Departing ABN AMRO risk chief says climate, cyber among priorities
Tanja Cuppen, chief risk officer of ABN AMRO, shared her view on the Dutch bank’s biggest risk focus areas and the accomplishments of her tenure a month ahead of her planned departure.
Privacy by design a silver bullet for stemming AI risks?
The proliferation of artificial intelligence technologies—and their reliance on publicly available data—has reinforced the need for tech developers and the companies using their solutions to ensure privacy by design and by default is at the crux of any offering.
Change Healthcare facing HHS probe following crippling cyberattack
Change Healthcare, a health payment processor hit by a crippling cyberattack in February, is under investigation by the Department of Health and Human Services’ Office for Civil Rights.
U.S. banking regs mulling enhanced operational resiliency frameworks
Acting Comptroller of the Currency Michael Hsu said federal banking agencies are considering enhancements to their operational resiliency requirements for member banks.
New Zealand banks to report material cyber incidents within 72 hours
The Reserve Bank of New Zealand added new reporting requirements for its member banks to follow if they suffer a material cyber incident and for all types of cyberattacks.
Italian DPA fines UniCredit $3M over data breach GDPR lapses
The Italian data protection authority announced a fine of €2.8 million (U.S. $3 million) against UniCredit for alleged violations of the General Data Protection Regulation regarding insufficient security measures the bank had in place during a cyberattack.
Biden executive order to target commercial data broker activities
A new executive order seeks to put clamps on the sale of Americans’ personal data by data brokers and other companies to certain countries found to be of national security concern.
CW National 2024 preview: Diana Kelley on AI implications for compliance
Artificial intelligence expert Diana Kelley will discuss what AI means for organizations and explore the technology’s implications for compliance and enterprise risk as part of a keynote address at Compliance Week’s National Conference in Washington, D.C.
Apr 9 | Doubling down on compliance: deep dive into SEC cybersecurity regulations
KPMG and ServiceNow experts will delve into best practices to help you not only understand the new regulations but also navigate critical regulatory challenges by highlighting how a platform like ServiceNow can help with compliance.
DOJ official: Expect more cybersecurity false claim enforcements
The announcement of a record year in several areas of False Claims Act enforcement at the Department of Justice was accompanied by a warning that more significant cases are coming, particularly regarding cybersecurity-related claims.
Toeing the ‘fine line’ of cloud security compliance
When organizations move their data or operations to the cloud, the compliance team has their work cut out and then some, experts discussed at CW’s Cyber Risk & Data Privacy Summit.
Montefiore Medical Center to pay $4.8M over employee’s data theft
Montefiore Medical Center agreed to pay $4.75 million to settle allegations by the Department of Health and Human Services’ Office for Civil Rights that failures by the New York City nonprofit facility allowed an employee to steal and sell patient information for six months.
Alphabet to pay shareholders $350M over Google+ privacy lapses
Alphabet, the parent company of technology giant Google, agreed to pay $350 million in a preliminary settlement with shareholders over alleged data privacy violations and materially false and misleading statements linked to now-defunct social media site Google+.
Experts: Good data breach response grounded in preparation
Two chief compliance officers and an attorney discussed preparation for the “when, not if” threat of a data breach during a panel at CW’s Cyber Risk & Data Privacy Summit.
Clorox discloses $49M hit from cyberattack
Cleaning products company Clorox disclosed the major cybersecurity incident that led to a shutdown of its automated order processing late last year has cost it about $49 million.
Blackbaud avoids fine in FTC deal requiring data deletion
Software company Blackbaud will be required to delete unnecessary data and boost cybersecurity as part of a proposed settlement with the Federal Trade Commission stemming from a 2020 data breach.
N.Y. sues Citi for lax data security, failing to reimburse fraud victims
Citibank faces a lawsuit from New York Attorney General Letitia James for allegedly failing to protect and reimburse customers who lost thousands of dollars in fraudulent wire transfers.
Consultation opens debate on proposed U.K. cyber governance code
Cybercrime is regularly cited as a leading concern for executives, yet board oversight of cyber risks is often inadequate and governance poorly understood, according to the authors of a proposed U.K. code of practice on cybersecurity governance.
New DOJ cyber section wants more private sector partnership
Cooperation between businesses and the new cybersecurity section at the Department of Justice has led to the successful defanging of numerous, major ransomware operations worldwide in just the few months since its creation, according to its chief.
OFAC official urges company transparency on ransomware events
Despite its reputation as a fierce enforcer of sanctions, the Office of Foreign Assets Control has a softer side and wants to help companies that are hit with ransomware attacks, according to the agency’s senior compliance officer.
VF discloses data breach impacted 35.5M customers
Apparel company VF Corp., the owner of brands including The North Face, Vans, and Timberland, disclosed its estimate that approximately 35.5 million customers had their personal data stolen as part of a cybersecurity incident it uncovered in December.
Robinhood Financial to pay $7.5M in Mass. settlement
Online stock trading platform and broker-dealer Robinhood Financial agreed to pay a $7.5 million fine as part of a settlement with the Commonwealth of Massachusetts addressing claims related to “gamification” of its platform and cybersecurity issues that led to a 2021 data breach.
Genesis Global Trading fined $8M by NYDFS over AML, cyber lapses
Virtual currency brokerage firm Genesis Global Trading agreed to pay an $8 million penalty levied by the New York State Department of Financial Services for alleged compliance failures that left it vulnerable to illicit activity and cybersecurity threats.
NIST report: Mitigating the risks of cyberattacks on AI systems
Cyberattacks on artificial intelligence systems are increasing, so it’s important users know their vulnerabilities and try to soften the damage if they get hit, according to a new report by the National Institute of Standards and Technology.
