Thoughts on Corporate Risk and How Companies are Handling the Challenge
"I don't know that much about cyber, but I do think that's the number one problem with mankind." Warren Buffett, 2017 Last fall, the new owner of Yahoo’s web business, Verizon, shared that forensic experts had discovered that all 3 billion of Yahoo’s user...
Conduct risk management began gaining traction in the financial services industry as a way to minimize the probability of another financial meltdown. The Equifax cyber meltdown exposed the close connection between managing conduct risk and cyber risk.
In a recent Westlaw Journal article, I shared my conviction that the effects from the massive Equifax breach are only beginning to be felt. I believe this breach will have far reaching effects and perhaps change cyber law forever.
The strong technical background most CISOs bring to their position is a powerful asset, yet it can limit career growth if they fail to transition their perspective from technology to governance.
Pressure builds as the NY DFS cyber regulation deadline of February 15th approaches. Automation can accelerate meeting the requirements.
Here are six reasons why we think cybergovernance is a something to watch for in 2018.
Cybersecurity governance moved up during 2017 as the #1 concern of corporate directors.
Why aren’t business leaders making cyber risk management a higher priority?
Explore Workplace Issues, Predictions for Tomorrow, Careers and Protecting Infrastructure
How could the company think firing a couple of people is even the first step to solving the problem?
Be notified of new Journal entries in your email box or Follow us on Twitter.
October was the 16th annual National Cybersecurity Awareness Month (NCSAM). Read about the results of the first statewide cyber benchmark conducted for the banking industry.
There is a notable increase in governance discourse on the relationship of corporate purpose to sustainable revenue growth, in the context of changing social and political structures.
As we mentioned last month, managing conduct risk can improve attitudes about safe handling of customer data from the executive team down, and it encourages responsible initiatives that increase cyber resilience.
Just because insurance companies are gearing up to provide better cyber risk insurance it is still not the best excuse to be lax in cybersecurity practices.
Addressing cybersecurity effectively may seem like an undue burden and waste of institutional resources — until you are hit with a breach.
Relying solely on your IT department to handle cyber risk governance is asking for financial, legal, and institutional trouble when there is a breach.
You can give your IT department all the toys in the world, but that won’t solve your cybersecurity problems or comprehensively reduce your company’s cyber risk.
How transparent should your cybersecurity strategy be? Should cyber risk reduction be left in the hands of a few security experts or should it be an organization-wide effort to protect the company?
With the NIST framework used to measure federal agencies’ and department’s cybersecurity resilience, is it time for private institutions to gauge their own cyber defenses by the same or similar standards?
Not all cybersecurity frameworks are equal. While some companies recognize they need to utilize the most comprehensive plans, others will only implement the bare minimum putting other institutions at risk.
On March 16, we will speak and lead a panel at a Skytop Strategies conference on Cyber Risk Governance. Friends of Cybergovernance Journal who want to attend can get a 30% discount. We hope to see you there!
With the U.S. Government aiming to require agency compliance with the NIST Cyber Security framework, is making it part of a national cybersecurity regulatory plan that far off?
With the average cost of a cyber breach being $4 million (in addition to loss of future revenue and customers), what more motivation do board members need to take cyber risk seriously?
In the ever-changing world of cyber risk management, companies and organizations struggle for a way to get best available intelligence to their executive boards.
The monthly Cybergovernance Digest – check it out and sign up! Human hacking is one of the easiest ways for agents to create a breach, especially if company culture is not improved alongside technological cyber risk measures. LinkedIn Pulse, Feb. 8The psychological...
So you’ve finally committed your organization to a solid cybersecurity plan. How do you plan to monitor progress and find weaknesses?
The monthly Cybergovernance Digest – check it out and sign up! The worst way to deal with cybersecurity is to ignore the cyber risk your organization exposes itself to and then cover up evidence of the inevitable breach(es). Cybergovernance Journal, Jan. 23 The term...
The monthly Cybergovernance Digest – check it out and sign up! Spooked by data breaches and the bad press that accompanies them? It's never too late to obtain a cybersecurity audit and cultivate cyber risk mitigation habits. Cybergovernance Journal, Jan. 16How do we...
The monthly Cybergovernance Digest – check it out and sign up! Cybersecurity vulnerabilities don't just happen at the institutional level, but across interconnected and interdependent systems. A commonly adopted and widely accepted framework could lessen those shared...
