Insights blog.

In today’s security climate, talk of proper cybersecurity procedures must include discussion of a continuous monitoring plan that applies both internally and externally (with the company’s third-party vendors). And while continuous monitoring is critical to the health and well-being of your company, it’s also incredibly challenging to do.

As a U.S.-based company, you may be asking yourself, “Does my company need to prepare for the EU’s General Data Protection Regulation (GDPR)?” Simply put, if you process personal data for anyone in the European Union, the answer is very likely yes.

In a report focused on cybersecurity in the banking and financial sector, Bitsight researchers examined the security performance of more than 5,200 organizations in the Legal, Technology, and Business Services industries. These organizations—monitored by Finance organizations on the Bitsight Security Rating Platform—represent a critical part of the financial services supply chain. Our report shows a number of findings representative of information security in banking and financial industry.

September marked a month of heated discussion concerning data privacy issues, with continuing coverage in the media regarding breaches at major, global institutions. Bitsight looked into the types of breaches experienced by the finance sector over three years of data to determine whether web application compromise is on the rise as well as the impact of these events.

The goal of the General Data Protection Regulation (GDPR), which goes into effect in May 2018, is to protect the fundamental rights and freedoms of individuals in the EU as it pertains to their personal data. As you might imagine, it is a broad and complex piece of legislation, with far-reaching implications for businesses inside and outside the EU.

This August, Bitsight announced the release of several new risk vectors specifically chosen to help organizations identify and manage risks across their own networks and the networks of their third parties. Bitsight chose those new risk vectors to enhance the insights across the “spectrum of risk” and provide a more comprehensive picture of an organization’s security posture.

October is Cybersecurity Awareness Month, which offers organizations the opportunity to thoroughly examine their security and risk programs and identify where any vulnerabilities might exist. Here at Bitsight, we talk about risk management every day. However, we have to practice what we preach — our IT Team offered some insight into areas where organizations can improve their network health not just this month, but regularly.

Most insurers find that the cyber insurance renewal process is fairly efficient from a time perspective—but it’s not very effective. In other words, they are able to quickly re-underwrite a company in their portfolio, but don’t have any better understanding about the insured’s security posture to see whether the risk has changed and is still suitable to keep on the books.

An increasing number of security and risk management executives are being asked to present to the Board of Directors on the state of their — and their third parties’ — security and risk programs. A recent joint survey by Veracode and NYSE found that nearly 80% of directors said that cybersecurity topics are discussed at nearly every board meeting.

Ransomware is rapidly becoming one of the most common forms of malware distributed on systems all over the world.

Reducing cyber risk that stems from third and fourth party vendors is no easy task. It requires that organizations not only have the ability to continuously monitor and identify new risk, but also the ability to work with their vendors to fix security issues quickly. Getting to risk reduction quickly means that both organizations are communicating effectively, using data and evidence rather than conjecture to make progress.

When it comes to vendor risk management, organizations ultimately need their vendors to meet the same standard of security performance they hold for their own organization. For years, the Finance industry has been a trailblazer in managing the risk posed by vendors, suppliers, and business partners. However, are vendors in the Finance supply chain meeting the same level of security performance held by Finance organizations?

The goal of cybersecurity is to help mitigate or prevent a cyber attack that could cause significant harm to your business, your operations, your financial performance, or your customers. But organizations with mature cybersecurity programs are increasingly aware of the fact that they cannot address every cyber threat since bad actors will continually find ways to hack and mine data. Instead, they choose to focus on preventing catastrophic attacks from taking place.

In many lines of insurance, claim activity is part of the norm—and it’s expected that you’ll have to underwrite to losses consistently. For example, in casualty lines, it’s common to have workers file for worker’s compensation because of an injury they experienced on a job.

Today, businesses are at an interesting intersection when it comes to cybersecurity reporting: with modern technology, tons of data and thousands upon thousands of metrics are available to report on — but it’s difficult to determine which cybersecurity metrics actually matter. Because of this conundrum, many security and risk professionals feel a level of confusion around their security posture (and the security posture of their third party vendors). Does this sound familiar?