- New Tool Allows Companies to Estimate the Costs of a Data Breach (MarketWatch): According to the article by MarketWatch, PivotPoint Risk Analytics launched a product designed to help organizations quantify their cybersecurity risk by estimating the actual dollar cost of a breach. The article states that PivotPoint uses a questionnaire to examine areas such as:
- What are the biggest revenue operations?
- What are the most critical operations?
- What would the business impact be to a system shutdown?
- What would the business impact be to a data leak or exfiltration?
The article points out that the City of San Diego was an early adopter of PivotPoint and used it to estimate how much a breach of personally identifiable information (PII) would cost the city if they had to provide credit monitoring services following a breach. Additionally, the city was also able to use this tool to assess the vulnerabilities of its 911 system, according to the article. The full article is here.
- Former FBI Cyber Chief Sees Threat Outlook Getting Worse (eWeek): In this eWeek article, the former special agent in charge of the Cyber Division at the FBI’s New York Field Office, Leo Taddeo, indicates that hackers from nation-states to script-kiddies¹ have a wealth of tools at their disposal. Taddeo indicates that the advances made by nation-states are trickling down to lower-end consumers of hacking tools, whose hacking efforts have become more difficult to counter with the new advanced tools that they have at their disposal, according to the article. Further exacerbating the issue is the fact that the risk to hackers is very low, given the fact that the vast majority of hackers are never apprehended, let alone charged, according to the eWeek article. The full article can be found here.
- SEC Potentially Targets CCOs for Cybersecurity Lapses (LegalTech): LegalTech reports that two recent speeches given by Securities and Exchange Commission (SEC) officials seem to indicate that the SEC will bring enforcement actions against Chief Compliance Officers (CCO)s that fail to address cybersecurity compliance issues. The article points out that CCOs can look to the SECs action against investment advisor R.T. Jones Capital Equities Management where they were assessed a $75,000 penalty and ordered to undertake actions such as:
- Retain multiple cybersecurity firms to perform breach assessment;
- remove all PII from the external webserver and encrypt all PII on its intranet;
- Install a new firewall with logging capabilities;
- Appoint an Information Security Officer (ISO) and implement a written information security policy; and
- Notify all affected parties of the breach and provide them with free identify monitoring services
The SEC is willing and able to take enforcement actions against organizations that fail to adequately address cybersecurity and the article indicates that it may be only a matter of time before the SEC extends its actions to personal liability for compliance personnel following a breach. The full article is here.
¹ Script-kiddie is a term of infamy in the hacker community. Typically it is used to describe someone that lacks overt technical skills and merely executes code that someone else wrote. Referring to a “hacker” as a script-kiddie is not a compliment.
Leave a Reply