Archives: Cybersecurity

Subscribe to Cybersecurity RSS Feed

SEC Updates Data Privacy and Cybersecurity Guidance for Registered Firms

On April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert, “Investment Adviser and Broker-Dealer Compliance Issues Relating to Regulation S-P – Privacy Notices and Safeguard Policies,” highlighting its data privacy and cybersecurity observations from recent examinations of registered firms. Regulation S-P By … Continue Reading

Deeper Dive: The Scourge of O365 Incidents

A Growing Menace 2018 saw a continuation of companies moving toward cloud-based email systems. Phishing incidents targeting those systems followed suit. Fully one-third of incidents addressed by our incident response team in 2018 involved unauthorized access to an online email account. Phishing attacks continued to dominate the types of cyberattacks organizations experienced in 2018, owed, … Continue Reading

Cybersecurity Firms Issue Annual Threat Reports

CrowdStrike, FireEye and IBM Security recently released their annual threat reports. These reports contain a wealth of information on recent trends in cybersecurity attacks and recommendations on the preventive measures companies can take to protect themselves. As attackers’ tactics, techniques and procedures continue to evolve, and as the attack surface of organizations continues to grow, … Continue Reading

Beware the Ides of March – Is Your NYDFS Cybersecurity Compliance in Order?

March is now here and with it the Cybersecurity Regulation of the New York Department of Financial Services (NYDFS) is now in full force and effect, including requirements relating to Third Party Service Providers[1] (e.g., vendors, suppliers, agents). To comply with the regulation, banks, insurance companies, and other financial institutions and individuals who are, or … Continue Reading

Trojan Malware Reclaims the Top Spot as the Greatest Cyber Threat to the Healthcare Sector

Cybersecurity threats continued to plague the healthcare sector in 2018. Healthcare organizations notified twice as many individuals under HIPAA and other notification statutes in 2018 as compared with 2017. According to a new report from Malwarebytes Labs, 2019 State of Malware Report, trojan malware was the greatest threat to the healthcare sector in 2018.[1] Specifically, … Continue Reading

Insurance Data Security Model Law Picks Up Steam

Three states recently enacted variations of the National Association of Insurance Commissioner’s (NAIC) Insurance Data Security Model Law (MDL-668), based on the landmark cybersecurity requirements issued by the New York Department of Financial Services (NYDFS) in March 2017. The NYDFS requirements apply to certain banking, insurance and financial service entities licensed in the state of … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Phishing Prevention

This article is part of a series of blog posts exploring the recommendations and guidance Health and Human Services (HHS) provides healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. In its report on cybersecurity best practices, HHS highlights email phishing attacks as one of the top threats … Continue Reading

NFA’s Amended Cybersecurity Guidance Includes New Incident Reporting Requirement

Following other regulators, the National Futures Association (NFA) recently amended its cybersecurity guidance to, among other things, impose a new cybersecurity incident reporting requirement on members. Cybersecurity Incident Reporting. According to the amended guidance, members will be required to report to NFA any cybersecurity incident related to the member’s commodity interest business that resulted in … Continue Reading

HHS Issues Cybersecurity Guidance for Healthcare Organizations

BakerHostetler will post a series of blogs to fully explore the recommendations and guidance Health and Human Services provides healthcare organizations in its report. Cyberattacks continue to rise across industries, and healthcare is no different. Eighty percent of U.S. physicians reported having experienced some form of cyberattack. In 2017, cyberattacks cost small and midsize businesses … Continue Reading

HHS OIG Launches Cybersecurity Webpage to Raise Awareness and Boost Cybersecurity Best Practices

Healthcare data can be up to 10 times more valuable to cyber criminals than credit card numbers, according to a report from the Department of Health & Human Services’ (HHS) Office of the Inspector General (OIG). And, with healthcare-focused ransomware attacks like WannaCry and NotPetya in the news more frequently, it’s no wonder that HHS OIG … Continue Reading

FDA Regional Incident Preparedness and Response Playbook Provides Guidance to the Healthcare Industry for Large-scale, Multi-patient Medical Device Cybersecurity Incidents

Earlier this month, the Mitre Corporation, on behalf of the Food and Drug Administration (FDA), released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (the Playbook) as part of the FDA’s ongoing efforts to protect patients from cybersecurity vulnerabilities associated with the use of medical devices. The Playbook highlights high-profile cybersecurity attacks, including … Continue Reading

SEC Investigation Highlights BEC Risk and Need for Comprehensive Risk Assessments by Public Companies

