Episode 1: Terry Kurzynski and Dave Bruskin

Just how, exactly, are you going to describe your company’s cybersecurity strategy, governance, and risk management program in your 10-K? You need to know what governance is, right? And how that’s different from strategy? And how cybersecurity risk management is … something that executives’ roles and … board director sign-off … and reasonable investors too … right? Oh, and materiality, too. Got it.

For most companies, 10-Ks will be hard to fill out because U.S. companies generally don’t run cybersecurity through governance, strategy, or risk management programs. At least not in a way that could withstand review by inquiring analysts or investors.

Most public companies do, however, provide demonstrable (and prudent) disclosures. So how will your 10-K cybersecurity disclosures be both accurate and not scare away reasonable investors?

In this presentation, Chris Cronin will help you understand what cybersecurity strategy, governance, and risk management are, and will show you how to use an emerging definition for reasonable cybersecurity controls to help you define materiality.

Your first 10-K will likely be a light touch among many pretty weird 10-Ks that other companies will file. But your 2024 preparation for your second filing can put you ahead of your competitors.

Join this webinar to review tools and templates for the five deliverables to:

1. Ensure your security program is legally defensible and compliant with the new SEC Cybersecurity Rule, published July 26, 2023. 2. Define a “clear line of acceptable risk” below which you accept risks and above which you remediate. 3. Understand the “total risk” (i.e., your risk FICO score) to your organization. 4. Communicate risks and justify expenditure requests in business terms. 5. Provide C-suite a roadmap for your program that reduces risk to an acceptable level (answering the C-suite question of, “Are we where we need to be? If not, when will we get there?”)

In version 4.0, all periodic cadence requirements must be justified with a targeted risk analysis. Also, if the customized approach is used to validate compliance with a requirement, a targeted risk analysis must be performed. Join Viviana Wesley to learn how to conduct a targeted risk analysis that use the duty of care risk analysis method, that litigators and regulators expect to see when doing risk assessments

There are 51 requirements that are best practices until March of 2025. Some will be process related and some will require technology or program changes.

Join Viviana Wesley for a deep dive into these requirements so your organization can start budgeting and planning for upcoming changes before these requirements become effective.

There are 14 new requirements that are effective immediately for any PCI DSS 4.0 validation. Join Viviana Wesley for a deep dive into these requirements so your organization can start working on these right away. View the recording to prepare for your transition to PCI DSS v4.0.

PCI DSS v3.2.1 expires on March 31, 2024. Organizations should now be planning their transition to PCI DSS v4.0. With 64 new requirements in PCI DSS v4.0, companies have a lot to consider in preparation for the coming deadline. In our PCI Webinar Series, learn about the general changes to 4.0, new requirements, best practices, and how an increased focus on risk evaluations in this new version will be a driving force for security and compliance. View Viviana Wesley, CISM, PCI QSA, ISO 27001 Auditor and HALOCK Principal Consultant to review key updates and next steps to support your transition to PCI DSS v4.0.

In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them. Distinguish the risk assessment criteria that allow for comparison, reflect your organization’s values and hold up to public scrutiny. See how you can employ DoCRA to fulfill regulators’ requirements for a complete and thorough risk assessment following a data breach. Learn how to define 'reasonable security'. PRESENTER: Chris Cronin, ISO 27001 Auditor | Board Chair - The DoCRA Council | Partner - HALOCK Security Labs

Meeting old and new security requirements is about to change. For the first time, all requirements, even version 4.0 of the PCI DSS, are going to be driven by risk. What does that mean exactly? Each organization will need to decide what its definition of “acceptable risk” is, not only for the organization, but for its clients and business partners as well as the general public. Those who could be harmed by your service or product, and in how you conduct business, need to be considered in the risk equation.

To address these issues, we will discuss and update on some familiar topics including the concept of “reasonable controls” and “acceptable risk.” These terms have permeated our security regulations and standards over the last decade and have plagued organizations just as long — until today. Quite recently, regulators, judges, and security experts have all agreed to a common calculus to determine if an organization has reasonable controls. During this session, we will dissect the Sedona Conference’s new proposed legal test for reasonable security controls based on B₂ – B₁ < (P x H)₁ – (P x H)₂.

SPEAKERS:

With evolving compliance requirements and the exponential growth of private data that must be managed, organizations are struggling to balance security, regulations, and corporate business goals. How do you prioritize resources and budget? Most organizations do not know where their data lives and may not want to do the hard work to find it. Or maybe that’s not it; perhaps they simply don’t know how to start.

There is a path forward. Our panel of experts will share how they are achieving data privacy across the U.S. for big and small clients.

PANELISTS

Terry Kurzynski – Sr. Partner, HALOCK Security Labs; Board Member, The DoCRA Council Jennifer L. Urban – CIPP/US, Partner at Foley & Lardner LLP Aaron Stine – Sr. Product Manager, Spirion

Discussion topics include:

• The biggest challenges in the data privacy compliance process • Best methodologies to understand, protect, and govern your data • Balancing state-mandated compliance regulations • Methods for minimizing and controlling personal data

We forecast cybersecurity events not to predict the future, but to change it. Regulators and litigators all hold us accountable for knowing foreseeable threats so we can avoid them. But what is foreseeable? And how do we evaluate risks knowing what is foreseeable? This session will demonstrate how open source information can help you prioritize your cybersecurity efforts, and demonstrate that you were being reasonable even if a breach does occur.

How much security is enough? Business decision-makers juggle countless variables and make risk decisions using “due care” and “reasonableness.” Understand how to apply duty of care to your specific organization.

HALOCK senior partner, Terry Kurzynski, and Jennifer L. Rathburn, partner from Foley & Lardner LLP present the challenging topic of balancing compliance, cyber security, and business objectives in the healthcare arena.

CIS RAM. CIS® (Center for Internet Security, Inc.) released its first risk assessment method, CIS Risk Assessment Method (RAM). CIS RAM uses a simple equation developed by the courts as the basis for reasonableness in your risk assessment. This method helps you define your acceptable level of risk in a way that creates consensus among executives, attorneys, and regulators.

Learn more about how to define reasonable security with Duty of Care Risk Analysis (DoCRA).

Reasonable Security & Duty of Care Risk Analysis

Why it is essential.

1 Hr. webinar on how risk management can help you comply with anything

1 Hr. webinar on Risk Management as a security requirement

1 Hr. webinar about the new HIPAA Security Omnibus rule.

1 Hr. webinar explaining the updates to Version 3.0 of PCI DSS

PCI DSS Updates & Changes

As we work to protect ourselves from cybersecurity threats Unintended consequences are hurting us. What can we do to avoid them?

In this high-powered webinar on ransomware, we define ransomware, what it is and what can be done about it.