As we noted in our recent blog post, “What do the SEC’s New Cybersecurity Risk Guidelines Mean for You as a Board Member?”, the Commission is increasingly focused on cyber risk as it pertains to disclosure requirements. The 2018 guidance addressed one of the criticisms of the original 2011 guidance – namely, that it lacked the teeth of enforceability.
Axio announces a new strategic partnership with North Highland, a global management consulting firm. We will be providing North Highland’s energy and utilities clients with our unmatched technology and services, all geared to addressing and protecting against cybersecurity events.
Idenhaus recently attended AIG and Axio’s Executive Risk Summit, which brought together a panel of insurance experts to discuss cyber risk management. Cyber exposures are expanding rapidly as businesses move their IT systems to the cloud and adopt the Internet of Things (IoT) and Bring Your Own Device (BYOD). These changes introduce fundamental new threats to businesses of all sizes and shapes.
This week, the Securities and Exchange Commission (SEC) published updated interpretive guidance on cybersecurity disclosure requirements for public companies. Following significant post-breach reporting delays from SEC-regulated entities, including Yahoo and Equifax, the Commission clearly desires to standardize cyber disclosure practices surrounding impactful cyber events. As noted in the interpretation, “[T]he Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” The investing community and public at large should welcome this standardization as a step in the right direction for fair markets.
Everywhere we turn, vast amounts of facts, figures, numbers, records and files are being processed, interpreted, organized, structured and presented in a way that turns those data bits and bytes into meaningful information. Putting the raw data into context is what makes information useful for business decisions and underlies many dashboards being developed across the enterprise. Data and information are important components for measurement and, if put into a suitable context, may also become meaningful metrics.
It has been nearly two weeks since the disclosure of the Spectre and Meltdown vulnerabilities. Here at Axio, we have been quietly monitoring the research community’s discussions about the severity of these vulnerabilities as well as user experiences in applying mitigation measures to fix the issues.
Ever since the Federal Energy Regulatory Commission approved mandatory cybersecurity standards for the nation’s grid, self-proclaimed gurus and experts have been making a headache of things. The Critical Infrastructure Protection (CIP) standards are one of the few compliance requirements that can monetarily penalize asset owners/operators for poor cybersecurity hygiene. And all the cool kids want to be CIP “ninjas.” But how do hiring managers, engineers, or IT peers know that the person they are talking to is really a CIP master?
In February 2014, the US National Institute of Standards and Technology (NIST) released the first version of the Cybersecurity Framework (CSF), as directed by Executive Order 13636. Later that year, Congress passed the Cybersecurity Enhancement Act and solidified NIST’s role with critical infrastructure owners and operators, through support and facilitation of cybersecurity risk frameworks. Over the past three years, NIST has held multiple workshops and collected comments across industry, academia, and government agencies.
In today’s modern and dynamic environment, the audit profession must evolve continuously and synergistically with the business and technology changes that occur every day.
I am writing to give you the skinny on KRACK, the attack, and to provide some of the “facts” along with some recommendations for what to do now. The bottom line is that your devices ARE vulnerable to this newly discovered attack. Practically every WiFi-enabled device is affected. Computers and mobile devices will likely get updates in the near future, though IoT and embedded devices may be a different story. You will want to update your devices as vendors release patches. You may also consider getting in compliance with your backup policies now to save frustration later.
This past summer we witnessed various blue-chip firms like Maersk, Merck, FedEx and Mondelez, none of whom likely anticipated the reality of a major cyber event, all declare major impacts on operations and in some cases a resulting impact of hundreds of millions of dollars in losses. The leaves are now falling and so are the executives at Equifax, with more almost certainly on the way, compensation clawbacks being discussed, and years of litigation ahead. Most recently we’ve seen Deloitte suffer the exact fate that it proudly attempts to help thousands of clients avoid. While all of these companies are different, they likely share a common thread: investing an incredible amount of money in security technology, employing many capable security professionals, and thinking that their losses would be insured. Does anybody still believe that the current cybersecurity paradigm is working?