Risk News

FBI: $1.45 Billion in Losses to Internet Crime Reported in 2016
"The FBI has published its Internet Crime Report 2016 based on information received by the Internet Crime Complaint Center (IC3). It shows that 298,728 complaints were received by the IC3 during 2016 (up from 288,012 in 2015); and that reported losses to internet crime totaled more than $1.45 billion (up from $1.07 billion in 2015)."
Annie's take:

This report turns out to be one of the most valuable produced by the government each year.
Under pressure, Western tech firms bow to Russian demands to share cyber secrets
"Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found."
Annie's take:

This is a real problem.
Barclays reels from its costly Qatar cash call
"John Varley was in his office on the 31st floor of Barclays’ headquarters in London’s Canary Wharf when he called a team of his executives heading for Qatar on the bank’s private jet with some alarming news."
Annie's take:

One would assume that the more detail we have on lapses like this, the less likely they are to happen again. This time, the regulators have senior executives on trial.
Fed official: banks must recover from cyber attack in two hours
"Financial institutions should be capable of a two-hour return to operations (RTO) following a cyber attack, a senior banking supervisor said on Tuesday (June 20)."
Annie's take:

This will cause many banks, large and small, to pick up their game.
Treasury calls on financial regulators to coordinate cybersecurity oversight
"In its first report on financial regulatory reform, the Treasury Department called for state and federal officials to work together to harmonize and coordinate examinations."
Annie's take:

This is actually a very promising sign.
SEC identifies adviser cyber security flaws
"In the wake of the recent WannaCry ransomware attack, the Securities and Exchange Commission's exam team is warning investment advisers that many are failing to perform steps critical to fighting cyber security attacks."
Annie's take:

Another perspective on how SEC regulators are stepping up where cyber is concerned.
Executives and Risk: What Your Teams Won't Tell You
"Operational risk management is still a relatively new discipline. Like other disciplines that have evolved in a complex technological world, the maturity of practitioners varies widely."
Annie's take:

This is the twentieth column I've written for The Risk Universe magazine, and it was written for the last issue of what has been five and a half years of contributions to the profession. My thanks again to publisher Mike Finlay, and to editors Victoria Tozer-Pennington and Carrie Cook.
Be wary of vendors touting superior data science
"In the highly competitive market for security tools, many vendors make the misleading claim of having the best of everything, and at this point in time "everything" often refers to data science, machine learning and AI. The result is an arms race of claims about tools that “automagically” address security problems, according to Forrester Research."
Annie's take:

An excellent caution!
Israeli hackers pulled off something few other nations have
"Israeli government hackers were recently able to do something few others have been able to manage: They hacked the Islamic State."
Annie's take:

No surprises here!
OCR Issues a Cyberattack Response 'Checklist'
"Federal regulators have issued new materials to aid healthcare organizations and their vendors in their "quick response" to cyberattacks."
Annie's take:

The HHS Office of Civil Rights has great powers, so it is good to see them stepping up on the issue of cyber.
Security & Fraud: The SEC Is Picking Up The Pace Of Cyberattack Enforcement
"Cyber hackers are targeting the accounts of brokerage firms to steal assets and/or make illegal trades at an increasing rate, which has prompted securities regulators in the U.S. to shift their focus to this growing trend, reported Reuters."
Annie's take:

It's good to know that one division of a federal agency is working well on something we all agree must be stopped.
Crying wolf: Combatting cybersecurity alert fatigue
"No wonder alert fatigue has become an unwelcome part of the mitigation process. With red lights constantly triggered – could be a legitimate intrusion, could be a false positive – IT security administrators, charged with keeping the data flowing without malware or any other pollutant getting into the operation, face a formidable obstacle."
Annie's take:

The tedium of continuous monitoring is well laid out in this article.
The Limits of Presidential Power
"In my operational risk seminar this spring, students ranked and then restacked and ranked the top operational risks present in our world."
Annie's take:

Here's this month's newsletter, with my column on the president and the situation in which we find ourselves; as well as two new research notes, one from Joytsna Saxena on risks around Indian auto manufacturing; and the other by Evan Cottingham on BYOD risks for firms.
The dangers of encryption becoming a political football
"Following recent terror attacks in Manchester and London some politicians have appealed to Internet companies to provide a way for government to inspect the communications of those suspected of terrorist activity. Others have even called for a blanket ban on end-to-end-encryption altogether."
Annie's take:

"You must do something" has become a familiar refrain. I believe one of the reasons that Prime Minister Theresa May did not win a majority yesterday is that she has discussed changing what she calls "human rights laws" as a solution to part of the terrorism problem. It is worth noting that the PM was head of the country's counter-terrorism efforts before she became prime minister.
Privacy in the Cellphone Age
"Odds are you need to use that phone in your pocket many times a day — and doing so leaves you no choice but to constantly relay data revealing your location and movements to Verizon, AT&T or whatever cellphone company you pay for the service."
Annie's take:

Is location data content? That's the question that will be in front of the Supreme Court. Here's a good reprise of the issues involved.
Best Practices for Meeting Cybersecurity Requirements
"The 2017 examination priorities disclosed by the SEC and Finra include, among other themes, a strong focus on cybersecurity."
Annie's take:

The added focus on cybersecurity by regulators is good to see. Here are two of the most powerful U.S. agencies doubling down on the controls.
C-suite: Cybersecurity is #1 issue, ISA report
"The problem, according to a new blog post written by Stacey Barrack, senior director of the Internet Security Alliance (ISA), is that most of the team members comprising corporate boards, while savvy in business, may not always have insight and basic awareness about cyber issues and, therefore, need to learn how to understand cyber risk."
Annie's take:

It's great to see that NACD is updating their original handbook on cybersecurity!
Target's data breach settlement sets a low bar for industry security standards
"Target’s multistate data breach settlement over its 2013 data breach outlines the kind of security measures enterprises should have in order to not be found negligent with customer data."
Annie's take:

I agree with the author of this article: we need to set a higher bar -- at least describe if not prescribe best practices to be followed rather than the bare minimum from a compliance perspective.
Our Disgraceful Exit From the Paris Accord
"Only future generations will be able to calculate the full consequences of President Trump’s incredibly shortsighted approach to climate change, since it is they who will suffer the rising seas and crippling droughts that scientists say are inevitable unless the world brings fossil fuel emissions to heel."
Annie's take:

Three governors, 30 mayors, more than 80 university presidents as well as more than 100 businesses have already pledged to stick to the accord and petition the United Nations to be a formal partner in the Paris accord. I have never been more proud to live in the great state of Washington.