A company that sends data to the cloud is only as secure as its cloud-service provider – a concept addressed in New York’s Stop Hacks and Improve Electronic Data Security Act, taking effect March 21, 2020, which extends its requirements to the service providers of covered entities. While the recent Capital One breach involved a cloud-service provider, AWS, it also holds a different lesson, according to BlackCloak CEO and founder Chris Pierson. He told us that the real story of the Capital One breach is about when there is a misconfiguration of a firewall appliance on a company’s server, which can happen regardless of where the server is located – not just in a cloud-based environment. We share Pierson’s insight on how to prevent, detect and remediate a firewall misconfiguration, as well as how to mitigate risk when using a cloud-service provider. We will also cover the SHIELD Act in depth in an upcoming article. See “FINRA Report Addresses Common Cybersecurity Risks and Recommends Mitigation Measures” (Feb. 13, 2019).