The monthly Cybergovernance Digest – check it out and sign up! Government action on cybersecurity will be a hot topic this year as many nations focus on systems vulnerable to cyber attack with little in the way of defined policy to counteract it. Cybergovernance...
The monthly Cybergovernance Digest – check it out and sign up! While some strides in cybersecurity mitigation have been made in the past year, organizations as a whole still have much to do to keep threat actors at bay. Cyberscoop, Dec. 28It’s that familiar season...
Because there is no end point to establishing permanent cybersecurity, it is important to foster an organizational structure that is resilient, aware, and nimble.
A security breach can not only impact customer data, trade secrets or national security, it can also effect your company’s sale price.
Good cybersecurity planning can not only prevent an embarrassing, and costly, consumer data breach, but secure your intellectual property from theft.
As comprehensive cybersecurity practices become better defined we find that the scope has moved beyond organizations to encompass an internet of things; from refrigerators to pacemakers.
A strong cyber risk monitoring framework not only protects your organization from attack, but also augments your existing business strategy.
With a new incoming administration in the United States comes the possibility of a new direction and focus for government regarding cybersecurity.
As cybersecurity of digital infrastructure becomes increasingly vital, spreading risk around continues to be slowed by an ever-changing cyber threat landscape.
The insurance industry moving into the cybersecurity arena means the reduction of risk has to become more of a science than art.
A large problem in managing cyber risk is creating, and perpetuating, a culture within an organization that is security-aware.
Government bodies are working to ensure organizations build solid cybersecurity plans, which requires a board of directors who are committed to implementing them, which requires a cyber risk team that can provide actionable intelligence.
“Inconvenience,” hopelessness, or outright ignorance is not valid basis for cybersecurity strategy — especially when expert help is readily available.
As cybersecurity increasingly becomes a matter of national security, governments at the national and state levels vie to find regulatory solutions.
“Based on Gartner, NIST says 30% of U.S. organizations used the framework in 2015, and it expects usage to grow to 50% by 2020″
With multiple risk assessment frameworks available it’s time to evaluate which plans provide the greatest benefits, and which give a false sense of security.
Cybersecturity isn’t just protecting your technological infrastructure, but creating an organizational culture resistant to human hacking.
As the cybersecurity market matures and grows, some organizations are refining their policies while far too many are still lacking any policy at all.
Lax cybersecurity practices are increasingly becoming more of a liability for companies. Rather than being forced to by law or threat of legal action by stockholders and customers, a proactive company can get ahead of the coming regulatory curve. Cybergovernance...
>Keeping up with every external threat to your organization can be a Sisyphean task. Ensuring your company’s cyber resilience by focusing on internal practices in addition to physical infrastructure is achievable.
If organizations are hesitant or, worse, resistant to shoring up their cybersecurity practices, their insurance company and public shame may force them to.
With signs of a “cyber jihad” coming because of a mature hacking marketplace, organizations need to do more than rely on automated systems to protect themselves.
One of the problems of cybersecurity is that an assessment is a snapshot within a rapidly changing environment. This makes choosing a solid, reputable method of assessment for your organization all the more important.
Many companies still view cybersecurity as an IT-only problem. However, those who implement it with a holistic, institution-wide plan also reap the benefits of increased operational excellence.
It’s not recommended, when you are hit by hackers, that you cover it up to avoid liability. It’s better to have a comprehensive, holistic cybersecurity plan that is more than software plus the IT department.
At the federal and state levels, the U.S. government is making several moves to assist cybersecurity best practices; by establishing a federal CISO, ongoing cyber dialogs with China and increasing use of private, secure cloud networks for state business. Cybernance...
There is growing acceptance that cyber risk is a part of doing business. But how can a company or organization accurately gauge an acceptable level of risk?
The quantification of cyber risk is a hot topic as companies and organizations seek to insure themselves against security breaches.
One of the more common cyber attacks, phishing, is on the rise and many times it is coupled with ransomware. This is one of many reasons that, by 2020, most digital businesses will be affected by major service failures.
The $18M bank heist in Bangladesh is a case study in the result of not having a comprehensive cybersecurity plan in place. But which plan is best? NIST? The developing European approach? LinkedIn Pulse, May 31, 2016The NIST Cybersecurity Framework has won universal...
