FierceComplianceIT

July 31, 2012

What's New
Public-private info sharing necessary to combat cyber crime
Slow-drip data loss will cut revenue
SEC delays action on China Deloitte issue
New laws could change the role of compliance officers

Editor's Corner: Defining GRC

Tip of the Week
Board involvement in GRC can aid investment

Also Noted: NexJ
Cloud security at the consumer level; Yahoo! data breach update and much more...







Editor's Corner

Defining GRC

By Jim Kim


The Sustainable Business Forum offers an interesting commentary on what exactly GRC is.

"Some use the term to refer to the efficient integration of compliance programs and risk management across the enterprise." Then again, "others mean risk management when they say GRC, and they are referring to the problem of fragmented risk management." Still others might "refer to a select set of functions and processes, influenced by software analysts like Forrester and Gartner who rate software using categories (of which GRC is one) and the software vendors who market GRC solutions. To them, GRC generally means risk management, compliance management, policy management, and internal audit management – integrated so that they use common risk registers, etc."

So who's got it right?

The reality is that there is no real common definition. It means lots of things to lots of people. The lack of a common definition is necessarily deleterious to the industry. It's not the same as the lack of definition of a "swap," or "high-frequency trading," which has real regulatory implications.

My sense is that most executives, when they think about GRC, think of it as a rubric, under which they lump anything related to regulations in general, Sarbanes-Oxley in particular, IT risk management, security, data loss prevention, compliance and generally efforts to "do the right thing."

It's not something crying out for a definition. Instead, it's a way to think about things, however loosely related. -Jim






Today's Top News

Public-private info sharing necessary to combat cyber crime

By Jim Kim

When it comes to cyber threats, a coordinated defense would appear to be logical, as companies and government agencies should work in concert.

But a robust level of information sharing between the public and private sectors has yet to materialize in part because companies are concerned that sharing information with the government and umbrella groups might violate certain laws.

A new report from the Homeland Security Project at the non-profit Bipartisan Policy Center reports that "The resolution of numerous legal impediments -- some real, some perceived -- is asserted by various stakeholders as a predicate to more robust cyber threat information sharing among private sector entities and between the private sector and the government. Perceptions of such impediments have created a collective action problem in which companies hold threat and vulnerability information close, rather than sharing it with each other or the government. Information that should be shared includes, but is not limited to, malware threat signatures, known malicious IP addresses, and immediate cyber attack incident details."

One proposed solution would grant companies that share information with cyber defense agencies exemptions from various laws, along with safe harbors. Various statutes should also be amended, notably the Wiretap Act.

To be sure, it would be a shame if bureaucracy and conflicting laws were to frustrate attempts to coordinate efforts to combat APT and other attacks. Companies need all the help they can get.

For more:
- here's a CNET article






Slow-drip data loss will cut revenue

By Jim Kim

When it comes to corporate data breaches, the thought processes at the top are often driven by emotion, which is completely understandable.

Nothing will create heat quite like a security breach. While massive breaches that result in headlines are unfortunately more common than ever, there are myriad other breaches that in sum may be just as consequential.

K logix LLC, a data security company, calls this "slow-drip" data loss, "the type of data loss that happens every day -- small hacks, unknown exposures and employee misuse of data." In its report "The Real Cost of Data Loss," which features findings from its research into the true impact of data loss on revenue, the company found "that in 2012 data leakage will impact 0.6% of revenue for the average company, and that number will continue to grow -- by 2018 1.6% of revenue will be lost."

The following outlines the hypothetical impact of data loss on a $1 billion company whose revenue is growing at 7.8 percent annually:

- In 2012 a $1 billion company can expect to lose 0.6 percent of revenue due to data loss. That means it will lose $6 million of revenue.
- By 2014 poor data security will impact 0.93% of revenue, or more than $17 million.
- By 2018 poor data security will impact 1.6% of revenue, or $33 million.
- The impact of data loss on revenue will nearly triple between 2012 and 2018.

