The Risk Wheelhouse
The Risk Wheelhouse is designed to explore how RiskTech is transforming the way companies approach risk management today and into the future. The podcast aims to provide listeners with valuable insights into integrated risk management (IRM) practices and emerging technologies. Each episode will feature a "Deep Dive" into specific topics or research reports developed by Wheelhouse Advisors, helping listeners navigate the complexities of the modern risk landscape.
S5E2: Redrawing Data Lines - DOJ’s DSP and the New National Security Mandate
Your “encrypted” data may still be regulated, and today the rules start to bite. We unpack how the Department of Justice’s Data Security Program moves from guidance to strict enforcement and why it reframes data governance as a national security mandate. From redefining “covered data” to treating anonymized and encrypted datasets as in-scope when they still enable linkage to individuals or inference about them, we walk through what changes right now for risk leaders, counsel, and compliance teams.
We detail the two buckets that matter: prohibited transfers that stop cold, and restricted transfers that demand verifiable, ongoing controls. You’ll hear how the rule targets six countries of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela) and why your contracts, audits, and vendor oversight must reach beyond first-line providers into sub-processors and hidden supply-chain links. We share a practical playbook: deep data mapping across systems and shadow IT, tiered vendor due diligence that verifies beneficial ownership and jurisdictional exposure, and contract clauses that add audit rights, localization, and explicit DSP obligations. Training becomes the connective tissue so sales, procurement, and operations can spot and halt restricted transactions before they happen.
Zooming out, we connect compliance to resilience. Treat this as a defense capability: build architectures that segment sensitive data, constrain cross-border flows, and maintain auditable trails. Prepare for forced decoupling scenarios with diversified providers and kill-switches. The hard question we leave you with: how many tiers deep should your due diligence go to prove control under this new national security lens? Press play to learn the steps to take today, and the mindset shift that will keep you both compliant and resilient. If this was useful, follow the show, share it with your team, and leave a review so more leaders can find it.
Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.
Subscribe at Apple Podcasts, Spotify, or Amazon Music. Contact us directly at info@wheelhouseadvisors.com or visit us at LinkedIn or X.com.
Our YouTube channel also delivers fast, executive-ready insights on Integrated Risk Management. Explore short explainers, IRM Navigator research highlights, RiskTech Journal analysis, and conversations from The Risk Wheelhouse Podcast. We cover the issues that matter most to modern risk leaders. Every video is designed to sharpen decision making and strengthen resilience in a digital-first world. Subscribe at youtube.com/@WheelhouseAdv.
Welcome back to the deep dive. Today we're really focusing in, putting all our attention on something huge happening right now. It's a massive shift, potentially really disruptive in how we think about data governance and frankly national security. We're diving deep into the US Department of Justice's data security program. You'll hear it called the DSP. It was authorized under Executive Order 14117. And I mean, it fundamentally redraws the lines for how organizations handle sensitive American data, especially when foreign entities are involved. Our mission today is simple: to cut through the jargon, the legalese, and really distill what this means for you. If you're a risk leader, a compliance officer, legal counsel, listen up. Because today, October 6th, 2025, that's the date, the critical enforcement date. That short grace period that started back in April, it's over. Noncompliance now carries immediate weight.
Ori Wellington: It really does. That switch, you know, from just guidance to actual strict enforcement, it changes the whole compliance picture, like overnight. The time to get ready is gone. The DOJ now expects, actively expects, organizations to show control. If your company handles large amounts of U.S. personal data or government-related data, this isn't some nice-to-have anymore. It's immediate liability.
Sam Jones: Okay, liability. So what's the core driver here? Why this? Why now?
Ori Wellington: Well, the core purpose of the DSP is actually pretty straightforward. It's designed to stop the bulk transfer of Americans' really sensitive personal or government data, specifically to places, to jurisdictions, the U.S. considers national security risks.
Sam Jones: So the stakes feel almost existential then. It's not just hoping you're doing the right thing anymore. What's the absolute baseline requirement starting today?
Ori Wellington: Okay, starting immediately, like right now, companies must implement and maintain a verifiable written compliance program. And verifiable is the key word there. It's a huge distinction. It's not just about, you know, drafting some policy and sticking it in a drawer. You have to be able to prove it with documents, with audit trails. You need to show you know exactly where your covered data lives, who's got access to it, and critically, how that data stays protected when it's shared or processed across borders, especially with certain foreign partners.
Sam Jones: And if you can't prove it?
Ori Wellington: If you can't prove it, well, the DOJ sees that as a failure to comply, plain and simple. And that opens the door to immediate penalties.
Sam Jones: Okay, let's unpack that definition of covered data, because I think this is where the scope gets, well, frankly, shocking for a lot of folks. The DOJ didn't just stick to the obvious things, did they?
Ori Wellington: No, not at all.
