Cyber, AML Lessons From a Crypto Flop

New York financial regulators have served up another case study in poor cybersecurity, transaction monitoring, and anti-money laundering compliance, courtesy of an enforcement action against a bankrupt cryptocurrency platform found to be deficient in all three. The state’s Department of Financial Services announced the sanction against Genesis Global Trading last Friday, fining the company $8…

Read More

Qualitatively Material Cyber Incidents

cybersecurity

Today I want to revisit the new SEC rules for disclosing material cybersecurity incidents, and in particular those qualitatively material incidents that might seem especially tricky to assess and prevent. What internal controls become more important for that type of threat? This is on my mind because we’re already starting to see some companies disclose…

Read More

First American Suffers Second Cyber Flop

First American

Well this is going to hurt: First American Financial Corp., one of the largest title insurance firms in the United States, suffered a cyber attack over the Christmas break that has left legions of homebuyers and sellers unable to close their sales — and it is the second significant cyber incident First American has endured…

Read More

Asking to Delay Cyber Attack Disclosure

cybersecurity

Here’s news all you cybersecurity compliance professionals can use: the Justice Department has published guidance on how public companies can seek a national security exemption from the Securities and Exchange Commission’s new rules for expanded disclosure of cybersecurity incidents. As you may recall, the SEC adopted those new rules in July, and they go into…

Read More

A Memo on Cyber Materiality

cybersecurity

So there I was the other day, pondering that new Securities and Exchange Commission rule for expanded disclosure of cybersecurity issues, when my phone rang. It was my friend the cybersecurity auditor. “Hey,” he said, “I have an idea for how companies can prepare for that new rule about disclosing cybersecurity stuff.”  I was intrigued.…

Read More

Nuttiest Cybersecurity Risk Ever

cybersecurity

Well here’s a nutty new risk for cybersecurity compliance professionals at publicly traded companies: ransomware attackers reporting their own attacks against you to the Securities and Exchange Commission when you don’t meet their demands.  Yes, this actually happened last week. A ransomware group known as Alphv breached MeridianLink, a California company that provides digital lending…

Read More

SolarWinds, Part II: This Is Not New

cybersecurity

Today we continue our look at that lawsuit filed by the Securities and Exchange Commission against SolarWinds and its CISO for poor disclosure of the company’s cybersecurity issues. As unsettling as this case might be for compliance and audit professionals, is it really a ground-breaking moment in securities enforcement? Perhaps not. Let’s first appreciate what…

Read More

A Deep Dive Into SEC’s SolarWinds Lawsuit

SolarWinds

Heads up, compliance and internal audit professionals! The Securities and Exchange Commission just filed a potentially profound lawsuit against the tech company SolarWinds and its CISO for misleading investors about the state of that company’s cybersecurity defenses — defenses that were proven toothless during a cybersecurity breach in 2020.  The lawsuit, filed Monday against SolarWinds…

Read More

Fresh Stats on Cyber & Privacy Risks

key controls

We have a fascinating new snapshot of cybersecurity risks these days — including companies racing to embrace cloud computing without fully understanding the security fundamentals, insecure mobile applications, and persistent bad habits with software patching and encryption. Said snapshot comes from Coalfire, one of the more notable cybersecurity and compliance software firms, which just released…

Read More

Notes on the MGM Cyber Attack

MGM

As you may have already heard, earlier this week MGM Resorts suffered a ransomware attack that disabled multiple MGM properties, including its flagship MGM Grand and Bellagio casinos in Las Vegas. This raises an interesting question for compliance and audit professionals: How would the SEC’s new rules for disclosure of cybersecurity attacks apply to something…

Read More