Tag Archives: Cyber Risk

News Bites for the Week Ending November 30, 2018

Microsoft Azure and O.365 Multi-Factor Authentication Outage

Microsoft’s cloud environment had an outage this week for the better part of a day, worldwide.  The failure stopped users who had turned on two factor authentication from logging in.

This is not a “gee, Microsoft is bad” or “gee, two factor authentication is bad” problem.  All systems have failures, especially the ones that businesses run internally.  Unfortunately cloud systems fail occasionally too.

The bigger question is are you prepared for that guaranteed, some time in the future, failure?

It is a really bad idea to assume cloud systems will not fail, whether they are from a particular industry specific application or a generic one like Microsoft or Google.

What is your acceptable length for an outage?  How much data are you willing to lose?

More importantly, do you have a plan for what to do in case you pass those points of no return and have you recently tested those plans?

Failures usually happen when it is inconvenient and planning is critical to dealing with it.  Dealing with an outage absent a well thought out and tested plan is likely to be a disaster. Source: ZDNet.


Moody’s is Going to Start Including Cyber Risk in Credit Ratings

We have said for a long time that cyber risk is a business problem.  Business credit ratings represent the overall risk a business represents.

What has been missing is connecting the two.

Now Moody’s is going to do that.

While details are scarce, Moody’s says that they will soon evaluate organizations risk from a cyber attack.

Moody’s has even created a new cyber risk group.

While they haven’t said so yet, likely candidates for initial scrutiny of cyber risk are defense contractors, financial, health care and critical infrastructure.

For companies that care about their risk ratings, make sure that your cybersecurity is in order along with your finances.  Source: CNBC.


British Lawmakers Seize Facebook Files

In what has got to be an interesting game, full of innuendo and intrigue, British lawmakers seized documents sealed by a U.S. court when the CEO of a company that had access to them visited England.

The short version of the back story is that the Brits are not real happy with Facebook and were looking for copies of documents that had been part of discovery in a lawsuit between app maker Six4Three and Facebook that has been going on for years.

So, when Ted Kramer, founder of the company visited England on business, the Parliament’s Sargent-at-arms literally hauled Ted into Parliament and threatened to throw him in jail if he did not produce the documents sealed by the U.S. court.

So Ted is between a rock and a hard place;  the Brits have physical custody of him;  the U.S. courts could hold him in contempt (I suspect they will huff and puff a lot, but not do anything) – so he turns over the documents.

Facebook has been trying to hide these documents for years.  I suspect that Six4Three would be happy if they became public.  Facebook said, after the fact, that the Brits should return the documents.  The Brits said go stick it.  You get the idea.

Did Six4Three play a part in this drama in hopes of getting these emails released?  Don’t know but I would not rule that out.  Source: CNBC.


Two More Hospitals Hit By Ransomware

The East Ohio Regional Hospital (EORH) and Ohio Valley Medical Center (OVMC) were both hit by a ransomware attack.  The hospitals reverted to using paper patient charts and are sending ambulances to other hospitals.  Of course they are saying that patient care isn’t affected, but given you have no information available to you regarding patients currently in the hospital, their diagnoses, tests or prior treatments, that seems a bit optimistic.

While most of us do not deal with life and death situations, it can take a while – weeks or longer – to recover from ransomware attacks if the organization is not prepared.

Are you prepared?  In this case, likely one doctor or nurse clicked on the wrong link;  that is all it takes.  Source: EHR Intelligence.


Atrium Health Data Breach – Over 2 Million Customers Impacted

Atrium Health announced a breach of the personal information of over 2 million customers including Socials for about 700,000 of them.

However, while Atrium gets to pay the fine, it was actually the fault of one of their vendors, Accudoc.  Accudoc does billing for them for their 44 hospitals.

Atrium says that the data was accessed but not downloaded and did not include credit card data.  Of course if the bad guys “accessed” the data and then screen scraped it, it would not show as downloaded.

One more time – VENDOR CYBER RISK MANAGEMENT.  It has to be a priority.   Unless you don’t mind taking the rap and fines for your vendor’s errors.   Source: Charlotte Observer.

Bill To Modify Sarbanes To Include Cyber Introduced

HR 5069, the Cybersecurity Systems and Risks Reporting Act, was introduced last week in the House.  It would modify Sarbanes-Oxley by adding cybersecurity reporting requirements that are missing in the current law.  While there is a long road to follow between being introduced and being enacted, it might be smart to consider what the bill is saying.

Given the cybersecurity preparedness of many companies, both big and small, whether the bill passes this year or not, publicly traded companies should look at what is being proposed and begin the long journey to add cyber risk to their financial governance process.

Remembering that the bill language could change significantly before it is passed into law – if it makes it that far, what does the bill say. Here are a few details.

  • The definition of audit is changed by adding information systems to financial statements;  i.e. auditing information systems and financial statements.
  • Audit committees would responsible for reviewing financial and cybersecurity systems reporting processes.
  • The definition of professional standards would be modified to add cybersecurity systems standards and practices.
  • In addition to modifying the above definitions, three new terms are defined – information system, cybersecurity system and cybersecurity risk.
  • Information systems means a set of activities involving people, processes, data or technology which enable the user to obtain, generate, use and communicate information.  Those are not the exact words, but it is a very broad definition.
  • The bill adds responsibility for information systems to the existing responsibility for financial reports and adds a requirement for principal cybersecurity systems officer.
  • The bill adds assessment of information systems controls to other internal controls saying adequate internal control and cybersecurity systems structures and procedures for financial and information systems reporting.
  • Finally, the bill requires the disclosure of cybersecurity systems experts on the audit committee and requires the SEC to define that term.

There are some oddities in this bill.  For example, why do we only care about the cybersecurity of systems for financial reporting, other than that is where SOX’s main focus is.

Whether the government could get enough qualified people to oversee such a program is questionable.

And, finally, whether Congress has the will to pass a major extension to SOX in an election year is unknown.

Still, remember how CISA finally got passed.  At the last minute, it was inserted into a must pass spending bill.  Congress is well known for sticking unrelated stuff that they want to happen into bills that are either popular or must be passed.

What this bill is saying is that the Board and company management needs to be held accountable for managing cyber risk just like they are responsible for managing the rest of financial risk.

I would go even further to say that cyber risk is just a form of cyber risk and should be part of the financial audit process.  Just ask Target or Sony if a cyber breach has significant impact to the financial statement.

Whether this bill passes or not, I think that it is time for businesses to start treating cyber risk like the financial risk that it is, whether the government tells them that they have to or not.

Information for this post came from Chemical Facility Security News.