But the pain is worth it in the end, says research...
By Andy McCue
Published: 21 September 2006 14:45 BST
Complying with the increasing amount of complex regulatory red tape such as Sarbanes-Oxley (SOX) continues to be a pain, but half of businesses say the blood, sweat and tears have been worth it, according to new research from analyst Forrester.
For a multinational company doing business on both sides of the Atlantic, there is a multitude of European Union directives, individual member state regulatory regimes and the stringent requirements imposed by Canada and the US to contend with.
The three regulations causing companies the most headaches are SOX, Basel II and the EU's data protection directive, according to Forrester's survey of 20 user companies and 20 IT vendors.
Time is running out for non-US companies to be SOX-compliant as the law requires businesses listed in the US to comply by the end of their respective financial year after 15 July this year. Listed US-based companies had to be compliant in November 2004.
A respondent from AXA said in the report: "SOX did help us in some ways but the load of paperwork and explanations we need to provide is just massive. In the end, it's extremely expensive for us to be SOX-compliant and it doesn't even really improve our IT security. [But] it did help the information holders inside the company realise the value of the information they were handling."
Mary McCrohan, head of group information security at AIB, also suggested that a compliance backlash, while understandable, could undermine the benefits it has delivered.
Speaking at the Gartner Security Summit this week, McCrohan said: "I have a nagging feeling that we are going to see a regulation backlash and a lot of babies will get thrown out with that bathwater."
The European Markets in Financial Instruments Directive (MiFID) is another piece of red tape looming on the horizon for the European financial services industry, set to take effect in November 2007, but the research found many companies have not even begun the complex and resource-intensive process of planning for MiFID compliance.
But despite the business benefits of being compliant, it is scare tactics about the threat of financial penalties and jail sentences that are still the most effective way of getting the boardroom's attention and ensuring enough resources are devoted to making sure the company's processes and infrastructure are compliant, according to the "Navigating the European Security Compliance Jungle" research.
The advice for businesses is to start off with SOX and industry-specific regulations such as Basel II first, and to work with compliance specialists and trusted vendors.
The research said: "For example, if you use HP OpenView, use HP's Compliance Manager. If you already work with a security vendor for all your security needs, take a look at its compliance program - but take a hard look, because you want more than the vendor's security offering with a 'compliance' sticker hastily affixed to the box."
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.