Posts Tagged ‘cybersecurity’
NY-DFS Proposes Updated Cyber Rule
Big news for audit and GRC professionals in the financial services world: the New York Department of Financial Services has proposed numerous updates to its Cybersecurity Rule, which would place more responsibilities on the CISO and impose more exacting standards for cybersecurity policies, procedures, and other control activities. The Department of Financial Services (DFS) unveiled…
Another FTC Cyber Enforcement Case
Another week, another enforcement action from the Federal Trade Commission to remind the rest of us what steps we should take to protect consumers’ personal data. This time the company going to the woodshed is Chegg, an education tech company that lumbered along for years with poor data protection practices. Chegg provides textbooks, study aides,…
Bold FTC Action Against Drizly
Fascinating enforcement action from the Federal Trade Commission this week, which brought charges of poor cybersecurity practices against an online liquor store and its CEO personally — who will need to abide by the terms of the consent order even if he leaves the company and takes another job elsewhere! The company is Drizly.com, which…
NY DFS Strikes Again on Cyber
A vision insurance company based in Ohio has agreed to pay a $4.5 million penalty to regulators in New York, to settle charges that the company’s poor cybersecurity practices led to a data breach in 2020. It’s a small but informative case for all you and privacy compliance enthusiasts out there. The company in question…
Twitter, Part II: Security Control Failures
Today we return to that whistleblower complaint against Twitter announced to the world last week. The complaint contained all sorts of allegations about poor cybersecurity and privacy governance — so what were those allegations, exactly; and what lessons can other compliance and audit professionals learn here? As you might recall from our previous post, the…
Fresh Approaches to Cybersecurity Risk
Every regulator and their uncle is climbing aboard the cybersecurity bandwagon these days. Before that bandwagon starts rolling away with itself, however, we might want to ask whether corporate audit and compliance teams, and even the regulators themselves, are going about all this in the wisest way possible. Two recent posts on Radical Compliance capture…
Lessons in the HanesBrands Cyber Attack
Before we all forget, compliance and audit professionals should note that HanesBrands coughed up an ugly quarterly report last week — and one principal reason for that awful report was a ransomware attack that apparently cost HanesBrands $100 million in lost revenue. The ransomware attack itself is not news; Hanes disclosed the matter on May…
Attestations for Cyber Controls
Last week I was in Atlanta speaking to a group of IT auditors. Conversation turned to the SEC’s proposals for expanded disclosure of cybersecurity risks, and attendees raised a good question: Does this mean that CISOs and other executives will need to attest that, yes, the company’s cybersecurity measures are effective? Under the text of…
CFPB Warning on Data Protection
The Consumer Financial Protection Bureau has issued a fresh warning to financial firms that they must keep customer data safe, and cited three specific cybersecurity controls as measures that firms should implement if they want to avoid liability under federal consumer protection law. The CFPB fired its warning shot on Thursday afternoon in the form…
On Wisconsin and Cyber Risks
IT audit professionals looking for a fresh example of cybersecurity risk to study should turn their gaze to Wisconsin. A voter fraud conspiracy theorist there uncovered what is indeed a legitimate risk to election integrity, and his discovery speaks volumes about taking a risk-based approach to design of internal controls. The gadfly in question is…