How do major data breaches affect cyber insurance?

Posted by Ben Fagan

Sep 15, 2014 9:00:00 AM

There is no denying that cyber security issues have captured headlines over the course of the year. From the highly public Heartbleed bug to major data breaches affecting some of the largest names in business, there has been increased focus on data security. As we have noted in previous posts, in the wake of these events and in the face of new threats, cyber insurance has emerged as a viable option to transfer the risk of financial losses related to data loss. In just the past week a White House official went as far as to say that cyber insurance will be standard for businesses by 2020, just as property or liability insurance is now. But as the cyber insurance market continues to grow, how will large scale breaches affect the industry?


Topics: Cyber Insurance

What Do Boards Need to Know About Third Party Risk?

Posted by Ben Fagan

Sep 4, 2014 11:10:00 AM

ISACA and the Institute of Internal Auditors (IIA) recently released a report emphasizing the board’s role in overseeing security risk management. In particular, the report mentioned management of third party risk, arguing that boards should ask tougher questions about third party security. According to an IIA survey, only 14 percent of board members said they were actively involved in cyber security oversight. Even though the SEC has asked board members to get involved, 58 percent of board members admit that they should be doing more. If you’ve struggled to get your board to become engaged in your security risk management efforts, particularly related to third party risk, now is the right time to make them aware.

Third-party breaches trigger steep regulatory fines from agencies like the SEC and the Department of Health and Human Services. Data breaches can also shake shareholder confidence, and they can have devastating consequences for customers whose identities are stolen. The people at the top of the company often pay the price for data breach aftermath. Target’s massive 2013 data breach, which resulted from a third-party vulnerability, cost CEO Gregg Steinhafel his job. In addition, ISS advised Target shareholders to overhaul the board, charging board members with poor risk oversight.  

How Boards Can Protect Themselves and Their Organizations


Topics: Industry Regulation, Security in the Board Room

Setting Standards: Benchmarking Security in Higher Education

Posted by Ben Fagan

Aug 26, 2014 9:00:00 AM

Data breaches at higher education institutions are becoming more and more common, putting them near the top of the list of industries most affected by cyber security risks. Hackers target .EDU networks because they tend to be left wide open for attacks, either because the schools fail to prepare against such intrusions or because network users fall victim to vicious phishing scams. As our latest BitSight Insights report revealed, university security teams juggle diverse IT infrastructure needs and unique challenges, including BYOD culture and multiple network access points. This leads to a major slump in security performance throughout the school year. So how can universities overcome these challenges?


Topics: Benchmarking

BitSight Insights: Powerhouses and Benchwarmers

Posted by Tom Turner

Aug 21, 2014 8:30:00 AM

Assessing the Cyber Risk of Collegiate Athletic Conferences

It is no secret that America's colleges and universities hold a wealth of personal and sensitive information that is frequently targeted by cybercriminals, as evidenced by some public data breaches in the past year affecting major universities. Today we at BitSight published our quarterly BitSight Insights report that analyzes the security performance of higher education institutions in America. We conducted a thorough analysis of the largest and most prestigious collegiate athletic conferences in the nation: the ACC, SEC, Pac 12, Big 10, Big 12 and Ivy League. The member schools of these athletic conferences are large to medium sized universities that give a strong representative sample of the higher education industry in the United States, encompassing a student population of 2.25 million and a network space of more than 11 million IP addresses.


Topics: BitSight Insights

Why are America's colleges a prime target for cyber criminals?

Posted by Ben Fagan

Aug 19, 2014 10:12:00 AM

The last couple of years have been tough on higher education systems in terms of cyber security. In 2012, in particular, there was a near-record-high number of data breaches, with nearly two million exposed records reported. The following year saw Maricopa Community College in Arizona experience a data breach that affected 2.4 million people. In 2014, there have already been several high-profile .EDU data breaches. In our latest BitSight Insights report, we found that many universities are struggling to secure their networks due to unique IT infrastructure requirements and persistent security problems.


Topics: Security Risk Management

Performance Measurement and the Cyber Security Mindshift

Posted by Melissa Stevens

Aug 12, 2014 9:00:00 AM

The other day, I received yet another email asking, "How much cyber security is enough?" You probably recognize this message, and see similar phrases on a regular basis. It's a really interesting question and something that a lot of people ponder, but more importantly, I think it signifies an important mind-shift that is starting to occur in the security space. We're starting to wonder, "When will it be enough? When will I be able to say I'm secure?" The quantification of security performance is now a reality.


Topics: Benchmarking, Security Performance, Security in the Board Room

How can the SEC become the primary regulator of corporate cyber security?

Posted by Ben Fagan

Aug 6, 2014 9:00:00 AM

In 2011, the SEC issued a set of disclosure guidelines that told companies to disclose any potential cyber risk, possible effects of that risk, as well as the status of internal controls and risk management procedures in place. It was a grand idea, one that had the potential to protect investors and boards by keeping them in the loop when it came to matters of security. Unfortunately, its grand potential wasn’t brought to fruition. The guidance was never updated to account for the growing frequency of security breaches, and companies were failing to report cyber incidents. Now, the SEC is revisiting the issue and considering turning those guidelines into standards so that companies will have to live up to the level of transparency their investors have come to expect.


Topics: Industry Regulation, Breach Regulation

Months After Target Breach, Retailers Still Leaving Data at Risk

Posted by Stephen Boyer

Jul 29, 2014 9:00:00 AM

On July 21, 2014, Brian Krebs (once again) broke the news of a potentially major retail breach. Goodwill Industries and its 165 independent agencies across North America appear to be the most recent victims in the seemingly plagued retail industry.


Topics: Retail, Security Performance

Putting Preparedness in Context: Comparing Your Security Performance to Other Companies in Your Industry

Posted by Melissa Stevens

Jul 23, 2014 9:00:00 AM

David Burg, Principal at PricewaterhouseCoopers, said recently that businesses are moving beyond mere compliance when assessing their security postures. Today’s companies now view outstanding security performance as a major competitive advantage. How does your company stack up to others in the industry? Benchmarks let you know whether you’re getting the most for your security investment and whether your performance is keeping you at the top of your game.


Topics: Benchmarking

The SEC emerges as a vocal proponent of cyber security

Posted by Ben Fagan

Jul 17, 2014 10:00:00 AM

Proposed cyber security legislation, notably bills relating to a federal data breach notification standard, has been slow-moving in the halls of Congress. While measurable progress has been made on some legislative pushes, recently evidenced by the Senate Intelligence Committee’s passage of Sen. Dianne Feinstein’s cyber threat information sharing bill, it would be a stretch to say that lawmakers are currently influencing how private industry addresses this issue.

Yet the slow pace of legislation does not mean that Washington has kept quiet about the importance of IT security in today’s business environment. The SEC (Securities & Exchange Commission) has been increasingly vocal about the importance of corporate cyber security. Last month, SEC Commissioner Luis Aguilar called on corporate boards to take steps to include cyber issues in overall risk management decisions made at the board level. This guidance echoes last year’s alert, issued by the SEC’s Office of Compliance Inspections & Examinations, which outlined policies and procedures that companies should adopt to be in compliance.


Topics: Transparency, Industry Regulation, Breach Regulation