Notes on the MGM Cyber Attack

As you may have already heard, earlier this week MGM Resorts suffered a ransomware attack that disabled multiple MGM properties, including its flagship MGM Grand and Bellagio casinos in Las Vegas. This raises an interesting question for compliance and audit professionals: How would the SEC’s new rules for disclosure of cybersecurity attacks apply to something…

Cyber Failure Leads to False Claims Penalty

We have a fascinating enforcement action from the Justice Department this week, where a subsidiary of Verizon has agreed to settle charges that its failure to meet certain cybersecurity standards as part of a government contract qualified as a violation of the False Claims Act.  Verizon Business Network Services, an IT services subsidiary within the…

Canadian Bank Needs Spy Compliance

Nutty news from up north: Canadian regulators have forced a bank there suspected of ties to the Chinese government to cut ties with its three founders, relocate to new headquarters with better security, sweep the corporate premises for bugs, and hire two senior compliance officers — including a “national security” compliance officer who will need…

Thoughts on Data Security

This week I’m attending the ISACA-Institute of Internal Auditors GRC Conference in Las Vegas. As one might imagine, data security is all over the agenda, so I’ve been taking notes for those audit and compliance executives back home looking for suggestions on how to make your GRC efforts better.  For starters I attended a fascinating…

A Look at Actual Cyber Disclosures

Today I want to return to cybersecurity disclosures. Before we even get to the Securities and Exchange Commission’s new rule for expanded disclosure of cybersecurity issues, perhaps we should pause to consider: what have companies already been disclosing about cyber incidents?  After all, the most contentious part of the SEC’s new cyber disclosure rule is…

SEC Adopts Cyber Disclosure Rule

As expected, the Securities and Exchange Commission adopted new rules today requiring publicly traded companies to make more disclosures about the cyber risks they have and the specific cyber attacks they suffer.  The final rules are largely in step with what the SEC first proposed last year: annual discussion of cyber risks in the company’s…

SEC’s Cyber Disclosure Expectations

While we all wait for the Securities and Exchange Commission to adopt new rules for cybersecurity disclosures later this week, we should also heed a recent speech from the SEC’s head of enforcement, where he outlined five principles that will guide how the agency thinks about corporate liability for cyber attacks. Enforcement chief Gurbir Grewal…

SEC to Vote on New Cyber Rules

The Securities and Exchange Commission will, at long last, vote next Wednesday on new rules that would require companies to make expansive new disclosures about their cybersecurity risks and the cyber incidents they suffer. The SEC originally proposed the rules in March 2022 — and they have been a sleeper issue in SEC rulemaking while…

Is Cyber Driving the CCO-Board Relationship?

We begin this week with yet another compliance benchmarking report, this time from Navex: a deep look at how compliance officers engage with senior management, and whether cybersecurity concerns, rather than anti-corruption, might be driving the board’s attention to compliance these days.  Navex published the report late last week. It polled more than 1,300 compliance…

A Closer Look at SOC Audits

Anyone involved in cybersecurity or privacy compliance knows that one handy tool to assess your vendor risks is a SOC audit. Now, at long last, we have a report that explores an important question: Just what do all those SOC audit reports actually examine, anyway? The report comes from CBiz MHM, a mid-sized accounting and…
