Posts Tagged ‘cybersecurity’
Help on Supply Chain Cyber Risks
I hadn’t noticed this until now, but we have fresh help for audit and risk managers worried about cybersecurity risks in the supply chain: CISA, the top cybersecurity regulator in the United States, has published a short guide on how small and medium-sized businesses can navigate that challenge. CISA released the guide last week —…
Read MoreFINRA Talks Cyber Risks
FINRA, the regulator for broker-dealer firms that every other compliance professional should follow anyway, has given us yet another piece of nifty guidance: its annual report on regulatory examinations, brimming with advice about risks related to cybersecurity, anti-money laundering, and other issues. Like most other financial regulators, FINRA examines the compliance programs of businesses under…
Read MoreSEC Reminders on Identity Theft
The Securities and Exchange Commission has published a review of financial firms’ identity theft programs, in case anyone is looking for helpful hints and tips on how to strengthen your own program. Most of the SEC’s advice, however, boils down to a company sincerely thinking about its risks here. The advice came in the form…
Read MoreGetting a Better Grip on IT Controls
Today I want to circle back to last week’s collapse of cryptocurrency exchange FTX. One allegation is that FTX’s now-former CEO, Sam Bankman-Fried, engineered a “back door” into the company’s financial systems so that he could execute transactions without review. My question: would an audit of internal controls over financial reporting catch something like that? …
Read MoreNY-DFS Proposes Updated Cyber Rule
Big news for audit and GRC professionals in the financial services world: the New York Department of Financial Services has proposed numerous updates to its Cybersecurity Rule, which would place more responsibilities on the CISO and impose more exacting standards for cybersecurity policies, procedures, and other control activities. The Department of Financial Services (DFS) unveiled…
Read MoreAnother FTC Cyber Enforcement Case
Another week, another enforcement action from the Federal Trade Commission to remind the rest of us what steps we should take to protect consumers’ personal data. This time the company going to the woodshed is Chegg, an education tech company that lumbered along for years with poor data protection practices. Chegg provides textbooks, study aides,…
Read MoreBold FTC Action Against Drizly
Fascinating enforcement action from the Federal Trade Commission this week, which brought charges of poor cybersecurity practices against an online liquor store and its CEO personally — who will need to abide by the terms of the consent order even if he leaves the company and takes another job elsewhere! The company is Drizly.com, which…
Read MoreNY DFS Strikes Again on Cyber
A vision insurance company based in Ohio has agreed to pay a $4.5 million penalty to regulators in New York, to settle charges that the company’s poor cybersecurity practices led to a data breach in 2020. It’s a small but informative case for all you and privacy compliance enthusiasts out there. The company in question…
Read MoreTwitter, Part II: Security Control Failures
Today we return to that whistleblower complaint against Twitter announced to the world last week. The complaint contained all sorts of allegations about poor cybersecurity and privacy governance — so what were those allegations, exactly; and what lessons can other compliance and audit professionals learn here? As you might recall from our previous post, the…
Read MoreFresh Approaches to Cybersecurity Risk
Every regulator and their uncle is climbing aboard the cybersecurity bandwagon these days. Before that bandwagon starts rolling away with itself, however, we might want to ask whether corporate audit and compliance teams, and even the regulators themselves, are going about all this in the wisest way possible. Two recent posts on Radical Compliance capture…
Read More