Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Bitsight and Google collaborate to reveal global cybersecurity performance
This joint study between Bitsight and Google arms organizations with actionable insights, providing the current status of global cybersecurity performance by analyzing nearly 100,000 global organizations across 16 cybersecurity controls and nine industries amid heightened stakeholder demands on cybersecurity strategy.
The goal of the General Data Protection Regulation (GDPR), which goes into effect in May 2018, is to protect the fundamental rights and freedoms of individuals in the EU as it pertains to their personal data. As you might imagine, it is a broad and complex piece of legislation, with far-reaching implications for businesses inside and outside the EU.
Financial regulators have long been concerned about the cyber risk associated with third-party-supplied products or services in financial institutions. For example, in 2013, federal financial regulators issued guidance to financial institutions on how to manage third-party cyber risk. In the years since that 2013 bulletin was published, attention on third-party risk has continued to increase, and the topic has been included in several sets of examination priorities published by the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), and the Federal Reserve.
Over the last 5-10 years, we’ve seen a major uptick in the number of regulations across all sectors regarding cybersecurity. The following is a brief look at how cybersecurity regulations have been implemented across seven sectors and divisions.
The Federal Deposit Insurance Corporation was brought into existence in 1933 in the wake of the catastrophic bank failures of the Great Depression. The FDIC's most recognizable function is insuring deposits up to $250,000, meaning that if a bank fails or gets robbed by the Dillinger Gang, customers don't lose their life savings. Additionally, the agency serves a regulatory and supervisory function by keeping an eye on the country's financial institutions. To maintain its integrity and the trust of the American consumer, the FDIC must be accountable and forthright. However, a July 12th report by the House Committee on Science, Space and Technology found that Lawrence Gross, the FDIC's Chief Information Officer, may have deliberately withheld information about several data breaches that occurred between 2015 and early 2016.
In 2002 California became the first state to pass a data breach notification law, requiring companies doing business in the state to disclose any breach of the security of computerized data that includes personal information. The law went into effect in July 2003 and, in the intervening years, the majority of states followed suit. Today 47 out of 50 states (and the District of Columbia) require companies to notify the Attorney General or another state agency in the event of data loss. As of this writing, there is no national notification requirement, but in 2015 S.177, the Data Security and Breach Notification Act, was introduced in Congress by Senator Bill Nelson (D) of Florida.
This is the third post in a series exploring how Security Ratings can address key components of the NIST cybersecurity guidelines. You can read the first post here and the second post here.
In recent months, we’ve seen a variety of regulators from Finance to Defense cite the importance of third party cyber risk management. You can now add the Federal Trade Commission to the list.
This is the second post in a series exploring how Security Ratings can address key components of the NIST cybersecurity guidelines. You can read the first post here.
This is the introductory post in a series exploring how security ratings can address key aspects of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The purpose of these posts is to outline how security and risk professionals can leverage Bitsight's ratings to drive better risk management through the lens of the NIST framework.
In recent years, the US government has become a leading advocate for continuous monitoring of security threats and vulnerabilities. But how effective are departments and agencies at implementing these programs? And how do we measure success?
In his 2015 State of the Union Address, President Barack Obama mentioned the importance of improving America's cybersecurity and what he believes it will take to make it happen. Below is a review of the most interesting statements and initiatives mentioned in the address or recent media coverage, and the potential impact each could have on American Information Security.
In 2011, the SEC issued a set of disclosure guidelines that told companies to disclose any potential cyber risk, possible effects of that risk, as well as the status of internal controls and risk management procedures in place. It was a grand idea, one that had the potential to protect investors and boards by keeping them in the loop when it came to matters of security. Unfortunately, its grand potential wasn’t brought to fruition. The guidance was never updated to account for the growing frequency of security breaches, and companies were failing to report cyber incidents. Now, the SEC is revisiting the issue and considering turning those guidelines into standards so that companies will have to live up to the level of transparency their investors have come to expect.
In a previous blog post, we outlined federal initiatives to pass a data breach notification law that would simplify the current myriad of state regulations. In the wake of the Target and Neiman Marcus data breaches, legislators and government officials called for a national data breach notification standard. While bills have been introduced, little action has been taken beyond Senate or House subcommittee hearings. High-profile breaches brought this issue into the consciousness of the American public and government, but the need for transparency is even more pressing because of the high volume of unreported breaches: our own analysis found that in our home state of Massachusetts alone, 1 million residents had their PII compromised in healthcare breaches during 2007-2011. Yet the lack of movement in the US federal government does not mean data breach notification has been a stagnant issue in other countries or at the state level. In this post, we round up some interesting legislative initiatives happening around the globe and in US state governments.
Since California became the first state to enact a security breach notification law in 2002, 46 states and the District of Columbia have enacted similar disclosure laws. These laws follow the same basic tenet that "companies must immediately disclose a data breach," a burden that is most stringent when the compromised data could be classified as personally identifiable information (PII), such as name, social security number, date of birth, mother's maiden name, etc.
There’s certainly been a lot of talk about third-party risk recently. There’s been the fallout from the Target breach and the role a subcontractor played in that incident. Then there was the U.S. Department of Homeland Security incident, in which the DHS reportedly exposed private documents of at least 114 contractors that bid for work at the agency, as well as plenty of discussion of third-party risk to critical infrastructure. And there’s also been considerable attention given to third-party risk as it relates to financial services companies.