The Securities and Exchange Commission issued a press release and an investigative report on Oct. 16 cautioning public companies to consider cyber threats when implementing internal accounting controls. The report stems from the SEC’s investigation of nine companies that lost between $1 million and $100 million each in so-called business email compromise (BEC) frauds, in … Continue Reading

Department of Justice Releases Attorney General’s First Cyber-Digital Task Force Report

The Department of Justice recently released its comprehensive assessment of cyber threats in the United States, titled “Report of the Attorney General’s Cyber-Digital Task Force.” The Report is the result of the establishment of the Attorney General’s Cyber-Digital Task Force by the Department in February 2018. Attorney General Jeff Sessions directed the Task Force to … Continue Reading

11th Circuit Issues Opinion Vacating Order That Required LabMD to Overhaul Its Data Security Program

On June 6, the 11th Circuit issued its long-awaited decision on LabMD Inc. v. Federal Trade Commission, vacating as unenforceable the Federal Trade Commission’s (FTC’s) cease and desist order that required LabMD to create and implement a variety of protective measures with respect to data security. Notably, however, the decision did not address the most … Continue Reading

SEC Clarifies Existing Cybersecurity Disclosure Guidance

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued cybersecurity disclosure guidance for public companies (“SEC Guidance”) that, according to SEC Chair Jay Clayton, “reinforces and expands” on the SEC Division of Corporation Finance’s prior guidance from 2011 (“Corp Fin Guidance” as we previously covered) regarding disclosure requirements under the federal securities … Continue Reading

When Obscurity Is Not a Defense

Many organizations facing a data-security incident struggle to understand how or why their organization was targeted in an attack. Most simply believe they are too small or too obscure to be targeted by malicious cyber actors. Even larger, well-known businesses are lulled into complacency, mistaking years without a major security incident as evidence that their … Continue Reading

Recent OCR Newsletter Highlights Growing Cyber Extortion Threat for Healthcare Organizations

The OCR’s January 2018 newsletter details specific types of cyber extortion that healthcare organizations are currently encountering, including ransomware, denial of service attacks, distributed denial of service attacks and theft of protected health information (PHI). Each type of attack poses unique challenges that may affect an organization in different ways. However, all cyber extortion disrupts … Continue Reading

Looking Back: The Federal Trade Commission Issues Annual Data Privacy Report for 2017

On Jan. 18, 2018, the Federal Trade Commission (FTC) published its Annual Privacy and Data Security Update. The update is helpful to businesses in that it recaps the efforts and areas of involvement the FTC has targeted in the past year as well as guides data protection strategies for 2018. The report provides a detailed … Continue Reading

Moving Beyond Passwords – Does Your Face Raise Privacy Concerns?

Phishing attacks continue to be the root cause of a considerable number of data breaches. Typically, these incidents occur when employees are enticed into giving up their login credentials in response to a cleverly designed, yet fake email. Thus, network passwords, combined with employee susceptibility to phishing emails, remain a major security weakness for corporations. … Continue Reading

Uber Settles With FTC Over Allegedly Deceptive Privacy And Data Security Practices

Uber, the ride-hailing giant, agreed this week to implement a comprehensive privacy program and to undergo 20 years of privacy and data security audits in order to settle allegations by the Federal Trade Commission (FTC) that Uber did not keep its promises to protect customer data. The FTC had alleged two separate failures by Uber: … Continue Reading

SEC Cybersecurity Risk Alert Emphasizes Proactive Compliance and Ongoing Vigilance

On August 7, 2017, the Securities and Exchange Commission (SEC) released its latest cybersecurity risk alert, detailing findings from the examination of 75 broker-dealers, investment advisers and investment companies carried out by its Office of Compliance Inspections and Examinations (OCIE) pursuant to its 2015 cybersecurity examination initiative. In contrast with the previous round of examinations, … Continue Reading

FINRA Video Series Highlights Broker-Dealers’ Common Cybersecurity Deficiencies

In a series of three video programs published on the FINRA website in recent weeks, FINRA provided guidance on common deficiencies it has been seeing in its cybersecurity examinations of member firms, and recommended a number of measures to address these issues. Firms should heed these warnings both so that they are prepared for when FINRA … Continue Reading

Are Industrial Control Systems the Linchpin for Critical Infrastructure Cybersecurity?

Over the past few months, news headlines around the globe have been littered with reports of cyberthreats to the critical infrastructure of countries of all sizes. What were once just ominous theories of catastrophic cyberattacks crippling the nation’s critical infrastructure are now deemed credible threats that critical infrastructure enterprises must consider in their cybersecurity, business … Continue Reading
LexBlog