Sunday, March 7, 2021
Corporate Compliance Insights
Consequences of Falling Behind Cyber Risk Management Standards: Federal Warning Beacons

by Jason Straight
October 7, 2014
in Risk

The steady stream of high-profile data breach incidents we’ve seen over the last few years makes one thing clear: cyber risk is a serious concern for virtually any enterprise. Disruption of day-to-day business operations and damage caused by the exposure of critical intellectual property or consumer information are just a couple of examples of potential fallout from an information security incident, not to mention a tide of expensive and embarrassing litigation and the possibility of damaging regulatory inquiries or compliance actions.

Federal agencies extend their reach into cybersecurity

Not convinced? One need only look at the breadth of publicly disclosed document requests from the Federal Trade Commission (FTC) in response to recent data breaches to get a sense of the entirely new level of scrutiny regulators are focusing on information security risk management practices following a serious breach incident. Other federal agencies, such as the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC), are also extending their reach by issuing new guidance on cybersecurity. Even congressional committees are getting into the act.

Here’s a telling example: In a recent case involving an alleged violation of Section 5 of the FTC Act, the agency requested a stunning range of documents to assess the sufficiency of the defendant’s information security practices, including all “communications … about any security incident at any point in time,” all “forensic reports or analyses relating to any security incident” and all “external vulnerability scans provided to the company.”

Another example: In the wake of the notorious incident in which 70 million records were stolen from Target in November and December 2013, the House Committee on Energy and Commerce sent the company a letter giving it eight days to produce all “written policies or guidelines relating to threat monitoring, network security or point-of-sale system protection … from January 1, 2012 to the present” and all “e-mail correspondence, analyses, reports or any other communications relating to the Kaptoxa malware or to point-of-sale system security or any other information security systems implicated in this breach.”

Think about how your organization would respond to requests like these. Then consider the cybersecurity initiative recently published by the SEC’s Office of Compliance Inspections and Examinations (OCIE), which provides a sample list of “requests for information” the agency says it could use when examining broker-dealers and registered investment advisers on cybersecurity issues. Among the specific sample requests are:

  • A copy of the firm’s written information security policy
  • Documentation of periodic risk assessments, including responsible parties and findings
  • Identification of “published cybersecurity risk management process standards” used to model the firm’s information security architecture and processes
  • Documentation of practices surrounding online account access by customers
  • Documentation of cybersecurity risk assessments of vendors and business partners

For its part, the CFTC has released a set of recommendations for developing, implementing and maintaining a written information security and privacy program, including:

  • Designation of a specific employee “with privacy and security management oversight responsibilities”
  • Design and implementation of policies and procedures for responding to an incident
  • Identification of “all reasonably foreseeable internal and external risks to security, confidentiality and integrity of personal information”
  • Regular testing of the safeguards’ “controls, systems, policies and procedures” and maintaining a written record of their effectiveness
  • Testing of the safeguards by an independent party at least once every two years
  • An annual assessment of the program to be provided to the Board of Directors

How does your organization measure up against these guidelines? If the answer is “not so well,” you’re not alone. Cybersecurity is a relatively new challenge, and many organizations still lack a detailed, formal program for mitigating information security risk that goes beyond IT and involves collaboration with legal and other key business functions.

On the bright side, the process of developing a unified risk management program is often a valuable opportunity for companies to accurately analyze the true risks—and ultimately, the costs—involved in major initiatives.

How to respond now: Establish a unified risk management program

Get proactive about cyber risk management. Being proactive means treating the problem as more than a compliance issue or “check-the-box” exercise. Instead, the goal is to develop a risk profile through an examination of the actual risks that stem from the unique characteristics of your business. Even if you already have a robust information security management program, proactive risk management will help you understand whether you should be doing more and how you can reprioritize security spending for optimal effectiveness. Generating detailed responses to the following questions is a good start:

  • What critical data should you be most focused on protecting?
  • What are the specific threats to each type of critical data?
  • What is your organization’s vulnerability to those specific threats?

Align legal and IT security before an incident occurs, because a lack of communication, cooperation and shared accountability among departments in the incident response process can exacerbate the damage of a breach event. Even IT staff and consultants who are trained in incident response may not understand the importance of creating a detailed, defensible record of response measures that will help address subsequent legal and compliance challenges down the road.

Embrace a risk management philosophy based on convergence among multiple business functions to effectively manage sophisticated cyber threats. In conducting workshops for companies seeking better ways to manage cyber risk and respond to incidents, we’ve found that the best approach is to bring leaders from legal, IT, corporate security and risk management together for an open dialogue. For example, in a recent engagement with a large financial services firm, we found that by bringing leadership together we were able to illuminate specific risks associated with third-party service providers based overseas and take the necessary concrete steps together as a team to assess and mitigate those risks.

Incorporate cyber risk assessment into your company’s strategic planning process so you can quickly and effectively assess the risks involved in new opportunities, such as a potential merger or acquisition, a venture into a foreign market where data protection laws are less robust or the release of a new web-based service to improve speed to market and maximize profit opportunities. Providing the key business executives with actionable intelligence regarding the nature of previously unknown risks can have a material impact on your approach to closing a transaction.

The Benefits of Planning

The pressure on attorneys and compliance staff to get a handle on information security risks has reached unprecedented levels. There is, however, a clear path to mitigation, and it begins with the recognition that all stakeholders need to come together to define the organization’s true risk profile and develop an effective—and defensible—cyber risk management plan.

Careful, unified risk management planning will not only help your organization identify business strategies and tactics that are unreasonably risky, it will also position you to move ahead promptly with transactions or other initiatives that might have foundered if risk analyses were performed independently by separate departments.


Jason Straight

Jason Straight is Senior Vice President and Chief Privacy Officer with UnitedLex, a leading global provider of legal services and cyber risk mitigation solutions. Jason has more than a decade of experience assisting clients in managing information security risks, data breach incidents, data privacy obligations and complex electronic discovery challenges. Prior to joining UnitedLex, Jason held numerous leadership positions at a leading global investigations and cyber security company, most recently as a managing director in the cyber investigations practice. Jason began his career as an attorney at Fried, Frank, Harris, Shriver & Jacobson in New York. As a recognized domain expert and Certified Information Privacy Professional (CIPP), Jason is a frequent speaker and author on topics relating to data privacy, cyber security, data breach response and computer forensics.
