Cyber Risk Governance Insights | January 29, 2024

WEEK IN HEADLINES

FIN SERVICES - Wall Street Firm Offline After by Cyberattack

EquiLend, a Wall Street firm processing trillions in securities transactions, has been hit by a cyberattack. The incident occurred days after Welsh, Carson, Anderson and Stowe (WCAS) agreed to acquire a majority stake in the company from Goldman Sachs and BlackRock Inc.

HEALTHCARE: Provider Notifies 4M Patients of Data Breach

Texas-based therapy provider, Concentra Health Services, is notifying nearly 4 million of its patients about a data theft incident as a result of a supply chain attack against Nevada medical transcription vendor, Perry Johnson & Associates, from November 2023.? The 3rd party breach is now affecting nearly 14M patients.

ENTERTAINMENT - Hackers Drain Funds From Latino Performing Arts Theatre

A theater in Washington DC, GALA Hispanic Theatre, is back in action after recovering from a cyberattack. The incident had disrupted its operations.

MANUFACTURING - Ransomware Blemishes Cosmetics Maker

The Akira ransomware gang has claimed responsibility for a cybersecurity incident at Lush, a UK-based global cosmetics giant. The gang alleges to have stolen 110 GB of data, including personal documents such as passport scans. The data breach suggests that the cybercriminals likely had access to a system containing staff-related data. The gang is threatening to make the data public soon. However, there is no evidence to suggest customer data was exposed.

HOSPITALITY - Data Exposure Puts National Deli in a Pickle

Jason’s Deli, a popular restaurant chain, has announced a data breach. The company says customer data was exposed in a credential stuffing attack, a type of cyberattack where stolen account credentials, lists of usernames and/or email addresses, and the corresponding passwords due to an attack against a web application.? MasterCard Inc. security personnel discovered evidence of the attack.

TRANSPORTATION - Ransomware Reroutes Public Transit Authority

In a recent spate of cyber-attacks in the state of Kansas, the latest victim is the Kansas City Area Transportation Authority (KCATA), a bi-state public transit agency serving seven counties of Kansas and Missouri, which was targeted by ransomware. The attack disrupted KCATA’s operations, but the extent of the impact is still being assessed

INSIGHTS & EXPERT PERSPECTIVES

COMPLIANCE - SEC's Cyber Rule: Crucial Insights for Companies of Every Size

The IANS Research recently published its 2023 SEC Cyber Disclosure Rules Guidance which outlines new cybersecurity disclosure rules set by the SEC, primarily targeting publicly traded companies. However, IANS emphasizes that non-public entities can benefit from implementing similar practices.

The focus is on materiality, requiring disclosure of incidents with significant impacts. The checklist provides clarity on the SEC's requirements, stressing the importance of understanding materiality and preparing for incident disclosures. Non-public entities are advised to assess cybersecurity practices, engage third-party auditors, and ensure effective board oversight.

The article highlights 3 important things to know:

1. Materiality Definition: Understanding and applying the SEC's definition of materiality is crucial. It extends beyond technical aspects, encompassing business, operational, and financial impacts.
2. Preparation and Disclosure: Timely and accurate incident disclosure is paramount. Non-public entities should proactively prepare for potential material incidents, including understanding the reporting requirements and regularly updating incident response practices.
3. Board Oversight: While not explicitly mandating cybersecurity expertise on boards, the SEC emphasizes board oversight. Non-public entities should consider augmenting board knowledge, either by adding cybersecurity experts or engaging external consultants.?

INSIGHTS: We have spoken quite a bit about what the new SEC Cyber Rules mean for companies and understanding cyber risk.? Netswitch has hosted webinars with legal specialists - John Levonick, J.P. Wilson, and Alex Sharpe.?

Why? Because it's important to understand that these SEC Cyber Rules are important to companies of all sizes, and there are things you can do as a leader in your organization to get ahead regarding the expectations of these new rules.

Do your Board and senior management have cyber expertise?? If not, consider external consultation to incorporate this critical expertise. When was the last time you evaluated your Risk Management Program?? You might need a third-party assessment of your cyber risk posture to ensure your technical and governance controls are in aligned.?Have you conducted a tabletop to test your incident response plans?? By the way, these plans should also have the required reporting documents and you should know to whom you need to report.?

