The Securities and Exchange Commission is conducting examinations of more than 50 registered broker-dealers and registered investment advisers focused on the following: the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.
They have released a sample audit document “to empower compliance professionals with questions and tools they can use to assess their respective firms’ cybersecurity preparedness.”
Information-sharing about cyberthreats can be done lawfully as long as companies aren’t discussing competitive information such as pricing, the Justice Department and Federal Trade Commission said in a joint statement today.
Bill Baer, head of DOJ’s Antitrust Division:
This is an antitrust no-brainer. Companies who engage in properly designed cyberthreat information sharing will not run afoul of the antitrust laws.
Deputy Attorney General James Cole added:
Companies have told us that concerns about antitrust liability have been a barrier to being able to openly share cyberthreat information. Antitrust concerns should not get in the way of sharing cybersecurity information.
Retailers to Form Information Sharing and Analysis Center to Share Intelligence About Cyber Threats
U.S. retailers are planning to form an industry group for collecting and sharing intelligence about cyber security threats in a bid to prevent future attacks in the wake of last year’s big attack on Target Corp. Such Information Sharing and Analysis Centers (ISACs) are set up under terms of a 1998 U.S. presidential directive to foster sharing of security information between the public and private sector.
There are more than a dozen such organizations among industries including financial services, emergency services, healthcare, technology companies, public transportation and utilities. The financial services industry ISAC, which is widely considered the most successful group of its type, will help retailers set up the new organization.
Cyber Insurance on the Rise
Cyber insurance “is by far the fastest growing area of insurance,” said Stephen Boyer, chief technology officer and co-founder of BitSight, a start-up that rates businesses’ security infrastructure.
Clients purchasing cyber insurance rose 21 percent in 2013 from 2012, according to Marsh Risk Management, a global risk management and insurance broker. Clients who bought cyber coverage of $100 million or more also rose significantly last year compared to 2012, according to a recent report from the company.
Cyber insurance offerings also underscore the growing complexity and breadth of the cyberecosystem. “It’s really the maturation of the cybersecurity world. It gives companies the ability to transfer the risk using an insurance model we have used for a long time,” Boyer said.
While this kind of insurance is expanding, industry watchers note the growth remains in the early stages. “It’s key to note that this (cyber insurance) is still a small and growing area of insurance,” Boyer said.
New Tool Will Identify Breached Companies
A new online tool has been launched to help users identify large merchants and hotels that have exposed credit card data and other personal information to hackers, Inside Counsel reports. PrivacyAtlas.com allows users to search through 39,000 hotel and motel locations as well as 28,000 chain stores. Security Validation President and CEO David Durko said, “Consumers want to know how safe their credit card data is when it’s shared with hotels, retail stores or online.” The tool assesses whether a given retailer is PCI DSS compliant. For businesses, participation with PrivacyAtlas is voluntary, but those that choose not to disclose their compliance status with the site receive a “black mark.”