Cyber Alert – Q2 2015 – Standards and benchmarks

Tom Pritchard

Global

  • The International Chamber of Commerce published a “cyber security guide for businesses.”  The aim of the guide is to help management “frame cyber security discussions with information technology professionals – and vice versa – to put a collaborative and ongoing management approach in place.”  The guide provides five main areas of focus: gathering information, developing a resilient mind-set, being prepared to respond, demonstrating leadership and taking action.

UK

  • According to SC Magazine, the Bank of England approved its first commercial provider of CBEST threat intelligence and penetration testing (read more from Datonomy about the financial sector CBEST programme here). The company now approved to assess financial sector companies’ preparedness for a cyber attack is BAE Systems.
  • One of CERT-UK’s weekly updates featured a plug for the importance of public-private cyber threat information sharing as the US looks to follow the UK’s lead with the Cyber Intelligence Sharing and Protection Act (read more on the subject of US public-private information sharing from Datonomy here). Read the full update here.
  • Cyber Essentials Scheme: the insurance industry has a major opportunity to expand offerings given that fewer than 10% of UK companies currently have cyber insurance protection according to a report by the UK government and Marsh (a UK insurance broker and risk advisor) titled, “UK cyber security: the role of insurance in managing and mitigating the risk”. The report details how the UK can become the world centre for cybersecurity insurance by working with the Cyber Essentials Scheme.  Read the full report here.

US

  • The Department of Justice released a cyber guide titled “Best Practices for Victim Response and Reporting of Cyber Incidents”. The publication is part of a wider effort to encourage the private sector to report more information relating to cyber threats.  The guide provides non-binding suggestions on three fronts: steps to take before a cyber intrusion, executing an incident response plan, and what not to do following a cyber incident.
  • According to our friends at Alston & Bird LLP, the Securities and Exchange Commission (“SEC”) is planning to rewrite the rules relating to disclosure of information concerning cybersecurity incidents. Though there has been no formal announcement regarding the content of these new rules, SEC Chief of Staff, Smeeta Ramarathnam’s comments at the RSA conference (reported on by Datonomy, here) suggested a move towards greater disclosure of potentially sensitive information.
  • The SEC also published cybersecurity guidance for investment companies and investment advisers. Given that investment firms and advisers hold a plethora of very private and valuable data, and given that the financial industry as a whole has been regularly targeted by hackers, the guidance may serve as a nudge from the SEC signalling its view that insufficient resource is currently being devoted to the issue.  The guidance features a series of best-practice measures to address the legal, compliance, and business risks posed by cyber threats.
