Posts Tagged ‘cybersecurity’
Notes on the MGM Cyber Attack
As you may have already heard, earlier this week MGM Resorts suffered a ransomware attack that disabled multiple MGM properties, including its flagship MGM Grand and Bellagio casinos in Las Vegas. This raises an interesting question for compliance and audit professionals: How would the SEC’s new rules for disclosure of cybersecurity attacks apply to something…
Cyber Failure Leads to False Claims Penalty
We have a fascinating enforcement action from the Justice Department this week, where a subsidiary of Verizon has agreed to settle charges that its failure to meet certain cybersecurity standards as part of a government contract qualified as a violation of the False Claims Act. Verizon Business Network Services, an IT services subsidiary within the…
Canadian Bank Needs Spy Compliance
Nutty news from up north: Canadian regulators have forced a bank there suspected of ties to the Chinese government to cut ties with its three founders, relocate to new headquarters with better security, sweep the corporate premises for bugs, and hire two senior compliance officers — including a “national security” compliance officer who will need…
Thoughts on Data Security
This week I’m attending the ISACA-Institute of Internal Auditors GRC Conference in Las Vegas. As one might imagine, data security is all over the agenda, so I’ve been taking notes for those audit and compliance executives back home looking for suggestions on how to make your GRC efforts better. For starters I attended a fascinating…
A Look at Actual Cyber Disclosures
Today I want to return to cybersecurity disclosures. Before we even get to the Securities and Exchange Commission’s new rule for expanded disclosure of cybersecurity issues, perhaps we should pause to consider: what have companies already been disclosing about cyber incidents? After all, the most contentious part of the SEC’s new cyber disclosure rule is…
SEC Adopts Cyber Disclosure Rule
As expected, the Securities and Exchange Commission adopted new rules today requiring publicly traded companies to make more disclosures about the cyber risks they have and the specific cyber attacks they suffer. The final rules are largely in step with what the SEC first proposed last year: annual discussion of cyber risks in the company’s…
SEC’s Cyber Disclosure Expectations
While we all wait for the Securities and Exchange Commission to adopt new rules for cybersecurity disclosures later this week, we should also heed a recent speech from the SEC’s head of enforcement, where he outlined five principles that will guide how the agency thinks about corporate liability for cyber attacks. Enforcement chief Gurbir Grewal…
SEC to Vote on New Cyber Rules
The Securities and Exchange Commission will, at long last, vote next Wednesday on new rules that would require companies to make expansive new disclosures about their cybersecurity risks and the cyber incidents they suffer. The SEC originally proposed the rules in March 2022 — and they have been a sleeper issue in SEC rulemaking while…
Is Cyber Driving the CCO-Board Relationship?
We begin this week with yet another compliance benchmarking report, this time from Navex: a deep look at how compliance officers engage with senior management, and whether cybersecurity concerns, rather than anti-corruption, might be driving the board’s attention to compliance these days. Navex published the report late last week. It polled more than 1,300 compliance…
A Closer Look at SOC Audits
Anyone involved in cybersecurity or privacy compliance knows that one handy tool to assess your vendor risks is a SOC audit. Now, at long last, we have a report that explores an important question: Just what do all those SOC audit reports actually examine, anyway? The report comes from CBiz MHM, a mid-sized accounting and…