DHS Releases 4 Guidelines for Cyber Threat Info-Sharing

by Chris Talipsky 17. March 2016 13:39
Following the 2015 passage of the Cybersecurity Information Sharing Act (CISA), which we wrote about previously, the Department of Homeland Security (DHS) has released its guidelines for how government and the private sector are to share threat data. CISA is the largest piece of cybersecurity legislation to have passed in 2015, and it initially did not instruct the private sector and government on how threat data is to be shared or how personally identifiable information should be handled. Proponents of the legislation note that information is the biggest weapon against cyber threats and malicious actors, and that sharing it between the private sector and government will offer leverage against cyber attacks. The guidance also explains how the shared information will be used, which may allay opponents’ fear of misuse. DHS Secretary Jeh Johnson noted that “…Companies are required to remove personal information before sharing cyber threat indicators and DHS is required to conduct a privacy review of received information and has implemented its own process.”

The DHS guidance consists of four documents:

- Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government
- Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities
- Interim Procedures Related to the Concept of Cyber Threat Indicators and Defensive Measures by the Federal Government
- Privacy and Civil Liberties Interim Guidelines

It is important for companies in the private sector to read the appropriate guidance and make sure that they are in compliance regarding the data that is shared: some shared data receives liability protection and some does not.
Categories: cyber security

Cyber Security is Driving Board Engagement with Internal Audit

by David Ritzert 10. March 2016 12:14
Almost three out of four companies are now including cyber security risks in their internal audit plans, according to a survey of more than 1,300 IA professionals just released by Protiviti. This is an increase of 20% year over year, and stands in contrast to the findings reported in the Institute of Internal Auditors 2016 North American Pulse of Internal Audit, which concluded that internal audit leaders lack confidence in their staff’s cyber security capabilities (see our related blog). Suppliers and business partners are increasingly engaged with the issue as well. More than half of the survey respondents reported receiving inquiries from clients, insurance vendors, and customers about their cyber security posture. An important byproduct of cyber security risk becoming a fixture in the annual audit plan is that it is driving more Board engagement with the process. The Protiviti survey provided these important takeaways: in order to implement and maintain an effective cyber security plan, an organization must have a high level of engagement by its board of directors regarding information security risks, and it should also include an evaluation of cyber security risk in its current audit plan. Having directors more engaged with the internal audit process will provide further support for IA professionals as they seek to integrate increased cyber security measures into the overall enterprise risk management plan. This is a very positive trend.

Congress Gets CISA Passed in Omnibus Spending Bill

by Joe Clark 27. January 2016 10:04
Employing an age-old trick, Congress managed to get its Cybersecurity Information Sharing Act, or CISA, passed as part of the omnibus spending bill that President Obama recently signed into law. CISA is a contentious bill, with vocal proponents and opponents. It incentivizes companies and corporations to share data classified as a “cyber threat” with the federal government as a security measure. The thinking behind the bill is that corporations will share information they receive about cyber threats with one another and with the federal government. With this shared information, entities will be better prepared against future cyber attacks and better able to mitigate the current cyber threat landscape. Proponents argue that this type of bill will hinder future cyber attacks from those who were able to achieve relative anonymity in the past and will offer the government a better means of mitigating cyber threats. Opponents feel that the government’s definition of a cyber threat is too broad, and that the bill is a mandated violation of expected personal privacy and more a means of government surveillance. Had the President not signed the omnibus into law, there would likely have been a government shutdown. Though the Senate had not passed the bill, Congress placed it into the omnibus spending bill knowing it would likely get through.

Preparedness is Key in Managing Crises

by Ken Urish 14. January 2016 12:35
Not if, but when. That is the approach companies should take toward breach response planning in our current cyber security environment. Risk managers must prepare as though a breach or data security crisis will occur in their company. Looking at past breaches of companies big and small provides perspective on the actions that have worked best for such organizations. There are steps that can be taken that will mitigate damage and manage reputational issues. Before delving into what companies should be doing, it’s important to stress what doesn’t work, and what companies should not be doing. Making the wrong moves, even early, can diminish trust from stakeholders and customers and set in motion further, possibly irreparable, mistakes. One of the worst consequences of being unprepared is a lack of certainty about how to handle situations, and firms that aren’t prepared often shoot themselves in the foot through inaction. Part of that inaction is a hesitancy or delay in declaring the issue to stakeholders, clients, customers, etc. Such a delay can cause distrust among those who weren’t informed in a timely manner. Further inaction can cause issues to compound, which makes the situation even more difficult to deal with and to recover from. When any declaration or announcement is made regarding the situation, it should come from an informed place. Misrepresenting the facts or providing false information will only complicate issues further. Additionally, don’t make assumptions about what third parties are or aren’t doing to ameliorate the issue. Take the information you have and do the right things. A well prepared company will be focused on business continuity, key stakeholders, and data management. In order to keep things moving in the midst of a crisis, it’s important that you maintain stakeholders’ trust during this time. That is why preparedness matters so much.
You should be fostering and developing relationships with your stakeholders, so that trust is already present. Even if the trust is there, don’t lose sight of the human element. The stakeholders are people, and their feelings are important to listen to and to consider. Making fast, critical decisions will also instill trust in your abilities and keep things moving. Very importantly, a lot of data related to your business, and any data that was directly involved in whatever caused the incident, will need to be collected and reviewed by legislators, regulators, and lawyers. Having the necessary data in place keeps the process moving and maintains a level of transparency for everyone involved. It also avoids negative legal and regulatory consequences. Obviously, having the data readily available means having a plan in place to track and monitor important data. As you can see, preparation is the biggest part of what to do versus what not to do. A company that is prepared to deal with a crisis is already ahead of the game, and many missteps that would normally occur are naturally eliminated during a thorough planning process.

