Penetration testing or conducting a pen test can be a key element in a firm’s arsenal to protect itself against cyber intrusions. Firms use pen tests to test potential vulnerabilities of their networks, determine where there may be gaps, and assess their cybersecurity defenses. Today’s post is the fourth in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first, second, and third posts on cybersecurity practice impacts.
Continue Reading

Freshman Delegate Hala Ayala recently introduced House Bill 2793 in this session of the Virginia General Assembly.  If enacted, the legislation will impose new requirements on businesses with regard to the disposal of certain consumer records and manufacturers in the design and maintenance of devices that connect to the internet.
Continue Reading

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the second in a series of summaries sharing essential, timely insight on how these practices impact your business. Please click here for the first post on cybersecurity practice impacts.

FINRA names “phishing” attacks as one of the most common cybersecurity threats raised by firms with the self-regulator.[1] The goal of a phishing email is to manipulate the recipient into taking action. FINRA focuses on two types of phishing attacks in the report. The first is “spear phishing,” where the sender researches and targets the recipient(s) with a customized approach designed to get confidential information from the individual(s). The second is “whaling,” wherein the hacker sends targeted emails impersonating senior executives at the firm in order to set action in motion, typically wiring funds to specifically identified accounts.   
Continue Reading

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. This post is the first of a series of summaries sharing essential, timely insight on how these practices impact your business. The Report follows close on the heels of FINRA’s annual Report on Examination Findings issued Dec. 14, 2018. Now we know why Cybersecurity, a top regulatory and examination priority for FINRA in 2018, was not included in their examination findings report. Not surprising, albeit somewhat unusual, the importance of the topic and FINRA’s insights warranted a separate communication.
Continue Reading

As previously discussed, software as a service (SaaS) solutions offer the allure of being able to outsource IT for data storage.  Being able to rely on someone else to protect you sounds great, but is it really?  Losing control over your sensitive data requires serious diligence of the third party vendor.  Caveat emptor: SaaS solutions can expose companies to unknown risks. Tips to avoid those risks are discussed below.

Continue Reading

On November, 2, 2018, Ohio’s recently passed Data Protection Act (Act) officially became law. The Act provides a possible affirmative defense to businesses in lawsuits where the plaintiff alleges a tort based on a business’ failure to implement a cybersecurity framework.

Importantly, the new law does not create a minimum cybersecurity standard in Ohio or new cybersecurity regulations that businesses must follow. Rather, the law operates by incentivizing businesses to develop and maintain a cybersecurity program that “reasonably conforms” to an already existing, industry recognized cybersecurity framework. If the company can prove that it had a compliant cybersecurity program in place at the time of a breach, the company can use the program’s existence as an affirmative defense to certain tort claims.
Continue Reading

As a part of National Cybersecurity Month, last week the Federal Trade Commission (FTC) launched a campaign to help educate and assist small businesses with cybersecurity.  In conjunction with the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Small Business Administration (SBA), the FTC has published a collection

NIST has published Special Publication (SP) 1800-5, “IT Asset Management” to help financial service companies monitor and manage IT assets.  According to the release:

“The example solution…gives companies the ability to track, manage, and report on information assets throughout their entire life cycle. This can ultimately increase cybersecurity resilience by enhancing the visibility of assets,

CTIA, a trade association representing the wireless communications industry, recently announced a new cybersecurity certification program for IoT cellular-connected devices. The announcement comes shortly after NIST hosted a workshop in July regarding Considerations for Managing IoT Cybersecurity and Privacy Risks.

CTIA states, “[t]he program will protect consumers and wireless infrastructure, while creating a more