Four tips for managing compliance risk while scaling across borders
Compliance is a key consideration, and a sore point, for founders, especially when expanding internationally: understanding and meeting the regulatory requirements of different countries is a difficult and time-consuming process.
Regulatory compliance can generally be defined as a company's adherence to the national, federal and international laws and regulations relevant to its operations, covering areas such as product safety and quality, data protection and cybersecurity, and safe working conditions for employees.
So, for our latest panel discussion, we focused on the compliance and security challenges that come with expansion, and how to address them effectively.
Our experts were:
- Rudy Martin, chief security officer at Maze, a product research platform;
- Victoria Martin, head of compliance and regulatory affairs at 10x Banking, a cloud banking fintech;
- Paulo Rodriguez, head of international growth at Vanta, a compliance software startup.
This is what we learned about how to avoid compliance risks.
1/ Choose standards adapted to your company and the needs of your customers
There is no one-size-fits-all approach to security and compliance regulations. Although there are different sets of standards that can be used to demonstrate a company's security posture (the overall strength of its cybersecurity and how well it is protected against data breaches and intellectual property theft), it is crucial to consider your specific business needs and your security and compliance requirements.
Victoria Martin said startups need to consider the intent of the regulations to understand which standard is best suited to the needs of their business and their customers. She pointed out that while some standards are great at identifying minimum compliance requirements, it’s important to consider what would help you survive if you were to be challenged in a data breach scenario.
Rudy Martin agreed, adding that in highly regulated industries like fintech it is necessary to work out how to prove to your customers that you are compliant. Establishing what customers need to see before they will share their data with you and trust your services, and then correlating that with your own business risk, tells you which standards are a good fit.
“You can’t watch [security and compliance regulations] like a tick box exercise – you need to look at it holistically on your business processes” – Victoria Martin, 10x Banking
2/ Include security champions in all teams
Often in early-stage startups, leaders such as the founder or CTO wear many hats and therefore also carry security and compliance responsibilities.
Rudy Martin underscored this point, adding that as companies evolve and grow it is no longer effective for the founder or CTO to lead compliance. He added that, as head of security at Maze, he ensures that "security champions" are embedded in every team so that each team can think about security in its own capacity.
Martin added that it was essential to ensure compliance teams were engaged with other teams – such as product and engineering – so that there was a collaborative and open relationship.
Rodriguez pointed out that companies in highly regulated sectors such as fintech and healthtech tend to be prepared early by recruiting profiles focused on risk management. However, other companies in industries that aren’t as heavily regulated operate more on a needs basis and only start thinking about their security posture as they scale and acquire larger customers.
“Instead of increasing my resources and having a bigger team under me, I try to empower each team to think about safety in some way within the organization” — Rudy Martin, Maze
3/ Understand international regulatory environments
While your compliance and security posture may not be an urgent requirement when operating in local markets, it certainly should be a priority when scaling into international markets, Rodriguez said. He highlighted the importance of assessing your security posture, especially when scaling from Europe to the US, given the wide gap between the two regions' regulatory environments.
Victoria Martin set out the areas that need special attention in a new regulatory environment: understanding the regulations that affect your product, the rules around the storage of customer data, security accreditation requirements such as ISO 27001 and SOC 2, and regulatory requirements on hardware outsourcing, all to ensure you operate your business safely for your customers.
“It’s about trying to figure out what kind of regulation you’re bound to where you’re trying to do business and trying to find a way to unify that with what you’re doing right now” — Rudy Martin, Maze
4/ Align the needs of current and new customers
Victoria Martin pointed out that when entering new markets it is important to understand whether the frameworks already in place within the business can be used to comply with the new regulations, or whether improvement is needed, which is often the case. She added that it is also essential to check that the updated framework still meets the needs of the company's existing customer base, to avoid creating barriers to scaling.
Rodriguez further emphasised that new executives should align with the company's overall growth direction and business strategy. He added that, to avoid a slowdown caused by security and compliance needs in a new jurisdiction, the company can focus on meeting the minimum requirements when entering a new market and then develop the framework gradually.
The panellists also highlighted the importance of a healthy security posture for gaining customer trust, especially when it comes to storing customer data, and for communicating the value of your product to existing as well as new markets.
“Your level of security can be used to eliminate competition and establish a relationship of trust [with customers]. And more than anything, it removes barriers to entry and lets you talk about your product and the value you bring to your customers” — Paulo Rodriguez, Vanta
Like this and want more? Watch the full discussion here: