Krone: “There’s an awareness that trusting the IT department won’t hold up with regulators.”

Cyber Rules: What to Guard Against

October 28, 2015 | By Rayna Katz

NEW YORK CITY—As the world-at-large grows more aware of cyber security—which will be the topic of conversation at a conference here in December—new mandatory requirements from financial industry oversight organizations, as well as strongly worded advice, concerning preparedness and the means to address a breach are becoming more prevalent.

The rise in guidance, of course, would impact investment banks with commercial real estate divisions, and will likely trickle down to other types of companies. And while some companies leave the matter of cyber security in the hands of information technology departments, this increased crackdown has led some executives to question that strategy.

“More and more, with company directors facing liability, there’s an awareness that trusting what the IT department is saying isn’t sufficient and it’s not going to hold up with regulators,” says cyber security expert Winston Krone, managing director of Kivu Consulting. “We’re getting more calls from general counsels who want a better investigation.”

Those corporate lawyers have reason to be paranoid, he notes. Earlier this year, the NYS Dept. of Financial Services issued a letter to CEOs, CIOs and general counsel officers stating that the organization “has expanded its information technology examination procedures to focus more attention on cyber security.”

The letter goes on to demand of each organization a 16-part detailed report that, in part, outlines specific systems in place to safeguard information, describes an entity’s ‘incident report program’ and even includes the job description or resume of the CIO or person overseeing cyber security.

Rules such as these likely will spread to more states, asserts Krone. “Other states will simply copy what New York is doing. Regulation only will increase, it’s not going to go down.”

Other oversight organizations, including the Financial Industry Regulatory Authority and the Securities and Exchange Commission, have been conducting surveys and—in reports issued throughout the year—are urging members to take numerous proactive steps to guard cyber security.

Meanwhile, in its annual survey of mid-market companies, Deloitte notes a hefty rise in both the cost of a cyber security breach and some concerning new cyber attack trends.

“The average cost of a data breach increased by 23% between 2013 and 2015, with an average price tag of nearly $3.8 million per breach,” the report says, citing data from Ponemon Institute. Further, Deloitte & Touche partner Adnan Amjad, who leads Deloitte’s cyber threat management practice, says in the report, “An issue of particular concern for mid-sized companies is enacting training to spot the types of attempts to get information.”

Hackers are becoming increasingly sophisticated with a number of techniques, he adds, “including personal details about employees that convince even the most skeptical employees within organizations to divulge proprietary information or even write a check.”

Also of note, according to the research, is an increased risk faced by firms that allow employees to access and send information remotely. “It’s relatively easy to exploit and harder to cope with from an IT perspective,” Amjad reveals. “Organizations are well-served if they have the ability to remotely delete files on devices that are lost or otherwise exit the company.”

