The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Benchmarking

  • From Vol. 4 No.22 (Jul. 25, 2018)

    Companies Face Increasing Cost of a Data Breach and an Inability to Detect Incidents Promptly, Surveys Show

    Two recent surveys, one by IBM and the Ponemon Institute showing that the average total cost of a data breach is $3.86 million, and the second by Marsh & McLennan Agency revealing that most organizations do not know how to measure the cyber risk they face, seem to demonstrate a collective corporate sense of false security in an organization’s ability to handle a cyber incident. Seventy-eight percent of respondents to the MMA survey were fairly to highly confident their organization would be able to manage and respond to a cyber attack, but the IBM/Ponemon survey found it takes almost six months to identify an incident. The Cybersecurity Law Report takes a closer look at the results of these surveys and what they reveal about risk awareness and, perhaps, a certain measure of corporate torpor in addressing the likelihood of a data breach. See “Pillars of Effective Breach Detection, Response and Remediation” (Apr. 25, 2018).

  • From Vol. 4 No.21 (Jul. 18, 2018)

    GDPR Essentials for the Financial Sector: Compliance Steps (Part Two of Three)

    Can a bank or financial services firm partially comply with the GDPR? Some say it is an all-or-nothing proposition, but others assert that some economical steps can take a U.S.-based entity with limited E.U. contact most of the way. In this article, we discuss some of those compliance steps and how to preserve defenses to a class action that companies may be unwittingly waiving. The first article in the series discussed the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. The third installment in the series will examine special considerations of the law – such as determining the identity of controllers and processors and accounting for Member-State specificities – and will provide advice on monitoring ongoing compliance. See “What Are the GDPR’s Implications for Alternative Investment Managers? (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).

  • From Vol. 4 No.20 (Jul. 11, 2018)

    GDPR Essentials for the Financial Sector: Benchmarking and Assessing the Risks (Part One of Three)

    Most banks and financial services firms are certainly aware of the GDPR, but the level of compliance and focus on it varies across the industry. “There are inquiries about GDPR on information-sharing sites, such as ‘Have you done a risk assessment for GDPR?’” Jeff Patterson, executive vice president at ANB Bank, told The Cybersecurity Law Report, “but I don’t think a lot of the professional associations in the industry think it is a big risk at this point.” Is that a mistake? In this article, we discuss the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. The second installment in the series will address specific compliance steps and identify common errors. The third article will examine special considerations of the law – such as determining the identity of controllers and processors and accounting for Member-State specificities – and will provide advice on monitoring ongoing compliance. See “Countdown to GDPR Enforcement: Final Steps and Looking Ahead” (May 16, 2018).

  • From Vol. 4 No.1 (Jan. 17, 2018)

    Ten Cybersecurity Resolutions for 2018

    The start of the year brings new initiatives, new budgets and new risks. It is a good time to stop and ensure that your organization is taking the right steps. Even companies with mature information security practices must consistently reevaluate their needs and update their measures. The Cybersecurity Law Report spoke with several legal and technical experts to find out what they recommend companies prioritize in 2018 and compiled the resulting top ten cybersecurity action items for companies to tackle to ensure a more secure new year. See also “Ten Cybersecurity Priorities for 2017” (Jan. 11, 2017).

  • From Vol. 3 No.25 (Dec. 20, 2017)

    Benchmarking Employee Monitoring Policies for Practical Approaches

    Keeping current with evolving multi-jurisdictional legal requirements, technological advances and best practices in the employee-monitoring realm can seem like a constant scurry. It's not long after one policy is finalized and promulgated and its attendant training developed and administered that something often happens to raise doubts. It can help to know what some competitors are doing, what their experiences have been and the reasoning behind what they do. Panelists at a recent cyberSecure conference discussed how to keep employee monitoring policies up-to-date. In this article, we cover the key takeaways from the panel, including regulatory realities, employee pushback and cultural inhibitors that prevent maximum monitoring, as well as examples of where circumventing an on-the-job virtual Big Brother is desired and doable. See also “Effective and Compliant Employee Monitoring (Part One of Two)” (Apr. 5, 2017); Part Two (Apr. 19, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    Audit of Websites’ Security, Privacy and Consumer Practices Reveals Deficiencies Despite Overall Progress

    Email authentication and adequate privacy are among key challenges for the financial sector, according to a recent audit by the Online Trust Alliance. Its 2017 Online Trust Audit & Honor Roll, an annual benchmarking analysis about security standards, privacy practices, and consumer protection, evaluates approximately 1,000 websites with over 60 criteria taking into consideration the evolving threat landscape, regulatory environment and globally accepted practices. With its goal of pushing companies past compliance to “stewardship,” the Audit results serve as a benchmarking tool for companies to compare their own practices against OTA’s list of best practices, Jeff Wilbur, Director of the Online Trust Alliance Initiative at the Internet Society, told The Cybersecurity Law Report. With commentary from Wilbur, we explore the Audit’s results and recommended best practices. See also “Surveys Show Cyber Risk Remains High for Financial Services Despite Preventative Steps” (Jun. 28, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    Deloitte Survey Shows Getting Skilled Cybersecurity Talent and Addressing Cyber Threats Among the Top Challenges for Financial Institutions

    Financial institutions anticipate cybersecurity to be one of the top risks they will face over the next two years, according to a Deloitte survey. Exacerbating the challenge is recruiting skilled cybersecurity talent as well as obtaining near-real-time threat intelligence. The survey also found that some organizations have turned to corporate risk officers to assist them, while others have seen increasingly activist boards of directors. We analyze the results of the survey. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 3 No.17 (Aug. 23, 2017)

    SEC Report Cites Cybersecurity Progress Along With Gaps in Training and Compliance

    Despite progress since 2014 in developing cybersecurity policies, there are still some critical areas where asset managers fall short with cyber preparedness, according to a new SEC risk alert. One particular shortcoming the SEC sets forth is the failure of some firms to act upon their own codified cybersecurity policies. With expert insight and advice, we detail the new alert’s findings, recommendations and implications. See “What the Financial Industry Should Know to Recognize and Combat Cyber Threats (Part One of Two)” (Jul. 26, 2017); Part Two (Aug. 9, 2017).

  • From Vol. 3 No.16 (Aug. 9, 2017)

    What the Financial Sector Should Know to Recognize and Combat Cyber Threats (Part Two of Two)

    Financial Trojans are a widespread threat faced by the financial industry, and the U.S. is among the top five countries with the greatest number of detections, according to Symantec’s 2017 Internet Security Threat Report (ISTR). In a recent webinar, Symantec’s technical and threat experts provided insight on the key findings of the ISTR, with a focus on the latest and growing threats to the financial sector, noting that attackers will increasingly target large organizations and financial institutions. This second part of our two-part article series covering the ISTR and Symantec’s webinar details common sources of financial Trojans, looks at potential future attack targets and trends, and provides best practices for avoiding and mitigating these attacks. Part one summarized the threat landscape and the speakers’ insights on what common attacks look like, new threat actors and tools, and how to recognize them. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    Surveys Show Cyber Risk Remains High for Financial Services Despite Preventative Steps

    While financial services firms are spending more on key cybersecurity measures, the risk and the financial consequences of a breach remain high. Studies show that the average breach cost continues to rise in the U.S. and, for smaller financial firms especially, critical security gaps remain. This article highlights parts of three recent surveys conducted by Ponemon, TD Bank, and ACA Aponix with the National Society of Compliance Professionals that provide insight into the current state of vulnerabilities and benchmarking for financial firms. See “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).
