HALOCK News
The latest HALOCK Updates
Cybersecurity Safe Harbor? There Be Dragons
When we examine where the dragons be in cyber litigation, you’ll start to realize that there are safer, deeper ports in which to anchor. And those are just about every state in the Union and every federal agency that has cybersecurity regulations where “reasonability” is the standard of care.
On Sept. 1, 2025, Texas will begin providing safe harbor to small companies that suffer data breaches. See, Texas S.B. No. 2610. Texas will be the sixth state to do so, depending on what you consider “safe harbor” to be, since each state has its own way of offering it.
The new Texas law states that a breached company is sheltered from “exemplary damages” (punitive damages) when it “conform[s] to an industry-recognized cybersecurity framework.”
By Chris Cronin
Why Every CIO Must Align Security with Business Strategy
CIO INFLUENCE: Why Every CIO Must Align Security with Business Strategy
In today’s digital-first world, CIOs are often viewed as the gatekeepers of innovation. But that innovation is only sustainable when it’s grounded in sound risk management. As a CISO, I’ve seen firsthand how easy it is for security to be treated as a separate function—an isolated department tasked with protecting assets rather than enabling growth. That’s a mistake.
The most important risk management rule every CIO should follow is this: security must align with business strategy.
Ready for the Proposed HIPAA Requirements for Penetration Testing?
If your organization is responsible for HIPAA compliance, you may have another incentive to begin regular pen testing. That is because on December 24, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify HIPAA.
Published in The Electronic Health Reporter
Cyber insurance isn’t always what it seems
A huge portion of the costs of cybersecurity breaches come from lawyers negotiating against each other.
“Every year, the NetDiligence Cyber Claims Study shows that a substantial portion of insurance payouts go not toward technical recovery, but toward legal liabilities,” said Chris Cronin, Principal Consultant and Partner, Halock Security Labs. “That tells insurance carriers their policyholders represent a massive liability risk in their portfolios.”
Top 50 Best Penetration Testing Companies in 2025
HALOCK ranked among the Top 50 Best Penetration Testing Companies in 2025 – Cybersecurity News
One Year Later: The Impact of SEC Cybersecurity Regulations
NASDAQ: Key Learnings from Early Disclosures
“Another survey conducted by cybersecurity consulting firm Halock Security Labs published in September 2024 reviewed thousands of 10-Ks filed since December 2023 and found that only 24 of the forms listed risk assessment methods. The report claims that ‘public companies appear to be overstating their cybersecurity governance capabilities in their 10-Ks…companies do not yet know how to define what cybersecurity risk management is, how they determine what cyber risks and incidents would be qualitatively and quantitatively material, or how they discern strategy from governance.’”
Rane Risk Insights – One Year Later: The Impact of SEC Cybersecurity Regulations
The Role of Cybersecurity in Streamlining Business Processes
DEVPROJOURNAL with Rachel Braford: Solid security practices make it possible to streamline business processes by reducing downtime, improving performance, and simplifying operations.
Confusion Over New SEC Cyber Rules Leading Firms to Overstate Attack Readiness
Companies may not be fully grasping—or explaining—how they handle cyber risk in their 10-K annual reports, leading some to unintentionally cast their attack defenses as stronger than they are.
Such are the findings from cybersecurity consulting firm Halock Security Labs’ review of thousands of 10-Ks in the year since the Securities and Exchange Commission enacted its cyber risk disclosure rules. Read the full article on Law.com.
US supreme court ruling suggests change in cybersecurity disclosure process (CSO)
Friday’s Supreme Court ruling “basically says that an omission in your S-K disclosures would be actionable only if it would have countered statements you did make. So, if you don’t feel like disclosing a risk, then also avoid making affirmative statements about things that the risk would compromise,” says Chris Cronin, a security consultant who serves as an expert witness for defense, plaintiffs, and regulators. “As a shareholder, I’m not happy about the now-clear instructions for hiding risks from your 10-K. The detail and comprehensiveness of appropriate cyber risk reporting were bound to be in contention without good examples and principles to guide filers. (The ruling) only hampers a portion of the cybersecurity rule that companies seem to be pretty bad at.”
Managing HIPAA Risk With Duty Of Care Risk Analysis (DoCRA)
ABOUT INSIDER: A brief Q&A synopsis from Health Care Law Today podcast featuring Foley Partner Jen Rathburn interviewing Terry Kurzynski, founder of HALOCK Security Labs. Jen has been practicing for almost 20 years in data privacy and security. Terry has over 25 years of experience in the cybersecurity arena and also serves as a board member on the DoCRA Council. The full podcast can be found here.
Understanding Risk’s Role in Reasonable Security
As regulations and privacy laws require ‘reasonable security’, we are seeing more organizations focus on their duty of care to all interested parties. There are more references to ‘reasonableness’ in breach litigation, and more inquiries into how company security programs implement reasonable controls.
Professionals seek answers for their specific working environment. Each organization also follows various standards, which can be a challenge. One approach that brings these standards together in a single risk process is the Duty of Care Risk Analysis (DoCRA). It provides guidance on how to establish reasonable security.
Read full article at Techbullion.
TechTarget News
Spirion, a data protection and compliance company based in St. Petersburg, Fla., launched its Global Alliance Partner Program, which spans software developers, technology providers, systems integrators and solution providers. Partners will “extend the functionality” of Spirion’s Data Privacy Management Framework, according to the company. Solution provider members of the program include GuidePoint Security and Halock Security Labs, while technology partners include ContextSpace, Seclore and Tonic.
What lawyers mean by ‘reasonable’ cyber security controls
Cyber Security: A Peer-Reviewed Journal, Volume 3 / Number 4
Regulators, litigators and cyber security standards require that cyber security controls should be ‘reasonable’. But rarely do these authorities define what the word means. Lawyers and regulators have long stated that reasonableness is a balance between protecting others from harm and using controls that are no more burdensome than the risks they reduce. They have illustrated this concept with a calculation that is remarkably similar to risk calculations used in cyber security risk management. This paper explores an accidental collaboration between the cyber security community, judges and regulators to define reasonableness, and demonstrates to readers how they can use risk analysis to defend their security programmes as reasonable.