The vast majority of companies continue to be unprepared for cyber breaches, but will the passage of a “Sarbanes-Oxley” bill for cybersecurity provide the guidance and motivation to get them secure?
From a mixed Obama legacy on cybersecurity to institutional standards implementation to declaring cyber warfare, the US government is struggling to deal with cyber risk.
Cybersecurity leadership from an organization’s board is necessary to combat rising cyber risks like ransomware.
Being prepared and following best cybersecurity practices is the first step in preventing your data being stolen and sold on the dark web. SC Magazine, May 4Hold Security said the batch came from a “Russian kid” that one of its analysts found who had gathered 1.17...
Unprepared executives, losing sleep from cybersecurity issues, some not being able to read a cybersecurity report, are a cyber risk, not only to their careers but to their organizations.
One of the best markers that cybersecurity is rising in importance is looking at how the insurance industry is reacting to cyber risk. Another is to observe how national governments are reacting, or failing to act.
The price of reducing cyber risk is constant vigilance. It is not a duty reserved for the IT department or a few executives, but an organization-wide effort of compliance and training.
Cybergovernance is slowly maturing with the refinement of the NIST framework, strategies to fill security positions and increasing awareness that the entire organization is responsible for cybersecurity.
Cybersecurity awareness continues to rise; and with it the realization that the business world is far behind. Shortages in security talent has driven salaries up and boardroom governance is still below where it needs to be.
Mounting cyber risks are reaching the point where they adversely effect insurance ratings. The entire organization must be involved in preventing breaches.
While a new crop of MBAs specializing in cyber security analytics are being trained, current executives still need to protect themselves and their companies. Basic cybersecurity practices are easy to implement, but comprehensive implementation requires a challenging amount of organizational discipline.
Personal and corporate liability for breaches is a hot topic and action is being taken by the financial industry.
The technological elements of cybersecurity remain the easiest to regulate and build. The human elements, on the other hand, require changes that many companies are too slow in adopting.
Ensuring cybersecurity is relevant and important to everyone in your organization, not just the IT department, is a challenge.
Turning cybersecurity theory into practice is a challenge in the government and business spheres. The real world consequences of overconfidence in partially implemented plans can lead to ransomware demands and data breaches, putting CEO and Boards at risk of litigation.
NIST Framework is gaining traction in government circles, but companies are still falling short of comprehensives solutions; instead relying on periodic risk assessments or throwing more experts at the problem. Financial Times, Feb. 11 Mr. Weil says companies need to...
Regulations, periodic assessments and theoretical models can only lead the way to a partial, but not comprehensive, cybersecurity solution. This is especially true when it comes to making cybergovernance accessible to executives — until now.
As security breaches, especially from state actors like China, increase risk, technological, legislative and framework strategies are evolving to counter them.
While state actors plot further government and corporate breaches, strategies are being further refined to deal with them. Cybersecurity responses are moving from ineffective single-point plans to comprehensive structural risk responses.
Companies and government entities started the year by better defining cybersecurity and how to protect themselves from cyber attack.
The holidays were, once again, an unhappy time for corporate cybersecurity. 2015 also saw most organizations lacking comprehensive cybersecurity.
Latest news and opinion on cybersecurity governance from Cybergovernance Journal
More companies around the world are coming to realize how vulnerable they are to cyber attack. Recent articles discussed legislation aimed at ensuring cybersecurity standards are met, vulnerabilities to national infrastructure and to businesses, and how cyber affairs...
Cybergovernance is a hot boardroom topic – globally! The consensus is that success in mitigating cyber risk must involve an increased level of understanding by executives and board members, and increased education and awareness throughout the organization.
As more breaches happen and shareholder lawsuits follow, discovering how your organization as a whole, not just the technology team, deals with cybersecurity grows in importance. Directors must also understand how data must be handled in order to combat global espionage that is growing with the rise of global workforces.
The visibility of cybersecurity breaches as a source of corporate risk continues to grow. Recent articles discussed adding cybergovernance experts to boards, regulation in the financial services and healthcare industries, and worldwide concern for better security and...
Members of the U.S. futures market will soon be measured against heightened cybersecurity standards geared towards enhancing incident preparation, prevention, and response among industry participants regulated by the National Futures Association (NFA) Read Article...