Seeking Cyber Resiliency in 2016

by Ken Urish 8. December 2015 11:40
In the evolving cyber risk management environment, cyber security is becoming an increasing priority for CFOs, risk managers and financial executives. This is evidenced by the projected increased emphasis on cyber security for 2016 disclosed by two recent surveys. Consulting firm Protiviti surveyed 650 CFOs and found that, while margins and earnings performance top the list of priorities for 2016, cyber security risks are the next highest priority. TD Ameritrade surveyed 300 senior finance executives and found that 41% of respondents identified data security as an area for increased capital expenditures for 2016. With this increased emphasis, CFOs are reacting to the increased sophistication and frequency of cyber attacks, and to a better understanding of the inherent financial risks. The true cost of a cyber breach is complex. A breach of intellectual property affects not just competitiveness; it also hurts market share due to reputational damage and loss of confidence by customers. Productivity suffers during the remediation process and throughout the internal changes (system upgrades, procedural changes, etc.) that tend to be implemented following a breach. Then there is litigation expense and, in many industries, fines and fees from regulatory non-compliance. Along with growing awareness of the true cost of a breach is the acknowledgement by many risk managers that it is "not if, but when" a breach will occur. Therefore, the focus of the increased expenditures is not just on defense, but rather on preparing for efficient breach response and containment. Investments are increasing in cyber insurance, forensic tools, and training staff in both protection and response techniques. In short, we are seeing a shift by CFOs and risk managers to a more proactive approach to cyber risk management. The goal: a cyber resilient organization.

Do Your Diligence – Cyber Risk in Mergers & Acquisitions

by David Ritzert 10. November 2015 11:34
As M&A activity increases, so too does the need for cyber security assessments. Cyber breaches are often in the news headlines; however, many companies have been slow to adopt cyber security risk procedures as part of their due diligence process. Companies that plan growth through M&A activity should assess the cyber risk associated with their acquisition targets. The value of the target, as well as of the overall enterprise, could be significantly impacted by a cyber breach. In addition to the potential loss in market value, an acquiring company that comes under attack can experience a major disruption to its normal operations, including increased costs and management effort being diverted to remediation and shoring up defenses, rather than to the integration efforts necessary to achieve the anticipated synergies from the transaction. When cyber security procedures are incorporated into the due diligence process, companies can proactively understand and mitigate the potential risks of acquiring a compromised entity. If your company is involved in M&A activity and you don’t incorporate cyber security procedures into the due diligence process, you could be putting your company and the contemplated transaction at risk.
Categories: Assurance

The Rising Tide in Risk Management

by Mark Gibbons 30. October 2015 15:59
Based on the results of a survey conducted in September 2015[1] with 150 directors of public company boards, it seems that directors are finally starting to understand their critical role in addressing cyber security. Indeed, cyber attacks are becoming more and more frequent, often targeting high-profile companies and their sensitive data and information. As the attacks become more widespread and damaging, the involvement of the corporate board in mitigating cyber risk has become an imperative. Of the 150 corporate board directors surveyed, 22% reported having experienced a cyber breach within the past two years, double the 2013 figure (11%). While those numbers are alarming, the good news is that 69% of corporate directors reported their board being more involved with cyber security than it was in the previous 12 months. Additionally, more than 70% of board members report having increased their company’s investments in cyber security within the last 12 months, and 28% have purchased cyber insurance. Though the tide seems to be turning, the survey results indicate that there are many corporate boards and directors that haven’t yet taken key steps to mitigate cyber risk and protect their digital assets. Only 34% of directors reported having conducted a formal assessment of their critical digital assets, while 32% have had an assessment but have no final strategy in place based on it. Furthermore, although third-party vendors are a critical source of cyber attacks, only 35% of directors have developed cyber risk requirements for their third-party vendors. Has your board performed a risk assessment of its critical assets? Do you have a plan in place to mitigate cyber attacks? Don’t be the 21% without a plan in place.

The full results of the survey, conducted by our Alliance partner BDO, are available from BDO.

[1] Survey conducted by Market Measurement on behalf of Urish Popeck’s alliance partner BDO.
Categories: Risk Management