HALOCK News
The latest HALOCK Updates
Get the latest cyber security news and updates on our services and our team, or read our latest articles on information security.
Rane Risk Insights – One Year Later: The Impact of SEC Cybersecurity Regulations
Key Learnings from Early Disclosures
Another survey conducted by cybersecurity consulting firm Halock Security Labs published in September 2024 reviewed thousands of 10-Ks filed since December 2023 and found that only 24 of the forms listed risk assessment methods. The report claims that “public companies appear to be overstating their cybersecurity governance capabilities in their 10-Ks…companies do not yet know how to define what cybersecurity risk management is, how they determine what cyber risks and incidents would be qualitatively and quantitatively material, or how they discern strategy from governance.”
Confusion Over New SEC Cyber Rules Leading Firms to Overstate Attack Readiness
Companies may not be fully grasping—or explaining—how they handle cyber risk in their 10-K annual reports, leading some to unintentionally cast their attack defenses as stronger than they are.
Such are the findings from cybersecurity consulting firm Halock Security Labs’ review of thousands of 10-Ks in the year since the Securities and Exchange Commission enacted its cyber risk disclosure rules. Read the full article on Law.com.
US supreme court ruling suggests change in cybersecurity disclosure process (CSO)
Friday’s Supreme Court ruling “basically says that an omission in your S-K disclosures would be actionable only if it would have countered statements you did make. So, if you don’t feel like disclosing a risk, then also avoid making affirmative statements about things that the risk would compromise,” says Chris Cronin, a security consultant who serves as an expert witness for defense, plaintiffs, and regulators. “As a shareholder, I’m not happy about the now-clear instructions for hiding risks from your 10-K. The detail and comprehensiveness of appropriate cyber risk reporting was bound to be in contention without good examples and principles to guide filers. (The ruling) only hampers a portion of the cybersecurity rule that companies seem to be pretty bad at.”
Managing HIPAA Risk With Duty Of Care Risk Analysis (DoCRA)
ABOUT INSIDER: A brief Q&A synopsis from Health Care Law Today podcast featuring Foley Partner Jen Rathburn interviewing Terry Kurzynski, founder of HALOCK Security Labs. Jen has been practicing for almost 20 years in data privacy and security. Terry has over 25 years of experience in the cybersecurity arena and also serves as a board member on the DoCRA Council. The full podcast can be found here.
Understanding Risk’s Role in Reasonable Security
As regulations and privacy laws require ‘reasonable security’, we are seeing more organizations focusing on their duty of care to all interested parties. There are more references to ‘reasonableness’ in breach litigation, and inquiries in how company security programs are implementing reasonable controls.
Professionals seek answers for their specific working environment. Each organization also follows various standards, which can be a challenge. One approach that integrates this process is the Duty of Care Risk Analysis (DoCRA). It provides guidance on how to establish reasonable security.
Read full article at Techbullion.
TechTarget News
Spirion, a data protection and compliance company based in St. Petersburg, Fla., launched its Global Alliance Partner Program, which spans software developers, technology providers, systems integrators and solution providers. Partners will “extend the functionality” of Spirion’s Data Privacy Management Framework, according to the company. Solution provider members of the program include GuidePoint Security and Halock Security Labs, while technology partners include ContextSpace, Seclore and Tonic.
What lawyers mean by ‘reasonable’ cyber security controls
Cyber Security: A Peer-Reviewed Journal, Volume 3 / Number 4
Regulators, litigators and cyber security standards require that cyber security controls should be ‘reasonable’. But rarely do these authorities define what the word means. Lawyers and regulators have long stated that reasonableness is a balance between protecting others from harm and using controls that are no more burdensome than the risks they reduce. They have illustrated this concept with a calculation that is remarkably similar to risk calculations used in cyber security risk management. This paper explores an accidental collaboration between the cyber security community, judges and regulators to define reasonableness, and demonstrates to readers how they can use risk analysis to defend their security programmes as reasonable.
The Center for Internet Security, Inc. (CIS®): Conceptualizing Reasonableness for Risk Analysis
The Center for Internet Security, Inc. (CIS®): In episode 29 of Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Chris Cronin, ISO 27001 Auditor and Partner at HALOCK, a leading information security consultancy. Their discussion focuses on “reasonableness” as it relates to cybersecurity risk management. This topic isn’t just about proving to regulators, litigators, and others that security controls were in place prior to an incident. It also considers how to implement safeguards without overburdening users and executives.
Estimating Risk by Industry
Estimate risk based on real threat data. Read Appendix D in the 2024 Verizon Data Breach Investigations Report (DBIR) to augment your risk analysis.
Standards for Safeguarding Customer Information
“a) That risk assessments should evaluate the likelihood of magnitudes of harm that result from threats and errors, b) That risk assessments should explicitly estimate foreseeable harm to consumers as well as to the covered financial institutions, c) That risk mitigating controls are commensurate with the risks they address, [and] d) That risk assessments estimate likelihoods and impacts using available data.”
CIS RAM v2.1 for Implementation Group 2 (IG2)
CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.1 in 2021 – 2022. CIS is a founding member of the nonprofit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.
5 Cybersecurity Predictions For 2022
Increasing need for risk management: ‘… taking sufficient measures to secure the sensitive personal data of other people as state regulators are now starting to use a clear definition for reasonable, risk-based security in their injunctions. In terms of litigation, a demonstrated duty of care shows the absence of negligence, which is a determining factor in lawsuits. A growing number of security frameworks are now available that can help organizations define what “reasonable security” actually means.’
CIS Risk Assessment Method (RAM) v2.0 for CIS Controls v8 Released
The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.0 in 2021. CIS is a founding member of the non-profit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.
HIPAA Risk Analysis 2.0: Duty of Care Risk Analysis
Foley Partner Jen Rathburn sits down with Terry Kurzynski, founder of HALOCK Security Labs, to discuss the Duty of Care Risk Analysis, especially as it pertains to health care.