Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

cyber security

The majority Of Risk Professionals Without Coverage Are Considering Purchasing Cyber Insurance

RIMS, the risk management society ™ has conducted its first Cyber Survey 2015 to explore strategies implemented by risk professionals including insurance investments, exposures, cyber security ownership, government involvement, as well as identification methods and response procedures.

Responses came in from 284 of RIMS U.S. professional members in various industries, with 58% of respondents coming from organizations that produce more than $1 billion in annual revenue.

RIMS said it conducted the survey, in part, to identify methods and response procedures used by its members. As well, the organization wanted uncover strategies in place addressing areas such as insurance investments, exposures, cyber security in order to uncover strategies used by its members against cyber threats, including insurance investments, exposures, cyber security ownership and government involvement.

RIMS President Rick Roberts said that the new information is intended to give “the global risk management community valuable insight, showing how organizations are trying to stay ahead of this top concern”

Key survey findings:

  • 77% of risk management professionals credit enterprise risk management with helping them spot cyber risks at their companies.
  • The top three first party exposures reported are:
    1. 79% reputational harm
    2. 78% business interruption
    3. 73% data breach response and notification
  • 51% said their companies or organizations purchase standalone cyber insurance policies.
  • 58 percent of those with cyber insurance policies carry under $20 million in cyber coverage, and just under half of those said they pay more than $100,000 in premium.
  • 74% of respondents who said their companies lack cyber coverage are considering getting it within the next 12-24 months.

SIFMA Publishes Recommendations for Effective Cybersecurity Regulatory Guidance

Securities Industry and Financial Markets Association (SIFMA) publishes recommendations for effective cybersecurity regulatory guidance 

SIFMA has published its “Principles for Effective Cybersecurity Regulatory Guidance,” that provides regulators with SIFMA members’ insight on productive ways to harmonize and create effective cybersecurity regulatory guidance. SIFMA’s goal is to promote a collaborative approach to cybersecurity that can foster innovation and strengthen efforts to protect financial industry operations and most importantly our clients. This paper is one in a series of initiatives undertaken by SIFMA focused on enhancing the industry’s cybersecurity preparedness and practices.

Cybersecurity is a top priority for the financial services industry, which is dedicating significant resources to protect the integrity of the markets and the millions of Americans who use financial services every day. Effective and consistent regulatory guidance is a critical component of the broader cyber defense effort, as it promotes best practices and accountability across the financial sector,” said Kenneth E. Bentsen, Jr., SIFMA president & CEO.

Cyber attacks are increasing in frequency and sophistication, and it is critical that the industry and government collaborate to mitigate these threats. We appreciate that the public sector has embraced this partnership and we will continue to offer our insights to help them in their work

Specifically, SIFMA’s paper outlines ten foundational principles that can serve as a framework for robust and efficient cybersecurity guidance. SIFMA’s recommendations are meant to help regulators as they move forward with plans to review, update and harmonize their cybersecurity policies, regulations, and guidance, in order to strengthen the financial sector’s defense and response to cyber attacks.

SIFMA members believe there is an opportunity to enhance regulatory guidance beyond existing requirements to improve the protection of the financial sector, and that a dynamic and collaborative partnership between the industry and government is the most effective path forward to accomplishing this goal. The benefits of this partnership approach led to the development of the NIST Cybersecurity Framework, which SIFMA is actively promoting within its membership and encourages regulators to use as a universal structure that can be leveraged as a starting point for creating a unified approach to cybersecurity.

Importantly, SIFMA’s paper notes that harmonization of regulatory guidance across agencies and across borders is essential to avoid confusion in the industry and the duplication of efforts. SIFMA recommends the development of an inter-agency harmonization working group that could coordinate the review of cybersecurity regulations, ensure consistency and receive private sector input.

SIFMA’s ten principles are:

Principle 1:  The U.S. government has a significant role and responsibility in protecting the business community

Principle 2:  Recognize the value of public-private collaboration in the development of agency guidance

Principle 3:  Compliance with Cybersecurity agency guidance must be flexible, scalable and practical

Principle 4:  Financial services Cybersecurity guidance should be harmonized across agencies

Principle 5:  Agency guidance must consider the resources of the firm

Principle 6:  Effective Cybersecurity guidance is risk-based and threat-informed

Principle 7:  Financial regulators should engage in risk-based, value-add audits instead of checklist reviews

Principle 8:  Crisis response is an essential component to an effective Cybersecurity program

Principle 9:  Information sharing is foundational to protection, must be limited to Cybersecurity purposes, and must respect firms’ confidences

Principle 10:  The management of Cybersecurity at critical third parties is essential for firms

A full copy of SIFMA’s “Principles for Effective Cybersecurity Guidance,” can be found here.

Europe’s Threat Landscape 2013 a report by ENISA

The EU’s cyber security Agency ENISA has issued its annual Threat Landscape 2013 report, where over 200 publicly available reports and articles have been analysed. 

Questions addressed are:

  • What are the top cyber-threats of 2013?
  • Who are the adversaries?
  • What are the important cyber-threat trends in the digital ecosystem?

Among the key findings is that cyber threats have gone mobile, and that adoption of simple security measures by end-users would reduce the number of cyber incidents worldwide by 50%.

The ENISA Threat Landscape presents the top current cyber threats of 2013 and identifies emerging trends. In 2013 important news stories news, significant changes and remarkable successes have left their footprint in the cyber-threat landscape. Both negative and positive developments have formed the 2013 threat landscape. In particular:

Negative trends 2013:

  • Threat agents have increased the sophistication of their attacks and of their tools.
  • Clearly, cyber activities are not a matter of only a handful of nation states; indeed multiple states have developed the capacity to infiltrate both governmental and private targets.
  • Cyber-threats go mobile: attack patterns and tools targeting PCs which were developed a few years ago have now migrated to the mobile ecosystem.
  • Two new digital battlefields have emerged: Big Data and the Internet of Things.

Positive developments in the cyber threat trends in 2013 include:

  • Some impressive law-enforcement successes. Police arrested the gang responsible for the Police Virus; the Silk Road operator as well as the developer and operator of Blackhole, the most popular exploit kit, were also arrested.
  • Both the quality and number of reports as well as the data regarding cyber-threats have increased
  • Vendors gained speed in patching their products in response to new vulnerabilities.

The top three threats:

  1. Drive-by-downloads
  2. Worms/Trojans
  3. Code injections.

Key open issues, identified are:

  • The end-users lack knowledge yet they need to be actively involved. Adoption of simple security measures by end-users would reduce the number of cyber incidents for 50% worldwide!
  • Numerous actors work on overlapping issues of threat information collection and threat analysis. Greater coordination of information collection, analysis, assessment and validation among involved organisations is necessary.
  • The importance of increasing the speed of threat assessment and dissemination, by reducing detection and assessment cycles has been identified.

The Executive Director of ENISA, Professor Udo Helmbrecht remarked: “This threat analysis presents indispensable information for the cyber security community regarding the top threats in cyber-space, the trends, and how adversaries are setting up their attacks by using these threats.”

The full report can be found here.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: