Posts Tagged ‘cybersecurity’
Good Guidance on Third-Party Cyber Risk
Good news if you’re still smarting from that Amazon Web Services failure earlier this week that paralyzed large swaths of the business world! Regulators in New York just released fresh guidance about how to manage the cybersecurity risks of third-party technology providers. Apparently we all need a refresher course, so let’s take a look. The…
NY DFS Nails Insurance Firms on Cyber Fails
Regulators in New York have fined eight auto insurance businesses for poor cybersecurity practices that led to widespread privacy breaches in 2021. It’s our latest example of what cybersecurity risk looks like in the modern era, with numerous points that IT auditors and privacy compliance professionals can ponder. The New York Department of Financial Services…
Are Boards Getting Cyber Wrong?
A new report finds that most large corporations in the United States assign oversight of cybersecurity risk to the board’s audit committee, which isn’t the craziest governance decision a board can make but does raise questions about whether boards are addressing cybersecurity as wisely as possible. The report comes from MyLogIQ, a software firm that…
False Claims Act and Cybersecurity, Part II
Earlier this week we reviewed the case of a medical device company fined nearly $10 million under the False Claims Act for poor cybersecurity practices. Now let’s look at another example of the issue, because we have a second recent False Claims Act enforcement action for poor cybersecurity that had considerably different circumstances and outcome.…
When False Claims Act and Cybersecurity Collide
Today we return to enforcement of the False Claims Act, and a case from last week where the Justice Department fined a medical device maker $9.8 million for failing to meet promised cybersecurity standards. Cybersecurity risk and increased enforcement of the False Claims Act are sizzling issues for compliance in the Trump 2.0 era, so…
Banks Ask SEC to Scale Back Cyber Rule
The banking industry is asking the Securities and Exchange Commission to rescind its 2023 rules requiring companies to disclose more details about the cybersecurity incidents they suffer, presumably figuring that the Trump-tilted leaders of today’s SEC will be predisposed to agree. A collection of banking trade groups sent a letter to the SEC late last…
Study: Open-Source Software Risks Are Rampant
A newly released study finds that the vast majority of software systems that businesses use to manage their operations rely to at least some extent on open-source software — and the vast majority of that open-source code contains multiple high-risk vulnerabilities. So says the 2025 Open Source Security and Risk Analysis Report, released Tuesday by…
SEC Keeps Cyber Enforcement Alive
The Securities and Exchange Commission has launched a new cybersecurity enforcement unit — or, more accurately, dropped crypto stuff from its previously existing crypto assets and cybersecurity enforcement unit. Anyway, it’s a reminder that cybersecurity issues are still on the SEC’s radar screen, so corporate audit and financial disclosure teams need to respond accordingly. Acting…
Centene Dinged on Cyber Failures
Centene Corp. is paying $11.2 million to settle a lawsuit claiming that poor cybersecurity at one of its subsidiaries qualifies as a violation of the False Claims Act, in yet another example of how cybersecurity risk is worming its way into all parts of corporate compliance. The subsidiary in question is Health Net Federal Services,…
Another Tale of Poor Cyber Practices
Here’s an interesting item for all you cybersecurity auditors and GRC professionals: the state of New York just fined PayPal $2 million for “failing to use qualified personnel to manage key cybersecurity functions,” which led to an inept rollout of new accounting processes and a subsequent privacy breach. The New York Department of Financial Services…