National Cybersecurity Awareness Month (NCSAM) is coming to a close, but diligent cybersecurity efforts must continue. In honor of another successful NCSAM, below we have gathered some of our most popular cybersecurity content you can use as a quick reference for all of your cyber-related interests.
Recent headlines have detailed foreign-state actors targeting utilities and independent power producers in the United States to gain access to critical infrastructure at the nation’s utilities and military installations.[1] Cybersecurity practices within the independent power industry vary widely depending on the asset type and the operator’s sophistication. Despite this risk, purchase agreements and credit agreements for renewable energy facilities do not typically address compliance with cybersecurity standards. Generic representations and covenants relating to compliance with law or maintenance of project assets in compliance with prudent industry practices inadequately protect acquirers and lenders from cybersecurity risks. The overwhelming majority of renewable power projects are considered low impact under NERC’s Critical Infrastructure Protection standards and, thus, not subject to significant regulation.[2]
Continue Reading
FINRA issued their 2019 Report on Examination Findings and Observations ahead of prior years’ reports.
This most recent report, issued on October 16, 2019, starts by highlighting a recently implemented distinction on their part as to how they communicate exam results to firms. That is, FINRA stated that they now report “findings,” which are violations of the rules, and “observations” (f/k/a “recommendations”), which are “suggestions to [the] … firm about how it could improve its control environment in order to address perceived weaknesses that elevate risk, but do not typically rise to the level of a rule violation or cannot be tied to an existing rule.”
Continue Reading
Continuing our coverage of cybersecurity issues during National Cybersecurity Awareness Month (NCSAM), we have identified 5 important cybersecurity questions and talking points you can use to start a meaningful cybersecurity conversation at your business.
Counsel and business executives take note: cybersecurity is not just an IT problem, robust cybersecurity starts with a healthy dialogue between legal, business, and IT. The chart below illustrates how failure to engage in meaningful oversight of your company’s data and systems security will create costly, significant, and unnecessary risk.
(https://digitalguardian.com/blog/whats-cost-data-breach-2019)
The good news is that you need not be an IT expert to oversee your company’s cybersecurity risk. You do not need to be able to write code, or to know exactly what software is needed to keep the company’s data secure. The first step is to open a healthy dialogue with your IT professionals – a dialogue that will allow you to assess more capably your company’s readiness to counter a broad range of exploitation techniques.
Try calling your CISO or CIO and asking these questions:
This week, California Attorney General (AG) Xavier Becerra released the draft regulations for the California Consumer Privacy Act (CCPA). The rules set forth procedures for businesses covered under the CCPA to follow for compliance. The rules can be found here.
Nevada Consumer Privacy Law – In Effect
October 1st marks the beginning of National Cybersecurity Awareness Month (NCSAM). During October, government and industry work together to raise awareness of cybersecurity issues and help promote educational materials. This year, the Department of Homeland Security (DHS) is focusing on, “citizen privacy, consumer devices, and ecommerce security.” To assist with NCSAM efforts, the DHS
***Update – Amendments to the existing data breach notification law are now in effect.***
New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The law amends the existing data breach notification law and adds new cybersecurity requirements. Amendments to the existing data breach notification law take effect Oct. 2019. The SHIELD Act cyber provisions take effect in March 2020.
The Governor also signed into law the Identity Theft Prevention and Mitigation Services Act (Act). The Act requires that credit reporting agencies suffering a breach involving Social Security numbers must provide five years of identity theft prevention and mitigation services to affected consumers. The Act becomes effective in September 2019.
Continue reading for a summary of the SHIELD Act and how it could impact your business.
Continue Reading
Welcome back to our three-part series examining cyber vulnerabilities surrounding family offices and steps they can take to mitigate those risks. In Part One we discussed how family offices are particularly vulnerable to cyber-crime. In Part Two, we reviewed different types and trends of cyberattacks. Here, we will outline how family offices can defend against cyberattacks.
Over a quarter of multi-million dollar family offices do not have dedicated cybersecurity policies in place to protect their systems. This may be because they do not view themselves as needing an onerous cybersecurity policy. However, this view is short-sighted and can leave family offices subject to heavy losses. Family offices do not need to implement large scale or particularly burdensome policies or procedures. Rather, they can build specialized, flexible programs by utilizing a consultant that is reactive to ongoing and updating threats.
Continue Reading
Welcome back to our three-part series examining vulnerabilities surrounding family offices and steps they can take to mitigate those risks. In Part One we discussed how family offices are particularly vulnerable to cyber-crime. Here, we will review different types and trends of cyberattacks.
Most cyberattacks are the result of “phishing” emails. “Phishing” refers to a deceptive effort to obtain the recipient’s sensitive information by disguising the sender as someone the recipient knows and would trust. Phishing recipients can be deceived into downloading malicious software, providing personal information like account numbers or PINs, wiring funds or paying invoices to cyber-criminals. Ransomware is malware that denies the victim access to their system’s files until the victim pays a ransom. While malware can also take the form of “drive-by” downloading when a victim visits a website prompting the malware to download, over 90% of malware is still delivered via email.
Continue Reading