Example of Cybersecurity Disclosure Failures

First American

The Securities and Exchange Commission has fined a New York title insurance company $488,000 for failing to disclose cybersecurity problems to investors in a timely manner, in yet another example of how cybersecurity risks can spawn a secondary wave of compliance risks too. The company in question is First American Financial Corp., parent company of…

Read More

The Shifting Calculus on Cybersecurity

cybersecurity

So there I was the other day, talking to one of the many tech vendors in this field, when our conversation turned to a perpetually puzzling question: Why is the relationship between compliance and cybersecurity so difficult to get right?  After all, my acquaintance and I lamented, cybersecurity has been one of the top corporate…

Read More

Another Look at Cybersecurity Shortcomings

cybersecurity

The other week the Biden Administration issued an executive order to improve cybersecurity across the federal government. Now we have a peek at just how bad numerous government agencies are at the task — and what steps they’re likely to take to improve the situation, which could affect government contractors providing IT services. Said peek…

Read More

Parsing Biden’s Cybersecurity Order

cybersecurity

Earlier this week the Biden Administration issued an executive order to strengthen the federal government’s cybersecurity and oversight of the larger “software supply chain” that involves government contractors. IT auditors, risk managers, privacy officers, and related compliance professionals should prepare now for what’s coming soon. The order is most immediately a response to that ransomware…

Read More

A Suspicious Activity, Cybersecurity Mess

cybersecurity

A broker-dealer firm in Colorado has agreed to pay $1.5 million to settle charges with the SEC that the firm failed to file suspicious activity reports about cybersecurity thieves trying to take over customers’ accounts. It’s a sobering example of how weak cybersecurity controls can spill over into regulatory compliance trouble.  The firm in question…

Read More

Another Example for SOX & Cybersecurity

cybersecurity

From time to time I’ve written about how poor cybersecurity and software patch management leads to faulty internal financial controls. Now a bank in Tennessee has disclosed a cybersecurity breach that seems to demonstrate the case.  The bank, First Horizon Corp. ($FHN), disclosed the breach in an SEC filing last week. The breach wasn’t large,…

Read More

The Cracks in Third-Party Risk Management

Another day, another report looking at challenges of third-party risk management. This time the report is from software firm Prevalent, and it’s worth some attention for the conflicting perceptions about third-party risk that it calls out. Foremost, the report is interesting because it defines third-party risk as a cybersecurity and supply chain issue, rather than…

Read More

More on Cybersecurity, Compliance Risk

cybersecurity

We have another report on cybersecurity threats this week, one that demonstrates just how difficult it is for large organizations to address this risk effectively — because while the vulnerabilities themselves are squarely a CISO’s concern, the damage they can cause is very much a regulatory compliance problem. The report comes from Onapsis, a cybersecurity…

Read More

When Cybersecurity and IT Risk Converge

risk

The other week I had the good fortune to speak on a webinar about IT risk management, and specifically how compliance and security teams should take more of a risk-focused approach to cybersecurity, rather than a compliance-focused approach.  I’d like to unpack some of that today, because the challenges within a risk-focused approach are becoming…

Read More

Thoughts on IT Risk Management

risk

Another week, another report painting a mottled picture of corporations and their approach to IT risk and compliance. This time around we have interesting points to explore about the pandemic’s effect on IT risk, how companies are responding to that pressure, and who is or isn’t in charge of all this stuff. The report is…

Read More