Some Major Suppliers… A Major Bank… And An Important Regulator Raise The Ante Big-Time On “Cybersecurity At One’s Suppliers”
But A Surprising Number Of Companies Dig In Their Heels About Reviewing And Expanding Their Internal Control Environment… Do Not Be One Of Them… Or Use One Of Them, We Warn
A recent survey of 758 banks, insurers, money-managers and other, mostly large companies, conducted by PricewaterhouseCoopers indicates that most such companies have increased their spending on protecting their networks and on other cybersecurity measures significantly in the wake of the big JPMC data breach – and a PWC consultant predicted that spending will rise by 10% to 20% annually in coming years.
Not long after the survey was released, Citigroup seems to have accidentally leaked an internal memo taking aim at cyberattacks at law firms in particular, noting that it was “reasonable” to expect attacks on law firms by foreign governments and other hackers because they acquire so much sensitive data on corporate deals and business strategies… much as the OPTIMIZER pointed out a few issues ago. The report also said that Citigroup employees should be “mindful” of the fact that, despite improvements of late, digital security at law firms remains below the standards for other industries: “Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general… it is not possible to determine whether cyberattacks against law firms are on the rise,” the report noted.
Then, just as we were locking down this issue, the wonderfully named Benjamin Lawsky, New York State’s top regulator of financial institutions, said that a survey of 40 banks found that only about a third of them require their outside vendors to notify them of breaches to their own networks… fewer than half of them conduct regular on-site inspections of all their outside vendors… and only half of them require vendors to offer a warranty that their services and products are secure – and virus free. A similar survey of major insurance companies is currently underway. (Sure wish we had more “Lawsky kinda’ guys and gals” out there and on the beat!)
But no… and oh woe… a 3/3 WSJ article reported that although the original set of standards for internal control reviews published by the Treadway Commission ten years ago lapsed on December 15th of 2014 – with the original five rules replaced by 17 new ones – more than 300 companies have decided not to review their control environment, much less get up to speed with the Treadway Commission “COSO” standards… much less, we’d presume, get up to speed on cybercrime… And oops! No penalties are involved. An SEC spokesman indicated that they might step up their scrutiny of such companies – and we can guarantee that there will indeed be financial penalties due to both data and operational “losses.” So, in addition to asking about SAS standards as we have been urging, we now urge readers to ask vendors about compliance with COSO standards too.