Insights blog.
Critical Vulnerabilities Discovered in Automated Tank Gauge Systems
Bitsight TRACE explores several critical vulnerabilities discovered in ATG systems and their inherent risk when exposed to the Internet.
In March 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulations—known as 23 NYCRR Part 500—went into effect. According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a covered entity and must comply.
The May 2018 deadline for General Data Protection Regulation (GDPR) compliance is drawing closer — which means your organisation’s compliance activities should be well underway. But if you’re still looking for a place to start, here’s a GDPR checklist template to get you going:
As a U.S.-based company, you may be asking yourself, “Does my company need to prepare for the EU’s General Data Protection Regulation (GDPR)?” Simply put, if you process personal data for anyone in the European Union, the answer is very likely yes.
The goal of the General Data Protection Regulation (GDPR), which goes into effect in May 2018, is to protect the fundamental rights and freedoms of individuals in the EU as it pertains to their personal data. As you might imagine, it is a broad and complex piece of legislation, with far-reaching implications for businesses inside and outside the EU.
Financial regulators have long been concerned about the cyber risk that third-party-supplied products and services introduce into financial institutions. For example, in 2013, federal financial regulators issued a bulletin to financial institutions on how to manage third-party cyber risk. In the years since that 2013 bulletin was published, attention on third-party risk has continued to increase, and the topic has appeared in several examination priorities published by the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), and the Federal Reserve.
This is the third post in a series exploring how Security Ratings can address key components of the NIST cybersecurity guidelines. You can read the first post here and the second post here.
In recent months, we’ve seen a variety of regulators from Finance to Defense cite the importance of third party cyber risk management. You can now add the Federal Trade Commission to the list.
This is the second post in a series exploring how Security Ratings can address key components of the NIST cybersecurity guidelines. You can read the first post here.
This is the introductory post in a series exploring how security ratings can address key aspects of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The purpose of these posts is to outline how security and risk professionals can leverage Bitsight’s ratings to drive better risk management through the lens of the NIST framework.
In recent years, the US government has become a leading advocate for continuous monitoring of security threats and vulnerabilities. But how effective are departments and agencies at implementing these programs? And how do we measure success?
In his 2015 State of the Union Address, President Barack Obama mentioned the importance of improving America's cybersecurity and what he believes it will take to make it happen. Below is a review of the most interesting statements and initiatives mentioned in the address or in recent media coverage, and the potential impact each could have on American information security.
In 2011, the SEC issued a set of disclosure guidelines that told companies to disclose any potential cyber risk, possible effects of that risk, as well as the status of internal controls and risk management procedures in place. It was a grand idea, one that had the potential to protect investors and boards by keeping them in the loop when it came to matters of security. Unfortunately, its grand potential wasn’t brought to fruition. The guidance was never updated to account for the growing frequency of security breaches, and companies were failing to report cyber incidents. Now, the SEC is revisiting the issue and considering turning those guidelines into standards so that companies will have to live up to the level of transparency their investors have come to expect.
In a previous blog post, we outlined federal initiatives to pass a data breach notification law that would simplify the current myriad of state regulations. In the wake of the Target and Neiman Marcus data breaches, legislators and government officials called for a national data breach notification standard. While bills have been introduced, little action has been taken beyond Senate or House subcommittee hearings. While it was high-profile breaches that brought this issue into the consciousness of the American public and government, the need for transparency is even more pressing because of the high volume of unreported breaches: our own analysis found that in our home state of Massachusetts alone, 1 million residents had their PII compromised in healthcare breaches between 2007 and 2011. Yet the lack of movement in the US federal government does not mean data breach notification has been a stagnant issue in other countries or at the state level. In this post, we round up some interesting legislative initiatives happening around the globe and in US state governments.
Since California became the first state to enact a security breach notification law in 2002, 46 states and the District of Columbia have enacted similar disclosure laws. These laws follow the same basic tenet that “companies must immediately disclose a data breach,” a burden that is most stringent when the compromised data could be classified as personally identifiable information (PII), such as name, Social Security number, date of birth, mother's maiden name, etc.
There’s certainly been a lot of talk about third-party risk recently. There’s been the fallout from the Target breach, and the role a subcontractor played in that incident. Then there was the U.S. Department of Homeland Security incident, in which the DHS reportedly exposed private documents of at least 114 contractors that bid for work at the agency, as well as plenty of discussion of third-party risk to critical infrastructure. And there’s also been considerable attention given to third-party risk as it relates to financial services companies.