Business Cyber Risk
Analyzing the Global Impact of Cybersecurity, Law, and Business Risk
Business Cyber Risk

Is the law evolving to hold individuals–specifically the CISO–responsible for companies’ cybersecurity failures?

Is the law evolving to hold individuals — specifically CISOs — responsible for companies’ cybersecurity failures? In my opinion, the answer is yes, albeit slowly and incrementally, but it certainly appears to be moving in that direction. Here are some of my thoughts on the SEC’s recently issuing a Wells Notice to SolarWinds’ executives —…

Read More

A few quotes from my keynote at SecureWorld Boston

Following the outstanding SecureWorld Boston event, my friends at SecureWorld shared Highlights and Insights from SecureWorld Boston 2023 and were kind enough to include a few quotes from my lunch keynote — let me know what you think and please offer your perspective on these ideas: For my friends in the Houston area, get ready,…

Read More

Join me and #EnterpriseUniversity for Real-World Cyber Risk Management and Resilience Planning on March 28, 2023!

On Tuesday, March 28, 2023, I will be teaching a class on Real-World Cyber Risk Management and Resilience Planning as part of #EnterpriseUniversity Enterprise Bank & Trust’s education program for business leaders and professionals! Join me for this course, and take a look at all of the live, virtual courses available at no cost to…

Read More

HHS Releases HPH Sector Cybersecurity Framework Implementation Guide to Help Healthcare Organizations Leverage NIST Cybersecurity Framework

On March 8, 2023, the U.S. Department of Health and Human Services (HHS) released its HPH Sector Cybersecurity Framework Implementation Guide (the Guide) to help healthcare organizations leverage the NIST Cybersecurity Framework. This Guide is not only a must-read for all healthcare “covered entities,” especially small and midsize organizations, but it is excellent advice for…

Read More

FBI, CISA, MS-ISAC Joint Cybersecurity Advisory – #StopRansomware: LockBit 3.0

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) routinely release a Joint Cybersecurity Advisory (CSA) as part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. On March 16, 2023, they…

Read More

Boston Area Friends – Join me for the lunch keynote at SecureWorld Boston on March 23!

I am super excited to share that next week I will be headed to Boston to speak at one of my absolute favorite conferences each year — the United States’ preeminent cybersecurity conference — SecureWorld! On Thursday, March 23, 2023, I will present the lunch keynote on Cybersecurity Really Is a Team Sport, since folks…

Read More

The White House Cybersecurity Plan – the Devil is in the Details

“The devil is in the details” — that about sums up my take on the White House Cybersecurity Plan. Many thanks to Lily Newman for including this and some other points from our discussion in her Wired article The High-Stakes Blame Game in the White House Cybersecurity Plan. I appreciate that the Administration is talking…

Read More

Charlotte, NC Area Friends – Join me at SecureWorld Charlotte on March 1 & 2!

I am super excited to share that next week I will be headed to Charlotte, North Carolina to speak at one of my absolute favorite conferences each year — the United States’ preeminent cybersecurity conference — SecureWorld! On Wednesday, March 1, 2023, I will be leading a full day workshop for SecureWorld Plus registrants on…

Read More

Shareholders Can Sue Corporate Officers for Breach of Duty of Oversight in landmark Ruling — CISOs and CPOs, You Listening?

In a landmark ruling, the Delaware Court of Chancery has recognized that corporate officers owe the company a legal duty of oversight, which has traditionally been an obligation solely of directors, and can be sued by shareholders for breach of that duty. In the cybersecurity and privacy context, what does this mean for Chief Information…

Read More

SEC Continues to Emphasize Importance of Cybersecurity and Cyber Risk Governance

“While this is an oversimplification of all of the requirements and nuances of the forthcoming SEC rules, the SEC’s objectives are to require companies to provide meaningful and actionable information to shareholders to better understand companies’ cyber risks and how companies are managing and responding to them. From a very high level, this can be…

Read More
%d bloggers like this: