HALOCK News
The latest HALOCK Updates
Get the scoop: read the current cyber security news about our services and our team, or read our latest articles on information security.
US supreme court ruling suggests change in cybersecurity disclosure process (CSO)
Friday’s Supreme Court ruling “basically says that an omission in your S-K disclosures would be actionable only if it would have countered statements you did make. So, if you don’t feel like disclosing a risk, then also avoid making affirmative statements about things that the risk would compromise,” says Chris Cronin, a security consultant who serves as an expert witness for defense, plaintiffs, and regulators. “As a shareholder, I’m not happy about the now-clear instructions for hiding risks from your 10-K. The detail and comprehensiveness of appropriate cyber risk reporting was bound to be in contention without good examples and principles to guide filers. (The ruling) only hampers a portion of the cybersecurity rule that companies seem to be pretty bad at.”
Managing HIPAA Risk With Duty Of Care Risk Analysis (DoCRA)
ABOUT INSIDER: A brief Q&A synopsis from Health Care Law Today podcast featuring Foley Partner Jen Rathburn interviewing Terry Kurzynski, founder of HALOCK Security Labs. Jen has been practicing for almost 20 years in data privacy and security. Terry has over 25 years of experience in the cybersecurity arena and also serves as a board member on the DoCRA Council. The full podcast can be found here.
Understanding Risk’s Role in Reasonable Security
As regulations and privacy laws require ‘reasonable security’, we are seeing more organizations focusing on their duty of care to all interested parties. There are more references to ‘reasonableness’ in breach litigation, and more inquiries into how company security programs are implementing reasonable controls.
Professionals seek answers for their specific working environment. Each organization also follows various standards, which can be a challenge. One approach that integrates this process is the Duty of Care Risk Analysis (DoCRA). It provides guidance on how to establish reasonable security.
Read full article at Techbullion.
TechTarget News
Spirion, a data protection and compliance company based in St. Petersburg, Fla., launched its Global Alliance Partner Program, which spans software developers, technology providers, systems integrators and solution providers. Partners will “extend the functionality” of Spirion’s Data Privacy Management Framework, according to the company. Solution provider members of the program include GuidePoint Security and Halock Security Labs, while technology partners include ContextSpace, Seclore and Tonic.
What lawyers mean by ‘reasonable’ cyber security controls
Cyber Security: A Peer-Reviewed Journal, Volume 3 / Number 4
Regulators, litigators and cyber security standards require that cyber security controls should be ‘reasonable’. But rarely do these authorities define what the word means. Lawyers and regulators have long stated that reasonableness is a balance between protecting others from harm and using controls that are no more burdensome than the risks they reduce. They have illustrated this concept with a calculation that is remarkably similar to risk calculations used in cyber security risk management. This paper explores an accidental collaboration between the cyber security community, judges and regulators to define reasonableness, and demonstrates to readers how they can use risk analysis to defend their security programmes as reasonable.
The Center for Internet Security, Inc. (CIS®): Conceptualizing Reasonableness for Risk Analysis
The Center for Internet Security, Inc. (CIS®): In episode 29 of Cybersecurity Where You Are, co-hosts Tony Sager and Sean Atkinson are joined by Chris Cronin, ISO 27001 Auditor and Partner at HALOCK, a leading information security consultancy. Their discussion focuses on “reasonableness” as it relates to cybersecurity risk management. This topic isn’t just about proving to regulators, litigators, and others that security controls were in place prior to an incident. It also considers how to implement safeguards without overburdening users and executives.
Estimating Risk By Industry
Estimate risk based on real threat data. Read Appendix D in the 2024 Verizon Data Breach Investigations Report (DBIR) to augment your risk analysis.
Standards for Safeguarding Customer Information
“a) That risk assessments should evaluate the likelihood of magnitudes of harm that result from threats and errors, b) That risk assessments should explicitly estimate foreseeable harm to consumers as well as to the covered financial institutions, c) That risk mitigating controls are commensurate with the risks they address, [and] d) That risk assessments estimate likelihoods and impacts using available data.”
CIS RAM v2.1 for Implementation Group 2 (IG2)
CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.1 in 2021 – 2022. CIS is a founding member of the nonprofit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.
5 Cybersecurity Predictions For 2022
Increasing need for risk management: “… taking sufficient measures to secure the sensitive personal data of other people as state regulators are now starting to use a clear definition for reasonable, risk-based security in their injunctions. In terms of litigation, a demonstrated duty of care shows the absence of negligence, which is a determining factor in lawsuits. A growing number of security frameworks are now available that can help organizations define what ‘reasonable security’ actually means.”
CIS Risk Assessment Method (RAM) v2.0 for CIS Controls v8 Released
The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.0 in 2021. CIS is a founding member of the non-profit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.
HIPAA Risk Analysis 2.0: Duty of Care Risk Analysis
Foley Partner Jen Rathburn sits down with Terry Kurzynski, founder of HALOCK Security Labs, to discuss the Duty of Care Risk Analysis, especially as it pertains to health care.
CIS Risk Assessment Method (CIS RAM) overview
CIS RAM is an interesting method at many levels. It conforms to and supplements standards like ISO 27005, NIST Special Publication 800-30, and RISK IT. It also bridges two different risk analysis methods: the well-known method found in U.S. regulations and InfoSec standards, Risk = impact + likelihood, and the less well-known “Calculus of Negligence” or “Learned Hand Rule”, and as such incorporates principles and practices from Duty of Care Risk Analysis.
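The journal abstract above (“What lawyers mean by ‘reasonable’ cyber security controls”) and this overview both point at the same bridge: the Learned Hand formula from negligence law, B < P × L, is the same arithmetic a risk assessment performs when it compares a safeguard’s cost against the expected loss it prevents. The following Python is an added illustration of that bridge; it is not code from CIS RAM, the DoCRA standard, or the article summarized here, and it uses the expected-loss (likelihood × impact) form rather than the additive score mentioned above. Every probability and dollar figure is constructed, and the `ACCEPTABLE_LOSS` threshold is an assumption standing in for the risk tolerance an organization would set with the interested parties in mind.

```python
from dataclasses import dataclass

# Added example, not code from CIS RAM, DoCRA or the article above.
# All probabilities and dollar figures below are constructed for illustration.


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # annual probability the harm occurs (Hand's P)
    impact: float      # loss in dollars if it occurs (Hand's L)

    def expected_loss(self) -> float:
        return self.likelihood * self.impact  # P * L


@dataclass(frozen=True)
class Safeguard:
    name: str
    burden: float               # annual cost of the precaution (Hand's B)
    residual_likelihood: float  # likelihood once the safeguard is in place
    residual_impact: float      # impact once the safeguard is in place

    def residual_loss(self) -> float:
        return self.residual_likelihood * self.residual_impact


def risk_reduced(risk: Risk, sg: Safeguard) -> float:
    """Expected loss the safeguard prevents: P*L before minus P*L after."""
    return risk.expected_loss() - sg.residual_loss()


def hand_negligent_to_omit(risk: Risk, sg: Safeguard) -> bool:
    """Learned Hand rule: omitting the precaution is negligent when its burden
    is less than the expected loss it would have prevented, i.e. B < P * L."""
    return sg.burden < risk_reduced(risk, sg)


def docra_reasonable(risk: Risk, sg: Safeguard, acceptable_loss: float) -> bool:
    """Duty-of-care style test with two conditions: the safeguard must be no
    more burdensome than the risk it reduces, and the risk left over must be
    acceptable to the parties who could be harmed. `acceptable_loss` is an
    assumed threshold for that second condition."""
    return sg.burden <= risk_reduced(risk, sg) and sg.residual_loss() <= acceptable_loss


def evaluate(risk: Risk, safeguards, acceptable_loss: float) -> dict:
    """Score every candidate safeguard against the same risk."""
    return {
        sg.name: {
            "risk_reduced": risk_reduced(risk, sg),
            "residual_loss": sg.residual_loss(),
            "hand_negligent_to_omit": hand_negligent_to_omit(risk, sg),
            "docra_reasonable": docra_reasonable(risk, sg, acceptable_loss),
        }
        for sg in safeguards
    }


# Constructed scenario: one risk, three candidate safeguards (all figures invented).
RISK = Risk("Patient records exposed through a compromised remote-access account",
            likelihood=0.20, impact=2_000_000.0)
SAFEGUARDS = (
    Safeguard("Quarterly phishing-awareness mailing", burden=2_000.0,
              residual_likelihood=0.18, residual_impact=2_000_000.0),
    Safeguard("MFA on all remote access", burden=30_000.0,
              residual_likelihood=0.04, residual_impact=2_000_000.0),
    Safeguard("Replace remote access and re-architect the network", burden=500_000.0,
              residual_likelihood=0.01, residual_impact=2_000_000.0),
)
ACCEPTABLE_LOSS = 100_000.0  # assumed: expected annual loss the parties would tolerate


if __name__ == "__main__":
    for name, row in evaluate(RISK, SAFEGUARDS, ACCEPTABLE_LOSS).items():
        print(f"{name}:")
        for key, value in row.items():
            print(f"  {key}: {value:,.0f}" if isinstance(value, float) else f"  {key}: {value}")
```

The three constructed safeguards are chosen to separate the two tests. The awareness mailing is so cheap that the Hand rule says omitting it is negligent, yet it leaves far more expected loss than the assumed tolerance, so it is not, on its own, reasonable security; the re-architecture costs more than the loss it prevents and fails the burden test; only MFA passes both. That is the point the overview makes about CIS RAM bridging the two methods: the Hand calculus answers whether a control is worth its cost, while the duty-of-care test also asks whether the remaining risk is acceptable to the people who would bear it.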
A New Perspective on Cyber Risk
In a post on Halock.com, auditor Chris Cronin writes that as insurers try to model cyber risk and brokers try to get the right information from their clients it may be better to focus on management behavior than on hacker tactics.
Using data from NetDiligence reports, Cronin breaks down costs of crisis services, legal defense, settlements, regulatory defense and fines between small/medium and large organizations.