Risk & Compliance News.

Jan 20th, 2021 - The U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) on Jan. 15 fined Excellus Health Plan $5.1 million and ordered it to implement a corrective action plan for failures relating to a 2015 data breach that exposed the personal information of 9.3 million individuals. In September 2015, Excellus filed a breach report notifying HHS that cyber-attackers had gained unauthorized access to its IT systems beginning around December 2013 and ending in May 2015. The hackers installed malware that resulted in the disclosure of protected health information, including ... [Read More]

Jan 20th, 2021 - Predictions for 2021 and Beyond LogicGate CEO Matt Kunkel shares thoughts on what businesses and risk management professionals can expect in the GRC space in the near future, including how risk prioritization and quantification may define GRC in the years to come. 2020 brought massive business disruptions, economic challenges and increasing consumer privacy and data legislation unlike we’ve seen before. And while governance, risk and compliance policies were previously a back-office function, stuck in spreadsheets and rarely revisited, the unprecedented hurdles we experienced this year have ... [Read More]

Jan 19th, 2021 - IAM governance is a priority for DevOps and security teams in the public cloud. Accounts, access, permissions, and privileges have become popular targets in recent cybersecurity attacks on the cloud. A well-established IAM governance policy will significantly reduce the risks of data breaches on the cloud from unauthorized access. While cloud service providers may offer effective baseline security policies that safeguard users from malicious activities, enterprises may face compromised security when implementing a multi-cloud strategy. However, multi-cloud adoption may seem inevitable for ... [Read More]

Jan 19th, 2021 - The Most Pressing Concerns Facing CISOs Today Building security into the software development life cycle creates more visibility, but CISOs still need stay on top of any serious threats on the horizon, even if they are largely unknown. With software being one of the most valuable assets in business today and DevOps in the driver's seat for software pipelines, CISOs are facing an array of challenges regarding their organizational security and integrity. The role and overall visibility of CISOs have continued to evolve because corporate security isn't just nice to have anymore — it's an ... [Read More]

Jan 19th, 2021 - With the rapid development in technology and ever-increasing internet users, cyber security plays a critical role in every industry. Securing the IT infrastructure in an enterprise helps in maintaining smooth workflow and consistent business operations. In recent times, cyber crimes have become extremely sophisticated and threat actors have come up with new ways to obtain access to an organization’s systems and sensitive information. All throughout 2020, everyone was battling to overcome the onslaught of challenges brought by the pandemic. However, cyber criminals saw an opportunity and ... [Read More]

Jan 18th, 2021 - Finding and implementing a cybersecurity risk framework is a challenge every organization faces. Time has shown that this endeavor almost always calls for the heavy lifting to be carried by chief information security officers (CISOs) and their staff. As a result, the focus of cybersecurity risk frameworks typically centers on established technical defenses and desired technical solutions. While this approach certainly addresses some important and critical aspects of cyber risk within an organization, what it does not address is true cyber resiliency, which should never be overlooked. Cyber ... [Read More]

Jan 18th, 2021 - The Department of Defense’s long-anticipated DFARS Interim Rule went into effect in December 2020. The Interim Rule mandates that defense contractors not only perform a self-assessment based on NIST 800-171, but also report that score to the DoD. The Interim Rule also implicitly makes the new CMMC framework—to be implemented over the next several years—the law of the land. All work done by primes and subcontractors subject to the DFARS 252.204-7012 clause now is also subject to the requirements described in the Interim Rule. That includes all defense contractors that handle CUI. ... [Read More]

Jan 17th, 2021 - As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. You must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide and in the Hallmarks of an Effective Compliance Program. They five steps in the lifecycle of third-party management As every compliance practitioner is well aware, third parties still ... [Read More]

Jan 15th, 2021 - Getting the Most Out of Internal Audit Public accounting firms are recognizing the value that an effective internal audit team can provide an organization — an encouraging sign. In July 2020, PwC shared its views in " Getting the Most Out of Internal Audit: How Can the Audit Committee Help Maximize the Value of Internal Audit? " (PDF) The article makes a number of good points, but misses the most important issues in my opinion. PwC's Take on Internal Audit Let’s first look at a few of PwC's observations: "Maximizing the value proposition of the internal audit group is an effective way to ... [Read More]

Jan 15th, 2021 - This article was co-written with Troy Fine , SOC 2 Audit Expert at Schneider Downs . From the beginning, SaaS start-ups focus on revenue generation, marketing, product design, functionality, and customer satisfaction. Unfortunately, all too often, cybersecurity is an after-thought for most SaaS start-ups and it will not be prioritized until a large enterprise customer starts asking questions pertaining to cybersecurity controls and if the company can provide them with an independent third party attestation report. When this occurs, companies begin a mad-rush to answer customer questions, ... [Read More]