UnitedHealth’s Big Cyber Compliance Mess


UnitedHealth filed its latest quarterly earnings report today, complete with an update on the staggering costs of a ransomware attack the healthcare giant suffered earlier this year — and if anyone needs a fresh example of how cyber attacks can tie your company into compliance knots, pull up a chair. The attack itself happened in…

Internal Accounting Controls and Cyber Risk

Today I want to return to that recent enforcement action against RR Donnelley, where the Securities and Exchange Commission cited faulty internal accounting controls at Donnelley as grounds to impose a $2.1 million sanction over the company’s poor handling of a cybersecurity incident. What are internal control professionals supposed to make of an enforcement action…

SEC Advice on Ransomware Disclosure 


The Securities and Exchange Commission has published fresh advice about when companies need to disclose a ransomware incident to investors, warning that companies will need to perform materiality assessments and be prepared to disclose the attack even if the attack is small and the company returns to normal operations quickly. The agency released five compliance…

Example of Cyber Disclosure Challenges


Radical Compliance is back from vacation, and what better way to catch up on current compliance issues than an enforcement action over poor cybersecurity? Lucky for us, the Securities and Exchange Commission served up a fresh case just last week on exactly that headache. The case involves R.R. Donnelley, provider of business marketing services to…

NYSE Parent Fined $10M Over Breach Failure


The parent company of the New York Stock Exchange has agreed to pay $10 million for failing to promptly alert the Securities and Exchange Commission about a cybersecurity breach the company suffered in 2021. Take note, all you public companies still uncertain about how and when to disclose breaches of your own. The SEC announced…

More Tips on Good Data Protection

Another week, another enforcement action from the Federal Trade Commission giving us a glimpse into what modern data protection programs should look like. This time the company in question is a telecommunications company that flubbed basic data protection protocols and then suffered a breach; and as usual, the FTC gives compliance, privacy, and IT security…

Cyber, AML Lessons From a Crypto Flop

New York financial regulators have served up another case study in poor cybersecurity, transaction monitoring, and anti-money laundering compliance, courtesy of an enforcement action against a bankrupt cryptocurrency platform found to be deficient in all three. The state’s Department of Financial Services announced the sanction against Genesis Global Trading last Friday, fining the company $8…

Qualitatively Material Cyber Incidents

Today I want to revisit the new SEC rules for disclosing material cybersecurity incidents, and in particular those qualitatively material incidents that might seem especially tricky to assess and prevent. What internal controls become more important for that type of threat? This is on my mind because we’re already starting to see some companies disclose…

First American Suffers Second Cyber Flop

Well this is going to hurt: First American Financial Corp., one of the largest title insurance firms in the United States, suffered a cyber attack over the Christmas break that has left legions of homebuyers and sellers unable to close their sales — and it is the second significant cyber incident First American has endured…

Asking to Delay Cyber Attack Disclosure


Here’s news all you cybersecurity compliance professionals can use: the Justice Department has published guidance on how public companies can seek a national security exemption from the Securities and Exchange Commission’s new rules for expanded disclosure of cybersecurity incidents. As you may recall, the SEC adopted those new rules in July, and they go into…