Sam Jones: They've defined this really broad range of sensitive categories. You've got personal identifiers, naturally, but then health information, genetic data, financial details, biometrics, even precise location data. I mean, that list alone pulls in almost every major tech and finance company, doesn't it?
Ori Wellington: It absolutely does. But wait, here's the real kicker. The genuine compliance landmine, the part that could totally change your tech requirements.
Sam Jones: Okay.
Ori Wellington: It's about anonymized and encrypted data.
Sam Jones: Wait, hang on. If data is encrypted, isn't that the whole point? Isn't it supposed to be protected? Are you saying the DOJ just sort of bypassed traditional data masking as a defense?
Ori Wellington: That's exactly what I'm saying. The rule explicitly states that even data that's been anonymized or encrypted can still qualify as covered data. The condition is if that data can somehow be linked back to individuals or if it can be used to infer sensitive insights about Americans. Wow. Think about what that means. If you run, say, machine learning models on encrypted data sets, and those models let you deduce health trends or maybe mobility patterns of Americans, that data, even though encrypted, is still restricted under this rule.
Sam Jones: Okay, for anyone listening in data science or maybe fintech, that just sounds like their compliance job got ten times harder. They basically have to treat masked data almost like it's live PII now, because the potential for re-identification is seen as too big a national security risk.
Ori Wellington: Precisely. It widens the net far beyond what most companies traditionally track or worry about.
Sam Jones: And this incredibly broad definition of data. It's then applied very specifically, geopolitically speaking.
Ori Wellington: Yes, it's paired with a focused geopolitical line. The rule targets six specific countries of concern. This ensures the compliance effort, the resources, are really centered on preventing data flow to those jurisdictions the U.S. views as the highest risk.
Sam Jones: And those countries are?
Ori Wellington: China, Russia, Iran, North Korea, Cuba, and Venezuela.
unknown: Okay.
Sam Jones: So China, Russia, Iran, North Korea, Cuba, Venezuela. If your organization has any kind of data processing, any operational ties, vendors, partners in those countries, you absolutely need to know which restriction level applies, because there are two, right?
Ori Wellington: Correct. The DOJ created a pretty clear spectrum here, moving away from maybe past ambiguities. You've got two main buckets. And understanding which bucket your transaction falls into basically dictates your whole compliance strategy.
Sam Jones: What's the first bucket?
Ori Wellington: First, you have prohibited transactions. This is exactly what it sounds like. Hard stop, full stop, no transfers allowed, no licenses available, no exceptions. This typically applies to specific types of highly sensitive government data or certain bulk data sets deemed too critical.
Sam Jones: So if you're dealing with that kind of data related to those countries, the message is severe: ensure it cannot move. Period.
Ori Wellington: Period. That's it.
Sam Jones: Okay, what's the second category?
Ori Wellington: Then you have restricted transactions. Now, these aren't banned completely, but, and this is a big but, they are only permitted if the company meets some incredibly strict ongoing requirements.
Sam Jones: And this is likely where most multinational companies are going to feel the heat, right? This is where the bulk of the work and probably the expense lies.
Ori Wellington: I think that's right. For restricted transfers, the core demand is proof. Establishing an auditable paper trail and showing rigorous, continuous due diligence. To stay compliant here, organizations basically need systems up now to document every single relevant data exchange. You have to confirm the true ownership structure of your foreign counterparties, no shell games. You need to assess their foreign risk exposure and perform annual audits. And remember, those annual audits, the clock starts now. They begin immediately.
Sam Jones: Okay, that raises a really critical point about just feasibility. For the chief compliance officer listening right now, hearing "implement a verifiable program overnight, including annual audits starting now." That sounds, well, daunting. What if a company uses standard commercial software? You know, off-the-shelf stuff where they maybe can't easily see the entire underlying data pipeline. Are they really expected to be 100% compliant today?
Ori Wellington: Look, the expectation is that you have a documented plan and you are executing it now.
Sam Jones: Yeah.
Ori Wellington: Immediately. The DOJ isn't naive. They understand this involves major infrastructure shifts for some companies. But the liability phase, that has begun. So they expect that data mapping work is already underway. They expect vendor vetting is a top priority. You essentially have to assume liability for any blind spots now. Ignorance isn't an excuse.
Sam Jones: Right. Okay. So let's dig into those immediate practical steps, because this really does reshape how companies use global data infrastructure. If I'm leading this effort inside my organization, what are the, say, first three things I absolutely must demand from my teams, like, today?
Ori Wellington: Okay, number one, internal mapping. And I mean deep mapping. This goes way beyond just knowing where your main databases are. You've got to comprehensively map your data flows, find every category of sensitive covered data, pinpoint exactly when and where it interacts with any system. That includes internal shadow IT systems, by the way. Any system that might connect, even indirectly, to foreign operations in those countries of concern. It's like diagnosing your entire data infrastructure for hidden risks.
