Aug. 14, 2019

Capital One Breach Demonstrates Risk of Overlooking Vulnerabilities When Sending Data to the Cloud

A company that sends data to the cloud is only as secure as its cloud-service provider, a concept addressed in New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, taking effect March 21, 2020, which extends its requirements to the service providers of covered entities. While the recent Capital One breach involved a cloud-service provider, AWS, it also holds a different lesson, according to BlackCloak CEO and founder Chris Pierson. He told us that the real story of the Capital One breach is a misconfigured firewall appliance on a company’s server, a problem that can arise wherever the server is located, not only in a cloud-based environment. We share Pierson’s insight on how to prevent, detect and remediate a firewall misconfiguration, as well as how to mitigate risk when using a cloud-service provider. We will also cover the SHIELD Act in depth in an upcoming article. See “FINRA Report Addresses Common Cybersecurity Risks and Recommends Mitigation Measures” (Feb. 13, 2019).

Practical Implications of China’s New Cybersecurity Inspection Regulation

Does compliance with China’s new Regulation on the Internet Security Supervision and Inspection by Public Security Organs heighten the risk of exposing sensitive data to third parties and of disrupting network systems? The Regulation, which took effect on November 1, 2018, also raises concerns about more intrusive state action in the cybersecurity space: it has expanded the authority of the Public Security Bureau to perform cybersecurity inspections of internet-related businesses operating in China. In this guest article, Reed Smith attorneys Xiaoyan Zhang and Vincent James (Jim) Barbuto discuss some of the Regulation’s practical implications and the risk mitigation strategies that entities covered by it should consider. See “China Establishes Certification Scheme for Mobile App Operators” (Apr. 17, 2019).

Report Weighs In on Understanding and Mitigating Rising Data Breach Costs

The cost of a data breach has continued to rise, the time from breach to containment has lengthened, and organizations today are 31% more likely to experience a breach within two years than they were in 2014, according to the 14th annual Cost of a Data Breach Report, sponsored by IBM Security and independently conducted by the Ponemon Institute. For the first time, the Report also explored how the cost of a breach played out over time, finding that companies continue to incur costs even two years after the incident. On the bright side, the Report also found that certain factors significantly mitigated data breach costs. We examine these and other key findings from the Report with insight, including advice on keeping breach costs down, from Ponemon’s chairman and IBM Security’s content marketing manager. See also “Ponemon Report Cites Third-Party Risk Management Shortfalls and Offers Best Practices” (Dec. 19, 2018).

Kroll Adds Associate Managing Director of Cyber Practice in NJ

Michael Vega has joined Kroll as an associate managing director of its cyber practice in Secaucus, where he assists companies with strategic planning, digital research and security challenges. For more from Kroll, see “Keeping CISOs and the C-Suite Off the Witness Stand” (May 29, 2019).