Robinhood Crypto anticipates $10M penalty for cyber, AML failures
Robinhood Markets said its cryptocurrency platform might face a penalty of “at least” $10 million from the New York State Department of Financial Services for anti-money laundering and cyber-security failures.
British Airways settles 2018 data breach class action
British Airways has settled one of the U.K.’s largest group actions after thousands of people sought compensation following a 2018 data breach that resulted in the airline being fined under the GDPR.
TPRM 2021: What to do before, during, and after a ransomware attack
Two risk and compliance practitioners opened their cyber-playbooks at CW’s TPRM virtual event, explaining how to identify and address vulnerabilities, establish transparency with vendors, and strengthen an organization’s incident management program.
Takeaways from NYDFS ransomware guidance
The New York State Department of Financial Services has issued guidance for regulated entities describing best practices for reducing the risk of a ransomware attack.
Pandemic effect on TPRM practices here to stay, expert warns
With many businesses still sorting through the new layers of risk that have emerged over the last 16 months, Linda Tuck Chapman of the Third Party Risk Institute shared her top areas of focus and more at CW’s virtual TPRM event.
Big week for breaches: McDonald’s, Carnival, and more
Multiple high-profile companies—including Carnival, Wegmans, McDonald’s, Volkswagen, and CVS—have confirmed in recent days they were either victims of a data breach or were alerted to a gap in their security controls.
First American Financial settles SEC charges for cyber-security failures
First American Financial Corp. reached a $487,616 settlement with the SEC for failing to maintain cyber-security disclosure controls and procedures that exposed more than 800 million title insurance records containing sensitive customer information.
SEC rulemaking list 2021: ESG, cyber-risk governance among highlights
The SEC’s spring 2021 rulemaking list is brimming with proposed regulations that would enhance ESG-related disclosures for public companies in areas like climate change, board diversity, human capital management, and cyber-security risk governance.
JBS USA confirms $11M ransom payment to hackers
Meatpacker JBS USA announced it paid the equivalent of $11 million in ransom in response to a May cyber-attack that impacted its operations in North America and Australia.
Assessing yet another ransomware attack on critical supplier (JBS)
Meatpacker JBS USA has become the latest critical infrastructure company to be targeted by a ransomware attack, which temporarily halted its global operations. The attack brings with it implications for the food and agriculture industries.
Colonial Pipeline fallout: Thwarting ransomware attacks requires collective defense
President Biden’s executive order on cyber-security largely applies to federal agencies. But its core message—that the public and private sectors must collectively defend against increasingly malicious ransomware attacks—should not be lost on companies.
Survey: Data access further complicated by emerging privacy laws
A recent survey of 100 executives from Fortune 500 companies found more than half are struggling to balance easy access to company data with privacy and security compliance under laws like the GDPR and CCPA.
New NIST revisions expand scope of cyber supply chain risk management guidance
The National Institute of Standards and Technology is seeking comment on a revised version of its cyber supply chain risk management guidance that is intended for a broader audience of public and private companies.
CPE Webcast: TPCRM best practices that reduce supply chain risk
Organizations are adopting digital transformation and, as a result, increasing their reliance on third parties faster than they can scale their third-party cyber-risk management programs.
SEC fines broker-dealer $1.5M for SARs filing failures
GWFS Equities will pay $1.5 million as part of a settlement with the SEC for lapses in the filing of suspicious activity reports related to the threat of cyber-breaches.
James Comey: Lessons from Enron era will ‘become real again’
Former FBI Director James Comey kicked off Compliance Week’s 16th annual National Conference on Tuesday by speaking candidly about a variety of risk and compliance matters, including the importance of a strong ethical culture in the coming post-pandemic “boom times.”
What you need to know about proposed EU rules for trustworthy AI
With various levels of defined risk and the potential for steep fines for offenders, the European Commission’s recent proposal to ensure trust in the use of artificial intelligence should receive urgent attention from industries beyond Big Tech.
Six best practices for managing cyber-security upon return to office
The hybrid work environment many organizations are expected to utilize as part of the gradual return to the workplace presents numerous cyber-security risks that require proactive attention.
Fines key attention to data privacy from boards, says ICO head
The threat of fines has done more to focus boardroom attention on data privacy and effective cyber-security than any other measure, U.K. Information Commissioner Elizabeth Denham believes.
New chief compliance officer, same Facebook
It isn’t surprising to see Facebook think it doesn’t have an ethical obligation to alert users to its latest data leak, writes Kyle Brasseur, but it is disappointing knowing the company now has a chief compliance officer in place.
U.S. sanctions Russia over SolarWinds hack
The Treasury Department announced sanctions against Russia implemented under an executive order from President Joe Biden in response to the SolarWinds hack and alleged election interference by the country.
Video: Kudos to whistleblower chief Jane Norberg on successful SEC tenure
Aaron Nicodemus applauds outgoing SEC whistleblower chief Jane Norberg for “revolutionizing” the program and the agency, while Kyle Brasseur laments Facebook’s ethical bungling of its recent data leak.
Facebook facing 10th GDPR probe over data leak
The Irish Data Protection Commission has launched an inquiry into Facebook over concerns the social media giant may not have properly disclosed the full extent of its recent data leak.
Facebook’s new leak: Assessing its liability under the GDPR
Old personal data of more than 533 million Facebook users was recently made publicly available on a hacker forum. Could the social media giant face a new investigation under the GDPR in response?
Irish DPC seeking answers on Facebook breach
The Irish Data Protection Commission has reached out to Facebook seeking to determine whether the social media giant’s weekend data breach should receive scrutiny under the General Data Protection Regulation.
