Integrating Vendor and 3rd Party Security into Your Risk Program

Considering vendor security as part of your own risk program is an accepted best practice. But what exactly does it mean to do so? How do you determine which vendors merit the most attention? What data do you need? What roles should your legal, compliance, purchasing, IT, and operations resources play? What access might they[…]

Why Vendor Management Is Critical To Cyber Risk and Security

Where We Were

Diligence mattered, but was relatively straightforward. Not long ago the vendors, suppliers, and other 3rd parties your business engaged with were discrete, independent service or material providers of one sort or another. You communicated by phone, fax, written correspondence, or maybe email or EDI. For the most part data flows were simple.[…]

Compelling Board-Level Content on The State of Cyber Risk At Your Company

Previous posts have discussed how to present cyber and related risk information to your Board of Directors in a relevant and meaningful manner. They’ve also explored how a GRC software platform can help gather, organize and structure risk data from multiple sources necessary to perform this analysis to support such meaningful Board level reporting. Now,[…]

How GRC Platforms Enable Effective Board-Level Reporting

Our last discussion talked about how to present cyber and related risk information to your Board of Directors in a relevant and meaningful manner. Here we’ll explore how a GRC software platform can help organize and structure risk data from multiple sources necessary to perform this analysis to support such meaningful Board level reporting. And[…]

Translating Risk Discussions into Language Your Board Will Relate to and Respect

Every CIO, CISO, and CRO has had this experience, even if only once. They have a meeting with their Board of Directors, for which they have prepared volumes of detailed factual data about the state of risk in their organization; they are confident of their preparation and their message. But, almost immediately upon beginning, the[…]

An Argument for Comprehensive Cyber Risk Management Including Insurance: And GRC Can Help

The frequency and scale of cyberattacks continues to grow, and the financial stakes appear to be rising too. Revenue losses, liability costs, recovery fees, and even regulatory fines are all consequences facing companies experiencing successful cyber incidents. In the recent past, ransomware attacks like NotPetya, one of the most devastating cyber events ever, caused millions[…]

Applying NIST Standards to Managing Cyber Risk and Regulatory Compliance

In our last blog, we explored the content and value of the New York State Department of Financial Services 23 NYCRR 500: Cybersecurity Requirements for Financial Services Companies. In this article, we’ll explore how the application of a framework like NIST 800-53 or the NIST Cybersecurity Framework helps structure and achieve strong compliance with regulations[…]

A New York State Cybersecurity Regulation; A NY State of Mind and Direction for Financial Services

Exploring the intent and value offered through the New York State Department of Financial Services 23 NYCRR 500: Cybersecurity Requirements for Financial Services Companies

From time to time it’s worthwhile to explore an example of a regulation put into place to help define, encourage, and oblige sound cybersecurity and risk management practices. Financial institutions are[…]

Once Upon A Time in Cyber Land…From ATMs to AI and Beyond

I’m old enough to remember a time before ATMs, cell phones, the internet, and portable computing in any number of form factors. No, there were no dinosaurs stealing my school lunch, and I didn’t learn to write on a clay tablet with a stick (despite what my now grown children might think). But the depth[…]

Addressing the Right Cyber Risk… An Example

Recently a malware attack was discovered. “So?”, you might ask. “There’s always a malware attack of some sort or another being identified, reported, and measured for its scope and impact.” Well, this one was unique in several ways: First, it seemed to target Mac OS, which is a rarity for technical (its UNIX roots)[…]