Almost Everybody is Unprepared for SEC Cybersecurity Disclosures. But You Can Get Through This.
Just how, exactly, are you going to describe your company’s cybersecurity strategy, governance, and risk management program in your 10-K? You need to know what governance is, right? And how that’s different from strategy? And how cybersecurity risk management is … something that executives’ roles and … board director sign-off … and reasonable investors too … right? Oh, and materiality, too. Got it. For most companies, 10-Ks will be hard to fill out because U.S. companies generally don’t run cybersecurity through governance, strategy, or risk management programs. At least not in a way that could withstand review by inquiring analysts or investors. Most public companies do, however, provide demonstrable (and prudent) disclosures. So how will your 10-K cybersecurity disclosures be both accurate and not scare away reasonable investors? In this presentation, Chris Cronin will help you understand what cybersecurity strategy, governance, and risk management are, and will show you how to use an emerging definition for reasonable cybersecurity controls to help you define materiality. Your first 10-K will likely be a light touch among many pretty weird 10-Ks that other companies will file. But your 2024 preparation for your second filing can put you ahead of your competitors.
Compliance Week: Five Deliverables Every Cybersecurity Team Needs to Survive, Thrive and Comply with the New SEC Cybersecurity Rule
Join this webinar to review tools and templates for the five deliverables to:
1. Ensure your security program is legally defensible and compliant with the new SEC Cybersecurity Rule, published July 26, 2023.
2. Define a “clear line of acceptable risk” below which you accept risks and above which you remediate.
3. Understand the “total risk” (i.e., your risk FICO score) to your organization.
4. Communicate risks and justify expenditure requests in business terms.
5. Provide the C-suite a roadmap for your program that reduces risk to an acceptable level (answering the C-suite question of, “Are we where we need to be? If not, when will we get there?”).
PCI Webinar Series 4: How to do Targeted Risk Analysis using a Duty of Care Risk Analysis Method
In version 4.0, all periodic cadence requirements must be justified with a targeted risk analysis. Also, if the customized approach is used to validate compliance with a requirement, a targeted risk analysis must be performed. Join Viviana Wesley to learn how to conduct a targeted risk analysis that uses the duty of care risk analysis method, which litigators and regulators expect to see when doing risk assessments.
PCI Webinar Series 3: A Deep Dive into the Emerging New 4.0 DSS Requirements that are Due by March 2025
There are 51 requirements that are best practices until March of 2025. Some will be process related and some will require technology or program changes. Join Viviana Wesley for a deep dive into these requirements so your organization can start budgeting and planning for upcoming changes before these requirements become effective.
PCI Webinar Series 2: A Deep Dive into the New 4.0 DSS Requirements that are Applicable Immediately
There are 14 new requirements that are effective immediately for any PCI DSS 4.0 validation. Join Viviana Wesley for a deep dive into these requirements so your organization can start working on these right away. View the recording to prepare for your transition to PCI DSS v4.0.
PCI Webinar Series 1: Preparing for Your Transition to PCI DSS v4.0 Webinar
PCI DSS v3.2.1 expires on March 31, 2024. Organizations should now be planning their transition to PCI DSS v4.0. With 64 new requirements in PCI DSS v4.0, companies have a lot to consider in preparation for the coming deadline. In our PCI Webinar Series, learn about the general changes in 4.0, the new requirements, best practices, and how an increased focus on risk evaluations in this new version will be a driving force for security and compliance. Watch Viviana Wesley, CISM, PCI QSA, ISO 27001 Auditor and HALOCK Principal Consultant, review key updates and next steps to support your transition to PCI DSS v4.0.
The Questions a Judge Will Ask You After a Data Breach
In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them. Distinguish the risk assessment criteria that allow for comparison, reflect your organization’s values and hold up to public scrutiny. See how you can employ DoCRA to fulfill regulators’ requirements for a complete and thorough risk assessment following a data breach. Learn how to define 'reasonable security'. PRESENTER: Chris Cronin, ISO 27001 Auditor | Board Chair - The DoCRA Council | Partner - HALOCK Security Labs
They Know You Can’t Get to 100% Compliance … and That’s Okay (HIPAA, CCPA/CPRA, GDPR, 23 NYCRR Part 500, CMMC, PCI, FISMA, FERPA)
Meeting old and new security requirements is about to change. For the first time, all requirements, even version 4.0 of the PCI DSS, are going to be driven by risk. What does that mean exactly? Each organization will need to decide what its definition of “acceptable risk” is, not only for the organization, but for its clients and business partners as well as the general public. Those who could be harmed by your service or product, and in how you conduct business, need to be considered in the risk equation. To address these issues, the next Midwest Cyber Security Alliance virtual meeting will offer an update on some familiar topics including the concept of “reasonable controls” and “acceptable risk.” These terms have permeated our security regulations and standards over the last decade and have plagued organizations just as long — until today. Quite recently, regulators, judges, and security experts have all agreed to a common calculus to determine if an organization has reasonable controls. During this session, we will dissect the Sedona Conference’s new proposed legal test for reasonable security controls.
Data Privacy Hardship? Data Privacy Experts Field the Tough Questions
With evolving compliance requirements and the exponential growth of private data that must be managed, organizations are struggling to balance security, regulations, and corporate business goals. How do you prioritize resources and budget? Most organizations do not know where their data lives and may not want to do the hard work to find it. Or maybe that’s not it; perhaps they simply don’t know how to start. There is a path forward. Our panel of experts will share how they are achieving data privacy across the U.S. for big and small clients.
Cyber Security Summit: Threat Forecasting Using Open Source Data to Foresee Your Next Breach
We forecast cybersecurity events not to predict the future, but to change it. Regulators and litigators all hold us accountable for knowing foreseeable threats so we can avoid them. But what is foreseeable? And how do we evaluate risks knowing what is foreseeable? This session will demonstrate how open source information can help you prioritize your cybersecurity efforts, and demonstrate that you were being reasonable even if a breach does occur.