Data breach disclosures drop in 2020, report says
Cyber-breach disclosures in 2020 were down 19 percent from 2019—the first drop in the statistic in five years, according to a new report from Audit Analytics.
Booking.com fined $557K under GDPR for reporting data breach late
Online reservation Website Booking.com has been fined €475,000 (U.S. $557,000) by the Dutch Data Protection Authority for reporting a data breach 22 days later than the 72 hours required under the GDPR.
Video: More scrutiny coming to data breach disclosures?
Aly McDevitt assesses controversial data breach disclosures from U.K. retailer FatFace and technology vendor Ubiquiti in light of a report Congress is considering stricter requirements for reporting data breaches.
James Comey: Buckle up for dangerous post-pandemic risk landscape
Former FBI Director James Comey predicted a “time of extraordinary change” is ahead for the compliance profession in the post-pandemic world during a prerecorded video message at Compliance Week’s Financial Crimes virtual event.
Internal audit’s role in cyber-security testing: Where to start
Nathan Anderson, senior director of internal audit at McDonald’s, discusses ways internal audit can better answer management questions about cyber-risks and become a more independent cyber-security testing function overall.
Ask a CCO: Are you in favor of federal data privacy legislation?
It’s a clean sweep: All five CCOs we spoke with are in favor of U.S. federal data privacy legislation. Read on for the reasoning behind their answers.
NYDFS fines mortgage banker $1.5M for cyber-security violations
The New York State Department of Financial Services fined Residential Mortgage Services $1.5 million for violating New York’s cyber-security regulation.
Ask a CCO: What’s your strategy for preventing and detecting data breaches?
Five senior compliance practitioners outline their strategies for protecting their firms from data breaches.
Ask a CCO: How is your company reacting to cyber-risks introduced by COVID-19?
Five senior compliance practitioners tell Compliance Week how their organizations are reacting to new cyber-threats introduced by the pandemic.
Ask a CCO: What’s your role in creating/implementing cyber-security policies?
Five senior compliance practitioners share insights on their roles in implementing and overseeing cyber-security policies and procedures.
Special report: Compliance, infosec & battling cyber-threats
LifePoint Health’s VP for Compliance Program Operations/Chief Privacy Officer Ellen Hunt and VP/CISO Andy Heins share how they work ”hand in glove” to protect their company’s data from bad actors.
CPE Webcast: How modern cyber-threat intelligence can enrich system security
Threat Intelligence is normally used to enrich the process of security assessment, providing proof on the enforcement of security controls required to be secure and compliant.
Cyber-insurance: Why you need it and how to choose the right plan
As cyber-attacks surge, the need for cyber-insurance is growing more urgent. But it’s critical for companies to first familiarize themselves with how to navigate the labyrinth of cyber-insurance products on the market so that they are properly covered.
Kroger joins victims of Accellion data breach
Two months after cloud service vendor Accellion first identified one of its legacy products was targeted by a sophisticated cyber-attack, users of the product continue to feel the impact, with grocery chain Kroger the latest to reveal its exposure.
Survey: Firms enhanced cyber-security in 2020, but not enough
Companies forced to pivot to remote work in a global health crisis spent the bulk of 2020 grappling with heightened cyber-security risks. A year later, compliance practitioners say their companies’ cyber-security postures are better for it—even in the wake of the stunning SolarWinds hack.
CPE Webcast: Vital framework to defensible data incident and breach response
Today’s breach landscape is unprecedented and complex. Every organization is facing potential enforcement of many interconnected and overlapping laws in multiple jurisdictions.
FINRA report: Top risk areas for AML, cyber-security
The Financial Industry Regulatory Authority has published a new report designed to help inform member firms’ compliance programs by providing annual insights from its examinations and risk monitoring programs.
Survey: Pandemic pervades executives’ top 10 risks for 2021
The aftermath of the coronavirus pandemic dominates the top risks that will keep boards of directors and executive management teams on their toes in 2021, a new survey by Protiviti and NC State’s ERM Initiative finds.
White paper: Digital Transformation & Cyber Risk: What You Need to Know to Stay Safe
CyberGRX and Ponemon Institute surveyed 581 IT security and 302 C-suite executives to determine what impact digital transformation is having on cybersecurity and how prepared organizations are to deal with that impact.
SolarWinds hack turning into Pandora’s box of cyber-risk
The more we learn about the SolarWinds hack, the more troubled compliance officers should be by the scope and breadth of the risks their companies might have incurred.
NYDFS regulation a best-practices model for cyber-security training
Companies must make cyber-security a continuous priority as threats evolve, often more quickly than the technology and regulations to counter them. That’s why the New York Department of Financial Services, under Maria Vullo, developed a policy that should act as a model for organizations.
White paper: Reducing Cyber Risk for the Financial Service Industry
The financial services industry is a leading target for cyber criminals because there’s more than one way one way to profit from an attack.
Cyber-Risk Summit: Compliance should view cyber-security through prism of risk
What’s most important for compliance officers is to understand the risks breaches and hacks pose to their organizations, not the technical manner of how those breaches occur, according to an expert panel at CW’s virtual Cyber-Risk & Data Privacy Summit.
Cyber-Risk Summit: 7 best practices for protecting employee health data
Experts at CW’s virtual Cyber-Risk and Data Privacy Summit explain the importance for companies to review and enhance their current data security compliance policies and procedures.
Excellus Health Plan fined $5.1M for 2015 data breach
The U.S. Department of Health and Human Services’ Office for Civil Rights fined Excellus Health Plan $5.1 million for failures relating to a 2015 data breach that exposed the personal information of 9.3 million individuals.