Deepfakes: A silent threat to digital integrity and AML efforts
Deepfakes have emerged in the digital world as a silent pandemic threatening not only our digital integrity but becoming a major risk to anti-money laundering efforts.
CPPA preview: Cybersecurity audit regs nearing formal proposal
Companies with business in California could face tough new cybersecurity mandates under draft regulations that could be headed for formal rulemaking as soon as Friday.
FINRA report: Exam trends on off-channel comms, crypto, cybersecurity
A new report from the Financial Industry Regulatory Authority provides observations from examiners on emerging issues affecting the industry, including surveilling potential use of off-channel communications by employees, crypto-asset developments, cybersecurity trends, and more.
CPE Webcast: If it’s not auditable, is it real?
Learn the importance of creating a unified environment to keep up with compliance regulations and how critical having a central source of information is for compliance professionals.
CMMC implementation plan takes shape in proposed rule
The Department of Defense released for comment a proposed rule setting guidelines for implementation of the Cybersecurity Maturity Model Certification program.
White paper: Empowering Cybersecurity Governance and Disclosures
Do you have a clear vision of what ‘good’ means when it comes to managing governance and your security program? Setting the right targets for your organization is crucial.
Top ethics and compliance failures of 2023
A virtual currency exchange that sought to mislead regulators, banks failing after ignoring obvious risks, and a manufacturer that sold millions of its products in violation of U.S. export controls are among those that make up CW’s list of the biggest ethics and compliance fails of 2023.
Experts: More privacy rules, enforcement expected in 2024
Businesses can prepare for a bumpy ride as the 2024 global landscape of data privacy and other related laws and regulations begins to take shape.
DOJ sets expectations for SEC cyber incident disclosure delays
Companies won’t have an easy path toward earning additional time from the Department of Justice regarding the disclosure of a material cybersecurity incident to the Securities and Exchange Commission as required under a new rule.
FBI guidance: How to earn delay on SEC cyber incident disclosures
Businesses seeking additional time before disclosing to the Securities and Exchange Commission the occurrence of a material cybersecurity incident must be prepared to provide detailed information on the matter to the Federal Bureau of Investigation.
AI in 2024: More business use, more fraud risks
Use of generative artificial intelligence by businesses will ramp up in 2024, as will risk of AI-driven cyberattacks and fraud, according to experts.
Lafourche Medical Group to pay $480K in landmark HHS phishing action
Louisiana-based Lafourche Medical Group agreed to pay $480,000 as part of the first phishing attack-related settlement the Department of Health and Human Services’ Office for Civil Rights has reached under the Health Insurance Portability and Accountability Act.
HHS: New cybersecurity regs on the way for hospitals
Hospitals can soon expect to see new draft cybersecurity regulations and benchmarking goals, according to the Department of Health and Human Services.
First American fined $1M by NYDFS over 2019 cybersecurity breach
First American Title Insurance Company agreed to pay a $1 million fine and implement stronger compliance measures for not securing customers’ personal data, the New York State Department of Financial Services announced.
Australia seeks help from businesses under ‘bold and ambitious’ cyber strategy
Australia released an updated cybersecurity strategy that will rely more heavily on public-private partnerships to support the country’s cyber defense efforts.
CISA guidance provides cyber risk mitigation strategies for healthcare
New guidance released by the Cybersecurity and Infrastructure Security Agency offers best practices for organizations in the healthcare and public health sector to adopt to combat rising cyber threats.
Morgan Stanley settles with states for $6.5M over mishandled data
Morgan Stanley agreed to pay $6.5 million as part of a settlement with six states requiring the firm to strengthen its data security after actions it took compromised the personal data of millions of customers.
N.Y. hospitals face stiff cybersecurity requirements under proposed rules
New York hospitals would be required to have a cybersecurity program that includes regular cyber risk assessments under newly proposed regulations.
Merged UBS, AI on FINMA’s risk radar
A year of significant change in the Swiss banking sector, including the acquisition of Credit Suisse by UBS, has the country’s financial regulator prioritizing new risk areas on its radar.
Amended N.Y. cyber regs up pressure on financial firms to combat risks
New York will require financial institutions to conduct risk assessments more often and improve governance under a broad update to the state’s cybersecurity regulations.
Medical management company to pay $100K in landmark HHS ransomware case
Doctors’ Management Service agreed to pay $100,000 in settling the first ransomware agreement under the Health Insurance Portability and Accountability Act reached by the Department of Health and Human Services’ Office for Civil Rights.
SolarWinds cries SEC ‘overreach’ in fraud lawsuit against company, CISO
SolarWinds will contest a lawsuit brought by the Securities and Exchange Commission against it and its chief information security officer alleging fraud and internal control failures related to the software company’s cyberattack reported in 2020.
FTC tweaks Safeguards Rule to address data breaches
Nonbank financial institutions must report certain data breaches to the Federal Trade Commission within 30 days of discovery under a new amendment to the agency’s Safeguards Rule.
CPE Webcast: Reinforce your defenses with strong cybersecurity compliance training
Join this webinar, where compliance training experts will outline the strategy behind a solid cybersecurity defense to mitigate risks for your organization, starting with your compliance training program.
Survey: Risk chiefs feeling pressure from growing compliance mandates
Mounting compliance requirements and technological innovations have chief risk officers facing more complex risk environments, according to a KPMG survey.
CPE Webcast: Unprepared for SEC cyber disclosures? You can get through this
Learn what cybersecurity strategy, governance, and risk management are and how to use an emerging definition for reasonable cybersecurity controls to help you define materiality.