For more:
- here's the item




SEC delays action on China Deloitte issue

By Jim Kim

The SEC's high-stakes legal battle with Deloitte Touche Tohmatsu's Chinese unit veered in a new direction recently, after the agency indicated that it was in talks with Chinese regulators that could potentially allow the firm to produce various documents in the infamous Longtop case without much additional SEC action.

Deloitte Touche Tohmatsu's Chinese unit had been refusing to comply with an SEC subpoena that ordered the production of documents on the grounds that such a move was not allowable under Chinese law. It voiced concerns that local authorities could penalize the firm and its partners under state-secrecy laws. The SEC had filed suit in September to enforce the subpoena. Since then a state of legal limbo has been in place.

Earlier this month, according to Corruption Currents, SEC Chairman Mary Schapiro visited China to meet with the chairman of the CSRC and other Chinese government officials.

"In the course of these meetings, the parties discussed, among other things, the need to develop a mechanism by which the SEC can obtain audit workpapers and other documents from audit firms based in China (including DTTC and other firms) in connection with its enforcement investigations."

It would appear at this point that this will be resolved relatively amicably. Such a resolution could potentially have a big impact on other investigations. More than a few Chinese companies that trade in the U.S. via ADRs have imploded and are worthy of additional scrutiny.

For more:
- here's the article




New laws could change the role of compliance officers

By Jim Kim

Historically, white collar crime waves have been followed by periods of prosecution and reform.

That has largely held true in the wake of the 2008 financial crisis. True, prosecutors never brought a criminal action against a top executive of a top bank, but a lot of civil charges have been levied. And there's been quite a bit of reform legislation passed as well, notably Dodd-Frank.

According to a commentary in JDSupra, compliance in general might become the focus of another reform wave.

"Compliance is going to become the new catch word for Congress and corporations. Congress is becoming more interested in corporate scandals which result from lack of corporate compliance. All of the elements are there for a new legislative push in this area. Congress does not have a positive view of corporate compliance, especially in the anti-corruption area. Congress will come up with 'new' ideas on how to fix such problems."

Compliance officers should take note, as they will be in the line of fire, even more than they are now. Some specific predictions include requiring CCOs to report directly to the audit or compliance committee; requiring CCOs to report to the audit committee twice a year; and elevating CCOs within a company to the same management level as other C-level executives.

I doubt we'll see legislation in this area, but it's fair to say that compliance officers will continue to see their responsibility and liability rise.

For more:
- here's the commentary




Tip of the Week

Board involvement in GRC can aid investment

By Jim Kim

The hope in the GRC software industry is that as GRC issues rise as a priority for corporate boards, more will be willing to invest in the systems necessary to automate these tasks.

This was certainly borne out by a recent event held by RSA, a division of EMC, which hosted an executive forum for top governance, risk and compliance (GRC) executives, who shared their perspectives from a wide variety of industries.

"Risk management is increasingly a C-level and board-level conversation," a summary of the event notes. GRC program owners said they are spending more time reporting to the board about risks facing their organizations. Corporate directors are sensitive to their legal obligations for compliance oversight. Chiefly, executives and directors need to ensure their organizations' responsibilities are fulfilled and policies observed.

One participant said that "[The board is] starting to get it: regulatory pressure, news items. What really gets them is, 'How do we know the problems being reported in other places are being taken care of here?'"

Will this translate into higher sales? Certainly, RSA and others would like it to. It can't hurt to get buy-in from the top. So it's good strategy to get the board behind these issues in order to help secure the funds necessary for GRC investment.

This might be one way to get around a reluctant CEO or CFO, as more risk and compliance executives have access to key board committees these days, providing more opportunity to impress upon the board the importance of GRC issues. The stakes are exceedingly high.

For more:
- here's the item




Also Noted



> Yahoo! data breach update.
> Peregrine trouble signs missed.
> Dodd-Frank anniversary poll.
> PCI line in the sand.
> Dodd-Frank still in the future.
> Cloud security at the consumer level.
> How to handle data securely at work.
> Why going public is really a hassle.
And Finally ... Apple plans high-security data center.