Comments on SEC Cyber Proposal

lawyers

We continue our focus on cybersecurity compliance today with a return to the SEC’s proposals for expanded disclosure of cybersecurity risk in corporate reports. The public comment period for those proposals closed last week, and compliance officers have a bundle of interesting points to ponder. The SEC received dozens of comments, and to no surprise…

Read More

Some Thoughts on IT Workforce Risks

Looking for another reason to worry about the long-term success of your compliance, audit, or risk management efforts? Fear not! A recent report on workforce development in cybersecurity paints a stark picture of just how challenging it is these days to build and maintain a good team.  The report comes from ISACA, the professional association…

Read More

Russia’s Effect on Supply Chains, Compliance Risk

supply

The Ethics & Compliance Initiative hosted its annual conference this week, including a panel discussion about Russia’s war against Ukraine and its long-term implications for corporate ethics and compliance. The speakers spooled out a bundle of useful observations, so let’s take a few minutes to recap those points and ponder them a bit more.  The…

Read More

SEC’s Push for Better Cyber Governance

board

Today I want to revisit the SEC’s proposed new rules requiring public companies to disclose more about their cybersecurity risks. Those plans would obligate companies to discuss how the board and senior management address cybersecurity risk at a strategic, enterprise level. What’s that all about?  In a previous post about the SEC proposals, I considered…

Read More

SEC Proposes Cyber Disclosure Rules

disclosure

The Securities and Exchange Commission has proposed new rules that would require all public companies to disclose much more about how they manage cybersecurity risks and to disclose “material cybersecurity incidents” to investors promptly. The commission voted to propose the new rules on Wednesday morning — and to be clear, these are proposed new rules,…

Read More

Bulletin on Russia Cyber Threat

cyber

The United States’ top cybersecurity regulator published a special bulletin this week listing numerous measures companies should implement immediately to ward off possible attacks from Russia during its Ukraine invasion.  CISA, the Cybersecurity Infrastructure and Security Agency, issued the bulletin on Tuesday in conjunction with the Department of Homeland Security. Both agencies stressed that they…

Read More

Justice Dept. Beefs Up Cyber Actions

cyber

Just in time for Russia’s invasion of Ukraine and the cyber attacks that inevitably will follow, the Justice Department is promising to use “disruptive action” against cyber criminals, even if those actions jeopardize the department’s chance for future charges and arrests.  So said deputy attorney general Lisa Monaco on Thursday, speaking at the annual Munich…

Read More

Ransomware Update: It Still Sucks

cybersecurity

We have a trio of reminders this week on the perilous state of corporate cybersecurity, with ransomware becoming an ever-more sophisticated threat and business ERP systems still persistently vulnerable to attack. Compliance professionals should take note, since effective strategies to combat ransomware depend on a strong compliance function. First is the latest alert from the…

Read More

Log4j: We Have to Talk About This

log4j

By now compliance and audit professionals may have heard about the cybersecurity vulnerability called Log4j. This will foremost be a problem for IT security officers; but Log4j also illuminates a lot of challenges that audit, compliance, and risk management challenges will face in the 2020s. So let’s unpack the issues afoot here. First, the background.…

Read More

Notes on Cybersecurity and Operational Risk

risk

Last week one of the country’s top banking regulators published its semi-annual report on risks to the financial system, and to no surprise cybersecurity risk was near the top. The more one ponders the findings, however, the more you can see insights about cybersecurity, internal control, and innovation that are worth the time of a…

Read More