitor the flow of customer data throughout the company to prevent intentional or inadvertent violations are increasingly being considered. Privacy Council markets its Privacy Scan software for identifying privacy risks by comparing Web-site practices with written privacy policies. A similar product is produced by Watchfire. Zero-Knowledge Systems has developed Enterprise Privacy Manager, an application designed to centrally manage privacy policies and practices.
HIPAA
Healthcare organizations are expected to spend on commercial electronic management report (EMR) and electronic data integration (EDI) products as a result of HIPAA. EMR software will help them with audit trails and access authorization, and EDI is necessary for the conversion of the transaction code set standards used in reimbursement. Technologies that standardize both patient record access and reimbursement formats, which is vital to HIPAA compliance and revenue flow, will be purchased.
Most commercial healthcare software will incorporate conventional electronic proof of identity, using user authentication fields, unique patient identifier generators and code-set conversion menus, into next generation releases. Storage needs for healthcare organizations are expected to increase, making server-lease programs a highly attractive and cost-effective option for hospitals, while the low capital budget requirements of ASPs make them attractive to the physician practice sector. The growing needs assessment of large organizations is also expected to create a niche market in the managed care sector for consultants and integrators. Teros, a web application firewall vendor, has developed additional modules on top of its core product that ensure certain confidential information, such as Social Security numbers, patient identifier numbers and credit card numbers, is not accessible to unauthorized individuals. Cedaron's CardioCare is an information entry system which allows medical personnel to capture clinical information easily within standard templates, improving documentation handling and reporting for large hospitals and clinics. HROffice from Ascentis Software is an integrated HR and benefits management solution for small and medium sized organizations. It provides complete HR management capabilities such as performance appraisals, attendance, compensation, COBRA administration and FMLA tracking, and benefits management functionality such as support for multiple benefits plans, reporting capabilities and billing reconciliation.
Summary
All in all, the various pieces of regulation have been a major driver pushing enterprises, ASPs and small companies to allocate their IT budgets to products and services that will help achieve compliance. The key to successful investing in this area will be to pick the technologies that can improve business processes while helping companies achieve compliance and demonstrate short-term ROI to management and the board of directors. Aside from many of the companies mentioned in this article, we expect to see more investment opportunities and interesting start-ups enter the marketplace in the near future, and Outlook Ventures will continue to track new technologies and products that help enterprises achieve operational and financial compliance.
This article was researched and written by Shazia Makhdumi, Associate with Outlook Ventures. Special thanks to Lynda McGhie (BEA), George Lin and Naomi Miller (Documentum), Susan Shultz (The Board Institute), Richard Vermeij (Arena Solutions), David Whitney (Deloitte & Touche), Bill Tobin (PWC), Jim Kurtzweil and Armin Pressler.