Posts Tagged ‘cybersecurity’
Pointers on Preventing Ransomware
Among the many interesting discussions I heard at the Institute of Internal Auditors’ global conference this week, one particularly compelling session was about ransomware: how attackers try to foist it upon companies, and the internal controls you could implement to keep such attacks at bay. Since ransomware risk is going nowhere but up these days,…
New York Fines Carnival $5M on Cyber Fails
Financial regulators in the state of New York just served up quite the example of cybersecurity enforcement, with a $5 million fine slapped against Carnival Corp. for failing to report several cybersecurity breaches in a timely manner and failing to implement required technical controls that would’ve reduced the odds of those attacks in the first…
Cybersecurity Risk: Something’s Happening
I was working at my desk last week when the phone rang. At the other end of the line was my friend the cybersecurity auditor. “Dude, we have to talk,” he said. “Our team here has discovered an issue.” Ummm, a lot of people in our line of work have issues, I replied. Can you…
NIST Pushes More Use of Impact Analysis
NIST, everyone’s favorite publisher of cybersecurity standards, is asking for public comment on another good idea: how to use business impact analysis to guide your risk prioritization and response efforts. Performing a business impact analysis (BIA) is already an important element of business continuity and disaster recovery planning. True, most cybersecurity and data privacy frameworks…
Comments on SEC Cyber Proposal
We continue our focus on cybersecurity compliance today with a return to the SEC’s proposals for expanded disclosure of cybersecurity risk in corporate reports. The public comment period for those proposals closed last week, and compliance officers have a bundle of interesting points to ponder. The SEC received dozens of comments, and to no surprise…
Some Thoughts on IT Workforce Risks
Looking for another reason to worry about the long-term success of your compliance, audit, or risk management efforts? Fear not! A recent report on workforce development in cybersecurity paints a stark picture of just how challenging it is these days to build and maintain a good team. The report comes from ISACA, the professional association…
Russia’s Effect on Supply Chains, Compliance Risk
The Ethics & Compliance Initiative hosted its annual conference this week, including a panel discussion about Russia’s war against Ukraine and its long-term implications for corporate ethics and compliance. The speakers spooled out a bundle of useful observations, so let’s take a few minutes to recap those points and ponder them a bit more. The…
SEC’s Push for Better Cyber Governance
Today I want to revisit the SEC’s proposed new rules requiring public companies to disclose more about their cybersecurity risks. Those plans would obligate companies to discuss how the board and senior management address cybersecurity risk at a strategic, enterprise level. What’s that all about? In a previous post about the SEC proposals, I considered…
SEC Proposes Cyber Disclosure Rules
The Securities and Exchange Commission has proposed new rules that would require all public companies to disclose much more about how they manage cybersecurity risks and to disclose “material cybersecurity incidents” to investors promptly. The commission voted to propose the new rules on Wednesday morning — and to be clear, these are proposed new rules,…
Bulletin on Russia Cyber Threat
The United States’ top cybersecurity regulator published a special bulletin this week listing numerous measures companies should implement immediately to ward off possible attacks from Russia during its Ukraine invasion. CISA, the Cybersecurity and Infrastructure Security Agency, issued the bulletin on Tuesday in conjunction with the Department of Homeland Security. Both agencies stressed that they…