Sam Jones: Okay, map the internal landscape first. Got it. But that data doesn't just sit there, right? It moves. So that immediately forces you to look outward at who you share it with globally.
Ori Wellington: Exactly. Step two, evaluate your foreign vendors and cloud services. This is critical and honestly probably the most challenging part for many. Most businesses rely on dozens, maybe hundreds, of third-party providers. You now must vet them for jurisdictional exposure related to those six countries.
Sam Jones: And it's not just your direct vendor, is it?
Ori Wellington: No. The DOJ expects you to look deeper. Assess not just your direct partner, but potentially their supply chain too, the sub-vendors. If your primary foreign partner uses a subprocessor operating out of one of the countries of concern, guess what? That risk flows up to you. It becomes your compliance problem.
Sam Jones: Wow, okay. That supplier risk just got way more complex, which leads directly to needing immediate action on contracts, I assume.
Ori Wellington: Absolutely. Step three is contracts. They need updating right now. This isn't just good practice. It's a legal requirement with real operational teeth. You need to insert new, strict data handling clauses. They should specifically reference the DSP guidance. They need to require your counterparties to prove their own compliance posture, maybe through audit rights. And beyond just the contracts, organizations really need to immediately set up internal governance, clear reporting frameworks. There needs to be documented accountability for DSP rules right up to the executive level.
Sam Jones: And you can't forget the people actually doing the work day to day. The human element. Training must be front and center, wouldn't you say?
Ori Wellington: Oh, absolutely crucial. Training employees is vital. Especially people in roles like sales, procurement, operations, the ones making deals or setting up processes. They need to be able to spot a potentially restricted transaction before it happens. They need to understand this isn't just some IT problem or a legal thing handled elsewhere. It's an operational issue now. And getting it wrong could lead to severe consequences for the company.
Sam Jones: What kind of consequences are we talking?
Ori Wellington: Well, there's the official stuff, civil penalties, potentially even criminal enforcement, depending on the severity and intent. But honestly, the bigger, maybe longer-lasting consequence: losing trust, losing reputational standing, both commercially and, you know, nationally. That's catastrophic.
Sam Jones: So stepping back a bit, what does this all mean in the bigger picture? This feels like it's about more than just ticking compliance boxes for data rules. It feels like a fundamental shift where data privacy has been sort of merged or elevated into a core national security mandate.
Ori Wellington: That's precisely the synthesis here, I think. The data security program, the DSP, it signals this powerful new alignment. Handling sensitive data is no longer just a technical issue or, you know, a regulatory compliance task you assign to the back office. It's been institutionalized now as a fundamental geopolitical challenge. It forces us, all of us, to manage data responsibly, right where those digital boundaries smash up against national security interests.
Sam Jones: Interesting. Is there a framework for thinking about this kind of intersection?
Ori Wellington: Yeah, actually, if you look at it through an integrated risk management lens, an IRM perspective, like described in some of our source materials, the DSP really underscores the connection, the indivisibility, of resilience and compliance.
Sam Jones: Okay, explain that. Resilience being what? The ability to anticipate these kinds of global shifts and withstand them without your core business falling apart?
Ori Wellington: Exactly. Resilience is about adapting, withstanding shocks. And compliance in this context is the verifiable, auditable action you take to meet the letter and the spirit of this new law. The two are now completely intertwined by this rule.
Sam Jones: So the lesson for every risk leader listening?
Ori Wellington: The lesson is unmistakable. Regulatory compliance has fundamentally changed. It's transformed. It is no longer just a reporting function or a cost center. It's now a frontline defense mechanism. This mandate makes it crystal clear. Your operational resilience, and frankly the nation's ability to protect its interests and citizens, is now being fought partly through meticulous data protection protocols.
Sam Jones: Right. Which brings us right back to today, October 6th, 2025. This milestone isn't just about checking a box on a form somewhere. It's truly about redefining what responsible data stewardship means in a world where digital operations and geopolitical borders are constantly colliding.
Ori Wellington: It demands a whole new level of due diligence, one that has to extend deep, deep into your supply chain, deeper than most are probably used to.
Sam Jones: And I think that leads us perfectly into our final provocative thought. Something for you to really chew on as you process all this critical information. Given that incredibly expansive definition of covered data, especially including anonymized and encrypted data if it can be linked back, the real test for compliance isn't just about auditing your own internal systems, is it?
Ori Wellington: No, it goes beyond that.
Sam Jones: It's about auditing your partners' partners. And maybe their partners. So the question is just how many tiers deep does your due diligence truly need to go now? How far down the supply chain must you look to ensure you are fully compliant in this demanding new national security landscape?
Ori Wellington: A challenging question indeed. Thank you for joining us for this crucial deep dive.
Sam Jones: We'll see you next time.