Centene Dinged on Cyber Failures

cybersecurity

Centene Corp. is paying $11.2 million to settle a lawsuit claiming that poor cybersecurity at one of its subsidiaries qualifies as a violation of the False Claims Act, in yet another example of how cybersecurity risk is worming its way into all parts of corporate compliance. The subsidiary in question is Health Net Federal Services,…

Mortgage Firms Fined on Cybersecurity Fails

cybersecurity

State banking regulators have fined three home mortgage businesses and their corporate parent $20 million for a data breach in 2021 that uncovered a raft of poor cybersecurity practices at the firms. The offending companies will now need to implement an extensive remediation plan, and as usual, the rest of us have numerous lessons to…

Marriott Settles Huge Privacy Case

marriott

Marriott International has reached a settlement with state and federal regulators over repeated privacy breaches the hotel chain suffered in the 2010s, under which Marriott will pay $52 million to states across the country and implement a raft of cybersecurity improvements under the watchful eye of the Federal Trade Commission. The FTC and state attorneys general announced…

Internal Accounting Controls and Cyber Risk

control environment

Today I want to return to that recent enforcement action against RR Donnelley, where the Securities and Exchange Commission cited faulty internal accounting controls at Donnelley as grounds to impose a $2.1 million sanction over the company’s poor handling of a cybersecurity incident. What are internal control professionals supposed to make of an enforcement action…

SEC Advice on Ransomware Disclosure 

ransomware

The Securities and Exchange Commission has published fresh advice about when companies need to disclose a ransomware incident to investors, warning that companies will need to perform materiality assessments and be prepared to disclose the attack even if the attack is small and the company returns to normal operations quickly. The agency released five compliance…

Qualitatively Material Cyber Incidents

cybersecurity

Today I want to revisit the new SEC rules for disclosing material cybersecurity incidents, and in particular those qualitatively material incidents that might seem especially tricky to assess and prevent. What internal controls become more important for that type of threat? This is on my mind because we’re already starting to see some companies disclose…

More Help on Key Cyber Controls

key controls

Some interesting news for internal audit and cybersecurity professionals: new research has identified five key controls deemed to have the greatest effect in reducing the chance of (and damage from) a cybersecurity attack. The research comes from insurance giant Marsh McLennan, which operates a Cyber Risk Analytics Center that helps Marsh understand how to price…

Fresh Approaches to Cybersecurity Risk

cybersecurity

Every regulator and their uncle is climbing aboard the cybersecurity bandwagon these days. Before that bandwagon starts rolling away with itself, however, we might want to ask whether corporate audit and compliance teams, and even the regulators themselves, are going about all this in the wisest way possible. Two recent posts on Radical Compliance capture…

Lessons in the HanesBrands Cyber Attack

Before we all forget, compliance and audit professionals should note that HanesBrands coughed up an ugly quarterly report last week — and one principal reason for that awful report was a ransomware attack that apparently cost HanesBrands $100 million in lost revenue. The ransomware attack itself is not news; Hanes disclosed the matter on May…

CFPB Warning on Data Protection

cybersecurity

The Consumer Financial Protection Bureau has issued a fresh warning to financial firms that they must keep customer data safe, and cited three specific cybersecurity controls as measures that firms should implement if they want to avoid liability under federal consumer protection law. The CFPB fired its warning shot on Thursday afternoon in the form…
