Insights blog.
Critical Vulnerabilities Discovered in Automated Tank Gauge Systems
Bitsight TRACE explores several critical vulnerabilities discovered in ATG systems and their inherent risk when exposed to the Internet.
Last week, the SEC issued a Risk Alert, announcing that they will continue to assess cybersecurity risk and preparedness among brokers/dealers, investment advisors, and other financial institutions. The release details several focus areas for these exams. Here are a few highlights:
Today Bitsight published our third annual industry benchmarking report: Are Energy and Utilities At Risk of a Major Breach? This report illustrates the latest security performance of the Finance, Federal Government, Retail, Energy and Utilities, Healthcare, and Education industries. All of these industries hold sensitive data, and as a result they are targets for hackers. Like we do for all of our Bitsight Insights, let’s dive into how each sector performed.
There are obvious and non-obvious vendors, third parties, and contractors that have access to your data or your corporate network. The obvious ones are organizations that provide IT or technology services to you. Naturally, these individuals would have access to your data, because you’ve granted it!
This is the third post in a series exploring how Security Ratings can address key components of the NIST cybersecurity guidelines. You can read the first post here and the second post here.
Prioritizing vendors based on risk is considered a vendor risk management best practice. But how do you do this? To start, let’s look at a commonly referred-to equation:
Last month, the Office of Personnel Management revealed the true extent of its mega data breach: 21.4 million Americans. This means that around 7% of all Americans are affected by this breach. Lawmakers are beginning to debate how the federal government can implement twenty-first century policies to counter growing cyber threats. A recent study from the US GAO noted that there was a 32.5% increase in cyber incidents at federal agencies from 2012 to 2013. As lawmakers begin to look internally at policies and processes to combat these threats, it is important that they also look externally. Primarily this means taking note of third-party risks and emulating models of success found in other industries.
When you think of an audit, what comes to mind? If you’re at all familiar with the traditional auditing process, I’d imagine your answer would look something like this:
Today, we are pleased to announce that NAFCU Services has selected Bitsight as a Preferred Partner, giving its member credit unions access to Bitsight Security Ratings. The partnership is very timely: credit unions have been increasingly targeted with cyber attacks. A recent survey found that 84.4% of credit unions were impacted by a data breach in the last two years.
Your organization probably deals with handfuls (or maybe hundreds) of vendors. Whatever the case may be, having a comprehensive third-party risk management solution is the best way to protect yourself against cyber mischief.
Last week, Walmart Canada, Rite-Aid, CVS, and Sam’s Club were among the retailers to suspend their online photo operations due to a possible data breach of third-party photo service provider PNI Digital (a Staples subsidiary). This is the latest cyber incident to affect the retail industry, which has witnessed a number of high-profile breaches involving third-party vendors in recent years.
In recent months, we’ve seen a variety of regulators from Finance to Defense cite the importance of third-party cyber risk management. You can now add the Federal Trade Commission to the list.
In business and in life, safety is always made a priority. From simple day-to-day tasks like wearing a seatbelt, to important business security decisions, prioritizing our safety and the safety of our families and valuable information is of utmost importance. But this process isn’t always easy. It seems like there are new security threats, from computer hackers and otherwise, that force us to find new ways to protect ourselves on a near-constant basis.
When I was a young pup studying statistics, I remember reading about a study on weight loss that found three factors correlated with weight loss: weighing yourself daily, eating a good breakfast, and having access to workout equipment at home. While none of these cause weight loss directly, together they indicate a passion for and dedication to a healthy lifestyle. Connections like this, where subtle observations can lead to a larger understanding, have always been an interest for me and have driven me forward in my career.
If your organization outsources to vendors, you are probably involved in a lot of due diligence. You may be looking at and verifying credit checks, getting background reports, monitoring legal standings and litigation, ensuring that third parties pay their bills and don’t employ criminals, and more.
This is the second post in a series exploring how Security Ratings can address key components of the NIST cybersecurity guidelines. You can read the first post here.