Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Slicing through CISA’s KEV Catalog
![Blog Image KEV Research Announcement](/sites/default/files/styles/cta/public/2024/05/01/Blog%20Image%20KEV%20Research%20Announcement.png?itok=dUMFV8Tg)
Dive into the critical insights of CISA's Known Exploited Vulnerabilities (KEV) Catalog with Bitsight’s latest blog! Discover how KEVs, which signal urgent cybersecurity risks, are being tracked and mitigated across industries. Learn why addressing these vulnerabilities quickly is vital and how it impacts organizational security.
![The 8-Part GDPR Compliance Checklist For Prepared Organisations](/sites/default/files/styles/4_3_small/public/migration/images/GDPR%2520compliance%2520checklist%2520full_1.jpg.webp?itok=DSEQkEU8)
The May 2018 deadline for General Data Protection Regulation (GDPR) compliance is drawing closer — which means your organisation’s compliance activities should be well underway. But if you’re still looking for a place to start, here’s a GDPR checklist template to get you going:
![How & Why U.S. Businesses Should Prepare For GDPR](/sites/default/files/styles/4_3_small/public/migration/images/thumb-general-data-protection-regulation-gdpr_1.jpg.webp?itok=GSB5v5Py)
As a U.S.-based company, you may be asking yourself, “Does my company need to prepare for the EU’s General Data Protection Regulation (GDPR)?” Simply put, if you process personal data for anyone in the European Union, the answer is very likely yes.
![General Data Protection Regulation (GDPR): 12 Of Your Questions, Answered](/sites/default/files/styles/4_3_small/public/migration/images/thumb-general-data-protection-regulation-summary_1.jpg.webp?itok=kb-EET-r)
The goal of the General Data Protection Regulation (GDPR), which goes into effect in May 2018, is to protect the fundamental rights and freedoms of individuals in the EU as it pertains to their personal data. As you might imagine, it is a broad and complex piece of legislation, with far-reaching implications for businesses inside and outside the EU.
![A Breakdown Of Recent OCC-Issued Examination Procedures For Third-Party Risk Management](/sites/default/files/styles/4_3_small/public/migration/images/full_occexam_1.jpg.webp?itok=UyY6cANX)
Financial regulators have long been concerned about the cyber risk associated with third-party-supplied products or services in financial institutions. For example, in 2013, federal financial regulators put out an issuance to financial institutions regarding how to manage third-party cyber risk. In the years since this 2013 bulletin was published, the attention on third-party risk has continued to increase, and the topic has been included on several examination priorities published by the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), and the Federal Reserve.
![From Framework to Application: Protect with BitSight](/sites/default/files/styles/4_3_small/public/migration/images/digitalshield-stock-thumb_1.jpg.webp?itok=THSPSvTb)
This is the third post in a series exploring how Security Ratings can address key components of the NIST cybersecurity guidelines. You can read the first post here and the second post here.
![Regulators Continue to Emphasize Third Party Cyber Risk Management](/sites/default/files/styles/4_3_small/public/migration/images/ftc-stock-thumb_1.jpg.webp?itok=DM9SvuvR)
In recent months, we’ve seen a variety of regulators from Finance to Defense cite the importance of third party cyber risk management. You can now add the Federal Trade Commission to the list.
![From Framework to Application: Identify With BitSight](/sites/default/files/styles/4_3_small/public/migration/images/purplehighway-stock-thumb_1.jpg.webp?itok=9rfNjP_U)
This is the second post in a series exploring how Security Ratings can address key components of the NIST cybersecurity guidelines. You can read the first post here.
![From Framework to Application: Security Ratings and NIST](/sites/default/files/styles/4_3_small/public/migration/images/DC-Skyline-Big_1.jpg.webp?itok=x8NCgbaP)
This is the introductory post in a series exploring how security ratings can address key aspects of the National Institutes of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The purpose of these posts is to outline how security and risk professionals can leverage Bitsight’s ratings to drive better risk management through the lens of the NIST framework.
![Third-Party Risk Management Insights: 2015 Gartner Security & Risk Summit](/sites/default/files/styles/4_3_small/public/migration/images/cta-banner-bg_34.png.webp?itok=ArzrhB3E)
In recent years, the US government has become a leading advocate for continuous monitoring of security threats and vulnerabilities. But how effectively are departments and agencies in implementing these programs? And how do we measure success?
![How the State of the Union Will Affect American Information Security](/sites/default/files/styles/4_3_small/public/migration/images/American_Information_Security_1.jpg.webp?itok=60WKvcud)
In his 2015 State of the Union Address, President Barack Obama mentioned the importance of improving America's cybersecurity and what he believes it will take to make it happen. Below is a review of the most interesting statements and initiatives mentioned in the address or recent media coverage, and the potential impact each could have on American Information Security.
![How can the SEC become the primary regulator of corporate cyber security?](/sites/default/files/styles/4_3_small/public/2022/06/08/479235277_1.jpg.webp?itok=vrWOBJmq)
In 2011, the SEC issued a set of disclosure guidelines that told companies to disclose any potential cyber risk, possible effects of that risk, as well as the status of internal controls and risk management procedures in place. It was a grand idea, one that had the potential to protect investors and boards by keeping them in the loop when it came to matters of security. Unfortunately, its grand potential wasn’t brought to fruition. The guidance was never updated to account for the growing frequency of security breaches, and companies were failing to report cyber incidents. Now, the SEC is revisiting the issue and considering turning those guidelines into standards so that companies will have to live up to the level of transparency their investors have come to expect.
![gavel and computer](/sites/default/files/styles/4_3_small/public/2022/07/28/gavel%20and%20computer.jpeg.webp?itok=Rb6cxwKE)
In a previous blog post, we outlined federal initiatives to pass a data breach notification law that would simplify the current myriad of state regulations. In the wake of the Target and Neiman Marcus data breaches, legislators and government officials called for a national data breach notification standard. While bills have been introduced, little action has been taken beyond Senate or House subcommittee hearings. While high-profile breaches brought this issue into the consciousness of the American public and government, the need for transparency is even more pressing due to the high volume of unreported breaches: our own analysis found that in our home state of Massachusetts alone, 1 million residents had their PII compromised by healthcare breaches during 2007-2011. Yet, just because there has been little movement in the US federal government does not mean data breach notification has been a stagnant issue in other countries and at the state level. In this post, we are going to round up some interesting legislative initiatives happening around the globe and in US state governments.
Since California became the first state to enact a security breach notification law in 2001, 46 states and the District of Columbia have enacted similar disclosure laws. These laws follow similar basic tenets that “companies must immediately disclose a data breach,” a burden most stringent when the data compromised could be classified as personally identifiable information (PII), such as name, social security number, date of birth, mother's maiden name, etc.
![Interest in Financial Services Third Party Risk Rising](/sites/default/files/styles/4_3_small/public/migration/images/ConnectedBusiness_1.png.webp?itok=DUiD5Va_)
There’s certainly been a lot of talk about third party risks recently. There’s been the fallout from the Target breach, and the role a subcontractor played in that incident. Then there was the U.S. Department of Homeland Security incident, where the DHS reportedly exposed private documents of at least 114 contractors that bid for work at the agency, as well as plenty of discussion surrounding third-party risk and the critical infrastructure, too. And there’s also been considerable attention given to third-party risks as they relate to financial services companies.
![Managing Third Party Security Risk in the Critical Infrastructure](/sites/default/files/styles/4_3_small/public/migration/images/third-party-security-risk-critical-infrastructure_1.jpg.webp?itok=A1Sgx8mb)
There’s no shortage of challenges when it comes to securing the critical infrastructure. These are very complex, interconnected systems, and highly motivated, potentially well-trained and funded adversaries target them. And should critical infrastructure systems become unavailable, whether electrical, financial, or communications systems – every public sector organization and private enterprise that relies on them is also in danger of being severely hampered, or even shut down.