We think there are areas where a more nuanced discussion might be warranted.? Where it discussed the cybersecurity skills gap on boards, the document offers strategies, but it skipped adding depth, especially for smaller companies with limited resources. Elaborating on the challenges SMEs face and offering some general solutions could enhance the document's practical applicability.?

Further, while tabletop exercises are briefly mentioned, the IANS article might have missed an opportunity. Embedding cybersecurity practices into an organizational culture requires more than sporadic exercises.? Mature cyber risk management demands continuous sharing of info and educational efforts.?

Finally, we wish they delved a little deeper into how companies - especially SMEs - could better integrate these practices into their corporate culture as it would undoubtedly provide greater value to the guidance it otherwise provided.

John Levonick J.P. Wilson Alex Sharpe

RISK MANAGEMENT - A Prescription for Change

The U.S. Department of Health and Human Services (HHS) has released a comprehensive strategy to enhance cybersecurity in the healthcare sector - CYBERSECURITY PERFORMANCE GOALS. The strategy includes updating the HIPAA Security Rule, establishing new cybersecurity requirements setting new voluntary cybersecurity performance goals for healthcare entities, and expanding a “one-stop shop” where healthcare sector entities can tap HHS cybersecurity services and resources.

INSIGHTS: This move from HHS underscores the non-transferable responsibility of cyber risk by healthcare providers.? We welcome the guidelines and encourage a dialog in the industry to create a sense of shared responsibility that through this active participation from all parties reasonable guidelines and rules can emerge.

We are all well aware that healthcare has become increasingly reliant on technology. Electronic health records (EHR), telemedicine, and digital imaging have revolutionized patient care. However, this progress has resulted in more than health risks, but now Cyber Risks.

Many healthcare providers, particularly smaller or specialty practices, operate under the assumption that by outsourcing their IT operations, they are also transferring their cyber risk. This is a dangerous misconception.? When a healthcare provider outsources its IT operations, it cannot transfer the responsibility of protecting patient data. That responsibility remains with the healthcare provider, regardless of who is handling the data.

We have said before, nth-party risk management is critical, and it is equally essential in healthcare.? Third-party vendors and SaaS providers are not immune to cyber threats. In fact, they can often be the weak link in the cybersecurity chain. A breach in a vendor’s systems can have existential consequences for healthcare providers.

Boost Your Cyber Risk Awareness

Here’s How We Help

Fast and Comprehensive Risk Assessment at Your Fingertips

Experience our fully automated Security And Risk Assessment (SARA) that acts as your 3rd party auditor.

SARA provides an unbiased audit of your technical and risk controls.

Discover gaps, reorient resources, and prioritize your network.

Reach out to Netswitch for more details.

Stay Informed with Our LinkedIn Live Events

Join our regular LinkedIn Live Events designed to provide insights that will elevate your cyber risk awareness.

We aim to foster communication and collaboration among stakeholders - Business Executives, Technologists, and Governors – to align technical controls with GRC objectives and improve processes.

Stay updated about future events by following Netswitch Events on LinkedIn.

Jumpstart Your Cyber Journey with Our “Quick Start” Program

Sign up for our “Quick Start” Pilot Program and take a significant step towards reducing control misalignment, meeting GRC requirements, and improving cyber resilience.

Understand your risk level in cybersecurity and governance at no cost.

Contact Netswitch on LinkedIn for more information and to schedule a demo.

Join the LinkedIn CyberRisk Governance Group

Consider joining your peers in the fast-growing LinkedIn group dedicated to CyberRisk Governance.

The group aims to assist technologists, risk and compliance managers, and business leaders better manage their CyberRisk.

Interested in joining us? Here’s the link to our group: https://www.dhirubhai.net/groups/13991569

DISCLAIMER: Any articles, information, or links are provided by Netswitch for reference only. While we strive to keep the information and links correct and safe, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, or related graphics contained on the destination website. Any reliance on such information is therefore strictly at your own risk.