Archives: Cybersecurity


SEC Cybersecurity Risk Alert Emphasizes Proactive Compliance and Ongoing Vigilance

On August 7, 2017, the Securities and Exchange Commission (SEC) released its latest cybersecurity risk alert, detailing findings from the examination of 75 broker-dealers, investment advisers and investment companies carried out by its Office of Compliance Inspections and Examinations (OCIE) pursuant to its 2015 cybersecurity examination initiative. In contrast with the previous round of examinations, …

FINRA Video Series Highlights Broker-Dealers’ Common Cybersecurity Deficiencies

In a series of three video programs published on the FINRA website in recent weeks, FINRA provided guidance on common deficiencies it has been seeing in its cybersecurity examinations of member firms, and recommended a number of measures to address these issues. Firms should heed these warnings both so that they are prepared for when FINRA …

Are Industrial Control Systems the Linchpin for Critical Infrastructure Cybersecurity?

Over the past few months, news headlines around the globe have been littered with reports of cyberthreats to the critical infrastructure of countries of all sizes. What were once just ominous theories of catastrophic cyberattacks crippling the nation’s critical infrastructure are now deemed credible threats that critical infrastructure enterprises must consider in their cybersecurity, business …

Deeper Dive: Application of Work-Product Doctrine to Forensic Investigations

In a recent post, we addressed the role a forensic investigation plays in a company’s response to a data security incident. We noted that to maximize the likelihood that a forensic firm’s work will be covered by the work-product doctrine or attorney-client privilege, the engagement letter should include outside counsel and the forensic firm should …

Countdown Begins for Cybersecurity Compliance

This month marks an important waypoint for defense contractors subject to the new cybersecurity requirements imposed by the Department of Defense. For contractors subject to the requirements of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (the clause), the deadline for compliance with the clause’s cybersecurity requirements is …

US Companies Create Principles for Cybersecurity Risk Ratings

On June 20, 2017, the U.S. Chamber of Commerce announced that a consortium of more than two dozen chamber member companies, including prominent big banks, big-box retailers, and technology giants released a set of principles designed to promote fair and accurate cybersecurity ratings. The creation of the “Principles for Fair and Accurate Security Ratings” comes …

Deeper Dive: Ransomware – WannaCry and the Future of Ransomware-as-a-Service

In our 2017 BakerHostetler Data Security Incident Response Report, we addressed the increasingly ubiquitous scourge of ransomware, one of the fastest-growing types of malware causing data security incidents. We noted that ransomware attacks have been steadily expanding in both frequency and severity, and that those trends seemed set to continue for the foreseeable future. Less than a …

Deeper Dive: Forensics

A company’s ability to quickly and efficiently conduct a forensic investigation is critical to limiting the impacts of a data security incident and determining the scope of the incident. In BakerHostetler’s 2017 Data Security Incident Response Report, we analyzed data from the more than 450 incidents we worked on in 2016. A forensic investigation occurred …

Coming Soon: Two-Factor Authentication for Social Security Website

The Social Security Administration recently announced that beginning June 10, two-factor authentication will be required for all account holders logging into the “My Social Security” portal. To comply with this new rule, account holders will be required to provide their username and password, and either their cell phone number or email address as the second …

Deeper Dive: Implementing Basic Security Measures Can Stop Some Network Intrusions and Reduce the Damage From Others

In BakerHostetler’s 2017 Data Security Incident Response Report, we analyzed 104 network intrusion attacks that we helped our clients respond to last year. Such incidents typically occur when criminals find a weakness in a company’s internet-facing network, penetrate the network, conduct reconnaissance to find valuable data and export the data before they can be detected …

Deeper Dive: Incorporating Incident Response Into Disaster Recovery Plans

Incident response and disaster recovery are both essential components of a comprehensive written information security program. However, too often these plans are implemented in a vacuum, without considering the potential synergies and improvements that can be gained when such plans are developed, deployed and tested together. Incident response and disaster recovery tend to have the …

Deeper Dive: Security Incident Notification Under the New EU General Data Protection Regulation (GDPR)

As noted in the 2017 BakerHostetler Data Security Incident Response Report, the enactment of the EU General Data Protection Regulation (GDPR) represents the most significant change in European data protection law in more than 20 years. Coming into effect on May 25, 2018, the GDPR focuses on a number of core data protection principles and …

Deeper Dive: Be Prepared for Regulatory Investigations in the Wake of a Security Incident

Your company had a data security event. After an investigation, it was determined that notifications were required, and the incident was made public as a result. Notification letters were mailed and regulators were notified, all in accordance with the law. Your company also enhanced security measures and took other remedial action, so there is nothing …

Deeper Dive: Phishing/Hacking/Malware Attacks Remain Leading Cause of Security Incidents

During 2016, our BakerHostetler privacy and data protection team worked on data security incidents across virtually all industries. For the second year in a row, phishing/hacking/malware attacks have accounted for the largest percentage of incidents handled by our team. Specifically, security incidents arising from phishing/hacking/malware made up 43 percent of all security incidents we handled …

Deeper Dive: Protecting Paper Records

Our third annual BakerHostetler Data Security Incident Response Report analyzes the more than 450 data security incidents we led clients through in 2016, and includes a number of interesting trends relating to the causes of incidents, how companies are identifying and responding to incidents, and the regulatory and litigation trends after an incident is disclosed. …

Deeper Dive: Frequency and Severity

All industries are affected by cyberattacks, but how often and to what extent they occur vary greatly by industry type. As for frequency, the healthcare industry in 2016, for the third year in a row, saw the greatest number of incidents and by a wide margin. Specifically, about 35 percent of the incidents …

Be Compromise Ready: Go Back to the Basics

We are excited to release our third annual BakerHostetler Data Security Incident Response Report. This report analyzes the more than 450 data security incidents we led clients through in 2016. Companies continued to experience incidents at a record pace, and we expect this will continue through 2017. We have received more calls to our breach …

Colorado Proposes Cybersecurity Requirements for Investment Advisers and Broker-Dealers

On March 27, 2017, the Colorado Department of Regulatory Agencies proposed changes to the Colorado Securities Act that would impose new cybersecurity requirements on investment advisers and broker-dealers (the “Proposed Rule”). Among other obligations, the Proposed Rule would require these entities to include cybersecurity as part of their risk assessments, and establish and maintain written …

FCC Broadband Privacy Rule Dead and Buried

The Federal Communications Commission (FCC) Privacy and Data Security Rule for broadband internet access service (BIAS) providers (the Privacy Rule) is dead. As we discussed here, the new rule that was set to start phased implementation was recently put on hold. We detailed what the Privacy Rule would have required in prior blog posts available …

Finalized New York Department of Financial Services Cybersecurity Regulation to Take Effect March 1

On February 16, 2017, the New York Department of Financial Services (NYDFS) announced the release of its finalized Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulation”), which will take effect on March 1, 2017. This final iteration, issued following an additional 30-day comment period, is in large part the same as the revised version dated …

New York Department of Financial Services Issues Revised Cybersecurity Regulations

With the clock ticking down to the new year, on December 28, 2016, the New York State Department of Financial Services (NYDFS) released highly anticipated revisions to its proposed Cybersecurity Requirements for Financial Services Companies (the “Proposal”). As we previously reported, the NYDFS first announced the proposed regulations in September; at that time, they were …