Insights blog.

Data breaches are a constant in today’s headlines, but in recent years the risk has been front and center of some of the most significant M&A deals. In 2017, Verizon discounted its acquisition price by $350 million when Yahoo belatedly disclosed that it experienced several massive breaches. And in November 2018, Marriott publicly disclosed that Starwood’s guest reservation database — containing hundreds of millions of personal records — had been compromised since 2014, prior to the Marriott acquisition. These incidents — and countless others — raise critical questions.  How should Boards be thinking about cyber risk in the acquisition process? What steps should they take to address this risk prior to the acquisition?

In 2019, cyber incidents will be the second most important global business risk.  The more cyber incidents that continue to happen on a global scale, the more critical it is for users to understand how to classify the dangers that exist for both businesses and users. In this blog post, we’ll break down the basics and explore the difference between three key areas of cyber risk: vulnerabilities, threats, and exploits.

When it comes to data breach prevention, there are plenty of guides for reducing risk in the long term. While it’s definitely valuable to be working on a data breach prevention strategy with 6-month, 1-year, or 5-year goals, not every cybersecurity initiative takes so much time.

This quarter, Bitsight released several new product features that enable organizations to more rapidly assess, prioritize and manage cyber risk. These new capabilities — the Portfolio Risk Matrix and Asset Risk Matrix — leverage Bitsight’s market-leading data to provide risk prioritization, helping customers address the most important risks within their own environment as well as their broader third-party ecosystem.

After years of debate over whether to impose new cybersecurity regulations on companies,  General Data Protection Regulation (GDPR) laws went into effect in Europe in May 2018. Already we’ve seen several data breach victims ordered to pay fines under the new rules and cookie disclosure notices are popping up on more websites than ever. 

When it comes to security performance management within your organization, how do your security teams measure performance? If they’re using security ratings, they know that this objective, quantitative measurement is an effective place to start when evaluating performance in certain areas.

This past Tuesday, Bitsight was named a Leader in The Forrester New Wave™: Cybersecurity Risk Rating Solutions, Q4 2018 evaluation. This report evaluates the current offering and strategy of vendors in a particular technology market, such as security ratings. This is significant, as this is the first analyst report that has a core focus on evaluating security ratings services solutions side-by-side.

In today’s evolving threat landscape, corporate directors are increasingly asking for security performance updates from Chief Information Officer, Chief Information Security Officers, Chief Risk Officers, and other executives.

Businesses are becoming increasingly reliant on outsourced IT services to support day-to-day operations.

In Spain, cybersecurity is becoming more of a priority among businesses across all industries. One way to quantify these cybersecurity postures is by looking at Spain’s security ratings across all markets. In Spain, Bitsight Security Ratings are on average 119 points below Europe as a whole. The highest performing industry is Real Estate, which has a security rating of 71 security rating points better than the European average. The lowest performing industries are Financial Services and Insurance, which are more than 200 security rating points lower than the average European rating. Given the sensitive data financial services companies possess, this report suggests there is a need for additional investment in cybersecurity and cyber risk management. As companies invest in digital transformation programs, their exposure to risk increases and requires an increased investment in risk management across their organization. 

October was Cybersecurity Awareness Month, which gave companies the opportunity to thoroughly examine their security and risk programs and identify where they can strengthen security practices. A Bitsight, we talk about risk management every day. We sat down with our Co-Founder & CTO, Stephen Boyer, to talk about the significance of having a risk-aware organization and proactive ways security ratings can help with risk management.

Banks and other financial institutions are a proving ground for new risk management methods. High risk and intense regulations feed into a culture of serious, comprehensive security — a culture that has manifested in mature methodologies such as the three lines of defense.

In a 2017 survey of almost 1,300 CEOs conducted by PwC, 63% of respondents said they were “extremely concerned” about cyber threats — up from just 8% in 2013.

Over the last several years, cybersecurity regulations (like NYDFS and GDPR) have placed pressure on the financial services industry to build and enforce some of the strongest risk management programs across any industry. These programs focus not only on internal security performance, but also on managing third party risk. Financial service organizations are both highly regulated and handle extremely sensitive personally identifiable information (PII), and as a result typically have higher security budgets when compared to other industries.

With every reported data breach or cyberattack, the cyber risk landscape gets a little more complex. Cyber criminals create new attack vectors, cybersecurity professionals develop new controls to protect their systems, the criminals get to work circumventing the controls, and so on.The result of this back and forth is that cyber risk professionals have a huge variety of risk factors to worry about. In response, risk managers and security specialists need to develop extremely complex cybersecurity programs to make sure all of their bases are covered. With so many cybersecurity risks to consider, it’s inevitable that some will receive less attention than they deserve. Unfortunately, these overlooked risk factors could play a role in your next cyberattack, and if your financial services firm isn’t prepared, that could be extremely costly. Here are a few historically overlooked risk factors that deserve some additional attention: