If your organization is responsible for HIPAA compliance, you may have another incentive to begin regular pen testing. That is because on December 24, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify HIPAA. 

Published in The Electronic Health Reporter

A huge portion of the costs of cybersecurity breaches come from lawyers negotiating against each other.

“Every year, the NetDiligence Cyber Claims Study shows that a substantial portion of insurance payouts go not toward technical recovery, but toward legal liabilities,” said Chris Cronin, Principal Consultant and Partner, Halock Security Labs. “That tells insurance carriers their policyholders represent a massive liability risk in their portfolios.”

NASDAQ: Key Learnings from Early Disclosures

“Another survey conducted by cybersecurity consulting firm Halock Security Labs published in September 2024 reviewed thousands of 10-Ks filed since December 2023 and found that only 24 of the forms listed risk assessment methods. The report claims that “public companies appear to be overstating their cybersecurity governance capabilities in their 10-Ks…companies do not yet know how to define what cybersecurity risk management is, how they determine what cyber risks and incidents would be qualitatively and quantitatively material, or how they discern strategy from governance.”

Key Learnings from Early Disclosures

Another survey conducted by cybersecurity consulting firm Halock Security Labs published in September 2024 reviewed thousands of 10-Ks filed since December 2023 and found that only 24 of the forms listed risk assessment methods.

Companies may not be fully grasping—or explaining—how they handle cyber risk in their 10-K annual reports, leading some to unintentionally cast their attack defenses as stronger than they are.

Such are the findings from cybersecurity consulting firm Halock Security Labs’ review of thousands of 10-Ks in the year since the Securities and Exchange Commission enacted its cyber risk disclosure rules.   READ FULL ARTICLE ON LAW.COM

As regulations and privacy laws require ‘reasonable security’, we are seeing more organizations focusing on their duty of care to all interested parties. There are more references to ‘reasonableness’ in breach litigation, and inquiries in how company security programs are implementing reasonable controls.

Professionals seek answers for their specific working environment. Each organization also follows various standards, which can be a challenge. One approach that integrates this process is the Duty of Care Risk Analysis (DoCRA). It provides guidance on how to establish reasonable security.

Read full article at Techbullion. 

Cyber Security: A Peer-Reviewed Journal, Volume 3 / Number 4

Regulators, litigators and cyber security standards require that cyber security controls should be ‘reasonable’. But rarely do these authorities define what the word means. Lawyers and regulators have long stated that reasonableness is a balance between protecting others from harm and using controls that are no more burdensome than the risks they reduce. They have illustrated this concept with a calculation that is remarkably similar to risk calculations used in cyber security risk management. This paper explores an accidental collaboration between the cyber security community, judges and regulators to define reasonableness, and demonstrates to readers how they can use risk analysis to defend their security programmes as reasonable.

ESTIMATING RISK BY INDUSTRY

“a) That risk assessments should evaluate the likelihood of magnitudes of harm that result from threats and errors, b) That risk assessments should explicitly estimate foreseeable harm to consumers as well as to the covered financial institutions, c) That risk mitigating controls are commensurate with the risks they address, [and] d) That risk assessments estimate likelihoods and impacts using available data.”

CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.1 in 2021 – 2022. CIS is a founding member of the nonprofit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.

Increasing need for risk management ‘… taking sufficient measures to secure the sensitive personal data of other people as state regulators are now starting to use a clear definition for reasonable, risk-based security in their injunctions. In terms of litigation, a demonstrated due of care shows the absence of negligence which is a determining factor in lawsuits. A growing number of security frameworks are now available that can help organizations define what “reasonable security” actually.”