ICD Brief 59.
23.10.2017.-29.10.2017.
This week’s edition highlights an increased push primarily in the US to identify, quantify and qualify all things cyber. The SEC increases scrutiny of registered investment advisors. The UK’s Information Commissioner’s Office (ICO) considers sharing data breach details with insurers to “accurately price cyber risk.” McAfee stops allowing governments to review code. DHS launches its Continuous Diagnostics and Mitigation Program. New York State’s 23 NYCRR 500.04 law influences Cyber Due Diligence in Mergers and Acquisition. We feature PWC United States Global State of Information Security Survey 2018.
Kudos to Eileen Manning and the Event Group who produced an exceptional 7th Cyber Security Summit October 23-25 in the Minneapolis Convention Center. Governor Mark Dayton opened the event which featured 60 speakers including Dr. Stacey Dixon, Deputy Director, IARPA and drew 800 participants from 10 countries, 30 states and 350 companies. Dayton, Lawmakers to Tackle Cybersecurity
USA
DHS to Roll Out Governmentwide CD Dashboard
“The Department of Homeland Security will soon unveil a federal dashboard for the Continuous Diagnostics and Mitigation (CDM) program to give the agency a deeper and more up-to-date view of cybersecurity vulnerabilities across the government.”
Cyber threats ‘escalating at a rapid rate’
“Michael Kearn, a [Cyber Security] summit co-host and vice president and information security officer for Minneapolis-based U.S. Bank, told the audience that cyber breaches more often result from easily rectified vulnerabilities in companies’ existing security protocols than any failure to adopt the flashiest new products or solutions to counter threats. More than 9 billion data records have been compromised since 2013, according to research collected by the Breach Level Index and shared by Kearn. In the first half of 2017, some 1.9 billion records were compromised – quite a jump from the 1.38 billion in all of 2016. Just 4 percent of all compromised data was encrypted, so 96 percent was intelligible to hackers.”
NSA Contractor Leaked US Hacking Tools by Mistake, Kaspersky Admits
“An incredible sequence of security mistakes led to a US National Security Agency contractor leaking his own confidential hacking tools to Russian cybersecurity firm Kaspersky Lab, the Moscow-based company has alleged.”
USA’s Aviation Cybersecurity Market Forecast to 2022 Published by Leading Research Firm
“USA Aviation Cyber Security Market is an Extensive analysis of industry conducted by following key product positioning and monitoring the top competitors within the market framework. The report will assist reader with better market understanding and decision making.”
Senators Push Bill Requiring Warrant for US Data Under Spy Law
“A bipartisan group of at least 10 U.S. senators plans to introduce on Tuesday legislation that would substantially reform aspects of the National Security Agency’s warrantless internet surveillance program, according to congressional aides.”
McAfee Stops Allowing Governments to Review Source Code
“American cybersecurity firm McAfee will no longer allow U.S. or foreign governments to review its products’ source code, a company spokesperson confirmed.”
China
Foreign Firms Watch Out, Beijing May Require You to Leave China Data in China
“China’s controls on data flows in and out of the country are likely to become even stricter, as shown by draft measures issued last month. Companies in China are already required to store data on local servers, but the new rules appear to require any company doing business with a Chinese entity, even those based overseas, to leave China-related data in China. Like Wolf Warrior 2, China is reaching out beyond its borders – and this matters to any company dealing with China, because infringing the Cybersecurity Law could get you fined, detained, or even imprisoned.”
Czech Republic
Czech Election Websites Hacked, Vote Unaffected
“The websites used for presentation of the Czech Republic’s election results were hacked on Saturday afternoon, the Czech Statistical Office (CSU) said on Sunday, adding that the vote count was not affected.”
India
India Needs a Central Cyber Agency. MHA Official
“With cyber security threats in the country becoming rampant, there is a need to create a Central agency that can act as a one-stop centre for all issues related to cyber space. Rudra Murthy KG, Chief Information Security Officer (Digital India) at the Home Affairs Ministry, feels there has been a delay in decision making and lack of coordination between a host of departments and agencies across various States.”
NATO
Hackers Target Cyber Experts at NATO Conference
“It has been revealed that in early October the Russian hacking group, Fancy Bear launched a new operation targeting potential attendees of an upcoming US cybersecurity conference. Also known as APT28, the hackers weaponised a real Word document titled “Conference_on_Cyber_Conflict.doc” with a reconnaissance malware known as “Seduploader” to target delegates from Washington DC-based Cyber Conflict US, or CyCon. Josh Mayfield, Director at FireMon commented below.”
Singapore
Monetary Authority of Singapore Appoints First Chief Cyber Security Officer
“The Monetary Authority of Singapore (MAS) has appointed its first Chief Cyber Security Officer (CCSO), as part of senior management changes, which will take effect from December 1, 2017. Mr. Tan Yeow Seng will take up the position of CCSO, holding this appointment concurrently with his role as Executive Director (Technology Risk and Payments Department).”
UK
UK watchdog could share details of data breaches with insurers to help them price cyber risk
“Details of data breaches reported to the UK’s Information Commissioner’s Office (ICO) could be shared with insurers to help them “accurately price cyber risk”, the UK’s digital minister has said. The proposed data sharing arrangements would take effect after the new General Data Protection Regulation (GDPR) begins to apply on 25 May 2018, according to Hancock.”
Investments
SEC’s Most Recent Cybersecurity Move: What Registered Investment Advisors Need to Know
“As public concern over data security grows in the wake of the Equifax data breach, the U.S. Securities and Exchange Commission (SEC) is increasing its scrutiny of registered investment advisors (RIAs). In turn, RIAs should take additional steps to protect their businesses and clients. The SEC found two overarching themes. First, it found that firms were better prepared during this examination than during the 2014 Cybersecurity Initiative exams. Second, the staff found that investment adviser firms tended to be less prepared than broker-dealers in some areas examined, such as penetration testing and data breach notification.”
Dealmaking in the Internet Age: Cyber Due Diligence in Mergers & Acquisitions
“Mike Cunning and Douglas B. Bloom write: Given the number and significance of publicly disclosed cybersecurity events, acquisitive companies simply cannot ignore the risk that a target’s cybersecurity exposure presents to the value of a deal.”
“…So common are these attacks that they have become a regular part of board conversations and, where those conversations are not happening yet, regulators like New York’s Department of Financial Services and groups like the National Association of Insurance Commissioners, are crafting requirements for them to occur. See 23 NYCRR 500.04 (requiring annual board reporting by the Chief Information Security Officer); National Association of Insurance Commissioners, Preliminary Working and Discussion Draft, Insurance Data Security Model Law §4(E)(requiring board oversight of the Information Security Program).”
Feature
The Global State of Information Security® Survey 2018
PWC United States
“In the months ahead, we’ll explore key findings from the Global State of Information Security® Survey 2018, which draws on the responses of 9,500 executives in 122 countries and more than 75 industries. The first focus area in this series is why businesses are vulnerable to cyber disruptions – and how leaders can help their organizations build resilience to sustain operations and boost economic performance in the face of such challenges. The second focus area will explore themes related to privacy and trust. In the third focus area, we’ll look ahead at the long-term future of cybersecurity.
Key findings from The Global State of Information Security® Survey 2018
The growth in digital devices is driving risk management
Business leaders see new risks tied to emerging technologies
Cyber threats to the integrity of data are a rising concern
Current employees remain the top source of security incidents