Uber’s Settlement With FTC Emphasizes Companies’ Need for Cyber Risk Management Programs

The FTC and Uber have settled the enforcement action the FTC brought against the company. This action stems from Uber’s data breach of more than 100,000 individuals’ PII despite its promises that their data was “securely stored within our databases.” The FTC found this promise was misleading when compared with the actions the company was really taking. In settling the dispute, Uber entered into a Consent Decree that Continue reading “Uber’s Settlement With FTC Emphasizes Companies’ Need for Cyber Risk Management Programs”

Does Board Oversight of Cybersecurity Mean Directors Must Become Cybersecurity Experts?

Does the board of directors’ duty of oversight over their companies’ cybersecurity require the individual directors to become experts on cybersecurity? That is a fair question and one that I’ve seen many people have difficulty understanding.

The answer is “no,” as explained by Michael Santarcangelo (@catalyst) in his CSO article Why the board needs security leaders to fuel disciplined growth:

As the risk of breaches increases, boards – whose role when they oversee the CEO is to act as fiduciaries on behalf of shareholders– are increasingly at risk of falling short of their responsibilities. While board members are not expected to be experts on information security, they must make sure that the company has the right people and processes in place to erect defenses against information security violations, to establish procedures for monitoring the level of information security, and to make sure that the right steps are taken should a security breach occur.

Santarcangelo interviews Peter S. Cohan in this article and shares additional insight that all directors, CEOs, and CISOs need to understand about each of their respective roles in this process. Take the time to read this article.

 

Critical Steps Companies Must Take to Comply with New York’s Cybersecurity Rules – Ethical Boardroom

Winter2017New York’s Cybersecurity Regulations went into effect on March 1, 2017 and their impact could reach farther than you think — including to small and mid-sized companies that do not do business in New York and are not in the financial services industries. And, they require direct involvement by the Board of Directors. Is your company ready?

In my latest Ethical Boardroom article, I explain

  1. how these Cybersecurity Regulations can impact businesses of all sizes, in all industries, and all around the world,
  2. what specific steps regulated companies must take to be in compliance with the Cybersecurity Regulations, and
  3. what these Cybersecurity Regulations mean for nearly all companies.

Here is the full article from the Winter 2017 edition (page 140) which is available with free registration to the Ethical Boardroom website: Getting to Grips with New York’s Cybersecurity Compliance Rules

Here are other Ethical Boardroom (@EthicalBoard) articles that I have written that are also available for free:

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Improving Your Cybersecurity Plan, Explained by Paul Ferrillo in WSJ

The Wall Street Journal did an interview of my friend, collaborator, prolific author, and the the original Cyber Patriot, Paul Ferrillo to discuss how companies can make their cybersecurity plan better. Here is the full article: Making Your Cybersecurity Plan Better

Paul and I are both firm believers in focusing on the basics so that is all you really need to know to make you want to read the article. Beyond that, I’m not going to spoil it here by giving away all of the answers but here are some of the topics that Paul explains in more detail in the article:

  • What are the biggest mistakes companies make when it comes to thinking about and executing on a cybersecurity plan?
  • Why companies have trouble communicating about cybersecurity issues.
  • What companies can do to improve their communications.
  • Whether boards are getting better about cybersecurity issues.
  • Where companies are falling short in training employees about cybersecurity.
  • How companies should think about cybersecurity in the new Trump administration.

Go read the article Making Your Cybersecurity Plan Better and give Paul a shoutout on Twitter (@PaulFerrillo) or LinkedIn (Profile) or on this LinkedIn post and let him know what you think!

 

New York Cybersecurity Regulations Delayed, Being Revised

New York Skyline at Twilight Hour
The New York Skyline at Twilight Hour

Photo Credit: Photo Credit: Marco Verch
Licensed under Creative Commons Attribution 2.0 (no changes were made to the image) https://creativecommons.org/licenses/by/2.0/deed.en

The New York Department of Financial Services has pushed back the effective date of its Cybersecurity Regulations from January 1, 2017 to March 1, 2017. This is to give the NYDFS time to significantly revise the proposed Cybersecurity Regulations initially released for comment in September 2016, which created quite a bit of controversy. The revised regulations are to be published on December 28, 2016.

The NYDFS signaled this change two days after a hearing in Albany, New York in which New York bankers voiced their concerns to New York State lawmakers. While the NYDFS has not elaborated on what is being re-written, the following are some of the key concerns that were voiced to lawmakers in the hearing:

  1. It would cost too much.
  2. Banks shouldn’t be forced to hire CISOs.
  3. The rules are too tough.
  4. New York’s regulation is too different from the federal rules of FFIEC, Federal Reserve, the OCC, the FDIC and even NIST.
  5. The regulation is “one size fits all.”
  6. It calls for too much incident reporting.
  7. The extra regulation and reporting could create an impression that New York banks are less secure than others.

These points are explained more thoroughly in the American Banker source article New York Rewriting Cybersecurity Rules After Banker Pushback.

Here are two articles I have written for SecureWorld that discuss the proposed NYDFS Cybersecurity Regulations and I will also address the revisions in the near future:

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.